Vendor import of OpenSSL 0.9.8b

915 files changed, 98999 insertions, 20663 deletions

diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index 048349e502ee..ce9de568caac 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES
@@ -2,6 +2,1058 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.8a and 0.9.8b  [04 May 2006]
+
+  *) When applying a cipher rule check to see if string match is an explicit
+     cipher suite and only match that one cipher suite if it is.
+     [Steve Henson]
+
+  *) Link in manifests for VC++ if needed.
+     [Austin Ziegler <halostatue@gmail.com>]
+
+  *) Update support for ECC-based TLS ciphersuites according to
+     draft-ietf-tls-ecc-12.txt with proposed changes (but without
+     TLS extensions, which are supported starting with the 0.9.9
+     branch, not in the OpenSSL 0.9.8 branch).
+     [Douglas Stebila]
+
+  *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
+     opaque EVP_CIPHER_CTX handling.
+     [Steve Henson]
+
+  *) Fixes and enhancements to zlib compression code. We now only use
+     "zlib1.dll" and use the default __cdecl calling convention on Win32
+     to conform with the standards mentioned here:
+           http://www.zlib.net/DLL_FAQ.txt
+     Static zlib linking now works on Windows and the new --with-zlib-include
+     --with-zlib-lib options to Configure can be used to supply the location
+     of the headers and library. Gracefully handle case where zlib library
+     can't be loaded.
+     [Steve Henson]
+
+  *) Several fixes and enhancements to the OID generation code. The old code
+     sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
+     handle numbers larger than ULONG_MAX, truncated printing and had a
+     non standard OBJ_obj2txt() behaviour.
+     [Steve Henson]
+
+  *) Add support for building of engines under engine/ as shared libraries
+     under VC++ build system.
+     [Steve Henson]
+
+  *) Corrected the numerous bugs in the Win32 path splitter in DSO.
+     Hopefully, we will not see any false combination of paths any more.
+     [Richard Levitte]
+
+ Changes between 0.9.8 and 0.9.8a  [11 Oct 2005]
+
+  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
+     (part of SSL_OP_ALL).  This option used to disable the
+     countermeasure against man-in-the-middle protocol-version
+     rollback in the SSL 2.0 server implementation, which is a bad
+     idea.  (CVE-2005-2969)
+
+     [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
+     for Information Security, National Institute of Advanced Industrial
+     Science and Technology [AIST], Japan)]
+
+  *) Add two function to clear and return the verify parameter flags.
+     [Steve Henson]
+
+  *) Keep cipherlists sorted in the source instead of sorting them at
+     runtime, thus removing the need for a lock.
+     [Nils Larsch]
+
+  *) Avoid some small subgroup attacks in Diffie-Hellman.
+     [Nick Mathewson and Ben Laurie]
+
+  *) Add functions for well-known primes.
+     [Nick Mathewson]
+
+  *) Extended Windows CE support.
+     [Satoshi Nakamura and Andy Polyakov]
+
+  *) Initialize SSL_METHOD structures at compile time instead of during
+     runtime, thus removing the need for a lock.
+     [Steve Henson]
+
+  *) Make PKCS7_decrypt() work even if no certificate is supplied by
+     attempting to decrypt each encrypted key in turn. Add support to
+     smime utility.
+     [Steve Henson]
+
+ Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
+
+  *) Add libcrypto.pc and libssl.pc for those who feel they need them.
+     [Richard Levitte]
+
+  *) Change CA.sh and CA.pl so they don't bundle the CSR and the private
+     key into the same file any more.
+     [Richard Levitte]
+
+  *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
+     [Andy Polyakov]
+
+  *) Add -utf8 command line and config file option to 'ca'.
+     [Stefan <stf@udoma.org]
+
+  *) Removed the macro des_crypt(), as it seems to conflict with some
+     libraries.  Use DES_crypt().
+     [Richard Levitte]
+
+  *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
+     involves renaming the source and generated shared-libs for
+     both. The engines will accept the corrected or legacy ids
+     ('ncipher' and '4758_cca' respectively) when binding. NB,
+     this only applies when building 'shared'.
+     [Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe]
+
+  *) Add attribute functions to EVP_PKEY structure. Modify
+     PKCS12_create() to recognize a CSP name attribute and
+     use it. Make -CSP option work again in pkcs12 utility.
+     [Steve Henson]
+
+  *) Add new functionality to the bn blinding code:
+     - automatic re-creation of the BN_BLINDING parameters after
+       a fixed number of uses (currently 32)
+     - add new function for parameter creation
+     - introduce flags to control the update behaviour of the
+       BN_BLINDING parameters
+     - hide BN_BLINDING structure
+     Add a second BN_BLINDING slot to the RSA structure to improve
+     performance when a single RSA object is shared among several
+     threads.
+     [Nils Larsch]
+
+  *) Add support for DTLS.
+     [Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie]
+
+  *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
+     to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
+     [Walter Goulet]
+
+  *) Remove buggy and incompletet DH cert support from
+     ssl/ssl_rsa.c and ssl/s3_both.c
+     [Nils Larsch]
+
+  *) Use SHA-1 instead of MD5 as the default digest algorithm for
+     the apps/openssl applications.
+     [Nils Larsch]
+
+  *) Compile clean with "-Wall -Wmissing-prototypes
+     -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
+     DEBUG_SAFESTACK must also be set.
+     [Ben Laurie]
+
+  *) Change ./Configure so that certain algorithms can be disabled by default.
+     The new counterpiece to "no-xxx" is "enable-xxx".
+
+     The patented RC5 and MDC2 algorithms will now be disabled unless
+     "enable-rc5" and "enable-mdc2", respectively, are specified.
+
+     (IDEA remains enabled despite being patented.  This is because IDEA
+     is frequently required for interoperability, and there is no license
+     fee for non-commercial use.  As before, "no-idea" can be used to
+     avoid this algorithm.)
+
+     [Bodo Moeller]
+
+  *) Add processing of proxy certificates (see RFC 3820).  This work was
+     sponsored by KTH (The Royal Institute of Technology in Stockholm) and
+     EGEE (Enabling Grids for E-science in Europe).
+     [Richard Levitte]
+
+  *) RC4 performance overhaul on modern architectures/implementations, such
+     as Intel P4, IA-64 and AMD64.
+     [Andy Polyakov]
+
+  *) New utility extract-section.pl. This can be used specify an alternative
+     section number in a pod file instead of having to treat each file as
+     a separate case in Makefile. This can be done by adding two lines to the
+     pod file:
+
+     =for comment openssl_section:XXX
+
+     The blank line is mandatory.
+
+     [Steve Henson]
+
+  *) New arguments -certform, -keyform and -pass for s_client and s_server
+     to allow alternative format key and certificate files and passphrase
+     sources.
+     [Steve Henson]
+
+  *) New structure X509_VERIFY_PARAM which combines current verify parameters,
+     update associated structures and add various utility functions.
+
+     Add new policy related verify parameters, include policy checking in 
+     standard verify code. Enhance 'smime' application with extra parameters
+     to support policy checking and print out.
+     [Steve Henson]
+
+  *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
+     Nehemiah processors. These extensions support AES encryption in hardware
+     as well as RNG (though RNG support is currently disabled).
+     [Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov]
+
+  *) Deprecate BN_[get|set]_params() functions (they were ignored internally).
+     [Geoff Thorpe]
+
+  *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
+     [Andy Polyakov and a number of other people]
+
+  *) Improved PowerPC platform support. Most notably BIGNUM assembler
+     implementation contributed by IBM.
+     [Suresh Chari, Peter Waltenberg, Andy Polyakov]
+
+  *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
+     exponent rather than 'unsigned long'. There is a corresponding change to
+     the new 'rsa_keygen' element of the RSA_METHOD structure.
+     [Jelte Jansen, Geoff Thorpe]
+
+  *) Functionality for creating the initial serial number file is now
+     moved from CA.pl to the 'ca' utility with a new option -create_serial.
+
+     (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
+     number file to 1, which is bound to cause problems.  To avoid
+     the problems while respecting compatibility between different 0.9.7
+     patchlevels, 0.9.7e  employed 'openssl x509 -next_serial' in
+     CA.pl for serial number initialization.  With the new release 0.9.8,
+     we can fix the problem directly in the 'ca' utility.)
+     [Steve Henson]
+
+  *) Reduced header interdepencies by declaring more opaque objects in
+     ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
+     give fewer recursive includes, which could break lazy source code - so
+     this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
+     developers should define this symbol when building and using openssl to
+     ensure they track the recommended behaviour, interfaces, [etc], but
+     backwards-compatible behaviour prevails when this isn't defined.
+     [Geoff Thorpe]
+
+  *) New function X509_POLICY_NODE_print() which prints out policy nodes.
+     [Steve Henson]
+
+  *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
+     This will generate a random key of the appropriate length based on the 
+     cipher context. The EVP_CIPHER can provide its own random key generation
+     routine to support keys of a specific form. This is used in the des and 
+     3des routines to generate a key of the correct parity. Update S/MIME
+     code to use new functions and hence generate correct parity DES keys.
+     Add EVP_CHECK_DES_KEY #define to return an error if the key is not 
+     valid (weak or incorrect parity).
+     [Steve Henson]
+
+  *) Add a local set of CRLs that can be used by X509_verify_cert() as well
+     as looking them up. This is useful when the verified structure may contain
+     CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
+     present unless the new PKCS7_NO_CRL flag is asserted.
+     [Steve Henson]
+
+  *) Extend ASN1 oid configuration module. It now additionally accepts the
+     syntax:
+
+     shortName = some long name, 1.2.3.4
+     [Steve Henson]
+
+  *) Reimplemented the BN_CTX implementation. There is now no more static
+     limitation on the number of variables it can handle nor the depth of the
+     "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
+     information can now expand as required, and rather than having a single
+     static array of bignums, BN_CTX now uses a linked-list of such arrays
+     allowing it to expand on demand whilst maintaining the usefulness of
+     BN_CTX's "bundling".
+     [Geoff Thorpe]
+
+  *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
+     to allow all RSA operations to function using a single BN_CTX.
+     [Geoff Thorpe]
+
+  *) Preliminary support for certificate policy evaluation and checking. This
+     is initially intended to pass the tests outlined in "Conformance Testing
+     of Relying Party Client Certificate Path Processing Logic" v1.07.
+     [Steve Henson]
+
+  *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
+     remained unused and not that useful. A variety of other little bignum
+     tweaks and fixes have also been made continuing on from the audit (see
+     below).
+     [Geoff Thorpe]
+
+  *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
+     associated ASN1, EVP and SSL functions and old ASN1 macros.
+     [Richard Levitte]
+
+  *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
+     and this should never fail. So the return value from the use of
+     BN_set_word() (which can fail due to needless expansion) is now deprecated;
+     if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
+     [Geoff Thorpe]
+
+  *) BN_CTX_get() should return zero-valued bignums, providing the same
+     initialised value as BN_new().
+     [Geoff Thorpe, suggested by Ulf Möller]
+
+  *) Support for inhibitAnyPolicy certificate extension.
+     [Steve Henson]
+
+  *) An audit of the BIGNUM code is underway, for which debugging code is
+     enabled when BN_DEBUG is defined. This makes stricter enforcements on what
+     is considered valid when processing BIGNUMs, and causes execution to
+     assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
+     further steps are taken to deliberately pollute unused data in BIGNUM
+     structures to try and expose faulty code further on. For now, openssl will
+     (in its default mode of operation) continue to tolerate the inconsistent
+     forms that it has tolerated in the past, but authors and packagers should
+     consider trying openssl and their own applications when compiled with
+     these debugging symbols defined. It will help highlight potential bugs in
+     their own code, and will improve the test coverage for OpenSSL itself. At
+     some point, these tighter rules will become openssl's default to improve
+     maintainability, though the assert()s and other overheads will remain only
+     in debugging configurations. See bn.h for more details.
+     [Geoff Thorpe, Nils Larsch, Ulf Möller]
+
+  *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
+     that can only be obtained through BN_CTX_new() (which implicitly
+     initialises it). The presence of this function only made it possible
+     to overwrite an existing structure (and cause memory leaks).
+     [Geoff Thorpe]
+
+  *) Because of the callback-based approach for implementing LHASH as a
+     template type, lh_insert() adds opaque objects to hash-tables and
+     lh_doall() or lh_doall_arg() are typically used with a destructor callback
+     to clean up those corresponding objects before destroying the hash table
+     (and losing the object pointers). So some over-zealous constifications in
+     LHASH have been relaxed so that lh_insert() does not take (nor store) the
+     objects as "const" and the lh_doall[_arg] callback wrappers are not
+     prototyped to have "const" restrictions on the object pointers they are
+     given (and so aren't required to cast them away any more).
+     [Geoff Thorpe]
+
+  *) The tmdiff.h API was so ugly and minimal that our own timing utility
+     (speed) prefers to use its own implementation. The two implementations
+     haven't been consolidated as yet (volunteers?) but the tmdiff API has had
+     its object type properly exposed (MS_TM) instead of casting to/from "char
+     *". This may still change yet if someone realises MS_TM and "ms_time_***"
+     aren't necessarily the greatest nomenclatures - but this is what was used
+     internally to the implementation so I've used that for now.
+     [Geoff Thorpe]
+
+  *) Ensure that deprecated functions do not get compiled when
+     OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
+     the self-tests were still using deprecated key-generation functions so
+     these have been updated also.
+     [Geoff Thorpe]
+
+  *) Reorganise PKCS#7 code to separate the digest location functionality
+     into PKCS7_find_digest(), digest addtion into PKCS7_bio_add_digest().
+     New function PKCS7_set_digest() to set the digest type for PKCS#7
+     digestedData type. Add additional code to correctly generate the
+     digestedData type and add support for this type in PKCS7 initialization
+     functions.
+     [Steve Henson]
+
+  *) New function PKCS7_set0_type_other() this initializes a PKCS7 
+     structure of type "other".
+     [Steve Henson]
+
+  *) Fix prime generation loop in crypto/bn/bn_prime.pl by making
+     sure the loop does correctly stop and breaking ("division by zero")
+     modulus operations are not performed. The (pre-generated) prime
+     table crypto/bn/bn_prime.h was already correct, but it could not be
+     re-generated on some platforms because of the "division by zero"
+     situation in the script.
+     [Ralf S. Engelschall]
+
+  *) Update support for ECC-based TLS ciphersuites according to
+     draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
+     SHA-1 now is only used for "small" curves (where the
+     representation of a field element takes up to 24 bytes); for
+     larger curves, the field element resulting from ECDH is directly
+     used as premaster secret.
+     [Douglas Stebila (Sun Microsystems Laboratories)]
+
+  *) Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
+     curve secp160r1 to the tests.
+     [Douglas Stebila (Sun Microsystems Laboratories)]
+
+  *) Add the possibility to load symbols globally with DSO.
+     [Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte]
+
+  *) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
+     control of the error stack.
+     [Richard Levitte]
+
+  *) Add support for STORE in ENGINE.
+     [Richard Levitte]
+
+  *) Add the STORE type.  The intention is to provide a common interface
+     to certificate and key stores, be they simple file-based stores, or
+     HSM-type store, or LDAP stores, or...
+     NOTE: The code is currently UNTESTED and isn't really used anywhere.
+     [Richard Levitte]
+
+  *) Add a generic structure called OPENSSL_ITEM.  This can be used to
+     pass a list of arguments to any function as well as provide a way
+     for a function to pass data back to the caller.
+     [Richard Levitte]
+
+  *) Add the functions BUF_strndup() and BUF_memdup().  BUF_strndup()
+     works like BUF_strdup() but can be used to duplicate a portion of
+     a string.  The copy gets NUL-terminated.  BUF_memdup() duplicates
+     a memory area.
+     [Richard Levitte]
+
+  *) Add the function sk_find_ex() which works like sk_find(), but will
+     return an index to an element even if an exact match couldn't be
+     found.  The index is guaranteed to point at the element where the
+     searched-for key would be inserted to preserve sorting order.
+     [Richard Levitte]
+
+  *) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but
+     takes an extra flags argument for optional functionality.  Currently,
+     the following flags are defined:
+
+	OBJ_BSEARCH_VALUE_ON_NOMATCH
+	This one gets OBJ_bsearch_ex() to return a pointer to the first
+	element where the comparing function returns a negative or zero
+	number.
+
+	OBJ_BSEARCH_FIRST_VALUE_ON_MATCH
+	This one gets OBJ_bsearch_ex() to return a pointer to the first
+	element where the comparing function returns zero.  This is useful
+	if there are more than one element where the comparing function
+	returns zero.
+     [Richard Levitte]
+
+  *) Make it possible to create self-signed certificates with 'openssl ca'
+     in such a way that the self-signed certificate becomes part of the
+     CA database and uses the same mechanisms for serial number generation
+     as all other certificate signing.  The new flag '-selfsign' enables
+     this functionality.  Adapt CA.sh and CA.pl.in.
+     [Richard Levitte]
+
+  *) Add functionality to check the public key of a certificate request
+     against a given private.  This is useful to check that a certificate
+     request can be signed by that key (self-signing).
+     [Richard Levitte]
+
+  *) Make it possible to have multiple active certificates with the same
+     subject in the CA index file.  This is done only if the keyword
+     'unique_subject' is set to 'no' in the main CA section (default
+     if 'CA_default') of the configuration file.  The value is saved
+     with the database itself in a separate index attribute file,
+     named like the index file with '.attr' appended to the name.
+     [Richard Levitte]
+
+  *) Generate muti valued AVAs using '+' notation in config files for
+     req and dirName.
+     [Steve Henson]
+
+  *) Support for nameConstraints certificate extension.
+     [Steve Henson]
+
+  *) Support for policyConstraints certificate extension.
+     [Steve Henson]
+
+  *) Support for policyMappings certificate extension.
+     [Steve Henson]
+
+  *) Make sure the default DSA_METHOD implementation only uses its
+     dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
+     and change its own handlers to be NULL so as to remove unnecessary
+     indirection. This lets alternative implementations fallback to the
+     default implementation more easily.
+     [Geoff Thorpe]
+
+  *) Support for directoryName in GeneralName related extensions
+     in config files.
+     [Steve Henson]
+
+  *) Make it possible to link applications using Makefile.shared.
+     Make that possible even when linking against static libraries!
+     [Richard Levitte]
+
+  *) Support for single pass processing for S/MIME signing. This now
+     means that S/MIME signing can be done from a pipe, in addition
+     cleartext signing (multipart/signed type) is effectively streaming
+     and the signed data does not need to be all held in memory.
+
+     This is done with a new flag PKCS7_STREAM. When this flag is set
+     PKCS7_sign() only initializes the PKCS7 structure and the actual signing
+     is done after the data is output (and digests calculated) in
+     SMIME_write_PKCS7().
+     [Steve Henson]
+
+  *) Add full support for -rpath/-R, both in shared libraries and
+     applications, at least on the platforms where it's known how
+     to do it.
+     [Richard Levitte]
+
+  *) In crypto/ec/ec_mult.c, implement fast point multiplication with
+     precomputation, based on wNAF splitting: EC_GROUP_precompute_mult()
+     will now compute a table of multiples of the generator that
+     makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul()
+     faster (notably in the case of a single point multiplication,
+     scalar * generator).
+     [Nils Larsch, Bodo Moeller]
+
+  *) IPv6 support for certificate extensions. The various extensions
+     which use the IP:a.b.c.d can now take IPv6 addresses using the
+     formats of RFC1884 2.2 . IPv6 addresses are now also displayed
+     correctly.
+     [Steve Henson]
+
+  *) Added an ENGINE that implements RSA by performing private key
+     exponentiations with the GMP library. The conversions to and from
+     GMP's mpz_t format aren't optimised nor are any montgomery forms
+     cached, and on x86 it appears OpenSSL's own performance has caught up.
+     However there are likely to be other architectures where GMP could
+     provide a boost. This ENGINE is not built in by default, but it can be
+     specified at Configure time and should be accompanied by the necessary
+     linker additions, eg;
+         ./config -DOPENSSL_USE_GMP -lgmp
+     [Geoff Thorpe]
+
+  *) "openssl engine" will not display ENGINE/DSO load failure errors when
+     testing availability of engines with "-t" - the old behaviour is
+     produced by increasing the feature's verbosity with "-tt".
+     [Geoff Thorpe]
+
+  *) ECDSA routines: under certain error conditions uninitialized BN objects
+     could be freed. Solution: make sure initialization is performed early
+     enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de>
+     via PR#459)
+     [Lutz Jaenicke]
+
+  *) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
+     and DH_METHOD (eg. by ENGINE implementations) to override the normal
+     software implementations. For DSA and DH, parameter generation can
+     also be overriden by providing the appropriate method callbacks.
+     [Geoff Thorpe]
+
+  *) Change the "progress" mechanism used in key-generation and
+     primality testing to functions that take a new BN_GENCB pointer in
+     place of callback/argument pairs. The new API functions have "_ex"
+     postfixes and the older functions are reimplemented as wrappers for
+     the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
+     declarations of the old functions to help (graceful) attempts to
+     migrate to the new functions. Also, the new key-generation API
+     functions operate on a caller-supplied key-structure and return
+     success/failure rather than returning a key or NULL - this is to
+     help make "keygen" another member function of RSA_METHOD etc.
+
+     Example for using the new callback interface:
+
+          int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
+          void *my_arg = ...;
+          BN_GENCB my_cb;
+
+          BN_GENCB_set(&my_cb, my_callback, my_arg);
+
+          return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &cb);
+          /* For the meaning of a, b in calls to my_callback(), see the
+           * documentation of the function that calls the callback.
+           * cb will point to my_cb; my_arg can be retrieved as cb->arg.
+           * my_callback should return 1 if it wants BN_is_prime_ex()
+           * to continue, or 0 to stop.
+           */
+
+     [Geoff Thorpe]
+
+  *) Change the ZLIB compression method to be stateful, and make it
+     available to TLS with the number defined in 
+     draft-ietf-tls-compression-04.txt.
+     [Richard Levitte]
+
+  *) Add the ASN.1 structures and functions for CertificatePair, which
+     is defined as follows (according to X.509_4thEditionDraftV6.pdf):
+
+     CertificatePair ::= SEQUENCE {
+        forward		[0]	Certificate OPTIONAL,
+        reverse		[1]	Certificate OPTIONAL,
+        -- at least one of the pair shall be present -- }
+
+     Also implement the PEM functions to read and write certificate
+     pairs, and defined the PEM tag as "CERTIFICATE PAIR".
+
+     This needed to be defined, mostly for the sake of the LDAP
+     attribute crossCertificatePair, but may prove useful elsewhere as
+     well.
+     [Richard Levitte]
+
+  *) Make it possible to inhibit symlinking of shared libraries in
+     Makefile.shared, for Cygwin's sake.
+     [Richard Levitte]
+
+  *) Extend the BIGNUM API by creating a function 
+          void BN_set_negative(BIGNUM *a, int neg);
+     and a macro that behave like
+          int  BN_is_negative(const BIGNUM *a);
+
+     to avoid the need to access 'a->neg' directly in applications.
+     [Nils Larsch]
+
+  *) Implement fast modular reduction for pseudo-Mersenne primes
+     used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
+     EC_GROUP_new_curve_GFp() will now automatically use this
+     if applicable.
+     [Nils Larsch <nla@trustcenter.de>]
+
+  *) Add new lock type (CRYPTO_LOCK_BN).
+     [Bodo Moeller]
+
+  *) Change the ENGINE framework to automatically load engines
+     dynamically from specific directories unless they could be
+     found to already be built in or loaded.  Move all the
+     current engines except for the cryptodev one to a new
+     directory engines/.
+     The engines in engines/ are built as shared libraries if
+     the "shared" options was given to ./Configure or ./config.
+     Otherwise, they are inserted in libcrypto.a.
+     /usr/local/ssl/engines is the default directory for dynamic
+     engines, but that can be overriden at configure time through
+     the usual use of --prefix and/or --openssldir, and at run
+     time with the environment variable OPENSSL_ENGINES.
+     [Geoff Thorpe and Richard Levitte]
+
+  *) Add Makefile.shared, a helper makefile to build shared
+     libraries.  Addapt Makefile.org.
+     [Richard Levitte]
+
+  *) Add version info to Win32 DLLs.
+     [Peter 'Luna' Runestig" <peter@runestig.com>]
+
+  *) Add new 'medium level' PKCS#12 API. Certificates and keys
+     can be added using this API to created arbitrary PKCS#12
+     files while avoiding the low level API.
+
+     New options to PKCS12_create(), key or cert can be NULL and
+     will then be omitted from the output file. The encryption
+     algorithm NIDs can be set to -1 for no encryption, the mac
+     iteration count can be set to 0 to omit the mac.
+
+     Enhance pkcs12 utility by making the -nokeys and -nocerts
+     options work when creating a PKCS#12 file. New option -nomac
+     to omit the mac, NONE can be set for an encryption algorithm.
+     New code is modified to use the enhanced PKCS12_create()
+     instead of the low level API.
+     [Steve Henson]
+
+  *) Extend ASN1 encoder to support indefinite length constructed
+     encoding. This can output sequences tags and octet strings in
+     this form. Modify pk7_asn1.c to support indefinite length
+     encoding. This is experimental and needs additional code to
+     be useful, such as an ASN1 bio and some enhanced streaming
+     PKCS#7 code.
+
+     Extend template encode functionality so that tagging is passed
+     down to the template encoder.
+     [Steve Henson]
+
+  *) Let 'openssl req' fail if an argument to '-newkey' is not
+     recognized instead of using RSA as a default.
+     [Bodo Moeller]
+
+  *) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
+     As these are not official, they are not included in "ALL";
+     the "ECCdraft" ciphersuite group alias can be used to select them.
+     [Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)]
+
+  *) Add ECDH engine support.
+     [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)]
+
+  *) Add ECDH in new directory crypto/ecdh/.
+     [Douglas Stebila (Sun Microsystems Laboratories)]
+
+  *) Let BN_rand_range() abort with an error after 100 iterations
+     without success (which indicates a broken PRNG).
+     [Bodo Moeller]
+
+  *) Change BN_mod_sqrt() so that it verifies that the input value
+     is really the square of the return value.  (Previously,
+     BN_mod_sqrt would show GIGO behaviour.)
+     [Bodo Moeller]
+
+  *) Add named elliptic curves over binary fields from X9.62, SECG,
+     and WAP/WTLS; add OIDs that were still missing.
+
+     [Sheueling Chang Shantz and Douglas Stebila
+     (Sun Microsystems Laboratories)]
+
+  *) Extend the EC library for elliptic curves over binary fields
+     (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
+     New EC_METHOD:
+
+          EC_GF2m_simple_method
+
+     New API functions:
+
+          EC_GROUP_new_curve_GF2m
+          EC_GROUP_set_curve_GF2m
+          EC_GROUP_get_curve_GF2m
+          EC_POINT_set_affine_coordinates_GF2m
+          EC_POINT_get_affine_coordinates_GF2m
+          EC_POINT_set_compressed_coordinates_GF2m
+
+     Point compression for binary fields is disabled by default for
+     patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
+     enable it).
+
+     As binary polynomials are represented as BIGNUMs, various members
+     of the EC_GROUP and EC_POINT data structures can be shared
+     between the implementations for prime fields and binary fields;
+     the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m)
+     are essentially identical to their ..._GFp counterparts.
+     (For simplicity, the '..._GFp' prefix has been dropped from
+     various internal method names.)
+
+     An internal 'field_div' method (similar to 'field_mul' and
+     'field_sqr') has been added; this is used only for binary fields.
+
+     [Sheueling Chang Shantz and Douglas Stebila
+     (Sun Microsystems Laboratories)]
+
+  *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
+     through methods ('mul', 'precompute_mult').
+
+     The generic implementations (now internally called 'ec_wNAF_mul'
+     and 'ec_wNAF_precomputed_mult') remain the default if these
+     methods are undefined.
+
+     [Sheueling Chang Shantz and Douglas Stebila
+     (Sun Microsystems Laboratories)]
+
+  *) New function EC_GROUP_get_degree, which is defined through
+     EC_METHOD.  For curves over prime fields, this returns the bit
+     length of the modulus.
+
+     [Sheueling Chang Shantz and Douglas Stebila
+     (Sun Microsystems Laboratories)]
+
+  *) New functions EC_GROUP_dup, EC_POINT_dup.
+     (These simply call ..._new  and ..._copy).
+
+     [Sheueling Chang Shantz and Douglas Stebila
+     (Sun Microsystems Laboratories)]
+
+  *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
+     Polynomials are represented as BIGNUMs (where the sign bit is not
+     used) in the following functions [macros]:  
+
+          BN_GF2m_add
+          BN_GF2m_sub             [= BN_GF2m_add]
+          BN_GF2m_mod             [wrapper for BN_GF2m_mod_arr]
+          BN_GF2m_mod_mul         [wrapper for BN_GF2m_mod_mul_arr]
+          BN_GF2m_mod_sqr         [wrapper for BN_GF2m_mod_sqr_arr]
+          BN_GF2m_mod_inv
+          BN_GF2m_mod_exp         [wrapper for BN_GF2m_mod_exp_arr]
+          BN_GF2m_mod_sqrt        [wrapper for BN_GF2m_mod_sqrt_arr]
+          BN_GF2m_mod_solve_quad  [wrapper for BN_GF2m_mod_solve_quad_arr]
+          BN_GF2m_cmp             [= BN_ucmp]
+
+     (Note that only the 'mod' functions are actually for fields GF(2^m).
+     BN_GF2m_add() is misnomer, but this is for the sake of consistency.)
+
+     For some functions, an the irreducible polynomial defining a
+     field can be given as an 'unsigned int[]' with strictly
+     decreasing elements giving the indices of those bits that are set;
+     i.e., p[] represents the polynomial
+          f(t) = t^p[0] + t^p[1] + ... + t^p[k]
+     where
+          p[0] > p[1] > ... > p[k] = 0.
+     This applies to the following functions:
+
+          BN_GF2m_mod_arr
+          BN_GF2m_mod_mul_arr
+          BN_GF2m_mod_sqr_arr
+          BN_GF2m_mod_inv_arr        [wrapper for BN_GF2m_mod_inv]
+          BN_GF2m_mod_div_arr        [wrapper for BN_GF2m_mod_div]
+          BN_GF2m_mod_exp_arr
+          BN_GF2m_mod_sqrt_arr
+          BN_GF2m_mod_solve_quad_arr
+          BN_GF2m_poly2arr
+          BN_GF2m_arr2poly
+
+     Conversion can be performed by the following functions:
+
+          BN_GF2m_poly2arr
+          BN_GF2m_arr2poly
+
+     bntest.c has additional tests for binary polynomial arithmetic.
+
+     Two implementations for BN_GF2m_mod_div() are available.
+     The default algorithm simply uses BN_GF2m_mod_inv() and
+     BN_GF2m_mod_mul().  The alternative algorithm is compiled in only
+     if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
+     copyright notice in crypto/bn/bn_gf2m.c before enabling it).
+
+     [Sheueling Chang Shantz and Douglas Stebila
+     (Sun Microsystems Laboratories)]
+
+  *) Add new error code 'ERR_R_DISABLED' that can be used when some
+     functionality is disabled at compile-time.
+     [Douglas Stebila <douglas.stebila@sun.com>]
+
+  *) Change default behaviour of 'openssl asn1parse' so that more
+     information is visible when viewing, e.g., a certificate:
+
+     Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
+     mode the content of non-printable OCTET STRINGs is output in a
+     style similar to INTEGERs, but with '[HEX DUMP]' prepended to
+     avoid the appearance of a printable string.
+     [Nils Larsch <nla@trustcenter.de>]
+
+  *) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
+     functions
+          EC_GROUP_set_asn1_flag()
+          EC_GROUP_get_asn1_flag()
+          EC_GROUP_set_point_conversion_form()
+          EC_GROUP_get_point_conversion_form()
+     These control ASN1 encoding details:
+     - Curves (i.e., groups) are encoded explicitly unless asn1_flag
+       has been set to OPENSSL_EC_NAMED_CURVE.
+     - Points are encoded in uncompressed form by default; options for
+       asn1_for are as for point2oct, namely
+          POINT_CONVERSION_COMPRESSED
+          POINT_CONVERSION_UNCOMPRESSED
+          POINT_CONVERSION_HYBRID
+
+     Also add 'seed' and 'seed_len' members to EC_GROUP with access
+     functions
+          EC_GROUP_set_seed()
+          EC_GROUP_get0_seed()
+          EC_GROUP_get_seed_len()
+     This is used only for ASN1 purposes (so far).
+     [Nils Larsch <nla@trustcenter.de>]
+
+  *) Add 'field_type' member to EC_METHOD, which holds the NID
+     of the appropriate field type OID.  The new function
+     EC_METHOD_get_field_type() returns this value.
+     [Nils Larsch <nla@trustcenter.de>]
+
+  *) Add functions 
+          EC_POINT_point2bn()
+          EC_POINT_bn2point()
+          EC_POINT_point2hex()
+          EC_POINT_hex2point()
+     providing useful interfaces to EC_POINT_point2oct() and
+     EC_POINT_oct2point().
+     [Nils Larsch <nla@trustcenter.de>]
+
+  *) Change internals of the EC library so that the functions
+          EC_GROUP_set_generator()
+          EC_GROUP_get_generator()
+          EC_GROUP_get_order()
+          EC_GROUP_get_cofactor()
+     are implemented directly in crypto/ec/ec_lib.c and not dispatched
+     to methods, which would lead to unnecessary code duplication when
+     adding different types of curves.
+     [Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller]
+
+  *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
+     arithmetic, and such that modified wNAFs are generated
+     (which avoid length expansion in many cases).
+     [Bodo Moeller]
+
+  *) Add a function EC_GROUP_check_discriminant() (defined via
+     EC_METHOD) that verifies that the curve discriminant is non-zero.
+
+     Add a function EC_GROUP_check() that makes some sanity tests
+     on a EC_GROUP, its generator and order.  This includes
+     EC_GROUP_check_discriminant().
+     [Nils Larsch <nla@trustcenter.de>]
+
+  *) Add ECDSA in new directory crypto/ecdsa/.
+
+     Add applications 'openssl ecparam' and 'openssl ecdsa'
+     (these are based on 'openssl dsaparam' and 'openssl dsa').
+
+     ECDSA support is also included in various other files across the
+     library.  Most notably,
+     - 'openssl req' now has a '-newkey ecdsa:file' option;
+     - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
+     - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
+       d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
+       them suitable for ECDSA where domain parameters must be
+       extracted before the specific public key;
+     - ECDSA engine support has been added.
+     [Nils Larsch <nla@trustcenter.de>]
+
+  *) Include some named elliptic curves, and add OIDs from X9.62,
+     SECG, and WAP/WTLS.  Each curve can be obtained from the new
+     function
+          EC_GROUP_new_by_curve_name(),
+     and the list of available named curves can be obtained with
+          EC_get_builtin_curves().
+     Also add a 'curve_name' member to EC_GROUP objects, which can be
+     accessed via
+         EC_GROUP_set_curve_name()
+         EC_GROUP_get_curve_name()
+     [Nils Larsch <larsch@trustcenter.de, Bodo Moeller]
+ 
+  *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
+     was actually never needed) and in BN_mul().  The removal in BN_mul()
+     required a small change in bn_mul_part_recursive() and the addition
+     of the functions bn_cmp_part_words(), bn_sub_part_words() and
+     bn_add_part_words(), which do the same thing as bn_cmp_words(),
+     bn_sub_words() and bn_add_words() except they take arrays with
+     differing sizes.
+     [Richard Levitte]
+
+ Changes between 0.9.7h and 0.9.7i  [14 Oct 2005]
+
+  *) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
+     The value now differs depending on if you build for FIPS or not.
+     BEWARE!  A program linked with a shared FIPSed libcrypto can't be
+     safely run with a non-FIPSed libcrypto, as it may crash because of
+     the difference induced by this change.
+     [Andy Polyakov]
+
+ Changes between 0.9.7g and 0.9.7h  [11 Oct 2005]
+
+  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
+     (part of SSL_OP_ALL).  This option used to disable the
+     countermeasure against man-in-the-middle protocol-version
+     rollback in the SSL 2.0 server implementation, which is a bad
+     idea.  (CVE-2005-2969)
+
+     [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
+     for Information Security, National Institute of Advanced Industrial
+     Science and Technology [AIST], Japan)]
+
+  *) Minimal support for X9.31 signatures and PSS padding modes. This is
+     mainly for FIPS compliance and not fully integrated at this stage.
+     [Steve Henson]
+
+  *) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
+     the exponentiation using a fixed-length exponent.  (Otherwise,
+     the information leaked through timing could expose the secret key
+     after many signatures; cf. Bleichenbacher's attack on DSA with
+     biased k.)
+     [Bodo Moeller]
+
+  *) Make a new fixed-window mod_exp implementation the default for
+     RSA, DSA, and DH private-key operations so that the sequence of
+     squares and multiplies and the memory access pattern are
+     independent of the particular secret key.  This will mitigate
+     cache-timing and potential related attacks.
+
+     BN_mod_exp_mont_consttime() is the new exponentiation implementation,
+     and this is automatically used by BN_mod_exp_mont() if the new flag
+     BN_FLG_EXP_CONSTTIME is set for the exponent.  RSA, DSA, and DH
+     will use this BN flag for private exponents unless the flag
+     RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
+     DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
+
+     [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]
+
+  *) Change the client implementation for SSLv23_method() and
+     SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0
+     Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
+     (Previously, the SSL 2.0 backwards compatible Client Hello
+     message format would be used even with SSL_OP_NO_SSLv2.)
+     [Bodo Moeller]
+
+  *) Add support for smime-type MIME parameter in S/MIME messages which some
+     clients need.
+     [Steve Henson]
+
+  *) New function BN_MONT_CTX_set_locked() to set montgomery parameters in
+     a threadsafe manner. Modify rsa code to use new function and add calls
+     to dsa and dh code (which had race conditions before).
+     [Steve Henson]
+
+  *) Include the fixed error library code in the C error file definitions
+     instead of fixing them up at runtime. This keeps the error code
+     structures constant.
+     [Steve Henson]
+
+ Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
+
+  [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
+  OpenSSL 0.9.8.]
+
+  *) Fixes for newer kerberos headers. NB: the casts are needed because
+     the 'length' field is signed on one version and unsigned on another
+     with no (?) obvious way to tell the difference, without these VC++
+     complains. Also the "definition" of FAR (blank) is no longer included
+     nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
+     some needed definitions.
+     [Steve Henson]
+
+  *) Undo Cygwin change.
+     [Ulf Möller]
+
+  *) Added support for proxy certificates according to RFC 3820.
+     Because they may be a security thread to unaware applications,
+     they must be explicitely allowed in run-time.  See
+     docs/HOWTO/proxy_certificates.txt for further information.
+     [Richard Levitte]
+
+ Changes between 0.9.7e and 0.9.7f  [22 Mar 2005]
+
+  *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
+     server and client random values. Previously
+     (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
+     less random data when sizeof(time_t) > 4 (some 64 bit platforms).
+
+     This change has negligible security impact because:
+
+     1. Server and client random values still have 24 bytes of pseudo random
+        data.
+
+     2. Server and client random values are sent in the clear in the initial
+        handshake.
+
+     3. The master secret is derived using the premaster secret (48 bytes in
+        size for static RSA ciphersuites) as well as client server and random
+        values.
+
+     The OpenSSL team would like to thank the UK NISCC for bringing this issue
+     to our attention. 
+
+     [Stephen Henson, reported by UK NISCC]
+
+  *) Use Windows randomness collection on Cygwin.
+     [Ulf Möller]
+
+  *) Fix hang in EGD/PRNGD query when communication socket is closed
+     prematurely by EGD/PRNGD.
+     [Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014]
+
+  *) Prompt for pass phrases when appropriate for PKCS12 input format.
+     [Steve Henson]
+
+  *) Back-port of selected performance improvements from development
+     branch, as well as improved support for PowerPC platforms.
+     [Andy Polyakov]
+
+  *) Add lots of checks for memory allocation failure, error codes to indicate
+     failure and freeing up memory if a failure occurs.
+     [Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson]
+
+  *) Add new -passin argument to dgst.
+     [Steve Henson]
+
+  *) Perform some character comparisons of different types in X509_NAME_cmp:
+     this is needed for some certificates that reencode DNs into UTF8Strings
+     (in violation of RFC3280) and can't or wont issue name rollover
+     certificates.
+     [Steve Henson]
+
+  *) Make an explicit check during certificate validation to see that
+     the CA setting in each certificate on the chain is correct.  As a
+     side effect always do the following basic checks on extensions,
+     not just when there's an associated purpose to the check:
+
+      - if there is an unhandled critical extension (unless the user
+        has chosen to ignore this fault)
+      - if the path length has been exceeded (if one is set at all)
+      - that certain extensions fit the associated purpose (if one has
+        been given)
+     [Richard Levitte]
+
  Changes between 0.9.7d and 0.9.7e  [25 Oct 2004]
 
   *) Avoid a race condition when CRLs are checked in a multi threaded 
@@ -29,11 +1081,11 @@
  Changes between 0.9.7c and 0.9.7d  [17 Mar 2004]
 
   *) Fix null-pointer assignment in do_change_cipher_spec() revealed           
-     by using the Codenomicon TLS Test Tool (CAN-2004-0079)                    
+     by using the Codenomicon TLS Test Tool (CVE-2004-0079)                    
      [Joe Orton, Steve Henson]   
 
   *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
-     (CAN-2004-0112)
+     (CVE-2004-0112)
      [Joe Orton, Steve Henson]   
 
   *) Make it possible to have multiple active certificates with the same
@@ -76,9 +1128,9 @@
   *) Fix various bugs revealed by running the NISCC test suite:
 
      Stop out of bounds reads in the ASN1 code when presented with
-     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     invalid tags (CVE-2003-0543 and CVE-2003-0544).
      
-     Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
+     Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545).
 
      If verify callback ignores invalid public key errors don't try to check
      certificate signature with the NULL public key.
@@ -163,7 +1215,7 @@
      via timing by performing a MAC computation even if incorrrect
      block cipher padding has been found.  This is a countermeasure
      against active attacks where the attacker has to distinguish
-     between bad padding and a MAC verification error. (CAN-2003-0078)
+     between bad padding and a MAC verification error. (CVE-2003-0078)
 
      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
@@ -380,7 +1432,7 @@
 
      Remote buffer overflow in SSL3 protocol - an attacker could
      supply an oversized master key in Kerberos-enabled versions.
-     (CAN-2002-0657)
+     (CVE-2002-0657)
      [Ben Laurie (CHATS)]
 
   *) Change the SSL kerb5 codes to match RFC 2712.
@@ -2064,7 +3116,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
 
   *) Fix null-pointer assignment in do_change_cipher_spec() revealed
-     by using the Codenomicon TLS Test Tool (CAN-2004-0079)
+     by using the Codenomicon TLS Test Tool (CVE-2004-0079)
      [Joe Orton, Steve Henson]
 
  Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
@@ -2072,7 +3124,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) Fix additional bug revealed by the NISCC test suite:
 
      Stop bug triggering large recursion when presented with
-     certain ASN.1 tags (CAN-2003-0851)
+     certain ASN.1 tags (CVE-2003-0851)
      [Steve Henson]
 
  Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
@@ -2080,7 +3132,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) Fix various bugs revealed by running the NISCC test suite:
 
      Stop out of bounds reads in the ASN1 code when presented with
-     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     invalid tags (CVE-2003-0543 and CVE-2003-0544).
      
      If verify callback ignores invalid public key errors don't try to check
      certificate signature with the NULL public key.
@@ -2132,7 +3184,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      via timing by performing a MAC computation even if incorrrect
      block cipher padding has been found.  This is a countermeasure
      against active attacks where the attacker has to distinguish
-     between bad padding and a MAC verification error. (CAN-2003-0078)
+     between bad padding and a MAC verification error. (CVE-2003-0078)
 
      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
@@ -2265,7 +3317,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) Add various sanity checks to asn1_get_length() to reject
      the ASN1 length bytes if they exceed sizeof(long), will appear
      negative or the content length exceeds the length of the
-     supplied buffer. (CAN-2002-0659)
+     supplied buffer. (CVE-2002-0659)
      [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
 
   *) Assertions for various potential buffer overflows, not known to
@@ -2273,15 +3325,15 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      [Ben Laurie (CHATS)]
 
   *) Various temporary buffers to hold ASCII versions of integers were
-     too small for 64 bit platforms. (CAN-2002-0655)
+     too small for 64 bit platforms. (CVE-2002-0655)
      [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
 
   *) Remote buffer overflow in SSL3 protocol - an attacker could
-     supply an oversized session ID to a client. (CAN-2002-0656)
+     supply an oversized session ID to a client. (CVE-2002-0656)
      [Ben Laurie (CHATS)]
 
   *) Remote buffer overflow in SSL2 protocol - an attacker could
-     supply an oversized client master key. (CAN-2002-0656)
+     supply an oversized client master key. (CVE-2002-0656)
      [Ben Laurie (CHATS)]
 
