76 files changed, 0 insertions, 26371 deletions
diff --git a/src/lib/libssl/LICENSE b/src/lib/libssl/LICENSE
deleted file mode 100644
index e6afecc724..0000000000
--- a/src/lib/libssl/LICENSE
+++ /dev/null
@@ -1,127 +0,0 @@
-  LICENSE ISSUES
-  ==============
-  The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
-  the OpenSSL License and the original SSLeay license apply to the toolkit.
-  See below for the actual license texts. Actually both licenses are BSD-style
-  Open Source licenses. In case of any license issues related to OpenSSL
-  please contact openssl-core@openssl.org.
-  OpenSSL License
-  ---------------
-/* ====================================================================
- * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
- Original SSLeay License
- -----------------------
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c
deleted file mode 100644
index d683ee43e1..0000000000
--- a/src/lib/libssl/bio_ssl.c
+++ /dev/null
@@ -1,598 +0,0 @@
-/* ssl/bio_ssl.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-#include <openssl/crypto.h>
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-static int ssl_write(BIO *h, const char *buf, int num);
-static int ssl_read(BIO *h, char *buf, int size);
-static int ssl_puts(BIO *h, const char *str);
-static long ssl_ctrl(BIO *h, int cmd, long arg1, void *arg2);
-static int ssl_new(BIO *h);
-static int ssl_free(BIO *data);
-static long ssl_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
-typedef struct bio_ssl_st
-        {
-        SSL *ssl; /* The ssl handle :-) */
-        /* re-negotiate every time the total number of bytes is this size */
-        int num_renegotiates;
-        unsigned long renegotiate_count;
-        unsigned long byte_count;
-        unsigned long renegotiate_timeout;
-        unsigned long last_time;
-        } BIO_SSL;
-static BIO_METHOD methods_sslp=
-        {
-        BIO_TYPE_SSL,"ssl",
-        ssl_write,
-        ssl_read,
-        ssl_puts,
-        NULL, /* ssl_gets, */
-        ssl_ctrl,
-        ssl_new,
-        ssl_free,
-        ssl_callback_ctrl,
-        };
-BIO_METHOD *BIO_f_ssl(void)
-        {
-        return(&methods_sslp);
-        }
-static int ssl_new(BIO *bi)
-        {
-        BIO_SSL *bs;
-        bs=(BIO_SSL *)OPENSSL_malloc(sizeof(BIO_SSL));
-        if (bs == NULL)
-                {
-                BIOerr(BIO_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        memset(bs,0,sizeof(BIO_SSL));
-        bi->init=0;
-        bi->ptr=(char *)bs;
-        bi->flags=0;
-        return(1);
-        }
-static int ssl_free(BIO *a)
-        {
-        BIO_SSL *bs;
-        if (a == NULL) return(0);
-        bs=(BIO_SSL *)a->ptr;
-        if (bs->ssl != NULL) SSL_shutdown(bs->ssl);
-        if (a->shutdown)
-                {
-                if (a->init && (bs->ssl != NULL))
-                        SSL_free(bs->ssl);
-                a->init=0;
-                a->flags=0;
-                }
-        if (a->ptr != NULL)
-                OPENSSL_free(a->ptr);
-        return(1);
-        }
-        
-static int ssl_read(BIO *b, char *out, int outl)
-        {
-        int ret=1;
-        BIO_SSL *sb;
-        SSL *ssl;
-        int retry_reason=0;
-        int r=0;
-        if (out == NULL) return(0);
-        sb=(BIO_SSL *)b->ptr;
-        ssl=sb->ssl;
-        BIO_clear_retry_flags(b);
-#if 0
-        if (!SSL_is_init_finished(ssl))
-                {
-/*              ret=SSL_do_handshake(ssl); */
-                if (ret > 0)
-                        {
-                        outflags=(BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY);
-                        ret= -1;
-                        goto end;
-                        }
-                }
-#endif
-/*      if (ret > 0) */
-        ret=SSL_read(ssl,out,outl);
-        switch (SSL_get_error(ssl,ret))
-                {
-        case SSL_ERROR_NONE:
-                if (ret <= 0) break;
-                if (sb->renegotiate_count > 0)
-                        {
-                        sb->byte_count+=ret;
-                        if (sb->byte_count > sb->renegotiate_count)
-                                {
-                                sb->byte_count=0;
-                                sb->num_renegotiates++;
-                                SSL_renegotiate(ssl);
-                                r=1;
-                                }
-                        }
-                if ((sb->renegotiate_timeout > 0) && (!r))
-                        {
-                        unsigned long tm;
-                        tm=(unsigned long)time(NULL);
-                        if (tm > sb->last_time+sb->renegotiate_timeout)
-                                {
-                                sb->last_time=tm;
-                                sb->num_renegotiates++;
-                                SSL_renegotiate(ssl);
-                                }
-                        }
-                break;
-        case SSL_ERROR_WANT_READ:
-                BIO_set_retry_read(b);
-                break;
-        case SSL_ERROR_WANT_WRITE:
-                BIO_set_retry_write(b);
-                break;
-        case SSL_ERROR_WANT_X509_LOOKUP:
-                BIO_set_retry_special(b);
-                retry_reason=BIO_RR_SSL_X509_LOOKUP;
-                break;
-        case SSL_ERROR_WANT_ACCEPT:
-                BIO_set_retry_special(b);
-                retry_reason=BIO_RR_ACCEPT;
-                break;
-        case SSL_ERROR_WANT_CONNECT:
-                BIO_set_retry_special(b);
-                retry_reason=BIO_RR_CONNECT;
-                break;
-        case SSL_ERROR_SYSCALL:
-        case SSL_ERROR_SSL:
-        case SSL_ERROR_ZERO_RETURN:
-        default:
-                break;
-                }
-        b->retry_reason=retry_reason;
-        return(ret);
-        }
-static int ssl_write(BIO *b, const char *out, int outl)
-        {
-        int ret,r=0;
-        int retry_reason=0;
-        SSL *ssl;
-        BIO_SSL *bs;
-        if (out == NULL) return(0);
-        bs=(BIO_SSL *)b->ptr;
-        ssl=bs->ssl;
-        BIO_clear_retry_flags(b);
-/*      ret=SSL_do_handshake(ssl);
-        if (ret > 0) */
-        ret=SSL_write(ssl,out,outl);
-        switch (SSL_get_error(ssl,ret))
-                {
-        case SSL_ERROR_NONE:
-                if (ret <= 0) break;
-                if (bs->renegotiate_count > 0)
-                        {
-                        bs->byte_count+=ret;
-                        if (bs->byte_count > bs->renegotiate_count)
-                                {
-                                bs->byte_count=0;
-                                bs->num_renegotiates++;
-                                SSL_renegotiate(ssl);
-                                r=1;
-                                }
-                        }
-                if ((bs->renegotiate_timeout > 0) && (!r))
-                        {
-                        unsigned long tm;
-                        tm=(unsigned long)time(NULL);
-                        if (tm > bs->last_time+bs->renegotiate_timeout)
-                                {
-                                bs->last_time=tm;
-                                bs->num_renegotiates++;
-                                SSL_renegotiate(ssl);
-                                }
-                        }
-                break;
-        case SSL_ERROR_WANT_WRITE:
-                BIO_set_retry_write(b);
-                break;
-        case SSL_ERROR_WANT_READ:
-                BIO_set_retry_read(b);
-                break;
-        case SSL_ERROR_WANT_X509_LOOKUP:
-                BIO_set_retry_special(b);
-                retry_reason=BIO_RR_SSL_X509_LOOKUP;
-                break;
-        case SSL_ERROR_WANT_CONNECT:
-                BIO_set_retry_special(b);
-                retry_reason=BIO_RR_CONNECT;
-        case SSL_ERROR_SYSCALL:
-        case SSL_ERROR_SSL:
-        default:
-                break;
-                }
-        b->retry_reason=retry_reason;
-        return(ret);
-        }
-static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
-        {
-        SSL **sslp,*ssl;
-        BIO_SSL *bs;
-        BIO *dbio,*bio;
-        long ret=1;
-        bs=(BIO_SSL *)b->ptr;
-        ssl=bs->ssl;
-        if ((ssl == NULL)  && (cmd != BIO_C_SET_SSL))
-                return(0);
-        switch (cmd)
-                {
-        case BIO_CTRL_RESET:
-                SSL_shutdown(ssl);
-                if (ssl->handshake_func == ssl->method->ssl_connect)
-                        SSL_set_connect_state(ssl);
-                else if (ssl->handshake_func == ssl->method->ssl_accept)
-                        SSL_set_accept_state(ssl);
-                SSL_clear(ssl);
-                if (b->next_bio != NULL)
-                        ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
-                else if (ssl->rbio != NULL)
-                        ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
-                else
-                        ret=1;
-                break;
-        case BIO_CTRL_INFO:
-                ret=0;
-                break;
-        case BIO_C_SSL_MODE:
-                if (num) /* client mode */
-                        SSL_set_connect_state(ssl);
-                else
-                        SSL_set_accept_state(ssl);
-                break;
-        case BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT:
-                ret=bs->renegotiate_timeout;
-                if (num < 60) num=5;
-                bs->renegotiate_timeout=(unsigned long)num;
-                bs->last_time=(unsigned long)time(NULL);
-                break;
-        case BIO_C_SET_SSL_RENEGOTIATE_BYTES:
-                ret=bs->renegotiate_count;
-                if ((long)num >=512)
-                        bs->renegotiate_count=(unsigned long)num;
-                break;
-        case BIO_C_GET_SSL_NUM_RENEGOTIATES:
-                ret=bs->num_renegotiates;
-                break;
-        case BIO_C_SET_SSL:
-                if (ssl != NULL)
-                        ssl_free(b);
-                b->shutdown=(int)num;
-                ssl=(SSL *)ptr;
-                ((BIO_SSL *)b->ptr)->ssl=ssl;
-                bio=SSL_get_rbio(ssl);
-                if (bio != NULL)
-                        {
-                        if (b->next_bio != NULL)
-                                BIO_push(bio,b->next_bio);
-                        b->next_bio=bio;
-                        CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO);
-                        }
-                b->init=1;
-                break;
-        case BIO_C_GET_SSL:
-                if (ptr != NULL)
-                        {
-                        sslp=(SSL **)ptr;
-                        *sslp=ssl;
-                        }
-                else
-                        ret=0;
-                break;
-        case BIO_CTRL_GET_CLOSE:
-                ret=b->shutdown;
-                break;
-        case BIO_CTRL_SET_CLOSE:
-                b->shutdown=(int)num;
-                break;
-        case BIO_CTRL_WPENDING:
-                ret=BIO_ctrl(ssl->wbio,cmd,num,ptr);
-                break;
-        case BIO_CTRL_PENDING:
-                ret=SSL_pending(ssl);
-                if (ret == 0)
-                        ret=BIO_pending(ssl->rbio);
-                break;
-        case BIO_CTRL_FLUSH:
-                BIO_clear_retry_flags(b);
-                ret=BIO_ctrl(ssl->wbio,cmd,num,ptr);
-                BIO_copy_next_retry(b);
-                break;
-        case BIO_CTRL_PUSH:
-                if ((b->next_bio != NULL) && (b->next_bio != ssl->rbio))
-                        {
-                        SSL_set_bio(ssl,b->next_bio,b->next_bio);
-                        CRYPTO_add(&b->next_bio->references,1,CRYPTO_LOCK_BIO);
-                        }
-                break;
-        case BIO_CTRL_POP:
-                /* ugly bit of a hack */
-                if (ssl->rbio != ssl->wbio) /* we are in trouble :-( */
-                        {
-                        BIO_free_all(ssl->wbio);
-                        }
-                if (b->next_bio != NULL)
-                        {
-                        CRYPTO_add(&b->next_bio->references,1,CRYPTO_LOCK_BIO);
-                        }
-                ssl->wbio=NULL;
-                ssl->rbio=NULL;
-                break;
-        case BIO_C_DO_STATE_MACHINE:
-                BIO_clear_retry_flags(b);
-                b->retry_reason=0;
-                ret=(int)SSL_do_handshake(ssl);
-                switch (SSL_get_error(ssl,(int)ret))
-                        {
-                case SSL_ERROR_WANT_READ:
-                        BIO_set_flags(b,
-                                BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY);
-                        break;
-                case SSL_ERROR_WANT_WRITE:
-                        BIO_set_flags(b,
-                                BIO_FLAGS_WRITE|BIO_FLAGS_SHOULD_RETRY);
-                        break;
-                case SSL_ERROR_WANT_CONNECT:
-                        BIO_set_flags(b,
-                                BIO_FLAGS_IO_SPECIAL|BIO_FLAGS_SHOULD_RETRY);
-                        b->retry_reason=b->next_bio->retry_reason;
-                        break;
-                default:
-                        break;
-                        }
-                break;
-        case BIO_CTRL_DUP:
-                dbio=(BIO *)ptr;
-                if (((BIO_SSL *)dbio->ptr)->ssl != NULL)
-                        SSL_free(((BIO_SSL *)dbio->ptr)->ssl);
-                ((BIO_SSL *)dbio->ptr)->ssl=SSL_dup(ssl);
-                ((BIO_SSL *)dbio->ptr)->renegotiate_count=
-                        ((BIO_SSL *)b->ptr)->renegotiate_count;
-                ((BIO_SSL *)dbio->ptr)->byte_count=
-                        ((BIO_SSL *)b->ptr)->byte_count;
-                ((BIO_SSL *)dbio->ptr)->renegotiate_timeout=
-                        ((BIO_SSL *)b->ptr)->renegotiate_timeout;
-                ((BIO_SSL *)dbio->ptr)->last_time=
-                        ((BIO_SSL *)b->ptr)->last_time;
-                ret=(((BIO_SSL *)dbio->ptr)->ssl != NULL);
-                break;
-        case BIO_C_GET_FD:
-                ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
-                break;
-        case BIO_CTRL_SET_CALLBACK:
-                {
-#if 0 /* FIXME: Should this be used?  -- Richard Levitte */
-                BIOerr(SSL_F_SSL_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                ret = -1;
-#else
-                ret=0;
-#endif
-                }
-                break;
-        case BIO_CTRL_GET_CALLBACK:
-                {
-                void (**fptr)();
-                fptr=(void (**)())ptr;
-                *fptr=SSL_get_info_callback(ssl);
-                }
-                break;
-        default:
-                ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
-                break;
-                }
-        return(ret);
-        }
-static long ssl_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
-        {
-        SSL *ssl;
-        BIO_SSL *bs;
-        long ret=1;
-        bs=(BIO_SSL *)b->ptr;
-        ssl=bs->ssl;
-        switch (cmd)
-                {
-        case BIO_CTRL_SET_CALLBACK:
-                {
-                /* FIXME: setting this via a completely different prototype
-                   seems like a crap idea */
-                SSL_set_info_callback(ssl,(void (*)(const SSL *,int,int))fp);
-                }
-                break;
-        default:
-                ret=BIO_callback_ctrl(ssl->rbio,cmd,fp);
-                break;
-                }
-        return(ret);
-        }
-static int ssl_puts(BIO *bp, const char *str)
-        {
-        int n,ret;
-        n=strlen(str);
-        ret=BIO_write(bp,str,n);
-        return(ret);
-        }
-BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx)
-        {
-#ifndef OPENSSL_NO_SOCK
-        BIO *ret=NULL,*buf=NULL,*ssl=NULL;
-        if ((buf=BIO_new(BIO_f_buffer())) == NULL)
-                return(NULL);
-        if ((ssl=BIO_new_ssl_connect(ctx)) == NULL)
-                goto err;
-        if ((ret=BIO_push(buf,ssl)) == NULL)
-                goto err;
-        return(ret);
-err:
-        if (buf != NULL) BIO_free(buf);
-        if (ssl != NULL) BIO_free(ssl);
-#endif
-        return(NULL);
-        }
-BIO *BIO_new_ssl_connect(SSL_CTX *ctx)
-        {
-        BIO *ret=NULL,*con=NULL,*ssl=NULL;
-        if ((con=BIO_new(BIO_s_connect())) == NULL)
-                return(NULL);
-        if ((ssl=BIO_new_ssl(ctx,1)) == NULL)
-                goto err;
-        if ((ret=BIO_push(ssl,con)) == NULL)
-                goto err;
-        return(ret);
-err:
-        if (con != NULL) BIO_free(con);
-        if (ret != NULL) BIO_free(ret);
-        return(NULL);
-        }
-BIO *BIO_new_ssl(SSL_CTX *ctx, int client)
-        {
-        BIO *ret;
-        SSL *ssl;
-        if ((ret=BIO_new(BIO_f_ssl())) == NULL)
-                return(NULL);
-        if ((ssl=SSL_new(ctx)) == NULL)
-                {
-                BIO_free(ret);
-                return(NULL);
-                }
-        if (client)
-                SSL_set_connect_state(ssl);
-        else
-                SSL_set_accept_state(ssl);
-                
-        BIO_set_ssl(ret,ssl,BIO_CLOSE);
-        return(ret);
-        }
-int BIO_ssl_copy_session_id(BIO *t, BIO *f)
-        {
-        t=BIO_find_type(t,BIO_TYPE_SSL);
-        f=BIO_find_type(f,BIO_TYPE_SSL);
-        if ((t == NULL) || (f == NULL))
-                return(0);
-        if (    (((BIO_SSL *)t->ptr)->ssl == NULL) || 
-                (((BIO_SSL *)f->ptr)->ssl == NULL))
-                return(0);
-        SSL_copy_session_id(((BIO_SSL *)t->ptr)->ssl,((BIO_SSL *)f->ptr)->ssl);
-        return(1);
-        }
-void BIO_ssl_shutdown(BIO *b)
-        {
-        SSL *s;
-        while (b != NULL)
-                {
-                if (b->method->type == BIO_TYPE_SSL)
-                        {
-                        s=((BIO_SSL *)b->ptr)->ssl;
-                        SSL_shutdown(s);
-                        break;
-                        }
-                b=b->next_bio;
-                }
-        }
diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf
deleted file mode 100644
index 4c1d595b0a..0000000000
--- a/src/lib/libssl/doc/openssl.cnf
+++ /dev/null
@@ -1,313 +0,0 @@
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME                    = .
-RANDFILE                = $ENV::HOME/.rnd
-# Extra OBJECT IDENTIFIER info:
-#oid_file               = $ENV::HOME/.oid
-oid_section             = new_oids
-# To use this configuration file with the "-extfile" option of the
-# "openssl x509" utility, name here the section containing the
-# X.509v3 extensions to use:
-# extensions            = 
-# (Alternatively, use a configuration file that has only
-# X.509v3 extensions in its main [= default] section.)
-[ new_oids ]
-# We can add new OIDs in here for use by 'ca' and 'req'.
-# Add a simple OID like this:
-# testoid1=1.2.3.4
-# Or use config file substitution like this:
-# testoid2=${testoid1}.5.6
-####################################################################
-[ ca ]
-default_ca      = CA_default            # The default ca section
-####################################################################
-[ CA_default ]
-dir             = ./demoCA              # Where everything is kept
-certs           = $dir/certs            # Where the issued certs are kept
-crl_dir         = $dir/crl              # Where the issued crl are kept
-database        = $dir/index.txt        # database index file.
-#unique_subject = no                    # Set to 'no' to allow creation of
-                                        # several ctificates with same subject.
-new_certs_dir   = $dir/newcerts         # default place for new certs.
-certificate     = $dir/cacert.pem       # The CA certificate
-serial          = $dir/serial           # The current serial number
-#crlnumber      = $dir/crlnumber        # the current crl number must be
-                                        # commented out to leave a V1 CRL
-crl             = $dir/crl.pem          # The current CRL
-private_key     = $dir/private/cakey.pem# The private key
-RANDFILE        = $dir/private/.rand    # private random number file
-x509_extensions = usr_cert              # The extentions to add to the cert
-# Comment out the following two lines for the "traditional"
-# (and highly broken) format.
-name_opt        = ca_default            # Subject Name options
-cert_opt        = ca_default            # Certificate field options
-# Extension copying option: use with caution.
-# copy_extensions = copy
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crlnumber must also be commented out to leave a V1 CRL.
-# crl_extensions        = crl_ext
-default_days    = 365                   # how long to certify for
-default_crl_days= 30                    # how long before next CRL
-default_md      = md5                   # which md to use.
-preserve        = no                    # keep passed DN ordering
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy          = policy_match
-# For the CA policy
-[ policy_match ]
-countryName             = match
-stateOrProvinceName     = match
-organizationName        = match
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-####################################################################
-[ req ]
-default_bits            = 1024
-default_keyfile         = privkey.pem
-distinguished_name      = req_distinguished_name
-attributes              = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-# This sets a mask for permitted string types. There are several options. 
-# default: PrintableString, T61String, BMPString.
-# pkix   : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-# req_extensions = v3_req # The extensions to add to a certificate request
-[ req_distinguished_name ]
-countryName                     = Country Name (2 letter code)
-countryName_default             = AU
-countryName_min                 = 2
-countryName_max                 = 2
-stateOrProvinceName             = State or Province Name (full name)
-stateOrProvinceName_default     = Some-State
-localityName                    = Locality Name (eg, city)
-0.organizationName              = Organization Name (eg, company)
-0.organizationName_default      = Internet Widgits Pty Ltd
-# we can do this but it is not needed normally :-)
-#1.organizationName             = Second Organization Name (eg, company)
-#1.organizationName_default     = World Wide Web Pty Ltd
-organizationalUnitName          = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-commonName                      = Common Name (eg, YOUR name)
-commonName_max                  = 64
-emailAddress                    = Email Address
-emailAddress_max                = 64
-# SET-ex3                       = SET extension number 3
-[ req_attributes ]
-challengePassword               = A challenge password
-challengePassword_min           = 4
-challengePassword_max           = 20
-unstructuredName                = An optional company name
-[ usr_cert ]
-# These extensions are added when 'ca' signs a request.
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-basicConstraints=CA:FALSE
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-# This is OK for an SSL server.
-# nsCertType                    = server
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-# For normal client use this is typical
-# nsCertType = client, email
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-# This will be displayed in Netscape's comment listbox.
-nsComment                       = "OpenSSL Generated Certificate"
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-# Copy subject details
-# issuerAltName=issuer:copy
-#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-[ v3_req ]
-# Extensions to add to a certificate request
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-[ v3_ca ]
-# Extensions for a typical CA
-# PKIX recommendation.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-# Some might want this also
-# nsCertType = sslCA, emailCA
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-[ crl_ext ]
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
-[ proxy_cert_ext ]
-# These extensions should be added when creating a proxy certificate
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-basicConstraints=CA:FALSE
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-# This is OK for an SSL server.
-# nsCertType                    = server
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-# For normal client use this is typical
-# nsCertType = client, email
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-# This will be displayed in Netscape's comment listbox.
-nsComment                       = "OpenSSL Generated Certificate"
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-# Copy subject details
-# issuerAltName=issuer:copy
-#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-# This really needs to be in place for it to be a proxy certificate.
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/src/lib/libssl/doc/openssl.txt b/src/lib/libssl/doc/openssl.txt
deleted file mode 100644
index 432a17b66c..0000000000
--- a/src/lib/libssl/doc/openssl.txt
+++ /dev/null
@@ -1,1235 +0,0 @@
-This is some preliminary documentation for OpenSSL.
-Contents:
- OpenSSL X509V3 extension configuration
- X509V3 Extension code: programmers guide
- PKCS#12 Library
-==============================================================================
-               OpenSSL X509V3 extension configuration
-==============================================================================
-OpenSSL X509V3 extension configuration: preliminary documentation.
-INTRODUCTION.
-For OpenSSL 0.9.2 the extension code has be considerably enhanced. It is now
-possible to add and print out common X509 V3 certificate and CRL extensions.
-BEGINNERS NOTE
-For most simple applications you don't need to know too much about extensions:
-the default openssl.cnf values will usually do sensible things.
-If you want to know more you can initially quickly look through the sections
-describing how the standard OpenSSL utilities display and add extensions and
-then the list of supported extensions.
-For more technical information about the meaning of extensions see:
-http://www.imc.org/ietf-pkix/
-http://home.netscape.com/eng/security/certs.html
-PRINTING EXTENSIONS.
-Extension values are automatically printed out for supported extensions.
-openssl x509 -in cert.pem -text
-openssl crl -in crl.pem -text
-will give information in the extension printout, for example:
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                73:FE:F7:59:A7:E1:26:84:44:D6:44:36:EE:79:1A:95:7C:B1:4B:15
-            X509v3 Authority Key Identifier: 
-                keyid:73:FE:F7:59:A7:E1:26:84:44:D6:44:36:EE:79:1A:95:7C:B1:4B:15, DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/Email=email@1.address/Email=email@2.address, serial:00
-            X509v3 Key Usage: 
-                Certificate Sign, CRL Sign
-            X509v3 Subject Alternative Name: 
-                email:email@1.address, email:email@2.address
-CONFIGURATION FILES.
-The OpenSSL utilities 'ca' and 'req' can now have extension sections listing
-which certificate extensions to include. In each case a line:
-x509_extensions = extension_section
-indicates which section contains the extensions. In the case of 'req' the
-extension section is used when the -x509 option is present to create a
-self signed root certificate.
-The 'x509' utility also supports extensions when it signs a certificate.
-The -extfile option is used to set the configuration file containing the
-extensions. In this case a line with:
-extensions = extension_section
-in the nameless (default) section is used. If no such line is included then
-it uses the default section.
-You can also add extensions to CRLs: a line
-crl_extensions = crl_extension_section
-will include extensions when the -gencrl option is used with the 'ca' utility.
-You can add any extension to a CRL but of the supported extensions only
-issuerAltName and authorityKeyIdentifier make any real sense. Note: these are
-CRL extensions NOT CRL *entry* extensions which cannot currently be generated.
-CRL entry extensions can be displayed.
-NB. At this time Netscape Communicator rejects V2 CRLs: to get an old V1 CRL
-you should not include a crl_extensions line in the configuration file.
-As with all configuration files you can use the inbuilt environment expansion
-to allow the values to be passed in the environment. Therefore if you have
-several extension sections used for different purposes you can have a line:
-x509_extensions = $ENV::ENV_EXT
-and set the ENV_EXT environment variable before calling the relevant utility.
-EXTENSION SYNTAX.
-Extensions have the basic form:
-extension_name=[critical,] extension_options
-the use of the critical option makes the extension critical. Extreme caution
-should be made when using the critical flag. If an extension is marked
-as critical then any client that does not understand the extension should
-reject it as invalid. Some broken software will reject certificates which
-have *any* critical extensions (these violates PKIX but we have to live
-with it).
-There are three main types of extension: string extensions, multi-valued
-extensions, and raw extensions.
-String extensions simply have a string which contains either the value itself
-or how it is obtained.
-For example:
-nsComment="This is a Comment"
-Multi-valued extensions have a short form and a long form. The short form
-is a list of names and values:
-basicConstraints=critical,CA:true,pathlen:1
-The long form allows the values to be placed in a separate section:
-basicConstraints=critical,@bs_section
-[bs_section]
-CA=true
-pathlen=1
-Both forms are equivalent. However it should be noted that in some cases the
-same name can appear multiple times, for example,
-subjectAltName=email:steve@here,email:steve@there
-in this case an equivalent long form is:
-subjectAltName=@alt_section
-[alt_section]
-email.1=steve@here
-email.2=steve@there
-This is because the configuration file code cannot handle the same name
-occurring twice in the same section.
-The syntax of raw extensions is governed by the extension code: it can
-for example contain data in multiple sections. The correct syntax to
-use is defined by the extension code itself: check out the certificate
-policies extension for an example.
-In addition it is also possible to use the word DER to include arbitrary
-data in any extension.
-1.2.3.4=critical,DER:01:02:03:04
-1.2.3.4=DER:01020304
-The value following DER is a hex dump of the DER encoding of the extension
-Any extension can be placed in this form to override the default behaviour.
-For example:
-basicConstraints=critical,DER:00:01:02:03
-WARNING: DER should be used with caution. It is possible to create totally
-invalid extensions unless care is taken.
-CURRENTLY SUPPORTED EXTENSIONS.
-If you aren't sure about extensions then they can be largely ignored: its only
-when you want to do things like restrict certificate usage when you need to
-worry about them. 
-The only extension that a beginner might want to look at is Basic Constraints.
-If in addition you want to try Netscape object signing the you should also
-look at Netscape Certificate Type.
-Literal String extensions.
-In each case the 'value' of the extension is placed directly in the
-extension. Currently supported extensions in this category are: nsBaseUrl,
-nsRevocationUrl, nsCaRevocationUrl, nsRenewalUrl, nsCaPolicyUrl,
-nsSslServerName and nsComment.
-For example:
-nsComment="This is a test comment"
-Bit Strings.
-Bit string extensions just consist of a list of supported bits, currently
-two extensions are in this category: PKIX keyUsage and the Netscape specific
-nsCertType.
-nsCertType (netscape certificate type) takes the flags: client, server, email,
-objsign, reserved, sslCA, emailCA, objCA.
-keyUsage (PKIX key usage) takes the flags: digitalSignature, nonRepudiation,
-keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign,
-encipherOnly, decipherOnly.
-For example:
-nsCertType=server
-keyUsage=digitalSignature, nonRepudiation
-Hints on Netscape Certificate Type.
-Other than Basic Constraints this is the only extension a beginner might
-want to use, if you want to try Netscape object signing, otherwise it can
-be ignored.
-If you want a certificate that can be used just for object signing then:
-nsCertType=objsign
-will do the job. If you want to use it as a normal end user and server
-certificate as well then
-nsCertType=objsign,email,server
-is more appropriate. You cannot use a self signed certificate for object
-signing (well Netscape signtool can but it cheats!) so you need to create
-a CA certificate and sign an end user certificate with it.
-Side note: If you want to conform to the Netscape specifications then you
-should really also set:
-nsCertType=objCA
-in the *CA* certificate for just an object signing CA and
-nsCertType=objCA,emailCA,sslCA
-for everything. Current Netscape software doesn't enforce this so it can
-be omitted.
-Basic Constraints.
-This is generally the only extension you need to worry about for simple
-applications. If you want your certificate to be usable as a CA certificate
-(in addition to an end user certificate) then you set this to:
-basicConstraints=CA:TRUE
-if you want to be certain the certificate cannot be used as a CA then do:
-basicConstraints=CA:FALSE
-The rest of this section describes more advanced usage.
-Basic constraints is a multi-valued extension that supports a CA and an
-optional pathlen option. The CA option takes the values true and false and
-pathlen takes an integer. Note if the CA option is false the pathlen option
-should be omitted. 
-The pathlen parameter indicates the maximum number of CAs that can appear
-below this one in a chain. So if you have a CA with a pathlen of zero it can
-only be used to sign end user certificates and not further CAs. This all
-assumes that the software correctly interprets this extension of course.
-Examples:
-basicConstraints=CA:TRUE
-basicConstraints=critical,CA:TRUE, pathlen:0
-NOTE: for a CA to be considered valid it must have the CA option set to
-TRUE. An end user certificate MUST NOT have the CA value set to true.
-According to PKIX recommendations it should exclude the extension entirely,
-however some software may require CA set to FALSE for end entity certificates.
-Extended Key Usage.
-This extensions consists of a list of usages.
-These can either be object short names of the dotted numerical form of OIDs.
-While any OID can be used only certain values make sense. In particular the
-following PKIX, NS and MS values are meaningful:
-Value                   Meaning
-----                   -------
-serverAuth              SSL/TLS Web Server Authentication.
-clientAuth              SSL/TLS Web Client Authentication.
-codeSigning             Code signing.
-emailProtection         E-mail Protection (S/MIME).
-timeStamping            Trusted Timestamping
-msCodeInd               Microsoft Individual Code Signing (authenticode)
-msCodeCom               Microsoft Commercial Code Signing (authenticode)
-msCTLSign               Microsoft Trust List Signing
-msSGC                   Microsoft Server Gated Crypto
-msEFS                   Microsoft Encrypted File System
-nsSGC                   Netscape Server Gated Crypto
-For example, under IE5 a CA can be used for any purpose: by including a list
-of the above usages the CA can be restricted to only authorised uses.
-Note: software packages may place additional interpretations on certificate 
-use, in particular some usages may only work for selected CAs. Don't for example
-expect just including msSGC or nsSGC will automatically mean that a certificate
-can be used for SGC ("step up" encryption) otherwise anyone could use it.
-Examples:
-extendedKeyUsage=critical,codeSigning,1.2.3.4
-extendedKeyUsage=nsSGC,msSGC
-Subject Key Identifier.
-This is really a string extension and can take two possible values. Either
-a hex string giving details of the extension value to include or the word
-'hash' which then automatically follow PKIX guidelines in selecting and
-appropriate key identifier. The use of the hex string is strongly discouraged.
-Example: subjectKeyIdentifier=hash
-Authority Key Identifier.
-The authority key identifier extension permits two options. keyid and issuer:
-both can take the optional value "always".
-If the keyid option is present an attempt is made to copy the subject key
-identifier from the parent certificate. If the value "always" is present
-then an error is returned if the option fails.
-The issuer option copies the issuer and serial number from the issuer
-certificate. Normally this will only be done if the keyid option fails or
-is not included: the "always" flag will always include the value.
-Subject Alternative Name.
-The subject alternative name extension allows various literal values to be
-included in the configuration file. These include "email" (an email address)
-"URI" a uniform resource indicator, "DNS" (a DNS domain name), RID (a
-registered ID: OBJECT IDENTIFIER) and IP (and IP address).
-Also the email option include a special 'copy' value. This will automatically
-include and email addresses contained in the certificate subject name in
-the extension.
-Examples:
-subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
-subjectAltName=email:my@other.address,RID:1.2.3.4
-Issuer Alternative Name.
-The issuer alternative name option supports all the literal options of
-subject alternative name. It does *not* support the email:copy option because
-that would not make sense. It does support an additional issuer:copy option
-that will copy all the subject alternative name values from the issuer 
-certificate (if possible).
-Example:
-issuserAltName = issuer:copy
-Authority Info Access.
-The authority information access extension gives details about how to access
-certain information relating to the CA. Its syntax is accessOID;location
-where 'location' has the same syntax as subject alternative name (except
-that email:copy is not supported). accessOID can be any valid OID but only
-certain values are meaningful for example OCSP and caIssuers. OCSP gives the
-location of an OCSP responder: this is used by Netscape PSM and other software.
-Example:
-authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
-authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
-CRL distribution points.
-This is a multi-valued extension that supports all the literal options of
-subject alternative name. Of the few software packages that currently interpret
-this extension most only interpret the URI option.
-Currently each option will set a new DistributionPoint with the fullName
-field set to the given value.
-Other fields like cRLissuer and reasons cannot currently be set or displayed:
-at this time no examples were available that used these fields.
-If you see this extension with <UNSUPPORTED> when you attempt to print it out
-or it doesn't appear to display correctly then let me know, including the
-certificate (mail me at steve@openssl.org) .
-Examples:
-crlDistributionPoints=URI:http://www.myhost.com/myca.crl
-crlDistributionPoints=URI:http://www.my.com/my.crl,URI:http://www.oth.com/my.crl
-Certificate Policies.
-This is a RAW extension. It attempts to display the contents of this extension:
-unfortunately this extension is often improperly encoded.
-The certificate policies extension will rarely be used in practice: few
-software packages interpret it correctly or at all. IE5 does partially
-support this extension: but it needs the 'ia5org' option because it will
-only correctly support a broken encoding. Of the options below only the
-policy OID, explicitText and CPS options are displayed with IE5.
-All the fields of this extension can be set by using the appropriate syntax.
-If you follow the PKIX recommendations of not including any qualifiers and just
-using only one OID then you just include the value of that OID. Multiple OIDs
-can be set separated by commas, for example:
-certificatePolicies= 1.2.4.5, 1.1.3.4
-If you wish to include qualifiers then the policy OID and qualifiers need to
-be specified in a separate section: this is done by using the @section syntax
-instead of a literal OID value.
-The section referred to must include the policy OID using the name
-policyIdentifier, cPSuri qualifiers can be included using the syntax:
-CPS.nnn=value
-userNotice qualifiers can be set using the syntax:
-userNotice.nnn=@notice
-The value of the userNotice qualifier is specified in the relevant section.
-This section can include explicitText, organization and noticeNumbers
-options. explicitText and organization are text strings, noticeNumbers is a
-comma separated list of numbers. The organization and noticeNumbers options
-(if included) must BOTH be present. If you use the userNotice option with IE5
-then you need the 'ia5org' option at the top level to modify the encoding:
-otherwise it will not be interpreted properly.
-Example:
-certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
-[polsect]
-policyIdentifier = 1.3.5.8
-CPS.1="http://my.host.name/"
-CPS.2="http://my.your.name/"
-userNotice.1=@notice
-[notice]
-explicitText="Explicit Text Here"
-organization="Organisation Name"
-noticeNumbers=1,2,3,4
-TECHNICAL NOTE: the ia5org option changes the type of the 'organization' field,
-according to PKIX it should be of type DisplayText but Verisign uses an 
-IA5STRING and IE5 needs this too.
-Display only extensions.
-Some extensions are only partially supported and currently are only displayed
-but cannot be set. These include private key usage period, CRL number, and
-CRL reason.
-==============================================================================
-                X509V3 Extension code: programmers guide
-==============================================================================
-The purpose of the extension code is twofold. It allows an extension to be
-created from a string or structure describing its contents and it prints out an
-extension in a human or machine readable form.
-1. Initialisation and cleanup.
-No special initialisation is needed before calling the extension functions.
-You used to have to call X509V3_add_standard_extensions(); but this is no longer
-required and this function no longer does anything.
-void X509V3_EXT_cleanup(void);
-This function should be called to cleanup the extension code if any custom
-extensions have been added. If no custom extensions have been added then this
-call does nothing. After this call all custom extension code is freed up but
-you can still use the standard extensions.
-2. Printing and parsing extensions.
-The simplest way to print out extensions is via the standard X509 printing
-routines: if you use the standard X509_print() function, the supported
-extensions will be printed out automatically.
-The following functions allow finer control over extension display:
-int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent);
-int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
-These two functions print out an individual extension to a BIO or FILE pointer.
-Currently the flag argument is unused and should be set to 0. The 'indent'
-argument is the number of spaces to indent each line.
-void *X509V3_EXT_d2i(X509_EXTENSION *ext);
-This function parses an extension and returns its internal structure. The
-precise structure you get back depends on the extension being parsed. If the
-extension if basicConstraints you will get back a pointer to a
-BASIC_CONSTRAINTS structure. Check out the source in crypto/x509v3 for more
-details about the structures returned. The returned structure should be freed
-after use using the relevant free function, BASIC_CONSTRAINTS_free() for 
-example.
-void    *       X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx);
-void    *       X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx);
-void    *       X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx);
-void    *       X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx);
-These functions combine the operations of searching for extensions and
-parsing them. They search a certificate, a CRL a CRL entry or a stack
-of extensions respectively for extension whose NID is 'nid' and return
-the parsed result of NULL if an error occurred. For example:
-BASIC_CONSTRAINTS *bs;
-bs = X509_get_ext_d2i(cert, NID_basic_constraints, NULL, NULL);
-This will search for the basicConstraints extension and either return
-it value or NULL. NULL can mean either the extension was not found, it
-occurred more than once or it could not be parsed.
-If 'idx' is NULL then an extension is only parsed if it occurs precisely
-once. This is standard behaviour because extensions normally cannot occur
-more than once. If however more than one extension of the same type can
-occur it can be used to parse successive extensions for example:
-int i;
-void *ext;
-i = -1;
-for(;;) {
-        ext = X509_get_ext_d2i(x, nid, crit, &idx);
-        if(ext == NULL) break;
-         /* Do something with ext */
-}
-If 'crit' is not NULL and the extension was found then the int it points to
-is set to 1 for critical extensions and 0 for non critical. Therefore if the
-function returns NULL but 'crit' is set to 0 or 1 then the extension was
-found but it could not be parsed.
-The int pointed to by crit will be set to -1 if the extension was not found
-and -2 if the extension occurred more than once (this will only happen if
-idx is NULL). In both cases the function will return NULL.
-3. Generating extensions.
-An extension will typically be generated from a configuration file, or some
-other kind of configuration database.
-int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
-                                                                 X509 *cert);
-int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
-                                                                 X509_CRL *crl);
-These functions add all the extensions in the given section to the given
-certificate or CRL. They will normally be called just before the certificate
-or CRL is due to be signed. Both return 0 on error on non zero for success.
-In each case 'conf' is the LHASH pointer of the configuration file to use
-and 'section' is the section containing the extension details.
-See the 'context functions' section for a description of the ctx parameter.
-X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
-                                                                 char *value);
-This function returns an extension based on a name and value pair, if the
-pair will not need to access other sections in a config file (or there is no
-config file) then the 'conf' parameter can be set to NULL.
-X509_EXTENSION *X509V3_EXT_conf_nid(char *conf, X509V3_CTX *ctx, int nid,
-                                                                 char *value);
-This function creates an extension in the same way as X509V3_EXT_conf() but
-takes the NID of the extension rather than its name.
-For example to produce basicConstraints with the CA flag and a path length of
-10:
-x = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,"CA:TRUE,pathlen:10");
-X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
-This function sets up an extension from its internal structure. The ext_nid
-parameter is the NID of the extension and 'crit' is the critical flag.
-4. Context functions.
-The following functions set and manipulate an extension context structure.
-The purpose of the extension context is to allow the extension code to
-access various structures relating to the "environment" of the certificate:
-for example the issuers certificate or the certificate request.
-void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
-                                 X509_REQ *req, X509_CRL *crl, int flags);
-This function sets up an X509V3_CTX structure with details of the certificate
-environment: specifically the issuers certificate, the subject certificate,
-the certificate request and the CRL: if these are not relevant or not
-available then they can be set to NULL. The 'flags' parameter should be set
-to zero.
-X509V3_set_ctx_test(ctx)
-This macro is used to set the 'ctx' structure to a 'test' value: this is to
-allow the syntax of an extension (or configuration file) to be tested.
-X509V3_set_ctx_nodb(ctx)
-This macro is used when no configuration database is present.
-void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash);
-This function is used to set the configuration database when it is an LHASH
-structure: typically a configuration file.
-The following functions are used to access a configuration database: they
-should only be used in RAW extensions.
-char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
-This function returns the value of the parameter "name" in "section", or NULL
-if there has been an error.
-void X509V3_string_free(X509V3_CTX *ctx, char *str);
-This function frees up the string returned by the above function.
-STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section);
-This function returns a whole section as a STACK_OF(CONF_VALUE) .
-void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
-This function frees up the STACK returned by the above function.
-Note: it is possible to use the extension code with a custom configuration
-database. To do this the "db_meth" element of the X509V3_CTX structure should
-be set to an X509V3_CTX_METHOD structure. This structure contains the following
-function pointers:
-char * (*get_string)(void *db, char *section, char *value);
-STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section);
-void (*free_string)(void *db, char * string);
-void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
-these will be called and passed the 'db' element in the X509V3_CTX structure
-to access the database. If a given function is not implemented or not required
-it can be set to NULL.
-5. String helper functions.
-There are several "i2s" and "s2i" functions that convert structures to and
-from ASCII strings. In all the "i2s" cases the returned string should be
-freed using Free() after use. Since some of these are part of other extension
-code they may take a 'method' parameter. Unless otherwise stated it can be
-safely set to NULL.
-char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct);
-This returns a hex string from an ASN1_OCTET_STRING.
-char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint);
-char * i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
-These return a string decimal representations of an ASN1_INTEGER and an
-ASN1_ENUMERATED type, respectively.
-ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
-                                                   X509V3_CTX *ctx, char *str);
-This converts an ASCII hex string to an ASN1_OCTET_STRING.
-ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value);
-This converts a decimal ASCII string into an ASN1_INTEGER.
-6. Multi valued extension helper functions.
-The following functions can be used to manipulate STACKs of CONF_VALUE
-structures, as used by multi valued extensions.
-int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
-This function expects a boolean value in 'value' and sets 'asn1_bool' to
-it. That is it sets it to 0 for FALSE or 0xff for TRUE. The following
-strings are acceptable: "TRUE", "true", "Y", "y", "YES", "yes", "FALSE"
-"false", "N", "n", "NO" or "no".
-int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
-This accepts a decimal integer of arbitrary length and sets an ASN1_INTEGER.
-int X509V3_add_value(const char *name, const char *value,
-                                                STACK_OF(CONF_VALUE) **extlist);
-This simply adds a string name and value pair.
-int X509V3_add_value_uchar(const char *name, const unsigned char *value,
-                                                STACK_OF(CONF_VALUE) **extlist);
-The same as above but for an unsigned character value.
-int X509V3_add_value_bool(const char *name, int asn1_bool,
-                                                STACK_OF(CONF_VALUE) **extlist);
-This adds either "TRUE" or "FALSE" depending on the value of 'asn1_bool'
-int X509V3_add_value_bool_nf(char *name, int asn1_bool,
-                                                STACK_OF(CONF_VALUE) **extlist);
-This is the same as above except it adds nothing if asn1_bool is FALSE.
-int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
-                                                STACK_OF(CONF_VALUE) **extlist);
-This function adds the value of the ASN1_INTEGER in decimal form.
-7. Other helper functions.
-<to be added>
-ADDING CUSTOM EXTENSIONS.
-Currently there are three types of supported extensions. 
-String extensions are simple strings where the value is placed directly in the
-extensions, and the string returned is printed out.
-Multi value extensions are passed a STACK_OF(CONF_VALUE) name and value pairs
-or return a STACK_OF(CONF_VALUE).
-Raw extensions are just passed a BIO or a value and it is the extensions
-responsibility to handle all the necessary printing.
-There are two ways to add an extension. One is simply as an alias to an already
-existing extension. An alias is an extension that is identical in ASN1 structure
-to an existing extension but has a different OBJECT IDENTIFIER. This can be
-done by calling:
-int X509V3_EXT_add_alias(int nid_to, int nid_from);
-'nid_to' is the new extension NID and 'nid_from' is the already existing
-extension NID.
-Alternatively an extension can be written from scratch. This involves writing
-the ASN1 code to encode and decode the extension and functions to print out and
-generate the extension from strings. The relevant functions are then placed in
-a X509V3_EXT_METHOD structure and int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
-called.
-The X509V3_EXT_METHOD structure is described below.
-strut {
-int ext_nid;
-int ext_flags;
-X509V3_EXT_NEW ext_new;
-X509V3_EXT_FREE ext_free;
-X509V3_EXT_D2I d2i;
-X509V3_EXT_I2D i2d;
-X509V3_EXT_I2S i2s;
-X509V3_EXT_S2I s2i;
-X509V3_EXT_I2V i2v;
-X509V3_EXT_V2I v2i;
-X509V3_EXT_R2I r2i;
-X509V3_EXT_I2R i2r;
-void *usr_data;
-};
-The elements have the following meanings.
-ext_nid         is the NID of the object identifier of the extension.
-ext_flags       is set of flags. Currently the only external flag is
-                X509V3_EXT_MULTILINE which means a multi valued extensions
-                should be printed on separate lines.
-usr_data        is an extension specific pointer to any relevant data. This
-                allows extensions to share identical code but have different
-                uses. An example of this is the bit string extension which uses
-                usr_data to contain a list of the bit names.
-All the remaining elements are function pointers.
-ext_new         is a pointer to a function that allocates memory for the
-                extension ASN1 structure: for example ASN1_OBJECT_new().
-ext_free        is a pointer to a function that free up memory of the extension
-                ASN1 structure: for example ASN1_OBJECT_free().
-d2i             is the standard ASN1 function that converts a DER buffer into
-                the internal ASN1 structure: for example d2i_ASN1_IA5STRING().
-i2d             is the standard ASN1 function that converts the internal
-                structure into the DER representation: for example
-                i2d_ASN1_IA5STRING().
-The remaining functions are depend on the type of extension. One i2X and
-one X2i should be set and the rest set to NULL. The types set do not need
-to match up, for example the extension could be set using the multi valued
-v2i function and printed out using the raw i2r.
-All functions have the X509V3_EXT_METHOD passed to them in the 'method'
-parameter and an X509V3_CTX structure. Extension code can then access the
-parent structure via the 'method' parameter to for example make use of the value
-of usr_data. If the code needs to use detail relating to the request it can
-use the 'ctx' parameter.
-A note should be given here about the 'flags' member of the 'ctx' parameter.
-If it has the value CTX_TEST then the configuration syntax is being checked
-and no actual certificate or CRL exists. Therefore any attempt in the config
-file to access such information should silently succeed. If the syntax is OK
-then it should simply return a (possibly bogus) extension, otherwise it
-should return NULL.
-char *i2s(struct v3_ext_method *method, void *ext);
-This function takes the internal structure in the ext parameter and returns
-a Malloc'ed string representing its value.
-void * s2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
-This function takes the string representation in the ext parameter and returns
-an allocated internal structure: ext_free() will be used on this internal
-structure after use.
-i2v and v2i handle a STACK_OF(CONF_VALUE):
-typedef struct
-{
-        char *section;
-        char *name;
-        char *value;
-} CONF_VALUE;
-Only the name and value members are currently used.
-STACK_OF(CONF_VALUE) * i2v(struct v3_ext_method *method, void *ext);
-This function is passed the internal structure in the ext parameter and
-returns a STACK of CONF_VALUE structures. The values of name, value,
-section and the structure itself will be freed up with Free after use.
-Several helper functions are available to add values to this STACK.
-void * v2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx,
-                                                STACK_OF(CONF_VALUE) *values);
-This function takes a STACK_OF(CONF_VALUE) structures and should set the
-values of the external structure. This typically uses the name element to
-determine which structure element to set and the value element to determine
-what to set it to. Several helper functions are available for this
-purpose (see above).
-int i2r(struct v3_ext_method *method, void *ext, BIO *out, int indent);
-This function is passed the internal extension structure in the ext parameter
-and sends out a human readable version of the extension to out. The 'indent'
-parameter should be noted to determine the necessary amount of indentation
-needed on the output.
-void * r2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
-This is just passed the string representation of the extension. It is intended
-to be used for more elaborate extensions where the standard single and multi
-valued options are insufficient. They can use the 'ctx' parameter to parse the
-configuration database themselves. See the context functions section for details
-of how to do this.
-Note: although this type takes the same parameters as the "r2s" function there
-is a subtle difference. Whereas an "r2i" function can access a configuration
-database an "s2i" function MUST NOT. This is so the internal code can safely
-assume that an "s2i" function will work without a configuration database.
-==============================================================================
-                            PKCS#12 Library
-==============================================================================
-This section describes the internal PKCS#12 support. There are very few
-differences between the old external library and the new internal code at
-present. This may well change because the external library will not be updated
-much in future.
-This version now includes a couple of high level PKCS#12 functions which
-generally "do the right thing" and should make it much easier to handle PKCS#12
-structures.
-HIGH LEVEL FUNCTIONS.
-For most applications you only need concern yourself with the high level
-functions. They can parse and generate simple PKCS#12 files as produced by
-Netscape and MSIE or indeed any compliant PKCS#12 file containing a single
-private key and certificate pair.
-1. Initialisation and cleanup.
-No special initialisation is needed for the internal PKCS#12 library: the 
-standard SSLeay_add_all_algorithms() is sufficient. If you do not wish to
-add all algorithms (you should at least add SHA1 though) then you can manually
-initialise the PKCS#12 library with:
-PKCS12_PBE_add();
-The memory allocated by the PKCS#12 library is freed up when EVP_cleanup() is
-called or it can be directly freed with:
-EVP_PBE_cleanup();
-after this call (or EVP_cleanup() ) no more PKCS#12 library functions should
-be called.
-2. I/O functions.
-i2d_PKCS12_bio(bp, p12)
-This writes out a PKCS12 structure to a BIO.
-i2d_PKCS12_fp(fp, p12)
-This is the same but for a FILE pointer.
-d2i_PKCS12_bio(bp, p12)
-This reads in a PKCS12 structure from a BIO.
-d2i_PKCS12_fp(fp, p12)
-This is the same but for a FILE pointer.
-3. High level functions.
-3.1 Parsing with PKCS12_parse().
-int PKCS12_parse(PKCS12 *p12, char *pass, EVP_PKEY **pkey, X509 **cert,
-                                                                 STACK **ca);
-This function takes a PKCS12 structure and a password (ASCII, null terminated)
-and returns the private key, the corresponding certificate and any CA
-certificates. If any of these is not required it can be passed as a NULL.
-The 'ca' parameter should be either NULL, a pointer to NULL or a valid STACK
-structure. Typically to read in a PKCS#12 file you might do:
-p12 = d2i_PKCS12_fp(fp, NULL);
-PKCS12_parse(p12, password, &pkey, &cert, NULL);        /* CAs not wanted */
-PKCS12_free(p12);
-3.2 PKCS#12 creation with PKCS12_create().
-PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
-                        STACK *ca, int nid_key, int nid_cert, int iter,
-                                                 int mac_iter, int keytype);
-This function will create a PKCS12 structure from a given password, name,
-private key, certificate and optional STACK of CA certificates. The remaining
-5 parameters can be set to 0 and sensible defaults will be used.
-The parameters nid_key and nid_cert are the key and certificate encryption
-algorithms, iter is the encryption iteration count, mac_iter is the MAC
-iteration count and keytype is the type of private key. If you really want
-to know what these last 5 parameters do then read the low level section.
-Typically to create a PKCS#12 file the following could be used:
-p12 = PKCS12_create(pass, "My Certificate", pkey, cert, NULL, 0,0,0,0,0);
-i2d_PKCS12_fp(fp, p12);
-PKCS12_free(p12);
-3.3 Changing a PKCS#12 structure password.
-int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass);
-This changes the password of an already existing PKCS#12 structure. oldpass
-is the old password and newpass is the new one. An error occurs if the old
-password is incorrect.
-LOW LEVEL FUNCTIONS.
-In some cases the high level functions do not provide the necessary
-functionality. For example if you want to generate or parse more complex
-PKCS#12 files. The sample pkcs12 application uses the low level functions
-to display details about the internal structure of a PKCS#12 file.
-Introduction.
-This is a brief description of how a PKCS#12 file is represented internally:
-some knowledge of PKCS#12 is assumed.
-A PKCS#12 object contains several levels.
-At the lowest level is a PKCS12_SAFEBAG. This can contain a certificate, a
-CRL, a private key, encrypted or unencrypted, a set of safebags (so the
-structure can be nested) or other secrets (not documented at present). 
-A safebag can optionally have attributes, currently these are: a unicode
-friendlyName (a Unicode string) or a localKeyID (a string of bytes).
-At the next level is an authSafe which is a set of safebags collected into
-a PKCS#7 ContentInfo. This can be just plain data, or encrypted itself.
-At the top level is the PKCS12 structure itself which contains a set of
-authSafes in an embedded PKCS#7 Contentinfo of type data. In addition it
-contains a MAC which is a kind of password protected digest to preserve
-integrity (so any unencrypted stuff below can't be tampered with).
-The reason for these levels is so various objects can be encrypted in various
-ways. For example you might want to encrypt a set of private keys with
-triple-DES and then include the related certificates either unencrypted or
-with lower encryption. Yes it's the dreaded crypto laws at work again which
-allow strong encryption on private keys and only weak encryption on other
-stuff.
-To build one of these things you turn all certificates and keys into safebags
-(with optional attributes). You collect the safebags into (one or more) STACKS
-and convert these into authsafes (encrypted or unencrypted).  The authsafes
-are collected into a STACK and added to a PKCS12 structure.  Finally a MAC
-inserted.
-Pulling one apart is basically the reverse process. The MAC is verified against
-the given password. The authsafes are extracted and each authsafe split into
-a set of safebags (possibly involving decryption). Finally the safebags are
-decomposed into the original keys and certificates and the attributes used to
-match up private key and certificate pairs.
-Anyway here are the functions that do the dirty work.
-1. Construction functions.
-1.1 Safebag functions.
-M_PKCS12_x5092certbag(x509)
-This macro takes an X509 structure and returns a certificate bag. The
-X509 structure can be freed up after calling this function.
-M_PKCS12_x509crl2certbag(crl)
-As above but for a CRL.
-PKCS8_PRIV_KEY_INFO *PKEY2PKCS8(EVP_PKEY *pkey)
-Take a private key and convert it into a PKCS#8 PrivateKeyInfo structure.
-Works for both RSA and DSA private keys. NB since the PKCS#8 PrivateKeyInfo
-structure contains a private key data in plain text form it should be free'd
-up as soon as it has been encrypted for security reasons (freeing up the
-structure zeros out the sensitive data). This can be done with
-PKCS8_PRIV_KEY_INFO_free().
-PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage)
-This sets the key type when a key is imported into MSIE or Outlook 98. Two
-values are currently supported: KEY_EX and KEY_SIG. KEY_EX is an exchange type
-key that can also be used for signing but its size is limited in the export
-versions of MS software to 512 bits, it is also the default. KEY_SIG is a
-signing only key but the keysize is unlimited (well 16K is supposed to work).
-If you are using the domestic version of MSIE then you can ignore this because
-KEY_EX is not limited and can be used for both.
-PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8)
-Convert a PKCS8 private key structure into a keybag. This routine embeds the
-p8 structure in the keybag so p8 should not be freed up or used after it is
-called.  The p8 structure will be freed up when the safebag is freed.
-PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8)
-Convert a PKCS#8 structure into a shrouded key bag (encrypted). p8 is not
-embedded and can be freed up after use.
-int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen)
-int PKCS12_add_friendlyname(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen)
-Add a local key id or a friendlyname to a safebag.
-1.2 Authsafe functions.
-PKCS7 *PKCS12_pack_p7data(STACK *sk)
-Take a stack of safebags and convert them into an unencrypted authsafe. The
-stack of safebags can be freed up after calling this function.
-PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, STACK *bags);
-As above but encrypted.
-1.3 PKCS12 functions.
-PKCS12 *PKCS12_init(int mode)
-Initialise a PKCS12 structure (currently mode should be NID_pkcs7_data).
-M_PKCS12_pack_authsafes(p12, safes)
-This macro takes a STACK of authsafes and adds them to a PKCS#12 structure.
-int PKCS12_set_mac(PKCS12 *p12, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, EVP_MD *md_type);
-Add a MAC to a PKCS12 structure. If EVP_MD is NULL use SHA-1, the spec suggests
-that SHA-1 should be used.
-2. Extraction Functions.
-2.1 Safebags.
-M_PKCS12_bag_type(bag)
-Return the type of "bag". Returns one of the following
-NID_keyBag
-NID_pkcs8ShroudedKeyBag                 7
-NID_certBag                             8
-NID_crlBag                              9
-NID_secretBag                           10
-NID_safeContentsBag                     11
-M_PKCS12_cert_bag_type(bag)
-Returns type of certificate bag, following are understood.
-NID_x509Certificate                     14
-NID_sdsiCertificate                     15
-M_PKCS12_crl_bag_type(bag)
-Returns crl bag type, currently only NID_crlBag is recognised.
-M_PKCS12_certbag2x509(bag)
-This macro extracts an X509 certificate from a certificate bag.
-M_PKCS12_certbag2x509crl(bag)
-As above but for a CRL.
-EVP_PKEY * PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8)
-Extract a private key from a PKCS8 private key info structure.
-M_PKCS12_decrypt_skey(bag, pass, passlen) 
-Decrypt a shrouded key bag and return a PKCS8 private key info structure.
-Works with both RSA and DSA keys
-char *PKCS12_get_friendlyname(bag)
-Returns the friendlyName of a bag if present or NULL if none. The returned
-string is a null terminated ASCII string allocated with Malloc(). It should 
-thus be freed up with Free() after use.
-2.2 AuthSafe functions.
-M_PKCS12_unpack_p7data(p7)
-Extract a STACK of safe bags from a PKCS#7 data ContentInfo.
-#define M_PKCS12_unpack_p7encdata(p7, pass, passlen)
-As above but for an encrypted content info.
-2.3 PKCS12 functions.
-M_PKCS12_unpack_authsafes(p12)
-Extract a STACK of authsafes from a PKCS12 structure.
-M_PKCS12_mac_present(p12)
-Check to see if a MAC is present.
-int PKCS12_verify_mac(PKCS12 *p12, unsigned char *pass, int passlen)
-Verify a MAC on a PKCS12 structure. Returns an error if MAC not present.
-Notes.
-1. All the function return 0 or NULL on error.
-2. Encryption based functions take a common set of parameters. These are
-described below.
-pass, passlen
-ASCII password and length. The password on the MAC is called the "integrity
-password" the encryption password is called the "privacy password" in the
-PKCS#12 documentation. The passwords do not have to be the same. If -1 is
-passed for the length it is worked out by the function itself (currently
-this is sometimes done whatever is passed as the length but that may change).
-salt, saltlen
-A 'salt' if salt is NULL a random salt is used. If saltlen is also zero a
-default length is used.
-iter
-Iteration count. This is a measure of how many times an internal function is
-called to encrypt the data. The larger this value is the longer it takes, it
-makes dictionary attacks on passwords harder. NOTE: Some implementations do
-not support an iteration count on the MAC. If the password for the MAC and
-encryption is the same then there is no point in having a high iteration
-count for encryption if the MAC has no count. The MAC could be attacked
-and the password used for the main decryption.
-pbe_nid
-This is the NID of the password based encryption method used. The following are
-supported.
-NID_pbe_WithSHA1And128BitRC4
-NID_pbe_WithSHA1And40BitRC4
-NID_pbe_WithSHA1And3_Key_TripleDES_CBC
-NID_pbe_WithSHA1And2_Key_TripleDES_CBC
-NID_pbe_WithSHA1And128BitRC2_CBC
-NID_pbe_WithSHA1And40BitRC2_CBC
-Which you use depends on the implementation you are exporting to. "Export
-grade" (i.e. cryptographically challenged) products cannot support all
-algorithms. Typically you may be able to use any encryption on shrouded key
-bags but they must then be placed in an unencrypted authsafe. Other authsafes
-may only support 40bit encryption. Of course if you are using SSLeay
-throughout you can strongly encrypt everything and have high iteration counts
-on everything.
-3. For decryption routines only the password and length are needed.
-4. Unlike the external version the nid's of objects are the values of the
-constants: that is NID_certBag is the real nid, therefore there is no 
-PKCS12_obj_offset() function.  Note the object constants are not the same as
-those of the external version. If you use these constants then you will need
-to recompile your code.
-5. With the exception of PKCS12_MAKE_KEYBAG(), after calling any function or 
-macro of the form PKCS12_MAKE_SOMETHING(other) the "other" structure can be
-reused or freed up safely.
diff --git a/src/lib/libssl/doc/standards.txt b/src/lib/libssl/doc/standards.txt
deleted file mode 100644
index f6675b574b..0000000000
--- a/src/lib/libssl/doc/standards.txt
+++ /dev/null
@@ -1,261 +0,0 @@
-Standards related to OpenSSL
-============================
-[Please, this is currently a draft.  I made a first try at finding
- documents that describe parts of what OpenSSL implements.  There are
- big gaps, and I've most certainly done something wrong.  Please
- correct whatever is...  Also, this note should be removed when this
- file is reaching a somewhat correct state.        -- Richard Levitte]
-All pointers in here will be either URL's or blobs of text borrowed
-from miscellaneous indexes, like rfc-index.txt (index of RFCs),
-1id-index.txt (index of Internet drafts) and the like.
-To find the latest possible RFCs, it's recommended to either browse
-ftp://ftp.isi.edu/in-notes/ or go to http://www.rfc-editor.org/ and
-use the search mechanism found there.
-To find the latest possible Internet drafts, it's recommended to
-browse ftp://ftp.isi.edu/internet-drafts/.
-To find the latest possible PKCS, it's recommended to browse
-http://www.rsasecurity.com/rsalabs/pkcs/.
-Implemented:
------------
-These are documents that describe things that are implemented (in
-whole or at least great parts) in OpenSSL.
-1319 The MD2 Message-Digest Algorithm. B. Kaliski. April 1992.
-     (Format: TXT=25661 bytes) (Status: INFORMATIONAL)
-1320 The MD4 Message-Digest Algorithm. R. Rivest. April 1992. (Format:
-     TXT=32407 bytes) (Status: INFORMATIONAL)
-1321 The MD5 Message-Digest Algorithm. R. Rivest. April 1992. (Format:
-     TXT=35222 bytes) (Status: INFORMATIONAL)
-2246 The TLS Protocol Version 1.0. T. Dierks, C. Allen. January 1999.
-     (Format: TXT=170401 bytes) (Status: PROPOSED STANDARD)
-2268 A Description of the RC2(r) Encryption Algorithm. R. Rivest.
-     January 1998. (Format: TXT=19048 bytes) (Status: INFORMATIONAL)
-2315 PKCS 7: Cryptographic Message Syntax Version 1.5. B. Kaliski.
-     March 1998. (Format: TXT=69679 bytes) (Status: INFORMATIONAL)
-PKCS#8: Private-Key Information Syntax Standard
-PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
-2560 X.509 Internet Public Key Infrastructure Online Certificate
-     Status Protocol - OCSP. M. Myers, R. Ankney, A. Malpani, S. Galperin,
-     C. Adams. June 1999. (Format: TXT=43243 bytes) (Status: PROPOSED
-     STANDARD)
-2712 Addition of Kerberos Cipher Suites to Transport Layer Security
-     (TLS). A. Medvinsky, M. Hur. October 1999. (Format: TXT=13763 bytes)
-     (Status: PROPOSED STANDARD)
-2898 PKCS #5: Password-Based Cryptography Specification Version 2.0.
-     B. Kaliski. September 2000. (Format: TXT=68692 bytes) (Status:
-     INFORMATIONAL)
-2986 PKCS #10: Certification Request Syntax Specification Version 1.7.
-     M. Nystrom, B. Kaliski. November 2000. (Format: TXT=27794 bytes)
-     (Obsoletes RFC2314) (Status: INFORMATIONAL)
-3174 US Secure Hash Algorithm 1 (SHA1). D. Eastlake 3rd, P. Jones.
-     September 2001. (Format: TXT=35525 bytes) (Status: INFORMATIONAL)
-3268 Advanced Encryption Standard (AES) Ciphersuites for Transport
-     Layer Security (TLS). P. Chown. June 2002. (Format: TXT=13530 bytes)
-     (Status: PROPOSED STANDARD)
-3279 Algorithms and Identifiers for the Internet X.509 Public Key
-     Infrastructure Certificate and Certificate Revocation List (CRL)
-     Profile. L. Bassham, W. Polk, R. Housley. April 2002. (Format:
-     TXT=53833 bytes) (Status: PROPOSED STANDARD)
-3280 Internet X.509 Public Key Infrastructure Certificate and
-     Certificate Revocation List (CRL) Profile. R. Housley, W. Polk, W.
-     Ford, D. Solo. April 2002. (Format: TXT=295556 bytes) (Obsoletes
-     RFC2459) (Status: PROPOSED STANDARD)
-3447 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography
-     Specifications Version 2.1. J. Jonsson, B. Kaliski. February 2003.
-     (Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status:           
-     INFORMATIONAL)                                         
-3820 Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate
-     Profile. S. Tuecke, V. Welch, D. Engert, L. Pearlman, M. Thompson.
-     June 2004. (Format: TXT=86374 bytes) (Status: PROPOSED STANDARD)
-Related:
--------
-These are documents that are close to OpenSSL, for example the
-STARTTLS documents.
-1421 Privacy Enhancement for Internet Electronic Mail: Part I: Message
-     Encryption and Authentication Procedures. J. Linn. February 1993.
-     (Format: TXT=103894 bytes) (Obsoletes RFC1113) (Status: PROPOSED
-     STANDARD)
-1422 Privacy Enhancement for Internet Electronic Mail: Part II:
-     Certificate-Based Key Management. S. Kent. February 1993. (Format:
-     TXT=86085 bytes) (Obsoletes RFC1114) (Status: PROPOSED STANDARD)
-1423 Privacy Enhancement for Internet Electronic Mail: Part III:
-     Algorithms, Modes, and Identifiers. D. Balenson. February 1993.
-     (Format: TXT=33277 bytes) (Obsoletes RFC1115) (Status: PROPOSED
-     STANDARD)
-1424 Privacy Enhancement for Internet Electronic Mail: Part IV: Key
-     Certification and Related Services. B. Kaliski. February 1993.
-     (Format: TXT=17537 bytes) (Status: PROPOSED STANDARD)
-2025 The Simple Public-Key GSS-API Mechanism (SPKM). C. Adams. October
-     1996. (Format: TXT=101692 bytes) (Status: PROPOSED STANDARD)
-2510 Internet X.509 Public Key Infrastructure Certificate Management
-     Protocols. C. Adams, S. Farrell. March 1999. (Format: TXT=158178
-     bytes) (Status: PROPOSED STANDARD)
-2511 Internet X.509 Certificate Request Message Format. M. Myers, C.
-     Adams, D. Solo, D. Kemp. March 1999. (Format: TXT=48278 bytes)
-     (Status: PROPOSED STANDARD)
-2527 Internet X.509 Public Key Infrastructure Certificate Policy and
-     Certification Practices Framework. S. Chokhani, W. Ford. March 1999.
-     (Format: TXT=91860 bytes) (Status: INFORMATIONAL)
-2538 Storing Certificates in the Domain Name System (DNS). D. Eastlake
-     3rd, O. Gudmundsson. March 1999. (Format: TXT=19857 bytes) (Status:
-     PROPOSED STANDARD)
-2539 Storage of Diffie-Hellman Keys in the Domain Name System (DNS).
-     D. Eastlake 3rd. March 1999. (Format: TXT=21049 bytes) (Status:
-     PROPOSED STANDARD)
-2559 Internet X.509 Public Key Infrastructure Operational Protocols -
-     LDAPv2. S. Boeyen, T. Howes, P. Richard. April 1999. (Format:
-     TXT=22889 bytes) (Updates RFC1778) (Status: PROPOSED STANDARD)
-2585 Internet X.509 Public Key Infrastructure Operational Protocols:
-     FTP and HTTP. R. Housley, P. Hoffman. May 1999. (Format: TXT=14813
-     bytes) (Status: PROPOSED STANDARD)
-2587 Internet X.509 Public Key Infrastructure LDAPv2 Schema. S.
-     Boeyen, T. Howes, P. Richard. June 1999. (Format: TXT=15102 bytes)
-     (Status: PROPOSED STANDARD)
-2595 Using TLS with IMAP, POP3 and ACAP. C. Newman. June 1999.
-     (Format: TXT=32440 bytes) (Status: PROPOSED STANDARD)
-2631 Diffie-Hellman Key Agreement Method. E. Rescorla. June 1999.
-     (Format: TXT=25932 bytes) (Status: PROPOSED STANDARD)
-2632 S/MIME Version 3 Certificate Handling. B. Ramsdell, Ed.. June
-     1999. (Format: TXT=27925 bytes) (Status: PROPOSED STANDARD)
-2716 PPP EAP TLS Authentication Protocol. B. Aboba, D. Simon. October
-     1999. (Format: TXT=50108 bytes) (Status: EXPERIMENTAL)
-2773 Encryption using KEA and SKIPJACK. R. Housley, P. Yee, W. Nace.
-     February 2000. (Format: TXT=20008 bytes) (Updates RFC0959) (Status:
-     EXPERIMENTAL)
-2797 Certificate Management Messages over CMS. M. Myers, X. Liu, J.
-     Schaad, J. Weinstein. April 2000. (Format: TXT=103357 bytes) (Status:
-     PROPOSED STANDARD)
-2817 Upgrading to TLS Within HTTP/1.1. R. Khare, S. Lawrence. May
-     2000. (Format: TXT=27598 bytes) (Updates RFC2616) (Status: PROPOSED
-     STANDARD)
-2818 HTTP Over TLS. E. Rescorla. May 2000. (Format: TXT=15170 bytes)
-     (Status: INFORMATIONAL)
-2876 Use of the KEA and SKIPJACK Algorithms in CMS. J. Pawling. July
-     2000. (Format: TXT=29265 bytes) (Status: INFORMATIONAL)
-2984 Use of the CAST-128 Encryption Algorithm in CMS. C. Adams.
-     October 2000. (Format: TXT=11591 bytes) (Status: PROPOSED STANDARD)
-2985 PKCS #9: Selected Object Classes and Attribute Types Version 2.0.
-     M. Nystrom, B. Kaliski. November 2000. (Format: TXT=70703 bytes)
-     (Status: INFORMATIONAL)
-3029 Internet X.509 Public Key Infrastructure Data Validation and
-     Certification Server Protocols. C. Adams, P. Sylvester, M. Zolotarev,
-     R. Zuccherato. February 2001. (Format: TXT=107347 bytes) (Status:
-     EXPERIMENTAL)
-3039 Internet X.509 Public Key Infrastructure Qualified Certificates
-     Profile. S. Santesson, W. Polk, P. Barzin, M. Nystrom. January 2001.
-     (Format: TXT=67619 bytes) (Status: PROPOSED STANDARD)
-3058 Use of the IDEA Encryption Algorithm in CMS. S. Teiwes, P.
-     Hartmann, D. Kuenzi. February 2001. (Format: TXT=17257 bytes)
-     (Status: INFORMATIONAL)
-3161 Internet X.509 Public Key Infrastructure Time-Stamp Protocol
-     (TSP). C. Adams, P. Cain, D. Pinkas, R. Zuccherato. August 2001.
-     (Format: TXT=54585 bytes) (Status: PROPOSED STANDARD)
-3185 Reuse of CMS Content Encryption Keys. S. Farrell, S. Turner.
-     October 2001. (Format: TXT=20404 bytes) (Status: PROPOSED STANDARD)
-3207 SMTP Service Extension for Secure SMTP over Transport Layer
-     Security. P. Hoffman. February 2002. (Format: TXT=18679 bytes)
-     (Obsoletes RFC2487) (Status: PROPOSED STANDARD)
-3217 Triple-DES and RC2 Key Wrapping. R. Housley. December 2001.
-     (Format: TXT=19855 bytes) (Status: INFORMATIONAL)
-3274 Compressed Data Content Type for Cryptographic Message Syntax
-     (CMS). P. Gutmann. June 2002. (Format: TXT=11276 bytes) (Status:
-     PROPOSED STANDARD)
-3278 Use of Elliptic Curve Cryptography (ECC) Algorithms in
-     Cryptographic Message Syntax (CMS). S. Blake-Wilson, D. Brown, P.
-     Lambert. April 2002. (Format: TXT=33779 bytes) (Status:
-     INFORMATIONAL)
-3281 An Internet Attribute Certificate Profile for Authorization. S.
-     Farrell, R. Housley. April 2002. (Format: TXT=90580 bytes) (Status:
-     PROPOSED STANDARD)
-3369 Cryptographic Message Syntax (CMS). R. Housley. August 2002.
-     (Format: TXT=113975 bytes) (Obsoletes RFC2630, RFC3211) (Status:
-     PROPOSED STANDARD)
-3370 Cryptographic Message Syntax (CMS) Algorithms. R. Housley. August
-     2002. (Format: TXT=51001 bytes) (Obsoletes RFC2630, RFC3211) (Status:
-     PROPOSED STANDARD)
-3377 Lightweight Directory Access Protocol (v3): Technical
-     Specification. J. Hodges, R. Morgan. September 2002. (Format:
-     TXT=9981 bytes) (Updates RFC2251, RFC2252, RFC2253, RFC2254, RFC2255,
-     RFC2256, RFC2829, RFC2830) (Status: PROPOSED STANDARD)
-3394 Advanced Encryption Standard (AES) Key Wrap Algorithm. J. Schaad,
-     R. Housley. September 2002. (Format: TXT=73072 bytes) (Status:
-     INFORMATIONAL)
-3436 Transport Layer Security over Stream Control Transmission
-     Protocol. A. Jungmaier, E. Rescorla, M. Tuexen. December 2002.
-     (Format: TXT=16333 bytes) (Status: PROPOSED STANDARD)
-  "Securing FTP with TLS", 01/27/2000, <draft-murray-auth-ftp-ssl-05.txt>  
- 
-To be implemented:
------------------
-These are documents that describe things that are planed to be
-implemented in the hopefully short future.
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
deleted file mode 100644
index 86356731ea..0000000000
--- a/src/lib/libssl/s23_clnt.c
+++ /dev/null
@@ -1,616 +0,0 @@
-/* ssl/s23_clnt.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include "ssl_locl.h"
-#include <openssl/buffer.h>
-#include <openssl/rand.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-static SSL_METHOD *ssl23_get_client_method(int ver);
-static int ssl23_client_hello(SSL *s);
-static int ssl23_get_server_hello(SSL *s);
-static SSL_METHOD *ssl23_get_client_method(int ver)
-        {
-#ifndef OPENSSL_NO_SSL2
-        if (ver == SSL2_VERSION)
-                return(SSLv2_client_method());
-#endif
-        if (ver == SSL3_VERSION)
-                return(SSLv3_client_method());
-        else if (ver == TLS1_VERSION)
-                return(TLSv1_client_method());
-        else
-                return(NULL);
-        }
-SSL_METHOD *SSLv23_client_method(void)
-        {
-        static int init=1;
-        static SSL_METHOD SSLv23_client_data;
-        if (init)
-                {
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-                if (init)
-                        {
-                        memcpy((char *)&SSLv23_client_data,
-                                (char *)sslv23_base_method(),sizeof(SSL_METHOD));
-                        SSLv23_client_data.ssl_connect=ssl23_connect;
-                        SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
-                        init=0;
-                        }
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-                }
-        return(&SSLv23_client_data);
-        }
-int ssl23_connect(SSL *s)
-        {
-        BUF_MEM *buf=NULL;
-        unsigned long Time=(unsigned long)time(NULL);
-        void (*cb)(const SSL *ssl,int type,int val)=NULL;
-        int ret= -1;
-        int new_state,state;
-        RAND_add(&Time,sizeof(Time),0);
-        ERR_clear_error();
-        clear_sys_error();
-        if (s->info_callback != NULL)
-                cb=s->info_callback;
-        else if (s->ctx->info_callback != NULL)
-                cb=s->ctx->info_callback;
-        
-        s->in_handshake++;
-        if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
-        for (;;)
-                {
-                state=s->state;
-                switch(s->state)
-                        {
-                case SSL_ST_BEFORE:
-                case SSL_ST_CONNECT:
-                case SSL_ST_BEFORE|SSL_ST_CONNECT:
-                case SSL_ST_OK|SSL_ST_CONNECT:
-                        if (s->session != NULL)
-                                {
-                                SSLerr(SSL_F_SSL23_CONNECT,SSL_R_SSL23_DOING_SESSION_ID_REUSE);
-                                ret= -1;
-                                goto end;
-                                }
-                        s->server=0;
-                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
-                        /* s->version=TLS1_VERSION; */
-                        s->type=SSL_ST_CONNECT;
-                        if (s->init_buf == NULL)
-                                {
-                                if ((buf=BUF_MEM_new()) == NULL)
-                                        {
-                                        ret= -1;
-                                        goto end;
-                                        }
-                                if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
-                                        {
-                                        ret= -1;
-                                        goto end;
-                                        }
-                                s->init_buf=buf;
-                                buf=NULL;
-                                }
-                        if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
-                        ssl3_init_finished_mac(s);
-                        s->state=SSL23_ST_CW_CLNT_HELLO_A;
-                        s->ctx->stats.sess_connect++;
-                        s->init_num=0;
-                        break;
-                case SSL23_ST_CW_CLNT_HELLO_A:
-                case SSL23_ST_CW_CLNT_HELLO_B:
-                        s->shutdown=0;
-                        ret=ssl23_client_hello(s);
-                        if (ret <= 0) goto end;
-                        s->state=SSL23_ST_CR_SRVR_HELLO_A;
-                        s->init_num=0;
-                        break;
-                case SSL23_ST_CR_SRVR_HELLO_A:
-                case SSL23_ST_CR_SRVR_HELLO_B:
-                        ret=ssl23_get_server_hello(s);
-                        if (ret >= 0) cb=NULL;
-                        goto end;
-                        /* break; */
-                default:
-                        SSLerr(SSL_F_SSL23_CONNECT,SSL_R_UNKNOWN_STATE);
-                        ret= -1;
-                        goto end;
-                        /* break; */
-                        }
-                if (s->debug) { (void)BIO_flush(s->wbio); }
-                if ((cb != NULL) && (s->state != state))
-                        {
-                        new_state=s->state;
-                        s->state=state;
-                        cb(s,SSL_CB_CONNECT_LOOP,1);
-                        s->state=new_state;
-                        }
-                }
-end:
-        s->in_handshake--;
-        if (buf != NULL)
-                BUF_MEM_free(buf);
-        if (cb != NULL)
-                cb(s,SSL_CB_CONNECT_EXIT,ret);
-        return(ret);
-        }
-static int ssl23_client_hello(SSL *s)
-        {
-        unsigned char *buf;
-        unsigned char *p,*d;
-        int i,j,ch_len;
-        unsigned long Time,l;
-        int ssl2_compat;
-        int version = 0, version_major, version_minor;
-        SSL_COMP *comp;
-        int ret;
-        ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;
-        if (!(s->options & SSL_OP_NO_TLSv1))
-                {
-                version = TLS1_VERSION;
-                }
-        else if (!(s->options & SSL_OP_NO_SSLv3))
-                {
-                version = SSL3_VERSION;
-                }
-        else if (!(s->options & SSL_OP_NO_SSLv2))
-                {
-                version = SSL2_VERSION;
-                }
-        buf=(unsigned char *)s->init_buf->data;
-        if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
-                {
-#if 0
-                /* don't reuse session-id's */
-                if (!ssl_get_new_session(s,0))
-                        {
-                        return(-1);
-                        }
-#endif
-                p=s->s3->client_random;
-                Time=(unsigned long)time(NULL);                 /* Time */
-                l2n(Time,p);
-                if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
-                        return -1;
-                if (version == TLS1_VERSION)
-                        {
-                        version_major = TLS1_VERSION_MAJOR;
-                        version_minor = TLS1_VERSION_MINOR;
-                        }
-#ifdef OPENSSL_FIPS
-                else if(FIPS_mode())
-                        {
-                        SSLerr(SSL_F_SSL23_CLIENT_HELLO,
-                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-                        return -1;
-                        }
-#endif
-                else if (version == SSL3_VERSION)
-                        {
-                        version_major = SSL3_VERSION_MAJOR;
-                        version_minor = SSL3_VERSION_MINOR;
-                        }
-                else if (version == SSL2_VERSION)
-                        {
-                        version_major = SSL2_VERSION_MAJOR;
-                        version_minor = SSL2_VERSION_MINOR;
-                        }
-                else
-                        {
-                        SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_PROTOCOLS_AVAILABLE);
-                        return(-1);
-                        }
-                s->client_version = version;
-                if (ssl2_compat)
-                        {
-                        /* create SSL 2.0 compatible Client Hello */
-                        /* two byte record header will be written last */
-                        d = &(buf[2]);
-                        p = d + 9; /* leave space for message type, version, individual length fields */
-                        *(d++) = SSL2_MT_CLIENT_HELLO;
-                        *(d++) = version_major;
-                        *(d++) = version_minor;
-                        
-                        /* Ciphers supported */
-                        i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p,0);
-                        if (i == 0)
-                                {
-                                /* no ciphers */
-                                SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
-                                return -1;
-                                }
-                        s2n(i,d);
-                        p+=i;
-                        
-                        /* put in the session-id length (zero since there is no reuse) */
-#if 0
-                        s->session->session_id_length=0;
-#endif
-                        s2n(0,d);
-                        if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
-                                ch_len=SSL2_CHALLENGE_LENGTH;
-                        else
-                                ch_len=SSL2_MAX_CHALLENGE_LENGTH;
-                        /* write out sslv2 challenge */
-                        if (SSL3_RANDOM_SIZE < ch_len)
-                                i=SSL3_RANDOM_SIZE;
-                        else
-                                i=ch_len;
-                        s2n(i,d);
-                        memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
-                        if (RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
-                                return -1;
-                        memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
-                        p+=i;
-                        i= p- &(buf[2]);
-                        buf[0]=((i>>8)&0xff)|0x80;
-                        buf[1]=(i&0xff);
-                        /* number of bytes to write */
-                        s->init_num=i+2;
-                        s->init_off=0;
-                        ssl3_finish_mac(s,&(buf[2]),i);
-                        }
-                else
-                        {
-                        /* create Client Hello in SSL 3.0/TLS 1.0 format */
-                        /* do the record header (5 bytes) and handshake message header (4 bytes) last */
-                        d = p = &(buf[9]);
-                        
-                        *(p++) = version_major;
-                        *(p++) = version_minor;
-                        /* Random stuff */
-                        memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
-                        p += SSL3_RANDOM_SIZE;
-                        /* Session ID (zero since there is no reuse) */
-                        *(p++) = 0;
-                        /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
-                        i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),ssl3_put_cipher_by_char);
-                        if (i == 0)
-                                {
-                                SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
-                                return -1;
-                                }
-                        s2n(i,p);
-                        p+=i;
-                        /* COMPRESSION */
-                        if (s->ctx->comp_methods == NULL)
-                                j=0;
-                        else
-                                j=sk_SSL_COMP_num(s->ctx->comp_methods);
-                        *(p++)=1+j;
-                        for (i=0; i<j; i++)
-                                {
-                                comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
-                                *(p++)=comp->id;
-                                }
-                        *(p++)=0; /* Add the NULL method */
-                        
-                        l = p-d;
-                        *p = 42;
-                        /* fill in 4-byte handshake header */
-                        d=&(buf[5]);
-                        *(d++)=SSL3_MT_CLIENT_HELLO;
-                        l2n3(l,d);
-                        l += 4;
-                        if (l > SSL3_RT_MAX_PLAIN_LENGTH)
-                                {
-                                SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
-                                return -1;
-                                }
-                        
-                        /* fill in 5-byte record header */
-                        d=buf;
-                        *(d++) = SSL3_RT_HANDSHAKE;
-                        *(d++) = version_major;
-                        *(d++) = version_minor; /* arguably we should send the *lowest* suported version here
-                                                 * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */
-                        s2n((int)l,d);
-                        /* number of bytes to write */
-                        s->init_num=p-buf;
-                        s->init_off=0;
-                        ssl3_finish_mac(s,&(buf[5]), s->init_num - 5);
-                        }
-                s->state=SSL23_ST_CW_CLNT_HELLO_B;
-                s->init_off=0;
-                }
-        /* SSL3_ST_CW_CLNT_HELLO_B */
-        ret = ssl23_write_bytes(s);
-        if ((ret >= 2) && s->msg_callback)
-                {
-                /* Client Hello has been sent; tell msg_callback */
-                if (ssl2_compat)
-                        s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data+2, ret-2, s, s->msg_callback_arg);
-                else
-                        s->msg_callback(1, version, SSL3_RT_HANDSHAKE, s->init_buf->data+5, ret-5, s, s->msg_callback_arg);
-                }
-        return ret;
-        }
-static int ssl23_get_server_hello(SSL *s)
-        {
-        char buf[8];
-        unsigned char *p;
-        int i;
-        int n;
-        n=ssl23_read_bytes(s,7);
-        if (n != 7) return(n);
-        p=s->packet;
-        memcpy(buf,p,n);
-        if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
-                (p[5] == 0x00) && (p[6] == 0x02))
-                {
-#ifdef OPENSSL_NO_SSL2
-                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
-                goto err;
-#else
-                /* we are talking sslv2 */
-                /* we need to clean up the SSLv3 setup and put in the
-                 * sslv2 stuff. */
-                int ch_len;
-                if (s->options & SSL_OP_NO_SSLv2)
-                        {
-                        SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
-                        goto err;
-                        }
-                if (s->s2 == NULL)
-                        {
-                        if (!ssl2_new(s))
-                                goto err;
-                        }
-                else
-                        ssl2_clear(s);
-                if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
-                        ch_len=SSL2_CHALLENGE_LENGTH;
-                else
-                        ch_len=SSL2_MAX_CHALLENGE_LENGTH;
-                /* write out sslv2 challenge */
-                i=(SSL3_RANDOM_SIZE < ch_len)
-                        ?SSL3_RANDOM_SIZE:ch_len;
-                s->s2->challenge_length=i;
-                memcpy(s->s2->challenge,
-                        &(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
-                if (s->s3 != NULL) ssl3_free(s);
-                if (!BUF_MEM_grow_clean(s->init_buf,
-                        SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
-                        {
-                        SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,ERR_R_BUF_LIB);
-                        goto err;
-                        }
-                s->state=SSL2_ST_GET_SERVER_HELLO_A;
-                if (!(s->client_version == SSL2_VERSION))
-                        /* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */
-                        s->s2->ssl2_rollback=1;
-                /* setup the 5 bytes we have read so we get them from
-                 * the sslv2 buffer */
-                s->rstate=SSL_ST_READ_HEADER;
-                s->packet_length=n;
-                s->packet= &(s->s2->rbuf[0]);
-                memcpy(s->packet,buf,n);
-                s->s2->rbuf_left=n;
-                s->s2->rbuf_offs=0;
-                /* we have already written one */
-                s->s2->write_sequence=1;
-                s->method=SSLv2_client_method();
-                s->handshake_func=s->method->ssl_connect;
-#endif
-                }
-        else if ((p[0] == SSL3_RT_HANDSHAKE) &&
-                 (p[1] == SSL3_VERSION_MAJOR) &&
-                 ((p[2] == SSL3_VERSION_MINOR) ||
-                  (p[2] == TLS1_VERSION_MINOR)) &&
-                 (p[5] == SSL3_MT_SERVER_HELLO))
-                {
-                /* we have sslv3 or tls1 */
-                if (!ssl_init_wbio_buffer(s,1)) goto err;
-                /* we are in this state */
-                s->state=SSL3_ST_CR_SRVR_HELLO_A;
-                /* put the 5 bytes we have read into the input buffer
-                 * for SSLv3 */
-                s->rstate=SSL_ST_READ_HEADER;
-                s->packet_length=n;
-                s->packet= &(s->s3->rbuf.buf[0]);
-                memcpy(s->packet,buf,n);
-                s->s3->rbuf.left=n;
-                s->s3->rbuf.offset=0;
-                if ((p[2] == SSL3_VERSION_MINOR) &&
-                        !(s->options & SSL_OP_NO_SSLv3))
-                        {
-#ifdef OPENSSL_FIPS
-                        if(FIPS_mode())
-                                {
-                                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
-                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-                                goto err;
-                                }
-#endif
-                        s->version=SSL3_VERSION;
-                        s->method=SSLv3_client_method();
-                        }
-                else if ((p[2] == TLS1_VERSION_MINOR) &&
-                        !(s->options & SSL_OP_NO_TLSv1))
-                        {
-                        s->version=TLS1_VERSION;
-                        s->method=TLSv1_client_method();
-                        }
-                else
-                        {
-                        SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
-                        goto err;
-                        }
-                        
-                s->handshake_func=s->method->ssl_connect;
-                }
-        else if ((p[0] == SSL3_RT_ALERT) &&
-                 (p[1] == SSL3_VERSION_MAJOR) &&
-                 ((p[2] == SSL3_VERSION_MINOR) ||
-                  (p[2] == TLS1_VERSION_MINOR)) &&
-                 (p[3] == 0) &&
-                 (p[4] == 2))
-                {
-                void (*cb)(const SSL *ssl,int type,int val)=NULL;
-                int j;
-                /* An alert */
-                if (s->info_callback != NULL)
-                        cb=s->info_callback;
-                else if (s->ctx->info_callback != NULL)
-                        cb=s->ctx->info_callback;
- 
-                i=p[5];
-                if (cb != NULL)
-                        {
-                        j=(i<<8)|p[6];
-                        cb(s,SSL_CB_READ_ALERT,j);
-                        }
-                s->rwstate=SSL_NOTHING;
-                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]);
-                goto err;
-                }
-        else
-                {
-                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNKNOWN_PROTOCOL);
-                goto err;
-                }
-        s->init_num=0;
-        /* Since, if we are sending a ssl23 client hello, we are not
-         * reusing a session-id */
-        if (!ssl_get_new_session(s,0))
-                goto err;
-        s->first_packet=1;
-        return(SSL_connect(s));
-err:
-        return(-1);
-        }
diff --git a/src/lib/libssl/s23_lib.c b/src/lib/libssl/s23_lib.c
deleted file mode 100644
index 8d7dbcf569..0000000000
--- a/src/lib/libssl/s23_lib.c
+++ /dev/null
@@ -1,236 +0,0 @@
-/* ssl/s23_lib.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <openssl/objects.h>
-#include "ssl_locl.h"
-static int ssl23_num_ciphers(void );
-static SSL_CIPHER *ssl23_get_cipher(unsigned int u);
-static int ssl23_read(SSL *s, void *buf, int len);
-static int ssl23_peek(SSL *s, void *buf, int len);
-static int ssl23_write(SSL *s, const void *buf, int len);
-static long ssl23_default_timeout(void );
-static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
-static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
-const char *SSL23_version_str="SSLv2/3 compatibility" OPENSSL_VERSION_PTEXT;
-static SSL_METHOD SSLv23_data= {
-        TLS1_VERSION,
-        tls1_new,
-        tls1_clear,
-        tls1_free,
-        ssl_undefined_function,
-        ssl_undefined_function,
-        ssl23_read,
-        ssl23_peek,
-        ssl23_write,
-        ssl_undefined_function,
-        ssl_undefined_function,
-        ssl_ok,
-        ssl3_ctrl,
-        ssl3_ctx_ctrl,
-        ssl23_get_cipher_by_char,
-        ssl23_put_cipher_by_char,
-        ssl_undefined_const_function,
-        ssl23_num_ciphers,
-        ssl23_get_cipher,
-        ssl_bad_method,
-        ssl23_default_timeout,
-        &ssl3_undef_enc_method,
-        ssl_undefined_function,
-        ssl3_callback_ctrl,
-        ssl3_ctx_callback_ctrl,
-        };
-static long ssl23_default_timeout(void)
-        {
-        return(300);
-        }
-SSL_METHOD *sslv23_base_method(void)
-        {
-        return(&SSLv23_data);
-        }
-static int ssl23_num_ciphers(void)
-        {
-        return(ssl3_num_ciphers()
-#ifndef OPENSSL_NO_SSL2
-               + ssl2_num_ciphers()
-#endif
-            );
-        }
-static SSL_CIPHER *ssl23_get_cipher(unsigned int u)
-        {
-        unsigned int uu=ssl3_num_ciphers();
-        if (u < uu)
-                return(ssl3_get_cipher(u));
-        else
-#ifndef OPENSSL_NO_SSL2
-                return(ssl2_get_cipher(u-uu));
-#else
-                return(NULL);
-#endif
-        }
-/* This function needs to check if the ciphers required are actually
- * available */
-static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
-        {
-        SSL_CIPHER c,*cp;
-        unsigned long id;
-        int n;
-        n=ssl3_num_ciphers();
-        id=0x03000000|((unsigned long)p[0]<<16L)|
-                ((unsigned long)p[1]<<8L)|(unsigned long)p[2];
-        c.id=id;
-        cp=ssl3_get_cipher_by_char(p);
-#ifndef OPENSSL_NO_SSL2
-        if (cp == NULL)
-                cp=ssl2_get_cipher_by_char(p);
-#endif
-        return(cp);
-        }
-static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
-        {
-        long l;
-        /* We can write SSLv2 and SSLv3 ciphers */
-        if (p != NULL)
-                {
-                l=c->id;
-                p[0]=((unsigned char)(l>>16L))&0xFF;
-                p[1]=((unsigned char)(l>> 8L))&0xFF;
-                p[2]=((unsigned char)(l     ))&0xFF;
-                }
-        return(3);
-        }
-static int ssl23_read(SSL *s, void *buf, int len)
-        {
-        int n;
-        clear_sys_error();
-        if (SSL_in_init(s) && (!s->in_handshake))
-                {
-                n=s->handshake_func(s);
-                if (n < 0) return(n);
-                if (n == 0)
-                        {
-                        SSLerr(SSL_F_SSL23_READ,SSL_R_SSL_HANDSHAKE_FAILURE);
-                        return(-1);
-                        }
-                return(SSL_read(s,buf,len));
-                }
-        else
-                {
-                ssl_undefined_function(s);
-                return(-1);
-                }
-        }
-static int ssl23_peek(SSL *s, void *buf, int len)
-        {
-        int n;
-        clear_sys_error();
-        if (SSL_in_init(s) && (!s->in_handshake))
-                {
-                n=s->handshake_func(s);
-                if (n < 0) return(n);
-                if (n == 0)
-                        {
-                        SSLerr(SSL_F_SSL23_PEEK,SSL_R_SSL_HANDSHAKE_FAILURE);
-                        return(-1);
-                        }
-                return(SSL_peek(s,buf,len));
-                }
-        else
-                {
-                ssl_undefined_function(s);
-                return(-1);
-                }
-        }
-static int ssl23_write(SSL *s, const void *buf, int len)
-        {
-        int n;
-        clear_sys_error();
-        if (SSL_in_init(s) && (!s->in_handshake))
-                {
-                n=s->handshake_func(s);
-                if (n < 0) return(n);
-                if (n == 0)
-                        {
-                        SSLerr(SSL_F_SSL23_WRITE,SSL_R_SSL_HANDSHAKE_FAILURE);
-                        return(-1);
-                        }
-                return(SSL_write(s,buf,len));
-                }
-        else
-                {
-                ssl_undefined_function(s);
-                return(-1);
-                }
-        }
diff --git a/src/lib/libssl/s23_pkt.c b/src/lib/libssl/s23_pkt.c
deleted file mode 100644
index 4ca6a1b258..0000000000
--- a/src/lib/libssl/s23_pkt.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/* ssl/s23_pkt.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <errno.h>
-#define USE_SOCKETS
-#include "ssl_locl.h"
-#include <openssl/evp.h>
-#include <openssl/buffer.h>
-int ssl23_write_bytes(SSL *s)
-        {
-        int i,num,tot;
-        char *buf;
-        buf=s->init_buf->data;
-        tot=s->init_off;
-        num=s->init_num;
-        for (;;)
-                {
-                s->rwstate=SSL_WRITING;
-                i=BIO_write(s->wbio,&(buf[tot]),num);
-                if (i <= 0)
-                        {
-                        s->init_off=tot;
-                        s->init_num=num;
-                        return(i);
-                        }
-                s->rwstate=SSL_NOTHING;
-                if (i == num) return(tot+i);
-                num-=i;
-                tot+=i;
-                }
-        }
-/* return regularly only when we have read (at least) 'n' bytes */
-int ssl23_read_bytes(SSL *s, int n)
-        {
-        unsigned char *p;
-        int j;
-        if (s->packet_length < (unsigned int)n)
-                {
-                p=s->packet;
-                for (;;)
-                        {
-                        s->rwstate=SSL_READING;
-                        j=BIO_read(s->rbio,(char *)&(p[s->packet_length]),
-                                n-s->packet_length);
-                        if (j <= 0)
-                                return(j);
-                        s->rwstate=SSL_NOTHING;
-                        s->packet_length+=j;
-                        if (s->packet_length >= (unsigned int)n)
-                                return(s->packet_length);
-                        }
-                }
-        return(n);
-        }
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
deleted file mode 100644
index b73abc448f..0000000000
--- a/src/lib/libssl/s23_srvr.c
+++ /dev/null
@@ -1,600 +0,0 @@
-/* ssl/s23_srvr.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <stdio.h>
-#include "ssl_locl.h"
-#include <openssl/buffer.h>
-#include <openssl/rand.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-static SSL_METHOD *ssl23_get_server_method(int ver);
-int ssl23_get_client_hello(SSL *s);
-static SSL_METHOD *ssl23_get_server_method(int ver)
-        {
-#ifndef OPENSSL_NO_SSL2
-        if (ver == SSL2_VERSION)
-                return(SSLv2_server_method());
-#endif
-        if (ver == SSL3_VERSION)
-                return(SSLv3_server_method());
-        else if (ver == TLS1_VERSION)
-                return(TLSv1_server_method());
-        else
-                return(NULL);
-        }
-SSL_METHOD *SSLv23_server_method(void)
-        {
-        static int init=1;
-        static SSL_METHOD SSLv23_server_data;
-        if (init)
-                {
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-                if (init)
-                        {
-                        memcpy((char *)&SSLv23_server_data,
-                                (char *)sslv23_base_method(),sizeof(SSL_METHOD));
-                        SSLv23_server_data.ssl_accept=ssl23_accept;
-                        SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
-                        init=0;
-                        }
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-                }
-        return(&SSLv23_server_data);
-        }
-int ssl23_accept(SSL *s)
-        {
-        BUF_MEM *buf;
-        unsigned long Time=(unsigned long)time(NULL);
-        void (*cb)(const SSL *ssl,int type,int val)=NULL;
-        int ret= -1;
-        int new_state,state;
-        RAND_add(&Time,sizeof(Time),0);
-        ERR_clear_error();
-        clear_sys_error();
-        if (s->info_callback != NULL)
-                cb=s->info_callback;
-        else if (s->ctx->info_callback != NULL)
-                cb=s->ctx->info_callback;
-        
-        s->in_handshake++;
-        if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
-        for (;;)
-                {
-                state=s->state;
-                switch(s->state)
-                        {
-                case SSL_ST_BEFORE:
-                case SSL_ST_ACCEPT:
-                case SSL_ST_BEFORE|SSL_ST_ACCEPT:
-                case SSL_ST_OK|SSL_ST_ACCEPT:
-                        s->server=1;
-                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
-                        /* s->version=SSL3_VERSION; */
-                        s->type=SSL_ST_ACCEPT;
-                        if (s->init_buf == NULL)
-                                {
-                                if ((buf=BUF_MEM_new()) == NULL)
-                                        {
-                                        ret= -1;
-                                        goto end;
-                                        }
-                                if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
-                                        {
-                                        ret= -1;
-                                        goto end;
-                                        }
-                                s->init_buf=buf;
-                                }
-                        ssl3_init_finished_mac(s);
-                        s->state=SSL23_ST_SR_CLNT_HELLO_A;
-                        s->ctx->stats.sess_accept++;
-                        s->init_num=0;
-                        break;
-                case SSL23_ST_SR_CLNT_HELLO_A:
-                case SSL23_ST_SR_CLNT_HELLO_B:
-                        s->shutdown=0;
-                        ret=ssl23_get_client_hello(s);
-                        if (ret >= 0) cb=NULL;
-                        goto end;
-                        /* break; */
-                default:
-                        SSLerr(SSL_F_SSL23_ACCEPT,SSL_R_UNKNOWN_STATE);
-                        ret= -1;
-                        goto end;
-                        /* break; */
-                        }
-                if ((cb != NULL) && (s->state != state))
-                        {
-                        new_state=s->state;
-                        s->state=state;
-                        cb(s,SSL_CB_ACCEPT_LOOP,1);
-                        s->state=new_state;
-                        }
-                }
-end:
-        s->in_handshake--;
-        if (cb != NULL)
-                cb(s,SSL_CB_ACCEPT_EXIT,ret);
-        return(ret);
-        }
-int ssl23_get_client_hello(SSL *s)
-        {
-        char buf_space[11]; /* Request this many bytes in initial read.