  Changes between 0.9.6c and 0.9.6d  [9 May 2002]
diff --git a/crypto/openssl/ChangeLog.0_9_7-stable_not-in-head b/crypto/openssl/ChangeLog.0_9_7-stable_not-in-head
new file mode 100644
index 000000000000..1203a22158a8
--- /dev/null
+++ b/crypto/openssl/ChangeLog.0_9_7-stable_not-in-head
@@ -0,0 +1,163 @@
+This file, together with ChangeLog.0_9_7-stable_not-in-head_FIPS,
+provides a collection of those CVS change log entries for the
+0.9.7 branch (OpenSSL_0_9_7-stable) that do not appear similarly in
+0.9.8-dev (CVS head).
+    
+ChangeLog.0_9_7-stable_not-in-head_FIPS  -  "FIPS" related changes
+ChangeLog.0_9_7-stable_not-in-head       -  everything else
+
+Some obvious false positives have been eliminated: e.g., we do not
+care about a simple "make update"; and we don't care about changes
+identified to the 0.9.7 branch that were explicitly identified as
+backports from head.
+    
+Eliminating all other entries (and finally this file and its
+compantion), either as false positives or as things that should go
+into 0.9.8, remains to be done.  Any additional changes to 0.9.7 that
+are not immediately put into 0.9.8, but belong there as well, should
+be added to the end of this file.
+
+
+2002-11-04 17:33  levitte
+
+	Changed:
+		Configure (1.314.2.38), "Exp", lines: +4 -2
+
+	Return my normal debug targets to something not so extreme, and
+	make the extreme ones special (or 'extreme', if you will :-)).
+
+2002-12-16 19:17  appro
+
+	Changed:
+		crypto/bn/bn_lcl.h (1.23.2.3), "Exp", lines: +3 -0
+		crypto/bn/bn_mul.c (1.28.2.4), "Exp", lines: +84 -445
+
+	This is rollback to 0.9.6h bn_mul.c to address problem reported in
+	RT#272.
+
+2003-07-27 15:46  ben
+
+	Changed:
+		crypto/aes/aes.h (1.1.2.5), "Exp", lines: +3 -0
+		crypto/aes/aes_cfb.c (1.1.2.4), "Exp", lines: +57 -0
+
+	Add untested CFB-r mode. Will be tested soon.
+
+2003-07-28 17:07  ben
+
+	Changed:
+		Makefile.org (1.154.2.69), "Exp", lines: +5 -1
+		crypto/aes/aes.h (1.1.2.6), "Exp", lines: +3 -0
+		crypto/aes/aes_cfb.c (1.1.2.5), "Exp", lines: +19 -0
+		crypto/dsa/Makefile.ssl (1.49.2.6), "Exp", lines: +3 -2
+		crypto/err/Makefile.ssl (1.48.2.4), "Exp", lines: +17 -16
+		crypto/evp/e_aes.c (1.6.2.5), "Exp", lines: +8 -0
+		crypto/evp/e_des.c (1.5.2.2), "Exp", lines: +1 -1
+		crypto/evp/e_des3.c (1.8.2.3), "Exp", lines: +2 -2
+		crypto/evp/evp.h (1.86.2.11), "Exp", lines: +28 -11
+		crypto/evp/evp_locl.h (1.7.2.3), "Exp", lines: +2 -2
+		crypto/objects/obj_dat.h (1.49.2.13), "Exp", lines: +10 -5
+		crypto/objects/obj_mac.h (1.19.2.13), "Exp", lines: +5 -0
+		crypto/objects/obj_mac.num (1.15.2.9), "Exp", lines: +1 -0
+		crypto/objects/objects.txt (1.20.2.14), "Exp", lines: +4 -0
+		fips/Makefile.ssl (1.1.2.3), "Exp", lines: +7 -0
+		fips/aes/Makefile.ssl (1.1.2.2), "Exp", lines: +23 -1
+		fips/aes/fips_aesavs.c (1.1.2.3), "Exp", lines: +9 -1
+		test/Makefile.ssl (1.84.2.30), "Exp", lines: +101 -43
+
+	Add support for partial CFB modes, make tests work, update
+	dependencies.
+
+2003-07-29 12:56  ben
+
+	Changed:
+		crypto/aes/aes_cfb.c (1.1.2.6), "Exp", lines: +9 -6
+		crypto/evp/c_allc.c (1.8.2.3), "Exp", lines: +1 -0
+		crypto/evp/evp_test.c (1.14.2.11), "Exp", lines: +17 -8
+		crypto/evp/evptests.txt (1.9.2.2), "Exp", lines: +48 -1
+
+	Working CFB1 and test vectors.
+
+2003-07-29 15:24  ben
+
+	Changed:
+		crypto/evp/e_aes.c (1.6.2.6), "Exp", lines: +14 -0
+		crypto/objects/obj_dat.h (1.49.2.14), "Exp", lines: +15 -5
+		crypto/objects/obj_mac.h (1.19.2.14), "Exp", lines: +10 -0
+		crypto/objects/obj_mac.num (1.15.2.10), "Exp", lines: +2 -0
+		crypto/objects/objects.txt (1.20.2.15), "Exp", lines: +2 -0
+		fips/aes/Makefile.ssl (1.1.2.3), "Exp", lines: +1 -1
+		fips/aes/fips_aesavs.c (1.1.2.4), "Exp", lines: +34 -19
+
+	The rest of the keysizes for CFB1, working AES AVS test for CFB1.
+
+2003-07-29 19:05  ben
+
+	Changed:
+		crypto/aes/aes.h (1.1.2.7), "Exp", lines: +3 -0
+		crypto/aes/aes_cfb.c (1.1.2.7), "Exp", lines: +14 -0
+		crypto/evp/c_allc.c (1.8.2.4), "Exp", lines: +1 -0
+		crypto/evp/e_aes.c (1.6.2.7), "Exp", lines: +4 -9
+		crypto/evp/evptests.txt (1.9.2.3), "Exp", lines: +48 -0
+		crypto/objects/obj_dat.h (1.49.2.15), "Exp", lines: +20 -5
+		crypto/objects/obj_mac.h (1.19.2.15), "Exp", lines: +15 -0
+		crypto/objects/obj_mac.num (1.15.2.11), "Exp", lines: +3 -0
+		crypto/objects/objects.txt (1.20.2.16), "Exp", lines: +3 -0
+		fips/aes/fips_aesavs.c (1.1.2.7), "Exp", lines: +11 -0
+
+	AES CFB8.
+
+2003-07-30 20:30  ben
+
+	Changed:
+		Makefile.org (1.154.2.70), "Exp", lines: +16 -5
+		crypto/des/cfb_enc.c (1.7.2.1), "Exp", lines: +2 -1
+		crypto/des/des_enc.c (1.11.2.2), "Exp", lines: +4 -0
+		crypto/evp/e_aes.c (1.6.2.8), "Exp", lines: +7 -14
+		crypto/evp/e_des.c (1.5.2.3), "Exp", lines: +37 -1
+		crypto/evp/evp.h (1.86.2.12), "Exp", lines: +6 -0
+		crypto/evp/evp_locl.h (1.7.2.4), "Exp", lines: +9 -0
+		crypto/objects/obj_dat.h (1.49.2.16), "Exp", lines: +48 -23
+		crypto/objects/obj_mac.h (1.19.2.16), "Exp", lines: +31 -6
+		crypto/objects/obj_mac.num (1.15.2.12), "Exp", lines: +5 -0
+		crypto/objects/objects.txt (1.20.2.17), "Exp", lines: +12 -6
+		fips/Makefile.ssl (1.1.2.4), "Exp", lines: +8 -1
+		fips/fips_make_sha1 (1.1.2.3), "Exp", lines: +3 -0
+		fips/aes/Makefile.ssl (1.1.2.4), "Exp", lines: +1 -1
+		fips/des/.cvsignore (1.1.2.1), "Exp", lines: +3 -0
+		fips/des/Makefile.ssl (1.1.2.1), "Exp", lines: +96 -0
+		fips/des/fingerprint.sha1 (1.1.2.1), "Exp", lines: +2 -0
+		fips/des/fips_des_enc.c (1.1.2.1), "Exp", lines: +288 -0
+		fips/des/fips_des_locl.h (1.1.2.1), "Exp", lines: +428 -0
+		fips/des/fips_desmovs.c (1.1.2.1), "Exp", lines: +659 -0
+
+	Whoops, forgot FIPS DES, also add EVPs for DES CFB1 and 8.
+
+2003-08-01 12:25  ben
+
+	Changed:
+		crypto/des/cfb_enc.c (1.7.2.2), "Exp", lines: +45 -36
+		crypto/evp/c_allc.c (1.8.2.5), "Exp", lines: +2 -0
+		crypto/evp/e_des.c (1.5.2.4), "Exp", lines: +8 -3
+		crypto/evp/evptests.txt (1.9.2.4), "Exp", lines: +6 -0
+
+	Fix DES CFB-r.
+
+2003-08-01 12:31  ben
+
+	Changed:
+		crypto/evp/evptests.txt (1.9.2.5), "Exp", lines: +4 -0
+
+	DES CFB8 test.
+
+2005-04-19 16:21  appro
+
+	Changed:
+		Configure (1.314.2.117), "Exp", lines: +24 -21
+		Makefile.org (1.154.2.100), "Exp", lines: +1 -11
+		TABLE (1.99.2.52), "Exp", lines: +20 -20
+		apps/Makefile (1.1.4.15), "Exp", lines: +1 -1
+		test/Makefile (1.1.4.12), "Exp", lines: +1 -1
+
+	Enable shared link on HP-UX.
+
diff --git a/crypto/openssl/ChangeLog.0_9_7-stable_not-in-head_FIPS b/crypto/openssl/ChangeLog.0_9_7-stable_not-in-head_FIPS
new file mode 100644
index 000000000000..1e6c88f77abf
--- /dev/null
+++ b/crypto/openssl/ChangeLog.0_9_7-stable_not-in-head_FIPS
@@ -0,0 +1,1494 @@
+See file ChangeLog.0_9_7-stable_not-in-head for explanations.
+This is the "FIPS"-related part.
+
+
+
+2003-07-27 19:00  ben
+
+	Changed:
+		Configure (1.314.2.85), "Exp", lines: +2 -0
+		Makefile.org (1.154.2.67), "Exp", lines: +12 -3
+		crypto/cryptlib.c (1.32.2.9), "Exp", lines: +5 -0
+		crypto/md32_common.h (1.22.2.4), "Exp", lines: +11 -0
+		crypto/aes/Makefile.ssl (1.4.2.6), "Exp", lines: +2 -1
+		crypto/aes/aes_core.c (1.1.2.4), "Exp", lines: +4 -0
+		crypto/des/des.h (1.40.2.4), "Exp", lines: +1 -1
+		crypto/des/des_old.c (1.11.2.4), "Exp", lines: +1 -1
+		crypto/des/destest.c (1.30.2.6), "Exp", lines: +2 -2
+		crypto/des/ecb3_enc.c (1.8.2.1), "Exp", lines: +1 -3
+		crypto/dsa/Makefile.ssl (1.49.2.5), "Exp", lines: +7 -4
+		crypto/dsa/dsa_ossl.c (1.12.2.4), "Exp", lines: +2 -0
+		crypto/dsa/dsa_sign.c (1.10.2.3), "Exp", lines: +12 -0
+		crypto/dsa/dsa_vrf.c (1.10.2.3), "Exp", lines: +8 -0
+		crypto/engine/engine.h (1.36.2.6), "Exp", lines: +4 -0
+		crypto/err/err.h (1.35.2.3), "Exp", lines: +2 -0
+		crypto/err/err_all.c (1.17.2.2), "Exp", lines: +4 -0
+		crypto/err/openssl.ec (1.11.2.1), "Exp", lines: +1 -0
+		crypto/evp/Makefile.ssl (1.64.2.8), "Exp", lines: +8 -7
+		crypto/evp/c_all.c (1.7.8.7), "Exp", lines: +1 -0
+		crypto/evp/e_aes.c (1.6.2.4), "Exp", lines: +12 -4
+		crypto/evp/e_des3.c (1.8.2.2), "Exp", lines: +1 -1
+		crypto/evp/evp.h (1.86.2.10), "Exp", lines: +2 -0
+		crypto/evp/evp_err.c (1.23.2.1), "Exp", lines: +3 -1
+		crypto/md4/Makefile.ssl (1.6.2.4), "Exp", lines: +7 -4
+		crypto/md5/Makefile.ssl (1.33.2.7), "Exp", lines: +7 -4
+		crypto/rand/Makefile.ssl (1.56.2.4), "Exp", lines: +17 -15
+		crypto/rand/md_rand.c (1.69.2.2), "Exp", lines: +9 -0
+		crypto/rand/rand.h (1.26.2.5), "Exp", lines: +2 -0
+		crypto/rand/rand_err.c (1.6.2.1), "Exp", lines: +3 -1
+		crypto/rand/rand_lib.c (1.15.2.2), "Exp", lines: +11 -0
+		crypto/ripemd/Makefile.ssl (1.25.2.5), "Exp", lines: +7 -2
+		crypto/sha/Makefile.ssl (1.26.2.5), "Exp", lines: +16 -6
+		fips/.cvsignore (1.1.2.1), "Exp", lines: +1 -0
+		fips/Makefile.ssl (1.1.2.1), "Exp", lines: +155 -0
+		fips/fingerprint.sha1 (1.1.2.1), "Exp", lines: +3 -0
+		fips/fips.c (1.1.2.1), "Exp", lines: +74 -0
+		fips/fips.h (1.1.2.1), "Exp", lines: +85 -0
+		fips/fips_check_sha1 (1.1.2.1), "Exp", lines: +7 -0
+		fips/fips_err.c (1.1.2.1), "Exp", lines: +96 -0
+		fips/fips_make_sha1 (1.1.2.1), "Exp", lines: +21 -0
+		fips/lib (1.1.2.1), "Exp", lines: +0 -0
+		fips/aes/.cvsignore (1.1.2.1), "Exp", lines: +4 -0
+		fips/aes/Makefile.ssl (1.1.2.1), "Exp", lines: +95 -0
+		fips/aes/fingerprint.sha1 (1.1.2.1), "Exp", lines: +2 -0
+		fips/aes/fips_aes_core.c (1.1.2.1), "Exp", lines: +1260 -0
+		fips/aes/fips_aes_locl.h (1.1.2.1), "Exp", lines: +85 -0
+		fips/aes/fips_aesavs.c (1.1.2.1), "Exp", lines: +896 -0
+		fips/dsa/.cvsignore (1.1.2.1), "Exp", lines: +2 -0
+		fips/dsa/Makefile.ssl (1.1.2.1), "Exp", lines: +95 -0
+		fips/dsa/fingerprint.sha1 (1.1.2.1), "Exp", lines: +1 -0
+		fips/dsa/fips_dsa_ossl.c (1.1.2.1), "Exp", lines: +366 -0
+		fips/dsa/fips_dsatest.c (1.1.2.1), "Exp", lines: +252 -0
+		fips/rand/.cvsignore (1.1.2.1), "Exp", lines: +2 -0
+		fips/rand/Makefile.ssl (1.1.2.1), "Exp", lines: +94 -0
+		fips/rand/fingerprint.sha1 (1.1.2.1), "Exp", lines: +2 -0
+		fips/rand/fips_rand.c (1.1.2.1), "Exp", lines: +236 -0
+		fips/rand/fips_rand.h (1.1.2.1), "Exp", lines: +55 -0
+		fips/rand/fips_randtest.c (1.1.2.1), "Exp", lines: +348 -0
+		fips/sha1/.cvsignore (1.1.2.1), "Exp", lines: +3 -0
+		fips/sha1/Makefile.ssl (1.1.2.1), "Exp", lines: +94 -0
+		fips/sha1/fingerprint.sha1 (1.1.2.1), "Exp", lines: +3 -0
+		fips/sha1/fips_md32_common.h (1.1.2.1), "Exp", lines: +637 -0
+		fips/sha1/fips_sha1dgst.c (1.1.2.1), "Exp", lines: +76 -0
+		fips/sha1/fips_sha1test.c (1.1.2.1), "Exp", lines: +128 -0
+		fips/sha1/fips_sha_locl.h (1.1.2.1), "Exp", lines: +472 -0
+		fips/sha1/fips_standalone_sha1.c (1.1.2.1), "Exp", lines: +101 -0
+		fips/sha1/standalone.sha1 (1.1.2.1), "Exp", lines: +4 -0
+		test/Makefile.ssl (1.84.2.29), "Exp", lines: +81 -13
+		util/mkerr.pl (1.18.2.4), "Exp", lines: +2 -1
+
+	Unfinished FIPS stuff for review/improvement.
+
+2003-07-27 19:19  ben
+
+	Changed:
+		fips/fips_check_sha1 (1.1.2.2), "Exp", lines: +1 -1
+
+	Use unified diff.
+
+2003-07-27 19:23  ben
+
+	Changed:
+		fips/Makefile.ssl (1.1.2.2), "Exp", lines: +3 -3
+		fips/fingerprint.sha1 (1.1.2.2), "Exp", lines: +2 -1
+		fips/fips_make_sha1 (1.1.2.2), "Exp", lines: +1 -1
+
+	Build in non-FIPS mode.
+
+2003-07-27 23:13  ben
+
+	Changed:
+		Makefile.org (1.154.2.68), "Exp", lines: +1 -1
+		fips/fips_check_sha1 (1.1.2.3), "Exp", lines: +2 -1
+		fips/aes/fips_aesavs.c (1.1.2.2), "Exp", lines: +2 -0
+		fips/dsa/fips_dsa_ossl.c (1.1.2.2), "Exp", lines: +8 -0
+		fips/dsa/fips_dsatest.c (1.1.2.2), "Exp", lines: +2 -1
+		fips/sha1/fingerprint.sha1 (1.1.2.2), "Exp", lines: +1 -1
+		fips/sha1/fips_sha1dgst.c (1.1.2.2), "Exp", lines: +5 -1
+		fips/sha1/fips_standalone_sha1.c (1.1.2.2), "Exp", lines: +2 -0
+		fips/sha1/standalone.sha1 (1.1.2.2), "Exp", lines: +1 -1
+
+	Build when not FIPS.
+
+2003-07-28 11:56  ben
+
+	Changed:
+		fips/dsa/fingerprint.sha1 (1.1.2.2), "Exp", lines: +1 -1
+		fips/sha1/standalone.sha1 (1.1.2.3), "Exp", lines: +1 -1
+
+	New fingerprints.
+
+2003-07-29 16:06  ben
+
+	Changed:
+		fips/aes/fips_aesavs.c (1.1.2.5), "Exp", lines: +295 -303
+
+	Reformat.
+
+2003-07-29 16:34  ben
+
+	Changed:
+		fips/aes/fips_aesavs.c (1.1.2.6), "Exp", lines: +43 -17
+
+	MMT for CFB1
+
+2003-07-29 17:17  ben
+
+	Changed:
+		fips/fips_err_wrapper.c (1.1.2.1), "Exp", lines: +5 -0
+		fips/sha1/sha1hashes.txt (1.1.2.1), "Exp", lines: +342 -0
+		fips/sha1/sha1vectors.txt (1.1.2.1), "Exp", lines: +2293 -0
+
+	Missing files.
+
+2003-07-31 23:30  levitte
+
+	Changed:
+		Makefile.org (1.154.2.71), "Exp", lines: +2 -0
+
+	If FDIRS is to be treated like SDIRS, let's not forget to
+	initialize it in Makefile.org.
+
+2003-07-31 23:41  levitte
+
+	Changed:
+		fips/sha1/fips_sha1test.c (1.1.2.2), "Exp", lines: +3 -3
+
+	No C++ comments in C programs!
+
+2003-08-01 15:07  steve
+
+	Changed:
+		fips/aes/fips_aesavs.c (1.1.2.8), "Exp", lines: +3 -3
+
+	Replace C++ style comments.
+
+2003-08-03 14:22  ben
+
+	Changed:
+		fips/des/fips_desmovs.c (1.1.2.2), "Exp", lines: +55 -37
+
+	Make tests work (CFB1 still doesn't produce the right answers,
+	strangely).
+
+2003-08-08 12:08  levitte
+
+	Changed:
+		fips/des/fips_des_enc.c (1.1.2.2), "Exp", lines: +9 -0
+
+	Avoid clashing with the regular DES functions when not compiling
+	with -DFIPS.  This is basically only visible when building with
+	shared library supoort...
+
+2003-08-11 11:36  levitte
+
+	Deleted:
+		fips/sha1/.cvsignore (1.1.2.2)
+		fips/sha1/Makefile.ssl (1.1.2.3)
+		fips/sha1/fingerprint.sha1 (1.1.2.3)
+		fips/sha1/fips_md32_common.h (1.1.2.2)
+		fips/sha1/fips_sha1dgst.c (1.1.2.3)
+		fips/sha1/fips_sha1test.c (1.1.2.3)
+		fips/sha1/fips_sha_locl.h (1.1.2.2)
+		fips/sha1/fips_standalone_sha1.c (1.1.2.3)
+		fips/sha1/sha1hashes.txt (1.1.2.2)
+		fips/sha1/sha1vectors.txt (1.1.2.2)
+		fips/sha1/standalone.sha1 (1.1.2.4)
+		fips/dsa/.cvsignore (1.1.2.2)
+		fips/dsa/Makefile.ssl (1.1.2.2)
+		fips/dsa/fingerprint.sha1 (1.1.2.3)
+		fips/dsa/fips_dsa_ossl.c (1.1.2.3)
+		fips/dsa/fips_dsatest.c (1.1.2.3)
+		fips/rand/.cvsignore (1.1.2.2)
+		fips/rand/Makefile.ssl (1.1.2.2)
+		fips/rand/fingerprint.sha1 (1.1.2.2)
+		fips/rand/fips_rand.c (1.1.2.2)
+		fips/rand/fips_rand.h (1.1.2.2)
+		fips/rand/fips_randtest.c (1.1.2.2)
+		fips/des/.cvsignore (1.1.2.2)
+		fips/des/Makefile.ssl (1.1.2.3)
+		fips/des/fingerprint.sha1 (1.1.2.2)
+		fips/des/fips_des_enc.c (1.1.2.3)
+		fips/des/fips_des_locl.h (1.1.2.2)
+		fips/des/fips_desmovs.c (1.1.2.3)
+		fips/aes/.cvsignore (1.1.2.2)
+		fips/aes/Makefile.ssl (1.1.2.5)
+		fips/aes/fingerprint.sha1 (1.1.2.2)
+		fips/aes/fips_aes_core.c (1.1.2.2)
+		fips/aes/fips_aes_locl.h (1.1.2.2)
+		fips/aes/fips_aesavs.c (1.1.2.9)
+		fips/.cvsignore (1.1.2.2)
+		fips/Makefile.ssl (1.1.2.6)
+		fips/fingerprint.sha1 (1.1.2.3)
+		fips/fips.c (1.1.2.2)
+		fips/fips.h (1.1.2.2)
+		fips/fips_check_sha1 (1.1.2.4)
+		fips/fips_err.c (1.1.2.2)
+		fips/fips_err_wrapper.c (1.1.2.2)
+		fips/fips_make_sha1 (1.1.2.4)
+		fips/lib (1.1.2.2)
+	Changed:
+		util/libeay.num (1.173.2.16), "Exp", lines: +11 -38
+		util/mkerr.pl (1.18.2.5), "Exp", lines: +1 -2
+		test/Makefile.ssl (1.84.2.31), "Exp", lines: +54 -180
+		crypto/ripemd/Makefile.ssl (1.25.2.6), "Exp", lines: +2 -7
+		crypto/sha/Makefile.ssl (1.26.2.6), "Exp", lines: +6 -16
+		crypto/rand/Makefile.ssl (1.56.2.5), "Exp", lines: +15 -17
+		crypto/rand/md_rand.c (1.69.2.3), "Exp", lines: +0 -9
+		crypto/rand/rand.h (1.26.2.6), "Exp", lines: +0 -2
+		crypto/rand/rand_err.c (1.6.2.2), "Exp", lines: +1 -3
+		crypto/rand/rand_lib.c (1.15.2.3), "Exp", lines: +0 -11
+		crypto/objects/obj_dat.h (1.49.2.18), "Exp", lines: +3 -27
+		crypto/objects/obj_mac.h (1.19.2.18), "Exp", lines: +0 -32
+		crypto/objects/obj_mac.num (1.15.2.14), "Exp", lines: +0 -8
+		crypto/objects/objects.txt (1.20.2.19), "Exp", lines: +0 -11
+		crypto/md4/Makefile.ssl (1.6.2.5), "Exp", lines: +4 -7
+		crypto/md5/Makefile.ssl (1.33.2.8), "Exp", lines: +4 -7
+		crypto/evp/Makefile.ssl (1.64.2.9), "Exp", lines: +7 -8
+		crypto/evp/c_allc.c (1.8.2.6), "Exp", lines: +0 -4
+		crypto/evp/e_aes.c (1.6.2.9), "Exp", lines: +4 -22
+		crypto/evp/e_des.c (1.5.2.5), "Exp", lines: +2 -43
+		crypto/evp/e_des3.c (1.8.2.4), "Exp", lines: +3 -3
+		crypto/evp/evp.h (1.86.2.13), "Exp", lines: +11 -36
+		crypto/evp/evp_err.c (1.23.2.2), "Exp", lines: +1 -3
+		crypto/evp/evp_lib.c (1.6.8.3), "Exp", lines: +0 -24
+		crypto/evp/evp_locl.h (1.7.2.5), "Exp", lines: +2 -11
+		crypto/evp/evp_test.c (1.14.2.12), "Exp", lines: +8 -17
+		crypto/evp/evptests.txt (1.9.2.6), "Exp", lines: +1 -106
+		crypto/dsa/Makefile.ssl (1.49.2.7), "Exp", lines: +6 -10
+		crypto/dsa/dsa_ossl.c (1.12.2.5), "Exp", lines: +0 -2
+		crypto/dsa/dsa_sign.c (1.10.2.4), "Exp", lines: +0 -12
+		crypto/dsa/dsa_vrf.c (1.10.2.4), "Exp", lines: +0 -8
+		crypto/err/Makefile.ssl (1.48.2.5), "Exp", lines: +16 -17
+		crypto/err/err.h (1.35.2.4), "Exp", lines: +0 -2
+		crypto/err/err_all.c (1.17.2.3), "Exp", lines: +0 -4
+		crypto/err/openssl.ec (1.11.2.2), "Exp", lines: +0 -1
+		crypto/des/des.h (1.40.2.5), "Exp", lines: +1 -1
+		crypto/des/des_enc.c (1.11.2.3), "Exp", lines: +0 -4
+		crypto/des/des_old.c (1.11.2.5), "Exp", lines: +1 -1
+		crypto/des/destest.c (1.30.2.7), "Exp", lines: +2 -2
+		crypto/des/ecb3_enc.c (1.8.2.2), "Exp", lines: +3 -1
+		crypto/aes/Makefile.ssl (1.4.2.7), "Exp", lines: +1 -2
+		crypto/aes/aes.h (1.1.2.8), "Exp", lines: +0 -9
+		crypto/aes/aes_cfb.c (1.1.2.8), "Exp", lines: +0 -93
+		crypto/aes/aes_core.c (1.1.2.5), "Exp", lines: +0 -4
+		crypto/cryptlib.c (1.32.2.10), "Exp", lines: +0 -5
+		crypto/md32_common.h (1.22.2.5), "Exp", lines: +0 -11
+		Configure (1.314.2.86), "Exp", lines: +0 -2
+		Makefile.org (1.154.2.72), "Exp", lines: +8 -34
+		TABLE (1.99.2.30), "Exp", lines: +0 -50
+
+	A new branch for FIPS-related changes has been created with the
+	name OpenSSL-fips-0_9_7-stable.
+
+		Since the 0.9.7-stable branch is supposed to be in freeze
+	and should only contain bug corrections, this change removes the
+	FIPS changes from that branch.
+
+2004-05-11 14:44  ben
+
+	Deleted:
+		apps/Makefile.ssl (1.100.2.27)
+		crypto/Makefile.ssl (1.84.2.12)
+		crypto/aes/Makefile.ssl (1.4.2.9)
+		crypto/asn1/Makefile.ssl (1.77.2.7)
+		crypto/bf/Makefile.ssl (1.25.2.6)
+		crypto/bio/Makefile.ssl (1.52.2.4)
+		crypto/bn/Makefile.ssl (1.65.2.9)
+		crypto/buffer/Makefile.ssl (1.32.2.4)
+		crypto/cast/Makefile.ssl (1.31.2.6)
+		crypto/comp/Makefile.ssl (1.32.2.4)
+		crypto/conf/Makefile.ssl (1.38.2.8)
+		crypto/des/Makefile.ssl (1.61.2.13)
+		crypto/dh/Makefile.ssl (1.43.2.5)
+		crypto/dsa/Makefile.ssl (1.49.2.9)
+		crypto/dso/Makefile.ssl (1.11.2.4)
+		crypto/ec/Makefile.ssl (1.7.2.4)
+		crypto/engine/Makefile.ssl (1.30.2.13)
+		crypto/err/Makefile.ssl (1.48.2.7)
+		crypto/evp/Makefile.ssl (1.64.2.12)
+		crypto/hmac/Makefile.ssl (1.33.2.6)
+		crypto/idea/Makefile.ssl (1.20.2.4)
+		crypto/krb5/Makefile.ssl (1.5.2.6)
+		crypto/lhash/Makefile.ssl (1.28.2.4)
+		crypto/md2/Makefile.ssl (1.29.2.5)
+		crypto/md4/Makefile.ssl (1.6.2.7)
+		crypto/md5/Makefile.ssl (1.33.2.10)
+		crypto/mdc2/Makefile.ssl (1.30.2.4)
+		crypto/objects/Makefile.ssl (1.46.2.6)
+		crypto/ocsp/Makefile.ssl (1.19.2.7)
+		crypto/pem/Makefile.ssl (1.51.2.5)
+		crypto/pkcs12/Makefile.ssl (1.37.2.5)
+		crypto/pkcs7/Makefile.ssl (1.47.2.5)
+		crypto/rand/Makefile.ssl (1.56.2.8)
+		crypto/rc2/Makefile.ssl (1.20.2.4)
+		crypto/rc4/Makefile.ssl (1.25.2.6)
+		crypto/rc5/Makefile.ssl (1.22.2.6)
+		crypto/ripemd/Makefile.ssl (1.25.2.9)
+		crypto/rsa/Makefile.ssl (1.53.2.6)
+		crypto/sha/Makefile.ssl (1.26.2.9)
+		crypto/stack/Makefile.ssl (1.28.2.4)
+		crypto/txt_db/Makefile.ssl (1.26.2.4)
+		crypto/ui/Makefile.ssl (1.10.2.6)
+		crypto/x509/Makefile.ssl (1.56.2.5)
+		crypto/x509v3/Makefile.ssl (1.62.2.5)
+		ssl/Makefile.ssl (1.53.2.11)
+		test/Makefile.ssl (1.84.2.36)
+		tools/Makefile.ssl (1.9.2.4)
+	Changed:
+		.cvsignore (1.7.6.2), "Exp", lines: +2 -1
+		Configure (1.314.2.92), "Exp", lines: +38 -8
+		FAQ (1.61.2.31), "Exp", lines: +1 -1
+		INSTALL (1.45.2.9), "Exp", lines: +2 -2
+		INSTALL.W32 (1.30.2.14), "Exp", lines: +9 -4
+		Makefile.org (1.154.2.78), "Exp", lines: +51 -19
+		PROBLEMS (1.4.2.10), "Exp", lines: +2 -2
+		e_os.h (1.56.2.17), "Exp", lines: +20 -1
+		apps/.cvsignore (1.5.8.1), "Exp", lines: +1 -0
+		apps/Makefile (1.1.4.1), "Exp", lines: +1147 -0
+		apps/apps.c (1.49.2.27), "Exp", lines: +0 -10
+		apps/ca.c (1.102.2.31), "Exp", lines: +0 -10
+		apps/dgst.c (1.23.2.10), "Exp", lines: +39 -11
+		apps/openssl.c (1.48.2.9), "Exp", lines: +19 -0
+		crypto/Makefile (1.1.4.1), "Exp", lines: +217 -0
+		crypto/cryptlib.c (1.32.2.11), "Exp", lines: +5 -0
+		crypto/crypto-lib.com (1.53.2.12), "Exp", lines: +1 -1
+		crypto/md32_common.h (1.22.2.6), "Exp", lines: +12 -0
+		crypto/aes/Makefile (1.1.4.1), "Exp", lines: +102 -0
+		crypto/aes/aes.h (1.1.2.9), "Exp", lines: +9 -0
+		crypto/aes/aes_cfb.c (1.1.2.9), "Exp", lines: +93 -0
+		crypto/aes/aes_core.c (1.1.2.6), "Exp", lines: +4 -0
+		crypto/asn1/Makefile (1.1.4.1), "Exp", lines: +1150 -0
+		crypto/bf/Makefile (1.1.4.1), "Exp", lines: +113 -0
+		crypto/bio/Makefile (1.1.4.1), "Exp", lines: +214 -0
+		crypto/bio/bio.h (1.56.2.6), "Exp", lines: +1 -0
+		crypto/bn/Makefile (1.1.4.1), "Exp", lines: +324 -0
+		crypto/bn/bntest.c (1.55.2.4), "Exp", lines: +1 -1
+		crypto/buffer/Makefile (1.1.4.1), "Exp", lines: +92 -0
+		crypto/cast/Makefile (1.1.4.1), "Exp", lines: +118 -0
+		crypto/cast/asm/.cvsignore (1.2.8.1), "Exp", lines: +1 -0
+		crypto/comp/Makefile (1.1.4.1), "Exp", lines: +112 -0
+		crypto/conf/Makefile (1.1.4.1), "Exp", lines: +181 -0
+		crypto/des/Makefile (1.1.4.1), "Exp", lines: +314 -0
+		crypto/des/cfb64ede.c (1.6.2.4), "Exp", lines: +111 -0
+		crypto/des/des.h (1.40.2.6), "Exp", lines: +5 -1
+		crypto/des/des_enc.c (1.11.2.4), "Exp", lines: +8 -0
+		crypto/des/des_old.c (1.11.2.6), "Exp", lines: +1 -1
+		crypto/des/destest.c (1.30.2.8), "Exp", lines: +2 -2
+		crypto/des/ecb3_enc.c (1.8.2.3), "Exp", lines: +1 -3
+		crypto/des/set_key.c (1.18.2.2), "Exp", lines: +4 -0
+		crypto/dh/Makefile (1.1.4.1), "Exp", lines: +131 -0
+		crypto/dsa/Makefile (1.1.4.1), "Exp", lines: +173 -0
+		crypto/dsa/dsa_gen.c (1.19.2.1), "Exp", lines: +4 -1
+		crypto/dsa/dsa_key.c (1.9.2.1), "Exp", lines: +2 -0
+		crypto/dsa/dsa_ossl.c (1.12.2.6), "Exp", lines: +2 -0
+		crypto/dsa/dsa_sign.c (1.10.2.5), "Exp", lines: +12 -0
+		crypto/dsa/dsa_vrf.c (1.10.2.5), "Exp", lines: +8 -0
+		crypto/dso/Makefile (1.1.4.1), "Exp", lines: +140 -0
+		crypto/ec/Makefile (1.1.4.1), "Exp", lines: +126 -0
+		crypto/engine/Makefile (1.1.4.1), "Exp", lines: +536 -0
+		crypto/engine/hw_cryptodev.c (1.1.2.6), "Exp", lines: +6 -2
+		crypto/err/Makefile (1.1.4.1), "Exp", lines: +118 -0
+		crypto/err/err.h (1.35.2.6), "Exp", lines: +2 -0
+		crypto/err/err_all.c (1.17.2.4), "Exp", lines: +4 -0
+		crypto/err/openssl.ec (1.11.2.3), "Exp", lines: +1 -0
+		crypto/evp/Makefile (1.1.4.1), "Exp", lines: +1057 -0
+		crypto/evp/bio_md.c (1.11.2.1), "Exp", lines: +6 -0
+		crypto/evp/c_allc.c (1.8.2.7), "Exp", lines: +8 -0
+		crypto/evp/e_aes.c (1.6.2.10), "Exp", lines: +22 -4
+		crypto/evp/e_des.c (1.5.2.8), "Exp", lines: +36 -3
+		crypto/evp/e_des3.c (1.8.2.7), "Exp", lines: +43 -4
+		crypto/evp/evp.h (1.86.2.15), "Exp", lines: +39 -11
+		crypto/evp/evp_err.c (1.23.2.3), "Exp", lines: +3 -1
+		crypto/evp/evp_lib.c (1.6.8.4), "Exp", lines: +24 -0
+		crypto/evp/evp_locl.h (1.7.2.6), "Exp", lines: +11 -2
+		crypto/evp/evp_test.c (1.14.2.13), "Exp", lines: +17 -8
+		crypto/evp/evptests.txt (1.9.2.7), "Exp", lines: +106 -1
+		crypto/hmac/Makefile (1.1.4.1), "Exp", lines: +99 -0
+		crypto/idea/Makefile (1.1.4.1), "Exp", lines: +89 -0
+		crypto/krb5/Makefile (1.1.4.1), "Exp", lines: +88 -0
+		crypto/lhash/Makefile (1.1.4.1), "Exp", lines: +91 -0
+		crypto/md2/Makefile (1.1.4.1), "Exp", lines: +91 -0
+		crypto/md4/Makefile (1.1.4.1), "Exp", lines: +93 -0
+		crypto/md5/Makefile (1.1.4.1), "Exp", lines: +129 -0
+		crypto/mdc2/Makefile (1.1.4.1), "Exp", lines: +96 -0
+		crypto/objects/Makefile (1.1.4.1), "Exp", lines: +121 -0
+		crypto/objects/obj_dat.h (1.49.2.19), "Exp", lines: +33 -3
+		crypto/objects/obj_mac.h (1.19.2.19), "Exp", lines: +40 -0
+		crypto/objects/obj_mac.num (1.15.2.15), "Exp", lines: +10 -0
+		crypto/objects/objects.txt (1.20.2.20), "Exp", lines: +13 -0
+		crypto/ocsp/Makefile (1.1.4.1), "Exp", lines: +291 -0
+		crypto/pem/Makefile (1.1.4.1), "Exp", lines: +334 -0
+		crypto/pkcs12/Makefile (1.1.4.1), "Exp", lines: +415 -0
+		crypto/pkcs7/Makefile (1.1.4.1), "Exp", lines: +241 -0
+		crypto/rand/Makefile (1.1.4.1), "Exp", lines: +196 -0
+		crypto/rand/md_rand.c (1.69.2.4), "Exp", lines: +9 -0
+		crypto/rand/rand.h (1.26.2.7), "Exp", lines: +3 -0
+		crypto/rand/rand_err.c (1.6.2.3), "Exp", lines: +4 -1
+		crypto/rand/rand_lib.c (1.15.2.4), "Exp", lines: +11 -0
+		crypto/rc2/Makefile (1.1.4.1), "Exp", lines: +89 -0
+		crypto/rc4/Makefile (1.1.4.1), "Exp", lines: +108 -0
+		crypto/rc5/Makefile (1.1.4.1), "Exp", lines: +106 -0
+		crypto/ripemd/Makefile (1.1.4.1), "Exp", lines: +111 -0
+		crypto/rsa/Makefile (1.1.4.1), "Exp", lines: +239 -0
+		crypto/rsa/rsa_eay.c (1.28.2.9), "Exp", lines: +1 -1
+		crypto/rsa/rsa_gen.c (1.8.6.1), "Exp", lines: +3 -0
+		crypto/sha/Makefile (1.1.4.1), "Exp", lines: +118 -0
+		crypto/sha/sha1dgst.c (1.21.2.1), "Exp", lines: +8 -0
+		crypto/stack/Makefile (1.1.4.1), "Exp", lines: +86 -0
+		crypto/txt_db/Makefile (1.1.4.1), "Exp", lines: +86 -0
+		crypto/ui/Makefile (1.1.4.1), "Exp", lines: +115 -0
+		crypto/x509/Makefile (1.1.4.1), "Exp", lines: +592 -0
+		crypto/x509v3/Makefile (1.1.4.1), "Exp", lines: +601 -0
+		fips/Makefile (1.1.4.1), "Exp", lines: +202 -0
+		fips/fingerprint.sha1 (1.1.2.4), "Exp", lines: +4 -4
+		fips/fips.c (1.1.2.3), "Exp", lines: +120 -5
+		fips/fips.h (1.1.2.3), "Exp", lines: +42 -2
+		fips/fips_check_sha1 (1.1.2.5), "Exp", lines: +2 -2
+		fips/fips_err.h (1.1.4.1), "Exp", lines: +117 -0
+		fips/fips_err_wrapper.c (1.1.2.3), "Exp", lines: +4 -2
+		fips/fips_locl.h (1.1.4.1), "Exp", lines: +62 -0
+		fips/fips_make_sha1 (1.1.2.5), "Exp", lines: +9 -6
+		fips/fips_test_suite.c (1.1.4.1), "Exp", lines: +302 -0
+		fips/openssl_fips_fingerprint (1.1.4.1), "Exp", lines: +25 -0
+		fips/aes/Makefile (1.1.4.1), "Exp", lines: +131 -0
+		fips/aes/fingerprint.sha1 (1.1.2.3), "Exp", lines: +3 -2
+		fips/aes/fips_aes_core.c (1.1.2.3), "Exp", lines: +5 -2
+		fips/aes/fips_aes_locl.h (1.1.2.3), "Exp", lines: +0 -0
+		fips/aes/fips_aes_selftest.c (1.1.4.1), "Exp", lines: +112 -0
+		fips/aes/fips_aesavs.c (1.1.2.10), "Exp", lines: +12 -6
+		fips/des/Makefile (1.1.4.1), "Exp", lines: +155 -0
+		fips/des/fingerprint.sha1 (1.1.2.3), "Exp", lines: +5 -2
+		fips/des/fips_des_enc.c (1.1.2.4), "Exp", lines: +16 -3
+		fips/des/fips_des_locl.h (1.1.2.3), "Exp", lines: +1 -1
+		fips/des/fips_des_selftest.c (1.1.4.1), "Exp", lines: +200 -0
+		fips/des/fips_desmovs.c (1.1.2.4), "Exp", lines: +186 -79
+		fips/des/fips_set_key.c (1.1.4.1), "Exp", lines: +415 -0
+		fips/des/asm/fips-dx86-elf.s (1.1.4.1), "Exp", lines: +2697 -0
+		fips/dsa/Makefile (1.1.4.1), "Exp", lines: +159 -0
+		fips/dsa/fingerprint.sha1 (1.1.2.4), "Exp", lines: +3 -1
+		fips/dsa/fips_dsa_gen.c (1.1.4.1), "Exp", lines: +373 -0
+		fips/dsa/fips_dsa_ossl.c (1.1.2.4), "Exp", lines: +16 -3
+		fips/dsa/fips_dsa_selftest.c (1.1.4.1), "Exp", lines: +168 -0
+		fips/dsa/fips_dsatest.c (1.1.2.4), "Exp", lines: +10 -6
+		fips/dsa/fips_dssvs.c (1.1.4.1), "Exp", lines: +306 -0
+		fips/rand/Makefile (1.1.4.1), "Exp", lines: +104 -0
+		fips/rand/fingerprint.sha1 (1.1.2.3), "Exp", lines: +2 -2
+		fips/rand/fips_rand.c (1.1.2.3), "Exp", lines: +60 -10
+		fips/rand/fips_rand.h (1.1.2.3), "Exp", lines: +19 -1
+		fips/rand/fips_randtest.c (1.1.2.3), "Exp", lines: +31 -10
+		fips/rsa/Makefile (1.1.4.1), "Exp", lines: +112 -0
+		fips/rsa/fingerprint.sha1 (1.1.4.1), "Exp", lines: +3 -0
+		fips/rsa/fips_rsa_eay.c (1.1.4.1), "Exp", lines: +735 -0
+		fips/rsa/fips_rsa_gen.c (1.1.4.1), "Exp", lines: +249 -0
+		fips/rsa/fips_rsa_selftest.c (1.1.4.1), "Exp", lines: +207 -0
+		fips/sha1/.cvsignore (1.1.2.3), "Exp", lines: +1 -2
+		fips/sha1/Makefile (1.1.4.1), "Exp", lines: +158 -0
+		fips/sha1/fingerprint.sha1 (1.1.2.4), "Exp", lines: +5 -3
+		fips/sha1/fips_md32_common.h (1.1.2.3), "Exp", lines: +0 -0
+		fips/sha1/fips_sha1_selftest.c (1.1.4.1), "Exp", lines: +97 -0
+		fips/sha1/fips_sha1dgst.c (1.1.2.4), "Exp", lines: +4 -4
+		fips/sha1/fips_sha1test.c (1.1.2.4), "Exp", lines: +17 -0
+		fips/sha1/fips_sha_locl.h (1.1.2.3), "Exp", lines: +7 -0
+		fips/sha1/fips_standalone_sha1.c (1.1.2.4), "Exp", lines: +60 -7
+		fips/sha1/sha1hashes.txt (1.1.2.3), "Exp", lines: +0 -0
+		fips/sha1/sha1vectors.txt (1.1.2.3), "Exp", lines: +0 -0
+		fips/sha1/standalone.sha1 (1.1.2.5), "Exp", lines: +6 -4
+		fips/sha1/asm/sx86-elf.s (1.1.4.1), "Exp", lines: +1568 -0
+		ms/do_masm.bat (1.1.8.2), "Exp", lines: +12 -10
+		ms/do_ms.bat (1.4.8.2), "Exp", lines: +11 -11
+		ms/do_nasm.bat (1.1.8.2), "Exp", lines: +12 -11
+		ms/do_nt.bat (1.2.8.1), "Exp", lines: +4 -4
+		shlib/hpux10-cc.sh (1.3.2.2), "Exp", lines: +3 -3
+		ssl/Makefile (1.1.4.1), "Exp", lines: +1019 -0
+		ssl/s3_clnt.c (1.53.2.16), "Exp", lines: +10 -0
+		ssl/s3_srvr.c (1.85.2.21), "Exp", lines: +9 -0
+		ssl/ssl_cert.c (1.48.2.7), "Exp", lines: +9 -0
+		ssl/ssl_lib.c (1.110.2.12), "Exp", lines: +13 -1
+		ssl/ssltest.c (1.53.2.23), "Exp", lines: +33 -1
+		ssl/t1_enc.c (1.27.2.8), "Exp", lines: +19 -1
+		test/.cvsignore (1.4.8.1), "Exp", lines: +4 -0
+		test/Makefile (1.1.4.1), "Exp", lines: +941 -0
+		test/bctest (1.14.2.1), "Exp", lines: +1 -1
+		test/testenc (1.3.8.1), "Exp", lines: +1 -1
+		test/testfipsssl (1.1.4.1), "Exp", lines: +113 -0
+		tools/Makefile (1.1.4.1), "Exp", lines: +61 -0
+		util/cygwin.sh (1.1.2.5), "Exp", lines: +3 -3
+		util/domd (1.6.2.3), "Exp", lines: +5 -5
+		util/fixNT.sh (1.1.1.2.8.1), "Exp", lines: +3 -3
+		util/libeay.num (1.173.2.19), "Exp", lines: +55 -11
+		util/mk1mf.pl (1.41.2.10), "Exp", lines: +6 -4
+		util/mkdef.pl (1.67.2.7), "Exp", lines: +11 -4
+		util/mkerr.pl (1.18.2.6), "Exp", lines: +2 -1
+		util/mkfiles.pl (1.12.2.1), "Exp", lines: +8 -1
+		util/pod2mantest (1.1.2.7), "Exp", lines: +1 -1
+		util/selftest.pl (1.18.2.1), "Exp", lines: +2 -2
+		util/pl/BC-16.pl (1.2.2.1), "Exp", lines: +1 -1
+		util/pl/BC-32.pl (1.11.2.4), "Exp", lines: +1 -1
+		util/pl/Mingw32.pl (1.12.6.5), "Exp", lines: +1 -1
+		util/pl/OS2-EMX.pl (1.1.2.3), "Exp", lines: +1 -1
+		util/pl/VC-16.pl (1.3.2.1), "Exp", lines: +2 -2
+		util/pl/VC-32.pl (1.11.2.3), "Exp", lines: +2 -2
+		util/pl/VC-CE.pl (1.1.2.5), "Exp", lines: +1 -1
+		util/pl/ultrix.pl (1.2.8.1), "Exp", lines: +1 -1
+
+	Pull FIPS back into stable.
+
+2004-05-12 10:27  levitte
+
+	Changed:
+		apps/Makefile (1.1.4.2), "Exp", lines: +3 -1
+
+	Only check for FIPS signatures when FIPS is enabled.
+
+2004-05-12 10:28  levitte
+
+	Changed:
+		crypto/des/FILES0 (1.1.4.2), "Exp", lines: +1 -1
+
+	Makefile.ssl changed name to Makefile.
+
+2004-05-12 10:28  levitte
+
+	Changed:
+		fips/rand/fips_rand.c (1.1.2.4), "Exp", lines: +5 -1
+
+	Only really build this file when OPENSSL_FIPS is defined.  And oh,
+	let's keep internal variables static.
+
+2004-05-12 10:42  levitte
+
+	Changed:
+		fips/rand/fingerprint.sha1 (1.1.2.4), "Exp", lines: +1 -1
+
+	I forgot to modify the signature for fips_rand.c...
+
+2004-05-12 10:46  levitte
+
+	Changed:
+		fips/rsa/.cvsignore (1.1.4.1), "Exp", lines: +1 -0
+		fips/.cvsignore (1.1.2.3), "Exp", lines: +1 -1
+		fips/aes/.cvsignore (1.1.2.3), "Exp", lines: +0 -3
+		fips/des/.cvsignore (1.1.2.3), "Exp", lines: +0 -2
+		fips/dsa/.cvsignore (1.1.2.3), "Exp", lines: +0 -1
+		fips/rand/.cvsignore (1.1.2.3), "Exp", lines: +0 -1
+
+	Ignore the 'lib' timestamp file.
+
+2004-05-12 12:07  levitte
+
+	Changed:
+		fips/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
+		fips/aes/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
+		fips/des/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
+		fips/dsa/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
+		fips/rand/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
+		fips/rsa/.cvsignore (1.1.4.2), "Exp", lines: +1 -0
+		fips/sha1/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
+
+	Ignore 'Makefile.save'
+
+2004-05-12 16:11  ben
+
+	Changed:
+		crypto/rand/rand.h (1.26.2.8), "Exp", lines: +2 -0
+		crypto/rand/rand_err.c (1.6.2.4), "Exp", lines: +2 -0
+		fips/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
+		fips/fips.c (1.1.2.4), "Exp", lines: +5 -1
+		fips/rand/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
+		fips/rand/fips_rand.c (1.1.2.5), "Exp", lines: +29 -0
+
+	Blow up in people's faces if they don't reseed.
+
+2004-05-15 19:51  ben
+
+	Changed:
+		crypto/dh/dh.h (1.23.2.6), "Exp", lines: +1 -0
+		crypto/dh/dh_err.c (1.6.2.3), "Exp", lines: +2 -1
+		crypto/dh/dh_gen.c (1.8.8.2), "Exp", lines: +9 -0
+		fips/fips_test_suite.c (1.1.4.2), "Exp", lines: +4 -3
+		fips/aes/fips_aesavs.c (1.1.2.11), "Exp", lines: +49 -1
+		fips/des/fingerprint.sha1 (1.1.2.4), "Exp", lines: +1 -1
+		fips/des/fips_desmovs.c (1.1.2.5), "Exp", lines: +49 -1
+		fips/des/fips_set_key.c (1.1.4.2), "Exp", lines: +2 -0
+		fips/sha1/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
+		fips/sha1/fips_md32_common.h (1.1.2.4), "Exp", lines: +3 -0
+		fips/sha1/standalone.sha1 (1.1.2.6), "Exp", lines: +1 -1
+
+	Fix self-tests, ban some things in FIPS mode, fix copyrights.
+
+2004-05-17 06:28  levitte
+
+	Changed:
+		util/mk1mf.pl (1.41.2.11), "Exp", lines: +8 -2
+		util/pl/BC-16.pl (1.2.2.2), "Exp", lines: +9 -4
+		util/pl/BC-32.pl (1.11.2.5), "Exp", lines: +8 -3
+		util/pl/Mingw32.pl (1.12.6.6), "Exp", lines: +7 -2
+		util/pl/OS2-EMX.pl (1.1.2.4), "Exp", lines: +7 -2
+		util/pl/VC-16.pl (1.3.2.2), "Exp", lines: +7 -2
+		util/pl/VC-32.pl (1.11.2.4), "Exp", lines: +7 -2
+		util/pl/VC-CE.pl (1.1.2.6), "Exp", lines: +7 -2
+		util/pl/linux.pl (1.3.6.1), "Exp", lines: +7 -2
+		util/pl/ultrix.pl (1.2.8.2), "Exp", lines: +7 -2
+		util/pl/unix.pl (1.2.8.1), "Exp", lines: +7 -2
+
+	Generate SHA1 files on Windows and other platforms supported by
+	mk1mf.pl, when building in FIPS mode.
+
+		Note: UNTESTED!
+
+2004-05-17 06:30  levitte
+
+	Changed:
+		apps/apps.h (1.44.2.14), "Exp", lines: +3 -0
+		apps/openssl.c (1.48.2.10), "Exp", lines: +9 -5
+
+	Make sure the applications know when we are running in FIPS mode.
+	We can't use the variable in libcrypto, since it's supposedly
+	unknown.
+
+		Note: currently only supported in MONOLITH mode.
+
+2004-05-17 06:31  levitte
+
+	Changed:
+		apps/enc.c (1.35.2.9), "Exp", lines: +10 -1
+
+	When in FIPS mode, use SHA1 to digest the key, rather than MD5, as
+	MD5 isn't a FIPS-approved algorithm.
+
+		Note: this means the user needs to keep track of this, and
+	we need to add support for that...
+
+2004-05-19 16:16  levitte
+
+	Changed:
+		fips/rsa/fingerprint.sha1 (1.1.4.2), "Exp", lines: +2 -2
+		fips/rsa/fips_rsa_eay.c (1.1.4.2), "Exp", lines: +8 -8
+		fips/rsa/fips_rsa_gen.c (1.1.4.2), "Exp", lines: +1 -1
+		fips/dsa/fingerprint.sha1 (1.1.2.5), "Exp", lines: +2 -2
+		fips/dsa/fips_dsa_gen.c (1.1.4.2), "Exp", lines: +2 -2
+		fips/dsa/fips_dsa_ossl.c (1.1.2.5), "Exp", lines: +4 -4
+		fips/aes/fingerprint.sha1 (1.1.2.4), "Exp", lines: +1 -1
+		fips/aes/fips_aes_core.c (1.1.2.4), "Exp", lines: +5 -5
+		crypto/rsa/rsa.h (1.36.2.11), "Exp", lines: +4 -0
+		crypto/aes/aes.h (1.1.2.10), "Exp", lines: +6 -0
+		crypto/dsa/dsa.h (1.26.2.5), "Exp", lines: +4 -0
+
+	Define FIPS_*_SIZE_T for AES, DSA and RSA as well, in preparation
+	for size_t-ification of those algorithms in future version of
+	OpenSSL...
+
+2004-05-27 11:33  levitte
+
+	Changed:
+		makevms.com (1.35.2.3), "Exp", lines: +27 -0
+
+	Copy the FIPS files to the temporary openssl include directory.
+
+2004-05-27 12:04  levitte
+
+	Changed:
+		fips/fips-lib.com (1.1.2.1), "Exp", lines: +1179 -0
+		makevms.com (1.35.2.4), "Exp", lines: +8 -0
+
+	Compile the FIPS directory on VMS as well.  fips-lib.com is
+	essentially a copy of crypto-lib.com, with just a few edits.
+
+2004-05-27 12:07  levitte
+
+	Changed:
+		fips/install.com (1.1.2.1), "Exp", lines: +55 -0
+		install.com (1.4.2.2), "Exp", lines: +6 -6
+
+	Run an installation of FIPS stuff as well.
+
+2004-05-27 12:19  levitte
+
+	Changed:
+		test/maketests.com (1.13.2.5), "Exp", lines: +3 -3
+		apps/makeapps.com (1.18.2.5), "Exp", lines: +3 -3
+
+	Make sure o_str.h is reachable.
+
+2004-06-19 15:15  ben
+
+	Changed:
+		Makefile.org (1.154.2.80), "Exp", lines: +1 -1
+		crypto/dh/dh.h (1.23.2.7), "Exp", lines: +0 -1
+		crypto/dh/dh_check.c (1.6.2.1), "Exp", lines: +4 -0
+		crypto/dh/dh_err.c (1.6.2.4), "Exp", lines: +0 -1
+		crypto/dh/dh_gen.c (1.8.8.3), "Exp", lines: +5 -9
+		crypto/dh/dh_key.c (1.16.2.3), "Exp", lines: +4 -0
+		fips/Makefile (1.1.4.2), "Exp", lines: +13 -14
+		fips/fingerprint.sha1 (1.1.2.6), "Exp", lines: +2 -2
+		fips/fips.h (1.1.2.4), "Exp", lines: +1 -0
+		fips/fips_err.h (1.1.4.2), "Exp", lines: +1 -0
+		fips/fips_make_sha1 (1.1.2.6), "Exp", lines: +3 -0
+		fips/fips_test_suite.c (1.1.4.3), "Exp", lines: +13 -9
+		fips/openssl_fips_fingerprint (1.1.4.2), "Exp", lines: +1 -2
+
+	The version that was actually submitted for FIPS testing.
+
+2004-06-19 15:16  ben
+
+	Changed:
+		fips/dh/Makefile (1.1.2.1), "Exp", lines: +92 -0
+		fips/dh/fingerprint.sha1 (1.1.2.1), "Exp", lines: +3 -0
+		fips/dh/fips_dh_check.c (1.1.2.1), "Exp", lines: +119 -0
+		fips/dh/fips_dh_gen.c (1.1.2.1), "Exp", lines: +182 -0
+		fips/dh/fips_dh_key.c (1.1.2.1), "Exp", lines: +222 -0
+
+	Add Diffie-Hellman to FIPS.
+
+2004-06-19 15:18  ben
+
+	Changed:
+		fips/.cvsignore (1.1.2.5), "Exp", lines: +2 -0
+		fips/dh/.cvsignore (1.1.2.1), "Exp", lines: +1 -0
+
+	Update ignores.
+
+2004-06-21 11:07  levitte
+
+	Changed:
+		fips/aes/Makefile (1.1.4.2), "Exp", lines: +7 -5
+		fips/des/Makefile (1.1.4.2), "Exp", lines: +7 -5
+		fips/dh/Makefile (1.1.2.2), "Exp", lines: +7 -6
+		fips/dsa/Makefile (1.1.4.2), "Exp", lines: +7 -6
+		fips/rsa/Makefile (1.1.4.2), "Exp", lines: +7 -6
+		fips/sha1/Makefile (1.1.4.2), "Exp", lines: +7 -5
+
+	Make sure we don't try to loop over an empty EXHEADER.	In the
+	Makefiles where this was fixed by commenting away code, change it
+	to check for an empty EXHEADER instead, so we have less hassle in a
+	future where EXHEADER changes.
+
+		PR: 900
+
+2004-06-21 20:05  levitte
+
+	Changed:
+		Makefile.org (1.154.2.82), "Exp", lines: +3 -1
+
+	Standard sh doesn't tolerate ! as part of the conditional command.
+
+		PR: 900
+
+2004-06-28 22:33  levitte
+
+	Changed:
+		fips/dh/fips_dh_check.c (1.1.2.2), "Exp", lines: +6 -0
+		fips/dh/fips_dh_gen.c (1.1.2.2), "Exp", lines: +6 -2
+		fips/dh/fips_dh_key.c (1.1.2.2), "Exp", lines: +8 -0
+
+	Make sure the FIPS stuff is only really compiled when in FIPS mode.
+
+2004-07-12 19:59  ben
+
+	Changed:
+		fips/fips_test_suite.c (1.1.4.4), "Exp", lines: +39 -6
+		fips/dh/fingerprint.sha1 (1.1.2.2), "Exp", lines: +3 -3
+
+	Corrected test program.
+
+2004-07-17 14:48  appro
+
+	Changed:
+		fips/des/Makefile (1.1.4.3), "Exp", lines: +1 -1
+
+	Eliminate enforced -g from CFLAGS. It switches off optimization
+	with some compilers, e.g. DEC C.
+
+2004-07-21 19:41  steve
+
+	Changed:
+		crypto/pem/pem_all.c (1.20.2.1), "Exp", lines: +119 -0
+
+	When in FIPS mode write private keys in PKCS#8 and PBES2 format to
+	avoid use of prohibited MD5 algorithm.
+
+2004-07-23 15:20  ben
+
+	Changed:
+		fips/rand/fingerprint.sha1 (1.1.2.7), "Exp", lines: +1 -1
+		fips/rand/fips_rand.c (1.1.2.7), "Exp", lines: +22 -7
+		fips/rand/fips_randtest.c (1.1.2.5), "Exp", lines: +2 -2
+
+	Convert to X9.31.
+
+2004-07-21 19:35  steve
+
+	Changed:
+		fips/fingerprint.sha1 (1.1.2.7), "Exp", lines: +1 -1
+		fips/fips.c (1.1.2.5), "Exp", lines: +3 -3
+		fips/rsa/fingerprint.sha1 (1.1.4.3), "Exp", lines: +1 -1
+		fips/rsa/fips_rsa_selftest.c (1.1.4.2), "Exp", lines: +8 -8
+
+	Avoid compiler warnings.
+
+2004-07-27 02:17  steve
+
+	Changed:
+		fips/fips_test_suite.c (1.1.4.5), "Exp", lines: +9 -8
+
+	Stop compiler warnings.
+
+2004-07-27 02:20  steve
+
+	Changed:
+		crypto/err/err.c (1.51.2.6), "Exp", lines: +1 -0
+
+	Add FIPS name to error library.
+
+2004-07-27 14:22  steve
+
+	Changed:
+		Makefile.org (1.154.2.84), "Exp", lines: +3 -3
+		fips/fips_check_sha1 (1.1.2.6), "Exp", lines: +1 -1
+		fips/openssl_fips_fingerprint (1.1.4.3), "Exp", lines: +1 -1
+
+	Rename libcrypto.sha1 to libcrypto.a.sha1
+
+2004-07-27 20:28  steve
+
+	Changed:
+		ssl/s3_lib.c (1.57.2.11), "Exp", lines: +33 -33
+		ssl/ssl.h (1.126.2.20), "Exp", lines: +1 -0
+		ssl/ssl_ciph.c (1.33.2.9), "Exp", lines: +11 -0
+		ssl/ssl_locl.h (1.47.2.3), "Exp", lines: +2 -1
+
+	New cipher "strength" FIPS which specifies that a cipher suite is
+	FIPS compatible.
+
+		New cipherstring "FIPS" is all FIPS compatible ciphersuites
+	except eNULL.
+
+		Only allow FIPS ciphersuites in FIPS mode.
+
+2004-07-28 04:24  levitte
+
+	Changed:
+		makevms.com (1.35.2.6), "Exp", lines: +2 -2
+
+	From the FIPS directory, darnit!
+
+2004-07-28 15:47  levitte
+
+	Changed:
+		makevms.com (1.35.2.7), "Exp", lines: +5 -1
+
+	Define OPENSSL_FIPS in opensslconf.h if a logical name with the
+	same name is defined.
+
+		Go up one directory level before dealing with FIPS stuff.
+
+2004-07-30 00:26  levitte
+
+	Changed:
+		fips/fips-lib.com (1.1.2.2), "Exp", lines: +3 -3
+
+	We're building crypto stuff, not ssl stuff.  Additionally, we're in
+	the fips subdirectory, not the crypto one...
+
+2004-07-30 16:37  levitte
+
+	Changed:
+		fips/sha1/fingerprint.sha1 (1.1.2.7), "Exp", lines: +2 -2
+		fips/sha1/fips_md32_common.h (1.1.2.6), "Exp", lines: +1 -1
+		fips/sha1/fips_sha_locl.h (1.1.2.5), "Exp", lines: +2 -2
+		fips/sha1/fips_standalone_sha1.c (1.1.2.5), "Exp", lines: +1 -1
+		fips/sha1/standalone.sha1 (1.1.2.8), "Exp", lines: +3 -3
+		ssl/ssl_ciph.c (1.33.2.10), "Exp", lines: +2 -2
+		fips/rsa/fingerprint.sha1 (1.1.4.4), "Exp", lines: +2 -2
+		fips/rsa/fips_rsa_eay.c (1.1.4.3), "Exp", lines: +1 -1
+		fips/rsa/fips_rsa_gen.c (1.1.4.3), "Exp", lines: +1 -1
+		fips/dh/fingerprint.sha1 (1.1.2.3), "Exp", lines: +1 -1
+		fips/dh/fips_dh_gen.c (1.1.2.3), "Exp", lines: +1 -1
+		fips/dsa/fingerprint.sha1 (1.1.2.6), "Exp", lines: +2 -2
+		fips/dsa/fips_dsa_gen.c (1.1.4.3), "Exp", lines: +4 -3
+		fips/dsa/fips_dsa_ossl.c (1.1.2.6), "Exp", lines: +2 -2
+		fips/des/fingerprint.sha1 (1.1.2.5), "Exp", lines: +2 -2
+		fips/des/fips_des_enc.c (1.1.2.5), "Exp", lines: +2 -2
+		fips/des/fips_set_key.c (1.1.4.3), "Exp", lines: +3 -3
+		fips/fingerprint.sha1 (1.1.2.8), "Exp", lines: +2 -2
+		fips/fips.c (1.1.2.6), "Exp", lines: +76 -23
+		fips/fips.h (1.1.2.5), "Exp", lines: +2 -3
+		fips/fips_locl.h (1.1.4.2), "Exp", lines: +7 -2
+		fips/aes/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
+		fips/aes/fips_aes_core.c (1.1.2.5), "Exp", lines: +1 -1
+		crypto/rand/md_rand.c (1.69.2.5), "Exp", lines: +1 -1
+		crypto/rand/rand_lib.c (1.15.2.5), "Exp", lines: +2 -1
+		crypto/dsa/dsa_sign.c (1.10.2.6), "Exp", lines: +2 -2
+		crypto/dsa/dsa_vrf.c (1.10.2.6), "Exp", lines: +1 -1
+		crypto/pem/pem_all.c (1.20.2.2), "Exp", lines: +2 -2
+		crypto/cryptlib.c (1.32.2.12), "Exp", lines: +122 -6
+		crypto/crypto.h (1.62.2.8), "Exp", lines: +8 -1
+		crypto/md32_common.h (1.22.2.7), "Exp", lines: +2 -2
+
+	To protect FIPS-related global variables, add locking mechanisms
+	around them.
+
+		NOTE: because two new locks are added, this adds potential
+	binary incompatibility with earlier versions in the 0.9.7 series.
+	However, those locks will only ever be touched when FIPS_mode_set()
+	is called and after, thanks to a variable that's only changed from
+	0 to 1 once (when FIPS_mode_set() is called).  So basically, as
+	long as FIPS mode hasn't been engaged explicitely by the calling
+	application, the new locks are treated as if they didn't exist at
+	all, thus not becoming a problem.  Applications that are built or
+	rebuilt to use FIPS functionality will need to be recompiled in any
+	case, thus not being a problem either.
+
+2004-08-02 16:15  levitte
+
+	Changed:
+		crypto/cryptlib.c (1.32.2.13), "Exp", lines: +4 -4
+
+	Let's lock a write lock when changing values, shall we?
+
+		Thanks to Dr Stephen Henson <shenson@drh-consultancy.co.uk>
+	for making me aware of this error.
+
+2004-08-05 20:11  steve
+
+	Changed:
+		fips/fingerprint.sha1 (1.1.2.9), "Exp", lines: +1 -1
+		fips/fips.c (1.1.2.7), "Exp", lines: +1 -1
+
+	Stop compiler giving bogus shadow warning.
+
+2004-08-09 14:13  levitte
+
+	Changed:
+		makevms.com (1.35.2.8), "Exp", lines: +1 -1
+
+	In the fips directory, we use FIPS-LIB.COM, not CRYPTO-LIB.COM...
+
+2004-08-09 14:14  levitte
+
+	Changed:
+		fips/fips-lib.com (1.1.2.3), "Exp", lines: +4 -4
+
+	Correct typos and include directory specifications.
+
+2004-08-10 11:11  levitte
+
+	Changed:
+		fips/fips-lib.com (1.1.2.4), "Exp", lines: +2 -1
+
+	Update the VMS fips library builder with the DH library.
+
+2004-08-10 12:04  levitte
+
+	Changed:
+		fips/rand/fingerprint.sha1 (1.1.2.8), "Exp", lines: +1 -1
+		fips/rand/fips_rand.c (1.1.2.8), "Exp", lines: +7 -1
+
+	With DEC C in ANSI C mode, we need to define _XOPEN_SOURCE_EXTENDED
+	to get struct timeval and gettimeofday().
+
+2004-09-06 16:19  levitte
+
+	Changed:
+		fips/fips.c (1.1.2.8), "Exp", lines: +5 -4
+
+	Replace the bogus checks of n with proper uses of feof(), ferror()
+	and clearerr().
+
+2004-09-06 16:21  levitte
+
+	Changed:
+		fips/sha1/fips_sha_locl.h (1.1.2.6), "Exp", lines: +2 -2
+
+	num is an unsigned long, but since it was transfered from
+	crypto/sha/sha_locl.h, where it is in fact an int, we need to check
+	for less-than-zero as if it was an int...
+
+2004-10-08 12:03  ben
+
+	Changed:
+		fips/fingerprint.sha1 (1.1.2.10), "Exp", lines: +1 -1
+		fips/sha1/fingerprint.sha1 (1.1.2.8), "Exp", lines: +1 -1
+		fips/sha1/standalone.sha1 (1.1.2.9), "Exp", lines: +1 -1
+
+	Update fingerprints.
+
+2004-10-14 07:51  levitte
+
+	Changed:
+		VMS/mkshared.com (1.3.2.1), "Exp", lines: +8 -0
+
+	We need to check for OPENSSL_FIPS when building shared libraries,
+	so we get correct transfer vectors for those functions when
+	required.
+
+2004-10-26 13:47  steve
+
+	Changed:
+		util/mkfiles.pl (1.12.2.2), "Exp", lines: +1 -0
+
+	Add fips/dh directory to mkfiles.pl
+
+2004-10-26 14:17  levitte
+
+	Changed:
+		fips/sha1/Makefile (1.1.4.4), "Exp", lines: +3 -1
+		util/mkfiles.pl (1.12.2.3), "Exp", lines: +1 -0
+		fips/Makefile (1.1.4.5), "Exp", lines: +7 -1
+		crypto/sha/Makefile (1.1.4.4), "Exp", lines: +1 -7
+
+	fips/dh was missing in mkfiles.pl.  make update
+
+2004-10-26 15:01  steve
+
+	Changed:
+		util/mkfiles.pl (1.12.2.4), "Exp", lines: +0 -1
+
+	Only add fips/dh once...
+
+2004-11-01 09:20  levitte
+
+	Changed:
+		fips/rand/fingerprint.sha1 (1.1.2.9), "Exp", lines: +1 -1
+		fips/rand/fips_rand.c (1.1.2.9), "Exp", lines: +3 -1
+
+	Make sure _XOPEN_SOURCE_EXTENDED is correctly defined, and only if
+	not already defined.
+
+2004-12-09 19:03  appro
+
+	vChanged:
+		crypto/Makefile (1.1.4.4), "Exp", lines: +2 -0
+
+	Postpone linking of shared libcrypto in FIPS build.
+
+2004-12-09 19:13  appro
+
+	Changed:
+		fips/fingerprint.sha1 (1.1.2.11), "Exp", lines: +1 -1
+		fips/fips.c (1.1.2.9), "Exp", lines: +13 -1
+		fips/openssl_fips_fingerprint (1.1.4.4), "Exp", lines: +4 -2
+
+	Cygwin specific FIPS fix-ups.
+
+2004-12-09 23:43  appro
+
+	Changed:
+		Configure (1.314.2.100), "Exp", lines: +2 -3
+		crypto/des/des_enc.c (1.11.2.5), "Exp", lines: +2 -2
+
+	Eliminate false dependency on 386 config option is FIPS context.
+	At the same time limit assembler support to ELF platforms [that's
+	what is there, ELF modules].
+
+2004-12-10 12:37  appro
+
+	Changed:
+		Configure (1.314.2.101), "Exp", lines: +10 -3
+		crypto/des/des_enc.c (1.11.2.6), "Exp", lines: +2 -2
+
+	Respect no-asm with fips option and disable FIPS DES assembler in
+	shared context [because it's not PIC].
+
+2004-12-10 14:15  appro
+
+	Changed:
+		fips/sha1/fingerprint.sha1 (1.1.2.10), "Exp", lines: +1 -1
+		fips/sha1/standalone.sha1 (1.1.2.11), "Exp", lines: +1 -1
+		fips/sha1/asm/sx86-elf.s (1.1.4.3), "Exp", lines: +32 -32
+
+	Solaris x86 assembler update.
+
+2004-12-10 17:30  appro
+
+	Changed:
+		fips/fips_check_sha1 (1.1.2.7), "Exp", lines: +1 -1
+		fips/openssl_fips_fingerprint (1.1.4.5), "Exp", lines: +1 -1
+		fips/sha1/Makefile (1.1.4.6), "Exp", lines: +1 -1
+
+	Adapt FIPS sub-tree for mingw.
+
+2005-01-03 18:46  steve
+
+	Changed:
+		fips/rsa/fingerprint.sha1 (1.1.4.5), "Exp", lines: +1 -1
+		fips/rsa/fips_rsa_selftest.c (1.1.4.3), "Exp", lines: +55 -11
+
+	RSA KAT.
+
+2005-01-11 17:54  levitte
+
+	Changed:
+		fips/rsa/fingerprint.sha1 (1.1.4.6), "Exp", lines: +1 -1
+		fips/rsa/fips_rsa_selftest.c (1.1.4.4), "Exp", lines: +2 -2
+
+	Clear signed vs. unsigned conflicts.  Change the fingerprint
+	accordingly.
+
+2005-01-11 19:25  levitte
+
+	Changed:
+		ssl/ssltest.c (1.53.2.24), "Exp", lines: +2 -2
+		fips/rand/fips_randtest.c (1.1.2.6), "Exp", lines: +3 -3
+		fips/sha1/fips_sha1test.c (1.1.2.5), "Exp", lines: +10 -4
+		fips/des/fips_desmovs.c (1.1.2.6), "Exp", lines: +8 -7
+		fips/dsa/fips_dsatest.c (1.1.2.5), "Exp", lines: +2 -2
+		apps/openssl.c (1.48.2.12), "Exp", lines: +1 -1
+		fips/aes/fips_aesavs.c (1.1.2.12), "Exp", lines: +8 -7
+
+	Use EXIT() instead of exit().
+
+2005-01-26 21:00  steve
+
+	Changed:
+		apps/dgst.c (1.23.2.13), "Exp", lines: +10 -0
+		apps/pkcs12.c (1.60.2.13), "Exp", lines: +8 -1
+		crypto/crypto.h (1.62.2.9), "Exp", lines: +49 -0
+		crypto/md32_common.h (1.22.2.9), "Exp", lines: +1 -1
+		crypto/bf/bf_skey.c (1.6.2.1), "Exp", lines: +2 -1
+		crypto/bf/blowfish.h (1.9.2.1), "Exp", lines: +4 -1
+		crypto/cast/c_skey.c (1.5.6.1), "Exp", lines: +3 -1
+		crypto/cast/cast.h (1.7.2.1), "Exp", lines: +4 -1
+		crypto/evp/bio_md.c (1.11.2.3), "Exp", lines: +2 -7
+		crypto/evp/digest.c (1.21.2.7), "Exp", lines: +11 -0
+		crypto/evp/e_aes.c (1.6.2.11), "Exp", lines: +11 -11
+		crypto/evp/e_des.c (1.5.2.9), "Exp", lines: +5 -3
+		crypto/evp/e_des3.c (1.8.2.8), "Exp", lines: +6 -6
+		crypto/evp/evp.h (1.86.2.16), "Exp", lines: +17 -0
+		crypto/evp/evp_enc.c (1.28.2.11), "Exp", lines: +15 -1
+		crypto/evp/evp_err.c (1.23.2.4), "Exp", lines: +6 -1
+		crypto/evp/evp_locl.h (1.7.2.7), "Exp", lines: +17 -2
+		crypto/evp/m_dss.c (1.8.2.1), "Exp", lines: +1 -1
+		crypto/evp/m_md2.c (1.9.2.1), "Exp", lines: +1 -0
+		crypto/evp/m_md4.c (1.8.2.1), "Exp", lines: +1 -0
+		crypto/evp/m_md5.c (1.9.2.1), "Exp", lines: +1 -0
+		crypto/evp/m_mdc2.c (1.9.2.1), "Exp", lines: +1 -0
+		crypto/evp/m_sha.c (1.8.2.2), "Exp", lines: +1 -0
+		crypto/evp/m_sha1.c (1.8.2.1), "Exp", lines: +1 -1
+		crypto/evp/names.c (1.7.2.1), "Exp", lines: +3 -0
+		crypto/hmac/hmac.c (1.12.2.3), "Exp", lines: +7 -0
+		crypto/hmac/hmac.h (1.14.2.2), "Exp", lines: +1 -0
+		crypto/idea/i_skey.c (1.5.6.1), "Exp", lines: +13 -0
+		crypto/idea/idea.h (1.10.2.1), "Exp", lines: +4 -0
+		crypto/md2/md2.h (1.11.2.1), "Exp", lines: +3 -0
+		crypto/md2/md2_dgst.c (1.13.2.4), "Exp", lines: +3 -1
+		crypto/md4/md4.h (1.3.2.1), "Exp", lines: +3 -0
+		crypto/md4/md4_dgst.c (1.2.2.2), "Exp", lines: +1 -1
+		crypto/md5/md5.h (1.10.2.3), "Exp", lines: +3 -0
+		crypto/md5/md5_dgst.c (1.16.2.2), "Exp", lines: +1 -1
+		crypto/mdc2/mdc2.h (1.9.2.1), "Exp", lines: +3 -1
+		crypto/mdc2/mdc2dgst.c (1.13.2.1), "Exp", lines: +3 -1
+		crypto/rc2/rc2.h (1.10.2.1), "Exp", lines: +4 -1
+		crypto/rc2/rc2_skey.c (1.4.6.1), "Exp", lines: +13 -0
+		crypto/rc4/rc4.h (1.10.2.2), "Exp", lines: +3 -0
+		crypto/rc4/rc4_skey.c (1.10.8.2), "Exp", lines: +2 -1
+		crypto/rc5/rc5.h (1.5.2.1), "Exp", lines: +4 -1
+		crypto/rc5/rc5_skey.c (1.4.6.1), "Exp", lines: +14 -0
+		crypto/ripemd/ripemd.h (1.8.2.1), "Exp", lines: +3 -0
+		crypto/ripemd/rmd_dgst.c (1.13.2.2), "Exp", lines: +2 -1
+		crypto/sha/sha.h (1.11.2.2), "Exp", lines: +3 -0
+		crypto/sha/sha_locl.h (1.16.2.3), "Exp", lines: +4 -0
+		crypto/x509/x509_cmp.c (1.22.2.4), "Exp", lines: +7 -1
+		crypto/x509/x509_vfy.c (1.56.2.13), "Exp", lines: +1 -1
+		ssl/s3_clnt.c (1.53.2.18), "Exp", lines: +2 -0
+		ssl/s3_enc.c (1.31.2.9), "Exp", lines: +3 -0
+		ssl/s3_srvr.c (1.85.2.23), "Exp", lines: +2 -0
+		ssl/t1_enc.c (1.27.2.9), "Exp", lines: +2 -0
+
+	FIPS algorithm blocking.
+
+		Non FIPS algorithms are not normally allowed in FIPS mode.
+
+		Any attempt to use them via high level functions will
+	return an error.
+
+		The low level non-FIPS algorithm functions cannot return
+	errors so they produce assertion failures. HMAC also has to give an
+	assertion error because it (erroneously) can't return an error
+	either.
+
+		There are exceptions (such as MD5 in TLS and non
+	cryptographic use of algorithms) and applications can override the
+	blocking and use non FIPS algorithms anyway.
+
+		For low level functions the override is perfomed by
+	prefixing the algorithm initalization function with "private_" for
+	example private_MD5_Init().
+
+		For high level functions an override is performed by
+	setting a flag in the context.
+
+2005-01-27 02:49  steve
+
+	Changed:
+		apps/dgst.c (1.23.2.14), "Exp", lines: +9 -5
+		crypto/crypto.h (1.62.2.10), "Exp", lines: +3 -0
+		crypto/evp/digest.c (1.21.2.8), "Exp", lines: +34 -0
+		crypto/hmac/hmac.c (1.12.2.4), "Exp", lines: +9 -0
+
+	More FIPS algorithm blocking.
+
+		Catch attempted use of non FIPS algorithms with HMAC.
+
+		Give an assertion error for applications that ignore FIPS
+	digest errors.
+
+		Make -non-fips-allow work with dgst and HMAC.
+
+2005-01-28 15:03  steve
+
+	Changed:
+		apps/dgst.c (1.23.2.15), "Exp", lines: +2 -1
+		apps/enc.c (1.35.2.13), "Exp", lines: +38 -4
+		crypto/evp/e_rc4.c (1.11.2.2), "Exp", lines: +1 -0
+		crypto/evp/evp.h (1.86.2.17), "Exp", lines: +3 -0
+		crypto/evp/evp_enc.c (1.28.2.12), "Exp", lines: +60 -15
+		crypto/evp/evp_locl.h (1.7.2.8), "Exp", lines: +1 -0
+		test/testenc (1.3.8.2), "Exp", lines: +8 -8
+
+	Further FIPS algorithm blocking.
+
+		Fixes to cipher blocking and enabling code.
+
+		Add option -non-fips-allow to 'enc' and update testenc.
+
+2005-01-31 02:33  steve
+
+	Changed:
+		ssl/s23_clnt.c (1.20.2.7), "Exp", lines: +16 -0
+		ssl/s23_srvr.c (1.41.2.6), "Exp", lines: +9 -0
+		ssl/s3_clnt.c (1.53.2.19), "Exp", lines: +0 -8
+		ssl/s3_enc.c (1.31.2.10), "Exp", lines: +1 -0
+		ssl/s3_srvr.c (1.85.2.24), "Exp", lines: +0 -8
+		ssl/ssl.h (1.126.2.21), "Exp", lines: +1 -0
+		ssl/ssl_cert.c (1.48.2.10), "Exp", lines: +0 -8
+		ssl/ssl_err.c (1.41.2.4), "Exp", lines: +2 -1
+		ssl/ssl_lib.c (1.110.2.13), "Exp", lines: +8 -9
+		ssl/t1_enc.c (1.27.2.10), "Exp", lines: +0 -18
+
+	Only allow TLS is FIPS mode.
+
+		Remove old FIPS_allow_md5() calls.
+
+2005-02-05 19:24  steve
+
+	Changed:
+		apps/req.c (1.88.2.18), "Exp", lines: +8 -1
+		apps/x509.c (1.67.2.20), "Exp", lines: +8 -1
+
+	In FIPS mode use SHA1 as default digest in x509 and req utilities.
+
+2005-03-15 10:46  appro
+
+	Changed:
+		Makefile.org (1.154.2.96), "Exp", lines: +1 -1
+		crypto/Makefile (1.1.4.6), "Exp", lines: +2 -3
+		fips/Makefile (1.1.4.8), "Exp", lines: +4 -1
+
+	Real Bourne shell doesn't accept ! as in "if ! grep ..." Fix this
+	in crypto/Makefile and make Makefile.org and fips/Makefile more
+	discreet.
+
+2005-03-22 18:29  steve
+
+	Changed:
+		fips/fingerprint.sha1 (1.1.2.12), "Exp", lines: +1 -1
+		fips/fips.c (1.1.2.10), "Exp", lines: +1 -0
+
+	Fix memory leak.
+
+2005-03-27 05:36  steve
+
+	Changed:
+		crypto/evp/e_null.c (1.9.2.1), "Exp", lines: +1 -1
+		ssl/s3_lib.c (1.57.2.13), "Exp", lines: +3 -3
+
+	Allow 'null' cipher and appropriate Kerberos ciphersuites in FIPS
+	mode.
+
+2005-04-14 14:44  steve
+
+	Changed:
+		fips/fipshashes.sha1 (1.1.2.1), "Exp", lines: +29 -0
+		util/checkhash.pl (1.1.2.1), "Exp", lines: +181 -0
+
+	Perl script that checks or rebuilds FIPS hash files. This works on
+	both Unix and Windows.
+
+		Merge all FIPS hash files into a single hash file
+	fips/fips.sha1
+
+2005-04-15 05:27  steve
+
+	Changed:
+		fips/Makefile (1.1.4.9), "Exp", lines: +1 -1
+		fips/aes/Makefile (1.1.4.4), "Exp", lines: +1 -4
+		fips/des/Makefile (1.1.4.6), "Exp", lines: +1 -4
+		fips/dh/Makefile (1.1.2.5), "Exp", lines: +1 -4
+		fips/dsa/Makefile (1.1.4.4), "Exp", lines: +1 -4
+		fips/rand/Makefile (1.1.4.3), "Exp", lines: +1 -4
+		fips/rsa/Makefile (1.1.4.5), "Exp", lines: +1 -4
+		fips/sha1/Makefile (1.1.4.9), "Exp", lines: +1 -7
+
+	Update hash checking in makefiles to use new perl script.
+
+2005-04-17 06:37  steve
+
+	Changed:
+		util/checkhash.pl (1.1.2.2), "Exp", lines: +163 -127
+
+	Modify checkhash.pl so it can be run standalone or included as a
+	funtion in another perl script.
+
+2005-04-17 16:00  appro
+
+	Changed:
+		fips/sha1/Makefile (1.1.4.10), "Exp", lines: +9 -5
+
+	Bring back fips_standalone_sha1.
+
+2005-04-17 16:17  appro
+
+	Deleted:
+		fips/sha1/asm/sx86-elf.s (1.1.4.4)
+	Changed:
+		Configure (1.314.2.114), "Exp", lines: +1 -1
+		fips/fipshashes.sha1 (1.1.2.2), "Exp", lines: +1 -1
+		fips/sha1/Makefile (1.1.4.11), "Exp", lines: +1 -1
+		fips/sha1/standalone.sha1 (1.1.2.13), "Exp", lines: +1 -1
+		fips/sha1/asm/fips-sx86-elf.s (1.1.2.1), "Exp", lines: +1568 -0
+
+	Rename fips/sha1/sx86-elf.s to fips/sha1/fips-sx86-elf.s.
+
+2005-04-17 16:21  steve
+
+	Changed:
+		util/checkhash.pl (1.1.2.3), "Exp", lines: +2 -0
+
+	Return 0 for successful hash check.
+
+2005-04-17 16:54  appro
+
+	Changed:
+		Configure (1.314.2.116), "Exp", lines: +8 -1
+		Makefile.org (1.154.2.99), "Exp", lines: +3 -2
+		crypto/aes/aes_cbc.c (1.1.2.11), "Exp", lines: +2 -0
+		fips/fipshashes.sha1 (1.1.2.4), "Exp", lines: +1 -0
+		fips/aes/Makefile (1.1.4.5), "Exp", lines: +4 -2
+		fips/aes/asm/fips-ax86-elf.s (1.1.2.1), "Exp", lines: +1822 -0
+
+	Throw in fips/aes/asm/fips-ax86-elf.s.
+
+2005-04-17 16:35  appro
+
+	Changed:
+		Configure (1.314.2.115), "Exp", lines: +1 -1
+		fips/fipshashes.sha1 (1.1.2.3), "Exp", lines: +1 -1
+		fips/des/asm/fips-dx86-elf.s (1.1.4.2), "Exp", lines: +108 -98
+
+	Regenerate fips/des/asm/fips-dx86-elf.s with -fPIC flag.
+
+2005-04-17 17:26  appro
+
+	Changed:
+		crypto/cryptlib.c (1.32.2.18), "Exp", lines: +6 -55
+		crypto/crypto.h (1.62.2.11), "Exp", lines: +0 -3
+		fips/fips.c (1.1.2.11), "Exp", lines: +62 -8
+		fips/fips.h (1.1.2.7), "Exp", lines: +2 -3
+		fips/fips_locl.h (1.1.4.3), "Exp", lines: +6 -3
+		fips/fipshashes.sha1 (1.1.2.5), "Exp", lines: +4 -4
+		fips/rand/fips_rand.c (1.1.2.10), "Exp", lines: +3 -1
+		fips/rsa/fips_rsa_gen.c (1.1.4.4), "Exp", lines: +4 -2
+
+	Resolve minor binary compatibility issues in fips.
+
+2005-04-17 18:22  appro
+
+	Changed:
+		fips/fipshashes.sha1 (1.1.2.6), "Exp", lines: +12 -12
+		fips/des/fips_des_locl.h (1.1.2.4), "Exp", lines: +1 -1
+		fips/des/fips_set_key.c (1.1.4.4), "Exp", lines: +2 -2
+		fips/dh/fips_dh_key.c (1.1.2.3), "Exp", lines: +1 -1
+		fips/dsa/fips_dsa_ossl.c (1.1.2.7), "Exp", lines: +1 -1
+		fips/dsa/fips_dsa_selftest.c (1.1.4.2), "Exp", lines: +3 -3
+		fips/rand/fips_rand.c (1.1.2.11), "Exp", lines: +2 -2
+		fips/rand/fips_rand.h (1.1.2.5), "Exp", lines: +1 -1
+		fips/rsa/fips_rsa_eay.c (1.1.4.4), "Exp", lines: +1 -1
+		fips/rsa/fips_rsa_gen.c (1.1.4.5), "Exp", lines: +1 -1
+		fips/rsa/fips_rsa_selftest.c (1.1.4.5), "Exp", lines: +11 -11
+		fips/sha1/fips_sha1_selftest.c (1.1.4.2), "Exp", lines: +1 -1
+		fips/sha1/fips_sha1dgst.c (1.1.2.5), "Exp", lines: +1 -1
+		fips/sha1/standalone.sha1 (1.1.2.14), "Exp", lines: +2 -2
+
+	Minor fips const-ification.
+
+2005-04-18 07:02  steve
+
+	Changed:
+		crypto/bf/bf_skey.c (1.6.2.2), "Exp", lines: +1 -0
+		crypto/cast/c_skey.c (1.5.6.2), "Exp", lines: +1 -0
+		crypto/idea/i_skey.c (1.5.6.2), "Exp", lines: +1 -0
+		crypto/rc2/rc2_skey.c (1.4.6.2), "Exp", lines: +1 -0
+		crypto/rc4/rc4_skey.c (1.10.8.3), "Exp", lines: +1 -0
+		crypto/rc5/rc5_skey.c (1.4.6.2), "Exp", lines: +1 -0
+
+	Pick up definition of FIPS_mode() in fips.h to avoid warnings.
+
+2005-04-18 10:34  steve
+
+	Deleted:
+		fips/fingerprint.sha1 (1.1.2.14)
+		fips/fips_check_sha1 (1.1.2.8)
+		fips/fips_make_sha1 (1.1.2.7)
+		fips/aes/fingerprint.sha1 (1.1.2.7)
+		fips/des/fingerprint.sha1 (1.1.2.6)
+		fips/dh/fingerprint.sha1 (1.1.2.4)
+		fips/dsa/fingerprint.sha1 (1.1.2.7)
+		fips/rand/fingerprint.sha1 (1.1.2.10)
+		fips/rsa/fingerprint.sha1 (1.1.4.7)
+		fips/sha1/fingerprint.sha1 (1.1.2.12)
+	Changed:
+		fips/sha1/Makefile (1.1.4.12), "Exp", lines: +1 -4
+
+	Remove obsolete fingerprint.sha1 files and associated scripts.
+	Delete test in fips/sha1/Makefile: the top level test checks the
+	same files.
+
+2005-04-19 09:11  appro
+
+	Deleted:
+		fips/fipshashes.sha1 (1.1.2.7)
+		fips/sha1/standalone.sha1 (1.1.2.15)
+	Changed:
+		fips/fipshashes.c (1.1.2.1), "Exp", lines: +32 -0
+		util/checkhash.pl (1.1.2.4), "Exp", lines: +7 -4
+
+	Maintain fingerprint hashes as C source.
+
+2005-04-19 09:17  appro
+
+	Changed:
+		util/checkhash.pl (1.1.2.5), "Exp", lines: +1 -1
+
+	Complete the transition C-code hashes.
+
+2005-04-21 19:06  steve
+
+	Changed:
+		apps/openssl.c (1.48.2.13), "Exp", lines: +0 -2
+		fips/fips.c (1.1.2.12), "Exp", lines: +0 -27
+		fips/fips.h (1.1.2.8), "Exp", lines: +0 -2
+		fips/fipshashes.c (1.1.2.2), "Exp", lines: +2 -2
+
+	Remove defunct FIPS_allow_md5() and related functions.
+
+2005-04-22 06:15  appro
+
+	Changed:
+		fips/fips.c (1.1.2.13), "Exp", lines: +3 -3
+		fips/fips_err.h (1.1.4.4), "Exp", lines: +3 -3
+		fips/fipshashes.c (1.1.2.4), "Exp", lines: +2 -2
+
+	Move some variables to .bss.
+
diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure
index 2cd5877f5312..9831ff3fab5c 100755
--- a/crypto/openssl/Configure
+++ b/crypto/openssl/Configure
@@ -10,7 +10,7 @@ use strict;
 