-                             * We can detect SSL 3.0/TLS 1.0 Client Hellos
-                             * ('type == 3') correctly only when the following
-                             * is in a single record, which is not guaranteed by
-                             * the protocol specification:
-                             * Byte  Content
-                             *  0     type            \
-                             *  1/2   version          > record header
-                             *  3/4   length          /
-                             *  5     msg_type        \
-                             *  6-8   length           > Client Hello message
-                             *  9/10  client_version  /
-                             */
-        char *buf= &(buf_space[0]);
-        unsigned char *p,*d,*d_len,*dd;
-        unsigned int i;
-        unsigned int csl,sil,cl;
-        int n=0,j;
-        int type=0;
-        int v[2];
-        if (s->state == SSL23_ST_SR_CLNT_HELLO_A)
-                {
-                /* read the initial header */
-                v[0]=v[1]=0;
-                if (!ssl3_setup_buffers(s)) goto err;
-                n=ssl23_read_bytes(s, sizeof buf_space);
-                if (n != sizeof buf_space) return(n); /* n == -1 || n == 0 */
-                p=s->packet;
-                memcpy(buf,p,n);
-                if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO))
-                        {
-                        /*
-                         * SSLv2 header
-                         */
-                        if ((p[3] == 0x00) && (p[4] == 0x02))
-                                {
-                                v[0]=p[3]; v[1]=p[4];
-                                /* SSLv2 */
-                                if (!(s->options & SSL_OP_NO_SSLv2))
-                                        type=1;
-                                }
-                        else if (p[3] == SSL3_VERSION_MAJOR)
-                                {
-                                v[0]=p[3]; v[1]=p[4];
-                                /* SSLv3/TLSv1 */
-                                if (p[4] >= TLS1_VERSION_MINOR)
-                                        {
-                                        if (!(s->options & SSL_OP_NO_TLSv1))
-                                                {
-                                                s->version=TLS1_VERSION;
-                                                /* type=2; */ /* done later to survive restarts */
-                                                s->state=SSL23_ST_SR_CLNT_HELLO_B;
-                                                }
-                                        else if (!(s->options & SSL_OP_NO_SSLv3))
-                                                {
-                                                s->version=SSL3_VERSION;
-                                                /* type=2; */
-                                                s->state=SSL23_ST_SR_CLNT_HELLO_B;
-                                                }
-                                        else if (!(s->options & SSL_OP_NO_SSLv2))
-                                                {
-                                                type=1;
-                                                }
-                                        }
-                                else if (!(s->options & SSL_OP_NO_SSLv3))
-                                        {
-                                        s->version=SSL3_VERSION;
-                                        /* type=2; */
-                                        s->state=SSL23_ST_SR_CLNT_HELLO_B;
-                                        }
-                                else if (!(s->options & SSL_OP_NO_SSLv2))
-                                        type=1;
-                                }
-                        }
-                else if ((p[0] == SSL3_RT_HANDSHAKE) &&
-                         (p[1] == SSL3_VERSION_MAJOR) &&
-                         (p[5] == SSL3_MT_CLIENT_HELLO) &&
-                         ((p[3] == 0 && p[4] < 5 /* silly record length? */)
-                                || (p[9] == p[1])))
-                        {
-                        /*
-                         * SSLv3 or tls1 header
-                         */
-                        
-                        v[0]=p[1]; /* major version (= SSL3_VERSION_MAJOR) */
-                        /* We must look at client_version inside the Client Hello message
-                         * to get the correct minor version.
-                         * However if we have only a pathologically small fragment of the
-                         * Client Hello message, this would be difficult, and we'd have
-                         * to read more records to find out.
-                         * No known SSL 3.0 client fragments ClientHello like this,
-                         * so we simply assume TLS 1.0 to avoid protocol version downgrade
-                         * attacks. */
-                        if (p[3] == 0 && p[4] < 6)
-                                {
-#if 0
-                                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
-                                goto err;
-#else
-                                v[1] = TLS1_VERSION_MINOR;
-#endif
-                                }
-                        else
-                                v[1]=p[10]; /* minor version according to client_version */
-                        if (v[1] >= TLS1_VERSION_MINOR)
-                                {
-                                if (!(s->options & SSL_OP_NO_TLSv1))
-                                        {
-                                        s->version=TLS1_VERSION;
-                                        type=3;
-                                        }
-                                else if (!(s->options & SSL_OP_NO_SSLv3))
-                                        {
-                                        s->version=SSL3_VERSION;
-                                        type=3;
-                                        }
-                                }
-                        else
-                                {
-                                /* client requests SSL 3.0 */
-                                if (!(s->options & SSL_OP_NO_SSLv3))
-                                        {
-                                        s->version=SSL3_VERSION;
-                                        type=3;
-                                        }
-                                else if (!(s->options & SSL_OP_NO_TLSv1))
-                                        {
-                                        /* we won't be able to use TLS of course,
-                                         * but this will send an appropriate alert */
-                                        s->version=TLS1_VERSION;
-                                        type=3;
-                                        }
-                                }
-                        }
-                else if ((strncmp("GET ", (char *)p,4) == 0) ||
-                         (strncmp("POST ",(char *)p,5) == 0) ||
-                         (strncmp("HEAD ",(char *)p,5) == 0) ||
-                         (strncmp("PUT ", (char *)p,4) == 0))
-                        {
-                        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTP_REQUEST);
-                        goto err;
-                        }
-                else if (strncmp("CONNECT",(char *)p,7) == 0)
-                        {
-                        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTPS_PROXY_REQUEST);
-                        goto err;
-                        }
-                }
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && (s->version < TLS1_VERSION))
-                {
-                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
-                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-                goto err;
-                }
-#endif
-        if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
-                {
-                /* we have SSLv3/TLSv1 in an SSLv2 header
-                 * (other cases skip this state) */
-                type=2;
-                p=s->packet;
-                v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
-                v[1] = p[4];
-                n=((p[0]&0x7f)<<8)|p[1];
-                if (n > (1024*4))
-                        {
-                        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
-                        goto err;
-                        }
-                j=ssl23_read_bytes(s,n+2);
-                if (j <= 0) return(j);
-                ssl3_finish_mac(s, s->packet+2, s->packet_length-2);
-                if (s->msg_callback)
-                        s->msg_callback(0, SSL2_VERSION, 0, s->packet+2, s->packet_length-2, s, s->msg_callback_arg); /* CLIENT-HELLO */
-                p=s->packet;
-                p+=5;
-                n2s(p,csl);
-                n2s(p,sil);
-                n2s(p,cl);
-                d=(unsigned char *)s->init_buf->data;
-                if ((csl+sil+cl+11) != s->packet_length)
-                        {
-                        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
-                        goto err;
-                        }
-                /* record header: msg_type ... */
-                *(d++) = SSL3_MT_CLIENT_HELLO;
-                /* ... and length (actual value will be written later) */
-                d_len = d;
-                d += 3;
-                /* client_version */
-                *(d++) = SSL3_VERSION_MAJOR; /* == v[0] */
-                *(d++) = v[1];
-                /* lets populate the random area */
-                /* get the challenge_length */
-                i=(cl > SSL3_RANDOM_SIZE)?SSL3_RANDOM_SIZE:cl;
-                memset(d,0,SSL3_RANDOM_SIZE);
-                memcpy(&(d[SSL3_RANDOM_SIZE-i]),&(p[csl+sil]),i);
-                d+=SSL3_RANDOM_SIZE;
-                /* no session-id reuse */
-                *(d++)=0;
-                /* ciphers */
-                j=0;
-                dd=d;
-                d+=2;
-                for (i=0; i<csl; i+=3)
-                        {
-                        if (p[i] != 0) continue;
-                        *(d++)=p[i+1];
-                        *(d++)=p[i+2];
-                        j+=2;
-                        }
-                s2n(j,dd);
-                /* COMPRESSION */
-                *(d++)=1;
-                *(d++)=0;
-                
-                i = (d-(unsigned char *)s->init_buf->data) - 4;
-                l2n3((long)i, d_len);
-                /* get the data reused from the init_buf */
-                s->s3->tmp.reuse_message=1;
-                s->s3->tmp.message_type=SSL3_MT_CLIENT_HELLO;
-                s->s3->tmp.message_size=i;
-                }
-        /* imaginary new state (for program structure): */
-        /* s->state = SSL23_SR_CLNT_HELLO_C */
-        if (type == 1)
-                {
-#ifdef OPENSSL_NO_SSL2
-                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
-                goto err;
-#else
-                /* we are talking sslv2 */
-                /* we need to clean up the SSLv3/TLSv1 setup and put in the
-                 * sslv2 stuff. */
-                if (s->s2 == NULL)
-                        {
-                        if (!ssl2_new(s))
-                                goto err;
-                        }
-                else
-                        ssl2_clear(s);
-                if (s->s3 != NULL) ssl3_free(s);
-                if (!BUF_MEM_grow_clean(s->init_buf,
-                        SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
-                        {
-                        goto err;
-                        }
-                s->state=SSL2_ST_GET_CLIENT_HELLO_A;
-                if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
-                        s->s2->ssl2_rollback=0;
-                else
-                        /* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
-                         * (SSL 3.0 draft/RFC 2246, App. E.2) */
-                        s->s2->ssl2_rollback=1;
-                /* setup the n bytes we have read so we get them from
-                 * the sslv2 buffer */
-                s->rstate=SSL_ST_READ_HEADER;
-                s->packet_length=n;
-                s->packet= &(s->s2->rbuf[0]);
-                memcpy(s->packet,buf,n);
-                s->s2->rbuf_left=n;
-                s->s2->rbuf_offs=0;
-                s->method=SSLv2_server_method();
-                s->handshake_func=s->method->ssl_accept;
-#endif
-                }
-        if ((type == 2) || (type == 3))
-                {
-                /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
-                if (!ssl_init_wbio_buffer(s,1)) goto err;
-                /* we are in this state */
-                s->state=SSL3_ST_SR_CLNT_HELLO_A;
-                if (type == 3)
-                        {
-                        /* put the 'n' bytes we have read into the input buffer
-                         * for SSLv3 */
-                        s->rstate=SSL_ST_READ_HEADER;
-                        s->packet_length=n;
-                        s->packet= &(s->s3->rbuf.buf[0]);
-                        memcpy(s->packet,buf,n);
-                        s->s3->rbuf.left=n;
-                        s->s3->rbuf.offset=0;
-                        }
-                else
-                        {
-                        s->packet_length=0;
-                        s->s3->rbuf.left=0;
-                        s->s3->rbuf.offset=0;
-                        }
-                if (s->version == TLS1_VERSION)
-                        s->method = TLSv1_server_method();
-                else
-                        s->method = SSLv3_server_method();
-#if 0 /* ssl3_get_client_hello does this */
-                s->client_version=(v[0]<<8)|v[1];
-#endif
-                s->handshake_func=s->method->ssl_accept;
-                }
-        
-        if ((type < 1) || (type > 3))
-                {
-                /* bad, very bad */
-                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNKNOWN_PROTOCOL);
-                goto err;
-                }
-        s->init_num=0;
-        if (buf != buf_space) OPENSSL_free(buf);
-        s->first_packet=1;
-        return(SSL_accept(s));
-err:
-        if (buf != buf_space) OPENSSL_free(buf);
-        return(-1);
-        }
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
deleted file mode 100644
index 64d317b7ac..0000000000
--- a/src/lib/libssl/s3_both.c
+++ /dev/null
@@ -1,635 +0,0 @@
-/* ssl/s3_both.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <limits.h>
-#include <string.h>
-#include <stdio.h>
-#include "ssl_locl.h"
-#include <openssl/buffer.h>
-#include <openssl/rand.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
-int ssl3_do_write(SSL *s, int type)
-        {
-        int ret;
-        ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
-                             s->init_num);
-        if (ret < 0) return(-1);
-        if (type == SSL3_RT_HANDSHAKE)
-                /* should not be done for 'Hello Request's, but in that case
-                 * we'll ignore the result anyway */
-                ssl3_finish_mac(s,(unsigned char *)&s->init_buf->data[s->init_off],ret);
-        
-        if (ret == s->init_num)
-                {
-                if (s->msg_callback)
-                        s->msg_callback(1, s->version, type, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, s->msg_callback_arg);
-                return(1);
-                }
-        s->init_off+=ret;
-        s->init_num-=ret;
-        return(0);
-        }
-int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
-        {
-        unsigned char *p,*d;
-        int i;
-        unsigned long l;
-        if (s->state == a)
-                {
-                d=(unsigned char *)s->init_buf->data;
-                p= &(d[4]);
-                i=s->method->ssl3_enc->final_finish_mac(s,
-                        &(s->s3->finish_dgst1),
-                        &(s->s3->finish_dgst2),
-                        sender,slen,s->s3->tmp.finish_md);
-                s->s3->tmp.finish_md_len = i;
-                memcpy(p, s->s3->tmp.finish_md, i);
-                p+=i;
-                l=i;
-#ifdef OPENSSL_SYS_WIN16
-                /* MSVC 1.5 does not clear the top bytes of the word unless
-                 * I do this.
-                 */
-                l&=0xffff;
-#endif
-                *(d++)=SSL3_MT_FINISHED;
-                l2n3(l,d);
-                s->init_num=(int)l+4;
-                s->init_off=0;
-                s->state=b;
-                }
-        /* SSL3_ST_SEND_xxxxxx_HELLO_B */
-        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
-        }
-int ssl3_get_finished(SSL *s, int a, int b)
-        {
-        int al,i,ok;
-        long n;
-        unsigned char *p;
-        /* the mac has already been generated when we received the
-         * change cipher spec message and is in s->s3->tmp.peer_finish_md
-         */ 
-        n=ssl3_get_message(s,
-                a,
-                b,
-                SSL3_MT_FINISHED,
-                64, /* should actually be 36+4 :-) */
-                &ok);
-        if (!ok) return((int)n);
-        /* If this occurs, we have missed a message */
-        if (!s->s3->change_cipher_spec)
-                {
-                al=SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_GOT_A_FIN_BEFORE_A_CCS);
-                goto f_err;
-                }
-        s->s3->change_cipher_spec=0;
-        p = (unsigned char *)s->init_msg;
-        i = s->s3->tmp.peer_finish_md_len;
-        if (i != n)
-                {
-                al=SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_BAD_DIGEST_LENGTH);
-                goto f_err;
-                }
-        if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
-                {
-                al=SSL_AD_DECRYPT_ERROR;
-                SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
-                goto f_err;
-                }
-        return(1);
-f_err:
-        ssl3_send_alert(s,SSL3_AL_FATAL,al);
-        return(0);
-        }
-/* for these 2 messages, we need to
- * ssl->enc_read_ctx                    re-init
- * ssl->s3->read_sequence               zero
- * ssl->s3->read_mac_secret             re-init
- * ssl->session->read_sym_enc           assign
- * ssl->session->read_compression       assign
- * ssl->session->read_hash              assign
- */
-int ssl3_send_change_cipher_spec(SSL *s, int a, int b)
-        { 
-        unsigned char *p;
-        if (s->state == a)
-                {
-                p=(unsigned char *)s->init_buf->data;
-                *p=SSL3_MT_CCS;
-                s->init_num=1;
-                s->init_off=0;
-                s->state=b;
-                }
-        /* SSL3_ST_CW_CHANGE_B */
-        return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
-        }
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
-        {
-        unsigned char *p;
-        int n,i;
-        unsigned long l=7;
-        BUF_MEM *buf;
-        X509_STORE_CTX xs_ctx;
-        X509_OBJECT obj;
-        int no_chain;
-        if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
-                no_chain = 1;
-        else
-                no_chain = 0;
-        /* TLSv1 sends a chain with nothing in it, instead of an alert */
-        buf=s->init_buf;
-        if (!BUF_MEM_grow_clean(buf,10))
-                {
-                SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
-                return(0);
-                }
-        if (x != NULL)
-                {
-                if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
-                        {
-                        SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
-                        return(0);
-                        }
-                for (;;)
-                        {
-                        n=i2d_X509(x,NULL);
-                        if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
-                                {
-                                SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
-                                return(0);
-                                }
-                        p=(unsigned char *)&(buf->data[l]);
-                        l2n3(n,p);
-                        i2d_X509(x,&p);
-                        l+=n+3;
-                        if (no_chain)
-                                break;
-                        if (X509_NAME_cmp(X509_get_subject_name(x),
-                                X509_get_issuer_name(x)) == 0) break;
-                        i=X509_STORE_get_by_subject(&xs_ctx,X509_LU_X509,
-                                X509_get_issuer_name(x),&obj);
-                        if (i <= 0) break;
-                        x=obj.data.x509;
-                        /* Count is one too high since the X509_STORE_get uped the
-                         * ref count */
-                        X509_free(x);
-                        }
-                if (!no_chain)
-                        X509_STORE_CTX_cleanup(&xs_ctx);
-                }
-        /* Thawte special :-) */
-        if (s->ctx->extra_certs != NULL)
-        for (i=0; i<sk_X509_num(s->ctx->extra_certs); i++)
-                {
-                x=sk_X509_value(s->ctx->extra_certs,i);
-                n=i2d_X509(x,NULL);
-                if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
-                        {
-                        SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
-                        return(0);
-                        }
-                p=(unsigned char *)&(buf->data[l]);
-                l2n3(n,p);
-                i2d_X509(x,&p);
-                l+=n+3;
-                }
-        l-=7;
-        p=(unsigned char *)&(buf->data[4]);
-        l2n3(l,p);
-        l+=3;
-        p=(unsigned char *)&(buf->data[0]);
-        *(p++)=SSL3_MT_CERTIFICATE;
-        l2n3(l,p);
-        l+=4;
-        return(l);
-        }
-/* Obtain handshake message of message type 'mt' (any if mt == -1),
- * maximum acceptable body length 'max'.
- * The first four bytes (msg_type and length) are read in state 'st1',
- * the body is read in state 'stn'.
- */
-long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
-        {
-        unsigned char *p;
-        unsigned long l;
-        long n;
-        int i,al;
-        if (s->s3->tmp.reuse_message)
-                {
-                s->s3->tmp.reuse_message=0;
-                if ((mt >= 0) && (s->s3->tmp.message_type != mt))
-                        {
-                        al=SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
-                        goto f_err;
-                        }
-                *ok=1;
-                s->init_msg = s->init_buf->data + 4;
-                s->init_num = (int)s->s3->tmp.message_size;
-                return s->init_num;
-                }
-        p=(unsigned char *)s->init_buf->data;
-        if (s->state == st1) /* s->init_num < 4 */
-                {
-                int skip_message;
-                do
-                        {
-                        while (s->init_num < 4)
-                                {
-                                i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],
-                                        4 - s->init_num, 0);
-                                if (i <= 0)
-                                        {
-                                        s->rwstate=SSL_READING;
-                                        *ok = 0;
-                                        return i;
-                                        }
-                                s->init_num+=i;
-                                }
-                        
-                        skip_message = 0;
-                        if (!s->server)
-                                if (p[0] == SSL3_MT_HELLO_REQUEST)
-                                        /* The server may always send 'Hello Request' messages --
-                                         * we are doing a handshake anyway now, so ignore them
-                                         * if their format is correct. Does not count for
-                                         * 'Finished' MAC. */
-                                        if (p[1] == 0 && p[2] == 0 &&p[3] == 0)
-                                                {
-                                                s->init_num = 0;
-                                                skip_message = 1;
-                                                if (s->msg_callback)
-                                                        s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, 4, s, s->msg_callback_arg);
-                                                }
-                        }
-                while (skip_message);
-                /* s->init_num == 4 */
-                if ((mt >= 0) && (*p != mt))
-                        {
-                        al=SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
-                        goto f_err;
-                        }
-                if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) &&
-                                        (st1 == SSL3_ST_SR_CERT_A) &&
-                                        (stn == SSL3_ST_SR_CERT_B))
-                        {
-                        /* At this point we have got an MS SGC second client
-                         * hello (maybe we should always allow the client to
-                         * start a new handshake?). We need to restart the mac.
-                         * Don't increment {num,total}_renegotiations because
-                         * we have not completed the handshake. */
-                        ssl3_init_finished_mac(s);
-                        }
-                s->s3->tmp.message_type= *(p++);
-                n2l3(p,l);
-                if (l > (unsigned long)max)
-                        {
-                        al=SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
-                        goto f_err;
-                        }
-                if (l > (INT_MAX-4)) /* BUF_MEM_grow takes an 'int' parameter */
-                        {
-                        al=SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
-                        goto f_err;
-                        }
-                if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
-                        goto err;
-                        }
-                s->s3->tmp.message_size=l;
-                s->state=stn;
-                s->init_msg = s->init_buf->data + 4;
-                s->init_num = 0;
-                }
-        /* next state (stn) */
-        p = s->init_msg;
-        n = s->s3->tmp.message_size - s->init_num;
-        while (n > 0)
-                {
-                i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0);
-                if (i <= 0)
-                        {
-                        s->rwstate=SSL_READING;
-                        *ok = 0;
-                        return i;
-                        }
-                s->init_num += i;
-                n -= i;
-                }
-        ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
-        if (s->msg_callback)
-                s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg);
-        *ok=1;
-        return s->init_num;
-f_err:
-        ssl3_send_alert(s,SSL3_AL_FATAL,al);
-err:
-        *ok=0;
-        return(-1);
-        }
-int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
-        {
-        EVP_PKEY *pk;
-        int ret= -1,i,j;
-        if (pkey == NULL)
-                pk=X509_get_pubkey(x);
-        else
-                pk=pkey;
-        if (pk == NULL) goto err;
-        i=pk->type;
-        if (i == EVP_PKEY_RSA)
-                {
-                ret=SSL_PKEY_RSA_ENC;
-                if (x != NULL)
-                        {
-                        j=X509_get_ext_count(x);
-                        /* check to see if this is a signing only certificate */
-                        /* EAY EAY EAY EAY */
-                        }
-                }
-        else if (i == EVP_PKEY_DSA)
-                {
-                ret=SSL_PKEY_DSA_SIGN;
-                }
-        else if (i == EVP_PKEY_DH)
-                {
-                /* if we just have a key, we needs to be guess */
-                if (x == NULL)
-                        ret=SSL_PKEY_DH_DSA;
-                else
-                        {
-                        j=X509_get_signature_type(x);
-                        if (j == EVP_PKEY_RSA)
-                                ret=SSL_PKEY_DH_RSA;
-                        else if (j== EVP_PKEY_DSA)
-                                ret=SSL_PKEY_DH_DSA;
-                        else ret= -1;
-                        }
-                }
-        else
-                ret= -1;
-err:
-        if(!pkey) EVP_PKEY_free(pk);
-        return(ret);
-        }
-int ssl_verify_alarm_type(long type)
-        {
-        int al;
-        switch(type)
-                {
-        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-        case X509_V_ERR_UNABLE_TO_GET_CRL:
-        case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
-                al=SSL_AD_UNKNOWN_CA;
-                break;
-        case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
-        case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
-        case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
-        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-        case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
-        case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
-        case X509_V_ERR_CERT_NOT_YET_VALID:
-        case X509_V_ERR_CRL_NOT_YET_VALID:
-        case X509_V_ERR_CERT_UNTRUSTED:
-        case X509_V_ERR_CERT_REJECTED:
-                al=SSL_AD_BAD_CERTIFICATE;
-                break;
-        case X509_V_ERR_CERT_SIGNATURE_FAILURE:
-        case X509_V_ERR_CRL_SIGNATURE_FAILURE:
-                al=SSL_AD_DECRYPT_ERROR;
-                break;
-        case X509_V_ERR_CERT_HAS_EXPIRED:
-        case X509_V_ERR_CRL_HAS_EXPIRED:
-                al=SSL_AD_CERTIFICATE_EXPIRED;
-                break;
-        case X509_V_ERR_CERT_REVOKED:
-                al=SSL_AD_CERTIFICATE_REVOKED;
-                break;
-        case X509_V_ERR_OUT_OF_MEM:
-                al=SSL_AD_INTERNAL_ERROR;
-                break;
-        case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
-        case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
-        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
-        case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
-        case X509_V_ERR_CERT_CHAIN_TOO_LONG:
-        case X509_V_ERR_PATH_LENGTH_EXCEEDED:
-        case X509_V_ERR_INVALID_CA:
-                al=SSL_AD_UNKNOWN_CA;
-                break;
-        case X509_V_ERR_APPLICATION_VERIFICATION:
-                al=SSL_AD_HANDSHAKE_FAILURE;
-                break;
-        case X509_V_ERR_INVALID_PURPOSE:
-                al=SSL_AD_UNSUPPORTED_CERTIFICATE;
-                break;
-        default:
-                al=SSL_AD_CERTIFICATE_UNKNOWN;
-                break;
-                }
-        return(al);
-        }
-int ssl3_setup_buffers(SSL *s)
-        {
-        unsigned char *p;
-        unsigned int extra;
-        size_t len;
-        if (s->s3->rbuf.buf == NULL)
-                {
-                if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-                        extra=SSL3_RT_MAX_EXTRA;
-                else
-                        extra=0;
-                len = SSL3_RT_MAX_PACKET_SIZE + extra;
-                if ((p=OPENSSL_malloc(len)) == NULL)
-                        goto err;
-                s->s3->rbuf.buf = p;
-                s->s3->rbuf.len = len;
-                }
-        if (s->s3->wbuf.buf == NULL)
-                {
-                len = SSL3_RT_MAX_PACKET_SIZE;
-                len += SSL3_RT_HEADER_LENGTH + 256; /* extra space for empty fragment */
-                if ((p=OPENSSL_malloc(len)) == NULL)
-                        goto err;
-                s->s3->wbuf.buf = p;
-                s->s3->wbuf.len = len;
-                }
-        s->packet= &(s->s3->rbuf.buf[0]);
-        return(1);
-err:
-        SSLerr(SSL_F_SSL3_SETUP_BUFFERS,ERR_R_MALLOC_FAILURE);
-        return(0);
-        }
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
deleted file mode 100644
index 4163d97944..0000000000
--- a/src/lib/libssl/s3_clnt.c
+++ /dev/null
@@ -1,1985 +0,0 @@
-/* ssl/s3_clnt.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <stdio.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
-#include <openssl/buffer.h>
-#include <openssl/rand.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/md5.h>
-#include <openssl/fips.h>
-static SSL_METHOD *ssl3_get_client_method(int ver);
-static int ssl3_client_hello(SSL *s);
-static int ssl3_get_server_hello(SSL *s);
-static int ssl3_get_certificate_request(SSL *s);
-static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
-static int ssl3_get_server_done(SSL *s);
-static int ssl3_send_client_verify(SSL *s);
-static int ssl3_send_client_certificate(SSL *s);
-static int ssl3_send_client_key_exchange(SSL *s);
-static int ssl3_get_key_exchange(SSL *s);
-static int ssl3_get_server_certificate(SSL *s);
-static int ssl3_check_cert_and_algorithm(SSL *s);
-static SSL_METHOD *ssl3_get_client_method(int ver)
-        {
-        if (ver == SSL3_VERSION)
-                return(SSLv3_client_method());
-        else
-                return(NULL);
-        }
-SSL_METHOD *SSLv3_client_method(void)
-        {
-        static int init=1;
-        static SSL_METHOD SSLv3_client_data;
-        if (init)
-                {
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-                if (init)
-                        {
-                        memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
-                                sizeof(SSL_METHOD));
-                        SSLv3_client_data.ssl_connect=ssl3_connect;
-                        SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
-                        init=0;
-                        }
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-                }
-        return(&SSLv3_client_data);
-        }
-int ssl3_connect(SSL *s)
-        {
-        BUF_MEM *buf=NULL;
-        unsigned long Time=(unsigned long)time(NULL),l;
-        long num1;
-        void (*cb)(const SSL *ssl,int type,int val)=NULL;
-        int ret= -1;
-        int new_state,state,skip=0;
-        RAND_add(&Time,sizeof(Time),0);
-        ERR_clear_error();
-        clear_sys_error();
-        if (s->info_callback != NULL)
-                cb=s->info_callback;
-        else if (s->ctx->info_callback != NULL)
-                cb=s->ctx->info_callback;
-        
-        s->in_handshake++;
-        if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
-        for (;;)
-                {
-                state=s->state;
-                switch(s->state)
-                        {
-                case SSL_ST_RENEGOTIATE:
-                        s->new_session=1;
-                        s->state=SSL_ST_CONNECT;
-                        s->ctx->stats.sess_connect_renegotiate++;
-                        /* break */
-                case SSL_ST_BEFORE:
-                case SSL_ST_CONNECT:
-                case SSL_ST_BEFORE|SSL_ST_CONNECT:
-                case SSL_ST_OK|SSL_ST_CONNECT:
-                        s->server=0;
-                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
-                        if ((s->version & 0xff00 ) != 0x0300)
-                                {
-                                SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
-                                ret = -1;
-                                goto end;
-                                }
-                                
-                        /* s->version=SSL3_VERSION; */
-                        s->type=SSL_ST_CONNECT;
-                        if (s->init_buf == NULL)
-                                {
-                                if ((buf=BUF_MEM_new()) == NULL)
-                                        {
-                                        ret= -1;
-                                        goto end;
-                                        }
-                                if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
-                                        {
-                                        ret= -1;
-                                        goto end;
-                                        }
-                                s->init_buf=buf;
-                                buf=NULL;
-                                }
-                        if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
-                        /* setup buffing BIO */
-                        if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
-                        /* don't push the buffering BIO quite yet */
-                        ssl3_init_finished_mac(s);
-                        s->state=SSL3_ST_CW_CLNT_HELLO_A;
-                        s->ctx->stats.sess_connect++;
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_CW_CLNT_HELLO_A:
-                case SSL3_ST_CW_CLNT_HELLO_B:
-                        s->shutdown=0;
-                        ret=ssl3_client_hello(s);
-                        if (ret <= 0) goto end;
-                        s->state=SSL3_ST_CR_SRVR_HELLO_A;
-                        s->init_num=0;
-                        /* turn on buffering for the next lot of output */
-                        if (s->bbio != s->wbio)
-                                s->wbio=BIO_push(s->bbio,s->wbio);
-                        break;
-                case SSL3_ST_CR_SRVR_HELLO_A:
-                case SSL3_ST_CR_SRVR_HELLO_B:
-                        ret=ssl3_get_server_hello(s);
-                        if (ret <= 0) goto end;
-                        if (s->hit)
-                                s->state=SSL3_ST_CR_FINISHED_A;
-                        else
-                                s->state=SSL3_ST_CR_CERT_A;
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_CR_CERT_A:
-                case SSL3_ST_CR_CERT_B:
-                        /* Check if it is anon DH */
-                        if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
-                                {
-                                ret=ssl3_get_server_certificate(s);
-                                if (ret <= 0) goto end;
-                                }
-                        else
-                                skip=1;
-                        s->state=SSL3_ST_CR_KEY_EXCH_A;
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_CR_KEY_EXCH_A:
-                case SSL3_ST_CR_KEY_EXCH_B:
-                        ret=ssl3_get_key_exchange(s);
-                        if (ret <= 0) goto end;
-                        s->state=SSL3_ST_CR_CERT_REQ_A;
-                        s->init_num=0;
-                        /* at this point we check that we have the
-                         * required stuff from the server */
-                        if (!ssl3_check_cert_and_algorithm(s))
-                                {
-                                ret= -1;
-                                goto end;
-                                }
-                        break;
-                case SSL3_ST_CR_CERT_REQ_A:
-                case SSL3_ST_CR_CERT_REQ_B:
-                        ret=ssl3_get_certificate_request(s);
-                        if (ret <= 0) goto end;
-                        s->state=SSL3_ST_CR_SRVR_DONE_A;
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_CR_SRVR_DONE_A:
-                case SSL3_ST_CR_SRVR_DONE_B:
-                        ret=ssl3_get_server_done(s);
-                        if (ret <= 0) goto end;
-                        if (s->s3->tmp.cert_req)
-                                s->state=SSL3_ST_CW_CERT_A;
-                        else
-                                s->state=SSL3_ST_CW_KEY_EXCH_A;
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_CW_CERT_A:
-                case SSL3_ST_CW_CERT_B:
-                case SSL3_ST_CW_CERT_C:
-                case SSL3_ST_CW_CERT_D:
-                        ret=ssl3_send_client_certificate(s);
-                        if (ret <= 0) goto end;
-                        s->state=SSL3_ST_CW_KEY_EXCH_A;
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_CW_KEY_EXCH_A:
-                case SSL3_ST_CW_KEY_EXCH_B:
-                        ret=ssl3_send_client_key_exchange(s);
-                        if (ret <= 0) goto end;
-                        l=s->s3->tmp.new_cipher->algorithms;
-                        /* EAY EAY EAY need to check for DH fix cert
-                         * sent back */
-                        /* For TLS, cert_req is set to 2, so a cert chain
-                         * of nothing is sent, but no verify packet is sent */
-                        if (s->s3->tmp.cert_req == 1)
-                                {
-                                s->state=SSL3_ST_CW_CERT_VRFY_A;
-                                }
-                        else
-                                {
-                                s->state=SSL3_ST_CW_CHANGE_A;
-                                s->s3->change_cipher_spec=0;
-                                }
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_CW_CERT_VRFY_A:
-                case SSL3_ST_CW_CERT_VRFY_B:
-                        ret=ssl3_send_client_verify(s);
-                        if (ret <= 0) goto end;
-                        s->state=SSL3_ST_CW_CHANGE_A;
-                        s->init_num=0;
-                        s->s3->change_cipher_spec=0;
-                        break;
-                case SSL3_ST_CW_CHANGE_A:
-                case SSL3_ST_CW_CHANGE_B:
-                        ret=ssl3_send_change_cipher_spec(s,
-                                SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
-                        if (ret <= 0) goto end;
-                        s->state=SSL3_ST_CW_FINISHED_A;
-                        s->init_num=0;
-                        s->session->cipher=s->s3->tmp.new_cipher;
-                        if (s->s3->tmp.new_compression == NULL)
-                                s->session->compress_meth=0;
-                        else
-                                s->session->compress_meth=
-                                        s->s3->tmp.new_compression->id;
-                        if (!s->method->ssl3_enc->setup_key_block(s))
-                                {
-                                ret= -1;
-                                goto end;
-                                }
-                        if (!s->method->ssl3_enc->change_cipher_state(s,
-                                SSL3_CHANGE_CIPHER_CLIENT_WRITE))
-                                {
-                                ret= -1;
-                                goto end;
-                                }
-                        break;
-                case SSL3_ST_CW_FINISHED_A:
-                case SSL3_ST_CW_FINISHED_B:
-                        ret=ssl3_send_finished(s,
-                                SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
-                                s->method->ssl3_enc->client_finished_label,
-                                s->method->ssl3_enc->client_finished_label_len);
-                        if (ret <= 0) goto end;
-                        s->state=SSL3_ST_CW_FLUSH;
-                        /* clear flags */
-                        s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
-                        if (s->hit)
-                                {
-                                s->s3->tmp.next_state=SSL_ST_OK;
-                                if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
-                                        {
-                                        s->state=SSL_ST_OK;
-                                        s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
-                                        s->s3->delay_buf_pop_ret=0;
-                                        }
-                                }
-                        else
-                                {
-                                s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
-                                }
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_CR_FINISHED_A:
-                case SSL3_ST_CR_FINISHED_B:
-                        ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
-                                SSL3_ST_CR_FINISHED_B);
-                        if (ret <= 0) goto end;
-                        if (s->hit)
-                                s->state=SSL3_ST_CW_CHANGE_A;
-                        else
-                                s->state=SSL_ST_OK;
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_CW_FLUSH:
-                        /* number of bytes to be flushed */
-                        num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
-                        if (num1 > 0)
-                                {
-                                s->rwstate=SSL_WRITING;
-                                num1=BIO_flush(s->wbio);
-                                if (num1 <= 0) { ret= -1; goto end; }
-                                s->rwstate=SSL_NOTHING;
-                                }
-                        s->state=s->s3->tmp.next_state;
-                        break;
-                case SSL_ST_OK:
-                        /* clean a few things up */
-                        ssl3_cleanup_key_block(s);
-                        if (s->init_buf != NULL)
-                                {
-                                BUF_MEM_free(s->init_buf);
-                                s->init_buf=NULL;
-                                }
-                        /* If we are not 'joining' the last two packets,
-                         * remove the buffering now */
-                        if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
-                                ssl_free_wbio_buffer(s);
-                        /* else do it later in ssl3_write */
-                        s->init_num=0;
-                        s->new_session=0;
-                        ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
-                        if (s->hit) s->ctx->stats.sess_hit++;
-                        ret=1;
-                        /* s->server=0; */
-                        s->handshake_func=ssl3_connect;
-                        s->ctx->stats.sess_connect_good++;
-                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
-                        goto end;
-                        /* break; */
-                        
-                default:
-                        SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
-                        ret= -1;
-                        goto end;
-                        /* break; */
-                        }
-                /* did we do anything */
-                if (!s->s3->tmp.reuse_message && !skip)
-                        {
-                        if (s->debug)
-                                {
-                                if ((ret=BIO_flush(s->wbio)) <= 0)
-                                        goto end;
-                                }
-                        if ((cb != NULL) && (s->state != state))
-                                {
-                                new_state=s->state;
-                                s->state=state;
-                                cb(s,SSL_CB_CONNECT_LOOP,1);
-                                s->state=new_state;
-                                }
-                        }
-                skip=0;
-                }
-end:
-        s->in_handshake--;
-        if (buf != NULL)
-                BUF_MEM_free(buf);
-        if (cb != NULL)
-                cb(s,SSL_CB_CONNECT_EXIT,ret);
-        return(ret);
-        }
-static int ssl3_client_hello(SSL *s)
-        {
-        unsigned char *buf;
-        unsigned char *p,*d;
-        int i,j;
-        unsigned long Time,l;
-        SSL_COMP *comp;
-        buf=(unsigned char *)s->init_buf->data;
-        if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
-                {
-                if ((s->session == NULL) ||
-                        (s->session->ssl_version != s->version) ||
-                        (s->session->not_resumable))
-                        {
-                        if (!ssl_get_new_session(s,0))
-                                goto err;
-                        }
-                /* else use the pre-loaded session */
-                p=s->s3->client_random;
-                Time=(unsigned long)time(NULL);                 /* Time */
-                l2n(Time,p);
-                if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
-                    goto err;
-                /* Do the message type and length last */
-                d=p= &(buf[4]);
-                *(p++)=s->version>>8;
-                *(p++)=s->version&0xff;
-                s->client_version=s->version;
-                /* Random stuff */
-                memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
-                p+=SSL3_RANDOM_SIZE;
-                /* Session ID */
-                if (s->new_session)
-                        i=0;
-                else
-                        i=s->session->session_id_length;
-                *(p++)=i;
-                if (i != 0)
-                        {
-                        if (i > sizeof s->session->session_id)
-                                {
-                                SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
-                                goto err;
-                                }
-                        memcpy(p,s->session->session_id,i);
-                        p+=i;
-                        }
-                
-                /* Ciphers supported */
-                i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
-                if (i == 0)
-                        {
-                        SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
-                        goto err;
-                        }
-                s2n(i,p);
-                p+=i;
-                /* COMPRESSION */
-                if (s->ctx->comp_methods == NULL)
-                        j=0;
-                else
-                        j=sk_SSL_COMP_num(s->ctx->comp_methods);
-                *(p++)=1+j;
-                for (i=0; i<j; i++)
-                        {
-                        comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
-                        *(p++)=comp->id;
-                        }
-                *(p++)=0; /* Add the NULL method */
-                
-                l=(p-d);
-                d=buf;
-                *(d++)=SSL3_MT_CLIENT_HELLO;
-                l2n3(l,d);
-                s->state=SSL3_ST_CW_CLNT_HELLO_B;
-                /* number of bytes to write */
-                s->init_num=p-buf;
-                s->init_off=0;
-                }
-        /* SSL3_ST_CW_CLNT_HELLO_B */
-        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
-err:
-        return(-1);
-        }
-static int ssl3_get_server_hello(SSL *s)
-        {
-        STACK_OF(SSL_CIPHER) *sk;
-        SSL_CIPHER *c;
-        unsigned char *p,*d;
-        int i,al,ok;
-        unsigned int j;
-        long n;
-        SSL_COMP *comp;
-        n=ssl3_get_message(s,
-                SSL3_ST_CR_SRVR_HELLO_A,
-                SSL3_ST_CR_SRVR_HELLO_B,
-                SSL3_MT_SERVER_HELLO,
-                300, /* ?? */
-                &ok);
-        if (!ok) return((int)n);
-        d=p=(unsigned char *)s->init_msg;
-        if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
-                {
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
-                s->version=(s->version&0xff00)|p[1];
-                al=SSL_AD_PROTOCOL_VERSION;
-                goto f_err;
-                }
-        p+=2;
-        /* load the server hello data */
-        /* load the server random */
-        memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
-        p+=SSL3_RANDOM_SIZE;
-        /* get the session-id */
-        j= *(p++);
-        if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
-                {
-                al=SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
-                goto f_err;
-                }
-        if (j != 0 && j == s->session->session_id_length
-            && memcmp(p,s->session->session_id,j) == 0)
-            {
-            if(s->sid_ctx_length != s->session->sid_ctx_length
-               || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
-                {
-                /* actually a client application bug */
-                al=SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
-                goto f_err;
-                }
-            s->hit=1;
-            }
-        else    /* a miss or crap from the other end */
-                {
-                /* If we were trying for session-id reuse, make a new
-                 * SSL_SESSION so we don't stuff up other people */
-                s->hit=0;
-                if (s->session->session_id_length > 0)
-                        {
-                        if (!ssl_get_new_session(s,0))
-                                {
-                                al=SSL_AD_INTERNAL_ERROR;
-                                goto f_err;
-                                }
-                        }
-                s->session->session_id_length=j;
-                memcpy(s->session->session_id,p,j); /* j could be 0 */
-                }
-        p+=j;
-        c=ssl_get_cipher_by_char(s,p);
-        if (c == NULL)
-                {
-                /* unknown cipher */
-                al=SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
-                goto f_err;
-                }
-        p+=ssl_put_cipher_by_char(s,NULL,NULL);
-        sk=ssl_get_ciphers_by_id(s);
-        i=sk_SSL_CIPHER_find(sk,c);
-        if (i < 0)
-                {
-                /* we did not say we would use this cipher */
-                al=SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
-                goto f_err;
-                }
-        /* Depending on the session caching (internal/external), the cipher
-           and/or cipher_id values may not be set. Make sure that
-           cipher_id is set and use it for comparison. */
-        if (s->session->cipher)
-                s->session->cipher_id = s->session->cipher->id;
-        if (s->hit && (s->session->cipher_id != c->id))
-                {
-                if (!(s->options &
-                        SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
-                        {
-                        al=SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
-                        goto f_err;
-                        }
-                }
-        s->s3->tmp.new_cipher=c;
-        /* lets get the compression algorithm */
-        /* COMPRESSION */
-        j= *(p++);
-        if (j == 0)
-                comp=NULL;
-        else
-                comp=ssl3_comp_find(s->ctx->comp_methods,j);
-        
-        if ((j != 0) && (comp == NULL))
-                {
-                al=SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
-                goto f_err;
-                }
-        else
-                {
-                s->s3->tmp.new_compression=comp;
-                }
-        if (p != (d+n))
-                {
-                /* wrong packet length */
-                al=SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
-                goto err;
-                }
-        return(1);
-f_err:
-        ssl3_send_alert(s,SSL3_AL_FATAL,al);
-err:
-        return(-1);
-        }
-static int ssl3_get_server_certificate(SSL *s)
-        {
-        int al,i,ok,ret= -1;
-        unsigned long n,nc,llen,l;
-        X509 *x=NULL;
-        unsigned char *p,*d,*q;
-        STACK_OF(X509) *sk=NULL;
-        SESS_CERT *sc;
-        EVP_PKEY *pkey=NULL;
-        int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
-        n=ssl3_get_message(s,
-                SSL3_ST_CR_CERT_A,
-                SSL3_ST_CR_CERT_B,
-                -1,
-                s->max_cert_list,
-                &ok);
-        if (!ok) return((int)n);
-        if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
-                {
-                s->s3->tmp.reuse_message=1;
-                return(1);
-                }
-        if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
-                {
-                al=SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
-                goto f_err;
-                }
-        d=p=(unsigned char *)s->init_msg;
-        if ((sk=sk_X509_new_null()) == NULL)
-                {
-                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
-                goto err;
-                }
-        n2l3(p,llen);
-        if (llen+3 != n)
-                {
-                al=SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
-                goto f_err;
-                }
-        for (nc=0; nc<llen; )
-                {
-                n2l3(p,l);
-                if ((l+nc+3) > llen)
-                        {
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
-                        goto f_err;
-                        }
-                q=p;
-                x=d2i_X509(NULL,&q,l);
-                if (x == NULL)
-                        {
-                        al=SSL_AD_BAD_CERTIFICATE;
-                        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
-                        goto f_err;
-                        }
-                if (q != (p+l))
-                        {
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
-                        goto f_err;
-                        }
-                if (!sk_X509_push(sk,x))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
-                        goto err;
-                        }
-                x=NULL;
-                nc+=l+3;
-                p=q;
-                }
-        i=ssl_verify_cert_chain(s,sk);
-        if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
-#ifndef OPENSSL_NO_KRB5
-                && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
-                != (SSL_aKRB5|SSL_kKRB5)
-#endif /* OPENSSL_NO_KRB5 */
-                )
-                {
-                al=ssl_verify_alarm_type(s->verify_result);
-                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
-                goto f_err; 
-                }
-        ERR_clear_error(); /* but we keep s->verify_result */
-        sc=ssl_sess_cert_new();
-        if (sc == NULL) goto err;
-        if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
-        s->session->sess_cert=sc;
-        sc->cert_chain=sk;
-        /* Inconsistency alert: cert_chain does include the peer's
-         * certificate, which we don't include in s3_srvr.c */
-        x=sk_X509_value(sk,0);
-        sk=NULL;
-        /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
-        pkey=X509_get_pubkey(x);
-        /* VRS: allow null cert if auth == KRB5 */
-        need_cert =     ((s->s3->tmp.new_cipher->algorithms
-                        & (SSL_MKEY_MASK|SSL_AUTH_MASK))
-                        == (SSL_aKRB5|SSL_kKRB5))? 0: 1;
-#ifdef KSSL_DEBUG
-        printf("pkey,x = %p, %p\n", pkey,x);
-        printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
-        printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
-                s->s3->tmp.new_cipher->algorithms, need_cert);
-#endif    /* KSSL_DEBUG */
-        if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
-                {
-                x=NULL;
-                al=SSL3_AL_FATAL;
-                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
-                        SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
-                goto f_err;
-                }
-        i=ssl_cert_type(x,pkey);
-        if (need_cert && i < 0)
-                {
-                x=NULL;
-                al=SSL3_AL_FATAL;
-                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
-                        SSL_R_UNKNOWN_CERTIFICATE_TYPE);
-                goto f_err;
-                }
-        if (need_cert)
-                {
-                sc->peer_cert_type=i;
-                CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
-                /* Why would the following ever happen?
-                 * We just created sc a couple of lines ago. */
-                if (sc->peer_pkeys[i].x509 != NULL)
-                        X509_free(sc->peer_pkeys[i].x509);
-                sc->peer_pkeys[i].x509=x;
-                sc->peer_key= &(sc->peer_pkeys[i]);
-                if (s->session->peer != NULL)
-                        X509_free(s->session->peer);
-                CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
-                s->session->peer=x;
-                }
-        else
-                {
-                sc->peer_cert_type=i;
-                sc->peer_key= NULL;
-                if (s->session->peer != NULL)
-                        X509_free(s->session->peer);
-                s->session->peer=NULL;
-                }
-        s->session->verify_result = s->verify_result;
-        x=NULL;
-        ret=1;
-        if (0)
-                {
-f_err:
-                ssl3_send_alert(s,SSL3_AL_FATAL,al);
-                }
-err:
-        EVP_PKEY_free(pkey);
-        X509_free(x);
-        sk_X509_pop_free(sk,X509_free);
-        return(ret);
-        }
-static int ssl3_get_key_exchange(SSL *s)
-        {
-#ifndef OPENSSL_NO_RSA
-        unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
-#endif
-        EVP_MD_CTX md_ctx;
-        unsigned char *param,*p;
-        int al,i,j,param_len,ok;
-        long n,alg;
-        EVP_PKEY *pkey=NULL;
-#ifndef OPENSSL_NO_RSA
-        RSA *rsa=NULL;
-#endif
-#ifndef OPENSSL_NO_DH
-        DH *dh=NULL;
-#endif
-        /* use same message size as in ssl3_get_certificate_request()
-         * as ServerKeyExchange message may be skipped */
-        n=ssl3_get_message(s,
-                SSL3_ST_CR_KEY_EXCH_A,
-                SSL3_ST_CR_KEY_EXCH_B,
-                -1,
-                s->max_cert_list,
-                &ok);
-        if (!ok) return((int)n);
-        if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
-                {
-                s->s3->tmp.reuse_message=1;
-                return(1);
-                }
-        param=p=(unsigned char *)s->init_msg;
-        if (s->session->sess_cert != NULL)
-                {
-#ifndef OPENSSL_NO_RSA
-                if (s->session->sess_cert->peer_rsa_tmp != NULL)
-                        {
-                        RSA_free(s->session->sess_cert->peer_rsa_tmp);
-                        s->session->sess_cert->peer_rsa_tmp=NULL;
-                        }
-#endif
-#ifndef OPENSSL_NO_DH
-                if (s->session->sess_cert->peer_dh_tmp)
-                        {
-                        DH_free(s->session->sess_cert->peer_dh_tmp);
-                        s->session->sess_cert->peer_dh_tmp=NULL;
-                        }
-#endif
-                }
-        else
-                {
-                s->session->sess_cert=ssl_sess_cert_new();
-                }
-        param_len=0;
-        alg=s->s3->tmp.new_cipher->algorithms;
-        EVP_MD_CTX_init(&md_ctx);
-#ifndef OPENSSL_NO_RSA
-        if (alg & SSL_kRSA)
-                {
-                if ((rsa=RSA_new()) == NULL)
-                        {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
-                        goto err;
-                        }
-                n2s(p,i);
-                param_len=i+2;
-                if (param_len > n)
-                        {
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
-                        goto f_err;
-                        }
-                if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
-                        goto err;
-                        }
-                p+=i;
-                n2s(p,i);
-                param_len+=i+2;
-                if (param_len > n)
-                        {
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
-                        goto f_err;
-                        }
-                if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
-                        goto err;
-                        }
-                p+=i;
-                n-=param_len;
-                /* this should be because we are using an export cipher */
-                if (alg & SSL_aRSA)
-                        pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
-                else
-                        {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
-                        goto err;
-                        }
-                s->session->sess_cert->peer_rsa_tmp=rsa;
-                rsa=NULL;
-                }
-#else /* OPENSSL_NO_RSA */
-        if (0)
-                ;
-#endif
-#ifndef OPENSSL_NO_DH
-        else if (alg & SSL_kEDH)
-                {
-                if ((dh=DH_new()) == NULL)
-                        {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
-                        goto err;
-                        }
-                n2s(p,i);
-                param_len=i+2;
-                if (param_len > n)
-                        {
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
-                        goto f_err;
-                        }
-                if (!(dh->p=BN_bin2bn(p,i,NULL)))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
-                        goto err;
-                        }
-                p+=i;
-                n2s(p,i);
-                param_len+=i+2;
-                if (param_len > n)
-                        {
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
-                        goto f_err;
-                        }
-                if (!(dh->g=BN_bin2bn(p,i,NULL)))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
-                        goto err;
-                        }
-                p+=i;
-                n2s(p,i);
-                param_len+=i+2;
-                if (param_len > n)
-                        {
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
-                        goto f_err;
-                        }
-                if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
-                        goto err;
-                        }
-                p+=i;
-                n-=param_len;
-#ifndef OPENSSL_NO_RSA
-                if (alg & SSL_aRSA)
-                        pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
-#else
-                if (0)
-                        ;
-#endif
-#ifndef OPENSSL_NO_DSA
-                else if (alg & SSL_aDSS)
-                        pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
-#endif
-                /* else anonymous DH, so no certificate or pkey. */
-                s->session->sess_cert->peer_dh_tmp=dh;
-                dh=NULL;
-                }
-        else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
-                {
-                al=SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
-                goto f_err;
-                }
-#endif /* !OPENSSL_NO_DH */
-        if (alg & SSL_aFZA)
-                {
-                al=SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
-                goto f_err;
-                }
-        /* p points to the next byte, there are 'n' bytes left */
-        /* if it was signed, check the signature */
-        if (pkey != NULL)
-                {
-                n2s(p,i);
-                n-=2;
-                j=EVP_PKEY_size(pkey);
-                if ((i != n) || (n > j) || (n <= 0))
-                        {
-                        /* wrong packet length */
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
-                        goto f_err;
-                        }
-#ifndef OPENSSL_NO_RSA
-                if (pkey->type == EVP_PKEY_RSA)
-                        {
-                        int num;
-                        j=0;
-                        q=md_buf;
-                        for (num=2; num > 0; num--)
-                                {
-                                EVP_MD_CTX_set_flags(&md_ctx,
-                                        EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-                                EVP_DigestInit_ex(&md_ctx,(num == 2)
-                                        ?s->ctx->md5:s->ctx->sha1, NULL);
-                                EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
-                                EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
-                                EVP_DigestUpdate(&md_ctx,param,param_len);
-                                
-                                EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
-                                q+=i;
-                                j+=i;
-                                }
-                        i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
-                                                                pkey->pkey.rsa);
-                        if (i < 0)
-                                {
-                                al=SSL_AD_DECRYPT_ERROR;
-                                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
-                                goto f_err;
-                                }
-                        if (i == 0)
-                                {
-                                /* bad signature */
-                                al=SSL_AD_DECRYPT_ERROR;
-                                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
-                                goto f_err;
-                                }
-                        }
-                else
-#endif
-#ifndef OPENSSL_NO_DSA
-                        if (pkey->type == EVP_PKEY_DSA)
-                        {
-                        /* lets do DSS */
-                        EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
-                        EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
-                        EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
-                        EVP_VerifyUpdate(&md_ctx,param,param_len);
-                        if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
-                                {
-                                /* bad signature */
-                                al=SSL_AD_DECRYPT_ERROR;
-                                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
-                                goto f_err;
-                                }
-                        }
-                else
-#endif
-                        {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
-                        goto err;
-                        }
-                }
-        else
-                {
-                /* still data left over */
-                if (!(alg & SSL_aNULL))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
-                        goto err;
-                        }
-                if (n != 0)
-                        {
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
-                        goto f_err;
-                        }
-                }
-        EVP_PKEY_free(pkey);
-        EVP_MD_CTX_cleanup(&md_ctx);
-        return(1);
-f_err:
-        ssl3_send_alert(s,SSL3_AL_FATAL,al);
-err:
-        EVP_PKEY_free(pkey);
-#ifndef OPENSSL_NO_RSA
-        if (rsa != NULL)
-                RSA_free(rsa);
-#endif
-#ifndef OPENSSL_NO_DH
-        if (dh != NULL)
-                DH_free(dh);
-#endif
-        EVP_MD_CTX_cleanup(&md_ctx);
-        return(-1);
-        }
-static int ssl3_get_certificate_request(SSL *s)
-        {
-        int ok,ret=0;
-        unsigned long n,nc,l;
-        unsigned int llen,ctype_num,i;
-        X509_NAME *xn=NULL;
-        unsigned char *p,*d,*q;
-        STACK_OF(X509_NAME) *ca_sk=NULL;
-        n=ssl3_get_message(s,
-                SSL3_ST_CR_CERT_REQ_A,
-                SSL3_ST_CR_CERT_REQ_B,
-                -1,
-                s->max_cert_list,
-                &ok);
-        if (!ok) return((int)n);
-        s->s3->tmp.cert_req=0;
-        if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
-                {
-                s->s3->tmp.reuse_message=1;
-                return(1);
-                }
-        if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
-                {
-                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
-                goto err;
-                }
-        /* TLS does not like anon-DH with client cert */
-        if (s->version > SSL3_VERSION)
-                {
-                l=s->s3->tmp.new_cipher->algorithms;
-                if (l & SSL_aNULL)
-                        {
-                        ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
-                        goto err;
-                        }
-                }
-        d=p=(unsigned char *)s->init_msg;
-        if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
-                {
-                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
-                goto err;
-                }
-        /* get the certificate types */
-        ctype_num= *(p++);
-        if (ctype_num > SSL3_CT_NUMBER)
-                ctype_num=SSL3_CT_NUMBER;
-        for (i=0; i<ctype_num; i++)
-                s->s3->tmp.ctype[i]= p[i];
-        p+=ctype_num;
-        /* get the CA RDNs */
-        n2s(p,llen);
-#if 0
-{
-FILE *out;
-out=fopen("/tmp/vsign.der","w");
-fwrite(p,1,llen,out);
-fclose(out);
-}
-#endif
-        if ((llen+ctype_num+2+1) != n)
-                {
-                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
-                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
-                goto err;
-                }
-        for (nc=0; nc<llen; )
-                {
-                n2s(p,l);
-                if ((l+nc+2) > llen)
-                        {
-                        if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
-                                goto cont; /* netscape bugs */
-                        ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
-                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
-                        goto err;
-                        }
-                q=p;
-                if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
-                        {
-                        /* If netscape tolerance is on, ignore errors */
-                        if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
-                                goto cont;
-                        else
-                                {
-                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
-                                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
-                                goto err;
-                                }
-                        }
-                if (q != (p+l))
-                        {
-                        ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
-                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
-                        goto err;
-                        }
-                if (!sk_X509_NAME_push(ca_sk,xn))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
-                        goto err;
-                        }
-                p+=l;
-                nc+=l+2;
-                }
-        if (0)
-                {
-cont:
-                ERR_clear_error();
-                }
-        /* we should setup a certificate to return.... */
-        s->s3->tmp.cert_req=1;
-        s->s3->tmp.ctype_num=ctype_num;
-        if (s->s3->tmp.ca_names != NULL)
-                sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
-        s->s3->tmp.ca_names=ca_sk;
-        ca_sk=NULL;
-        ret=1;
-err:
-        if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
-        return(ret);
-        }
-static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
-        {
-        return(X509_NAME_cmp(*a,*b));
-        }
-static int ssl3_get_server_done(SSL *s)
-        {
-        int ok,ret=0;
-        long n;
-        n=ssl3_get_message(s,
-                SSL3_ST_CR_SRVR_DONE_A,
-                SSL3_ST_CR_SRVR_DONE_B,
-                SSL3_MT_SERVER_DONE,
-                30, /* should be very small, like 0 :-) */
-                &ok);
-        if (!ok) return((int)n);
-        if (n > 0)
-                {
-                /* should contain no data */
-                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
-                SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
-                return -1;
-                }
-        ret=1;
-        return(ret);
-        }
-static int ssl3_send_client_key_exchange(SSL *s)
-        {
-        unsigned char *p,*d;
-        int n;
-        unsigned long l;
-#ifndef OPENSSL_NO_RSA
-        unsigned char *q;
-        EVP_PKEY *pkey=NULL;
-#endif
-#ifndef OPENSSL_NO_KRB5
-        KSSL_ERR kssl_err;
-#endif /* OPENSSL_NO_KRB5 */
-        if (s->state == SSL3_ST_CW_KEY_EXCH_A)
-                {
-                d=(unsigned char *)s->init_buf->data;
-                p= &(d[4]);
-                l=s->s3->tmp.new_cipher->algorithms;
-                /* Fool emacs indentation */
-                if (0) {}
-#ifndef OPENSSL_NO_RSA
-                else if (l & SSL_kRSA)
-                        {
-                        RSA *rsa;
-                        unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-                        if (s->session->sess_cert->peer_rsa_tmp != NULL)
-                                rsa=s->session->sess_cert->peer_rsa_tmp;
-                        else
-                                {
-                                pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
-                                if ((pkey == NULL) ||
-                                        (pkey->type != EVP_PKEY_RSA) ||
-                                        (pkey->pkey.rsa == NULL))
-                                        {
-                                        SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
-                                        goto err;
-                                        }
-                                rsa=pkey->pkey.rsa;
-                                EVP_PKEY_free(pkey);
-                                }
-                                
-                        tmp_buf[0]=s->client_version>>8;
-                        tmp_buf[1]=s->client_version&0xff;
-                        if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
-                                        goto err;
-                        s->session->master_key_length=sizeof tmp_buf;
-                        q=p;
-                        /* Fix buf for TLS and beyond */
-                        if (s->version > SSL3_VERSION)
-                                p+=2;
-                        n=RSA_public_encrypt(sizeof tmp_buf,
-                                tmp_buf,p,rsa,RSA_PKCS1_PADDING);
-#ifdef PKCS1_CHECK
-                        if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
-                        if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
-#endif
-                        if (n <= 0)
-                                {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
-                                goto err;
-                                }
-                        /* Fix buf for TLS and beyond */
-                        if (s->version > SSL3_VERSION)
-                                {
-                                s2n(n,q);
-                                n+=2;
-                                }
-                        s->session->master_key_length=
-                                s->method->ssl3_enc->generate_master_secret(s,
-                                        s->session->master_key,
-                                        tmp_buf,sizeof tmp_buf);
-                        OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
-                        }
-#endif
-#ifndef OPENSSL_NO_KRB5
-                else if (l & SSL_kKRB5)
-                        {
-                        krb5_error_code krb5rc;
-                        KSSL_CTX        *kssl_ctx = s->kssl_ctx;
-                        /*  krb5_data   krb5_ap_req;  */
-                        krb5_data       *enc_ticket;
-                        krb5_data       authenticator, *authp = NULL;
-                        EVP_CIPHER_CTX  ciph_ctx;
-                        EVP_CIPHER      *enc = NULL;
-                        unsigned char   iv[EVP_MAX_IV_LENGTH];
-                        unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-                        unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH 
-                                                + EVP_MAX_IV_LENGTH];
-                        int             padl, outl = sizeof(epms);
-                        EVP_CIPHER_CTX_init(&ciph_ctx);
-#ifdef KSSL_DEBUG
-                        printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
-                                l, SSL_kKRB5);
-#endif  /* KSSL_DEBUG */
-                        authp = NULL;
-#ifdef KRB5SENDAUTH
-                        if (KRB5SENDAUTH)  authp = &authenticator;
-#endif  /* KRB5SENDAUTH */
-                        krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
-                                &kssl_err);
-                        enc = kssl_map_enc(kssl_ctx->enctype);
-                        if (enc == NULL)
-                            goto err;
-#ifdef KSSL_DEBUG
-                        {
-                        printf("kssl_cget_tkt rtn %d\n", krb5rc);
-                        if (krb5rc && kssl_err.text)
-                          printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
-                        }
-#endif  /* KSSL_DEBUG */
-                        if (krb5rc)
-                                {
-                                ssl3_send_alert(s,SSL3_AL_FATAL,
-                                                SSL_AD_HANDSHAKE_FAILURE);
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                                kssl_err.reason);
-                                goto err;
-                                }
-                        /*  20010406 VRS - Earlier versions used KRB5 AP_REQ
-                        **  in place of RFC 2712 KerberosWrapper, as in:
-                        **
-                        **  Send ticket (copy to *p, set n = length)
-                        **  n = krb5_ap_req.length;
-                        **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
-                        **  if (krb5_ap_req.data)  
-                        **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
-                        **
-                        **  Now using real RFC 2712 KerberosWrapper
-                        **  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
-                        **  Note: 2712 "opaque" types are here replaced
-                        **  with a 2-byte length followed by the value.
-                        **  Example:
-                        **  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
-                        **  Where "xx xx" = length bytes.  Shown here with
-                        **  optional authenticator omitted.
-                        */
-                        /*  KerberosWrapper.Ticket              */
-                        s2n(enc_ticket->length,p);
-                        memcpy(p, enc_ticket->data, enc_ticket->length);
-                        p+= enc_ticket->length;
-                        n = enc_ticket->length + 2;
-                        /*  KerberosWrapper.Authenticator       */
-                        if (authp  &&  authp->length)  
-                                {
-                                s2n(authp->length,p);
-                                memcpy(p, authp->data, authp->length);
-                                p+= authp->length;
-                                n+= authp->length + 2;
-                                
-                                free(authp->data);
-                                authp->data = NULL;
-                                authp->length = 0;
-                                }
-                        else
-                                {
-                                s2n(0,p);/*  null authenticator length  */
-                                n+=2;
-                                }
- 
-                        if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
-                            goto err;
-                        /*  20010420 VRS.  Tried it this way; failed.
-                        **      EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
-                        **      EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
-                        **                              kssl_ctx->length);
-                        **      EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
-                        */
-                        memset(iv, 0, sizeof iv);  /* per RFC 1510 */
-                        EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
-                                kssl_ctx->key,iv);
-                        EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
-                                sizeof tmp_buf);
-                        EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
-                        outl += padl;
-                        if (outl > sizeof epms)
-                                {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
-                                goto err;
-                                }
-                        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-                        /*  KerberosWrapper.EncryptedPreMasterSecret    */
-                        s2n(outl,p);
-                        memcpy(p, epms, outl);
-                        p+=outl;
-                        n+=outl + 2;
-                        s->session->master_key_length=
-                                s->method->ssl3_enc->generate_master_secret(s,
-                                        s->session->master_key,
-                                        tmp_buf, sizeof tmp_buf);
-                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
-                        OPENSSL_cleanse(epms, outl);
-                        }
-#endif
-#ifndef OPENSSL_NO_DH
-                else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
-                        {
-                        DH *dh_srvr,*dh_clnt;
-                        if (s->session->sess_cert->peer_dh_tmp != NULL)
-                                dh_srvr=s->session->sess_cert->peer_dh_tmp;
-                        else
-                                {
-                                /* we get them from the cert */
-                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
-                                goto err;
-                                }
-                        
-                        /* generate a new random key */
-                        if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
-                                {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
-                                goto err;
-                                }
-                        if (!DH_generate_key(dh_clnt))
-                                {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
-                                goto err;
-                                }
-                        /* use the 'p' output buffer for the DH key, but
-                         * make sure to clear it out afterwards */
-                        n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
-                        if (n <= 0)
-                                {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
-                                goto err;
-                                }
-                        /* generate master key from the result */
-                        s->session->master_key_length=
-                                s->method->ssl3_enc->generate_master_secret(s,
-                                        s->session->master_key,p,n);
-                        /* clean up */
-                        memset(p,0,n);
-                        /* send off the data */
-                        n=BN_num_bytes(dh_clnt->pub_key);
-                        s2n(n,p);
-                        BN_bn2bin(dh_clnt->pub_key,p);
-                        n+=2;
-                        DH_free(dh_clnt);
-                        /* perhaps clean things up a bit EAY EAY EAY EAY*/
-                        }
-#endif
-                else
-                        {
-                        ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
-                        SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
-                        goto err;
-                        }
-                
-                *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
-                l2n3(n,d);
-                s->state=SSL3_ST_CW_KEY_EXCH_B;
-                /* number of bytes to write */
-                s->init_num=n+4;
-                s->init_off=0;
-                }
-        /* SSL3_ST_CW_KEY_EXCH_B */
-        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
-err:
-        return(-1);
-        }
-static int ssl3_send_client_verify(SSL *s)
-        {
-        unsigned char *p,*d;
-        unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
-        EVP_PKEY *pkey;
-#ifndef OPENSSL_NO_RSA
-        unsigned u=0;
-#endif
-        unsigned long n;
-#ifndef OPENSSL_NO_DSA
-        int j;
-#endif
-        if (s->state == SSL3_ST_CW_CERT_VRFY_A)
-                {
-                d=(unsigned char *)s->init_buf->data;
-                p= &(d[4]);
-                pkey=s->cert->key->privatekey;
-                s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
-                        &(data[MD5_DIGEST_LENGTH]));
-#ifndef OPENSSL_NO_RSA
-                if (pkey->type == EVP_PKEY_RSA)
-                        {
-                        s->method->ssl3_enc->cert_verify_mac(s,
-                                &(s->s3->finish_dgst1),&(data[0]));
-                        if (RSA_sign(NID_md5_sha1, data,
-                                         MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
-                                        &(p[2]), &u, pkey->pkey.rsa) <= 0 )
-                                {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
-                                goto err;
-                                }
-                        s2n(u,p);
-                        n=u+2;
-                        }
-                else
-#endif
-#ifndef OPENSSL_NO_DSA
-                        if (pkey->type == EVP_PKEY_DSA)
-                        {
-                        if (!DSA_sign(pkey->save_type,
-                                &(data[MD5_DIGEST_LENGTH]),
-                                SHA_DIGEST_LENGTH,&(p[2]),
-                                (unsigned int *)&j,pkey->pkey.dsa))
-                                {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
-                                goto err;
-                                }
-                        s2n(j,p);
-                        n=j+2;
-                        }
-                else
-#endif
-                        {
-                        SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
-                        goto err;
-                        }
-                *(d++)=SSL3_MT_CERTIFICATE_VERIFY;
-                l2n3(n,d);
-                s->state=SSL3_ST_CW_CERT_VRFY_B;
-                s->init_num=(int)n+4;
-                s->init_off=0;
-                }
-        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
-err:
-        return(-1);
-        }
-static int ssl3_send_client_certificate(SSL *s)
-        {
-        X509 *x509=NULL;
-        EVP_PKEY *pkey=NULL;
-        int i;
-        unsigned long l;
-        if (s->state == SSL3_ST_CW_CERT_A)
-                {
-                if ((s->cert == NULL) ||
-                        (s->cert->key->x509 == NULL) ||
-                        (s->cert->key->privatekey == NULL))
-                        s->state=SSL3_ST_CW_CERT_B;
-                else
-                        s->state=SSL3_ST_CW_CERT_C;
-                }
-        /* We need to get a client cert */
-        if (s->state == SSL3_ST_CW_CERT_B)
-                {
-                /* If we get an error, we need to
-                 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
-                 * We then get retied later */
-                i=0;
-                if (s->ctx->client_cert_cb != NULL)
-                        i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
-                if (i < 0)
-                        {
-                        s->rwstate=SSL_X509_LOOKUP;
-                        return(-1);
-                        }
-                s->rwstate=SSL_NOTHING;
-                if ((i == 1) && (pkey != NULL) && (x509 != NULL))
-                        {
-                        s->state=SSL3_ST_CW_CERT_B;
-                        if (    !SSL_use_certificate(s,x509) ||
-                                !SSL_use_PrivateKey(s,pkey))
-                                i=0;
-                        }
-                else if (i == 1)
-                        {
-                        i=0;
-                        SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
-                        }
-                if (x509 != NULL) X509_free(x509);
-                if (pkey != NULL) EVP_PKEY_free(pkey);
-                if (i == 0)
-                        {
-                        if (s->version == SSL3_VERSION)
-                                {
-                                s->s3->tmp.cert_req=0;
-                                ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
-                                return(1);
-                                }
-                        else
-                                {
-                                s->s3->tmp.cert_req=2;
-                                }
-                        }
-                /* Ok, we have a cert */
-                s->state=SSL3_ST_CW_CERT_C;
-                }
-        if (s->state == SSL3_ST_CW_CERT_C)
-                {
-                s->state=SSL3_ST_CW_CERT_D;
-                l=ssl3_output_cert_chain(s,
-                        (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
-                s->init_num=(int)l;
-                s->init_off=0;
-                }
-        /* SSL3_ST_CW_CERT_D */
-        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
-        }
-#define has_bits(i,m)   (((i)&(m)) == (m))
-static int ssl3_check_cert_and_algorithm(SSL *s)
-        {
-        int i,idx;
-        long algs;
-        EVP_PKEY *pkey=NULL;
-        SESS_CERT *sc;
-#ifndef OPENSSL_NO_RSA
-        RSA *rsa;
-#endif
-#ifndef OPENSSL_NO_DH
-        DH *dh;
-#endif
-        sc=s->session->sess_cert;
-        if (sc == NULL)
-                {
-                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
-                goto err;
-                }
-        algs=s->s3->tmp.new_cipher->algorithms;
-        /* we don't have a certificate */
-        if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5))
-                return(1);
-#ifndef OPENSSL_NO_RSA
-        rsa=s->session->sess_cert->peer_rsa_tmp;
-#endif
-#ifndef OPENSSL_NO_DH
-        dh=s->session->sess_cert->peer_dh_tmp;
-#endif
-        /* This is the passed certificate */
-        idx=sc->peer_cert_type;
-        pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
-        i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
-        EVP_PKEY_free(pkey);
-        
-        /* Check that we have a certificate if we require one */
-        if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
-                {
-                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
-                goto f_err;
-                }
-#ifndef OPENSSL_NO_DSA
-        else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
-                {
-                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
-                goto f_err;
-                }
-#endif
-#ifndef OPENSSL_NO_RSA
-        if ((algs & SSL_kRSA) &&
-                !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
-                {
-                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
-                goto f_err;
-                }
-#endif
-#ifndef OPENSSL_NO_DH
-        if ((algs & SSL_kEDH) &&
-                !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
-                {
-                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
-                goto f_err;
-                }
-        else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
-                {
-                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
-                goto f_err;
-                }
-#ifndef OPENSSL_NO_DSA
-        else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
-                {
-                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
-                goto f_err;
-                }
-#endif
-#endif
-        if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
-                {
-#ifndef OPENSSL_NO_RSA
-                if (algs & SSL_kRSA)
-                        {
-                        if (rsa == NULL
-                            || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
-                                {
-                                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
-                                goto f_err;
-                                }
-                        }
-                else
-#endif
-#ifndef OPENSSL_NO_DH
-                        if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
-                            {
-                            if (dh == NULL
-                                || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
-                                {
-                                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
-                                goto f_err;
-                                }
-                        }
-                else
-#endif
-                        {
-                        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
-                        goto f_err;
-                        }
-                }
-        return(1);
-f_err:
-        ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
-err:
-        return(0);
-        }
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
deleted file mode 100644
index a77588e725..0000000000
--- a/src/lib/libssl/s3_lib.c
+++ /dev/null
@@ -1,1799 +0,0 @@
-/* ssl/s3_lib.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <stdio.h>
-#include <openssl/objects.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
-#include <openssl/md5.h>
-const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT;
-#define SSL3_NUM_CIPHERS        (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
-static long ssl3_default_timeout(void );
-OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
-/* The RSA ciphers */
-/* Cipher 01 */
-        {
-        1,
-        SSL3_TXT_RSA_NULL_MD5,
-        SSL3_CK_RSA_NULL_MD5,
-        SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_STRONG_NONE,
-        0,
-        0,
-        0,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 02 */
-        {
-        1,
-        SSL3_TXT_RSA_NULL_SHA,
-        SSL3_CK_RSA_NULL_SHA,
-        SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
-        0,
-        0,
-        0,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* anon DH */
-/* Cipher 17 */
-        {
-        1,
-        SSL3_TXT_ADH_RC4_40_MD5,
-        SSL3_CK_ADH_RC4_40_MD5,
-        SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
-        0,
-        40,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 18 */
-        {
-        1,
-        SSL3_TXT_ADH_RC4_128_MD5,
-        SSL3_CK_ADH_RC4_128_MD5,
-        SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_MEDIUM,
-        0,
-        128,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 19 */
-        {
-        1,
-        SSL3_TXT_ADH_DES_40_CBC_SHA,
-        SSL3_CK_ADH_DES_40_CBC_SHA,
-        SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
-        0,
-        40,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 1A */
-        {
-        1,
-        SSL3_TXT_ADH_DES_64_CBC_SHA,
-        SSL3_CK_ADH_DES_64_CBC_SHA,
-        SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
-        0,
-        56,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 1B */
-        {
-        1,
-        SSL3_TXT_ADH_DES_192_CBC_SHA,
-        SSL3_CK_ADH_DES_192_CBC_SHA,
-        SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-        0,
-        168,
-        168,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* RSA again */
-/* Cipher 03 */
-        {
-        1,
-        SSL3_TXT_RSA_RC4_40_MD5,
-        SSL3_CK_RSA_RC4_40_MD5,
-        SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
-        0,
-        40,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 04 */
-        {
-        1,
-        SSL3_TXT_RSA_RC4_128_MD5,
-        SSL3_CK_RSA_RC4_128_MD5,
-        SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_MEDIUM,
-        0,
-        128,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 05 */
-        {
-        1,
-        SSL3_TXT_RSA_RC4_128_SHA,
-        SSL3_CK_RSA_RC4_128_SHA,
-        SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_MEDIUM,
-        0,
-        128,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 06 */
-        {
-        1,
-        SSL3_TXT_RSA_RC2_40_MD5,
-        SSL3_CK_RSA_RC2_40_MD5,
-        SSL_kRSA|SSL_aRSA|SSL_RC2  |SSL_MD5 |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
-        0,
-        40,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 07 */
-#ifndef OPENSSL_NO_IDEA
-        {
-        1,
-        SSL3_TXT_RSA_IDEA_128_SHA,
-        SSL3_CK_RSA_IDEA_128_SHA,
-        SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_MEDIUM,
-        0,
-        128,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-#endif
-/* Cipher 08 */
-        {
-        1,
-        SSL3_TXT_RSA_DES_40_CBC_SHA,
-        SSL3_CK_RSA_DES_40_CBC_SHA,
-        SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
-        0,
-        40,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 09 */
-        {
-        1,
-        SSL3_TXT_RSA_DES_64_CBC_SHA,
-        SSL3_CK_RSA_DES_64_CBC_SHA,
-        SSL_kRSA|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
-        0,
-        56,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 0A */
-        {
-        1,
-        SSL3_TXT_RSA_DES_192_CBC3_SHA,
-        SSL3_CK_RSA_DES_192_CBC3_SHA,
-        SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-        0,
-        168,
-        168,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/*  The DH ciphers */
-/* Cipher 0B */
-        {
-        0,
-        SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
-        SSL3_CK_DH_DSS_DES_40_CBC_SHA,
-        SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
-        0,
-        40,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 0C */
-        {
-        0,
-        SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
-        SSL3_CK_DH_DSS_DES_64_CBC_SHA,
-        SSL_kDHd |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
-        0,
-        56,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 0D */
-        {
-        0,
-        SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
-        SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
-        SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-        0,
-        168,
-        168,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 0E */
-        {
-        0,
-        SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
-        SSL3_CK_DH_RSA_DES_40_CBC_SHA,
-        SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
-        0,
-        40,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 0F */
-        {
-        0,
-        SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
-        SSL3_CK_DH_RSA_DES_64_CBC_SHA,
-        SSL_kDHr |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
-        0,
-        56,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 10 */
-        {
-        0,
-        SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
-        SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
-        SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-        0,
-        168,
-        168,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* The Ephemeral DH ciphers */
-/* Cipher 11 */
-        {
-        1,
-        SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
-        SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
-        SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
-        0,
-        40,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 12 */
-        {
-        1,
-        SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
-        SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
-        SSL_kEDH|SSL_aDSS|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
-        0,
-        56,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 13 */
-        {
-        1,
-        SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
-        SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
-        SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-        0,
-        168,
-        168,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 14 */
-        {
-        1,
-        SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
-        SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
-        SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
-        0,
-        40,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 15 */
-        {
-        1,
-        SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
-        SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
-        SSL_kEDH|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
-        0,
-        56,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 16 */
-        {
-        1,
-        SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
-        SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
-        SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-        0,
-        168,
-        168,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Fortezza */
-/* Cipher 1C */
-        {
-        0,
-        SSL3_TXT_FZA_DMS_NULL_SHA,
-        SSL3_CK_FZA_DMS_NULL_SHA,
-        SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_STRONG_NONE,
-        0,
-        0,
-        0,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 1D */
-        {
-        0,
-        SSL3_TXT_FZA_DMS_FZA_SHA,
-        SSL3_CK_FZA_DMS_FZA_SHA,
-        SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_STRONG_NONE,
-        0,
-        0,
-        0,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-#if 0
-/* Cipher 1E */
-        {
-        0,
-        SSL3_TXT_FZA_DMS_RC4_SHA,
-        SSL3_CK_FZA_DMS_RC4_SHA,
-        SSL_kFZA|SSL_aFZA |SSL_RC4  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_MEDIUM,
-        0,
-        128,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-#endif
-#ifndef OPENSSL_NO_KRB5
-/* The Kerberos ciphers
-** 20000107 VRS: And the first shall be last,
-** in hopes of avoiding the lynx ssl renegotiation problem.
-*/
-/* Cipher 1E VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_DES_64_CBC_SHA,
-        SSL3_CK_KRB5_DES_64_CBC_SHA,
-        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
-        0,
-        56,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 1F VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_DES_192_CBC3_SHA,
-        SSL3_CK_KRB5_DES_192_CBC3_SHA,
-        SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-        0,
-        112,
-        168,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 20 VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_RC4_128_SHA,
-        SSL3_CK_KRB5_RC4_128_SHA,
-        SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1  |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_MEDIUM,
-        0,
-        128,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 21 VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
-        SSL3_CK_KRB5_IDEA_128_CBC_SHA,
-        SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_SHA1  |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_MEDIUM,
-        0,
-        128,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 22 VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_DES_64_CBC_MD5,
-        SSL3_CK_KRB5_DES_64_CBC_MD5,
-        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
-        0,
-        56,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 23 VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_DES_192_CBC3_MD5,
-        SSL3_CK_KRB5_DES_192_CBC3_MD5,
-        SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_MD5   |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
-        0,
-        112,
-        168,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 24 VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_RC4_128_MD5,
-        SSL3_CK_KRB5_RC4_128_MD5,
-        SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5  |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_MEDIUM,
-        0,
-        128,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 25 VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
-        SSL3_CK_KRB5_IDEA_128_CBC_MD5,
-        SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_MD5  |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_MEDIUM,
-        0,
-        128,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 26 VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_DES_40_CBC_SHA,
-        SSL3_CK_KRB5_DES_40_CBC_SHA,
-        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
-        0,
-        40,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 27 VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_RC2_40_CBC_SHA,
-        SSL3_CK_KRB5_RC2_40_CBC_SHA,
-        SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_SHA1   |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
-        0,
-        40,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 28 VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_RC4_40_SHA,
-        SSL3_CK_KRB5_RC4_40_SHA,
-        SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1   |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
-        0,
-        128,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 29 VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_DES_40_CBC_MD5,
-        SSL3_CK_KRB5_DES_40_CBC_MD5,
-        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
-        0,
-        40,
-        56,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 2A VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_RC2_40_CBC_MD5,
-        SSL3_CK_KRB5_RC2_40_CBC_MD5,
-        SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_MD5    |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
-        0,
-        40,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-/* Cipher 2B VRS */
-        {
-        1,
-        SSL3_TXT_KRB5_RC4_40_MD5,
-        SSL3_CK_KRB5_RC4_40_MD5,
-        SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5    |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
-        0,
-        128,
-        128,
-        SSL_ALL_CIPHERS,
-        SSL_ALL_STRENGTHS,
-        },
-#endif  /* OPENSSL_NO_KRB5 */
-#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
-        /* New TLS Export CipherSuites */
-        /* Cipher 60 */
-            {
-            1,
-            TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
-            TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
-            SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP56,
-            0,
-            56,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 61 */
-            {
-            1,
-            TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-            TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-            SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP56,
-            0,
-            56,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 62 */
-            {
-            1,
-            TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-            TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-            SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP56|SSL_FIPS,
-            0,
-            56,
-            56,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 63 */
-            {
-            1,
-            TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-            TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-            SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP56|SSL_FIPS,
-            0,
-            56,
-            56,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 64 */
-            {
-            1,
-            TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
-            TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
-            SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP56,
-            0,
-            56,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 65 */
-            {
-            1,
-            TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-            TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-            SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP56,
-            0,
-            56,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 66 */
-            {
-            1,
-            TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
-            TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
-            SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS
-            },
-#endif
-        /* New AES ciphersuites */
-        /* Cipher 2F */
-            {
-            1,
-            TLS1_TXT_RSA_WITH_AES_128_SHA,
-            TLS1_CK_RSA_WITH_AES_128_SHA,
-            SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 30 */
-            {
-            0,
-            TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
-            TLS1_CK_DH_DSS_WITH_AES_128_SHA,
-            SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 31 */
-            {
-            0,
-            TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
-            TLS1_CK_DH_RSA_WITH_AES_128_SHA,
-            SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 32 */
-            {
-            1,
-            TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
-            TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
-            SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 33 */
-            {
-            1,
-            TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
-            TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
-            SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 34 */
-            {
-            1,
-            TLS1_TXT_ADH_WITH_AES_128_SHA,
-            TLS1_CK_ADH_WITH_AES_128_SHA,
-            SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 35 */
-            {
-            1,
-            TLS1_TXT_RSA_WITH_AES_256_SHA,
-            TLS1_CK_RSA_WITH_AES_256_SHA,
-            SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-            0,
-            256,
-            256,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 36 */
-            {
-            0,
-            TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
-            TLS1_CK_DH_DSS_WITH_AES_256_SHA,
-            SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-            0,
-            256,
-            256,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 37 */
-            {
-            0,
-            TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
-            TLS1_CK_DH_RSA_WITH_AES_256_SHA,
-            SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-            0,
-            256,
-            256,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 38 */
-            {
-            1,
-            TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
-            TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
-            SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-            0,
-            256,
-            256,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 39 */
-            {
-            1,
-            TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
-            TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
-            SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-            0,
-            256,
-            256,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-        /* Cipher 3A */
-            {
-            1,
-            TLS1_TXT_ADH_WITH_AES_256_SHA,
-            TLS1_CK_ADH_WITH_AES_256_SHA,
-            SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-            0,
-            256,
-            256,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-/* end of list */
-        };
-static SSL3_ENC_METHOD SSLv3_enc_data={
-        ssl3_enc,
-        ssl3_mac,
-        ssl3_setup_key_block,
-        ssl3_generate_master_secret,
-        ssl3_change_cipher_state,
-        ssl3_final_finish_mac,
-        MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
-        ssl3_cert_verify_mac,
-        SSL3_MD_CLIENT_FINISHED_CONST,4,
-        SSL3_MD_SERVER_FINISHED_CONST,4,
-        ssl3_alert_code,
-        };
-static SSL_METHOD SSLv3_data= {
-        SSL3_VERSION,
-        ssl3_new,
-        ssl3_clear,
-        ssl3_free,
-        ssl_undefined_function,
-        ssl_undefined_function,
-        ssl3_read,
-        ssl3_peek,
-        ssl3_write,
-        ssl3_shutdown,
-        ssl3_renegotiate,
-        ssl3_renegotiate_check,
-        ssl3_ctrl,
-        ssl3_ctx_ctrl,
-        ssl3_get_cipher_by_char,
-        ssl3_put_cipher_by_char,
-        ssl3_pending,
-        ssl3_num_ciphers,
-        ssl3_get_cipher,
-        ssl_bad_method,
-        ssl3_default_timeout,
-        &SSLv3_enc_data,
-        ssl_undefined_function,
-        ssl3_callback_ctrl,
-        ssl3_ctx_callback_ctrl,
-        };
-static long ssl3_default_timeout(void)
-        {
-        /* 2 hours, the 24 hours mentioned in the SSLv3 spec
-         * is way too long for http, the cache would over fill */
-        return(60*60*2);
-        }
-SSL_METHOD *sslv3_base_method(void)
-        {
-        return(&SSLv3_data);
-        }
-int ssl3_num_ciphers(void)
-        {
-        return(SSL3_NUM_CIPHERS);
-        }
-SSL_CIPHER *ssl3_get_cipher(unsigned int u)
-        {
-        if (u < SSL3_NUM_CIPHERS)
-                return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u]));
-        else
-                return(NULL);
-        }
-int ssl3_pending(const SSL *s)
-        {
-        if (s->rstate == SSL_ST_READ_BODY)
-                return 0;
-        
-        return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
-        }
-int ssl3_new(SSL *s)
-        {
-        SSL3_STATE *s3;
-        if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err;
-        memset(s3,0,sizeof *s3);
-        EVP_MD_CTX_init(&s3->finish_dgst1);
-        EVP_MD_CTX_init(&s3->finish_dgst2);
-        s->s3=s3;
-        s->method->ssl_clear(s);
-        return(1);
-err:
-        return(0);
-        }
-void ssl3_free(SSL *s)
-        {
-        if(s == NULL)
-            return;
-        ssl3_cleanup_key_block(s);
-        if (s->s3->rbuf.buf != NULL)
-                OPENSSL_free(s->s3->rbuf.buf);
-        if (s->s3->wbuf.buf != NULL)
-                OPENSSL_free(s->s3->wbuf.buf);
-        if (s->s3->rrec.comp != NULL)
-                OPENSSL_free(s->s3->rrec.comp);
-#ifndef OPENSSL_NO_DH
-        if (s->s3->tmp.dh != NULL)
-                DH_free(s->s3->tmp.dh);
-#endif
-        if (s->s3->tmp.ca_names != NULL)
-                sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
-        EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
-        EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
-        OPENSSL_cleanse(s->s3,sizeof *s->s3);
-        OPENSSL_free(s->s3);
-        s->s3=NULL;
-        }
-void ssl3_clear(SSL *s)
-        {
-        unsigned char *rp,*wp;
-        size_t rlen, wlen;
-        ssl3_cleanup_key_block(s);
-        if (s->s3->tmp.ca_names != NULL)
-                sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
-        if (s->s3->rrec.comp != NULL)
-                {
-                OPENSSL_free(s->s3->rrec.comp);
-                s->s3->rrec.comp=NULL;
-                }
-#ifndef OPENSSL_NO_DH
-        if (s->s3->tmp.dh != NULL)
-                DH_free(s->s3->tmp.dh);
-#endif
-        rp = s->s3->rbuf.buf;
-        wp = s->s3->wbuf.buf;
-        rlen = s->s3->rbuf.len;
-        wlen = s->s3->wbuf.len;
-        EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
-        EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
-        memset(s->s3,0,sizeof *s->s3);
-        s->s3->rbuf.buf = rp;
-        s->s3->wbuf.buf = wp;
-        s->s3->rbuf.len = rlen;
-        s->s3->wbuf.len = wlen;
-        ssl_free_wbio_buffer(s);
-        s->packet_length=0;
-        s->s3->renegotiate=0;
-        s->s3->total_renegotiations=0;
-        s->s3->num_renegotiations=0;
-        s->s3->in_read_app_data=0;
-        s->version=SSL3_VERSION;
-        }
-long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
-        {
-        int ret=0;
-#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
-        if (
-#ifndef OPENSSL_NO_RSA
-            cmd == SSL_CTRL_SET_TMP_RSA ||
-            cmd == SSL_CTRL_SET_TMP_RSA_CB ||
-#endif
-#ifndef OPENSSL_NO_DSA
-            cmd == SSL_CTRL_SET_TMP_DH ||
-            cmd == SSL_CTRL_SET_TMP_DH_CB ||
-#endif
-                0)
-                {
-                if (!ssl_cert_inst(&s->cert))
-                        {
-                        SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
-                        return(0);
-                        }
-                }
-#endif
-        switch (cmd)
-                {
-        case SSL_CTRL_GET_SESSION_REUSED:
-                ret=s->hit;
-                break;
-        case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
-                break;
-        case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
-                ret=s->s3->num_renegotiations;
-                break;
-        case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
-                ret=s->s3->num_renegotiations;
-                s->s3->num_renegotiations=0;
-                break;
-        case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
-                ret=s->s3->total_renegotiations;
-                break;
-        case SSL_CTRL_GET_FLAGS:
-                ret=(int)(s->s3->flags);
-                break;
-#ifndef OPENSSL_NO_RSA
-        case SSL_CTRL_NEED_TMP_RSA:
-                if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
-                    ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
-                     (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))))
-                        ret = 1;
-                break;
-        case SSL_CTRL_SET_TMP_RSA:
-                {
-                        RSA *rsa = (RSA *)parg;
-                        if (rsa == NULL)
-                                {
-                                SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-                                return(ret);
-                                }
-                        if ((rsa = RSAPrivateKey_dup(rsa)) == NULL)
-                                {
-                                SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB);
-                                return(ret);
-                                }
-                        if (s->cert->rsa_tmp != NULL)
-                                RSA_free(s->cert->rsa_tmp);
-                        s->cert->rsa_tmp = rsa;
-                        ret = 1;
-                }
-                break;
-        case SSL_CTRL_SET_TMP_RSA_CB:
-                {
-                SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                return(ret);
-                }
-                break;
-#endif
-#ifndef OPENSSL_NO_DH
-        case SSL_CTRL_SET_TMP_DH:
-                {
-                        DH *dh = (DH *)parg;
-                        if (dh == NULL)
-                                {
-                                SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-                                return(ret);
-                                }
-                        if ((dh = DHparams_dup(dh)) == NULL)
-                                {
-                                SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
-                                return(ret);
-                                }
-                        if (!(s->options & SSL_OP_SINGLE_DH_USE))
-                                {
-                                if (!DH_generate_key(dh))
-                                        {
-                                        DH_free(dh);
-                                        SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
-                                        return(ret);
-                                        }
-                                }
-                        if (s->cert->dh_tmp != NULL)
-                                DH_free(s->cert->dh_tmp);
-                        s->cert->dh_tmp = dh;
-                        ret = 1;
-                }
-                break;
-        case SSL_CTRL_SET_TMP_DH_CB:
-                {
-                SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                return(ret);
-                }
-                break;
-#endif
-        default:
-                break;
-                }
-        return(ret);
-        }
-long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
-        {
-        int ret=0;
-#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
-        if (
-#ifndef OPENSSL_NO_RSA
-            cmd == SSL_CTRL_SET_TMP_RSA_CB ||
-#endif
-#ifndef OPENSSL_NO_DSA
-            cmd == SSL_CTRL_SET_TMP_DH_CB ||
-#endif
-                0)
-                {
-                if (!ssl_cert_inst(&s->cert))
-                        {
-                        SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE);
-                        return(0);
-                        }
-                }
-#endif
-        switch (cmd)
-                {
-#ifndef OPENSSL_NO_RSA
-        case SSL_CTRL_SET_TMP_RSA_CB:
-                {
-                s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
-                }
-                break;
-#endif
-#ifndef OPENSSL_NO_DH
-        case SSL_CTRL_SET_TMP_DH_CB:
-                {
-                s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
-                }
-                break;
-#endif
-        default:
-                break;
-                }
-        return(ret);
-        }
-long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
-        {
-        CERT *cert;
-        cert=ctx->cert;
-        switch (cmd)
-                {
-#ifndef OPENSSL_NO_RSA
-        case SSL_CTRL_NEED_TMP_RSA:
-                if (    (cert->rsa_tmp == NULL) &&
-                        ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
-                         (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))
-                        )
-                        return(1);
-                else
-                        return(0);
-                /* break; */
-        case SSL_CTRL_SET_TMP_RSA:
-                {
-                RSA *rsa;
-                int i;
-                rsa=(RSA *)parg;
-                i=1;
-                if (rsa == NULL)
-                        i=0;
-                else
-                        {
-                        if ((rsa=RSAPrivateKey_dup(rsa)) == NULL)
-                                i=0;
-                        }
-                if (!i)
-                        {
-                        SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_RSA_LIB);
-                        return(0);
-                        }
-                else
-                        {
-                        if (cert->rsa_tmp != NULL)
-                                RSA_free(cert->rsa_tmp);
-                        cert->rsa_tmp=rsa;
-                        return(1);
-                        }
-                }
-                /* break; */
-        case SSL_CTRL_SET_TMP_RSA_CB:
-                {
-                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                return(0);
-                }
-                break;
-#endif
-#ifndef OPENSSL_NO_DH
-        case SSL_CTRL_SET_TMP_DH:
-                {
-                DH *new=NULL,*dh;
-                dh=(DH *)parg;
-                if ((new=DHparams_dup(dh)) == NULL)
-                        {
-                        SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
-                        return 0;
-                        }
-                if (!(ctx->options & SSL_OP_SINGLE_DH_USE))
-                        {
-                        if (!DH_generate_key(new))
-                                {
-                                SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
-                                DH_free(new);
-                                return 0;
-                                }
-                        }
-                if (cert->dh_tmp != NULL)
-                        DH_free(cert->dh_tmp);
-                cert->dh_tmp=new;
-                return 1;
-                }
-                /*break; */
-        case SSL_CTRL_SET_TMP_DH_CB:
-                {
-                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                return(0);
-                }
-                break;
-#endif
-        /* A Thawte special :-) */
-        case SSL_CTRL_EXTRA_CHAIN_CERT:
-                if (ctx->extra_certs == NULL)
-                        {
-                        if ((ctx->extra_certs=sk_X509_new_null()) == NULL)
-                                return(0);
-                        }
-                sk_X509_push(ctx->extra_certs,(X509 *)parg);
-                break;
-        default:
-                return(0);
-                }
-        return(1);
-        }
-long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
-        {
-        CERT *cert;
-        cert=ctx->cert;
-        switch (cmd)
-                {
-#ifndef OPENSSL_NO_RSA
-        case SSL_CTRL_SET_TMP_RSA_CB:
-                {
-                cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
-                }
-                break;
-#endif
-#ifndef OPENSSL_NO_DH
-        case SSL_CTRL_SET_TMP_DH_CB:
-                {
-                cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
-                }
-                break;
-#endif
-        default:
-                return(0);
-                }
-        return(1);
-        }
-/* This function needs to check if the ciphers required are actually
- * available */
-SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
-        {
-        static int init=1;
-        static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS];
-        SSL_CIPHER c,*cp= &c,**cpp;
-        unsigned long id;
-        int i;
-        if (init)
-                {
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL);
-                if (init)
-                        {
-                        for (i=0; i<SSL3_NUM_CIPHERS; i++)
-                                sorted[i]= &(ssl3_ciphers[i]);
-                        qsort(sorted,
-                                SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-                                FP_ICC ssl_cipher_ptr_id_cmp);
-                        init=0;
-                        }
-                
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-                }
-        id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
-        c.id=id;
-        cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp,
-                (char *)sorted,
-                SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-                FP_ICC ssl_cipher_ptr_id_cmp);
-        if ((cpp == NULL) || !(*cpp)->valid)
-                return(NULL);
-        else
-                return(*cpp);
-        }
-int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
-        {
-        long l;
-        if (p != NULL)
-                {
-                l=c->id;
-                if ((l & 0xff000000) != 0x03000000) return(0);
-                p[0]=((unsigned char)(l>> 8L))&0xFF;
-                p[1]=((unsigned char)(l     ))&0xFF;
-                }
-        return(2);
-        }
-SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
-             STACK_OF(SSL_CIPHER) *srvr)
-        {
-        SSL_CIPHER *c,*ret=NULL;
-        STACK_OF(SSL_CIPHER) *prio, *allow;
-        int i,j,ok;
-        CERT *cert;
-        unsigned long alg,mask,emask;
-        /* Let's see which ciphers we can support */
-        cert=s->cert;
-#if 0
-        /* Do not set the compare functions, because this may lead to a
-         * reordering by "id". We want to keep the original ordering.
-         * We may pay a price in performance during sk_SSL_CIPHER_find(),
-         * but would have to pay with the price of sk_SSL_CIPHER_dup().
-         */
-        sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp);
-        sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp);
-#endif
-#ifdef CIPHER_DEBUG
-        printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr);
-        for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
-            {
-            c=sk_SSL_CIPHER_value(srvr,i);
-            printf("%p:%s\n",c,c->name);
-            }
-        printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt);
-        for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
-            {
-            c=sk_SSL_CIPHER_value(clnt,i);
-            printf("%p:%s\n",c,c->name);
-            }
-#endif
-        if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
-            {
-            prio = srvr;
-            allow = clnt;
-            }
-        else
-            {
-            prio = clnt;
-            allow = srvr;
-            }
-        for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
-                {
-                c=sk_SSL_CIPHER_value(prio,i);
-                ssl_set_cert_masks(cert,c);
-                mask=cert->mask;
-                emask=cert->export_mask;
-                        
-#ifdef KSSL_DEBUG
-                printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);
-#endif    /* KSSL_DEBUG */
-                alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
-#ifndef OPENSSL_NO_KRB5
-                if (alg & SSL_KRB5) 
-                        {
-                        if ( !kssl_keytab_is_available(s->kssl_ctx) )
-                            continue;
-                        }
-#endif /* OPENSSL_NO_KRB5 */
-                if (SSL_C_IS_EXPORT(c))
-                        {
-                        ok=((alg & emask) == alg)?1:0;
-#ifdef CIPHER_DEBUG
-                        printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask,
-                               c,c->name);
-#endif
-                        }
-                else
-                        {
-                        ok=((alg & mask) == alg)?1:0;
-#ifdef CIPHER_DEBUG
-                        printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c,
-                               c->name);
-#endif
-                        }
-                if (!ok) continue;
-        
-                j=sk_SSL_CIPHER_find(allow,c);
-                if (j >= 0)
-                        {
-                        ret=sk_SSL_CIPHER_value(allow,j);
-                        break;
-                        }
-                }
-        return(ret);
-        }
-int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
-        {
-        int ret=0;
-        unsigned long alg;
-        alg=s->s3->tmp.new_cipher->algorithms;
-#ifndef OPENSSL_NO_DH
-        if (alg & (SSL_kDHr|SSL_kEDH))
-                {
-#  ifndef OPENSSL_NO_RSA
-                p[ret++]=SSL3_CT_RSA_FIXED_DH;
-#  endif
-#  ifndef OPENSSL_NO_DSA
-                p[ret++]=SSL3_CT_DSS_FIXED_DH;
-#  endif
-                }
-        if ((s->version == SSL3_VERSION) &&
-                (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
-                {
-#  ifndef OPENSSL_NO_RSA
-                p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
-#  endif
-#  ifndef OPENSSL_NO_DSA
-                p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
-#  endif
-                }
-#endif /* !OPENSSL_NO_DH */
-#ifndef OPENSSL_NO_RSA
-        p[ret++]=SSL3_CT_RSA_SIGN;
-#endif
-#ifndef OPENSSL_NO_DSA
-        p[ret++]=SSL3_CT_DSS_SIGN;
-#endif
-        return(ret);
-        }
-int ssl3_shutdown(SSL *s)
-        {
-        /* Don't do anything much if we have not done the handshake or
-         * we don't want to send messages :-) */
-        if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE))
-                {
-                s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
-                return(1);
-                }
-        if (!(s->shutdown & SSL_SENT_SHUTDOWN))
-                {
-                s->shutdown|=SSL_SENT_SHUTDOWN;
-#if 1
-                ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY);
-#endif
-                /* our shutdown alert has been sent now, and if it still needs
-                 * to be written, s->s3->alert_dispatch will be true */
-                }
-        else if (s->s3->alert_dispatch)
-                {
-                /* resend it if not sent */
-#if 1
-                ssl3_dispatch_alert(s);
-#endif
-                }
-        else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN))
-                {
-                /* If we are waiting for a close from our peer, we are closed */
-                ssl3_read_bytes(s,0,NULL,0,0);
-                }
-        if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
-                !s->s3->alert_dispatch)
-                return(1);
-        else
-                return(0);
-        }
-int ssl3_write(SSL *s, const void *buf, int len)
-        {
-        int ret,n;
-#if 0
-        if (s->shutdown & SSL_SEND_SHUTDOWN)
-                {
-                s->rwstate=SSL_NOTHING;
-                return(0);
-                }
-#endif
-        clear_sys_error();
-        if (s->s3->renegotiate) ssl3_renegotiate_check(s);
-        /* This is an experimental flag that sends the
-         * last handshake message in the same packet as the first
-         * use data - used to see if it helps the TCP protocol during
-         * session-id reuse */
-        /* The second test is because the buffer may have been removed */
-        if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio))
-                {
-                /* First time through, we write into the buffer */
-                if (s->s3->delay_buf_pop_ret == 0)
-                        {
-                        ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
-                                             buf,len);
-                        if (ret <= 0) return(ret);
-                        s->s3->delay_buf_pop_ret=ret;
-                        }
-                s->rwstate=SSL_WRITING;
-                n=BIO_flush(s->wbio);
-                if (n <= 0) return(n);
-                s->rwstate=SSL_NOTHING;
-                /* We have flushed the buffer, so remove it */
-                ssl_free_wbio_buffer(s);
-                s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
-                ret=s->s3->delay_buf_pop_ret;
-                s->s3->delay_buf_pop_ret=0;
-                }
-        else
-                {
-                ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
-                                     buf,len);
-                if (ret <= 0) return(ret);
-                }
-        return(ret);
-        }
-static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
-        {
-        int ret;
-        
-        clear_sys_error();
-        if (s->s3->renegotiate) ssl3_renegotiate_check(s);
-        s->s3->in_read_app_data=1;
-        ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
-        if ((ret == -1) && (s->s3->in_read_app_data == 2))
-                {
-                /* ssl3_read_bytes decided to call s->handshake_func, which
-                 * called ssl3_read_bytes to read handshake data.
-                 * However, ssl3_read_bytes actually found application data
-                 * and thinks that application data makes sense here; so disable
-                 * handshake processing and try to read application data again. */
-                s->in_handshake++;
-                ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
-                s->in_handshake--;
-                }
-        else
-                s->s3->in_read_app_data=0;
-        return(ret);
-        }
-int ssl3_read(SSL *s, void *buf, int len)
-        {
-        return ssl3_read_internal(s, buf, len, 0);
-        }
-int ssl3_peek(SSL *s, void *buf, int len)
-        {
-        return ssl3_read_internal(s, buf, len, 1);
-        }
-int ssl3_renegotiate(SSL *s)
-        {
-        if (s->handshake_func == NULL)
-                return(1);
-        if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
-                return(0);
-        s->s3->renegotiate=1;
-        return(1);
-        }
-int ssl3_renegotiate_check(SSL *s)
-        {
-        int ret=0;
-        if (s->s3->renegotiate)
-                {
-                if (    (s->s3->rbuf.left == 0) &&
-                        (s->s3->wbuf.left == 0) &&
-                        !SSL_in_init(s))
-                        {
-/*
-if we are the server, and we have sent a 'RENEGOTIATE' message, we
-need to go to SSL_ST_ACCEPT.
-*/
-                        /* SSL_ST_ACCEPT */
-                        s->state=SSL_ST_RENEGOTIATE;
-                        s->s3->renegotiate=0;
-                        s->s3->num_renegotiations++;
-                        s->s3->total_renegotiations++;
-                        ret=1;
-                        }
-                }
-        return(ret);
-        }
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
deleted file mode 100644
index cb0b12b400..0000000000
--- a/src/lib/libssl/s3_pkt.c
+++ /dev/null
@@ -1,1310 +0,0 @@
-/* ssl/s3_pkt.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <stdio.h>
-#include <errno.h>
-#define USE_SOCKETS
-#include "ssl_locl.h"
-#include <openssl/evp.h>
-#include <openssl/buffer.h>
-static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
-                         unsigned int len, int create_empty_fragment);
-static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
-                              unsigned int len);
-static int ssl3_get_record(SSL *s);
-static int do_compress(SSL *ssl);
-static int do_uncompress(SSL *ssl);
-static int do_change_cipher_spec(SSL *ssl);
-/* used only by ssl3_get_record */
-static int ssl3_read_n(SSL *s, int n, int max, int extend)
-        {
-        /* If extend == 0, obtain new n-byte packet; if extend == 1, increase
-         * packet by another n bytes.
-         * The packet will be in the sub-array of s->s3->rbuf.buf specified
-         * by s->packet and s->packet_length.
-         * (If s->read_ahead is set, 'max' bytes may be stored in rbuf
-         * [plus s->packet_length bytes if extend == 1].)
-         */
-        int i,off,newb;
-        if (!extend)
-                {
-                /* start with empty packet ... */
-                if (s->s3->rbuf.left == 0)
-                        s->s3->rbuf.offset = 0;
-                s->packet = s->s3->rbuf.buf + s->s3->rbuf.offset;
-                s->packet_length = 0;
-                /* ... now we can act as if 'extend' was set */
-                }
-        /* if there is enough in the buffer from a previous read, take some */
-        if (s->s3->rbuf.left >= (int)n)
-                {
-                s->packet_length+=n;
-                s->s3->rbuf.left-=n;
-                s->s3->rbuf.offset+=n;
-                return(n);
-                }
-        /* else we need to read more data */
-        if (!s->read_ahead)
-                max=n;
-        {
-                /* avoid buffer overflow */
-                int max_max = s->s3->rbuf.len - s->packet_length;
-                if (max > max_max)
-                        max = max_max;
-        }
-        if (n > max) /* does not happen */
-                {
-                SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
-                return -1;
-                }
-        off = s->packet_length;
-        newb = s->s3->rbuf.left;
-        /* Move any available bytes to front of buffer:
-         * 'off' bytes already pointed to by 'packet',
-         * 'newb' extra ones at the end */
-        if (s->packet != s->s3->rbuf.buf)
-                {
-                /*  off > 0 */
-                memmove(s->s3->rbuf.buf, s->packet, off+newb);
-                s->packet = s->s3->rbuf.buf;
-                }
-        while (newb < n)
-                {
-                /* Now we have off+newb bytes at the front of s->s3->rbuf.buf and need
-                 * to read in more until we have off+n (up to off+max if possible) */
-                clear_sys_error();
-                if (s->rbio != NULL)
-                        {
-                        s->rwstate=SSL_READING;
-                        i=BIO_read(s->rbio,     &(s->s3->rbuf.buf[off+newb]), max-newb);
-                        }
-                else
-                        {
-                        SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
-                        i = -1;
-                        }
-                if (i <= 0)
-                        {
-                        s->s3->rbuf.left = newb;
-                        return(i);
-                        }
-                newb+=i;
-                }
-        /* done reading, now the book-keeping */
-        s->s3->rbuf.offset = off + n;
-        s->s3->rbuf.left = newb - n;
-        s->packet_length += n;
-        s->rwstate=SSL_NOTHING;
-        return(n);
-        }
-/* Call this to get a new input record.
- * It will return <= 0 if more data is needed, normally due to an error
- * or non-blocking IO.
- * When it finishes, one packet has been decoded and can be found in
- * ssl->s3->rrec.type    - is the type of record
- * ssl->s3->rrec.data,   - data
- * ssl->s3->rrec.length, - number of bytes
- */
-/* used only by ssl3_read_bytes */
-static int ssl3_get_record(SSL *s)
-        {
-        int ssl_major,ssl_minor,al;
-        int enc_err,n,i,ret= -1;
-        SSL3_RECORD *rr;
-        SSL_SESSION *sess;
-        unsigned char *p;
-        unsigned char md[EVP_MAX_MD_SIZE];
-        short version;
-        unsigned int mac_size;
-        int clear=0;
-        size_t extra;
-        int decryption_failed_or_bad_record_mac = 0;
-        unsigned char *mac = NULL;
-        rr= &(s->s3->rrec);
-        sess=s->session;
-        if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-                extra=SSL3_RT_MAX_EXTRA;
-        else
-                extra=0;
-        if (extra != s->s3->rbuf.len - SSL3_RT_MAX_PACKET_SIZE)
-                {
-                /* actually likely an application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
-                 * set after ssl3_setup_buffers() was done */
-                SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
-                return -1;
-                }
-again:
-        /* check if we have the header */
-        if (    (s->rstate != SSL_ST_READ_BODY) ||
-                (s->packet_length < SSL3_RT_HEADER_LENGTH)) 
-                {
-                n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
-                if (n <= 0) return(n); /* error or non-blocking */
-                s->rstate=SSL_ST_READ_BODY;
-                p=s->packet;
-                /* Pull apart the header into the SSL3_RECORD */
-                rr->type= *(p++);
-                ssl_major= *(p++);
-                ssl_minor= *(p++);
-                version=(ssl_major<<8)|ssl_minor;
-                n2s(p,rr->length);
-                /* Lets check version */
-                if (s->first_packet)
-                        {
-                        s->first_packet=0;
-                        }
-                else
-                        {
-                        if (version != s->version)
-                                {
-                                SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                                /* Send back error using their
-                                 * version number :-) */
-                                s->version=version;
-                                al=SSL_AD_PROTOCOL_VERSION;
-                                goto f_err;
-                                }
-                        }
-                if ((version>>8) != SSL3_VERSION_MAJOR)
-                        {
-                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                        goto err;
-                        }
-                if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
-                        {
-                        al=SSL_AD_RECORD_OVERFLOW;
-                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
-                        goto f_err;
-                        }
-                /* now s->rstate == SSL_ST_READ_BODY */
-                }
-        /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
-        if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH)
-                {
-                /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
-                i=rr->length;
-                n=ssl3_read_n(s,i,i,1);
-                if (n <= 0) return(n); /* error or non-blocking io */
-                /* now n == rr->length,
-                 * and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */
-                }
-        s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
-        /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
-         * and we have that many bytes in s->packet
-         */
-        rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
-        /* ok, we can now read from 's->packet' data into 'rr'
-         * rr->input points at rr->length bytes, which
-         * need to be copied into rr->data by either
-         * the decryption or by the decompression
-         * When the data is 'copied' into the rr->data buffer,
-         * rr->input will be pointed at the new buffer */ 
-        /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
-         * rr->length bytes of encrypted compressed stuff. */
-        /* check is not needed I believe */
-        if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
-                {
-                al=SSL_AD_RECORD_OVERFLOW;
-                SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
-                goto f_err;
-                }
-        /* decrypt in place in 'rr->input' */
-        rr->data=rr->input;
-        enc_err = s->method->ssl3_enc->enc(s,0);
-        if (enc_err <= 0)
-                {
-                if (enc_err == 0)
-                        /* SSLerr() and ssl3_send_alert() have been called */
-                        goto err;
-                /* Otherwise enc_err == -1, which indicates bad padding
-                 * (rec->length has not been changed in this case).
-                 * To minimize information leaked via timing, we will perform
-                 * the MAC computation anyway. */
-                decryption_failed_or_bad_record_mac = 1;
-                }
-#ifdef TLS_DEBUG
-printf("dec %d\n",rr->length);
-{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
-printf("\n");
-#endif
-        /* r->length is now the compressed data plus mac */
-        if (    (sess == NULL) ||
-                (s->enc_read_ctx == NULL) ||
-                (s->read_hash == NULL))
-                clear=1;
-        if (!clear)
-                {
-                mac_size=EVP_MD_size(s->read_hash);
-                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
-                        {
-#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
-                        al=SSL_AD_RECORD_OVERFLOW;
-                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
-                        goto f_err;
-#else
-                        decryption_failed_or_bad_record_mac = 1;
-#endif                  
-                        }
-                /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
-                if (rr->length >= mac_size)
-                        {
-                        rr->length -= mac_size;
-                        mac = &rr->data[rr->length];
-                        }
-                else
-                        {
-                        /* record (minus padding) is too short to contain a MAC */
-#if 0 /* OK only for stream ciphers */
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
-                        goto f_err;
-#else
-                        decryption_failed_or_bad_record_mac = 1;
-                        rr->length = 0;
-#endif
-                        }
-                i=s->method->ssl3_enc->mac(s,md,0);
-                if (mac == NULL || memcmp(md, mac, mac_size) != 0)
-                        {
-                        decryption_failed_or_bad_record_mac = 1;
-                        }
-                }
-        if (decryption_failed_or_bad_record_mac)
-                {
-                /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
-                 * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
-                 * failure is directly visible from the ciphertext anyway,
-                 * we should not reveal which kind of error occured -- this
-                 * might become visible to an attacker (e.g. via a logfile) */
-                al=SSL_AD_BAD_RECORD_MAC;
-                SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
-                goto f_err;
-                }
-        /* r->length is now just compressed */
-        if (s->expand != NULL)
-                {
-                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra)
-                        {
-                        al=SSL_AD_RECORD_OVERFLOW;
-                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
-                        goto f_err;
-                        }
-                if (!do_uncompress(s))
-                        {
-                        al=SSL_AD_DECOMPRESSION_FAILURE;
-                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
-                        goto f_err;
-                        }
-                }
-        if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra)
-                {
-                al=SSL_AD_RECORD_OVERFLOW;
-                SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
-                goto f_err;
-                }
-        rr->off=0;
-        /* So at this point the following is true
-         * ssl->s3->rrec.type   is the type of record
-         * ssl->s3->rrec.length == number of bytes in record
-         * ssl->s3->rrec.off    == offset to first valid byte
-         * ssl->s3->rrec.data   == where to take bytes from, increment
-         *                         after use :-).
-         */
-        /* we have pulled in a full packet so zero things */
-        s->packet_length=0;
-        /* just read a 0 length packet */
-        if (rr->length == 0) goto again;
-        return(1);
-f_err:
-        ssl3_send_alert(s,SSL3_AL_FATAL,al);
-err:
-        return(ret);
-        }
-static int do_uncompress(SSL *ssl)
-        {
-        int i;
-        SSL3_RECORD *rr;
-        rr= &(ssl->s3->rrec);
-        i=COMP_expand_block(ssl->expand,rr->comp,
-                SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length);
-        if (i < 0)
-                return(0);
-        else
-                rr->length=i;
-        rr->data=rr->comp;
-        return(1);
-        }
-static int do_compress(SSL *ssl)
-        {
-        int i;
-        SSL3_RECORD *wr;
-        wr= &(ssl->s3->wrec);
-        i=COMP_compress_block(ssl->compress,wr->data,
-                SSL3_RT_MAX_COMPRESSED_LENGTH,
-                wr->input,(int)wr->length);
-        if (i < 0)
-                return(0);
-        else
-                wr->length=i;
-        wr->input=wr->data;
-        return(1);
-        }
-/* Call this to write data in records of type 'type'
- * It will return <= 0 if not all data has been sent or non-blocking IO.
- */
-int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
-        {
-        const unsigned char *buf=buf_;
-        unsigned int tot,n,nw;
-        int i;
-        s->rwstate=SSL_NOTHING;
-        tot=s->s3->wnum;
-        s->s3->wnum=0;
-        if (SSL_in_init(s) && !s->in_handshake)
-                {
-                i=s->handshake_func(s);
-                if (i < 0) return(i);
-                if (i == 0)
-                        {
-                        SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
-                        return -1;
-                        }
-                }
-        n=(len-tot);
-        for (;;)
-                {
-                if (n > SSL3_RT_MAX_PLAIN_LENGTH)
-                        nw=SSL3_RT_MAX_PLAIN_LENGTH;
-                else
-                        nw=n;
-                i=do_ssl3_write(s, type, &(buf[tot]), nw, 0);
-                if (i <= 0)
-                        {
-                        s->s3->wnum=tot;
-                        return i;
-                        }
-                if ((i == (int)n) ||
-                        (type == SSL3_RT_APPLICATION_DATA &&
-                         (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
-                        {
-                        /* next chunk of data should get another prepended empty fragment
-                         * in ciphersuites with known-IV weakness: */
-                        s->s3->empty_fragment_done = 0;
-                        
-                        return tot+i;
-                        }
-                n-=i;
-                tot+=i;
-                }
-        }
-static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
-                         unsigned int len, int create_empty_fragment)
-        {
-        unsigned char *p,*plen;
-        int i,mac_size,clear=0;
-        int prefix_len = 0;
-        SSL3_RECORD *wr;
-        SSL3_BUFFER *wb;
-        SSL_SESSION *sess;
-        /* first check if there is a SSL3_BUFFER still being written
-         * out.  This will happen with non blocking IO */
-        if (s->s3->wbuf.left != 0)
-                return(ssl3_write_pending(s,type,buf,len));
-        /* If we have an alert to send, lets send it */
-        if (s->s3->alert_dispatch)
-                {
-                i=ssl3_dispatch_alert(s);
-                if (i <= 0)
-                        return(i);
-                /* if it went, fall through and send more stuff */
-                }
-        if (len == 0 && !create_empty_fragment)
-                return 0;
-        wr= &(s->s3->wrec);
-        wb= &(s->s3->wbuf);
-        sess=s->session;
-        if (    (sess == NULL) ||
-                (s->enc_write_ctx == NULL) ||
-                (s->write_hash == NULL))
-                clear=1;
-        if (clear)
-                mac_size=0;
-        else
-                mac_size=EVP_MD_size(s->write_hash);
-        /* 'create_empty_fragment' is true only when this function calls itself */
-        if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done)
-                {
-                /* countermeasure against known-IV weakness in CBC ciphersuites
-                 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
-                if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
-                        {
-                        /* recursive function call with 'create_empty_fragment' set;
-                         * this prepares and buffers the data for an empty fragment
-                         * (these 'prefix_len' bytes are sent out later
-                         * together with the actual payload) */
-                        prefix_len = do_ssl3_write(s, type, buf, 0, 1);
-                        if (prefix_len <= 0)
-                                goto err;
-                        if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
-                                {
-                                /* insufficient space */
-                                SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
-                                goto err;
-                                }
-                        }
-                
-                s->s3->empty_fragment_done = 1;
-                }
-        p = wb->buf + prefix_len;
-        /* write the header */
-        *(p++)=type&0xff;
-        wr->type=type;
-        *(p++)=(s->version>>8);
-        *(p++)=s->version&0xff;
-        /* field where we are to write out packet length */
-        plen=p; 
-        p+=2;
-        /* lets setup the record stuff. */
-        wr->data=p;
-        wr->length=(int)len;
-        wr->input=(unsigned char *)buf;
-        /* we now 'read' from wr->input, wr->length bytes into
-         * wr->data */
-        /* first we compress */
-        if (s->compress != NULL)
-                {
-                if (!do_compress(s))
-                        {
-                        SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
-                        goto err;
-                        }
-                }
-        else
-                {
-                memcpy(wr->data,wr->input,wr->length);
-                wr->input=wr->data;
-                }
-        /* we should still have the output to wr->data and the input
-         * from wr->input.  Length should be wr->length.
-         * wr->data still points in the wb->buf */
-        if (mac_size != 0)
-                {
-                s->method->ssl3_enc->mac(s,&(p[wr->length]),1);
-                wr->length+=mac_size;
-                wr->input=p;
-                wr->data=p;
-                }
-        /* ssl3_enc can only have an error on read */
-        s->method->ssl3_enc->enc(s,1);
-        /* record length after mac and block padding */
-        s2n(wr->length,plen);
-        /* we should now have
-         * wr->data pointing to the encrypted data, which is
-         * wr->length long */
-        wr->type=type; /* not needed but helps for debugging */
-        wr->length+=SSL3_RT_HEADER_LENGTH;
-        if (create_empty_fragment)
-                {
-                /* we are in a recursive call;
-                 * just return the length, don't write out anything here
-                 */
-                return wr->length;
-                }
-        /* now let's set up wb */
-        wb->left = prefix_len + wr->length;
-        wb->offset = 0;
-        /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
-        s->s3->wpend_tot=len;
-        s->s3->wpend_buf=buf;
-        s->s3->wpend_type=type;
-        s->s3->wpend_ret=len;
-        /* we now just need to write the buffer */
-        return ssl3_write_pending(s,type,buf,len);
-err:
-        return -1;
-        }
-/* if s->s3->wbuf.left != 0, we need to call this */
-static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
-                              unsigned int len)
-        {
-        int i;
-/* XXXX */
-        if ((s->s3->wpend_tot > (int)len)
-                || ((s->s3->wpend_buf != buf) &&
-                        !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
-                || (s->s3->wpend_type != type))
-                {
-                SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
-                return(-1);
-                }
-        for (;;)
-                {
-                clear_sys_error();
-                if (s->wbio != NULL)
-                        {
-                        s->rwstate=SSL_WRITING;
-                        i=BIO_write(s->wbio,
-                                (char *)&(s->s3->wbuf.buf[s->s3->wbuf.offset]),
-                                (unsigned int)s->s3->wbuf.left);
-                        }
-                else
-                        {
-                        SSLerr(SSL_F_SSL3_WRITE_PENDING,SSL_R_BIO_NOT_SET);
-                        i= -1;
-                        }
-                if (i == s->s3->wbuf.left)
-                        {
-                        s->s3->wbuf.left=0;
-                        s->rwstate=SSL_NOTHING;
-                        return(s->s3->wpend_ret);
-                        }
-                else if (i <= 0)
-                        return(i);
-                s->s3->wbuf.offset+=i;
-                s->s3->wbuf.left-=i;
-                }
-        }
-/* Return up to 'len' payload bytes received in 'type' records.
- * 'type' is one of the following:
- *
- *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
- *   -  SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
- *   -  0 (during a shutdown, no data has to be returned)
- *
- * If we don't have stored data to work from, read a SSL/TLS record first
- * (possibly multiple records if we still don't have anything to return).
- *
- * This function must handle any surprises the peer may have for us, such as
- * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
- * a surprise, but handled as if it were), or renegotiation requests.
- * Also if record payloads contain fragments too small to process, we store
- * them until there is enough for the respective protocol (the record protocol
- * may use arbitrary fragmentation and even interleaving):
- *     Change cipher spec protocol
- *             just 1 byte needed, no need for keeping anything stored
- *     Alert protocol
- *             2 bytes needed (AlertLevel, AlertDescription)
- *     Handshake protocol
- *             4 bytes needed (HandshakeType, uint24 length) -- we just have
- *             to detect unexpected Client Hello and Hello Request messages
- *             here, anything else is handled by higher layers
- *     Application data protocol
- *             none of our business
- */
-int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
-        {
-        int al,i,j,ret;
-        unsigned int n;
-        SSL3_RECORD *rr;
-        void (*cb)(const SSL *ssl,int type2,int val)=NULL;
-        if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
-                if (!ssl3_setup_buffers(s))
-                        return(-1);
-        if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
-            (peek && (type != SSL3_RT_APPLICATION_DATA)))
-                {
-                SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
-                return -1;
-                }
-        if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0))
-                /* (partially) satisfy request from storage */
-                {
-                unsigned char *src = s->s3->handshake_fragment;
-                unsigned char *dst = buf;
-                unsigned int k;
-                /* peek == 0 */
-                n = 0;
-                while ((len > 0) && (s->s3->handshake_fragment_len > 0))
-                        {
-                        *dst++ = *src++;
-                        len--; s->s3->handshake_fragment_len--;
-                        n++;
-                        }
-                /* move any remaining fragment bytes: */
-                for (k = 0; k < s->s3->handshake_fragment_len; k++)
-                        s->s3->handshake_fragment[k] = *src++;
-                return n;
-        }
-        /* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
-        if (!s->in_handshake && SSL_in_init(s))
-                {
-                /* type == SSL3_RT_APPLICATION_DATA */
-                i=s->handshake_func(s);
-                if (i < 0) return(i);
-                if (i == 0)
-                        {
-                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
-                        return(-1);
-                        }
-                }
-start:
-        s->rwstate=SSL_NOTHING;
-        /* s->s3->rrec.type         - is the type of record
-         * s->s3->rrec.data,    - data
-         * s->s3->rrec.off,     - offset into 'data' for next read
-         * s->s3->rrec.length,  - number of bytes. */
-        rr = &(s->s3->rrec);
-        /* get new packet if necessary */
-        if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
-                {
-                ret=ssl3_get_record(s);
-                if (ret <= 0) return(ret);
-                }
-        /* we now have a packet which can be read and processed */
-        if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
-                                       * reset by ssl3_get_finished */
-                && (rr->type != SSL3_RT_HANDSHAKE))
-                {
-                al=SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
-                goto f_err;
-                }
-        /* If the other end has shut down, throw anything we read away
-         * (even in 'peek' mode) */
-        if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
-                {
-                rr->length=0;
-                s->rwstate=SSL_NOTHING;
-                return(0);
-                }
-        if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
-                {
-                /* make sure that we are not getting application data when we
-                 * are doing a handshake for the first time */
-                if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
-                        (s->enc_read_ctx == NULL))
-                        {
-                        al=SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
-                        goto f_err;
-                        }
-                if (len <= 0) return(len);
-                if ((unsigned int)len > rr->length)
-                        n = rr->length;
-                else
-                        n = (unsigned int)len;
-                memcpy(buf,&(rr->data[rr->off]),n);
-                if (!peek)
-                        {
-                        rr->length-=n;
-                        rr->off+=n;
-                        if (rr->length == 0)
-                                {
-                                s->rstate=SSL_ST_READ_HEADER;
-                                rr->off=0;
-                                }
-                        }
-                return(n);
-                }
-        /* If we get here, then type != rr->type; if we have a handshake
-         * message, then it was unexpected (Hello Request or Client Hello). */
-        /* In case of record types for which we have 'fragment' storage,
-         * fill that so that we can process the data at a fixed place.
-         */
-                {
-                unsigned int dest_maxlen = 0;
-                unsigned char *dest = NULL;
-                unsigned int *dest_len = NULL;
-                if (rr->type == SSL3_RT_HANDSHAKE)
-                        {
-                        dest_maxlen = sizeof s->s3->handshake_fragment;
-                        dest = s->s3->handshake_fragment;
-                        dest_len = &s->s3->handshake_fragment_len;
-                        }
-                else if (rr->type == SSL3_RT_ALERT)
-                        {
-                        dest_maxlen = sizeof s->s3->alert_fragment;
-                        dest = s->s3->alert_fragment;
-                        dest_len = &s->s3->alert_fragment_len;
-                        }
-                if (dest_maxlen > 0)
-                        {
-                        n = dest_maxlen - *dest_len; /* available space in 'dest' */
-                        if (rr->length < n)
-                                n = rr->length; /* available bytes */
-                        /* now move 'n' bytes: */
-                        while (n-- > 0)
-                                {
-                                dest[(*dest_len)++] = rr->data[rr->off++];
-                                rr->length--;
-                                }
-                        if (*dest_len < dest_maxlen)
-                                goto start; /* fragment was too small */
-                        }
-                }
-        /* s->s3->handshake_fragment_len == 4  iff  rr->type == SSL3_RT_HANDSHAKE;
-         * s->s3->alert_fragment_len == 2      iff  rr->type == SSL3_RT_ALERT.
-         * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
-        /* If we are a client, check for an incoming 'Hello Request': */
-        if ((!s->server) &&
-                (s->s3->handshake_fragment_len >= 4) &&
-                (s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
-                (s->session != NULL) && (s->session->cipher != NULL))
-                {
-                s->s3->handshake_fragment_len = 0;
-                if ((s->s3->handshake_fragment[1] != 0) ||
-                        (s->s3->handshake_fragment[2] != 0) ||
-                        (s->s3->handshake_fragment[3] != 0))
-                        {
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
-                        goto f_err;
-                        }
-                if (s->msg_callback)
-                        s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
-                if (SSL_is_init_finished(s) &&
-                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
-                        !s->s3->renegotiate)
-                        {
-                        ssl3_renegotiate(s);
-                        if (ssl3_renegotiate_check(s))
-                                {
-                                i=s->handshake_func(s);
-                                if (i < 0) return(i);
-                                if (i == 0)
-                                        {
-                                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
-                                        return(-1);
-                                        }
-                                if (!(s->mode & SSL_MODE_AUTO_RETRY))
-                                        {
-                                        if (s->s3->rbuf.left == 0) /* no read-ahead left? */
-                                                {
-                                                BIO *bio;
-                                                /* In the case where we try to read application data,
-                                                 * but we trigger an SSL handshake, we return -1 with
-                                                 * the retry option set.  Otherwise renegotiation may
-                                                 * cause nasty problems in the blocking world */
-                                                s->rwstate=SSL_READING;
-                                                bio=SSL_get_rbio(s);
-                                                BIO_clear_retry_flags(bio);
-                                                BIO_set_retry_read(bio);
-                                                return(-1);
-                                                }
-                                        }
-                                }
-                        }
-                /* we either finished a handshake or ignored the request,
-                 * now try again to obtain the (application) data we were asked for */
-                goto start;
-                }
-        if (s->s3->alert_fragment_len >= 2)
-                {
-                int alert_level = s->s3->alert_fragment[0];
-                int alert_descr = s->s3->alert_fragment[1];
-                s->s3->alert_fragment_len = 0;
-                if (s->msg_callback)
-                        s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg);
-                if (s->info_callback != NULL)
-                        cb=s->info_callback;
-                else if (s->ctx->info_callback != NULL)
-                        cb=s->ctx->info_callback;
-                if (cb != NULL)
-                        {
-                        j = (alert_level << 8) | alert_descr;
-                        cb(s, SSL_CB_READ_ALERT, j);
-                        }
-                if (alert_level == 1) /* warning */
-                        {
-                        s->s3->warn_alert = alert_descr;
-                        if (alert_descr == SSL_AD_CLOSE_NOTIFY)
-                                {
-                                s->shutdown |= SSL_RECEIVED_SHUTDOWN;
-                                return(0);
-                                }
-                        }
-                else if (alert_level == 2) /* fatal */
-                        {
-                        char tmp[16];
-                        s->rwstate=SSL_NOTHING;
-                        s->s3->fatal_alert = alert_descr;
-                        SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
-                        BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
-                        ERR_add_error_data(2,"SSL alert number ",tmp);
-                        s->shutdown|=SSL_RECEIVED_SHUTDOWN;
-                        SSL_CTX_remove_session(s->ctx,s->session);
-                        return(0);
-                        }
-                else
-                        {
-                        al=SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
-                        goto f_err;
-                        }
-                goto start;
-                }
-        if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
-                {
-                s->rwstate=SSL_NOTHING;
-                rr->length=0;
-                return(0);
-                }
-        if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
-                {
-                /* 'Change Cipher Spec' is just a single byte, so we know
-                 * exactly what the record payload has to look like */
-                if (    (rr->length != 1) || (rr->off != 0) ||
-                        (rr->data[0] != SSL3_MT_CCS))
-                        {
-                        al=SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
-                        goto f_err;
-                        }
-                /* Check we have a cipher to change to */
-                if (s->s3->tmp.new_cipher == NULL)
-                        {
-                        al=SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
-                        goto f_err;
-                        }
-                rr->length=0;
-                if (s->msg_callback)
-                        s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg);
-                s->s3->change_cipher_spec=1;
-                if (!do_change_cipher_spec(s))
-                        goto err;
-                else
-                        goto start;
-                }
-        /* Unexpected handshake message (Client Hello, or protocol violation) */
-        if ((s->s3->handshake_fragment_len >= 4) &&     !s->in_handshake)
-                {
-                if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
-                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
-                        {
-#if 0 /* worked only because C operator preferences are not as expected (and
-       * because this is not really needed for clients except for detecting
-       * protocol violations): */
-                        s->state=SSL_ST_BEFORE|(s->server)
-                                ?SSL_ST_ACCEPT
-                                :SSL_ST_CONNECT;
-#else
-                        s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#endif
-                        s->new_session=1;
-                        }
-                i=s->handshake_func(s);
-                if (i < 0) return(i);
-                if (i == 0)
-                        {
-                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
-                        return(-1);
-                        }
-                if (!(s->mode & SSL_MODE_AUTO_RETRY))
-                        {
-                        if (s->s3->rbuf.left == 0) /* no read-ahead left? */
-                                {
-                                BIO *bio;
-                                /* In the case where we try to read application data,
-                                 * but we trigger an SSL handshake, we return -1 with
-                                 * the retry option set.  Otherwise renegotiation may
-                                 * cause nasty problems in the blocking world */
-                                s->rwstate=SSL_READING;
-                                bio=SSL_get_rbio(s);
-                                BIO_clear_retry_flags(bio);
-                                BIO_set_retry_read(bio);
-                                return(-1);
-                                }
-                        }
-                goto start;
-                }
-        switch (rr->type)
-                {
-        default:
-#ifndef OPENSSL_NO_TLS
-                /* TLS just ignores unknown message types */
-                if (s->version == TLS1_VERSION)
-                        {
-                        rr->length = 0;
-                        goto start;
-                        }
-#endif
-                al=SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
-                goto f_err;
-        case SSL3_RT_CHANGE_CIPHER_SPEC:
-        case SSL3_RT_ALERT:
-        case SSL3_RT_HANDSHAKE:
-                /* we already handled all of these, with the possible exception
-                 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
-                 * should not happen when type != rr->type */
-                al=SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
-                goto f_err;
-        case SSL3_RT_APPLICATION_DATA:
-                /* At this point, we were expecting handshake data,
-                 * but have application data.  If the library was
-                 * running inside ssl3_read() (i.e. in_read_app_data
-                 * is set) and it makes sense to read application data
-                 * at this point (session renegotiation not yet started),
-                 * we will indulge it.
-                 */
-                if (s->s3->in_read_app_data &&
-                        (s->s3->total_renegotiations != 0) &&
-                        ((
-                                (s->state & SSL_ST_CONNECT) &&
-                                (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
-                                (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
-                                ) || (
-                                        (s->state & SSL_ST_ACCEPT) &&
-                                        (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
-                                        (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
-                                        )
-                                ))
-                        {
-                        s->s3->in_read_app_data=2;
-                        return(-1);
-                        }
-                else
-                        {
-                        al=SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
-                        goto f_err;
-                        }
-                }
-        /* not reached */
-f_err:
-        ssl3_send_alert(s,SSL3_AL_FATAL,al);
-err:
-        return(-1);
-        }
-static int do_change_cipher_spec(SSL *s)
-        {
-        int i;
-        const char *sender;
-        int slen;
-        if (s->state & SSL_ST_ACCEPT)
-                i=SSL3_CHANGE_CIPHER_SERVER_READ;
-        else
-                i=SSL3_CHANGE_CIPHER_CLIENT_READ;
-        if (s->s3->tmp.key_block == NULL)
-                {
-                s->session->cipher=s->s3->tmp.new_cipher;
-                if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
-                }
-        if (!s->method->ssl3_enc->change_cipher_state(s,i))
-                return(0);
-        /* we have to record the message digest at
-         * this point so we can get it before we read
-         * the finished message */
-        if (s->state & SSL_ST_CONNECT)
-                {
-                sender=s->method->ssl3_enc->server_finished_label;
-                slen=s->method->ssl3_enc->server_finished_label_len;
-                }
-        else
-                {
-                sender=s->method->ssl3_enc->client_finished_label;
-                slen=s->method->ssl3_enc->client_finished_label_len;
-                }
-        s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
-                &(s->s3->finish_dgst1),
-                &(s->s3->finish_dgst2),
-                sender,slen,s->s3->tmp.peer_finish_md);
-        return(1);
-        }
-void ssl3_send_alert(SSL *s, int level, int desc)
-        {
-        /* Map tls/ssl alert value to correct one */
-        desc=s->method->ssl3_enc->alert_value(desc);
-        if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
-                desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
-        if (desc < 0) return;
-        /* If a fatal one, remove from cache */
-        if ((level == 2) && (s->session != NULL))
-                SSL_CTX_remove_session(s->ctx,s->session);
-        s->s3->alert_dispatch=1;
-        s->s3->send_alert[0]=level;
-        s->s3->send_alert[1]=desc;
-        if (s->s3->wbuf.left == 0) /* data still being written out? */
-                ssl3_dispatch_alert(s);
-        /* else data is still being written out, we will get written
-         * some time in the future */
-        }
-int ssl3_dispatch_alert(SSL *s)
-        {
-        int i,j;
-        void (*cb)(const SSL *ssl,int type,int val)=NULL;
-        s->s3->alert_dispatch=0;
-        i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
-        if (i <= 0)
-                {
-                s->s3->alert_dispatch=1;
-                }
-        else
-                {
-                /* Alert sent to BIO.  If it is important, flush it now.
-                 * If the message does not get sent due to non-blocking IO,
-                 * we will not worry too much. */
-                if (s->s3->send_alert[0] == SSL3_AL_FATAL)
-                        (void)BIO_flush(s->wbio);
-                if (s->msg_callback)
-                        s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg);
-                if (s->info_callback != NULL)
-                        cb=s->info_callback;
-                else if (s->ctx->info_callback != NULL)
-                        cb=s->ctx->info_callback;
-                if (cb != NULL)
-                        {
-                        j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
-                        cb(s,SSL_CB_WRITE_ALERT,j);
-                        }
-                }
-        return(i);
-        }
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
deleted file mode 100644
index 36fc39d7f8..0000000000
--- a/src/lib/libssl/s3_srvr.c
+++ /dev/null
@@ -1,2082 +0,0 @@
-/* ssl/s3_srvr.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#define REUSE_CIPHER_BUG
-#define NETSCAPE_HANG_BUG
-#include <stdio.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
-#include <openssl/buffer.h>
-#include <openssl/rand.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#ifndef OPENSSL_NO_KRB5
-#include <openssl/krb5_asn.h>
-#endif
-#include <openssl/md5.h>
-#include <openssl/fips.h>
-static SSL_METHOD *ssl3_get_server_method(int ver);
-static int ssl3_get_client_hello(SSL *s);
-static int ssl3_check_client_hello(SSL *s);
-static int ssl3_send_server_hello(SSL *s);
-static int ssl3_send_server_key_exchange(SSL *s);
-static int ssl3_send_certificate_request(SSL *s);
-static int ssl3_send_server_done(SSL *s);
-static int ssl3_get_client_key_exchange(SSL *s);
-static int ssl3_get_client_certificate(SSL *s);
-static int ssl3_get_cert_verify(SSL *s);
-static int ssl3_send_hello_request(SSL *s);
-static SSL_METHOD *ssl3_get_server_method(int ver)
-        {
-        if (ver == SSL3_VERSION)
-                return(SSLv3_server_method());
-        else
-                return(NULL);
-        }
-SSL_METHOD *SSLv3_server_method(void)
-        {
-        static int init=1;
-        static SSL_METHOD SSLv3_server_data;
-        if (init)
-                {
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-                if (init)
-                        {
-                        memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
-                                sizeof(SSL_METHOD));
-                        SSLv3_server_data.ssl_accept=ssl3_accept;
-                        SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
-                        init=0;
-                        }
-                        
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-                }
-        return(&SSLv3_server_data);
-        }
-int ssl3_accept(SSL *s)
-        {
-        BUF_MEM *buf;
-        unsigned long l,Time=(unsigned long)time(NULL);
-        void (*cb)(const SSL *ssl,int type,int val)=NULL;
-        long num1;
-        int ret= -1;
-        int new_state,state,skip=0;
-        RAND_add(&Time,sizeof(Time),0);
-        ERR_clear_error();
-        clear_sys_error();
-        if (s->info_callback != NULL)
-                cb=s->info_callback;
-        else if (s->ctx->info_callback != NULL)
-                cb=s->ctx->info_callback;
-        /* init things to blank */
-        s->in_handshake++;
-        if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
-        if (s->cert == NULL)
-                {
-                SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
-                return(-1);
-                }
-        for (;;)
-                {
-                state=s->state;
-                switch (s->state)
-                        {
-                case SSL_ST_RENEGOTIATE:
-                        s->new_session=1;
-                        /* s->state=SSL_ST_ACCEPT; */
-                case SSL_ST_BEFORE:
-                case SSL_ST_ACCEPT:
-                case SSL_ST_BEFORE|SSL_ST_ACCEPT:
-                case SSL_ST_OK|SSL_ST_ACCEPT:
-                        s->server=1;
-                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
-                        if ((s->version>>8) != 3)
-                                {
-                                SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
-                                return -1;
-                                }
-                        s->type=SSL_ST_ACCEPT;
-                        if (s->init_buf == NULL)
-                                {
-                                if ((buf=BUF_MEM_new()) == NULL)
-                                        {
-                                        ret= -1;
-                                        goto end;
-                                        }
-                                if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
-                                        {
-                                        ret= -1;
-                                        goto end;
-                                        }
-                                s->init_buf=buf;
-                                }
-                        if (!ssl3_setup_buffers(s))
-                                {
-                                ret= -1;
-                                goto end;
-                                }
-                        s->init_num=0;
-                        if (s->state != SSL_ST_RENEGOTIATE)
-                                {
-                                /* Ok, we now need to push on a buffering BIO so that
-                                 * the output is sent in a way that TCP likes :-)
-                                 */
-                                if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
-                                
-                                ssl3_init_finished_mac(s);
-                                s->state=SSL3_ST_SR_CLNT_HELLO_A;
-                                s->ctx->stats.sess_accept++;
-                                }
-                        else
-                                {
-                                /* s->state == SSL_ST_RENEGOTIATE,
-                                 * we will just send a HelloRequest */
-                                s->ctx->stats.sess_accept_renegotiate++;
-                                s->state=SSL3_ST_SW_HELLO_REQ_A;
-                                }
-                        break;
-                case SSL3_ST_SW_HELLO_REQ_A:
-                case SSL3_ST_SW_HELLO_REQ_B:
-                        s->shutdown=0;
-                        ret=ssl3_send_hello_request(s);
-                        if (ret <= 0) goto end;
-                        s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
-                        s->state=SSL3_ST_SW_FLUSH;
-                        s->init_num=0;
-                        ssl3_init_finished_mac(s);
-                        break;
-                case SSL3_ST_SW_HELLO_REQ_C:
-                        s->state=SSL_ST_OK;
-                        break;
-                case SSL3_ST_SR_CLNT_HELLO_A:
-                case SSL3_ST_SR_CLNT_HELLO_B:
-                case SSL3_ST_SR_CLNT_HELLO_C:
-                        s->shutdown=0;
-                        ret=ssl3_get_client_hello(s);
-                        if (ret <= 0) goto end;
-                        s->new_session = 2;
-                        s->state=SSL3_ST_SW_SRVR_HELLO_A;
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_SW_SRVR_HELLO_A:
-                case SSL3_ST_SW_SRVR_HELLO_B:
-                        ret=ssl3_send_server_hello(s);
-                        if (ret <= 0) goto end;
-                        if (s->hit)
-                                s->state=SSL3_ST_SW_CHANGE_A;
-                        else
-                                s->state=SSL3_ST_SW_CERT_A;
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_SW_CERT_A:
-                case SSL3_ST_SW_CERT_B:
-                        /* Check if it is anon DH */
-                        if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
-                                {
-                                ret=ssl3_send_server_certificate(s);
-                                if (ret <= 0) goto end;
-                                }
-                        else
-                                skip=1;
-                        s->state=SSL3_ST_SW_KEY_EXCH_A;
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_SW_KEY_EXCH_A:
-                case SSL3_ST_SW_KEY_EXCH_B:
-                        l=s->s3->tmp.new_cipher->algorithms;
-                        /* clear this, it may get reset by
-                         * send_server_key_exchange */
-                        if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
-                                && !(l & SSL_KRB5)
-#endif /* OPENSSL_NO_KRB5 */
-                                )
-                                /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
-                                 * even when forbidden by protocol specs
-                                 * (handshake may fail as clients are not required to
-                                 * be able to handle this) */
-                                s->s3->tmp.use_rsa_tmp=1;
-                        else
-                                s->s3->tmp.use_rsa_tmp=0;
-                        /* only send if a DH key exchange, fortezza or
-                         * RSA but we have a sign only certificate */
-                        if (s->s3->tmp.use_rsa_tmp
-                            || (l & (SSL_DH|SSL_kFZA))
-                            || ((l & SSL_kRSA)
-                                && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
-                                    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
-                                        && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
-                                        )
-                                    )
-                                )
-                            )
-                                {
-                                ret=ssl3_send_server_key_exchange(s);
-                                if (ret <= 0) goto end;
-                                }
-                        else
-                                skip=1;
-                        s->state=SSL3_ST_SW_CERT_REQ_A;
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_SW_CERT_REQ_A:
-                case SSL3_ST_SW_CERT_REQ_B:
-                        if (/* don't request cert unless asked for it: */
-                                !(s->verify_mode & SSL_VERIFY_PEER) ||
-                                /* if SSL_VERIFY_CLIENT_ONCE is set,
-                                 * don't request cert during re-negotiation: */
-                                ((s->session->peer != NULL) &&
-                                 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
-                                /* never request cert in anonymous ciphersuites
-                                 * (see section "Certificate request" in SSL 3 drafts
-                                 * and in RFC 2246): */
-                                ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
-                                 /* ... except when the application insists on verification
-                                  * (against the specs, but s3_clnt.c accepts this for SSL 3) */
-                                 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
-                                 /* never request cert in Kerberos ciphersuites */
-                                (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
-                                {
-                                /* no cert request */
-                                skip=1;
-                                s->s3->tmp.cert_request=0;
-                                s->state=SSL3_ST_SW_SRVR_DONE_A;
-                                }
-                        else
-                                {
-                                s->s3->tmp.cert_request=1;
-                                ret=ssl3_send_certificate_request(s);
-                                if (ret <= 0) goto end;
-#ifndef NETSCAPE_HANG_BUG
-                                s->state=SSL3_ST_SW_SRVR_DONE_A;
-#else
-                                s->state=SSL3_ST_SW_FLUSH;
-                                s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
-#endif
-                                s->init_num=0;
-                                }
-                        break;
-                case SSL3_ST_SW_SRVR_DONE_A:
-                case SSL3_ST_SW_SRVR_DONE_B:
-                        ret=ssl3_send_server_done(s);
-                        if (ret <= 0) goto end;
-                        s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
-                        s->state=SSL3_ST_SW_FLUSH;
-                        s->init_num=0;
-                        break;
-                
-                case SSL3_ST_SW_FLUSH:
-                        /* number of bytes to be flushed */
-                        num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
-                        if (num1 > 0)
-                                {
-                                s->rwstate=SSL_WRITING;
-                                num1=BIO_flush(s->wbio);
-                                if (num1 <= 0) { ret= -1; goto end; }
-                                s->rwstate=SSL_NOTHING;
-                                }
-                        s->state=s->s3->tmp.next_state;
-                        break;
-                case SSL3_ST_SR_CERT_A:
-                case SSL3_ST_SR_CERT_B:
-                        /* Check for second client hello (MS SGC) */
-                        ret = ssl3_check_client_hello(s);
-                        if (ret <= 0)
-                                goto end;
-                        if (ret == 2)
-                                s->state = SSL3_ST_SR_CLNT_HELLO_C;
-                        else {
-                                if (s->s3->tmp.cert_request)
-                                        {
-                                        ret=ssl3_get_client_certificate(s);
-                                        if (ret <= 0) goto end;
-                                        }
-                                s->init_num=0;
-                                s->state=SSL3_ST_SR_KEY_EXCH_A;
-                        }
-                        break;
-                case SSL3_ST_SR_KEY_EXCH_A:
-                case SSL3_ST_SR_KEY_EXCH_B:
-                        ret=ssl3_get_client_key_exchange(s);
-                        if (ret <= 0) goto end;
-                        s->state=SSL3_ST_SR_CERT_VRFY_A;
-                        s->init_num=0;
-                        /* We need to get hashes here so if there is
-                         * a client cert, it can be verified */ 
-                        s->method->ssl3_enc->cert_verify_mac(s,
-                                &(s->s3->finish_dgst1),
-                                &(s->s3->tmp.cert_verify_md[0]));
-                        s->method->ssl3_enc->cert_verify_mac(s,
-                                &(s->s3->finish_dgst2),
-                                &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
-                        break;
-                case SSL3_ST_SR_CERT_VRFY_A:
-                case SSL3_ST_SR_CERT_VRFY_B:
-                        /* we should decide if we expected this one */
-                        ret=ssl3_get_cert_verify(s);
-                        if (ret <= 0) goto end;
-                        s->state=SSL3_ST_SR_FINISHED_A;
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_SR_FINISHED_A:
-                case SSL3_ST_SR_FINISHED_B:
-                        ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
-                                SSL3_ST_SR_FINISHED_B);
-                        if (ret <= 0) goto end;
-                        if (s->hit)
-                                s->state=SSL_ST_OK;
-                        else
-                                s->state=SSL3_ST_SW_CHANGE_A;
-                        s->init_num=0;
-                        break;
-                case SSL3_ST_SW_CHANGE_A:
-                case SSL3_ST_SW_CHANGE_B:
-                        s->session->cipher=s->s3->tmp.new_cipher;
-                        if (!s->method->ssl3_enc->setup_key_block(s))
-                                { ret= -1; goto end; }
-                        ret=ssl3_send_change_cipher_spec(s,
-                                SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
-                        if (ret <= 0) goto end;
-                        s->state=SSL3_ST_SW_FINISHED_A;
-                        s->init_num=0;
-                        if (!s->method->ssl3_enc->change_cipher_state(s,
-                                SSL3_CHANGE_CIPHER_SERVER_WRITE))
-                                {
-                                ret= -1;
-                                goto end;
-                                }
-                        break;
-                case SSL3_ST_SW_FINISHED_A:
-                case SSL3_ST_SW_FINISHED_B:
-                        ret=ssl3_send_finished(s,
-                                SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
-                                s->method->ssl3_enc->server_finished_label,
-                                s->method->ssl3_enc->server_finished_label_len);
-                        if (ret <= 0) goto end;
-                        s->state=SSL3_ST_SW_FLUSH;
-                        if (s->hit)
-                                s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
-                        else
-                                s->s3->tmp.next_state=SSL_ST_OK;
-                        s->init_num=0;
-                        break;
-                case SSL_ST_OK:
-                        /* clean a few things up */
-                        ssl3_cleanup_key_block(s);
-                        BUF_MEM_free(s->init_buf);
-                        s->init_buf=NULL;
-                        /* remove buffering on output */
-                        ssl_free_wbio_buffer(s);
-                        s->init_num=0;
-                        if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
-                                {
-                                /* actually not necessarily a 'new' session unless
-                                 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
-                                
-                                s->new_session=0;
-                                
-                                ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
-                                
-                                s->ctx->stats.sess_accept_good++;
-                                /* s->server=1; */
-                                s->handshake_func=ssl3_accept;
-                                if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
-                                }
-                        
-                        ret = 1;
-                        goto end;
-                        /* break; */
-                default:
-                        SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
-                        ret= -1;
-                        goto end;
-                        /* break; */
-                        }
-                
-                if (!s->s3->tmp.reuse_message && !skip)
-                        {
-                        if (s->debug)
-                                {
-                                if ((ret=BIO_flush(s->wbio)) <= 0)
-                                        goto end;
-                                }
-                        if ((cb != NULL) && (s->state != state))
-                                {
-                                new_state=s->state;
-                                s->state=state;
-                                cb(s,SSL_CB_ACCEPT_LOOP,1);
-                                s->state=new_state;
-                                }
-                        }
-                skip=0;
-                }
-end:
-        /* BIO_flush(s->wbio); */
-        s->in_handshake--;
-        if (cb != NULL)
-                cb(s,SSL_CB_ACCEPT_EXIT,ret);
-        return(ret);
-        }
-static int ssl3_send_hello_request(SSL *s)
-        {
-        unsigned char *p;
-        if (s->state == SSL3_ST_SW_HELLO_REQ_A)
-                {
-                p=(unsigned char *)s->init_buf->data;
-                *(p++)=SSL3_MT_HELLO_REQUEST;
-                *(p++)=0;
-                *(p++)=0;
-                *(p++)=0;
-                s->state=SSL3_ST_SW_HELLO_REQ_B;
-                /* number of bytes to write */
-                s->init_num=4;
-                s->init_off=0;
-                }
-        /* SSL3_ST_SW_HELLO_REQ_B */
-        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
-        }
-static int ssl3_check_client_hello(SSL *s)
-        {
-        int ok;
-        long n;
-        /* this function is called when we really expect a Certificate message,
-         * so permit appropriate message length */
-        n=ssl3_get_message(s,
-                SSL3_ST_SR_CERT_A,
-                SSL3_ST_SR_CERT_B,
-                -1,
-                s->max_cert_list,
-                &ok);
-        if (!ok) return((int)n);
-        s->s3->tmp.reuse_message = 1;
-        if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
-                {
-                /* Throw away what we have done so far in the current handshake,
-                 * which will now be aborted. (A full SSL_clear would be too much.)
-                 * I hope that tmp.dh is the only thing that may need to be cleared
-                 * when a handshake is not completed ... */
-#ifndef OPENSSL_NO_DH
-                if (s->s3->tmp.dh != NULL)
-                        {
-                        DH_free(s->s3->tmp.dh);
-                        s->s3->tmp.dh = NULL;
-                        }
-#endif
-                return 2;
-                }
-        return 1;
-}
-static int ssl3_get_client_hello(SSL *s)
-        {
-        int i,j,ok,al,ret= -1;
-        long n;
-        unsigned long id;
-        unsigned char *p,*d,*q;
-        SSL_CIPHER *c;
-        SSL_COMP *comp=NULL;
-        STACK_OF(SSL_CIPHER) *ciphers=NULL;
-        /* We do this so that we will respond with our native type.
-         * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
-         * This down switching should be handled by a different method.
-         * If we are SSLv3, we will respond with SSLv3, even if prompted with
-         * TLSv1.
-         */
-        if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
-                {
-                s->first_packet=1;
-                s->state=SSL3_ST_SR_CLNT_HELLO_B;
-                }
-        n=ssl3_get_message(s,
-                SSL3_ST_SR_CLNT_HELLO_B,
-                SSL3_ST_SR_CLNT_HELLO_C,
-                SSL3_MT_CLIENT_HELLO,
-                SSL3_RT_MAX_PLAIN_LENGTH,
-                &ok);
-        if (!ok) return((int)n);
-        d=p=(unsigned char *)s->init_msg;
-        /* use version from inside client hello, not from record header
-         * (may differ: see RFC 2246, Appendix E, second paragraph) */
-        s->client_version=(((int)p[0])<<8)|(int)p[1];
-        p+=2;
-        if (s->client_version < s->version)
-                {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
-                if ((s->client_version>>8) == SSL3_VERSION_MAJOR) 
-                        {
-                        /* similar to ssl3_get_record, send alert using remote version number */
-                        s->version = s->client_version;
-                        }
-                al = SSL_AD_PROTOCOL_VERSION;
-                goto f_err;
-                }
-        /* load the client random */
-        memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
-        p+=SSL3_RANDOM_SIZE;
-        /* get the session-id */
-        j= *(p++);
-        s->hit=0;
-        /* Versions before 0.9.7 always allow session reuse during renegotiation
-         * (i.e. when s->new_session is true), option
-         * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7.
-         * Maybe this optional behaviour should always have been the default,
-         * but we cannot safely change the default behaviour (or new applications
-         * might be written that become totally unsecure when compiled with
-         * an earlier library version)
-         */
-        if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
-                {
-                if (!ssl_get_new_session(s,1))
-                        goto err;
-                }
-        else
-                {
-                i=ssl_get_prev_session(s,p,j);
-                if (i == 1)
-                        { /* previous session */
-                        s->hit=1;
-                        }
-                else if (i == -1)
-                        goto err;
-                else /* i == 0 */
-                        {
-                        if (!ssl_get_new_session(s,1))
-                                goto err;
-                        }
-                }
-        p+=j;
-        n2s(p,i);
-        if ((i == 0) && (j != 0))
-                {
-                /* we need a cipher if we are not resuming a session */
-                al=SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
-                goto f_err;
-                }
-        if ((p+i) >= (d+n))
-                {
-                /* not enough data */
-                al=SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
-                goto f_err;
-                }
-        if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers))
-                == NULL))
-                {
-                goto err;
-                }
-        p+=i;
-        /* If it is a hit, check that the cipher is in the list */
-        if ((s->hit) && (i > 0))
-                {
-                j=0;
-                id=s->session->cipher->id;
-#ifdef CIPHER_DEBUG
-                printf("client sent %d ciphers\n",sk_num(ciphers));
-#endif
-                for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++)
-                        {
-                        c=sk_SSL_CIPHER_value(ciphers,i);
-#ifdef CIPHER_DEBUG
-                        printf("client [%2d of %2d]:%s\n",
-                                i,sk_num(ciphers),SSL_CIPHER_get_name(c));
-#endif
-                        if (c->id == id)
-                                {
-                                j=1;
-                                break;
-                                }
-                        }
-                if (j == 0)
-                        {
-                        if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
-                                {
-                                /* Very bad for multi-threading.... */
-                                s->session->cipher=sk_SSL_CIPHER_value(ciphers,
-                                                                       0);
-                                }
-                        else
-                                {
-                                /* we need to have the cipher in the cipher
-                                 * list if we are asked to reuse it */
-                                al=SSL_AD_ILLEGAL_PARAMETER;
-                                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
-                                goto f_err;
-                                }
-                        }
-                }
-        /* compression */
-        i= *(p++);
-        if ((p+i) > (d+n))
-                {
-                /* not enough data */
-                al=SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
-                goto f_err;
-                }
-        q=p;
-        for (j=0; j<i; j++)
-                {
-                if (p[j] == 0) break;
-                }
-        p+=i;
-        if (j >= i)
-                {
-                /* no compress */
-                al=SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED);
-                goto f_err;
-                }
-        /* Worst case, we will use the NULL compression, but if we have other
-         * options, we will now look for them.  We have i-1 compression
-         * algorithms from the client, starting at q. */
-        s->s3->tmp.new_compression=NULL;
-        if (s->ctx->comp_methods != NULL)
-                { /* See if we have a match */
-                int m,nn,o,v,done=0;
-                nn=sk_SSL_COMP_num(s->ctx->comp_methods);
-                for (m=0; m<nn; m++)
-                        {
-                        comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
-                        v=comp->id;
-                        for (o=0; o<i; o++)
-                                {
-                                if (v == q[o])
-                                        {
-                                        done=1;
-                                        break;
-                                        }
-                                }
-                        if (done) break;
-                        }
-                if (done)
-                        s->s3->tmp.new_compression=comp;
-                else
-                        comp=NULL;
-                }
-        /* TLS does not mind if there is extra stuff */
-#if 0   /* SSL 3.0 does not mind either, so we should disable this test
-         * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b,
-         * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
-        if (s->version == SSL3_VERSION)
-                {
-                if (p < (d+n))
-                        {
-                        /* wrong number of bytes,
-                         * there could be more to follow */
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
-                        goto f_err;
-                        }
-                }
-#endif
-        /* Given s->session->ciphers and SSL_get_ciphers, we must
-         * pick a cipher */
-        if (!s->hit)
-                {
-                s->session->compress_meth=(comp == NULL)?0:comp->id;
-                if (s->session->ciphers != NULL)
-                        sk_SSL_CIPHER_free(s->session->ciphers);
-                s->session->ciphers=ciphers;
-                if (ciphers == NULL)
-                        {
-                        al=SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
-                        goto f_err;
-                        }
-                ciphers=NULL;
-                c=ssl3_choose_cipher(s,s->session->ciphers,
-                                     SSL_get_ciphers(s));
-                if (c == NULL)
-                        {
-                        al=SSL_AD_HANDSHAKE_FAILURE;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
-                        goto f_err;
-                        }
-                s->s3->tmp.new_cipher=c;
-                }
-        else
-                {
-                /* Session-id reuse */
-#ifdef REUSE_CIPHER_BUG
-                STACK_OF(SSL_CIPHER) *sk;
-                SSL_CIPHER *nc=NULL;
-                SSL_CIPHER *ec=NULL;
-                if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
-                        {
-                        sk=s->session->ciphers;
-                        for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
-                                {
-                                c=sk_SSL_CIPHER_value(sk,i);
-                                if (c->algorithms & SSL_eNULL)
-                                        nc=c;
-                                if (SSL_C_IS_EXPORT(c))
-                                        ec=c;
-                                }
-                        if (nc != NULL)
-                                s->s3->tmp.new_cipher=nc;
-                        else if (ec != NULL)
-                                s->s3->tmp.new_cipher=ec;
-                        else
-                                s->s3->tmp.new_cipher=s->session->cipher;
-                        }
-                else
-#endif
-                s->s3->tmp.new_cipher=s->session->cipher;
-                }
-        
-        /* we now have the following setup. 
-         * client_random
-         * cipher_list          - our prefered list of ciphers
-         * ciphers              - the clients prefered list of ciphers
-         * compression          - basically ignored right now
-         * ssl version is set   - sslv3
-         * s->session           - The ssl session has been setup.
-         * s->hit               - session reuse flag
-         * s->tmp.new_cipher    - the new cipher to use.
-         */
-        ret=1;
-        if (0)
-                {
-f_err:
-                ssl3_send_alert(s,SSL3_AL_FATAL,al);
-                }
-err:
-        if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
-        return(ret);
-        }
-static int ssl3_send_server_hello(SSL *s)
-        {
-        unsigned char *buf;
-        unsigned char *p,*d;
-        int i,sl;
-        unsigned long l,Time;
-        if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
-                {
-                buf=(unsigned char *)s->init_buf->data;
-                p=s->s3->server_random;
-                Time=(unsigned long)time(NULL);                 /* Time */
-                l2n(Time,p);
-                if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
-                        return -1;
-                /* Do the message type and length last */
-                d=p= &(buf[4]);
-                *(p++)=s->version>>8;
-                *(p++)=s->version&0xff;
-                /* Random stuff */
-                memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
-                p+=SSL3_RANDOM_SIZE;
-                /* now in theory we have 3 options to sending back the
-                 * session id.  If it is a re-use, we send back the
-                 * old session-id, if it is a new session, we send
-                 * back the new session-id or we send back a 0 length
-                 * session-id if we want it to be single use.
-                 * Currently I will not implement the '0' length session-id
-                 * 12-Jan-98 - I'll now support the '0' length stuff.
-                 */
-                if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
-                        s->session->session_id_length=0;
-                sl=s->session->session_id_length;
-                if (sl > sizeof s->session->session_id)
-                        {
-                        SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
-                        return -1;
-                        }
-                *(p++)=sl;
-                memcpy(p,s->session->session_id,sl);
-                p+=sl;
-                /* put the cipher */
-                i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
-                p+=i;
-                /* put the compression method */
-                if (s->s3->tmp.new_compression == NULL)
-                        *(p++)=0;
-                else
-                        *(p++)=s->s3->tmp.new_compression->id;
-                /* do the header */
-                l=(p-d);
-                d=buf;
-                *(d++)=SSL3_MT_SERVER_HELLO;
-                l2n3(l,d);
-                s->state=SSL3_ST_CW_CLNT_HELLO_B;
-                /* number of bytes to write */
-                s->init_num=p-buf;
-                s->init_off=0;
-                }
-        /* SSL3_ST_CW_CLNT_HELLO_B */
-        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
-        }
-static int ssl3_send_server_done(SSL *s)
-        {
-        unsigned char *p;
-        if (s->state == SSL3_ST_SW_SRVR_DONE_A)
-                {
-                p=(unsigned char *)s->init_buf->data;
-                /* do the header */
-                *(p++)=SSL3_MT_SERVER_DONE;
-                *(p++)=0;
-                *(p++)=0;
-                *(p++)=0;
-                s->state=SSL3_ST_SW_SRVR_DONE_B;
-                /* number of bytes to write */
-                s->init_num=4;
-                s->init_off=0;
-                }
-        /* SSL3_ST_CW_CLNT_HELLO_B */
-        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
-        }
-static int ssl3_send_server_key_exchange(SSL *s)
-        {
-#ifndef OPENSSL_NO_RSA
-        unsigned char *q;
-        int j,num;
-        RSA *rsa;
-        unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
-        unsigned int u;
-#endif
-#ifndef OPENSSL_NO_DH
-        DH *dh=NULL,*dhp;
-#endif
-        EVP_PKEY *pkey;
-        unsigned char *p,*d;
-        int al,i;
-        unsigned long type;
-        int n;
-        CERT *cert;
-        BIGNUM *r[4];
-        int nr[4],kn;
-        BUF_MEM *buf;
-        EVP_MD_CTX md_ctx;
-        EVP_MD_CTX_init(&md_ctx);
-        if (s->state == SSL3_ST_SW_KEY_EXCH_A)
-                {
-                type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
-                cert=s->cert;
-                buf=s->init_buf;
-                r[0]=r[1]=r[2]=r[3]=NULL;
-                n=0;
-#ifndef OPENSSL_NO_RSA
-                if (type & SSL_kRSA)
-                        {
-                        rsa=cert->rsa_tmp;
-                        if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
-                                {
-                                rsa=s->cert->rsa_tmp_cb(s,
-                                      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
-                                      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
-                                if(rsa == NULL)
-                                {
-                                        al=SSL_AD_HANDSHAKE_FAILURE;
-                                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
-                                        goto f_err;
-                                }
-                                RSA_up_ref(rsa);
-                                cert->rsa_tmp=rsa;
-                                }
-                        if (rsa == NULL)
-                                {
-                                al=SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
-                                goto f_err;
-                                }
-                        r[0]=rsa->n;
-                        r[1]=rsa->e;
-                        s->s3->tmp.use_rsa_tmp=1;
-                        }
-                else
-#endif
-#ifndef OPENSSL_NO_DH
-                        if (type & SSL_kEDH)
-                        {
-                        dhp=cert->dh_tmp;
-                        if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
-                                dhp=s->cert->dh_tmp_cb(s,
-                                      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
-                                      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
-                        if (dhp == NULL)
-                                {
-                                al=SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
-                                goto f_err;
-                                }
-                        if (s->s3->tmp.dh != NULL)
-                                {
-                                DH_free(dh);
-                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
-                                goto err;
-                                }
-                        if ((dh=DHparams_dup(dhp)) == NULL)
-                                {
-                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
-                                goto err;
-                                }
-                        s->s3->tmp.dh=dh;
-                        if ((dhp->pub_key == NULL ||
-                             dhp->priv_key == NULL ||
-                             (s->options & SSL_OP_SINGLE_DH_USE)))
-                                {
-                                if(!DH_generate_key(dh))
-                                    {
-                                    SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
-                                           ERR_R_DH_LIB);
-                                    goto err;
-                                    }
-                                }
-                        else
-                                {
-                                dh->pub_key=BN_dup(dhp->pub_key);
-                                dh->priv_key=BN_dup(dhp->priv_key);
-                                if ((dh->pub_key == NULL) ||
-                                        (dh->priv_key == NULL))
-                                        {
-                                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
-                                        goto err;
-                                        }
-                                }
-                        r[0]=dh->p;
-                        r[1]=dh->g;
-                        r[2]=dh->pub_key;
-                        }
-                else 
-#endif
-                        {
-                        al=SSL_AD_HANDSHAKE_FAILURE;
-                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
-                        goto f_err;
-                        }
-                for (i=0; r[i] != NULL; i++)
-                        {
-                        nr[i]=BN_num_bytes(r[i]);
-                        n+=2+nr[i];
-                        }
-                if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
-                        {
-                        if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
-                                == NULL)
-                                {
-                                al=SSL_AD_DECODE_ERROR;
-                                goto f_err;
-                                }
-                        kn=EVP_PKEY_size(pkey);
-                        }
-                else
-                        {
-                        pkey=NULL;
-                        kn=0;
-                        }
-                if (!BUF_MEM_grow_clean(buf,n+4+kn))
-                        {
-                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
-                        goto err;
-                        }
-                d=(unsigned char *)s->init_buf->data;
-                p= &(d[4]);
-                for (i=0; r[i] != NULL; i++)
-                        {
-                        s2n(nr[i],p);
-                        BN_bn2bin(r[i],p);
-                        p+=nr[i];
-                        }
-                /* not anonymous */
-                if (pkey != NULL)
-                        {
-                        /* n is the length of the params, they start at &(d[4])
-                         * and p points to the space at the end. */
-#ifndef OPENSSL_NO_RSA
-                        if (pkey->type == EVP_PKEY_RSA)
-                                {
-                                q=md_buf;
-                                j=0;
-                                for (num=2; num > 0; num--)
-                                        {
-                                        EVP_MD_CTX_set_flags(&md_ctx,
-                                                EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-                                        EVP_DigestInit_ex(&md_ctx,(num == 2)
-                                                ?s->ctx->md5:s->ctx->sha1, NULL);
-                                        EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
-                                        EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
-                                        EVP_DigestUpdate(&md_ctx,&(d[4]),n);
-                                        EVP_DigestFinal_ex(&md_ctx,q,
-                                                (unsigned int *)&i);
-                                        q+=i;
-                                        j+=i;
-                                        }
-                                if (RSA_sign(NID_md5_sha1, md_buf, j,
-                                        &(p[2]), &u, pkey->pkey.rsa) <= 0)
-                                        {
-                                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
-                                        goto err;
-                                        }
-                                s2n(u,p);
-                                n+=u+2;
-                                }
-                        else
-#endif
-#if !defined(OPENSSL_NO_DSA)
-                                if (pkey->type == EVP_PKEY_DSA)
-                                {
-                                /* lets do DSS */
-                                EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
-                                EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
-                                EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
-                                EVP_SignUpdate(&md_ctx,&(d[4]),n);
-                                if (!EVP_SignFinal(&md_ctx,&(p[2]),
-                                        (unsigned int *)&i,pkey))
-                                        {
-                                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
-                                        goto err;
-                                        }
-                                s2n(i,p);
-                                n+=i+2;
-                                }
-                        else
-#endif
-                                {
-                                /* Is this error check actually needed? */
-                                al=SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
-                                goto f_err;
-                                }
-                        }
-                *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE;
-                l2n3(n,d);
-                /* we should now have things packed up, so lets send
-                 * it off */
-                s->init_num=n+4;
-                s->init_off=0;
-                }
-        s->state = SSL3_ST_SW_KEY_EXCH_B;
-        EVP_MD_CTX_cleanup(&md_ctx);
-        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
-f_err:
-        ssl3_send_alert(s,SSL3_AL_FATAL,al);
-err:
-        EVP_MD_CTX_cleanup(&md_ctx);
-        return(-1);
-        }
-static int ssl3_send_certificate_request(SSL *s)
-        {
-        unsigned char *p,*d;
-        int i,j,nl,off,n;
-        STACK_OF(X509_NAME) *sk=NULL;
-        X509_NAME *name;
-        BUF_MEM *buf;
-        if (s->state == SSL3_ST_SW_CERT_REQ_A)
-                {
-                buf=s->init_buf;
-                d=p=(unsigned char *)&(buf->data[4]);
-                /* get the list of acceptable cert types */
-                p++;
-                n=ssl3_get_req_cert_type(s,p);
-                d[0]=n;
-                p+=n;
-                n++;
-                off=n;
-                p+=2;
-                n+=2;
-                sk=SSL_get_client_CA_list(s);
-                nl=0;
-                if (sk != NULL)
-                        {
-                        for (i=0; i<sk_X509_NAME_num(sk); i++)
-                                {
-                                name=sk_X509_NAME_value(sk,i);
-                                j=i2d_X509_NAME(name,NULL);
-                                if (!BUF_MEM_grow_clean(buf,4+n+j+2))
-                                        {
-                                        SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
-                                        goto err;
-                                        }
-                                p=(unsigned char *)&(buf->data[4+n]);
-                                if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
-                                        {
-                                        s2n(j,p);
-                                        i2d_X509_NAME(name,&p);
-                                        n+=2+j;
-                                        nl+=2+j;
-                                        }
-                                else
-                                        {
-                                        d=p;
-                                        i2d_X509_NAME(name,&p);
-                                        j-=2; s2n(j,d); j+=2;
-                                        n+=j;
-                                        nl+=j;
-                                        }
-                                }
-                        }
-                /* else no CA names */
-                p=(unsigned char *)&(buf->data[4+off]);
-                s2n(nl,p);
-                d=(unsigned char *)buf->data;
-                *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
-                l2n3(n,d);
-                /* we should now have things packed up, so lets send
-                 * it off */
-                s->init_num=n+4;
-                s->init_off=0;
-#ifdef NETSCAPE_HANG_BUG
-                p=(unsigned char *)s->init_buf->data + s->init_num;
-                /* do the header */
-                *(p++)=SSL3_MT_SERVER_DONE;
-                *(p++)=0;
-                *(p++)=0;
-                *(p++)=0;
-                s->init_num += 4;
-#endif
-                s->state = SSL3_ST_SW_CERT_REQ_B;
-                }
-        /* SSL3_ST_SW_CERT_REQ_B */
-        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
-err:
-        return(-1);
-        }
-static int ssl3_get_client_key_exchange(SSL *s)
-        {
-        int i,al,ok;
-        long n;
-        unsigned long l;
-        unsigned char *p;
-#ifndef OPENSSL_NO_RSA
-        RSA *rsa=NULL;
-        EVP_PKEY *pkey=NULL;
-#endif
-#ifndef OPENSSL_NO_DH
-        BIGNUM *pub=NULL;
-        DH *dh_srvr;
-#endif
-#ifndef OPENSSL_NO_KRB5
-        KSSL_ERR kssl_err;
-#endif /* OPENSSL_NO_KRB5 */
-        n=ssl3_get_message(s,
-                SSL3_ST_SR_KEY_EXCH_A,
-                SSL3_ST_SR_KEY_EXCH_B,
-                SSL3_MT_CLIENT_KEY_EXCHANGE,
-                2048, /* ??? */
-                &ok);
-        if (!ok) return((int)n);
-        p=(unsigned char *)s->init_msg;
-        l=s->s3->tmp.new_cipher->algorithms;
-#ifndef OPENSSL_NO_RSA
-        if (l & SSL_kRSA)
-                {
-                /* FIX THIS UP EAY EAY EAY EAY */
-                if (s->s3->tmp.use_rsa_tmp)
-                        {
-                        if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
-                                rsa=s->cert->rsa_tmp;
-                        /* Don't do a callback because rsa_tmp should
-                         * be sent already */
-                        if (rsa == NULL)
-                                {
-                                al=SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
-                                goto f_err;
-                                }
-                        }
-                else
-                        {
-                        pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
-                        if (    (pkey == NULL) ||
-                                (pkey->type != EVP_PKEY_RSA) ||
-                                (pkey->pkey.rsa == NULL))
-                                {
-                                al=SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
-                                goto f_err;
-                                }
-                        rsa=pkey->pkey.rsa;
-                        }
-                /* TLS */
-                if (s->version > SSL3_VERSION)
-                        {
-                        n2s(p,i);
-                        if (n != i+2)
-                                {
-                                if (!(s->options & SSL_OP_TLS_D5_BUG))
-                                        {
-                                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
-                                        goto err;
-                                        }
-                                else
-                                        p-=2;
-                                }
-                        else
-                                n=i;
-                        }
-                i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
-                al = -1;
-                
-                if (i != SSL_MAX_MASTER_KEY_LENGTH)
-                        {
-                        al=SSL_AD_DECODE_ERROR;
-                        /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
-                        }
-                if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
-                        {
-                        /* The premaster secret must contain the same version number as the
-                         * ClientHello to detect version rollback attacks (strangely, the
-                         * protocol does not offer such protection for DH ciphersuites).