 # see INSTALL for instructions.
 
-my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [[no-]fips] [debug] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
 
 # Options:
 #
@@ -38,7 +38,6 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
 # --test-sanity Make a number of sanity checks on the data in this file.
 #               This is a debugging tool for OpenSSL developers.
 #
-# no-engine     do not compile in any engine code.
 # no-hw-xxx     do not compile support for specific crypto hardware.
 #               Generic OpenSSL-style methods relating to this support
 #               are always compiled but return NULL if the hardware
@@ -56,6 +55,7 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
 # zlib-dynamic	Like "zlib", but the zlib library is expected to be a shared
 #		library and will be loaded in run-time by the OpenSSL library.
 # 386           generate 80386 code
+# no-sse2	disables IA-32 SSE2 code, above option implies no-sse2
 # no-<cipher>   build without specified algorithm (rsa, idea, rc5, ...)
 # -<xxx> +<xxx> compiler options are passed through 
 #
@@ -87,9 +87,15 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
 #		(intended for 64-bit CPUs running 32-bit OS).
 # BF_PTR	use 'pointer arithmatic' for Blowfish (unsafe on Alpha).
 # BF_PTR2	intel specific version (generic version is more efficient).
+#
+# Following are set automatically by this script
+#
 # MD5_ASM	use some extra md5 assember,
 # SHA1_ASM	use some extra sha1 assember, must define L_ENDIAN for x86
 # RMD160_ASM	use some extra ripemd160 assember,
+# SHA256_ASM	sha256_block is implemented in assembler
+# SHA512_ASM	sha512_block is implemented in assembler
+# AES_ASM	ASE_[en|de]crypt is implemented in assembler
 
 my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
 
@@ -108,19 +114,25 @@ my $tlib="-lnsl -lsocket";
 my $bits1="THIRTY_TWO_BIT ";
 my $bits2="SIXTY_FOUR_BIT ";
 
-my $x86_elf_asm="asm/bn86-elf.o asm/co86-elf.o:asm/dx86-elf.o asm/yx86-elf.o:asm/bx86-elf.o:asm/mx86-elf.o:asm/sx86-elf.o:asm/cx86-elf.o:asm/rx86-elf.o:asm/rm86-elf.o:asm/r586-elf.o";
-my $x86_out_asm="asm/bn86-out.o asm/co86-out.o:asm/dx86-out.o asm/yx86-out.o:asm/bx86-out.o:asm/mx86-out.o:asm/sx86-out.o:asm/cx86-out.o:asm/rx86-out.o:asm/rm86-out.o:asm/r586-out.o";
-my $x86_bsdi_asm="asm/bn86bsdi.o asm/co86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:asm/bx86bsdi.o:asm/mx86bsdi.o:asm/sx86bsdi.o:asm/cx86bsdi.o:asm/rx86bsdi.o:asm/rm86bsdi.o:asm/r586bsdi.o";
+my $x86_elf_asm="x86cpuid-elf.o:bn86-elf.o co86-elf.o:dx86-elf.o yx86-elf.o:ax86-elf.o:bx86-elf.o:mx86-elf.o:sx86-elf.o s512sse2-elf.o:cx86-elf.o:rx86-elf.o:rm86-elf.o:r586-elf.o";
+my $x86_coff_asm="x86cpuid-cof.o:bn86-cof.o co86-cof.o:dx86-cof.o yx86-cof.o:ax86-cof.o:bx86-cof.o:mx86-cof.o:sx86-cof.o s512sse2-cof.o:cx86-cof.o:rx86-cof.o:rm86-cof.o:r586-cof.o";
+my $x86_out_asm="x86cpuid-out.o:bn86-out.o co86-out.o:dx86-out.o yx86-out.o:ax86-out.o:bx86-out.o:mx86-out.o:sx86-out.o s512sse2-out.o:cx86-out.o:rx86-out.o:rm86-out.o:r586-out.o";
+
+my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o::::md5-x86_64.o:::rc4-x86_64.o::";
+my $ia64_asm=":bn-ia64.o::aes_core.o aes_cbc.o aes-ia64.o:::sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o::";
 
-my $mips3_irix_asm="asm/mips3.o::::::::";
-# There seems to be boundary faults in asm/alpha.s.
-#my $alpha_asm="asm/alpha.o::::::::";
-my $alpha_asm="::::::::";
+my $no_asm="::::::::::";
 
-# -DB_ENDIAN slows things down on a sparc for md5, but helps sha1.
-# So the md5_locl.h file has an undef B_ENDIAN if sun is defined
+# As for $BSDthreads. Idea is to maintain "collective" set of flags,
+# which would cover all BSD flavors. -pthread applies to them all, 
+# but is treated differently. OpenBSD expands is as -D_POSIX_THREAD
+# -lc_r, which is sufficient. FreeBSD 4.x expands it as -lc_r,
+# which has to be accompanied by explicit -D_THREAD_SAFE and
+# sometimes -D_REENTRANT. FreeBSD 5.x expands it as -lc_r, which
+# seems to be sufficient?
+my $BSDthreads="-pthread -D_THREAD_SAFE -D_REENTRANT";
 
-#config-string	$cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags
+#config-string	$cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags
 
 my %table=(
 # File 'TABLE' (created by 'make TABLE') contains the data from this list,
@@ -135,21 +147,25 @@ my %table=(
 # Our development configs
 "purify",	"purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::",
 "debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
-"debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
+"debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::bn86-elf.o co86-elf.o",
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
-"debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::::",
+"debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::",
 "debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
-"debug-ben-fips-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_FIPS -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"debug-steve-linux-pseudo64",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn",
-"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
+"debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared",
+"debug-steve-linux-pseudo64",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT:${no_asm}:dlfcn:linux-shared",
+"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-geoff","gcc:-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "dist",		"cc:-O::(unknown)::::::",
 
 # Basic configs that should work on any (32 and less bit) box
@@ -157,10 +173,8 @@ my %table=(
 "cc",		"cc:-O::(unknown)::::::",
 
 ####VOS Configurations
-"vos-gcc","gcc:-b hppa1.1-stratus-vos -O3 -Wall -Wuninitialized -D_POSIX_C_SOURCE=200112L -D_BSD::(unknown):VOS:-Wl,-map:BN_LLONG:::::::::::::.so:",
-"debug-vos-gcc","gcc:-b hppa1.1-stratus-vos -O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:::::::::::::.so:",
-"vos-vcc","vcc:-b i386-stratus-vos -O3 -D_POSIX_C_SOURCE=200112L -D_BSD::(unknown):VOS:-Wl,-map::::::::::::::.so:",
-"debug-vos-vcc","vcc:-b i386-stratus-vos -O0 -g -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map::::::::::::::.so:",
+"vos-gcc","gcc:-O3 -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DB_ENDIAN::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
+"debug-vos-gcc","gcc:-O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DB_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
 
 #### Solaris x86 with GNU C setups
 # -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it
@@ -168,68 +182,59 @@ my %table=(
 # surrounds it with #APP #NO_APP comment pair which (at least Solaris
 # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic"
 # error message.
-"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-
+"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -march=pentium -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# -shared -static-libgcc might appear controversial, but modules taken
+# from static libgcc do not have relocations and linking them into our
+# shared objects doesn't have any negative side-effects. On the contrary,
+# doing so makes it possible to use gcc shared build with Sun C. Given
+# that gcc generates faster code [thanks to inline assembler], I would
+# actually recommend to consider using gcc shared build even with vendor
+# compiler:-)
+#						<appro@fy.chalmers.se>
+"solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ 
 #### Solaris x86 with Sun C setups
-"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${no_asm}:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### SPARC Solaris with GNU C setups
-"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc
-"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8
-# but keep the assembler modules.
-"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-
+"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:::des_enc-sparc.o fcrypt_b.o:::md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 ####
-"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -O -g -mcpu=ultrasparc -pedantic -ansi -Wall -Wshadow -Wno-long-long -D__EXTENSIONS__ -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### SPARC Solaris with Sun C setups
-# DO NOT use /xO[34] on sparc with SC3.0.  It is broken, and will not pass the tests
-"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2.
 # SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8
 # SC5.0 note: Compiler common patch 107357-01 or later is required!
-"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:-xarch=v9:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs",
+"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:::des_enc-sparc.o fcrypt_b.o:::md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs",
 ####
-"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8.o::::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8plus.o::::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
 
-#### SPARC Linux setups
-"linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
-# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
-# assisted with debugging of following two configs.
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# it's a real mess with -mcpu=ultrasparc option under Linux, but
-# -Wa,-Av8plus should do the trick no matter what.
-"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# GCC 3.1 is a requirement
-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-
-# Sunos configs, assuming sparc for the gcc one.
-##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:::",
-"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::",
+#### SunOS configs, assuming sparc for the gcc one.
+#"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
+"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
 
 #### IRIX 5.x configs
 # -mips2 flag is added by ./config when appropriate.
-"irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::::::::dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${no_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR:${no_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### IRIX 6.x configs
 # Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke
 # './Configure irix-cc -o32' manually.
-# -mips4 flag is added by ./config when appropriate.
-"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::-n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-mips3-gcc","gcc:-mabi=n32 -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT::bn-mips3.o::::::::::dlfcn:irix-shared::-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT::bn-mips3.o::::::::::dlfcn:irix-shared::-n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # N64 ABI builds.
-"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::-64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG::bn-mips3.o::::::::::dlfcn:irix-shared::-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG::bn-mips3.o::::::::::dlfcn:irix-shared::-64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### Unified HP-UX ANSI C configs.
 # Special notes:
@@ -248,7 +253,7 @@ my %table=(
 #   suitable for execution on the host you're currently compiling at.
 #   If the toolkit is ment to be used on various PA-RISC processors
 #   consider './config +DAportable'.
-# - +DD64 is chosen in favour of +DA2.0W because it's ment to be
+# - +DD64 is chosen in favour of +DA2.0W because it's meant to be
 #   compatible with *future* releases.
 # - If you run ./Configure hpux-parisc-[g]cc manually don't forget to
 #   pass -D_REENTRANT on HP-UX 10 and later.
@@ -259,106 +264,78 @@ my %table=(
 #   crypto/sha/sha_lcl.h.
 #					<appro@fy.chalmers.se>
 #
-#!#"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
 # Since there is mention of this in shlib/hpux10-cc.sh
-"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# 64bit PARISC for GCC without optimization, which seems to make problems.
-# Submitted by <ross.alexander@uk.neceur.com>
-"hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-
-# IA-64 targets
-"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# Frank Geurts <frank.geurts@nl.abnamro.com> has patiently assisted with
-# with debugging of the following config.
-"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc2-gcc","gcc:-march=2.0 -O3 -DB_ENDIAN -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1::pa-risc2.o::::::::::dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o::::::::::dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # More attempts at unified 10.X and 11.X targets for HP C compiler.
 #
 # Chris Ruemmler <ruemmler@cup.hp.com>
 # Kevin Steves <ks@hp.se>
-"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# Isn't the line below meaningless? HP-UX cc optimizes for host by default.
-# hpux-parisc1_0-cc with +DAportable flag would make more sense. <appro>
-"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-
-# HPUX 9.X config.
-# Don't use the bundled cc.  It is broken.  Use HP ANSI C if possible, or
-# egcs.  gcc 2.8.1 is also broken.
-
-"hpux-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown)::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# If hpux-cc fails (e.g. during "make test"), try the next one; otherwise,
-# please report your OS and compiler version to the openssl-bugs@openssl.org
-# mailing list.
-"hpux-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-
-"hpux-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# If hpux-gcc fails, try this one:
-"hpux-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-
-# HPUX 9.X on Motorola 68k platforms with gcc
-"hpux-m68k-gcc",  "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):::BN_LLONG DES_PTR DES_UNROLL:::::::::::::",
-
-# HPUX 10.X config.  Supports threads.
-"hpux10-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# If hpux10-cc fails, try this one (if still fails, try deleting BN_LLONG):
-"hpux10-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-
-"hpux10-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# If hpux10-gcc fails, try this one:
-"hpux10-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-
-# HPUX 11.X from www.globus.org.
-# Only works on PA-RISC 2.0 cpus, and not optimized.  Why?
-#"hpux11-32bit-cc","cc:+DA2.0 -DB_ENDIAN -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT:::DES_PTR DES_UNROLL DES_RISC1:::",
-#"hpux11-64bit-cc","cc:+DA2.0W -g -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT :::",
-# Use unified settings above instead.
+"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:${no_asm}:dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc1_0-cc","cc:+DAportable +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:${no_asm}:dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2.o::::::::::dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o::::::::::dlfcn:hpux-shared:+Z:+DD64 -b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
-#### HP MPE/iX http://jazz.external.hp.com/src/openssl/
-"MPE/iX-gcc", "gcc:-D_ENDIAN -DBN_DIV2W -O3 -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):MPE:-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+# HP/UX IA-64 targets
+"hpux-ia64-cc","cc:-Ae +DD32 +O2 +Olit=all -z -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:${ia64_asm}:dlfcn:hpux-shared:+Z:+DD32 -b:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# Frank Geurts <frank.geurts@nl.abnamro.com> has patiently assisted with
+# with debugging of the following config.
+"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:${ia64_asm}:dlfcn:hpux-shared:+Z:+DD64 -b:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# GCC builds...
+"hpux-ia64-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT::bn-ia64.o::aes-ia64.o:::sha256-ia64.o sha512-ia64.o::rc4-ia64.o:::dlfcn:hpux-shared:-fpic:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-ia64-gcc","gcc:-mlp64 -O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:${ia64_asm}:dlfcn:hpux-shared:-fpic:-mlp64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
 
-#### PARISC Linux setups
-"linux-parisc","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
+# Legacy HPUX 9.X configs...
+"hpux-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O2 -z::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+
+#### HP MPE/iX http://jazz.external.hp.com/src/openssl/
+"MPE/iX-gcc",	"gcc:-D_ENDIAN -DBN_DIV2W -O3 -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):MPE:-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
 
-# Dec Alpha, OSF/1 - the alpha164-cc is historical, for the conversion
-# from the older DEC C Compiler to the newer compiler.  It's now the
-# same as the preferred entry, alpha-cc.  If you are still using the
-# older compiler (you're at 3.x or earlier, or perhaps very early 4.x)
-# you should use `alphaold-cc'.
+# DEC Alpha OSF/1/Tru64 targets.
 #
 #	"What's in a name? That which we call a rose
 #	 By any other word would smell as sweet."
 #
 # - William Shakespeare, "Romeo & Juliet", Act II, scene II.
 #
-# For OSF/1 3.2b and earlier, and Digital UNIX 3.2c - 3.2g, with the
-# vendor compiler, use alphaold-cc.
-# For Digital UNIX 4.0 - 4.0e, with the vendor compiler, use alpha-cc.
-# For Tru64 UNIX 4.f - current, with the vendor compiler, use alpha-cc.
-#
-# There's also an alternate target available (which `config' will never
-# select) called alpha-cc-rpath.  This target builds an RPATH into the
-# shared libraries, which is very convenient on Tru64 since binaries
-# linked against that shared library will automatically inherit that RPATH,
-# and hence know where to look for the openssl libraries, even if they're in
-# an odd place.
-#
 # For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version
 #
-"alpha-gcc","gcc:-O3::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
-"alphaold-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
-"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared:::.so",
-"alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared:::.so",
-"alpha-cc-rpath", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared-rpath:::.so",
-#
-# This probably belongs in a different section.
-#
-"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"osf1-alpha-gcc", "gcc:-O3::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${no_asm}:dlfcn:alpha-osf1-shared:::.so",
+"osf1-alpha-cc",  "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared:::.so",
+"tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared::-msym:.so",
 
+####
+#### Variety of LINUX:-)
+####
+# *-generic* is endian-neutral target, but ./config is free to
+# throw in -D[BL]_ENDIAN, whichever appropriate...
+"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+#### IA-32 targets...
+"linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+####
+"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# -bpowerpc64-linux is transient option, -m64 should be the one to use...
+"linux-ppc64",	"gcc:-bpowerpc64-linux -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-bpowerpc64-linux:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+#### SPARC Linux setups
+# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
+# assisted with debugging of following two configs.
+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# it's a real mess with -mcpu=ultrasparc option under Linux, but
+# -Wa,-Av8plus should do the trick no matter what.
+"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# GCC 3.1 is a requirement
+"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::des_enc-sparc.o fcrypt_b.o:::md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### Alpha Linux with GNU C and Compaq C setups
 # Special notes:
 # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
@@ -372,59 +349,39 @@ my %table=(
 #
 #					<appro@fy.chalmers.se>
 #
-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-
-# assembler versions -- currently defunct:
-##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer:::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${alpha_asm}",
-
-# The intel boxes :-), It would be worth seeing if bsdi-gcc can use the
-# bn86-elf.o file file since it is hand tweaked assembler.
-"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-pentium",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ppro",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-k6",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=k6 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
-"linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::",
-"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-s390x",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64-ecc",   "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"NetBSD-x86",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"FreeBSD-elf",  "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"FreeBSD-sparc64","gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"FreeBSD-ia64","gcc:-DL_ENDIAN -DTERMIOS -O -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64-cpp.o:::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"FreeBSD",      "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
-"bsdi-gcc",     "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown):::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}",
-"bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
+"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
+
+#### *BSD [do see comment about ${BSDthreads} above!]
+"BSD-generic32","gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"BSD-x86",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"BSD-x86-elf",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-BSD-x86-elf",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -Wall -g::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"BSD-sparcv8",	"gcc:-DB_ENDIAN -DTERMIOS -O3 -mv8 -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+
+"BSD-generic64","gcc:-DTERMIOS -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# -DMD32_REG_T=int doesn't actually belong in sparc64 target, it
+# simply *happens* to work around a compiler bug in gcc 3.3.3,
+# triggered by RIPEMD160 code.
+"BSD-sparc64",	"gcc:-DB_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:::des_enc-sparc.o fcrypt_b.o:::md5-sparcv9.o::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"BSD-ia64",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"BSD-x86_64",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+
+"bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+
 "nextstep",	"cc:-O -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
 "nextstep3.3",	"cc:-O3 -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
 
 # NCR MP-RAS UNIX ver 02.03.01
 "ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown)::-lsocket -lnsl -lc89:${x86_gcc_des} ${x86_gcc_opts}:::",
 
-# QNX 4
+# QNX
 "qnx4",	"cc:-DL_ENDIAN -DTERMIO::(unknown):::${x86_gcc_des} ${x86_gcc_opts}:",
-
-# QNX 6
 "qnx6",	"cc:-DL_ENDIAN -DTERMIOS::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:",
 
-# Linux on ARM
-"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-
-# SCO/Caldera targets.
+#### SCO/Caldera targets.
 #
 # Originally we had like unixware-*, unixware-*-pentium, unixware-*-p6, etc.
 # Now we only have blended unixware-* as it's the only one used by ./config.
@@ -435,25 +392,23 @@ my %table=(
 # compiler drivers and assemblers. Tim Rice <tim@multitalents.net> has
 # patiently assisted to debug most of it.
 #
-# UnixWare 2.0x fails destest with -O
+# UnixWare 2.0x fails destest with -O.
 "unixware-2.0","cc:-DFILIO_H -DNO_STRINGS_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
 "unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
 "unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"sco3-gcc",  "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown)::-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
+"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -march=pentium -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the SCO cc.
 "sco5-cc",  "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
-
-# IBM's AIX.
-"aix-cc",   "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
-"aix-gcc",  "gcc:-O3 -DB_ENDIAN::(unknown):AIX::BN_LLONG RC4_CHAR:::",
-"aix43-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:aix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::",
-"aix43-gcc",  "gcc:-O1 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
-"aix64-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
+#### IBM's AIX.
+"aix3-cc",  "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
+"aix-gcc",  "gcc:-O -DB_ENDIAN::-D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:",
+"aix64-gcc","gcc:-O -DB_ENDIAN::-D_THREAD_SAFE:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn::::::-X64",
+# Below targets assume AIX 5. Idea is to effectively disregard $OBJECT_MODE
+# at build time. $OBJECT_MODE is respected at ./config stage!
+"aix-cc",   "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384::-qthreaded:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:aix-shared::-q32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
+"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
 
 #
 # Cray T90 and similar (SDSC)
@@ -488,7 +443,7 @@ my %table=(
 
 # Sinix/ReliantUNIX RM400
 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g  */
-"ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:reliantunix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR:${no_asm}:dlfcn:reliantunix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "SINIX","cc:-O::(unknown):SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:RC4_INDEX RC4_CHAR:::",
 "SINIX-N","/usr/ucb/cc:-O2 -misaligned::(unknown)::-lucb:RC4_INDEX RC4_CHAR:::",
 
@@ -501,56 +456,53 @@ my %table=(
 #
 "OS390-Unix","c89.sh:-O -DB_ENDIAN -DCHARSET_EBCDIC -DNO_SYS_PARAM_H  -D_ALL_SOURCE::(unknown):::THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",
 
-# Windows NT, Microsoft Visual C++ 4.0
+# Win64 targets, WIN64I denotes IA-64 and WIN64A - AMD64
+"VC-WIN64I","cl::::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:${no_asm}:win32",
+"VC-WIN64A","cl::::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:${no_asm}:win32",
 
-"VC-NT","cl::::WINNT::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
-"VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
-"VC-WIN32","cl::::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
-"VC-WIN16","cl:::(unknown):WIN16::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
-"VC-W31-16","cl:::(unknown):WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
-"VC-W31-32","cl::::WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
-"VC-MSDOS","cl:::(unknown):MSDOS::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
+# Visual C targets
+"VC-NT","cl::::WINNT::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32",
+"VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32",
+"VC-WIN32","cl::::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32",
 
 # Borland C++ 4.5
-"BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN::::::::::win32",
-"BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",
+"BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32",
 
 # MinGW
-"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-mno-cygwin -lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32::::.dll",
+"mingw", "gcc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall -D_WIN32_WINNT=0x333:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin -shared:.dll.a",
 
 # UWIN 
-"UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
+"UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
 
 # Cygwin
-"Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll",
+"Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
+"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_coff_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
+"debug-Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror:::CYGWIN32:::${no_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
+
+# NetWare from David Ward (dsward@novell.com) - requires MetroWerks NLM development tools
+# netware-clib => legacy CLib c-runtime support
+"netware-clib", "mwccnlm::::::BN_LLONG ${x86_gcc_opts}::",
+# netware-libc => LibC/NKS support
+# NetWare defaults socket bio to WinSock sockets. However, the LibC build can be
+# configured to use BSD sockets instead.
+"netware-libc", "mwccnlm::::::BN_LLONG ${x86_gcc_opts}::",
+"netware-libc-bsdsock", "mwccnlm::::::BN_LLONG ${x86_gcc_opts}::",
+"netware-libc-gcc", "i586-netware-gcc:-nostdinc -I/ndk/libc/include -I/ndk/libc/include/winsock -DL_ENDIAN -DNETWARE_LIBC -DOPENSSL_SYSNAME_NETWARE -DTERMIO -O2 -Wall:::::BN_LLONG ${x86_gcc_opts}::",
 
 # DJGPP
-"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
+"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:",
 
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
 "ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::",
-"ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::::::",
+"ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::BN_LLONG::::",
 # K&R C is no longer supported; you need gcc on old Ultrix installations
 ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown):::::::",
 
-# Some OpenBSD from Bob Beck <beck@obtuse.com>
-"OpenBSD",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-alpha",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-i386",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-m68k",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-m88k",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-mips",		"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-powerpc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-sparc64",	"gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-vax",		"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-hppa",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-
 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
-"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
-"darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}::",
+"darwin-ppc-cc","cc:-O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 
 ##### A/UX
 "aux3-gcc","gcc:-O2 -DTERMIO::(unknown):AUX:-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
@@ -559,7 +511,7 @@ my %table=(
 "newsos4-gcc","gcc:-O -DB_ENDIAN::(unknown):NEWS4:-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
 
 ##### GNU Hurd
-"hurd-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC",
+"hurd-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC",
 
 ##### OS/2 EMX
 "OS2-EMX", "gcc::::::::",
@@ -567,17 +519,18 @@ my %table=(
 ##### VxWorks for various targets
 "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
 "vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::",
-"vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::",
+"vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::",
 "vxworks-ppc860","ccppc:-nostdinc -msoft-float -DCPU=PPC860 -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
-"vxworks-mipsle","ccmips:-B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -DL_ENDIAN -EL -Wl,-EL -mips2 -mno-branch-likely -G 0 -fno-builtin -msoft-float -DCPU=MIPS32 -DMIPSEL -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r::::::::::::::::ranlibmips:",
+"vxworks-mipsle","ccmips:-B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -DL_ENDIAN -EL -Wl,-EL -mips2 -mno-branch-likely -G 0 -fno-builtin -msoft-float -DCPU=MIPS32 -DMIPSEL -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r::${no_asm}::::::ranlibmips:",
 
 ##### Compaq Non-Stop Kernel (Tandem)
 "tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::",
 
 );
 
-my @WinTargets=qw(VC-NT VC-CE VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS
-	BC-32 BC-16 Mingw32 OS2-EMX);
+my @MK1MF_Builds=qw(VC-WIN64I VC-WIN64A
+		    VC-NT VC-CE VC-WIN32
+		    BC-32 OS2-EMX netware-clib netware-libc netware-libc-bsdsock);
 
 my $idx = 0;
 my $idx_cc = $idx++;
@@ -587,8 +540,10 @@ my $idx_thread_cflag = $idx++;
 my $idx_sys_id = $idx++;
 my $idx_lflags = $idx++;
 my $idx_bn_ops = $idx++;
+my $idx_cpuid_obj = $idx++;
 my $idx_bn_obj = $idx++;
 my $idx_des_obj = $idx++;
+my $idx_aes_obj = $idx++;
 my $idx_bf_obj = $idx++;
 my $idx_md5_obj = $idx++;
 my $idx_sha1_obj = $idx++;
@@ -609,12 +564,13 @@ my $openssldir="";
 my $exe_ext="";
 my $install_prefix="";
 my $no_threads=0;
-my $no_shared=1;
-my $zlib=0;
-my $no_krb5=0;
 my $threads=0;
+my $no_shared=0; # but "no-shared" is default
+my $zlib=1;      # but "no-zlib" is default
+my $no_krb5=0;   # but "no-krb5" is implied unless "--with-krb5-..." is used
 my $no_asm=0;
 my $no_dso=0;
+my $no_gmp=0;
 my @skip=();
 my $Makefile="Makefile";
 my $des_locl="crypto/des/des_locl.h";
@@ -628,7 +584,7 @@ my $rc2	="crypto/rc2/rc2.h";
 my $bf	="crypto/bf/bf_locl.h";
 my $bn_asm	="bn_asm.o";
 my $des_enc="des_enc.o fcrypt_b.o";
-my $fips_des_enc="fips_des_enc.o";
+my $aes_enc="aes_core.o aes_cbc.o";
 my $bf_enc	="bf_enc.o";
 my $cast_enc="c_enc.o";
 my $rc4_enc="rc4_enc.o";
@@ -639,16 +595,28 @@ my $rmd160_obj="";
 my $processor="";
 my $default_ranlib;
 my $perl;
-my $fips=0;
-my $debug=0;
 
-my $no_ssl2=0;
-my $no_ssl3=0;
-my $no_tls1=0;
-my $no_md5=0;
-my $no_sha=0;
-my $no_rsa=0;
-my $no_dh=0;
+
+# All of the following is disabled by default (RC5 was enabled before 0.9.8):
+
+my %disabled = ( # "what"         => "comment"
+		 "gmp"		  => "default",
+                 "mdc2"           => "default",
+                 "rc5"            => "default",
+                 "shared"         => "default",
+                 "zlib"           => "default",
+                 "zlib-dynamic"   => "default"
+               );
+
+# Additional "no-..." options will be collected in %disabled.
+# To remove something from %disabled, use e.g. "enable-rc5".
+# For symmetry, "disable-..." is a synonym for "no-...".
+
+# This is what $depflags will look like with the above default:
+my $default_depflags = "-DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 ";
+
+
+my $no_sse2=0;
 
 &usage if ($#ARGV < 0);
 
@@ -690,102 +658,38 @@ PROCESS_ARGS:
 	foreach (@argvcopy)
 		{
 		s /^-no-/no-/; # some people just can't read the instructions
-		if (/^--test-sanity$/)
-			{
-			exit(&test_sanity());
-			}
-		elsif (/^no-asm$/)
-		 	{
-			$no_asm=1;
-			$flags .= "-DOPENSSL_NO_ASM ";
-			$openssl_other_defines .= "#define OPENSSL_NO_ASM\n";
-			}
-		elsif (/^no-err$/)
-		 	{
-			$flags .= "-DOPENSSL_NO_ERR ";
-			$openssl_other_defines .= "#define OPENSSL_NO_ERR\n";
-			}
-		elsif (/^no-hw-(.+)$/)
-			{
-			my $hw=$1;
-			$hw =~ tr/[a-z]/[A-Z]/;
-			$flags .= "-DOPENSSL_NO_HW_$hw ";
-			$openssl_other_defines .= "#define OPENSSL_NO_HW_$hw\n";
-			}
-		elsif (/^no-hw$/)
-			{
-			$flags .= "-DOPENSSL_NO_HW ";
-			$openssl_other_defines .= "#define OPENSSL_NO_HW\n";
-			}
-		elsif (/^no-dso$/)
-			{ $no_dso=1; }
-		elsif (/^no-krb5$/)
-			{ $no_krb5=1; }
-		elsif (/^no-threads$/)
-			{ $no_threads=1; }
-		elsif (/^threads$/)
-			{ $threads=1; }
-		elsif (/^no-shared$/)
-			{ $no_shared=1; }
-		elsif (/^shared$/ || /^-shared$/ || /^--shared$/)
-			{ $no_shared=0; }
-		elsif (/^no-zlib$/)
-			{ $zlib=0; }
-		elsif (/^zlib$/)
-			{ $zlib=1; }
-		elsif (/^zlib-dynamic$/)
-			{ $zlib=2; }
-		elsif (/^no-symlinks$/)
-			{ $symlink=0; }
-		elsif (/^no-ssl$/)
-			{ $no_ssl2 = $no_ssl3 = 1; }
-		elsif (/^no-ssl2$/)
-			{ $no_ssl2 = 1; }
-		elsif (/^no-ssl3$/)
-			{ $no_ssl3 = 1; }
-		elsif (/^no-tls1?$/)
-			{ $no_tls1 = 1; }
-		elsif (/^no-fips$/)
-			{ $fips = 0; }
-		elsif (/^no-(.+)$/)
+
+		# rewrite some options in "enable-..." form
+		s /^-?-?shared$/enable-shared/;
+		s /^threads$/enable-threads/;
+		s /^zlib$/enable-zlib/;
+		s /^zlib-dynamic$/enable-zlib-dynamic/;
+
+		if (/^no-(.+)$/ || /^disable-(.+)$/)
 			{
-			my $algo=$1;
-			push @skip,$algo;
-			$algo =~ tr/[a-z]/[A-Z]/;
-			$flags .= "-DOPENSSL_NO_$algo ";
-			$depflags .= "-DOPENSSL_NO_$algo ";
-			$openssl_algorithm_defines .= "#define OPENSSL_NO_$algo\n";
-			if ($algo eq "RIJNDAEL")
-				{
-				push @skip, "aes";
-				$flags .= "-DOPENSSL_NO_AES ";
-				$depflags .= "-DOPENSSL_NO_AES ";
-				$openssl_algorithm_defines .= "#define OPENSSL_NO_AES\n";
-				}
-			if ($algo eq "DES")
-				{
-				push @skip, "mdc2";
-				$options .= " no-mdc2";
-				$flags .= "-DOPENSSL_NO_MDC2 ";
-				$depflags .= "-DOPENSSL_NO_MDC2 ";
-				$openssl_algorithm_defines .= "#define OPENSSL_NO_MDC2\n";
-				}
-			if ($algo eq "MD5")
-				{
-				$no_md5 = 1;
-				}
-			if ($algo eq "SHA")
+			if ($1 eq "ssl")
 				{
-				$no_sha = 1;
+				$disabled{"ssl2"} = "option(ssl)";
+				$disabled{"ssl3"} = "option(ssl)";
 				}
-			if ($algo eq "RSA")
+			elsif ($1 eq "tls")
 				{
-				$no_rsa = 1;
+				$disabled{"tls1"} = "option(tls)"
 				}
-			if ($algo eq "DH")
+			else
 				{
-				$no_dh = 1;
+				$disabled{$1} = "option";
 				}
+			}			
+		elsif (/^enable-(.+)$/)
+			{
+			delete $disabled{$1};
+
+			$threads = 1 if ($1 eq "threads");
+			}
+		elsif (/^--test-sanity$/)
+			{
+			exit(&test_sanity());
 			}
 		elsif (/^reconfigure/ || /^reconf/)
 			{
@@ -793,7 +697,7 @@ PROCESS_ARGS:
 				{
 				while (<IN>)
 					{
-					chop;
+					chomp;
 					if (/^CONFIGURE_ARGS=(.*)/)
 						{
 						$argvstring=$1;
@@ -812,14 +716,6 @@ PROCESS_ARGS:
 			}
 		elsif (/^386$/)
 			{ $processor=386; }
-		elsif (/^fips$/)
-			{
-			$fips=1;
-		        }
-		elsif (/^debug$/)
-			{
-			$debug=1;
-			}
 		elsif (/^rsaref$/)
 			{
 			# No RSAref support any more since it's not needed.
@@ -852,6 +748,14 @@ PROCESS_ARGS:
 				{
 				$withargs{"krb5-".$1}=$2;
 				}
+			elsif (/^--with-zlib-lib=(.*)$/)
+				{
+				$withargs{"zlib-lib"}=$1;
+				}
+			elsif (/^--with-zlib-include=(.*)$/)
+				{
+				$withargs{"zlib-include"}="-I$1";
+				}
 			else
 				{
 				print STDERR $usage;
@@ -865,52 +769,73 @@ PROCESS_ARGS:
 			}
 		else
 			{
-			die "target already defined - $target\n" if ($target ne "");
+			die "target already defined - $target (offending arg: $_)\n" if ($target ne "");
 			$target=$_;
 			}
-		unless ($_ eq $target) {
-			if ($options eq "") {
-				$options = $_;
-			} else {
-				$options .= " ".$_;
+
+		unless ($_ eq $target || /^no-/ || /^disable-/)
+			{
+			# "no-..." follows later after implied disactivations
+			# have been derived.  (Don't take this too seroiusly,
+			# we really only write OPTIONS to the Makefile out of
+			# nostalgia.)
+
+			if ($options eq "")
+				{ $options = $_; }
+			else
+				{ $options .= " ".$_; }
 			}
 		}
 	}
-}
 
-$no_ssl3=1 if ($no_md5 || $no_sha);
-$no_ssl3=1 if ($no_rsa && $no_dh);
 
-$no_ssl2=1 if ($no_md5);
-$no_ssl2=1 if ($no_rsa);
 
-$no_tls1=1 if ($no_md5 || $no_sha);
-$no_tls1=1 if ($no_dh);
+if ($processor eq "386")
+	{
+	$disabled{"sse2"} = "forced";
+	}
 
-if ($no_ssl2)
+if (!defined($withargs{"krb5-flavor"}) || $withargs{"krb5-flavor"} eq "")
 	{
-	push @skip,"SSL2";
-	$flags .= "-DOPENSSL_NO_SSL2 ";
-	$depflags .= "-DOPENSSL_NO_SSL2 ";
-	$openssl_algorithm_defines .= "#define OPENSSL_NO_SSL2\n";
+	$disabled{"krb5"} = "krb5-flavor not specified";
 	}
 
-if ($no_ssl3)
+if (!defined($disabled{"zlib-dynamic"}))
 	{
-	push @skip,"SSL3";
-	$flags .= "-DOPENSSL_NO_SSL3 ";
-	$depflags .= "-DOPENSSL_NO_SSL3 ";
-	$openssl_algorithm_defines .= "#define OPENSSL_NO_SSL3\n";
+	# "zlib-dynamic" was specifically enabled, so enable "zlib"
+	delete $disabled{"zlib"};
 	}
 
-if ($no_tls1)
+if (defined($disabled{"rijndael"}))
 	{
-	push @skip,"TLS1";
-	$flags .= "-DOPENSSL_NO_TLS1 ";
-	$depflags .= "-DOPENSSL_NO_TLS1 ";
-	$openssl_algorithm_defines .= "#define OPENSSL_NO_TLS1\n";
+	$disabled{"aes"} = "forced";
+	}
+if (defined($disabled{"des"}))
+	{
+	$disabled{"mdc2"} = "forced";
+	}
+if (defined($disabled{"ec"}))
+	{
+	$disabled{"ecdsa"} = "forced";
+	$disabled{"ecdh"} = "forced";
 	}
 
+# SSL 2.0 requires MD5 and RSA
+if (defined($disabled{"md5"}) || defined($disabled{"rsa"}))
+	{
+	$disabled{"ssl2"} = "forced";
+	}
+
+# SSL 3.0 and TLS requires MD5 and SHA and either RSA or DSA+DH
+if (defined($disabled{"md5"}) || defined($disabled{"sha"})
+    || (defined($disabled{"rsa"})
+        && (defined($disabled{"dsa"}) || defined($disabled{"dh"}))))
+	{
+	$disabled{"ssl3"} = "forced";
+	$disabled{"tls1"} = "forced";
+	}
+
+
 if ($target eq "TABLE") {
 	foreach $target (sort keys %table) {
 		print_table_entry($target);
@@ -934,11 +859,69 @@ print "Configuring for $target\n";
 
 &usage if (!defined($table{$target}));
 
-my $IsWindows=scalar grep /^$target$/,@WinTargets;
 
-$exe_ext=".exe" if ($target eq "Cygwin");
-$exe_ext=".exe" if ($target eq "DJGPP");
-$exe_ext=".pm" if ($target eq "vos-gcc" or $target eq "debug-vos-gcc" or $target eq "vos-vcc" or $target eq "debug-vos-vcc");
+foreach (sort (keys %disabled))
+	{
+	$options .= " no-$_";
+
+	printf "    no-%-12s %-10s", $_, "[$disabled{$_}]";
+
+	if (/^dso$/)
+		{ $no_dso = 1; }
+	elsif (/^threads$/)
+		{ $no_threads = 1; }
+	elsif (/^shared$/)
+		{ $no_shared = 1; }
+	elsif (/^zlib$/)
+		{ $zlib = 0; }
+	elsif (/^static-engine$/)
+		{ }
+	elsif (/^zlib-dynamic$/)
+		{ }
+	elsif (/^symlinks$/)
+		{ $symlink = 0; }
+	elsif (/^sse2$/)
+		{ $no_sse2 = 1; }
+	else
+		{
+		my ($ALGO, $algo);
+		($ALGO = $algo = $_) =~ tr/[a-z]/[A-Z]/;
+
+		if (/^asm$/ || /^err$/ || /^hw$/ || /^hw-/)
+			{
+			$openssl_other_defines .= "#define OPENSSL_NO_$ALGO\n";
+			print " OPENSSL_NO_$ALGO";
+		
+			if (/^err$/)	{ $flags .= "-DOPENSSL_NO_ERR "; }
+			elsif (/^asm$/)	{ $no_asm = 1; }
+			}
+		else
+			{
+			$openssl_algorithm_defines .= "#define OPENSSL_NO_$ALGO\n";
+			print " OPENSSL_NO_$ALGO";
+
+			if (/^krb5$/)
+				{ $no_krb5 = 1; }
+			else
+				{
+				push @skip, $algo;
+				print " (skip dir)";
+
+				$depflags .="-DOPENSSL_NO_$ALGO ";
+				}
+			}
+		}
+
+	print "\n";
+	}
+
+
+my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds;
+
+$IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin");
+
+$exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target eq "mingw");
+$exe_ext=".pm"  if ($target =~ /vos/);
 $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
 $prefix=$openssldir if $prefix eq "";
 
@@ -953,7 +936,7 @@ $openssldir=$prefix . "/ssl" if $openssldir eq "";
 $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
 
 
-print "IsWindows=$IsWindows\n";
+print "IsMK1MF=$IsMK1MF\n";
 
 my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
 my $cc = $fields[$idx_cc];
@@ -963,14 +946,16 @@ my $thread_cflag = $fields[$idx_thread_cflag];
 my $sys_id = $fields[$idx_sys_id];
 my $lflags = $fields[$idx_lflags];
 my $bn_ops = $fields[$idx_bn_ops];
+my $cpuid_obj = $fields[$idx_cpuid_obj];
 my $bn_obj = $fields[$idx_bn_obj];
 my $des_obj = $fields[$idx_des_obj];
+my $aes_obj = $fields[$idx_aes_obj];
 my $bf_obj = $fields[$idx_bf_obj];
-$md5_obj = $fields[$idx_md5_obj];
-$sha1_obj = $fields[$idx_sha1_obj];
+my $md5_obj = $fields[$idx_md5_obj];
+my $sha1_obj = $fields[$idx_sha1_obj];
 my $cast_obj = $fields[$idx_cast_obj];
 my $rc4_obj = $fields[$idx_rc4_obj];
-$rmd160_obj = $fields[$idx_rmd160_obj];
+my $rmd160_obj = $fields[$idx_rmd160_obj];
 my $rc5_obj = $fields[$idx_rc5_obj];
 my $dso_scheme = $fields[$idx_dso_scheme];
 my $shared_target = $fields[$idx_shared_target];
@@ -981,20 +966,14 @@ my $ranlib = $fields[$idx_ranlib];
 my $arflags = $fields[$idx_arflags];
 
 my $no_shared_warn=0;
+my $no_user_cflags=0;
 
-$cflags="$flags$cflags" if ($flags ne "");
+if ($flags ne "")	{ $cflags="$flags$cflags"; }
+else			{ $no_user_cflags=1;       }
 
 # Kerberos settings.  The flavor must be provided from outside, either through
 # the script "config" or manually.
-if ($no_krb5
-	|| !defined($withargs{"krb5-flavor"})
-	|| $withargs{"krb5-flavor"} eq "")
-	{
-	$cflags="-DOPENSSL_NO_KRB5 $cflags";
-	$options.=" no-krb5" unless $no_krb5;
-	$openssl_algorithm_defines .= "#define OPENSSL_NO_KRB5\n";
-	}
-else
+if (!$no_krb5)
 	{
 	my ($lresolv, $lpath, $lext);
 	if ($withargs{"krb5-flavor"} =~ /^[Hh]eimdal$/)
@@ -1014,7 +993,7 @@ else
 			if $withargs{"krb5-dir"} eq "";
 		$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
 			"/lib -lgssapi -lkrb5 -lcom_err"
-			if $withargs{"krb5-lib"} eq "";
+			if $withargs{"krb5-lib"} eq "" && !$IsMK1MF;
 		$cflags="-DKRB5_HEIMDAL $cflags";
 		}
 	if ($withargs{"krb5-flavor"} =~ /^[Mm][Ii][Tt]/)
@@ -1023,7 +1002,7 @@ else
 			if $withargs{"krb5-dir"} eq "";
 		$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
 			"/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto"
-			if $withargs{"krb5-lib"} eq "";
+			if $withargs{"krb5-lib"} eq "" && !$IsMK1MF;
 		$cflags="-DKRB5_MIT $cflags";
 		$withargs{"krb5-flavor"} =~ s/^[Mm][Ii][Tt][._-]*//;
 		if ($withargs{"krb5-flavor"} =~ /^1[._-]*[01]/)
@@ -1080,10 +1059,17 @@ if ($thread_cflag ne "(unknown)" && !$no_threads)
 	# If we know how to do it, support threads by default.
 	$threads = 1;
 	}
-if ($thread_cflag eq "(unknown)")
+if ($thread_cflag eq "(unknown)" && $threads)
 	{
-	# If the user asked for "threads", hopefully they also provided
-	# any system-dependent compiler options that are necessary.
+	# If the user asked for "threads", [s]he is also expected to
+	# provide any system-dependent compiler options that are
+	# necessary.
+	if ($no_user_cflags)
+		{
+		print "You asked for multi-threading support, but didn't\n";
+		print "provide any system-specific compiler options\n";
+		exit(1);
+		}
 	$thread_cflags="-DOPENSSL_THREADS $cflags" ;
 	$thread_defines .= "#define OPENSSL_THREADS\n";
 	}
@@ -1105,7 +1091,7 @@ $lflags="$libs$lflags" if ($libs ne "");
 
 if ($no_asm)
 	{
-	$bn_obj=$des_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj="";
+	$cpuid_obj=$bn_obj=$des_obj=$aes_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj="";
 	$sha1_obj=$md5_obj=$rmd160_obj="";
 	}
 
@@ -1123,8 +1109,14 @@ if ($threads)
 if ($zlib)
 	{
 	$cflags = "-DZLIB $cflags";
-	$cflags = "-DZLIB_SHARED $cflags" if $zlib == 2;
-	$lflags = "$lflags -lz" if $zlib == 1;
+	if (defined($disabled{"zlib-dynamic"}))
+		{
+		$lflags = "$lflags -lz";
+		}
+	else
+		{
+		$cflags = "-DZLIB_SHARED $cflags";
+		}
 	}
 
 # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org
@@ -1138,13 +1130,41 @@ if (!$no_shared)
 	{
 	if ($shared_cflag ne "")
 		{
-		$cflags = "$shared_cflag $cflags";
+		$cflags = "$shared_cflag -DOPENSSL_PIC $cflags";
+		}
+	}
+
+if (!$IsMK1MF)
+	{
+	if ($no_shared)
+		{
+		$openssl_other_defines.="#define OPENSSL_NO_DYNAMIC_ENGINE\n";
+		}
+	else
+		{
+		$openssl_other_defines.="#define OPENSSL_NO_STATIC_ENGINE\n";
+		}
+	}
+
+$cpuid_obj.=" uplink.o uplink-cof.o" if ($cflags =~ /\-DOPENSSL_USE_APPLINK/);
+# Compiler fix-ups
+if ($target =~ /icc$/)
+	{
+	my($iccver)=`$cc -V 2>&1`;
+	if ($iccver =~ /Version ([0-9]+)\./)	{ $iccver=$1; }
+	else					{ $iccver=0;  }
+	if ($iccver>=8)
+		{
+		# Eliminate unnecessary dependency from libirc.a. This is
+		# essential for shared library support, as otherwise
+		# apps/openssl can end up in endless loop upon startup...
+		$cflags.=" -Dmemcpy=__builtin_memcpy -Dmemset=__builtin_memset";
 		}
 	}
 
 if ($sys_id ne "")
 	{
-	$cflags="-DOPENSSL_SYSNAME_$sys_id $cflags";
+	#$cflags="-DOPENSSL_SYSNAME_$sys_id $cflags";
 	$openssl_sys_defines="#define OPENSSL_SYSNAME_$sys_id\n";
 	}
 
@@ -1158,25 +1178,30 @@ if ($ranlib eq "")
 #$bn1=$bn_asm unless ($bn1 =~ /\.o$/);
 #$bn_obj="$bn1";
 
+$cpuid_obj="" if ($processor eq "386");
+
 $bn_obj = $bn_asm unless $bn_obj ne "";
+# bn86* is the only one implementing bn_*_part_words
+$cflags.=" -DOPENSSL_BN_ASM_PART_WORDS" if ($bn_obj =~ /bn86/);
+$cflags.=" -DOPENSSL_IA32_SSE2" if (!$no_sse2 && $bn_obj =~ /bn86/);
 
-if ($fips)
-	{
-	$des_obj=$sha1_obj="";
-	$openssl_other_defines.="#define OPENSSL_FIPS\n";
-	}
-$des_obj=$des_enc	unless (!$fips && $des_obj =~ /\.o$/);
-my $fips_des_obj='asm/fips-dx86-elf.o';
-$fips_des_obj=$fips_des_enc unless $processor eq '386';
-my $fips_sha1_obj='asm/sx86-elf.o' if $processor eq '386';
+$des_obj=$des_enc	unless ($des_obj =~ /\.o$/);
 $bf_obj=$bf_enc		unless ($bf_obj =~ /\.o$/);
 $cast_obj=$cast_enc	unless ($cast_obj =~ /\.o$/);
 $rc4_obj=$rc4_enc	unless ($rc4_obj =~ /\.o$/);
 $rc5_obj=$rc5_enc	unless ($rc5_obj =~ /\.o$/);
-if ($sha1_obj =~ /\.o$/ || $fips_sha1_obj =~ /\.o$/)
+if ($sha1_obj =~ /\.o$/)
 	{
 #	$sha1_obj=$sha1_enc;
-	$cflags.=" -DSHA1_ASM";
+	$cflags.=" -DSHA1_ASM"   if ($sha1_obj =~ /sx86/ || $sha1_obj =~ /sha1/);
+	$cflags.=" -DSHA256_ASM" if ($sha1_obj =~ /sha256/);
+	$cflags.=" -DSHA512_ASM" if ($sha1_obj =~ /sha512/);
+	if ($sha1_obj =~ /x86/)
+	    {	if ($no_sse2)
+		{   $sha1_obj =~ s/\S*sse2\S+//;        }
+		elsif ($cflags !~ /OPENSSL_IA32_SSE2/)
+		{   $cflags.=" -DOPENSSL_IA32_SSE2";    }
+	    }
 	}
 if ($md5_obj =~ /\.o$/)
 	{
@@ -1188,11 +1213,12 @@ if ($rmd160_obj =~ /\.o$/)
 #	$rmd160_obj=$rmd160_enc;
 	$cflags.=" -DRMD160_ASM";
 	}
-
-if ($debug)
+if ($aes_obj =~ /\.o$/)
 	{
-	$cflags.=" -g";
-	$cflags=~s/-fomit-frame-pointer//;
+	$cflags.=" -DAES_ASM";
+	}
+else	{
+	$aes_obj=$aes_enc;
 	}
 
 # "Stringify" the C flags string.  This permits it to be made part of a string
@@ -1200,6 +1226,7 @@ if ($debug)
 $cflags =~ s/([\\\"])/\\\1/g;
 
 my $version = "unknown";
+my $version_num = "unknown";
 my $major = "unknown";
 my $minor = "unknown";
 my $shlib_version_number = "unknown";
@@ -1211,6 +1238,7 @@ open(IN,'<crypto/opensslv.h') || die "unable to read opensslv.h:$!\n";
 while (<IN>)
 	{
 	$version=$1 if /OPENSSL.VERSION.TEXT.*OpenSSL (\S+) /;
+	$version_num=$1 if /OPENSSL.VERSION.NUMBER.*0x(\S+)/;
 	$shlib_version_number=$1 if /SHLIB_VERSION_NUMBER *"([^"]+)"/;
 	$shlib_version_history=$1 if /SHLIB_VERSION_HISTORY *"([^"]*)"/;
 	}
@@ -1236,7 +1264,7 @@ print OUT "### Generated automatically from Makefile.org by Configure.\n\n";
 my $sdirs=0;
 while (<IN>)
 	{
-	chop;
+	chomp;
 	$sdirs = 1 if /^SDIRS=/;
 	if ($sdirs) {
 		my $dir;
@@ -1265,16 +1293,16 @@ while (<IN>)
 	s/^DEPFLAG=.*$/DEPFLAG= $depflags/;
 	s/^EX_LIBS=.*$/EX_LIBS= $lflags/;
 	s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/;
+	s/^CPUID_OBJ=.*$/CPUID_OBJ= $cpuid_obj/;
 	s/^BN_ASM=.*$/BN_ASM= $bn_obj/;
 	s/^DES_ENC=.*$/DES_ENC= $des_obj/;
-	s/^FIPS_DES_ENC=.*$/FIPS_DES_ENC= $fips_des_obj/;
+	s/^AES_ASM_OBJ=.*$/AES_ASM_OBJ= $aes_obj/;
 	s/^BF_ENC=.*$/BF_ENC= $bf_obj/;
 	s/^CAST_ENC=.*$/CAST_ENC= $cast_obj/;
 	s/^RC4_ENC=.*$/RC4_ENC= $rc4_obj/;
 	s/^RC5_ENC=.*$/RC5_ENC= $rc5_obj/;
 	s/^MD5_ASM_OBJ=.*$/MD5_ASM_OBJ= $md5_obj/;
 	s/^SHA1_ASM_OBJ=.*$/SHA1_ASM_OBJ= $sha1_obj/;
-	s/^FIPS_SHA1_ASM_OBJ=.*$/FIPS_SHA1_ASM_OBJ= $fips_sha1_obj/;
 	s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/;
 	s/^PROCESSOR=.*/PROCESSOR= $processor/;
 	s/^RANLIB=.*/RANLIB= $ranlib/;
@@ -1282,6 +1310,8 @@ while (<IN>)
 	s/^PERL=.*/PERL= $perl/;
 	s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/;
 	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
+	s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
+	s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
 	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
 	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
 	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
@@ -1314,8 +1344,10 @@ rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n";
 print "CC            =$cc\n";
 print "CFLAG         =$cflags\n";
 print "EX_LIBS       =$lflags\n";
+print "CPUID_OBJ     =$cpuid_obj\n";
 print "BN_ASM        =$bn_obj\n";
 print "DES_ENC       =$des_obj\n";
+print "AES_ASM_OBJ   =$aes_obj\n";
 print "BF_ENC        =$bf_obj\n";
 print "CAST_ENC      =$cast_obj\n";
 print "RC4_ENC       =$rc4_obj\n";
@@ -1407,10 +1439,14 @@ print OUT "#ifdef OPENSSL_ALGORITHM_DEFINES\n";
 print OUT $openssl_algorithm_defines_trans;
 print OUT "#endif\n\n";
 
+print OUT "#define OPENSSL_CPUID_OBJ\n\n" if ($cpuid_obj);
+
 while (<IN>)
 	{
 	if	(/^#define\s+OPENSSLDIR/)
 		{ print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
+	elsif	(/^#define\s+ENGINESDIR/)
+		{ print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; }
 	elsif	(/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
 		{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
 			if $export_var_as_fn;
@@ -1455,7 +1491,7 @@ while (<IN>)
 	elsif	(/^#((define)|(undef))\s+RC4_INDEX/)
 		{ printf OUT "#%s RC4_INDEX\n",($rc4_idx)?"define":"undef"; }
 	elsif (/^#(define|undef)\s+I386_ONLY/)
-		{ printf OUT "#%s I386_ONLY\n", ($processor == 386)?
+		{ printf OUT "#%s I386_ONLY\n", ($processor eq "386")?
 			"define":"undef"; }
 	elsif	(/^#define\s+MD2_INT\s/)
 		{ printf OUT "#define MD2_INT unsigned %s\n",$type[$md2_int]; }
@@ -1502,12 +1538,12 @@ print "RC2 uses u$type[$rc2_int]\n" if $rc2_int != $def_int;
 print "BF_PTR used\n" if $bf_ptr == 1; 
 print "BF_PTR2 used\n" if $bf_ptr == 2; 
 
-if($IsWindows) {
+if($IsMK1MF) {
 	open (OUT,">crypto/buildinf.h") || die "Can't open buildinf.h";
 	printf OUT <<EOF;
 #ifndef MK1MF_BUILD
   /* auto-generated by Configure for crypto/cversion.c:
-   * for Unix builds, crypto/Makefile generates functional definitions;
+   * for Unix builds, crypto/Makefile.ssl generates functional definitions;
    * Windows builds (and other mk1mf builds) compile cversion.c with
    * -DMK1MF_BUILD and use definitions added to this file by util/mk1mf.pl. */
   #error "Windows builds (PLATFORM=$target) use mk1mf.pl-created Makefiles"
@@ -1518,31 +1554,91 @@ EOF
 	my $make_command = "make PERL=\'$perl\'";
 	my $make_targets = "";
 	$make_targets .= " links" if $symlink;
-	$make_targets .= " depend" if $depflags ne "" && $make_depend;
+	$make_targets .= " depend" if $depflags ne $default_depflags && $make_depend;
 	$make_targets .= " gentests" if $symlink;
 	(system $make_command.$make_targets) == 0 or exit $?
 		if $make_targets ne "";
 	if ( $perl =~ m@^/@) {
 	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
-	    &dofile("apps/der_chop",$perl,'^#!/', '#!%s');
 	    &dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
 	} else {
 	    # No path for Perl known ...
 	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
-	    &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s');
 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
 	}
-	if ($depflags ne "" && !$make_depend) {
+	if ($depflags ne $default_depflags && !$make_depend) {
 		print <<EOF;
 
-Since you've disabled at least one algorithm, you need to do the following
-before building:
+Since you've disabled or enabled at least one algorithm, you need to do
+the following before building:
 
 	make depend
 EOF
 	}
 }
 
+# create the ms/version32.rc file if needed
+if ($IsMK1MF) {
+	my ($v1, $v2, $v3, $v4);
+	if ($version_num =~ /(^[0-9a-f]{1})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})/i) {
+		$v1=hex $1;
+		$v2=hex $2;
+		$v3=hex $3;
+		$v4=hex $4;
+	}
+	open (OUT,">ms/version32.rc") || die "Can't open ms/version32.rc";
+	print OUT <<EOF;
+#include <winver.h>
+
+LANGUAGE 0x09,0x01
+
+1 VERSIONINFO
+  FILEVERSION $v1,$v2,$v3,$v4
+  PRODUCTVERSION $v1,$v2,$v3,$v4
+  FILEFLAGSMASK 0x3fL
+#ifdef _DEBUG
+  FILEFLAGS 0x01L
+#else
+  FILEFLAGS 0x00L
+#endif
+  FILEOS VOS__WINDOWS32
+  FILETYPE VFT_DLL
+  FILESUBTYPE 0x0L
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+	BLOCK "040904b0"
+	BEGIN
+	    // Required:	    
+	    VALUE "CompanyName", "The OpenSSL Project, http://www.openssl.org/\\0"
+	    VALUE "FileDescription", "OpenSSL Shared Library\\0"
+	    VALUE "FileVersion", "$version\\0"
+#if defined(CRYPTO)
+	    VALUE "InternalName", "libeay32\\0"
+	    VALUE "OriginalFilename", "libeay32.dll\\0"
+#elif defined(SSL)
+	    VALUE "InternalName", "ssleay32\\0"
+	    VALUE "OriginalFilename", "ssleay32.dll\\0"
+#endif
+	    VALUE "ProductName", "The OpenSSL Toolkit\\0"
+	    VALUE "ProductVersion", "$version\\0"
+	    // Optional:
+	    //VALUE "Comments", "\\0"
+	    VALUE "LegalCopyright", "Copyright © 1998-2005 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.\\0"
+	    //VALUE "LegalTrademarks", "\\0"
+	    //VALUE "PrivateBuild", "\\0"
+	    //VALUE "SpecialBuild", "\\0"
+	END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 0x4b0
+    END
+END
+EOF
+	close(OUT);
+  }
+  
 print <<EOF;
 
 Configured for $target.
@@ -1638,7 +1734,7 @@ sub print_table_entry
 	my $target = shift;
 
 	(my $cc,my $cflags,my $unistd,my $thread_cflag,my $sys_id,my $lflags,
-	my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj,
+	my $bn_ops,my $cpuid_obj,my $bn_obj,my $des_obj,my $aes_obj, my $bf_obj,
 	my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj,
 	my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,
 	my $shared_ldflag,my $shared_extension,my $ranlib,my $arflags)=
@@ -1654,8 +1750,10 @@ sub print_table_entry
 \$sys_id       = $sys_id
 \$lflags       = $lflags
 \$bn_ops       = $bn_ops
+\$cpuid_obj    = $cpuid_obj
 \$bn_obj       = $bn_obj
 \$des_obj      = $des_obj
+\$aes_obj      = $aes_obj
 \$bf_obj       = $bf_obj
 \$md5_obj      = $md5_obj
 \$sha1_obj     = $sha1_obj
diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ
index 1c232c3c54b8..c31c1ee36ed9 100644
--- a/crypto/openssl/FAQ
+++ b/crypto/openssl/FAQ
@@ -31,6 +31,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why does my browser give a warning about a mismatched hostname?
 * How do I install a CA certificate into a browser?
 * Why is OpenSSL x509 DN output not conformant to RFC2253?
+* What is a "128 bit certificate"? Can I create one with OpenSSL?
 