-                         * However, buggy clients exist that send the negotiated protocol
-                         * version instead if the server does not support the requested
-                         * protocol version.
-                         * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
-                        if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
-                                (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
-                                {
-                                al=SSL_AD_DECODE_ERROR;
-                                /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
-                                /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
-                                 * (http://eprint.iacr.org/2003/052/) exploits the version
-                                 * number check as a "bad version oracle" -- an alert would
-                                 * reveal that the plaintext corresponding to some ciphertext
-                                 * made up by the adversary is properly formatted except
-                                 * that the version number is wrong.  To avoid such attacks,
-                                 * we should treat this just like any other decryption error. */
-                                }
-                        }
-                if (al != -1)
-                        {
-                        /* Some decryption failure -- use random value instead as countermeasure
-                         * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
-                         * (see RFC 2246, section 7.4.7.1). */
-                        ERR_clear_error();
-                        i = SSL_MAX_MASTER_KEY_LENGTH;
-                        p[0] = s->client_version >> 8;
-                        p[1] = s->client_version & 0xff;
-                        if(RAND_pseudo_bytes(p+2, i-2) <= 0)  /* should be RAND_bytes, but we cannot work around a failure */
-                                goto err;
-                        }
-        
-                s->session->master_key_length=
-                        s->method->ssl3_enc->generate_master_secret(s,
-                                s->session->master_key,
-                                p,i);
-                OPENSSL_cleanse(p,i);
-                }
-        else
-#endif
-#ifndef OPENSSL_NO_DH
-                if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
-                {
-                n2s(p,i);
-                if (n != i+2)
-                        {
-                        if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
-                                {
-                                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
-                                goto err;
-                                }
-                        else
-                                {
-                                p-=2;
-                                i=(int)n;
-                                }
-                        }
-                if (n == 0L) /* the parameters are in the cert */
-                        {
-                        al=SSL_AD_HANDSHAKE_FAILURE;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
-                        goto f_err;
-                        }
-                else
-                        {
-                        if (s->s3->tmp.dh == NULL)
-                                {
-                                al=SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
-                                goto f_err;
-                                }
-                        else
-                                dh_srvr=s->s3->tmp.dh;
-                        }
-                pub=BN_bin2bn(p,i,NULL);
-                if (pub == NULL)
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
-                        goto err;
-                        }
-                i=DH_compute_key(p,pub,dh_srvr);
-                if (i <= 0)
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
-                        goto err;
-                        }
-                DH_free(s->s3->tmp.dh);
-                s->s3->tmp.dh=NULL;
-                BN_clear_free(pub);
-                pub=NULL;
-                s->session->master_key_length=
-                        s->method->ssl3_enc->generate_master_secret(s,
-                                s->session->master_key,p,i);
-                OPENSSL_cleanse(p,i);
-                }
-        else
-#endif
-#ifndef OPENSSL_NO_KRB5
-        if (l & SSL_kKRB5)
-                {
-                krb5_error_code         krb5rc;
-                krb5_data               enc_ticket;
-                krb5_data               authenticator;
-                krb5_data               enc_pms;
-                KSSL_CTX                *kssl_ctx = s->kssl_ctx;
-                EVP_CIPHER_CTX          ciph_ctx;
-                EVP_CIPHER              *enc = NULL;
-                unsigned char           iv[EVP_MAX_IV_LENGTH];
-                unsigned char           pms[SSL_MAX_MASTER_KEY_LENGTH
-                                               + EVP_MAX_BLOCK_LENGTH];
-                int                     padl, outl;
-                krb5_timestamp          authtime = 0;
-                krb5_ticket_times       ttimes;
-                EVP_CIPHER_CTX_init(&ciph_ctx);
-                if (!kssl_ctx)  kssl_ctx = kssl_ctx_new();
-                n2s(p,i);
-                enc_ticket.length = i;
-                if (n < (long)enc_ticket.length + 6)
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                SSL_R_DATA_LENGTH_TOO_LONG);
-                        goto err;
-                        }
-                enc_ticket.data = (char *)p;
-                p+=enc_ticket.length;
-                n2s(p,i);
-                authenticator.length = i;
-                if (n < (long)(enc_ticket.length + authenticator.length + 6))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                SSL_R_DATA_LENGTH_TOO_LONG);
-                        goto err;
-                        }
-                authenticator.data = (char *)p;
-                p+=authenticator.length;
-                n2s(p,i);
-                enc_pms.length = i;
-                enc_pms.data = (char *)p;
-                p+=enc_pms.length;
-                /* Note that the length is checked again below,
-                ** after decryption
-                */
-                if(enc_pms.length > sizeof pms)
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                               SSL_R_DATA_LENGTH_TOO_LONG);
-                        goto err;
-                        }
-                if (n != (long)(enc_ticket.length + authenticator.length +
-                                                enc_pms.length + 6))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                SSL_R_DATA_LENGTH_TOO_LONG);
-                        goto err;
-                        }
-                if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
-                                        &kssl_err)) != 0)
-                        {
-#ifdef KSSL_DEBUG
-                        printf("kssl_sget_tkt rtn %d [%d]\n",
-                                krb5rc, kssl_err.reason);
-                        if (kssl_err.text)
-                                printf("kssl_err text= %s\n", kssl_err.text);
-#endif  /* KSSL_DEBUG */
-                        SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                kssl_err.reason);
-                        goto err;
-                        }
-                /*  Note: no authenticator is not considered an error,
-                **  but will return authtime == 0.
-                */
-                if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
-                                        &authtime, &kssl_err)) != 0)
-                        {
-#ifdef KSSL_DEBUG
-                        printf("kssl_check_authent rtn %d [%d]\n",
-                                krb5rc, kssl_err.reason);
-                        if (kssl_err.text)
-                                printf("kssl_err text= %s\n", kssl_err.text);
-#endif  /* KSSL_DEBUG */
-                        SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                kssl_err.reason);
-                        goto err;
-                        }
-                if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
-                        {
-                        SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, krb5rc);
-                        goto err;
-                        }
-#ifdef KSSL_DEBUG
-                kssl_ctx_show(kssl_ctx);
-#endif  /* KSSL_DEBUG */
-                enc = kssl_map_enc(kssl_ctx->enctype);
-                if (enc == NULL)
-                    goto err;
-                memset(iv, 0, sizeof iv);       /* per RFC 1510 */
-                if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                SSL_R_DECRYPTION_FAILED);
-                        goto err;
-                        }
-                if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl,
-                                        (unsigned char *)enc_pms.data, enc_pms.length))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                SSL_R_DECRYPTION_FAILED);
-                        goto err;
-                        }
-                if (outl > SSL_MAX_MASTER_KEY_LENGTH)
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                SSL_R_DATA_LENGTH_TOO_LONG);
-                        goto err;
-                        }
-                if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                SSL_R_DECRYPTION_FAILED);
-                        goto err;
-                        }
-                outl += padl;
-                if (outl > SSL_MAX_MASTER_KEY_LENGTH)
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                SSL_R_DATA_LENGTH_TOO_LONG);
-                        goto err;
-                        }
-                EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-                s->session->master_key_length=
-                        s->method->ssl3_enc->generate_master_secret(s,
-                                s->session->master_key, pms, outl);
-                if (kssl_ctx->client_princ)
-                        {
-                        int len = strlen(kssl_ctx->client_princ);
-                        if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 
-                                {
-                                s->session->krb5_client_princ_len = len;
-                                memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
-                                }
-                        }
-                /*  Was doing kssl_ctx_free() here,
-                **  but it caused problems for apache.
-                **  kssl_ctx = kssl_ctx_free(kssl_ctx);
-                **  if (s->kssl_ctx)  s->kssl_ctx = NULL;
-                */
-                }
-        else
-#endif  /* OPENSSL_NO_KRB5 */
-                {
-                al=SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                SSL_R_UNKNOWN_CIPHER_TYPE);
-                goto f_err;
-                }
-        return(1);
-f_err:
-        ssl3_send_alert(s,SSL3_AL_FATAL,al);
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA)
-err:
-#endif
-        return(-1);
-        }
-static int ssl3_get_cert_verify(SSL *s)
-        {
-        EVP_PKEY *pkey=NULL;
-        unsigned char *p;
-        int al,ok,ret=0;
-        long n;
-        int type=0,i,j;
-        X509 *peer;
-        n=ssl3_get_message(s,
-                SSL3_ST_SR_CERT_VRFY_A,
-                SSL3_ST_SR_CERT_VRFY_B,
-                -1,
-                514, /* 514? */
-                &ok);
-        if (!ok) return((int)n);
-        if (s->session->peer != NULL)
-                {
-                peer=s->session->peer;
-                pkey=X509_get_pubkey(peer);
-                type=X509_certificate_type(peer,pkey);
-                }
-        else
-                {
-                peer=NULL;
-                pkey=NULL;
-                }
-        if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
-                {
-                s->s3->tmp.reuse_message=1;
-                if ((peer != NULL) && (type | EVP_PKT_SIGN))
-                        {
-                        al=SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
-                        goto f_err;
-                        }
-                ret=1;
-                goto end;
-                }
-        if (peer == NULL)
-                {
-                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED);
-                al=SSL_AD_UNEXPECTED_MESSAGE;
-                goto f_err;
-                }
-        if (!(type & EVP_PKT_SIGN))
-                {
-                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
-                al=SSL_AD_ILLEGAL_PARAMETER;
-                goto f_err;
-                }
-        if (s->s3->change_cipher_spec)
-                {
-                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
-                al=SSL_AD_UNEXPECTED_MESSAGE;
-                goto f_err;
-                }
-        /* we now have a signature that we need to verify */
-        p=(unsigned char *)s->init_msg;
-        n2s(p,i);
-        n-=2;
-        if (i > n)
-                {
-                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
-                al=SSL_AD_DECODE_ERROR;
-                goto f_err;
-                }
-        j=EVP_PKEY_size(pkey);
-        if ((i > j) || (n > j) || (n <= 0))
-                {
-                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
-                al=SSL_AD_DECODE_ERROR;
-                goto f_err;
-                }
-#ifndef OPENSSL_NO_RSA 
-        if (pkey->type == EVP_PKEY_RSA)
-                {
-                i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
-                        MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 
-                                                        pkey->pkey.rsa);
-                if (i < 0)
-                        {
-                        al=SSL_AD_DECRYPT_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
-                        goto f_err;
-                        }
-                if (i == 0)
-                        {
-                        al=SSL_AD_DECRYPT_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
-                        goto f_err;
-                        }
-                }
-        else
-#endif
-#ifndef OPENSSL_NO_DSA
-                if (pkey->type == EVP_PKEY_DSA)
-                {
-                j=DSA_verify(pkey->save_type,
-                        &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
-                        SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
-                if (j <= 0)
-                        {
-                        /* bad signature */
-                        al=SSL_AD_DECRYPT_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE);
-                        goto f_err;
-                        }
-                }
-        else
-#endif
-                {
-                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
-                al=SSL_AD_UNSUPPORTED_CERTIFICATE;
-                goto f_err;
-                }
-        ret=1;
-        if (0)
-                {
-f_err:
-                ssl3_send_alert(s,SSL3_AL_FATAL,al);
-                }
-end:
-        EVP_PKEY_free(pkey);
-        return(ret);
-        }
-static int ssl3_get_client_certificate(SSL *s)
-        {
-        int i,ok,al,ret= -1;
-        X509 *x=NULL;
-        unsigned long l,nc,llen,n;
-        unsigned char *p,*d,*q;
-        STACK_OF(X509) *sk=NULL;
-        n=ssl3_get_message(s,
-                SSL3_ST_SR_CERT_A,
-                SSL3_ST_SR_CERT_B,
-                -1,
-                s->max_cert_list,
-                &ok);
-        if (!ok) return((int)n);
-        if      (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE)
-                {
-                if (    (s->verify_mode & SSL_VERIFY_PEER) &&
-                        (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
-                        al=SSL_AD_HANDSHAKE_FAILURE;
-                        goto f_err;
-                        }
-                /* If tls asked for a client cert, the client must return a 0 list */
-                if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
-                        al=SSL_AD_UNEXPECTED_MESSAGE;
-                        goto f_err;
-                        }
-                s->s3->tmp.reuse_message=1;
-                return(1);
-                }
-        if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
-                {
-                al=SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
-                goto f_err;
-                }
-        d=p=(unsigned char *)s->init_msg;
-        if ((sk=sk_X509_new_null()) == NULL)
-                {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
-                goto err;
-                }
-        n2l3(p,llen);
-        if (llen+3 != n)
-                {
-                al=SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
-                goto f_err;
-                }
-        for (nc=0; nc<llen; )
-                {
-                n2l3(p,l);
-                if ((l+nc+3) > llen)
-                        {
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
-                        goto f_err;
-                        }
-                q=p;
-                x=d2i_X509(NULL,&p,l);
-                if (x == NULL)
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
-                        goto err;
-                        }
-                if (p != (q+l))
-                        {
-                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
-                        goto f_err;
-                        }
-                if (!sk_X509_push(sk,x))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
-                        goto err;
-                        }
-                x=NULL;
-                nc+=l+3;
-                }
-        if (sk_X509_num(sk) <= 0)
-                {
-                /* TLS does not mind 0 certs returned */
-                if (s->version == SSL3_VERSION)
-                        {
-                        al=SSL_AD_HANDSHAKE_FAILURE;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
-                        goto f_err;
-                        }
-                /* Fail for TLS only if we required a certificate */
-                else if ((s->verify_mode & SSL_VERIFY_PEER) &&
-                         (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
-                        al=SSL_AD_HANDSHAKE_FAILURE;
-                        goto f_err;
-                        }
-                }
-        else
-                {
-                i=ssl_verify_cert_chain(s,sk);
-                if (!i)
-                        {
-                        al=ssl_verify_alarm_type(s->verify_result);
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
-                        goto f_err;
-                        }
-                }
-        if (s->session->peer != NULL) /* This should not be needed */
-                X509_free(s->session->peer);
-        s->session->peer=sk_X509_shift(sk);
-        s->session->verify_result = s->verify_result;
-        /* With the current implementation, sess_cert will always be NULL
-         * when we arrive here. */
-        if (s->session->sess_cert == NULL)
-                {
-                s->session->sess_cert = ssl_sess_cert_new();
-                if (s->session->sess_cert == NULL)
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
-                        goto err;
-                        }
-                }
-        if (s->session->sess_cert->cert_chain != NULL)
-                sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
-        s->session->sess_cert->cert_chain=sk;
-        /* Inconsistency alert: cert_chain does *not* include the
-         * peer's own certificate, while we do include it in s3_clnt.c */
-        sk=NULL;
-        ret=1;
-        if (0)
-                {
-f_err:
-                ssl3_send_alert(s,SSL3_AL_FATAL,al);
-                }
-err:
-        if (x != NULL) X509_free(x);
-        if (sk != NULL) sk_X509_pop_free(sk,X509_free);
-        return(ret);
-        }
-int ssl3_send_server_certificate(SSL *s)
-        {
-        unsigned long l;
-        X509 *x;
-        if (s->state == SSL3_ST_SW_CERT_A)
-                {
-                x=ssl_get_server_send_cert(s);
-                if (x == NULL &&
-                        /* VRS: allow null cert if auth == KRB5 */
-                        (s->s3->tmp.new_cipher->algorithms
-                                & (SSL_MKEY_MASK|SSL_AUTH_MASK))
-                        != (SSL_aKRB5|SSL_kKRB5))
-                        {
-                        SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
-                        return(0);
-                        }
-                l=ssl3_output_cert_chain(s,x);
-                s->state=SSL3_ST_SW_CERT_B;
-                s->init_num=(int)l;
-                s->init_off=0;
-                }
-        /* SSL3_ST_SW_CERT_B */
-        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
-        }
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
deleted file mode 100644
index f461c53390..0000000000
--- a/src/lib/libssl/shlib_version
+++ /dev/null
@@ -1,2 +0,0 @@
-major=11
-minor=0
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
deleted file mode 100644
index 99e188086b..0000000000
--- a/src/lib/libssl/ssl.h
+++ /dev/null
@@ -1,1853 +0,0 @@
-/* ssl/ssl.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#ifndef HEADER_SSL_H 
-#define HEADER_SSL_H 
-#include <openssl/e_os2.h>
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
-#ifndef OPENSSL_NO_BIO
-#include <openssl/bio.h>
-#endif
-#ifndef OPENSSL_NO_X509
-#include <openssl/x509.h>
-#endif
-#include <openssl/kssl.h>
-#include <openssl/safestack.h>
-#include <openssl/symhacks.h>
-#ifdef  __cplusplus
-extern "C" {
-#endif
-/* SSLeay version number for ASN.1 encoding of the session information */
-/* Version 0 - initial version
- * Version 1 - added the optional peer certificate
- */
-#define SSL_SESSION_ASN1_VERSION 0x0001
-/* text strings for the ciphers */
-#define SSL_TXT_NULL_WITH_MD5           SSL2_TXT_NULL_WITH_MD5                  
-#define SSL_TXT_RC4_128_WITH_MD5        SSL2_TXT_RC4_128_WITH_MD5               
-#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5    
-#define SSL_TXT_RC2_128_CBC_WITH_MD5    SSL2_TXT_RC2_128_CBC_WITH_MD5           
-#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5    
-#define SSL_TXT_IDEA_128_CBC_WITH_MD5   SSL2_TXT_IDEA_128_CBC_WITH_MD5          
-#define SSL_TXT_DES_64_CBC_WITH_MD5     SSL2_TXT_DES_64_CBC_WITH_MD5            
-#define SSL_TXT_DES_64_CBC_WITH_SHA     SSL2_TXT_DES_64_CBC_WITH_SHA            
-#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5    
-#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA    
-/*    VRS Additional Kerberos5 entries
- */
-#define SSL_TXT_KRB5_DES_64_CBC_SHA   SSL3_TXT_KRB5_DES_64_CBC_SHA
-#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
-#define SSL_TXT_KRB5_RC4_128_SHA      SSL3_TXT_KRB5_RC4_128_SHA
-#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
-#define SSL_TXT_KRB5_DES_64_CBC_MD5   SSL3_TXT_KRB5_DES_64_CBC_MD5       
-#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5       
-#define SSL_TXT_KRB5_RC4_128_MD5      SSL3_TXT_KRB5_RC4_128_MD5
-#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5 
-#define SSL_TXT_KRB5_DES_40_CBC_SHA   SSL3_TXT_KRB5_DES_40_CBC_SHA 
-#define SSL_TXT_KRB5_RC2_40_CBC_SHA   SSL3_TXT_KRB5_RC2_40_CBC_SHA 
-#define SSL_TXT_KRB5_RC4_40_SHA       SSL3_TXT_KRB5_RC4_40_SHA
-#define SSL_TXT_KRB5_DES_40_CBC_MD5   SSL3_TXT_KRB5_DES_40_CBC_MD5 
-#define SSL_TXT_KRB5_RC2_40_CBC_MD5   SSL3_TXT_KRB5_RC2_40_CBC_MD5 
-#define SSL_TXT_KRB5_RC4_40_MD5       SSL3_TXT_KRB5_RC4_40_MD5
-#define SSL_TXT_KRB5_DES_40_CBC_SHA   SSL3_TXT_KRB5_DES_40_CBC_SHA
-#define SSL_TXT_KRB5_DES_40_CBC_MD5   SSL3_TXT_KRB5_DES_40_CBC_MD5
-#define SSL_TXT_KRB5_DES_64_CBC_SHA   SSL3_TXT_KRB5_DES_64_CBC_SHA
-#define SSL_TXT_KRB5_DES_64_CBC_MD5   SSL3_TXT_KRB5_DES_64_CBC_MD5
-#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
-#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
-#define SSL_MAX_KRB5_PRINCIPAL_LENGTH  256
-#define SSL_MAX_SSL_SESSION_ID_LENGTH           32
-#define SSL_MAX_SID_CTX_LENGTH                  32
-#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES     (512/8)
-#define SSL_MAX_KEY_ARG_LENGTH                  8
-#define SSL_MAX_MASTER_KEY_LENGTH               48
-/* These are used to specify which ciphers to use and not to use */
-#define SSL_TXT_LOW             "LOW"
-#define SSL_TXT_MEDIUM          "MEDIUM"
-#define SSL_TXT_HIGH            "HIGH"
-#define SSL_TXT_FIPS            "FIPS"
-#define SSL_TXT_kFZA            "kFZA"
-#define SSL_TXT_aFZA            "aFZA"
-#define SSL_TXT_eFZA            "eFZA"
-#define SSL_TXT_FZA             "FZA"
-#define SSL_TXT_aNULL           "aNULL"
-#define SSL_TXT_eNULL           "eNULL"
-#define SSL_TXT_NULL            "NULL"
-#define SSL_TXT_kKRB5           "kKRB5"
-#define SSL_TXT_aKRB5           "aKRB5"
-#define SSL_TXT_KRB5            "KRB5"
-#define SSL_TXT_kRSA            "kRSA"
-#define SSL_TXT_kDHr            "kDHr"
-#define SSL_TXT_kDHd            "kDHd"
-#define SSL_TXT_kEDH            "kEDH"
-#define SSL_TXT_aRSA            "aRSA"
-#define SSL_TXT_aDSS            "aDSS"
-#define SSL_TXT_aDH             "aDH"
-#define SSL_TXT_DSS             "DSS"
-#define SSL_TXT_DH              "DH"
-#define SSL_TXT_EDH             "EDH"
-#define SSL_TXT_ADH             "ADH"
-#define SSL_TXT_RSA             "RSA"
-#define SSL_TXT_DES             "DES"
-#define SSL_TXT_3DES            "3DES"
-#define SSL_TXT_RC4             "RC4"
-#define SSL_TXT_RC2             "RC2"
-#define SSL_TXT_IDEA            "IDEA"
-#define SSL_TXT_AES             "AES"
-#define SSL_TXT_MD5             "MD5"
-#define SSL_TXT_SHA1            "SHA1"
-#define SSL_TXT_SHA             "SHA"
-#define SSL_TXT_EXP             "EXP"
-#define SSL_TXT_EXPORT          "EXPORT"
-#define SSL_TXT_EXP40           "EXPORT40"
-#define SSL_TXT_EXP56           "EXPORT56"
-#define SSL_TXT_SSLV2           "SSLv2"
-#define SSL_TXT_SSLV3           "SSLv3"
-#define SSL_TXT_TLSV1           "TLSv1"
-#define SSL_TXT_ALL             "ALL"
-/*
- * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
- * ciphers normally not being used.
- * Example: "RC4" will activate all ciphers using RC4 including ciphers
- * without authentication, which would normally disabled by DEFAULT (due
- * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
- * will make sure that it is also disabled in the specific selection.
- * COMPLEMENTOF* identifiers are portable between version, as adjustments
- * to the default cipher setup will also be included here.
- *
- * COMPLEMENTOFDEFAULT does not experience the same special treatment that
- * DEFAULT gets, as only selection is being done and no sorting as needed
- * for DEFAULT.
- */
-#define SSL_TXT_CMPALL          "COMPLEMENTOFALL"
-#define SSL_TXT_CMPDEF          "COMPLEMENTOFDEFAULT"
-/* The following cipher list is used by default.
- * It also is substituted when an application-defined cipher list string
- * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
-/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
-#define SSL_SENT_SHUTDOWN       1
-#define SSL_RECEIVED_SHUTDOWN   2
-#ifdef __cplusplus
-}
-#endif
-#include <openssl/crypto.h>
-#include <openssl/lhash.h>
-#include <openssl/buffer.h>
-#include <openssl/pem.h>
-#ifdef  __cplusplus
-extern "C" {
-#endif
-#if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
-#define OPENSSL_NO_SSL2
-#endif
-#define SSL_FILETYPE_ASN1       X509_FILETYPE_ASN1
-#define SSL_FILETYPE_PEM        X509_FILETYPE_PEM
-/* This is needed to stop compilers complaining about the
- * 'struct ssl_st *' function parameters used to prototype callbacks
- * in SSL_CTX. */
-typedef struct ssl_st *ssl_crock_st;
-/* used to hold info on the particular ciphers used */
-typedef struct ssl_cipher_st
-        {
-        int valid;
-        const char *name;               /* text name */
-        unsigned long id;               /* id, 4 bytes, first is version */
-        unsigned long algorithms;       /* what ciphers are used */
-        unsigned long algo_strength;    /* strength and export flags */
-        unsigned long algorithm2;       /* Extra flags */
-        int strength_bits;              /* Number of bits really used */
-        int alg_bits;                   /* Number of bits for algorithm */
-        unsigned long mask;             /* used for matching */
-        unsigned long mask_strength;    /* also used for matching */
-        } SSL_CIPHER;
-DECLARE_STACK_OF(SSL_CIPHER)
-typedef struct ssl_st SSL;
-typedef struct ssl_ctx_st SSL_CTX;
-/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
-typedef struct ssl_method_st
-        {
-        int version;
-        int (*ssl_new)(SSL *s);
-        void (*ssl_clear)(SSL *s);
-        void (*ssl_free)(SSL *s);
-        int (*ssl_accept)(SSL *s);
-        int (*ssl_connect)(SSL *s);
-        int (*ssl_read)(SSL *s,void *buf,int len);
-        int (*ssl_peek)(SSL *s,void *buf,int len);
-        int (*ssl_write)(SSL *s,const void *buf,int len);
-        int (*ssl_shutdown)(SSL *s);
-        int (*ssl_renegotiate)(SSL *s);
-        int (*ssl_renegotiate_check)(SSL *s);
-        long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg);
-        long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
-        SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
-        int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
-        int (*ssl_pending)(const SSL *s);
-        int (*num_ciphers)(void);
-        SSL_CIPHER *(*get_cipher)(unsigned ncipher);
-        struct ssl_method_st *(*get_ssl_method)(int version);
-        long (*get_timeout)(void);
-        struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
-        int (*ssl_version)();
-        long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)());
-        long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)());
-        } SSL_METHOD;
-/* Lets make this into an ASN.1 type structure as follows
- * SSL_SESSION_ID ::= SEQUENCE {
- *      version                 INTEGER,        -- structure version number
- *      SSLversion              INTEGER,        -- SSL version number
- *      Cipher                  OCTET_STRING,   -- the 3 byte cipher ID
- *      Session_ID              OCTET_STRING,   -- the Session ID
- *      Master_key              OCTET_STRING,   -- the master key
- *      KRB5_principal          OCTET_STRING    -- optional Kerberos principal
- *      Key_Arg [ 0 ] IMPLICIT  OCTET_STRING,   -- the optional Key argument
- *      Time [ 1 ] EXPLICIT     INTEGER,        -- optional Start Time
- *      Timeout [ 2 ] EXPLICIT  INTEGER,        -- optional Timeout ins seconds
- *      Peer [ 3 ] EXPLICIT     X509,           -- optional Peer Certificate
- *      Session_ID_context [ 4 ] EXPLICIT OCTET_STRING,   -- the Session ID context
- *      Verify_result [ 5 ] EXPLICIT INTEGER    -- X509_V_... code for `Peer'
- *      Compression [6] IMPLICIT ASN1_OBJECT    -- compression OID XXXXX
- *      }
- * Look in ssl/ssl_asn1.c for more details
- * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
- */
-typedef struct ssl_session_st
-        {
-        int ssl_version;        /* what ssl version session info is
-                                 * being kept in here? */
-        /* only really used in SSLv2 */
-        unsigned int key_arg_length;
-        unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
-        int master_key_length;
-        unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
-        /* session_id - valid? */
-        unsigned int session_id_length;
-        unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
-        /* this is used to determine whether the session is being reused in
-         * the appropriate context. It is up to the application to set this,
-         * via SSL_new */
-        unsigned int sid_ctx_length;
-        unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-#ifndef OPENSSL_NO_KRB5
-        unsigned int krb5_client_princ_len;
-        unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH];
-#endif /* OPENSSL_NO_KRB5 */
-        int not_resumable;
-        /* The cert is the certificate used to establish this connection */
-        struct sess_cert_st /* SESS_CERT */ *sess_cert;
-        /* This is the cert for the other end.
-         * On clients, it will be the same as sess_cert->peer_key->x509
-         * (the latter is not enough as sess_cert is not retained
-         * in the external representation of sessions, see ssl_asn1.c). */
-        X509 *peer;
-        /* when app_verify_callback accepts a session where the peer's certificate
-         * is not ok, we must remember the error for session reuse: */
-        long verify_result; /* only for servers */
-        int references;
-        long timeout;
-        long time;
-        int compress_meth;              /* Need to lookup the method */
-        SSL_CIPHER *cipher;
-        unsigned long cipher_id;        /* when ASN.1 loaded, this
-                                         * needs to be used to load
-                                         * the 'cipher' structure */
-        STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
-        CRYPTO_EX_DATA ex_data; /* application specific data */
-        /* These are used to make removal of session-ids more
-         * efficient and to implement a maximum cache size. */
-        struct ssl_session_st *prev,*next;
-        } SSL_SESSION;
-#define SSL_OP_MICROSOFT_SESS_ID_BUG                    0x00000001L
-#define SSL_OP_NETSCAPE_CHALLENGE_BUG                   0x00000002L
-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x00000008L
-#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x00000010L
-#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x00000020L
-#define SSL_OP_MSIE_SSLV2_RSA_PADDING                   0x00000040L /* no effect since 0.9.7h and 0.9.8b */
-#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x00000080L
-#define SSL_OP_TLS_D5_BUG                               0x00000100L
-#define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x00000200L
-/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
- * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
- * the workaround is not needed.  Unfortunately some broken SSL/TLS
- * implementations cannot handle it at all, which is why we include
- * it in SSL_OP_ALL. */
-#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800L /* added in 0.9.6e */
-/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
- *             This used to be 0x000FFFFFL before 0.9.7. */
-#define SSL_OP_ALL                                      0x00000FFFL
-/* As server, disallow session resumption on renegotiation */
-#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   0x00010000L
-/* If set, always create a new key when using tmp_dh parameters */
-#define SSL_OP_SINGLE_DH_USE                            0x00100000L
-/* Set to always use the tmp_rsa key when doing RSA operations,
- * even when this violates protocol specs */
-#define SSL_OP_EPHEMERAL_RSA                            0x00200000L
-/* Set on servers to choose the cipher according to the server's
- * preferences */
-#define SSL_OP_CIPHER_SERVER_PREFERENCE                 0x00400000L
-/* If set, a server will allow a client to issue a SSLv3.0 version number
- * as latest version supported in the premaster secret, even when TLSv1.0
- * (version 3.1) was announced in the client hello. Normally this is
- * forbidden to prevent version rollback attacks. */
-#define SSL_OP_TLS_ROLLBACK_BUG                         0x00800000L
-#define SSL_OP_NO_SSLv2                                 0x01000000L
-#define SSL_OP_NO_SSLv3                                 0x02000000L
-#define SSL_OP_NO_TLSv1                                 0x04000000L
-/* The next flag deliberately changes the ciphertest, this is a check
- * for the PKCS#1 attack */
-#define SSL_OP_PKCS1_CHECK_1                            0x08000000L
-#define SSL_OP_PKCS1_CHECK_2                            0x10000000L
-#define SSL_OP_NETSCAPE_CA_DN_BUG                       0x20000000L
-#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x40000000L
-/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
- * when just a single record has been written): */
-#define SSL_MODE_ENABLE_PARTIAL_WRITE       0x00000001L
-/* Make it possible to retry SSL_write() with changed buffer location
- * (buffer contents must stay the same!); this is not the default to avoid
- * the misconception that non-blocking SSL_write() behaves like
- * non-blocking write(): */
-#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
-/* Never bother the application with retries if the transport
- * is blocking: */
-#define SSL_MODE_AUTO_RETRY 0x00000004L
-/* Don't attempt to automatically build certificate chain */
-#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
-/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
- * they cannot be used to clear bits. */
-#define SSL_CTX_set_options(ctx,op) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
-#define SSL_CTX_get_options(ctx) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
-#define SSL_set_options(ssl,op) \
-        SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
-#define SSL_get_options(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
-#define SSL_CTX_set_mode(ctx,op) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
-#define SSL_CTX_get_mode(ctx) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
-#define SSL_set_mode(ssl,op) \
-        SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
-#define SSL_get_mode(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
-void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
-void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
-#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
-#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
-#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)
-#define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */
-#else
-#define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
-#endif
-#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT      (1024*20)
-/* This callback type is used inside SSL_CTX, SSL, and in the functions that set
- * them. It is used to override the generation of SSL/TLS session IDs in a
- * server. Return value should be zero on an error, non-zero to proceed. Also,
- * callbacks should themselves check if the id they generate is unique otherwise
- * the SSL handshake will fail with an error - callbacks can do this using the
- * 'ssl' value they're passed by;
- *      SSL_has_matching_session_id(ssl, id, *id_len)
- * The length value passed in is set at the maximum size the session ID can be.
- * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback
- * can alter this length to be less if desired, but under SSLv2 session IDs are
- * supposed to be fixed at 16 bytes so the id will be padded after the callback
- * returns in this case. It is also an error for the callback to set the size to
- * zero. */
-typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
-                                unsigned int *id_len);
-typedef struct ssl_comp_st
-        {
-        int id;
-        char *name;
-#ifndef OPENSSL_NO_COMP
-        COMP_METHOD *method;
-#else
-        char *method;
-#endif
-        } SSL_COMP;
-DECLARE_STACK_OF(SSL_COMP)
-struct ssl_ctx_st
-        {
-        SSL_METHOD *method;
-        STACK_OF(SSL_CIPHER) *cipher_list;
-        /* same as above but sorted for lookup */
-        STACK_OF(SSL_CIPHER) *cipher_list_by_id;
-        struct x509_store_st /* X509_STORE */ *cert_store;
-        struct lhash_st /* LHASH */ *sessions;  /* a set of SSL_SESSIONs */
-        /* Most session-ids that will be cached, default is
-         * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
-        unsigned long session_cache_size;
-        struct ssl_session_st *session_cache_head;
-        struct ssl_session_st *session_cache_tail;
-        /* This can have one of 2 values, ored together,
-         * SSL_SESS_CACHE_CLIENT,
-         * SSL_SESS_CACHE_SERVER,
-         * Default is SSL_SESSION_CACHE_SERVER, which means only
-         * SSL_accept which cache SSL_SESSIONS. */
-        int session_cache_mode;
-        /* If timeout is not 0, it is the default timeout value set
-         * when SSL_new() is called.  This has been put in to make
-         * life easier to set things up */
-        long session_timeout;
-        /* If this callback is not null, it will be called each
-         * time a session id is added to the cache.  If this function
-         * returns 1, it means that the callback will do a
-         * SSL_SESSION_free() when it has finished using it.  Otherwise,
-         * on 0, it means the callback has finished with it.
-         * If remove_session_cb is not null, it will be called when
-         * a session-id is removed from the cache.  After the call,
-         * OpenSSL will SSL_SESSION_free() it. */
-        int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess);
-        void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess);
-        SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
-                unsigned char *data,int len,int *copy);
-        struct
-                {
-                int sess_connect;       /* SSL new conn - started */
-                int sess_connect_renegotiate;/* SSL reneg - requested */
-                int sess_connect_good;  /* SSL new conne/reneg - finished */
-                int sess_accept;        /* SSL new accept - started */
-                int sess_accept_renegotiate;/* SSL reneg - requested */
-                int sess_accept_good;   /* SSL accept/reneg - finished */
-                int sess_miss;          /* session lookup misses  */
-                int sess_timeout;       /* reuse attempt on timeouted session */
-                int sess_cache_full;    /* session removed due to full cache */
-                int sess_hit;           /* session reuse actually done */
-                int sess_cb_hit;        /* session-id that was not
-                                         * in the cache was
-                                         * passed back via the callback.  This
-                                         * indicates that the application is
-                                         * supplying session-id's from other
-                                         * processes - spooky :-) */
-                } stats;
-        int references;
-        /* if defined, these override the X509_verify_cert() calls */
-        int (*app_verify_callback)(X509_STORE_CTX *, void *);
-        void *app_verify_arg;
-        /* before OpenSSL 0.9.7, 'app_verify_arg' was ignored
-         * ('app_verify_callback' was called with just one argument) */
-        /* Default password callback. */
-        pem_password_cb *default_passwd_callback;
-        /* Default password callback user data. */
-        void *default_passwd_callback_userdata;
-        /* get client cert callback */
-        int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
-        CRYPTO_EX_DATA ex_data;
-        const EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
-        const EVP_MD *md5;      /* For SSLv3/TLSv1 'ssl3-md5' */
-        const EVP_MD *sha1;   /* For SSLv3/TLSv1 'ssl3->sha1' */
-        STACK_OF(X509) *extra_certs;
-        STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
-        /* Default values used when no per-SSL value is defined follow */
-        void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */
-        /* what we put in client cert requests */
-        STACK_OF(X509_NAME) *client_CA;
-        /* Default values to use in SSL structures follow (these are copied by SSL_new) */
-        unsigned long options;
-        unsigned long mode;
-        long max_cert_list;
-        struct cert_st /* CERT */ *cert;
-        int read_ahead;
-        /* callback that allows applications to peek at protocol messages */
-        void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
-        void *msg_callback_arg;
-        int verify_mode;
-        int verify_depth;
-        unsigned int sid_ctx_length;
-        unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-        int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
-        /* Default generate session ID callback. */
-        GEN_SESSION_CB generate_session_id;
-        int purpose;            /* Purpose setting */
-        int trust;              /* Trust setting */
-        int quiet_shutdown;
-        };
-#define SSL_SESS_CACHE_OFF                      0x0000
-#define SSL_SESS_CACHE_CLIENT                   0x0001
-#define SSL_SESS_CACHE_SERVER                   0x0002
-#define SSL_SESS_CACHE_BOTH     (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
-#define SSL_SESS_CACHE_NO_AUTO_CLEAR            0x0080
-/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
-#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP       0x0100
-#define SSL_SESS_CACHE_NO_INTERNAL_STORE        0x0200
-#define SSL_SESS_CACHE_NO_INTERNAL \
-        (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
-  struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
-#define SSL_CTX_sess_number(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
-#define SSL_CTX_sess_connect(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
-#define SSL_CTX_sess_connect_good(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
-#define SSL_CTX_sess_connect_renegotiate(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
-#define SSL_CTX_sess_accept(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
-#define SSL_CTX_sess_accept_renegotiate(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
-#define SSL_CTX_sess_accept_good(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
-#define SSL_CTX_sess_hits(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
-#define SSL_CTX_sess_cb_hits(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
-#define SSL_CTX_sess_misses(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
-#define SSL_CTX_sess_timeouts(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
-#define SSL_CTX_sess_cache_full(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
-#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb))
-#define SSL_CTX_sess_get_new_cb(ctx)    ((ctx)->new_session_cb)
-#define SSL_CTX_sess_set_remove_cb(ctx,cb)      ((ctx)->remove_session_cb=(cb))
-#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb)
-#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb))
-#define SSL_CTX_sess_get_get_cb(ctx)    ((ctx)->get_session_cb)
-#define SSL_CTX_set_info_callback(ctx,cb)       ((ctx)->info_callback=(cb))
-#define SSL_CTX_get_info_callback(ctx)          ((ctx)->info_callback)
-#define SSL_CTX_set_client_cert_cb(ctx,cb)      ((ctx)->client_cert_cb=(cb))
-#define SSL_CTX_get_client_cert_cb(ctx)         ((ctx)->client_cert_cb)
-#define SSL_NOTHING     1
-#define SSL_WRITING     2
-#define SSL_READING     3
-#define SSL_X509_LOOKUP 4
-/* These will only be used when doing non-blocking IO */
-#define SSL_want_nothing(s)     (SSL_want(s) == SSL_NOTHING)
-#define SSL_want_read(s)        (SSL_want(s) == SSL_READING)
-#define SSL_want_write(s)       (SSL_want(s) == SSL_WRITING)
-#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
-struct ssl_st
-        {
-        /* protocol version
-         * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION)
-         */
-        int version;
-        int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
-        SSL_METHOD *method; /* SSLv3 */
-        /* There are 2 BIO's even though they are normally both the
-         * same.  This is so data can be read and written to different
-         * handlers */
-#ifndef OPENSSL_NO_BIO
-        BIO *rbio; /* used by SSL_read */
-        BIO *wbio; /* used by SSL_write */
-        BIO *bbio; /* used during session-id reuse to concatenate
-                    * messages */
-#else
-        char *rbio; /* used by SSL_read */
-        char *wbio; /* used by SSL_write */
-        char *bbio;
-#endif
-        /* This holds a variable that indicates what we were doing
-         * when a 0 or -1 is returned.  This is needed for
-         * non-blocking IO so we know what request needs re-doing when
-         * in SSL_accept or SSL_connect */
-        int rwstate;
-        /* true when we are actually in SSL_accept() or SSL_connect() */
-        int in_handshake;
-        int (*handshake_func)();
-        /* Imagine that here's a boolean member "init" that is
-         * switched as soon as SSL_set_{accept/connect}_state
-         * is called for the first time, so that "state" and
-         * "handshake_func" are properly initialized.  But as
-         * handshake_func is == 0 until then, we use this
-         * test instead of an "init" member.
-         */
-        int server;     /* are we the server side? - mostly used by SSL_clear*/
-        int new_session;/* 1 if we are to use a new session.
-                         * 2 if we are a server and are inside a handshake
-                         *   (i.e. not just sending a HelloRequest)
-                         * NB: For servers, the 'new' session may actually be a previously
-                         * cached session or even the previous session unless
-                         * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
-        int quiet_shutdown;/* don't send shutdown packets */
-        int shutdown;   /* we have shut things down, 0x01 sent, 0x02
-                         * for received */
-        int state;      /* where we are */
-        int rstate;     /* where we are when reading */
-        BUF_MEM *init_buf;      /* buffer used during init */
-        void *init_msg;         /* pointer to handshake message body, set by ssl3_get_message() */
-        int init_num;           /* amount read/written */
-        int init_off;           /* amount read/written */
-        /* used internally to point at a raw packet */
-        unsigned char *packet;
-        unsigned int packet_length;
-        struct ssl2_state_st *s2; /* SSLv2 variables */
-        struct ssl3_state_st *s3; /* SSLv3 variables */
-        int read_ahead;         /* Read as many input bytes as possible
-                                 * (for non-blocking reads) */
-        /* callback that allows applications to peek at protocol messages */
-        void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
-        void *msg_callback_arg;
-        int hit;                /* reusing a previous session */
-        int purpose;            /* Purpose setting */
-        int trust;              /* Trust setting */
-        /* crypto */
-        STACK_OF(SSL_CIPHER) *cipher_list;
-        STACK_OF(SSL_CIPHER) *cipher_list_by_id;
-        /* These are the ones being used, the ones in SSL_SESSION are
-         * the ones to be 'copied' into these ones */
-        EVP_CIPHER_CTX *enc_read_ctx;           /* cryptographic state */
-        const EVP_MD *read_hash;                /* used for mac generation */
-#ifndef OPENSSL_NO_COMP
-        COMP_CTX *expand;                       /* uncompress */
-#else
-        char *expand;
-#endif
-        EVP_CIPHER_CTX *enc_write_ctx;          /* cryptographic state */
-        const EVP_MD *write_hash;               /* used for mac generation */
-#ifndef OPENSSL_NO_COMP
-        COMP_CTX *compress;                     /* compression */
-#else
-        char *compress; 
-#endif
-        /* session info */
-        /* client cert? */
-        /* This is used to hold the server certificate used */
-        struct cert_st /* CERT */ *cert;
-        /* the session_id_context is used to ensure sessions are only reused
-         * in the appropriate context */
-        unsigned int sid_ctx_length;
-        unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-        /* This can also be in the session once a session is established */
-        SSL_SESSION *session;
-        /* Default generate session ID callback. */
-        GEN_SESSION_CB generate_session_id;
-        /* Used in SSL2 and SSL3 */
-        int verify_mode;        /* 0 don't care about verify failure.
-                                 * 1 fail if verify fails */
-        int verify_depth;
-        int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
-        void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
-        int error;              /* error bytes to be written */
-        int error_code;         /* actual code */
-#ifndef OPENSSL_NO_KRB5
-        KSSL_CTX *kssl_ctx;     /* Kerberos 5 context */
-#endif  /* OPENSSL_NO_KRB5 */
-        SSL_CTX *ctx;
-        /* set this flag to 1 and a sleep(1) is put into all SSL_read()
-         * and SSL_write() calls, good for nbio debuging :-) */
-        int debug;      
-        /* extra application data */
-        long verify_result;
-        CRYPTO_EX_DATA ex_data;
-        /* for server side, keep the list of CA_dn we can use */
-        STACK_OF(X509_NAME) *client_CA;
-        int references;
-        unsigned long options; /* protocol behaviour */
-        unsigned long mode; /* API behaviour */
-        long max_cert_list;
-        int first_packet;
-        int client_version;     /* what was passed, used for
-                                 * SSLv3/TLS rollback check */
-        };
-#ifdef __cplusplus
-}
-#endif
-#include <openssl/ssl2.h>
-#include <openssl/ssl3.h>
-#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
-#include <openssl/ssl23.h>
-#ifdef  __cplusplus
-extern "C" {
-#endif
-/* compatibility */
-#define SSL_set_app_data(s,arg)         (SSL_set_ex_data(s,0,(char *)arg))
-#define SSL_get_app_data(s)             (SSL_get_ex_data(s,0))
-#define SSL_SESSION_set_app_data(s,a)   (SSL_SESSION_set_ex_data(s,0,(char *)a))
-#define SSL_SESSION_get_app_data(s)     (SSL_SESSION_get_ex_data(s,0))
-#define SSL_CTX_get_app_data(ctx)       (SSL_CTX_get_ex_data(ctx,0))
-#define SSL_CTX_set_app_data(ctx,arg)   (SSL_CTX_set_ex_data(ctx,0,(char *)arg))
-/* The following are the possible values for ssl->state are are
- * used to indicate where we are up to in the SSL connection establishment.
- * The macros that follow are about the only things you should need to use
- * and even then, only when using non-blocking IO.
- * It can also be useful to work out where you were when the connection
- * failed */
-#define SSL_ST_CONNECT                  0x1000
-#define SSL_ST_ACCEPT                   0x2000
-#define SSL_ST_MASK                     0x0FFF
-#define SSL_ST_INIT                     (SSL_ST_CONNECT|SSL_ST_ACCEPT)
-#define SSL_ST_BEFORE                   0x4000
-#define SSL_ST_OK                       0x03
-#define SSL_ST_RENEGOTIATE              (0x04|SSL_ST_INIT)
-#define SSL_CB_LOOP                     0x01
-#define SSL_CB_EXIT                     0x02
-#define SSL_CB_READ                     0x04
-#define SSL_CB_WRITE                    0x08
-#define SSL_CB_ALERT                    0x4000 /* used in callback */
-#define SSL_CB_READ_ALERT               (SSL_CB_ALERT|SSL_CB_READ)
-#define SSL_CB_WRITE_ALERT              (SSL_CB_ALERT|SSL_CB_WRITE)
-#define SSL_CB_ACCEPT_LOOP              (SSL_ST_ACCEPT|SSL_CB_LOOP)
-#define SSL_CB_ACCEPT_EXIT              (SSL_ST_ACCEPT|SSL_CB_EXIT)
-#define SSL_CB_CONNECT_LOOP             (SSL_ST_CONNECT|SSL_CB_LOOP)
-#define SSL_CB_CONNECT_EXIT             (SSL_ST_CONNECT|SSL_CB_EXIT)
-#define SSL_CB_HANDSHAKE_START          0x10
-#define SSL_CB_HANDSHAKE_DONE           0x20
-/* Is the SSL_connection established? */
-#define SSL_get_state(a)                SSL_state(a)
-#define SSL_is_init_finished(a)         (SSL_state(a) == SSL_ST_OK)
-#define SSL_in_init(a)                  (SSL_state(a)&SSL_ST_INIT)
-#define SSL_in_before(a)                (SSL_state(a)&SSL_ST_BEFORE)
-#define SSL_in_connect_init(a)          (SSL_state(a)&SSL_ST_CONNECT)
-#define SSL_in_accept_init(a)           (SSL_state(a)&SSL_ST_ACCEPT)
-/* The following 2 states are kept in ssl->rstate when reads fail,
- * you should not need these */
-#define SSL_ST_READ_HEADER                      0xF0
-#define SSL_ST_READ_BODY                        0xF1
-#define SSL_ST_READ_DONE                        0xF2
-/* Obtain latest Finished message
- *   -- that we sent (SSL_get_finished)
- *   -- that we expected from peer (SSL_get_peer_finished).
- * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
-size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
-size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
-/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
- * are 'ored' with SSL_VERIFY_PEER if they are desired */
-#define SSL_VERIFY_NONE                 0x00
-#define SSL_VERIFY_PEER                 0x01
-#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
-#define SSL_VERIFY_CLIENT_ONCE          0x04
-#define OpenSSL_add_ssl_algorithms()    SSL_library_init()
-#define SSLeay_add_ssl_algorithms()     SSL_library_init()
-/* this is for backward compatibility */
-#if 0 /* NEW_SSLEAY */
-#define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
-#define SSL_set_pref_cipher(c,n)        SSL_set_cipher_list(c,n)
-#define SSL_add_session(a,b)            SSL_CTX_add_session((a),(b))
-#define SSL_remove_session(a,b)         SSL_CTX_remove_session((a),(b))
-#define SSL_flush_sessions(a,b)         SSL_CTX_flush_sessions((a),(b))
-#endif
-/* More backward compatibility */
-#define SSL_get_cipher(s) \
-                SSL_CIPHER_get_name(SSL_get_current_cipher(s))
-#define SSL_get_cipher_bits(s,np) \
-                SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
-#define SSL_get_cipher_version(s) \
-                SSL_CIPHER_get_version(SSL_get_current_cipher(s))
-#define SSL_get_cipher_name(s) \
-                SSL_CIPHER_get_name(SSL_get_current_cipher(s))
-#define SSL_get_time(a)         SSL_SESSION_get_time(a)
-#define SSL_set_time(a,b)       SSL_SESSION_set_time((a),(b))
-#define SSL_get_timeout(a)      SSL_SESSION_get_timeout(a)
-#define SSL_set_timeout(a,b)    SSL_SESSION_set_timeout((a),(b))
-#if 1 /*SSLEAY_MACROS*/
-#define d2i_SSL_SESSION_bio(bp,s_id) (SSL_SESSION *)ASN1_d2i_bio( \
-        (char *(*)())SSL_SESSION_new,(char *(*)())d2i_SSL_SESSION, \
-        (bp),(unsigned char **)(s_id))
-#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio(i2d_SSL_SESSION, \
-        bp,(unsigned char *)s_id)
-#define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( \
-        (char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(char **)x,cb,u)
-#define PEM_read_bio_SSL_SESSION(bp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read_bio( \
-        (char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,(char **)x,cb,u)
-#define PEM_write_SSL_SESSION(fp,x) \
-        PEM_ASN1_write((int (*)())i2d_SSL_SESSION, \
-                PEM_STRING_SSL_SESSION,fp, (char *)x, NULL,NULL,0,NULL,NULL)
-#define PEM_write_bio_SSL_SESSION(bp,x) \
-        PEM_ASN1_write_bio((int (*)())i2d_SSL_SESSION, \
-                PEM_STRING_SSL_SESSION,bp, (char *)x, NULL,NULL,0,NULL,NULL)
-#endif
-#define SSL_AD_REASON_OFFSET            1000
-/* These alert types are for SSLv3 and TLSv1 */
-#define SSL_AD_CLOSE_NOTIFY             SSL3_AD_CLOSE_NOTIFY
-#define SSL_AD_UNEXPECTED_MESSAGE       SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
-#define SSL_AD_BAD_RECORD_MAC           SSL3_AD_BAD_RECORD_MAC     /* fatal */
-#define SSL_AD_DECRYPTION_FAILED        TLS1_AD_DECRYPTION_FAILED
-#define SSL_AD_RECORD_OVERFLOW          TLS1_AD_RECORD_OVERFLOW
-#define SSL_AD_DECOMPRESSION_FAILURE    SSL3_AD_DECOMPRESSION_FAILURE/* fatal */
-#define SSL_AD_HANDSHAKE_FAILURE        SSL3_AD_HANDSHAKE_FAILURE/* fatal */
-#define SSL_AD_NO_CERTIFICATE           SSL3_AD_NO_CERTIFICATE /* Not for TLS */
-#define SSL_AD_BAD_CERTIFICATE          SSL3_AD_BAD_CERTIFICATE
-#define SSL_AD_UNSUPPORTED_CERTIFICATE  SSL3_AD_UNSUPPORTED_CERTIFICATE
-#define SSL_AD_CERTIFICATE_REVOKED      SSL3_AD_CERTIFICATE_REVOKED
-#define SSL_AD_CERTIFICATE_EXPIRED      SSL3_AD_CERTIFICATE_EXPIRED
-#define SSL_AD_CERTIFICATE_UNKNOWN      SSL3_AD_CERTIFICATE_UNKNOWN
-#define SSL_AD_ILLEGAL_PARAMETER        SSL3_AD_ILLEGAL_PARAMETER   /* fatal */
-#define SSL_AD_UNKNOWN_CA               TLS1_AD_UNKNOWN_CA      /* fatal */
-#define SSL_AD_ACCESS_DENIED            TLS1_AD_ACCESS_DENIED   /* fatal */
-#define SSL_AD_DECODE_ERROR             TLS1_AD_DECODE_ERROR    /* fatal */
-#define SSL_AD_DECRYPT_ERROR            TLS1_AD_DECRYPT_ERROR
-#define SSL_AD_EXPORT_RESTRICTION       TLS1_AD_EXPORT_RESTRICTION/* fatal */
-#define SSL_AD_PROTOCOL_VERSION         TLS1_AD_PROTOCOL_VERSION /* fatal */
-#define SSL_AD_INSUFFICIENT_SECURITY    TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
-#define SSL_AD_INTERNAL_ERROR           TLS1_AD_INTERNAL_ERROR  /* fatal */
-#define SSL_AD_USER_CANCELLED           TLS1_AD_USER_CANCELLED
-#define SSL_AD_NO_RENEGOTIATION         TLS1_AD_NO_RENEGOTIATION
-#define SSL_ERROR_NONE                  0
-#define SSL_ERROR_SSL                   1
-#define SSL_ERROR_WANT_READ             2
-#define SSL_ERROR_WANT_WRITE            3
-#define SSL_ERROR_WANT_X509_LOOKUP      4
-#define SSL_ERROR_SYSCALL               5 /* look at error stack/return value/errno */
-#define SSL_ERROR_ZERO_RETURN           6
-#define SSL_ERROR_WANT_CONNECT          7
-#define SSL_ERROR_WANT_ACCEPT           8
-#define SSL_CTRL_NEED_TMP_RSA                   1
-#define SSL_CTRL_SET_TMP_RSA                    2
-#define SSL_CTRL_SET_TMP_DH                     3
-#define SSL_CTRL_SET_TMP_RSA_CB                 4
-#define SSL_CTRL_SET_TMP_DH_CB                  5
-#define SSL_CTRL_GET_SESSION_REUSED             6
-#define SSL_CTRL_GET_CLIENT_CERT_REQUEST        7
-#define SSL_CTRL_GET_NUM_RENEGOTIATIONS         8
-#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS       9
-#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS       10
-#define SSL_CTRL_GET_FLAGS                      11
-#define SSL_CTRL_EXTRA_CHAIN_CERT               12
-#define SSL_CTRL_SET_MSG_CALLBACK               13
-#define SSL_CTRL_SET_MSG_CALLBACK_ARG           14
-/* Stats */
-#define SSL_CTRL_SESS_NUMBER                    20
-#define SSL_CTRL_SESS_CONNECT                   21
-#define SSL_CTRL_SESS_CONNECT_GOOD              22
-#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE       23
-#define SSL_CTRL_SESS_ACCEPT                    24
-#define SSL_CTRL_SESS_ACCEPT_GOOD               25
-#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE        26
-#define SSL_CTRL_SESS_HIT                       27
-#define SSL_CTRL_SESS_CB_HIT                    28
-#define SSL_CTRL_SESS_MISSES                    29
-#define SSL_CTRL_SESS_TIMEOUTS                  30
-#define SSL_CTRL_SESS_CACHE_FULL                31
-#define SSL_CTRL_OPTIONS                        32
-#define SSL_CTRL_MODE                           33
-#define SSL_CTRL_GET_READ_AHEAD                 40
-#define SSL_CTRL_SET_READ_AHEAD                 41
-#define SSL_CTRL_SET_SESS_CACHE_SIZE            42
-#define SSL_CTRL_GET_SESS_CACHE_SIZE            43
-#define SSL_CTRL_SET_SESS_CACHE_MODE            44
-#define SSL_CTRL_GET_SESS_CACHE_MODE            45
-#define SSL_CTRL_GET_MAX_CERT_LIST              50
-#define SSL_CTRL_SET_MAX_CERT_LIST              51
-#define SSL_session_reused(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
-#define SSL_num_renegotiations(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
-#define SSL_clear_num_renegotiations(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
-#define SSL_total_renegotiations(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
-#define SSL_CTX_need_tmp_RSA(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)
-#define SSL_CTX_set_tmp_rsa(ctx,rsa) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
-#define SSL_CTX_set_tmp_dh(ctx,dh) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
-#define SSL_need_tmp_RSA(ssl) \
-        SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
-#define SSL_set_tmp_rsa(ssl,rsa) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
-#define SSL_set_tmp_dh(ssl,dh) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
-#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
-#ifndef OPENSSL_NO_BIO
-BIO_METHOD *BIO_f_ssl(void);
-BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
-BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
-BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
-int BIO_ssl_copy_session_id(BIO *to,BIO *from);
-void BIO_ssl_shutdown(BIO *ssl_bio);
-#endif
-int     SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
-SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
-void    SSL_CTX_free(SSL_CTX *);
-long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
-long SSL_CTX_get_timeout(const SSL_CTX *ctx);
-X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
-void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
-int SSL_want(const SSL *s);
-int     SSL_clear(SSL *s);
-void    SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
-SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
-int     SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
-char *  SSL_CIPHER_get_version(const SSL_CIPHER *c);
-const char *    SSL_CIPHER_get_name(const SSL_CIPHER *c);
-int     SSL_get_fd(const SSL *s);
-int     SSL_get_rfd(const SSL *s);
-int     SSL_get_wfd(const SSL *s);
-const char  * SSL_get_cipher_list(const SSL *s,int n);
-char *  SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
-int     SSL_get_read_ahead(const SSL * s);
-int     SSL_pending(const SSL *s);
-#ifndef OPENSSL_NO_SOCK
-int     SSL_set_fd(SSL *s, int fd);
-int     SSL_set_rfd(SSL *s, int fd);
-int     SSL_set_wfd(SSL *s, int fd);
-#endif
-#ifndef OPENSSL_NO_BIO
-void    SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
-BIO *   SSL_get_rbio(const SSL *s);
-BIO *   SSL_get_wbio(const SSL *s);
-#endif
-int     SSL_set_cipher_list(SSL *s, const char *str);
-void    SSL_set_read_ahead(SSL *s, int yes);
-int     SSL_get_verify_mode(const SSL *s);
-int     SSL_get_verify_depth(const SSL *s);
-int     (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *);
-void    SSL_set_verify(SSL *s, int mode,
-                       int (*callback)(int ok,X509_STORE_CTX *ctx));
-void    SSL_set_verify_depth(SSL *s, int depth);
-#ifndef OPENSSL_NO_RSA
-int     SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
-#endif
-int     SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
-int     SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
-int     SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len);
-int     SSL_use_certificate(SSL *ssl, X509 *x);
-int     SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);
-#ifndef OPENSSL_NO_STDIO
-int     SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
-int     SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
-int     SSL_use_certificate_file(SSL *ssl, const char *file, int type);
-int     SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
-int     SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
-int     SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
-int     SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM type */
-STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
-int     SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
-                                            const char *file);
-#ifndef OPENSSL_SYS_VMS
-#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */
-int     SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
-                                           const char *dir);
-#endif
-#endif
-#endif
-void    SSL_load_error_strings(void );
-const char *SSL_state_string(const SSL *s);
-const char *SSL_rstate_string(const SSL *s);
-const char *SSL_state_string_long(const SSL *s);
-const char *SSL_rstate_string_long(const SSL *s);
-long    SSL_SESSION_get_time(const SSL_SESSION *s);
-long    SSL_SESSION_set_time(SSL_SESSION *s, long t);
-long    SSL_SESSION_get_timeout(const SSL_SESSION *s);
-long    SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
-void    SSL_copy_session_id(SSL *to,const SSL *from);
-SSL_SESSION *SSL_SESSION_new(void);
-unsigned long SSL_SESSION_hash(const SSL_SESSION *a);
-int     SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b);
-#ifndef OPENSSL_NO_FP_API
-int     SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
-#endif
-#ifndef OPENSSL_NO_BIO
-int     SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
-#endif
-void    SSL_SESSION_free(SSL_SESSION *ses);
-int     i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
-int     SSL_set_session(SSL *to, SSL_SESSION *session);
-int     SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
-int     SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
-int     SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
-int     SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
-int     SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
-                                        unsigned int id_len);
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char * const *pp,
-                             long length);
-#ifdef HEADER_X509_H
-X509 *  SSL_get_peer_certificate(const SSL *s);
-#endif
-STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
-int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
-int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
-int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *);
-void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
-                        int (*callback)(int, X509_STORE_CTX *));
-void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
-void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg);
-#ifndef OPENSSL_NO_RSA
-int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
-#endif
-int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);
-int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
-int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx,
-        unsigned char *d, long len);
-int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
-int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
-void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
-void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
-int SSL_CTX_check_private_key(const SSL_CTX *ctx);
-int SSL_check_private_key(const SSL *ctx);
-int     SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
-                                       unsigned int sid_ctx_len);
-SSL *   SSL_new(SSL_CTX *ctx);
-int     SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
-                                   unsigned int sid_ctx_len);
-int SSL_CTX_set_purpose(SSL_CTX *s, int purpose);
-int SSL_set_purpose(SSL *s, int purpose);
-int SSL_CTX_set_trust(SSL_CTX *s, int trust);
-int SSL_set_trust(SSL *s, int trust);
-void    SSL_free(SSL *ssl);
-int     SSL_accept(SSL *ssl);
-int     SSL_connect(SSL *ssl);
-int     SSL_read(SSL *ssl,void *buf,int num);
-int     SSL_peek(SSL *ssl,void *buf,int num);
-int     SSL_write(SSL *ssl,const void *buf,int num);
-long    SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg);
-long    SSL_callback_ctrl(SSL *, int, void (*)());
-long    SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
-long    SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)());
-int     SSL_get_error(const SSL *s,int ret_code);
-const char *SSL_get_version(const SSL *s);
-/* This sets the 'default' SSL version that SSL_new() will create */
-int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
-SSL_METHOD *SSLv2_method(void);         /* SSLv2 */
-SSL_METHOD *SSLv2_server_method(void);  /* SSLv2 */
-SSL_METHOD *SSLv2_client_method(void);  /* SSLv2 */
-SSL_METHOD *SSLv3_method(void);         /* SSLv3 */
-SSL_METHOD *SSLv3_server_method(void);  /* SSLv3 */
-SSL_METHOD *SSLv3_client_method(void);  /* SSLv3 */
-SSL_METHOD *SSLv23_method(void);        /* SSLv3 but can rollback to v2 */
-SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */
-SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */
-SSL_METHOD *TLSv1_method(void);         /* TLSv1.0 */
-SSL_METHOD *TLSv1_server_method(void);  /* TLSv1.0 */
-SSL_METHOD *TLSv1_client_method(void);  /* TLSv1.0 */
-STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
-int SSL_do_handshake(SSL *s);
-int SSL_renegotiate(SSL *s);
-int SSL_renegotiate_pending(SSL *s);
-int SSL_shutdown(SSL *s);
-SSL_METHOD *SSL_get_ssl_method(SSL *s);
-int SSL_set_ssl_method(SSL *s,SSL_METHOD *method);
-const char *SSL_alert_type_string_long(int value);
-const char *SSL_alert_type_string(int value);
-const char *SSL_alert_desc_string_long(int value);
-const char *SSL_alert_desc_string(int value);
-void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
-int SSL_add_client_CA(SSL *ssl,X509 *x);
-int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
-void SSL_set_connect_state(SSL *s);
-void SSL_set_accept_state(SSL *s);
-long SSL_get_default_timeout(const SSL *s);
-int SSL_library_init(void );
-char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size);
-STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
-SSL *SSL_dup(SSL *ssl);
-X509 *SSL_get_certificate(const SSL *ssl);
-/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
-void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
-int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
-void SSL_set_quiet_shutdown(SSL *ssl,int mode);
-int SSL_get_quiet_shutdown(const SSL *ssl);
-void SSL_set_shutdown(SSL *ssl,int mode);
-int SSL_get_shutdown(const SSL *ssl);
-int SSL_version(const SSL *ssl);
-int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
-int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
-        const char *CApath);
-#define SSL_get0_session SSL_get_session /* just peek at pointer */
-SSL_SESSION *SSL_get_session(const SSL *ssl);
-SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
-SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
-void SSL_set_info_callback(SSL *ssl,
-                           void (*cb)(const SSL *ssl,int type,int val));
-void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
-int SSL_state(const SSL *ssl);
-void SSL_set_verify_result(SSL *ssl,long v);
-long SSL_get_verify_result(const SSL *ssl);
-int SSL_set_ex_data(SSL *ssl,int idx,void *data);
-void *SSL_get_ex_data(const SSL *ssl,int idx);
-int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
-        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
-int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
-void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss,int idx);
-int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
-        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
-int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
-void *SSL_CTX_get_ex_data(const SSL_CTX *ssl,int idx);
-int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
-        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
-int SSL_get_ex_data_X509_STORE_CTX_idx(void );
-#define SSL_CTX_sess_set_cache_size(ctx,t) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
-#define SSL_CTX_sess_get_cache_size(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
-#define SSL_CTX_set_session_cache_mode(ctx,m) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
-#define SSL_CTX_get_session_cache_mode(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
-#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
-#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
-#define SSL_CTX_get_read_ahead(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
-#define SSL_CTX_set_read_ahead(ctx,m) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
-#define SSL_CTX_get_max_cert_list(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
-#define SSL_CTX_set_max_cert_list(ctx,m) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
-#define SSL_get_max_cert_list(ssl) \
-        SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
-#define SSL_set_max_cert_list(ssl,m) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
-     /* NB: the keylength is only applicable when is_export is true */
-#ifndef OPENSSL_NO_RSA
-void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
-                                  RSA *(*cb)(SSL *ssl,int is_export,
-                                             int keylength));
-void SSL_set_tmp_rsa_callback(SSL *ssl,
-                                  RSA *(*cb)(SSL *ssl,int is_export,
-                                             int keylength));
-#endif
-#ifndef OPENSSL_NO_DH
-void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
-                                 DH *(*dh)(SSL *ssl,int is_export,
-                                           int keylength));
-void SSL_set_tmp_dh_callback(SSL *ssl,
-                                 DH *(*dh)(SSL *ssl,int is_export,
-                                           int keylength));
-#endif
-#ifndef OPENSSL_NO_COMP
-int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);
-#else
-int SSL_COMP_add_compression_method(int id,char *cm);
-#endif
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
-void ERR_load_SSL_strings(void);
-/* Error codes for the SSL functions. */
-/* Function codes. */
-#define SSL_F_CLIENT_CERTIFICATE                         100
-#define SSL_F_CLIENT_FINISHED                            238
-#define SSL_F_CLIENT_HELLO                               101
-#define SSL_F_CLIENT_MASTER_KEY                          102
-#define SSL_F_D2I_SSL_SESSION                            103
-#define SSL_F_DO_SSL3_WRITE                              104
-#define SSL_F_GET_CLIENT_FINISHED                        105
-#define SSL_F_GET_CLIENT_HELLO                           106
-#define SSL_F_GET_CLIENT_MASTER_KEY                      107
-#define SSL_F_GET_SERVER_FINISHED                        108
-#define SSL_F_GET_SERVER_HELLO                           109
-#define SSL_F_GET_SERVER_VERIFY                          110
-#define SSL_F_I2D_SSL_SESSION                            111
-#define SSL_F_READ_N                                     112
-#define SSL_F_REQUEST_CERTIFICATE                        113
-#define SSL_F_SERVER_FINISH                              239
-#define SSL_F_SERVER_HELLO                               114
-#define SSL_F_SERVER_VERIFY                              240
-#define SSL_F_SSL23_ACCEPT                               115
-#define SSL_F_SSL23_CLIENT_HELLO                         116
-#define SSL_F_SSL23_CONNECT                              117
-#define SSL_F_SSL23_GET_CLIENT_HELLO                     118
-#define SSL_F_SSL23_GET_SERVER_HELLO                     119
-#define SSL_F_SSL23_PEEK                                 237
-#define SSL_F_SSL23_READ                                 120
-#define SSL_F_SSL23_WRITE                                121
-#define SSL_F_SSL2_ACCEPT                                122
-#define SSL_F_SSL2_CONNECT                               123
-#define SSL_F_SSL2_ENC_INIT                              124
-#define SSL_F_SSL2_GENERATE_KEY_MATERIAL                 241
-#define SSL_F_SSL2_PEEK                                  234
-#define SSL_F_SSL2_READ                                  125
-#define SSL_F_SSL2_READ_INTERNAL                         236
-#define SSL_F_SSL2_SET_CERTIFICATE                       126
-#define SSL_F_SSL2_WRITE                                 127
-#define SSL_F_SSL3_ACCEPT                                128
-#define SSL_F_SSL3_CALLBACK_CTRL                         233
-#define SSL_F_SSL3_CHANGE_CIPHER_STATE                   129
-#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM              130
-#define SSL_F_SSL3_CLIENT_HELLO                          131
-#define SSL_F_SSL3_CONNECT                               132
-#define SSL_F_SSL3_CTRL                                  213
-#define SSL_F_SSL3_CTX_CTRL                              133
-#define SSL_F_SSL3_ENC                                   134
-#define SSL_F_SSL3_GENERATE_KEY_BLOCK                    238
-#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST               135
-#define SSL_F_SSL3_GET_CERT_VERIFY                       136
-#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE                137
-#define SSL_F_SSL3_GET_CLIENT_HELLO                      138
-#define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE               139
-#define SSL_F_SSL3_GET_FINISHED                          140
-#define SSL_F_SSL3_GET_KEY_EXCHANGE                      141
-#define SSL_F_SSL3_GET_MESSAGE                           142
-#define SSL_F_SSL3_GET_RECORD                            143
-#define SSL_F_SSL3_GET_SERVER_CERTIFICATE                144
-#define SSL_F_SSL3_GET_SERVER_DONE                       145
-#define SSL_F_SSL3_GET_SERVER_HELLO                      146
-#define SSL_F_SSL3_OUTPUT_CERT_CHAIN                     147
-#define SSL_F_SSL3_PEEK                                  235
-#define SSL_F_SSL3_READ_BYTES                            148
-#define SSL_F_SSL3_READ_N                                149
-#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST              150
-#define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE               151
-#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE              152
-#define SSL_F_SSL3_SEND_CLIENT_VERIFY                    153
-#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE               154
-#define SSL_F_SSL3_SEND_SERVER_HELLO                     242
-#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE              155
-#define SSL_F_SSL3_SETUP_BUFFERS                         156
-#define SSL_F_SSL3_SETUP_KEY_BLOCK                       157
-#define SSL_F_SSL3_WRITE_BYTES                           158
-#define SSL_F_SSL3_WRITE_PENDING                         159
-#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK         215
-#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK        216
-#define SSL_F_SSL_BAD_METHOD                             160
-#define SSL_F_SSL_BYTES_TO_CIPHER_LIST                   161
-#define SSL_F_SSL_CERT_DUP                               221
-#define SSL_F_SSL_CERT_INST                              222
-#define SSL_F_SSL_CERT_INSTANTIATE                       214
-#define SSL_F_SSL_CERT_NEW                               162
-#define SSL_F_SSL_CHECK_PRIVATE_KEY                      163
-#define SSL_F_SSL_CIPHER_PROCESS_RULESTR                 230
-#define SSL_F_SSL_CIPHER_STRENGTH_SORT                   231
-#define SSL_F_SSL_CLEAR                                  164
-#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD            165
-#define SSL_F_SSL_CREATE_CIPHER_LIST                     166
-#define SSL_F_SSL_CTRL                                   232
-#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                  168
-#define SSL_F_SSL_CTX_NEW                                169
-#define SSL_F_SSL_CTX_SET_CIPHER_LIST                    269
-#define SSL_F_SSL_CTX_SET_PURPOSE                        226
-#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT             219
-#define SSL_F_SSL_CTX_SET_SSL_VERSION                    170
-#define SSL_F_SSL_CTX_SET_TRUST                          229
-#define SSL_F_SSL_CTX_USE_CERTIFICATE                    171
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1               172
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE         220
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE               173
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY                     174
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1                175
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE                176
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY                  177
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1             178
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE             179
-#define SSL_F_SSL_DO_HANDSHAKE                           180
-#define SSL_F_SSL_GET_NEW_SESSION                        181
-#define SSL_F_SSL_GET_PREV_SESSION                       217
-#define SSL_F_SSL_GET_SERVER_SEND_CERT                   182
-#define SSL_F_SSL_GET_SIGN_PKEY                          183
-#define SSL_F_SSL_INIT_WBIO_BUFFER                       184
-#define SSL_F_SSL_LOAD_CLIENT_CA_FILE                    185
-#define SSL_F_SSL_NEW                                    186
-#define SSL_F_SSL_READ                                   223
-#define SSL_F_SSL_RSA_PRIVATE_DECRYPT                    187
-#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT                     188
-#define SSL_F_SSL_SESSION_NEW                            189
-#define SSL_F_SSL_SESSION_PRINT_FP                       190
-#define SSL_F_SSL_SESS_CERT_NEW                          225
-#define SSL_F_SSL_SET_CERT                               191
-#define SSL_F_SSL_SET_CIPHER_LIST                        271
-#define SSL_F_SSL_SET_FD                                 192
-#define SSL_F_SSL_SET_PKEY                               193
-#define SSL_F_SSL_SET_PURPOSE                            227
-#define SSL_F_SSL_SET_RFD                                194
-#define SSL_F_SSL_SET_SESSION                            195
-#define SSL_F_SSL_SET_SESSION_ID_CONTEXT                 218
-#define SSL_F_SSL_SET_TRUST                              228
-#define SSL_F_SSL_SET_WFD                                196
-#define SSL_F_SSL_SHUTDOWN                               224
-#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION               243
-#define SSL_F_SSL_UNDEFINED_FUNCTION                     197
-#define SSL_F_SSL_USE_CERTIFICATE                        198
-#define SSL_F_SSL_USE_CERTIFICATE_ASN1                   199
-#define SSL_F_SSL_USE_CERTIFICATE_FILE                   200
-#define SSL_F_SSL_USE_PRIVATEKEY                         201
-#define SSL_F_SSL_USE_PRIVATEKEY_ASN1                    202
-#define SSL_F_SSL_USE_PRIVATEKEY_FILE                    203
-#define SSL_F_SSL_USE_RSAPRIVATEKEY                      204
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1                 205
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE                 206
-#define SSL_F_SSL_VERIFY_CERT_CHAIN                      207
-#define SSL_F_SSL_WRITE                                  208
-#define SSL_F_TLS1_CHANGE_CIPHER_STATE                   209
-#define SSL_F_TLS1_ENC                                   210
-#define SSL_F_TLS1_SETUP_KEY_BLOCK                       211
-#define SSL_F_WRITE_PENDING                              212
-/* Reason codes. */
-#define SSL_R_APP_DATA_IN_HANDSHAKE                      100
-#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
-#define SSL_R_BAD_ALERT_RECORD                           101
-#define SSL_R_BAD_AUTHENTICATION_TYPE                    102
-#define SSL_R_BAD_CHANGE_CIPHER_SPEC                     103
-#define SSL_R_BAD_CHECKSUM                               104
-#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK              106
-#define SSL_R_BAD_DECOMPRESSION                          107
-#define SSL_R_BAD_DH_G_LENGTH                            108
-#define SSL_R_BAD_DH_PUB_KEY_LENGTH                      109
-#define SSL_R_BAD_DH_P_LENGTH                            110
-#define SSL_R_BAD_DIGEST_LENGTH                          111
-#define SSL_R_BAD_DSA_SIGNATURE                          112
-#define SSL_R_BAD_HELLO_REQUEST                          105
-#define SSL_R_BAD_LENGTH                                 271
-#define SSL_R_BAD_MAC_DECODE                             113
-#define SSL_R_BAD_MESSAGE_TYPE                           114
-#define SSL_R_BAD_PACKET_LENGTH                          115
-#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER                116
-#define SSL_R_BAD_RESPONSE_ARGUMENT                      117
-#define SSL_R_BAD_RSA_DECRYPT                            118
-#define SSL_R_BAD_RSA_ENCRYPT                            119
-#define SSL_R_BAD_RSA_E_LENGTH                           120
-#define SSL_R_BAD_RSA_MODULUS_LENGTH                     121
-#define SSL_R_BAD_RSA_SIGNATURE                          122
-#define SSL_R_BAD_SIGNATURE                              123
-#define SSL_R_BAD_SSL_FILETYPE                           124
-#define SSL_R_BAD_SSL_SESSION_ID_LENGTH                  125
-#define SSL_R_BAD_STATE                                  126
-#define SSL_R_BAD_WRITE_RETRY                            127
-#define SSL_R_BIO_NOT_SET                                128
-#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG                  129
-#define SSL_R_BN_LIB                                     130
-#define SSL_R_CA_DN_LENGTH_MISMATCH                      131
-#define SSL_R_CA_DN_TOO_LONG                             132
-#define SSL_R_CCS_RECEIVED_EARLY                         133
-#define SSL_R_CERTIFICATE_VERIFY_FAILED                  134
-#define SSL_R_CERT_LENGTH_MISMATCH                       135
-#define SSL_R_CHALLENGE_IS_DIFFERENT                     136
-#define SSL_R_CIPHER_CODE_WRONG_LENGTH                   137
-#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE                 138
-#define SSL_R_CIPHER_TABLE_SRC_ERROR                     139
-#define SSL_R_COMPRESSED_LENGTH_TOO_LONG                 140
-#define SSL_R_COMPRESSION_FAILURE                        141
-#define SSL_R_COMPRESSION_LIBRARY_ERROR                  142
-#define SSL_R_CONNECTION_ID_IS_DIFFERENT                 143
-#define SSL_R_CONNECTION_TYPE_NOT_SET                    144
-#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED              145
-#define SSL_R_DATA_LENGTH_TOO_LONG                       146
-#define SSL_R_DECRYPTION_FAILED                          147
-#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC        281
-#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG            148
-#define SSL_R_DIGEST_CHECK_FAILED                        149
-#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG                  150
-#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY               282
-#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST              151
-#define SSL_R_EXCESSIVE_MESSAGE_SIZE                     152
-#define SSL_R_EXTRA_DATA_IN_MESSAGE                      153
-#define SSL_R_GOT_A_FIN_BEFORE_A_CCS                     154
-#define SSL_R_HTTPS_PROXY_REQUEST                        155
-#define SSL_R_HTTP_REQUEST                               156
-#define SSL_R_ILLEGAL_PADDING                            283
-#define SSL_R_INVALID_CHALLENGE_LENGTH                   158
-#define SSL_R_INVALID_COMMAND                            280
-#define SSL_R_INVALID_PURPOSE                            278
-#define SSL_R_INVALID_TRUST                              279
-#define SSL_R_KEY_ARG_TOO_LONG                           284
-#define SSL_R_KRB5                                       285
-#define SSL_R_KRB5_C_CC_PRINC                            286
-#define SSL_R_KRB5_C_GET_CRED                            287
-#define SSL_R_KRB5_C_INIT                                288
-#define SSL_R_KRB5_C_MK_REQ                              289
-#define SSL_R_KRB5_S_BAD_TICKET                          290
-#define SSL_R_KRB5_S_INIT                                291
-#define SSL_R_KRB5_S_RD_REQ                              292
-#define SSL_R_KRB5_S_TKT_EXPIRED                         293
-#define SSL_R_KRB5_S_TKT_NYV                             294
-#define SSL_R_KRB5_S_TKT_SKEW                            295
-#define SSL_R_LENGTH_MISMATCH                            159
-#define SSL_R_LENGTH_TOO_SHORT                           160
-#define SSL_R_LIBRARY_BUG                                274
-#define SSL_R_LIBRARY_HAS_NO_CIPHERS                     161
-#define SSL_R_MESSAGE_TOO_LONG                           296
-#define SSL_R_MISSING_DH_DSA_CERT                        162
-#define SSL_R_MISSING_DH_KEY                             163
-#define SSL_R_MISSING_DH_RSA_CERT                        164
-#define SSL_R_MISSING_DSA_SIGNING_CERT                   165
-#define SSL_R_MISSING_EXPORT_TMP_DH_KEY                  166
-#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY                 167
-#define SSL_R_MISSING_RSA_CERTIFICATE                    168
-#define SSL_R_MISSING_RSA_ENCRYPTING_CERT                169
-#define SSL_R_MISSING_RSA_SIGNING_CERT                   170
-#define SSL_R_MISSING_TMP_DH_KEY                         171
-#define SSL_R_MISSING_TMP_RSA_KEY                        172
-#define SSL_R_MISSING_TMP_RSA_PKEY                       173
-#define SSL_R_MISSING_VERIFY_MESSAGE                     174
-#define SSL_R_NON_SSLV2_INITIAL_PACKET                   175
-#define SSL_R_NO_CERTIFICATES_RETURNED                   176
-#define SSL_R_NO_CERTIFICATE_ASSIGNED                    177
-#define SSL_R_NO_CERTIFICATE_RETURNED                    178
-#define SSL_R_NO_CERTIFICATE_SET                         179
-#define SSL_R_NO_CERTIFICATE_SPECIFIED                   180
-#define SSL_R_NO_CIPHERS_AVAILABLE                       181
-#define SSL_R_NO_CIPHERS_PASSED                          182
-#define SSL_R_NO_CIPHERS_SPECIFIED                       183
-#define SSL_R_NO_CIPHER_LIST                             184
-#define SSL_R_NO_CIPHER_MATCH                            185
-#define SSL_R_NO_CLIENT_CERT_RECEIVED                    186
-#define SSL_R_NO_COMPRESSION_SPECIFIED                   187
-#define SSL_R_NO_METHOD_SPECIFIED                        188
-#define SSL_R_NO_PRIVATEKEY                              189
-#define SSL_R_NO_PRIVATE_KEY_ASSIGNED                    190
-#define SSL_R_NO_PROTOCOLS_AVAILABLE                     191
-#define SSL_R_NO_PUBLICKEY                               192
-#define SSL_R_NO_SHARED_CIPHER                           193
-#define SSL_R_NO_VERIFY_CALLBACK                         194
-#define SSL_R_NULL_SSL_CTX                               195
-#define SSL_R_NULL_SSL_METHOD_PASSED                     196
-#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED            197
-#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE              297
-#define SSL_R_PACKET_LENGTH_TOO_LONG                     198
-#define SSL_R_PATH_TOO_LONG                              270
-#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE          199
-#define SSL_R_PEER_ERROR                                 200
-#define SSL_R_PEER_ERROR_CERTIFICATE                     201
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE                  202
-#define SSL_R_PEER_ERROR_NO_CIPHER                       203
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE    204
-#define SSL_R_PRE_MAC_LENGTH_TOO_LONG                    205
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS          206
-#define SSL_R_PROTOCOL_IS_SHUTDOWN                       207
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR                   208
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA                      209
-#define SSL_R_PUBLIC_KEY_NOT_RSA                         210
-#define SSL_R_READ_BIO_NOT_SET                           211
-#define SSL_R_READ_WRONG_PACKET_TYPE                     212
-#define SSL_R_RECORD_LENGTH_MISMATCH                     213
-#define SSL_R_RECORD_TOO_LARGE                           214
-#define SSL_R_RECORD_TOO_SMALL                           298
-#define SSL_R_REQUIRED_CIPHER_MISSING                    215
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO                 216
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO                   217
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO                 218
-#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED           277
-#define SSL_R_SHORT_READ                                 219
-#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE      220
-#define SSL_R_SSL23_DOING_SESSION_ID_REUSE               221
-#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG                299
-#define SSL_R_SSL3_SESSION_ID_TOO_LONG                   300
-#define SSL_R_SSL3_SESSION_ID_TOO_SHORT                  222
-#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE                1042
-#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC                 1020
-#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED            1045
-#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED            1044
-#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN            1046
-#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE          1030
-#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE              1040
-#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER              1047
-#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE                 1041
-#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE             1010
-#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE        1043
-#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION         228
-#define SSL_R_SSL_HANDSHAKE_FAILURE                      229
-#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS                 230
-#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED             301
-#define SSL_R_SSL_SESSION_ID_CONFLICT                    302
-#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG            273
-#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH              303
-#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT                231
-#define SSL_R_TLSV1_ALERT_ACCESS_DENIED                  1049
-#define SSL_R_TLSV1_ALERT_DECODE_ERROR                   1050
-#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED              1021
-#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR                  1051
-#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION             1060
-#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY          1071
-#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR                 1080
-#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION               1100
-#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION               1070
-#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW                1022
-#define SSL_R_TLSV1_ALERT_UNKNOWN_CA                     1048
-#define SSL_R_TLSV1_ALERT_USER_CANCELLED                 1090
-#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER       232
-#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
-#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG    234
-#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER            235
-#define SSL_R_UNABLE_TO_DECODE_DH_CERTS                  236
-#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY               237
-#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS               238
-#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS       239
-#define SSL_R_UNABLE_TO_FIND_SSL_METHOD                  240
-#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES           241
-#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES           242
-#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES          243
-#define SSL_R_UNEXPECTED_MESSAGE                         244
-#define SSL_R_UNEXPECTED_RECORD                          245
-#define SSL_R_UNINITIALIZED                              276
-#define SSL_R_UNKNOWN_ALERT_TYPE                         246
-#define SSL_R_UNKNOWN_CERTIFICATE_TYPE                   247
-#define SSL_R_UNKNOWN_CIPHER_RETURNED                    248
-#define SSL_R_UNKNOWN_CIPHER_TYPE                        249
-#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE                  250
-#define SSL_R_UNKNOWN_PKEY_TYPE                          251
-#define SSL_R_UNKNOWN_PROTOCOL                           252
-#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE                  253
-#define SSL_R_UNKNOWN_SSL_VERSION                        254
-#define SSL_R_UNKNOWN_STATE                              255
-#define SSL_R_UNSUPPORTED_CIPHER                         256
-#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM          257
-#define SSL_R_UNSUPPORTED_PROTOCOL                       258
-#define SSL_R_UNSUPPORTED_SSL_VERSION                    259
-#define SSL_R_WRITE_BIO_NOT_SET                          260
-#define SSL_R_WRONG_CIPHER_RETURNED                      261
-#define SSL_R_WRONG_MESSAGE_TYPE                         262
-#define SSL_R_WRONG_NUMBER_OF_KEY_BITS                   263
-#define SSL_R_WRONG_SIGNATURE_LENGTH                     264
-#define SSL_R_WRONG_SIGNATURE_SIZE                       265
-#define SSL_R_WRONG_SSL_VERSION                          266
-#define SSL_R_WRONG_VERSION_NUMBER                       267
-#define SSL_R_X509_LIB                                   268
-#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS           269
-#ifdef  __cplusplus
-}
-#endif
-#endif
diff --git a/src/lib/libssl/ssl2.h b/src/lib/libssl/ssl2.h
deleted file mode 100644
index 99a52ea0dd..0000000000
--- a/src/lib/libssl/ssl2.h
+++ /dev/null
@@ -1,268 +0,0 @@
-/* ssl/ssl2.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#ifndef HEADER_SSL2_H 
-#define HEADER_SSL2_H 
-#ifdef  __cplusplus
-extern "C" {
-#endif
-/* Protocol Version Codes */
-#define SSL2_VERSION            0x0002
-#define SSL2_VERSION_MAJOR      0x00
-#define SSL2_VERSION_MINOR      0x02
-/* #define SSL2_CLIENT_VERSION  0x0002 */
-/* #define SSL2_SERVER_VERSION  0x0002 */
-/* Protocol Message Codes */
-#define SSL2_MT_ERROR                   0
-#define SSL2_MT_CLIENT_HELLO            1
-#define SSL2_MT_CLIENT_MASTER_KEY       2
-#define SSL2_MT_CLIENT_FINISHED         3
-#define SSL2_MT_SERVER_HELLO            4
-#define SSL2_MT_SERVER_VERIFY           5
-#define SSL2_MT_SERVER_FINISHED         6
-#define SSL2_MT_REQUEST_CERTIFICATE     7
-#define SSL2_MT_CLIENT_CERTIFICATE      8
-/* Error Message Codes */
-#define SSL2_PE_UNDEFINED_ERROR         0x0000
-#define SSL2_PE_NO_CIPHER               0x0001
-#define SSL2_PE_NO_CERTIFICATE          0x0002
-#define SSL2_PE_BAD_CERTIFICATE         0x0004
-#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
-/* Cipher Kind Values */
-#define SSL2_CK_NULL_WITH_MD5                   0x02000000 /* v3 */
-#define SSL2_CK_RC4_128_WITH_MD5                0x02010080
-#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5       0x02020080
-#define SSL2_CK_RC2_128_CBC_WITH_MD5            0x02030080
-#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5   0x02040080
-#define SSL2_CK_IDEA_128_CBC_WITH_MD5           0x02050080
-#define SSL2_CK_DES_64_CBC_WITH_MD5             0x02060040
-#define SSL2_CK_DES_64_CBC_WITH_SHA             0x02060140 /* v3 */
-#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5       0x020700c0
-#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA       0x020701c0 /* v3 */
-#define SSL2_CK_RC4_64_WITH_MD5                 0x02080080 /* MS hack */
- 
-#define SSL2_CK_DES_64_CFB64_WITH_MD5_1         0x02ff0800 /* SSLeay */
-#define SSL2_CK_NULL                            0x02ff0810 /* SSLeay */
-#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1        "DES-CFB-M1"
-#define SSL2_TXT_NULL_WITH_MD5                  "NULL-MD5"
-#define SSL2_TXT_RC4_128_WITH_MD5               "RC4-MD5"
-#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5      "EXP-RC4-MD5"
-#define SSL2_TXT_RC2_128_CBC_WITH_MD5           "RC2-CBC-MD5"
-#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5  "EXP-RC2-CBC-MD5"
-#define SSL2_TXT_IDEA_128_CBC_WITH_MD5          "IDEA-CBC-MD5"
-#define SSL2_TXT_DES_64_CBC_WITH_MD5            "DES-CBC-MD5"
-#define SSL2_TXT_DES_64_CBC_WITH_SHA            "DES-CBC-SHA"
-#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5      "DES-CBC3-MD5"
-#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA      "DES-CBC3-SHA"
-#define SSL2_TXT_RC4_64_WITH_MD5                "RC4-64-MD5"
-#define SSL2_TXT_NULL                           "NULL"
-/* Flags for the SSL_CIPHER.algorithm2 field */
-#define SSL2_CF_5_BYTE_ENC                      0x01
-#define SSL2_CF_8_BYTE_ENC                      0x02
-/* Certificate Type Codes */
-#define SSL2_CT_X509_CERTIFICATE                0x01
-/* Authentication Type Code */
-#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION         0x01
-#define SSL2_MAX_SSL_SESSION_ID_LENGTH          32
-/* Upper/Lower Bounds */
-#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS      256
-#ifdef OPENSSL_SYS_MPE
-#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER    29998u
-#else
-#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER    32767u  /* 2^15-1 */
-#endif
-#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER    16383 /* 2^14-1 */
-#define SSL2_CHALLENGE_LENGTH   16
-/*#define SSL2_CHALLENGE_LENGTH 32 */
-#define SSL2_MIN_CHALLENGE_LENGTH       16
-#define SSL2_MAX_CHALLENGE_LENGTH       32
-#define SSL2_CONNECTION_ID_LENGTH       16
-#define SSL2_MAX_CONNECTION_ID_LENGTH   16
-#define SSL2_SSL_SESSION_ID_LENGTH      16
-#define SSL2_MAX_CERT_CHALLENGE_LENGTH  32
-#define SSL2_MIN_CERT_CHALLENGE_LENGTH  16
-#define SSL2_MAX_KEY_MATERIAL_LENGTH    24
-#ifndef HEADER_SSL_LOCL_H
-#define  CERT           char
-#endif
-typedef struct ssl2_state_st
-        {
-        int three_byte_header;
-        int clear_text;         /* clear text */
-        int escape;             /* not used in SSLv2 */
-        int ssl2_rollback;      /* used if SSLv23 rolled back to SSLv2 */
-        /* non-blocking io info, used to make sure the same
-         * args were passwd */
-        unsigned int wnum;      /* number of bytes sent so far */
-        int wpend_tot;
-        const unsigned char *wpend_buf;
-        int wpend_off;  /* offset to data to write */
-        int wpend_len;  /* number of bytes passwd to write */
-        int wpend_ret;  /* number of bytes to return to caller */
-        /* buffer raw data */
-        int rbuf_left;
-        int rbuf_offs;
-        unsigned char *rbuf;
-        unsigned char *wbuf;
-        unsigned char *write_ptr;/* used to point to the start due to
-                                  * 2/3 byte header. */
-        unsigned int padding;
-        unsigned int rlength; /* passed to ssl2_enc */
-        int ract_data_length; /* Set when things are encrypted. */
-        unsigned int wlength; /* passed to ssl2_enc */
-        int wact_data_length; /* Set when things are decrypted. */
-        unsigned char *ract_data;
-        unsigned char *wact_data;
-        unsigned char *mac_data;
-        unsigned char *read_key;
-        unsigned char *write_key;
-                /* Stuff specifically to do with this SSL session */
-        unsigned int challenge_length;
-        unsigned char challenge[SSL2_MAX_CHALLENGE_LENGTH];
-        unsigned int conn_id_length;
-        unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
-        unsigned int key_material_length;
-        unsigned char key_material[SSL2_MAX_KEY_MATERIAL_LENGTH*2];
-        unsigned long read_sequence;
-        unsigned long write_sequence;
-        struct  {
-                unsigned int conn_id_length;
-                unsigned int cert_type; 
-                unsigned int cert_length;
-                unsigned int csl; 
-                unsigned int clear;
-                unsigned int enc; 
-                unsigned char ccl[SSL2_MAX_CERT_CHALLENGE_LENGTH];
-                unsigned int cipher_spec_length;
-                unsigned int session_id_length;
-                unsigned int clen;
-                unsigned int rlen;
-                } tmp;
-        } SSL2_STATE;
-/* SSLv2 */
-/* client */
-#define SSL2_ST_SEND_CLIENT_HELLO_A             (0x10|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_HELLO_B             (0x11|SSL_ST_CONNECT)
-#define SSL2_ST_GET_SERVER_HELLO_A              (0x20|SSL_ST_CONNECT)
-#define SSL2_ST_GET_SERVER_HELLO_B              (0x21|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_MASTER_KEY_A        (0x30|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_MASTER_KEY_B        (0x31|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_FINISHED_A          (0x40|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_FINISHED_B          (0x41|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_CERTIFICATE_A       (0x50|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_CERTIFICATE_B       (0x51|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_CERTIFICATE_C       (0x52|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_CERTIFICATE_D       (0x53|SSL_ST_CONNECT)
-#define SSL2_ST_GET_SERVER_VERIFY_A             (0x60|SSL_ST_CONNECT)
-#define SSL2_ST_GET_SERVER_VERIFY_B             (0x61|SSL_ST_CONNECT)
-#define SSL2_ST_GET_SERVER_FINISHED_A           (0x70|SSL_ST_CONNECT)
-#define SSL2_ST_GET_SERVER_FINISHED_B           (0x71|SSL_ST_CONNECT)
-#define SSL2_ST_CLIENT_START_ENCRYPTION         (0x80|SSL_ST_CONNECT)
-#define SSL2_ST_X509_GET_CLIENT_CERTIFICATE     (0x90|SSL_ST_CONNECT)
-/* server */
-#define SSL2_ST_GET_CLIENT_HELLO_A              (0x10|SSL_ST_ACCEPT)
-#define SSL2_ST_GET_CLIENT_HELLO_B              (0x11|SSL_ST_ACCEPT)
-#define SSL2_ST_GET_CLIENT_HELLO_C              (0x12|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_HELLO_A             (0x20|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_HELLO_B             (0x21|SSL_ST_ACCEPT)
-#define SSL2_ST_GET_CLIENT_MASTER_KEY_A         (0x30|SSL_ST_ACCEPT)
-#define SSL2_ST_GET_CLIENT_MASTER_KEY_B         (0x31|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_VERIFY_A            (0x40|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_VERIFY_B            (0x41|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_VERIFY_C            (0x42|SSL_ST_ACCEPT)
-#define SSL2_ST_GET_CLIENT_FINISHED_A           (0x50|SSL_ST_ACCEPT)
-#define SSL2_ST_GET_CLIENT_FINISHED_B           (0x51|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_FINISHED_A          (0x60|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_FINISHED_B          (0x61|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_REQUEST_CERTIFICATE_A      (0x70|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_REQUEST_CERTIFICATE_B      (0x71|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_REQUEST_CERTIFICATE_C      (0x72|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_REQUEST_CERTIFICATE_D      (0x73|SSL_ST_ACCEPT)
-#define SSL2_ST_SERVER_START_ENCRYPTION         (0x80|SSL_ST_ACCEPT)
-#define SSL2_ST_X509_GET_SERVER_CERTIFICATE     (0x90|SSL_ST_ACCEPT)
-#ifdef  __cplusplus
-}
-#endif
-#endif
diff --git a/src/lib/libssl/ssl23.h b/src/lib/libssl/ssl23.h
deleted file mode 100644
index d3228983c7..0000000000
--- a/src/lib/libssl/ssl23.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/* ssl/ssl23.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#ifndef HEADER_SSL23_H 
-#define HEADER_SSL23_H 
-#ifdef  __cplusplus
-extern "C" {
-#endif
-/*client */
-/* write to server */
-#define SSL23_ST_CW_CLNT_HELLO_A        (0x210|SSL_ST_CONNECT)
-#define SSL23_ST_CW_CLNT_HELLO_B        (0x211|SSL_ST_CONNECT)
-/* read from server */
-#define SSL23_ST_CR_SRVR_HELLO_A        (0x220|SSL_ST_CONNECT)
-#define SSL23_ST_CR_SRVR_HELLO_B        (0x221|SSL_ST_CONNECT)
-/* server */
-/* read from client */
-#define SSL23_ST_SR_CLNT_HELLO_A        (0x210|SSL_ST_ACCEPT)
-#define SSL23_ST_SR_CLNT_HELLO_B        (0x211|SSL_ST_ACCEPT)
-#ifdef  __cplusplus
-}
-#endif
-#endif
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
deleted file mode 100644
index 1153aeda74..0000000000
--- a/src/lib/libssl/ssl3.h
+++ /dev/null
@@ -1,526 +0,0 @@
-/* ssl/ssl3.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#ifndef HEADER_SSL3_H 
-#define HEADER_SSL3_H 
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
-#include <openssl/buffer.h>
-#include <openssl/evp.h>
-#include <openssl/ssl.h>
-#ifdef  __cplusplus
-extern "C" {
-#endif
-#define SSL3_CK_RSA_NULL_MD5                    0x03000001
-#define SSL3_CK_RSA_NULL_SHA                    0x03000002
-#define SSL3_CK_RSA_RC4_40_MD5                  0x03000003
-#define SSL3_CK_RSA_RC4_128_MD5                 0x03000004
-#define SSL3_CK_RSA_RC4_128_SHA                 0x03000005
-#define SSL3_CK_RSA_RC2_40_MD5                  0x03000006
-#define SSL3_CK_RSA_IDEA_128_SHA                0x03000007
-#define SSL3_CK_RSA_DES_40_CBC_SHA              0x03000008
-#define SSL3_CK_RSA_DES_64_CBC_SHA              0x03000009
-#define SSL3_CK_RSA_DES_192_CBC3_SHA            0x0300000A
-#define SSL3_CK_DH_DSS_DES_40_CBC_SHA           0x0300000B
-#define SSL3_CK_DH_DSS_DES_64_CBC_SHA           0x0300000C
-#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA         0x0300000D
-#define SSL3_CK_DH_RSA_DES_40_CBC_SHA           0x0300000E
-#define SSL3_CK_DH_RSA_DES_64_CBC_SHA           0x0300000F
-#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA         0x03000010
-#define SSL3_CK_EDH_DSS_DES_40_CBC_SHA          0x03000011
-#define SSL3_CK_EDH_DSS_DES_64_CBC_SHA          0x03000012
-#define SSL3_CK_EDH_DSS_DES_192_CBC3_SHA        0x03000013
-#define SSL3_CK_EDH_RSA_DES_40_CBC_SHA          0x03000014
-#define SSL3_CK_EDH_RSA_DES_64_CBC_SHA          0x03000015
-#define SSL3_CK_EDH_RSA_DES_192_CBC3_SHA        0x03000016
-#define SSL3_CK_ADH_RC4_40_MD5                  0x03000017
-#define SSL3_CK_ADH_RC4_128_MD5                 0x03000018
-#define SSL3_CK_ADH_DES_40_CBC_SHA              0x03000019
-#define SSL3_CK_ADH_DES_64_CBC_SHA              0x0300001A
-#define SSL3_CK_ADH_DES_192_CBC_SHA             0x0300001B
-#define SSL3_CK_FZA_DMS_NULL_SHA                0x0300001C
-#define SSL3_CK_FZA_DMS_FZA_SHA                 0x0300001D
-#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
-         to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
-         of the ietf-tls list */
-#define SSL3_CK_FZA_DMS_RC4_SHA                 0x0300001E
-#endif
-/*    VRS Additional Kerberos5 entries
- */
-#define SSL3_CK_KRB5_DES_64_CBC_SHA             0x0300001E
-#define SSL3_CK_KRB5_DES_192_CBC3_SHA           0x0300001F
-#define SSL3_CK_KRB5_RC4_128_SHA                0x03000020
-#define SSL3_CK_KRB5_IDEA_128_CBC_SHA           0x03000021
-#define SSL3_CK_KRB5_DES_64_CBC_MD5             0x03000022
-#define SSL3_CK_KRB5_DES_192_CBC3_MD5           0x03000023
-#define SSL3_CK_KRB5_RC4_128_MD5                0x03000024
-#define SSL3_CK_KRB5_IDEA_128_CBC_MD5           0x03000025
-#define SSL3_CK_KRB5_DES_40_CBC_SHA             0x03000026
-#define SSL3_CK_KRB5_RC2_40_CBC_SHA             0x03000027
-#define SSL3_CK_KRB5_RC4_40_SHA                 0x03000028
-#define SSL3_CK_KRB5_DES_40_CBC_MD5             0x03000029
-#define SSL3_CK_KRB5_RC2_40_CBC_MD5             0x0300002A
-#define SSL3_CK_KRB5_RC4_40_MD5                 0x0300002B
-#define SSL3_TXT_RSA_NULL_MD5                   "NULL-MD5"
-#define SSL3_TXT_RSA_NULL_SHA                   "NULL-SHA"
-#define SSL3_TXT_RSA_RC4_40_MD5                 "EXP-RC4-MD5"
-#define SSL3_TXT_RSA_RC4_128_MD5                "RC4-MD5"
-#define SSL3_TXT_RSA_RC4_128_SHA                "RC4-SHA"
-#define SSL3_TXT_RSA_RC2_40_MD5                 "EXP-RC2-CBC-MD5"
-#define SSL3_TXT_RSA_IDEA_128_SHA               "IDEA-CBC-SHA"
-#define SSL3_TXT_RSA_DES_40_CBC_SHA             "EXP-DES-CBC-SHA"
-#define SSL3_TXT_RSA_DES_64_CBC_SHA             "DES-CBC-SHA"
-#define SSL3_TXT_RSA_DES_192_CBC3_SHA           "DES-CBC3-SHA"
-#define SSL3_TXT_DH_DSS_DES_40_CBC_SHA          "EXP-DH-DSS-DES-CBC-SHA"
-#define SSL3_TXT_DH_DSS_DES_64_CBC_SHA          "DH-DSS-DES-CBC-SHA"
-#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA        "DH-DSS-DES-CBC3-SHA"
-#define SSL3_TXT_DH_RSA_DES_40_CBC_SHA          "EXP-DH-RSA-DES-CBC-SHA"
-#define SSL3_TXT_DH_RSA_DES_64_CBC_SHA          "DH-RSA-DES-CBC-SHA"
-#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA        "DH-RSA-DES-CBC3-SHA"
-#define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA         "EXP-EDH-DSS-DES-CBC-SHA"
-#define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA         "EDH-DSS-DES-CBC-SHA"
-#define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA       "EDH-DSS-DES-CBC3-SHA"
-#define SSL3_TXT_EDH_RSA_DES_40_CBC_SHA         "EXP-EDH-RSA-DES-CBC-SHA"
-#define SSL3_TXT_EDH_RSA_DES_64_CBC_SHA         "EDH-RSA-DES-CBC-SHA"
-#define SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA       "EDH-RSA-DES-CBC3-SHA"
-#define SSL3_TXT_ADH_RC4_40_MD5                 "EXP-ADH-RC4-MD5"
-#define SSL3_TXT_ADH_RC4_128_MD5                "ADH-RC4-MD5"
-#define SSL3_TXT_ADH_DES_40_CBC_SHA             "EXP-ADH-DES-CBC-SHA"
-#define SSL3_TXT_ADH_DES_64_CBC_SHA             "ADH-DES-CBC-SHA"
-#define SSL3_TXT_ADH_DES_192_CBC_SHA            "ADH-DES-CBC3-SHA"
-#define SSL3_TXT_FZA_DMS_NULL_SHA               "FZA-NULL-SHA"
-#define SSL3_TXT_FZA_DMS_FZA_SHA                "FZA-FZA-CBC-SHA"
-#define SSL3_TXT_FZA_DMS_RC4_SHA                "FZA-RC4-SHA"
-#define SSL3_TXT_KRB5_DES_64_CBC_SHA            "KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_192_CBC3_SHA          "KRB5-DES-CBC3-SHA"
-#define SSL3_TXT_KRB5_RC4_128_SHA               "KRB5-RC4-SHA"
-#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA          "KRB5-IDEA-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_64_CBC_MD5            "KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_192_CBC3_MD5          "KRB5-DES-CBC3-MD5"
-#define SSL3_TXT_KRB5_RC4_128_MD5               "KRB5-RC4-MD5"
-#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5          "KRB5-IDEA-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_40_CBC_SHA            "EXP-KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_RC2_40_CBC_SHA            "EXP-KRB5-RC2-CBC-SHA"
-#define SSL3_TXT_KRB5_RC4_40_SHA                "EXP-KRB5-RC4-SHA"
-#define SSL3_TXT_KRB5_DES_40_CBC_MD5            "EXP-KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_RC2_40_CBC_MD5            "EXP-KRB5-RC2-CBC-MD5"
-#define SSL3_TXT_KRB5_RC4_40_MD5                "EXP-KRB5-RC4-MD5"
-#define SSL3_SSL_SESSION_ID_LENGTH              32
-#define SSL3_MAX_SSL_SESSION_ID_LENGTH          32
-#define SSL3_MASTER_SECRET_SIZE                 48
-#define SSL3_RANDOM_SIZE                        32
-#define SSL3_SESSION_ID_SIZE                    32
-#define SSL3_RT_HEADER_LENGTH                   5
-/* Due to MS stuffing up, this can change.... */
-#if defined(OPENSSL_SYS_WIN16) || \
-        (defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32))
-#define SSL3_RT_MAX_EXTRA                       (14000)
-#else
-#define SSL3_RT_MAX_EXTRA                       (16384)
-#endif
-#define SSL3_RT_MAX_PLAIN_LENGTH                16384
-#define SSL3_RT_MAX_COMPRESSED_LENGTH   (1024+SSL3_RT_MAX_PLAIN_LENGTH)
-#define SSL3_RT_MAX_ENCRYPTED_LENGTH    (1024+SSL3_RT_MAX_COMPRESSED_LENGTH)
-#define SSL3_RT_MAX_PACKET_SIZE         (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
-#define SSL3_RT_MAX_DATA_SIZE                   (1024*1024)
-#define SSL3_MD_CLIENT_FINISHED_CONST   "\x43\x4C\x4E\x54"
-#define SSL3_MD_SERVER_FINISHED_CONST   "\x53\x52\x56\x52"
-#define SSL3_VERSION                    0x0300
-#define SSL3_VERSION_MAJOR              0x03
-#define SSL3_VERSION_MINOR              0x00
-#define SSL3_RT_CHANGE_CIPHER_SPEC      20
-#define SSL3_RT_ALERT                   21
-#define SSL3_RT_HANDSHAKE               22
-#define SSL3_RT_APPLICATION_DATA        23
-#define SSL3_AL_WARNING                 1
-#define SSL3_AL_FATAL                   2
-#define SSL3_AD_CLOSE_NOTIFY             0
-#define SSL3_AD_UNEXPECTED_MESSAGE      10      /* fatal */
-#define SSL3_AD_BAD_RECORD_MAC          20      /* fatal */
-#define SSL3_AD_DECOMPRESSION_FAILURE   30      /* fatal */
-#define SSL3_AD_HANDSHAKE_FAILURE       40      /* fatal */
-#define SSL3_AD_NO_CERTIFICATE          41
-#define SSL3_AD_BAD_CERTIFICATE         42
-#define SSL3_AD_UNSUPPORTED_CERTIFICATE 43
-#define SSL3_AD_CERTIFICATE_REVOKED     44
-#define SSL3_AD_CERTIFICATE_EXPIRED     45
-#define SSL3_AD_CERTIFICATE_UNKNOWN     46
-#define SSL3_AD_ILLEGAL_PARAMETER       47      /* fatal */
-typedef struct ssl3_record_st
-        {
-/*r */  int type;               /* type of record */
-/*rw*/  unsigned int length;    /* How many bytes available */
-/*r */  unsigned int off;       /* read/write offset into 'buf' */
-/*rw*/  unsigned char *data;    /* pointer to the record data */
-/*rw*/  unsigned char *input;   /* where the decode bytes are */
-/*r */  unsigned char *comp;    /* only used with decompression - malloc()ed */
-        } SSL3_RECORD;
-typedef struct ssl3_buffer_st
-        {
-        unsigned char *buf;     /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
-                                 * see ssl3_setup_buffers() */
-        size_t len;             /* buffer size */
-        int offset;             /* where to 'copy from' */
-        int left;               /* how many bytes left */
-        } SSL3_BUFFER;
-#define SSL3_CT_RSA_SIGN                        1
-#define SSL3_CT_DSS_SIGN                        2
-#define SSL3_CT_RSA_FIXED_DH                    3
-#define SSL3_CT_DSS_FIXED_DH                    4
-#define SSL3_CT_RSA_EPHEMERAL_DH                5
-#define SSL3_CT_DSS_EPHEMERAL_DH                6
-#define SSL3_CT_FORTEZZA_DMS                    20
-#define SSL3_CT_NUMBER                          7
-#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS       0x0001
-#define SSL3_FLAGS_DELAY_CLIENT_FINISHED        0x0002
-#define SSL3_FLAGS_POP_BUFFER                   0x0004
-#define TLS1_FLAGS_TLS_PADDING_BUG              0x0008
-typedef struct ssl3_state_st
-        {
-        long flags;
-        int delay_buf_pop_ret;
-        unsigned char read_sequence[8];
-        unsigned char read_mac_secret[EVP_MAX_MD_SIZE];
-        unsigned char write_sequence[8];
-        unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
-        unsigned char server_random[SSL3_RANDOM_SIZE];
-        unsigned char client_random[SSL3_RANDOM_SIZE];
-        /* flags for countermeasure against known-IV weakness */
-        int need_empty_fragments;
-        int empty_fragment_done;
-        SSL3_BUFFER rbuf;       /* read IO goes into here */
-        SSL3_BUFFER wbuf;       /* write IO goes into here */
-        SSL3_RECORD rrec;       /* each decoded record goes in here */
-        SSL3_RECORD wrec;       /* goes out from here */
-        /* storage for Alert/Handshake protocol data received but not
-         * yet processed by ssl3_read_bytes: */
-        unsigned char alert_fragment[2];
-        unsigned int alert_fragment_len;
-        unsigned char handshake_fragment[4];
-        unsigned int handshake_fragment_len;
-        /* partial write - check the numbers match */
-        unsigned int wnum;      /* number of bytes sent so far */
-        int wpend_tot;          /* number bytes written */
-        int wpend_type;
-        int wpend_ret;          /* number of bytes submitted */
-        const unsigned char *wpend_buf;
-        /* used during startup, digest all incoming/outgoing packets */
-        EVP_MD_CTX finish_dgst1;
-        EVP_MD_CTX finish_dgst2;
-        /* this is set whenerver we see a change_cipher_spec message
-         * come in when we are not looking for one */
-        int change_cipher_spec;
-        int warn_alert;
-        int fatal_alert;
-        /* we allow one fatal and one warning alert to be outstanding,
-         * send close alert via the warning alert */
-        int alert_dispatch;
-        unsigned char send_alert[2];
-        /* This flag is set when we should renegotiate ASAP, basically when
-         * there is no more data in the read or write buffers */
-        int renegotiate;
-        int total_renegotiations;
-        int num_renegotiations;
-        int in_read_app_data;
-        struct  {
-                /* actually only needs to be 16+20 */
-                unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
-                /* actually only need to be 16+20 for SSLv3 and 12 for TLS */
-                unsigned char finish_md[EVP_MAX_MD_SIZE*2];
-                int finish_md_len;
-                unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2];
-                int peer_finish_md_len;
-                
-                unsigned long message_size;
-                int message_type;
-                /* used to hold the new cipher we are going to use */
-                SSL_CIPHER *new_cipher;
-#ifndef OPENSSL_NO_DH
-                DH *dh;
-#endif
-                /* used when SSL_ST_FLUSH_DATA is entered */
-                int next_state;                 
-                int reuse_message;
-                /* used for certificate requests */
-                int cert_req;
-                int ctype_num;
-                char ctype[SSL3_CT_NUMBER];
-                STACK_OF(X509_NAME) *ca_names;
-                int use_rsa_tmp;
-                int key_block_length;
-                unsigned char *key_block;
-                const EVP_CIPHER *new_sym_enc;
-                const EVP_MD *new_hash;
-#ifndef OPENSSL_NO_COMP
-                const SSL_COMP *new_compression;
-#else
-                char *new_compression;
-#endif
-                int cert_request;
-                } tmp;
-        } SSL3_STATE;
-/* SSLv3 */
-/*client */
-/* extra state */
-#define SSL3_ST_CW_FLUSH                (0x100|SSL_ST_CONNECT)
-/* write to server */
-#define SSL3_ST_CW_CLNT_HELLO_A         (0x110|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CLNT_HELLO_B         (0x111|SSL_ST_CONNECT)
-/* read from server */
-#define SSL3_ST_CR_SRVR_HELLO_A         (0x120|SSL_ST_CONNECT)
-#define SSL3_ST_CR_SRVR_HELLO_B         (0x121|SSL_ST_CONNECT)
-#define SSL3_ST_CR_CERT_A               (0x130|SSL_ST_CONNECT)
-#define SSL3_ST_CR_CERT_B               (0x131|SSL_ST_CONNECT)
-#define SSL3_ST_CR_KEY_EXCH_A           (0x140|SSL_ST_CONNECT)
-#define SSL3_ST_CR_KEY_EXCH_B           (0x141|SSL_ST_CONNECT)
-#define SSL3_ST_CR_CERT_REQ_A           (0x150|SSL_ST_CONNECT)
-#define SSL3_ST_CR_CERT_REQ_B           (0x151|SSL_ST_CONNECT)
-#define SSL3_ST_CR_SRVR_DONE_A          (0x160|SSL_ST_CONNECT)
-#define SSL3_ST_CR_SRVR_DONE_B          (0x161|SSL_ST_CONNECT)
-/* write to server */
-#define SSL3_ST_CW_CERT_A               (0x170|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CERT_B               (0x171|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CERT_C               (0x172|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CERT_D               (0x173|SSL_ST_CONNECT)
-#define SSL3_ST_CW_KEY_EXCH_A           (0x180|SSL_ST_CONNECT)
-#define SSL3_ST_CW_KEY_EXCH_B           (0x181|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CERT_VRFY_A          (0x190|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CERT_VRFY_B          (0x191|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CHANGE_A             (0x1A0|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CHANGE_B             (0x1A1|SSL_ST_CONNECT)
-#define SSL3_ST_CW_FINISHED_A           (0x1B0|SSL_ST_CONNECT)
-#define SSL3_ST_CW_FINISHED_B           (0x1B1|SSL_ST_CONNECT)
-/* read from server */
-#define SSL3_ST_CR_CHANGE_A             (0x1C0|SSL_ST_CONNECT)
-#define SSL3_ST_CR_CHANGE_B             (0x1C1|SSL_ST_CONNECT)
-#define SSL3_ST_CR_FINISHED_A           (0x1D0|SSL_ST_CONNECT)
-#define SSL3_ST_CR_FINISHED_B           (0x1D1|SSL_ST_CONNECT)
-/* server */
-/* extra state */
-#define SSL3_ST_SW_FLUSH                (0x100|SSL_ST_ACCEPT)
-/* read from client */
-/* Do not change the number values, they do matter */
-#define SSL3_ST_SR_CLNT_HELLO_A         (0x110|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CLNT_HELLO_B         (0x111|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CLNT_HELLO_C         (0x112|SSL_ST_ACCEPT)
-/* write to client */
-#define SSL3_ST_SW_HELLO_REQ_A          (0x120|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_HELLO_REQ_B          (0x121|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_HELLO_REQ_C          (0x122|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SRVR_HELLO_A         (0x130|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SRVR_HELLO_B         (0x131|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_CERT_A               (0x140|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_CERT_B               (0x141|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_KEY_EXCH_A           (0x150|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_KEY_EXCH_B           (0x151|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_CERT_REQ_A           (0x160|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_CERT_REQ_B           (0x161|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SRVR_DONE_A          (0x170|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SRVR_DONE_B          (0x171|SSL_ST_ACCEPT)
-/* read from client */
-#define SSL3_ST_SR_CERT_A               (0x180|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CERT_B               (0x181|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_KEY_EXCH_A           (0x190|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_KEY_EXCH_B           (0x191|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CERT_VRFY_A          (0x1A0|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CERT_VRFY_B          (0x1A1|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CHANGE_A             (0x1B0|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CHANGE_B             (0x1B1|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_FINISHED_A           (0x1C0|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_FINISHED_B           (0x1C1|SSL_ST_ACCEPT)
-/* write to client */
-#define SSL3_ST_SW_CHANGE_A             (0x1D0|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_CHANGE_B             (0x1D1|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_FINISHED_A           (0x1E0|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_FINISHED_B           (0x1E1|SSL_ST_ACCEPT)
-#define SSL3_MT_HELLO_REQUEST                   0
-#define SSL3_MT_CLIENT_HELLO                    1
-#define SSL3_MT_SERVER_HELLO                    2
-#define SSL3_MT_CERTIFICATE                     11
-#define SSL3_MT_SERVER_KEY_EXCHANGE             12
-#define SSL3_MT_CERTIFICATE_REQUEST             13
-#define SSL3_MT_SERVER_DONE                     14
-#define SSL3_MT_CERTIFICATE_VERIFY              15
-#define SSL3_MT_CLIENT_KEY_EXCHANGE             16
-#define SSL3_MT_FINISHED                        20
-#define SSL3_MT_CCS                             1
-/* These are used when changing over to a new cipher */
-#define SSL3_CC_READ            0x01
-#define SSL3_CC_WRITE           0x02
-#define SSL3_CC_CLIENT          0x10
-#define SSL3_CC_SERVER          0x20
-#define SSL3_CHANGE_CIPHER_CLIENT_WRITE (SSL3_CC_CLIENT|SSL3_CC_WRITE)  
-#define SSL3_CHANGE_CIPHER_SERVER_READ  (SSL3_CC_SERVER|SSL3_CC_READ)
-#define SSL3_CHANGE_CIPHER_CLIENT_READ  (SSL3_CC_CLIENT|SSL3_CC_READ)
-#define SSL3_CHANGE_CIPHER_SERVER_WRITE (SSL3_CC_SERVER|SSL3_CC_WRITE)
-#ifdef  __cplusplus
-}
-#endif
-#endif
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
deleted file mode 100644
index 3d1299ee7b..0000000000
--- a/src/lib/libssl/ssl_algs.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/* ssl/ssl_algs.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <openssl/objects.h>
-#include <openssl/lhash.h>
-#include "ssl_locl.h"
-int SSL_library_init(void)
-        {
-#ifndef OPENSSL_NO_DES
-        EVP_add_cipher(EVP_des_cbc());
-        EVP_add_cipher(EVP_des_ede3_cbc());
-#endif
-#ifndef OPENSSL_NO_IDEA
-        EVP_add_cipher(EVP_idea_cbc());
-#endif
-#ifndef OPENSSL_NO_RC4
-        EVP_add_cipher(EVP_rc4());
-#endif  
-#ifndef OPENSSL_NO_RC2
-        EVP_add_cipher(EVP_rc2_cbc());
-#endif
-#ifndef OPENSSL_NO_AES
-        EVP_add_cipher(EVP_aes_128_cbc());
-        EVP_add_cipher(EVP_aes_192_cbc());
-        EVP_add_cipher(EVP_aes_256_cbc());
-#endif
-#ifndef OPENSSL_NO_MD2
-        EVP_add_digest(EVP_md2());
-#endif
-#ifndef OPENSSL_NO_MD5
-        EVP_add_digest(EVP_md5());
-        EVP_add_digest_alias(SN_md5,"ssl2-md5");
-        EVP_add_digest_alias(SN_md5,"ssl3-md5");
-#endif
-#ifndef OPENSSL_NO_SHA
-        EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
-        EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
-        EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
-#endif
-#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
-        EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
-        EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
-        EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
-        EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
-#endif
-        /* If you want support for phased out ciphers, add the following */
-#if 0
-        EVP_add_digest(EVP_sha());
-        EVP_add_digest(EVP_dss());
-#endif
-        return(1);
-        }
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
deleted file mode 100644
index fc5fcce108..0000000000
--- a/src/lib/libssl/ssl_asn1.c
+++ /dev/null
@@ -1,398 +0,0 @@
-/* ssl/ssl_asn1.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <stdlib.h>
-#include "ssl_locl.h"
-#include <openssl/asn1_mac.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-typedef struct ssl_session_asn1_st
-        {
-        ASN1_INTEGER version;
-        ASN1_INTEGER ssl_version;
-        ASN1_OCTET_STRING cipher;
-        ASN1_OCTET_STRING master_key;
-        ASN1_OCTET_STRING session_id;
-        ASN1_OCTET_STRING session_id_context;
-        ASN1_OCTET_STRING key_arg;
-#ifndef OPENSSL_NO_KRB5
-        ASN1_OCTET_STRING krb5_princ;
-#endif /* OPENSSL_NO_KRB5 */
-        ASN1_INTEGER time;
-        ASN1_INTEGER timeout;
-        ASN1_INTEGER verify_result;
-        } SSL_SESSION_ASN1;
-int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
-        {
-#define LSIZE2 (sizeof(long)*2)
-        int v1=0,v2=0,v3=0,v4=0,v5=0;
-        unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
-        unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2];
-        long l;
-        SSL_SESSION_ASN1 a;
-        M_ASN1_I2D_vars(in);
-        if ((in == NULL) || ((in->cipher == NULL) && (in->cipher_id == 0)))
-                return(0);
-        /* Note that I cheat in the following 2 assignments.  I know
-         * that if the ASN1_INTEGER passed to ASN1_INTEGER_set
-         * is > sizeof(long)+1, the buffer will not be re-OPENSSL_malloc()ed.
-         * This is a bit evil but makes things simple, no dynamic allocation
-         * to clean up :-) */
-        a.version.length=LSIZE2;
-        a.version.type=V_ASN1_INTEGER;
-        a.version.data=ibuf1;
-        ASN1_INTEGER_set(&(a.version),SSL_SESSION_ASN1_VERSION);
-        a.ssl_version.length=LSIZE2;
-        a.ssl_version.type=V_ASN1_INTEGER;
-        a.ssl_version.data=ibuf2;
-        ASN1_INTEGER_set(&(a.ssl_version),in->ssl_version);
-        a.cipher.type=V_ASN1_OCTET_STRING;
-        a.cipher.data=buf;
-        if (in->cipher == NULL)
-                l=in->cipher_id;
-        else
-                l=in->cipher->id;
-        if (in->ssl_version == SSL2_VERSION)
-                {
-                a.cipher.length=3;
-                buf[0]=((unsigned char)(l>>16L))&0xff;
-                buf[1]=((unsigned char)(l>> 8L))&0xff;
-                buf[2]=((unsigned char)(l     ))&0xff;
-                }
-        else
-                {
-                a.cipher.length=2;
-                buf[0]=((unsigned char)(l>>8L))&0xff;
-                buf[1]=((unsigned char)(l    ))&0xff;
-                }
-        a.master_key.length=in->master_key_length;
-        a.master_key.type=V_ASN1_OCTET_STRING;
-        a.master_key.data=in->master_key;
-        a.session_id.length=in->session_id_length;
-        a.session_id.type=V_ASN1_OCTET_STRING;
-        a.session_id.data=in->session_id;
-        a.session_id_context.length=in->sid_ctx_length;
-        a.session_id_context.type=V_ASN1_OCTET_STRING;
-        a.session_id_context.data=in->sid_ctx;
-        a.key_arg.length=in->key_arg_length;
-        a.key_arg.type=V_ASN1_OCTET_STRING;
-        a.key_arg.data=in->key_arg;
-#ifndef OPENSSL_NO_KRB5
-        if (in->krb5_client_princ_len)
-                {
-                a.krb5_princ.length=in->krb5_client_princ_len;
-                a.krb5_princ.type=V_ASN1_OCTET_STRING;
-                a.krb5_princ.data=in->krb5_client_princ;
-                }
-#endif /* OPENSSL_NO_KRB5 */
- 
-        if (in->time != 0L)
-                {
-                a.time.length=LSIZE2;
-                a.time.type=V_ASN1_INTEGER;
-                a.time.data=ibuf3;
-                ASN1_INTEGER_set(&(a.time),in->time);
-                }
-        if (in->timeout != 0L)
-                {
-                a.timeout.length=LSIZE2;
-                a.timeout.type=V_ASN1_INTEGER;
-                a.timeout.data=ibuf4;
-                ASN1_INTEGER_set(&(a.timeout),in->timeout);
-                }
-        if (in->verify_result != X509_V_OK)
-                {
-                a.verify_result.length=LSIZE2;
-                a.verify_result.type=V_ASN1_INTEGER;
-                a.verify_result.data=ibuf5;
-                ASN1_INTEGER_set(&a.verify_result,in->verify_result);
-                }
-        M_ASN1_I2D_len(&(a.version),            i2d_ASN1_INTEGER);
-        M_ASN1_I2D_len(&(a.ssl_version),        i2d_ASN1_INTEGER);
-        M_ASN1_I2D_len(&(a.cipher),             i2d_ASN1_OCTET_STRING);
-        M_ASN1_I2D_len(&(a.session_id),         i2d_ASN1_OCTET_STRING);
-        M_ASN1_I2D_len(&(a.master_key),         i2d_ASN1_OCTET_STRING);
-#ifndef OPENSSL_NO_KRB5
-        if (in->krb5_client_princ_len)
-                M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
-#endif /* OPENSSL_NO_KRB5 */
-        if (in->key_arg_length > 0)
-                M_ASN1_I2D_len_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING);
-        if (in->time != 0L)
-                M_ASN1_I2D_len_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
-        if (in->timeout != 0L)
-                M_ASN1_I2D_len_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
-        if (in->peer != NULL)
-                M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3);
-        M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4);
-        if (in->verify_result != X509_V_OK)
-                M_ASN1_I2D_len_EXP_opt(&(a.verify_result),i2d_ASN1_INTEGER,5,v5);
-        M_ASN1_I2D_seq_total();
-        M_ASN1_I2D_put(&(a.version),            i2d_ASN1_INTEGER);
-        M_ASN1_I2D_put(&(a.ssl_version),        i2d_ASN1_INTEGER);
-        M_ASN1_I2D_put(&(a.cipher),             i2d_ASN1_OCTET_STRING);
-        M_ASN1_I2D_put(&(a.session_id),         i2d_ASN1_OCTET_STRING);
-        M_ASN1_I2D_put(&(a.master_key),         i2d_ASN1_OCTET_STRING);
-#ifndef OPENSSL_NO_KRB5
-        if (in->krb5_client_princ_len)
-                M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
-#endif /* OPENSSL_NO_KRB5 */
-        if (in->key_arg_length > 0)
-                M_ASN1_I2D_put_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING,0);
-        if (in->time != 0L)
-                M_ASN1_I2D_put_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
-        if (in->timeout != 0L)
-                M_ASN1_I2D_put_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
-        if (in->peer != NULL)
-                M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3);
-        M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,
-                               v4);
-        if (in->verify_result != X509_V_OK)
-                M_ASN1_I2D_put_EXP_opt(&a.verify_result,i2d_ASN1_INTEGER,5,v5);
-        M_ASN1_I2D_finish();
-        }
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char * const *pp,
-             long length)
-        {
-        int version,ssl_version=0,i;
-        long id;
-        ASN1_INTEGER ai,*aip;
-        ASN1_OCTET_STRING os,*osp;
-        M_ASN1_D2I_vars(a,SSL_SESSION *,SSL_SESSION_new);
-        aip= &ai;
-        osp= &os;
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        ai.data=NULL; ai.length=0;
-        M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER);
-        version=(int)ASN1_INTEGER_get(aip);
-        if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
-        /* we don't care about the version right now :-) */
-        M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER);
-        ssl_version=(int)ASN1_INTEGER_get(aip);
-        ret->ssl_version=ssl_version;
-        if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
-        os.data=NULL; os.length=0;
-        M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
-        if (ssl_version == SSL2_VERSION)
-                {
-                if (os.length != 3)
-                        {
-                        c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
-                        goto err;
-                        }
-                id=0x02000000L|
-                        ((unsigned long)os.data[0]<<16L)|
-                        ((unsigned long)os.data[1]<< 8L)|
-                         (unsigned long)os.data[2];
-                }
-        else if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
-                {
-                if (os.length != 2)
-                        {
-                        c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
-                        goto err;
-                        }
-                id=0x03000000L|
-                        ((unsigned long)os.data[0]<<8L)|
-                         (unsigned long)os.data[1];
-                }
-        else
-                {
-                SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_UNKNOWN_SSL_VERSION);
-                return(NULL);
-                }
-        
-        ret->cipher=NULL;
-        ret->cipher_id=id;
-        M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
-        if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
-                i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
-        else /* if (ssl_version == SSL2_VERSION_MAJOR) */
-                i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
-        if (os.length > i)
-                os.length = i;
-        if (os.length > sizeof ret->session_id) /* can't happen */
-                os.length = sizeof ret->session_id;
-        ret->session_id_length=os.length;
-        OPENSSL_assert(os.length <= sizeof ret->session_id);
-        memcpy(ret->session_id,os.data,os.length);
-        M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
-        if (ret->master_key_length > SSL_MAX_MASTER_KEY_LENGTH)
-                ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
-        else
-                ret->master_key_length=os.length;
-        memcpy(ret->master_key,os.data,ret->master_key_length);
-        os.length=0;
-#ifndef OPENSSL_NO_KRB5
-        os.length=0;
-        M_ASN1_D2I_get_opt(osp,d2i_ASN1_OCTET_STRING,V_ASN1_OCTET_STRING);
-        if (os.data)
-                {
-                if (os.length > SSL_MAX_KRB5_PRINCIPAL_LENGTH)
-                        ret->krb5_client_princ_len=0;
-                else
-                        ret->krb5_client_princ_len=os.length;
-                memcpy(ret->krb5_client_princ,os.data,ret->krb5_client_princ_len);
-                OPENSSL_free(os.data);
-                os.data = NULL;
-                os.length = 0;
-                }
-        else
-                ret->krb5_client_princ_len=0;
-#endif /* OPENSSL_NO_KRB5 */
-        M_ASN1_D2I_get_IMP_opt(osp,d2i_ASN1_OCTET_STRING,0,V_ASN1_OCTET_STRING);
-        if (os.length > SSL_MAX_KEY_ARG_LENGTH)
-                ret->key_arg_length=SSL_MAX_KEY_ARG_LENGTH;
-        else
-                ret->key_arg_length=os.length;
-        memcpy(ret->key_arg,os.data,ret->key_arg_length);
-        if (os.data != NULL) OPENSSL_free(os.data);
-        ai.length=0;
-        M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,1);
-        if (ai.data != NULL)
-                {
-                ret->time=ASN1_INTEGER_get(aip);
-                OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
-                }
-        else
-                ret->time=(unsigned long)time(NULL);
-        ai.length=0;
-        M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,2);
-        if (ai.data != NULL)
-                {
-                ret->timeout=ASN1_INTEGER_get(aip);
-                OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
-                }
-        else
-                ret->timeout=3;
-        if (ret->peer != NULL)
-                {
-                X509_free(ret->peer);
-                ret->peer=NULL;
-                }
-        M_ASN1_D2I_get_EXP_opt(ret->peer,d2i_X509,3);
-        os.length=0;
-        os.data=NULL;
-        M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,4);
-        if(os.data != NULL)
-            {
-            if (os.length > SSL_MAX_SID_CTX_LENGTH)
-                {
-                ret->sid_ctx_length=os.length;
-                SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH);
-                }
-            else
-                {
-                ret->sid_ctx_length=os.length;
-                memcpy(ret->sid_ctx,os.data,os.length);
-                }
-            OPENSSL_free(os.data); os.data=NULL; os.length=0;
-            }
-        else
-            ret->sid_ctx_length=0;
-        ai.length=0;
-        M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,5);
-        if (ai.data != NULL)
-                {
-                ret->verify_result=ASN1_INTEGER_get(aip);
-                OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
-                }
-        else
-                ret->verify_result=X509_V_OK;
-        M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
-        }
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
deleted file mode 100644
index b779e6bb4d..0000000000
--- a/src/lib/libssl/ssl_cert.c
+++ /dev/null
@@ -1,898 +0,0 @@
-/*! \file ssl/ssl_cert.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- */
-#include <stdio.h>
-#include "e_os.h"
-#ifndef NO_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-#if !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) && !defined(NeXT) && !defined(MAC_OS_pre_X)
-#include <dirent.h>
-#endif
-#if defined(WIN32)
-#include <windows.h>
-#include <tchar.h>
-#endif
-#ifdef NeXT
-#include <sys/dir.h>
-#define dirent direct
-#endif
-#include <openssl/objects.h>
-#include <openssl/bio.h>
-#include <openssl/pem.h>
-#include <openssl/x509v3.h>
-#include "ssl_locl.h"
-#include <openssl/fips.h>
-int SSL_get_ex_data_X509_STORE_CTX_idx(void)
-        {
-        static volatile int ssl_x509_store_ctx_idx= -1;
-        if (ssl_x509_store_ctx_idx < 0)
-                {
-                /* any write lock will do; usually this branch
-                 * will only be taken once anyway */
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-                
-                if (ssl_x509_store_ctx_idx < 0)
-                        {
-                        ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
-                                0,"SSL for verify callback",NULL,NULL,NULL);
-                        }
-                
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
-                }
-        return ssl_x509_store_ctx_idx;
-        }
-CERT *ssl_cert_new(void)
-        {
-        CERT *ret;
-        ret=(CERT *)OPENSSL_malloc(sizeof(CERT));
-        if (ret == NULL)
-                {
-                SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE);
-                return(NULL);
-                }
-        memset(ret,0,sizeof(CERT));
-        ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
-        ret->references=1;
-        return(ret);
-        }
-CERT *ssl_cert_dup(CERT *cert)
-        {
-        CERT *ret;
-        int i;
-        ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
-        if (ret == NULL)
-                {
-                SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
-                return(NULL);
-                }
-        memset(ret, 0, sizeof(CERT));
-        ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
-        /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
-         * if you find that more readable */
-        ret->valid = cert->valid;
-        ret->mask = cert->mask;
-        ret->export_mask = cert->export_mask;
-#ifndef OPENSSL_NO_RSA
-        if (cert->rsa_tmp != NULL)
-                {
-                RSA_up_ref(cert->rsa_tmp);
-                ret->rsa_tmp = cert->rsa_tmp;
-                }
-        ret->rsa_tmp_cb = cert->rsa_tmp_cb;
-#endif
-#ifndef OPENSSL_NO_DH
-        if (cert->dh_tmp != NULL)
-                {
-                /* DH parameters don't have a reference count */
-                ret->dh_tmp = DHparams_dup(cert->dh_tmp);
-                if (ret->dh_tmp == NULL)
-                        {
-                        SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
-                        goto err;
-                        }
-                if (cert->dh_tmp->priv_key)
-                        {
-                        BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
-                        if (!b)
-                                {
-                                SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
-                                goto err;
-                                }
-                        ret->dh_tmp->priv_key = b;
-                        }
-                if (cert->dh_tmp->pub_key)
-                        {
-                        BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
-                        if (!b)
-                                {
-                                SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
-                                goto err;
-                                }
-                        ret->dh_tmp->pub_key = b;
-                        }
-                }
-        ret->dh_tmp_cb = cert->dh_tmp_cb;
-#endif
-        for (i = 0; i < SSL_PKEY_NUM; i++)
-                {
-                if (cert->pkeys[i].x509 != NULL)
-                        {
-                        ret->pkeys[i].x509 = cert->pkeys[i].x509;
-                        CRYPTO_add(&ret->pkeys[i].x509->references, 1,
-                                CRYPTO_LOCK_X509);
-                        }
-                
-                if (cert->pkeys[i].privatekey != NULL)
-                        {
-                        ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
-                        CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
-                                CRYPTO_LOCK_EVP_PKEY);
-                        switch(i) 
-                                {
-                                /* If there was anything special to do for
-                                 * certain types of keys, we'd do it here.
-                                 * (Nothing at the moment, I think.) */
-                        case SSL_PKEY_RSA_ENC:
-                        case SSL_PKEY_RSA_SIGN:
-                                /* We have an RSA key. */
-                                break;
-                                
-                        case SSL_PKEY_DSA_SIGN:
-                                /* We have a DSA key. */
-                                break;
-                                
-                        case SSL_PKEY_DH_RSA:
-                        case SSL_PKEY_DH_DSA:
-                                /* We have a DH key. */
-                                break;
-                                
-                        default:
-                                /* Can't happen. */
-                                SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
-                                }
-                        }
-                }
-        
-        /* ret->extra_certs *should* exist, but currently the own certificate
-         * chain is held inside SSL_CTX */
-        ret->references=1;
-        return(ret);
-        
-#ifndef OPENSSL_NO_DH /* avoid 'unreferenced label' warning if OPENSSL_NO_DH is defined */
-err:
-#endif
-#ifndef OPENSSL_NO_RSA
-        if (ret->rsa_tmp != NULL)
-                RSA_free(ret->rsa_tmp);
-#endif
-#ifndef OPENSSL_NO_DH
-        if (ret->dh_tmp != NULL)
-                DH_free(ret->dh_tmp);
-#endif
-        for (i = 0; i < SSL_PKEY_NUM; i++)
-                {
-                if (ret->pkeys[i].x509 != NULL)
-                        X509_free(ret->pkeys[i].x509);
-                if (ret->pkeys[i].privatekey != NULL)
-                        EVP_PKEY_free(ret->pkeys[i].privatekey);
-                }
-        return NULL;
-        }
-void ssl_cert_free(CERT *c)
-        {
-        int i;
-        if(c == NULL)
-            return;
-        i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT);
-#ifdef REF_PRINT
-        REF_PRINT("CERT",c);
-#endif
-        if (i > 0) return;
-#ifdef REF_CHECK
-        if (i < 0)
-                {
-                fprintf(stderr,"ssl_cert_free, bad reference count\n");
-                abort(); /* ok */
-                }
-#endif
-#ifndef OPENSSL_NO_RSA
-        if (c->rsa_tmp) RSA_free(c->rsa_tmp);
-#endif
-#ifndef OPENSSL_NO_DH
-        if (c->dh_tmp) DH_free(c->dh_tmp);
-#endif
-        for (i=0; i<SSL_PKEY_NUM; i++)
-                {
-                if (c->pkeys[i].x509 != NULL)
-                        X509_free(c->pkeys[i].x509);
-                if (c->pkeys[i].privatekey != NULL)
-                        EVP_PKEY_free(c->pkeys[i].privatekey);
-#if 0
-                if (c->pkeys[i].publickey != NULL)
-                        EVP_PKEY_free(c->pkeys[i].publickey);
-#endif
-                }
-        OPENSSL_free(c);
-        }
-int ssl_cert_inst(CERT **o)
-        {
-        /* Create a CERT if there isn't already one
-         * (which cannot really happen, as it is initially created in
-         * SSL_CTX_new; but the earlier code usually allows for that one
-         * being non-existant, so we follow that behaviour, as it might
-         * turn out that there actually is a reason for it -- but I'm
-         * not sure that *all* of the existing code could cope with
-         * s->cert being NULL, otherwise we could do without the
-         * initialization in SSL_CTX_new).
-         */
-        
-        if (o == NULL) 
-                {
-                SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
-                return(0);
-                }
-        if (*o == NULL)
-                {
-                if ((*o = ssl_cert_new()) == NULL)
-                        {
-                        SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
-                        return(0);
-                        }
-                }
-        return(1);
-        }
-SESS_CERT *ssl_sess_cert_new(void)
-        {
-        SESS_CERT *ret;
-        ret = OPENSSL_malloc(sizeof *ret);
-        if (ret == NULL)
-                {
-                SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
-                return NULL;
-                }
-        memset(ret, 0 ,sizeof *ret);
-        ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
-        ret->references = 1;
-        return ret;
-        }
-void ssl_sess_cert_free(SESS_CERT *sc)
-        {
-        int i;
-        if (sc == NULL)
-                return;
-        i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
-#ifdef REF_PRINT
-        REF_PRINT("SESS_CERT", sc);
-#endif
-        if (i > 0)
-                return;
-#ifdef REF_CHECK
-        if (i < 0)
-                {
-                fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
-                abort(); /* ok */
-                }
-#endif
-        /* i == 0 */
-        if (sc->cert_chain != NULL)
-                sk_X509_pop_free(sc->cert_chain, X509_free);
-        for (i = 0; i < SSL_PKEY_NUM; i++)
-                {
-                if (sc->peer_pkeys[i].x509 != NULL)
-                        X509_free(sc->peer_pkeys[i].x509);
-#if 0 /* We don't have the peer's private key.  These lines are just
-           * here as a reminder that we're still using a not-quite-appropriate
-           * data structure. */
-                if (sc->peer_pkeys[i].privatekey != NULL)
-                        EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
-#endif
-                }
-#ifndef OPENSSL_NO_RSA
-        if (sc->peer_rsa_tmp != NULL)
-                RSA_free(sc->peer_rsa_tmp);
-#endif
-#ifndef OPENSSL_NO_DH
-        if (sc->peer_dh_tmp != NULL)
-                DH_free(sc->peer_dh_tmp);
-#endif
-        OPENSSL_free(sc);
-        }
-int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
-        {
-        sc->peer_cert_type = type;
-        return(1);
-        }
-int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
-        {
-        X509 *x;
-        int i;
-        X509_STORE_CTX ctx;
-        if ((sk == NULL) || (sk_X509_num(sk) == 0))
-                return(0);
-        x=sk_X509_value(sk,0);
-        if(!X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk))
-                {
-                SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
-                return(0);
-                }
-        if (SSL_get_verify_depth(s) >= 0)
-                X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
-        X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
-        /* We need to set the verify purpose. The purpose can be determined by
-         * the context: if its a server it will verify SSL client certificates
-         * or vice versa.
-         */
-        if (s->server)
-                i = X509_PURPOSE_SSL_CLIENT;
-        else
-                i = X509_PURPOSE_SSL_SERVER;
-        X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
-        if (s->verify_callback)
-                X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
-        if (s->ctx->app_verify_callback != NULL)
-#if 1 /* new with OpenSSL 0.9.7 */
-                i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg); 
-#else
-                i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
-#endif
-        else
-                {
-#ifndef OPENSSL_NO_X509_VERIFY
-                i=X509_verify_cert(&ctx);
-#else
-                i=0;
-                ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
-                SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK);
-#endif
-                }
-        s->verify_result=ctx.error;
-        X509_STORE_CTX_cleanup(&ctx);
-        return(i);
-        }
-static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list)
-        {
-        if (*ca_list != NULL)
-                sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
-        *ca_list=name_list;
-        }
-STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
-        {
-        int i;
-        STACK_OF(X509_NAME) *ret;
-        X509_NAME *name;
-        ret=sk_X509_NAME_new_null();
-        for (i=0; i<sk_X509_NAME_num(sk); i++)
-                {
-                name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
-                if ((name == NULL) || !sk_X509_NAME_push(ret,name))
-                        {
-                        sk_X509_NAME_pop_free(ret,X509_NAME_free);
-                        return(NULL);
-                        }
-                }
-        return(ret);
-        }
-void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list)
-        {
-        set_client_CA_list(&(s->client_CA),name_list);
-        }
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
-        {
-        set_client_CA_list(&(ctx->client_CA),name_list);
-        }
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
-        {
-        return(ctx->client_CA);
-        }
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
-        {
-        if (s->type == SSL_ST_CONNECT)
-                { /* we are in the client */
-                if (((s->version>>8) == SSL3_VERSION_MAJOR) &&
-                        (s->s3 != NULL))
-                        return(s->s3->tmp.ca_names);
-                else
-                        return(NULL);
-                }
-        else
-                {
-                if (s->client_CA != NULL)
-                        return(s->client_CA);
-                else
-                        return(s->ctx->client_CA);
-                }
-        }
-static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x)
-        {
-        X509_NAME *name;
-        if (x == NULL) return(0);
-        if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL))
-                return(0);
-                
-        if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
-                return(0);
-        if (!sk_X509_NAME_push(*sk,name))
-                {
-                X509_NAME_free(name);
-                return(0);
-                }
-        return(1);
-        }
-int SSL_add_client_CA(SSL *ssl,X509 *x)
-        {
-        return(add_client_CA(&(ssl->client_CA),x));
-        }
-int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
-        {
-        return(add_client_CA(&(ctx->client_CA),x));
-        }
-static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
-        {
-        return(X509_NAME_cmp(*a,*b));
-        }
-#ifndef OPENSSL_NO_STDIO
-/*!
- * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
- * it doesn't really have anything to do with clients (except that a common use
- * for a stack of CAs is to send it to the client). Actually, it doesn't have
- * much to do with CAs, either, since it will load any old cert.
- * \param file the file containing one or more certs.
- * \return a ::STACK containing the certs.
- */
-STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
-        {
-        BIO *in;
-        X509 *x=NULL;
-        X509_NAME *xn=NULL;
-        STACK_OF(X509_NAME) *ret = NULL,*sk;
-        sk=sk_X509_NAME_new(xname_cmp);
-        in=BIO_new(BIO_s_file_internal());
-        if ((sk == NULL) || (in == NULL))
-                {
-                SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
-                goto err;
-                }
-        
-        if (!BIO_read_filename(in,file))
-                goto err;
-        for (;;)
-                {
-                if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
-                        break;
-                if (ret == NULL)
-                        {
-                        ret = sk_X509_NAME_new_null();
-                        if (ret == NULL)
-                                {
-                                SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
-                                goto err;
-                                }
-                        }
-                if ((xn=X509_get_subject_name(x)) == NULL) goto err;
-                /* check for duplicates */
-                xn=X509_NAME_dup(xn);
-                if (xn == NULL) goto err;
-                if (sk_X509_NAME_find(sk,xn) >= 0)
-                        X509_NAME_free(xn);
-                else
-                        {
-                        sk_X509_NAME_push(sk,xn);
-                        sk_X509_NAME_push(ret,xn);
-                        }
-                }
-        if (0)
-                {
-err:
-                if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
-                ret=NULL;
-                }
-        if (sk != NULL) sk_X509_NAME_free(sk);
-        if (in != NULL) BIO_free(in);
-        if (x != NULL) X509_free(x);
-        if (ret != NULL)
-                ERR_clear_error();
-        return(ret);
-        }
-#endif
-/*!
- * Add a file of certs to a stack.
- * \param stack the stack to add to.
- * \param file the file to add from. All certs in this file that are not
- * already in the stack will be added.
- * \return 1 for success, 0 for failure. Note that in the case of failure some
- * certs may have been added to \c stack.
- */
-int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
-                                        const char *file)
-        {
-        BIO *in;
-        X509 *x=NULL;
-        X509_NAME *xn=NULL;
-        int ret=1;
-        int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b);
-        
-        oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
-        
-        in=BIO_new(BIO_s_file_internal());
-        
-        if (in == NULL)
-                {
-                SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
-                goto err;
-                }
-        
-        if (!BIO_read_filename(in,file))
-                goto err;
-        
-        for (;;)
-                {
-                if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
-                        break;
-                if ((xn=X509_get_subject_name(x)) == NULL) goto err;
-                xn=X509_NAME_dup(xn);
-                if (xn == NULL) goto err;
-                if (sk_X509_NAME_find(stack,xn) >= 0)
-                        X509_NAME_free(xn);
-                else
-                        sk_X509_NAME_push(stack,xn);
-                }
-        if (0)
-                {
-err:
-                ret=0;
-                }
-        if(in != NULL)
-                BIO_free(in);
-        if(x != NULL)
-                X509_free(x);
-        
-        sk_X509_NAME_set_cmp_func(stack,oldcmp);
-        return ret;
-        }
-/*!
- * Add a directory of certs to a stack.
- * \param stack the stack to append to.
- * \param dir the directory to append from. All files in this directory will be
- * examined as potential certs. Any that are acceptable to
- * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be
- * included.
- * \return 1 for success, 0 for failure. Note that in the case of failure some
- * certs may have been added to \c stack.
- */
-#ifndef OPENSSL_SYS_WIN32
-#ifndef OPENSSL_SYS_VMS         /* XXXX This may be fixed in the future */
-#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! */
-int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
-                                       const char *dir)
-        {
-        DIR *d;
-        struct dirent *dstruct;
-        int ret = 0;
-        CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
-        d = opendir(dir);
-        /* Note that a side effect is that the CAs will be sorted by name */
-        if(!d)
-                {
-                SYSerr(SYS_F_OPENDIR, get_last_sys_error());
-                ERR_add_error_data(3, "opendir('", dir, "')");
-                SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
-                goto err;
-                }
-        
-        while((dstruct=readdir(d)))
-                {
-                char buf[1024];
-                int r;
-                
-                if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf)
-                        {
-                        SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
-                        goto err;
-                        }
-                
-                r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,dstruct->d_name);
-                if (r <= 0 || r >= sizeof buf)
-                        goto err;
-                if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
-                        goto err;
-                }
-        ret = 1;
-err:    
-        if (d) closedir(d);
-        CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
-        return ret;
-        }
-#endif
-#endif
-#else /* OPENSSL_SYS_WIN32 */
-#if defined(_WIN32_WCE)
-# ifndef UNICODE
-#  error "WinCE comes in UNICODE flavor only..."
-# endif
-# if _WIN32_WCE<101 && !defined(OPENSSL_NO_MULTIBYTE)
-#  define OPENSSL_NO_MULTIBYTE
-# endif
-# ifndef  FindFirstFile
-#  define FindFirstFile FindFirstFileW
-# endif
-# ifndef  FindNextFile
-#  define FindNextFile FindNextFileW
-# endif
-#endif
-int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
-                                       const char *dir)
-        {
-        WIN32_FIND_DATA FindFileData;
-        HANDLE hFind;
-        int    ret = 0;
-        TCHAR *wdir = NULL;
-        size_t i,len_0 = strlen(dir)+1; /* len_0 accounts for trailing 0 */
-        char   buf[1024],*slash;
-        if (len_0 > (sizeof(buf)-14))   /* 14 is just some value... */
-                {
-                SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
-                return ret;
-                }
-        CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
-        if (sizeof(TCHAR) != sizeof(char))
-                {
-                wdir = (TCHAR *)malloc(len_0*sizeof(TCHAR));
-                if (wdir == NULL)
-                        goto err_noclose;
-#ifndef OPENSSL_NO_MULTIBYTE
-                if (!MultiByteToWideChar(CP_ACP,0,dir,len_0,
-                                        (WCHAR *)wdir,len_0))
-#endif
-                        for (i=0;i<len_0;i++) wdir[i]=(TCHAR)dir[i];
-                hFind = FindFirstFile(wdir, &FindFileData);
-                }
-        else    hFind = FindFirstFile((const TCHAR *)dir, &FindFileData);
-        /* Note that a side effect is that the CAs will be sorted by name */
-        if(hFind == INVALID_HANDLE_VALUE)
-                {
-                SYSerr(SYS_F_OPENDIR, get_last_sys_error());
-                ERR_add_error_data(3, "opendir('", dir, "')");
-                SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
-                goto err_noclose;
-                }
-        strncpy(buf,dir,sizeof(buf));   /* strcpy is safe too... */
-        buf[len_0-1]='/';               /* no trailing zero!     */
-        slash=buf+len_0;
-        do      {
-                const TCHAR *fnam=FindFileData.cFileName;
-                size_t flen_0=_tcslen(fnam)+1;
-                if (flen_0 > (sizeof(buf)-len_0))
-                        {
-                        SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
-                        goto err;
-                        }
-                /* else strcpy would be safe too... */
-                if (sizeof(TCHAR) != sizeof(char))
-                        {
-#ifndef OPENSSL_NO_MULTIBYTE
-                        if (!WideCharToMultiByte(CP_ACP,0,
-                                                (WCHAR *)fnam,flen_0,
-                                                slash,sizeof(buf)-len_0,
-                                                NULL,0))
-#endif
-                                for (i=0;i<flen_0;i++) slash[i]=(char)fnam[i];
-                        }
-                else    strncpy(slash,(const char *)fnam,sizeof(buf)-len_0);
-                if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
-                        goto err;
-                }
-        while (FindNextFile(hFind, &FindFileData) != FALSE);
-        ret = 1;
-err:    
-        FindClose(hFind);
-err_noclose:
-        if (wdir != NULL)
-                free(wdir);
-        CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
-        return ret;
-        }
-#endif
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
deleted file mode 100644
index f622180c69..0000000000
--- a/src/lib/libssl/ssl_ciph.c
+++ /dev/null
@@ -1,1139 +0,0 @@
-/* ssl/ssl_ciph.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <openssl/objects.h>
-#include <openssl/comp.h>
-#include <openssl/fips.h>
-#include "ssl_locl.h"
-#define SSL_ENC_DES_IDX         0
-#define SSL_ENC_3DES_IDX        1
-#define SSL_ENC_RC4_IDX         2
-#define SSL_ENC_RC2_IDX         3
-#define SSL_ENC_IDEA_IDX        4
-#define SSL_ENC_eFZA_IDX        5
-#define SSL_ENC_NULL_IDX        6
-#define SSL_ENC_AES128_IDX      7
-#define SSL_ENC_AES256_IDX      8
-#define SSL_ENC_NUM_IDX         9
-static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
-        NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
-        };
-static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
-#define SSL_MD_MD5_IDX  0
-#define SSL_MD_SHA1_IDX 1
-#define SSL_MD_NUM_IDX  2
-static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
-        NULL,NULL,
-        };
-#define CIPHER_ADD      1
-#define CIPHER_KILL     2
-#define CIPHER_DEL      3
-#define CIPHER_ORD      4
-#define CIPHER_SPECIAL  5
-typedef struct cipher_order_st
-        {
-        SSL_CIPHER *cipher;
-        int active;
-        int dead;
-        struct cipher_order_st *next,*prev;
-        } CIPHER_ORDER;
-static const SSL_CIPHER cipher_aliases[]={
-        /* Don't include eNULL unless specifically enabled. */
-        {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
-        {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},  /* COMPLEMENT OF ALL */
-        {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0},
-        {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0},  /* VRS Kerberos5 */
-        {0,SSL_TXT_kRSA,0,SSL_kRSA,  0,0,0,0,SSL_MKEY_MASK,0},
-        {0,SSL_TXT_kDHr,0,SSL_kDHr,  0,0,0,0,SSL_MKEY_MASK,0},
-        {0,SSL_TXT_kDHd,0,SSL_kDHd,  0,0,0,0,SSL_MKEY_MASK,0},
-        {0,SSL_TXT_kEDH,0,SSL_kEDH,  0,0,0,0,SSL_MKEY_MASK,0},
-        {0,SSL_TXT_kFZA,0,SSL_kFZA,  0,0,0,0,SSL_MKEY_MASK,0},
-        {0,SSL_TXT_DH,  0,SSL_DH,    0,0,0,0,SSL_MKEY_MASK,0},
-        {0,SSL_TXT_EDH, 0,SSL_EDH,   0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
-        {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0},  /* VRS Kerberos5 */
-        {0,SSL_TXT_aRSA,0,SSL_aRSA,  0,0,0,0,SSL_AUTH_MASK,0},
-        {0,SSL_TXT_aDSS,0,SSL_aDSS,  0,0,0,0,SSL_AUTH_MASK,0},
-        {0,SSL_TXT_aFZA,0,SSL_aFZA,  0,0,0,0,SSL_AUTH_MASK,0},
-        {0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0},
-        {0,SSL_TXT_aDH, 0,SSL_aDH,   0,0,0,0,SSL_AUTH_MASK,0},
-        {0,SSL_TXT_DSS, 0,SSL_DSS,   0,0,0,0,SSL_AUTH_MASK,0},
-        {0,SSL_TXT_DES, 0,SSL_DES,   0,0,0,0,SSL_ENC_MASK,0},
-        {0,SSL_TXT_3DES,0,SSL_3DES,  0,0,0,0,SSL_ENC_MASK,0},
-        {0,SSL_TXT_RC4, 0,SSL_RC4,   0,0,0,0,SSL_ENC_MASK,0},
-        {0,SSL_TXT_RC2, 0,SSL_RC2,   0,0,0,0,SSL_ENC_MASK,0},
-#ifndef OPENSSL_NO_IDEA
-        {0,SSL_TXT_IDEA,0,SSL_IDEA,  0,0,0,0,SSL_ENC_MASK,0},
-#endif
-        {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
-        {0,SSL_TXT_eFZA,0,SSL_eFZA,  0,0,0,0,SSL_ENC_MASK,0},
-        {0,SSL_TXT_AES, 0,SSL_AES,   0,0,0,0,SSL_ENC_MASK,0},
-        {0,SSL_TXT_MD5, 0,SSL_MD5,   0,0,0,0,SSL_MAC_MASK,0},
-        {0,SSL_TXT_SHA1,0,SSL_SHA1,  0,0,0,0,SSL_MAC_MASK,0},
-        {0,SSL_TXT_SHA, 0,SSL_SHA,   0,0,0,0,SSL_MAC_MASK,0},
-        {0,SSL_TXT_NULL,0,SSL_NULL,  0,0,0,0,SSL_ENC_MASK,0},
-        {0,SSL_TXT_KRB5,0,SSL_KRB5,  0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
-        {0,SSL_TXT_RSA, 0,SSL_RSA,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
-        {0,SSL_TXT_ADH, 0,SSL_ADH,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
-        {0,SSL_TXT_FZA, 0,SSL_FZA,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0},
-        {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0},
-        {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,0,0,0,SSL_SSL_MASK,0},
-        {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,0,0,0,SSL_SSL_MASK,0},
-        {0,SSL_TXT_EXP   ,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
-        {0,SSL_TXT_EXPORT,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
-        {0,SSL_TXT_EXP40, 0, 0, SSL_EXP40, 0,0,0,0,SSL_STRONG_MASK},
-        {0,SSL_TXT_EXP56, 0, 0, SSL_EXP56, 0,0,0,0,SSL_STRONG_MASK},
-        {0,SSL_TXT_LOW,   0, 0,   SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
-        {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
-        {0,SSL_TXT_HIGH,  0, 0,  SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
-        {0,SSL_TXT_FIPS,  0, 0,  SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
-        };
-static int init_ciphers=1;
-static void load_ciphers(void)
-        {
-        ssl_cipher_methods[SSL_ENC_DES_IDX]= 
-                EVP_get_cipherbyname(SN_des_cbc);
-        ssl_cipher_methods[SSL_ENC_3DES_IDX]=
-                EVP_get_cipherbyname(SN_des_ede3_cbc);
-        ssl_cipher_methods[SSL_ENC_RC4_IDX]=
-                EVP_get_cipherbyname(SN_rc4);
-        ssl_cipher_methods[SSL_ENC_RC2_IDX]= 
-                EVP_get_cipherbyname(SN_rc2_cbc);
-#ifndef OPENSSL_NO_IDEA
-        ssl_cipher_methods[SSL_ENC_IDEA_IDX]= 
-                EVP_get_cipherbyname(SN_idea_cbc);
-#else
-        ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL;
-#endif
-        ssl_cipher_methods[SSL_ENC_AES128_IDX]=
-          EVP_get_cipherbyname(SN_aes_128_cbc);
-        ssl_cipher_methods[SSL_ENC_AES256_IDX]=
-          EVP_get_cipherbyname(SN_aes_256_cbc);
-        ssl_digest_methods[SSL_MD_MD5_IDX]=
-                EVP_get_digestbyname(SN_md5);
-        ssl_digest_methods[SSL_MD_SHA1_IDX]=
-                EVP_get_digestbyname(SN_sha1);
-        init_ciphers=0;
-        }
-int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
-             const EVP_MD **md, SSL_COMP **comp)
-        {
-        int i;
-        SSL_CIPHER *c;
-        c=s->cipher;
-        if (c == NULL) return(0);
-        if (comp != NULL)
-                {
-                SSL_COMP ctmp;
-                if (s->compress_meth == 0)
-                        *comp=NULL;
-                else if (ssl_comp_methods == NULL)
-                        {
-                        /* bad */
-                        *comp=NULL;
-                        }
-                else
-                        {
-                        ctmp.id=s->compress_meth;
-                        i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
-                        if (i >= 0)
-                                *comp=sk_SSL_COMP_value(ssl_comp_methods,i);
-                        else
-                                *comp=NULL;
-                        }
-                }
-        if ((enc == NULL) || (md == NULL)) return(0);
-        switch (c->algorithms & SSL_ENC_MASK)
-                {
-        case SSL_DES:
-                i=SSL_ENC_DES_IDX;
-                break;
-        case SSL_3DES:
-                i=SSL_ENC_3DES_IDX;
-                break;
-        case SSL_RC4:
-                i=SSL_ENC_RC4_IDX;
-                break;
-        case SSL_RC2:
-                i=SSL_ENC_RC2_IDX;
-                break;
-        case SSL_IDEA:
-                i=SSL_ENC_IDEA_IDX;
-                break;
-        case SSL_eNULL:
-                i=SSL_ENC_NULL_IDX;
-                break;
-        case SSL_AES:
-                switch(c->alg_bits)
-                        {
-                case 128: i=SSL_ENC_AES128_IDX; break;
-                case 256: i=SSL_ENC_AES256_IDX; break;
-                default: i=-1; break;
-                        }
-                break;
-        default:
-                i= -1;
-                break;
-                }
-        if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
-                *enc=NULL;
-        else
-                {
-                if (i == SSL_ENC_NULL_IDX)
-                        *enc=EVP_enc_null();
-                else
-                        *enc=ssl_cipher_methods[i];
-                }
-        switch (c->algorithms & SSL_MAC_MASK)
-                {
-        case SSL_MD5:
-                i=SSL_MD_MD5_IDX;
-                break;
-        case SSL_SHA1:
-                i=SSL_MD_SHA1_IDX;
-                break;
-        default:
-                i= -1;
-                break;
-                }
-        if ((i < 0) || (i >= SSL_MD_NUM_IDX))
-                *md=NULL;
-        else
-                *md=ssl_digest_methods[i];
-        if ((*enc != NULL) && (*md != NULL))
-                return(1);
-        else
-                return(0);
-        }
-#define ITEM_SEP(a) \
-        (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
-static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
-             CIPHER_ORDER **tail)
-        {
-        if (curr == *tail) return;
-        if (curr == *head)
-                *head=curr->next;
-        if (curr->prev != NULL)
-                curr->prev->next=curr->next;
-        if (curr->next != NULL) /* should always be true */
-                curr->next->prev=curr->prev;
-        (*tail)->next=curr;
-        curr->prev= *tail;
-        curr->next=NULL;
-        *tail=curr;
-        }
-static unsigned long ssl_cipher_get_disabled(void)
-        {
-        unsigned long mask;
-        mask = SSL_kFZA;
-#ifdef OPENSSL_NO_RSA
-        mask |= SSL_aRSA|SSL_kRSA;
-#endif
-#ifdef OPENSSL_NO_DSA
-        mask |= SSL_aDSS;
-#endif
-#ifdef OPENSSL_NO_DH
-        mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
-#endif
-#ifdef OPENSSL_NO_KRB5
-        mask |= SSL_kKRB5|SSL_aKRB5;
-#endif
-#ifdef SSL_FORBID_ENULL
-        mask |= SSL_eNULL;
-#endif
-        mask |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
-        mask |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
-        mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
-        mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
-        mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
-        mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0;
-        mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0;
-        mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
-        mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
-        return(mask);
-        }
-static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
-                int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list,
-                CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
-        {
-        int i, co_list_num;
-        SSL_CIPHER *c;
-        /*
-         * We have num_of_ciphers descriptions compiled in, depending on the
-         * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
-         * These will later be sorted in a linked list with at most num
-         * entries.
-         */
-        /* Get the initial list of ciphers */
-        co_list_num = 0;        /* actual count of ciphers */
-        for (i = 0; i < num_of_ciphers; i++)
-                {
-                c = ssl_method->get_cipher(i);
-                /* drop those that use any of that is not available */
-#ifdef OPENSSL_FIPS
-                if ((c != NULL) && c->valid && !(c->algorithms & mask)
-                        && (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
-#else
-                if ((c != NULL) && c->valid && !(c->algorithms & mask))
-#endif
-                        {
-                        co_list[co_list_num].cipher = c;
-                        co_list[co_list_num].next = NULL;
-                        co_list[co_list_num].prev = NULL;
-                        co_list[co_list_num].active = 0;
-                        co_list_num++;
-#ifdef KSSL_DEBUG
-                        printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms);
-#endif  /* KSSL_DEBUG */
-                        /*
-                        if (!sk_push(ca_list,(char *)c)) goto err;
-                        */
-                        }
-                }
-        /*
-         * Prepare linked list from list entries
-         */     
-        for (i = 1; i < co_list_num - 1; i++)
-                {
-                co_list[i].prev = &(co_list[i-1]);
-                co_list[i].next = &(co_list[i+1]);
-                }
-        if (co_list_num > 0)
-                {
-                (*head_p) = &(co_list[0]);
-                (*head_p)->prev = NULL;
-                (*head_p)->next = &(co_list[1]);
-                (*tail_p) = &(co_list[co_list_num - 1]);
-                (*tail_p)->prev = &(co_list[co_list_num - 2]);
-                (*tail_p)->next = NULL;
-                }
-        }
-static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
-                        int num_of_group_aliases, unsigned long mask,
-                        CIPHER_ORDER *head)
-        {
-        CIPHER_ORDER *ciph_curr;
-        SSL_CIPHER **ca_curr;
-        int i;
-        /*
-         * First, add the real ciphers as already collected
-         */
-        ciph_curr = head;
-        ca_curr = ca_list;
-        while (ciph_curr != NULL)
-                {
-                *ca_curr = ciph_curr->cipher;
-                ca_curr++;
-                ciph_curr = ciph_curr->next;
-                }
-        /*
-         * Now we add the available ones from the cipher_aliases[] table.
-         * They represent either an algorithm, that must be fully
-         * supported (not match any bit in mask) or represent a cipher
-         * strength value (will be added in any case because algorithms=0).
-         */
-        for (i = 0; i < num_of_group_aliases; i++)
-                {
-                if ((i == 0) ||         /* always fetch "ALL" */
-                    !(cipher_aliases[i].algorithms & mask))
-                        {
-                        *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
-                        ca_curr++;
-                        }
-                }
-        *ca_curr = NULL;        /* end of list */
-        }
-static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
-                unsigned long algo_strength, unsigned long mask_strength,
-                int rule, int strength_bits, CIPHER_ORDER *co_list,
-                CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
-        {
-        CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2;
-        SSL_CIPHER *cp;
-        unsigned long ma, ma_s;
-#ifdef CIPHER_DEBUG
-        printf("Applying rule %d with %08lx %08lx %08lx %08lx (%d)\n",
-                rule, algorithms, mask, algo_strength, mask_strength,
-                strength_bits);
-#endif
-        curr = head = *head_p;
-        curr2 = head;
-        tail2 = tail = *tail_p;
-        for (;;)
-                {
-                if ((curr == NULL) || (curr == tail2)) break;
-                curr = curr2;
-                curr2 = curr->next;
-                cp = curr->cipher;
-                /*
-                 * Selection criteria is either the number of strength_bits
-                 * or the algorithm used.
-                 */
-                if (strength_bits == -1)
-                        {
-                        ma = mask & cp->algorithms;
-                        ma_s = mask_strength & cp->algo_strength;
-#ifdef CIPHER_DEBUG
-                        printf("\nName: %s:\nAlgo = %08lx Algo_strength = %08lx\nMask = %08lx Mask_strength %08lx\n", cp->name, cp->algorithms, cp->algo_strength, mask, mask_strength);
-                        printf("ma = %08lx ma_s %08lx, ma&algo=%08lx, ma_s&algos=%08lx\n", ma, ma_s, ma&algorithms, ma_s&algo_strength);
-#endif
-                        /*
-                         * Select: if none of the mask bit was met from the
-                         * cipher or not all of the bits were met, the
-                         * selection does not apply.
-                         */
-                        if (((ma == 0) && (ma_s == 0)) ||
-                            ((ma & algorithms) != ma) ||
-                            ((ma_s & algo_strength) != ma_s))
-                                continue; /* does not apply */
-                        }
-                else if (strength_bits != cp->strength_bits)
-                        continue;       /* does not apply */
-#ifdef CIPHER_DEBUG
-                printf("Action = %d\n", rule);
-#endif
-                /* add the cipher if it has not been added yet. */
-                if (rule == CIPHER_ADD)
-                        {
-                        if (!curr->active)
-                                {
-                                ll_append_tail(&head, curr, &tail);
-                                curr->active = 1;
-                                }
-                        }
-                /* Move the added cipher to this location */
-                else if (rule == CIPHER_ORD)
-                        {
-                        if (curr->active)
-                                {
-                                ll_append_tail(&head, curr, &tail);
-                                }
-                        }
-                else if (rule == CIPHER_DEL)
-                        curr->active = 0;
-                else if (rule == CIPHER_KILL)
-                        {
-                        if (head == curr)
-                                head = curr->next;
-                        else
-                                curr->prev->next = curr->next;
-                        if (tail == curr)
-                                tail = curr->prev;
-                        curr->active = 0;
-                        if (curr->next != NULL)
-                                curr->next->prev = curr->prev;
-                        if (curr->prev != NULL)
-                                curr->prev->next = curr->next;
-                        curr->next = NULL;
-                        curr->prev = NULL;
-                        }
-                }
-        *head_p = head;
-        *tail_p = tail;
-        }
-static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list,
-                                    CIPHER_ORDER **head_p,
-                                    CIPHER_ORDER **tail_p)
-        {
-        int max_strength_bits, i, *number_uses;
-        CIPHER_ORDER *curr;
-        /*
-         * This routine sorts the ciphers with descending strength. The sorting
-         * must keep the pre-sorted sequence, so we apply the normal sorting
-         * routine as '+' movement to the end of the list.
-         */
-        max_strength_bits = 0;
-        curr = *head_p;
-        while (curr != NULL)
-                {
-                if (curr->active &&
-                    (curr->cipher->strength_bits > max_strength_bits))
-                    max_strength_bits = curr->cipher->strength_bits;
-                curr = curr->next;
-                }
-        number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
-        if (!number_uses)
-        {
-                SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE);
-                return(0);
-        }
-        memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
-        /*
-         * Now find the strength_bits values actually used
-         */
-        curr = *head_p;
-        while (curr != NULL)
-                {
-                if (curr->active)
-                        number_uses[curr->cipher->strength_bits]++;
-                curr = curr->next;
-                }
-        /*
-         * Go through the list of used strength_bits values in descending
-         * order.
-         */
-        for (i = max_strength_bits; i >= 0; i--)
-                if (number_uses[i] > 0)
-                        ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i,
-                                        co_list, head_p, tail_p);
-        OPENSSL_free(number_uses);
-        return(1);
-        }
-static int ssl_cipher_process_rulestr(const char *rule_str,
-                CIPHER_ORDER *co_list, CIPHER_ORDER **head_p,
-                CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list)
-        {
-        unsigned long algorithms, mask, algo_strength, mask_strength;
-        const char *l, *start, *buf;
-        int j, multi, found, rule, retval, ok, buflen;
-        char ch;
-        retval = 1;
-        l = rule_str;
-        for (;;)
-                {
-                ch = *l;
-                if (ch == '\0')
-                        break;          /* done */
-                if (ch == '-')
-                        { rule = CIPHER_DEL; l++; }
-                else if (ch == '+')
-                        { rule = CIPHER_ORD; l++; }
-                else if (ch == '!')
-                        { rule = CIPHER_KILL; l++; }
-                else if (ch == '@')
-                        { rule = CIPHER_SPECIAL; l++; }
-                else
-                        { rule = CIPHER_ADD; }
-                if (ITEM_SEP(ch))
-                        {
-                        l++;
-                        continue;
-                        }
-                algorithms = mask = algo_strength = mask_strength = 0;
-                start=l;
-                for (;;)
-                        {
-                        ch = *l;
-                        buf = l;
-                        buflen = 0;
-#ifndef CHARSET_EBCDIC
-                        while ( ((ch >= 'A') && (ch <= 'Z')) ||
-                                ((ch >= '0') && (ch <= '9')) ||
-                                ((ch >= 'a') && (ch <= 'z')) ||
-                                 (ch == '-'))
-#else
-                        while ( isalnum(ch) || (ch == '-'))
-#endif
-                                 {
-                                 ch = *(++l);
-                                 buflen++;
-                                 }
-                        if (buflen == 0)
-                                {
-                                /*
-                                 * We hit something we cannot deal with,
-                                 * it is no command or separator nor
-                                 * alphanumeric, so we call this an error.
-                                 */
-                                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
-                                       SSL_R_INVALID_COMMAND);
-                                retval = found = 0;
-                                l++;
-                                break;
-                                }
-                        if (rule == CIPHER_SPECIAL)
-                                {
-                                found = 0; /* unused -- avoid compiler warning */
-                                break;  /* special treatment */
-                                }
-                        /* check for multi-part specification */
-                        if (ch == '+')
-                                {
-                                multi=1;
-                                l++;
-                                }
-                        else
-                                multi=0;
-                        /*
-                         * Now search for the cipher alias in the ca_list. Be careful
-                         * with the strncmp, because the "buflen" limitation
-                         * will make the rule "ADH:SOME" and the cipher
-                         * "ADH-MY-CIPHER" look like a match for buflen=3.
-                         * So additionally check whether the cipher name found
-                         * has the correct length. We can save a strlen() call:
-                         * just checking for the '\0' at the right place is
-                         * sufficient, we have to strncmp() anyway. (We cannot
-                         * use strcmp(), because buf is not '\0' terminated.)
-                         */
-                         j = found = 0;
-                         while (ca_list[j])
-                                {
-                                if (!strncmp(buf, ca_list[j]->name, buflen) &&
-                                    (ca_list[j]->name[buflen] == '\0'))
-                                        {
-                                        found = 1;
-                                        break;
-                                        }
-                                else
-                                        j++;
-                                }
-                        if (!found)
-                                break;  /* ignore this entry */
-                        /* New algorithms:
-                         *  1 - any old restrictions apply outside new mask
-                         *  2 - any new restrictions apply outside old mask
-                         *  3 - enforce old & new where masks intersect
-                         */
-                        algorithms = (algorithms & ~ca_list[j]->mask) |         /* 1 */
-                                     (ca_list[j]->algorithms & ~mask) |         /* 2 */
-                                     (algorithms & ca_list[j]->algorithms);     /* 3 */
-                        mask |= ca_list[j]->mask;
-                        algo_strength = (algo_strength & ~ca_list[j]->mask_strength) |
-                                        (ca_list[j]->algo_strength & ~mask_strength) |
-                                        (algo_strength & ca_list[j]->algo_strength);
-                        mask_strength |= ca_list[j]->mask_strength;
-                        if (!multi) break;
-                        }
-                /*
-                 * Ok, we have the rule, now apply it
-                 */
-                if (rule == CIPHER_SPECIAL)
-                        {       /* special command */
-                        ok = 0;
-                        if ((buflen == 8) &&
-                                !strncmp(buf, "STRENGTH", 8))
-                                ok = ssl_cipher_strength_sort(co_list,
-                                        head_p, tail_p);
-                        else
-                                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
-                                        SSL_R_INVALID_COMMAND);
-                        if (ok == 0)
-                                retval = 0;
-                        /*
-                         * We do not support any "multi" options
-                         * together with "@", so throw away the
-                         * rest of the command, if any left, until
-                         * end or ':' is found.
-                         */
-                        while ((*l != '\0') && ITEM_SEP(*l))
-                                l++;
-                        }
-                else if (found)
-                        {
-                        ssl_cipher_apply_rule(algorithms, mask,
-                                algo_strength, mask_strength, rule, -1,
-                                co_list, head_p, tail_p);
-                        }
-                else
-                        {
-                        while ((*l != '\0') && ITEM_SEP(*l))
-                                l++;
-                        }
-                if (*l == '\0') break; /* done */
-                }
-        return(retval);
-        }
-STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
-                STACK_OF(SSL_CIPHER) **cipher_list,
-                STACK_OF(SSL_CIPHER) **cipher_list_by_id,
-                const char *rule_str)
-        {
-        int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
-        unsigned long disabled_mask;
-        STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
-        const char *rule_p;
-        CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
-        SSL_CIPHER **ca_list = NULL;
-        /*
-         * Return with error if nothing to do.
-         */
-        if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
-                return NULL;
-        if (init_ciphers)
-                {
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL);
-                if (init_ciphers) load_ciphers();
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-                }
-        /*
-         * To reduce the work to do we only want to process the compiled
-         * in algorithms, so we first get the mask of disabled ciphers.
-         */
-        disabled_mask = ssl_cipher_get_disabled();
-        /*
-         * Now we have to collect the available ciphers from the compiled
-         * in ciphers. We cannot get more than the number compiled in, so
-         * it is used for allocation.
-         */
-        num_of_ciphers = ssl_method->num_ciphers();
-#ifdef KSSL_DEBUG
-        printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
-#endif    /* KSSL_DEBUG */
-        co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
-        if (co_list == NULL)
-                {
-                SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
-                return(NULL);   /* Failure */
-                }
-        ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask,
-                                   co_list, &head, &tail);
-        /*
-         * We also need cipher aliases for selecting based on the rule_str.
-         * There might be two types of entries in the rule_str: 1) names
-         * of ciphers themselves 2) aliases for groups of ciphers.
-         * For 1) we need the available ciphers and for 2) the cipher
-         * groups of cipher_aliases added together in one list (otherwise
-         * we would be happy with just the cipher_aliases table).
-         */
-        num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
-        num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
-        ca_list =
-                (SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
-        if (ca_list == NULL)
-                {
-                OPENSSL_free(co_list);
-                SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
-                return(NULL);   /* Failure */
-                }
-        ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask,
-                                   head);
-        /*
-         * If the rule_string begins with DEFAULT, apply the default rule
-         * before using the (possibly available) additional rules.
-         */
-        ok = 1;
-        rule_p = rule_str;
-        if (strncmp(rule_str,"DEFAULT",7) == 0)
-                {
-                ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
-                        co_list, &head, &tail, ca_list);
-                rule_p += 7;
-                if (*rule_p == ':')
-                        rule_p++;
-                }
-        if (ok && (strlen(rule_p) > 0))
-                ok = ssl_cipher_process_rulestr(rule_p, co_list, &head, &tail,
-                                                ca_list);
-        OPENSSL_free(ca_list);  /* Not needed anymore */
-        if (!ok)
-                {       /* Rule processing failure */
-                OPENSSL_free(co_list);
-                return(NULL);
-                }
-        /*
-         * Allocate new "cipherstack" for the result, return with error
-         * if we cannot get one.
-         */
-        if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
-                {
-                OPENSSL_free(co_list);
-                return(NULL);
-                }
-        /*
-         * The cipher selection for the list is done. The ciphers are added
-         * to the resulting precedence to the STACK_OF(SSL_CIPHER).