 [BUILD] Questions about building and testing OpenSSL
 
@@ -46,6 +47,9 @@ OpenSSL  -  Frequently Asked Questions
 * Why does the OpenSSL test suite fail on MacOS X?
 * Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
 * Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
+* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
+* Why does compiler fail to compile sha512.c?
+* Test suite still fails, what to do?
 
 [PROG] Questions about programming with OpenSSL
 
@@ -70,7 +74,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7e was released on October 25, 2004.
+OpenSSL 0.9.8b was released on May 4th, 2006.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -141,8 +145,8 @@ less Unix-centric, it might have been used much earlier.
 
 With version 0.9.6 OpenSSL was extended to interface to external crypto
 hardware. This was realized in a special release '0.9.6-engine'. With
-version 0.9.7 (not yet released) the changes were merged into the main
-development line, so that the special release is no longer necessary.
+version 0.9.7 the changes were merged into the main development line,
+so that the special release is no longer necessary.
 
 * How do I check the authenticity of the OpenSSL distribution?
 
@@ -152,7 +156,8 @@ Use MD5 to check that a tarball from a mirror site is identical:
    md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
 
 You can check authenticity using pgp or gpg. You need the OpenSSL team
-member public key used to sign it (download it from a key server). Then
+member public key used to sign it (download it from a key server, see a
+list of keys at <URL: http://www.openssl.org/about/>). Then
 just do:
 
    pgp TARBALL.asc
@@ -166,8 +171,8 @@ you if you want to use OpenSSL.  For information on intellectual
 property rights, please consult a lawyer.  The OpenSSL team does not
 offer legal advice.
 
-You can configure OpenSSL so as not to use RC5 and IDEA by using
- ./config no-rc5 no-idea
+You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
+ ./config no-idea no-mdc2 no-rc5
 
 
 * Can I use OpenSSL with GPL software?
@@ -383,6 +388,43 @@ interface, the "-nameopt" option could be introduded. See the manual
 page of the "openssl x509" commandline tool for details. The old behaviour
 has however been left as default for the sake of compatibility.
 
+* What is a "128 bit certificate"? Can I create one with OpenSSL?
+
+The term "128 bit certificate" is a highly misleading marketing term. It does
+*not* refer to the size of the public key in the certificate! A certificate
+containing a 128 bit RSA key would have negligible security.
+
+There were various other names such as "magic certificates", "SGC
+certificates", "step up certificates" etc.
+
+You can't generally create such a certificate using OpenSSL but there is no
+need to any more. Nowadays web browsers using unrestricted strong encryption
+are generally available.
+
+When there were tight export restrictions on the export of strong encryption
+software from the US only weak encryption algorithms could be freely exported
+(initially 40 bit and then 56 bit). It was widely recognised that this was
+inadequate. A relaxation the rules allowed the use of strong encryption but
+only to an authorised server.
+
+Two slighly different techniques were developed to support this, one used by
+Netscape was called "step up", the other used by MSIE was called "Server Gated
+Cryptography" (SGC). When a browser initially connected to a server it would
+check to see if the certificate contained certain extensions and was issued by
+an authorised authority. If these test succeeded it would reconnect using
+strong encryption.
+
+Only certain (initially one) certificate authorities could issue the
+certificates and they generally cost more than ordinary certificates.
+
+Although OpenSSL can create certificates containing the appropriate extensions
+the certificate would not come from a permitted authority and so would not
+be recognized.
+
+The export laws were later changed to allow almost unrestricted use of strong
+encryption so these certificates are now obsolete.
+
+
 [BUILD] =======================================================================
 
 * Why does the linker complain about undefined symbols?
@@ -462,7 +504,7 @@ get the best result from OpenSSL.  A bit more complicated solution is the
 following:
 
 ----- snip:start -----
-  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile | \
+  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
        sed -e 's/ -O[0-9] / -O0 /'`"
   rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
   make
@@ -472,6 +514,10 @@ This will only compile sha_dgst.c with -O0, the rest with the optimization
 level chosen by the configuration process.  When the above is done, do the
 test and installation and you're set.
 
+3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It 
+should not be used and is not used in SSL/TLS nor any other recognized
+protocol in either case.
+
 
 * Why does the OpenSSL compilation fail with "ar: command not found"?
 
@@ -593,6 +639,35 @@ Reportedly elder *BSD a.out platforms also suffer from this problem and
 remedy should be same. Provided binary is statically linked and should be
 working across wider range of *BSD branches, not just OpenBSD.
 
+* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
+
+If the test program in question fails withs SIGILL, Illegal Instruction
+exception, then you more than likely to run SSE2-capable CPU, such as
+Intel P4, under control of kernel which does not support SSE2
+instruction extentions. See accompanying INSTALL file and
+OPENSSL_ia32cap(3) documentation page for further information.
+
+* Why does compiler fail to compile sha512.c?
+
+OpenSSL SHA-512 implementation depends on compiler support for 64-bit
+integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a
+couple] lack support for this and therefore are incapable of compiling
+the module in question. The recommendation is to disable SHA-512 by
+adding no-sha512 to ./config [or ./Configure] command line. Another
+possible alternative might be to switch to GCC.
+
+* Test suite still fails, what to do?
+
+Another common reason for failure to complete some particular test is
+simply bad code generated by a buggy component in toolchain or deficiency
+in run-time environment. There are few cases documented in PROBLEMS file,
+consult it for possible workaround before you beat the drum. Even if you
+don't find solution or even mention there, do reserve for possibility of
+a compiler bug. Compiler bugs might appear in rather bizarre ways, they
+never make sense, and tend to emerge when you least expect them. In order
+to identify one, drop optimization level, e.g. by editing CFLAG line in
+top-level Makefile, recompile and re-run the test.
+
 [PROG] ========================================================================
 
 * Is OpenSSL thread-safe?
@@ -625,10 +700,10 @@ your application must link  against the same by which OpenSSL was
 built.  If you are using MS Visual C++ (Studio) this can be changed
 by:
 
-1.  Select Settings... from the Project Menu.
-2.  Select the C/C++ Tab.
-3.  Select "Code Generation from the "Category" drop down list box
-4.  Select the Appropriate library (see table below) from the "Use
+ 1. Select Settings... from the Project Menu.
+ 2. Select the C/C++ Tab.
+ 3. Select "Code Generation from the "Category" drop down list box
+ 4. Select the Appropriate library (see table below) from the "Use
     run-time library" drop down list box.  Perform this step for both
     your debug and release versions of your application (look at the
     top left of the settings panel to change between the two)
@@ -647,30 +722,44 @@ by:
 Note that debug and release libraries are NOT interchangeable.  If you
 built OpenSSL with /MD your application must use /MD and cannot use /MDd.
 
+As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL
+.DLLs compiled with some specific run-time option [we insist on the
+default /MD] can be deployed with application compiled with different
+option or even different compiler. But there is a catch! Instead of
+re-compiling OpenSSL toolkit, as you would have to with prior versions,
+you have to compile small C snippet with compiler and/or options of
+your choice. The snippet gets installed as
+<install-root>/include/openssl/applink.c and should be either added to
+your application project or simply #include-d in one [and only one]
+of your application source files. Failure to link this shim module
+into your application manifests itself as fatal "no OPENSSL_Applink"
+run-time error. An explicit reminder is due that in this situation
+[mixing compiler options] it is as important to add CRYPTO_malloc_init
+prior first call to OpenSSL.
 
 * How do I read or write a DER encoded buffer using the ASN1 functions?
 
 You have two options. You can either use a memory BIO in conjunction
-with the i2d_XXX_bio() or d2i_XXX_bio() functions or you can use the
-i2d_XXX(), d2i_XXX() functions directly. Since these are often the
+with the i2d_*_bio() or d2i_*_bio() functions or you can use the
+i2d_*(), d2i_*() functions directly. Since these are often the
 cause of grief here are some code fragments using PKCS7 as an example:
 
-unsigned char *buf, *p;
-int len;
+ unsigned char *buf, *p;
+ int len;
 
-len = i2d_PKCS7(p7, NULL);
-buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */
-p = buf;
-i2d_PKCS7(p7, &p);
+ len = i2d_PKCS7(p7, NULL);
+ buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */
+ p = buf;
+ i2d_PKCS7(p7, &p);
 
 At this point buf contains the len bytes of the DER encoding of
 p7.
 
 The opposite assumes we already have len bytes in buf:
 
-unsigned char *p;
-p = buf;
-p7 = d2i_PKCS7(NULL, &p, len);
+ unsigned char *p;
+ p = buf;
+ p7 = d2i_PKCS7(NULL, &p, len);
 
 At this point p7 contains a valid PKCS7 structure of NULL if an error
 occurred. If an error occurred ERR_print_errors(bio) should give more
@@ -788,9 +877,20 @@ that is allocated when an application starts up. Since such tables do not grow
 in size over time they are harmless.
 
 These internal tables can be freed up when an application closes using various
-functions.  Currently these include: EVP_cleanup(), ERR_remove_state(),
-ERR_free_strings(), ENGINE_cleanup(), CONF_modules_unload() and
-CRYPTO_cleanup_all_ex_data().
+functions.  Currently these include following:
+
+Thread-local cleanup functions:
+
+  ERR_remove_state()
+
+Application-global cleanup functions that are aware of usage (and therefore
+thread-safe):
+
+  ENGINE_cleanup() and CONF_modules_unload()
+
+"Brutal" (thread-unsafe) Application-global cleanup functions:
+
+  ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
 
 
 ===============================================================================
diff --git a/crypto/openssl/INSTALL b/crypto/openssl/INSTALL
index 503474f2e4ce..ebb36978a2ae 100644
--- a/crypto/openssl/INSTALL
+++ b/crypto/openssl/INSTALL
@@ -2,8 +2,10 @@
  INSTALLATION ON THE UNIX PLATFORM
  ---------------------------------
 
- [Installation on DOS (with djgpp), Windows, OpenVMS and MacOS (before MacOS X)
-  is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS and INSTALL.MacOS.
+ [Installation on DOS (with djgpp), Windows, OpenVMS, MacOS (before MacOS X)
+  and NetWare is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS,
+  INSTALL.MacOS and INSTALL.NW.
+  
   This document describes installation on operating systems in the Unix
   family.]
 
@@ -73,14 +75,30 @@
   no-asm        Do not use assembler code.
 
   386           Use the 80386 instruction set only (the default x86 code is
-                more efficient, but requires at least a 486).
+                more efficient, but requires at least a 486). Note: Use
+                compiler flags for any other CPU specific configuration,
+                e.g. "-m32" to build x86 code on an x64 system.
+
+  no-sse2	Exclude SSE2 code pathes. Normally SSE2 extention is
+		detected at run-time, but the decision whether or not the
+		machine code will be executed is taken solely on CPU
+		capability vector. This means that if you happen to run OS
+		kernel which does not support SSE2 extension on Intel P4
+		processor, then your application might be exposed to
+		"illegal instruction" exception. There might be a way
+		to enable support in kernel, e.g. FreeBSD kernel can be
+		compiled with CPU_ENABLE_SSE, and there is a way to
+		disengage SSE2 code pathes upon application start-up,
+		but if you aim for wider "audience" running such kernel,
+		consider no-sse2. Both 386 and no-asm options above imply
+		no-sse2.
 
   no-<cipher>   Build without the specified cipher (bf, cast, des, dh, dsa,
                 hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
                 The crypto/<cipher> directory can be removed after running
                 "make depend".
 
-  -Dxxx, -lxxx, -Lxxx, -fxxx, -Kxxx These system specific options will
+  -Dxxx, -lxxx, -Lxxx, -fxxx, -mxxx, -Kxxx These system specific options will
                 be passed through to the compiler to allow you to
                 define preprocessor symbols, specify additional libraries,
                 library directories or other compiler options.
@@ -123,7 +141,7 @@
      generic configurations "cc" or "gcc" should usually work on 32 bit
      systems.
 
-     Configure creates the file Makefile from Makefile.org and
+     Configure creates the file Makefile.ssl from Makefile.org and
      defines various macros in crypto/opensslconf.h (generated from
      crypto/opensslconf.h.in).
 
@@ -159,7 +177,7 @@
      the failure that isn't a problem in OpenSSL itself (like a missing
      or malfunctioning bc).  If it is a problem with OpenSSL itself,
      try removing any compiler optimization flags from the CFLAG line
-     in Makefile and run "make clean; make". Please send a bug
+     in Makefile.ssl and run "make clean; make". Please send a bug
      report to <openssl-bugs@openssl.org>, including the output of
      "make report" in order to be added to the request tracker at
      http://www.openssl.org/support/rt2.html.
@@ -312,7 +330,7 @@
  Note on support for multiple builds
  -----------------------------------
 
- OpenSSL is usually built in it's source tree.  Unfortunately, this doesn't
+ OpenSSL is usually built in its source tree.  Unfortunately, this doesn't
  support building for multiple platforms from the same source tree very well.
  It is however possible to build in a separate tree through the use of lots
  of symbolic links, which should be prepared like this:
diff --git a/crypto/openssl/LICENSE b/crypto/openssl/LICENSE
index 40277883a592..e6afecc72494 100644
--- a/crypto/openssl/LICENSE
+++ b/crypto/openssl/LICENSE
@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/crypto/openssl/Makefile b/crypto/openssl/Makefile
index 9c284bf265e4..18fa5a3d2b82 100644
--- a/crypto/openssl/Makefile
+++ b/crypto/openssl/Makefile
@@ -4,16 +4,16 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=0.9.7e
+VERSION=0.9.8b
 MAJOR=0
-MINOR=9.7
-SHLIB_VERSION_NUMBER=0.9.7
+MINOR=9.8
+SHLIB_VERSION_NUMBER=0.9.8
 SHLIB_VERSION_HISTORY=
 SHLIB_MAJOR=0
-SHLIB_MINOR=9.7
+SHLIB_MINOR=9.8
 SHLIB_EXT=
 PLATFORM=dist
-OPTIONS= no-krb5
+OPTIONS= no-gmp no-krb5 no-mdc2 no-rc5 no-shared no-zlib no-zlib-dynamic
 CONFIGURE_ARGS=dist
 SHLIB_TARGET=
 
@@ -60,9 +60,8 @@ OPENSSLDIR=/usr/local/ssl
 # PKCS1_CHECK - pkcs1 tests.
 
 CC= cc
-#CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-CFLAG= -DOPENSSL_NO_KRB5 -O
-DEPFLAG= 
+CFLAG= -O
+DEPFLAG= -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 
 PEX_LIBS= 
 EX_LIBS= 
 EXE_EXT= 
@@ -82,113 +81,45 @@ MAKEDEPPROG=makedepend
 AS=$(CC) -c
 ASFLAG=$(CFLAG)
 
-# Set BN_ASM to bn_asm.o if you want to use the C version
-BN_ASM= bn_asm.o
-#BN_ASM= bn_asm.o
-#BN_ASM= asm/bn86-elf.o	# elf, linux-elf
-#BN_ASM= asm/bn86-sol.o # solaris
-#BN_ASM= asm/bn86-out.o # a.out, FreeBSD
-#BN_ASM= asm/bn86bsdi.o # bsdi
-#BN_ASM= asm/alpha.o    # DEC Alpha
-#BN_ASM= asm/pa-risc2.o # HP-UX PA-RISC
-#BN_ASM= asm/r3000.o    # SGI MIPS cpu
-#BN_ASM= asm/sparc.o    # Sun solaris/SunOS
-#BN_ASM= asm/bn-win32.o # Windows 95/NT
-#BN_ASM= asm/x86w16.o   # 16 bit code for Windows 3.1/DOS
-#BN_ASM= asm/x86w32.o   # 32 bit code for Windows 3.1
-
 # For x86 assembler: Set PROCESSOR to 386 if you want to support
 # the 80386.
 PROCESSOR= 
 
-# Set DES_ENC to des_enc.o if you want to use the C version
-#There are 4 x86 assember options.
-FIPS_DES_ENC= fips_des_enc.o
+# CPUID module collects small commonly used assembler snippets
+CPUID_OBJ= 
+BN_ASM= bn_asm.o
 DES_ENC= des_enc.o fcrypt_b.o
-#DES_ENC= des_enc.o fcrypt_b.o          # C
-#DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf
-#DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris
-#DES_ENC= asm/dx86-out.o asm/yx86-out.o # a.out, FreeBSD
-#DES_ENC= asm/dx86bsdi.o asm/yx86bsdi.o # bsdi
-
-# Set BF_ENC to bf_enc.o if you want to use the C version
-#There are 4 x86 assember options.
+AES_ASM_OBJ= aes_core.o aes_cbc.o
 BF_ENC= bf_enc.o
-#BF_ENC= bf_enc.o
-#BF_ENC= asm/bx86-elf.o # elf
-#BF_ENC= asm/bx86-sol.o # solaris
-#BF_ENC= asm/bx86-out.o # a.out, FreeBSD
-#BF_ENC= asm/bx86bsdi.o # bsdi
-
-# Set CAST_ENC to c_enc.o if you want to use the C version
-#There are 4 x86 assember options.
 CAST_ENC= c_enc.o
-#CAST_ENC= c_enc.o
-#CAST_ENC= asm/cx86-elf.o # elf
-#CAST_ENC= asm/cx86-sol.o # solaris
-#CAST_ENC= asm/cx86-out.o # a.out, FreeBSD
-#CAST_ENC= asm/cx86bsdi.o # bsdi
-
-# Set RC4_ENC to rc4_enc.o if you want to use the C version
-#There are 4 x86 assember options.
 RC4_ENC= rc4_enc.o
-#RC4_ENC= rc4_enc.o
-#RC4_ENC= asm/rx86-elf.o # elf
-#RC4_ENC= asm/rx86-sol.o # solaris
-#RC4_ENC= asm/rx86-out.o # a.out, FreeBSD
-#RC4_ENC= asm/rx86bsdi.o # bsdi
-
-# Set RC5_ENC to rc5_enc.o if you want to use the C version
-#There are 4 x86 assember options.
 RC5_ENC= rc5_enc.o
-#RC5_ENC= rc5_enc.o
-#RC5_ENC= asm/r586-elf.o # elf
-#RC5_ENC= asm/r586-sol.o # solaris
-#RC5_ENC= asm/r586-out.o # a.out, FreeBSD
-#RC5_ENC= asm/r586bsdi.o # bsdi
-
-# Also need MD5_ASM defined
 MD5_ASM_OBJ= 
-#MD5_ASM_OBJ= asm/mx86-elf.o        # elf
-#MD5_ASM_OBJ= asm/mx86-sol.o        # solaris
-#MD5_ASM_OBJ= asm/mx86-out.o        # a.out, FreeBSD
-#MD5_ASM_OBJ= asm/mx86bsdi.o        # bsdi
-
-# Also need SHA1_ASM defined
 SHA1_ASM_OBJ= 
-FIPS_SHA1_ASM_OBJ= 
-#SHA1_ASM_OBJ= asm/sx86-elf.o       # elf
-#SHA1_ASM_OBJ= asm/sx86-sol.o       # solaris
-#SHA1_ASM_OBJ= asm/sx86-out.o       # a.out, FreeBSD
-#SHA1_ASM_OBJ= asm/sx86bsdi.o       # bsdi
-
-# Also need RMD160_ASM defined
 RMD160_ASM_OBJ= 
-#RMD160_ASM_OBJ= asm/rm86-elf.o       # elf
-#RMD160_ASM_OBJ= asm/rm86-sol.o       # solaris
-#RMD160_ASM_OBJ= asm/rm86-out.o       # a.out, FreeBSD
-#RMD160_ASM_OBJ= asm/rm86bsdi.o       # bsdi
 
 # KRB5 stuff
 KRB5_INCLUDES=
 LIBKRB5=
 
-# When we're prepared to use shared libraries in the programs we link here
-# we might set SHLIB_MARK to '$(SHARED_LIBS)'.
-SHLIB_MARK=
+# Zlib stuff
+ZLIB_INCLUDE=
+LIBZLIB=
 
-DIRS=   crypto fips ssl $(SHLIB_MARK) sigs apps test tools
-SHLIBDIRS= fips crypto ssl
+DIRS=   crypto ssl engines apps test tools
+SHLIBDIRS= crypto ssl
 
 # dirs in crypto to build
-SDIRS=  objects \
-	md2 md4 md5 sha mdc2 hmac ripemd \
-	des rc2 rc4 rc5 idea bf cast \
-	bn ec rsa dsa dh dso engine aes \
+SDIRS=  \
+	objects \
+	md2 md4 md5 sha hmac ripemd \
+	des aes rc2 rc4 idea bf cast \
+	bn ec rsa dsa ecdsa dh ecdh dso engine \
 	buffer bio stack lhash rand err \
-	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
-
-FDIRS=	sha1 rand des aes dsa rsa dh
+	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
+	store pqueue
+# keep in mind that the above list is adjusted by ./Configure
+# according to no-xxx arguments...
 
 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.
@@ -207,7 +138,6 @@ ONEDIRS=out tmp
 EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
 WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
-SIGS=	libcrypto.a.sha1
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
 SHARED_LIBS=
@@ -222,45 +152,106 @@ WTARFILE=       $(NAME)-win.tar
 EXHEADER=       e_os2.h
 HEADER=         e_os.h
 
-# When we're prepared to use shared libraries in the programs we link here
-# we might remove 'clean-shared' from the targets to perform at this stage
+all: Makefile build_all openssl.pc libssl.pc libcrypto.pc
+
+# as we stick to -e, CLEARENV ensures that local variables in lower
+# Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
+# shell, which [annoyingly enough] terminates unset with error if VAR
+# is not present:-( TOP= && unset TOP is tribute to HP-UX /bin/sh,
+# which terminates unset with error if no variable was present:-(
+CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
+		$${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES}	\
+		$${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC}		\
+		$${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL}	\
+		$${EXHEADER+EXHEADER} $${HEADER+HEADER}		\
+		$${GENERAL+GENERAL} $${CFLAGS+CFLAGS}		\
+		$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS}		\
+		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS}		\
+		$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS}	\
+		$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
+
+BUILDENV=	PLATFORM='${PLATFORM}' PROCESSOR='${PROCESSOR}' \
+		CC='${CC}' CFLAG='${CFLAG}' 			\
+		AS='${CC}' ASFLAG='${CFLAG} -c'			\
+		AR='${AR}' PERL='${PERL}' RANLIB='${RANLIB}'	\
+		SDIRS='${SDIRS}' LIBRPATH='${INSTALLTOP}/lib'	\
+		INSTALL_PREFIX='${INSTALL_PREFIX}'		\
+		INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}'	\
+		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD ${MAKEDEPPROG}' \
+		DEPFLAG='-DOPENSSL_NO_DEPRECATED ${DEPFLAG}'	\
+		MAKEDEPPROG='${MAKEDEPPROG}'			\
+		SHARED_LDFLAGS='${SHARED_LDFLAGS}'		\
+		KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}'	\
+		EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}'	\
+		SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}'	\
+		PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}'	\
+		CPUID_OBJ='${CPUID_OBJ}'			\
+		BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' 	\
+		AES_ASM_OBJ='${AES_ASM_OBJ}'			\
+		BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}'	\
+		RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}'	\
+		SHA1_ASM_OBJ='${SHA1_ASM_OBJ}'			\
+		MD5_ASM_OBJ='${MD5_ASM_OBJ}'			\
+		RMD160_ASM_OBJ='${RMD160_ASM_OBJ}'		\
+		THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
+# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
+# which in turn eliminates ambiguities in variable treatment with -e.
+
+# BUILD_CMD is a generic macro to build a given target in a given
+# subdirectory.  The target must be given through the shell variable
+# `target' and the subdirectory to build in must be given through `dir'.
+# This macro shouldn't be used directly, use RECURSIVE_BUILD_CMD or
+# BUILD_ONE_CMD instead.
+#
+# BUILD_ONE_CMD is a macro to build a given target in a given
+# subdirectory if that subdirectory is part of $(DIRS).  It requires
+# exactly the same shell variables as BUILD_CMD.
+#
+# RECURSIVE_BUILD_CMD is a macro to build a given target in all
+# subdirectories defined in $(DIRS).  It requires that the target
+# is given through the shell variable `target'.
+BUILD_CMD=  if [ -d "$$dir" ]; then \
+	    (	cd $$dir && echo "making $$target in $$dir..." && \
+		$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
+	    ) || exit 1; \
+	    fi
+RECURSIVE_BUILD_CMD=for dir in $(DIRS); do $(BUILD_CMD); done
+BUILD_ONE_CMD=\
+	if echo " $(DIRS) " | grep " $$dir " >/dev/null 2>/dev/null; then \
+		$(BUILD_CMD); \
+	fi
 
-all: Makefile sub_all openssl.pc
+reflect:
+	@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
 
-sigs:	$(SIGS)
-libcrypto.a.sha1: libcrypto.a
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-		$(RANLIB) libcrypto.a; \
-		fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.a.sha1; \
-	fi
+sub_all: build_all
+build_all: build_libs build_apps build_tests build_tools
 
-sub_all:
-	@for i in $(DIRS); \
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making all in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
-	else \
-		$(MAKE) $$i; \
-	fi; \
-	done;
+build_libs: build_crypto build_ssl build_engines
 
-sub_target:
-	@for i in $(DIRS); \
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making $(TARGET) in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TARGET='$(TARGET)' sub_target ) || exit 1; \
-	else \
-		$(MAKE) $$i; \
-	fi; \
-	done;
+build_crypto:
+	@dir=crypto; target=all; $(BUILD_ONE_CMD)
+build_ssl:
+	@dir=ssl; target=all; $(BUILD_ONE_CMD)
+build_engines:
+	@dir=engines; target=all; $(BUILD_ONE_CMD)
+build_apps:
+	@dir=apps; target=all; $(BUILD_ONE_CMD)
+build_tests:
+	@dir=test; target=all; $(BUILD_ONE_CMD)
+build_tools:
+	@dir=tools; target=all; $(BUILD_ONE_CMD)
+
+all_testapps: build_libs build_testapps
+build_testapps:
+	@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
 
 libcrypto$(SHLIB_EXT): libcrypto.a
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		$(MAKE) SHLIBDIRS=crypto build-shared; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
+		exit 1; \
 	fi
 
 libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
@@ -268,10 +259,11 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
 		$(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
+		exit 1; \
 	fi
 
 clean-shared:
-	@for i in $(SHLIBDIRS); do \
+	@set -e; for i in $(SHLIBDIRS); do \
 		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
 			tmp="$(SHARED_LIBS_LINK_EXTS)"; \
 			for j in $${tmp:-x}; do \
@@ -280,327 +272,59 @@ clean-shared:
 		fi; \
 		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
 		if [ "$(PLATFORM)" = "Cygwin" ]; then \
-			( set -x; rm -f cyg$$i-$(SHLIB_VERSION_NUMBER)$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
+			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
 		fi; \
 	done
 
 link-shared:
-	@if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
-		tmp="$(SHARED_LIBS_LINK_EXTS)"; \
-		for i in $(SHLIBDIRS); do \
-			prev=lib$$i$(SHLIB_EXT); \
-			for j in $${tmp:-x}; do \
-				( set -x; \
-				rm -f lib$$i$$j; ln -s $$prev lib$$i$$j ); \
-				prev=lib$$i$$j; \
-			done; \
-		done; \
-	fi
-
-build-shared: clean-shared do_$(SHLIB_TARGET) link-shared
-
-do_bsd-gcc-shared: do_gnu-shared
-do_linux-shared: do_gnu-shared
-do_gnu-shared:
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	( set -x; ${CC} ${SHARED_LDFLAGS} \
-		-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		-Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		-Wl,-Bsymbolic \
-		-Wl,--whole-archive lib$$i.a \
-		-Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \
-	libs="-l$$i $$libs"; \
-	done
-
-DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
-
-# For Darwin AKA Mac OS/X (dyld)
-do_darwin-shared: 
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	( set -x; ${CC} --verbose -dynamiclib -o lib$$i${SHLIB_EXT} \
-		lib$$i.a $$libs -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		-compatibility_version ${SHLIB_MAJOR}.`echo ${SHLIB_MINOR} | cut -d. -f1` \
-		-install_name ${INSTALLTOP}/lib/lib$$i${SHLIB_EXT} ) || exit 1; \
-	libs="-l`basename $$i${SHLIB_EXT} .dylib` $$libs"; \
-	echo "" ; \
+	@ set -e; for i in ${SHLIBDIRS}; do \
+		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
+			LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
+			LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
+			symlink.$(SHLIB_TARGET); \
+		libs="$$libs -l$$i"; \
 	done
 
-do_cygwin-shared:
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	( set -x; ${CC}  -shared -o cyg$$i-$(SHLIB_VERSION_NUMBER).dll \
-		-Wl,-Bsymbolic \
-		-Wl,--whole-archive lib$$i.a \
-		-Wl,--out-implib,lib$$i.dll.a \
-		-Wl,--no-whole-archive $$libs ) || exit 1; \
-	libs="-l$$i $$libs"; \
-	done
-
-# This assumes that GNU utilities are *not* used
-do_alpha-osf1-shared:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		( set -x; ${CC} ${SHARED_LDFLAGS} \
-			-shared -o lib$$i.so \
-			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
-		libs="-l$$i $$libs"; \
-		done; \
-	fi
-
-# This assumes that GNU utilities are *not* used
-# The difference between alpha-osf1-shared and tru64-shared is the `-msym'
-# option passed to the linker.
-do_tru64-shared:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		( set -x; ${CC} ${SHARED_LDFLAGS} \
-			-shared -msym -o lib$$i.so \
-			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
-		libs="-l$$i $$libs"; \
-		done; \
-	fi
-
-# This assumes that GNU utilities are *not* used
-# The difference between tru64-shared and tru64-shared-rpath is the
-# -rpath ${INSTALLTOP}/lib passed to the linker.
-do_tru64-shared-rpath:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		( set -x; ${CC} ${SHARED_LDFLAGS} \
-			-shared -msym -o lib$$i.so \
-			-rpath  ${INSTALLTOP}/lib \
-			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
-		libs="-l$$i $$libs"; \
-		done; \
-	fi
-
-
-# This assumes that GNU utilities are *not* used
-do_solaris-shared:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
-		  MINUSZ='-z '; \
-		  (${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \
-			-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-Wl,-Bsymbolic \
-			$${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \
-			$$libs ${EX_LIBS} -lc ) || exit 1; \
-		libs="-l$$i $$libs"; \
-		done; \
-	fi
-
-# OpenServer 5 native compilers used
-do_svr3-shared:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
-		  find . -name "*.o" -print > allobjs ; \
-		  OBJS= ; export OBJS ; \
-		  for obj in `ar t lib$$i.a` ; do \
-		    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
-		  done ; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
-			-G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
-		libs="-l$$i $$libs"; \
-		done; \
-	fi
-
-# UnixWare 7 and OpenUNIX 8 native compilers used
-do_svr5-shared:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
-		  SHARE_FLAG='-G'; \
-		  (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
-		  find . -name "*.o" -print > allobjs ; \
-		  OBJS= ; export OBJS ; \
-		  for obj in `ar t lib$$i.a` ; do \
-		    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
-		  done ; \
-		  set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \
-			${CC} ${SHARED_LDFLAGS} \
-			$${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
-		libs="-l$$i $$libs"; \
-		done; \
-	fi
+build-shared: do_$(SHLIB_TARGET) link-shared
 
-# This assumes that GNU utilities are *not* used
-do_irix-shared:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+do_$(SHLIB_TARGET):
+	@ set -e; libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
-		( WHOLELIB="-all lib$$i.a -notall"; \
-		  (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-notall"; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
-			-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			$${WHOLELIB} $$libs ${EX_LIBS} -lc) || exit 1; \
+		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+			LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
+			LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
+			LIBDEPS="$$libs $(EX_LIBS)" \
+			link_a.$(SHLIB_TARGET); \
 		libs="-l$$i $$libs"; \
-		done; \
-	fi
-
-# This assumes that GNU utilities are *not* used
-# HP-UX includes the full pathname of libs we depend on, so we would get
-# ./libcrypto (with ./ as path information) compiled into libssl, hence
-# we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto
-# anyway.
-# The object modules are loaded from lib$i.a using the undocumented -Fl
-# option.
-#
-# WARNING: Until DSO is fixed to support a search path, we support SHLIB_PATH
-#          by temporarily specifying "+s"!
-#
-do_hpux-shared:
-	for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
-		+vnocompatwarnings \
-		-b -z +s \
-		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		-Fl lib$$i.a -ldld -lc ) || exit 1; \
-	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
 	done
 
-# This assumes that GNU utilities are *not* used
-# HP-UX includes the full pathname of libs we depend on, so we would get
-# ./libcrypto (with ./ as path information) compiled into libssl, hence
-# we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto
-# anyway.
-#
-# HP-UX in 64bit mode has "+s" enabled by default; it will search for
-# shared libraries along LD_LIBRARY_PATH _and_ SHLIB_PATH.
-#
-do_hpux64-shared:
-	for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
-		-b -z \
-		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		+forceload lib$$i.a -ldl -lc ) || exit 1; \
-	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
-	done
-
-# The following method is said to work on all platforms.  Tests will
-# determine if that's how it's gong to be used.
-# This assumes that for all but GNU systems, GNU utilities are *not* used.
-# ALLSYMSFLAGS would be:
-#  GNU systems: --whole-archive
-#  Tru64 Unix:  -all
-#  Solaris:     -z allextract
-#  Irix:        -all
-#  HP/UX-32bit: -Fl
-#  HP/UX-64bit: +forceload
-#  AIX:		-bnogc
-# SHAREDFLAGS would be:
-#  GNU systems: -shared -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
-#  Tru64 Unix:  -shared \
-#		-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}"
-#  Solaris:     -G -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
-#  Irix:        -shared -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
-#  HP/UX-32bit: +vnocompatwarnings -b -z +s \
-#		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}
-#  HP/UX-64bit: -b -z +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}
-#  AIX:		-G -bE:lib$$i.exp -bM:SRE
-# SHAREDCMD would be:
-#  GNU systems: $(CC)
-#  Tru64 Unix:  $(CC)
-#  Solaris:     $(CC)
-#  Irix:        $(CC)
-#  HP/UX-32bit: /usr/ccs/bin/ld
-#  HP/UX-64bit: /usr/ccs/bin/ld
-#  AIX:		$(CC)
-ALLSYMSFLAG=-bnogc
-SHAREDFLAGS=${SHARED_LDFLAGS} -G -bE:lib$$i.exp -bM:SRE
-SHAREDCMD=$(CC)
-do_aix-shared:
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	( set -x; \
-	  ld -r -o lib$$i.o $(ALLSYMSFLAG) lib$$i.a && \
-	  ( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \
-	    $(SHAREDCMD) $(SHAREDFLAGS) \
-		-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} lib$$i.o \
-		$$libs ${EX_LIBS} ) ) \
-	|| exit 1; \
-	libs="-l$$i $$libs"; \
-	done
+libcrypto.pc: Makefile
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL-libcrypto'; \
+	    echo 'Description: OpenSSL cryptography library'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Requires: '; \
+	    echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
 
-do_reliantunix-shared:
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	tmpdir=/tmp/openssl.$$$$ ; rm -rf $$tmpdir ; \
-	( set -x; \
-	  ( Opwd=`pwd` ; mkdir $$tmpdir || exit 1; \
-	    cd $$tmpdir || exit 1 ; ar x $$Opwd/lib$$i.a ; \
-	    ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} *.o \
-	  ) || exit 1; \
-	  cp $$tmpdir/lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} . ; \
-	) || exit 1; \
-	rm -rf $$tmpdir ; \
-	libs="-l$$i $$libs"; \
-	done
+libssl.pc: Makefile
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL'; \
+	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Requires: '; \
+	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
 
 openssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -612,31 +336,25 @@ openssl.pc: Makefile
 	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
-	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(LIBKRB5) $(EX_LIBS)'; \
+	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
 
-Makefile: Makefile.org
-	@echo "Makefile is older than Makefile.org."
+Makefile: Makefile.org Configure config
+	@echo "Makefile is older than Makefile.org, Configure or config."
 	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
 	@false
 
 libclean:
-	rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib
+	rm -f *.map *.so *.so.* *.dll engines/*.so engines/*.dll *.a engines/*.a */lib */*/lib
 
 clean:	libclean
 	rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making clean in $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \
-		rm -f $(LIBS); \
-	fi; \
-	done;
-	rm -f openssl.pc
+	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
+	rm -f $(LIBS)
+	rm -f openssl.pc libssl.pc libcrypto.pc
 	rm -f speed.* .pure
 	rm -f $(TARFILE)
-	@for i in $(ONEDIRS) ;\
+	@set -e; for i in $(ONEDIRS) ;\
 	do \
 	rm -fr $$i/*; \
 	done
@@ -647,84 +365,44 @@ makefile.one: files
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making 'files' in $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=files; $(RECURSIVE_BUILD_CMD)
 
 links:
 	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
 	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
-	@for i in $(DIRS); do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making links in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=links; $(RECURSIVE_BUILD_CMD)
 
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
-	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
+	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
 
 dclean:
 	rm -f *.bak
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making dclean in $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
 
 rehash: rehash.time
 rehash.time: certs
-	@(OPENSSL="`pwd`/apps/openssl$(EXE_EXT)"; OPENSSL_DEBUG_MEMORY=on; \
-		export OPENSSL OPENSSL_DEBUG_MEMORY; \
-		LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
-		DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
-		SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
-		LIBPATH="`pwd`:$$LIBPATH"; \
-		if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
-		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
-		$(PERL) tools/c_rehash certs)
+	@(OPENSSL="`pwd`/util/opensslwrap.sh"; \
+	  OPENSSL_DEBUG_MEMORY=on; \
+	  export OPENSSL OPENSSL_DEBUG_MEMORY; \
+	  $(PERL) tools/c_rehash certs)
 	touch rehash.time
 
 test:   tests
 
 tests: rehash
 	@(cd test && echo "testing..." && \
-	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
-	@LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
-	DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
-	SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
-	LIBPATH="`pwd`:$$LIBPATH"; \
-	if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
-	export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
-	apps/openssl version -a
+	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
+	util/opensslwrap.sh version -a
 
 report:
 	@$(PERL) util/selftest.pl
 
 depend:
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making dependencies $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
 
 lint:
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making lint $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
 
 tags:
 	rm -f TAGS
@@ -732,7 +410,8 @@ tags:
 
 errors:
 	$(PERL) util/mkerr.pl -recurse -write
-	(cd crypto/engine; $(MAKE) PERL=$(PERL) errors)
+	(cd engines; $(MAKE) PERL=$(PERL) errors)
+	$(PERL) util/ck_errf.pl */*.c */*/*.c
 
 stacks:
 	$(PERL) util/mkstack.pl -write
@@ -751,11 +430,15 @@ crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt c
 apps/openssl-vms.cnf: apps/openssl.cnf
 	$(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
 
+crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl
+	$(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h
+
+
 TABLE: Configure
 	(echo 'Output of `Configure TABLE'"':"; \
 	$(PERL) Configure TABLE) > TABLE
 
-update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h apps/openssl-vms.cnf TABLE
+update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend
 
 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
@@ -790,45 +473,36 @@ dist:
 	@$(MAKE) TAR='${TAR}' TARFLAGS='${TARFLAGS}' tar
 
 dist_pem_h:
-	(cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean)
+	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
 
 install: all install_docs install_sw
 
 install_sw:
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
-	@for i in $(EXHEADER) ;\
+	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i; echo "installing $$i..."; \
-		$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' install ); \
-	fi; \
-	done
-	@for i in $(LIBS) ;\
+	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
+	@set -e; for i in $(LIBS) ;\
 	do \
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
 			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-				: ; \
-			else \
-				$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			fi; \
+			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
 		fi; \
 	done;
-	@if [ -n "$(SHARED_LIBS)" ]; then \
+	@set -e; if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
 		for i in $${tmp:-x}; \
 		do \
@@ -839,20 +513,19 @@ install_sw:
 					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				else \
-					c=`echo $$i | sed 's/^lib\(.*\)\.dll/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
+					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				fi ); \
 			fi; \
 		done; \
 		(	here="`pwd`"; \
 			cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-			set $(MAKE); \
-			$$1 -f $$here/Makefile link-shared ); \
+			$(MAKE) -f $$here/Makefile HERE="$$here" link-shared ); \
 		if [ "$(INSTALLTOP)" != "/usr" ]; then \
 			echo 'OpenSSL shared libraries have been installed in:'; \
 			echo '  $(INSTALLTOP)'; \
@@ -860,15 +533,10 @@ install_sw:
 			sed -e '1,/^$$/d' doc/openssl-shared.txt; \
 		fi; \
 	fi
-	@for i in $(SIGS) ;\
-	do \
-		if [ -f "$$i" ]; then \
-		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
-		fi; \
-	done;
+	cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/libcrypto.pc
+	cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/libssl.pc
 	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc
 
@@ -881,12 +549,12 @@ install_docs:
 	@pod2man="`cd util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
-	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" ]; then \
+	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \
 		filecase=-i; \
 	fi; \
-	for i in doc/apps/*.pod; do \
+	set -e; for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
-		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
+		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
 		sh -c "$$pod2man \
@@ -894,16 +562,16 @@ install_docs:
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
-			grep -v $$filecase "^$$fn\$$" | \
-			grep -v "[	]" | \
+			(grep -v $$filecase "^$$fn\$$"; true) | \
+			(grep -v "[	]"; true) | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
 	done; \
-	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
+	set -e; for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
-		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
+		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
 		sh -c "$$pod2man \
@@ -911,8 +579,8 @@ install_docs:
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
-			grep -v $$filecase "^$$fn\$$" | \
-			grep -v "[	]" | \
+			(grep -v $$filecase "^$$fn\$$"; true) | \
+			(grep -v "[	]"; true) | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org
index 7a30acac3cb4..eaa9a11f9ce4 100644
--- a/crypto/openssl/Makefile.org
+++ b/crypto/openssl/Makefile.org
@@ -57,9 +57,8 @@ OPENSSLDIR=/usr/local/ssl
 # equal 4.
 # PKCS1_CHECK - pkcs1 tests.
 
-CC= gcc
-#CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-CFLAG= -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+CC= cc
+CFLAG= -O
 DEPFLAG= 
 PEX_LIBS= 
 EX_LIBS= 
@@ -80,113 +79,45 @@ MAKEDEPPROG=makedepend
 AS=$(CC) -c
 ASFLAG=$(CFLAG)
 
-# Set BN_ASM to bn_asm.o if you want to use the C version
-BN_ASM= bn_asm.o
-#BN_ASM= bn_asm.o
-#BN_ASM= asm/bn86-elf.o	# elf, linux-elf
-#BN_ASM= asm/bn86-sol.o # solaris
-#BN_ASM= asm/bn86-out.o # a.out, FreeBSD
-#BN_ASM= asm/bn86bsdi.o # bsdi
-#BN_ASM= asm/alpha.o    # DEC Alpha
-#BN_ASM= asm/pa-risc2.o # HP-UX PA-RISC
-#BN_ASM= asm/r3000.o    # SGI MIPS cpu
-#BN_ASM= asm/sparc.o    # Sun solaris/SunOS
-#BN_ASM= asm/bn-win32.o # Windows 95/NT
-#BN_ASM= asm/x86w16.o   # 16 bit code for Windows 3.1/DOS
-#BN_ASM= asm/x86w32.o   # 32 bit code for Windows 3.1
-
 # For x86 assembler: Set PROCESSOR to 386 if you want to support
 # the 80386.
 PROCESSOR=
 
-# Set DES_ENC to des_enc.o if you want to use the C version
-#There are 4 x86 assember options.
-FIPS_DES_ENC= des_enc.o fcrypt_b.o
-DES_ENC= asm/dx86-out.o asm/yx86-out.o
-#DES_ENC= des_enc.o fcrypt_b.o          # C
-#DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf
-#DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris
-#DES_ENC= asm/dx86-out.o asm/yx86-out.o # a.out, FreeBSD
-#DES_ENC= asm/dx86bsdi.o asm/yx86bsdi.o # bsdi
-
-# Set BF_ENC to bf_enc.o if you want to use the C version
-#There are 4 x86 assember options.
-BF_ENC= asm/bx86-out.o
-#BF_ENC= bf_enc.o
-#BF_ENC= asm/bx86-elf.o # elf
-#BF_ENC= asm/bx86-sol.o # solaris
-#BF_ENC= asm/bx86-out.o # a.out, FreeBSD
-#BF_ENC= asm/bx86bsdi.o # bsdi
-
-# Set CAST_ENC to c_enc.o if you want to use the C version
-#There are 4 x86 assember options.
-CAST_ENC= asm/cx86-out.o
-#CAST_ENC= c_enc.o
-#CAST_ENC= asm/cx86-elf.o # elf
-#CAST_ENC= asm/cx86-sol.o # solaris
-#CAST_ENC= asm/cx86-out.o # a.out, FreeBSD
-#CAST_ENC= asm/cx86bsdi.o # bsdi
-
-# Set RC4_ENC to rc4_enc.o if you want to use the C version
-#There are 4 x86 assember options.
-RC4_ENC= asm/rx86-out.o
-#RC4_ENC= rc4_enc.o
-#RC4_ENC= asm/rx86-elf.o # elf
-#RC4_ENC= asm/rx86-sol.o # solaris
-#RC4_ENC= asm/rx86-out.o # a.out, FreeBSD
-#RC4_ENC= asm/rx86bsdi.o # bsdi
-
-# Set RC5_ENC to rc5_enc.o if you want to use the C version
-#There are 4 x86 assember options.
-RC5_ENC= asm/r586-out.o
-#RC5_ENC= rc5_enc.o
-#RC5_ENC= asm/r586-elf.o # elf
-#RC5_ENC= asm/r586-sol.o # solaris
-#RC5_ENC= asm/r586-out.o # a.out, FreeBSD
-#RC5_ENC= asm/r586bsdi.o # bsdi
-
-# Also need MD5_ASM defined
-MD5_ASM_OBJ= asm/mx86-out.o
-#MD5_ASM_OBJ= asm/mx86-elf.o        # elf
-#MD5_ASM_OBJ= asm/mx86-sol.o        # solaris
-#MD5_ASM_OBJ= asm/mx86-out.o        # a.out, FreeBSD
-#MD5_ASM_OBJ= asm/mx86bsdi.o        # bsdi
-
-# Also need SHA1_ASM defined
-SHA1_ASM_OBJ= asm/sx86-out.o
-FIPS_SHA1_ASM_OBJ= asm/sx86-out.o
-#SHA1_ASM_OBJ= asm/sx86-elf.o       # elf
-#SHA1_ASM_OBJ= asm/sx86-sol.o       # solaris
-#SHA1_ASM_OBJ= asm/sx86-out.o       # a.out, FreeBSD
-#SHA1_ASM_OBJ= asm/sx86bsdi.o       # bsdi
-
-# Also need RMD160_ASM defined
-RMD160_ASM_OBJ= asm/rm86-out.o
-#RMD160_ASM_OBJ= asm/rm86-elf.o       # elf
-#RMD160_ASM_OBJ= asm/rm86-sol.o       # solaris
-#RMD160_ASM_OBJ= asm/rm86-out.o       # a.out, FreeBSD
-#RMD160_ASM_OBJ= asm/rm86bsdi.o       # bsdi
+# CPUID module collects small commonly used assembler snippets
+CPUID_OBJ= 
+BN_ASM= bn_asm.o
+DES_ENC= des_enc.o fcrypt_b.o
+AES_ASM_OBJ=aes_core.o aes_cbc.o
+BF_ENC= bf_enc.o
+CAST_ENC= c_enc.o
+RC4_ENC= rc4_enc.o
+RC5_ENC= rc5_enc.o
+MD5_ASM_OBJ= 
+SHA1_ASM_OBJ= 
+RMD160_ASM_OBJ= 
 
 # KRB5 stuff
 KRB5_INCLUDES=
 LIBKRB5=
 
-# When we're prepared to use shared libraries in the programs we link here
-# we might set SHLIB_MARK to '$(SHARED_LIBS)'.
-SHLIB_MARK=
+# Zlib stuff
+ZLIB_INCLUDE=
+LIBZLIB=
 
-DIRS=   crypto fips ssl $(SHLIB_MARK) sigs apps test tools
-SHLIBDIRS= fips crypto ssl
+DIRS=   crypto ssl engines apps test tools
+SHLIBDIRS= crypto ssl
 
 # dirs in crypto to build
-SDIRS=  objects \
+SDIRS=  \
+	objects \
 	md2 md4 md5 sha mdc2 hmac ripemd \
-	des rc2 rc4 rc5 idea bf cast \
-	bn ec rsa dsa dh dso engine aes \
+	des aes rc2 rc4 rc5 idea bf cast \
+	bn ec rsa dsa ecdsa dh ecdh dso engine \
 	buffer bio stack lhash rand err \
-	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
-
-FDIRS=	sha1 rand des aes dsa rsa dh
+	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
+	store pqueue
+# keep in mind that the above list is adjusted by ./Configure
+# according to no-xxx arguments...
 
 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.
@@ -205,7 +136,6 @@ ONEDIRS=out tmp
 EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
 WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
-SIGS=	libcrypto.a.sha1
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
 SHARED_LIBS=
@@ -220,45 +150,106 @@ WTARFILE=       $(NAME)-win.tar
 EXHEADER=       e_os2.h
 HEADER=         e_os.h
 
-# When we're prepared to use shared libraries in the programs we link here
-# we might remove 'clean-shared' from the targets to perform at this stage
+all: Makefile build_all openssl.pc libssl.pc libcrypto.pc
+
+# as we stick to -e, CLEARENV ensures that local variables in lower
+# Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
+# shell, which [annoyingly enough] terminates unset with error if VAR
+# is not present:-( TOP= && unset TOP is tribute to HP-UX /bin/sh,
+# which terminates unset with error if no variable was present:-(
+CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
+		$${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES}	\
+		$${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC}		\
+		$${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL}	\
+		$${EXHEADER+EXHEADER} $${HEADER+HEADER}		\
+		$${GENERAL+GENERAL} $${CFLAGS+CFLAGS}		\
+		$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS}		\
+		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS}		\
+		$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS}	\
+		$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
+
+BUILDENV=	PLATFORM='${PLATFORM}' PROCESSOR='${PROCESSOR}' \
+		CC='${CC}' CFLAG='${CFLAG}' 			\
+		AS='${CC}' ASFLAG='${CFLAG} -c'			\
+		AR='${AR}' PERL='${PERL}' RANLIB='${RANLIB}'	\
+		SDIRS='${SDIRS}' LIBRPATH='${INSTALLTOP}/lib'	\
+		INSTALL_PREFIX='${INSTALL_PREFIX}'		\
+		INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}'	\
+		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD ${MAKEDEPPROG}' \
+		DEPFLAG='-DOPENSSL_NO_DEPRECATED ${DEPFLAG}'	\
+		MAKEDEPPROG='${MAKEDEPPROG}'			\
+		SHARED_LDFLAGS='${SHARED_LDFLAGS}'		\
+		KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}'	\
+		EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}'	\
+		SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}'	\
+		PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}'	\
+		CPUID_OBJ='${CPUID_OBJ}'			\
+		BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' 	\
+		AES_ASM_OBJ='${AES_ASM_OBJ}'			\
+		BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}'	\
+		RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}'	\
+		SHA1_ASM_OBJ='${SHA1_ASM_OBJ}'			\
+		MD5_ASM_OBJ='${MD5_ASM_OBJ}'			\
+		RMD160_ASM_OBJ='${RMD160_ASM_OBJ}'		\
+		THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
+# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
+# which in turn eliminates ambiguities in variable treatment with -e.
+
+# BUILD_CMD is a generic macro to build a given target in a given
+# subdirectory.  The target must be given through the shell variable
+# `target' and the subdirectory to build in must be given through `dir'.
+# This macro shouldn't be used directly, use RECURSIVE_BUILD_CMD or
+# BUILD_ONE_CMD instead.
+#
+# BUILD_ONE_CMD is a macro to build a given target in a given
+# subdirectory if that subdirectory is part of $(DIRS).  It requires
+# exactly the same shell variables as BUILD_CMD.
+#
+# RECURSIVE_BUILD_CMD is a macro to build a given target in all
+# subdirectories defined in $(DIRS).  It requires that the target
+# is given through the shell variable `target'.
+BUILD_CMD=  if [ -d "$$dir" ]; then \
+	    (	cd $$dir && echo "making $$target in $$dir..." && \
+		$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
+	    ) || exit 1; \
+	    fi
+RECURSIVE_BUILD_CMD=for dir in $(DIRS); do $(BUILD_CMD); done
+BUILD_ONE_CMD=\
+	if echo " $(DIRS) " | grep " $$dir " >/dev/null 2>/dev/null; then \
+		$(BUILD_CMD); \
+	fi
 
-all: Makefile sub_all openssl.pc
+reflect:
+	@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
 
-sigs:	$(SIGS)
-libcrypto.a.sha1: libcrypto.a
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-		$(RANLIB) libcrypto.a; \
-		fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.a.sha1; \
-	fi
+sub_all: build_all
+build_all: build_libs build_apps build_tests build_tools
 
-sub_all:
-	@for i in $(DIRS); \
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making all in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
-	else \
-		$(MAKE) $$i; \
-	fi; \
-	done;
+build_libs: build_crypto build_ssl build_engines
 
-sub_target:
-	@for i in $(DIRS); \
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making $(TARGET) in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TARGET='$(TARGET)' sub_target ) || exit 1; \
-	else \
-		$(MAKE) $$i; \
-	fi; \
-	done;
+build_crypto:
+	@dir=crypto; target=all; $(BUILD_ONE_CMD)
+build_ssl:
+	@dir=ssl; target=all; $(BUILD_ONE_CMD)
+build_engines:
+	@dir=engines; target=all; $(BUILD_ONE_CMD)
+build_apps:
+	@dir=apps; target=all; $(BUILD_ONE_CMD)
+build_tests:
+	@dir=test; target=all; $(BUILD_ONE_CMD)
+build_tools:
+	@dir=tools; target=all; $(BUILD_ONE_CMD)
+
+all_testapps: build_libs build_testapps
+build_testapps:
+	@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
 
 libcrypto$(SHLIB_EXT): libcrypto.a
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		$(MAKE) SHLIBDIRS=crypto build-shared; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
+		exit 1; \
 	fi
 
 libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
@@ -266,10 +257,11 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
 		$(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
+		exit 1; \
 	fi
 
 clean-shared:
-	@for i in $(SHLIBDIRS); do \
+	@set -e; for i in $(SHLIBDIRS); do \
 		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
 			tmp="$(SHARED_LIBS_LINK_EXTS)"; \
 			for j in $${tmp:-x}; do \
@@ -278,327 +270,59 @@ clean-shared:
 		fi; \
 		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
 		if [ "$(PLATFORM)" = "Cygwin" ]; then \
-			( set -x; rm -f cyg$$i-$(SHLIB_VERSION_NUMBER)$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
+			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
 		fi; \
 	done
 
 link-shared:
-	@if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
-		tmp="$(SHARED_LIBS_LINK_EXTS)"; \
-		for i in $(SHLIBDIRS); do \
-			prev=lib$$i$(SHLIB_EXT); \
-			for j in $${tmp:-x}; do \
-				( set -x; \
-				rm -f lib$$i$$j; ln -s $$prev lib$$i$$j ); \
-				prev=lib$$i$$j; \
-			done; \
-		done; \
-	fi
-
-build-shared: clean-shared do_$(SHLIB_TARGET) link-shared
-
-do_bsd-gcc-shared: do_gnu-shared
-do_linux-shared: do_gnu-shared
-do_gnu-shared:
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	( set -x; ${CC} ${SHARED_LDFLAGS} \
-		-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		-Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		-Wl,-Bsymbolic \
-		-Wl,--whole-archive lib$$i.a \
-		-Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \
-	libs="-l$$i $$libs"; \
-	done
-
-DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
-
-# For Darwin AKA Mac OS/X (dyld)
-do_darwin-shared: 
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	( set -x; ${CC} --verbose -dynamiclib -o lib$$i${SHLIB_EXT} \
-		lib$$i.a $$libs -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		-compatibility_version ${SHLIB_MAJOR}.`echo ${SHLIB_MINOR} | cut -d. -f1` \
-		-install_name ${INSTALLTOP}/lib/lib$$i${SHLIB_EXT} ) || exit 1; \
-	libs="-l`basename $$i${SHLIB_EXT} .dylib` $$libs"; \
-	echo "" ; \
+	@ set -e; for i in ${SHLIBDIRS}; do \
+		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
+			LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
+			LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
+			symlink.$(SHLIB_TARGET); \
+		libs="$$libs -l$$i"; \
 	done
 
-do_cygwin-shared:
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	( set -x; ${CC}  -shared -o cyg$$i-$(SHLIB_VERSION_NUMBER).dll \
-		-Wl,-Bsymbolic \
-		-Wl,--whole-archive lib$$i.a \
-		-Wl,--out-implib,lib$$i.dll.a \
-		-Wl,--no-whole-archive $$libs ) || exit 1; \
-	libs="-l$$i $$libs"; \
-	done
-
-# This assumes that GNU utilities are *not* used
-do_alpha-osf1-shared:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		( set -x; ${CC} ${SHARED_LDFLAGS} \
-			-shared -o lib$$i.so \
-			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
-		libs="-l$$i $$libs"; \
-		done; \
-	fi
-
-# This assumes that GNU utilities are *not* used
-# The difference between alpha-osf1-shared and tru64-shared is the `-msym'
-# option passed to the linker.
-do_tru64-shared:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		( set -x; ${CC} ${SHARED_LDFLAGS} \
-			-shared -msym -o lib$$i.so \
-			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
-		libs="-l$$i $$libs"; \
-		done; \
-	fi
-
-# This assumes that GNU utilities are *not* used
-# The difference between tru64-shared and tru64-shared-rpath is the
-# -rpath ${INSTALLTOP}/lib passed to the linker.
-do_tru64-shared-rpath:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		( set -x; ${CC} ${SHARED_LDFLAGS} \
-			-shared -msym -o lib$$i.so \
-			-rpath  ${INSTALLTOP}/lib \
-			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
-		libs="-l$$i $$libs"; \
-		done; \
-	fi
-
-
-# This assumes that GNU utilities are *not* used
-do_solaris-shared:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
-		  MINUSZ='-z '; \
-		  (${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \
-			-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-Wl,-Bsymbolic \
-			$${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \
-			$$libs ${EX_LIBS} -lc ) || exit 1; \
-		libs="-l$$i $$libs"; \
-		done; \
-	fi
-
-# OpenServer 5 native compilers used
-do_svr3-shared:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
-		  find . -name "*.o" -print > allobjs ; \
-		  OBJS= ; export OBJS ; \
-		  for obj in `ar t lib$$i.a` ; do \
-		    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
-		  done ; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
-			-G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
-		libs="-l$$i $$libs"; \
-		done; \
-	fi
+build-shared: do_$(SHLIB_TARGET) link-shared
 
-# UnixWare 7 and OpenUNIX 8 native compilers used
-do_svr5-shared:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+do_$(SHLIB_TARGET):
+	@ set -e; libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
-		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
-		  SHARE_FLAG='-G'; \
-		  (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
-		  find . -name "*.o" -print > allobjs ; \
-		  OBJS= ; export OBJS ; \
-		  for obj in `ar t lib$$i.a` ; do \
-		    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
-		  done ; \
-		  set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \
-			${CC} ${SHARED_LDFLAGS} \
-			$${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
+		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+			LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
+			LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
+			LIBDEPS="$$libs $(EX_LIBS)" \
+			link_a.$(SHLIB_TARGET); \
 		libs="-l$$i $$libs"; \
-		done; \
-	fi
-
-# This assumes that GNU utilities are *not* used
-do_irix-shared:
-	if ${DETECT_GNU_LD}; then \
-		$(MAKE) do_gnu-shared; \
-	else \
-		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		( WHOLELIB="-all lib$$i.a -notall"; \
-		  (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-notall"; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
-			-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			$${WHOLELIB} $$libs ${EX_LIBS} -lc) || exit 1; \
-		libs="-l$$i $$libs"; \
-		done; \
-	fi
-
-# This assumes that GNU utilities are *not* used
-# HP-UX includes the full pathname of libs we depend on, so we would get
-# ./libcrypto (with ./ as path information) compiled into libssl, hence
-# we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto
-# anyway.
-# The object modules are loaded from lib$i.a using the undocumented -Fl
-# option.
-#
-# WARNING: Until DSO is fixed to support a search path, we support SHLIB_PATH
-#          by temporarily specifying "+s"!
-#
-do_hpux-shared:
-	for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
-		+vnocompatwarnings \
-		-b -z +s \
-		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		-Fl lib$$i.a -ldld -lc ) || exit 1; \
-	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
-	done
-
-# This assumes that GNU utilities are *not* used
-# HP-UX includes the full pathname of libs we depend on, so we would get
-# ./libcrypto (with ./ as path information) compiled into libssl, hence
-# we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto
-# anyway.
-#
-# HP-UX in 64bit mode has "+s" enabled by default; it will search for
-# shared libraries along LD_LIBRARY_PATH _and_ SHLIB_PATH.
-#
-do_hpux64-shared:
-	for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
-		-b -z \
-		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		+forceload lib$$i.a -ldl -lc ) || exit 1; \
-	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
 	done
 
-# The following method is said to work on all platforms.  Tests will
-# determine if that's how it's gong to be used.
-# This assumes that for all but GNU systems, GNU utilities are *not* used.
-# ALLSYMSFLAGS would be:
-#  GNU systems: --whole-archive
-#  Tru64 Unix:  -all
-#  Solaris:     -z allextract
-#  Irix:        -all
-#  HP/UX-32bit: -Fl
-#  HP/UX-64bit: +forceload
-#  AIX:		-bnogc
-# SHAREDFLAGS would be:
-#  GNU systems: -shared -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
-#  Tru64 Unix:  -shared \
-#		-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}"
-#  Solaris:     -G -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
-#  Irix:        -shared -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
-#  HP/UX-32bit: +vnocompatwarnings -b -z +s \
-#		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}
-#  HP/UX-64bit: -b -z +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}
-#  AIX:		-G -bE:lib$$i.exp -bM:SRE
-# SHAREDCMD would be:
-#  GNU systems: $(CC)
-#  Tru64 Unix:  $(CC)
-#  Solaris:     $(CC)
-#  Irix:        $(CC)
-#  HP/UX-32bit: /usr/ccs/bin/ld
-#  HP/UX-64bit: /usr/ccs/bin/ld
-#  AIX:		$(CC)
-ALLSYMSFLAG=-bnogc
-SHAREDFLAGS=${SHARED_LDFLAGS} -G -bE:lib$$i.exp -bM:SRE
-SHAREDCMD=$(CC)
-do_aix-shared:
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	( set -x; \
-	  ld -r -o lib$$i.o $(ALLSYMSFLAG) lib$$i.a && \
-	  ( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \
-	    $(SHAREDCMD) $(SHAREDFLAGS) \
-		-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} lib$$i.o \
-		$$libs ${EX_LIBS} ) ) \
-	|| exit 1; \
-	libs="-l$$i $$libs"; \
-	done
+libcrypto.pc: Makefile
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL-libcrypto'; \
+	    echo 'Description: OpenSSL cryptography library'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Requires: '; \
+	    echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
 
-do_reliantunix-shared:
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	tmpdir=/tmp/openssl.$$$$ ; rm -rf $$tmpdir ; \
-	( set -x; \
-	  ( Opwd=`pwd` ; mkdir $$tmpdir || exit 1; \
-	    cd $$tmpdir || exit 1 ; ar x $$Opwd/lib$$i.a ; \
-	    ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} *.o \
-	  ) || exit 1; \
-	  cp $$tmpdir/lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} . ; \
-	) || exit 1; \
-	rm -rf $$tmpdir ; \
-	libs="-l$$i $$libs"; \
-	done
+libssl.pc: Makefile
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL'; \
+	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Requires: '; \
+	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
 
 openssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -610,31 +334,25 @@ openssl.pc: Makefile
 	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
-	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(LIBKRB5) $(EX_LIBS)'; \
+	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
 
-Makefile: Makefile.org
-	@echo "Makefile is older than Makefile.org."
+Makefile: Makefile.org Configure config
+	@echo "Makefile is older than Makefile.org, Configure or config."
 	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
 	@false
 
 libclean:
-	rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib
+	rm -f *.map *.so *.so.* *.dll engines/*.so engines/*.dll *.a engines/*.a */lib */*/lib
 
 clean:	libclean
 	rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making clean in $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \
-		rm -f $(LIBS); \
-	fi; \
-	done;
-	rm -f openssl.pc
+	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
+	rm -f $(LIBS)
+	rm -f openssl.pc libssl.pc libcrypto.pc
 	rm -f speed.* .pure
 	rm -f $(TARFILE)
-	@for i in $(ONEDIRS) ;\
+	@set -e; for i in $(ONEDIRS) ;\
 	do \
 	rm -fr $$i/*; \
 	done
@@ -645,84 +363,44 @@ makefile.one: files
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making 'files' in $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=files; $(RECURSIVE_BUILD_CMD)
 
 links:
 	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
 	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
-	@for i in $(DIRS); do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making links in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=links; $(RECURSIVE_BUILD_CMD)
 
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
-	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
+	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
 
 dclean:
 	rm -f *.bak
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making dclean in $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
 
 rehash: rehash.time
 rehash.time: certs
-	@(OPENSSL="`pwd`/apps/openssl$(EXE_EXT)"; OPENSSL_DEBUG_MEMORY=on; \
-		export OPENSSL OPENSSL_DEBUG_MEMORY; \
-		LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
-		DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
-		SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
-		LIBPATH="`pwd`:$$LIBPATH"; \
-		if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
-		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
-		$(PERL) tools/c_rehash certs)
+	@(OPENSSL="`pwd`/util/opensslwrap.sh"; \
+	  OPENSSL_DEBUG_MEMORY=on; \
+	  export OPENSSL OPENSSL_DEBUG_MEMORY; \
+	  $(PERL) tools/c_rehash certs)
 	touch rehash.time
 
 test:   tests
 
 tests: rehash
 	@(cd test && echo "testing..." && \
-	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
-	@LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
-	DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
-	SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
-	LIBPATH="`pwd`:$$LIBPATH"; \
-	if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
-	export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
-	apps/openssl version -a
+	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
+	util/opensslwrap.sh version -a
 
 report:
 	@$(PERL) util/selftest.pl
 
 depend:
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making dependencies $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
 
 lint:
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making lint $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
 
 tags:
 	rm -f TAGS
@@ -730,7 +408,8 @@ tags:
 
 errors:
 	$(PERL) util/mkerr.pl -recurse -write
-	(cd crypto/engine; $(MAKE) PERL=$(PERL) errors)
+	(cd engines; $(MAKE) PERL=$(PERL) errors)
+	$(PERL) util/ck_errf.pl */*.c */*/*.c
 
 stacks:
 	$(PERL) util/mkstack.pl -write
@@ -749,11 +428,15 @@ crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt c
 apps/openssl-vms.cnf: apps/openssl.cnf
 	$(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
 
+crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl
+	$(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h
+
+
 TABLE: Configure
 	(echo 'Output of `Configure TABLE'"':"; \
 	$(PERL) Configure TABLE) > TABLE
 
-update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h apps/openssl-vms.cnf TABLE
+update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend
 
 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
@@ -788,45 +471,36 @@ dist:
 	@$(MAKE) TAR='${TAR}' TARFLAGS='${TARFLAGS}' tar
 
 dist_pem_h:
-	(cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean)
+	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
 
 install: all install_docs install_sw
 
 install_sw:
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
-	@for i in $(EXHEADER) ;\
+	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i; echo "installing $$i..."; \
-		$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' install ); \
-	fi; \
-	done
-	@for i in $(LIBS) ;\
+	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
+	@set -e; for i in $(LIBS) ;\
 	do \
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
 			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-				: ; \
-			else \
-				$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			fi; \
+			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
 		fi; \
 	done;
-	@if [ -n "$(SHARED_LIBS)" ]; then \
+	@set -e; if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
 		for i in $${tmp:-x}; \
 		do \
@@ -837,20 +511,19 @@ install_sw:
 					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				else \
-					c=`echo $$i | sed 's/^lib\(.*\)\.dll/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
+					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				fi ); \
 			fi; \
 		done; \
 		(	here="`pwd`"; \
 			cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-			set $(MAKE); \
-			$$1 -f $$here/Makefile link-shared ); \
+			$(MAKE) -f $$here/Makefile HERE="$$here" link-shared ); \
 		if [ "$(INSTALLTOP)" != "/usr" ]; then \
 			echo 'OpenSSL shared libraries have been installed in:'; \
 			echo '  $(INSTALLTOP)'; \
@@ -858,15 +531,10 @@ install_sw:
 			sed -e '1,/^$$/d' doc/openssl-shared.txt; \
 		fi; \
 	fi
-	@for i in $(SIGS) ;\
-	do \
-		if [ -f "$$i" ]; then \
-		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
-		fi; \
-	done;
+	cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/libcrypto.pc
+	cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/libssl.pc
 	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc
 
@@ -879,12 +547,12 @@ install_docs:
 	@pod2man="`cd util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
-	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" ]; then \
+	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \
 		filecase=-i; \
 	fi; \
-	for i in doc/apps/*.pod; do \
+	set -e; for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
-		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
+		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
 		sh -c "$$pod2man \
@@ -892,16 +560,16 @@ install_docs:
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
-			grep -v $$filecase "^$$fn\$$" | \
-			grep -v "[	]" | \
+			(grep -v $$filecase "^$$fn\$$"; true) | \
+			(grep -v "[	]"; true) | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
 	done; \
-	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
+	set -e; for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
-		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
+		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
 		sh -c "$$pod2man \
@@ -909,8 +577,8 @@ install_docs:
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
-			grep -v $$filecase "^$$fn\$$" | \
-			grep -v "[	]" | \
+			(grep -v $$filecase "^$$fn\$$"; true) | \
+			(grep -v "[	]"; true) | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
diff --git a/crypto/openssl/Makefile.shared b/crypto/openssl/Makefile.shared
new file mode 100644
index 000000000000..ef1bfe1223a5
--- /dev/null
+++ b/crypto/openssl/Makefile.shared
@@ -0,0 +1,603 @@
+#
+# Helper makefile to link shared libraries in a portable way.
+# This is much simpler than libtool, and hopefully not too error-prone.
+#
+# The following variables need to be set on the command line to build
+# properly
+
+# CC contains the current compiler.  This one MUST be defined
+CC=cc
+CFLAGS=$(CFLAG)
+# LDFLAGS contains flags to be used when temporary object files (when building
+# shared libraries) are created, or when an application is linked.
+# SHARED_LDFLAGS contains flags to be used when the shared library is created.
+LDFLAGS=
+SHARED_LDFLAGS=
+
+# LIBNAME contains just the name of the library, without prefix ("lib"
+# on Unix, "cyg" for certain forms under Cygwin...) or suffix (.a, .so,
+# .dll, ...).  This one MUST have a value when using this makefile to
+# build shared libraries.
+# For example, to build libfoo.so, you need to do the following:
+#LIBNAME=foo
+LIBNAME=
+
+# APPNAME contains just the name of the application, without suffix (""
+# on Unix, ".exe" on Windows, ...).  This one MUST have a value when using
+# this makefile to build applications.
+# For example, to build foo, you need to do the following:
+#APPNAME=foo
+APPNAME=
+
+# OBJECTS contains all the object files to link together into the application.
+# This must contain at least one object file.
+#OBJECTS=foo.o
+OBJECTS=
+
+# LIBEXTRAS contains extra modules to link together with the library.
+# For example, if a second library, say libbar.a needs to be linked into
+# libfoo.so, you need to do the following:
+#LIBEXTRAS=libbar.a
+# Note that this MUST be used when using the link_o targets, to hold the
+# names of all object files that go into the target library.
+LIBEXTRAS=
+
+# LIBVERSION contains the current version of the library.
+# For example, to build libfoo.so.1.2, you need to do the following:
+#LIBVERSION=1.2
+LIBVERSION=
+
+# LIBCOMPATVERSIONS contains the compatibility versions (a list) of
+# the library.  They MUST be in decreasing order.
+# For example, if libfoo.so.1.2.1 is backward compatible with libfoo.so.1.2
+# and libfoo.so.1, you need to do the following:
+#LIBCOMPATVERSIONS=1.2 1
+# Note that on systems that use sonames, the last number will appear as
+# part of it.
+# It's also possible, for systems that support it (Tru64, for example),
+# to add extra compatibility info with more precision, by adding a second
+# list of versions, separated from the first with a semicolon, like this:
+#LIBCOMPATVERSIONS=1.2 1;1.2.0 1.1.2 1.1.1 1.1.0 1.0.0
+LIBCOMPATVERSIONS=
+
+# LIBDEPS contains all the flags necessary to cover all necessary
+# dependencies to other libraries.
+LIBDEPS=
+
+#------------------------------------------------------------------------------
+# The rest is private to this makefile.
+
+SET_X=:
+#SET_X=set -x
+
+top:
+	echo "Trying to use this makefile interactively?  Don't."
+
+CALC_VERSIONS=	\
+	SHLIB_COMPAT=; SHLIB_SOVER=; \
+	if [ -n "$(LIBVERSION)$(LIBCOMPATVERSIONS)" ]; then \
+		prev=""; \
+		for v in `echo "$(LIBVERSION) $(LIBCOMPATVERSIONS)" | cut -d';' -f1`; do \
+			SHLIB_SOVER_NODOT=$$v; \
+			SHLIB_SOVER=.$$v; \
+			if [ -n "$$prev" ]; then \
+				SHLIB_COMPAT="$$SHLIB_COMPAT .$$prev"; \
+			fi; \
+			prev=$$v; \
+		done; \
+	fi
+
+LINK_APP=	\
+  ( $(SET_X);   \
+    LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
+    LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \
+    LIBPATH=`for x in $$LIBDEPS; do if echo $$x | grep '^ *-L' > /dev/null 2>&1; then echo $$x | sed -e 's/^ *-L//'; fi; done | uniq`; \
+    LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
+    LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+    $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )
+
+LINK_SO=	\
+  ( $(SET_X);   \
+    LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
+    SHAREDCMD="$${SHAREDCMD:-$(CC)}"; \
+    SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
+    nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' > lib$(LIBNAME).exp; \
+    LIBPATH=`for x in $$LIBDEPS; do if echo $$x | grep '^ *-L' > /dev/null 2>&1; then echo $$x | sed -e 's/^ *-L//'; fi; done | uniq`; \
+    LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
+    LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+    $${SHAREDCMD} $${SHAREDFLAGS} \
+	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
+	$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \
+  ) && $(SYMLINK_SO); \
+  ( $(SET_X); rm -f lib$(LIBNAME).exp )
+
+SYMLINK_SO=	\
+	if [ -n "$$INHIBIT_SYMLINKS" ]; then :; else \
+		prev=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
+		if [ -n "$$SHLIB_COMPAT" ]; then \
+			for x in $$SHLIB_COMPAT; do \
+				( $(SET_X); rm -f $$SHLIB$$x$$SHLIB_SUFFIX; \
+				  ln -s $$prev $$SHLIB$$x$$SHLIB_SUFFIX ); \
+				prev=$$SHLIB$$x$$SHLIB_SUFFIX; \
+			done; \
+		fi; \
+		if [ -n "$$SHLIB_SOVER" ]; then \
+			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
+			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
+		fi; \
+	fi
+
+LINK_SO_A=	SHOBJECTS="lib$(LIBNAME).a $(LIBEXTRAS)"; $(LINK_SO)
+LINK_SO_O=	SHOBJECTS="$(LIBEXTRAS)"; $(LINK_SO)
+
+LINK_SO_A_VIA_O=	\
+  SHOBJECTS=lib$(LIBNAME).o; \
+  ALL=$$ALLSYMSFLAGS; ALLSYMSFLAGS=; NOALLSYMSFLAGS=; \
+  ( $(SET_X); \
+    ld $(LDFLAGS) -r -o lib$(LIBNAME).o $$ALL lib$(LIBNAME).a $(LIBEXTRAS) ); \
+  $(LINK_SO) && rm -f $(LIBNAME).o
+
+LINK_SO_A_UNPACKED=	\
+  UNPACKDIR=link_tmp.$$$$; rm -rf $$UNPACKDIR; mkdir $$UNPACKDIR; \
+  (cd $$UNPACKDIR; ar x ../lib$(LIBNAME).a) && \
+  ([ -z "$(LIBEXTRAS)" ] || cp $(LIBEXTRAS) $$UNPACKDIR) && \
+  SHOBJECTS=$$UNPACKDIR/*.o; \
+  $(LINK_SO) && rm -rf $$UNPACKDIR
+
+DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
+
+DO_GNU_SO=$(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	ALLSYMSFLAGS='-Wl,--whole-archive'; \
+	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
+
+#This is rather special.  It's a special target with which one can link
+#applications without bothering with any features that have anything to
+#do with shared libraries, for example when linking against static
+#libraries.  It's mostly here to avoid a lot of conditionals everywhere
+#else...
+link_app.:
+	$(LINK_APP)
+
+link_o.gnu:
+	@ $(DO_GNU_SO); $(LINK_SO_O)
+link_a.gnu:
+	@ $(DO_GNU_SO); $(LINK_SO_A)
+link_app.gnu:
+	@ $(DO_GNU_APP); $(LINK_APP)
+
+link_o.bsd:
+	@if ${DETECT_GNU_LD}; then $(DO_GNU_SO); else \
+	$(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	LIBDEPS=" "; \
+	ALLSYMSFLAGS="-Wl,-Bforcearchive"; \
+	NOALLSYMSFLAGS=; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
+	fi; $(LINK_SO_O)
+link_a.bsd:
+	@if ${DETECT_GNU_LD}; then $(DO_GNU_SO); else \
+	$(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	LIBDEPS=" "; \
+	ALLSYMSFLAGS="-Wl,-Bforcearchive"; \
+	NOALLSYMSFLAGS=; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
+	fi; $(LINK_SO_A)
+link_app.bsd:
+	@if ${DETECT_GNU_LD}; then $(DO_GNU_APP); else \
+	LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBPATH)"; \
+	fi; $(LINK_APP)
+
+# For Darwin AKA Mac OS/X (dyld)
+# link_o.darwin produces .so, because we let it use dso_dlfcn module,
+# which has .so extension hard-coded. One can argue that one should
+# develop special dso module for MacOS X. At least manual encourages
+# to use native NSModule(3) API and refers to dlfcn as termporary hack.
+link_o.darwin:
+	@ $(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME); \
+	SHLIB_SUFFIX=.so; \
+	ALLSYMSFLAGS='-all_load'; \
+	NOALLSYMSFLAGS=''; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS)"; \
+	if [ -n "$(LIBVERSION)" ]; then \
+		SHAREDFLAGS="$$SHAREDFLAGS -current_version $(LIBVERSION)"; \
+	fi; \
+	if [ -n "$$SHLIB_SOVER_NODOT" ]; then \
+		SHAREDFLAGS="$$SHAREDFLAGS -compatibility_version $$SHLIB_SOVER_NODOT"; \
+	fi; \
+	$(LINK_SO_O)
+link_a.darwin:
+	@ $(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME); \
+	SHLIB_SUFFIX=.dylib; \
+	ALLSYMSFLAGS='-all_load'; \
+	NOALLSYMSFLAGS=''; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS)"; \
+	if [ -n "$(LIBVERSION)" ]; then \
+		SHAREDFLAGS="$$SHAREDFLAGS -current_version $(LIBVERSION)"; \
+	fi; \
+	if [ -n "$$SHLIB_SOVER_NODOT" ]; then \
+		SHAREDFLAGS="$$SHAREDFLAGS -compatibility_version $$SHLIB_SOVER_NODOT"; \
+	fi; \
+	SHAREDFLAGS="$$SHAREDFLAGS -install_name ${INSTALLTOP}/lib/$$SHLIB${SHLIB_EXT}"; \
+	$(LINK_SO_A)
+link_app.darwin:	# is there run-path on darwin?
+	$(LINK_APP)
+
+link_o.cygwin:
+	@ $(CALC_VERSIONS); \
+	INHIBIT_SYMLINKS=yes; \
+	SHLIB=cyg$(LIBNAME); \
+	expr $(PLATFORM) : 'mingw' > /dev/null && SHLIB=$(LIBNAME)eay32; \
+	SHLIB_SUFFIX=.dll; \
+	LIBVERSION="$(LIBVERSION)"; \
+	SHLIB_SOVER=${LIBVERSION:+"-$(LIBVERSION)"}; \
+	ALLSYMSFLAGS='-Wl,--whole-archive'; \
+	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a"; \
+	$(LINK_SO_O)
+link_a.cygwin:
+	@ $(CALC_VERSIONS); \
+	INHIBIT_SYMLINKS=yes; \
+	SHLIB=cyg$(LIBNAME); \
+	expr $(PLATFORM) : 'mingw' > /dev/null && SHLIB=$(LIBNAME)eay32; \
+	SHLIB_SUFFIX=.dll; \
+	SHLIB_SOVER=-$(LIBVERSION); \
+	ALLSYMSFLAGS='-Wl,--whole-archive'; \
+	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+	base=;  [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a"; \
+	[ -f apps/$$SHLIB$$SHLIB_SUFFIX ] && rm apps/$$SHLIB$$SHLIB_SUFFIX; \
+	[ -f test/$$SHLIB$$SHLIB_SUFFIX ] && rm test/$$SHLIB$$SHLIB_SUFFIX; \
+	$(LINK_SO_A) || exit 1; \
+	cp -p $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX apps/; \
+	cp -p $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX test/
+link_app.cygwin:
+	$(LINK_APP)
+
+link_o.alpha-osf1:
+	@ if ${DETECT_GNU_LD}; then \
+		$(DO_GNU_SO); \
+	else \
+		SHLIB=lib$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		SHLIB_HIST=`echo "$(LIBCOMPATVERSIONS)" | cut -d';' -f2 | sed -e 's/ */:/'`; \
+		if [ -n "$$SHLIB_HIST" ]; then \
+			SHLIB_HIST="$${SHLIB_HIST}:$(LIBVERSION)"; \
+		else \
+			SHLIB_HIST="$(LIBVERSION)"; \
+		fi; \
+		SHLIB_SOVER=; \
+		ALLSYMSFLAGS='-all'; \
+		NOALLSYMSFLAGS='-none'; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared"; \
+		if [ -n "$$SHLIB_HIST" ]; then \
+			SHAREDFLAGS="$$SHAREDFLAGS -set_version $$SHLIB_HIST"; \
+		fi; \
+	fi; \
+	$(LINK_SO_O)
+link_a.alpha-osf1:
+	@ if ${DETECT_GNU_LD}; then \
+		$(DO_GNU_SO); \
+	else \
+		SHLIB=lib$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		SHLIB_HIST=`echo "$(LIBCOMPATVERSIONS)" | cut -d';' -f2 | sed -e 's/ */:/'`; \
+		if [ -n "$$SHLIB_HIST" ]; then \
+			SHLIB_HIST="$${SHLIB_HIST}:$(LIBVERSION)"; \
+		else \
+			SHLIB_HIST="$(LIBVERSION)"; \
+		fi; \
+		SHLIB_SOVER=; \
+		ALLSYMSFLAGS='-all'; \
+		NOALLSYMSFLAGS='-none'; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared"; \
+		if [ -n "$$SHLIB_HIST" ]; then \
+			SHAREDFLAGS="$$SHAREDFLAGS -set_version $$SHLIB_HIST"; \
+		fi; \
+	fi; \
+	$(LINK_SO_A)
+link_app.alpha-osf1:
+	@if ${DETECT_GNU_LD}; then \
+		$(DO_GNU_APP); \
+	else \
+		LDFLAGS="$(CFLAGS) -rpath $(LIBRPATH)"; \
+	fi; \
+	$(LINK_APP)
+
+link_o.solaris:
+	@ if ${DETECT_GNU_LD}; then \
+		$(DO_GNU_SO); \
+	else \
+		$(CALC_VERSIONS); \
+		MINUSZ='-z '; \
+		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
+		SHLIB=lib$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		ALLSYMSFLAGS="$${MINUSZ}allextract"; \
+		NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
+	fi; \
+	$(LINK_SO_O)
+link_a.solaris:
+	@ if ${DETECT_GNU_LD}; then \
+		$(DO_GNU_SO); \
+	else \
+		$(CALC_VERSIONS); \
+		MINUSZ='-z '; \
+		(${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
+		SHLIB=lib$(LIBNAME).so; \
+		SHLIB_SUFFIX=;\
+		ALLSYMSFLAGS="$${MINUSZ}allextract"; \
+		NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
+	fi; \
+	$(LINK_SO_A)
+link_app.solaris:
+	@ if ${DETECT_GNU_LD}; then \
+		$(DO_GNU_APP); \
+	else \
+		LDFLAGS="$(CFLAGS) -R $(LIBRPATH)"; \
+	fi; \
+	$(LINK_APP)
+
+# OpenServer 5 native compilers used
+link_o.svr3:
+	@ if ${DETECT_GNU_LD}; then \
+		$(DO_GNU_SO); \
+	else \
+		$(CALC_VERSIONS); \
+		SHLIB=lib$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		ALLSYMSFLAGS=''; \
+		NOALLSYMSFLAGS=''; \
+		SHAREDFLAGS="$(CFLAGS) -G -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+	fi; \
+	$(LINK_SO_O)
+link_a.svr3:
+	@ if ${DETECT_GNU_LD}; then \
+		$(DO_GNU_SO); \
+	else \
+		$(CALC_VERSIONS); \
+		SHLIB=lib$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		ALLSYMSFLAGS=''; \
+		NOALLSYMSFLAGS=''; \
+		SHAREDFLAGS="$(CFLAGS) -G -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+	fi; \
+	$(LINK_SO_A_UNPACKED)
+link_app.svr3:
+	@${DETECT_GNU_LD} && $(DO_GNU_APP); \
+	$(LINK_APP)
+
+# UnixWare 7 and OpenUNIX 8 native compilers used
+link_o.svr5:
+	@ if ${DETECT_GNU_LD}; then \
+		$(DO_GNU_SO); \
+	else \
+		$(CALC_VERSIONS); \
+		SHARE_FLAG='-G'; \
+		($(CC) -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
+		SHLIB=lib$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		ALLSYMSFLAGS=''; \
+		NOALLSYMSFLAGS=''; \
+		SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+	fi; \
+	$(LINK_SO_O)
+link_a.svr5:
+	@ if ${DETECT_GNU_LD}; then \
+		$(DO_GNU_SO); \
+	else \
+		$(CALC_VERSIONS); \
+		SHARE_FLAG='-G'; \
+		(${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
+		SHLIB=lib$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		ALLSYMSFLAGS=''; \
+		NOALLSYMSFLAGS=''; \
+		SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+	fi; \
+	$(LINK_SO_A_UNPACKED)
+link_app.svr5:
+	@${DETECT_GNU_LD} && $(DO_GNU_APP); \
+	$(LINK_APP)
+
+link_o.irix:
+	@ if ${DETECT_GNU_LD}; then \
+		$(DO_GNU_SO); \
+	else \
+		$(CALC_VERSIONS); \
+		SHLIB=lib$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		MINUSWL=""; \
+		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \
+		ALLSYMSFLAGS="$${MINUSWL}-all"; \
+		NOALLSYMSFLAGS="$${MINUSWL}-none"; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+	fi; \
+	$(LINK_SO_O)
+link_a.irix:
+	@ if ${DETECT_GNU_LD}; then \
+		$(DO_GNU_SO); \
+	else \
+		$(CALC_VERSIONS); \
+		SHLIB=lib$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		MINUSWL=""; \
+		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \
+		ALLSYMSFLAGS="$${MINUSWL}-all"; \
+		NOALLSYMSFLAGS="$${MINUSWL}-none"; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+	fi; \
+	$(LINK_SO_A)
+link_app.irix:
+	@LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"; \
+	$(LINK_APP)
+
+# 32-bit PA-RISC HP-UX embeds the -L pathname of libs we link with, so
+# we compensate for it with +cdp ../: and +cdp ./:. Yes, these rewrite
+# rules imply that we can only link one level down in catalog structure,
+# but that's what takes place for the moment of this writing. +cdp option
+# was introduced in HP-UX 11.x and applies in 32-bit PA-RISC link
+# editor context only [it's simply ignored in other cases, which are all
+# ELFs by the way].
+#
+link_o.hpux:
+	@if ${DETECT_GNU_LD}; then $(DO_GNU_SO); else \
+	$(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).sl; \
+	expr "$(CFLAGS)" : 'DSO_DLFCN' > /dev/null && SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	ALLSYMSFLAGS='-Wl,-Fl'; \
+	NOALLSYMSFLAGS=''; \
+	expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+	fi; \
+	rm -f $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX || :; \
+	$(LINK_SO_O) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
+link_a.hpux:
+	@if ${DETECT_GNU_LD}; then $(DO_GNU_SO); else \
+	$(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).sl; \
+	expr $(PLATFORM) : '.*ia64' > /dev/null && SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	ALLSYMSFLAGS='-Wl,-Fl'; \
+	NOALLSYMSFLAGS=''; \
+	expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+	fi; \
+	rm -f $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX || :; \
+	$(LINK_SO_A) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
+link_app.hpux:
+	@if ${DETECT_GNU_LD}; then $(DO_GNU_APP); else \
+	LDFLAGS="$(CFLAGS) -Wl,+s,+cdp,../:,+cdp,./:,+b,$(LIBRPATH)"; \
+	fi; \
+	$(LINK_APP)
+
+link_o.aix:
+	@ $(CALC_VERSIONS); \
+	OBJECT_MODE=`expr x$(SHARED_LDFLAGS) : 'x\-[a-z]\([0-9]*\)'`; \
+	OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
+	SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	ALLSYMSFLAGS='-bnogc'; \
+	NOALLSYMSFLAGS=''; \
+	SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -G -bE:lib$(LIBNAME).exp -bM:SRE'; \
+	$(LINK_SO_O); rm -rf lib$(LIBNAME).exp
+link_a.aix:
+	@ $(CALC_VERSIONS); \
+	OBJECT_MODE=`expr x$(SHARED_LDFLAGS) : 'x\-[a-z]\([0-9]*\)'`; \
+	OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
+	SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	ALLSYMSFLAGS='-bnogc'; \
+	NOALLSYMSFLAGS=''; \
+	SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -G -bE:lib$(LIBNAME).exp -bM:SRE'; \
+	$(LINK_SO_A_VIA_O)
+link_app.aix:
+	LDFLAGS="$(CFLAGS) -blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
+	$(LINK_APP)
+
+link_o.reliantunix:
+	@ $(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	ALLSYMSFLAGS=; \
+	NOALLSYMSFLAGS=''; \
+	SHAREDFLAGS='$(CFLAGS) -G'; \
+	$(LINK_SO_O)
+link_a.reliantunix:
+	@ $(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	ALLSYMSFLAGS=; \
+	NOALLSYMSFLAGS=''; \
+	SHAREDFLAGS='$(CFLAGS) -G'; \
+	$(LINK_SO_A_UNPACKED)
+link_app.reliantunix:
+	$(LINK_APP)
+
+# Targets to build symbolic links when needed
+symlink.gnu symlink.solaris symlink.svr3 symlink.svr5 symlink.irix \
+symlink.aix symlink.reliantunix:
+	@ $(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).so; \
+	$(SYMLINK_SO)
+symlink.darwin:
+	@ $(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME); \
+	SHLIB_SUFFIX=.dylib; \
+	$(SYMLINK_SO)
+symlink.hpux:
+	@ $(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).sl; \
+	expr $(PLATFORM) : '.*ia64' > /dev/null && SHLIB=lib$(LIBNAME).so; \
+	$(SYMLINK_SO)
+# The following lines means those specific architectures do no symlinks
+symlink.cygwin symlink.alpha-osf1 symlink.tru64 symlink.tru64-rpath:
+
+# Compatibility targets
+link_o.bsd-gcc-shared link_o.linux-shared link_o.gnu-shared: link_o.gnu
+link_a.bsd-gcc-shared link_a.linux-shared link_a.gnu-shared: link_a.gnu
+link_app.bsd-gcc-shared link_app.linux-shared link_app.gnu-shared: link_app.gnu
+symlink.bsd-gcc-shared symlink.bsd-shared symlink.linux-shared symlink.gnu-shared: symlink.gnu
+link_o.bsd-shared: link_o.bsd
+link_a.bsd-shared: link_a.bsd
+link_app.bsd-shared: link_app.bsd
+link_o.darwin-shared: link_o.darwin
+link_a.darwin-shared: link_a.darwin
+link_app.darwin-shared: link_app.darwin
+symlink.darwin-shared: symlink.darwin
+link_o.cygwin-shared: link_o.cygwin
+link_a.cygwin-shared: link_a.cygwin
+link_app.cygwin-shared: link_app.cygwin
+symlink.cygwin-shared: symlink.cygwin
+link_o.alpha-osf1-shared: link_o.alpha-osf1
+link_a.alpha-osf1-shared: link_a.alpha-osf1
+link_app.alpha-osf1-shared: link_app.alpha-osf1
+symlink.alpha-osf1-shared: symlink.alpha-osf1
+link_o.tru64-shared: link_o.tru64
+link_a.tru64-shared: link_a.tru64
+link_app.tru64-shared: link_app.tru64
+symlink.tru64-shared: symlink.tru64
+link_o.tru64-shared-rpath: link_o.tru64-rpath
+link_a.tru64-shared-rpath: link_a.tru64-rpath
+link_app.tru64-shared-rpath: link_app.tru64-rpath
+symlink.tru64-shared-rpath: symlink.tru64-rpath
+link_o.solaris-shared: link_o.solaris
+link_a.solaris-shared: link_a.solaris
+link_app.solaris-shared: link_app.solaris
+symlink.solaris-shared: symlink.solaris
+link_o.svr3-shared: link_o.svr3
+link_a.svr3-shared: link_a.svr3
+link_app.svr3-shared: link_app.svr3
+symlink.svr3-shared: symlink.svr3
+link_o.svr5-shared: link_o.svr5
+link_a.svr5-shared: link_a.svr5
+link_app.svr5-shared: link_app.svr5
+symlink.svr5-shared: symlink.svr5
+link_o.irix-shared: link_o.irix
+link_a.irix-shared: link_a.irix
+link_app.irix-shared: link_app.irix
+symlink.irix-shared: symlink.irix
+link_o.hpux-shared: link_o.hpux
+link_a.hpux-shared: link_a.hpux
+link_app.hpux-shared: link_app.hpux
+symlink.hpux-shared: symlink.hpux
+link_o.aix-shared: link_o.aix
+link_a.aix-shared: link_a.aix
+link_app.aix-shared: link_app.aix
+symlink.aix-shared: symlink.aix
+link_o.reliantunix-shared: link_o.reliantunix
+link_a.reliantunix-shared: link_a.reliantunix
+link_app.reliantunix-shared: link_app.reliantunix
+symlink.reliantunix-shared: symlink.reliantunix
diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS
index 496f59de41a1..4cdfbf4377ba 100644
--- a/crypto/openssl/NEWS
+++ b/crypto/openssl/NEWS
@@ -5,6 +5,127 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b:
+
+      o Cipher string fixes.
+      o Fixes for VC++ 2005.
+      o Updated ECC cipher suite support.
+      o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free().
+      o Zlib compression usage fixes.
+      o Built in dynamic engine compilation support on Win32.
+      o Fixes auto dynamic engine loading in Win32.
+
+  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:
+
+      o Fix potential SSL 2.0 rollback, CAN-2005-2969
+      o Extended Windows CE support
+
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:
+
+      o Major work on the BIGNUM library for higher efficiency and to
+        make operations more streamlined and less contradictory.  This
+        is the result of a major audit of the BIGNUM library.
+      o Addition of BIGNUM functions for fields GF(2^m) and NIST
+        curves, to support the Elliptic Crypto functions.
+      o Major work on Elliptic Crypto; ECDH and ECDSA added, including
+        the use through EVP, X509 and ENGINE.
+      o New ASN.1 mini-compiler that's usable through the OpenSSL
+        configuration file.
+      o Added support for ASN.1 indefinite length constructed encoding.
+      o New PKCS#12 'medium level' API to manipulate PKCS#12 files.
+      o Complete rework of shared library construction and linking
+        programs with shared or static libraries, through a separate
+        Makefile.shared.
+      o Rework of the passing of parameters from one Makefile to another.
+      o Changed ENGINE framework to load dynamic engine modules
+        automatically from specifically given directories.
+      o New structure and ASN.1 functions for CertificatePair.
+      o Changed the ZLIB compression method to be stateful.
+      o Changed the key-generation and primality testing "progress"
+        mechanism to take a structure that contains the ticker
+        function and an argument.
+      o New engine module: GMP (performs private key exponentiation).
+      o New engine module: VIA PadLOck ACE extension in VIA C3
+        Nehemiah processors.
+      o Added support for IPv6 addresses in certificate extensions.
+        See RFC 1884, section 2.2.
+      o Added support for certificate policy mappings, policy
+        constraints and name constraints.
+      o Added support for multi-valued AVAs in the OpenSSL
+        configuration file.
+      o Added support for multiple certificates with the same subject
+        in the 'openssl ca' index file.
+      o Make it possible to create self-signed certificates using
+        'openssl ca -selfsign'.
+      o Make it possible to generate a serial number file with
+        'openssl ca -create_serial'.
+      o New binary search functions with extended functionality.
+      o New BUF functions.
+      o New STORE structure and library to provide an interface to all
+        sorts of data repositories.  Supports storage of public and
+        private keys, certificates, CRLs, numbers and arbitrary blobs.
+	This library is unfortunately unfinished and unused withing
+	OpenSSL.
+      o New control functions for the error stack.
+      o Changed the PKCS#7 library to support one-pass S/MIME
+        processing.
+      o Added the possibility to compile without old deprecated
+        functionality with the OPENSSL_NO_DEPRECATED macro or the
+        'no-deprecated' argument to the config and Configure scripts.
+      o Constification of all ASN.1 conversion functions, and other
+        affected functions.
+      o Improved platform support for PowerPC.
+      o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512).
+      o New X509_VERIFY_PARAM structure to support parametrisation
+        of X.509 path validation.
+      o Major overhaul of RC4 performance on Intel P4, IA-64 and
+        AMD64.
+      o Changed the Configure script to have some algorithms disabled
+        by default.  Those can be explicitely enabled with the new
+        argument form 'enable-xxx'.
+      o Change the default digest in 'openssl' commands from MD5 to
+        SHA-1.
+      o Added support for DTLS.
+      o New BIGNUM blinding.
+      o Added support for the RSA-PSS encryption scheme
+      o Added support for the RSA X.931 padding.
+      o Added support for BSD sockets on NetWare.
+      o Added support for files larger than 2GB.
+      o Added initial support for Win64.
+      o Added alternate pkg-config files.
+
+  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j:
+
+      o Visual C++ 2005 fixes.
+      o Update Windows build system for FIPS.
+
+  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i:
+
+      o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
+
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h:
+
+      o Fix SSL 2.0 Rollback, CAN-2005-2969
+      o Allow use of fixed-length exponent on DSA signing
+      o Default fixed-window RSA, DSA, DH private-key operations
+
+  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g:
+
+      o More compilation issues fixed.
+      o Adaptation to more modern Kerberos API.
+      o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin.
+      o Enhanced x86_64 assembler BIGNUM module.
+      o More constification.
+      o Added processing of proxy certificates (RFC 3820).
+
+  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f:
+
+      o Several compilation issues fixed.
+      o Many memory allocation failure checks added.
+      o Improved comparison of X509 Name type.
+      o Mandatory basic checks on certificates.
+      o Performance improvements.
+
   Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e:
 
       o Fix race condition in CRL checking code.
diff --git a/crypto/openssl/PROBLEMS b/crypto/openssl/PROBLEMS
index d6731b1b134c..ed3c1745352c 100644
--- a/crypto/openssl/PROBLEMS
+++ b/crypto/openssl/PROBLEMS
@@ -48,20 +48,34 @@ will interfere with each other and lead to test failure.
 The solution is simple for now: don't run parallell make when testing.
 
 
-* Bugs in gcc 3.0 triggered
+* Bugs in gcc triggered
 
-According to a problem report, there are bugs in gcc 3.0 that are
-triggered by some of the code in OpenSSL, more specifically in
-PEM_get_EVP_CIPHER_INFO().  The triggering code is the following:
+- According to a problem report, there are bugs in gcc 3.0 that are
+  triggered by some of the code in OpenSSL, more specifically in
+  PEM_get_EVP_CIPHER_INFO().  The triggering code is the following:
 
 	header+=11;
 	if (*header != '4') return(0); header++;
 	if (*header != ',') return(0); header++;
 
-What happens is that gcc might optimize a little too agressively, and
-you end up with an extra incrementation when *header != '4'.
+  What happens is that gcc might optimize a little too agressively, and
+  you end up with an extra incrementation when *header != '4'.
 
-We recommend that you upgrade gcc to as high a 3.x version as you can.
+  We recommend that you upgrade gcc to as high a 3.x version as you can.
+
+- According to multiple problem reports, some of our message digest
+  implementations trigger bug[s] in code optimizer in gcc 3.3 for sparc64
+  and gcc 2.96 for ppc. Former fails to complete RIPEMD160 test, while
+  latter - SHA one.
+
+  The recomendation is to upgrade your compiler. This naturally applies to
+  other similar cases.
+
+- There is a subtle Solaris x86-specific gcc run-time environment bug, which
+  "falls between" OpenSSL [0.9.8 and later], Solaris ld and GCC. The bug
+  manifests itself as Segmentation Fault upon early application start-up.
+  The problem can be worked around by patching the environment according to
+  http://www.openssl.org/~appro/values.c.
 
 * solaris64-sparcv9-cc SHA-1 performance with WorkShop 6 compiler.
 
@@ -90,15 +104,6 @@ failures in other parts of the code.
 
 Workaround: modify the target to +O2 when building with no-asm.
 
-* Poor support for AIX shared builds.
-
-do_aix-shared rule is not flexible enough to parameterize through a
-config-line. './Configure aix43-cc shared' is working, but not
-'./Configure aix64-gcc shared'. In latter case make fails to create shared
-libraries. It's possible to build 64-bit shared libraries by running
-'env OBJECT_MODE=64 make', but we need more elegant solution. Preferably one
-supporting even gcc shared builds. See RT#463 for background information.
-
 * Problems building shared libraries on SCO OpenServer Release 5.0.6
   with gcc 2.95.3
 
@@ -129,3 +134,64 @@ Any information helping to solve this issue would be deeply
 appreciated.
 
 NOTE: building non-shared doesn't come with this problem.
+
+* ULTRIX build fails with shell errors, such as "bad substitution"
+  and "test: argument expected"
+
+The problem is caused by ULTRIX /bin/sh supporting only original
+Bourne shell syntax/semantics, and the trouble is that the vast
+majority is so accustomed to more modern syntax, that very few
+people [if any] would recognize the ancient syntax even as valid.
+This inevitably results in non-trivial scripts breaking on ULTRIX,
+and OpenSSL isn't an exclusion. Fortunately there is workaround,
+hire /bin/ksh to do the job /bin/sh fails to do.
+
+1. Trick make(1) to use /bin/ksh by setting up following environ-
+   ment variables *prior* you execute ./Configure and make:
+
+	PROG_ENV=POSIX
+	MAKESHELL=/bin/ksh
+	export PROG_ENV MAKESHELL
+
+   or if your shell is csh-compatible:
+
+	setenv PROG_ENV POSIX
+	setenv MAKESHELL /bin/ksh
+
+2. Trick /bin/sh to use alternative expression evaluator. Create
+   following 'test' script for example in /tmp:
+
+	#!/bin/ksh
+	${0##*/} "$@"
+
+   Then 'chmod a+x /tmp/test; ln /tmp/test /tmp/[' and *prepend*
+   your $PATH with chosen location, e.g. PATH=/tmp:$PATH. Alter-
+   natively just replace system /bin/test and /bin/[ with the
+   above script.
+
+* hpux64-ia64-cc fails blowfish test.
+
+Compiler bug, presumably at particular patch level. It should be noted
+that same compiler generates correct 32-bit code, a.k.a. hpux-ia64-cc
+target. Drop optimization level to +O2 when compiling 64-bit bf_skey.o.
+
+* no-engines generates errors.
+
+Unfortunately, the 'no-engines' configuration option currently doesn't
+work properly.  Use 'no-hw' and you'll will at least get no hardware
+support.  We'll see how we fix that on OpenSSL versions past 0.9.8.
+
+* 'make test' fails in BN_sqr [commonly with "error 139" denoting SIGSEGV]
+  if elder GNU binutils were deployed to link shared libcrypto.so.
+
+As subject suggests the failure is caused by a bug in elder binutils,
+either as or ld, and was observed on FreeBSD and Linux. There are two
+options. First is naturally to upgrade binutils, the second one - to
+reconfigure with additional no-sse2 [or 386] option passed to ./config.
+
+* If configured with ./config no-dso, toolkit still gets linked with -ldl,
+  which most notably poses a problem when linking with dietlibc.
+
+We don't have framework to associate -ldl with no-dso, therefore the only
+way is to edit Makefile right after ./config no-dso and remove -ldl from
+EX_LIBS line.
diff --git a/crypto/openssl/README b/crypto/openssl/README
index 4d0cd83be662..48612bb0340d 100644
--- a/crypto/openssl/README
+++ b/crypto/openssl/README
@@ -1,7 +1,7 @@
 
- OpenSSL 0.9.7e 25 Oct 2004
+ OpenSSL 0.9.8b 04 May 2006
 
- Copyright (c) 1998-2004 The OpenSSL Project
+ Copyright (c) 1998-2005 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 
@@ -14,13 +14,13 @@
  protocols as well as a full-strength general purpose cryptography library.
  The project is managed by a worldwide community of volunteers that use the
  Internet to communicate, plan, and develop the OpenSSL toolkit and its
- related documentation. 
+ related documentation.
 
  OpenSSL is based on the excellent SSLeay library developed from Eric A. Young
  and Tim J. Hudson.  The OpenSSL toolkit is licensed under a dual-license (the
  OpenSSL license plus the SSLeay license) situation, which basically means
  that you are free to get and use it for commercial and non-commercial
- purposes as long as you fulfill the conditions of both licenses. 
+ purposes as long as you fulfill the conditions of both licenses.
 
  OVERVIEW
  --------
@@ -53,11 +53,11 @@
         MDC2 message digest. A DES based hash that is popular on smart cards.
 
      Public Key
-        RSA encryption/decryption/generation.  
+        RSA encryption/decryption/generation.
             There is no limit on the number of bits.
-        DSA encryption/decryption/generation.   
+        DSA encryption/decryption/generation.
             There is no limit on the number of bits.
-        Diffie-Hellman key-exchange/key generation.  
+        Diffie-Hellman key-exchange/key generation.
             There is no limit on the number of bits.
 
      X.509v3 certificates
@@ -80,16 +80,16 @@
         A simple stack.
         A Configuration loader that uses a format similar to MS .ini files.
 
- openssl: 
+ openssl:
      A command line tool that can be used for:
         Creation of RSA, DH and DSA key parameters
-        Creation of X.509 certificates, CSRs and CRLs 
+        Creation of X.509 certificates, CSRs and CRLs
         Calculation of Message Digests
         Encryption and Decryption with Ciphers
         SSL/TLS Client and Server Tests
         Handling of S/MIME signed or encrypted mail
 
-        
+
  PATENTS
  -------
 
@@ -104,13 +104,15 @@
  licensing conditions. Their web page is http://www.rsasecurity.com/.
 
  RC4 is a trademark of RSA Security, so use of this label should perhaps
- only be used with RSA Security's permission. 
+ only be used with RSA Security's permission.
 
  The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
  Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA.  They
  should be contacted if that algorithm is to be used; their web page is
  http://www.ascom.ch/.
 
+ The MDC2 algorithm is patented by IBM.
+
  INSTALLATION
  ------------
 
@@ -129,7 +131,7 @@
  or application author.  We try to collect those in doc/PROBLEMS, with current
  thoughts on how they should be solved in a future of OpenSSL.
 
- SUPPORT 
+ SUPPORT
  -------
 
  If you have any problems with OpenSSL then please take the following steps
@@ -138,7 +140,7 @@
     - Download the current snapshot from ftp://ftp.openssl.org/snapshot/
       to see if the problem has already been addressed
     - Remove ASM versions of libraries
-    - Remove compiler optimisation flags 
+    - Remove compiler optimisation flags
 
  If you wish to report a bug then please include the following information in
  any bug report:
@@ -191,3 +193,4 @@
  # ./Configure dist; make clean
  # cd ..
  # diff -ur openssl-orig openssl-work > mydiffs.patch
+
diff --git a/crypto/openssl/apps/CA.pl b/crypto/openssl/apps/CA.pl
index a52a0045c1e8..a3965ecea96e 100755
--- a/crypto/openssl/apps/CA.pl
+++ b/crypto/openssl/apps/CA.pl
@@ -36,16 +36,26 @@
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
 
+my $openssl;
+if(defined $ENV{OPENSSL}) {
+	$openssl = $ENV{OPENSSL};
+} else {
+	$openssl = "openssl";
+	$ENV{OPENSSL} = $openssl;
+}
+
 $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
-$DAYS="-days 365";
-$REQ="openssl req $SSLEAY_CONFIG";
-$CA="openssl ca $SSLEAY_CONFIG";
-$VERIFY="openssl verify";
-$X509="openssl x509";
-$PKCS12="openssl pkcs12";
+$DAYS="-days 365";	# 1 year
+$CADAYS="-days 1095";	# 3 years
+$REQ="$openssl req $SSLEAY_CONFIG";
+$CA="$openssl ca $SSLEAY_CONFIG";
+$VERIFY="$openssl verify";
+$X509="$openssl x509";
+$PKCS12="$openssl pkcs12";
 
 $CATOP="./demoCA";
 $CAKEY="cakey.pem";
+$CAREQ="careq.pem";
 $CACERT="cacert.pem";
 
 $DIRMODE = 0777;
@@ -58,19 +68,19 @@ foreach (@ARGV) {
 	    exit 0;
 	} elsif (/^-newcert$/) {
 	    # create a certificate
-	    system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
 	    $RET=$?;
-	    print "Certificate (and private key) is in newreq.pem\n"
+	    print "Certificate is in newcert.pem, private key is in newkey.pem\n"
 	} elsif (/^-newreq$/) {
 	    # create a certificate request
-	    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
 	    $RET=$?;
-	    print "Request (and private key) is in newreq.pem\n";
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
 	} elsif (/^-newreq-nodes$/) {
 	    # create a certificate request
-	    system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
 	    $RET=$?;
-	    print "Request (and private key) is in newreq.pem\n";
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
 	} elsif (/^-newca$/) {
 		# if explicitly asked for or it doesn't exist then setup the
 		# directory structure that Eric likes to manage things 
@@ -84,6 +94,9 @@ foreach (@ARGV) {
 		mkdir "${CATOP}/private", $DIRMODE;
 		open OUT, ">${CATOP}/index.txt";
 		close OUT;
+		open OUT, ">${CATOP}/crlnumber";
+		print OUT "01\n";
+		close OUT;
 	    }
 	    if ( ! -f "${CATOP}/private/$CAKEY" ) {
 		print "CA certificate filename (or enter to create)\n";
@@ -98,22 +111,24 @@ foreach (@ARGV) {
 		    $RET=$?;
 		} else {
 		    print "Making CA certificate ...\n";
-		    system ("$REQ -new -x509 -keyout " .
-			"${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
+		    system ("$REQ -new -keyout " .
+			"${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
+		    system ("$CA -create_serial " .
+			"-out ${CATOP}/$CACERT $CADAYS -batch " . 
+			"-keyfile ${CATOP}/private/$CAKEY -selfsign " .
+			"-extensions v3_ca " .
+			"-infiles ${CATOP}/$CAREQ ");
 		    $RET=$?;
 		}
 	    }
-	    if (! -f "${CATOP}/serial" ) {
-		system ("$X509 -in ${CATOP}/$CACERT -noout "
-			. "-next_serial -out ${CATOP}/serial");
-	    }
 	} elsif (/^-pkcs12$/) {
 	    my $cname = $ARGV[1];
 	    $cname = "My Certificate" unless defined $cname;
-	    system ("$PKCS12 -in newcert.pem -inkey newreq.pem " .
+	    system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
 			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
 			"-export -name \"$cname\"");
 	    $RET=$?;
+	    print "PKCS #12 file is in newcert.p12\n";
 	    exit $RET;
 	} elsif (/^-xsign$/) {
 	    system ("$CA -policy policy_anything -infiles newreq.pem");
diff --git a/crypto/openssl/apps/CA.pl.in b/crypto/openssl/apps/CA.pl.in
index ae7d9c045f31..c783a6e6a541 100644
--- a/crypto/openssl/apps/CA.pl.in
+++ b/crypto/openssl/apps/CA.pl.in
@@ -36,16 +36,26 @@
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
 
+my $openssl;
+if(defined $ENV{OPENSSL}) {
+	$openssl = $ENV{OPENSSL};
+} else {
+	$openssl = "openssl";
+	$ENV{OPENSSL} = $openssl;
+}
+
 $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
-$DAYS="-days 365";
-$REQ="openssl req $SSLEAY_CONFIG";
-$CA="openssl ca $SSLEAY_CONFIG";
-$VERIFY="openssl verify";
-$X509="openssl x509";
-$PKCS12="openssl pkcs12";
+$DAYS="-days 365";	# 1 year
+$CADAYS="-days 1095";	# 3 years
+$REQ="$openssl req $SSLEAY_CONFIG";
+$CA="$openssl ca $SSLEAY_CONFIG";
+$VERIFY="$openssl verify";
+$X509="$openssl x509";
+$PKCS12="$openssl pkcs12";
 
 $CATOP="./demoCA";
 $CAKEY="cakey.pem";
+$CAREQ="careq.pem";
 $CACERT="cacert.pem";
 
 $DIRMODE = 0777;
@@ -58,19 +68,19 @@ foreach (@ARGV) {
 	    exit 0;
 	} elsif (/^-newcert$/) {
 	    # create a certificate
-	    system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
 	    $RET=$?;
-	    print "Certificate (and private key) is in newreq.pem\n"
+	    print "Certificate is in newcert.pem, private key is in newkey.pem\n"
 	} elsif (/^-newreq$/) {
 	    # create a certificate request
-	    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
 	    $RET=$?;
-	    print "Request (and private key) is in newreq.pem\n";
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
 	} elsif (/^-newreq-nodes$/) {
 	    # create a certificate request
-	    system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
 	    $RET=$?;
-	    print "Request (and private key) is in newreq.pem\n";
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
 	} elsif (/^-newca$/) {
 		# if explicitly asked for or it doesn't exist then setup the
 		# directory structure that Eric likes to manage things 
@@ -84,6 +94,9 @@ foreach (@ARGV) {
 		mkdir "${CATOP}/private", $DIRMODE;
 		open OUT, ">${CATOP}/index.txt";
 		close OUT;
+		open OUT, ">${CATOP}/crlnumber";
+		print OUT "01\n";
+		close OUT;
 	    }
 	    if ( ! -f "${CATOP}/private/$CAKEY" ) {
 		print "CA certificate filename (or enter to create)\n";
@@ -98,22 +111,24 @@ foreach (@ARGV) {
 		    $RET=$?;
 		} else {
 		    print "Making CA certificate ...\n";
-		    system ("$REQ -new -x509 -keyout " .
-			"${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
+		    system ("$REQ -new -keyout " .
+			"${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
+		    system ("$CA -create_serial " .
+			"-out ${CATOP}/$CACERT $CADAYS -batch " . 
+			"-keyfile ${CATOP}/private/$CAKEY -selfsign " .
+			"-extensions v3_ca " .
+			"-infiles ${CATOP}/$CAREQ ");
 		    $RET=$?;
 		}
 	    }
-	    if (! -f "${CATOP}/serial" ) {
-		system ("$X509 -in ${CATOP}/$CACERT -noout "
-			. "-next_serial -out ${CATOP}/serial");
-	    }
 	} elsif (/^-pkcs12$/) {
 	    my $cname = $ARGV[1];
 	    $cname = "My Certificate" unless defined $cname;
-	    system ("$PKCS12 -in newcert.pem -inkey newreq.pem " .
+	    system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
 			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
 			"-export -name \"$cname\"");
 	    $RET=$?;
+	    print "PKCS #12 file is in newcert.p12\n";
 	    exit $RET;
 	} elsif (/^-xsign$/) {
 	    system ("$CA -policy policy_anything -infiles newreq.pem");
diff --git a/crypto/openssl/apps/CA.sh b/crypto/openssl/apps/CA.sh
index d9f3069fb2a6..a0b20d85a975 100644
--- a/crypto/openssl/apps/CA.sh
+++ b/crypto/openssl/apps/CA.sh
@@ -30,14 +30,18 @@
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
 
-DAYS="-days 365"
-REQ="openssl req $SSLEAY_CONFIG"
-CA="openssl ca $SSLEAY_CONFIG"
-VERIFY="openssl verify"
-X509="openssl x509"
+if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
+
+DAYS="-days 365"	# 1 year
+CADAYS="-days 1095"	# 3 years
+REQ="$OPENSSL req $SSLEAY_CONFIG"
+CA="$OPENSSL ca $SSLEAY_CONFIG"
+VERIFY="$OPENSSL verify"
+X509="$OPENSSL x509"
 
 CATOP=./demoCA
 CAKEY=./cakey.pem
+CAREQ=./careq.pem
 CACERT=./cacert.pem
 
 for i
@@ -49,15 +53,15 @@ case $i in
     ;;
 -newcert) 
     # create a certificate
-    $REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS
+    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
     RET=$?
-    echo "Certificate (and private key) is in newreq.pem"
+    echo "Certificate is in newcert.pem, private key is in newkey.pem"
     ;;
 -newreq) 
     # create a certificate request
-    $REQ -new -keyout newreq.pem -out newreq.pem $DAYS
+    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
     RET=$?
-    echo "Request (and private key) is in newreq.pem"
+    echo "Request is in newreq.pem, private key is in newkey.pem"
     ;;
 -newca)     
     # if explicitly asked for or it doesn't exist then setup the directory
@@ -70,7 +74,7 @@ case $i in
 	mkdir ${CATOP}/crl 
 	mkdir ${CATOP}/newcerts
 	mkdir ${CATOP}/private
-	echo "01" > ${CATOP}/serial
+	echo "00" > ${CATOP}/serial
 	touch ${CATOP}/index.txt
     fi
     if [ ! -f ${CATOP}/private/$CAKEY ]; then
@@ -83,8 +87,11 @@ case $i in
 	    RET=$?
 	else
 	    echo "Making CA certificate ..."
-	    $REQ -new -x509 -keyout ${CATOP}/private/$CAKEY \
-			   -out ${CATOP}/$CACERT $DAYS
+	    $REQ -new -keyout ${CATOP}/private/$CAKEY \
+			   -out ${CATOP}/$CAREQ
+	    $CA -out ${CATOP}/$CACERT $CADAYS -batch \
+			   -keyfile ${CATOP}/private/$CAKEY -selfsign \
+			   -infiles ${CATOP}/$CAREQ 
 	    RET=$?
 	fi
     fi
diff --git a/crypto/openssl/apps/Makefile b/crypto/openssl/apps/Makefile
index b44c8fa3845f..79ea8a733714 100644
--- a/crypto/openssl/apps/Makefile
+++ b/crypto/openssl/apps/Makefile
@@ -7,11 +7,6 @@ TOP=		..
 CC=		cc
 INCLUDES=	-I$(TOP) -I../include $(KRB5_INCLUDES)
 CFLAG=		-g -static
-INSTALL_PREFIX=
-INSTALLTOP=	/usr/local/ssl
-OPENSSLDIR=	/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 PERL=		perl
 RM=		rm -f
@@ -36,12 +31,12 @@ LIBSSL=-L.. -lssl
 
 PROGRAM= openssl
 
-SCRIPTS=CA.sh CA.pl der_chop
+SCRIPTS=CA.sh CA.pl
 
 EXE= $(PROGRAM)$(EXE_EXT)
 
 E_EXE=	verify asn1pars req dgst dh dhparam enc passwd gendh errstr \
-	ca crl rsa rsautl dsa dsaparam \
+	ca crl rsa rsautl dsa dsaparam ec ecparam \
 	x509 genrsa gendsa s_server s_client speed \
 	s_time version pkcs7 crl2pkcs7 sess_id ciphers nseq pkcs12 \
 	pkcs8 spkac smime rand engine ocsp prime
@@ -57,17 +52,19 @@ RAND_SRC=app_rand.c
 
 E_OBJ=	verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o \
 	ca.o pkcs7.o crl2p7.o crl.o \
-	rsa.o rsautl.o dsa.o dsaparam.o \
+	rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o \
 	x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \
 	s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \
-	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o prime.o
+	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o \
+	ocsp.o prime.o
 
 E_SRC=	verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \
 	pkcs7.c crl2p7.c crl.c \
-	rsa.c rsautl.c dsa.c dsaparam.c \
+	rsa.c rsautl.c dsa.c dsaparam.c ec.c ecparam.c \
 	x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \
 	s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \
-	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c ocsp.c prime.c
+	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c \
+	ocsp.c prime.c
 
 SRC=$(E_SRC)
 
@@ -86,8 +83,13 @@ all:	exe
 exe:	$(EXE)
 
 req: sreq.o $(A_OBJ) $(DLIBCRYPTO)
-	LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	$(CC) -o req $(CFLAG) sreq.o $(A_OBJ) $(RAND_OBJ) $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
+		shlib_target="$(SHLIB_TARGET)"; \
+	fi; \
+	$(MAKE) -f $(TOP)/Makefile.shared -e \
+		APPNAME=req OBJECTS="sreq.o $(A_OBJ) $(RAND_OBJ)" \
+		LIBDEPS="$(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)" \
+		link_app.$${shlib_target}
 
 sreq.o: req.c 
 	$(CC) -c $(INCLUDES) $(CFLAG) -o sreq.o req.c
@@ -96,14 +98,15 @@ files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
 
 install:
-	@for i in $(EXE); \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@set -e; for i in $(EXE); \
 	do  \
 	(echo installing $$i; \
 	 cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
 	 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
 	 mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
 	 done;
-	@for i in $(SCRIPTS); \
+	@set -e; for i in $(SCRIPTS); \
 	do  \
 	(echo installing $$i; \
 	 cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
@@ -125,7 +128,11 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC)
+	@if [ -z "$(THIS)" ]; then \
+	    $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \
+	else \
+	    $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC); \
+	fi
 
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -143,23 +150,21 @@ $(DLIBCRYPTO):
 