-         */
-        for (curr = head; curr != NULL; curr = curr->next)
-                {
-#ifdef OPENSSL_FIPS
-                if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
-#else
-                if (curr->active)
-#endif
-                        {
-                        sk_SSL_CIPHER_push(cipherstack, curr->cipher);
-#ifdef CIPHER_DEBUG
-                        printf("<%s>\n",curr->cipher->name);
-#endif
-                        }
-                }
-        OPENSSL_free(co_list);  /* Not needed any longer */
-        tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
-        if (tmp_cipher_list == NULL)
-                {
-                sk_SSL_CIPHER_free(cipherstack);
-                return NULL;
-                }
-        if (*cipher_list != NULL)
-                sk_SSL_CIPHER_free(*cipher_list);
-        *cipher_list = cipherstack;
-        if (*cipher_list_by_id != NULL)
-                sk_SSL_CIPHER_free(*cipher_list_by_id);
-        *cipher_list_by_id = tmp_cipher_list;
-        sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
-        return(cipherstack);
-        }
-char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
-        {
-        int is_export,pkl,kl;
-        char *ver,*exp_str;
-        char *kx,*au,*enc,*mac;
-        unsigned long alg,alg2,alg_s;
-#ifdef KSSL_DEBUG
-        static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n";
-#else
-        static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
-#endif /* KSSL_DEBUG */
-        alg=cipher->algorithms;
-        alg_s=cipher->algo_strength;
-        alg2=cipher->algorithm2;
-        is_export=SSL_C_IS_EXPORT(cipher);
-        pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
-        kl=SSL_C_EXPORT_KEYLENGTH(cipher);
-        exp_str=is_export?" export":"";
-        if (alg & SSL_SSLV2)
-                ver="SSLv2";
-        else if (alg & SSL_SSLV3)
-                ver="SSLv3";
-        else
-                ver="unknown";
-        switch (alg&SSL_MKEY_MASK)
-                {
-        case SSL_kRSA:
-                kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA";
-                break;
-        case SSL_kDHr:
-                kx="DH/RSA";
-                break;
-        case SSL_kDHd:
-                kx="DH/DSS";
-                break;
-        case SSL_kKRB5:         /* VRS */
-        case SSL_KRB5:          /* VRS */
-            kx="KRB5";
-            break;
-        case SSL_kFZA:
-                kx="Fortezza";
-                break;
-        case SSL_kEDH:
-                kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
-                break;
-        default:
-                kx="unknown";
-                }
-        switch (alg&SSL_AUTH_MASK)
-                {
-        case SSL_aRSA:
-                au="RSA";
-                break;
-        case SSL_aDSS:
-                au="DSS";
-                break;
-        case SSL_aDH:
-                au="DH";
-                break;
-        case SSL_aKRB5:         /* VRS */
-        case SSL_KRB5:          /* VRS */
-            au="KRB5";
-            break;
-        case SSL_aFZA:
-        case SSL_aNULL:
-                au="None";
-                break;
-        default:
-                au="unknown";
-                break;
-                }
-        switch (alg&SSL_ENC_MASK)
-                {
-        case SSL_DES:
-                enc=(is_export && kl == 5)?"DES(40)":"DES(56)";
-                break;
-        case SSL_3DES:
-                enc="3DES(168)";
-                break;
-        case SSL_RC4:
-                enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
-                  :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
-                break;
-        case SSL_RC2:
-                enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
-                break;
-        case SSL_IDEA:
-                enc="IDEA(128)";
-                break;
-        case SSL_eFZA:
-                enc="Fortezza";
-                break;
-        case SSL_eNULL:
-                enc="None";
-                break;
-        case SSL_AES:
-                switch(cipher->strength_bits)
-                        {
-                case 128: enc="AES(128)"; break;
-                case 192: enc="AES(192)"; break;
-                case 256: enc="AES(256)"; break;
-                default: enc="AES(?""?""?)"; break;
-                        }
-                break;
-        default:
-                enc="unknown";
-                break;
-                }
-        switch (alg&SSL_MAC_MASK)
-                {
-        case SSL_MD5:
-                mac="MD5";
-                break;
-        case SSL_SHA1:
-                mac="SHA1";
-                break;
-        default:
-                mac="unknown";
-                break;
-                }
-        if (buf == NULL)
-                {
-                len=128;
-                buf=OPENSSL_malloc(len);
-                if (buf == NULL) return("OPENSSL_malloc Error");
-                }
-        else if (len < 128)
-                return("Buffer too small");
-#ifdef KSSL_DEBUG
-        BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg);
-#else
-        BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str);
-#endif /* KSSL_DEBUG */
-        return(buf);
-        }
-char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
-        {
-        int i;
-        if (c == NULL) return("(NONE)");
-        i=(int)(c->id>>24L);
-        if (i == 3)
-                return("TLSv1/SSLv3");
-        else if (i == 2)
-                return("SSLv2");
-        else
-                return("unknown");
-        }
-/* return the actual cipher being used */
-const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
-        {
-        if (c != NULL)
-                return(c->name);
-        return("(NONE)");
-        }
-/* number of bits for symmetric cipher */
-int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
-        {
-        int ret=0;
-        if (c != NULL)
-                {
-                if (alg_bits != NULL) *alg_bits = c->alg_bits;
-                ret = c->strength_bits;
-                }
-        return(ret);
-        }
-SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
-        {
-        SSL_COMP *ctmp;
-        int i,nn;
-        if ((n == 0) || (sk == NULL)) return(NULL);
-        nn=sk_SSL_COMP_num(sk);
-        for (i=0; i<nn; i++)
-                {
-                ctmp=sk_SSL_COMP_value(sk,i);
-                if (ctmp->id == n)
-                        return(ctmp);
-                }
-        return(NULL);
-        }
-static int sk_comp_cmp(const SSL_COMP * const *a,
-                        const SSL_COMP * const *b)
-        {
-        return((*a)->id-(*b)->id);
-        }
-STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
-        {
-        return(ssl_comp_methods);
-        }
-int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
-        {
-        SSL_COMP *comp;
-        STACK_OF(SSL_COMP) *sk;
-        if (cm == NULL || cm->type == NID_undef)
-                return 1;
-        MemCheck_off();
-        comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
-        comp->id=id;
-        comp->method=cm;
-        if (ssl_comp_methods == NULL)
-                sk=ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
-        else
-                sk=ssl_comp_methods;
-        if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp))
-                {
-                MemCheck_on();
-                SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
-                return(1);
-                }
-        else
-                {
-                MemCheck_on();
-                return(0);
-                }
-        }
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
deleted file mode 100644
index 4bcf591298..0000000000
--- a/src/lib/libssl/ssl_err.c
+++ /dev/null
@@ -1,462 +0,0 @@
-/* ssl/ssl_err.c */
-/* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-#include <stdio.h>
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-/* BEGIN ERROR CODES */
-#ifndef OPENSSL_NO_ERR
-#define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0)
-#define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason)
-static ERR_STRING_DATA SSL_str_functs[]=
-        {
-{ERR_FUNC(SSL_F_CLIENT_CERTIFICATE),    "CLIENT_CERTIFICATE"},
-{ERR_FUNC(SSL_F_CLIENT_FINISHED),       "CLIENT_FINISHED"},
-{ERR_FUNC(SSL_F_CLIENT_HELLO),  "CLIENT_HELLO"},
-{ERR_FUNC(SSL_F_CLIENT_MASTER_KEY),     "CLIENT_MASTER_KEY"},
-{ERR_FUNC(SSL_F_D2I_SSL_SESSION),       "d2i_SSL_SESSION"},
-{ERR_FUNC(SSL_F_DO_SSL3_WRITE), "DO_SSL3_WRITE"},
-{ERR_FUNC(SSL_F_GET_CLIENT_FINISHED),   "GET_CLIENT_FINISHED"},
-{ERR_FUNC(SSL_F_GET_CLIENT_HELLO),      "GET_CLIENT_HELLO"},
-{ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY), "GET_CLIENT_MASTER_KEY"},
-{ERR_FUNC(SSL_F_GET_SERVER_FINISHED),   "GET_SERVER_FINISHED"},
-{ERR_FUNC(SSL_F_GET_SERVER_HELLO),      "GET_SERVER_HELLO"},
-{ERR_FUNC(SSL_F_GET_SERVER_VERIFY),     "GET_SERVER_VERIFY"},
-{ERR_FUNC(SSL_F_I2D_SSL_SESSION),       "i2d_SSL_SESSION"},
-{ERR_FUNC(SSL_F_READ_N),        "READ_N"},
-{ERR_FUNC(SSL_F_REQUEST_CERTIFICATE),   "REQUEST_CERTIFICATE"},
-{ERR_FUNC(SSL_F_SERVER_FINISH), "SERVER_FINISH"},
-{ERR_FUNC(SSL_F_SERVER_HELLO),  "SERVER_HELLO"},
-{ERR_FUNC(SSL_F_SERVER_VERIFY), "SERVER_VERIFY"},
-{ERR_FUNC(SSL_F_SSL23_ACCEPT),  "SSL23_ACCEPT"},
-{ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO),    "SSL23_CLIENT_HELLO"},
-{ERR_FUNC(SSL_F_SSL23_CONNECT), "SSL23_CONNECT"},
-{ERR_FUNC(SSL_F_SSL23_GET_CLIENT_HELLO),        "SSL23_GET_CLIENT_HELLO"},
-{ERR_FUNC(SSL_F_SSL23_GET_SERVER_HELLO),        "SSL23_GET_SERVER_HELLO"},
-{ERR_FUNC(SSL_F_SSL23_PEEK),    "SSL23_PEEK"},
-{ERR_FUNC(SSL_F_SSL23_READ),    "SSL23_READ"},
-{ERR_FUNC(SSL_F_SSL23_WRITE),   "SSL23_WRITE"},
-{ERR_FUNC(SSL_F_SSL2_ACCEPT),   "SSL2_ACCEPT"},
-{ERR_FUNC(SSL_F_SSL2_CONNECT),  "SSL2_CONNECT"},
-{ERR_FUNC(SSL_F_SSL2_ENC_INIT), "SSL2_ENC_INIT"},
-{ERR_FUNC(SSL_F_SSL2_GENERATE_KEY_MATERIAL),    "SSL2_GENERATE_KEY_MATERIAL"},
-{ERR_FUNC(SSL_F_SSL2_PEEK),     "SSL2_PEEK"},
-{ERR_FUNC(SSL_F_SSL2_READ),     "SSL2_READ"},
-{ERR_FUNC(SSL_F_SSL2_READ_INTERNAL),    "SSL2_READ_INTERNAL"},
-{ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE),  "SSL2_SET_CERTIFICATE"},
-{ERR_FUNC(SSL_F_SSL2_WRITE),    "SSL2_WRITE"},
-{ERR_FUNC(SSL_F_SSL3_ACCEPT),   "SSL3_ACCEPT"},
-{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL),    "SSL3_CALLBACK_CTRL"},
-{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE),      "SSL3_CHANGE_CIPHER_STATE"},
-{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
-{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO),     "SSL3_CLIENT_HELLO"},
-{ERR_FUNC(SSL_F_SSL3_CONNECT),  "SSL3_CONNECT"},
-{ERR_FUNC(SSL_F_SSL3_CTRL),     "SSL3_CTRL"},
-{ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
-{ERR_FUNC(SSL_F_SSL3_ENC),      "SSL3_ENC"},
-{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK),       "SSL3_GENERATE_KEY_BLOCK"},
-{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST),  "SSL3_GET_CERTIFICATE_REQUEST"},
-{ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY),  "SSL3_GET_CERT_VERIFY"},
-{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE),   "SSL3_GET_CLIENT_CERTIFICATE"},
-{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"},
-{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE),  "SSL3_GET_CLIENT_KEY_EXCHANGE"},
-{ERR_FUNC(SSL_F_SSL3_GET_FINISHED),     "SSL3_GET_FINISHED"},
-{ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"},
-{ERR_FUNC(SSL_F_SSL3_GET_MESSAGE),      "SSL3_GET_MESSAGE"},
-{ERR_FUNC(SSL_F_SSL3_GET_RECORD),       "SSL3_GET_RECORD"},
-{ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE),   "SSL3_GET_SERVER_CERTIFICATE"},
-{ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE),  "SSL3_GET_SERVER_DONE"},
-{ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO), "SSL3_GET_SERVER_HELLO"},
-{ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN),        "SSL3_OUTPUT_CERT_CHAIN"},
-{ERR_FUNC(SSL_F_SSL3_PEEK),     "SSL3_PEEK"},
-{ERR_FUNC(SSL_F_SSL3_READ_BYTES),       "SSL3_READ_BYTES"},
-{ERR_FUNC(SSL_F_SSL3_READ_N),   "SSL3_READ_N"},
-{ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"},
-{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE),  "SSL3_SEND_CLIENT_CERTIFICATE"},
-{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"},
-{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY),       "SSL3_SEND_CLIENT_VERIFY"},
-{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_CERTIFICATE),  "SSL3_SEND_SERVER_CERTIFICATE"},
-{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_HELLO),        "SSL3_SEND_SERVER_HELLO"},
-{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE), "SSL3_SEND_SERVER_KEY_EXCHANGE"},
-{ERR_FUNC(SSL_F_SSL3_SETUP_BUFFERS),    "SSL3_SETUP_BUFFERS"},
-{ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK),  "SSL3_SETUP_KEY_BLOCK"},
-{ERR_FUNC(SSL_F_SSL3_WRITE_BYTES),      "SSL3_WRITE_BYTES"},
-{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING),    "SSL3_WRITE_PENDING"},
-{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK),    "SSL_add_dir_cert_subjects_to_stack"},
-{ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK),   "SSL_add_file_cert_subjects_to_stack"},
-{ERR_FUNC(SSL_F_SSL_BAD_METHOD),        "SSL_BAD_METHOD"},
-{ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST),      "SSL_BYTES_TO_CIPHER_LIST"},
-{ERR_FUNC(SSL_F_SSL_CERT_DUP),  "SSL_CERT_DUP"},
-{ERR_FUNC(SSL_F_SSL_CERT_INST), "SSL_CERT_INST"},
-{ERR_FUNC(SSL_F_SSL_CERT_INSTANTIATE),  "SSL_CERT_INSTANTIATE"},
-{ERR_FUNC(SSL_F_SSL_CERT_NEW),  "SSL_CERT_NEW"},
-{ERR_FUNC(SSL_F_SSL_CHECK_PRIVATE_KEY), "SSL_check_private_key"},
-{ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR),    "SSL_CIPHER_PROCESS_RULESTR"},
-{ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT),      "SSL_CIPHER_STRENGTH_SORT"},
-{ERR_FUNC(SSL_F_SSL_CLEAR),     "SSL_clear"},
-{ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD),       "SSL_COMP_add_compression_method"},
-{ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST),        "SSL_CREATE_CIPHER_LIST"},
-{ERR_FUNC(SSL_F_SSL_CTRL),      "SSL_ctrl"},
-{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY),     "SSL_CTX_check_private_key"},
-{ERR_FUNC(SSL_F_SSL_CTX_NEW),   "SSL_CTX_new"},
-{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST),       "SSL_CTX_set_cipher_list"},
-{ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE),   "SSL_CTX_set_purpose"},
-{ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT),        "SSL_CTX_set_session_id_context"},
-{ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION),       "SSL_CTX_set_ssl_version"},
-{ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST),     "SSL_CTX_set_trust"},
-{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE),       "SSL_CTX_use_certificate"},
-{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1),  "SSL_CTX_use_certificate_ASN1"},
-{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE),    "SSL_CTX_use_certificate_chain_file"},
-{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE),  "SSL_CTX_use_certificate_file"},
-{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY),        "SSL_CTX_use_PrivateKey"},
-{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1),   "SSL_CTX_use_PrivateKey_ASN1"},
-{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE),   "SSL_CTX_use_PrivateKey_file"},
-{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY),     "SSL_CTX_use_RSAPrivateKey"},
-{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1),        "SSL_CTX_use_RSAPrivateKey_ASN1"},
-{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE),        "SSL_CTX_use_RSAPrivateKey_file"},
-{ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE),      "SSL_do_handshake"},
-{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION),   "SSL_GET_NEW_SESSION"},
-{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION),  "SSL_GET_PREV_SESSION"},
-{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT),      "SSL_GET_SERVER_SEND_CERT"},
-{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY),     "SSL_GET_SIGN_PKEY"},
-{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER),  "SSL_INIT_WBIO_BUFFER"},
-{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE),       "SSL_load_client_CA_file"},
-{ERR_FUNC(SSL_F_SSL_NEW),       "SSL_new"},
-{ERR_FUNC(SSL_F_SSL_READ),      "SSL_read"},
-{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT),       "SSL_RSA_PRIVATE_DECRYPT"},
-{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT),        "SSL_RSA_PUBLIC_ENCRYPT"},
-{ERR_FUNC(SSL_F_SSL_SESSION_NEW),       "SSL_SESSION_new"},
-{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP),  "SSL_SESSION_print_fp"},
-{ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW),     "SSL_SESS_CERT_NEW"},
-{ERR_FUNC(SSL_F_SSL_SET_CERT),  "SSL_SET_CERT"},
-{ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST),   "SSL_set_cipher_list"},
-{ERR_FUNC(SSL_F_SSL_SET_FD),    "SSL_set_fd"},
-{ERR_FUNC(SSL_F_SSL_SET_PKEY),  "SSL_SET_PKEY"},
-{ERR_FUNC(SSL_F_SSL_SET_PURPOSE),       "SSL_set_purpose"},
-{ERR_FUNC(SSL_F_SSL_SET_RFD),   "SSL_set_rfd"},
-{ERR_FUNC(SSL_F_SSL_SET_SESSION),       "SSL_set_session"},
-{ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT),    "SSL_set_session_id_context"},
-{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
-{ERR_FUNC(SSL_F_SSL_SET_WFD),   "SSL_set_wfd"},
-{ERR_FUNC(SSL_F_SSL_SHUTDOWN),  "SSL_shutdown"},
-{ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION),  "SSL_UNDEFINED_CONST_FUNCTION"},
-{ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION),        "SSL_UNDEFINED_FUNCTION"},
-{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE),   "SSL_use_certificate"},
-{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1),      "SSL_use_certificate_ASN1"},
-{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE),      "SSL_use_certificate_file"},
-{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY),    "SSL_use_PrivateKey"},
-{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1),       "SSL_use_PrivateKey_ASN1"},
-{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE),       "SSL_use_PrivateKey_file"},
-{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
-{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1),    "SSL_use_RSAPrivateKey_ASN1"},
-{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE),    "SSL_use_RSAPrivateKey_file"},
-{ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"},
-{ERR_FUNC(SSL_F_SSL_WRITE),     "SSL_write"},
-{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE),      "TLS1_CHANGE_CIPHER_STATE"},
-{ERR_FUNC(SSL_F_TLS1_ENC),      "TLS1_ENC"},
-{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK),  "TLS1_SETUP_KEY_BLOCK"},
-{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
-{0,NULL}
-        };
-static ERR_STRING_DATA SSL_str_reasons[]=
-        {
-{ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) ,"app data in handshake"},
-{ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),"attempt to reuse session in different context"},
-{ERR_REASON(SSL_R_BAD_ALERT_RECORD)      ,"bad alert record"},
-{ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"},
-{ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"},
-{ERR_REASON(SSL_R_BAD_CHECKSUM)          ,"bad checksum"},
-{ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),"bad data returned by callback"},
-{ERR_REASON(SSL_R_BAD_DECOMPRESSION)     ,"bad decompression"},
-{ERR_REASON(SSL_R_BAD_DH_G_LENGTH)       ,"bad dh g length"},
-{ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH) ,"bad dh pub key length"},
-{ERR_REASON(SSL_R_BAD_DH_P_LENGTH)       ,"bad dh p length"},
-{ERR_REASON(SSL_R_BAD_DIGEST_LENGTH)     ,"bad digest length"},
-{ERR_REASON(SSL_R_BAD_DSA_SIGNATURE)     ,"bad dsa signature"},
-{ERR_REASON(SSL_R_BAD_HELLO_REQUEST)     ,"bad hello request"},
-{ERR_REASON(SSL_R_BAD_LENGTH)            ,"bad length"},
-{ERR_REASON(SSL_R_BAD_MAC_DECODE)        ,"bad mac decode"},
-{ERR_REASON(SSL_R_BAD_MESSAGE_TYPE)      ,"bad message type"},
-{ERR_REASON(SSL_R_BAD_PACKET_LENGTH)     ,"bad packet length"},
-{ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER),"bad protocol version number"},
-{ERR_REASON(SSL_R_BAD_RESPONSE_ARGUMENT) ,"bad response argument"},
-{ERR_REASON(SSL_R_BAD_RSA_DECRYPT)       ,"bad rsa decrypt"},
-{ERR_REASON(SSL_R_BAD_RSA_ENCRYPT)       ,"bad rsa encrypt"},
-{ERR_REASON(SSL_R_BAD_RSA_E_LENGTH)      ,"bad rsa e length"},
-{ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH),"bad rsa modulus length"},
-{ERR_REASON(SSL_R_BAD_RSA_SIGNATURE)     ,"bad rsa signature"},
-{ERR_REASON(SSL_R_BAD_SIGNATURE)         ,"bad signature"},
-{ERR_REASON(SSL_R_BAD_SSL_FILETYPE)      ,"bad ssl filetype"},
-{ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"},
-{ERR_REASON(SSL_R_BAD_STATE)             ,"bad state"},
-{ERR_REASON(SSL_R_BAD_WRITE_RETRY)       ,"bad write retry"},
-{ERR_REASON(SSL_R_BIO_NOT_SET)           ,"bio not set"},
-{ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"},
-{ERR_REASON(SSL_R_BN_LIB)                ,"bn lib"},
-{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"},
-{ERR_REASON(SSL_R_CA_DN_TOO_LONG)        ,"ca dn too long"},
-{ERR_REASON(SSL_R_CCS_RECEIVED_EARLY)    ,"ccs received early"},
-{ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"},
-{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH)  ,"cert length mismatch"},
-{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"},
-{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"},
-{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"},
-{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
-{ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},
-{ERR_REASON(SSL_R_COMPRESSION_FAILURE)   ,"compression failure"},
-{ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
-{ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"},
-{ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"},
-{ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"},
-{ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG)  ,"data length too long"},
-{ERR_REASON(SSL_R_DECRYPTION_FAILED)     ,"decryption failed"},
-{ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
-{ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
-{ERR_REASON(SSL_R_DIGEST_CHECK_FAILED)   ,"digest check failed"},
-{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"},
-{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"},
-{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"},
-{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"},
-{ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"},
-{ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"},
-{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST)   ,"https proxy request"},
-{ERR_REASON(SSL_R_HTTP_REQUEST)          ,"http request"},
-{ERR_REASON(SSL_R_ILLEGAL_PADDING)       ,"illegal padding"},
-{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
-{ERR_REASON(SSL_R_INVALID_COMMAND)       ,"invalid command"},
-{ERR_REASON(SSL_R_INVALID_PURPOSE)       ,"invalid purpose"},
-{ERR_REASON(SSL_R_INVALID_TRUST)         ,"invalid trust"},
-{ERR_REASON(SSL_R_KEY_ARG_TOO_LONG)      ,"key arg too long"},
-{ERR_REASON(SSL_R_KRB5)                  ,"krb5"},
-{ERR_REASON(SSL_R_KRB5_C_CC_PRINC)       ,"krb5 client cc principal (no tkt?)"},
-{ERR_REASON(SSL_R_KRB5_C_GET_CRED)       ,"krb5 client get cred"},
-{ERR_REASON(SSL_R_KRB5_C_INIT)           ,"krb5 client init"},
-{ERR_REASON(SSL_R_KRB5_C_MK_REQ)         ,"krb5 client mk_req (expired tkt?)"},
-{ERR_REASON(SSL_R_KRB5_S_BAD_TICKET)     ,"krb5 server bad ticket"},
-{ERR_REASON(SSL_R_KRB5_S_INIT)           ,"krb5 server init"},
-{ERR_REASON(SSL_R_KRB5_S_RD_REQ)         ,"krb5 server rd_req (keytab perms?)"},
-{ERR_REASON(SSL_R_KRB5_S_TKT_EXPIRED)    ,"krb5 server tkt expired"},
-{ERR_REASON(SSL_R_KRB5_S_TKT_NYV)        ,"krb5 server tkt not yet valid"},
-{ERR_REASON(SSL_R_KRB5_S_TKT_SKEW)       ,"krb5 server tkt skew"},
-{ERR_REASON(SSL_R_LENGTH_MISMATCH)       ,"length mismatch"},
-{ERR_REASON(SSL_R_LENGTH_TOO_SHORT)      ,"length too short"},
-{ERR_REASON(SSL_R_LIBRARY_BUG)           ,"library bug"},
-{ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS),"library has no ciphers"},
-{ERR_REASON(SSL_R_MESSAGE_TOO_LONG)      ,"message too long"},
-{ERR_REASON(SSL_R_MISSING_DH_DSA_CERT)   ,"missing dh dsa cert"},
-{ERR_REASON(SSL_R_MISSING_DH_KEY)        ,"missing dh key"},
-{ERR_REASON(SSL_R_MISSING_DH_RSA_CERT)   ,"missing dh rsa cert"},
-{ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"},
-{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"},
-{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"},
-{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},
-{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),"missing rsa encrypting cert"},
-{ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT),"missing rsa signing cert"},
-{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY)    ,"missing tmp dh key"},
-{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY)   ,"missing tmp rsa key"},
-{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY)  ,"missing tmp rsa pkey"},
-{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
-{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
-{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
-{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
-{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},
-{ERR_REASON(SSL_R_NO_CERTIFICATE_SET)    ,"no certificate set"},
-{ERR_REASON(SSL_R_NO_CERTIFICATE_SPECIFIED),"no certificate specified"},
-{ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE)  ,"no ciphers available"},
-{ERR_REASON(SSL_R_NO_CIPHERS_PASSED)     ,"no ciphers passed"},
-{ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED)  ,"no ciphers specified"},
-{ERR_REASON(SSL_R_NO_CIPHER_LIST)        ,"no cipher list"},
-{ERR_REASON(SSL_R_NO_CIPHER_MATCH)       ,"no cipher match"},
-{ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"},
-{ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
-{ERR_REASON(SSL_R_NO_METHOD_SPECIFIED)   ,"no method specified"},
-{ERR_REASON(SSL_R_NO_PRIVATEKEY)         ,"no privatekey"},
-{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
-{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
-{ERR_REASON(SSL_R_NO_PUBLICKEY)          ,"no publickey"},
-{ERR_REASON(SSL_R_NO_SHARED_CIPHER)      ,"no shared cipher"},
-{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK)    ,"no verify callback"},
-{ERR_REASON(SSL_R_NULL_SSL_CTX)          ,"null ssl ctx"},
-{ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
-{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
-{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
-{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
-{ERR_REASON(SSL_R_PATH_TOO_LONG)         ,"path too long"},
-{ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},
-{ERR_REASON(SSL_R_PEER_ERROR)            ,"peer error"},
-{ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE),"peer error certificate"},
-{ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE),"peer error no certificate"},
-{ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER)  ,"peer error no cipher"},
-{ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE),"peer error unsupported certificate type"},
-{ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG),"pre mac length too long"},
-{ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS),"problems mapping cipher functions"},
-{ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN)  ,"protocol is shutdown"},
-{ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR),"public key encrypt error"},
-{ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) ,"public key is not rsa"},
-{ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA)    ,"public key not rsa"},
-{ERR_REASON(SSL_R_READ_BIO_NOT_SET)      ,"read bio not set"},
-{ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE),"read wrong packet type"},
-{ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},
-{ERR_REASON(SSL_R_RECORD_TOO_LARGE)      ,"record too large"},
-{ERR_REASON(SSL_R_RECORD_TOO_SMALL)      ,"record too small"},
-{ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
-{ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
-{ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
-{ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
-{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
-{ERR_REASON(SSL_R_SHORT_READ)            ,"short read"},
-{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
-{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"},
-{ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG),"ssl2 connection id too long"},
-{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG),"ssl3 session id too long"},
-{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT),"ssl3 session id too short"},
-{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),"sslv3 alert bad certificate"},
-{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),"sslv3 alert bad record mac"},
-{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED),"sslv3 alert certificate expired"},
-{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED),"sslv3 alert certificate revoked"},
-{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN),"sslv3 alert certificate unknown"},
-{ERR_REASON(SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE),"sslv3 alert decompression failure"},
-{ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE),"sslv3 alert handshake failure"},
-{ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER),"sslv3 alert illegal parameter"},
-{ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE),"sslv3 alert no certificate"},
-{ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE),"sslv3 alert unexpected message"},
-{ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),"sslv3 alert unsupported certificate"},
-{ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),"ssl ctx has no default ssl version"},
-{ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE) ,"ssl handshake failure"},
-{ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS),"ssl library has no ciphers"},
-{ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED),"ssl session id callback failed"},
-{ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT),"ssl session id conflict"},
-{ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),"ssl session id context too long"},
-{ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),"ssl session id has bad length"},
-{ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT),"ssl session id is different"},
-{ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),"tlsv1 alert access denied"},
-{ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR),"tlsv1 alert decode error"},
-{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
-{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
-{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
-{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
-{ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
-{ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
-{ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION),"tlsv1 alert protocol version"},
-{ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW),"tlsv1 alert record overflow"},
-{ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA),"tlsv1 alert unknown ca"},
-{ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED),"tlsv1 alert user cancelled"},
-{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
-{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},
-{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),"tls rsa encrypted value length is wrong"},
-{ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),"tried to use unsupported cipher"},
-{ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),"unable to decode dh certs"},
-{ERR_REASON(SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY),"unable to extract public key"},
-{ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),"unable to find dh parameters"},
-{ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),"unable to find public key parameters"},
-{ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),"unable to find ssl method"},
-{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES),"unable to load ssl2 md5 routines"},
-{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),"unable to load ssl3 md5 routines"},
-{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),"unable to load ssl3 sha1 routines"},
-{ERR_REASON(SSL_R_UNEXPECTED_MESSAGE)    ,"unexpected message"},
-{ERR_REASON(SSL_R_UNEXPECTED_RECORD)     ,"unexpected record"},
-{ERR_REASON(SSL_R_UNINITIALIZED)         ,"uninitialized"},
-{ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE)    ,"unknown alert type"},
-{ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"},
-{ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"},
-{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE)   ,"unknown cipher type"},
-{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),"unknown key exchange type"},
-{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE)     ,"unknown pkey type"},
-{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL)      ,"unknown protocol"},
-{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
-{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   ,"unknown ssl version"},
-{ERR_REASON(SSL_R_UNKNOWN_STATE)         ,"unknown state"},
-{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
-{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
-{ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL)  ,"unsupported protocol"},
-{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"},
-{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET)     ,"write bio not set"},
-{ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"},
-{ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE)    ,"wrong message type"},
-{ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS),"wrong number of key bits"},
-{ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
-{ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE)  ,"wrong signature size"},
-{ERR_REASON(SSL_R_WRONG_SSL_VERSION)     ,"wrong ssl version"},
-{ERR_REASON(SSL_R_WRONG_VERSION_NUMBER)  ,"wrong version number"},
-{ERR_REASON(SSL_R_X509_LIB)              ,"x509 lib"},
-{ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
-{0,NULL}
-        };
-#endif
-void ERR_load_SSL_strings(void)
-        {
-        static int init=1;
-        if (init)
-                {
-                init=0;
-#ifndef OPENSSL_NO_ERR
-                ERR_load_strings(0,SSL_str_functs);
-                ERR_load_strings(0,SSL_str_reasons);
-#endif
-                }
-        }
diff --git a/src/lib/libssl/ssl_err2.c b/src/lib/libssl/ssl_err2.c
deleted file mode 100644
index ea95a5f983..0000000000
--- a/src/lib/libssl/ssl_err2.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/* ssl/ssl_err2.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-void SSL_load_error_strings(void)
-        {
-#ifndef OPENSSL_NO_ERR
-        ERR_load_crypto_strings();
-        ERR_load_SSL_strings();
-#endif
-        }
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
deleted file mode 100644
index 0f4b7a475b..0000000000
--- a/src/lib/libssl/ssl_lib.c
+++ /dev/null
@@ -1,2355 +0,0 @@
-/*! \file ssl/ssl_lib.c
- *  \brief Version independent SSL functions.
- */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#ifdef REF_CHECK
-#  include <assert.h>
-#endif
-#include <stdio.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
-#include <openssl/objects.h>
-#include <openssl/lhash.h>
-#include <openssl/x509v3.h>
-#include <openssl/fips.h>
-const char *SSL_version_str=OPENSSL_VERSION_TEXT;
-SSL3_ENC_METHOD ssl3_undef_enc_method={
-        /* evil casts, but these functions are only called if there's a library bug */
-        (int (*)(SSL *,int))ssl_undefined_function,
-        (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
-        ssl_undefined_function,
-        (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
-        (int (*)(SSL*, int))ssl_undefined_function,
-        (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function
-        };
-int SSL_clear(SSL *s)
-        {
-        if (s->method == NULL)
-                {
-                SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED);
-                return(0);
-                }
-        if (ssl_clear_bad_session(s))
-                {
-                SSL_SESSION_free(s->session);
-                s->session=NULL;
-                }
-        s->error=0;
-        s->hit=0;
-        s->shutdown=0;
-#if 0 /* Disabled since version 1.10 of this file (early return not
-       * needed because SSL_clear is not called when doing renegotiation) */
-        /* This is set if we are doing dynamic renegotiation so keep
-         * the old cipher.  It is sort of a SSL_clear_lite :-) */
-        if (s->new_session) return(1);
-#else
-        if (s->new_session)
-                {
-                SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
-                return 0;
-                }
-#endif
-        s->type=0;
-        s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
-        s->version=s->method->version;
-        s->client_version=s->version;
-        s->rwstate=SSL_NOTHING;
-        s->rstate=SSL_ST_READ_HEADER;
-#if 0
-        s->read_ahead=s->ctx->read_ahead;
-#endif
-        if (s->init_buf != NULL)
-                {
-                BUF_MEM_free(s->init_buf);
-                s->init_buf=NULL;
-                }
-        ssl_clear_cipher_ctx(s);
-        s->first_packet=0;
-#if 1
-        /* Check to see if we were changed into a different method, if
-         * so, revert back if we are not doing session-id reuse. */
-        if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method))
-                {
-                s->method->ssl_free(s);
-                s->method=s->ctx->method;
-                if (!s->method->ssl_new(s))
-                        return(0);
-                }
-        else
-#endif
-                s->method->ssl_clear(s);
-        return(1);
-        }
-/** Used to change an SSL_CTXs default SSL method type */
-int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth)
-        {
-        STACK_OF(SSL_CIPHER) *sk;
-        ctx->method=meth;
-        sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
-                &(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST);
-        if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
-                {
-                SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
-                return(0);
-                }
-        return(1);
-        }
-SSL *SSL_new(SSL_CTX *ctx)
-        {
-        SSL *s;
-        if (ctx == NULL)
-                {
-                SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX);
-                return(NULL);
-                }
-        if (ctx->method == NULL)
-                {
-                SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
-                return(NULL);
-                }
-        s=(SSL *)OPENSSL_malloc(sizeof(SSL));
-        if (s == NULL) goto err;
-        memset(s,0,sizeof(SSL));
-#ifndef OPENSSL_NO_KRB5
-        s->kssl_ctx = kssl_ctx_new();
-#endif  /* OPENSSL_NO_KRB5 */
-        s->options=ctx->options;
-        s->mode=ctx->mode;
-        s->max_cert_list=ctx->max_cert_list;
-        if (ctx->cert != NULL)
-                {
-                /* Earlier library versions used to copy the pointer to
-                 * the CERT, not its contents; only when setting new
-                 * parameters for the per-SSL copy, ssl_cert_new would be
-                 * called (and the direct reference to the per-SSL_CTX
-                 * settings would be lost, but those still were indirectly
-                 * accessed for various purposes, and for that reason they
-                 * used to be known as s->ctx->default_cert).
-                 * Now we don't look at the SSL_CTX's CERT after having
-                 * duplicated it once. */
-                s->cert = ssl_cert_dup(ctx->cert);
-                if (s->cert == NULL)
-                        goto err;
-                }
-        else
-                s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
-        s->read_ahead=ctx->read_ahead;
-        s->msg_callback=ctx->msg_callback;
-        s->msg_callback_arg=ctx->msg_callback_arg;
-        s->verify_mode=ctx->verify_mode;
-        s->verify_depth=ctx->verify_depth;
-        s->sid_ctx_length=ctx->sid_ctx_length;
-        OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
-        memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
-        s->verify_callback=ctx->default_verify_callback;
-        s->generate_session_id=ctx->generate_session_id;
-        s->purpose = ctx->purpose;
-        s->trust = ctx->trust;
-        s->quiet_shutdown=ctx->quiet_shutdown;
-        CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
-        s->ctx=ctx;
-        s->verify_result=X509_V_OK;
-        s->method=ctx->method;
-        if (!s->method->ssl_new(s))
-                goto err;
-        s->references=1;
-        s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
-        SSL_clear(s);
-        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
-        return(s);
-err:
-        if (s != NULL)
-                {
-                if (s->cert != NULL)
-                        ssl_cert_free(s->cert);
-                if (s->ctx != NULL)
-                        SSL_CTX_free(s->ctx); /* decrement reference count */
-                OPENSSL_free(s);
-                }
-        SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
-        return(NULL);
-        }
-int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
-                                   unsigned int sid_ctx_len)
-    {
-    if(sid_ctx_len > sizeof ctx->sid_ctx)
-        {
-        SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
-        return 0;
-        }
-    ctx->sid_ctx_length=sid_ctx_len;
-    memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len);
-    return 1;
-    }
-int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
-                               unsigned int sid_ctx_len)
-    {
-    if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
-        {
-        SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
-        return 0;
-        }
-    ssl->sid_ctx_length=sid_ctx_len;
-    memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len);
-    return 1;
-    }
-int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
-        {
-        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-        ctx->generate_session_id = cb;
-        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
-        return 1;
-        }
-int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
-        {
-        CRYPTO_w_lock(CRYPTO_LOCK_SSL);
-        ssl->generate_session_id = cb;
-        CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-        return 1;
-        }
-int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
-                                unsigned int id_len)
-        {
-        /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
-         * we can "construct" a session to give us the desired check - ie. to
-         * find if there's a session in the hash table that would conflict with
-         * any new session built out of this id/id_len and the ssl_version in
-         * use by this SSL. */
-        SSL_SESSION r, *p;
-        if(id_len > sizeof r.session_id)
-                return 0;
-        r.ssl_version = ssl->version;
-        r.session_id_length = id_len;
-        memcpy(r.session_id, id, id_len);
-        /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a
-         * callback is calling us to check the uniqueness of a shorter ID, it
-         * must be compared as a padded-out ID because that is what it will be
-         * converted to when the callback has finished choosing it. */
-        if((r.ssl_version == SSL2_VERSION) &&
-                        (id_len < SSL2_SSL_SESSION_ID_LENGTH))
-                {
-                memset(r.session_id + id_len, 0,
-                        SSL2_SSL_SESSION_ID_LENGTH - id_len);
-                r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
-                }
-        CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
-        p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r);
-        CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-        return (p != NULL);
-        }
-int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
-        {
-        return X509_PURPOSE_set(&s->purpose, purpose);
-        }
-int SSL_set_purpose(SSL *s, int purpose)
-        {
-        return X509_PURPOSE_set(&s->purpose, purpose);
-        }
-int SSL_CTX_set_trust(SSL_CTX *s, int trust)
-        {
-        return X509_TRUST_set(&s->trust, trust);
-        }
-int SSL_set_trust(SSL *s, int trust)
-        {
-        return X509_TRUST_set(&s->trust, trust);
-        }
-void SSL_free(SSL *s)
-        {
-        int i;
-        if(s == NULL)
-            return;
-        i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL);
-#ifdef REF_PRINT
-        REF_PRINT("SSL",s);
-#endif
-        if (i > 0) return;
-#ifdef REF_CHECK
-        if (i < 0)
-                {
-                fprintf(stderr,"SSL_free, bad reference count\n");
-                abort(); /* ok */
-                }
-#endif
-        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
-        if (s->bbio != NULL)
-                {
-                /* If the buffering BIO is in place, pop it off */
-                if (s->bbio == s->wbio)
-                        {
-                        s->wbio=BIO_pop(s->wbio);
-                        }
-                BIO_free(s->bbio);
-                s->bbio=NULL;
-                }
-        if (s->rbio != NULL)
-                BIO_free_all(s->rbio);
-        if ((s->wbio != NULL) && (s->wbio != s->rbio))
-                BIO_free_all(s->wbio);
-        if (s->init_buf != NULL) BUF_MEM_free(s->init_buf);
-        /* add extra stuff */
-        if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list);
-        if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id);
-        /* Make the next call work :-) */
-        if (s->session != NULL)
-                {
-                ssl_clear_bad_session(s);
-                SSL_SESSION_free(s->session);
-                }
-        ssl_clear_cipher_ctx(s);
-        if (s->cert != NULL) ssl_cert_free(s->cert);
-        /* Free up if allocated */
-        if (s->ctx) SSL_CTX_free(s->ctx);
-        if (s->client_CA != NULL)
-                sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
-        if (s->method != NULL) s->method->ssl_free(s);
-#ifndef OPENSSL_NO_KRB5
-        if (s->kssl_ctx != NULL)
-                kssl_ctx_free(s->kssl_ctx);
-#endif  /* OPENSSL_NO_KRB5 */
-        OPENSSL_free(s);
-        }
-void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
-        {
-        /* If the output buffering BIO is still in place, remove it
-         */
-        if (s->bbio != NULL)
-                {
-                if (s->wbio == s->bbio)
-                        {
-                        s->wbio=s->wbio->next_bio;
-                        s->bbio->next_bio=NULL;
-                        }
-                }
-        if ((s->rbio != NULL) && (s->rbio != rbio))
-                BIO_free_all(s->rbio);
-        if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio))
-                BIO_free_all(s->wbio);
-        s->rbio=rbio;
-        s->wbio=wbio;
-        }
-BIO *SSL_get_rbio(const SSL *s)
-        { return(s->rbio); }
-BIO *SSL_get_wbio(const SSL *s)
-        { return(s->wbio); }
-int SSL_get_fd(const SSL *s)
-        {
-        return(SSL_get_rfd(s));
-        }
-int SSL_get_rfd(const SSL *s)
-        {
-        int ret= -1;
-        BIO *b,*r;
-        b=SSL_get_rbio(s);
-        r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
-        if (r != NULL)
-                BIO_get_fd(r,&ret);
-        return(ret);
-        }
-int SSL_get_wfd(const SSL *s)
-        {
-        int ret= -1;
-        BIO *b,*r;
-        b=SSL_get_wbio(s);
-        r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR);
-        if (r != NULL)
-                BIO_get_fd(r,&ret);
-        return(ret);
-        }
-#ifndef OPENSSL_NO_SOCK
-int SSL_set_fd(SSL *s,int fd)
-        {
-        int ret=0;
-        BIO *bio=NULL;
-        bio=BIO_new(BIO_s_socket());
-        if (bio == NULL)
-                {
-                SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB);
-                goto err;
-                }
-        BIO_set_fd(bio,fd,BIO_NOCLOSE);
-        SSL_set_bio(s,bio,bio);
-        ret=1;
-err:
-        return(ret);
-        }
-int SSL_set_wfd(SSL *s,int fd)
-        {
-        int ret=0;
-        BIO *bio=NULL;
-        if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
-                || ((int)BIO_get_fd(s->rbio,NULL) != fd))
-                {
-                bio=BIO_new(BIO_s_socket());
-                if (bio == NULL)
-                        { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; }
-                BIO_set_fd(bio,fd,BIO_NOCLOSE);
-                SSL_set_bio(s,SSL_get_rbio(s),bio);
-                }
-        else
-                SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s));
-        ret=1;
-err:
-        return(ret);
-        }
-int SSL_set_rfd(SSL *s,int fd)
-        {
-        int ret=0;
-        BIO *bio=NULL;
-        if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
-                || ((int)BIO_get_fd(s->wbio,NULL) != fd))
-                {
-                bio=BIO_new(BIO_s_socket());
-                if (bio == NULL)
-                        {
-                        SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB);
-                        goto err;
-                        }
-                BIO_set_fd(bio,fd,BIO_NOCLOSE);
-                SSL_set_bio(s,bio,SSL_get_wbio(s));
-                }
-        else
-                SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s));
-        ret=1;
-err:
-        return(ret);
-        }
-#endif
-/* return length of latest Finished message we sent, copy to 'buf' */
-size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
-        {
-        size_t ret = 0;
-        
-        if (s->s3 != NULL)
-                {
-                ret = s->s3->tmp.finish_md_len;
-                if (count > ret)
-                        count = ret;
-                memcpy(buf, s->s3->tmp.finish_md, count);
-                }
-        return ret;
-        }
-/* return length of latest Finished message we expected, copy to 'buf' */
-size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
-        {
-        size_t ret = 0;
-        
-        if (s->s3 != NULL)
-                {
-                ret = s->s3->tmp.peer_finish_md_len;
-                if (count > ret)
-                        count = ret;
-                memcpy(buf, s->s3->tmp.peer_finish_md, count);
-                }
-        return ret;
-        }
-int SSL_get_verify_mode(const SSL *s)
-        {
-        return(s->verify_mode);
-        }
-int SSL_get_verify_depth(const SSL *s)
-        {
-        return(s->verify_depth);
-        }
-int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
-        {
-        return(s->verify_callback);
-        }
-int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
-        {
-        return(ctx->verify_mode);
-        }
-int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
-        {
-        return(ctx->verify_depth);
-        }
-int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
-        {
-        return(ctx->default_verify_callback);
-        }
-void SSL_set_verify(SSL *s,int mode,
-                    int (*callback)(int ok,X509_STORE_CTX *ctx))
-        {
-        s->verify_mode=mode;
-        if (callback != NULL)
-                s->verify_callback=callback;
-        }
-void SSL_set_verify_depth(SSL *s,int depth)
-        {
-        s->verify_depth=depth;
-        }
-void SSL_set_read_ahead(SSL *s,int yes)
-        {
-        s->read_ahead=yes;
-        }
-int SSL_get_read_ahead(const SSL *s)
-        {
-        return(s->read_ahead);
-        }
-int SSL_pending(const SSL *s)
-        {
-        /* SSL_pending cannot work properly if read-ahead is enabled
-         * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
-         * and it is impossible to fix since SSL_pending cannot report
-         * errors that may be observed while scanning the new data.
-         * (Note that SSL_pending() is often used as a boolean value,
-         * so we'd better not return -1.)
-         */
-        return(s->method->ssl_pending(s));
-        }
-X509 *SSL_get_peer_certificate(const SSL *s)
-        {
-        X509 *r;
-        
-        if ((s == NULL) || (s->session == NULL))
-                r=NULL;
-        else
-                r=s->session->peer;
-        if (r == NULL) return(r);
-        CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509);
-        return(r);
-        }
-STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
-        {
-        STACK_OF(X509) *r;
-        
-        if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL))
-                r=NULL;
-        else
-                r=s->session->sess_cert->cert_chain;
-        /* If we are a client, cert_chain includes the peer's own
-         * certificate; if we are a server, it does not. */
-        
-        return(r);
-        }
-/* Now in theory, since the calling process own 't' it should be safe to
- * modify.  We need to be able to read f without being hassled */
-void SSL_copy_session_id(SSL *t,const SSL *f)
-        {
-        CERT *tmp;
-        /* Do we need to to SSL locking? */
-        SSL_set_session(t,SSL_get_session(f));
-        /* what if we are setup as SSLv2 but want to talk SSLv3 or
-         * vice-versa */
-        if (t->method != f->method)
-                {
-                t->method->ssl_free(t); /* cleanup current */
-                t->method=f->method;    /* change method */
-                t->method->ssl_new(t);  /* setup new */
-                }
-        tmp=t->cert;
-        if (f->cert != NULL)
-                {
-                CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT);
-                t->cert=f->cert;
-                }
-        else
-                t->cert=NULL;
-        if (tmp != NULL) ssl_cert_free(tmp);
-        SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length);
-        }
-/* Fix this so it checks all the valid key/cert options */
-int SSL_CTX_check_private_key(const SSL_CTX *ctx)
-        {
-        if (    (ctx == NULL) ||
-                (ctx->cert == NULL) ||
-                (ctx->cert->key->x509 == NULL))
-                {
-                SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
-                return(0);
-                }
-        if      (ctx->cert->key->privatekey == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
-                return(0);
-                }
-        return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey));
-        }
-/* Fix this function so that it takes an optional type parameter */
-int SSL_check_private_key(const SSL *ssl)
-        {
-        if (ssl == NULL)
-                {
-                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER);
-                return(0);
-                }
-        if (ssl->cert == NULL)
-                {
-                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
-                return 0;
-                }
-        if (ssl->cert->key->x509 == NULL)
-                {
-                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
-                return(0);
-                }
-        if (ssl->cert->key->privatekey == NULL)
-                {
-                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED);
-                return(0);
-                }
-        return(X509_check_private_key(ssl->cert->key->x509,
-                ssl->cert->key->privatekey));
-        }
-int SSL_accept(SSL *s)
-        {
-        if (s->handshake_func == 0)
-                /* Not properly initialized yet */
-                SSL_set_accept_state(s);
-        return(s->method->ssl_accept(s));
-        }
-int SSL_connect(SSL *s)
-        {
-        if (s->handshake_func == 0)
-                /* Not properly initialized yet */
-                SSL_set_connect_state(s);
-        return(s->method->ssl_connect(s));
-        }
-long SSL_get_default_timeout(const SSL *s)
-        {
-        return(s->method->get_timeout());
-        }
-int SSL_read(SSL *s,void *buf,int num)
-        {
-        if (s->handshake_func == 0)
-                {
-                SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
-                return -1;
-                }
-        if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
-                {
-                s->rwstate=SSL_NOTHING;
-                return(0);
-                }
-        return(s->method->ssl_read(s,buf,num));
-        }
-int SSL_peek(SSL *s,void *buf,int num)
-        {
-        if (s->handshake_func == 0)
-                {
-                SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
-                return -1;
-                }
-        if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
-                {
-                return(0);
-                }
-        return(s->method->ssl_peek(s,buf,num));
-        }
-int SSL_write(SSL *s,const void *buf,int num)
-        {
-        if (s->handshake_func == 0)
-                {
-                SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
-                return -1;
-                }
-        if (s->shutdown & SSL_SENT_SHUTDOWN)
-                {
-                s->rwstate=SSL_NOTHING;
-                SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN);
-                return(-1);
-                }
-        return(s->method->ssl_write(s,buf,num));
-        }
-int SSL_shutdown(SSL *s)
-        {
-        /* Note that this function behaves differently from what one might
-         * expect.  Return values are 0 for no success (yet),
-         * 1 for success; but calling it once is usually not enough,
-         * even if blocking I/O is used (see ssl3_shutdown).
-         */
-        if (s->handshake_func == 0)
-                {
-                SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
-                return -1;
-                }
-        if ((s != NULL) && !SSL_in_init(s))
-                return(s->method->ssl_shutdown(s));
-        else
-                return(1);
-        }
-int SSL_renegotiate(SSL *s)
-        {
-        if (s->new_session == 0)
-                {
-                s->new_session=1;
-                }
-        return(s->method->ssl_renegotiate(s));
-        }
-int SSL_renegotiate_pending(SSL *s)
-        {
-        /* becomes true when negotiation is requested;
-         * false again once a handshake has finished */
-        return (s->new_session != 0);
-        }
-long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
-        {
-        long l;
-        switch (cmd)
-                {
-        case SSL_CTRL_GET_READ_AHEAD:
-                return(s->read_ahead);
-        case SSL_CTRL_SET_READ_AHEAD:
-                l=s->read_ahead;
-                s->read_ahead=larg;
-                return(l);
-        case SSL_CTRL_SET_MSG_CALLBACK_ARG:
-                s->msg_callback_arg = parg;
-                return 1;
-        case SSL_CTRL_OPTIONS:
-                return(s->options|=larg);
-        case SSL_CTRL_MODE:
-                return(s->mode|=larg);
-        case SSL_CTRL_GET_MAX_CERT_LIST:
-                return(s->max_cert_list);
-        case SSL_CTRL_SET_MAX_CERT_LIST:
-                l=s->max_cert_list;
-                s->max_cert_list=larg;
-                return(l);
-        default:
-                return(s->method->ssl_ctrl(s,cmd,larg,parg));
-                }
-        }
-long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)())
-        {
-        switch(cmd)
-                {
-        case SSL_CTRL_SET_MSG_CALLBACK:
-                s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
-                return 1;
-                
-        default:
-                return(s->method->ssl_callback_ctrl(s,cmd,fp));
-                }
-        }
-struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx)
-        {
-        return ctx->sessions;
-        }
-long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
-        {
-        long l;
-        switch (cmd)
-                {
-        case SSL_CTRL_GET_READ_AHEAD:
-                return(ctx->read_ahead);
-        case SSL_CTRL_SET_READ_AHEAD:
-                l=ctx->read_ahead;
-                ctx->read_ahead=larg;
-                return(l);
-                
-        case SSL_CTRL_SET_MSG_CALLBACK_ARG:
-                ctx->msg_callback_arg = parg;
-                return 1;
-        case SSL_CTRL_GET_MAX_CERT_LIST:
-                return(ctx->max_cert_list);
-        case SSL_CTRL_SET_MAX_CERT_LIST:
-                l=ctx->max_cert_list;
-                ctx->max_cert_list=larg;
-                return(l);
-        case SSL_CTRL_SET_SESS_CACHE_SIZE:
-                l=ctx->session_cache_size;
-                ctx->session_cache_size=larg;
-                return(l);
-        case SSL_CTRL_GET_SESS_CACHE_SIZE:
-                return(ctx->session_cache_size);
-        case SSL_CTRL_SET_SESS_CACHE_MODE:
-                l=ctx->session_cache_mode;
-                ctx->session_cache_mode=larg;
-                return(l);
-        case SSL_CTRL_GET_SESS_CACHE_MODE:
-                return(ctx->session_cache_mode);
-        case SSL_CTRL_SESS_NUMBER:
-                return(ctx->sessions->num_items);
-        case SSL_CTRL_SESS_CONNECT:
-                return(ctx->stats.sess_connect);
-        case SSL_CTRL_SESS_CONNECT_GOOD:
-                return(ctx->stats.sess_connect_good);
-        case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
-                return(ctx->stats.sess_connect_renegotiate);
-        case SSL_CTRL_SESS_ACCEPT:
-                return(ctx->stats.sess_accept);
-        case SSL_CTRL_SESS_ACCEPT_GOOD:
-                return(ctx->stats.sess_accept_good);
-        case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
-                return(ctx->stats.sess_accept_renegotiate);
-        case SSL_CTRL_SESS_HIT:
-                return(ctx->stats.sess_hit);
-        case SSL_CTRL_SESS_CB_HIT:
-                return(ctx->stats.sess_cb_hit);
-        case SSL_CTRL_SESS_MISSES:
-                return(ctx->stats.sess_miss);
-        case SSL_CTRL_SESS_TIMEOUTS:
-                return(ctx->stats.sess_timeout);
-        case SSL_CTRL_SESS_CACHE_FULL:
-                return(ctx->stats.sess_cache_full);
-        case SSL_CTRL_OPTIONS:
-                return(ctx->options|=larg);
-        case SSL_CTRL_MODE:
-                return(ctx->mode|=larg);
-        default:
-                return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
-                }
-        }
-long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
-        {
-        switch(cmd)
-                {
-        case SSL_CTRL_SET_MSG_CALLBACK:
-                ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
-                return 1;
-        default:
-                return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp));
-                }
-        }
-int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
-        {
-        long l;
-        l=a->id-b->id;
-        if (l == 0L)
-                return(0);
-        else
-                return((l > 0)?1:-1);
-        }
-int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
-                        const SSL_CIPHER * const *bp)
-        {
-        long l;
-        l=(*ap)->id-(*bp)->id;
-        if (l == 0L)
-                return(0);
-        else
-                return((l > 0)?1:-1);
-        }
-/** return a STACK of the ciphers available for the SSL and in order of
- * preference */
-STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
-        {
-        if (s != NULL)
-                {
-                if (s->cipher_list != NULL)
-                        {
-                        return(s->cipher_list);
-                        }
-                else if ((s->ctx != NULL) &&
-                        (s->ctx->cipher_list != NULL))
-                        {
-                        return(s->ctx->cipher_list);
-                        }
-                }
-        return(NULL);
-        }
-/** return a STACK of the ciphers available for the SSL and in order of
- * algorithm id */
-STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
-        {
-        if (s != NULL)
-                {
-                if (s->cipher_list_by_id != NULL)
-                        {
-                        return(s->cipher_list_by_id);
-                        }
-                else if ((s->ctx != NULL) &&
-                        (s->ctx->cipher_list_by_id != NULL))
-                        {
-                        return(s->ctx->cipher_list_by_id);
-                        }
-                }
-        return(NULL);
-        }
-/** The old interface to get the same thing as SSL_get_ciphers() */
-const char *SSL_get_cipher_list(const SSL *s,int n)
-        {
-        SSL_CIPHER *c;
-        STACK_OF(SSL_CIPHER) *sk;
-        if (s == NULL) return(NULL);
-        sk=SSL_get_ciphers(s);
-        if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
-                return(NULL);
-        c=sk_SSL_CIPHER_value(sk,n);
-        if (c == NULL) return(NULL);
-        return(c->name);
-        }
-/** specify the ciphers to be used by default by the SSL_CTX */
-int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
-        {
-        STACK_OF(SSL_CIPHER) *sk;
-        
-        sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
-                &ctx->cipher_list_by_id,str);
-        /* ssl_create_cipher_list may return an empty stack if it
-         * was unable to find a cipher matching the given rule string
-         * (for example if the rule string specifies a cipher which
-         * has been disabled). This is not an error as far as 
-         * ssl_create_cipher_list is concerned, and hence 
-         * ctx->cipher_list and ctx->cipher_list_by_id has been
-         * updated. */
-        if (sk == NULL)
-                return 0;
-        else if (sk_SSL_CIPHER_num(sk) == 0)
-                {
-                SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
-                return 0;
-                }
-        return 1;
-        }
-/** specify the ciphers to be used by the SSL */
-int SSL_set_cipher_list(SSL *s,const char *str)
-        {
-        STACK_OF(SSL_CIPHER) *sk;
-        
-        sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
-                &s->cipher_list_by_id,str);
-        /* see comment in SSL_CTX_set_cipher_list */
-        if (sk == NULL)
-                return 0;
-        else if (sk_SSL_CIPHER_num(sk) == 0)
-                {
-                SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
-                return 0;
-                }
-        return 1;
-        }
-/* works well for SSLv2, not so good for SSLv3 */
-char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
-        {
-        char *end;
-        STACK_OF(SSL_CIPHER) *sk;
-        SSL_CIPHER *c;
-        size_t curlen = 0;
-        int i;
-        if ((s->session == NULL) || (s->session->ciphers == NULL) ||
-                (len < 2))
-                return(NULL);
-        sk=s->session->ciphers;
-        buf[0] = '\0';
-        for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
-                {
-                c=sk_SSL_CIPHER_value(sk,i);
-                end = buf + curlen;
-                if (strlcat(buf, c->name, len) >= len ||
-                    (curlen = strlcat(buf, ":", len)) >= len)
-                        {
-                        /* remove truncated cipher from list */
-                        *end = '\0';
-                        break;
-                        }
-                }
-        /* remove trailing colon */
-        if ((end = strrchr(buf, ':')) != NULL)
-                *end = '\0';
-        return(buf);
-        }
-int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
-                             int (*put_cb)(const SSL_CIPHER *, unsigned char *))
-        {
-        int i,j=0;
-        SSL_CIPHER *c;
-        unsigned char *q;
-#ifndef OPENSSL_NO_KRB5
-        int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
-#endif /* OPENSSL_NO_KRB5 */
-        if (sk == NULL) return(0);
-        q=p;
-        for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
-                {
-                c=sk_SSL_CIPHER_value(sk,i);
-#ifndef OPENSSL_NO_KRB5
-                if ((c->algorithms & SSL_KRB5) && nokrb5)
-                    continue;
-#endif /* OPENSSL_NO_KRB5 */                    
-                j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
-                p+=j;
-                }
-        return(p-q);
-        }
-STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
-                                               STACK_OF(SSL_CIPHER) **skp)
-        {
-        SSL_CIPHER *c;
-        STACK_OF(SSL_CIPHER) *sk;
-        int i,n;
-        n=ssl_put_cipher_by_char(s,NULL,NULL);
-        if ((num%n) != 0)
-                {
-                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
-                return(NULL);
-                }
-        if ((skp == NULL) || (*skp == NULL))
-                sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */
-        else
-                {
-                sk= *skp;
-                sk_SSL_CIPHER_zero(sk);
-                }
-        for (i=0; i<num; i+=n)
-                {
-                c=ssl_get_cipher_by_char(s,p);
-                p+=n;
-                if (c != NULL)
-                        {
-                        if (!sk_SSL_CIPHER_push(sk,c))
-                                {
-                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
-                                goto err;
-                                }
-                        }
-                }
-        if (skp != NULL)
-                *skp=sk;
-        return(sk);
-err:
-        if ((skp == NULL) || (*skp == NULL))
-                sk_SSL_CIPHER_free(sk);
-        return(NULL);
-        }
-unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
-        {
-        unsigned long l;
-        l=(unsigned long)
-                ((unsigned int) a->session_id[0]     )|
-                ((unsigned int) a->session_id[1]<< 8L)|
-                ((unsigned long)a->session_id[2]<<16L)|
-                ((unsigned long)a->session_id[3]<<24L);
-        return(l);
-        }
-/* NB: If this function (or indeed the hash function which uses a sort of
- * coarser function than this one) is changed, ensure
- * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
- * able to construct an SSL_SESSION that will collide with any existing session
- * with a matching session ID. */
-int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
-        {
-        if (a->ssl_version != b->ssl_version)
-                return(1);
-        if (a->session_id_length != b->session_id_length)
-                return(1);
-        return(memcmp(a->session_id,b->session_id,a->session_id_length));
-        }
-/* These wrapper functions should remain rather than redeclaring
- * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
- * variable. The reason is that the functions aren't static, they're exposed via
- * ssl.h. */
-static IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *)
-static IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *)
-SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
-        {
-        SSL_CTX *ret=NULL;
-        
-        if (meth == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
-                return(NULL);
-                }
-#ifdef OPENSSL_FIPS
-        if (FIPS_mode() && (meth->version < TLS1_VERSION))      
-                {
-                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-                return NULL;
-                }
-#endif
-        if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
-                {
-                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
-                goto err;
-                }
-        ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX));
-        if (ret == NULL)
-                goto err;
-        memset(ret,0,sizeof(SSL_CTX));
-        ret->method=meth;
-        ret->cert_store=NULL;
-        ret->session_cache_mode=SSL_SESS_CACHE_SERVER;
-        ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
-        ret->session_cache_head=NULL;
-        ret->session_cache_tail=NULL;
-        /* We take the system default */
-        ret->session_timeout=meth->get_timeout();
-        ret->new_session_cb=0;
-        ret->remove_session_cb=0;
-        ret->get_session_cb=0;
-        ret->generate_session_id=0;
-        memset((char *)&ret->stats,0,sizeof(ret->stats));
-        ret->references=1;
-        ret->quiet_shutdown=0;
-/*      ret->cipher=NULL;*/
-/*      ret->s2->challenge=NULL;
-        ret->master_key=NULL;
-        ret->key_arg=NULL;
-        ret->s2->conn_id=NULL; */
-        ret->info_callback=NULL;
-        ret->app_verify_callback=0;
-        ret->app_verify_arg=NULL;
-        ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT;
-        ret->read_ahead=0;
-        ret->msg_callback=0;
-        ret->msg_callback_arg=NULL;
-        ret->verify_mode=SSL_VERIFY_NONE;
-        ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
-        ret->sid_ctx_length=0;
-        ret->default_verify_callback=NULL;
-        if ((ret->cert=ssl_cert_new()) == NULL)
-                goto err;
-        ret->default_passwd_callback=0;
-        ret->default_passwd_callback_userdata=NULL;
-        ret->client_cert_cb=0;
-        ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash),
-                        LHASH_COMP_FN(SSL_SESSION_cmp));
-        if (ret->sessions == NULL) goto err;
-        ret->cert_store=X509_STORE_new();
-        if (ret->cert_store == NULL) goto err;
-        ssl_create_cipher_list(ret->method,
-                &ret->cipher_list,&ret->cipher_list_by_id,
-                SSL_DEFAULT_CIPHER_LIST);
-        if (ret->cipher_list == NULL
-            || sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
-                {
-                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS);
-                goto err2;
-                }
-        if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
-                goto err2;
-                }
-        if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
-                goto err2;
-                }
-        if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
-                goto err2;
-                }
-        if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL)
-                goto err;
-        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
-        ret->extra_certs=NULL;
-        ret->comp_methods=SSL_COMP_get_compression_methods();
-        return(ret);
-err:
-        SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
-err2:
-        if (ret != NULL) SSL_CTX_free(ret);
-        return(NULL);
-        }
-#if 0
-static void SSL_COMP_free(SSL_COMP *comp)
-    { OPENSSL_free(comp); }
-#endif
-void SSL_CTX_free(SSL_CTX *a)
-        {
-        int i;
-        if (a == NULL) return;
-        i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX);
-#ifdef REF_PRINT
-        REF_PRINT("SSL_CTX",a);
-#endif
-        if (i > 0) return;
-#ifdef REF_CHECK
-        if (i < 0)
-                {
-                fprintf(stderr,"SSL_CTX_free, bad reference count\n");
-                abort(); /* ok */
-                }
-#endif
-        /*
-         * Free internal session cache. However: the remove_cb() may reference
-         * the ex_data of SSL_CTX, thus the ex_data store can only be removed
-         * after the sessions were flushed.
-         * As the ex_data handling routines might also touch the session cache,
-         * the most secure solution seems to be: empty (flush) the cache, then
-         * free ex_data, then finally free the cache.
-         * (See ticket [openssl.org #212].)
-         */
-        if (a->sessions != NULL)
-                SSL_CTX_flush_sessions(a,0);
-        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
-        if (a->sessions != NULL)
-                lh_free(a->sessions);
-        if (a->cert_store != NULL)
-                X509_STORE_free(a->cert_store);
-        if (a->cipher_list != NULL)
-                sk_SSL_CIPHER_free(a->cipher_list);
-        if (a->cipher_list_by_id != NULL)
-                sk_SSL_CIPHER_free(a->cipher_list_by_id);
-        if (a->cert != NULL)
-                ssl_cert_free(a->cert);
-        if (a->client_CA != NULL)
-                sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free);
-        if (a->extra_certs != NULL)
-                sk_X509_pop_free(a->extra_certs,X509_free);
-#if 0 /* This should never be done, since it removes a global database */
-        if (a->comp_methods != NULL)
-                sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
-#else
-        a->comp_methods = NULL;
-#endif
-        OPENSSL_free(a);
-        }
-void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
-        {
-        ctx->default_passwd_callback=cb;
-        }
-void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
-        {
-        ctx->default_passwd_callback_userdata=u;
-        }
-void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg)
-        {
-        ctx->app_verify_callback=cb;
-        ctx->app_verify_arg=arg;
-        }
-void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
-        {
-        ctx->verify_mode=mode;
-        ctx->default_verify_callback=cb;
-        }
-void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
-        {
-        ctx->verify_depth=depth;
-        }
-void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
-        {
-        CERT_PKEY *cpk;
-        int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
-        int rsa_enc_export,dh_rsa_export,dh_dsa_export;
-        int rsa_tmp_export,dh_tmp_export,kl;
-        unsigned long mask,emask;
-        if (c == NULL) return;
-        kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
-#ifndef OPENSSL_NO_RSA
-        rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
-        rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
-                (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
-#else
-        rsa_tmp=rsa_tmp_export=0;
-#endif
-#ifndef OPENSSL_NO_DH
-        dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
-        dh_tmp_export=(c->dh_tmp_cb != NULL ||
-                (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
-#else
-        dh_tmp=dh_tmp_export=0;
-#endif
-        cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
-        rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
-        rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
-        cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
-        rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
-        cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
-        dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
-        cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
-        dh_rsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
-        dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
-        cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
-/* FIX THIS EAY EAY EAY */
-        dh_dsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
-        dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
-        mask=0;
-        emask=0;
-#ifdef CIPHER_DEBUG
-        printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
-                rsa_tmp,rsa_tmp_export,dh_tmp,
-                rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
-#endif
-        if (rsa_enc || (rsa_tmp && rsa_sign))
-                mask|=SSL_kRSA;
-        if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
-                emask|=SSL_kRSA;
-#if 0
-        /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
-        if (    (dh_tmp || dh_rsa || dh_dsa) && 
-                (rsa_enc || rsa_sign || dsa_sign))
-                mask|=SSL_kEDH;
-        if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
-                (rsa_enc || rsa_sign || dsa_sign))
-                emask|=SSL_kEDH;
-#endif
-        if (dh_tmp_export) 
-                emask|=SSL_kEDH;
-        if (dh_tmp)
-                mask|=SSL_kEDH;
-        if (dh_rsa) mask|=SSL_kDHr;
-        if (dh_rsa_export) emask|=SSL_kDHr;
-        if (dh_dsa) mask|=SSL_kDHd;
-        if (dh_dsa_export) emask|=SSL_kDHd;
-        if (rsa_enc || rsa_sign)
-                {
-                mask|=SSL_aRSA;
-                emask|=SSL_aRSA;
-                }
-        if (dsa_sign)
-                {
-                mask|=SSL_aDSS;
-                emask|=SSL_aDSS;
-                }
-        mask|=SSL_aNULL;
-        emask|=SSL_aNULL;
-#ifndef OPENSSL_NO_KRB5
-        mask|=SSL_kKRB5|SSL_aKRB5;
-        emask|=SSL_kKRB5|SSL_aKRB5;
-#endif
-        c->mask=mask;
-        c->export_mask=emask;
-        c->valid=1;
-        }
-/* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(SSL *s)
-        {
-        unsigned long alg,mask,kalg;
-        CERT *c;
-        int i,is_export;
-        c=s->cert;
-        ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
-        alg=s->s3->tmp.new_cipher->algorithms;
-        is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
-        mask=is_export?c->export_mask:c->mask;
-        kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
-        if      (kalg & SSL_kDHr)
-                i=SSL_PKEY_DH_RSA;
-        else if (kalg & SSL_kDHd)
-                i=SSL_PKEY_DH_DSA;
-        else if (kalg & SSL_aDSS)
-                i=SSL_PKEY_DSA_SIGN;
-        else if (kalg & SSL_aRSA)
-                {
-                if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
-                        i=SSL_PKEY_RSA_SIGN;
-                else
-                        i=SSL_PKEY_RSA_ENC;
-                }
-        else if (kalg & SSL_aKRB5)
-                {
-                /* VRS something else here? */
-                return(NULL);
-                }
-        else /* if (kalg & SSL_aNULL) */
-                {
-                SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
-                return(NULL);
-                }
-        if (c->pkeys[i].x509 == NULL) return(NULL);
-        return(c->pkeys[i].x509);
-        }
-EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
-        {
-        unsigned long alg;
-        CERT *c;
-        alg=cipher->algorithms;
-        c=s->cert;
-        if ((alg & SSL_aDSS) &&
-                (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
-                return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
-        else if (alg & SSL_aRSA)
-                {
-                if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
-                        return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
-                else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
-                        return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);
-                else
-                        return(NULL);
-                }
-        else /* if (alg & SSL_aNULL) */
-                {
-                SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
-                return(NULL);
-                }
-        }
-void ssl_update_cache(SSL *s,int mode)
-        {
-        int i;
-        /* If the session_id_length is 0, we are not supposed to cache it,
-         * and it would be rather hard to do anyway :-) */
-        if (s->session->session_id_length == 0) return;
-        i=s->ctx->session_cache_mode;
-        if ((i & mode) && (!s->hit)
-                && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
-                    || SSL_CTX_add_session(s->ctx,s->session))
-                && (s->ctx->new_session_cb != NULL))
-                {
-                CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
-                if (!s->ctx->new_session_cb(s,s->session))
-                        SSL_SESSION_free(s->session);
-                }
-        /* auto flush every 255 connections */
-        if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
-                ((i & mode) == mode))
-                {
-                if (  (((mode & SSL_SESS_CACHE_CLIENT)
-                        ?s->ctx->stats.sess_connect_good
-                        :s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
-                        {
-                        SSL_CTX_flush_sessions(s->ctx,(unsigned long)time(NULL));
-                        }
-                }
-        }
-SSL_METHOD *SSL_get_ssl_method(SSL *s)
-        {
-        return(s->method);
-        }
-int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
-        {
-        int conn= -1;
-        int ret=1;
-        if (s->method != meth)
-                {
-                if (s->handshake_func != NULL)
-                        conn=(s->handshake_func == s->method->ssl_connect);
-                if (s->method->version == meth->version)
-                        s->method=meth;
-                else
-                        {
-                        s->method->ssl_free(s);
-                        s->method=meth;
-                        ret=s->method->ssl_new(s);
-                        }
-                if (conn == 1)
-                        s->handshake_func=meth->ssl_connect;
-                else if (conn == 0)
-                        s->handshake_func=meth->ssl_accept;
-                }
-        return(ret);
-        }
-int SSL_get_error(const SSL *s,int i)
-        {
-        int reason;
-        unsigned long l;
-        BIO *bio;
-        if (i > 0) return(SSL_ERROR_NONE);
-        /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
-         * etc, where we do encode the error */
-        if ((l=ERR_peek_error()) != 0)
-                {
-                if (ERR_GET_LIB(l) == ERR_LIB_SYS)
-                        return(SSL_ERROR_SYSCALL);
-                else
-                        return(SSL_ERROR_SSL);
-                }
-        if ((i < 0) && SSL_want_read(s))
-                {
-                bio=SSL_get_rbio(s);
-                if (BIO_should_read(bio))
-                        return(SSL_ERROR_WANT_READ);
-                else if (BIO_should_write(bio))
-                        /* This one doesn't make too much sense ... We never try
-                         * to write to the rbio, and an application program where
-                         * rbio and wbio are separate couldn't even know what it
-                         * should wait for.
-                         * However if we ever set s->rwstate incorrectly
-                         * (so that we have SSL_want_read(s) instead of
-                         * SSL_want_write(s)) and rbio and wbio *are* the same,
-                         * this test works around that bug; so it might be safer
-                         * to keep it. */
-                        return(SSL_ERROR_WANT_WRITE);
-                else if (BIO_should_io_special(bio))
-                        {
-                        reason=BIO_get_retry_reason(bio);
-                        if (reason == BIO_RR_CONNECT)
-                                return(SSL_ERROR_WANT_CONNECT);
-                        else if (reason == BIO_RR_ACCEPT)
-                                return(SSL_ERROR_WANT_ACCEPT);
-                        else
-                                return(SSL_ERROR_SYSCALL); /* unknown */
-                        }
-                }
-        if ((i < 0) && SSL_want_write(s))
-                {
-                bio=SSL_get_wbio(s);
-                if (BIO_should_write(bio))
-                        return(SSL_ERROR_WANT_WRITE);
-                else if (BIO_should_read(bio))
-                        /* See above (SSL_want_read(s) with BIO_should_write(bio)) */
-                        return(SSL_ERROR_WANT_READ);
-                else if (BIO_should_io_special(bio))
-                        {
-                        reason=BIO_get_retry_reason(bio);
-                        if (reason == BIO_RR_CONNECT)
-                                return(SSL_ERROR_WANT_CONNECT);
-                        else if (reason == BIO_RR_ACCEPT)
-                                return(SSL_ERROR_WANT_ACCEPT);
-                        else
-                                return(SSL_ERROR_SYSCALL);
-                        }
-                }
-        if ((i < 0) && SSL_want_x509_lookup(s))
-                {
-                return(SSL_ERROR_WANT_X509_LOOKUP);
-                }
-        if (i == 0)
-                {
-                if (s->version == SSL2_VERSION)
-                        {
-                        /* assume it is the socket being closed */
-                        return(SSL_ERROR_ZERO_RETURN);
-                        }
-                else
-                        {
-                        if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
-                                (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
-                                return(SSL_ERROR_ZERO_RETURN);
-                        }
-                }
-        return(SSL_ERROR_SYSCALL);
-        }
-int SSL_do_handshake(SSL *s)
-        {
-        int ret=1;
-        if (s->handshake_func == NULL)
-                {
-                SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET);
-                return(-1);
-                }
-        s->method->ssl_renegotiate_check(s);
-        if (SSL_in_init(s) || SSL_in_before(s))
-                {
-                ret=s->handshake_func(s);
-                }
-        return(ret);
-        }
-/* For the next 2 functions, SSL_clear() sets shutdown and so
- * one of these calls will reset it */
-void SSL_set_accept_state(SSL *s)
-        {
-        s->server=1;
-        s->shutdown=0;
-        s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE;
-        s->handshake_func=s->method->ssl_accept;
-        /* clear the current cipher */
-        ssl_clear_cipher_ctx(s);
-        }
-void SSL_set_connect_state(SSL *s)
-        {
-        s->server=0;
-        s->shutdown=0;
-        s->state=SSL_ST_CONNECT|SSL_ST_BEFORE;
-        s->handshake_func=s->method->ssl_connect;
-        /* clear the current cipher */
-        ssl_clear_cipher_ctx(s);
-        }
-int ssl_undefined_function(SSL *s)
-        {
-        SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-        return(0);
-        }
-int ssl_undefined_const_function(const SSL *s)
-        {
-        SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-        return(0);
-        }
-SSL_METHOD *ssl_bad_method(int ver)
-        {
-        SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-        return(NULL);
-        }
-const char *SSL_get_version(const SSL *s)
-        {
-        if (s->version == TLS1_VERSION)
-                return("TLSv1");
-        else if (s->version == SSL3_VERSION)
-                return("SSLv3");
-        else if (s->version == SSL2_VERSION)
-                return("SSLv2");
-        else
-                return("unknown");
-        }
-SSL *SSL_dup(SSL *s)
-        {
-        STACK_OF(X509_NAME) *sk;
-        X509_NAME *xn;
-        SSL *ret;
-        int i;
-                 
-        if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
-            return(NULL);
-        ret->version = s->version;
-        ret->type = s->type;
-        ret->method = s->method;
-        if (s->session != NULL)
-                {
-                /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
-                SSL_copy_session_id(ret,s);
-                }
-        else
-                {
-                /* No session has been established yet, so we have to expect
-                 * that s->cert or ret->cert will be changed later --
-                 * they should not both point to the same object,
-                 * and thus we can't use SSL_copy_session_id. */
-                ret->method->ssl_free(ret);
-                ret->method = s->method;
-                ret->method->ssl_new(ret);
-                if (s->cert != NULL)
-                        {
-                        if (ret->cert != NULL)
-                                {
-                                ssl_cert_free(ret->cert);
-                                }
-                        ret->cert = ssl_cert_dup(s->cert);
-                        if (ret->cert == NULL)
-                                goto err;
-                        }
-                                
-                SSL_set_session_id_context(ret,
-                        s->sid_ctx, s->sid_ctx_length);
-                }
-        ret->options=s->options;
-        ret->mode=s->mode;
-        SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s));
-        SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
-        ret->msg_callback = s->msg_callback;
-        ret->msg_callback_arg = s->msg_callback_arg;
-        SSL_set_verify(ret,SSL_get_verify_mode(s),
-                SSL_get_verify_callback(s));
-        SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
-        ret->generate_session_id = s->generate_session_id;
-        SSL_set_info_callback(ret,SSL_get_info_callback(s));
-        
-        ret->debug=s->debug;
-        /* copy app data, a little dangerous perhaps */
-        if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
-                goto err;
-        /* setup rbio, and wbio */
-        if (s->rbio != NULL)
-                {
-                if (!BIO_dup_state(s->rbio,(char *)&ret->rbio))
-                        goto err;
-                }
-        if (s->wbio != NULL)
-                {
-                if (s->wbio != s->rbio)
-                        {
-                        if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
-                                goto err;
-                        }
-                else
-                        ret->wbio=ret->rbio;
-                }
-        ret->rwstate = s->rwstate;
-        ret->in_handshake = s->in_handshake;
-        ret->handshake_func = s->handshake_func;
-        ret->server = s->server;
-        ret->new_session = s->new_session;
-        ret->quiet_shutdown = s->quiet_shutdown;
-        ret->shutdown=s->shutdown;
-        ret->state=s->state; /* SSL_dup does not really work at any state, though */
-        ret->rstate=s->rstate;
-        ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */
-        ret->hit=s->hit;
-        ret->purpose=s->purpose;
-        ret->trust=s->trust;
-        /* dup the cipher_list and cipher_list_by_id stacks */
-        if (s->cipher_list != NULL)
-                {
-                if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
-                        goto err;
-                }
-        if (s->cipher_list_by_id != NULL)
-                if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id))
-                        == NULL)
-                        goto err;
-        /* Dup the client_CA list */
-        if (s->client_CA != NULL)
-                {
-                if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
-                ret->client_CA=sk;
-                for (i=0; i<sk_X509_NAME_num(sk); i++)
-                        {
-                        xn=sk_X509_NAME_value(sk,i);
-                        if (sk_X509_NAME_set(sk,i,X509_NAME_dup(xn)) == NULL)
-                                {
-                                X509_NAME_free(xn);
-                                goto err;
-                                }
-                        }
-                }
-        if (0)
-                {
-err:
-                if (ret != NULL) SSL_free(ret);
-                ret=NULL;
-                }
-        return(ret);
-        }
-void ssl_clear_cipher_ctx(SSL *s)
-        {
-        if (s->enc_read_ctx != NULL)
-                {
-                EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
-                OPENSSL_free(s->enc_read_ctx);
-                s->enc_read_ctx=NULL;
-                }
-        if (s->enc_write_ctx != NULL)
-                {
-                EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
-                OPENSSL_free(s->enc_write_ctx);
-                s->enc_write_ctx=NULL;
-                }
-        if (s->expand != NULL)
-                {
-                COMP_CTX_free(s->expand);
-                s->expand=NULL;
-                }
-        if (s->compress != NULL)
-                {
-                COMP_CTX_free(s->compress);
-                s->compress=NULL;
-                }
-        }
-/* Fix this function so that it takes an optional type parameter */
-X509 *SSL_get_certificate(const SSL *s)
-        {
-        if (s->cert != NULL)
-                return(s->cert->key->x509);
-        else
-                return(NULL);
-        }
-/* Fix this function so that it takes an optional type parameter */
-EVP_PKEY *SSL_get_privatekey(SSL *s)
-        {
-        if (s->cert != NULL)
-                return(s->cert->key->privatekey);
-        else
-                return(NULL);
-        }
-SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
-        {
-        if ((s->session != NULL) && (s->session->cipher != NULL))
-                return(s->session->cipher);
-        return(NULL);
-        }
-int ssl_init_wbio_buffer(SSL *s,int push)
-        {
-        BIO *bbio;
-        if (s->bbio == NULL)
-                {
-                bbio=BIO_new(BIO_f_buffer());
-                if (bbio == NULL) return(0);
-                s->bbio=bbio;
-                }
-        else
-                {
-                bbio=s->bbio;
-                if (s->bbio == s->wbio)
-                        s->wbio=BIO_pop(s->wbio);
-                }
-        (void)BIO_reset(bbio);
-/*      if (!BIO_set_write_buffer_size(bbio,16*1024)) */
-        if (!BIO_set_read_buffer_size(bbio,1))
-                {
-                SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB);
-                return(0);
-                }
-        if (push)
-                {
-                if (s->wbio != bbio)
-                        s->wbio=BIO_push(bbio,s->wbio);
-                }
-        else
-                {
-                if (s->wbio == bbio)
-                        s->wbio=BIO_pop(bbio);
-                }
-        return(1);
-        }
-void ssl_free_wbio_buffer(SSL *s)
-        {
-        if (s->bbio == NULL) return;
-        if (s->bbio == s->wbio)
-                {
-                /* remove buffering */
-                s->wbio=BIO_pop(s->wbio);
-#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */
-                assert(s->wbio != NULL);
-#endif  
-        }
-        BIO_free(s->bbio);
-        s->bbio=NULL;
-        }
-        
-void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
-        {
-        ctx->quiet_shutdown=mode;
-        }
-int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
-        {
-        return(ctx->quiet_shutdown);
-        }
-void SSL_set_quiet_shutdown(SSL *s,int mode)
-        {
-        s->quiet_shutdown=mode;
-        }
-int SSL_get_quiet_shutdown(const SSL *s)
-        {
-        return(s->quiet_shutdown);
-        }
-void SSL_set_shutdown(SSL *s,int mode)
-        {
-        s->shutdown=mode;
-        }
-int SSL_get_shutdown(const SSL *s)
-        {
-        return(s->shutdown);
-        }
-int SSL_version(const SSL *s)
-        {
-        return(s->version);
-        }
-SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
-        {
-        return(ssl->ctx);
-        }
-#ifndef OPENSSL_NO_STDIO
-int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
-        {
-        return(X509_STORE_set_default_paths(ctx->cert_store));
-        }
-int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
-                const char *CApath)
-        {
-        int r;
-        r=X509_STORE_load_locations(ctx->cert_store,CAfile,CApath);
-        return r;
-        }
-#endif
-void SSL_set_info_callback(SSL *ssl,
-                           void (*cb)(const SSL *ssl,int type,int val))
-        {
-        ssl->info_callback=cb;
-        }
-void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val)
-        {
-        return ssl->info_callback;
-        }
-int SSL_state(const SSL *ssl)
-        {
-        return(ssl->state);
-        }
-void SSL_set_verify_result(SSL *ssl,long arg)
-        {
-        ssl->verify_result=arg;
-        }
-long SSL_get_verify_result(const SSL *ssl)
-        {
-        return(ssl->verify_result);
-        }
-int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
-                         CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
-        {
-        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
-                                new_func, dup_func, free_func);
-        }
-int SSL_set_ex_data(SSL *s,int idx,void *arg)
-        {
-        return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
-        }
-void *SSL_get_ex_data(const SSL *s,int idx)
-        {
-        return(CRYPTO_get_ex_data(&s->ex_data,idx));
-        }
-int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
-                             CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
-        {
-        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
-                                new_func, dup_func, free_func);
-        }
-int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
-        {
-        return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
-        }
-void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
-        {
-        return(CRYPTO_get_ex_data(&s->ex_data,idx));
-        }
-int ssl_ok(SSL *s)
-        {
-        return(1);
-        }
-X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
-        {
-        return(ctx->cert_store);
-        }
-void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
-        {
-        if (ctx->cert_store != NULL)
-                X509_STORE_free(ctx->cert_store);
-        ctx->cert_store=store;
-        }
-int SSL_want(const SSL *s)
-        {
-        return(s->rwstate);
-        }
-/*!
- * \brief Set the callback for generating temporary RSA keys.
- * \param ctx the SSL context.
- * \param cb the callback
- */
-#ifndef OPENSSL_NO_RSA
-void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
-                                                          int is_export,
-                                                          int keylength))
-    {
-    SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
-    }
-void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
-                                                  int is_export,
-                                                  int keylength))
-    {
-    SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
-    }
-#endif
-#ifdef DOXYGEN
-/*!
- * \brief The RSA temporary key callback function.
- * \param ssl the SSL session.
- * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite.
- * \param keylength if \c is_export is \c TRUE, then \c keylength is the size
- * of the required key in bits.
- * \return the temporary RSA key.
- * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback
- */
-RSA *cb(SSL *ssl,int is_export,int keylength)
-    {}
-#endif
-/*!
- * \brief Set the callback for generating temporary DH keys.
- * \param ctx the SSL context.
- * \param dh the callback
- */
-#ifndef OPENSSL_NO_DH
-void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
-                                                        int keylength))
-        {
-        SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
-        }
-void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
-                                                int keylength))
-        {
-        SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
-        }
-#endif
-void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
-        {
-        SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
-        }
-void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
-        {
-        SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
-        }
-#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
-#include "../crypto/bio/bss_file.c"
-#endif
-IMPLEMENT_STACK_OF(SSL_CIPHER)
-IMPLEMENT_STACK_OF(SSL_COMP)
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
deleted file mode 100644
index 6a0b7595f4..0000000000
--- a/src/lib/libssl/ssl_locl.h
+++ /dev/null
@@ -1,623 +0,0 @@
-/* ssl/ssl_locl.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#ifndef HEADER_SSL_LOCL_H
-#define HEADER_SSL_LOCL_H
-#include <stdlib.h>
-#include <time.h>
-#include <string.h>
-#include <errno.h>
-#include "e_os.h"
-#include <openssl/buffer.h>
-#include <openssl/comp.h>
-#include <openssl/bio.h>
-#include <openssl/crypto.h>
-#include <openssl/evp.h>
-#include <openssl/stack.h>
-#include <openssl/x509.h>
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-#include <openssl/symhacks.h>
-#ifdef OPENSSL_BUILD_SHLIBSSL
-# undef OPENSSL_EXTERN
-# define OPENSSL_EXTERN OPENSSL_EXPORT
-#endif
-#define PKCS1_CHECK
-#define c2l(c,l)        (l = ((unsigned long)(*((c)++)))     , \
-                         l|=(((unsigned long)(*((c)++)))<< 8), \
-                         l|=(((unsigned long)(*((c)++)))<<16), \
-                         l|=(((unsigned long)(*((c)++)))<<24))
-/* NOTE - c is not incremented as per c2l */
-#define c2ln(c,l1,l2,n) { \
-                        c+=n; \
-                        l1=l2=0; \
-                        switch (n) { \
-                        case 8: l2 =((unsigned long)(*(--(c))))<<24; \
-                        case 7: l2|=((unsigned long)(*(--(c))))<<16; \
-                        case 6: l2|=((unsigned long)(*(--(c))))<< 8; \
-                        case 5: l2|=((unsigned long)(*(--(c))));     \
-                        case 4: l1 =((unsigned long)(*(--(c))))<<24; \
-                        case 3: l1|=((unsigned long)(*(--(c))))<<16; \
-                        case 2: l1|=((unsigned long)(*(--(c))))<< 8; \
-                        case 1: l1|=((unsigned long)(*(--(c))));     \
-                                } \
-                        }
-#define l2c(l,c)        (*((c)++)=(unsigned char)(((l)    )&0xff), \
-                         *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>>16)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>>24)&0xff))
-#define n2l(c,l)        (l =((unsigned long)(*((c)++)))<<24, \
-                         l|=((unsigned long)(*((c)++)))<<16, \
-                         l|=((unsigned long)(*((c)++)))<< 8, \
-                         l|=((unsigned long)(*((c)++))))
-#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>>16)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
-                         *((c)++)=(unsigned char)(((l)    )&0xff))
-/* NOTE - c is not incremented as per l2c */
-#define l2cn(l1,l2,c,n) { \
-                        c+=n; \
-                        switch (n) { \
-                        case 8: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
-                        case 7: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
-                        case 6: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
-                        case 5: *(--(c))=(unsigned char)(((l2)    )&0xff); \
-                        case 4: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
-                        case 3: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
-                        case 2: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
-                        case 1: *(--(c))=(unsigned char)(((l1)    )&0xff); \
-                                } \
-                        }
-#define n2s(c,s)        ((s=(((unsigned int)(c[0]))<< 8)| \
-                            (((unsigned int)(c[1]))    )),c+=2)
-#define s2n(s,c)        ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
-                          c[1]=(unsigned char)(((s)    )&0xff)),c+=2)
-#define n2l3(c,l)       ((l =(((unsigned long)(c[0]))<<16)| \
-                             (((unsigned long)(c[1]))<< 8)| \
-                             (((unsigned long)(c[2]))    )),c+=3)
-#define l2n3(l,c)       ((c[0]=(unsigned char)(((l)>>16)&0xff), \
-                          c[1]=(unsigned char)(((l)>> 8)&0xff), \
-                          c[2]=(unsigned char)(((l)    )&0xff)),c+=3)
-/* LOCAL STUFF */
-#define SSL_DECRYPT     0
-#define SSL_ENCRYPT     1
-#define TWO_BYTE_BIT    0x80
-#define SEC_ESC_BIT     0x40
-#define TWO_BYTE_MASK   0x7fff
-#define THREE_BYTE_MASK 0x3fff
-#define INC32(a)        ((a)=((a)+1)&0xffffffffL)
-#define DEC32(a)        ((a)=((a)-1)&0xffffffffL)
-#define MAX_MAC_SIZE    20 /* up from 16 for SSLv3 */
-/*
- * Define the Bitmasks for SSL_CIPHER.algorithms.
- * This bits are used packed as dense as possible. If new methods/ciphers
- * etc will be added, the bits a likely to change, so this information
- * is for internal library use only, even though SSL_CIPHER.algorithms
- * can be publicly accessed.
- * Use the according functions for cipher management instead.