 $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
 	$(RM) $(EXE)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
+	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
+		shlib_target="$(SHLIB_TARGET)"; \
+	fi; \
+	if [ "$${shlib_target}" = "darwin-shared" ] ; then \
+	  LIBRARIES="$(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO)" ; \
 	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-		TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(EXE); \
-	fi
-	-(cd ..; OPENSSL="`pwd`/apps/$(EXE)"; export OPENSSL; \
-		LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
-		DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
-		SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
-		LIBPATH="`pwd`:$$LIBPATH"; \
-		if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
-		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
-		$(PERL) tools/c_rehash certs)
+	  LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
+	fi; \
+	$(MAKE) -f $(TOP)/Makefile.shared -e \
+		APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \
+		LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
+		link_app.$${shlib_target}
+	-(cd ..; \
+	  OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \
+	  $(PERL) tools/c_rehash certs)
 
 progs.h: progs.pl
 	$(PERL) progs.pl $(E_EXE) >progs.h
@@ -167,1005 +172,729 @@ progs.h: progs.pl
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-app_rand.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-app_rand.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-app_rand.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-app_rand.o: ../include/openssl/cast.h ../include/openssl/conf.h
-app_rand.o: ../include/openssl/crypto.h ../include/openssl/des.h
-app_rand.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-app_rand.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-app_rand.o: ../include/openssl/engine.h ../include/openssl/err.h
-app_rand.o: ../include/openssl/evp.h ../include/openssl/idea.h
-app_rand.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-app_rand.o: ../include/openssl/md4.h ../include/openssl/md5.h
-app_rand.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-app_rand.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-app_rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-app_rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-app_rand.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-app_rand.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-app_rand.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+app_rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+app_rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+app_rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+app_rand.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+app_rand.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+app_rand.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+app_rand.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+app_rand.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+app_rand.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+app_rand.o: ../include/openssl/rand.h ../include/openssl/safestack.h
 app_rand.o: ../include/openssl/sha.h ../include/openssl/stack.h
 app_rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-app_rand.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 app_rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h app_rand.c
 app_rand.o: apps.h
-apps.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-apps.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+apps.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 apps.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-apps.o: ../include/openssl/cast.h ../include/openssl/conf.h
-apps.o: ../include/openssl/crypto.h ../include/openssl/des.h
-apps.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-apps.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+apps.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+apps.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+apps.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 apps.o: ../include/openssl/engine.h ../include/openssl/err.h
-apps.o: ../include/openssl/evp.h ../include/openssl/idea.h
-apps.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-apps.o: ../include/openssl/md4.h ../include/openssl/md5.h
-apps.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-apps.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-apps.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-apps.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-apps.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h
-apps.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-apps.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-apps.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+apps.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+apps.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+apps.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+apps.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+apps.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
+apps.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h
 apps.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 apps.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 apps.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-apps.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-apps.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.c apps.h
-asn1pars.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-asn1pars.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-asn1pars.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-asn1pars.o: ../include/openssl/cast.h ../include/openssl/conf.h
-asn1pars.o: ../include/openssl/crypto.h ../include/openssl/des.h
-asn1pars.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-asn1pars.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-asn1pars.o: ../include/openssl/engine.h ../include/openssl/err.h
-asn1pars.o: ../include/openssl/evp.h ../include/openssl/idea.h
-asn1pars.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-asn1pars.o: ../include/openssl/md4.h ../include/openssl/md5.h
-asn1pars.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+apps.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+apps.o: ../include/openssl/x509v3.h apps.c apps.h
+asn1pars.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+asn1pars.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+asn1pars.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+asn1pars.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+asn1pars.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+asn1pars.o: ../include/openssl/err.h ../include/openssl/evp.h
+asn1pars.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 asn1pars.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 asn1pars.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 asn1pars.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-asn1pars.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-asn1pars.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-asn1pars.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-asn1pars.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+asn1pars.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 asn1pars.o: ../include/openssl/sha.h ../include/openssl/stack.h
 asn1pars.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-asn1pars.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 asn1pars.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
 asn1pars.o: asn1pars.c
-ca.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ca.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ca.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ca.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ca.o: ../include/openssl/cast.h ../include/openssl/conf.h
-ca.o: ../include/openssl/crypto.h ../include/openssl/des.h
-ca.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-ca.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ca.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+ca.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ca.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ca.o: ../include/openssl/engine.h ../include/openssl/err.h
-ca.o: ../include/openssl/evp.h ../include/openssl/idea.h
-ca.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ca.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ca.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-ca.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-ca.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ca.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ca.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ca.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-ca.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-ca.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-ca.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ca.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ca.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-ca.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-ca.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ca.c
-ciphers.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ciphers.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ca.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+ca.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ca.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+ca.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ca.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ca.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+ca.o: ../include/openssl/sha.h ../include/openssl/stack.h
+ca.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+ca.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ca.o: ../include/openssl/x509v3.h apps.h ca.c
+ciphers.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ciphers.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ciphers.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ciphers.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-ciphers.o: ../include/openssl/des.h ../include/openssl/des_old.h
-ciphers.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-ciphers.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-ciphers.o: ../include/openssl/err.h ../include/openssl/evp.h
-ciphers.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-ciphers.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ciphers.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ciphers.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ciphers.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ciphers.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+ciphers.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ciphers.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ciphers.o: ../include/openssl/engine.h ../include/openssl/err.h
+ciphers.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+ciphers.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 ciphers.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 ciphers.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 ciphers.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-ciphers.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-ciphers.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-ciphers.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+ciphers.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
 ciphers.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 ciphers.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 ciphers.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 ciphers.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ciphers.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-ciphers.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ciphers.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 ciphers.o: ../include/openssl/x509_vfy.h apps.h ciphers.c
-crl.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-crl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-crl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-crl.o: ../include/openssl/cast.h ../include/openssl/conf.h
-crl.o: ../include/openssl/crypto.h ../include/openssl/des.h
-crl.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-crl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-crl.o: ../include/openssl/engine.h ../include/openssl/err.h
-crl.o: ../include/openssl/evp.h ../include/openssl/idea.h
-crl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-crl.o: ../include/openssl/md4.h ../include/openssl/md5.h
-crl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+crl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+crl.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+crl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+crl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+crl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+crl.o: ../include/openssl/err.h ../include/openssl/evp.h
+crl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 crl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 crl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 crl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-crl.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-crl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-crl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-crl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+crl.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 crl.o: ../include/openssl/sha.h ../include/openssl/stack.h
 crl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-crl.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 crl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
 crl.o: ../include/openssl/x509v3.h apps.h crl.c
-crl2p7.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-crl2p7.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-crl2p7.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-crl2p7.o: ../include/openssl/cast.h ../include/openssl/conf.h
-crl2p7.o: ../include/openssl/crypto.h ../include/openssl/des.h
-crl2p7.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-crl2p7.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-crl2p7.o: ../include/openssl/engine.h ../include/openssl/err.h
-crl2p7.o: ../include/openssl/evp.h ../include/openssl/idea.h
-crl2p7.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-crl2p7.o: ../include/openssl/md4.h ../include/openssl/md5.h
-crl2p7.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+crl2p7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+crl2p7.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+crl2p7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+crl2p7.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+crl2p7.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+crl2p7.o: ../include/openssl/err.h ../include/openssl/evp.h
+crl2p7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 crl2p7.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 crl2p7.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 crl2p7.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-crl2p7.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-crl2p7.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-crl2p7.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-crl2p7.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+crl2p7.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 crl2p7.o: ../include/openssl/sha.h ../include/openssl/stack.h
 crl2p7.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-crl2p7.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 crl2p7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
 crl2p7.o: crl2p7.c
-dgst.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-dgst.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-dgst.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-dgst.o: ../include/openssl/cast.h ../include/openssl/conf.h
-dgst.o: ../include/openssl/crypto.h ../include/openssl/des.h
-dgst.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-dgst.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-dgst.o: ../include/openssl/engine.h ../include/openssl/err.h
-dgst.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-dgst.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-dgst.o: ../include/openssl/md2.h ../include/openssl/md4.h
-dgst.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-dgst.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-dgst.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-dgst.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-dgst.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-dgst.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-dgst.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-dgst.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-dgst.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-dgst.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-dgst.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-dgst.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-dgst.o: ../include/openssl/x509_vfy.h apps.h dgst.c
-dh.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-dh.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+dgst.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+dgst.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+dgst.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+dgst.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+dgst.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+dgst.o: ../include/openssl/err.h ../include/openssl/evp.h
+dgst.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+dgst.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+dgst.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+dgst.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+dgst.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+dgst.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dgst.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+dgst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dgst.c
+dh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 dh.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-dh.o: ../include/openssl/cast.h ../include/openssl/conf.h
-dh.o: ../include/openssl/crypto.h ../include/openssl/des.h
-dh.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-dh.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-dh.o: ../include/openssl/engine.h ../include/openssl/err.h
-dh.o: ../include/openssl/evp.h ../include/openssl/idea.h
-dh.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-dh.o: ../include/openssl/md4.h ../include/openssl/md5.h
-dh.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+dh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+dh.o: ../include/openssl/dh.h ../include/openssl/e_os2.h
+dh.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+dh.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+dh.o: ../include/openssl/err.h ../include/openssl/evp.h
+dh.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 dh.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 dh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 dh.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-dh.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-dh.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-dh.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-dh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+dh.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 dh.o: ../include/openssl/sha.h ../include/openssl/stack.h
 dh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-dh.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 dh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dh.c
-dsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-dsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+dsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 dsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-dsa.o: ../include/openssl/cast.h ../include/openssl/conf.h
-dsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
-dsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+dsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 dsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-dsa.o: ../include/openssl/engine.h ../include/openssl/err.h
-dsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
-dsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-dsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
-dsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+dsa.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+dsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+dsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+dsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 dsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 dsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 dsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-dsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-dsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-dsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-dsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+dsa.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 dsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
 dsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-dsa.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 dsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dsa.c
-dsaparam.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-dsaparam.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+dsaparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 dsaparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-dsaparam.o: ../include/openssl/cast.h ../include/openssl/conf.h
-dsaparam.o: ../include/openssl/crypto.h ../include/openssl/des.h
-dsaparam.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-dsaparam.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+dsaparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+dsaparam.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+dsaparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+dsaparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 dsaparam.o: ../include/openssl/engine.h ../include/openssl/err.h
-dsaparam.o: ../include/openssl/evp.h ../include/openssl/idea.h
-dsaparam.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-dsaparam.o: ../include/openssl/md4.h ../include/openssl/md5.h
-dsaparam.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-dsaparam.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-dsaparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-dsaparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-dsaparam.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-dsaparam.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-dsaparam.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-dsaparam.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-dsaparam.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dsaparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+dsaparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+dsaparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dsaparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+dsaparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dsaparam.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+dsaparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+dsaparam.o: ../include/openssl/stack.h ../include/openssl/store.h
 dsaparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-dsaparam.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-dsaparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-dsaparam.o: dsaparam.c
-enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-enc.o: ../include/openssl/cast.h ../include/openssl/conf.h
-enc.o: ../include/openssl/crypto.h ../include/openssl/des.h
-enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-enc.o: ../include/openssl/engine.h ../include/openssl/err.h
-enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
-enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-enc.o: ../include/openssl/md4.h ../include/openssl/md5.h
-enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+dsaparam.o: ../include/openssl/ui.h ../include/openssl/x509.h
+dsaparam.o: ../include/openssl/x509_vfy.h apps.h dsaparam.c
+ec.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+ec.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+ec.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+ec.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+ec.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+ec.o: ../include/openssl/err.h ../include/openssl/evp.h
+ec.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ec.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ec.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ec.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ec.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+ec.o: ../include/openssl/sha.h ../include/openssl/stack.h
+ec.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+ec.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h ec.c
+ecparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+ecparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ecparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+ecparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ecparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ecparam.o: ../include/openssl/engine.h ../include/openssl/err.h
+ecparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+ecparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ecparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ecparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ecparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ecparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ecparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ecparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+ecparam.o: ../include/openssl/x509_vfy.h apps.h ecparam.c
+enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+enc.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+enc.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+enc.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+enc.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+enc.o: ../include/openssl/err.h ../include/openssl/evp.h
+enc.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 enc.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-enc.o: ../include/openssl/sha.h ../include/openssl/stack.h
-enc.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-enc.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h enc.c
-engine.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-engine.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+enc.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+enc.o: ../include/openssl/x509_vfy.h apps.h enc.c
+engine.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 engine.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-engine.o: ../include/openssl/cast.h ../include/openssl/comp.h
-engine.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-engine.o: ../include/openssl/des.h ../include/openssl/des_old.h
-engine.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-engine.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-engine.o: ../include/openssl/err.h ../include/openssl/evp.h
-engine.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-engine.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-engine.o: ../include/openssl/md4.h ../include/openssl/md5.h
-engine.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+engine.o: ../include/openssl/comp.h ../include/openssl/conf.h
+engine.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+engine.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+engine.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+engine.o: ../include/openssl/engine.h ../include/openssl/err.h
+engine.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+engine.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 engine.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 engine.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 engine.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-engine.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-engine.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-engine.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-engine.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+engine.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+engine.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
 engine.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 engine.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 engine.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-engine.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-engine.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+engine.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 engine.o: ../include/openssl/x509_vfy.h apps.h engine.c
-errstr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-errstr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+errstr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 errstr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-errstr.o: ../include/openssl/cast.h ../include/openssl/comp.h
-errstr.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-errstr.o: ../include/openssl/des.h ../include/openssl/des_old.h
-errstr.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-errstr.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-errstr.o: ../include/openssl/err.h ../include/openssl/evp.h
-errstr.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-errstr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-errstr.o: ../include/openssl/md4.h ../include/openssl/md5.h
-errstr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+errstr.o: ../include/openssl/comp.h ../include/openssl/conf.h
+errstr.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+errstr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+errstr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+errstr.o: ../include/openssl/engine.h ../include/openssl/err.h
+errstr.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+errstr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 errstr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 errstr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 errstr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-errstr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-errstr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-errstr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-errstr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+errstr.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+errstr.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
 errstr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 errstr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 errstr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 errstr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-errstr.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-errstr.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+errstr.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 errstr.o: ../include/openssl/x509_vfy.h apps.h errstr.c
-gendh.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-gendh.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+gendh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 gendh.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-gendh.o: ../include/openssl/cast.h ../include/openssl/conf.h
-gendh.o: ../include/openssl/crypto.h ../include/openssl/des.h
-gendh.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-gendh.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+gendh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+gendh.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+gendh.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+gendh.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 gendh.o: ../include/openssl/engine.h ../include/openssl/err.h
-gendh.o: ../include/openssl/evp.h ../include/openssl/idea.h
-gendh.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-gendh.o: ../include/openssl/md4.h ../include/openssl/md5.h
-gendh.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-gendh.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-gendh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-gendh.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-gendh.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-gendh.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-gendh.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-gendh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-gendh.o: ../include/openssl/sha.h ../include/openssl/stack.h
+gendh.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+gendh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+gendh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+gendh.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+gendh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+gendh.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+gendh.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+gendh.o: ../include/openssl/stack.h ../include/openssl/store.h
 gendh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-gendh.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-gendh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h gendh.c
-gendsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-gendsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+gendh.o: ../include/openssl/ui.h ../include/openssl/x509.h
+gendh.o: ../include/openssl/x509_vfy.h apps.h gendh.c
+gendsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 gendsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-gendsa.o: ../include/openssl/cast.h ../include/openssl/conf.h
-gendsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
-gendsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+gendsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 gendsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-gendsa.o: ../include/openssl/engine.h ../include/openssl/err.h
-gendsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
-gendsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-gendsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
-gendsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+gendsa.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+gendsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+gendsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+gendsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 gendsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 gendsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 gendsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-gendsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-gendsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-gendsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-gendsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+gendsa.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 gendsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
 gendsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-gendsa.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 gendsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
 gendsa.o: gendsa.c
-genrsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-genrsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+genrsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 genrsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-genrsa.o: ../include/openssl/cast.h ../include/openssl/conf.h
-genrsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
-genrsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-genrsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+genrsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+genrsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+genrsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+genrsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 genrsa.o: ../include/openssl/engine.h ../include/openssl/err.h
-genrsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
-genrsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-genrsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
-genrsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-genrsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-genrsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-genrsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-genrsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-genrsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-genrsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-genrsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
+genrsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+genrsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+genrsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+genrsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+genrsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+genrsa.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+genrsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+genrsa.o: ../include/openssl/stack.h ../include/openssl/store.h
 genrsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-genrsa.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-genrsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-genrsa.o: genrsa.c
-nseq.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-nseq.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-nseq.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-nseq.o: ../include/openssl/cast.h ../include/openssl/conf.h
-nseq.o: ../include/openssl/crypto.h ../include/openssl/des.h
-nseq.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-nseq.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-nseq.o: ../include/openssl/engine.h ../include/openssl/err.h
-nseq.o: ../include/openssl/evp.h ../include/openssl/idea.h
-nseq.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-nseq.o: ../include/openssl/md4.h ../include/openssl/md5.h
-nseq.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+genrsa.o: ../include/openssl/ui.h ../include/openssl/x509.h
+genrsa.o: ../include/openssl/x509_vfy.h apps.h genrsa.c
+nseq.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+nseq.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+nseq.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+nseq.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+nseq.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+nseq.o: ../include/openssl/err.h ../include/openssl/evp.h
+nseq.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 nseq.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 nseq.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 nseq.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-nseq.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-nseq.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-nseq.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-nseq.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+nseq.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 nseq.o: ../include/openssl/sha.h ../include/openssl/stack.h
 nseq.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-nseq.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 nseq.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h nseq.c
-ocsp.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ocsp.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ocsp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ocsp.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ocsp.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ocsp.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-ocsp.o: ../include/openssl/des.h ../include/openssl/des_old.h
-ocsp.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-ocsp.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-ocsp.o: ../include/openssl/err.h ../include/openssl/evp.h
-ocsp.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-ocsp.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ocsp.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ocsp.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ocsp.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ocsp.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+ocsp.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ocsp.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ocsp.o: ../include/openssl/engine.h ../include/openssl/err.h
+ocsp.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+ocsp.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 ocsp.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
 ocsp.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 ocsp.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 ocsp.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ocsp.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-ocsp.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-ocsp.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ocsp.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
 ocsp.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 ocsp.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
 ocsp.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
 ocsp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 ocsp.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-ocsp.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 ocsp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
 ocsp.o: ../include/openssl/x509v3.h apps.h ocsp.c
-openssl.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-openssl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+openssl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 openssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-openssl.o: ../include/openssl/cast.h ../include/openssl/comp.h
-openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-openssl.o: ../include/openssl/des.h ../include/openssl/des_old.h
-openssl.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-openssl.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-openssl.o: ../include/openssl/err.h ../include/openssl/evp.h
-openssl.o: ../include/openssl/fips.h ../include/openssl/idea.h
-openssl.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-openssl.o: ../include/openssl/md2.h ../include/openssl/md4.h
-openssl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-openssl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-openssl.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-openssl.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-openssl.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-openssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-openssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-openssl.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-openssl.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-openssl.o: openssl.c progs.h s_apps.h
-passwd.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-passwd.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-passwd.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-passwd.o: ../include/openssl/cast.h ../include/openssl/conf.h
+openssl.o: ../include/openssl/comp.h ../include/openssl/conf.h
+openssl.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+openssl.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+openssl.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+openssl.o: ../include/openssl/engine.h ../include/openssl/err.h
+openssl.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+openssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+openssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+openssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+openssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+openssl.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+openssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+openssl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+openssl.o: ../include/openssl/x509_vfy.h apps.h openssl.c progs.h s_apps.h
+passwd.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+passwd.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h
-passwd.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-passwd.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-passwd.o: ../include/openssl/engine.h ../include/openssl/err.h
-passwd.o: ../include/openssl/evp.h ../include/openssl/idea.h
-passwd.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-passwd.o: ../include/openssl/md4.h ../include/openssl/md5.h
-passwd.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-passwd.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-passwd.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-passwd.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-passwd.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-passwd.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-passwd.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+passwd.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h
+passwd.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+passwd.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+passwd.o: ../include/openssl/err.h ../include/openssl/evp.h
+passwd.o: ../include/openssl/lhash.h ../include/openssl/md5.h
+passwd.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+passwd.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+passwd.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+passwd.o: ../include/openssl/rand.h ../include/openssl/safestack.h
 passwd.o: ../include/openssl/sha.h ../include/openssl/stack.h
 passwd.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
 passwd.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 passwd.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
 passwd.o: passwd.c
-pkcs12.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-pkcs12.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-pkcs12.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-pkcs12.o: ../include/openssl/cast.h ../include/openssl/conf.h
-pkcs12.o: ../include/openssl/crypto.h ../include/openssl/des.h
-pkcs12.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-pkcs12.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-pkcs12.o: ../include/openssl/engine.h ../include/openssl/err.h
-pkcs12.o: ../include/openssl/evp.h ../include/openssl/idea.h
-pkcs12.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-pkcs12.o: ../include/openssl/md4.h ../include/openssl/md5.h
-pkcs12.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+pkcs12.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+pkcs12.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+pkcs12.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+pkcs12.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+pkcs12.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+pkcs12.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs12.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 pkcs12.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 pkcs12.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 pkcs12.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 pkcs12.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h
-pkcs12.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-pkcs12.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-pkcs12.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 pkcs12.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 pkcs12.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-pkcs12.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-pkcs12.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+pkcs12.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 pkcs12.o: ../include/openssl/x509_vfy.h apps.h pkcs12.c
-pkcs7.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-pkcs7.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-pkcs7.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-pkcs7.o: ../include/openssl/cast.h ../include/openssl/conf.h
-pkcs7.o: ../include/openssl/crypto.h ../include/openssl/des.h
-pkcs7.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-pkcs7.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-pkcs7.o: ../include/openssl/engine.h ../include/openssl/err.h
-pkcs7.o: ../include/openssl/evp.h ../include/openssl/idea.h
-pkcs7.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-pkcs7.o: ../include/openssl/md4.h ../include/openssl/md5.h
-pkcs7.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+pkcs7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+pkcs7.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+pkcs7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+pkcs7.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+pkcs7.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+pkcs7.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 pkcs7.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 pkcs7.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 pkcs7.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-pkcs7.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-pkcs7.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-pkcs7.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-pkcs7.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+pkcs7.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 pkcs7.o: ../include/openssl/sha.h ../include/openssl/stack.h
 pkcs7.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-pkcs7.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 pkcs7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h pkcs7.c
-pkcs8.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-pkcs8.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-pkcs8.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-pkcs8.o: ../include/openssl/cast.h ../include/openssl/conf.h
-pkcs8.o: ../include/openssl/crypto.h ../include/openssl/des.h
-pkcs8.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-pkcs8.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-pkcs8.o: ../include/openssl/engine.h ../include/openssl/err.h
-pkcs8.o: ../include/openssl/evp.h ../include/openssl/idea.h
-pkcs8.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-pkcs8.o: ../include/openssl/md4.h ../include/openssl/md5.h
-pkcs8.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+pkcs8.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+pkcs8.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+pkcs8.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+pkcs8.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+pkcs8.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+pkcs8.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs8.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 pkcs8.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 pkcs8.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 pkcs8.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 pkcs8.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h
-pkcs8.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-pkcs8.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-pkcs8.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 pkcs8.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 pkcs8.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-pkcs8.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-pkcs8.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+pkcs8.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 pkcs8.o: ../include/openssl/x509_vfy.h apps.h pkcs8.c
-prime.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-prime.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+prime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 prime.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-prime.o: ../include/openssl/cast.h ../include/openssl/conf.h
-prime.o: ../include/openssl/crypto.h ../include/openssl/des.h
-prime.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-prime.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-prime.o: ../include/openssl/engine.h ../include/openssl/err.h
-prime.o: ../include/openssl/evp.h ../include/openssl/idea.h
-prime.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-prime.o: ../include/openssl/md4.h ../include/openssl/md5.h
-prime.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+prime.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+prime.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+prime.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+prime.o: ../include/openssl/engine.h ../include/openssl/evp.h
+prime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 prime.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 prime.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-prime.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-prime.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-prime.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-prime.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+prime.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 prime.o: ../include/openssl/sha.h ../include/openssl/stack.h
 prime.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-prime.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 prime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h prime.c
-rand.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-rand.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-rand.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-rand.o: ../include/openssl/cast.h ../include/openssl/conf.h
-rand.o: ../include/openssl/crypto.h ../include/openssl/des.h
-rand.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-rand.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-rand.o: ../include/openssl/engine.h ../include/openssl/err.h
-rand.o: ../include/openssl/evp.h ../include/openssl/idea.h
-rand.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-rand.o: ../include/openssl/md4.h ../include/openssl/md5.h
-rand.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+rand.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+rand.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+rand.o: ../include/openssl/err.h ../include/openssl/evp.h
+rand.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 rand.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-rand.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-rand.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-rand.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-rand.o: ../include/openssl/sha.h ../include/openssl/stack.h
-rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-rand.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h rand.c
-req.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
-req.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-req.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-req.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+rand.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+rand.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+rand.o: ../include/openssl/x509_vfy.h apps.h rand.c
+req.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+req.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 req.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-req.o: ../include/openssl/des.h ../include/openssl/des_old.h
 req.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-req.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-req.o: ../include/openssl/err.h ../include/openssl/evp.h
-req.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-req.o: ../include/openssl/md2.h ../include/openssl/md4.h
-req.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+req.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+req.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+req.o: ../include/openssl/engine.h ../include/openssl/err.h
+req.o: ../include/openssl/evp.h ../include/openssl/lhash.h
 req.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 req.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 req.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-req.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-req.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-req.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+req.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 req.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-req.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-req.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-req.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+req.o: ../include/openssl/stack.h ../include/openssl/store.h
+req.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+req.o: ../include/openssl/ui.h ../include/openssl/x509.h
 req.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h req.c
-rsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-rsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-rsa.o: ../include/openssl/cast.h ../include/openssl/conf.h
-rsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
-rsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+rsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+rsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+rsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 rsa.o: ../include/openssl/engine.h ../include/openssl/err.h
-rsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
-rsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-rsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
-rsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-rsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-rsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-rsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+rsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+rsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+rsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+rsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 rsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
 rsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-rsa.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h rsa.c
-rsautl.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-rsautl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-rsautl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-rsautl.o: ../include/openssl/cast.h ../include/openssl/conf.h
-rsautl.o: ../include/openssl/crypto.h ../include/openssl/des.h
-rsautl.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-rsautl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-rsautl.o: ../include/openssl/engine.h ../include/openssl/err.h
-rsautl.o: ../include/openssl/evp.h ../include/openssl/idea.h
-rsautl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-rsautl.o: ../include/openssl/md4.h ../include/openssl/md5.h
-rsautl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+rsautl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+rsautl.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+rsautl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+rsautl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+rsautl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+rsautl.o: ../include/openssl/err.h ../include/openssl/evp.h
+rsautl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 rsautl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 rsautl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 rsautl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-rsautl.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-rsautl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-rsautl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-rsautl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-rsautl.o: ../include/openssl/sha.h ../include/openssl/stack.h
-rsautl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-rsautl.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-rsautl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-rsautl.o: rsautl.c
-s_cb.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s_cb.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+rsautl.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h
+rsautl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+rsautl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+rsautl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+rsautl.o: ../include/openssl/x509_vfy.h apps.h rsautl.c
+s_cb.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_cb.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s_cb.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s_cb.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_cb.o: ../include/openssl/des.h ../include/openssl/des_old.h
-s_cb.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s_cb.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-s_cb.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_cb.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s_cb.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s_cb.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s_cb.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+s_cb.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_cb.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+s_cb.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_cb.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_cb.o: ../include/openssl/engine.h ../include/openssl/err.h
+s_cb.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s_cb.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 s_cb.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 s_cb.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 s_cb.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s_cb.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s_cb.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s_cb.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s_cb.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
 s_cb.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_cb.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-s_cb.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s_cb.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 s_cb.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_cb.c
-s_client.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s_client.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s_client.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s_client.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_client.o: ../include/openssl/des.h ../include/openssl/des_old.h
-s_client.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s_client.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-s_client.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_client.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s_client.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s_client.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s_client.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_client.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+s_client.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_client.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_client.o: ../include/openssl/engine.h ../include/openssl/err.h
+s_client.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s_client.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 s_client.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 s_client.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_client.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s_client.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s_client.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s_client.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s_client.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_client.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-s_client.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s_client.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_client.c
-s_server.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s_server.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s_client.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s_client.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s_client.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_client.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_client.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_client.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_client.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_client.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+s_client.o: s_apps.h s_client.c timeouts.h
+s_server.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_server.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s_server.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s_server.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_server.o: ../include/openssl/des.h ../include/openssl/des_old.h
-s_server.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s_server.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-s_server.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_server.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s_server.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s_server.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s_server.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+s_server.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_server.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+s_server.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s_server.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_server.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_server.o: ../include/openssl/engine.h ../include/openssl/err.h
+s_server.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s_server.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 s_server.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 s_server.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_server.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s_server.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s_server.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s_server.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s_server.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
 s_server.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 s_server.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_server.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-s_server.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s_server.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_server.c
-s_socket.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s_socket.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s_server.o: ../include/openssl/store.h ../include/openssl/symhacks.h
+s_server.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_server.o: ../include/openssl/ui.h ../include/openssl/x509.h
+s_server.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_server.c timeouts.h
+s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_socket.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s_socket.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s_socket.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_socket.o: ../include/openssl/des.h ../include/openssl/des_old.h
-s_socket.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s_socket.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-s_socket.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_socket.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s_socket.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s_socket.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s_socket.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s_socket.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s_socket.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s_socket.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s_socket.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s_socket.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_socket.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_socket.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-s_socket.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s_socket.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_socket.c
-s_time.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s_time.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s_socket.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_socket.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+s_socket.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_socket.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_socket.o: ../include/openssl/engine.h ../include/openssl/evp.h
+s_socket.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s_socket.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_socket.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s_socket.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_socket.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_socket.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_socket.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_socket.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+s_socket.o: s_apps.h s_socket.c
+s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_time.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s_time.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s_time.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_time.o: ../include/openssl/des.h ../include/openssl/des_old.h
-s_time.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s_time.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-s_time.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_time.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s_time.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s_time.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s_time.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+s_time.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_time.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+s_time.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_time.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_time.o: ../include/openssl/engine.h ../include/openssl/err.h
+s_time.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s_time.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 s_time.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 s_time.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 s_time.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_time.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s_time.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s_time.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s_time.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s_time.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s_time.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
 s_time.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 s_time.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 s_time.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_time.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-s_time.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s_time.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 s_time.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_time.c
-sess_id.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-sess_id.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+sess_id.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 sess_id.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-sess_id.o: ../include/openssl/cast.h ../include/openssl/comp.h
-sess_id.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-sess_id.o: ../include/openssl/des.h ../include/openssl/des_old.h
-sess_id.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-sess_id.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-sess_id.o: ../include/openssl/err.h ../include/openssl/evp.h
-sess_id.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-sess_id.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-sess_id.o: ../include/openssl/md4.h ../include/openssl/md5.h
-sess_id.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+sess_id.o: ../include/openssl/comp.h ../include/openssl/conf.h
+sess_id.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+sess_id.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+sess_id.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+sess_id.o: ../include/openssl/engine.h ../include/openssl/err.h
+sess_id.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+sess_id.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 sess_id.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 sess_id.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 sess_id.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-sess_id.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-sess_id.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-sess_id.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+sess_id.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
 sess_id.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 sess_id.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 sess_id.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 sess_id.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-sess_id.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-sess_id.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+sess_id.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 sess_id.o: ../include/openssl/x509_vfy.h apps.h sess_id.c
-smime.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-smime.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-smime.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-smime.o: ../include/openssl/cast.h ../include/openssl/conf.h
-smime.o: ../include/openssl/crypto.h ../include/openssl/des.h
-smime.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-smime.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-smime.o: ../include/openssl/engine.h ../include/openssl/err.h
-smime.o: ../include/openssl/evp.h ../include/openssl/idea.h
-smime.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-smime.o: ../include/openssl/md4.h ../include/openssl/md5.h
-smime.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+smime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+smime.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+smime.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+smime.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+smime.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+smime.o: ../include/openssl/err.h ../include/openssl/evp.h
+smime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 smime.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 smime.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 smime.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-smime.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-smime.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-smime.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-smime.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+smime.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 smime.o: ../include/openssl/sha.h ../include/openssl/stack.h
 smime.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-smime.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-smime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h smime.c
+smime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+smime.o: ../include/openssl/x509v3.h apps.h smime.c
 speed.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 speed.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 speed.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 speed.o: ../include/openssl/cast.h ../include/openssl/conf.h
 speed.o: ../include/openssl/crypto.h ../include/openssl/des.h
-speed.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-speed.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+speed.o: ../include/openssl/des_old.h ../include/openssl/dsa.h
+speed.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+speed.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 speed.o: ../include/openssl/engine.h ../include/openssl/err.h
 speed.o: ../include/openssl/evp.h ../include/openssl/hmac.h
 speed.o: ../include/openssl/idea.h ../include/openssl/lhash.h
 speed.o: ../include/openssl/md2.h ../include/openssl/md4.h
-speed.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-speed.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-speed.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-speed.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
-speed.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-speed.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+speed.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
+speed.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+speed.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+speed.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+speed.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 speed.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 speed.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 speed.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 speed.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
 speed.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
 speed.o: ../include/openssl/x509_vfy.h apps.h speed.c testdsa.h testrsa.h
-spkac.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-spkac.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-spkac.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-spkac.o: ../include/openssl/cast.h ../include/openssl/conf.h
-spkac.o: ../include/openssl/crypto.h ../include/openssl/des.h
-spkac.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-spkac.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-spkac.o: ../include/openssl/engine.h ../include/openssl/err.h
-spkac.o: ../include/openssl/evp.h ../include/openssl/idea.h
-spkac.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-spkac.o: ../include/openssl/md4.h ../include/openssl/md5.h
-spkac.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+spkac.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+spkac.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+spkac.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+spkac.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+spkac.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+spkac.o: ../include/openssl/err.h ../include/openssl/evp.h
+spkac.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 spkac.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 spkac.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 spkac.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-spkac.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-spkac.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-spkac.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-spkac.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+spkac.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 spkac.o: ../include/openssl/sha.h ../include/openssl/stack.h
 spkac.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-spkac.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 spkac.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h spkac.c
-verify.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-verify.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-verify.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-verify.o: ../include/openssl/cast.h ../include/openssl/conf.h
-verify.o: ../include/openssl/crypto.h ../include/openssl/des.h
-verify.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-verify.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-verify.o: ../include/openssl/engine.h ../include/openssl/err.h
-verify.o: ../include/openssl/evp.h ../include/openssl/idea.h
-verify.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-verify.o: ../include/openssl/md4.h ../include/openssl/md5.h
-verify.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+verify.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+verify.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+verify.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+verify.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+verify.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+verify.o: ../include/openssl/err.h ../include/openssl/evp.h
+verify.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 verify.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 verify.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 verify.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-verify.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-verify.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-verify.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-verify.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+verify.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 verify.o: ../include/openssl/sha.h ../include/openssl/stack.h
 verify.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-verify.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 verify.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
 verify.o: ../include/openssl/x509v3.h apps.h verify.c
-version.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-version.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-version.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-version.o: ../include/openssl/cast.h ../include/openssl/conf.h
+version.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+version.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+version.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 version.o: ../include/openssl/crypto.h ../include/openssl/des.h
-version.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-version.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-version.o: ../include/openssl/engine.h ../include/openssl/err.h
+version.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h
+version.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+version.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
 version.o: ../include/openssl/evp.h ../include/openssl/idea.h
 version.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-version.o: ../include/openssl/md4.h ../include/openssl/md5.h
-version.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-version.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-version.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-version.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-version.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-version.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-version.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+version.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+version.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+version.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+version.o: ../include/openssl/rc4.h ../include/openssl/safestack.h
 version.o: ../include/openssl/sha.h ../include/openssl/stack.h
 version.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
 version.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 version.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
 version.o: version.c
-x509.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-x509.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+x509.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 x509.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-x509.o: ../include/openssl/cast.h ../include/openssl/conf.h
-x509.o: ../include/openssl/crypto.h ../include/openssl/des.h
-x509.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+x509.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 x509.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-x509.o: ../include/openssl/engine.h ../include/openssl/err.h
-x509.o: ../include/openssl/evp.h ../include/openssl/idea.h
-x509.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-x509.o: ../include/openssl/md4.h ../include/openssl/md5.h
-x509.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+x509.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+x509.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+x509.o: ../include/openssl/err.h ../include/openssl/evp.h
+x509.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 x509.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 x509.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 x509.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-x509.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-x509.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-x509.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-x509.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-x509.o: ../include/openssl/sha.h ../include/openssl/stack.h
-x509.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-x509.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-x509.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-x509.o: ../include/openssl/x509v3.h apps.h x509.c
+x509.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h
+x509.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+x509.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+x509.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+x509.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h x509.c
diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c
index b747e2d3cf03..613c3ba4955c 100644
--- a/crypto/openssl/apps/apps.c
+++ b/crypto/openssl/apps/apps.c
@@ -125,13 +125,17 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#include <openssl/bn.h>
 
 #define NON_MAIN
 #include "apps.h"
 #undef NON_MAIN
 
 typedef struct {
-	char *name;
+	const char *name;
 	unsigned long flag;
 	unsigned long mask;
 } NAME_EX_TBL;
@@ -250,7 +254,7 @@ int str2fmt(char *s)
 		return(FORMAT_UNDEF);
 	}
 
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16) || defined(OPENSSL_SYS_NETWARE)
 void program_name(char *in, char *out, int size)
 	{
 	int i,n;
@@ -269,12 +273,23 @@ void program_name(char *in, char *out, int size)
 	if (p == NULL)
 		p=in;
 	n=strlen(p);
+
+#if defined(OPENSSL_SYS_NETWARE)
+   /* strip off trailing .nlm if present. */
+   if ((n > 4) && (p[n-4] == '.') &&
+      ((p[n-3] == 'n') || (p[n-3] == 'N')) &&
+      ((p[n-2] == 'l') || (p[n-2] == 'L')) &&
+      ((p[n-1] == 'm') || (p[n-1] == 'M')))
+      n-=4;
+#else
 	/* strip off trailing .exe if present. */
 	if ((n > 4) && (p[n-4] == '.') &&
 		((p[n-3] == 'e') || (p[n-3] == 'E')) &&
 		((p[n-2] == 'x') || (p[n-2] == 'X')) &&
 		((p[n-1] == 'e') || (p[n-1] == 'E')))
 		n-=4;
+#endif
+
 	if (n > size-1)
 		n=size-1;
 
@@ -330,22 +345,6 @@ void program_name(char *in, char *out, int size)
 #endif
 #endif
 
-#ifdef OPENSSL_SYS_VMS
-int VMS_strcasecmp(const char *str1, const char *str2)
-	{
-	while (*str1 && *str2)
-		{
-		int res = toupper(*str1) - toupper(*str2);
-		if (res) return res < 0 ? -1 : 1;
-		}
-	if (*str1)
-		return 1;
-	if (*str2)
-		return -1;
-	return 0;
-	}
-#endif
-
 int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 	{
 	int num,len,i;
@@ -377,10 +376,17 @@ int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 		/* The start of something good :-) */
 		if (num >= arg->count)
 			{
-			arg->count+=20;
-			arg->data=(char **)OPENSSL_realloc(arg->data,
-				sizeof(char *)*arg->count);
-			if (argc == 0) return(0);
+			char **tmp_p;
+			int tlen = arg->count + 20;
+			tmp_p = (char **)OPENSSL_realloc(arg->data,
+				sizeof(char *)*tlen);
+			if (tmp_p == NULL)
+				return 0;
+			arg->data  = tmp_p;
+			arg->count = tlen;
+			/* initialize newly allocated data */
+			for (i = num; i < arg->count; i++)
+				arg->data[i] = NULL;
 			}
 		arg->data[num++]=p;
 
@@ -542,7 +548,7 @@ int password_callback(char *buf, int bufsiz, int verify,
 		char *prompt = NULL;
 
 		prompt = UI_construct_prompt(ui, "pass phrase",
-			cb_data->prompt_info);
+			prompt_info);
 
 		ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
 		UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
@@ -691,6 +697,51 @@ int add_oid_section(BIO *err, CONF *conf)
 	return 1;
 }
 
+static int load_pkcs12(BIO *err, BIO *in, const char *desc,
+		pem_password_cb *pem_cb,  void *cb_data,
+		EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
+	{
+ 	const char *pass;
+	char tpass[PEM_BUFSIZE];
+	int len, ret = 0;
+	PKCS12 *p12;
+	p12 = d2i_PKCS12_bio(in, NULL);
+	if (p12 == NULL)
+		{
+		BIO_printf(err, "Error loading PKCS12 file for %s\n", desc);	
+		goto die;
+		}
+	/* See if an empty password will do */
+	if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0))
+		pass = "";
+	else
+		{
+		if (!pem_cb)
+			pem_cb = (pem_password_cb *)password_callback;
+		len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
+		if (len < 0) 
+			{
+			BIO_printf(err, "Passpharse callback error for %s\n",
+					desc);
+			goto die;
+			}
+		if (len < PEM_BUFSIZE)
+			tpass[len] = 0;
+		if (!PKCS12_verify_mac(p12, tpass, len))
+			{
+			BIO_printf(err,
+	"Mac verify error (wrong password?) in PKCS12 file for %s\n", desc);	
+			goto die;
+			}
+		pass = tpass;
+		}
+	ret = PKCS12_parse(p12, pass, pkey, cert, ca);
+	die:
+	if (p12)
+		PKCS12_free(p12);
+	return ret;
+	}
+
 X509 *load_cert(BIO *err, const char *file, int format,
 	const char *pass, ENGINE *e, const char *cert_descrip)
 	{
@@ -725,7 +776,7 @@ X509 *load_cert(BIO *err, const char *file, int format,
 		x=d2i_X509_bio(cert,NULL);
 	else if (format == FORMAT_NETSCAPE)
 		{
-		unsigned char *p,*op;
+		const unsigned char *p,*op;
 		int size=0,i;
 
 		/* We sort of have to do it this way because it is sort of nice
@@ -771,11 +822,9 @@ X509 *load_cert(BIO *err, const char *file, int format,
 			(pem_password_cb *)password_callback, NULL);
 	else if (format == FORMAT_PKCS12)
 		{
-		PKCS12 *p12 = d2i_PKCS12_bio(cert, NULL);
-
-		PKCS12_parse(p12, NULL, NULL, &x, NULL);
-		PKCS12_free(p12);
-		p12 = NULL;
+		if (!load_pkcs12(err, cert,cert_descrip, NULL, NULL,
+					NULL, &x, NULL))
+			goto end;
 		}
 	else	{
 		BIO_printf(err,"bad input format specified for %s\n",
@@ -854,11 +903,10 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 #endif
 	else if (format == FORMAT_PKCS12)
 		{
-		PKCS12 *p12 = d2i_PKCS12_bio(key, NULL);
-
-		PKCS12_parse(p12, pass, &pkey, NULL, NULL);
-		PKCS12_free(p12);
-		p12 = NULL;
+		if (!load_pkcs12(err, key, key_descrip,
+				(pem_password_cb *)password_callback, &cb_data,
+				&pkey, NULL, NULL))
+			goto end;
 		}
 	else
 		{
@@ -1230,7 +1278,7 @@ static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_T
 	return 0;
 }
 
-void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
+void print_name(BIO *out, const char *title, X509_NAME *nm, unsigned long lflags)
 {
 	char *buf;
 	char mline = 0;
@@ -1565,8 +1613,9 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
 		{
 		if (errno != ENOENT 
 #ifdef ENOTDIR
-			&& errno != ENOTDIR)
+			&& errno != ENOTDIR
 #endif
+		   )
 			goto err;
 		}
 	else
@@ -1697,23 +1746,10 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
 		char *p = NCONF_get_string(dbattr_conf,NULL,"unique_subject");
 		if (p)
 			{
+#ifdef RL_DEBUG
 			BIO_printf(bio_err, "DEBUG[load_index]: unique_subject = \"%s\"\n", p);
-			switch(*p)
-				{
-			case 'f': /* false */
-			case 'F': /* FALSE */
-			case 'n': /* no */
-			case 'N': /* NO */
-				retdb->attributes.unique_subject = 0;
-				break;
-			case 't': /* true */
-			case 'T': /* TRUE */
-			case 'y': /* yes */
-			case 'Y': /* YES */
-			default:
-				retdb->attributes.unique_subject = 1;
-				break;
-				}
+#endif
+			retdb->attributes.unique_subject = parse_yesno(p,1);
 			}
 		}
 
@@ -1748,7 +1784,7 @@ int index_index(CA_DB *db)
 	return 1;
 	}
 
-int save_index(char *dbfile, char *suffix, CA_DB *db)
+int save_index(const char *dbfile, const char *suffix, CA_DB *db)
 	{
 	char buf[3][BSIZE];
 	BIO *out = BIO_new(BIO_s_file());
@@ -1815,7 +1851,7 @@ int save_index(char *dbfile, char *suffix, CA_DB *db)
 	return 0;
 	}
 
-int rotate_index(char *dbfile, char *new_suffix, char *old_suffix)
+int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix)
 	{
 	char buf[5][BSIZE];
 	int i,j;
@@ -1867,8 +1903,9 @@ int rotate_index(char *dbfile, char *new_suffix, char *old_suffix)
 		{
 		if (errno != ENOENT 
 #ifdef ENOTDIR
-			&& errno != ENOTDIR)
+			&& errno != ENOTDIR
 #endif
+		   )
 			goto err;
 		}
 	else
@@ -1903,8 +1940,9 @@ int rotate_index(char *dbfile, char *new_suffix, char *old_suffix)
 		{
 		if (errno != ENOENT 
 #ifdef ENOTDIR
-			&& errno != ENOTDIR)
+			&& errno != ENOTDIR
 #endif
+		   )
 			goto err;
 		}
 	else
@@ -1953,9 +1991,174 @@ void free_index(CA_DB *db)
 		}
 	}
 
+int parse_yesno(const char *str, int def)
+	{
+	int ret = def;
+	if (str)
+		{
+		switch (*str)
+			{
+		case 'f': /* false */
+		case 'F': /* FALSE */
+		case 'n': /* no */
+		case 'N': /* NO */
+		case '0': /* 0 */
+			ret = 0;
+			break;
+		case 't': /* true */
+		case 'T': /* TRUE */
+		case 'y': /* yes */
+		case 'Y': /* YES */
+		case '1': /* 1 */
+			ret = 0;
+			break;
+		default:
+			ret = def;
+			break;
+			}
+		}
+	return ret;
+	}
+
+/*
+ * subject is expected to be in the format /type0=value0/type1=value1/type2=...
+ * where characters may be escaped by \
+ */
+X509_NAME *parse_name(char *subject, long chtype, int multirdn)
+	{
+	size_t buflen = strlen(subject)+1; /* to copy the types and values into. due to escaping, the copy can only become shorter */
+	char *buf = OPENSSL_malloc(buflen);
+	size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */
+	char **ne_types = OPENSSL_malloc(max_ne * sizeof (char *));
+	char **ne_values = OPENSSL_malloc(max_ne * sizeof (char *));
+	int *mval = OPENSSL_malloc (max_ne * sizeof (int));
+
+	char *sp = subject, *bp = buf;
+	int i, ne_num = 0;
+
+	X509_NAME *n = NULL;
+	int nid;
+
+	if (!buf || !ne_types || !ne_values)
+		{
+		BIO_printf(bio_err, "malloc error\n");
+		goto error;
+		}	
+
+	if (*subject != '/')
+		{
+		BIO_printf(bio_err, "Subject does not start with '/'.\n");
+		goto error;
+		}
+	sp++; /* skip leading / */
+
+	/* no multivalued RDN by default */
+	mval[ne_num] = 0;
+
+	while (*sp)
+		{
+		/* collect type */
+		ne_types[ne_num] = bp;
+		while (*sp)
+			{
+			if (*sp == '\\') /* is there anything to escape in the type...? */
+				{
+				if (*++sp)
+					*bp++ = *sp++;
+				else	
+					{
+					BIO_printf(bio_err, "escape character at end of string\n");
+					goto error;
+					}
+				}	
+			else if (*sp == '=')
+				{
+				sp++;
+				*bp++ = '\0';
+				break;
+				}
+			else
+				*bp++ = *sp++;
+			}
+		if (!*sp)
+			{
+			BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num);
+			goto error;
+			}
+		ne_values[ne_num] = bp;
+		while (*sp)
+			{
+			if (*sp == '\\')
+				{
+				if (*++sp)
+					*bp++ = *sp++;
+				else
+					{
+					BIO_printf(bio_err, "escape character at end of string\n");
+					goto error;
+					}
+				}
+			else if (*sp == '/')
+				{
+				sp++;
+				/* no multivalued RDN by default */
+				mval[ne_num+1] = 0;
+				break;
+				}
+			else if (*sp == '+' && multirdn)
+				{
+				/* a not escaped + signals a mutlivalued RDN */
+				sp++;
+				mval[ne_num+1] = -1;
+				break;
+				}
+			else
+				*bp++ = *sp++;
+			}
+		*bp++ = '\0';
+		ne_num++;
+		}	
+
+	if (!(n = X509_NAME_new()))
+		goto error;
+
+	for (i = 0; i < ne_num; i++)
+		{
+		if ((nid=OBJ_txt2nid(ne_types[i])) == NID_undef)
+			{
+			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_types[i]);
+			continue;
+			}
+
+		if (!*ne_values[i])
+			{
+			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
+			continue;
+			}
+
+		if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,mval[i]))
+			goto error;
+		}
+
+	OPENSSL_free(ne_values);
+	OPENSSL_free(ne_types);
+	OPENSSL_free(buf);
+	return n;
+
+error:
+	X509_NAME_free(n);
+	if (ne_values)
+		OPENSSL_free(ne_values);
+	if (ne_types)
+		OPENSSL_free(ne_types);
+	if (buf)
+		OPENSSL_free(buf);
+	return NULL;
+}
+
 /* This code MUST COME AFTER anything that uses rename() */
 #ifdef OPENSSL_SYS_WIN32
-int WIN32_rename(char *from, char *to)
+int WIN32_rename(const char *from, const char *to)
 	{
 #ifndef OPENSSL_SYS_WINCE
 	/* Windows rename gives an error if 'to' exists, so delete it
@@ -1991,3 +2194,142 @@ int WIN32_rename(char *from, char *to)
 #endif
 	}
 #endif
+
+int args_verify(char ***pargs, int *pargc,
+			int *badarg, BIO *err, X509_VERIFY_PARAM **pm)
+	{
+	ASN1_OBJECT *otmp = NULL;
+	unsigned long flags = 0;
+	int i;
+	int purpose = 0;
+	char **oldargs = *pargs;
+	char *arg = **pargs, *argn = (*pargs)[1];
+	if (!strcmp(arg, "-policy"))
+		{
+		if (!argn)
+			*badarg = 1;
+		else
+			{
+			otmp = OBJ_txt2obj(argn, 0);
+			if (!otmp)
+				{
+				BIO_printf(err, "Invalid Policy \"%s\"\n",
+									argn);
+				*badarg = 1;
+				}
+			}
+		(*pargs)++;
+		}
+	else if (strcmp(arg,"-purpose") == 0)
+		{
+		X509_PURPOSE *xptmp;
+		if (!argn)
+			*badarg = 1;
+		else
+			{
+			i = X509_PURPOSE_get_by_sname(argn);
+			if(i < 0)
+				{
+				BIO_printf(err, "unrecognized purpose\n");
+				*badarg = 1;
+				}
+			else
+				{
+				xptmp = X509_PURPOSE_get0(i);
+				purpose = X509_PURPOSE_get_id(xptmp);
+				}
+			}
+		(*pargs)++;
+		}
+	else if (!strcmp(arg, "-ignore_critical"))
+		flags |= X509_V_FLAG_IGNORE_CRITICAL;
+	else if (!strcmp(arg, "-issuer_checks"))
+		flags |= X509_V_FLAG_CB_ISSUER_CHECK;
+	else if (!strcmp(arg, "-crl_check"))
+		flags |=  X509_V_FLAG_CRL_CHECK;
+	else if (!strcmp(arg, "-crl_check_all"))
+		flags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
+	else if (!strcmp(arg, "-policy_check"))
+		flags |= X509_V_FLAG_POLICY_CHECK;
+	else if (!strcmp(arg, "-explicit_policy"))
+		flags |= X509_V_FLAG_EXPLICIT_POLICY;
+	else if (!strcmp(arg, "-x509_strict"))
+		flags |= X509_V_FLAG_X509_STRICT;
+	else if (!strcmp(arg, "-policy_print"))
+		flags |= X509_V_FLAG_NOTIFY_POLICY;
+	else
+		return 0;
+
+	if (*badarg)
+		{
+		if (*pm)
+			X509_VERIFY_PARAM_free(*pm);
+		*pm = NULL;
+		goto end;
+		}
+
+	if (!*pm && !(*pm = X509_VERIFY_PARAM_new()))
+		{
+		*badarg = 1;
+		goto end;
+		}
+
+	if (otmp)
+		X509_VERIFY_PARAM_add0_policy(*pm, otmp);
+	if (flags)
+		X509_VERIFY_PARAM_set_flags(*pm, flags);
+
+	if (purpose)
+		X509_VERIFY_PARAM_set_purpose(*pm, purpose);
+
+	end:
+
+	(*pargs)++;
+
+	if (pargc)
+		*pargc -= *pargs - oldargs;
+
+	return 1;
+
+	}
+
+static void nodes_print(BIO *out, const char *name,
+	STACK_OF(X509_POLICY_NODE) *nodes)
+	{
+	X509_POLICY_NODE *node;
+	int i;
+	BIO_printf(out, "%s Policies:", name);
+	if (nodes)
+		{
+		BIO_puts(out, "\n");
+		for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++)
+			{
+			node = sk_X509_POLICY_NODE_value(nodes, i);
+			X509_POLICY_NODE_print(out, node, 2);
+			}
+		}
+	else
+		BIO_puts(out, " <empty>\n");
+	}
+
+void policies_print(BIO *out, X509_STORE_CTX *ctx)
+	{
+	X509_POLICY_TREE *tree;
+	int explicit_policy;
+	int free_out = 0;
+	if (out == NULL)
+		{
+		out = BIO_new_fp(stderr, BIO_NOCLOSE);
+		free_out = 1;
+		}
+	tree = X509_STORE_CTX_get0_policy_tree(ctx);
+	explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
+
+	BIO_printf(out, "Require explicit Policy: %s\n",
+				explicit_policy ? "True" : "False");
+
+	nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
+	nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));
+	if (free_out)
+		BIO_free(out);
+	}
diff --git a/crypto/openssl/apps/apps.h b/crypto/openssl/apps/apps.h
index 4320410dad37..26dcbc5771d5 100644
--- a/crypto/openssl/apps/apps.h
+++ b/crypto/openssl/apps/apps.h
@@ -114,9 +114,7 @@
 
 #include "e_os.h"
 
-#include <openssl/buffer.h>
 #include <openssl/bio.h>
-#include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
@@ -138,7 +136,7 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,
 
 #ifdef OPENSSL_SYS_WIN32
 #define rename(from,to) WIN32_rename((from),(to))
-int WIN32_rename(char *oldname,char *newname);
+int WIN32_rename(const char *oldname,const char *newname);
 #endif
 
 #ifndef MONOLITH
@@ -148,11 +146,9 @@ int WIN32_rename(char *oldname,char *newname);
 #ifndef NON_MAIN
 CONF *config=NULL;
 BIO *bio_err=NULL;
-int in_FIPS_mode=0;
 #else
 extern CONF *config;
 extern BIO *bio_err;
-extern int in_FIPS_mode;
 #endif
 
 #else
@@ -161,11 +157,12 @@ extern int in_FIPS_mode;
 extern CONF *config;
 extern char *default_config_file;
 extern BIO *bio_err;
-extern int in_FIPS_mode;
 
 #endif
 
+#ifndef OPENSSL_SYS_NETWARE
 #include <signal.h>
+#endif
 
 #ifdef SIGPIPE
 #define do_pipe_sig()	signal(SIGPIPE,SIG_IGN)
@@ -257,7 +254,7 @@ void program_name(char *in,char *out,int size);
 int chopup_args(ARGS *arg,char *buf, int *argc, char **argv[]);
 #ifdef HEADER_X509_H
 int dump_cert_text(BIO *out, X509 *x);
-void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags);
+void print_name(BIO *out, const char *title, X509_NAME *nm, unsigned long lflags);
 #endif
 int set_cert_ex(unsigned long *flags, const char *arg);
 int set_name_ex(unsigned long *flags, const char *arg);
@@ -283,7 +280,7 @@ char *make_config_name(void);
 
 /* Functions defined in ca.c and also used in ocsp.c */
 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
-			ASN1_GENERALIZEDTIME **pinvtm, char *str);
+			ASN1_GENERALIZEDTIME **pinvtm, const char *str);
 
 #define DB_type         0
 #define DB_exp_date     1
@@ -313,12 +310,16 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix);
 int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
 CA_DB *load_index(char *dbfile, DB_ATTR *dbattr);
 int index_index(CA_DB *db);
-int save_index(char *dbfile, char *suffix, CA_DB *db);
-int rotate_index(char *dbfile, char *new_suffix, char *old_suffix);
+int save_index(const char *dbfile, const char *suffix, CA_DB *db);
+int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix);
 void free_index(CA_DB *db);
 int index_name_cmp(const char **a, const char **b);
+int parse_yesno(const char *str, int def);
 
-X509_NAME *do_subject(char *str, long chtype);
+X509_NAME *parse_name(char *str, long chtype, int multirdn);
+int args_verify(char ***pargs, int *pargc,
+			int *badarg, BIO *err, X509_VERIFY_PARAM **pm);
+void policies_print(BIO *out, X509_STORE_CTX *ctx);
 
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
diff --git a/crypto/openssl/apps/asn1pars.c b/crypto/openssl/apps/asn1pars.c
index c89b358b238b..b1a7c8e5dbf8 100644
--- a/crypto/openssl/apps/asn1pars.c
+++ b/crypto/openssl/apps/asn1pars.c
@@ -82,6 +82,8 @@
 
 int MAIN(int, char **);
 
+static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf);
+
 int MAIN(int argc, char **argv)
 	{
 	int i,badops=0,offset=0,ret=1,j;
@@ -90,7 +92,9 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL,*b64=NULL, *derout = NULL;
 	int informat,indent=0, noout = 0, dump = 0;
 	char *infile=NULL,*str=NULL,*prog,*oidfile=NULL, *derfile=NULL;
+	char *genstr=NULL, *genconf=NULL;
 	unsigned char *tmpbuf;
+	const unsigned char *ctmpbuf;
 	BUF_MEM *buf=NULL;
 	STACK *osk=NULL;
 	ASN1_TYPE *at=NULL;
@@ -167,6 +171,16 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			sk_push(osk,*(++argv));
 			}
+		else if (strcmp(*argv,"-genstr") == 0)
+			{
+			if (--argc < 1) goto bad;
+			genstr= *(++argv);
+			}
+		else if (strcmp(*argv,"-genconf") == 0)
+			{
+			if (--argc < 1) goto bad;
+			genconf= *(++argv);
+			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -182,7 +196,7 @@ int MAIN(int argc, char **argv)
 bad:
 		BIO_printf(bio_err,"%s [options] <infile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
-		BIO_printf(bio_err," -inform arg   input format - one of DER TXT PEM\n");
+		BIO_printf(bio_err," -inform arg   input format - one of DER PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file (output format is always DER\n");
 		BIO_printf(bio_err," -noout arg    don't produce any output\n");
@@ -195,6 +209,8 @@ bad:
 		BIO_printf(bio_err," -strparse offset\n");
 		BIO_printf(bio_err,"               a series of these can be used to 'dig' into multiple\n");
 		BIO_printf(bio_err,"               ASN1 blob wrappings\n");
+		BIO_printf(bio_err," -genstr str   string to generate ASN1 structure from\n");
+		BIO_printf(bio_err," -genconf file file to generate ASN1 structure from\n");
 		goto end;
 		}
 
@@ -248,25 +264,39 @@ bad:
 	if ((buf=BUF_MEM_new()) == NULL) goto end;
 	if (!BUF_MEM_grow(buf,BUFSIZ*8)) goto end; /* Pre-allocate :-) */
 
-	if (informat == FORMAT_PEM)
+	if (genstr || genconf)
 		{
-		BIO *tmp;
-
-		if ((b64=BIO_new(BIO_f_base64())) == NULL)
+		num = do_generate(bio_err, genstr, genconf, buf);
+		if (num < 0)
+			{
+			ERR_print_errors(bio_err);
 			goto end;
-		BIO_push(b64,in);
-		tmp=in;
-		in=b64;
-		b64=tmp;
+			}
 		}
 
-	num=0;
-	for (;;)
+	else
 		{
-		if (!BUF_MEM_grow(buf,(int)num+BUFSIZ)) goto end;
-		i=BIO_read(in,&(buf->data[num]),BUFSIZ);
-		if (i <= 0) break;
-		num+=i;
+
+		if (informat == FORMAT_PEM)
+			{
+			BIO *tmp;
+
+			if ((b64=BIO_new(BIO_f_base64())) == NULL)
+				goto end;
+			BIO_push(b64,in);
+			tmp=in;
+			in=b64;
+			b64=tmp;
+			}
+
+		num=0;
+		for (;;)
+			{
+			if (!BUF_MEM_grow(buf,(int)num+BUFSIZ)) goto end;
+			i=BIO_read(in,&(buf->data[num]),BUFSIZ);
+			if (i <= 0) break;
+			num+=i;
+			}
 		}
 	str=buf->data;
 
@@ -278,8 +308,8 @@ bad:
 		tmplen=num;
 		for (i=0; i<sk_num(osk); i++)
 			{
-			int typ;
 			ASN1_TYPE *atmp;
+			int typ;
 			j=atoi(sk_value(osk,i));
 			if (j == 0)
 				{
@@ -289,7 +319,8 @@ bad:
 			tmpbuf+=j;
 			tmplen-=j;
 			atmp = at;
-			at = d2i_ASN1_TYPE(NULL,&tmpbuf,tmplen);
+			ctmpbuf = tmpbuf;
+			at = d2i_ASN1_TYPE(NULL,&ctmpbuf,tmplen);
 			ASN1_TYPE_free(atmp);
 			if(!at)
 				{
@@ -353,3 +384,61 @@ end:
 	OPENSSL_EXIT(ret);
 	}
 
+static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf)
+	{
+	CONF *cnf = NULL;
+	int len;
+	long errline;
+	unsigned char *p;
+	ASN1_TYPE *atyp = NULL;
+
+	if (genconf)
+		{
+		cnf = NCONF_new(NULL);
+		if (!NCONF_load(cnf, genconf, &errline))
+			goto conferr;
+		if (!genstr)
+			genstr = NCONF_get_string(cnf, "default", "asn1");
+		if (!genstr)
+			{
+			BIO_printf(bio, "Can't find 'asn1' in '%s'\n", genconf);
+			goto err;
+			}
+		}
+
+	atyp = ASN1_generate_nconf(genstr, cnf);
+	NCONF_free(cnf);
+
+	if (!atyp)
+		return -1;
+
+	len = i2d_ASN1_TYPE(atyp, NULL);
+
+	if (len <= 0)
+		goto err;
+
+	if (!BUF_MEM_grow(buf,len))
+		goto err;
+
+	p=(unsigned char *)buf->data;
+
+	i2d_ASN1_TYPE(atyp, &p);
+
+	ASN1_TYPE_free(atyp);
+	return len;
+
+	conferr:
+
+	if (errline > 0)
+		BIO_printf(bio, "Error on line %ld of config file '%s'\n",
+							errline, genconf);
+	else
+		BIO_printf(bio, "Error loading config file '%s'\n", genconf);
+
+	err:
+	NCONF_free(cnf);
+	ASN1_TYPE_free(atyp);
+
+	return -1;
+
+	}
diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c
index cacacb6ffd62..210b5e1ff474 100644
--- a/crypto/openssl/apps/ca.c
+++ b/crypto/openssl/apps/ca.c
@@ -83,7 +83,7 @@
 #    else
 #      include <unixlib.h>
 #    endif
-#  elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS)
+#  elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)
 #    include <sys/file.h>
 #  endif
 #endif
@@ -105,6 +105,9 @@
 
 #define ENV_DEFAULT_CA		"default_ca"
 
+#define STRING_MASK	"string_mask"
+#define UTF8_IN			"utf8"
+
 #define ENV_DIR			"dir"
 #define ENV_CERTS		"certs"
 #define ENV_CRL_DIR		"crl_dir"
@@ -131,6 +134,7 @@
 #define ENV_NAMEOPT		"name_opt"
 #define ENV_CERTOPT		"cert_opt"
 #define ENV_EXTCOPY		"copy_extensions"
+#define ENV_UNIQUE_SUBJECT	"unique_subject"
 
 #define ENV_DATABASE		"database"
 
@@ -142,7 +146,7 @@
 #define REV_KEY_COMPROMISE	3	/* Value is cert key compromise time */
 #define REV_CA_COMPROMISE	4	/* Value is CA key compromise time */
 
-static char *ca_usage[]={
+static const char *ca_usage[]={
 "usage: ca args\n",
 "\n",
 " -verbose        - Talk alot while doing things\n",
@@ -160,6 +164,7 @@ static char *ca_usage[]={
 " -keyform arg    - private key file format (PEM or ENGINE)\n",
 " -key arg        - key to decode the private key if it is encrypted\n",
 " -cert file      - The CA certificate\n",
+" -selfsign       - sign a certificate with the key associated with it\n",
 " -in file        - The input PEM encoded certificate request(s)\n",
 " -out file       - Where to put the output file(s)\n",
 " -outdir dir     - Where to put output certificates\n",
@@ -172,6 +177,8 @@ static char *ca_usage[]={
 " -msie_hack      - msie modifications to handle all those universal strings\n",
 " -revoke file    - Revoke a certificate (given in file)\n",
 " -subj arg       - Use arg instead of request's subject\n",
+" -utf8           - input characters are UTF8 (default ASCII)\n",
+" -multivalue-rdn - enable support for multivalued RDNs\n",
 " -extensions ..  - Extension section (override value in config file)\n",
 " -extfile file   - Configuration file with X509v3 extentions to add\n",
 " -crlexts ..     - CRL extension section (override value in config file)\n",
@@ -189,40 +196,40 @@ extern int EF_PROTECT_BELOW;
 extern int EF_ALIGNMENT;
 #endif
 
-static void lookup_fail(char *name,char *tag);
+static void lookup_fail(const char *name, const char *tag);
 static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
 		   const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db,
-		   BIGNUM *serial, char *subj, int email_dn, char *startdate,
+		   BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate,
 		   char *enddate, long days, int batch, char *ext_sect, CONF *conf,
 		   int verbose, unsigned long certopt, unsigned long nameopt,
-		   int default_op, int ext_copy);
+		   int default_op, int ext_copy, int selfsign);
 static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
 			const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
-			CA_DB *db, BIGNUM *serial, char *subj, int email_dn,
+			CA_DB *db, BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn,
 			char *startdate, char *enddate, long days, int batch,
 			char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
 			unsigned long nameopt, int default_op, int ext_copy,
 			ENGINE *e);
 static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
 			 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
-			 CA_DB *db, BIGNUM *serial,char *subj, int email_dn,
+			 CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, int email_dn,
 			 char *startdate, char *enddate, long days, char *ext_sect,
 			 CONF *conf, int verbose, unsigned long certopt, 
 			 unsigned long nameopt, int default_op, int ext_copy);
 static int fix_data(int nid, int *type);
 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
-	STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,
+	STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn,
 	int email_dn, char *startdate, char *enddate, long days, int batch,
        	int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
 	unsigned long certopt, unsigned long nameopt, int default_op,
-	int ext_copy);
+	int ext_copy, int selfsign);
 static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);
 static int get_certificate_status(const char *ser_status, CA_DB *db);
 static int do_updatedb(CA_DB *db);
 static int check_time_format(char *str);
 char *make_revocation_str(int rev_type, char *rev_arg);
-int make_revoked(X509_REVOKED *rev, char *str);
+int make_revoked(X509_REVOKED *rev, const char *str);
 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str);
 static CONF *conf=NULL;
 static CONF *extconf=NULL;
@@ -272,6 +279,8 @@ int MAIN(int argc, char **argv)
 	char *extensions=NULL;
 	char *extfile=NULL;
 	char *subj=NULL;
+	unsigned long chtype = MBSTRING_ASC;
+	int multirdn = 0;
 	char *tmp_email_dn=NULL;
 	char *crl_ext=NULL;
 	int rev_type = REV_NONE;
@@ -286,7 +295,8 @@ int MAIN(int argc, char **argv)
 	unsigned long nameopt = 0, certopt = 0;
 	int default_op = 1;
 	int ext_copy = EXT_COPY_NONE;
-	X509 *x509=NULL;
+	int selfsign = 0;
+	X509 *x509=NULL, *x509p = NULL;
 	X509 *x=NULL;
 	BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL;
 	char *dbfile=NULL;
@@ -295,7 +305,8 @@ int MAIN(int argc, char **argv)
 	X509_REVOKED *r=NULL;
 	ASN1_TIME *tmptm;
 	ASN1_INTEGER *tmpser;
-	char **pp,*p,*f;
+	char *f;
+	const char *p, **pp;
 	int i,j;
 	const EVP_MD *dgst=NULL;
 	STACK_OF(CONF_VALUE) *attribs=NULL;
@@ -350,6 +361,12 @@ EF_ALIGNMENT=0;
 			subj= *(++argv);
 			/* preserve=1; */
 			}
+		else if (strcmp(*argv,"-utf8") == 0)
+			chtype = MBSTRING_UTF8;
+		else if (strcmp(*argv,"-create_serial") == 0)
+			create_ser = 1;
+		else if (strcmp(*argv,"-multivalue-rdn") == 0)
+			multirdn=1;
 		else if (strcmp(*argv,"-startdate") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -400,6 +417,8 @@ EF_ALIGNMENT=0;
 			if (--argc < 1) goto bad;
 			certfile= *(++argv);
 			}
+		else if (strcmp(*argv,"-selfsign") == 0)
+			selfsign=1;
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -633,29 +652,31 @@ bad:
 		ERR_clear_error();
 	app_RAND_load_file(randfile, bio_err, 0);
 
+	f = NCONF_get_string(conf, section, STRING_MASK);
+	if (!f)
+		ERR_clear_error();
+
+	if(f && !ASN1_STRING_set_default_mask_asc(f)) {
+		BIO_printf(bio_err, "Invalid global string mask setting %s\n", f);
+		goto err;
+	}
+
+	if (chtype != MBSTRING_UTF8){
+		f = NCONF_get_string(conf, section, UTF8_IN);
+		if (!f)
+			ERR_clear_error();
+		else if (!strcmp(f, "yes"))
+			chtype = MBSTRING_UTF8;
+	}
+
 	db_attr.unique_subject = 1;
-	p = NCONF_get_string(conf, section, "unique_subject");
+	p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT);
 	if (p)
 		{
 #ifdef RL_DEBUG
 		BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p);
 #endif
-		switch(*p)
-			{
-		case 'f': /* false */
-		case 'F': /* FALSE */
-		case 'n': /* no */
-		case 'N': /* NO */
-			db_attr.unique_subject = 0;
-			break;
-		case 't': /* true */
-		case 'T': /* TRUE */
-		case 'y': /* yes */
-		case 'Y': /* YES */
-		default:
-			db_attr.unique_subject = 1;
-			break;
-			}
+		db_attr.unique_subject = parse_yesno(p,1);
 		}
 	else
 		ERR_clear_error();
@@ -699,7 +720,7 @@ bad:
 	}
 
 	/*****************************************************************/
-	/* we definitely need a public key, so let's get it */
+	/* we definitely need a private key, so let's get it */
 
 	if ((keyfile == NULL) && ((keyfile=NCONF_get_string(conf,
 		section,ENV_PRIVATE_KEY)) == NULL))
@@ -727,22 +748,27 @@ bad:
 
 	/*****************************************************************/
 	/* we need a certificate */
-	if ((certfile == NULL) && ((certfile=NCONF_get_string(conf,
-		section,ENV_CERTIFICATE)) == NULL))
+	if (!selfsign || spkac_file || ss_cert_file || gencrl)
 		{
-		lookup_fail(section,ENV_CERTIFICATE);
-		goto err;
-		}
-	x509=load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
-		"CA certificate");
-	if (x509 == NULL)
-		goto err;
+		if ((certfile == NULL)
+			&& ((certfile=NCONF_get_string(conf,
+				     section,ENV_CERTIFICATE)) == NULL))
+			{
+			lookup_fail(section,ENV_CERTIFICATE);
+			goto err;
+			}
+		x509=load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
+			"CA certificate");
+		if (x509 == NULL)
+			goto err;
 
-	if (!X509_check_private_key(x509,pkey))
-		{
-		BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
-		goto err;
+		if (!X509_check_private_key(x509,pkey))
+			{
+			BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
+			goto err;
+			}
 		}
+	if (!selfsign) x509p = x509;
 
 	f=NCONF_get_string(conf,BASE_SECTION,ENV_PRESERVE);
 	if (f == NULL)
@@ -856,7 +882,7 @@ bad:
 	/* Lets check some fields */
 	for (i=0; i<sk_num(db->db->data); i++)
 		{
-		pp=(char **)sk_value(db->db->data,i);
+		pp=(const char **)sk_value(db->db->data,i);
 		if ((pp[DB_type][0] != DB_TYPE_REV) &&
 			(pp[DB_rev_date][0] != '\0'))
 			{
@@ -869,7 +895,7 @@ bad:
 			BIO_printf(bio_err," in entry %d\n", i+1);
 			goto err;
 			}
-		if (!check_time_format(pp[DB_exp_date]))
+		if (!check_time_format((char *)pp[DB_exp_date]))
 			{
 			BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1);
 			goto err;
@@ -943,7 +969,6 @@ bad:
 			if (verbose) BIO_printf(bio_err,
 				"Done. %d entries marked as expired\n",i); 
 	      		}
-			goto err;
 	  	}
 
  	/*****************************************************************/
@@ -994,25 +1019,27 @@ bad:
 			}
 		}
 