- *
- * The bit mask handling in the selection and sorting scheme in
- * ssl_create_cipher_list() has only limited capabilities, reflecting
- * that the different entities within are mutually exclusive:
- * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
- */
-#define SSL_MKEY_MASK           0x0000003FL
-#define SSL_kRSA                0x00000001L /* RSA key exchange */
-#define SSL_kDHr                0x00000002L /* DH cert RSA CA cert */
-#define SSL_kDHd                0x00000004L /* DH cert DSA CA cert */
-#define SSL_kFZA                0x00000008L
-#define SSL_kEDH                0x00000010L /* tmp DH key no DH cert */
-#define SSL_kKRB5               0x00000020L /* Kerberos5 key exchange */
-#define SSL_EDH                 (SSL_kEDH|(SSL_AUTH_MASK^SSL_aNULL))
-#define SSL_AUTH_MASK           0x00000FC0L
-#define SSL_aRSA                0x00000040L /* Authenticate with RSA */
-#define SSL_aDSS                0x00000080L /* Authenticate with DSS */
-#define SSL_DSS                 SSL_aDSS
-#define SSL_aFZA                0x00000100L
-#define SSL_aNULL               0x00000200L /* no Authenticate, ADH */
-#define SSL_aDH                 0x00000400L /* no Authenticate, ADH */
-#define SSL_aKRB5               0x00000800L /* Authenticate with KRB5 */
-#define SSL_NULL                (SSL_eNULL)
-#define SSL_ADH                 (SSL_kEDH|SSL_aNULL)
-#define SSL_RSA                 (SSL_kRSA|SSL_aRSA)
-#define SSL_DH                  (SSL_kDHr|SSL_kDHd|SSL_kEDH)
-#define SSL_FZA                 (SSL_aFZA|SSL_kFZA|SSL_eFZA)
-#define SSL_KRB5                (SSL_kKRB5|SSL_aKRB5)
-#define SSL_ENC_MASK            0x0087F000L
-#define SSL_DES                 0x00001000L
-#define SSL_3DES                0x00002000L
-#define SSL_RC4                 0x00004000L
-#define SSL_RC2                 0x00008000L
-#define SSL_IDEA                0x00010000L
-#define SSL_eFZA                0x00020000L
-#define SSL_eNULL               0x00040000L
-#define SSL_AES                 0x00800000L
-#define SSL_MAC_MASK            0x00180000L
-#define SSL_MD5                 0x00080000L
-#define SSL_SHA1                0x00100000L
-#define SSL_SHA                 (SSL_SHA1)
-#define SSL_SSL_MASK            0x00600000L
-#define SSL_SSLV2               0x00200000L
-#define SSL_SSLV3               0x00400000L
-#define SSL_TLSV1               SSL_SSLV3       /* for now */
-/* we have used 007fffff - 9 bits left to go */
-/*
- * Export and cipher strength information. For each cipher we have to decide
- * whether it is exportable or not. This information is likely to change
- * over time, since the export control rules are no static technical issue.
- *
- * Independent of the export flag the cipher strength is sorted into classes.
- * SSL_EXP40 was denoting the 40bit US export limit of past times, which now
- * is at 56bit (SSL_EXP56). If the exportable cipher class is going to change
- * again (eg. to 64bit) the use of "SSL_EXP*" becomes blurred even more,
- * since SSL_EXP64 could be similar to SSL_LOW.
- * For this reason SSL_MICRO and SSL_MINI macros are included to widen the
- * namespace of SSL_LOW-SSL_HIGH to lower values. As development of speed
- * and ciphers goes, another extension to SSL_SUPER and/or SSL_ULTRA would
- * be possible.
- */
-#define SSL_EXP_MASK            0x00000003L
-#define SSL_NOT_EXP             0x00000001L
-#define SSL_EXPORT              0x00000002L
-#define SSL_STRONG_MASK         0x000000fcL
-#define SSL_STRONG_NONE         0x00000004L
-#define SSL_EXP40               0x00000008L
-#define SSL_MICRO               (SSL_EXP40)
-#define SSL_EXP56               0x00000010L
-#define SSL_MINI                (SSL_EXP56)
-#define SSL_LOW                 0x00000020L
-#define SSL_MEDIUM              0x00000040L
-#define SSL_HIGH                0x00000080L
-#define SSL_FIPS                0x00000100L
-/* we have used 000001ff - 23 bits left to go */
-/*
- * Macros to check the export status and cipher strength for export ciphers.
- * Even though the macros for EXPORT and EXPORT40/56 have similar names,
- * their meaning is different:
- * *_EXPORT macros check the 'exportable' status.
- * *_EXPORT40/56 macros are used to check whether a certain cipher strength
- *          is given.
- * Since the SSL_IS_EXPORT* and SSL_EXPORT* macros depend on the correct
- * algorithm structure element to be passed (algorithms, algo_strength) and no
- * typechecking can be done as they are all of type unsigned long, their
- * direct usage is discouraged.
- * Use the SSL_C_* macros instead.
- */
-#define SSL_IS_EXPORT(a)        ((a)&SSL_EXPORT)
-#define SSL_IS_EXPORT56(a)      ((a)&SSL_EXP56)
-#define SSL_IS_EXPORT40(a)      ((a)&SSL_EXP40)
-#define SSL_C_IS_EXPORT(c)      SSL_IS_EXPORT((c)->algo_strength)
-#define SSL_C_IS_EXPORT56(c)    SSL_IS_EXPORT56((c)->algo_strength)
-#define SSL_C_IS_EXPORT40(c)    SSL_IS_EXPORT40((c)->algo_strength)
-#define SSL_EXPORT_KEYLENGTH(a,s)       (SSL_IS_EXPORT40(s) ? 5 : \
-                                 ((a)&SSL_ENC_MASK) == SSL_DES ? 8 : 7)
-#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
-#define SSL_C_EXPORT_KEYLENGTH(c)       SSL_EXPORT_KEYLENGTH((c)->algorithms, \
-                                (c)->algo_strength)
-#define SSL_C_EXPORT_PKEYLENGTH(c)      SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
-#define SSL_ALL                 0xffffffffL
-#define SSL_ALL_CIPHERS         (SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|\
-                                SSL_MAC_MASK)
-#define SSL_ALL_STRENGTHS       (SSL_EXP_MASK|SSL_STRONG_MASK)
-/* Mostly for SSLv3 */
-#define SSL_PKEY_RSA_ENC        0
-#define SSL_PKEY_RSA_SIGN       1
-#define SSL_PKEY_DSA_SIGN       2
-#define SSL_PKEY_DH_RSA         3
-#define SSL_PKEY_DH_DSA         4
-#define SSL_PKEY_NUM            5
-/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
- *          <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
- * SSL_kDH  <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
- * SSL_kEDH <- RSA_ENC | RSA_SIGN | DSA_SIGN
- * SSL_aRSA <- RSA_ENC | RSA_SIGN
- * SSL_aDSS <- DSA_SIGN
- */
-/*
-#define CERT_INVALID            0
-#define CERT_PUBLIC_KEY         1
-#define CERT_PRIVATE_KEY        2
-*/
-typedef struct cert_pkey_st
-        {
-        X509 *x509;
-        EVP_PKEY *privatekey;
-        } CERT_PKEY;
-typedef struct cert_st
-        {
-        /* Current active set */
-        CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
-                         * Probably it would make more sense to store
-                         * an index, not a pointer. */
- 
-        /* The following masks are for the key and auth
-         * algorithms that are supported by the certs below */
-        int valid;
-        unsigned long mask;
-        unsigned long export_mask;
-#ifndef OPENSSL_NO_RSA
-        RSA *rsa_tmp;
-        RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);
-#endif
-#ifndef OPENSSL_NO_DH
-        DH *dh_tmp;
-        DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize);
-#endif
-        CERT_PKEY pkeys[SSL_PKEY_NUM];
-        int references; /* >1 only if SSL_copy_session_id is used */
-        } CERT;
-typedef struct sess_cert_st
-        {
-        STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */
-        /* The 'peer_...' members are used only by clients. */
-        int peer_cert_type;
-        CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
-        CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
-        /* Obviously we don't have the private keys of these,
-         * so maybe we shouldn't even use the CERT_PKEY type here. */
-#ifndef OPENSSL_NO_RSA
-        RSA *peer_rsa_tmp; /* not used for SSL 2 */
-#endif
-#ifndef OPENSSL_NO_DH
-        DH *peer_dh_tmp; /* not used for SSL 2 */
-#endif
-        int references; /* actually always 1 at the moment */
-        } SESS_CERT;
-/*#define MAC_DEBUG     */
-/*#define ERR_DEBUG     */
-/*#define ABORT_DEBUG   */
-/*#define PKT_DEBUG 1   */
-/*#define DES_DEBUG     */
-/*#define DES_OFB_DEBUG */
-/*#define SSL_DEBUG     */
-/*#define RSA_DEBUG     */ 
-/*#define IDEA_DEBUG    */ 
-#define FP_ICC  (int (*)(const void *,const void *))
-#define ssl_put_cipher_by_char(ssl,ciph,ptr) \
-                ((ssl)->method->put_cipher_by_char((ciph),(ptr)))
-#define ssl_get_cipher_by_char(ssl,ptr) \
-                ((ssl)->method->get_cipher_by_char(ptr))
-/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff
- * It is a bit of a mess of functions, but hell, think of it as
- * an opaque structure :-) */
-typedef struct ssl3_enc_method
-        {
-        int (*enc)(SSL *, int);
-        int (*mac)(SSL *, unsigned char *, int);
-        int (*setup_key_block)(SSL *);
-        int (*generate_master_secret)(SSL *, unsigned char *, unsigned char *, int);
-        int (*change_cipher_state)(SSL *, int);
-        int (*final_finish_mac)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char *, int, unsigned char *);
-        int finish_mac_length;
-        int (*cert_verify_mac)(SSL *, EVP_MD_CTX *, unsigned char *);
-        const char *client_finished_label;
-        int client_finished_label_len;
-        const char *server_finished_label;
-        int server_finished_label_len;
-        int (*alert_value)(int);
-        } SSL3_ENC_METHOD;
-/* Used for holding the relevant compression methods loaded into SSL_CTX */
-typedef struct ssl3_comp_st
-        {
-        int comp_id;    /* The identifier byte for this compression type */
-        char *name;     /* Text name used for the compression type */
-        COMP_METHOD *method; /* The method :-) */
-        } SSL3_COMP;
-extern SSL3_ENC_METHOD ssl3_undef_enc_method;
-OPENSSL_EXTERN SSL_CIPHER ssl2_ciphers[];
-OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[];
-#ifdef OPENSSL_SYS_VMS
-#undef SSL_COMP_get_compression_methods
-#define SSL_COMP_get_compression_methods        SSL_COMP_get_compress_methods
-#endif
-SSL_METHOD *ssl_bad_method(int ver);
-SSL_METHOD *sslv2_base_method(void);
-SSL_METHOD *sslv23_base_method(void);
-SSL_METHOD *sslv3_base_method(void);
-void ssl_clear_cipher_ctx(SSL *s);
-int ssl_clear_bad_session(SSL *s);
-CERT *ssl_cert_new(void);
-CERT *ssl_cert_dup(CERT *cert);
-int ssl_cert_inst(CERT **o);
-void ssl_cert_free(CERT *c);
-SESS_CERT *ssl_sess_cert_new(void);
-void ssl_sess_cert_free(SESS_CERT *sc);
-int ssl_set_peer_cert_type(SESS_CERT *c, int type);
-int ssl_get_new_session(SSL *s, int session);
-int ssl_get_prev_session(SSL *s, unsigned char *session,int len);
-int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b);
-int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
-                        const SSL_CIPHER * const *bp);
-STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
-                                               STACK_OF(SSL_CIPHER) **skp);
-int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
-                             int (*put_cb)(const SSL_CIPHER *, unsigned char *));
-STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
-                                             STACK_OF(SSL_CIPHER) **pref,
-                                             STACK_OF(SSL_CIPHER) **sorted,
-                                             const char *rule_str);
-void ssl_update_cache(SSL *s, int mode);
-int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
-                       const EVP_MD **md,SSL_COMP **comp);
-int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
-int ssl_undefined_function(SSL *s);
-int ssl_undefined_const_function(const SSL *s);
-X509 *ssl_get_server_send_cert(SSL *);
-EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
-int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
-void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher);
-STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
-int ssl_verify_alarm_type(long type);
-int ssl2_enc_init(SSL *s, int client);
-int ssl2_generate_key_material(SSL *s);
-void ssl2_enc(SSL *s,int send_data);
-void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
-SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
-int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
-int ssl2_part_read(SSL *s, unsigned long f, int i);
-int ssl2_do_write(SSL *s);
-int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data);
-void ssl2_return_error(SSL *s,int reason);
-void ssl2_write_error(SSL *s);
-int ssl2_num_ciphers(void);
-SSL_CIPHER *ssl2_get_cipher(unsigned int u);
-int     ssl2_new(SSL *s);
-void    ssl2_free(SSL *s);
-int     ssl2_accept(SSL *s);
-int     ssl2_connect(SSL *s);
-int     ssl2_read(SSL *s, void *buf, int len);
-int     ssl2_peek(SSL *s, void *buf, int len);
-int     ssl2_write(SSL *s, const void *buf, int len);
-int     ssl2_shutdown(SSL *s);
-void    ssl2_clear(SSL *s);
-long    ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
-long    ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
-long    ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)());
-long    ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
-int     ssl2_pending(const SSL *s);
-SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
-int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
-void ssl3_init_finished_mac(SSL *s);
-int ssl3_send_server_certificate(SSL *s);
-int ssl3_get_finished(SSL *s,int state_a,int state_b);
-int ssl3_setup_key_block(SSL *s);
-int ssl3_send_change_cipher_spec(SSL *s,int state_a,int state_b);
-int ssl3_change_cipher_state(SSL *s,int which);
-void ssl3_cleanup_key_block(SSL *s);
-int ssl3_do_write(SSL *s,int type);
-void ssl3_send_alert(SSL *s,int level, int desc);
-int ssl3_generate_master_secret(SSL *s, unsigned char *out,
-        unsigned char *p, int len);
-int ssl3_get_req_cert_type(SSL *s,unsigned char *p);
-long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
-int ssl3_send_finished(SSL *s, int a, int b, const char *sender,int slen);
-int ssl3_num_ciphers(void);
-SSL_CIPHER *ssl3_get_cipher(unsigned int u);
-int ssl3_renegotiate(SSL *ssl); 
-int ssl3_renegotiate_check(SSL *ssl); 
-int ssl3_dispatch_alert(SSL *s);
-int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
-int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
-int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
-        const char *sender, int slen,unsigned char *p);
-int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
-void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
-int ssl3_enc(SSL *s, int send_data);
-int ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
-SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt,
-                               STACK_OF(SSL_CIPHER) *srvr);
-int     ssl3_setup_buffers(SSL *s);
-int     ssl3_new(SSL *s);
-void    ssl3_free(SSL *s);
-int     ssl3_accept(SSL *s);
-int     ssl3_connect(SSL *s);
-int     ssl3_read(SSL *s, void *buf, int len);
-int     ssl3_peek(SSL *s, void *buf, int len);
-int     ssl3_write(SSL *s, const void *buf, int len);
-int     ssl3_shutdown(SSL *s);
-void    ssl3_clear(SSL *s);
-long    ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
-long    ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
-long    ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)());
-long    ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
-int     ssl3_pending(const SSL *s);
-int ssl23_accept(SSL *s);
-int ssl23_connect(SSL *s);
-int ssl23_read_bytes(SSL *s, int n);
-int ssl23_write_bytes(SSL *s);
-int tls1_new(SSL *s);
-void tls1_free(SSL *s);
-void tls1_clear(SSL *s);
-long tls1_ctrl(SSL *s,int cmd, long larg, void *parg);
-long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)());
-SSL_METHOD *tlsv1_base_method(void );
-int ssl_init_wbio_buffer(SSL *s, int push);
-void ssl_free_wbio_buffer(SSL *s);
-int tls1_change_cipher_state(SSL *s, int which);
-int tls1_setup_key_block(SSL *s);
-int tls1_enc(SSL *s, int snd);
-int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
-        const char *str, int slen, unsigned char *p);
-int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
-int tls1_mac(SSL *ssl, unsigned char *md, int snd);
-int tls1_generate_master_secret(SSL *s, unsigned char *out,
-        unsigned char *p, int len);
-int tls1_alert_code(int code);
-int ssl3_alert_code(int code);
-int ssl_ok(SSL *s);
-SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
-STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
-#endif
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
deleted file mode 100644
index fb0bd4d045..0000000000
--- a/src/lib/libssl/ssl_rsa.c
+++ /dev/null
@@ -1,817 +0,0 @@
-/* ssl/ssl_rsa.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include "ssl_locl.h"
-#include <openssl/bio.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-static int ssl_set_cert(CERT *c, X509 *x509);
-static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
-int SSL_use_certificate(SSL *ssl, X509 *x)
-        {
-        if (x == NULL)
-                {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
-                return(0);
-                }
-        if (!ssl_cert_inst(&ssl->cert))
-                {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        return(ssl_set_cert(ssl->cert,x));
-        }
-#ifndef OPENSSL_NO_STDIO
-int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
-        {
-        int j;
-        BIO *in;
-        int ret=0;
-        X509 *x=NULL;
-        in=BIO_new(BIO_s_file_internal());
-        if (in == NULL)
-                {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
-                goto end;
-                }
-        if (BIO_read_filename(in,file) <= 0)
-                {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
-                goto end;
-                }
-        if (type == SSL_FILETYPE_ASN1)
-                {
-                j=ERR_R_ASN1_LIB;
-                x=d2i_X509_bio(in,NULL);
-                }
-        else if (type == SSL_FILETYPE_PEM)
-                {
-                j=ERR_R_PEM_LIB;
-                x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
-                }
-        else
-                {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
-                goto end;
-                }
-        if (x == NULL)
-                {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,j);
-                goto end;
-                }
-        ret=SSL_use_certificate(ssl,x);
-end:
-        if (x != NULL) X509_free(x);
-        if (in != NULL) BIO_free(in);
-        return(ret);
-        }
-#endif
-int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len)
-        {
-        X509 *x;
-        int ret;
-        x=d2i_X509(NULL,&d,(long)len);
-        if (x == NULL)
-                {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
-                return(0);
-                }
-        ret=SSL_use_certificate(ssl,x);
-        X509_free(x);
-        return(ret);
-        }
-#ifndef OPENSSL_NO_RSA
-int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
-        {
-        EVP_PKEY *pkey;
-        int ret;
-        if (rsa == NULL)
-                {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
-                return(0);
-                }
-        if (!ssl_cert_inst(&ssl->cert))
-                {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        if ((pkey=EVP_PKEY_new()) == NULL)
-                {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
-                return(0);
-                }
-        RSA_up_ref(rsa);
-        EVP_PKEY_assign_RSA(pkey,rsa);
-        ret=ssl_set_pkey(ssl->cert,pkey);
-        EVP_PKEY_free(pkey);
-        return(ret);
-        }
-#endif
-static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
-        {
-        int i,ok=0,bad=0;
-        i=ssl_cert_type(NULL,pkey);
-        if (i < 0)
-                {
-                SSLerr(SSL_F_SSL_SET_PKEY,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
-                return(0);
-                }
-        if (c->pkeys[i].x509 != NULL)
-                {
-                EVP_PKEY *pktmp;
-                pktmp = X509_get_pubkey(c->pkeys[i].x509);
-                EVP_PKEY_copy_parameters(pktmp,pkey);
-                EVP_PKEY_free(pktmp);
-                ERR_clear_error();
-#ifndef OPENSSL_NO_RSA
-                /* Don't check the public/private key, this is mostly
-                 * for smart cards. */
-                if ((pkey->type == EVP_PKEY_RSA) &&
-                        (RSA_flags(pkey->pkey.rsa) &
-                         RSA_METHOD_FLAG_NO_CHECK))
-                         ok=1;
-                else
-#endif
-                     if (!X509_check_private_key(c->pkeys[i].x509,pkey))
-                        {
-                        if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
-                                {
-                                i=(i == SSL_PKEY_DH_RSA)?
-                                        SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
-                                if (c->pkeys[i].x509 == NULL)
-                                        ok=1;
-                                else
-                                        {
-                                        if (!X509_check_private_key(
-                                                c->pkeys[i].x509,pkey))
-                                                bad=1;
-                                        else
-                                                ok=1;
-                                        }
-                                }
-                        else
-                                bad=1;
-                        }
-                else
-                        ok=1;
-                }
-        else
-                ok=1;
-        if (bad)
-                {
-                X509_free(c->pkeys[i].x509);
-                c->pkeys[i].x509=NULL;
-                return(0);
-                }
-        ERR_clear_error(); /* make sure no error from X509_check_private_key()
-                            * is left if we have chosen to ignore it */
-        if (c->pkeys[i].privatekey != NULL)
-                EVP_PKEY_free(c->pkeys[i].privatekey);
-        CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
-        c->pkeys[i].privatekey=pkey;
-        c->key= &(c->pkeys[i]);
-        c->valid=0;
-        return(1);
-        }
-#ifndef OPENSSL_NO_RSA
-#ifndef OPENSSL_NO_STDIO
-int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
-        {
-        int j,ret=0;
-        BIO *in;
-        RSA *rsa=NULL;
-        in=BIO_new(BIO_s_file_internal());
-        if (in == NULL)
-                {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
-                goto end;
-                }
-        if (BIO_read_filename(in,file) <= 0)
-                {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
-                goto end;
-                }
-        if      (type == SSL_FILETYPE_ASN1)
-                {
-                j=ERR_R_ASN1_LIB;
-                rsa=d2i_RSAPrivateKey_bio(in,NULL);
-                }
-        else if (type == SSL_FILETYPE_PEM)
-                {
-                j=ERR_R_PEM_LIB;
-                rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
-                        ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
-                }
-        else
-                {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
-                goto end;
-                }
-        if (rsa == NULL)
-                {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,j);
-                goto end;
-                }
-        ret=SSL_use_RSAPrivateKey(ssl,rsa);
-        RSA_free(rsa);
-end:
-        if (in != NULL) BIO_free(in);
-        return(ret);
-        }
-#endif
-int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
-        {
-        int ret;
-        const unsigned char *p;
-        RSA *rsa;
-        p=d;
-        if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
-                {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
-                return(0);
-                }
-        ret=SSL_use_RSAPrivateKey(ssl,rsa);
-        RSA_free(rsa);
-        return(ret);
-        }
-#endif /* !OPENSSL_NO_RSA */
-int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
-        {
-        int ret;
-        if (pkey == NULL)
-                {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
-                return(0);
-                }
-        if (!ssl_cert_inst(&ssl->cert))
-                {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        ret=ssl_set_pkey(ssl->cert,pkey);
-        return(ret);
-        }
-#ifndef OPENSSL_NO_STDIO
-int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
-        {
-        int j,ret=0;
-        BIO *in;
-        EVP_PKEY *pkey=NULL;
-        in=BIO_new(BIO_s_file_internal());
-        if (in == NULL)
-                {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
-                goto end;
-                }
-        if (BIO_read_filename(in,file) <= 0)
-                {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
-                goto end;
-                }
-        if (type == SSL_FILETYPE_PEM)
-                {
-                j=ERR_R_PEM_LIB;
-                pkey=PEM_read_bio_PrivateKey(in,NULL,
-                        ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
-                }
-        else
-                {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
-                goto end;
-                }
-        if (pkey == NULL)
-                {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,j);
-                goto end;
-                }
-        ret=SSL_use_PrivateKey(ssl,pkey);
-        EVP_PKEY_free(pkey);
-end:
-        if (in != NULL) BIO_free(in);
-        return(ret);
-        }
-#endif
-int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len)
-        {
-        int ret;
-        unsigned char *p;
-        EVP_PKEY *pkey;
-        p=d;
-        if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
-                {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
-                return(0);
-                }
-        ret=SSL_use_PrivateKey(ssl,pkey);
-        EVP_PKEY_free(pkey);
-        return(ret);
-        }
-int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
-        {
-        if (x == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
-                return(0);
-                }
-        if (!ssl_cert_inst(&ctx->cert))
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        return(ssl_set_cert(ctx->cert, x));
-        }
-static int ssl_set_cert(CERT *c, X509 *x)
-        {
-        EVP_PKEY *pkey;
-        int i,ok=0,bad=0;
-        pkey=X509_get_pubkey(x);
-        if (pkey == NULL)
-                {
-                SSLerr(SSL_F_SSL_SET_CERT,SSL_R_X509_LIB);
-                return(0);
-                }
-        i=ssl_cert_type(x,pkey);
-        if (i < 0)
-                {
-                SSLerr(SSL_F_SSL_SET_CERT,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
-                EVP_PKEY_free(pkey);
-                return(0);
-                }
-        if (c->pkeys[i].privatekey != NULL)
-                {
-                EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);
-                ERR_clear_error();
-#ifndef OPENSSL_NO_RSA
-                /* Don't check the public/private key, this is mostly
-                 * for smart cards. */
-                if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
-                        (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
-                         RSA_METHOD_FLAG_NO_CHECK))
-                         ok=1;
-                else
-#endif
-                {
-                if (!X509_check_private_key(x,c->pkeys[i].privatekey))
-                        {
-                        if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
-                                {
-                                i=(i == SSL_PKEY_DH_RSA)?
-                                        SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
-                                if (c->pkeys[i].privatekey == NULL)
-                                        ok=1;
-                                else
-                                        {
-                                        if (!X509_check_private_key(x,
-                                                c->pkeys[i].privatekey))
-                                                bad=1;
-                                        else
-                                                ok=1;
-                                        }
-                                }
-                        else
-                                bad=1;
-                        }
-                else
-                        ok=1;
-                } /* OPENSSL_NO_RSA */
-                }
-        else
-                ok=1;
-        EVP_PKEY_free(pkey);
-        if (bad)
-                {
-                EVP_PKEY_free(c->pkeys[i].privatekey);
-                c->pkeys[i].privatekey=NULL;
-                }
-        if (c->pkeys[i].x509 != NULL)
-                X509_free(c->pkeys[i].x509);
-        CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
-        c->pkeys[i].x509=x;
-        c->key= &(c->pkeys[i]);
-        c->valid=0;
-        return(1);
-        }
-#ifndef OPENSSL_NO_STDIO
-int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
-        {
-        int j;
-        BIO *in;
-        int ret=0;
-        X509 *x=NULL;
-        in=BIO_new(BIO_s_file_internal());
-        if (in == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
-                goto end;
-                }
-        if (BIO_read_filename(in,file) <= 0)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
-                goto end;
-                }
-        if (type == SSL_FILETYPE_ASN1)
-                {
-                j=ERR_R_ASN1_LIB;
-                x=d2i_X509_bio(in,NULL);
-                }
-        else if (type == SSL_FILETYPE_PEM)
-                {
-                j=ERR_R_PEM_LIB;
-                x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
-                }
-        else
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
-                goto end;
-                }
-        if (x == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,j);
-                goto end;
-                }
-        ret=SSL_CTX_use_certificate(ctx,x);
-end:
-        if (x != NULL) X509_free(x);
-        if (in != NULL) BIO_free(in);
-        return(ret);
-        }
-#endif
-int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d)
-        {
-        X509 *x;
-        int ret;
-        x=d2i_X509(NULL,&d,(long)len);
-        if (x == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
-                return(0);
-                }
-        ret=SSL_CTX_use_certificate(ctx,x);
-        X509_free(x);
-        return(ret);
-        }
-#ifndef OPENSSL_NO_RSA
-int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
-        {
-        int ret;
-        EVP_PKEY *pkey;
-        if (rsa == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
-                return(0);
-                }
-        if (!ssl_cert_inst(&ctx->cert))
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        if ((pkey=EVP_PKEY_new()) == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
-                return(0);
-                }
-        RSA_up_ref(rsa);
-        EVP_PKEY_assign_RSA(pkey,rsa);
-        ret=ssl_set_pkey(ctx->cert, pkey);
-        EVP_PKEY_free(pkey);
-        return(ret);
-        }
-#ifndef OPENSSL_NO_STDIO
-int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
-        {
-        int j,ret=0;
-        BIO *in;
-        RSA *rsa=NULL;
-        in=BIO_new(BIO_s_file_internal());
-        if (in == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
-                goto end;
-                }
-        if (BIO_read_filename(in,file) <= 0)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
-                goto end;
-                }
-        if      (type == SSL_FILETYPE_ASN1)
-                {
-                j=ERR_R_ASN1_LIB;
-                rsa=d2i_RSAPrivateKey_bio(in,NULL);
-                }
-        else if (type == SSL_FILETYPE_PEM)
-                {
-                j=ERR_R_PEM_LIB;
-                rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
-                        ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
-                }
-        else
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
-                goto end;
-                }
-        if (rsa == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,j);
-                goto end;
-                }
-        ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
-        RSA_free(rsa);
-end:
-        if (in != NULL) BIO_free(in);
-        return(ret);
-        }
-#endif
-int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len)
-        {
-        int ret;
-        const unsigned char *p;
-        RSA *rsa;
-        p=d;
-        if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
-                return(0);
-                }
-        ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
-        RSA_free(rsa);
-        return(ret);
-        }
-#endif /* !OPENSSL_NO_RSA */
-int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
-        {
-        if (pkey == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
-                return(0);
-                }
-        if (!ssl_cert_inst(&ctx->cert))
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        return(ssl_set_pkey(ctx->cert,pkey));
-        }
-#ifndef OPENSSL_NO_STDIO
-int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
-        {
-        int j,ret=0;
-        BIO *in;
-        EVP_PKEY *pkey=NULL;
-        in=BIO_new(BIO_s_file_internal());
-        if (in == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
-                goto end;
-                }
-        if (BIO_read_filename(in,file) <= 0)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
-                goto end;
-                }
-        if (type == SSL_FILETYPE_PEM)
-                {
-                j=ERR_R_PEM_LIB;
-                pkey=PEM_read_bio_PrivateKey(in,NULL,
-                        ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
-                }
-        else
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
-                goto end;
-                }
-        if (pkey == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,j);
-                goto end;
-                }
-        ret=SSL_CTX_use_PrivateKey(ctx,pkey);
-        EVP_PKEY_free(pkey);
-end:
-        if (in != NULL) BIO_free(in);
-        return(ret);
-        }
-#endif
-int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d,
-             long len)
-        {
-        int ret;
-        unsigned char *p;
-        EVP_PKEY *pkey;
-        p=d;
-        if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
-                return(0);
-                }
-        ret=SSL_CTX_use_PrivateKey(ctx,pkey);
-        EVP_PKEY_free(pkey);
-        return(ret);
-        }
-#ifndef OPENSSL_NO_STDIO
-/* Read a file that contains our certificate in "PEM" format,
- * possibly followed by a sequence of CA certificates that should be
- * sent to the peer in the Certificate message.
- */
-int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
-        {
-        BIO *in;
-        int ret=0;
-        X509 *x=NULL;
-        in=BIO_new(BIO_s_file_internal());
-        if (in == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
-                goto end;
-                }
-        if (BIO_read_filename(in,file) <= 0)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_SYS_LIB);
-                goto end;
-                }
-        x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
-        if (x == NULL)
-                {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
-                goto end;
-                }
-        ret=SSL_CTX_use_certificate(ctx,x);
-        if (ERR_peek_error() != 0)
-                ret = 0;  /* Key/certificate mismatch doesn't imply ret==0 ... */
-        if (ret)
-                {
-                /* If we could set up our certificate, now proceed to
-                 * the CA certificates.
-                 */
-                X509 *ca;
-                int r;
-                unsigned long err;
-                
-                if (ctx->extra_certs != NULL) 
-                        {
-                        sk_X509_pop_free(ctx->extra_certs, X509_free);
-                        ctx->extra_certs = NULL;
-                        }
-                while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata))
-                        != NULL)
-                        {
-                        r = SSL_CTX_add_extra_chain_cert(ctx, ca);
-                        if (!r) 
-                                {
-                                X509_free(ca);
-                                ret = 0;
-                                goto end;
-                                }
-                        /* Note that we must not free r if it was successfully
-                         * added to the chain (while we must free the main
-                         * certificate, since its reference count is increased
-                         * by SSL_CTX_use_certificate). */
-                        }
-                /* When the while loop ends, it's usually just EOF. */
-                err = ERR_peek_last_error();
-                if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
-                        ERR_clear_error();
-                else 
-                        ret = 0; /* some real error */
-                }
-end:
-        if (x != NULL) X509_free(x);
-        if (in != NULL) BIO_free(in);
-        return(ret);
-        }
-#endif
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
deleted file mode 100644
index 2ba8b9612e..0000000000
--- a/src/lib/libssl/ssl_sess.c
+++ /dev/null
@@ -1,755 +0,0 @@
-/* ssl/ssl_sess.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <openssl/lhash.h>
-#include <openssl/rand.h>
-#include "ssl_locl.h"
-static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
-static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
-static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
-SSL_SESSION *SSL_get_session(const SSL *ssl)
-/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
-        {
-        return(ssl->session);
-        }
-SSL_SESSION *SSL_get1_session(SSL *ssl)
-/* variant of SSL_get_session: caller really gets something */
-        {
-        SSL_SESSION *sess;
-        /* Need to lock this all up rather than just use CRYPTO_add so that
-         * somebody doesn't free ssl->session between when we check it's
-         * non-null and when we up the reference count. */
-        CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
-        sess = ssl->session;
-        if(sess)
-                sess->references++;
-        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
-        return(sess);
-        }
-int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
-             CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
-        {
-        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
-                        new_func, dup_func, free_func);
-        }
-int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
-        {
-        return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
-        }
-void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
-        {
-        return(CRYPTO_get_ex_data(&s->ex_data,idx));
-        }
-SSL_SESSION *SSL_SESSION_new(void)
-        {
-        SSL_SESSION *ss;
-        ss=(SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION));
-        if (ss == NULL)
-                {
-                SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        memset(ss,0,sizeof(SSL_SESSION));
-        ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
-        ss->references=1;
-        ss->timeout=60*5+4; /* 5 minute timeout by default */
-        ss->time=(unsigned long)time(NULL);
-        ss->prev=NULL;
-        ss->next=NULL;
-        ss->compress_meth=0;
-        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
-        return(ss);
-        }
-/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
- * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
- * until we have no conflict is going to complete in one iteration pretty much
- * "most" of the time (btw: understatement). So, if it takes us 10 iterations
- * and we still can't avoid a conflict - well that's a reasonable point to call
- * it quits. Either the RAND code is broken or someone is trying to open roughly
- * very close to 2^128 (or 2^256) SSL sessions to our server. How you might
- * store that many sessions is perhaps a more interesting question ... */
-#define MAX_SESS_ID_ATTEMPTS 10
-static int def_generate_session_id(const SSL *ssl, unsigned char *id,
-                                unsigned int *id_len)
-{
-        unsigned int retry = 0;
-        do
-                if(RAND_pseudo_bytes(id, *id_len) <= 0)
-                        return 0;
-        while(SSL_has_matching_session_id(ssl, id, *id_len) &&
-                (++retry < MAX_SESS_ID_ATTEMPTS));
-        if(retry < MAX_SESS_ID_ATTEMPTS)
-                return 1;
-        /* else - woops a session_id match */
-        /* XXX We should also check the external cache --
-         * but the probability of a collision is negligible, and
-         * we could not prevent the concurrent creation of sessions
-         * with identical IDs since we currently don't have means
-         * to atomically check whether a session ID already exists
-         * and make a reservation for it if it does not
-         * (this problem applies to the internal cache as well).
-         */
-        return 0;
-}
-int ssl_get_new_session(SSL *s, int session)
-        {
-        /* This gets used by clients and servers. */
-        unsigned int tmp;
-        SSL_SESSION *ss=NULL;
-        GEN_SESSION_CB cb = def_generate_session_id;
-        if ((ss=SSL_SESSION_new()) == NULL) return(0);
-        /* If the context has a default timeout, use it */
-        if (s->ctx->session_timeout == 0)
-                ss->timeout=SSL_get_default_timeout(s);
-        else
-                ss->timeout=s->ctx->session_timeout;
-        if (s->session != NULL)
-                {
-                SSL_SESSION_free(s->session);
-                s->session=NULL;
-                }
-        if (session)
-                {
-                if (s->version == SSL2_VERSION)
-                        {
-                        ss->ssl_version=SSL2_VERSION;
-                        ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
-                        }
-                else if (s->version == SSL3_VERSION)
-                        {
-                        ss->ssl_version=SSL3_VERSION;
-                        ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
-                        }
-                else if (s->version == TLS1_VERSION)
-                        {
-                        ss->ssl_version=TLS1_VERSION;
-                        ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
-                        }
-                else
-                        {
-                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
-                        SSL_SESSION_free(ss);
-                        return(0);
-                        }
-                /* Choose which callback will set the session ID */
-                CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
-                if(s->generate_session_id)
-                        cb = s->generate_session_id;
-                else if(s->ctx->generate_session_id)
-                        cb = s->ctx->generate_session_id;
-                CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-                /* Choose a session ID */
-                tmp = ss->session_id_length;
-                if(!cb(s, ss->session_id, &tmp))
-                        {
-                        /* The callback failed */
-                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,
-                                SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
-                        SSL_SESSION_free(ss);
-                        return(0);
-                        }
-                /* Don't allow the callback to set the session length to zero.
-                 * nor set it higher than it was. */
-                if(!tmp || (tmp > ss->session_id_length))
-                        {
-                        /* The callback set an illegal length */
-                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,
-                                SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
-                        SSL_SESSION_free(ss);
-                        return(0);
-                        }
-                /* If the session length was shrunk and we're SSLv2, pad it */
-                if((tmp < ss->session_id_length) && (s->version == SSL2_VERSION))
-                        memset(ss->session_id + tmp, 0, ss->session_id_length - tmp);
-                else
-                        ss->session_id_length = tmp;
-                /* Finally, check for a conflict */
-                if(SSL_has_matching_session_id(s, ss->session_id,
-                                                ss->session_id_length))
-                        {
-                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,
-                                SSL_R_SSL_SESSION_ID_CONFLICT);
-                        SSL_SESSION_free(ss);
-                        return(0);
-                        }
-                }
-        else
-                {
-                ss->session_id_length=0;
-                }
-        if (s->sid_ctx_length > sizeof ss->sid_ctx)
-                {
-                SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
-                SSL_SESSION_free(ss);
-                return 0;
-                }
-        memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
-        ss->sid_ctx_length=s->sid_ctx_length;
-        s->session=ss;
-        ss->ssl_version=s->version;
-        ss->verify_result = X509_V_OK;
-        return(1);
-        }
-int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
-        {
-        /* This is used only by servers. */
-        SSL_SESSION *ret=NULL,data;
-        int fatal = 0;
-        data.ssl_version=s->version;
-        data.session_id_length=len;
-        if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
-                goto err;
-        memcpy(data.session_id,session_id,len);
-        if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
-                {
-                CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
-                ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data);
-                if (ret != NULL)
-                    /* don't allow other threads to steal it: */
-                    CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
-                CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-                }
-        if (ret == NULL)
-                {
-                int copy=1;
-        
-                s->ctx->stats.sess_miss++;
-                ret=NULL;
-                if (s->ctx->get_session_cb != NULL
-                    && (ret=s->ctx->get_session_cb(s,session_id,len,&copy))
-                       != NULL)
-                        {
-                        s->ctx->stats.sess_cb_hit++;
-                        /* Increment reference count now if the session callback
-                         * asks us to do so (note that if the session structures
-                         * returned by the callback are shared between threads,
-                         * it must handle the reference count itself [i.e. copy == 0],
-                         * or things won't be thread-safe). */
-                        if (copy)
-                                CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
-                        /* Add the externally cached session to the internal
-                         * cache as well if and only if we are supposed to. */
-                        if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
-                                /* The following should not return 1, otherwise,
-                                 * things are very strange */
-                                SSL_CTX_add_session(s->ctx,ret);
-                        }
-                if (ret == NULL)
-                        goto err;
-                }
-        /* Now ret is non-NULL, and we own one of its reference counts. */
-        if((s->verify_mode&SSL_VERIFY_PEER)
-           && (!s->sid_ctx_length || ret->sid_ctx_length != s->sid_ctx_length
-               || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)))
-            {
-                /* We've found the session named by the client, but we don't
-                 * want to use it in this context. */
-                
-                if (s->sid_ctx_length == 0)
-                        {
-                        /* application should have used SSL[_CTX]_set_session_id_context
-                         * -- we could tolerate this and just pretend we never heard
-                         * of this session, but then applications could effectively
-                         * disable the session cache by accident without anyone noticing */
-                        SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
-                        fatal = 1;
-                        goto err;
-                        }
-                else
-                        {
-#if 0 /* The client cannot always know when a session is not appropriate,
-           * so we shouldn't generate an error message. */
-                        SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
-#endif
-                        goto err; /* treat like cache miss */
-                        }
-                }
-        if (ret->cipher == NULL)
-                {
-                unsigned char buf[5],*p;
-                unsigned long l;
-                p=buf;
-                l=ret->cipher_id;
-                l2n(l,p);
-                if ((ret->ssl_version>>8) == SSL3_VERSION_MAJOR)
-                        ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
-                else 
-                        ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
-                if (ret->cipher == NULL)
-                        goto err;
-                }
-#if 0 /* This is way too late. */
-        /* If a thread got the session, then 'swaped', and another got
-         * it and then due to a time-out decided to 'OPENSSL_free' it we could
-         * be in trouble.  So I'll increment it now, then double decrement
-         * later - am I speaking rubbish?. */
-        CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
-#endif
-        if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
-                {
-                s->ctx->stats.sess_timeout++;
-                /* remove it from the cache */
-                SSL_CTX_remove_session(s->ctx,ret);
-                goto err;
-                }
-        s->ctx->stats.sess_hit++;
-        /* ret->time=time(NULL); */ /* rezero timeout? */
-        /* again, just leave the session 
-         * if it is the same session, we have just incremented and
-         * then decremented the reference count :-) */
-        if (s->session != NULL)
-                SSL_SESSION_free(s->session);
-        s->session=ret;
-        s->verify_result = s->session->verify_result;
-        return(1);
- err:
-        if (ret != NULL)
-                SSL_SESSION_free(ret);
-        if (fatal)
-                return -1;
-        else
-                return 0;
-        }
-int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
-        {
-        int ret=0;
-        SSL_SESSION *s;
-        /* add just 1 reference count for the SSL_CTX's session cache
-         * even though it has two ways of access: each session is in a
-         * doubly linked list and an lhash */
-        CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION);
-        /* if session c is in already in cache, we take back the increment later */
-        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-        s=(SSL_SESSION *)lh_insert(ctx->sessions,c);
-        
-        /* s != NULL iff we already had a session with the given PID.
-         * In this case, s == c should hold (then we did not really modify
-         * ctx->sessions), or we're in trouble. */
-        if (s != NULL && s != c)
-                {
-                /* We *are* in trouble ... */
-                SSL_SESSION_list_remove(ctx,s);
-                SSL_SESSION_free(s);
-                /* ... so pretend the other session did not exist in cache
-                 * (we cannot handle two SSL_SESSION structures with identical
-                 * session ID in the same cache, which could happen e.g. when
-                 * two threads concurrently obtain the same session from an external
-                 * cache) */
-                s = NULL;
-                }
-        /* Put at the head of the queue unless it is already in the cache */
-        if (s == NULL)
-                SSL_SESSION_list_add(ctx,c);
-        if (s != NULL)
-                {
-                /* existing cache entry -- decrement previously incremented reference
-                 * count because it already takes into account the cache */
-                SSL_SESSION_free(s); /* s == c */
-                ret=0;
-                }
-        else
-                {
-                /* new cache entry -- remove old ones if cache has become too large */
-                
-                ret=1;
-                if (SSL_CTX_sess_get_cache_size(ctx) > 0)
-                        {
-                        while (SSL_CTX_sess_number(ctx) >
-                                SSL_CTX_sess_get_cache_size(ctx))
-                                {
-                                if (!remove_session_lock(ctx,
-                                        ctx->session_cache_tail, 0))
-                                        break;
-                                else
-                                        ctx->stats.sess_cache_full++;
-                                }
-                        }
-                }
-        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
-        return(ret);
-        }
-int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
-{
-        return remove_session_lock(ctx, c, 1);
-}
-static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
-        {
-        SSL_SESSION *r;
-        int ret=0;
-        if ((c != NULL) && (c->session_id_length != 0))
-                {
-                if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-                if ((r = (SSL_SESSION *)lh_retrieve(ctx->sessions,c)) == c)
-                        {
-                        ret=1;
-                        r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
-                        SSL_SESSION_list_remove(ctx,c);
-                        }
-                if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
-                if (ret)
-                        {
-                        r->not_resumable=1;
-                        if (ctx->remove_session_cb != NULL)
-                                ctx->remove_session_cb(ctx,r);
-                        SSL_SESSION_free(r);
-                        }
-                }
-        else
-                ret=0;
-        return(ret);
-        }
-void SSL_SESSION_free(SSL_SESSION *ss)
-        {
-        int i;
-        if(ss == NULL)
-            return;
-        i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION);
-#ifdef REF_PRINT
-        REF_PRINT("SSL_SESSION",ss);
-#endif
-        if (i > 0) return;
-#ifdef REF_CHECK
-        if (i < 0)
-                {
-                fprintf(stderr,"SSL_SESSION_free, bad reference count\n");
-                abort(); /* ok */
-                }
-#endif
-        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
-        OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg);
-        OPENSSL_cleanse(ss->master_key,sizeof ss->master_key);
-        OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
-        if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
-        if (ss->peer != NULL) X509_free(ss->peer);
-        if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
-        OPENSSL_cleanse(ss,sizeof(*ss));
-        OPENSSL_free(ss);
-        }
-int SSL_set_session(SSL *s, SSL_SESSION *session)
-        {
-        int ret=0;
-        SSL_METHOD *meth;
-        if (session != NULL)
-                {
-                meth=s->ctx->method->get_ssl_method(session->ssl_version);
-                if (meth == NULL)
-                        meth=s->method->get_ssl_method(session->ssl_version);
-                if (meth == NULL)
-                        {
-                        SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_METHOD);
-                        return(0);
-                        }
-                if (meth != s->method)
-                        {
-                        if (!SSL_set_ssl_method(s,meth))
-                                return(0);
-                        if (s->ctx->session_timeout == 0)
-                                session->timeout=SSL_get_default_timeout(s);
-                        else
-                                session->timeout=s->ctx->session_timeout;
-                        }
-#ifndef OPENSSL_NO_KRB5
-                if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
-                    session->krb5_client_princ_len > 0)
-                {
-                    s->kssl_ctx->client_princ = (char *)malloc(session->krb5_client_princ_len + 1);
-                    memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
-                            session->krb5_client_princ_len);
-                    s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
-                }
-#endif /* OPENSSL_NO_KRB5 */
-                /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
-                CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION);
-                if (s->session != NULL)
-                        SSL_SESSION_free(s->session);
-                s->session=session;
-                s->verify_result = s->session->verify_result;
-                /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
-                ret=1;
-                }
-        else
-                {
-                if (s->session != NULL)
-                        {
-                        SSL_SESSION_free(s->session);
-                        s->session=NULL;
-                        }
-                meth=s->ctx->method;
-                if (meth != s->method)
-                        {
-                        if (!SSL_set_ssl_method(s,meth))
-                                return(0);
-                        }
-                ret=1;
-                }
-        return(ret);
-        }
-long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
-        {
-        if (s == NULL) return(0);
-        s->timeout=t;
-        return(1);
-        }
-long SSL_SESSION_get_timeout(const SSL_SESSION *s)
-        {
-        if (s == NULL) return(0);
-        return(s->timeout);
-        }
-long SSL_SESSION_get_time(const SSL_SESSION *s)
-        {
-        if (s == NULL) return(0);
-        return(s->time);
-        }
-long SSL_SESSION_set_time(SSL_SESSION *s, long t)
-        {
-        if (s == NULL) return(0);
-        s->time=t;
-        return(t);
-        }
-long SSL_CTX_set_timeout(SSL_CTX *s, long t)
-        {
-        long l;
-        if (s == NULL) return(0);
-        l=s->session_timeout;
-        s->session_timeout=t;
-        return(l);
-        }
-long SSL_CTX_get_timeout(const SSL_CTX *s)
-        {
-        if (s == NULL) return(0);
-        return(s->session_timeout);
-        }
-typedef struct timeout_param_st
-        {
-        SSL_CTX *ctx;
-        long time;
-        LHASH *cache;
-        } TIMEOUT_PARAM;
-static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p)
-        {
-        if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
-                {
-                /* The reason we don't call SSL_CTX_remove_session() is to
-                 * save on locking overhead */
-                lh_delete(p->cache,s);
-                SSL_SESSION_list_remove(p->ctx,s);
-                s->not_resumable=1;
-                if (p->ctx->remove_session_cb != NULL)
-                        p->ctx->remove_session_cb(p->ctx,s);
-                SSL_SESSION_free(s);
-                }
-        }
-static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION *, TIMEOUT_PARAM *)
-void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
-        {
-        unsigned long i;
-        TIMEOUT_PARAM tp;
-        tp.ctx=s;
-        tp.cache=s->sessions;
-        if (tp.cache == NULL) return;
-        tp.time=t;
-        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-        i=tp.cache->down_load;
-        tp.cache->down_load=0;
-        lh_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), &tp);
-        tp.cache->down_load=i;
-        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
-        }
-int ssl_clear_bad_session(SSL *s)
-        {
-        if (    (s->session != NULL) &&
-                !(s->shutdown & SSL_SENT_SHUTDOWN) &&
-                !(SSL_in_init(s) || SSL_in_before(s)))
-                {
-                SSL_CTX_remove_session(s->ctx,s->session);
-                return(1);
-                }
-        else
-                return(0);
-        }
-/* locked by SSL_CTX in the calling function */
-static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
-        {
-        if ((s->next == NULL) || (s->prev == NULL)) return;
-        if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
-                { /* last element in list */
-                if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
-                        { /* only one element in list */
-                        ctx->session_cache_head=NULL;
-                        ctx->session_cache_tail=NULL;
-                        }
-                else
-                        {
-                        ctx->session_cache_tail=s->prev;
-                        s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail);
-                        }
-                }
-        else
-                {
-                if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
-                        { /* first element in list */
-                        ctx->session_cache_head=s->next;
-                        s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
-                        }
-                else
-                        { /* middle of list */
-                        s->next->prev=s->prev;
-                        s->prev->next=s->next;
-                        }
-                }
-        s->prev=s->next=NULL;
-        }
-static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
-        {
-        if ((s->next != NULL) && (s->prev != NULL))
-                SSL_SESSION_list_remove(ctx,s);
-        if (ctx->session_cache_head == NULL)
-                {
-                ctx->session_cache_head=s;
-                ctx->session_cache_tail=s;
-                s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
-                s->next=(SSL_SESSION *)&(ctx->session_cache_tail);
-                }
-        else
-                {
-                s->next=ctx->session_cache_head;
-                s->next->prev=s;
-                s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
-                ctx->session_cache_head=s;
-                }
-        }
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
deleted file mode 100644
index b16d253081..0000000000
--- a/src/lib/libssl/ssl_stat.c
+++ /dev/null
@@ -1,502 +0,0 @@
-/* ssl/ssl_stat.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include "ssl_locl.h"
-const char *SSL_state_string_long(const SSL *s)
-        {
-        const char *str;
-        switch (s->state)
-                {
-case SSL_ST_BEFORE: str="before SSL initialization"; break;
-case SSL_ST_ACCEPT: str="before accept initialization"; break;
-case SSL_ST_CONNECT: str="before connect initialization"; break;
-case SSL_ST_OK: str="SSL negotiation finished successfully"; break;
-case SSL_ST_RENEGOTIATE:        str="SSL renegotiate ciphers"; break;
-case SSL_ST_BEFORE|SSL_ST_CONNECT: str="before/connect initialization"; break;
-case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break;
-case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break;
-case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break;
-#ifndef OPENSSL_NO_SSL2
-case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break;
-case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break;
-case SSL2_ST_SEND_CLIENT_HELLO_A: str="SSLv2 write client hello A"; break;
-case SSL2_ST_SEND_CLIENT_HELLO_B: str="SSLv2 write client hello B"; break;
-case SSL2_ST_GET_SERVER_HELLO_A: str="SSLv2 read server hello A"; break;
-case SSL2_ST_GET_SERVER_HELLO_B: str="SSLv2 read server hello B"; break;
-case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="SSLv2 write client master key A"; break;
-case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="SSLv2 write client master key B"; break;
-case SSL2_ST_SEND_CLIENT_FINISHED_A: str="SSLv2 write client finished A"; break;
-case SSL2_ST_SEND_CLIENT_FINISHED_B: str="SSLv2 write client finished B"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="SSLv2 write client certificate A"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="SSLv2 write client certificate B"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="SSLv2 write client certificate C"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="SSLv2 write client certificate D"; break;
-case SSL2_ST_GET_SERVER_VERIFY_A: str="SSLv2 read server verify A"; break;
-case SSL2_ST_GET_SERVER_VERIFY_B: str="SSLv2 read server verify B"; break;
-case SSL2_ST_GET_SERVER_FINISHED_A: str="SSLv2 read server finished A"; break;
-case SSL2_ST_GET_SERVER_FINISHED_B: str="SSLv2 read server finished B"; break;
-case SSL2_ST_GET_CLIENT_HELLO_A: str="SSLv2 read client hello A"; break;
-case SSL2_ST_GET_CLIENT_HELLO_B: str="SSLv2 read client hello B"; break;
-case SSL2_ST_GET_CLIENT_HELLO_C: str="SSLv2 read client hello C"; break;
-case SSL2_ST_SEND_SERVER_HELLO_A: str="SSLv2 write server hello A"; break;
-case SSL2_ST_SEND_SERVER_HELLO_B: str="SSLv2 write server hello B"; break;
-case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="SSLv2 read client master key A"; break;
-case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="SSLv2 read client master key B"; break;
-case SSL2_ST_SEND_SERVER_VERIFY_A: str="SSLv2 write server verify A"; break;
-case SSL2_ST_SEND_SERVER_VERIFY_B: str="SSLv2 write server verify B"; break;
-case SSL2_ST_SEND_SERVER_VERIFY_C: str="SSLv2 write server verify C"; break;
-case SSL2_ST_GET_CLIENT_FINISHED_A: str="SSLv2 read client finished A"; break;
-case SSL2_ST_GET_CLIENT_FINISHED_B: str="SSLv2 read client finished B"; break;
-case SSL2_ST_SEND_SERVER_FINISHED_A: str="SSLv2 write server finished A"; break;
-case SSL2_ST_SEND_SERVER_FINISHED_B: str="SSLv2 write server finished B"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="SSLv2 write request certificate A"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="SSLv2 write request certificate B"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="SSLv2 write request certificate C"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="SSLv2 write request certificate D"; break;
-case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="SSLv2 X509 read server certificate"; break;
-case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="SSLv2 X509 read client certificate"; break;
-#endif
-#ifndef OPENSSL_NO_SSL3
-/* SSLv3 additions */
-case SSL3_ST_CW_CLNT_HELLO_A:   str="SSLv3 write client hello A"; break;
-case SSL3_ST_CW_CLNT_HELLO_B:   str="SSLv3 write client hello B"; break;
-case SSL3_ST_CR_SRVR_HELLO_A:   str="SSLv3 read server hello A"; break;
-case SSL3_ST_CR_SRVR_HELLO_B:   str="SSLv3 read server hello B"; break;
-case SSL3_ST_CR_CERT_A:         str="SSLv3 read server certificate A"; break;
-case SSL3_ST_CR_CERT_B:         str="SSLv3 read server certificate B"; break;
-case SSL3_ST_CR_KEY_EXCH_A:     str="SSLv3 read server key exchange A"; break;
-case SSL3_ST_CR_KEY_EXCH_B:     str="SSLv3 read server key exchange B"; break;
-case SSL3_ST_CR_CERT_REQ_A:     str="SSLv3 read server certificate request A"; break;
-case SSL3_ST_CR_CERT_REQ_B:     str="SSLv3 read server certificate request B"; break;
-case SSL3_ST_CR_SRVR_DONE_A:    str="SSLv3 read server done A"; break;
-case SSL3_ST_CR_SRVR_DONE_B:    str="SSLv3 read server done B"; break;
-case SSL3_ST_CW_CERT_A:         str="SSLv3 write client certificate A"; break;
-case SSL3_ST_CW_CERT_B:         str="SSLv3 write client certificate B"; break;
-case SSL3_ST_CW_CERT_C:         str="SSLv3 write client certificate C"; break;
-case SSL3_ST_CW_CERT_D:         str="SSLv3 write client certificate D"; break;
-case SSL3_ST_CW_KEY_EXCH_A:     str="SSLv3 write client key exchange A"; break;
-case SSL3_ST_CW_KEY_EXCH_B:     str="SSLv3 write client key exchange B"; break;
-case SSL3_ST_CW_CERT_VRFY_A:    str="SSLv3 write certificate verify A"; break;
-case SSL3_ST_CW_CERT_VRFY_B:    str="SSLv3 write certificate verify B"; break;
-case SSL3_ST_CW_CHANGE_A:
-case SSL3_ST_SW_CHANGE_A:       str="SSLv3 write change cipher spec A"; break;
-case SSL3_ST_CW_CHANGE_B:       
-case SSL3_ST_SW_CHANGE_B:       str="SSLv3 write change cipher spec B"; break;
-case SSL3_ST_CW_FINISHED_A:     
-case SSL3_ST_SW_FINISHED_A:     str="SSLv3 write finished A"; break;
-case SSL3_ST_CW_FINISHED_B:     
-case SSL3_ST_SW_FINISHED_B:     str="SSLv3 write finished B"; break;
-case SSL3_ST_CR_CHANGE_A:       
-case SSL3_ST_SR_CHANGE_A:       str="SSLv3 read change cipher spec A"; break;
-case SSL3_ST_CR_CHANGE_B:       
-case SSL3_ST_SR_CHANGE_B:       str="SSLv3 read change cipher spec B"; break;
-case SSL3_ST_CR_FINISHED_A:     
-case SSL3_ST_SR_FINISHED_A:     str="SSLv3 read finished A"; break;
-case SSL3_ST_CR_FINISHED_B:     
-case SSL3_ST_SR_FINISHED_B:     str="SSLv3 read finished B"; break;
-case SSL3_ST_CW_FLUSH:
-case SSL3_ST_SW_FLUSH:          str="SSLv3 flush data"; break;
-case SSL3_ST_SR_CLNT_HELLO_A:   str="SSLv3 read client hello A"; break;
-case SSL3_ST_SR_CLNT_HELLO_B:   str="SSLv3 read client hello B"; break;
-case SSL3_ST_SR_CLNT_HELLO_C:   str="SSLv3 read client hello C"; break;
-case SSL3_ST_SW_HELLO_REQ_A:    str="SSLv3 write hello request A"; break;
-case SSL3_ST_SW_HELLO_REQ_B:    str="SSLv3 write hello request B"; break;
-case SSL3_ST_SW_HELLO_REQ_C:    str="SSLv3 write hello request C"; break;
-case SSL3_ST_SW_SRVR_HELLO_A:   str="SSLv3 write server hello A"; break;
-case SSL3_ST_SW_SRVR_HELLO_B:   str="SSLv3 write server hello B"; break;
-case SSL3_ST_SW_CERT_A:         str="SSLv3 write certificate A"; break;
-case SSL3_ST_SW_CERT_B:         str="SSLv3 write certificate B"; break;
-case SSL3_ST_SW_KEY_EXCH_A:     str="SSLv3 write key exchange A"; break;
-case SSL3_ST_SW_KEY_EXCH_B:     str="SSLv3 write key exchange B"; break;
-case SSL3_ST_SW_CERT_REQ_A:     str="SSLv3 write certificate request A"; break;
-case SSL3_ST_SW_CERT_REQ_B:     str="SSLv3 write certificate request B"; break;
-case SSL3_ST_SW_SRVR_DONE_A:    str="SSLv3 write server done A"; break;
-case SSL3_ST_SW_SRVR_DONE_B:    str="SSLv3 write server done B"; break;
-case SSL3_ST_SR_CERT_A:         str="SSLv3 read client certificate A"; break;
-case SSL3_ST_SR_CERT_B:         str="SSLv3 read client certificate B"; break;
-case SSL3_ST_SR_KEY_EXCH_A:     str="SSLv3 read client key exchange A"; break;
-case SSL3_ST_SR_KEY_EXCH_B:     str="SSLv3 read client key exchange B"; break;
-case SSL3_ST_SR_CERT_VRFY_A:    str="SSLv3 read certificate verify A"; break;
-case SSL3_ST_SR_CERT_VRFY_B:    str="SSLv3 read certificate verify B"; break;
-#endif
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
-/* SSLv2/v3 compatibility states */
-/* client */
-case SSL23_ST_CW_CLNT_HELLO_A:  str="SSLv2/v3 write client hello A"; break;
-case SSL23_ST_CW_CLNT_HELLO_B:  str="SSLv2/v3 write client hello B"; break;
-case SSL23_ST_CR_SRVR_HELLO_A:  str="SSLv2/v3 read server hello A"; break;
-case SSL23_ST_CR_SRVR_HELLO_B:  str="SSLv2/v3 read server hello B"; break;
-/* server */
-case SSL23_ST_SR_CLNT_HELLO_A:  str="SSLv2/v3 read client hello A"; break;
-case SSL23_ST_SR_CLNT_HELLO_B:  str="SSLv2/v3 read client hello B"; break;
-#endif
-default:        str="unknown state"; break;
-                }
-        return(str);
-        }
-const char *SSL_rstate_string_long(const SSL *s)
-        {
-        const char *str;
-        switch (s->rstate)
-                {
-        case SSL_ST_READ_HEADER: str="read header"; break;
-        case SSL_ST_READ_BODY: str="read body"; break;
-        case SSL_ST_READ_DONE: str="read done"; break;
-        default: str="unknown"; break;
-                }
-        return(str);
-        }
-const char *SSL_state_string(const SSL *s)
-        {
-        const char *str;
-        switch (s->state)
-                {
-case SSL_ST_BEFORE:                             str="PINIT "; break;
-case SSL_ST_ACCEPT:                             str="AINIT "; break;
-case SSL_ST_CONNECT:                            str="CINIT "; break;
-case SSL_ST_OK:                                 str="SSLOK "; break;
-#ifndef OPENSSL_NO_SSL2
-case SSL2_ST_CLIENT_START_ENCRYPTION:           str="2CSENC"; break;
-case SSL2_ST_SERVER_START_ENCRYPTION:           str="2SSENC"; break;
-case SSL2_ST_SEND_CLIENT_HELLO_A:               str="2SCH_A"; break;
-case SSL2_ST_SEND_CLIENT_HELLO_B:               str="2SCH_B"; break;
-case SSL2_ST_GET_SERVER_HELLO_A:                str="2GSH_A"; break;
-case SSL2_ST_GET_SERVER_HELLO_B:                str="2GSH_B"; break;
-case SSL2_ST_SEND_CLIENT_MASTER_KEY_A:          str="2SCMKA"; break;
-case SSL2_ST_SEND_CLIENT_MASTER_KEY_B:          str="2SCMKB"; break;
-case SSL2_ST_SEND_CLIENT_FINISHED_A:            str="2SCF_A"; break;
-case SSL2_ST_SEND_CLIENT_FINISHED_B:            str="2SCF_B"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_A:         str="2SCC_A"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_B:         str="2SCC_B"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_C:         str="2SCC_C"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_D:         str="2SCC_D"; break;
-case SSL2_ST_GET_SERVER_VERIFY_A:               str="2GSV_A"; break;
-case SSL2_ST_GET_SERVER_VERIFY_B:               str="2GSV_B"; break;
-case SSL2_ST_GET_SERVER_FINISHED_A:             str="2GSF_A"; break;
-case SSL2_ST_GET_SERVER_FINISHED_B:             str="2GSF_B"; break;
-case SSL2_ST_GET_CLIENT_HELLO_A:                str="2GCH_A"; break;
-case SSL2_ST_GET_CLIENT_HELLO_B:                str="2GCH_B"; break;
-case SSL2_ST_GET_CLIENT_HELLO_C:                str="2GCH_C"; break;
-case SSL2_ST_SEND_SERVER_HELLO_A:               str="2SSH_A"; break;
-case SSL2_ST_SEND_SERVER_HELLO_B:               str="2SSH_B"; break;
-case SSL2_ST_GET_CLIENT_MASTER_KEY_A:           str="2GCMKA"; break;
-case SSL2_ST_GET_CLIENT_MASTER_KEY_B:           str="2GCMKA"; break;
-case SSL2_ST_SEND_SERVER_VERIFY_A:              str="2SSV_A"; break;
-case SSL2_ST_SEND_SERVER_VERIFY_B:              str="2SSV_B"; break;
-case SSL2_ST_SEND_SERVER_VERIFY_C:              str="2SSV_C"; break;
-case SSL2_ST_GET_CLIENT_FINISHED_A:             str="2GCF_A"; break;
-case SSL2_ST_GET_CLIENT_FINISHED_B:             str="2GCF_B"; break;
-case SSL2_ST_SEND_SERVER_FINISHED_A:            str="2SSF_A"; break;
-case SSL2_ST_SEND_SERVER_FINISHED_B:            str="2SSF_B"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_A:        str="2SRC_A"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_B:        str="2SRC_B"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_C:        str="2SRC_C"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_D:        str="2SRC_D"; break;
-case SSL2_ST_X509_GET_SERVER_CERTIFICATE:       str="2X9GSC"; break;
-case SSL2_ST_X509_GET_CLIENT_CERTIFICATE:       str="2X9GCC"; break;
-#endif
-#ifndef OPENSSL_NO_SSL3
-/* SSLv3 additions */
-case SSL3_ST_SW_FLUSH:
-case SSL3_ST_CW_FLUSH:                          str="3FLUSH"; break;
-case SSL3_ST_CW_CLNT_HELLO_A:                   str="3WCH_A"; break;
-case SSL3_ST_CW_CLNT_HELLO_B:                   str="3WCH_B"; break;
-case SSL3_ST_CR_SRVR_HELLO_A:                   str="3RSH_A"; break;
-case SSL3_ST_CR_SRVR_HELLO_B:                   str="3RSH_B"; break;
-case SSL3_ST_CR_CERT_A:                         str="3RSC_A"; break;
-case SSL3_ST_CR_CERT_B:                         str="3RSC_B"; break;
-case SSL3_ST_CR_KEY_EXCH_A:                     str="3RSKEA"; break;
-case SSL3_ST_CR_KEY_EXCH_B:                     str="3RSKEB"; break;
-case SSL3_ST_CR_CERT_REQ_A:                     str="3RCR_A"; break;
-case SSL3_ST_CR_CERT_REQ_B:                     str="3RCR_B"; break;
-case SSL3_ST_CR_SRVR_DONE_A:                    str="3RSD_A"; break;
-case SSL3_ST_CR_SRVR_DONE_B:                    str="3RSD_B"; break;
-case SSL3_ST_CW_CERT_A:                         str="3WCC_A"; break;
-case SSL3_ST_CW_CERT_B:                         str="3WCC_B"; break;
-case SSL3_ST_CW_CERT_C:                         str="3WCC_C"; break;
-case SSL3_ST_CW_CERT_D:                         str="3WCC_D"; break;
-case SSL3_ST_CW_KEY_EXCH_A:                     str="3WCKEA"; break;
-case SSL3_ST_CW_KEY_EXCH_B:                     str="3WCKEB"; break;
-case SSL3_ST_CW_CERT_VRFY_A:                    str="3WCV_A"; break;
-case SSL3_ST_CW_CERT_VRFY_B:                    str="3WCV_B"; break;
-case SSL3_ST_SW_CHANGE_A:
-case SSL3_ST_CW_CHANGE_A:                       str="3WCCSA"; break;
-case SSL3_ST_SW_CHANGE_B:
-case SSL3_ST_CW_CHANGE_B:                       str="3WCCSB"; break;
-case SSL3_ST_SW_FINISHED_A:
-case SSL3_ST_CW_FINISHED_A:                     str="3WFINA"; break;
-case SSL3_ST_SW_FINISHED_B:
-case SSL3_ST_CW_FINISHED_B:                     str="3WFINB"; break;
-case SSL3_ST_SR_CHANGE_A:
-case SSL3_ST_CR_CHANGE_A:                       str="3RCCSA"; break;
-case SSL3_ST_SR_CHANGE_B:
-case SSL3_ST_CR_CHANGE_B:                       str="3RCCSB"; break;
-case SSL3_ST_SR_FINISHED_A:
-case SSL3_ST_CR_FINISHED_A:                     str="3RFINA"; break;
-case SSL3_ST_SR_FINISHED_B:
-case SSL3_ST_CR_FINISHED_B:                     str="3RFINB"; break;
-case SSL3_ST_SW_HELLO_REQ_A:                    str="3WHR_A"; break;
-case SSL3_ST_SW_HELLO_REQ_B:                    str="3WHR_B"; break;
-case SSL3_ST_SW_HELLO_REQ_C:                    str="3WHR_C"; break;
-case SSL3_ST_SR_CLNT_HELLO_A:                   str="3RCH_A"; break;
-case SSL3_ST_SR_CLNT_HELLO_B:                   str="3RCH_B"; break;
-case SSL3_ST_SR_CLNT_HELLO_C:                   str="3RCH_C"; break;
-case SSL3_ST_SW_SRVR_HELLO_A:                   str="3WSH_A"; break;
-case SSL3_ST_SW_SRVR_HELLO_B:                   str="3WSH_B"; break;
-case SSL3_ST_SW_CERT_A:                         str="3WSC_A"; break;
-case SSL3_ST_SW_CERT_B:                         str="3WSC_B"; break;
-case SSL3_ST_SW_KEY_EXCH_A:                     str="3WSKEA"; break;
-case SSL3_ST_SW_KEY_EXCH_B:                     str="3WSKEB"; break;
-case SSL3_ST_SW_CERT_REQ_A:                     str="3WCR_A"; break;
-case SSL3_ST_SW_CERT_REQ_B:                     str="3WCR_B"; break;
-case SSL3_ST_SW_SRVR_DONE_A:                    str="3WSD_A"; break;
-case SSL3_ST_SW_SRVR_DONE_B:                    str="3WSD_B"; break;
-case SSL3_ST_SR_CERT_A:                         str="3RCC_A"; break;
-case SSL3_ST_SR_CERT_B:                         str="3RCC_B"; break;
-case SSL3_ST_SR_KEY_EXCH_A:                     str="3RCKEA"; break;
-case SSL3_ST_SR_KEY_EXCH_B:                     str="3RCKEB"; break;
-case SSL3_ST_SR_CERT_VRFY_A:                    str="3RCV_A"; break;
-case SSL3_ST_SR_CERT_VRFY_B:                    str="3RCV_B"; break;
-#endif
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
-/* SSLv2/v3 compatibility states */
-/* client */
-case SSL23_ST_CW_CLNT_HELLO_A:                  str="23WCHA"; break;
-case SSL23_ST_CW_CLNT_HELLO_B:                  str="23WCHB"; break;
-case SSL23_ST_CR_SRVR_HELLO_A:                  str="23RSHA"; break;
-case SSL23_ST_CR_SRVR_HELLO_B:                  str="23RSHA"; break;
-/* server */
-case SSL23_ST_SR_CLNT_HELLO_A:                  str="23RCHA"; break;
-case SSL23_ST_SR_CLNT_HELLO_B:                  str="23RCHB"; break;
-#endif
-default:                                        str="UNKWN "; break;
-                }
-        return(str);
-        }
-const char *SSL_alert_type_string_long(int value)
-        {
-        value>>=8;
-        if (value == SSL3_AL_WARNING)
-                return("warning");
-        else if (value == SSL3_AL_FATAL)
-                return("fatal");
-        else
-                return("unknown");
-        }
-const char *SSL_alert_type_string(int value)
-        {
-        value>>=8;
-        if (value == SSL3_AL_WARNING)
-                return("W");
-        else if (value == SSL3_AL_FATAL)
-                return("F");
-        else
-                return("U");
-        }
-const char *SSL_alert_desc_string(int value)
-        {
-        const char *str;
-        switch (value & 0xff)
-                {
-        case SSL3_AD_CLOSE_NOTIFY:              str="CN"; break;
-        case SSL3_AD_UNEXPECTED_MESSAGE:        str="UM"; break;
-        case SSL3_AD_BAD_RECORD_MAC:            str="BM"; break;
-        case SSL3_AD_DECOMPRESSION_FAILURE:     str="DF"; break;
-        case SSL3_AD_HANDSHAKE_FAILURE:         str="HF"; break;
-        case SSL3_AD_NO_CERTIFICATE:            str="NC"; break;
-        case SSL3_AD_BAD_CERTIFICATE:           str="BC"; break;
-        case SSL3_AD_UNSUPPORTED_CERTIFICATE:   str="UC"; break;
-        case SSL3_AD_CERTIFICATE_REVOKED:       str="CR"; break;
-        case SSL3_AD_CERTIFICATE_EXPIRED:       str="CE"; break;
-        case SSL3_AD_CERTIFICATE_UNKNOWN:       str="CU"; break;
-        case SSL3_AD_ILLEGAL_PARAMETER:         str="IP"; break;
-        case TLS1_AD_DECRYPTION_FAILED:         str="DC"; break;
-        case TLS1_AD_RECORD_OVERFLOW:           str="RO"; break;
-        case TLS1_AD_UNKNOWN_CA:                str="CA"; break;
-        case TLS1_AD_ACCESS_DENIED:             str="AD"; break;
-        case TLS1_AD_DECODE_ERROR:              str="DE"; break;
-        case TLS1_AD_DECRYPT_ERROR:             str="CY"; break;
-        case TLS1_AD_EXPORT_RESTRICTION:        str="ER"; break;
-        case TLS1_AD_PROTOCOL_VERSION:          str="PV"; break;
-        case TLS1_AD_INSUFFICIENT_SECURITY:     str="IS"; break;
-        case TLS1_AD_INTERNAL_ERROR:            str="IE"; break;
-        case TLS1_AD_USER_CANCELLED:            str="US"; break;
-        case TLS1_AD_NO_RENEGOTIATION:          str="NR"; break;
-        default:                                str="UK"; break;
-                }
-        return(str);
-        }
-const char *SSL_alert_desc_string_long(int value)
-        {
-        const char *str;
-        switch (value & 0xff)
-                {
-        case SSL3_AD_CLOSE_NOTIFY:
-                str="close notify";
-                break;
-        case SSL3_AD_UNEXPECTED_MESSAGE:
-                str="unexpected_message";
-                break;
-        case SSL3_AD_BAD_RECORD_MAC:
-                str="bad record mac";
-                break;
-        case SSL3_AD_DECOMPRESSION_FAILURE:
-                str="decompression failure";
-                break;
-        case SSL3_AD_HANDSHAKE_FAILURE:
-                str="handshake failure";
-                break;
-        case SSL3_AD_NO_CERTIFICATE:
-                str="no certificate";
-                break;
-        case SSL3_AD_BAD_CERTIFICATE:
-                str="bad certificate";
-                break;
-        case SSL3_AD_UNSUPPORTED_CERTIFICATE:
-                str="unsupported certificate";
-                break;
-        case SSL3_AD_CERTIFICATE_REVOKED:
-                str="certificate revoked";
-                break;
-        case SSL3_AD_CERTIFICATE_EXPIRED:
-                str="certificate expired";
-                break;
-        case SSL3_AD_CERTIFICATE_UNKNOWN:
-                str="certificate unknown";
-                break;
-        case SSL3_AD_ILLEGAL_PARAMETER:
-                str="illegal parameter";
-                break;
-        case TLS1_AD_DECRYPTION_FAILED:
-                str="decryption failed";
-                break;
-        case TLS1_AD_RECORD_OVERFLOW:
-                str="record overflow";
-                break;
-        case TLS1_AD_UNKNOWN_CA:
-                str="unknown CA";
-                break;
-        case TLS1_AD_ACCESS_DENIED:
-                str="access denied";
-                break;
-        case TLS1_AD_DECODE_ERROR:
-                str="decode error";
-                break;
-        case TLS1_AD_DECRYPT_ERROR:
-                str="decrypt error";
-                break;
-        case TLS1_AD_EXPORT_RESTRICTION:
-                str="export restriction";
-                break;
-        case TLS1_AD_PROTOCOL_VERSION:
-                str="protocol version";
-                break;
-        case TLS1_AD_INSUFFICIENT_SECURITY:
-                str="insufficient security";
-                break;
-        case TLS1_AD_INTERNAL_ERROR:
-                str="internal error";
-                break;
-        case TLS1_AD_USER_CANCELLED:
-                str="user canceled";
-                break;
-        case TLS1_AD_NO_RENEGOTIATION:
-                str="no renegotiation";
-                break;
-        default: str="unknown"; break;
-                }
-        return(str);
-        }
-const char *SSL_rstate_string(const SSL *s)
-        {
-        const char *str;
-        switch (s->rstate)
-                {
-        case SSL_ST_READ_HEADER:str="RH"; break;
-        case SSL_ST_READ_BODY:  str="RB"; break;
-        case SSL_ST_READ_DONE:  str="RD"; break;
-        default: str="unknown"; break;
-                }
-        return(str);
-        }
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
deleted file mode 100644
index 8655a31333..0000000000
--- a/src/lib/libssl/ssl_txt.c
+++ /dev/null
@@ -1,186 +0,0 @@
-/* ssl/ssl_txt.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <openssl/buffer.h>
-#include "ssl_locl.h"
-#ifndef OPENSSL_NO_FP_API
-int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
-        {
-        BIO *b;
-        int ret;
-        if ((b=BIO_new(BIO_s_file_internal())) == NULL)
-                {
-                SSLerr(SSL_F_SSL_SESSION_PRINT_FP,ERR_R_BUF_LIB);
-                return(0);
-                }
-        BIO_set_fp(b,fp,BIO_NOCLOSE);
-        ret=SSL_SESSION_print(b,x);
-        BIO_free(b);
-        return(ret);
-        }
-#endif
-int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
-        {
-        unsigned int i;
-        char *s;
-        if (x == NULL) goto err;
-        if (BIO_puts(bp,"SSL-Session:\n") <= 0) goto err;
-        if (x->ssl_version == SSL2_VERSION)
-                s="SSLv2";
-        else if (x->ssl_version == SSL3_VERSION)
-                s="SSLv3";
-        else if (x->ssl_version == TLS1_VERSION)
-                s="TLSv1";
-        else
-                s="unknown";
-        if (BIO_printf(bp,"    Protocol  : %s\n",s) <= 0) goto err;
-        if (x->cipher == NULL)
-                {
-                if (((x->cipher_id) & 0xff000000) == 0x02000000)
-                        {
-                        if (BIO_printf(bp,"    Cipher    : %06lX\n",x->cipher_id&0xffffff) <= 0)
-                                goto err;
-                        }
-                else
-                        {
-                        if (BIO_printf(bp,"    Cipher    : %04lX\n",x->cipher_id&0xffff) <= 0)
-                                goto err;
-                        }
-                }
-        else
-                {
-                if (BIO_printf(bp,"    Cipher    : %s\n",((x->cipher == NULL)?"unknown":x->cipher->name)) <= 0)
-                        goto err;
-                }
-        if (BIO_puts(bp,"    Session-ID: ") <= 0) goto err;
-        for (i=0; i<x->session_id_length; i++)
-                {
-                if (BIO_printf(bp,"%02X",x->session_id[i]) <= 0) goto err;
-                }
-        if (BIO_puts(bp,"\n    Session-ID-ctx: ") <= 0) goto err;
-        for (i=0; i<x->sid_ctx_length; i++)
-                {
-                if (BIO_printf(bp,"%02X",x->sid_ctx[i]) <= 0)
-                        goto err;
-                }
-        if (BIO_puts(bp,"\n    Master-Key: ") <= 0) goto err;
-        for (i=0; i<(unsigned int)x->master_key_length; i++)
-                {
-                if (BIO_printf(bp,"%02X",x->master_key[i]) <= 0) goto err;
-                }
-        if (BIO_puts(bp,"\n    Key-Arg   : ") <= 0) goto err;
-        if (x->key_arg_length == 0)
-                {
-                if (BIO_puts(bp,"None") <= 0) goto err;
-                }
-        else
-                for (i=0; i<x->key_arg_length; i++)
-                        {
-                        if (BIO_printf(bp,"%02X",x->key_arg[i]) <= 0) goto err;
-                        }
-#ifndef OPENSSL_NO_KRB5
-       if (BIO_puts(bp,"\n    Krb5 Principal: ") <= 0) goto err;
-            if (x->krb5_client_princ_len == 0)
-            {
-                if (BIO_puts(bp,"None") <= 0) goto err;
-                }
-        else
-                for (i=0; i<x->krb5_client_princ_len; i++)
-                        {
-                        if (BIO_printf(bp,"%02X",x->krb5_client_princ[i]) <= 0) goto err;
-                        }
-#endif /* OPENSSL_NO_KRB5 */
-        if (x->compress_meth != 0)
-                {
-                SSL_COMP *comp;
-                ssl_cipher_get_evp(x,NULL,NULL,&comp);
-                if (comp == NULL)
-                        {
-                        if (BIO_printf(bp,"\n   Compression: %d",x->compress_meth) <= 0) goto err;
-                        }
-                else
-                        {
-                        if (BIO_printf(bp,"\n   Compression: %d (%s)", comp->id,comp->method->name) <= 0) goto err;
-                        }
-                }       
-        if (x->time != 0L)
-                {
-                if (BIO_printf(bp, "\n    Start Time: %ld",x->time) <= 0) goto err;
-                }
-        if (x->timeout != 0L)
-                {
-                if (BIO_printf(bp, "\n    Timeout   : %ld (sec)",x->timeout) <= 0) goto err;
-                }
-        if (BIO_puts(bp,"\n") <= 0) goto err;
-        if (BIO_puts(bp, "    Verify return code: ") <= 0) goto err;
-        if (BIO_printf(bp, "%ld (%s)\n", x->verify_result,
-                X509_verify_cert_error_string(x->verify_result)) <= 0) goto err;
-                
-        return(1);
-err:
-        return(0);
-        }
diff --git a/src/lib/libssl/t1_clnt.c b/src/lib/libssl/t1_clnt.c
deleted file mode 100644
index 57205fb429..0000000000
--- a/src/lib/libssl/t1_clnt.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/* ssl/t1_clnt.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include "ssl_locl.h"
-#include <openssl/buffer.h>
-#include <openssl/rand.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-static SSL_METHOD *tls1_get_client_method(int ver);
-static SSL_METHOD *tls1_get_client_method(int ver)
-        {
-        if (ver == TLS1_VERSION)
-                return(TLSv1_client_method());
-        else
-                return(NULL);
-        }
-SSL_METHOD *TLSv1_client_method(void)
-        {
-        static int init=1;
-        static SSL_METHOD TLSv1_client_data;
-        if (init)
-                {
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-                if (init)
-                        {
-                        memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
-                                sizeof(SSL_METHOD));
-                        TLSv1_client_data.ssl_connect=ssl3_connect;
-                        TLSv1_client_data.get_ssl_method=tls1_get_client_method;
-                        init=0;
-                        }
-                
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-                }
-        return(&TLSv1_client_data);
-        }
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
deleted file mode 100644
index 2c6246abf5..0000000000
--- a/src/lib/libssl/t1_enc.c
+++ /dev/null
@@ -1,816 +0,0 @@
-/* ssl/t1_enc.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <stdio.h>
-#include "ssl_locl.h"
-#include <openssl/comp.h>
-#include <openssl/evp.h>
-#include <openssl/hmac.h>
-#include <openssl/md5.h>
-#include <openssl/fips.h>
-static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
-                        int sec_len, unsigned char *seed, int seed_len,
-                        unsigned char *out, int olen)
-        {
-        int chunk,n;
-        unsigned int j;
-        HMAC_CTX ctx;
-        HMAC_CTX ctx_tmp;
-        unsigned char A1[EVP_MAX_MD_SIZE];
-        unsigned int A1_len;
-        
-        chunk=EVP_MD_size(md);
-        HMAC_CTX_init(&ctx);
-        HMAC_CTX_init(&ctx_tmp);
-        HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-        HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-        HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
-        HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
-        HMAC_Update(&ctx,seed,seed_len);
-        HMAC_Final(&ctx,A1,&A1_len);
-        n=0;
-        for (;;)
-                {
-                HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */
-                HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */
-                HMAC_Update(&ctx,A1,A1_len);
-                HMAC_Update(&ctx_tmp,A1,A1_len);
-                HMAC_Update(&ctx,seed,seed_len);
-                if (olen > chunk)
-                        {
-                        HMAC_Final(&ctx,out,&j);
-                        out+=j;
-                        olen-=j;
-                        HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */
-                        }
-                else    /* last one */
-                        {
-                        HMAC_Final(&ctx,A1,&A1_len);
-                        memcpy(out,A1,olen);
-                        break;
-                        }
-                }
-        HMAC_CTX_cleanup(&ctx);
-        HMAC_CTX_cleanup(&ctx_tmp);
-        OPENSSL_cleanse(A1,sizeof(A1));
-        }
-static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
-                     unsigned char *label, int label_len,
-                     const unsigned char *sec, int slen, unsigned char *out1,
-                     unsigned char *out2, int olen)
-        {
-        int len,i;
-        const unsigned char *S1,*S2;
-        len=slen/2;
-        S1=sec;
-        S2= &(sec[len]);
-        len+=(slen&1); /* add for odd, make longer */
-        tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
-        tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
-        for (i=0; i<olen; i++)
-                out1[i]^=out2[i];
-        }
-static void tls1_generate_key_block(SSL *s, unsigned char *km,
-             unsigned char *tmp, int num)
-        {
-        unsigned char *p;
-        unsigned char buf[SSL3_RANDOM_SIZE*2+
-                TLS_MD_MAX_CONST_SIZE];
-        p=buf;
-        memcpy(p,TLS_MD_KEY_EXPANSION_CONST,
-                TLS_MD_KEY_EXPANSION_CONST_SIZE);
-        p+=TLS_MD_KEY_EXPANSION_CONST_SIZE;
-        memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
-        p+=SSL3_RANDOM_SIZE;
-        memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
-        p+=SSL3_RANDOM_SIZE;
-        tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),
-                 s->session->master_key,s->session->master_key_length,
-                 km,tmp,num);
-#ifdef KSSL_DEBUG
-        printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
-                s->session->master_key_length);
-        {
-        int i;
-        for (i=0; i < s->session->master_key_length; i++)
-                {
-                printf("%02X", s->session->master_key[i]);
-                }
-        printf("\n");  }
-#endif    /* KSSL_DEBUG */
-        }
-int tls1_change_cipher_state(SSL *s, int which)
-        {
-        static const unsigned char empty[]="";
-        unsigned char *p,*key_block,*mac_secret;
-        unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+
-                SSL3_RANDOM_SIZE*2];
-        unsigned char tmp1[EVP_MAX_KEY_LENGTH];
-        unsigned char tmp2[EVP_MAX_KEY_LENGTH];
-        unsigned char iv1[EVP_MAX_IV_LENGTH*2];
-        unsigned char iv2[EVP_MAX_IV_LENGTH*2];
-        unsigned char *ms,*key,*iv,*er1,*er2;
-        int client_write;
-        EVP_CIPHER_CTX *dd;
-        const EVP_CIPHER *c;
-        const SSL_COMP *comp;
-        const EVP_MD *m;
-        int is_export,n,i,j,k,exp_label_len,cl;
-        int reuse_dd = 0;
-        is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
-        c=s->s3->tmp.new_sym_enc;
-        m=s->s3->tmp.new_hash;
-        comp=s->s3->tmp.new_compression;
-        key_block=s->s3->tmp.key_block;
-#ifdef KSSL_DEBUG
-        printf("tls1_change_cipher_state(which= %d) w/\n", which);
-        printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms,
-                comp);
-        printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
-        printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
-                c->nid,c->block_size,c->key_len,c->iv_len);
-        printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
-        {
-        int i;
-        for (i=0; i<s->s3->tmp.key_block_length; i++)
-                printf("%02x", key_block[i]);  printf("\n");
-        }
-#endif  /* KSSL_DEBUG */
-        if (which & SSL3_CC_READ)
-                {
-                if (s->enc_read_ctx != NULL)
-                        reuse_dd = 1;
-                else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
-                        goto err;
-                dd= s->enc_read_ctx;
-                s->read_hash=m;
-                if (s->expand != NULL)
-                        {
-                        COMP_CTX_free(s->expand);
-                        s->expand=NULL;
-                        }
-                if (comp != NULL)
-                        {
-                        s->expand=COMP_CTX_new(comp->method);
-                        if (s->expand == NULL)
-                                {
-                                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
-                                goto err2;
-                                }
-                        if (s->s3->rrec.comp == NULL)
-                                s->s3->rrec.comp=(unsigned char *)
-                                        OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
-                        if (s->s3->rrec.comp == NULL)
-                                goto err;
-                        }
-                memset(&(s->s3->read_sequence[0]),0,8);
-                mac_secret= &(s->s3->read_mac_secret[0]);
-                }
-        else
-                {
-                if (s->enc_write_ctx != NULL)
-                        reuse_dd = 1;
-                else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
-                        goto err;
-                if ((s->enc_write_ctx == NULL) &&
-                        ((s->enc_write_ctx=(EVP_CIPHER_CTX *)
-                        OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
-                        goto err;
-                dd= s->enc_write_ctx;
-                s->write_hash=m;
-                if (s->compress != NULL)
-                        {
-                        COMP_CTX_free(s->compress);
-                        s->compress=NULL;
-                        }
-                if (comp != NULL)
-                        {
-                        s->compress=COMP_CTX_new(comp->method);
-                        if (s->compress == NULL)
-                                {
-                                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
-                                goto err2;
-                                }
-                        }
-                memset(&(s->s3->write_sequence[0]),0,8);
-                mac_secret= &(s->s3->write_mac_secret[0]);
-                }
-        if (reuse_dd)
-                EVP_CIPHER_CTX_cleanup(dd);
-        EVP_CIPHER_CTX_init(dd);
-        p=s->s3->tmp.key_block;
-        i=EVP_MD_size(m);
-        cl=EVP_CIPHER_key_length(c);
-        j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
-                       cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
-        /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
-        k=EVP_CIPHER_iv_length(c);
-        er1= &(s->s3->client_random[0]);
-        er2= &(s->s3->server_random[0]);
-        if (    (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
-                (which == SSL3_CHANGE_CIPHER_SERVER_READ))
-                {
-                ms=  &(p[ 0]); n=i+i;
-                key= &(p[ n]); n+=j+j;
-                iv=  &(p[ n]); n+=k+k;
-                exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
-                exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
-                client_write=1;
-                }
-        else
-                {
-                n=i;
-                ms=  &(p[ n]); n+=i+j;
-                key= &(p[ n]); n+=j+k;
-                iv=  &(p[ n]); n+=k;
-                exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
-                exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
-                client_write=0;
-                }
-        if (n > s->s3->tmp.key_block_length)
-                {
-                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
-                goto err2;
-                }
-        memcpy(mac_secret,ms,i);
-#ifdef TLS_DEBUG
-printf("which = %04X\nmac key=",which);
-{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
-#endif
-        if (is_export)
-                {
-                /* In here I set both the read and write key/iv to the
-                 * same value since only the correct one will be used :-).