+	if ((md == NULL) && ((md=NCONF_get_string(conf,
+		section,ENV_DEFAULT_MD)) == NULL))
+		{
+		lookup_fail(section,ENV_DEFAULT_MD);
+		goto err;
+		}
+
+	if ((dgst=EVP_get_digestbyname(md)) == NULL)
+		{
+		BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
+		goto err;
+		}
+
 	if (req)
 		{
-		if ((md == NULL) && ((md=NCONF_get_string(conf,
-			section,ENV_DEFAULT_MD)) == NULL))
-			{
-			lookup_fail(section,ENV_DEFAULT_MD);
-			goto err;
-			}
 		if ((email_dn == 1) && ((tmp_email_dn=NCONF_get_string(conf,
 			section,ENV_DEFAULT_EMAIL_DN)) != NULL ))
 			{
 			if(strcmp(tmp_email_dn,"no") == 0)
 				email_dn=0;
 			}
-		if ((dgst=EVP_get_digestbyname(md)) == NULL)
-			{
-			BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
-			goto err;
-			}
 		if (verbose)
 			BIO_printf(bio_err,"message digest is %s\n",
 				OBJ_nid2ln(dgst->type));
@@ -1131,7 +1158,7 @@ bad:
 			{
 			total++;
 			j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
-				serial,subj,email_dn,startdate,enddate,days,extensions,
+				serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,extensions,
 				conf,verbose,certopt,nameopt,default_op,ext_copy);
 			if (j < 0) goto err;
 			if (j > 0)
@@ -1155,7 +1182,7 @@ bad:
 			{
 			total++;
 			j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
-				db,serial,subj,email_dn,startdate,enddate,days,batch,
+				db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
 				extensions,conf,verbose, certopt, nameopt,
 				default_op, ext_copy, e);
 			if (j < 0) goto err;
@@ -1174,10 +1201,10 @@ bad:
 		if (infile != NULL)
 			{
 			total++;
-			j=certify(&x,infile,pkey,x509,dgst,attribs,db,
-				serial,subj,email_dn,startdate,enddate,days,batch,
+			j=certify(&x,infile,pkey,x509p,dgst,attribs,db,
+				serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
 				extensions,conf,verbose, certopt, nameopt,
-				default_op, ext_copy);
+				default_op, ext_copy, selfsign);
 			if (j < 0) goto err;
 			if (j > 0)
 				{
@@ -1194,10 +1221,10 @@ bad:
 		for (i=0; i<argc; i++)
 			{
 			total++;
-			j=certify(&x,argv[i],pkey,x509,dgst,attribs,db,
-				serial,subj,email_dn,startdate,enddate,days,batch,
+			j=certify(&x,argv[i],pkey,x509p,dgst,attribs,db,
+				serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
 				extensions,conf,verbose, certopt, nameopt,
-				default_op, ext_copy);
+				default_op, ext_copy, selfsign);
 			if (j < 0) goto err;
 			if (j > 0)
 				{
@@ -1248,7 +1275,7 @@ bad:
 			x=sk_X509_value(cert_sk,i);
 
 			j=x->cert_info->serialNumber->length;
-			p=(char *)x->cert_info->serialNumber->data;
+			p=(const char *)x->cert_info->serialNumber->data;
 			
 			if(strlen(outdir) >= (size_t)(j ? BSIZE-j*2-6 : BSIZE-8))
 				{
@@ -1369,7 +1396,7 @@ bad:
 
 		for (i=0; i<sk_num(db->db->data); i++)
 			{
-			pp=(char **)sk_value(db->db->data,i);
+			pp=(const char **)sk_value(db->db->data,i);
 			if (pp[DB_type][0] == DB_TYPE_REV)
 				{
 				if ((r=X509_REVOKED_new()) == NULL) goto err;
@@ -1395,23 +1422,15 @@ bad:
 
 		/* we now have a CRL */
 		if (verbose) BIO_printf(bio_err,"signing CRL\n");
-		if (md != NULL)
-			{
-			if ((dgst=EVP_get_digestbyname(md)) == NULL)
-				{
-				BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
-				goto err;
-				}
-			}
-		else
-			{
 #ifndef OPENSSL_NO_DSA
-			if (pkey->type == EVP_PKEY_DSA) 
-				dgst=EVP_dss1();
-			else
+		if (pkey->type == EVP_PKEY_DSA) 
+			dgst=EVP_dss1();
+		else
+#endif
+#ifndef OPENSSL_NO_ECDSA
+		if (pkey->type == EVP_PKEY_EC)
+			dgst=EVP_ecdsa();
 #endif
-				dgst=EVP_md5();
-			}
 
 		/* Add any extensions asked for */
 
@@ -1498,7 +1517,7 @@ err:
 	BN_free(serial);
 	free_index(db);
 	EVP_PKEY_free(pkey);
-	X509_free(x509);
+	if (x509) X509_free(x509);
 	X509_CRL_free(crl);
 	NCONF_free(conf);
 	OBJ_cleanup();
@@ -1506,17 +1525,17 @@ err:
 	OPENSSL_EXIT(ret);
 	}
 
-static void lookup_fail(char *name, char *tag)
+static void lookup_fail(const char *name, const char *tag)
 	{
 	BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
 	}
 
 static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
-	     BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+	     BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
 	     long days, int batch, char *ext_sect, CONF *lconf, int verbose,
 	     unsigned long certopt, unsigned long nameopt, int default_op,
-	     int ext_copy)
+	     int ext_copy, int selfsign)
 	{
 	X509_REQ *req=NULL;
 	BIO *in=NULL;
@@ -1541,6 +1560,12 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 
 	BIO_printf(bio_err,"Check that the request matches the signature\n");
 
+	if (selfsign && !X509_REQ_check_private_key(req,pkey))
+		{
+		BIO_printf(bio_err,"Certificate request and CA private key do not match\n");
+		ok=0;
+		goto err;
+		}
 	if ((pktmp=X509_REQ_get_pubkey(req)) == NULL)
 		{
 		BIO_printf(bio_err,"error unpacking public key\n");
@@ -1563,9 +1588,9 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 	else
 		BIO_printf(bio_err,"Signature ok\n");
 
-	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj, email_dn,
+	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn, email_dn,
 		startdate,enddate,days,batch,verbose,req,ext_sect,lconf,
-		certopt, nameopt, default_op, ext_copy);
+		certopt, nameopt, default_op, ext_copy, selfsign);
 
 err:
 	if (req != NULL) X509_REQ_free(req);
@@ -1575,7 +1600,7 @@ err:
 
 static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
-	     BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+	     BIGNUM *serial, char *subj, unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
 	     long days, int batch, char *ext_sect, CONF *lconf, int verbose,
 	     unsigned long certopt, unsigned long nameopt, int default_op,
 	     int ext_copy, ENGINE *e)
@@ -1617,9 +1642,9 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 	if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
 		goto err;
 
-	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate,
+	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
 		days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
-		ext_copy);
+		ext_copy, 0);
 
 err:
 	if (rreq != NULL) X509_REQ_free(rreq);
@@ -1629,10 +1654,11 @@ err:
 
 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 	     STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
+	     unsigned long chtype, int multirdn,
 	     int email_dn, char *startdate, char *enddate, long days, int batch,
 	     int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
 	     unsigned long certopt, unsigned long nameopt, int default_op,
-	     int ext_copy)
+	     int ext_copy, int selfsign)
 	{
 	X509_NAME *name=NULL,*CAname=NULL,*subject=NULL, *dn_subject=NULL;
 	ASN1_UTCTIME *tm,*tmptm;
@@ -1644,7 +1670,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 	X509_NAME_ENTRY *tne,*push;
 	EVP_PKEY *pktmp;
 	int ok= -1,i,j,last,nid;
-	char *p;
+	const char *p;
 	CONF_VALUE *cv;
 	char *row[DB_NUMBER],**rrow=NULL,**irow=NULL;
 	char buf[25];
@@ -1661,7 +1687,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 
 	if (subj)
 		{
-		X509_NAME *n = do_subject(subj, MBSTRING_ASC);
+		X509_NAME *n = parse_name(subj, chtype, multirdn);
 
 		if (!n)
 			{
@@ -1736,7 +1762,10 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 		}
 
 	/* take a copy of the issuer name before we mess with it. */
-	CAname=X509_NAME_dup(x509->cert_info->subject);
+	if (selfsign)
+		CAname=X509_NAME_dup(name);
+	else
+		CAname=X509_NAME_dup(x509->cert_info->subject);
 	if (CAname == NULL) goto err;
 	str=str2=NULL;
 
@@ -1948,8 +1977,16 @@ again2:
 
 	if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL)
 		goto err;
-	if (!X509_set_issuer_name(ret,X509_get_subject_name(x509)))
-		goto err;
+	if (selfsign)
+		{
+		if (!X509_set_issuer_name(ret,subject))
+			goto err;
+		}
+	else
+		{
+		if (!X509_set_issuer_name(ret,X509_get_subject_name(x509)))
+			goto err;
+		}
 
 	if (strcmp(startdate,"today") == 0)
 		X509_gmtime_adj(X509_get_notBefore(ret),0);
@@ -1984,7 +2021,10 @@ again2:
 		ci->extensions = NULL;
 
 		/* Initialize the context structure */
-		X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
+		if (selfsign)
+			X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
+		else
+			X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
 
 		if (extconf)
 			{
@@ -2051,7 +2091,7 @@ again2:
 
 	BIO_printf(bio_err,"Certificate is to be certified until ");
 	ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret));
-	if (days) BIO_printf(bio_err," (%d days)",days);
+	if (days) BIO_printf(bio_err," (%ld days)",days);
 	BIO_printf(bio_err, "\n");
 
 	if (!batch)
@@ -2078,6 +2118,16 @@ again2:
 		EVP_PKEY_copy_parameters(pktmp,pkey);
 	EVP_PKEY_free(pktmp);
 #endif
+#ifndef OPENSSL_NO_ECDSA
+	if (pkey->type == EVP_PKEY_EC)
+		dgst = EVP_ecdsa();
+	pktmp = X509_get_pubkey(ret);
+	if (EVP_PKEY_missing_parameters(pktmp) &&
+		!EVP_PKEY_missing_parameters(pkey))
+		EVP_PKEY_copy_parameters(pktmp, pkey);
+	EVP_PKEY_free(pktmp);
+#endif
+
 
 	if (!X509_sign(ret,pkey,dgst))
 		goto err;
@@ -2174,7 +2224,7 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
 
 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
-	     BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+	     BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
 	     long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
 	     unsigned long nameopt, int default_op, int ext_copy)
 	{
@@ -2315,9 +2365,9 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 
 	X509_REQ_set_pubkey(req,pktmp);
 	EVP_PKEY_free(pktmp);
-	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate,
+	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
 		   days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
-			ext_copy);
+			ext_copy, 0);
 err:
 	if (req != NULL) X509_REQ_free(req);
 	if (parms != NULL) CONF_free(parms);
@@ -2628,7 +2678,7 @@ err:
 	return (cnt);
 	}
 
-static char *crl_reasons[] = {
+static const char *crl_reasons[] = {
 	/* CRL reason strings */
 	"unspecified",
 	"keyCompromise",
@@ -2656,7 +2706,8 @@ static char *crl_reasons[] = {
 
 char *make_revocation_str(int rev_type, char *rev_arg)
 	{
-	char *reason = NULL, *other = NULL, *str;
+	char *other = NULL, *str;
+	const char *reason = NULL;
 	ASN1_OBJECT *otmp;
 	ASN1_UTCTIME *revtm = NULL;
 	int i;
@@ -2750,7 +2801,7 @@ char *make_revocation_str(int rev_type, char *rev_arg)
  */
 
 
-int make_revoked(X509_REVOKED *rev, char *str)
+int make_revoked(X509_REVOKED *rev, const char *str)
 	{
 	char *tmp = NULL;
 	int reason_code = -1;
@@ -2804,129 +2855,6 @@ int make_revoked(X509_REVOKED *rev, char *str)
 	return ret;
 	}
 
-/*
- * subject is expected to be in the format /type0=value0/type1=value1/type2=...
- * where characters may be escaped by \
- */
-X509_NAME *do_subject(char *subject, long chtype)
-	{
-	size_t buflen = strlen(subject)+1; /* to copy the types and values into. due to escaping, the copy can only become shorter */
-	char *buf = OPENSSL_malloc(buflen);
-	size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */
-	char **ne_types = OPENSSL_malloc(max_ne * sizeof (char *));
-	char **ne_values = OPENSSL_malloc(max_ne * sizeof (char *));
-
-	char *sp = subject, *bp = buf;
-	int i, ne_num = 0;
-
-	X509_NAME *n = NULL;
-	int nid;
-
-	if (!buf || !ne_types || !ne_values)
-	{
-		BIO_printf(bio_err, "malloc error\n");
-		goto error;
-	}
-
-	if (*subject != '/')
-	{
-		BIO_printf(bio_err, "Subject does not start with '/'.\n");
-		goto error;
-	}
-	sp++; /* skip leading / */
-
-	while (*sp)
-		{
-		/* collect type */
-		ne_types[ne_num] = bp;
-		while (*sp)
-			{
-			if (*sp == '\\') /* is there anything to escape in the type...? */
-				{
-				if (*++sp)
-					*bp++ = *sp++;
-				else
-					{
-					BIO_printf(bio_err, "escape character at end of string\n");
-					goto error;
-					}
-				}
-			else if (*sp == '=')
-				{
-				sp++;
-				*bp++ = '\0';
-				break;
-				}
-			else
-				*bp++ = *sp++;
-			}
-		if (!*sp)
-			{
-			BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num);
-			goto error;
-			}
-		ne_values[ne_num] = bp;
-		while (*sp)
-			{
-			if (*sp == '\\')
-				{
-				if (*++sp)
-					*bp++ = *sp++;
-				else
-					{
-					BIO_printf(bio_err, "escape character at end of string\n");
-					goto error;
-					}
-				}
-			else if (*sp == '/')
-				{
-				sp++;
-				break;
-				}
-			else
-				*bp++ = *sp++;
-			}
-		*bp++ = '\0';
-		ne_num++;
-		}
-
-	if (!(n = X509_NAME_new()))
-		goto error;
-
-	for (i = 0; i < ne_num; i++)
-		{
-		if ((nid=OBJ_txt2nid(ne_types[i])) == NID_undef)
-			{
-			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_types[i]);
-			continue;
-			}
-
-		if (!*ne_values[i])
-			{
-			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
-			continue;
-			}
-
-		if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,0))
-			goto error;
-		}
-
-	OPENSSL_free(ne_values);
-	OPENSSL_free(ne_types);
-	OPENSSL_free(buf);
-	return n;
-
-error:
-	X509_NAME_free(n);
-	if (ne_values)
-		OPENSSL_free(ne_values);
-	if (ne_types)
-		OPENSSL_free(ne_types);
-	if (buf)
-		OPENSSL_free(buf);
-	return NULL;
-}
-
 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
 	{
 	char buf[25],*pbuf, *p;
@@ -2966,12 +2894,13 @@ int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
 	return 1;
 	}
 
-int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str)
+int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, const char *str)
 	{
 	char *tmp = NULL;
 	char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
 	int reason_code = -1;
-	int i, ret = 0;
+	int ret = 0;
+	unsigned int i;
 	ASN1_OBJECT *hold = NULL;
 	ASN1_GENERALIZEDTIME *comp_time = NULL;
 	tmp = BUF_strdup(str);
diff --git a/crypto/openssl/apps/ciphers.c b/crypto/openssl/apps/ciphers.c
index 7c62fc5dc339..43f0ac594ad4 100644
--- a/crypto/openssl/apps/ciphers.c
+++ b/crypto/openssl/apps/ciphers.c
@@ -69,7 +69,7 @@
 #undef PROG
 #define PROG	ciphers_main
 
-static char *ciphers_usage[]={
+static const char *ciphers_usage[]={
 "usage: ciphers args\n",
 " -v          - verbose mode, a textual listing of the ciphers in SSLeay\n",
 " -ssl2       - SSL2 mode\n",
@@ -84,7 +84,7 @@ int MAIN(int argc, char **argv)
 	{
 	int ret=1,i;
 	int verbose=0;
-	char **pp;
+	const char **pp;
 	const char *p;
 	int badops=0;
 	SSL_CTX *ctx=NULL;
diff --git a/crypto/openssl/apps/crl.c b/crypto/openssl/apps/crl.c
index 81d66587c140..a0040fba1194 100644
--- a/crypto/openssl/apps/crl.c
+++ b/crypto/openssl/apps/crl.c
@@ -72,7 +72,7 @@
 #undef POSTFIX
 #define	POSTFIX	".rvk"
 
-static char *crl_usage[]={
+static const char *crl_usage[]={
 "usage: crl args\n",
 "\n",
 " -inform arg     - input format - default PEM (DER or PEM)\n",
@@ -108,14 +108,14 @@ int MAIN(int argc, char **argv)
 	char *infile=NULL,*outfile=NULL;
 	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
 	int fingerprint = 0;
-	char **pp;
+	const char **pp;
 	X509_STORE *store = NULL;
 	X509_STORE_CTX ctx;
 	X509_LOOKUP *lookup = NULL;
 	X509_OBJECT xobj;
 	EVP_PKEY *pkey;
 	int do_ver = 0;
-	const EVP_MD *md_alg,*digest=EVP_md5();
+	const EVP_MD *md_alg,*digest=EVP_sha1();
 
 	apps_startup();
 
@@ -355,7 +355,11 @@ bad:
 
 	if (text) X509_CRL_print(out, x);
 
-	if (noout) goto end;
+	if (noout) 
+		{
+		ret = 0;
+		goto end;
+		}
 
 	if 	(outformat == FORMAT_ASN1)
 		i=(int)i2d_X509_CRL_bio(out,x);
diff --git a/crypto/openssl/apps/dgst.c b/crypto/openssl/apps/dgst.c
index f8d9a70f2339..c13535f3b21f 100644
--- a/crypto/openssl/apps/dgst.c
+++ b/crypto/openssl/apps/dgst.c
@@ -66,7 +66,6 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
-#include <openssl/hmac.h>
 
 #undef BUFSIZE
 #define BUFSIZE	1024*8
@@ -74,11 +73,9 @@
 #undef PROG
 #define PROG	dgst_main
 
-static HMAC_CTX hmac_ctx;
-
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
-	  const char *file,BIO *bmd,const char *hmac_key);
+	  const char *file);
 
 int MAIN(int, char **);
 
@@ -103,10 +100,10 @@ int MAIN(int argc, char **argv)
 	EVP_PKEY *sigkey = NULL;
 	unsigned char *sigbuf = NULL;
 	int siglen = 0;
+	char *passargin = NULL, *passin = NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
-	char *hmac_key=NULL;
 
 	apps_startup();
 
@@ -149,6 +146,12 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) break;
 			keyfile=*(++argv);
 			}
+		else if (!strcmp(*argv,"-passin"))
+			{
+			if (--argc < 1)
+				break;
+			passargin=*++argv;
+			}
 		else if (strcmp(*argv,"-verify") == 0)
 			{
 			if (--argc < 1) break;
@@ -185,12 +188,6 @@ int MAIN(int argc, char **argv)
 			out_bin = 1;
 		else if (strcmp(*argv,"-d") == 0)
 			debug=1;
-		else if (!strcmp(*argv,"-hmac"))
-			{
-			if (--argc < 1)
-				break;
-			hmac_key=*++argv;
-			}
 		else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
 			md=m;
 		else
@@ -232,10 +229,20 @@ int MAIN(int argc, char **argv)
 			LN_md4,LN_md4);
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
 			LN_md2,LN_md2);
+#ifndef OPENSSL_NO_SHA
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
 			LN_sha1,LN_sha1);
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
 			LN_sha,LN_sha);
+#ifndef OPENSSL_NO_SHA256
+		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+			LN_sha256,LN_sha256);
+#endif
+#ifndef OPENSSL_NO_SHA512
+		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+			LN_sha512,LN_sha512);
+#endif
+#endif
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
 			LN_mdc2,LN_mdc2);
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
@@ -245,7 +252,7 @@ int MAIN(int argc, char **argv)
 		}
 
 #ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine, 0);
+        e = setup_engine(bio_err, engine, 0);
 #endif
 
 	in=BIO_new(BIO_s_file());
@@ -257,6 +264,12 @@ int MAIN(int argc, char **argv)
 		BIO_set_callback_arg(in,bio_err);
 		}
 
+	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL))
+		{
+		BIO_printf(bio_err, "Error getting password\n");
+		goto end;
+		}
+
 	if ((in == NULL) || (bmd == NULL))
 		{
 		ERR_print_errors(bio_err);
@@ -298,7 +311,7 @@ int MAIN(int argc, char **argv)
 			sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
 				e, "key file");
 		else
-			sigkey = load_key(bio_err, keyfile, keyform, 0, NULL,
+			sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
 				e, "key file");
 		if (!sigkey)
 			{
@@ -328,6 +341,8 @@ int MAIN(int argc, char **argv)
 			goto end;
 		}
 	}
+		
+
 
 	/* we use md as a filter, reading from 'in' */
 	if (!BIO_set_md(bmd,md))
@@ -343,7 +358,7 @@ int MAIN(int argc, char **argv)
 		{
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 		err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
-			  siglen,"","(stdin)",bmd,hmac_key);
+			  siglen,"","(stdin)");
 		}
 	else
 		{
@@ -361,15 +376,14 @@ int MAIN(int argc, char **argv)
 				}
 			if(!out_bin)
 				{
-				size_t len = strlen(name)+strlen(argv[i])+(hmac_key ? 5 : 0)+5;
+				size_t len = strlen(name)+strlen(argv[i])+5;
 				tmp=tofree=OPENSSL_malloc(len);
-				BIO_snprintf(tmp,len,"%s%s(%s)= ",
-							 hmac_key ? "HMAC-" : "",name,argv[i]);
+				BIO_snprintf(tmp,len,"%s(%s)= ",name,argv[i]);
 				}
 			else
 				tmp="";
 			r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf,
-				siglen,tmp,argv[i],bmd,hmac_key);
+				siglen,tmp,argv[i]);
 			if(r)
 			    err=r;
 			if(tofree)
@@ -384,6 +398,8 @@ end:
 		OPENSSL_free(buf);
 		}
 	if (in != NULL) BIO_free(in);
+	if (passin)
+		OPENSSL_free(passin);
 	BIO_free_all(out);
 	EVP_PKEY_free(sigkey);
 	if(sigbuf) OPENSSL_free(sigbuf);
@@ -394,21 +410,11 @@ end:
 
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
-	  const char *file,BIO *bmd,const char *hmac_key)
+	  const char *file)
 	{
-	unsigned int len;
+	int len;
 	int i;
-	EVP_MD_CTX *md_ctx;
 
-	if (hmac_key)
-		{
-		EVP_MD *md;
-
-		BIO_get_md(bmd,&md);
-		HMAC_Init(&hmac_ctx,hmac_key,strlen(hmac_key),md);
-		BIO_get_md_ctx(bmd,&md_ctx);
-		BIO_set_md_ctx(bmd,&hmac_ctx.md_ctx);
-		}
 	for (;;)
 		{
 		i=BIO_read(bp,(char *)buf,BUFSIZE);
@@ -451,11 +457,6 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 			return 1;
 			}
 		}
-	else if(hmac_key)
-		{
-		HMAC_Final(&hmac_ctx,buf,&len);
-		HMAC_CTX_cleanup(&hmac_ctx);
-		}
 	else
 		len=BIO_gets(bp,(char *)buf,BUFSIZE);
 
@@ -463,7 +464,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	else 
 		{
 		BIO_write(out,title,strlen(title));
-		for (i=0; (unsigned int)i<len; i++)
+		for (i=0; i<len; i++)
 			{
 			if (sep && (i != 0))
 				BIO_printf(out, ":");
@@ -471,10 +472,6 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 			}
 		BIO_printf(out, "\n");
 		}
-	if (hmac_key)
-		{
-		BIO_set_md_ctx(bmd,md_ctx);
-		}
 	return 0;
 	}
 
diff --git a/crypto/openssl/apps/dh.c b/crypto/openssl/apps/dh.c
index cd01fed13987..c4d891e125ea 100644
--- a/crypto/openssl/apps/dh.c
+++ b/crypto/openssl/apps/dh.c
@@ -57,6 +57,7 @@
  * [including the GNU Public Licence.]
  */
 
+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DH */
 #ifndef OPENSSL_NO_DH
 #include <stdio.h>
 #include <stdlib.h>
diff --git a/crypto/openssl/apps/dhparam.c b/crypto/openssl/apps/dhparam.c
index dc00355b95b7..04bd57c6e8aa 100644
--- a/crypto/openssl/apps/dhparam.c
+++ b/crypto/openssl/apps/dhparam.c
@@ -109,6 +109,7 @@
  *
  */
 
+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DH */
 #ifndef OPENSSL_NO_DH
 #include <stdio.h>
 #include <stdlib.h>
@@ -142,7 +143,7 @@
  * -C
  */
 
-static void MS_CALLBACK dh_cb(int p, int n, void *arg);
+static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb);
 
 int MAIN(int, char **);
 
@@ -294,6 +295,8 @@ bad:
 
 	if(num) {
 
+		BN_GENCB cb;
+		BN_GENCB_set(&cb, dh_cb, bio_err);
 		if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
 			{
 			BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
@@ -305,12 +308,13 @@ bad:
 #ifndef OPENSSL_NO_DSA
 		if (dsaparam)
 			{
-			DSA *dsa;
+			DSA *dsa = DSA_new();
 			
 			BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
-			dsa = DSA_generate_parameters(num, NULL, 0, NULL, NULL, dh_cb, bio_err);
-			if (dsa == NULL)
+			if(!dsa || !DSA_generate_parameters_ex(dsa, num,
+						NULL, 0, NULL, NULL, &cb))
 				{
+				if(dsa) DSA_free(dsa);
 				ERR_print_errors(bio_err);
 				goto end;
 				}
@@ -326,12 +330,12 @@ bad:
 		else
 #endif
 			{
+			dh = DH_new();
 			BIO_printf(bio_err,"Generating DH parameters, %d bit long safe prime, generator %d\n",num,g);
 			BIO_printf(bio_err,"This is going to take a long time\n");
-			dh=DH_generate_parameters(num,g,dh_cb,bio_err);
-			
-			if (dh == NULL)
+			if(!dh || !DH_generate_parameters_ex(dh, num, g, &cb))
 				{
+				if(dh) DH_free(dh);
 				ERR_print_errors(bio_err);
 				goto end;
 				}
@@ -534,7 +538,7 @@ end:
 	}
 
 /* dh_cb is identical to dsa_cb in apps/dsaparam.c */
-static void MS_CALLBACK dh_cb(int p, int n, void *arg)
+static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)
 	{
 	char c='*';
 
@@ -542,11 +546,12 @@ static void MS_CALLBACK dh_cb(int p, int n, void *arg)
 	if (p == 1) c='+';
 	if (p == 2) c='*';
 	if (p == 3) c='\n';
-	BIO_write((BIO *)arg,&c,1);
-	(void)BIO_flush((BIO *)arg);
+	BIO_write(cb->arg,&c,1);
+	(void)BIO_flush(cb->arg);
 #ifdef LINT
 	p=n;
 #endif
+	return 1;
 	}
 
 #endif
diff --git a/crypto/openssl/apps/dsa.c b/crypto/openssl/apps/dsa.c
index e9de3a3bdfb6..a5ec5d7e6c1c 100644
--- a/crypto/openssl/apps/dsa.c
+++ b/crypto/openssl/apps/dsa.c
@@ -56,6 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DSA */
 #ifndef OPENSSL_NO_DSA
 #include <stdio.h>
 #include <stdlib.h>
@@ -68,6 +69,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/bn.h>
 
 #undef PROG
 #define PROG	dsa_main
diff --git a/crypto/openssl/apps/dsaparam.c b/crypto/openssl/apps/dsaparam.c
index 04861e898639..c301e81af18c 100644
--- a/crypto/openssl/apps/dsaparam.c
+++ b/crypto/openssl/apps/dsaparam.c
@@ -56,6 +56,13 @@
  * [including the GNU Public Licence.]
  */
 
+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DSA */
+/* Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code */
+#ifdef OPENSSL_NO_DEPRECATED
+#undef OPENSSL_NO_DEPRECATED
+#endif
+
 #ifndef OPENSSL_NO_DSA
 #include <assert.h>
 #include <stdio.h>
@@ -82,9 +89,23 @@
  * -C
  * -noout
  * -genkey
+ *  #ifdef GENCB_TEST
+ * -timebomb n  - interrupt keygen after <n> seconds
+ *  #endif
  */
 
-static void MS_CALLBACK dsa_cb(int p, int n, void *arg);
+#ifdef GENCB_TEST
+
+static int stop_keygen_flag = 0;
+
+static void timebomb_sigalarm(int foo)
+	{
+	stop_keygen_flag = 1;
+	}
+
+#endif
+
+static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb);
 
 int MAIN(int, char **);
 
@@ -103,6 +124,9 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
+#ifdef GENCB_TEST
+	int timebomb=0;
+#endif
 
 	apps_startup();
 
@@ -150,6 +174,13 @@ int MAIN(int argc, char **argv)
 			engine = *(++argv);
 			}
 #endif
+#ifdef GENCB_TEST
+		else if(strcmp(*argv, "-timebomb") == 0)
+			{
+			if (--argc < 1) goto bad;
+			timebomb = atoi(*(++argv));
+			}
+#endif
 		else if (strcmp(*argv,"-text") == 0)
 			text=1;
 		else if (strcmp(*argv,"-C") == 0)
@@ -200,6 +231,9 @@ bad:
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
+#ifdef GENCB_TEST
+		BIO_printf(bio_err," -timebomb n   interrupt keygen after <n> seconds\n");
+#endif
 		BIO_printf(bio_err," number        number of bits to use for generating private key\n");
 		goto end;
 		}
@@ -257,10 +291,47 @@ bad:
 
 	if (numbits > 0)
 		{
+		BN_GENCB cb;
+		BN_GENCB_set(&cb, dsa_cb, bio_err);
 		assert(need_rand);
+		dsa = DSA_new();
+		if(!dsa)
+			{
+			BIO_printf(bio_err,"Error allocating DSA object\n");
+			goto end;
+			}
 		BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
 	        BIO_printf(bio_err,"This could take some time\n");
-	        dsa=DSA_generate_parameters(num,NULL,0,NULL,NULL, dsa_cb,bio_err);
+#ifdef GENCB_TEST
+		if(timebomb > 0)
+	{
+		struct sigaction act;
+		act.sa_handler = timebomb_sigalarm;
+		act.sa_flags = 0;
+		BIO_printf(bio_err,"(though I'll stop it if not done within %d secs)\n",
+				timebomb);
+		if(sigaction(SIGALRM, &act, NULL) != 0)
+			{
+			BIO_printf(bio_err,"Error, couldn't set SIGALRM handler\n");
+			goto end;
+			}
+		alarm(timebomb);
+	}
+#endif
+	        if(!DSA_generate_parameters_ex(dsa,num,NULL,0,NULL,NULL, &cb))
+			{
+#ifdef GENCB_TEST
+			if(stop_keygen_flag)
+				{
+				BIO_printf(bio_err,"DSA key generation time-stopped\n");
+				/* This is an asked-for behaviour! */
+				ret = 0;
+				goto end;
+				}
+#endif
+			BIO_printf(bio_err,"Error, DSA key generation failed\n");
+			goto end;
+			}
 		}
 	else if	(informat == FORMAT_ASN1)
 		dsa=d2i_DSAparams_bio(in,NULL);
@@ -385,7 +456,7 @@ end:
 	OPENSSL_EXIT(ret);
 	}
 
-static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
+static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb)
 	{
 	char c='*';
 
@@ -393,10 +464,15 @@ static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
 	if (p == 1) c='+';
 	if (p == 2) c='*';
 	if (p == 3) c='\n';
-	BIO_write(arg,&c,1);
-	(void)BIO_flush(arg);
+	BIO_write(cb->arg,&c,1);
+	(void)BIO_flush(cb->arg);
 #ifdef LINT
 	p=n;
 #endif
+#ifdef GENCB_TEST
+	if(stop_keygen_flag)
+		return 0;
+#endif
+	return 1;
 	}
 #endif
diff --git a/crypto/openssl/apps/ec.c b/crypto/openssl/apps/ec.c
new file mode 100644
index 000000000000..9ddaddfe5e70
--- /dev/null
+++ b/crypto/openssl/apps/ec.c
@@ -0,0 +1,400 @@
+/* apps/ec.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_EC
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG	ec_main
+
+/* -inform arg    - input format - default PEM (one of DER, NET or PEM)
+ * -outform arg   - output format - default PEM
+ * -in arg        - input file - default stdin
+ * -out arg       - output file - default stdout
+ * -des           - encrypt output if PEM format with DES in cbc mode
+ * -text          - print a text version
+ * -param_out     - print the elliptic curve parameters
+ * -conv_form arg - specifies the point encoding form
+ * -param_enc arg - specifies the parameter encoding
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+#ifndef OPENSSL_NO_ENGINE
+	ENGINE 	*e = NULL;
+#endif
+	int 	ret = 1;
+	EC_KEY 	*eckey = NULL;
+	const EC_GROUP *group;
+	int 	i, badops = 0;
+	const EVP_CIPHER *enc = NULL;
+	BIO 	*in = NULL, *out = NULL;
+	int 	informat, outformat, text=0, noout=0;
+	int  	pubin = 0, pubout = 0, param_out = 0;
+	char 	*infile, *outfile, *prog, *engine;
+	char 	*passargin = NULL, *passargout = NULL;
+	char 	*passin = NULL, *passout = NULL;
+	point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
+	int	new_form = 0;
+	int	asn1_flag = OPENSSL_EC_NAMED_CURVE;
+	int 	new_asn1_flag = 0;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
+
+	if (!load_config(bio_err, NULL))
+		goto end;
+
+	engine = NULL;
+	infile = NULL;
+	outfile = NULL;
+	informat = FORMAT_PEM;
+	outformat = FORMAT_PEM;
+
+	prog = argv[0];
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if (strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-outform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-passin") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passargin= *(++argv);
+			}
+		else if (strcmp(*argv,"-passout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passargout= *(++argv);
+			}
+		else if (strcmp(*argv, "-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
+		else if (strcmp(*argv, "-noout") == 0)
+			noout = 1;
+		else if (strcmp(*argv, "-text") == 0)
+			text = 1;
+		else if (strcmp(*argv, "-conv_form") == 0)
+			{
+			if (--argc < 1)
+				goto bad;
+			++argv;
+			new_form = 1;
+			if (strcmp(*argv, "compressed") == 0)
+				form = POINT_CONVERSION_COMPRESSED;
+			else if (strcmp(*argv, "uncompressed") == 0)
+				form = POINT_CONVERSION_UNCOMPRESSED;
+			else if (strcmp(*argv, "hybrid") == 0)
+				form = POINT_CONVERSION_HYBRID;
+			else
+				goto bad;
+			}
+		else if (strcmp(*argv, "-param_enc") == 0)
+			{
+			if (--argc < 1)
+				goto bad;
+			++argv;
+			new_asn1_flag = 1;
+			if (strcmp(*argv, "named_curve") == 0)
+				asn1_flag = OPENSSL_EC_NAMED_CURVE;
+			else if (strcmp(*argv, "explicit") == 0)
+				asn1_flag = 0;
+			else
+				goto bad;
+			}
+		else if (strcmp(*argv, "-param_out") == 0)
+			param_out = 1;
+		else if (strcmp(*argv, "-pubin") == 0)
+			pubin=1;
+		else if (strcmp(*argv, "-pubout") == 0)
+			pubout=1;
+		else if ((enc=EVP_get_cipherbyname(&(argv[0][1]))) == NULL)
+			{
+			BIO_printf(bio_err, "unknown option %s\n", *argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
+		BIO_printf(bio_err, "where options are\n");
+		BIO_printf(bio_err, " -inform arg     input format - "
+				"DER or PEM\n");
+		BIO_printf(bio_err, " -outform arg    output format - "
+				"DER or PEM\n");
+		BIO_printf(bio_err, " -in arg         input file\n");
+		BIO_printf(bio_err, " -passin arg     input file pass "
+				"phrase source\n");
+		BIO_printf(bio_err, " -out arg        output file\n");
+		BIO_printf(bio_err, " -passout arg    output file pass "
+				"phrase source\n");
+		BIO_printf(bio_err, " -engine e       use engine e, "
+				"possibly a hardware device.\n");
+		BIO_printf(bio_err, " -des            encrypt PEM output, "
+				"instead of 'des' every other \n"
+				"                 cipher "
+				"supported by OpenSSL can be used\n");
+		BIO_printf(bio_err, " -text           print the key\n");
+		BIO_printf(bio_err, " -noout          don't print key out\n");
+		BIO_printf(bio_err, " -param_out      print the elliptic "
+				"curve parameters\n");
+		BIO_printf(bio_err, " -conv_form arg  specifies the "
+				"point conversion form \n");
+		BIO_printf(bio_err, "                 possible values:"
+				" compressed\n");
+		BIO_printf(bio_err, "                                 "
+				" uncompressed (default)\n");
+		BIO_printf(bio_err, "                                  "
+				" hybrid\n");
+		BIO_printf(bio_err, " -param_enc arg  specifies the way"
+				" the ec parameters are encoded\n");
+		BIO_printf(bio_err, "                 in the asn1 der "
+				"encoding\n");
+		BIO_printf(bio_err, "                 possilbe values:"
+				" named_curve (default)\n");
+		BIO_printf(bio_err,"                                  "
+				"explicit\n");
+		goto end;
+		}
+
+	ERR_load_crypto_strings();
+
+#ifndef OPENSSL_NO_ENGINE
+        e = setup_engine(bio_err, engine, 0);
+#endif
+
+	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) 
+		{
+		BIO_printf(bio_err, "Error getting passwords\n");
+		goto end;
+		}
+
+	in = BIO_new(BIO_s_file());
+	out = BIO_new(BIO_s_file());
+	if ((in == NULL) || (out == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (infile == NULL)
+		BIO_set_fp(in, stdin, BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(in, infile) <= 0)
+			{
+			perror(infile);
+			goto end;
+			}
+		}
+
+	BIO_printf(bio_err, "read EC key\n");
+	if (informat == FORMAT_ASN1) 
+		{
+		if (pubin) 
+			eckey = d2i_EC_PUBKEY_bio(in, NULL);
+		else 
+			eckey = d2i_ECPrivateKey_bio(in, NULL);
+		} 
+	else if (informat == FORMAT_PEM) 
+		{
+		if (pubin) 
+			eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, 
+				NULL);
+		else 
+			eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL,
+				passin);
+		} 
+	else
+		{
+		BIO_printf(bio_err, "bad input format specified for key\n");
+		goto end;
+		}
+	if (eckey == NULL)
+		{
+		BIO_printf(bio_err,"unable to load Key\n");
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (outfile == NULL)
+		{
+		BIO_set_fp(out, stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+			{
+			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+			out = BIO_push(tmpbio, out);
+			}
+#endif
+		}
+	else
+		{
+		if (BIO_write_filename(out, outfile) <= 0)
+			{
+			perror(outfile);
+			goto end;
+			}
+		}
+
+	group = EC_KEY_get0_group(eckey);
+
+	if (new_form)
+		EC_KEY_set_conv_form(eckey, form);
+
+	if (new_asn1_flag)
+		EC_KEY_set_asn1_flag(eckey, asn1_flag);
+
+	if (text) 
+		if (!EC_KEY_print(out, eckey, 0))
+			{
+			perror(outfile);
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+
+	if (noout) 
+		goto end;
+
+	BIO_printf(bio_err, "writing EC key\n");
+	if (outformat == FORMAT_ASN1) 
+		{
+		if (param_out)
+			i = i2d_ECPKParameters_bio(out, group);
+		else if (pubin || pubout) 
+			i = i2d_EC_PUBKEY_bio(out, eckey);
+		else 
+			i = i2d_ECPrivateKey_bio(out, eckey);
+		} 
+	else if (outformat == FORMAT_PEM) 
+		{
+		if (param_out)
+			i = PEM_write_bio_ECPKParameters(out, group);
+		else if (pubin || pubout)
+			i = PEM_write_bio_EC_PUBKEY(out, eckey);
+		else 
+			i = PEM_write_bio_ECPrivateKey(out, eckey, enc,
+						NULL, 0, NULL, passout);
+		} 
+	else 
+		{
+		BIO_printf(bio_err, "bad output format specified for "
+			"outfile\n");
+		goto end;
+		}
+
+	if (!i)
+		{
+		BIO_printf(bio_err, "unable to write private key\n");
+		ERR_print_errors(bio_err);
+		}
+	else
+		ret=0;
+end:
+	if (in)
+		BIO_free(in);
+	if (out)
+		BIO_free_all(out);
+	if (eckey)
+		EC_KEY_free(eckey);
+	if (passin)
+		OPENSSL_free(passin);
+	if (passout)
+		OPENSSL_free(passout);
+	apps_shutdown();
+	OPENSSL_EXIT(ret);
+}
+#endif
diff --git a/crypto/openssl/apps/ecparam.c b/crypto/openssl/apps/ecparam.c
new file mode 100644
index 000000000000..4e1fc837ed6a
--- /dev/null
+++ b/crypto/openssl/apps/ecparam.c
@@ -0,0 +1,728 @@
+/* apps/ecparam.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * The elliptic curve binary polynomial software is originally written by 
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_EC
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG	ecparam_main
+
+/* -inform arg      - input format - default PEM (DER or PEM)
+ * -outform arg     - output format - default PEM
+ * -in  arg         - input file  - default stdin
+ * -out arg         - output file - default stdout
+ * -noout           - do not print the ec parameter
+ * -text            - print the ec parameters in text form
+ * -check           - validate the ec parameters
+ * -C               - print a 'C' function creating the parameters
+ * -name arg        - use the ec parameters with 'short name' name
+ * -list_curves     - prints a list of all currently available curve 'short names'
+ * -conv_form arg   - specifies the point conversion form 
+ *                  - possible values: compressed
+ *                                     uncompressed (default)
+ *                                     hybrid
+ * -param_enc arg   - specifies the way the ec parameters are encoded
+ *                    in the asn1 der encoding
+ *                    possible values: named_curve (default)
+ *                                     explicit
+ * -no_seed         - if 'explicit' parameters are choosen do not use the seed
+ * -genkey          - generate ec key
+ * -rand file       - files to use for random number input
+ * -engine e        - use engine e, possibly a hardware device
+ */
+
+
+static int ecparam_print_var(BIO *,BIGNUM *,const char *,int,unsigned char *);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+	{
+	EC_GROUP *group = NULL;
+	point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED; 
+	int 	new_form = 0;
+	int 	asn1_flag = OPENSSL_EC_NAMED_CURVE;
+	int 	new_asn1_flag = 0;
+	char 	*curve_name = NULL, *inrand = NULL;
+	int	list_curves = 0, no_seed = 0, check = 0,
+		badops = 0, text = 0, i, need_rand = 0, genkey = 0;
+	char	*infile = NULL, *outfile = NULL, *prog;
+	BIO 	*in = NULL, *out = NULL;
+	int 	informat, outformat, noout = 0, C = 0, ret = 1;
+#ifndef OPENSSL_NO_ENGINE
+	ENGINE	*e = NULL;
+#endif
+	char	*engine = NULL;
+
+	BIGNUM	*ec_p = NULL, *ec_a = NULL, *ec_b = NULL,
+		*ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
+	unsigned char *buffer = NULL;
+
+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	if (!load_config(bio_err, NULL))
+		goto end;
+
+	informat=FORMAT_PEM;
+	outformat=FORMAT_PEM;
+
+	prog=argv[0];
+	argc--;
+	argv++;
+	while (argc >= 1)
+		{
+		if 	(strcmp(*argv,"-inform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			informat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-outform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outformat=str2fmt(*(++argv));
+			}
+		else if (strcmp(*argv,"-in") == 0)
+			{
+			if (--argc < 1) goto bad;
+			infile= *(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) goto bad;
+			outfile= *(++argv);
+			}
+		else if (strcmp(*argv,"-text") == 0)
+			text = 1;
+		else if (strcmp(*argv,"-C") == 0)
+			C = 1;
+		else if (strcmp(*argv,"-check") == 0)
+			check = 1;
+		else if (strcmp (*argv, "-name") == 0)
+			{
+			if (--argc < 1)
+				goto bad;
+			curve_name = *(++argv);
+			}
+		else if (strcmp(*argv, "-list_curves") == 0)
+			list_curves = 1;
+		else if (strcmp(*argv, "-conv_form") == 0)
+			{
+			if (--argc < 1)
+				goto bad;
+			++argv;
+			new_form = 1;
+			if (strcmp(*argv, "compressed") == 0)
+				form = POINT_CONVERSION_COMPRESSED;
+			else if (strcmp(*argv, "uncompressed") == 0)
+				form = POINT_CONVERSION_UNCOMPRESSED;
+			else if (strcmp(*argv, "hybrid") == 0)
+				form = POINT_CONVERSION_HYBRID;
+			else
+				goto bad;
+			}
+		else if (strcmp(*argv, "-param_enc") == 0)
+			{
+			if (--argc < 1)
+				goto bad;
+			++argv;
+			new_asn1_flag = 1;
+			if (strcmp(*argv, "named_curve") == 0)
+				asn1_flag = OPENSSL_EC_NAMED_CURVE;
+			else if (strcmp(*argv, "explicit") == 0)
+				asn1_flag = 0;
+			else
+				goto bad;
+			}
+		else if (strcmp(*argv, "-no_seed") == 0)
+			no_seed = 1;
+		else if (strcmp(*argv, "-noout") == 0)
+			noout=1;
+		else if (strcmp(*argv,"-genkey") == 0)
+			{
+			genkey=1;
+			need_rand=1;
+			}
+		else if (strcmp(*argv, "-rand") == 0)
+			{
+			if (--argc < 1) goto bad;
+			inrand= *(++argv);
+			need_rand=1;
+			}
+		else if(strcmp(*argv, "-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine = *(++argv);
+			}	
+		else
+			{
+			BIO_printf(bio_err,"unknown option %s\n",*argv);
+			badops=1;
+			break;
+			}
+		argc--;
+		argv++;
+		}
+
+	if (badops)
+		{
+bad:
+		BIO_printf(bio_err, "%s [options] <infile >outfile\n",prog);
+		BIO_printf(bio_err, "where options are\n");
+		BIO_printf(bio_err, " -inform arg       input format - "
+				"default PEM (DER or PEM)\n");
+		BIO_printf(bio_err, " -outform arg      output format - "
+				"default PEM\n");
+		BIO_printf(bio_err, " -in  arg          input file  - "
+				"default stdin\n");
+		BIO_printf(bio_err, " -out arg          output file - "
+				"default stdout\n");
+		BIO_printf(bio_err, " -noout            do not print the "
+				"ec parameter\n");
+		BIO_printf(bio_err, " -text             print the ec "
+				"parameters in text form\n");
+		BIO_printf(bio_err, " -check            validate the ec "
+				"parameters\n");
+		BIO_printf(bio_err, " -C                print a 'C' "
+				"function creating the parameters\n");
+		BIO_printf(bio_err, " -name arg         use the "
+				"ec parameters with 'short name' name\n");
+		BIO_printf(bio_err, " -list_curves      prints a list of "
+				"all currently available curve 'short names'\n");
+		BIO_printf(bio_err, " -conv_form arg    specifies the "
+				"point conversion form \n");
+		BIO_printf(bio_err, "                   possible values:"
+				" compressed\n");
+		BIO_printf(bio_err, "                                   "
+				" uncompressed (default)\n");
+		BIO_printf(bio_err, "                                   "
+				" hybrid\n");
+		BIO_printf(bio_err, " -param_enc arg    specifies the way"
+				" the ec parameters are encoded\n");
+		BIO_printf(bio_err, "                   in the asn1 der "
+				"encoding\n");
+		BIO_printf(bio_err, "                   possible values:"
+				" named_curve (default)\n");
+		BIO_printf(bio_err, "                                   "
+				" explicit\n");
+		BIO_printf(bio_err, " -no_seed          if 'explicit'"
+				" parameters are choosen do not"
+				" use the seed\n");
+		BIO_printf(bio_err, " -genkey           generate ec"
+				" key\n");
+		BIO_printf(bio_err, " -rand file        files to use for"
+				" random number input\n");
+		BIO_printf(bio_err, " -engine e         use engine e, "
+				"possibly a hardware device\n");
+		goto end;
+		}
+
+	ERR_load_crypto_strings();
+
+	in=BIO_new(BIO_s_file());
+	out=BIO_new(BIO_s_file());
+	if ((in == NULL) || (out == NULL))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (infile == NULL)
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(in,infile) <= 0)
+			{
+			perror(infile);
+			goto end;
+			}
+		}
+	if (outfile == NULL)
+		{
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
+	else
+		{
+		if (BIO_write_filename(out,outfile) <= 0)
+			{
+			perror(outfile);
+			goto end;
+			}
+		}
+
+#ifndef OPENSSL_NO_ENGINE
+	e = setup_engine(bio_err, engine, 0);
+#endif
+
+	if (list_curves)
+		{
+		EC_builtin_curve *curves = NULL;
+		size_t crv_len = 0;
+		size_t n = 0;
+
+		crv_len = EC_get_builtin_curves(NULL, 0);
+
+		curves = OPENSSL_malloc((int)(sizeof(EC_builtin_curve) * crv_len));
+
+		if (curves == NULL)
+			goto end;
+
+		if (!EC_get_builtin_curves(curves, crv_len))
+			{
+			OPENSSL_free(curves);
+			goto end;
+			}
+
+		
+		for (n = 0; n < crv_len; n++)
+			{
+			const char *comment;
+			const char *sname;
+			comment = curves[n].comment;
+			sname   = OBJ_nid2sn(curves[n].nid);
+			if (comment == NULL)
+				comment = "CURVE DESCRIPTION NOT AVAILABLE";
+			if (sname == NULL)
+				sname = "";
+
+			BIO_printf(out, "  %-10s: ", sname);
+			BIO_printf(out, "%s\n", comment);
+			} 
+
+		OPENSSL_free(curves);
+		ret = 0;
+		goto end;
+		}
+
+	if (curve_name != NULL)
+		{
+		int nid;
+
+		/* workaround for the SECG curve names secp192r1
+		 * and secp256r1 (which are the same as the curves
+		 * prime192v1 and prime256v1 defined in X9.62)
+		 */
+		if (!strcmp(curve_name, "secp192r1"))
+			{
+			BIO_printf(bio_err, "using curve name prime192v1 "
+				"instead of secp192r1\n");
+			nid = NID_X9_62_prime192v1;
+			}
+		else if (!strcmp(curve_name, "secp256r1"))
+			{
+			BIO_printf(bio_err, "using curve name prime256v1 "
+				"instead of secp256r1\n");
+			nid = NID_X9_62_prime256v1;
+			}
+		else
+			nid = OBJ_sn2nid(curve_name);
+	
+		if (nid == 0)
+			{
+			BIO_printf(bio_err, "unknown curve name (%s)\n", 
+				curve_name);
+			goto end;
+			}
+
+		group = EC_GROUP_new_by_curve_name(nid);
+		if (group == NULL)
+			{
+			BIO_printf(bio_err, "unable to create curve (%s)\n", 
+				curve_name);
+			goto end;
+			}
+		EC_GROUP_set_asn1_flag(group, asn1_flag);
+		EC_GROUP_set_point_conversion_form(group, form);
+		}
+	else if (informat == FORMAT_ASN1)
+		{
+		group = d2i_ECPKParameters_bio(in, NULL);
+		}
+	else if (informat == FORMAT_PEM)
+		{
+		group = PEM_read_bio_ECPKParameters(in,NULL,NULL,NULL);
+		}
+	else
+		{
+		BIO_printf(bio_err, "bad input format specified\n");
+		goto end;
+		}
+
+	if (group == NULL)
+		{
+		BIO_printf(bio_err, 
+			"unable to load elliptic curve parameters\n");
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+
+	if (new_form)
+		EC_GROUP_set_point_conversion_form(group, form);
+
+	if (new_asn1_flag)
+		EC_GROUP_set_asn1_flag(group, asn1_flag);
+
+	if (no_seed)
+		{
+		EC_GROUP_set_seed(group, NULL, 0);
+		}
+
+	if (text)
+		{
+		if (!ECPKParameters_print(out, group, 0))
+			goto end;
+		}
+
+	if (check)
+		{
+		if (group == NULL)
+			BIO_printf(bio_err, "no elliptic curve parameters\n");
+		BIO_printf(bio_err, "checking elliptic curve parameters: ");
+		if (!EC_GROUP_check(group, NULL))
+			{
+			BIO_printf(bio_err, "failed\n");
+			ERR_print_errors(bio_err);
+			}
+		else
+			BIO_printf(bio_err, "ok\n");
+			
+		}
+
+	if (C)
+		{
+		size_t	buf_len = 0, tmp_len = 0;
+		const EC_POINT *point;
+		int	is_prime, len = 0;
+		const EC_METHOD *meth = EC_GROUP_method_of(group);
+
+		if ((ec_p = BN_new()) == NULL || (ec_a = BN_new()) == NULL ||
+		    (ec_b = BN_new()) == NULL || (ec_gen = BN_new()) == NULL ||
+		    (ec_order = BN_new()) == NULL || 
+		    (ec_cofactor = BN_new()) == NULL )
+			{
+			perror("OPENSSL_malloc");
+			goto end;
+			}
+
+		is_prime = (EC_METHOD_get_field_type(meth) == 
+			NID_X9_62_prime_field);
+
+		if (is_prime)
+			{
+			if (!EC_GROUP_get_curve_GFp(group, ec_p, ec_a,
+				ec_b, NULL))
+				goto end;
+			}
+		else
+			{
+			/* TODO */
+			goto end;
+			}
+
+		if ((point = EC_GROUP_get0_generator(group)) == NULL)
+			goto end;
+		if (!EC_POINT_point2bn(group, point, 
+			EC_GROUP_get_point_conversion_form(group), ec_gen, 
+			NULL))
+			goto end;
+		if (!EC_GROUP_get_order(group, ec_order, NULL))
+			goto end;
+		if (!EC_GROUP_get_cofactor(group, ec_cofactor, NULL))
+			goto end;
+
+		if (!ec_p || !ec_a || !ec_b || !ec_gen || 
+			!ec_order || !ec_cofactor)
+			goto end;
+
+		len = BN_num_bits(ec_order);
+
+		if ((tmp_len = (size_t)BN_num_bytes(ec_p)) > buf_len)
+			buf_len = tmp_len;
+		if ((tmp_len = (size_t)BN_num_bytes(ec_a)) > buf_len)
+			buf_len = tmp_len;
+		if ((tmp_len = (size_t)BN_num_bytes(ec_b)) > buf_len)
+			buf_len = tmp_len;
+		if ((tmp_len = (size_t)BN_num_bytes(ec_gen)) > buf_len)
+			buf_len = tmp_len;
+		if ((tmp_len = (size_t)BN_num_bytes(ec_order)) > buf_len)
+			buf_len = tmp_len;
+		if ((tmp_len = (size_t)BN_num_bytes(ec_cofactor)) > buf_len)
+			buf_len = tmp_len;
+
+		buffer = (unsigned char *)OPENSSL_malloc(buf_len);
+
+		if (buffer == NULL)
+			{
+			perror("OPENSSL_malloc");
+			goto end;
+			}
+
+		ecparam_print_var(out, ec_p, "ec_p", len, buffer);
+		ecparam_print_var(out, ec_a, "ec_a", len, buffer);
+		ecparam_print_var(out, ec_b, "ec_b", len, buffer);
+		ecparam_print_var(out, ec_gen, "ec_gen", len, buffer);
+		ecparam_print_var(out, ec_order, "ec_order", len, buffer);
+		ecparam_print_var(out, ec_cofactor, "ec_cofactor", len, 
+			buffer);
+
+		BIO_printf(out, "\n\n");
+
+		BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n\t{\n", len);
+		BIO_printf(out, "\tint ok=0;\n");
+		BIO_printf(out, "\tEC_GROUP *group = NULL;\n");
+		BIO_printf(out, "\tEC_POINT *point = NULL;\n");
+		BIO_printf(out, "\tBIGNUM   *tmp_1 = NULL, *tmp_2 = NULL, "
+				"*tmp_3 = NULL;\n\n");
+		BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_p_%d, "
+				"sizeof(ec_p_%d), NULL)) == NULL)\n\t\t"
+				"goto err;\n", len, len);
+		BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_a_%d, "
+				"sizeof(ec_a_%d), NULL)) == NULL)\n\t\t"
+				"goto err;\n", len, len);
+		BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_b_%d, "
+				"sizeof(ec_b_%d), NULL)) == NULL)\n\t\t"
+				"goto err;\n", len, len);
+		if (is_prime)
+			{
+			BIO_printf(out, "\tif ((group = EC_GROUP_new_curve_"
+				"GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)"
+				"\n\t\tgoto err;\n\n");
+			}
+		else
+			{
+			/* TODO */
+			goto end;
+			}
+		BIO_printf(out, "\t/* build generator */\n");
+		BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_gen_%d, "
+				"sizeof(ec_gen_%d), tmp_1)) == NULL)"
+				"\n\t\tgoto err;\n", len, len);
+		BIO_printf(out, "\tpoint = EC_POINT_bn2point(group, tmp_1, "
+				"NULL, NULL);\n");
+		BIO_printf(out, "\tif (point == NULL)\n\t\tgoto err;\n");
+		BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_order_%d, "
+				"sizeof(ec_order_%d), tmp_2)) == NULL)"
+				"\n\t\tgoto err;\n", len, len);
+		BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_cofactor_%d, "
+				"sizeof(ec_cofactor_%d), tmp_3)) == NULL)"
+				"\n\t\tgoto err;\n", len, len);
+		BIO_printf(out, "\tif (!EC_GROUP_set_generator(group, point,"
+				" tmp_2, tmp_3))\n\t\tgoto err;\n");
+		BIO_printf(out, "\n\tok=1;\n");
+		BIO_printf(out, "err:\n");
+		BIO_printf(out, "\tif (tmp_1)\n\t\tBN_free(tmp_1);\n");
+		BIO_printf(out, "\tif (tmp_2)\n\t\tBN_free(tmp_2);\n");
+		BIO_printf(out, "\tif (tmp_3)\n\t\tBN_free(tmp_3);\n");
+		BIO_printf(out, "\tif (point)\n\t\tEC_POINT_free(point);\n");
+		BIO_printf(out, "\tif (!ok)\n");
+		BIO_printf(out, "\t\t{\n");
+		BIO_printf(out, "\t\tEC_GROUP_free(group);\n");
+		BIO_printf(out, "\t\tgroup = NULL;\n");
+		BIO_printf(out, "\t\t}\n");
+		BIO_printf(out, "\treturn(group);\n\t}\n");
+	}
+
+	if (!noout)
+		{
+		if (outformat == FORMAT_ASN1)
+			i = i2d_ECPKParameters_bio(out, group);
+		else if (outformat == FORMAT_PEM)
+			i = PEM_write_bio_ECPKParameters(out, group);
+		else	
+			{
+			BIO_printf(bio_err,"bad output format specified for"
+				" outfile\n");
+			goto end;
+			}
+		if (!i)
+			{
+			BIO_printf(bio_err, "unable to write elliptic "
+				"curve parameters\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		}
+	
+	if (need_rand)
+		{
+		app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+		if (inrand != NULL)
+			BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+				app_RAND_load_files(inrand));
+		}
+
+	if (genkey)
+		{
+		EC_KEY *eckey = EC_KEY_new();
+
+		if (eckey == NULL)
+			goto end;
+
+		assert(need_rand);
+
+		if (EC_KEY_set_group(eckey, group) == 0)
+			goto end;
+		
+		if (!EC_KEY_generate_key(eckey))
+			{
+			EC_KEY_free(eckey);
+			goto end;
+			}
+		if (outformat == FORMAT_ASN1)
+			i = i2d_ECPrivateKey_bio(out, eckey);
+		else if (outformat == FORMAT_PEM)
+			i = PEM_write_bio_ECPrivateKey(out, eckey, NULL,
+				NULL, 0, NULL, NULL);
+		else	
+			{
+			BIO_printf(bio_err, "bad output format specified "
+				"for outfile\n");
+			EC_KEY_free(eckey);
+			goto end;
+			}
+		EC_KEY_free(eckey);
+		}
+
+	if (need_rand)
+		app_RAND_write_file(NULL, bio_err);
+
+	ret=0;
+end:
+	if (ec_p)
+		BN_free(ec_p);
+	if (ec_a)
+		BN_free(ec_a);
+	if (ec_b)
+		BN_free(ec_b);
+	if (ec_gen)
+		BN_free(ec_gen);
+	if (ec_order)
+		BN_free(ec_order);
+	if (ec_cofactor)
+		BN_free(ec_cofactor);
+	if (buffer)
+		OPENSSL_free(buffer);
+	if (in != NULL)
+		BIO_free(in);
+	if (out != NULL)
+		BIO_free_all(out);
+	if (group != NULL)
+		EC_GROUP_free(group);
+	apps_shutdown();
+	OPENSSL_EXIT(ret);
+}
+
+static int ecparam_print_var(BIO *out, BIGNUM *in, const char *var,
+	int len, unsigned char *buffer)
+	{
+	BIO_printf(out, "static unsigned char %s_%d[] = {", var, len);
+	if (BN_is_zero(in))
+		BIO_printf(out, "\n\t0x00");
+	else 
+		{
+		int i, l;
+
+		l = BN_bn2bin(in, buffer);
+		for (i=0; i<l-1; i++)
+			{
+			if ((i%12) == 0) 
+				BIO_printf(out, "\n\t");
+			BIO_printf(out, "0x%02X,", buffer[i]);
+			}
+		if ((i%12) == 0) 
+			BIO_printf(out, "\n\t");
+		BIO_printf(out, "0x%02X", buffer[i]);
+		}
+	BIO_printf(out, "\n\t};\n\n");
+	return 1;
+	}
+#endif
diff --git a/crypto/openssl/apps/enc.c b/crypto/openssl/apps/enc.c
index cf1d98cd6536..ea948f8d101b 100644
--- a/crypto/openssl/apps/enc.c
+++ b/crypto/openssl/apps/enc.c
@@ -118,6 +118,7 @@ int MAIN(int argc, char **argv)
 	int enc=1,printkey=0,i,base64=0;
 	int debug=0,olb64=0,nosalt=0;
 	const EVP_CIPHER *cipher=NULL,*c;
+	EVP_CIPHER_CTX *ctx = NULL;
 	char *inf=NULL,*outf=NULL;
 	BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
 #define PROG_NAME_SIZE  39
@@ -313,10 +314,7 @@ bad:
 
 	if (dgst == NULL)
 		{
-		if (in_FIPS_mode)
-			dgst = EVP_sha1();
-		else
-			dgst = EVP_md5();
+		dgst = EVP_md5();
 		}
 
 	if (bufsize != NULL)
@@ -539,13 +537,31 @@ bad:
 
 		if ((benc=BIO_new(BIO_f_cipher())) == NULL)
 			goto end;
-		BIO_set_cipher(benc,cipher,key,iv,enc);
-		if (nopad)
+
+		/* Since we may be changing parameters work on the encryption
+		 * context rather than calling BIO_set_cipher().
+		 */
+
+		BIO_get_cipher_ctx(benc, &ctx);
+		if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
 			{
-			EVP_CIPHER_CTX *ctx;
-			BIO_get_cipher_ctx(benc, &ctx);
+			BIO_printf(bio_err, "Error setting cipher %s\n",
+				EVP_CIPHER_name(cipher));
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+
+		if (nopad)
 			EVP_CIPHER_CTX_set_padding(ctx, 0);
+
+		if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc))
+			{
+			BIO_printf(bio_err, "Error setting cipher %s\n",
+				EVP_CIPHER_name(cipher));
+			ERR_print_errors(bio_err);
+			goto end;
 			}
+
 		if (debug)
 			{
 			BIO_set_callback(benc,BIO_debug_callback);
@@ -557,7 +573,7 @@ bad:
 			if (!nosalt)
 				{
 				printf("salt=");
-				for (i=0; i<sizeof salt; i++)
+				for (i=0; i<(int)sizeof(salt); i++)
 					printf("%02X",salt[i]);
 				printf("\n");
 				}
diff --git a/crypto/openssl/apps/engine.c b/crypto/openssl/apps/engine.c
index 12283d0aed67..25c861710799 100644
--- a/crypto/openssl/apps/engine.c
+++ b/crypto/openssl/apps/engine.c
@@ -72,14 +72,15 @@
 #undef PROG
 #define PROG	engine_main
 
-static char *engine_usage[]={
+static const char *engine_usage[]={
 "usage: engine opts [engine ...]\n",
 " -v[v[v[v]]] - verbose mode, for each engine, list its 'control commands'\n",
 "               -vv will additionally display each command's description\n",
 "               -vvv will also add the input flags for each command\n",
 "               -vvvv will also show internal input flags\n",
 " -c          - for each engine, also list the capabilities\n",
-" -t          - for each engine, check that they are really available\n",
+" -t[t]       - for each engine, check that they are really available\n",
+"               -tt will display error trace for unavailable engines\n",
 " -pre <cmd>  - runs command 'cmd' against the ENGINE before any attempts\n",
 "               to load it (if -t is used)\n",
 " -post <cmd> - runs command 'cmd' against the ENGINE after loading it\n",
@@ -343,8 +344,8 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	int ret=1,i;
-	char **pp;
-	int verbose=0, list_cap=0, test_avail=0;
+	const char **pp;
+	int verbose=0, list_cap=0, test_avail=0, test_avail_noise = 0;
 	ENGINE *e;
 	STACK *engines = sk_new_null();
 	STACK *pre_cmds = sk_new_null();
@@ -382,16 +383,26 @@ int MAIN(int argc, char **argv)
 			}
 		else if (strcmp(*argv,"-c") == 0)
 			list_cap=1;
-		else if (strcmp(*argv,"-t") == 0)
+		else if (strncmp(*argv,"-t",2) == 0)
+			{
 			test_avail=1;
+			if(strspn(*argv + 1, "t") < strlen(*argv + 1))
+				goto skip_arg_loop;
+			if((test_avail_noise = strlen(*argv + 1) - 1) > 1)
+				goto skip_arg_loop;
+			}
 		else if (strcmp(*argv,"-pre") == 0)
 			{
 			argc--; argv++;
+			if (argc == 0)
+				goto skip_arg_loop;
 			sk_push(pre_cmds,*argv);
 			}
 		else if (strcmp(*argv,"-post") == 0)
 			{
 			argc--; argv++;
+			if (argc == 0)
+				goto skip_arg_loop;
 			sk_push(post_cmds,*argv);
 			}
 		else if ((strncmp(*argv,"-h",2) == 0) ||
@@ -498,7 +509,8 @@ skip_digests:
 				else
 					{
 					BIO_printf(bio_out, "[ unavailable ]\n");
-					ERR_print_errors_fp(stdout);
+					if(test_avail_noise)
+						ERR_print_errors_fp(stdout);
 					ERR_clear_error();
 					}
 				}
@@ -512,6 +524,7 @@ skip_digests:
 
 	ret=0;
 end:
+
 	ERR_print_errors(bio_err);
 	sk_pop_free(engines, identity);
 	sk_pop_free(pre_cmds, identity);
diff --git a/crypto/openssl/apps/gendh.c b/crypto/openssl/apps/gendh.c
index a34a862caf97..47497864b002 100644
--- a/crypto/openssl/apps/gendh.c
+++ b/crypto/openssl/apps/gendh.c
@@ -57,6 +57,13 @@
  * [including the GNU Public Licence.]
  */
 