-                 */
-                p=buf;
-                memcpy(p,exp_label,exp_label_len);
-                p+=exp_label_len;
-                memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
-                p+=SSL3_RANDOM_SIZE;
-                memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
-                p+=SSL3_RANDOM_SIZE;
-                tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j,
-                         tmp1,tmp2,EVP_CIPHER_key_length(c));
-                key=tmp1;
-                if (k > 0)
-                        {
-                        p=buf;
-                        memcpy(p,TLS_MD_IV_BLOCK_CONST,
-                                TLS_MD_IV_BLOCK_CONST_SIZE);
-                        p+=TLS_MD_IV_BLOCK_CONST_SIZE;
-                        memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
-                        p+=SSL3_RANDOM_SIZE;
-                        memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
-                        p+=SSL3_RANDOM_SIZE;
-                        tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0,
-                                 iv1,iv2,k*2);
-                        if (client_write)
-                                iv=iv1;
-                        else
-                                iv= &(iv1[k]);
-                        }
-                }
-        s->session->key_arg_length=0;
-#ifdef KSSL_DEBUG
-        {
-        int i;
-        printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
-        printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
-        printf("\n");
-        printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
-        printf("\n");
-        }
-#endif  /* KSSL_DEBUG */
-        EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
-#ifdef TLS_DEBUG
-printf("which = %04X\nkey=",which);
-{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
-printf("\niv=");
-{ int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); }
-printf("\n");
-#endif
-        OPENSSL_cleanse(tmp1,sizeof(tmp1));
-        OPENSSL_cleanse(tmp2,sizeof(tmp1));
-        OPENSSL_cleanse(iv1,sizeof(iv1));
-        OPENSSL_cleanse(iv2,sizeof(iv2));
-        return(1);
-err:
-        SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
-err2:
-        return(0);
-        }
-int tls1_setup_key_block(SSL *s)
-        {
-        unsigned char *p1,*p2;
-        const EVP_CIPHER *c;
-        const EVP_MD *hash;
-        int num;
-        SSL_COMP *comp;
-#ifdef KSSL_DEBUG
-        printf ("tls1_setup_key_block()\n");
-#endif  /* KSSL_DEBUG */
-        if (s->s3->tmp.key_block_length != 0)
-                return(1);
-        if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
-                {
-                SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
-                return(0);
-                }
-        s->s3->tmp.new_sym_enc=c;
-        s->s3->tmp.new_hash=hash;
-        num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
-        num*=2;
-        ssl3_cleanup_key_block(s);
-        if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL)
-                goto err;
-        if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL)
-                goto err;
-        s->s3->tmp.key_block_length=num;
-        s->s3->tmp.key_block=p1;
-#ifdef TLS_DEBUG
-printf("client random\n");
-{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); }
-printf("server random\n");
-{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); }
-printf("pre-master\n");
-{ int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
-#endif
-        tls1_generate_key_block(s,p1,p2,num);
-        OPENSSL_cleanse(p2,num);
-        OPENSSL_free(p2);
-#ifdef TLS_DEBUG
-printf("\nkey block\n");
-{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
-#endif
-        if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
-                {
-                /* enable vulnerability countermeasure for CBC ciphers with
-                 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
-                 */
-                s->s3->need_empty_fragments = 1;
-                if (s->session->cipher != NULL)
-                        {
-                        if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
-                                s->s3->need_empty_fragments = 0;
-                        
-#ifndef OPENSSL_NO_RC4
-                        if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
-                                s->s3->need_empty_fragments = 0;
-#endif
-                        }
-                }
-        return(1);
-err:
-        SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
-        return(0);
-        }
-int tls1_enc(SSL *s, int send)
-        {
-        SSL3_RECORD *rec;
-        EVP_CIPHER_CTX *ds;
-        unsigned long l;
-        int bs,i,ii,j,k,n=0;
-        const EVP_CIPHER *enc;
-        if (send)
-                {
-                if (s->write_hash != NULL)
-                        n=EVP_MD_size(s->write_hash);
-                ds=s->enc_write_ctx;
-                rec= &(s->s3->wrec);
-                if (s->enc_write_ctx == NULL)
-                        enc=NULL;
-                else
-                        enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
-                }
-        else
-                {
-                if (s->read_hash != NULL)
-                        n=EVP_MD_size(s->read_hash);
-                ds=s->enc_read_ctx;
-                rec= &(s->s3->rrec);
-                if (s->enc_read_ctx == NULL)
-                        enc=NULL;
-                else
-                        enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
-                }
-#ifdef KSSL_DEBUG
-        printf("tls1_enc(%d)\n", send);
-#endif    /* KSSL_DEBUG */
-        if ((s->session == NULL) || (ds == NULL) ||
-                (enc == NULL))
-                {
-                memmove(rec->data,rec->input,rec->length);
-                rec->input=rec->data;
-                }
-        else
-                {
-                l=rec->length;
-                bs=EVP_CIPHER_block_size(ds->cipher);
-                if ((bs != 1) && send)
-                        {
-                        i=bs-((int)l%bs);
-                        /* Add weird padding of upto 256 bytes */
-                        /* we need to add 'i' padding bytes of value j */
-                        j=i-1;
-                        if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)
-                                {
-                                if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
-                                        j++;
-                                }
-                        for (k=(int)l; k<(int)(l+i); k++)
-                                rec->input[k]=j;
-                        l+=i;
-                        rec->length+=i;
-                        }
-#ifdef KSSL_DEBUG
-                {
-                unsigned long ui;
-                printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
-                        ds,rec->data,rec->input,l);
-                printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
-                        ds->buf_len, ds->cipher->key_len,
-                        DES_KEY_SZ, DES_SCHEDULE_SZ,
-                        ds->cipher->iv_len);
-                printf("\t\tIV: ");
-                for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
-                printf("\n");
-                printf("\trec->input=");
-                for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
-                printf("\n");
-                }
-#endif  /* KSSL_DEBUG */
-                if (!send)
-                        {
-                        if (l == 0 || l%bs != 0)
-                                {
-                                SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
-                                return 0;
-                                }
-                        }
-                
-                EVP_Cipher(ds,rec->data,rec->input,l);
-#ifdef KSSL_DEBUG
-                {
-                unsigned long i;
-                printf("\trec->data=");
-                for (i=0; i<l; i++)
-                        printf(" %02x", rec->data[i]);  printf("\n");
-                }
-#endif  /* KSSL_DEBUG */
-                if ((bs != 1) && !send)
-                        {
-                        ii=i=rec->data[l-1]; /* padding_length */
-                        i++;
-                        if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
-                                {
-                                /* First packet is even in size, so check */
-                                if ((memcmp(s->s3->read_sequence,
-                                        "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
-                                        s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
-                                if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
-                                        i--;
-                                }
-                        /* TLS 1.0 does not bound the number of padding bytes by the block size.
-                         * All of them must have value 'padding_length'. */
-                        if (i > (int)rec->length)
-                                {
-                                /* Incorrect padding. SSLerr() and ssl3_alert are done
-                                 * by caller: we don't want to reveal whether this is
-                                 * a decryption error or a MAC verification failure
-                                 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
-                                return -1;
-                                }
-                        for (j=(int)(l-i); j<(int)l; j++)
-                                {
-                                if (rec->data[j] != ii)
-                                        {
-                                        /* Incorrect padding */
-                                        return -1;
-                                        }
-                                }
-                        rec->length-=i;
-                        }
-                }
-        return(1);
-        }
-int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
-        {
-        unsigned int ret;
-        EVP_MD_CTX ctx;
-        EVP_MD_CTX_init(&ctx);
-        EVP_MD_CTX_copy_ex(&ctx,in_ctx);
-        EVP_DigestFinal_ex(&ctx,out,&ret);
-        EVP_MD_CTX_cleanup(&ctx);
-        return((int)ret);
-        }
-int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
-             const char *str, int slen, unsigned char *out)
-        {
-        unsigned int i;
-        EVP_MD_CTX ctx;
-        unsigned char buf[TLS_MD_MAX_CONST_SIZE+MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
-        unsigned char *q,buf2[12];
-        q=buf;
-        memcpy(q,str,slen);
-        q+=slen;
-        EVP_MD_CTX_init(&ctx);
-        EVP_MD_CTX_copy_ex(&ctx,in1_ctx);
-        EVP_DigestFinal_ex(&ctx,q,&i);
-        q+=i;
-        EVP_MD_CTX_copy_ex(&ctx,in2_ctx);
-        EVP_DigestFinal_ex(&ctx,q,&i);
-        q+=i;
-        tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
-                s->session->master_key,s->session->master_key_length,
-                out,buf2,sizeof buf2);
-        EVP_MD_CTX_cleanup(&ctx);
-        return sizeof buf2;
-        }
-int tls1_mac(SSL *ssl, unsigned char *md, int send)
-        {
-        SSL3_RECORD *rec;
-        unsigned char *mac_sec,*seq;
-        const EVP_MD *hash;
-        unsigned int md_size;
-        int i;
-        HMAC_CTX hmac;
-        unsigned char buf[5]; 
-        if (send)
-                {
-                rec= &(ssl->s3->wrec);
-                mac_sec= &(ssl->s3->write_mac_secret[0]);
-                seq= &(ssl->s3->write_sequence[0]);
-                hash=ssl->write_hash;
-                }
-        else
-                {
-                rec= &(ssl->s3->rrec);
-                mac_sec= &(ssl->s3->read_mac_secret[0]);
-                seq= &(ssl->s3->read_sequence[0]);
-                hash=ssl->read_hash;
-                }
-        md_size=EVP_MD_size(hash);
-        buf[0]=rec->type;
-        buf[1]=TLS1_VERSION_MAJOR;
-        buf[2]=TLS1_VERSION_MINOR;
-        buf[3]=rec->length>>8;
-        buf[4]=rec->length&0xff;
-        /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
-        HMAC_CTX_init(&hmac);
-        HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
-        HMAC_Update(&hmac,seq,8);
-        HMAC_Update(&hmac,buf,5);
-        HMAC_Update(&hmac,rec->input,rec->length);
-        HMAC_Final(&hmac,md,&md_size);
-        HMAC_CTX_cleanup(&hmac);
-#ifdef TLS_DEBUG
-printf("sec=");
-{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
-printf("seq=");
-{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
-printf("buf=");
-{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
-printf("rec=");
-{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
-#endif
-        for (i=7; i>=0; i--)
-                {
-                ++seq[i];
-                if (seq[i] != 0) break; 
-                }
-#ifdef TLS_DEBUG
-{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
-#endif
-        return(md_size);
-        }
-int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
-             int len)
-        {
-        unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE];
-        unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
-#ifdef KSSL_DEBUG
-        printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
-#endif  /* KSSL_DEBUG */
-        /* Setup the stuff to munge */
-        memcpy(buf,TLS_MD_MASTER_SECRET_CONST,
-                TLS_MD_MASTER_SECRET_CONST_SIZE);
-        memcpy(&(buf[TLS_MD_MASTER_SECRET_CONST_SIZE]),
-                s->s3->client_random,SSL3_RANDOM_SIZE);
-        memcpy(&(buf[SSL3_RANDOM_SIZE+TLS_MD_MASTER_SECRET_CONST_SIZE]),
-                s->s3->server_random,SSL3_RANDOM_SIZE);
-        tls1_PRF(s->ctx->md5,s->ctx->sha1,
-                buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len,
-                s->session->master_key,buff,sizeof buff);
-#ifdef KSSL_DEBUG
-        printf ("tls1_generate_master_secret() complete\n");
-#endif  /* KSSL_DEBUG */
-        return(SSL3_MASTER_SECRET_SIZE);
-        }
-int tls1_alert_code(int code)
-        {
-        switch (code)
-                {
-        case SSL_AD_CLOSE_NOTIFY:       return(SSL3_AD_CLOSE_NOTIFY);
-        case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE);
-        case SSL_AD_BAD_RECORD_MAC:     return(SSL3_AD_BAD_RECORD_MAC);
-        case SSL_AD_DECRYPTION_FAILED:  return(TLS1_AD_DECRYPTION_FAILED);
-        case SSL_AD_RECORD_OVERFLOW:    return(TLS1_AD_RECORD_OVERFLOW);
-        case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
-        case SSL_AD_HANDSHAKE_FAILURE:  return(SSL3_AD_HANDSHAKE_FAILURE);
-        case SSL_AD_NO_CERTIFICATE:     return(-1);
-        case SSL_AD_BAD_CERTIFICATE:    return(SSL3_AD_BAD_CERTIFICATE);
-        case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
-        case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
-        case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
-        case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
-        case SSL_AD_ILLEGAL_PARAMETER:  return(SSL3_AD_ILLEGAL_PARAMETER);
-        case SSL_AD_UNKNOWN_CA:         return(TLS1_AD_UNKNOWN_CA);
-        case SSL_AD_ACCESS_DENIED:      return(TLS1_AD_ACCESS_DENIED);
-        case SSL_AD_DECODE_ERROR:       return(TLS1_AD_DECODE_ERROR);
-        case SSL_AD_DECRYPT_ERROR:      return(TLS1_AD_DECRYPT_ERROR);
-        case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION);
-        case SSL_AD_PROTOCOL_VERSION:   return(TLS1_AD_PROTOCOL_VERSION);
-        case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY);
-        case SSL_AD_INTERNAL_ERROR:     return(TLS1_AD_INTERNAL_ERROR);
-        case SSL_AD_USER_CANCELLED:     return(TLS1_AD_USER_CANCELLED);
-        case SSL_AD_NO_RENEGOTIATION:   return(TLS1_AD_NO_RENEGOTIATION);
-        default:                        return(-1);
-                }
-        }
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
deleted file mode 100644
index ca6c03d5af..0000000000
--- a/src/lib/libssl/t1_lib.c
+++ /dev/null
@@ -1,149 +0,0 @@
-/* ssl/t1_lib.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <openssl/objects.h>
-#include "ssl_locl.h"
-const char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT;
-static long tls1_default_timeout(void);
-static SSL3_ENC_METHOD TLSv1_enc_data={
-        tls1_enc,
-        tls1_mac,
-        tls1_setup_key_block,
-        tls1_generate_master_secret,
-        tls1_change_cipher_state,
-        tls1_final_finish_mac,
-        TLS1_FINISH_MAC_LENGTH,
-        tls1_cert_verify_mac,
-        TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
-        TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
-        tls1_alert_code,
-        };
-static SSL_METHOD TLSv1_data= {
-        TLS1_VERSION,
-        tls1_new,
-        tls1_clear,
-        tls1_free,
-        ssl_undefined_function,
-        ssl_undefined_function,
-        ssl3_read,
-        ssl3_peek,
-        ssl3_write,
-        ssl3_shutdown,
-        ssl3_renegotiate,
-        ssl3_renegotiate_check,
-        ssl3_ctrl,
-        ssl3_ctx_ctrl,
-        ssl3_get_cipher_by_char,
-        ssl3_put_cipher_by_char,
-        ssl3_pending,
-        ssl3_num_ciphers,
-        ssl3_get_cipher,
-        ssl_bad_method,
-        tls1_default_timeout,
-        &TLSv1_enc_data,
-        ssl_undefined_function,
-        ssl3_callback_ctrl,
-        ssl3_ctx_callback_ctrl,
-        };
-static long tls1_default_timeout(void)
-        {
-        /* 2 hours, the 24 hours mentioned in the TLSv1 spec
-         * is way too long for http, the cache would over fill */
-        return(60*60*2);
-        }
-SSL_METHOD *tlsv1_base_method(void)
-        {
-        return(&TLSv1_data);
-        }
-int tls1_new(SSL *s)
-        {
-        if (!ssl3_new(s)) return(0);
-        s->method->ssl_clear(s);
-        return(1);
-        }
-void tls1_free(SSL *s)
-        {
-        ssl3_free(s);
-        }
-void tls1_clear(SSL *s)
-        {
-        ssl3_clear(s);
-        s->version=TLS1_VERSION;
-        }
-#if 0
-long tls1_ctrl(SSL *s, int cmd, long larg, char *parg)
-        {
-        return(0);
-        }
-long tls1_callback_ctrl(SSL *s, int cmd, void *(*fp)())
-        {
-        return(0);
-        }
-#endif
diff --git a/src/lib/libssl/t1_meth.c b/src/lib/libssl/t1_meth.c
deleted file mode 100644
index fcc243f782..0000000000
--- a/src/lib/libssl/t1_meth.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/* ssl/t1_meth.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <openssl/objects.h>
-#include "ssl_locl.h"
-static SSL_METHOD *tls1_get_method(int ver);
-static SSL_METHOD *tls1_get_method(int ver)
-        {
-        if (ver == TLS1_VERSION)
-                return(TLSv1_method());
-        else
-                return(NULL);
-        }
-SSL_METHOD *TLSv1_method(void)
-        {
-        static int init=1;
-        static SSL_METHOD TLSv1_data;
-        if (init)
-                {
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-                
-                if (init)
-                        {
-                        memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(),
-                                sizeof(SSL_METHOD));
-                        TLSv1_data.ssl_connect=ssl3_connect;
-                        TLSv1_data.ssl_accept=ssl3_accept;
-                        TLSv1_data.get_ssl_method=tls1_get_method;
-                        init=0;
-                        }
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-                }
-        
-        return(&TLSv1_data);
-        }
diff --git a/src/lib/libssl/t1_srvr.c b/src/lib/libssl/t1_srvr.c
deleted file mode 100644
index 1c1149e49f..0000000000
--- a/src/lib/libssl/t1_srvr.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/* ssl/t1_srvr.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include "ssl_locl.h"
-#include <openssl/buffer.h>
-#include <openssl/rand.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-static SSL_METHOD *tls1_get_server_method(int ver);
-static SSL_METHOD *tls1_get_server_method(int ver)
-        {
-        if (ver == TLS1_VERSION)
-                return(TLSv1_server_method());
-        else
-                return(NULL);
-        }
-SSL_METHOD *TLSv1_server_method(void)
-        {
-        static int init=1;
-        static SSL_METHOD TLSv1_server_data;
-        if (init)
-                {
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-                if (init)
-                        {
-                        memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
-                                sizeof(SSL_METHOD));
-                        TLSv1_server_data.ssl_accept=ssl3_accept;
-                        TLSv1_server_data.get_ssl_method=tls1_get_server_method;
-                        init=0;
-                        }
-                        
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-                }
-        return(&TLSv1_server_data);
-        }
diff --git a/src/lib/libssl/test/CAss.cnf b/src/lib/libssl/test/CAss.cnf
deleted file mode 100644
index 21da59a73a..0000000000
--- a/src/lib/libssl/test/CAss.cnf
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-RANDFILE                = ./.rnd
-####################################################################
-[ req ]
-default_bits            = 512
-default_keyfile         = keySS.pem
-distinguished_name      = req_distinguished_name
-encrypt_rsa_key         = no
-default_md              = sha1
-[ req_distinguished_name ]
-countryName                     = Country Name (2 letter code)
-countryName_default             = AU
-countryName_value               = AU
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-commonName                      = Common Name (eg, YOUR name)
-commonName_value                = Dodgy CA
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:true,pathlen:1
-keyUsage = cRLSign, keyCertSign
-issuerAltName=issuer:copy
diff --git a/src/lib/libssl/test/CAssdh.cnf b/src/lib/libssl/test/CAssdh.cnf
deleted file mode 100644
index 4e0a908679..0000000000
--- a/src/lib/libssl/test/CAssdh.cnf
+++ /dev/null
@@ -1,24 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-# hacked by iang to do DH certs - CA
-RANDFILE              = ./.rnd
-####################################################################
-[ req ]
-distinguished_name    = req_distinguished_name
-encrypt_rsa_key               = no
-[ req_distinguished_name ]
-countryName                   = Country Name (2 letter code)
-countryName_default           = CU
-countryName_value             = CU
-organizationName              = Organization Name (eg, company)
-organizationName_value                = La Junta de la Revolucion
-commonName                    = Common Name (eg, YOUR name)
-commonName_value              = Junta
diff --git a/src/lib/libssl/test/CAssdsa.cnf b/src/lib/libssl/test/CAssdsa.cnf
deleted file mode 100644
index a6b4d1810c..0000000000
--- a/src/lib/libssl/test/CAssdsa.cnf
+++ /dev/null
@@ -1,23 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-# hacked by iang to do DSA certs - CA
-RANDFILE              = ./.rnd
-####################################################################
-[ req ]
-distinguished_name    = req_distinguished_name
-encrypt_rsa_key               = no
-[ req_distinguished_name ]
-countryName                   = Country Name (2 letter code)
-countryName_default           = ES
-countryName_value             = ES
-organizationName              = Organization Name (eg, company)
-organizationName_value                = Hermanos Locos
-commonName                    = Common Name (eg, YOUR name)
-commonName_value              = Hermanos Locos CA
diff --git a/src/lib/libssl/test/CAssrsa.cnf b/src/lib/libssl/test/CAssrsa.cnf
deleted file mode 100644
index eb24a6dfc0..0000000000
--- a/src/lib/libssl/test/CAssrsa.cnf
+++ /dev/null
@@ -1,24 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-# create RSA certs - CA
-RANDFILE              = ./.rnd
-####################################################################
-[ req ]
-distinguished_name    = req_distinguished_name
-encrypt_key           = no
-[ req_distinguished_name ]
-countryName                   = Country Name (2 letter code)
-countryName_default           = ES
-countryName_value             = ES
-organizationName              = Organization Name (eg, company)
-organizationName_value                = Hermanos Locos
-commonName                    = Common Name (eg, YOUR name)
-commonName_value              = Hermanos Locos CA
diff --git a/src/lib/libssl/test/P1ss.cnf b/src/lib/libssl/test/P1ss.cnf
deleted file mode 100644
index 876a0d35f8..0000000000
--- a/src/lib/libssl/test/P1ss.cnf
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-RANDFILE                = ./.rnd
-####################################################################
-[ req ]
-default_bits            = 512
-default_keyfile         = keySS.pem
-distinguished_name      = req_distinguished_name
-encrypt_rsa_key         = no
-default_md              = md2
-[ req_distinguished_name ]
-countryName                     = Country Name (2 letter code)
-countryName_default             = AU
-countryName_value               = AU
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-0.commonName                    = Common Name (eg, YOUR name)
-0.commonName_value              = Brother 1
-1.commonName                    = Common Name (eg, YOUR name)
-1.commonName_value              = Brother 2
-2.commonName                    = Common Name (eg, YOUR name)
-2.commonName_value              = Proxy 1
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/src/lib/libssl/test/P2ss.cnf b/src/lib/libssl/test/P2ss.cnf
deleted file mode 100644
index 373a87e7c2..0000000000
--- a/src/lib/libssl/test/P2ss.cnf
+++ /dev/null
@@ -1,45 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-RANDFILE                = ./.rnd
-####################################################################
-[ req ]
-default_bits            = 512
-default_keyfile         = keySS.pem
-distinguished_name      = req_distinguished_name
-encrypt_rsa_key         = no
-default_md              = md2
-[ req_distinguished_name ]
-countryName                     = Country Name (2 letter code)
-countryName_default             = AU
-countryName_value               = AU
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-0.commonName                    = Common Name (eg, YOUR name)
-0.commonName_value              = Brother 1
-1.commonName                    = Common Name (eg, YOUR name)
-1.commonName_value              = Brother 2
-2.commonName                    = Common Name (eg, YOUR name)
-2.commonName_value              = Proxy 1
-3.commonName                    = Common Name (eg, YOUR name)
-3.commonName_value              = Proxy 2
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical,@proxy_ext
-[ proxy_ext ]
-language=id-ppl-anyLanguage
-pathlen=0
-policy=text:BC
diff --git a/src/lib/libssl/test/Sssdsa.cnf b/src/lib/libssl/test/Sssdsa.cnf
deleted file mode 100644
index 8e170a28ef..0000000000
--- a/src/lib/libssl/test/Sssdsa.cnf
+++ /dev/null
@@ -1,27 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-# hacked by iang to do DSA certs - Server
-RANDFILE              = ./.rnd
-####################################################################
-[ req ]
-distinguished_name    = req_distinguished_name
-encrypt_rsa_key               = no
-[ req_distinguished_name ]
-countryName                   = Country Name (2 letter code)
-countryName_default           = ES
-countryName_value             = ES
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Tortilleras S.A.
-0.commonName                  = Common Name (eg, YOUR name)
-0.commonName_value            = Torti
-1.commonName                  = Common Name (eg, YOUR name)
-1.commonName_value            = Gordita
diff --git a/src/lib/libssl/test/Sssrsa.cnf b/src/lib/libssl/test/Sssrsa.cnf
deleted file mode 100644
index 8c79a03fca..0000000000
--- a/src/lib/libssl/test/Sssrsa.cnf
+++ /dev/null
@@ -1,26 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-# create RSA certs - Server
-RANDFILE              = ./.rnd
-####################################################################
-[ req ]
-distinguished_name    = req_distinguished_name
-encrypt_key           = no
-[ req_distinguished_name ]
-countryName                   = Country Name (2 letter code)
-countryName_default           = ES
-countryName_value             = ES
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Tortilleras S.A.
-0.commonName                  = Common Name (eg, YOUR name)
-0.commonName_value            = Torti
-1.commonName                  = Common Name (eg, YOUR name)
-1.commonName_value            = Gordita
diff --git a/src/lib/libssl/test/Uss.cnf b/src/lib/libssl/test/Uss.cnf
deleted file mode 100644
index 0c0ebb5f67..0000000000
--- a/src/lib/libssl/test/Uss.cnf
+++ /dev/null
@@ -1,36 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-RANDFILE                = ./.rnd
-####################################################################
-[ req ]
-default_bits            = 512
-default_keyfile         = keySS.pem
-distinguished_name      = req_distinguished_name
-encrypt_rsa_key         = no
-default_md              = md2
-[ req_distinguished_name ]
-countryName                     = Country Name (2 letter code)
-countryName_default             = AU
-countryName_value               = AU
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-0.commonName                    = Common Name (eg, YOUR name)
-0.commonName_value              = Brother 1
-1.commonName                    = Common Name (eg, YOUR name)
-1.commonName_value              = Brother 2
-[ v3_ee ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-issuerAltName=issuer:copy
diff --git a/src/lib/libssl/test/VMSca-response.1 b/src/lib/libssl/test/VMSca-response.1
deleted file mode 100644
index 8b13789179..0000000000
--- a/src/lib/libssl/test/VMSca-response.1
+++ /dev/null
@@ -1 +0,0 @@
diff --git a/src/lib/libssl/test/VMSca-response.2 b/src/lib/libssl/test/VMSca-response.2
deleted file mode 100644
index 9b48ee4cf9..0000000000
--- a/src/lib/libssl/test/VMSca-response.2
+++ /dev/null
@@ -1,2 +0,0 @@
-y
-y
diff --git a/src/lib/libssl/test/bctest b/src/lib/libssl/test/bctest
deleted file mode 100644
index e81fc0733a..0000000000
--- a/src/lib/libssl/test/bctest
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/bin/sh
-# This script is used by test/Makefile to check whether a sane 'bc'
-# is installed.
-# ('make test_bn' should not try to run 'bc' if it does not exist or if
-# it is a broken 'bc' version that is known to cause trouble.)
-#
-# If 'bc' works, we also test if it knows the 'print' command.
-#
-# In any case, output an appropriate command line for running (or not
-# running) bc.
-IFS=:
-try_without_dir=true
-# First we try "bc", then "$dir/bc" for each item in $PATH.
-for dir in dummy:$PATH; do
-    if [ "$try_without_dir" = true ]; then
-      # first iteration
-      bc=bc
-      try_without_dir=false
-    else
-      # second and later iterations
-      bc="$dir/bc"
-      if [ ! -f "$bc" ]; then  # '-x' is not available on Ultrix
-        bc=''
-      fi
-    fi
-    if [ ! "$bc" = '' ]; then
-        failure=none
-        # Test for SunOS 5.[78] bc bug
-        "$bc" >tmp.bctest <<\EOF
-obase=16
-ibase=16
-a=AD88C418F31B3FC712D0425001D522B3AE9134FF3A98C13C1FCC1682211195406C1A6C66C6A\
-CEEC1A0EC16950233F77F1C2F2363D56DD71A36C57E0B2511FC4BA8F22D261FE2E9356D99AF57\
-10F3817C0E05BF79C423C3F66FDF321BE8D3F18F625D91B670931C1EF25F28E489BDA1C5422D1\
-C3F6F7A1AD21585746ECC4F10A14A778AF56F08898E965E9909E965E0CB6F85B514150C644759\
-3BE731877B16EA07B552088FF2EA728AC5E0FF3A23EB939304519AB8B60F2C33D6BA0945B66F0\
-4FC3CADF855448B24A9D7640BCF473E
-b=DCE91E7D120B983EA9A104B5A96D634DD644C37657B1C7860B45E6838999B3DCE5A555583C6\
-9209E41F413422954175A06E67FFEF6746DD652F0F48AEFECC3D8CAC13523BDAAD3F5AF4212BD\
-8B3CD64126E1A82E190228020C05B91C8B141F1110086FC2A4C6ED631EBA129D04BB9A19FC53D\
-3ED0E2017D60A68775B75481449
-(a/b)*b + (a%b) - a
-EOF
-        if [ 0 != "`cat tmp.bctest`" ]; then
-            failure=SunOStest
-        fi
-        if [ "$failure" = none ]; then
-            # Test for SCO bc bug.
-            "$bc" >tmp.bctest <<\EOF
-obase=16
-ibase=16
-FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4AEC6F15AC177F176F2274D2\
-9DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7F5ADFACEE54573F5D256A06\
-11B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99FB9812A0E4A5773D8B254117\
-1239157EC6E3D8D50199 * -FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4\
-AEC6F15AC177F176F2274D29DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7\
-F5ADFACEE54573F5D256A0611B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99F\
-B9812A0E4A5773D8B2541171239157EC6E3D8D50199 - FFBACC221682DA464B6D7F123482522\
-02EDAEDCA38C3B69E9B7BBCD6165A9CD8716C4903417F23C09A85B851961F92C217258CEEB866\
-85EFCC5DD131853A02C07A873B8E2AF2E40C6D5ED598CD0E8F35AD49F3C3A17FDB7653E4E2DC4\
-A8D23CC34686EE4AD01F7407A7CD74429AC6D36DBF0CB6A3E302D0E5BDFCD048A3B90C1BE5AA8\
-E16C3D5884F9136B43FF7BB443764153D4AEC176C681B078F4CC53D6EB6AB76285537DDEE7C18\
-8C72441B52EDBDDBC77E02D34E513F2AABF92F44109CAFE8242BD0ECBAC5604A94B02EA44D43C\
-04E9476E6FBC48043916BFA1485C6093603600273C9C33F13114D78064AE42F3DC466C7DA543D\
-89C8D71
-AD534AFBED2FA39EE9F40E20FCF9E2C861024DB98DDCBA1CD118C49CA55EEBC20D6BA51B2271C\
-928B693D6A73F67FEB1B4571448588B46194617D25D910C6A9A130CC963155CF34079CB218A44\
-8A1F57E276D92A33386DDCA3D241DB78C8974ABD71DD05B0FA555709C9910D745185E6FE108E3\
-37F1907D0C56F8BFBF52B9704 % -E557905B56B13441574CAFCE2BD257A750B1A8B2C88D0E36\
-E18EF7C38DAC80D3948E17ED63AFF3B3467866E3B89D09A81B3D16B52F6A3C7134D3C6F5123E9\
-F617E3145BBFBE9AFD0D6E437EA4FF6F04BC67C4F1458B4F0F47B64 - 1C2BBBB19B74E86FD32\
-9E8DB6A8C3B1B9986D57ED5419C2E855F7D5469E35E76334BB42F4C43E3F3A31B9697C171DAC4\
-D97935A7E1A14AD209D6CF811F55C6DB83AA9E6DFECFCD6669DED7171EE22A40C6181615CAF3F\
-5296964
-EOF
-            if [ "0
-0" != "`cat tmp.bctest`" ]; then
-                failure=SCOtest
-            fi
-        fi
-        if [ "$failure" = none ]; then
-            # bc works; now check if it knows the 'print' command.
-            if [ "OK" = "`echo 'print \"OK\"' | $bc 2>/dev/null`" ]
-            then
-                echo "$bc"
-            else
-                echo "sed 's/print.*//' | $bc"
-            fi
-            exit 0
-        fi
-        echo "$bc does not work properly ('$failure' failed).  Looking for another bc ..." >&2
-    fi
-done
-echo "No working bc found.  Consider installing GNU bc." >&2
-if [ "$1" = ignore ]; then
-  echo "cat >/dev/null"
-  exit 0
-fi
-exit 1
diff --git a/src/lib/libssl/test/methtest.c b/src/lib/libssl/test/methtest.c
deleted file mode 100644
index 005c2f4822..0000000000
--- a/src/lib/libssl/test/methtest.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/* test/methtest.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-#include "meth.h"
-#include <openssl/err.h>
-int main(argc,argv)
-int argc;
-char *argv[];
-        {
-        METHOD_CTX *top,*tmp1,*tmp2;
-        top=METH_new(x509_lookup()); /* get a top level context */
-        if (top == NULL) goto err;
-        tmp1=METH_new(x509_by_file());
-        if (top == NULL) goto err;
-        METH_arg(tmp1,METH_TYPE_FILE,"cafile1");
-        METH_arg(tmp1,METH_TYPE_FILE,"cafile2");
-        METH_push(top,METH_X509_CA_BY_SUBJECT,tmp1);
-        tmp2=METH_new(x509_by_dir());
-        METH_arg(tmp2,METH_TYPE_DIR,"/home/eay/.CAcerts");
-        METH_arg(tmp2,METH_TYPE_DIR,"/home/eay/SSLeay/certs");
-        METH_arg(tmp2,METH_TYPE_DIR,"/usr/local/ssl/certs");
-        METH_push(top,METH_X509_CA_BY_SUBJECT,tmp2);
-/*      tmp=METH_new(x509_by_issuer_dir);
-        METH_arg(tmp,METH_TYPE_DIR,"/home/eay/.mycerts");
-        METH_push(top,METH_X509_BY_ISSUER,tmp);
-        tmp=METH_new(x509_by_issuer_primary);
-        METH_arg(tmp,METH_TYPE_FILE,"/home/eay/.mycerts/primary.pem");
-        METH_push(top,METH_X509_BY_ISSUER,tmp);
-*/
-        METH_init(top);
-        METH_control(tmp1,METH_CONTROL_DUMP,stdout);
-        METH_control(tmp2,METH_CONTROL_DUMP,stdout);
-        EXIT(0);
-err:
-        ERR_load_crypto_strings();
-        ERR_print_errors_fp(stderr);
-        EXIT(1);
-        return(0);
-        }
diff --git a/src/lib/libssl/test/pkcs7-1.pem b/src/lib/libssl/test/pkcs7-1.pem
deleted file mode 100644
index c47b27af88..0000000000
--- a/src/lib/libssl/test/pkcs7-1.pem
+++ /dev/null
@@ -1,15 +0,0 @@
-----BEGIN PKCS7-----
-MIICUAYJKoZIhvcNAQcCoIICQTCCAj0CAQExDjAMBggqhkiG9w0CAgUAMCgGCSqG
-SIb3DQEHAaAbBBlFdmVyeW9uZSBnZXRzIEZyaWRheSBvZmYuoIIBXjCCAVowggEE
-AgQUAAApMA0GCSqGSIb3DQEBAgUAMCwxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRF
-eGFtcGxlIE9yZ2FuaXphdGlvbjAeFw05MjA5MDkyMjE4MDZaFw05NDA5MDkyMjE4
-MDVaMEIxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRFeGFtcGxlIE9yZ2FuaXphdGlv
-bjEUMBIGA1UEAxMLVGVzdCBVc2VyIDEwWzANBgkqhkiG9w0BAQEFAANKADBHAkAK
-ZnkdxpiBaN56t3QZu3+wwAHGJxAnAHUUKULhmo2MUdBTs+N4Kh3l3Fr06+mUaBcB
-FKHf5nzcmpr1XWVWILurAgMBAAEwDQYJKoZIhvcNAQECBQADQQBFGqHhqncgSl/N
-9XYGnQL3MsJvNnsNV4puZPOakR9Hld8JlDQFEaDR30ogsmp3TMrvdfxpLlTCoZN8
-BxEmnZsWMYGbMIGYAgEBMDQwLDELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFEV4YW1w
-bGUgT3JnYW5pemF0aW9uAgQUAAApMAwGCCqGSIb3DQICBQAwDQYJKoZIhvcNAQEB
-BQAEQAX6aoEvx9+L9PJUJQngPoRuEbnGIL4gCe+0QO+8xmkhaZSsBPNBtX0FIC1C
-j7Kie1x339mxW/w9VZNTUDQQweHh
-----END PKCS7-----
diff --git a/src/lib/libssl/test/pkcs7.pem b/src/lib/libssl/test/pkcs7.pem
deleted file mode 100644
index d55c60b94e..0000000000
--- a/src/lib/libssl/test/pkcs7.pem
+++ /dev/null
@@ -1,54 +0,0 @@
-     MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCAMIIE+DCCBGGg
-     AwIBAgIQaGSF/JpbS1C223+yrc+N1DANBgkqhkiG9w0BAQQFADBiMREwDwYDVQQH
-     EwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1Zl
-     cmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIwHhcNOTYw
-     ODEyMDAwMDAwWhcNOTYwODE3MjM1OTU5WjCCASAxETAPBgNVBAcTCEludGVybmV0
-     MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh
-     c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjE3MDUGA1UECxMuRGlnaXRh
-     bCBJRCBDbGFzcyAxIC0gU01JTUUgVmVyaVNpZ24sIEluYy4gVEVTVDFGMEQGA1UE
-     CxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L0NQUyBJbmNvcnAuIGJ5IFJl
-     Zi4sTElBQi5MVEQoYyk5NjEZMBcGA1UEAxMQQWxleGFuZHJlIERlYWNvbjEgMB4G
-     CSqGSIb3DQEJARYRYWxleEB2ZXJpc2lnbi5jb20wWzANBgkqhkiG9w0BAQEFAANK
-     ADBHAkAOy7xxCAIkOfuIA2LyRpxgKlDORl8htdXYhF5iBGUx1GYaK6KF+bK/CCI0
-     l4j2OfWGFBUrwGoWqxTNcWgTfMzRAgMBAAGjggIyMIICLjAJBgNVHRMEAjAAMIIC
-     HwYDVR0DBIICFjCCAhIwggIOMIICCgYLYIZIAYb4RQEHAQEwggH5FoIBp1RoaXMg
-     Y2VydGlmaWNhdGUgaW5jb3Jwb3JhdGVzIGJ5IHJlZmVyZW5jZSwgYW5kIGl0cyB1
-     c2UgaXMgc3RyaWN0bHkgc3ViamVjdCB0bywgdGhlIFZlcmlTaWduIENlcnRpZmlj
-     YXRpb24gUHJhY3RpY2UgU3RhdGVtZW50IChDUFMpLCBhdmFpbGFibGUgYXQ6IGh0
-     dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9DUFM7IGJ5IEUtbWFpbCBhdCBDUFMtcmVx
-     dWVzdHNAdmVyaXNpZ24uY29tOyBvciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMu
-     LCAyNTkzIENvYXN0IEF2ZS4sIE1vdW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBU
-     ZWwuICsxICg0MTUpIDk2MS04ODMwIENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2ln
-     biwgSW5jLiAgQWxsIFJpZ2h0cyBSZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVT
-     IERJU0NMQUlNRUQgYW5kIExJQUJJTElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcB
-     AQGhDgYMYIZIAYb4RQEHAQECMCwwKhYoaHR0cHM6Ly93d3cudmVyaXNpZ24uY29t
-     L3JlcG9zaXRvcnkvQ1BTIDANBgkqhkiG9w0BAQQFAAOBgQAimWMGQwwwxk+b3KAL
-     HlSWXtU7LWHe29CEG8XeVNTvrqs6SBqT7OoENOkGxpfdpVgZ3Qw2SKjxDvbvpfSF
-     slsqcxWSgB/hWuaVuZCkvTw/dYGGOxkTJGxvDCfl1PZjX4dKbatslsi9Z9HpGWT7
-     ttItRwKqcBKgmCJvKi1pGWED0zCCAnkwggHioAMCAQICEDURpVKQb+fQKaRAGdQR
-     /D4wDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlT
-     aWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcnRp
-     ZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDYyNzAwMDAwMFoXDTk3MDYyNzIzNTk1
-     OVowYjERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMu
-     MTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJz
-     Y3JpYmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2FKbPTdAFDdjKI9Bv
-     qrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7jW80GqLd5HUQq7XPy
-     sVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cariQPJUObwW7s987Lrb
-     P2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABozMwMTAPBgNVHRMECDAGAQH/AgEBMAsG
-     A1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAgQwDQYJKoZIhvcNAQECBQADgYEA
-     KeXHoBmnbxRCgk0jM9e9mDppdxpsipIna/J8DOHEUuD4nONAr4+xOg73SBl026n7
-     Bk55A2wvAMGo7+kKTZ+rHaFDDcmq4O+rzFri2RIOeGAncj1IcGptAQhvXoIhFMG4
-     Jlzg1KlHZHqy7D3jex78zcSU7kKOu8f5tAX1jC3+sToAAKGAMIIBJzCBkTANBgkq
-     hkiG9w0BAQIFADBiMREwDwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNp
-     Z24sIEluYy4xNDAyBgNVBAsTK1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlk
-     dWFsIFN1YnNjcmliZXIXDTk2MDcwMTE3MzA0MFoXDTk3MDcwMTAwMDAwMFowDQYJ
-     KoZIhvcNAQECBQADgYEAGLuQ6PX8A7AiqBEtWzYtl6lZNSDI0bR5YUo+D2Jzkw30
-     dxQnJSbKXEc6XYuzAW5HvrzATXu5c19WWPT4cRDwmjH71i9QcDysWwf/wE0qGTiW
-     I3tQT0I5VGh7jIJD07nlBw3R4Xl8dH9kr85JsWinqDH5YKpIo9o8knY5n7+qjOow
-     ggEkMIGOMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5W
-     ZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBD
-     ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eRcNOTYwNzE2MjMxMTI5WhcNOTYwODE1MDAw
-     MDAwWjANBgkqhkiG9w0BAQIFAAOBgQAXsLE4vnsY6sY67QrmWec7iaU2ehzxanEK
-     /9wKHZNuhlNzk+qGZZw2evxfUe2OaRbYpl8zuZvhK9BHD3ad14OSe9/zx5hOPgP/
-     DQXt6R4R8Q/1JheBrolrgbavjvI2wKS8/Psp2prBrkF4T48+AKRmS8Zzh1guxgvP
-     b+xSu/jH0gAAMYAAAAAAAAAAAA==
diff --git a/src/lib/libssl/test/r160test.c b/src/lib/libssl/test/r160test.c
deleted file mode 100644
index a172e393ca..0000000000
--- a/src/lib/libssl/test/r160test.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/* test/r160test.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
diff --git a/src/lib/libssl/test/tcrl b/src/lib/libssl/test/tcrl
deleted file mode 100644
index 3ffed12a03..0000000000
--- a/src/lib/libssl/test/tcrl
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/sh
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-cmd='../util/shlib_wrap.sh ../apps/openssl crl'
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=testcrl.pem
-fi
-echo testing crl conversions
-cp $t fff.p
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in fff.p -inform p -outform t >f.t
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-echo "d -> d"
-$cmd -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> d"
-#$cmd -in f.t -inform t -outform d >ff.d2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-#echo "d -> t"
-#$cmd -in f.d -inform d -outform t >ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#echo "t -> t"
-#$cmd -in f.t -inform t -outform t >ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in f.p -inform p -outform t >ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> p"
-#$cmd -in f.t -inform t -outform p >ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p f.p
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp fff.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp f.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/test.cnf b/src/lib/libssl/test/test.cnf
deleted file mode 100644
index faad3914a8..0000000000
--- a/src/lib/libssl/test/test.cnf
+++ /dev/null
@@ -1,88 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-RANDFILE                = ./.rnd
-####################################################################
-[ ca ]
-default_ca      = CA_default            # The default ca section
-####################################################################
-[ CA_default ]
-dir             = ./demoCA              # Where everything is kept
-certs           = $dir/certs            # Where the issued certs are kept
-crl_dir         = $dir/crl              # Where the issued crl are kept
-database        = $dir/index.txt        # database index file.
-new_certs_dir   = $dir/new_certs        # default place for new certs.
-certificate     = $dir/CAcert.pem       # The CA certificate
-serial          = $dir/serial           # The current serial number
-crl             = $dir/crl.pem          # The current CRL
-private_key     = $dir/private/CAkey.pem# The private key
-RANDFILE        = $dir/private/.rand    # private random number file
-default_days    = 365                   # how long to certify for
-default_crl_days= 30                    # how long before next CRL
-default_md      = md5                   # which md to use.
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy          = policy_match
-# For the CA policy
-[ policy_match ]
-countryName             = match
-stateOrProvinceName     = match
-organizationName        = match
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-####################################################################
-[ req ]
-default_bits            = 512
-default_keyfile         = testkey.pem
-distinguished_name      = req_distinguished_name
-encrypt_rsa_key         = no
-[ req_distinguished_name ]
-countryName                     = Country Name (2 letter code)
-countryName_default             = AU
-countryName_value               = AU
-stateOrProvinceName             = State or Province Name (full name)
-stateOrProvinceName_default     = Queensland
-stateOrProvinceName_value       =
-localityName                    = Locality Name (eg, city)
-localityName_value              = Brisbane
-organizationName                = Organization Name (eg, company)
-organizationName_default        = 
-organizationName_value          = CryptSoft Pty Ltd
-organizationalUnitName          = Organizational Unit Name (eg, section)
-organizationalUnitName_default  =
-organizationalUnitName_value    = .
-commonName                      = Common Name (eg, YOUR name)
-commonName_value                = Eric Young
-emailAddress                    = Email Address
-emailAddress_value              = eay@mincom.oz.au
diff --git a/src/lib/libssl/test/testca b/src/lib/libssl/test/testca
deleted file mode 100644
index 5b2faa78f1..0000000000
--- a/src/lib/libssl/test/testca
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/sh
-SH="/bin/sh"
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=./apps\;../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export SH PATH
-SSLEAY_CONFIG="-config CAss.cnf"
-export SSLEAY_CONFIG
-OPENSSL="`pwd`/../util/shlib_wrap.sh openssl"
-export OPENSSL
-/bin/rm -fr demoCA
-$SH ../apps/CA.sh -newca <<EOF
-EOF
-if [ $? != 0 ]; then
-        exit 1;
-fi
-SSLEAY_CONFIG="-config Uss.cnf"
-export SSLEAY_CONFIG
-$SH ../apps/CA.sh -newreq
-if [ $? != 0 ]; then
-        exit 1;
-fi
-SSLEAY_CONFIG="-config ../apps/openssl.cnf"
-export SSLEAY_CONFIG
-$SH ../apps/CA.sh -sign  <<EOF
-y
-y
-EOF
-if [ $? != 0 ]; then
-        exit 1;
-fi
-$SH ../apps/CA.sh -verify newcert.pem
-if [ $? != 0 ]; then
-        exit 1;
-fi
-/bin/rm -fr demoCA newcert.pem newreq.pem
-#usage: CA -newcert|-newreq|-newca|-sign|-verify
diff --git a/src/lib/libssl/test/testcrl.pem b/src/lib/libssl/test/testcrl.pem
deleted file mode 100644
index 0989788354..0000000000
--- a/src/lib/libssl/test/testcrl.pem
+++ /dev/null
@@ -1,16 +0,0 @@
-----BEGIN X509 CRL-----
-MIICjTCCAfowDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxIDAeBgNVBAoT
-F1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2VydmVy
-IENlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw05NTA1MDIwMjEyMjZaFw05NTA2MDEw
-MDAxNDlaMIIBaDAWAgUCQQAABBcNOTUwMjAxMTcyNDI2WjAWAgUCQQAACRcNOTUw
-MjEwMDIxNjM5WjAWAgUCQQAADxcNOTUwMjI0MDAxMjQ5WjAWAgUCQQAADBcNOTUw
-MjI1MDA0NjQ0WjAWAgUCQQAAGxcNOTUwMzEzMTg0MDQ5WjAWAgUCQQAAFhcNOTUw
-MzE1MTkxNjU0WjAWAgUCQQAAGhcNOTUwMzE1MTk0MDQxWjAWAgUCQQAAHxcNOTUw
-MzI0MTk0NDMzWjAWAgUCcgAABRcNOTUwMzI5MjAwNzExWjAWAgUCcgAAERcNOTUw
-MzMwMDIzNDI2WjAWAgUCQQAAIBcNOTUwNDA3MDExMzIxWjAWAgUCcgAAHhcNOTUw
-NDA4MDAwMjU5WjAWAgUCcgAAQRcNOTUwNDI4MTcxNzI0WjAWAgUCcgAAOBcNOTUw
-NDI4MTcyNzIxWjAWAgUCcgAATBcNOTUwNTAyMDIxMjI2WjANBgkqhkiG9w0BAQIF
-AAN+AHqOEJXSDejYy0UwxxrH/9+N2z5xu/if0J6qQmK92W0hW158wpJg+ovV3+wQ
-wvIEPRL2rocL0tKfAsVq1IawSJzSNgxG0lrcla3MrJBnZ4GaZDu4FutZh72MR3Gt
-JaAL3iTJHJD55kK2D/VoyY1djlsPuNh6AEgdVwFAyp0v
-----END X509 CRL-----
diff --git a/src/lib/libssl/test/testenc b/src/lib/libssl/test/testenc
deleted file mode 100644
index 4571ea2875..0000000000
--- a/src/lib/libssl/test/testenc
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/bin/sh
-testsrc=Makefile
-test=./p
-cmd="../util/shlib_wrap.sh ../apps/openssl"
-cat $testsrc >$test;
-echo cat
-$cmd enc -non-fips-allow < $test > $test.cipher
-$cmd enc -non-fips-allow < $test.cipher >$test.clear
-cmp $test $test.clear
-if [ $? != 0 ]
-then
-        exit 1
-else
-        /bin/rm $test.cipher $test.clear
-fi
-echo base64
-$cmd enc -non-fips-allow -a -e < $test > $test.cipher
-$cmd enc -non-fips-allow -a -d < $test.cipher >$test.clear
-cmp $test $test.clear
-if [ $? != 0 ]
-then
-        exit 1
-else
-        /bin/rm $test.cipher $test.clear
-fi
-for i in `$cmd list-cipher-commands`
-do
-        echo $i
-        $cmd $i -non-fips-allow -bufsize 113 -e -k test < $test > $test.$i.cipher
-        $cmd $i -non-fips-allow -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
-        cmp $test $test.$i.clear
-        if [ $? != 0 ]
-        then
-                exit 1
-        else
-                /bin/rm $test.$i.cipher $test.$i.clear
-        fi
-        echo $i base64
-        $cmd $i -non-fips-allow -bufsize 113 -a -e -k test < $test > $test.$i.cipher
-        $cmd $i -non-fips-allow -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
-        cmp $test $test.$i.clear
-        if [ $? != 0 ]
-        then
-                exit 1
-        else
-                /bin/rm $test.$i.cipher $test.$i.clear
-        fi
-done
-rm -f $test
diff --git a/src/lib/libssl/test/testgen b/src/lib/libssl/test/testgen
deleted file mode 100644
index 524c0d134c..0000000000
--- a/src/lib/libssl/test/testgen
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/sh
-T=testcert
-KEY=512
-CA=../certs/testca.pem
-/bin/rm -f $T.1 $T.2 $T.key
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH;
-else
-    PATH=../apps:$PATH;
-fi
-export PATH
-echo "generating certificate request"
-echo "string to make the random number generator think it has entropy" >> ./.rnd
-if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
-  req_new='-newkey dsa:../apps/dsa512.pem'
-else
-  req_new='-new'
-  echo "There should be a 2 sequences of .'s and some +'s."
-  echo "There should not be more that at most 80 per line"
-fi
-echo "This could take some time."
-rm -f testkey.pem testreq.pem
-../util/shlib_wrap.sh ../apps/openssl req -config test.cnf $req_new -out testreq.pem
-if [ $? != 0 ]; then
-echo problems creating request
-exit 1
-fi
-../util/shlib_wrap.sh ../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
-if [ $? != 0 ]; then
-echo signature on req is wrong
-exit 1
-fi
-exit 0
diff --git a/src/lib/libssl/test/testp7.pem b/src/lib/libssl/test/testp7.pem
deleted file mode 100644
index e5b7866c31..0000000000
--- a/src/lib/libssl/test/testp7.pem
+++ /dev/null
@@ -1,46 +0,0 @@
-----BEGIN PKCS7-----
-MIIIGAYJKoZIhvcNAQcCoIIICTCCCAUCAQExADALBgkqhkiG9w0BBwGgggY8MIIE
-cjCCBBygAwIBAgIQeS+OJfWJUZAx6cX0eAiMjzANBgkqhkiG9w0BAQQFADBiMREw
-DwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNV
-BAsTK1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIw
-HhcNOTYwNzE5MDAwMDAwWhcNOTcwMzMwMjM1OTU5WjCB1TERMA8GA1UEBxMISW50
-ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2ln
-biBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMSgwJgYDVQQLEx9E
-aWdpdGFsIElEIENsYXNzIDEgLSBTTUlNRSBUZXN0MUcwRQYDVQQLEz53d3cudmVy
-aXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEuMCBJbmMuIGJ5IFJlZi4sTElBQi5M
-VEQoYyk5NjBbMA0GCSqGSIb3DQEBAQUAA0oAMEcCQA7LvHEIAiQ5+4gDYvJGnGAq
-UM5GXyG11diEXmIEZTHUZhorooX5sr8IIjSXiPY59YYUFSvAaharFM1xaBN8zNEC
-AwEAAaOCAjkwggI1MAkGA1UdEwQCMAAwggImBgNVHQMEggIdMIICGTCCAhUwggIR
-BgtghkgBhvhFAQcBATCCAgAWggGrVGhpcyBjZXJ0aWZpY2F0ZSBpbmNvcnBvcmF0
-ZXMgYnkgcmVmZXJlbmNlLCBhbmQgaXRzIHVzZSBpcyBzdHJpY3RseSBzdWJqZWN0
-IHRvLCB0aGUgVmVyaVNpZ24gQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1l
-bnQgKENQUyksIGF2YWlsYWJsZSBhdDogaHR0cHM6Ly93d3cudmVyaXNpZ24uY29t
-L0NQUy0xLjA7IGJ5IEUtbWFpbCBhdCBDUFMtcmVxdWVzdHNAdmVyaXNpZ24uY29t
-OyBvciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMuLCAyNTkzIENvYXN0IEF2ZS4s
-IE1vdW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBUZWwuICsxICg0MTUpIDk2MS04
-ODMwIENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2lnbiwgSW5jLiAgQWxsIFJpZ2h0
-cyBSZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVTIERJU0NMQUlNRUQgYW5kIExJ
-QUJJTElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcBAQGhDgYMYIZIAYb4RQEHAQEC
-MC8wLRYraHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEu
-AzANBgkqhkiG9w0BAQQFAANBAMCYDuSb/eIlYSxY31nZZTaCZkCSfHjlacMofExr
-cF+A2yHoEuT+eCQkqM0pMNHXddUeoQ9RjV+VuMBNmm63DUYwggHCMIIBbKADAgEC
-AhB8CYTq1bkRFJBYOd67cp9JMA0GCSqGSIb3DQEBAgUAMD4xCzAJBgNVBAYTAlVT
-MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEWMBQGA1UECxMNVEVTVCBSb290IFBD
-QTAeFw05NjA3MTcwMDAwMDBaFw05NzA3MTcyMzU5NTlaMGIxETAPBgNVBAcTCElu
-dGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNp
-Z24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjBcMA0GCSqGSIb3
-DQEBAQUAA0sAMEgCQQDsVzrNgnDhbAJZrWeLd9g1vMZJA2W67D33TTbga6yMt+ES
-TWEywhS6RNP+fzLGg7utinjH4tL60cXa0G27GDsLAgMBAAGjIjAgMAsGA1UdDwQE
-AwIBBjARBglghkgBhvhCAQEEBAMCAgQwDQYJKoZIhvcNAQECBQADQQAUp6bRwkaD
-2d1MBs/mjUcgTI2fXVmW8tTm/Ud6OzUwpC3vYgybiOOA4f6mOC5dbyUHrLOsrihU
-47ZQ0Jo1DUfboYIBrTCBwTBtMA0GCSqGSIb3DQEBAgUAMD4xCzAJBgNVBAYTAlVT
-MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEWMBQGA1UECxMNVEVTVCBSb290IFBD
-QRcNOTYwNzE3MTc0NDA5WhcNOTgwNzE3MDAwMDAwWjANBgkqhkiG9w0BAQIFAANB
-AHitA0/xAukCjHzeh1AMT/l2oC68N+yFb+aJPHBBMxc6gG2MaKjBNwb5hcXUllMl
-ExONA3ju10f7owIq3s3wx10wgeYwgZEwDQYJKoZIhvcNAQECBQAwYjERMA8GA1UE
-BxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytW
-ZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyFw05NjA3
-MTcxNzU5MjlaFw05NzA3MTgwMDAwMDBaMA0GCSqGSIb3DQEBAgUAA0EAubVWYTsW
-sQmste9f+UgMw8BkjDlM25fwQLrCfmmnLxjewey10kSROypUaJLb+r4oRALc0fG9
-XfZsaiiIgotQHjEA
-----END PKCS7-----
diff --git a/src/lib/libssl/test/testreq2.pem b/src/lib/libssl/test/testreq2.pem
deleted file mode 100644
index c3cdcffcbc..0000000000
--- a/src/lib/libssl/test/testreq2.pem
+++ /dev/null
@@ -1,7 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIHaMIGFAgEAMA4xDDAKBgNVBAMTA2NuNDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
-QQCQsnkyUGDY2R3mYoeTprFJKgWuJ3f1jUjlIuW5+wfAUoeMt35c4vcFZ2mIBpEG
-DtzkNQN1kr2O9ldm9zYnYhyhAgMBAAGgEjAQBgorBgEEAYI3AgEOMQIwADANBgkq
-hkiG9w0BAQQFAANBAAb2szZgVIxg3vK6kYLjGSBISyuzcXJ6IvuPW6M+yzi1Qgoi
-gQhazHTJp91T8ItZEzUJGZSZl2e5iXlnffWB+/U=
-----END CERTIFICATE REQUEST-----
diff --git a/src/lib/libssl/test/testrsa.pem b/src/lib/libssl/test/testrsa.pem
deleted file mode 100644
index aad21067a8..0000000000
--- a/src/lib/libssl/test/testrsa.pem
+++ /dev/null
@@ -1,9 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIBPAIBAAJBAKrbeqkuRk8VcRmWFmtP+LviMB3+6dizWW3DwaffznyHGAFwUJ/I
-Tv0XtbsCyl3QoyKGhrOAy3RvPK5M38iuXT0CAwEAAQJAZ3cnzaHXM/bxGaR5CR1R
-rD1qFBAVfoQFiOH9uPJgMaoAuoQEisPHVcZDKcOv4wEg6/TInAIXBnEigtqvRzuy
-oQIhAPcgZzUq3yVooAaoov8UbXPxqHlwo6GBMqnv20xzkf6ZAiEAsP4BnIaQTM8S
-mvcpHZwQJdmdHHkGKAs37Dfxi67HbkUCIQCeZGliHXFa071Fp06ZeWlR2ADonTZz
-rJBhdTe0v5pCeQIhAIZfkiGgGBX4cIuuckzEm43g9WMUjxP/0GlK39vIyihxAiEA
-mymehFRT0MvqW5xAKAx7Pgkt8HVKwVhc2LwGKHE0DZM=
-----END RSA PRIVATE KEY-----
diff --git a/src/lib/libssl/test/testsid.pem b/src/lib/libssl/test/testsid.pem
deleted file mode 100644
index 7ffd008f66..0000000000
--- a/src/lib/libssl/test/testsid.pem
+++ /dev/null
@@ -1,12 +0,0 @@
-----BEGIN SSL SESSION PARAMETERS-----
-MIIB1gIBAQIBAgQDAQCABBCi11xa5qkOP8xrr02K/NQCBBBkIYQZM0Bt95W0EHNV
-bA58oQYCBDIBr7WiBAICASyjggGGMIIBgjCCASwCAQMwDQYJKoZIhvcNAQEEBQAw
-ODELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3Jz
-YSB0ZXN0IENBMB4XDTk1MTAwOTIzMzEzNFoXDTk4MDcwNTIzMzEzNFowYDELMAkG
-A1UEBhMCQVUxDDAKBgNVBAgTA1FMRDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRk
-LjELMAkGA1UECxMCQ1MxGzAZBgNVBAMTElNTTGVheSBkZW1vIGNsaWVudDBcMA0G
-CSqGSIb3DQEBAQUAA0sAMEgCQQC4pcXEL1lgVA+B5Q3TcuW/O3LZHoA73IYm8oFD
-TezgCDhL2RTMn+seKWF36UtJKRIOBU9jZHCVVd0Me5ls6BEjAgMBAAEwDQYJKoZI
-hvcNAQEEBQADQQBoIpOcwUY1qlVF7j3ROSGvUsbvByOBFmYWkIBgsCqR+9qo1A7L
-CrWF5i8LWt/vLwAHaxWNx2YuBJMFyuK81fTvpA0EC3Rlc3Rjb250ZXh0
-----END SSL SESSION PARAMETERS-----
diff --git a/src/lib/libssl/test/testss b/src/lib/libssl/test/testss
deleted file mode 100644
index 1a426857d3..0000000000
--- a/src/lib/libssl/test/testss
+++ /dev/null
@@ -1,163 +0,0 @@
-#!/bin/sh
-digest='-sha1'
-reqcmd="../util/shlib_wrap.sh ../apps/openssl req"
-x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest"
-verifycmd="../util/shlib_wrap.sh ../apps/openssl verify"
-dummycnf="../apps/openssl.cnf"
-CAkey="keyCA.ss"
-CAcert="certCA.ss"
-CAreq="reqCA.ss"
-CAconf="CAss.cnf"
-CAreq2="req2CA.ss"      # temp
-Uconf="Uss.cnf"
-Ukey="keyU.ss"
-Ureq="reqU.ss"
-Ucert="certU.ss"
-P1conf="P1ss.cnf"
-P1key="keyP1.ss"
-P1req="reqP1.ss"
-P1cert="certP1.ss"
-P1intermediate="tmp_intP1.ss"
-P2conf="P2ss.cnf"
-P2key="keyP2.ss"
-P2req="reqP2.ss"
-P2cert="certP2.ss"
-P2intermediate="tmp_intP2.ss"
-echo
-echo "make a certificate request using 'req'"
-echo "string to make the random number generator think it has entropy" >> ./.rnd
-if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
-  req_new='-newkey dsa:../apps/dsa512.pem'
-else
-  req_new='-new'
-fi
-$reqcmd -config $CAconf -out $CAreq -keyout $CAkey $req_new #>err.ss
-if [ $? != 0 ]; then
-        echo "error using 'req' to generate a certificate request"
-        exit 1
-fi
-echo
-echo "convert the certificate request into a self signed certificate using 'x509'"
-$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'x509' to self sign a certificate request"
-        exit 1
-fi
-echo
-echo "convert a certificate into a certificate request using 'x509'"
-$x509cmd -in $CAcert -x509toreq -signkey $CAkey -out $CAreq2 >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'x509' convert a certificate to a certificate request"
-        exit 1
-fi
-$reqcmd -config $dummycnf -verify -in $CAreq -noout
-if [ $? != 0 ]; then
-        echo first generated request is invalid
-        exit 1
-fi
-$reqcmd -config $dummycnf -verify -in $CAreq2 -noout
-if [ $? != 0 ]; then
-        echo second generated request is invalid
-        exit 1
-fi
-$verifycmd -CAfile $CAcert $CAcert
-if [ $? != 0 ]; then
-        echo first generated cert is invalid
-        exit 1
-fi
-echo
-echo "make a user certificate request using 'req'"
-$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'req' to generate a user certificate request"
-        exit 1
-fi
-echo
-echo "sign user certificate request with the just created CA via 'x509'"
-$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'x509' to sign a user certificate request"
-        exit 1
-fi
-$verifycmd -CAfile $CAcert $Ucert
-echo
-echo "Certificate details"
-$x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
-echo
-echo "make a proxy certificate request using 'req'"
-$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'req' to generate a proxy certificate request"
-        exit 1
-fi
-echo
-echo "sign proxy certificate request with the just created user certificate via 'x509'"
-$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'x509' to sign a proxy certificate request"
-        exit 1
-fi
-cat $Ucert > $P1intermediate
-$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert
-echo
-echo "Certificate details"
-$x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert
-echo
-echo "make another proxy certificate request using 'req'"
-$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'req' to generate another proxy certificate request"
-        exit 1
-fi
-echo
-echo "sign second proxy certificate request with the first proxy certificate via 'x509'"
-$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'x509' to sign a second proxy certificate request"
-        exit 1
-fi
-cat $Ucert $P1cert > $P2intermediate
-$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert
-echo
-echo "Certificate details"
-$x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert
-echo
-echo The generated CA certificate is $CAcert
-echo The generated CA private key is $CAkey
-echo The generated user certificate is $Ucert
-echo The generated user private key is $Ukey
-echo The first generated proxy certificate is $P1cert
-echo The first generated proxy private key is $P1key
-echo The second generated proxy certificate is $P2cert
-echo The second generated proxy private key is $P2key
-/bin/rm err.ss
-#/bin/rm $P1intermediate
-#/bin/rm $P2intermediate
-exit 0
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
deleted file mode 100644
index 8ac90ae5ee..0000000000
--- a/src/lib/libssl/test/testssl
+++ /dev/null
@@ -1,145 +0,0 @@
-#!/bin/sh
-if [ "$1" = "" ]; then
-  key=../apps/server.pem
-else
-  key="$1"
-fi
-if [ "$2" = "" ]; then
-  cert=../apps/server.pem
-else
-  cert="$2"
-fi
-ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
-if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
-  dsa_cert=YES
-else
-  dsa_cert=NO
-fi
-if [ "$3" = "" ]; then
-  CA="-CApath ../certs"
-else
-  CA="-CAfile $3"
-fi
-if [ "$4" = "" ]; then
-  extra=""
-else
-  extra="$4"
-fi
-#############################################################################
-echo test sslv2
-$ssltest -ssl2 $extra || exit 1
-echo test sslv2 with server authentication
-$ssltest -ssl2 -server_auth $CA $extra || exit 1
-if [ $dsa_cert = NO ]; then
-  echo test sslv2 with client authentication
-  $ssltest -ssl2 -client_auth $CA $extra || exit 1
-  echo test sslv2 with both client and server authentication
-  $ssltest -ssl2 -server_auth -client_auth $CA $extra || exit 1
-fi
-echo test sslv3
-$ssltest -ssl3 $extra || exit 1
-echo test sslv3 with server authentication
-$ssltest -ssl3 -server_auth $CA $extra || exit 1
-echo test sslv3 with client authentication
-$ssltest -ssl3 -client_auth $CA $extra || exit 1
-echo test sslv3 with both client and server authentication
-$ssltest -ssl3 -server_auth -client_auth $CA $extra || exit 1
-echo test sslv2/sslv3
-$ssltest $extra || exit 1
-echo test sslv2/sslv3 with server authentication
-$ssltest -server_auth $CA $extra || exit 1
-echo test sslv2/sslv3 with client authentication
-$ssltest -client_auth $CA $extra || exit 1
-echo test sslv2/sslv3 with both client and server authentication
-$ssltest -server_auth -client_auth $CA $extra || exit 1
-echo test sslv2 via BIO pair
-$ssltest -bio_pair -ssl2 $extra || exit 1
-echo test sslv2 with server authentication via BIO pair
-$ssltest -bio_pair -ssl2 -server_auth $CA $extra || exit 1
-if [ $dsa_cert = NO ]; then
-  echo test sslv2 with client authentication via BIO pair
-  $ssltest -bio_pair -ssl2 -client_auth $CA $extra || exit 1
-  echo test sslv2 with both client and server authentication via BIO pair
-  $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra || exit 1
-fi
-echo test sslv3 via BIO pair
-$ssltest -bio_pair -ssl3 $extra || exit 1
-echo test sslv3 with server authentication via BIO pair
-$ssltest -bio_pair -ssl3 -server_auth $CA $extra || exit 1
-echo test sslv3 with client authentication via BIO pair
-$ssltest -bio_pair -ssl3 -client_auth $CA $extra || exit 1
-echo test sslv3 with both client and server authentication via BIO pair
-$ssltest -bio_pair -ssl3 -server_auth -client_auth $CA $extra || exit 1
-echo test sslv2/sslv3 via BIO pair
-$ssltest $extra || exit 1
-if [ $dsa_cert = NO ]; then
-  echo test sslv2/sslv3 w/o DHE via BIO pair
-  $ssltest -bio_pair -no_dhe $extra || exit 1
-fi
-echo test sslv2/sslv3 with 1024bit DHE via BIO pair
-$ssltest -bio_pair -dhe1024dsa -v $extra || exit 1
-echo test sslv2/sslv3 with server authentication
-$ssltest -bio_pair -server_auth $CA $extra || exit 1
-echo test sslv2/sslv3 with client authentication via BIO pair
-$ssltest -bio_pair -client_auth $CA $extra || exit 1
-echo test sslv2/sslv3 with both client and server authentication via BIO pair
-$ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1
-echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
-$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
-#############################################################################
-if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
-  echo skipping anonymous DH tests
-else
-  echo test tls1 with 1024bit anonymous DH, multiple handshakes
-  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
-fi
-if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
-  echo skipping RSA tests
-else
-  echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
-  ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
-  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
-    echo skipping RSA+DHE tests
-  else
-    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
-    ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
-  fi
-fi
-exit 0
diff --git a/src/lib/libssl/test/testsslproxy b/src/lib/libssl/test/testsslproxy
deleted file mode 100644
index 58bbda8ab7..0000000000
--- a/src/lib/libssl/test/testsslproxy
+++ /dev/null
@@ -1,10 +0,0 @@
-#! /bin/sh
-echo 'Testing a lot of proxy conditions.'
-echo 'Some of them may turn out being invalid, which is fine.'
-for auth in A B C BC; do
-    for cond in A B C 'A|B&!C'; do
-        sh ./testssl $1 $2 $3 "-proxy -proxy_auth $auth -proxy_cond $cond"
-        if [ $? = 3 ]; then exit 1; fi
-    done
-done
diff --git a/src/lib/libssl/test/testx509.pem b/src/lib/libssl/test/testx509.pem
deleted file mode 100644
index 8a85d14964..0000000000
--- a/src/lib/libssl/test/testx509.pem
+++ /dev/null
@@ -1,10 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIBWzCCAQYCARgwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV
-BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MDYxOTIz
-MzMxMloXDTk1MDcxNzIzMzMxMlowOjELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM
-RDEdMBsGA1UEAxMUU1NMZWF5L3JzYSB0ZXN0IGNlcnQwXDANBgkqhkiG9w0BAQEF
-AANLADBIAkEAqtt6qS5GTxVxGZYWa0/4u+IwHf7p2LNZbcPBp9/OfIcYAXBQn8hO
-/Re1uwLKXdCjIoaGs4DLdG88rkzfyK5dPQIDAQABMAwGCCqGSIb3DQIFBQADQQAE
-Wc7EcF8po2/ZO6kNCwK/ICH6DobgLekA5lSLr5EvuioZniZp5lFzAw4+YzPQ7XKJ
-zl9HYIMxATFyqSiD9jsx
-----END CERTIFICATE-----
diff --git a/src/lib/libssl/test/times b/src/lib/libssl/test/times
deleted file mode 100644
index 738d569b8f..0000000000
--- a/src/lib/libssl/test/times
+++ /dev/null
@@ -1,113 +0,0 @@
-More number for the questions about SSL overheads....
-The following numbers were generated on a pentium pro 200, running linux.
-They give an indication of the SSL protocol and encryption overheads.
-The program that generated them is an unreleased version of ssl/ssltest.c
-which is the SSLeay ssl protocol testing program.  It is a single process that
-talks both sides of the SSL protocol via a non-blocking memory buffer
-interface.
-How do I read this?  The protocol and cipher are reasonable obvious.
-The next number is the number of connections being made.  The next is the
-number of bytes exchanged bewteen the client and server side of the protocol.
-This is the number of bytes that the client sends to the server, and then
-the server sends back.  Because this is all happening in one process,
-the data is being encrypted, decrypted, encrypted and then decrypted again.
-It is a round trip of that many bytes.  Because the one process performs
-both the client and server sides of the protocol and it sends this many bytes
-each direction, multiply this number by 4 to generate the number
-of bytes encrypted/decrypted/MACed.  The first time value is how many seconds
-elapsed doing a full SSL handshake, the second is the cost of one
-full handshake and the rest being session-id reuse.
-SSLv2 RC4-MD5      1000 x      1   12.83s   0.70s
-SSLv3 NULL-MD5     1000 x      1   14.35s   1.47s
-SSLv3 RC4-MD5      1000 x      1   14.46s   1.56s
-SSLv3 RC4-MD5      1000 x      1   51.93s   1.62s 1024bit RSA
-SSLv3 RC4-SHA      1000 x      1   14.61s   1.83s
-SSLv3 DES-CBC-SHA  1000 x      1   14.70s   1.89s
-SSLv3 DES-CBC3-SHA 1000 x      1   15.16s   2.16s
-SSLv2 RC4-MD5      1000 x   1024   13.72s   1.27s
-SSLv3 NULL-MD5     1000 x   1024   14.79s   1.92s
-SSLv3 RC4-MD5      1000 x   1024   52.58s   2.29s 1024bit RSA
-SSLv3 RC4-SHA      1000 x   1024   15.39s   2.67s
-SSLv3 DES-CBC-SHA  1000 x   1024   16.45s   3.55s
-SSLv3 DES-CBC3-SHA 1000 x   1024   18.21s   5.38s
-SSLv2 RC4-MD5      1000 x  10240   18.97s   6.52s
-SSLv3 NULL-MD5     1000 x  10240   17.79s   5.11s
-SSLv3 RC4-MD5      1000 x  10240   20.25s   7.90s
-SSLv3 RC4-MD5      1000 x  10240   58.26s   8.08s 1024bit RSA
-SSLv3 RC4-SHA      1000 x  10240   22.96s  11.44s
-SSLv3 DES-CBC-SHA  1000 x  10240   30.65s  18.41s
-SSLv3 DES-CBC3-SHA 1000 x  10240   47.04s  34.53s
-SSLv2 RC4-MD5      1000 x 102400   70.22s  57.74s
-SSLv3 NULL-MD5     1000 x 102400   43.73s  31.03s
-SSLv3 RC4-MD5      1000 x 102400   71.32s  58.83s
-SSLv3 RC4-MD5      1000 x 102400  109.66s  59.20s 1024bit RSA
-SSLv3 RC4-SHA      1000 x 102400   95.88s  82.21s
-SSLv3 DES-CBC-SHA  1000 x 102400  173.22s 160.55s
-SSLv3 DES-CBC3-SHA 1000 x 102400  336.61s 323.82s
-What does this all mean?  Well for a server, with no session-id reuse, with
-a transfer size of 10240 bytes, using RC4-MD5 and a 512bit server key,
-a pentium pro 200 running linux can handle the SSLv3 protocol overheads of
-about 49 connections a second.  Reality will be quite different :-).
-Remeber the first number is 1000 full ssl handshakes, the second is
-1 full and 999 with session-id reuse.  The RSA overheads for each exchange
-would be one public and one private operation, but the protocol/MAC/cipher
-cost would be quite similar in both the client and server.
-eric (adding numbers to speculation)
--- Appendix ---
- The time measured is user time but these number a very rough.
- Remember this is the cost of both client and server sides of the protocol.
- The TCP/kernel overhead of connection establishment is normally the
-  killer in SSL.  Often delays in the TCP protocol will make session-id
-  reuse look slower that new sessions, but this would not be the case on
-  a loaded server.
- The TCP round trip latencies, while slowing indervidual connections,
-  would have minimal impact on throughput.
- Instead of sending one 102400 byte buffer, one 8k buffer is sent until
- the required number of bytes are processed.
- The SSLv3 connections were actually SSLv2 compatable SSLv3 headers.
- A 512bit server key was being used except where noted.
- No server key verification was being performed on the client side of the
-  protocol.  This would slow things down very little.
- The library being used is SSLeay 0.8.x.
- The normal mesauring system was commands of the form
-  time ./ssltest -num 1000 -bytes 102400 -cipher DES-CBC-SHA -reuse
-  This modified version of ssltest should be in the next public release of
-  SSLeay.
-The general cipher performace number for this platform are
-SSLeay 0.8.2a 04-Sep-1997
-built on Fri Sep  5 17:37:05 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
-C flags:gcc -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized 
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               131.02k      368.41k      500.57k      549.21k      566.09k
-mdc2              535.60k      589.10k      595.88k      595.97k      594.54k
-md5              1801.53k     9674.77k    17484.03k    21849.43k    23592.96k
-sha              1261.63k     5533.25k     9285.63k    11187.88k    11913.90k
-sha1             1103.13k     4782.53k     7933.78k     9472.34k    10070.70k
-rc4             10722.53k    14443.93k    15215.79k    15299.24k    15219.59k
-des cbc          3286.57k     3827.73k     3913.39k     3931.82k     3926.70k
-des ede3         1443.50k     1549.08k     1561.17k     1566.38k     1564.67k
-idea cbc         2203.64k     2508.16k     2538.33k     2543.62k     2547.71k
-rc2 cbc          1430.94k     1511.59k     1524.82k     1527.13k     1523.33k
-blowfish cbc     4716.07k     5965.82k     6190.17k     6243.67k     6234.11k
-                  sign    verify
-rsa  512 bits   0.0100s   0.0011s
-rsa 1024 bits   0.0451s   0.0012s
-rsa 2048 bits   0.2605s   0.0086s
-rsa 4096 bits   1.6883s   0.0302s
diff --git a/src/lib/libssl/test/tpkcs7 b/src/lib/libssl/test/tpkcs7
deleted file mode 100644
index 79bb6e0edf..0000000000
--- a/src/lib/libssl/test/tpkcs7
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/sh
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=testp7.pem
-fi
-echo testing pkcs7 conversions
-cp $t fff.p
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-echo "d -> d"
-$cmd -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p f.p
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/tpkcs7d b/src/lib/libssl/test/tpkcs7d
deleted file mode 100644
index 20394b34c4..0000000000
--- a/src/lib/libssl/test/tpkcs7d
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/sh
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=pkcs7-1.pem
-fi
-echo "testing pkcs7 conversions (2)"
-cp $t fff.p
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-echo "d -> d"
-$cmd -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/treq b/src/lib/libssl/test/treq
deleted file mode 100644
index 7e020210a5..0000000000
--- a/src/lib/libssl/test/treq
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/bin/sh
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-cmd='../util/shlib_wrap.sh ../apps/openssl req -config ../apps/openssl.cnf'
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=testreq.pem
-fi
-if $cmd -in $t -inform p -noout -text | fgrep 'Unknown Public Key'; then
-  echo "skipping req conversion test for $t"
-  exit 0
-fi
-echo testing req conversions
-cp $t fff.p
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in fff.p -inform p -outform t >f.t
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-echo "d -> d"
-$cmd -verify -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> d"
-#$cmd -in f.t -inform t -outform d >ff.d2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -verify -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-#echo "d -> t"
-#$cmd -in f.d -inform d -outform t >ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#echo "t -> t"
-#$cmd -in f.t -inform t -outform t >ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in f.p -inform p -outform t >ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> p"
-#$cmd -in f.t -inform t -outform p >ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p f.p
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp fff.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp f.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/trsa b/src/lib/libssl/test/trsa
deleted file mode 100644
index 67b4a98841..0000000000
--- a/src/lib/libssl/test/trsa
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/bin/sh
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
-  echo skipping rsa conversion test
-  exit 0
-fi
-cmd='../util/shlib_wrap.sh ../apps/openssl rsa'
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=testrsa.pem
-fi
-echo testing rsa conversions
-cp $t fff.p
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in fff.p -inform p -outform t >f.t
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-echo "d -> d"
-$cmd -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> d"
-#$cmd -in f.t -inform t -outform d >ff.d2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-#echo "d -> t"
-#$cmd -in f.d -inform d -outform t >ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#echo "t -> t"
-#$cmd -in f.t -inform t -outform t >ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in f.p -inform p -outform t >ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> p"
-#$cmd -in f.t -inform t -outform p >ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p f.p
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp fff.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp f.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/tsid b/src/lib/libssl/test/tsid
deleted file mode 100644
index fb4a7213b9..0000000000
--- a/src/lib/libssl/test/tsid
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/sh
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-cmd='../util/shlib_wrap.sh ../apps/openssl sess_id'
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=testsid.pem
-fi
-echo testing session-id conversions
-cp $t fff.p
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in fff.p -inform p -outform t >f.t
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-echo "d -> d"
-$cmd -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> d"
-#$cmd -in f.t -inform t -outform d >ff.d2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-#echo "d -> t"
-#$cmd -in f.d -inform d -outform t >ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#echo "t -> t"
-#$cmd -in f.t -inform t -outform t >ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in f.p -inform p -outform t >ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> p"
-#$cmd -in f.t -inform t -outform p >ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p f.p
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp fff.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp f.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/tx509 b/src/lib/libssl/test/tx509
deleted file mode 100644
index 1b9c8661f3..0000000000
--- a/src/lib/libssl/test/tx509
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/sh
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-cmd='../util/shlib_wrap.sh ../apps/openssl x509'
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=testx509.pem
-fi
-echo testing X509 conversions
-cp $t fff.p
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> n"
-$cmd -in fff.p -inform p -outform n >f.n
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-echo "d -> d"
-$cmd -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-echo "n -> d"
-$cmd -in f.n -inform n -outform d >ff.d2
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-echo "d -> n"
-$cmd -in f.d -inform d -outform n >ff.n1
-if [ $? != 0 ]; then exit 1; fi
-echo "n -> n"
-$cmd -in f.n -inform n -outform n >ff.n2
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> n"
-$cmd -in f.p -inform p -outform n >ff.n3
-if [ $? != 0 ]; then exit 1; fi
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-echo "n -> p"
-$cmd -in f.n -inform n -outform p >ff.p2
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p f.p
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p2
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-cmp f.n ff.n1
-if [ $? != 0 ]; then exit 1; fi
-cmp f.n ff.n2
-if [ $? != 0 ]; then exit 1; fi
-cmp f.n ff.n3
-if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p2
-if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/v3-cert1.pem b/src/lib/libssl/test/v3-cert1.pem
deleted file mode 100644
index 0da253d5c3..0000000000
--- a/src/lib/libssl/test/v3-cert1.pem
+++ /dev/null
@@ -1,16 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIICjTCCAfigAwIBAgIEMaYgRzALBgkqhkiG9w0BAQQwRTELMAkGA1UEBhMCVVMx
-NjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlz
-dHJhdGlvbjAmFxE5NjA1MjgxMzQ5MDUrMDgwMBcROTgwNTI4MTM0OTA1KzA4MDAw
-ZzELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu
-ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEgMAkGA1UEBRMCMTYwEwYDVQQDEwxTdGV2
-ZSBTY2hvY2gwWDALBgkqhkiG9w0BAQEDSQAwRgJBALrAwyYdgxmzNP/ts0Uyf6Bp
-miJYktU/w4NG67ULaN4B5CnEz7k57s9o3YY3LecETgQ5iQHmkwlYDTL2fTgVfw0C
-AQOjgaswgagwZAYDVR0ZAQH/BFowWDBWMFQxCzAJBgNVBAYTAlVTMTYwNAYDVQQK
-Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x
-DTALBgNVBAMTBENSTDEwFwYDVR0BAQH/BA0wC4AJODMyOTcwODEwMBgGA1UdAgQR
-MA8ECTgzMjk3MDgyM4ACBSAwDQYDVR0KBAYwBAMCBkAwCwYJKoZIhvcNAQEEA4GB
-AH2y1VCEw/A4zaXzSYZJTTUi3uawbbFiS2yxHvgf28+8Js0OHXk1H1w2d6qOHH21
-X82tZXd/0JtG0g1T9usFFBDvYK8O0ebgz/P5ELJnBL2+atObEuJy1ZZ0pBDWINR3
-WkDNLCGiTkCKp0F5EWIrVDwh54NNevkCQRZita+z4IBO
-----END CERTIFICATE-----
diff --git a/src/lib/libssl/test/v3-cert2.pem b/src/lib/libssl/test/v3-cert2.pem
deleted file mode 100644
index de0723ff8d..0000000000
--- a/src/lib/libssl/test/v3-cert2.pem
+++ /dev/null
@@ -1,16 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIEMeZfHzANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJD
-YTEPMA0GA1UEBxMGTmVwZWFuMR4wHAYDVQQLExVObyBMaWFiaWxpdHkgQWNjZXB0
-ZWQxHzAdBgNVBAoTFkZvciBEZW1vIFB1cnBvc2VzIE9ubHkxHDAaBgNVBAMTE0Vu
-dHJ1c3QgRGVtbyBXZWIgQ0EwHhcNOTYwNzEyMTQyMDE1WhcNOTYxMDEyMTQyMDE1
-WjB0MSQwIgYJKoZIhvcNAQkBExVjb29rZUBpc3NsLmF0bC5ocC5jb20xCzAJBgNV
-BAYTAlVTMScwJQYDVQQLEx5IZXdsZXR0IFBhY2thcmQgQ29tcGFueSAoSVNTTCkx
-FjAUBgNVBAMTDVBhdWwgQS4gQ29va2UwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
-6ceSq9a9AU6g+zBwaL/yVmW1/9EE8s5you1mgjHnj0wAILuoB3L6rm6jmFRy7QZT
-G43IhVZdDua4e+5/n1ZslwIDAQABo2MwYTARBglghkgBhvhCAQEEBAMCB4AwTAYJ
-YIZIAYb4QgENBD8WPVRoaXMgY2VydGlmaWNhdGUgaXMgb25seSBpbnRlbmRlZCBm
-b3IgZGVtb25zdHJhdGlvbiBwdXJwb3Nlcy4wDQYJKoZIhvcNAQEEBQADgYEAi8qc
-F3zfFqy1sV8NhjwLVwOKuSfhR/Z8mbIEUeSTlnH3QbYt3HWZQ+vXI8mvtZoBc2Fz
-lexKeIkAZXCesqGbs6z6nCt16P6tmdfbZF3I3AWzLquPcOXjPf4HgstkyvVBn0Ap
-jAFN418KF/Cx4qyHB4cjdvLrRjjQLnb2+ibo7QU=
-----END CERTIFICATE-----
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h
deleted file mode 100644
index 38838ea9a5..0000000000
--- a/src/lib/libssl/tls1.h
+++ /dev/null
@@ -1,195 +0,0 @@
-/* ssl/tls1.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#ifndef HEADER_TLS1_H 
-#define HEADER_TLS1_H 
-#include <openssl/buffer.h>
-#ifdef  __cplusplus
-extern "C" {
-#endif
-#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES    1
-#define TLS1_VERSION                    0x0301
-#define TLS1_VERSION_MAJOR              0x03
-#define TLS1_VERSION_MINOR              0x01
-#define TLS1_AD_DECRYPTION_FAILED       21
-#define TLS1_AD_RECORD_OVERFLOW         22
-#define TLS1_AD_UNKNOWN_CA              48      /* fatal */
-#define TLS1_AD_ACCESS_DENIED           49      /* fatal */
-#define TLS1_AD_DECODE_ERROR            50      /* fatal */
-#define TLS1_AD_DECRYPT_ERROR           51
-#define TLS1_AD_EXPORT_RESTRICTION      60      /* fatal */
-#define TLS1_AD_PROTOCOL_VERSION        70      /* fatal */
-#define TLS1_AD_INSUFFICIENT_SECURITY   71      /* fatal */
-#define TLS1_AD_INTERNAL_ERROR          80      /* fatal */
-#define TLS1_AD_USER_CANCELLED          90
-#define TLS1_AD_NO_RENEGOTIATION        100
-/* Additional TLS ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt
- * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see
- * s3_lib.c).  We actually treat them like SSL 3.0 ciphers, which we probably
- * shouldn't. */
-#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5          0x03000060
-#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5      0x03000061
-#define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA         0x03000062
-#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA     0x03000063
-#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA          0x03000064
-#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA      0x03000065
-#define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA                0x03000066
-/* AES ciphersuites from RFC3268 */
-#define TLS1_CK_RSA_WITH_AES_128_SHA                    0x0300002F
-#define TLS1_CK_DH_DSS_WITH_AES_128_SHA                 0x03000030
-#define TLS1_CK_DH_RSA_WITH_AES_128_SHA                 0x03000031
-#define TLS1_CK_DHE_DSS_WITH_AES_128_SHA                0x03000032
-#define TLS1_CK_DHE_RSA_WITH_AES_128_SHA                0x03000033
-#define TLS1_CK_ADH_WITH_AES_128_SHA                    0x03000034
-#define TLS1_CK_RSA_WITH_AES_256_SHA                    0x03000035
-#define TLS1_CK_DH_DSS_WITH_AES_256_SHA                 0x03000036
-#define TLS1_CK_DH_RSA_WITH_AES_256_SHA                 0x03000037
-#define TLS1_CK_DHE_DSS_WITH_AES_256_SHA                0x03000038
-#define TLS1_CK_DHE_RSA_WITH_AES_256_SHA                0x03000039
-#define TLS1_CK_ADH_WITH_AES_256_SHA                    0x0300003A
-/* XXX
- * Inconsistency alert:
- * The OpenSSL names of ciphers with ephemeral DH here include the string
- * "DHE", while elsewhere it has always been "EDH".
- * (The alias for the list of all such ciphers also is "EDH".)
- * The specifications speak of "EDH"; maybe we should allow both forms
- * for everything. */
-#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5         "EXP1024-RC4-MD5"
-#define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5     "EXP1024-RC2-CBC-MD5"
-#define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA        "EXP1024-DES-CBC-SHA"
-#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA    "EXP1024-DHE-DSS-DES-CBC-SHA"
-#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA         "EXP1024-RC4-SHA"
-#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA     "EXP1024-DHE-DSS-RC4-SHA"
-#define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA               "DHE-DSS-RC4-SHA"
-/* AES ciphersuites from RFC3268 */
-#define TLS1_TXT_RSA_WITH_AES_128_SHA                   "AES128-SHA"
-#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA                "DH-DSS-AES128-SHA"
-#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA                "DH-RSA-AES128-SHA"
-#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA               "DHE-DSS-AES128-SHA"
-#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA               "DHE-RSA-AES128-SHA"
-#define TLS1_TXT_ADH_WITH_AES_128_SHA                   "ADH-AES128-SHA"
-#define TLS1_TXT_RSA_WITH_AES_256_SHA                   "AES256-SHA"
-#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA                "DH-DSS-AES256-SHA"
-#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA                "DH-RSA-AES256-SHA"
-#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA               "DHE-DSS-AES256-SHA"
-#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA               "DHE-RSA-AES256-SHA"
-#define TLS1_TXT_ADH_WITH_AES_256_SHA                   "ADH-AES256-SHA"
-#define TLS_CT_RSA_SIGN                 1
-#define TLS_CT_DSS_SIGN                 2
-#define TLS_CT_RSA_FIXED_DH             3
-#define TLS_CT_DSS_FIXED_DH             4
-#define TLS_CT_NUMBER                   4
-#define TLS1_FINISH_MAC_LENGTH          12
-#define TLS_MD_MAX_CONST_SIZE                   20
-#define TLS_MD_CLIENT_FINISH_CONST              "client finished"
-#define TLS_MD_CLIENT_FINISH_CONST_SIZE         15
-#define TLS_MD_SERVER_FINISH_CONST              "server finished"
-#define TLS_MD_SERVER_FINISH_CONST_SIZE         15
-#define TLS_MD_SERVER_WRITE_KEY_CONST           "server write key"
-#define TLS_MD_SERVER_WRITE_KEY_CONST_SIZE      16
-#define TLS_MD_KEY_EXPANSION_CONST              "key expansion"
-#define TLS_MD_KEY_EXPANSION_CONST_SIZE         13
-#define TLS_MD_CLIENT_WRITE_KEY_CONST           "client write key"
-#define TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE      16
-#define TLS_MD_SERVER_WRITE_KEY_CONST           "server write key"
-#define TLS_MD_SERVER_WRITE_KEY_CONST_SIZE      16
-#define TLS_MD_IV_BLOCK_CONST                   "IV block"
-#define TLS_MD_IV_BLOCK_CONST_SIZE              8
-#define TLS_MD_MASTER_SECRET_CONST              "master secret"
-#define TLS_MD_MASTER_SECRET_CONST_SIZE         13
-#ifdef CHARSET_EBCDIC
-#undef TLS_MD_CLIENT_FINISH_CONST
-#define TLS_MD_CLIENT_FINISH_CONST    "\x63\x6c\x69\x65\x6e\x74\x20\x66\x69\x6e\x69\x73\x68\x65\x64"  /*client finished*/
-#undef TLS_MD_SERVER_FINISH_CONST
-#define TLS_MD_SERVER_FINISH_CONST    "\x73\x65\x72\x76\x65\x72\x20\x66\x69\x6e\x69\x73\x68\x65\x64"  /*server finished*/
-#undef TLS_MD_SERVER_WRITE_KEY_CONST
-#define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"  /*server write key*/
-#undef TLS_MD_KEY_EXPANSION_CONST
-#define TLS_MD_KEY_EXPANSION_CONST    "\x6b\x65\x79\x20\x65\x78\x70\x61\x6e\x73\x69\x6f\x6e"  /*key expansion*/
-#undef TLS_MD_CLIENT_WRITE_KEY_CONST
-#define TLS_MD_CLIENT_WRITE_KEY_CONST "\x63\x6c\x69\x65\x6e\x74\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"  /*client write key*/
-#undef TLS_MD_SERVER_WRITE_KEY_CONST
-#define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"  /*server write key*/
-#undef TLS_MD_IV_BLOCK_CONST
-#define TLS_MD_IV_BLOCK_CONST         "\x49\x56\x20\x62\x6c\x6f\x63\x6b"  /*IV block*/
-#undef TLS_MD_MASTER_SECRET_CONST
-#define TLS_MD_MASTER_SECRET_CONST    "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"  /*master secret*/
-#endif
-#ifdef  __cplusplus
-}
-#endif
-#endif