+#include <openssl/opensslconf.h>
+/* Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code */
+#ifdef OPENSSL_NO_DEPRECATED
+#undef OPENSSL_NO_DEPRECATED
+#endif
+
 #ifndef OPENSSL_NO_DH
 #include <stdio.h>
 #include <string.h>
@@ -75,12 +82,13 @@
 #undef PROG
 #define PROG gendh_main
 
-static void MS_CALLBACK dh_cb(int p, int n, void *arg);
+static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb);
 
 int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	BN_GENCB cb;
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e = NULL;
 #endif
@@ -96,6 +104,7 @@ int MAIN(int argc, char **argv)
 
 	apps_startup();
 
+	BN_GENCB_set(&cb, dh_cb, bio_err);
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
@@ -193,10 +202,10 @@ bad:
 
 	BIO_printf(bio_err,"Generating DH parameters, %d bit long safe prime, generator %d\n",num,g);
 	BIO_printf(bio_err,"This is going to take a long time\n");
-	dh=DH_generate_parameters(num,g,dh_cb,bio_err);
-		
-	if (dh == NULL) goto end;
 
+	if(((dh = DH_new()) == NULL) || !DH_generate_parameters_ex(dh, num, g, &cb))
+		goto end;
+		
 	app_RAND_write_file(NULL, bio_err);
 
 	if (!PEM_write_bio_DHparams(out,dh))
@@ -211,7 +220,7 @@ end:
 	OPENSSL_EXIT(ret);
 	}
 
-static void MS_CALLBACK dh_cb(int p, int n, void *arg)
+static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)
 	{
 	char c='*';
 
@@ -219,10 +228,11 @@ static void MS_CALLBACK dh_cb(int p, int n, void *arg)
 	if (p == 1) c='+';
 	if (p == 2) c='*';
 	if (p == 3) c='\n';
-	BIO_write((BIO *)arg,&c,1);
-	(void)BIO_flush((BIO *)arg);
+	BIO_write(cb->arg,&c,1);
+	(void)BIO_flush(cb->arg);
 #ifdef LINT
 	p=n;
 #endif
+	return 1;
 	}
 #endif
diff --git a/crypto/openssl/apps/gendsa.c b/crypto/openssl/apps/gendsa.c
index 6d2ed06c81d9..828e27f1c045 100644
--- a/crypto/openssl/apps/gendsa.c
+++ b/crypto/openssl/apps/gendsa.c
@@ -56,6 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DSA */
 #ifndef OPENSSL_NO_DSA
 #include <stdio.h>
 #include <string.h>
diff --git a/crypto/openssl/apps/genrsa.c b/crypto/openssl/apps/genrsa.c
index 63be873b7bf8..4f62cfd04f3d 100644
--- a/crypto/openssl/apps/genrsa.c
+++ b/crypto/openssl/apps/genrsa.c
@@ -56,6 +56,13 @@
  * [including the GNU Public Licence.]
  */
 
+#include <openssl/opensslconf.h>
+/* Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code */
+#ifdef OPENSSL_NO_DEPRECATED
+#undef OPENSSL_NO_DEPRECATED
+#endif
+
 #ifndef OPENSSL_NO_RSA
 #include <stdio.h>
 #include <string.h>
@@ -75,17 +82,17 @@
 #undef PROG
 #define PROG genrsa_main
 
-static void MS_CALLBACK genrsa_cb(int p, int n, void *arg);
+static int MS_CALLBACK genrsa_cb(int p, int n, BN_GENCB *cb);
 
 int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	BN_GENCB cb;
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e = NULL;
 #endif
 	int ret=1;
-	RSA *rsa=NULL;
 	int i,num=DEFBITS;
 	long l;
 	const EVP_CIPHER *enc=NULL;
@@ -97,8 +104,13 @@ int MAIN(int argc, char **argv)
 #endif
 	char *inrand=NULL;
 	BIO *out=NULL;
+	BIGNUM *bn = BN_new();
+	RSA *rsa = RSA_new();
+
+	if(!bn || !rsa) goto err;
 
 	apps_startup();
+	BN_GENCB_set(&cb, genrsa_cb, bio_err);
 
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
@@ -233,12 +245,12 @@ bad:
 
 	BIO_printf(bio_err,"Generating RSA private key, %d bit long modulus\n",
 		num);
-	rsa=RSA_generate_key(num,f4,genrsa_cb,bio_err);
+
+	if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
+		goto err;
 		
 	app_RAND_write_file(NULL, bio_err);
 
-	if (rsa == NULL) goto err;
-	
 	/* We need to do the following for when the base number size is <
 	 * long, esp windows 3.1 :-(. */
 	l=0L;
@@ -262,8 +274,9 @@ bad:
 
 	ret=0;
 err:
-	if (rsa != NULL) RSA_free(rsa);
-	if (out != NULL) BIO_free_all(out);
+	if (bn) BN_free(bn);
+	if (rsa) RSA_free(rsa);
+	if (out) BIO_free_all(out);
 	if(passout) OPENSSL_free(passout);
 	if (ret != 0)
 		ERR_print_errors(bio_err);
@@ -271,7 +284,7 @@ err:
 	OPENSSL_EXIT(ret);
 	}
 
-static void MS_CALLBACK genrsa_cb(int p, int n, void *arg)
+static int MS_CALLBACK genrsa_cb(int p, int n, BN_GENCB *cb)
 	{
 	char c='*';
 
@@ -279,11 +292,12 @@ static void MS_CALLBACK genrsa_cb(int p, int n, void *arg)
 	if (p == 1) c='+';
 	if (p == 2) c='*';
 	if (p == 3) c='\n';
-	BIO_write((BIO *)arg,&c,1);
-	(void)BIO_flush((BIO *)arg);
+	BIO_write(cb->arg,&c,1);
+	(void)BIO_flush(cb->arg);
 #ifdef LINT
 	p=n;
 #endif
+	return 1;
 	}
 #else /* !OPENSSL_NO_RSA */
 
diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c
index 856b797b532e..52af592a4a61 100644
--- a/crypto/openssl/apps/ocsp.c
+++ b/crypto/openssl/apps/ocsp.c
@@ -64,6 +64,7 @@
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
 #include <openssl/ssl.h>
+#include <openssl/bn.h>
 
 /* Maximum leeway in validity period: default 5 minutes */
 #define MAX_VALIDITY_PERIOD	(5 * 60)
@@ -784,7 +785,7 @@ int MAIN(int argc, char **argv)
 
 	if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
 		{
-		BIO_printf(out, "Responder Error: %s (%ld)\n",
+		BIO_printf(out, "Responder Error: %s (%d)\n",
 				OCSP_response_status_str(i), i);
 		if (ignore_err)
 			goto redo_accept;
@@ -850,7 +851,7 @@ int MAIN(int argc, char **argv)
 
 		if(i <= 0)
 			{
-			BIO_printf(bio_err, "Response Verify Failure\n", i);
+			BIO_printf(bio_err, "Response Verify Failure\n");
 			ERR_print_errors(bio_err);
 			}
 		else
diff --git a/crypto/openssl/apps/openssl.c b/crypto/openssl/apps/openssl.c
index 9a9ef916531e..02d86d546df3 100644
--- a/crypto/openssl/apps/openssl.c
+++ b/crypto/openssl/apps/openssl.c
@@ -129,7 +129,6 @@
 #include "progs.h"
 #include "s_apps.h"
 #include <openssl/err.h>
-#include <openssl/fips.h>
 
 /* The LHASH callbacks ("hash" & "cmp") have been replaced by functions with the
  * base prototypes (we cast each variable inside the function to the required
@@ -148,7 +147,6 @@ char *default_config_file=NULL;
 #ifdef MONOLITH
 CONF *config=NULL;
 BIO *bio_err=NULL;
-int in_FIPS_mode=0;
 #endif
 
 
@@ -222,38 +220,18 @@ int main(int Argc, char *Argv[])
 #define PROG_NAME_SIZE	39
 	char pname[PROG_NAME_SIZE+1];
 	FUNCTION f,*fp;
-	MS_STATIC char *prompt,buf[1024];
+	MS_STATIC const char *prompt;
+	MS_STATIC char buf[1024];
 	char *to_free=NULL;
 	int n,i,ret=0;
 	int argc;
 	char **argv,*p;
 	LHASH *prog=NULL;
 	long errline;
-
+ 
 	arg.data=NULL;
 	arg.count=0;
 
-	in_FIPS_mode = 0;
-
-#ifdef OPENSSL_FIPS
-	if(getenv("OPENSSL_FIPS")) {
-#if defined(_WIN32)
-		char filename[MAX_PATH] = "";
-		GetModuleFileName( NULL, filename, MAX_PATH) ;
-		p = filename;
-#else
-		p = Argv[0];
-#endif
-		if (!FIPS_mode_set(1,p)) {
-			ERR_load_crypto_strings();
-			ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
-			exit(1);
-		}
-		in_FIPS_mode = 1;
-		if (getenv("OPENSSL_FIPS_MD5"))
-			FIPS_allow_md5(1);
-		}
-#endif
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
@@ -511,7 +489,7 @@ static LHASH *prog_init(void)
 	{
 	LHASH *ret;
 	FUNCTION *f;
-	int i;
+	size_t i;
 
 	/* Purely so it looks nice when the user hits ? */
 	for(i=0,f=functions ; f->name != NULL ; ++f,++i)
@@ -529,12 +507,12 @@ static LHASH *prog_init(void)
 /* static int MS_CALLBACK cmp(FUNCTION *a, FUNCTION *b) */
 static int MS_CALLBACK cmp(const void *a_void, const void *b_void)
 	{
-	return(strncmp(((FUNCTION *)a_void)->name,
-			((FUNCTION *)b_void)->name,8));
+	return(strncmp(((const FUNCTION *)a_void)->name,
+			((const FUNCTION *)b_void)->name,8));
 	}
 
 /* static unsigned long MS_CALLBACK hash(FUNCTION *a) */
 static unsigned long MS_CALLBACK hash(const void *a_void)
 	{
-	return(lh_strhash(((FUNCTION *)a_void)->name));
+	return(lh_strhash(((const FUNCTION *)a_void)->name));
 	}
diff --git a/crypto/openssl/apps/openssl.cnf b/crypto/openssl/apps/openssl.cnf
index af688a426036..9e59020c1764 100644
--- a/crypto/openssl/apps/openssl.cnf
+++ b/crypto/openssl/apps/openssl.cnf
@@ -44,8 +44,8 @@ new_certs_dir	= $dir/newcerts		# default place for new certs.
 
 certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
-#crlnumber	= $dir/crlnumber	# the current crl number must be
-					# commented out to leave a V1 CRL
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
 RANDFILE	= $dir/private/.rand	# private random number file
@@ -67,7 +67,7 @@ cert_opt 	= ca_default		# Certificate field options
 
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL
-default_md	= md5			# which md to use.
+default_md	= sha1			# which md to use.
 preserve	= no			# keep passed DN ordering
 
 # A few difference way of specifying how similar the request should look
@@ -188,7 +188,7 @@ nsComment			= "OpenSSL Generated Certificate"
 
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier=keyid,issuer
 
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
@@ -258,3 +258,56 @@ basicConstraints = CA:true
 
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/crypto/openssl/apps/passwd.c b/crypto/openssl/apps/passwd.c
index 3ad91d89d6a5..9ca25dd1da81 100644
--- a/crypto/openssl/apps/passwd.c
+++ b/crypto/openssl/apps/passwd.c
@@ -312,7 +312,8 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
 	static char out_buf[6 + 9 + 24 + 2]; /* "$apr1$..salt..$.......md5hash..........\0" */
 	unsigned char buf[MD5_DIGEST_LENGTH];
 	char *salt_out;
-	int n, i;
+	int n;
+	unsigned int i;
 	EVP_MD_CTX md,md2;
 	size_t passwd_len, salt_len;
 
@@ -358,13 +359,13 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
 	for (i = 0; i < 1000; i++)
 		{
 		EVP_DigestInit_ex(&md2,EVP_md5(), NULL);
-		EVP_DigestUpdate(&md2, (i & 1) ? (unsigned char *) passwd : buf,
+		EVP_DigestUpdate(&md2, (i & 1) ? (unsigned const char *) passwd : buf,
 		                       (i & 1) ? passwd_len : sizeof buf);
 		if (i % 3)
 			EVP_DigestUpdate(&md2, salt_out, salt_len);
 		if (i % 7)
 			EVP_DigestUpdate(&md2, passwd, passwd_len);
-		EVP_DigestUpdate(&md2, (i & 1) ? buf : (unsigned char *) passwd,
+		EVP_DigestUpdate(&md2, (i & 1) ? buf : (unsigned const char *) passwd,
 		                       (i & 1) ? sizeof buf : passwd_len);
 		EVP_DigestFinal_ex(&md2, buf, NULL);
 		}
@@ -473,7 +474,8 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	if ((strlen(passwd) > pw_maxlen))
 		{
 		if (!quiet)
-			BIO_printf(bio_err, "Warning: truncating password to %u characters\n", pw_maxlen);
+			/* XXX: really we should know how to print a size_t, not cast it */
+			BIO_printf(bio_err, "Warning: truncating password to %u characters\n", (unsigned)pw_maxlen);
 		passwd[pw_maxlen] = 0;
 		}
 	assert(strlen(passwd) <= pw_maxlen);
diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c
index 71192bdf749c..c22c00fce156 100644
--- a/crypto/openssl/apps/pkcs12.c
+++ b/crypto/openssl/apps/pkcs12.c
@@ -1,11 +1,9 @@
 /* pkcs12.c */
-#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
-
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -58,6 +56,9 @@
  *
  */
 
+#include <openssl/opensslconf.h>
+#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -83,7 +84,7 @@ int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int opti
 int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, char *pass,
 			  int passlen, int options, char *pempass);
 int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options, char *pempass);
-int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name);
+int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,const char *name);
 void hex_prin(BIO *out, unsigned char *buf, int len);
 int alg_print(BIO *x, X509_ALGOR *alg);
 int cert_load(BIO *in, STACK_OF(X509) *sk);
@@ -166,10 +167,14 @@ int MAIN(int argc, char **argv)
 					 maciter = PKCS12_DEFAULT_ITER;
 		else if (!strcmp (*args, "-nomaciter"))
 					 maciter = 1;
+		else if (!strcmp (*args, "-nomac"))
+					 maciter = -1;
 		else if (!strcmp (*args, "-nodes")) enc=NULL;
 		else if (!strcmp (*args, "-certpbe")) {
 			if (args[1]) {
 				args++;
+				if (!strcmp(*args, "NONE"))
+					cert_pbe = -1;
 				cert_pbe=OBJ_txt2nid(*args);
 				if(cert_pbe == NID_undef) {
 					BIO_printf(bio_err,
@@ -180,7 +185,10 @@ int MAIN(int argc, char **argv)
 		} else if (!strcmp (*args, "-keypbe")) {
 			if (args[1]) {
 				args++;
-				key_pbe=OBJ_txt2nid(*args);
+				if (!strcmp(*args, "NONE"))
+					key_pbe = -1;
+				else
+					key_pbe=OBJ_txt2nid(*args);
 				if(key_pbe == NID_undef) {
 					BIO_printf(bio_err,
 						 "Unknown PBE algorithm %s\n", *args);
@@ -365,24 +373,6 @@ int MAIN(int argc, char **argv)
 	    goto end;
    }
 
-#if 0
-   if (certfile) {
-    	if(!(certsin = BIO_new_file(certfile, "r"))) {
-	    BIO_printf(bio_err, "Can't open certificate file %s\n", certfile);
-	    perror (certfile);
-	    goto end;
-	}
-    }
-
-    if (keyname) {
-    	if(!(inkey = BIO_new_file(keyname, "r"))) {
-	    BIO_printf(bio_err, "Can't key certificate file %s\n", keyname);
-	    perror (keyname);
-	    goto end;
-	}
-     }
-#endif
-
 #ifdef CRYPTO_MDEBUG
     CRYPTO_pop_info();
     CRYPTO_push_info("write files");
@@ -419,27 +409,31 @@ int MAIN(int argc, char **argv)
 
     if (export_cert) {
 	EVP_PKEY *key = NULL;
-	STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
-	STACK_OF(PKCS7) *safes = NULL;
-	PKCS12_SAFEBAG *bag = NULL;
-	PKCS8_PRIV_KEY_INFO *p8 = NULL;
-	PKCS7 *authsafe = NULL;
-	X509 *ucert = NULL;
+	X509 *ucert = NULL, *x = NULL;
 	STACK_OF(X509) *certs=NULL;
-	char *catmp = NULL;
+	unsigned char *catmp = NULL;
 	int i;
-	unsigned char keyid[EVP_MAX_MD_SIZE];
-	unsigned int keyidlen = 0;
+
+	if ((options & (NOCERTS|NOKEYS)) == (NOCERTS|NOKEYS))
+		{	
+		BIO_printf(bio_err, "Nothing to do!\n");
+		goto export_end;
+		}
+
+	if (options & NOCERTS)
+		chain = 0;
 
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_push_info("process -export_cert");
 	CRYPTO_push_info("reading private key");
 #endif
-	key = load_key(bio_err, keyname ? keyname : infile, FORMAT_PEM, 1,
-		passin, e, "private key");
-	if (!key) {
-		goto export_end;
-	}
+	if (!(options & NOKEYS))
+		{
+		key = load_key(bio_err, keyname ? keyname : infile,
+				FORMAT_PEM, 1, passin, e, "private key");
+		if (!key)
+			goto export_end;
+		}
 
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
@@ -447,49 +441,61 @@ int MAIN(int argc, char **argv)
 #endif
 
 	/* Load in all certs in input file */
-	if(!(certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
-		"certificates"))) {
-		goto export_end;
-	}
+	if(!(options & NOCERTS))
+		{
+		certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
+							"certificates");
+		if (!certs)
+			goto export_end;
 
-#ifdef CRYPTO_MDEBUG
-	CRYPTO_pop_info();
-	CRYPTO_push_info("reading certs from input 2");
-#endif
+		if (key)
+			{
+			/* Look for matching private key */
+			for(i = 0; i < sk_X509_num(certs); i++)
+				{
+				x = sk_X509_value(certs, i);
+				if(X509_check_private_key(x, key))
+					{
+					ucert = x;
+					/* Zero keyid and alias */
+					X509_keyid_set1(ucert, NULL, 0);
+					X509_alias_set1(ucert, NULL, 0);
+					/* Remove from list */
+					sk_X509_delete(certs, i);
+					break;
+					}
+				}
+			if (!ucert)
+				{
+				BIO_printf(bio_err, "No certificate matches private key\n");
+				goto export_end;
+				}
+			}
 
-	for(i = 0; i < sk_X509_num(certs); i++) {
-		ucert = sk_X509_value(certs, i);
-		if(X509_check_private_key(ucert, key)) {
-			X509_digest(ucert, EVP_sha1(), keyid, &keyidlen);
-			break;
 		}
-	}
-	if(!keyidlen) {
-		ucert = NULL;
-		BIO_printf(bio_err, "No certificate matches private key\n");
-		goto export_end;
-	}
-	
+
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
-	CRYPTO_push_info("reading certs from certfile");
+	CRYPTO_push_info("reading certs from input 2");
 #endif
 
-	bags = sk_PKCS12_SAFEBAG_new_null ();
-
 	/* Add any more certificates asked for */
-	if (certfile) {
+	if(certfile)
+		{
 		STACK_OF(X509) *morecerts=NULL;
 		if(!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
 					    NULL, e,
-					    "certificates from certfile"))) {
+					    "certificates from certfile")))
 			goto export_end;
-		}
-		while(sk_X509_num(morecerts) > 0) {
+		while(sk_X509_num(morecerts) > 0)
 			sk_X509_push(certs, sk_X509_shift(morecerts));
-		}
 		sk_X509_free(morecerts);
- 	}
+ 		}
+
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+	CRYPTO_push_info("reading certs from certfile");
+#endif
 
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
@@ -526,100 +532,55 @@ int MAIN(int argc, char **argv)
 		}			
     	}
 
-#ifdef CRYPTO_MDEBUG
-	CRYPTO_pop_info();
-	CRYPTO_push_info("building bags");
-#endif
-
-	/* We now have loads of certificates: include them all */
-	for(i = 0; i < sk_X509_num(certs); i++) {
-		X509 *cert = NULL;
-		cert = sk_X509_value(certs, i);
-		bag = PKCS12_x5092certbag(cert);
-		/* If it matches private key set id */
-		if(cert == ucert) {
-			if(name) PKCS12_add_friendlyname(bag, name, -1);
-			PKCS12_add_localkeyid(bag, keyid, keyidlen);
-		} else if((catmp = sk_shift(canames))) 
-				PKCS12_add_friendlyname(bag, catmp, -1);
-		sk_PKCS12_SAFEBAG_push(bags, bag);
-	}
-	sk_X509_pop_free(certs, X509_free);
-	certs = NULL;
-
-#ifdef CRYPTO_MDEBUG
-	CRYPTO_pop_info();
-	CRYPTO_push_info("encrypting bags");
-#endif
-
-	if(!noprompt &&
-		EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1)) {
-	    BIO_printf (bio_err, "Can't read Password\n");
-	    goto export_end;
-        }
-	if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass);
-	/* Turn certbags into encrypted authsafe */
-	authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0,
-								 iter, bags);
-	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-	bags = NULL;
-
-	if (!authsafe) {
-		ERR_print_errors (bio_err);
-		goto export_end;
-	}
-
-	safes = sk_PKCS7_new_null ();
-	sk_PKCS7_push (safes, authsafe);
+	/* Add any CA names */
 
-#ifdef CRYPTO_MDEBUG
-	CRYPTO_pop_info();
-	CRYPTO_push_info("building shrouded key bag");
-#endif
+	for (i = 0; i < sk_num(canames); i++)
+		{
+		catmp = (unsigned char *)sk_value(canames, i);
+		X509_alias_set1(sk_X509_value(certs, i), catmp, -1);
+		}
 
-	/* Make a shrouded key bag */
-	p8 = EVP_PKEY2PKCS8 (key);
-	if(keytype) PKCS8_add_keyusage(p8, keytype);
-	bag = PKCS12_MAKE_SHKEYBAG(key_pbe, cpass, -1, NULL, 0, iter, p8);
-	PKCS8_PRIV_KEY_INFO_free(p8);
-	p8 = NULL;
-        if (name) PKCS12_add_friendlyname (bag, name, -1);
-	if(csp_name) PKCS12_add_CSPName_asc(bag, csp_name, -1);
-	PKCS12_add_localkeyid (bag, keyid, keyidlen);
-	bags = sk_PKCS12_SAFEBAG_new_null();
-	sk_PKCS12_SAFEBAG_push (bags, bag);
+	if (csp_name && key)
+		EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
+				MBSTRING_ASC, (unsigned char *)csp_name, -1);
+		
 
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
-	CRYPTO_push_info("encrypting shrouded key bag");
+	CRYPTO_push_info("reading password");
 #endif
 
-	/* Turn it into unencrypted safe bag */
-	authsafe = PKCS12_pack_p7data (bags);
-	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-	bags = NULL;
-	sk_PKCS7_push (safes, authsafe);
+	if(!noprompt &&
+		EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1))
+		{
+	    	BIO_printf (bio_err, "Can't read Password\n");
+	    	goto export_end;
+        	}
+	if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass);
 
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
-	CRYPTO_push_info("building pkcs12");
+	CRYPTO_push_info("creating PKCS#12 structure");
 #endif
 
-	p12 = PKCS12_init(NID_pkcs7_data);
-
-	PKCS12_pack_authsafes(p12, safes);
+	p12 = PKCS12_create(cpass, name, key, ucert, certs,
+				key_pbe, cert_pbe, iter, -1, keytype);
 
-	sk_PKCS7_pop_free(safes, PKCS7_free);
-	safes = NULL;
+	if (!p12)
+		{
+	    	ERR_print_errors (bio_err);
+		goto export_end;
+		}
 
-	PKCS12_set_mac (p12, mpass, -1, NULL, 0, maciter, NULL);
+	if (maciter != -1)
+		PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, NULL);
 
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("writing pkcs12");
 #endif
 
-	i2d_PKCS12_bio (out, p12);
+	i2d_PKCS12_bio(out, p12);
 
 	ret = 0;
 
@@ -632,8 +593,7 @@ int MAIN(int argc, char **argv)
 
 	if (key) EVP_PKEY_free(key);
 	if (certs) sk_X509_pop_free(certs, X509_free);
-	if (safes) sk_PKCS7_pop_free(safes, PKCS7_free);
-	if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+	if (ucert) X509_free(ucert);
 
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
@@ -666,7 +626,7 @@ int MAIN(int argc, char **argv)
     CRYPTO_push_info("verify MAC");
 #endif
 	/* If we enter empty password try no password first */
-	if(!macpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
+	if(!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
 		/* If mac and crypto pass the same set it to NULL too */
 		if(!twopass) cpass = NULL;
 	} else if (!PKCS12_verify_mac(p12, mpass, -1)) {
@@ -710,9 +670,10 @@ int MAIN(int argc, char **argv)
 int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
 	     int passlen, int options, char *pempass)
 {
-	STACK_OF(PKCS7) *asafes;
+	STACK_OF(PKCS7) *asafes = NULL;
 	STACK_OF(PKCS12_SAFEBAG) *bags;
 	int i, bagnid;
+	int ret = 0;
 	PKCS7 *p7;
 
 	if (!( asafes = PKCS12_unpack_authsafes(p12))) return 0;
@@ -730,16 +691,22 @@ int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
 			}
 			bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
 		} else continue;
-		if (!bags) return 0;
+		if (!bags) goto err;
 	    	if (!dump_certs_pkeys_bags (out, bags, pass, passlen, 
 						 options, pempass)) {
 			sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
-			return 0;
+			goto err;
 		}
 		sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
+		bags = NULL;
 	}
-	sk_PKCS7_pop_free (asafes, PKCS7_free);
-	return 1;
+	ret = 1;
+
+	err:
+
+	if (asafes)
+		sk_PKCS7_pop_free (asafes, PKCS7_free);
+	return ret;
 }
 
 int dump_certs_pkeys_bags (BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
@@ -856,11 +823,12 @@ err:
 int alg_print (BIO *x, X509_ALGOR *alg)
 {
 	PBEPARAM *pbe;
-	unsigned char *p;
+	const unsigned char *p;
 	p = alg->parameter->value.sequence->data;
 	pbe = d2i_PBEPARAM (NULL, &p, alg->parameter->value.sequence->length);
-	BIO_printf (bio_err, "%s, Iteration %d\n", 
-	OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)), ASN1_INTEGER_get(pbe->iter));
+	BIO_printf (bio_err, "%s, Iteration %ld\n", 
+		OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)),
+		ASN1_INTEGER_get(pbe->iter));
 	PBEPARAM_free (pbe);
 	return 0;
 }
@@ -894,7 +862,7 @@ int cert_load(BIO *in, STACK_OF(X509) *sk)
 
 /* Generalised attribute print: handle PKCS#8 and bag attributes */
 
-int print_attribs (BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name)
+int print_attribs (BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,const char *name)
 {
 	X509_ATTRIBUTE *attr;
 	ASN1_TYPE *av;
diff --git a/crypto/openssl/apps/prime.c b/crypto/openssl/apps/prime.c
index 5c731a7e015c..af2fed15af69 100644
--- a/crypto/openssl/apps/prime.c
+++ b/crypto/openssl/apps/prime.c
@@ -56,12 +56,14 @@
 #undef PROG
 #define PROG prime_main
 
+int MAIN(int, char **);
+
 int MAIN(int argc, char **argv)
     {
     int hex=0;
     int checks=20;
     BIGNUM *bn=NULL;
-    BIO *bio_out=NULL;
+    BIO *bio_out;
 
     apps_startup();
 
@@ -69,18 +71,6 @@ int MAIN(int argc, char **argv)
 	if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 	    BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 
-    if (bio_out == NULL)
-	if ((bio_out=BIO_new(BIO_s_file())) != NULL)
-	    {
-	    BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-	    {
-	    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-	    bio_out = BIO_push(tmpbio, bio_out);
-	    }
-#endif
-	    }
-
     --argc;
     ++argv;
     while (argc >= 1 && **argv == '-')
@@ -95,16 +85,29 @@ int MAIN(int argc, char **argv)
 	else
 	    {
 	    BIO_printf(bio_err,"Unknown option '%s'\n",*argv);
-	bad:
-	    BIO_printf(bio_err,"options are\n");
-	    BIO_printf(bio_err,"%-14s hex\n","-hex");
-	    BIO_printf(bio_err,"%-14s number of checks\n","-checks <n>");
-	    exit(1);
+	    goto bad;
 	    }
 	--argc;
 	++argv;
 	}
 
+    if (argv[0] == NULL)
+	{
+	BIO_printf(bio_err,"No prime specified\n");
+	goto bad;
+	}
+
+   if ((bio_out=BIO_new(BIO_s_file())) != NULL)
+	{
+	BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+	    {
+	    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+	    bio_out = BIO_push(tmpbio, bio_out);
+	    }
+#endif
+	}
+
     if(hex)
 	BN_hex2bn(&bn,argv[0]);
     else
@@ -112,7 +115,16 @@ int MAIN(int argc, char **argv)
 
     BN_print(bio_out,bn);
     BIO_printf(bio_out," is %sprime\n",
-	       BN_is_prime(bn,checks,NULL,NULL,NULL) ? "" : "not ");
+	       BN_is_prime_ex(bn,checks,NULL,NULL) ? "" : "not ");
+
+    BN_free(bn);
+    BIO_free_all(bio_out);
 
     return 0;
+
+    bad:
+    BIO_printf(bio_err,"options are\n");
+    BIO_printf(bio_err,"%-14s hex\n","-hex");
+    BIO_printf(bio_err,"%-14s number of checks\n","-checks <n>");
+    return 1;
     }
diff --git a/crypto/openssl/apps/progs.h b/crypto/openssl/apps/progs.h
index 0493257bde1f..dc665c53a704 100644
--- a/crypto/openssl/apps/progs.h
+++ b/crypto/openssl/apps/progs.h
@@ -17,6 +17,8 @@ extern int rsa_main(int argc,char *argv[]);
 extern int rsautl_main(int argc,char *argv[]);
 extern int dsa_main(int argc,char *argv[]);
 extern int dsaparam_main(int argc,char *argv[]);
+extern int ec_main(int argc,char *argv[]);
+extern int ecparam_main(int argc,char *argv[]);
 extern int x509_main(int argc,char *argv[]);
 extern int genrsa_main(int argc,char *argv[]);
 extern int gendsa_main(int argc,char *argv[]);
@@ -35,11 +37,9 @@ extern int pkcs8_main(int argc,char *argv[]);
 extern int spkac_main(int argc,char *argv[]);
 extern int smime_main(int argc,char *argv[]);
 extern int rand_main(int argc,char *argv[]);
-extern int prime_main(int argc,char *argv[]);
-#ifndef OPENSSL_NO_ENGINE
 extern int engine_main(int argc,char *argv[]);
-#endif
 extern int ocsp_main(int argc,char *argv[]);
+extern int prime_main(int argc,char *argv[]);
 
 #define FUNC_TYPE_GENERAL	1
 #define FUNC_TYPE_MD		2
@@ -47,8 +47,8 @@ extern int ocsp_main(int argc,char *argv[]);
 
 typedef struct {
 	int type;
-	char *name;
-	int (*func)();
+	const char *name;
+	int (*func)(int argc,char *argv[]);
 	} FUNCTION;
 
 FUNCTION functions[] = {
@@ -82,6 +82,12 @@ FUNCTION functions[] = {
 #ifndef OPENSSL_NO_DSA
 	{FUNC_TYPE_GENERAL,"dsaparam",dsaparam_main},
 #endif
+#ifndef OPENSSL_NO_EC
+	{FUNC_TYPE_GENERAL,"ec",ec_main},
+#endif
+#ifndef OPENSSL_NO_EC
+	{FUNC_TYPE_GENERAL,"ecparam",ecparam_main},
+#endif
 	{FUNC_TYPE_GENERAL,"x509",x509_main},
 #ifndef OPENSSL_NO_RSA
 	{FUNC_TYPE_GENERAL,"genrsa",genrsa_main},
@@ -116,11 +122,11 @@ FUNCTION functions[] = {
 	{FUNC_TYPE_GENERAL,"spkac",spkac_main},
 	{FUNC_TYPE_GENERAL,"smime",smime_main},
 	{FUNC_TYPE_GENERAL,"rand",rand_main},
-	{FUNC_TYPE_GENERAL,"prime",prime_main},
 #ifndef OPENSSL_NO_ENGINE
 	{FUNC_TYPE_GENERAL,"engine",engine_main},
 #endif
 	{FUNC_TYPE_GENERAL,"ocsp",ocsp_main},
+	{FUNC_TYPE_GENERAL,"prime",prime_main},
 #ifndef OPENSSL_NO_MD2
 	{FUNC_TYPE_MD,"md2",dgst_main},
 #endif
diff --git a/crypto/openssl/apps/progs.pl b/crypto/openssl/apps/progs.pl
index d6a40edb91d2..36569d2661c3 100644
--- a/crypto/openssl/apps/progs.pl
+++ b/crypto/openssl/apps/progs.pl
@@ -16,8 +16,8 @@ print <<'EOF';
 
 typedef struct {
 	int type;
-	char *name;
-	int (*func)();
+	const char *name;
+	int (*func)(int argc,char *argv[]);
 	} FUNCTION;
 
 FUNCTION functions[] = {
@@ -29,10 +29,16 @@ foreach (@ARGV)
 	$str="\t{FUNC_TYPE_GENERAL,\"$_\",${_}_main},\n";
 	if (($_ =~ /^s_/) || ($_ =~ /^ciphers$/))
 		{ print "#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))\n${str}#endif\n"; } 
+	elsif ( ($_ =~ /^speed$/))
+		{ print "#ifndef OPENSSL_NO_SPEED\n${str}#endif\n"; }
+	elsif ( ($_ =~ /^engine$/))
+		{ print "#ifndef OPENSSL_NO_ENGINE\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^rsa$/) || ($_ =~ /^genrsa$/) || ($_ =~ /^rsautl$/)) 
 		{ print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";  }
 	elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/))
 		{ print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n"; }
+	elsif ( ($_ =~ /^ec$/) || ($_ =~ /^ecparam$/))
+		{ print "#ifndef OPENSSL_NO_EC\n${str}#endif\n";}
 	elsif ( ($_ =~ /^dh$/) || ($_ =~ /^gendh$/) || ($_ =~ /^dhparam$/))
 		{ print "#ifndef OPENSSL_NO_DH\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^pkcs12$/))
diff --git a/crypto/openssl/apps/rand.c b/crypto/openssl/apps/rand.c
index 63724bc73025..a893896033a8 100644
--- a/crypto/openssl/apps/rand.c
+++ b/crypto/openssl/apps/rand.c
@@ -205,7 +205,7 @@ int MAIN(int argc, char **argv)
 		int chunk;
 
 		chunk = num;
-		if (chunk > sizeof buf)
+		if (chunk > (int)sizeof(buf))
 			chunk = sizeof buf;
 		r = RAND_bytes(buf, chunk);
 		if (r <= 0)
diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c
index 046bb3dc90ce..f58e65ec852f 100644
--- a/crypto/openssl/apps/req.c
+++ b/crypto/openssl/apps/req.c
@@ -56,6 +56,12 @@
  * [including the GNU Public Licence.]
  */
 
+/* Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code */
+#ifdef OPENSSL_NO_DEPRECATED
+#undef OPENSSL_NO_DEPRECATED
+#endif
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
@@ -73,7 +79,13 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
-#include "../crypto/cryptlib.h"
+#include <openssl/bn.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 
 #define SECTION		"req"
 
@@ -113,9 +125,10 @@
  *		  require.  This format is wrong
  */
 
-static int make_REQ(X509_REQ *req,EVP_PKEY *pkey,char *dn,int attribs,
-		unsigned long chtype);
-static int build_subject(X509_REQ *req, char *subj, unsigned long chtype);
+static int make_REQ(X509_REQ *req,EVP_PKEY *pkey,char *dn,int mutlirdn,
+		int attribs,unsigned long chtype);
+static int build_subject(X509_REQ *req, char *subj, unsigned long chtype,
+		int multirdn);
 static int prompt_info(X509_REQ *req,
 		STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
 		STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs,
@@ -123,16 +136,16 @@ static int prompt_info(X509_REQ *req,
 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
 				STACK_OF(CONF_VALUE) *attr, int attribs,
 				unsigned long chtype);
-static int add_attribute_object(X509_REQ *req, char *text,
-				char *def, char *value, int nid, int n_min,
+static int add_attribute_object(X509_REQ *req, char *text, const char *def,
+				char *value, int nid, int n_min,
 				int n_max, unsigned long chtype);
-static int add_DN_object(X509_NAME *n, char *text, char *def, char *value,
-	int nid,int n_min,int n_max, unsigned long chtype);
+static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value,
+	int nid,int n_min,int n_max, unsigned long chtype, int mval);
 #ifndef OPENSSL_NO_RSA
-static void MS_CALLBACK req_cb(int p,int n,void *arg);
+static int MS_CALLBACK req_cb(int p, int n, BN_GENCB *cb);
 #endif
 static int req_check_len(int len,int n_min,int n_max);
-static int check_end(char *str, char *end);
+static int check_end(const char *str, const char *end);
 #ifndef MONOLITH
 static char *default_config_file=NULL;
 #endif
@@ -142,6 +155,7 @@ static int batch=0;
 #define TYPE_RSA	1
 #define TYPE_DSA	2
 #define TYPE_DH		3
+#define TYPE_EC		4
 
 int MAIN(int, char **);
 
@@ -151,6 +165,9 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_DSA
 	DSA *dsa_params=NULL;
 #endif
+#ifndef OPENSSL_NO_ECDSA
+	EC_KEY *ec_params = NULL;
+#endif
 	unsigned long nmflag = 0, reqflag = 0;
 	int ex=1,x509=0,days=30;
 	X509 *x509ss=NULL;
@@ -175,7 +192,8 @@ int MAIN(int argc, char **argv)
 	char *passin = NULL, *passout = NULL;
 	char *p;
 	char *subj = NULL;
-	const EVP_MD *md_alg=NULL,*digest=EVP_md5();
+	int multirdn = 0;
+	const EVP_MD *md_alg=NULL,*digest=EVP_sha1();
 	unsigned long chtype = MBSTRING_ASC;
 #ifndef MONOLITH
 	char *to_free;
@@ -322,11 +340,64 @@ int MAIN(int argc, char **argv)
 						}
 					}
 				BIO_free(in);
-				newkey=BN_num_bits(dsa_params->p);
 				in=NULL;
+				newkey=BN_num_bits(dsa_params->p);
 				}
 			else 
 #endif
+#ifndef OPENSSL_NO_ECDSA
+				if (strncmp("ec:",p,3) == 0)
+				{
+				X509 *xtmp=NULL;
+				EVP_PKEY *dtmp;
+				EC_GROUP *group;
+
+				pkey_type=TYPE_EC;
+				p+=3;
+				if ((in=BIO_new_file(p,"r")) == NULL)
+					{
+					perror(p);
+					goto end;
+					}
+				if ((ec_params = EC_KEY_new()) == NULL)
+					goto end;
+				group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
+				if (group == NULL)
+					{
+					EC_KEY_free(ec_params);
+					ERR_clear_error();
+					(void)BIO_reset(in);
+					if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
+						{	
+						BIO_printf(bio_err,"unable to load EC parameters from file\n");
+						goto end;
+						}
+
+					if ((dtmp=X509_get_pubkey(xtmp))==NULL)
+						goto end;
+					if (dtmp->type == EVP_PKEY_EC)
+						ec_params = EC_KEY_dup(dtmp->pkey.ec);
+					EVP_PKEY_free(dtmp);
+					X509_free(xtmp);
+					if (ec_params == NULL)
+						{
+						BIO_printf(bio_err,"Certificate does not contain EC parameters\n");
+						goto end;
+						}
+					}
+				else
+					{
+					if (EC_KEY_set_group(ec_params, group) == 0)
+						goto end;
+					EC_GROUP_free(group);
+					}
+
+				BIO_free(in);
+				in=NULL;
+				newkey = EC_GROUP_get_degree(EC_KEY_get0_group(ec_params));
+				}
+			else
+#endif
 #ifndef OPENSSL_NO_DH
 				if (strncmp("dh:",p,4) == 0)
 				{
@@ -335,7 +406,9 @@ int MAIN(int argc, char **argv)
 				}
 			else
 #endif
-				pkey_type=TYPE_RSA;
+				{
+				goto bad;
+				}
 
 			newreq=1;
 			}
@@ -380,6 +453,8 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			subj= *(++argv);
 			}
+		else if (strcmp(*argv,"-multivalue-rdn") == 0)
+			multirdn=1;
 		else if (strcmp(*argv,"-days") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -445,9 +520,13 @@ bad:
 		BIO_printf(bio_err,"                the random number generator\n");
 		BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
 		BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
+#ifndef OPENSSL_NO_ECDSA
+		BIO_printf(bio_err," -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
+#endif
 		BIO_printf(bio_err," -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
 		BIO_printf(bio_err," -config file   request template file.\n");
 		BIO_printf(bio_err," -subj arg      set or modify request subject\n");
+		BIO_printf(bio_err," -multivalue-rdn enable support for multivalued RDNs\n");
 		BIO_printf(bio_err," -new           new request.\n");
 		BIO_printf(bio_err," -batch         do not ask anything during request generation\n");
 		BIO_printf(bio_err," -x509          output a x509 structure instead of a cert. req.\n");
@@ -499,13 +578,16 @@ bad:
 	else
 		{
 		req_conf=config;
-		if( verbose )
-			BIO_printf(bio_err,"Using configuration from %s\n",
-			default_config_file);
+
 		if (req_conf == NULL)
 			{
-			BIO_printf(bio_err,"Unable to load config info\n");
+			BIO_printf(bio_err,"Unable to load config info from %s\n", default_config_file);
+			if (newreq)
+				goto end;
 			}
+		else if( verbose )
+			BIO_printf(bio_err,"Using configuration from %s\n",
+			default_config_file);
 		}
 
 	if (req_conf != NULL)
@@ -637,7 +719,8 @@ bad:
 			   message */
 			goto end;
 			}
-		if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
+		if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA || 
+			EVP_PKEY_type(pkey->type) == EVP_PKEY_EC)
 			{
 			char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
 			if (randfile == NULL)
@@ -648,6 +731,9 @@ bad:
 
 	if (newreq && (pkey == NULL))
 		{
+#ifndef OPENSSL_NO_RSA
+		BN_GENCB cb;
+#endif
 		char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
 		if (randfile == NULL)
 			ERR_clear_error();
@@ -661,24 +747,33 @@ bad:
 				newkey=DEFAULT_KEY_LENGTH;
 			}
 
-		if (newkey < MIN_KEY_LENGTH)
+		if (newkey < MIN_KEY_LENGTH && (pkey_type == TYPE_RSA || pkey_type == TYPE_DSA))
 			{
 			BIO_printf(bio_err,"private key length is too short,\n");
-			BIO_printf(bio_err,"it needs to be at least %d bits, not %d\n",MIN_KEY_LENGTH,newkey);
+			BIO_printf(bio_err,"it needs to be at least %d bits, not %ld\n",MIN_KEY_LENGTH,newkey);
 			goto end;
 			}
-		BIO_printf(bio_err,"Generating a %d bit %s private key\n",
-			newkey,(pkey_type == TYPE_RSA)?"RSA":"DSA");
+		BIO_printf(bio_err,"Generating a %ld bit %s private key\n",
+			newkey,(pkey_type == TYPE_RSA)?"RSA":
+			(pkey_type == TYPE_DSA)?"DSA":"EC");
 
 		if ((pkey=EVP_PKEY_new()) == NULL) goto end;
 
 #ifndef OPENSSL_NO_RSA
+		BN_GENCB_set(&cb, req_cb, bio_err);
 		if (pkey_type == TYPE_RSA)
 			{
-			if (!EVP_PKEY_assign_RSA(pkey,
-				RSA_generate_key(newkey,0x10001,
-					req_cb,bio_err)))
+			RSA *rsa = RSA_new();
+			BIGNUM *bn = BN_new();
+			if(!bn || !rsa || !BN_set_word(bn, 0x10001) ||
+					!RSA_generate_key_ex(rsa, newkey, bn, &cb) ||
+					!EVP_PKEY_assign_RSA(pkey, rsa))
+				{
+				if(bn) BN_free(bn);
+				if(rsa) RSA_free(rsa);
 				goto end;
+				}
+			BN_free(bn);
 			}
 		else
 #endif
@@ -690,6 +785,15 @@ bad:
 			dsa_params=NULL;
 			}
 #endif
+#ifndef OPENSSL_NO_ECDSA
+			if (pkey_type == TYPE_EC)
+			{
+			if (!EC_KEY_generate_key(ec_params)) goto end;
+			if (!EVP_PKEY_assign_EC_KEY(pkey, ec_params)) 
+				goto end;
+			ec_params = NULL;
+			}
+#endif
 
 		app_RAND_write_file(randfile, bio_err);
 
@@ -796,6 +900,10 @@ loop:
 		if (pkey->type == EVP_PKEY_DSA)
 			digest=EVP_dss1();
 #endif
+#ifndef OPENSSL_NO_ECDSA
+		if (pkey->type == EVP_PKEY_EC)
+			digest=EVP_ecdsa();
+#endif
 		if (req == NULL)
 			{
 			req=X509_REQ_new();
@@ -804,7 +912,7 @@ loop:
 				goto end;
 				}
 
-			i=make_REQ(req,pkey,subj,!x509, chtype);
+			i=make_REQ(req,pkey,subj,multirdn,!x509, chtype);
 			subj=NULL; /* done processing '-subj' option */
 			if ((kludge > 0) && !sk_X509_ATTRIBUTE_num(req->req_info->attributes))
 				{
@@ -899,7 +1007,7 @@ loop:
 			print_name(bio_err, "old subject=", X509_REQ_get_subject_name(req), nmflag);
 			}
 
-		if (build_subject(req, subj, chtype) == 0)
+		if (build_subject(req, subj, chtype, multirdn) == 0)
 			{
 			BIO_printf(bio_err, "ERROR: cannot modify subject\n");
 			ex=1;
@@ -1083,12 +1191,15 @@ end:
 #ifndef OPENSSL_NO_DSA
 	if (dsa_params != NULL) DSA_free(dsa_params);
 #endif
+#ifndef OPENSSL_NO_ECDSA
+	if (ec_params != NULL) EC_KEY_free(ec_params);
+#endif
 	apps_shutdown();
 	OPENSSL_EXIT(ex);
 	}
 
-static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int attribs,
-			unsigned long chtype)
+static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
+			int attribs, unsigned long chtype)
 	{
 	int ret=0,i;
 	char no_prompt = 0;
@@ -1138,7 +1249,7 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int attribs,
 	else 
 		{
 		if (subj)
-			i = build_subject(req, subj, chtype);
+			i = build_subject(req, subj, chtype, multirdn);
 		else
 			i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs, chtype);
 		}
@@ -1155,11 +1266,11 @@ err:
  * subject is expected to be in the format /type0=value0/type1=value1/type2=...
  * where characters may be escaped by \
  */
-static int build_subject(X509_REQ *req, char *subject, unsigned long chtype)
+static int build_subject(X509_REQ *req, char *subject, unsigned long chtype, int multirdn)
 	{
 	X509_NAME *n;
 
-	if (!(n = do_subject(subject, chtype)))
+	if (!(n = parse_name(subject, chtype, multirdn)))
 		return 0;
 
 	if (!X509_REQ_set_subject_name(req, n))
@@ -1180,9 +1291,10 @@ static int prompt_info(X509_REQ *req,
 	int i;
 	char *p,*q;
 	char buf[100];
-	int nid;
+	int nid, mval;
 	long n_min,n_max;
-	char *type,*def,*value;
+	char *type, *value;
+	const char *def;
 	CONF_VALUE *v;
 	X509_NAME *subj;
 	subj = X509_REQ_get_subject_name(req);
@@ -1223,10 +1335,17 @@ start:		for (;;)
 					if(*p) type = p;
 					break;
 				}
+			if (*type == '+')
+				{
+				mval = -1;
+				type++;
+				}
+			else
+				mval = 0;
 			/* If OBJ not recognised ignore it */
 			if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start;
 			if (BIO_snprintf(buf,sizeof buf,"%s_default",v->name)
-				>= sizeof buf)
+				>= (int)sizeof(buf))
 			   {
 			   BIO_printf(bio_err,"Name '%s' too long\n",v->name);
 			   return 0;
@@ -1260,7 +1379,7 @@ start:		for (;;)
 				}
 
 			if (!add_DN_object(subj,v->value,def,value,nid,
-				n_min,n_max, chtype))
+				n_min,n_max, chtype, mval))
 				return 0;
 			}
 		if (X509_NAME_entry_count(subj) == 0)
@@ -1291,7 +1410,7 @@ start2:			for (;;)
 					goto start2;
 
 				if (BIO_snprintf(buf,sizeof buf,"%s_default",type)
-					>= sizeof buf)
+					>= (int)sizeof(buf))
 				   {
 				   BIO_printf(bio_err,"Name '%s' too long\n",v->name);
 				   return 0;
@@ -1350,6 +1469,7 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
 
 	for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
 		{
+		int mval;
 		v=sk_CONF_VALUE_value(dn_sk,i);
 		p=q=NULL;
 		type=v->name;
@@ -1366,8 +1486,19 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
 				if(*p) type = p;
 				break;
 			}
+#ifndef CHARSET_EBCDIC
+		if (*p == '+')
+#else
+		if (*p == os_toascii['+'])
+#endif
+			{
+			p++;
+			mval = -1;
+			}
+		else
+			mval = 0;
 		if (!X509_NAME_add_entry_by_txt(subj,type, chtype,
-				(unsigned char *) v->value,-1,-1,0)) return 0;
+				(unsigned char *) v->value,-1,-1,mval)) return 0;
 
 		}
 
@@ -1389,8 +1520,8 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
 	}
 
 
-static int add_DN_object(X509_NAME *n, char *text, char *def, char *value,
-	     int nid, int n_min, int n_max, unsigned long chtype)
+static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value,
+	     int nid, int n_min, int n_max, unsigned long chtype, int mval)
 	{
 	int i,ret=0;
 	MS_STATIC char buf[1024];
@@ -1439,14 +1570,14 @@ start:
 #endif
 	if(!req_check_len(i, n_min, n_max)) goto start;
 	if (!X509_NAME_add_entry_by_NID(n,nid, chtype,
-				(unsigned char *) buf, -1,-1,0)) goto err;
+				(unsigned char *) buf, -1,-1,mval)) goto err;
 	ret=1;
 err:
 	return(ret);
 	}
 
-static int add_attribute_object(X509_REQ *req, char *text,
-				char *def, char *value, int nid, int n_min,
+static int add_attribute_object(X509_REQ *req, char *text, const char *def,
+				char *value, int nid, int n_min,
 				int n_max, unsigned long chtype)
 	{
 	int i;
@@ -1510,7 +1641,7 @@ err:
 	}
 
 #ifndef OPENSSL_NO_RSA
-static void MS_CALLBACK req_cb(int p, int n, void *arg)
+static int MS_CALLBACK req_cb(int p, int n, BN_GENCB *cb)
 	{
 	char c='*';
 
@@ -1518,11 +1649,12 @@ static void MS_CALLBACK req_cb(int p, int n, void *arg)
 	if (p == 1) c='+';
 	if (p == 2) c='*';
 	if (p == 3) c='\n';
-	BIO_write((BIO *)arg,&c,1);
-	(void)BIO_flush((BIO *)arg);
+	BIO_write(cb->arg,&c,1);
+	(void)BIO_flush(cb->arg);
 #ifdef LINT
 	p=n;
 #endif
+	return 1;
 	}
 #endif
 
@@ -1542,10 +1674,10 @@ static int req_check_len(int len, int n_min, int n_max)
 	}
 
 /* Check if the end of a string matches 'end' */
-static int check_end(char *str, char *end)
+static int check_end(const char *str, const char *end)
 {
 	int elen, slen;	
-	char *tmp;
+	const char *tmp;
 	elen = strlen(end);
 	slen = strlen(str);
 	if(elen > slen) return 1;
diff --git a/crypto/openssl/apps/rsa.c b/crypto/openssl/apps/rsa.c
index 0acdb08b24c3..d5cb7b721293 100644
--- a/crypto/openssl/apps/rsa.c
+++ b/crypto/openssl/apps/rsa.c
@@ -56,6 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
+#include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_RSA
 #include <stdio.h>
 #include <stdlib.h>
@@ -68,6 +69,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/bn.h>
 
 #undef PROG
 #define PROG	rsa_main
@@ -307,7 +309,7 @@ bad:
 			BIO_printf(out,"RSA key ok\n");
 		else if (r == 0)
 			{
-			long err;
+			unsigned long err;
 
 			while ((err = ERR_peek_error()) != 0 &&
 				ERR_GET_LIB(err) == ERR_LIB_RSA &&
diff --git a/crypto/openssl/apps/rsautl.c b/crypto/openssl/apps/rsautl.c
index 5db6fe7cd74f..463890950e1f 100644
--- a/crypto/openssl/apps/rsautl.c
+++ b/crypto/openssl/apps/rsautl.c
@@ -56,12 +56,14 @@
  *
  */
 
+#include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_RSA
 
 #include "apps.h"
 #include <string.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
+#include <openssl/rsa.h>
 
 #define RSA_SIGN 	1
 #define RSA_VERIFY 	2
@@ -147,6 +149,7 @@ int MAIN(int argc, char **argv)
 		else if(!strcmp(*argv, "-oaep")) pad = RSA_PKCS1_OAEP_PADDING;
 		else if(!strcmp(*argv, "-ssl")) pad = RSA_SSLV23_PADDING;
 		else if(!strcmp(*argv, "-pkcs")) pad = RSA_PKCS1_PADDING;
+		else if(!strcmp(*argv, "-x931")) pad = RSA_X931_PADDING;
 		else if(!strcmp(*argv, "-sign")) {
 			rsa_mode = RSA_SIGN;
 			need_priv = 1;
diff --git a/crypto/openssl/apps/s_apps.h b/crypto/openssl/apps/s_apps.h
index 66b6edd442be..886a95a2b8ce 100644
--- a/crypto/openssl/apps/s_apps.h
+++ b/crypto/openssl/apps/s_apps.h
@@ -108,8 +108,9 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
-
+#if !defined(OPENSSL_SYS_NETWARE)  /* conflicts with winsock2 stuff on netware */
 #include <sys/types.h>
+#endif
 #include <openssl/opensslconf.h>
 
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
@@ -147,19 +148,20 @@ typedef fd_mask fd_set;
 #define PORT_STR        "4433"
 #define PROTOCOL        "tcp"
 
-int do_server(int port, int *ret, int (*cb) (), char *context);
+int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
 #ifdef HEADER_X509_H
 int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
 #ifdef HEADER_SSL_H
 int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
 #endif
-int init_client(int *sock, char *server, int port);
+int init_client(int *sock, char *server, int port, int type);
 int should_retry(int i);
 int extract_port(char *str, short *port_ptr);
 int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
 
-long MS_CALLBACK bio_dump_cb(BIO *bio, int cmd, const char *argp,
+long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
 	int argi, long argl, long ret);
 
 #ifdef HEADER_SSL_H
diff --git a/crypto/openssl/apps/s_cb.c b/crypto/openssl/apps/s_cb.c
index 675527df1fc5..9a35d46adc28 100644
--- a/crypto/openssl/apps/s_cb.c
+++ b/crypto/openssl/apps/s_cb.c
@@ -229,8 +229,36 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
 	return(1);
 	}
 
-long MS_CALLBACK bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi,
-	     long argl, long ret)
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
+	{
+	if (cert ==  NULL)
+		return 1;
+	if (SSL_CTX_use_certificate(ctx,cert) <= 0)
+		{
+		BIO_printf(bio_err,"error setting certificate\n");
+		ERR_print_errors(bio_err);
+		return 0;
+		}
+	if (SSL_CTX_use_PrivateKey(ctx,key) <= 0)
+		{
+		BIO_printf(bio_err,"error setting private key\n");
+		ERR_print_errors(bio_err);
+		return 0;
+		}
+
+		
+		/* Now we know that a key and cert have been set against
+		 * the SSL context */
+	if (!SSL_CTX_check_private_key(ctx))
+		{
+		BIO_printf(bio_err,"Private key does not match the certificate public key\n");
+		return 0;
+		}
+	return 1;
+	}
+
+long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
+	int argi, long argl, long ret)
 	{
 	BIO *out;
 
@@ -239,15 +267,15 @@ long MS_CALLBACK bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi,
 
 	if (cmd == (BIO_CB_READ|BIO_CB_RETURN))
 		{
-		BIO_printf(out,"read from %08X [%08lX] (%d bytes => %ld (0x%X))\n",
-			bio,argp,argi,ret,ret);
+		BIO_printf(out,"read from %p [%p] (%d bytes => %ld (0x%lX))\n",
+ 			(void *)bio,argp,argi,ret,ret);
 		BIO_dump(out,argp,(int)ret);
 		return(ret);
 		}
 	else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN))
 		{
-		BIO_printf(out,"write to %08X [%08lX] (%d bytes => %ld (0x%X))\n",
-			bio,argp,argi,ret,ret);
+		BIO_printf(out,"write to %p [%p] (%d bytes => %ld (0x%lX))\n",
+			(void *)bio,argp,argi,ret,ret);
 		BIO_dump(out,argp,(int)ret);
 		}
 	return(ret);
@@ -255,7 +283,7 @@ long MS_CALLBACK bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi,
 
 void MS_CALLBACK apps_ssl_info_callback(const SSL *s, int where, int ret)
 	{
-	char *str;
+	const char *str;
 	int w;
 
 	w=where& ~SSL_ST_MASK;
@@ -318,14 +346,14 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 
 		if (len > 0)
 			{
-			switch (((unsigned char*)buf)[0])
+			switch (((const unsigned char*)buf)[0])
 				{
 				case 0:
 					str_details1 = ", ERROR:";
 					str_details2 = " ???";
 					if (len >= 3)
 						{
-						unsigned err = (((unsigned char*)buf)[1]<<8) + ((unsigned char*)buf)[2];
+						unsigned err = (((const unsigned char*)buf)[1]<<8) + ((const unsigned char*)buf)[2];
 						
 						switch (err)
 							{
@@ -394,7 +422,7 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 			
 			if (len == 2)
 				{
-				switch (((unsigned char*)buf)[0])
+				switch (((const unsigned char*)buf)[0])
 					{
 				case 1:
 					str_details1 = ", warning";
@@ -405,7 +433,7 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 					}
 
 				str_details2 = " ???";
-				switch (((unsigned char*)buf)[1])
+				switch (((const unsigned char*)buf)[1])
 					{
 				case 0:
 					str_details2 = " close_notify";
@@ -486,7 +514,7 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 
 			if (len > 0)
 				{
-				switch (((unsigned char*)buf)[0])
+				switch (((const unsigned char*)buf)[0])
 					{
 				case 0:
 					str_details1 = ", HelloRequest";
@@ -539,7 +567,7 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 			{
 			if (i % 16 == 0 && i > 0)
 				BIO_printf(bio, "\n   ");
-			BIO_printf(bio, " %02x", ((unsigned char*)buf)[i]);
+			BIO_printf(bio, " %02x", ((const unsigned char*)buf)[i]);
 			}
 		if (i < len)
 			BIO_printf(bio, " ...");
diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c
index eb6fd7c1c342..4a1857f3a82e 100644
--- a/crypto/openssl/apps/s_client.c
+++ b/crypto/openssl/apps/s_client.c
@@ -135,6 +135,7 @@ typedef unsigned int u_int;
 #include <openssl/pem.h>
 #include <openssl/rand.h>
 #include "s_apps.h"
+#include "timeouts.h"
 
 #ifdef OPENSSL_SYS_WINCE
 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
@@ -187,16 +188,22 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -port port     - use -connect instead\n");
 	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
 
-	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
+	BIO_printf(bio_err," -verify depth - turn on peer certificate verification\n");
 	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
-	BIO_printf(bio_err," -key arg      - Private key file to use, PEM format assumed, in cert file if\n");
+	BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
+	BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
 	BIO_printf(bio_err,"                 not specified but cert file is.\n");
+	BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
+	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
 	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
 	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
 	BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
 	BIO_printf(bio_err," -debug        - extra output\n");
+#ifdef WATT32
+	BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
+#endif
 	BIO_printf(bio_err," -msg          - Show protocol messages\n");
 	BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
 	BIO_printf(bio_err," -state        - print the 'ssl' states\n");
@@ -209,6 +216,8 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
 	BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
 	BIO_printf(bio_err," -tls1         - just use TLSv1\n");
+	BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
+	BIO_printf(bio_err," -mtu          - set the MTU\n");
 	BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
 	BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
 	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
@@ -241,6 +250,10 @@ int MAIN(int argc, char **argv)
 	int full_log=1;
 	char *host=SSL_HOST_NAME;
 	char *cert_file=NULL,*key_file=NULL;
+	int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
+	char *passarg = NULL, *pass = NULL;
+	X509 *cert = NULL;
+	EVP_PKEY *key = NULL;
 	char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
 	int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
 	int crlf=0;
@@ -250,16 +263,25 @@ int MAIN(int argc, char **argv)
 	int starttls_proto = 0;
 	int prexit = 0, vflags = 0;
 	SSL_METHOD *meth=NULL;
+#ifdef sock_type
+#undef sock_type
+#endif
+	int sock_type=SOCK_STREAM;
 	BIO *sbio;
 	char *inrand=NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine_id=NULL;
 	ENGINE *e=NULL;
 #endif
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
 	struct timeval tv;
 #endif
 
+	struct sockaddr peer;
+	int peerlen = sizeof(peer);
+	int enable_timeouts = 0 ;
+	long mtu = 0;
+
 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 	meth=SSLv23_client_method();
 #elif !defined(OPENSSL_NO_SSL3)
@@ -329,6 +351,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			cert_file= *(++argv);
 			}
+		else if	(strcmp(*argv,"-certform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			cert_format = str2fmt(*(++argv));
+			}
 		else if	(strcmp(*argv,"-crl_check") == 0)
 			vflags |= X509_V_FLAG_CRL_CHECK;
 		else if	(strcmp(*argv,"-crl_check_all") == 0)
@@ -348,6 +375,10 @@ int MAIN(int argc, char **argv)
 			c_Pause=1;
 		else if	(strcmp(*argv,"-debug") == 0)
 			c_debug=1;
+#ifdef WATT32
+		else if (strcmp(*argv,"-wdebug") == 0)
+			dbug_init();
+#endif
 		else if	(strcmp(*argv,"-msg") == 0)
 			c_msg=1;
 		else if	(strcmp(*argv,"-showcerts") == 0)
@@ -368,8 +399,32 @@ int MAIN(int argc, char **argv)
 		else if	(strcmp(*argv,"-tls1") == 0)
 			meth=TLSv1_client_method();
 #endif
+#ifndef OPENSSL_NO_DTLS1
+		else if	(strcmp(*argv,"-dtls1") == 0)
+			{
+			meth=DTLSv1_client_method();
+			sock_type=SOCK_DGRAM;
+			}
+		else if (strcmp(*argv,"-timeout") == 0)
+			enable_timeouts=1;
+		else if (strcmp(*argv,"-mtu") == 0)
+			{
+			if (--argc < 1) goto bad;
+			mtu = atol(*(++argv));
+			}
+#endif
 		else if (strcmp(*argv,"-bugs") == 0)
 			bugs=1;
+		else if	(strcmp(*argv,"-keyform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			key_format = str2fmt(*(++argv));
+			}
+		else if	(strcmp(*argv,"-pass") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passarg = *(++argv);
+			}
 		else if	(strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -451,6 +506,42 @@ bad:
 #ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine_id, 1);
 #endif
+	if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
+		{
+		BIO_printf(bio_err, "Error getting password\n");
+		goto end;
+		}
+
+	if (key_file == NULL)
+		key_file = cert_file;
+
+
+	if (key_file)
+
+		{
+
+		key = load_key(bio_err, key_file, key_format, 0, pass, e,
+			       "client certificate private key file");
+		if (!key)
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+
+		}
+
+	if (cert_file)
+
+		{
+		cert = load_cert(bio_err,cert_file,cert_format,
+				NULL, e, "client certificate file");
+
+		if (!cert)
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		}
 
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
@@ -485,6 +576,10 @@ bad:
 		SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
 	else
 		SSL_CTX_set_options(ctx,off);
+	/* DTLS: partial reads end up discarding unread UDP bytes :-( 
+	 * Setting read ahead solves this problem.
+	 */
+	if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
 
 	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
 	if (cipher != NULL)
@@ -499,7 +594,7 @@ bad:
 #endif
 
 	SSL_CTX_set_verify(ctx,verify,verify_callback);
-	if (!set_cert_stuff(ctx,cert_file,key_file))
+	if (!set_cert_key_stuff(ctx,cert,key))
 		goto end;
 
 	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
@@ -524,7 +619,7 @@ bad:
 
 re_start:
 
-	if (init_client(&s,host,port) == 0)
+	if (init_client(&s,host,port,sock_type) == 0)
 		{
 		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
 		SHUTDOWN(s);
@@ -545,7 +640,46 @@ re_start:
 		}
 #endif                                              
 	if (c_Pause & 0x01) con->debug=1;
-	sbio=BIO_new_socket(s,BIO_NOCLOSE);
+
+	if ( SSL_version(con) == DTLS1_VERSION)
+		{
+		struct timeval timeout;
+
+		sbio=BIO_new_dgram(s,BIO_NOCLOSE);
+		if (getsockname(s, &peer, (void *)&peerlen) < 0)
+			{
+			BIO_printf(bio_err, "getsockname:errno=%d\n",
+				get_last_socket_error());
+			SHUTDOWN(s);
+			goto end;
+			}
+
+		BIO_ctrl_set_connected(sbio, 1, &peer);
+
+		if ( enable_timeouts)
+			{
+			timeout.tv_sec = 0;
+			timeout.tv_usec = DGRAM_RCV_TIMEOUT;
+			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
+			
+			timeout.tv_sec = 0;
+			timeout.tv_usec = DGRAM_SND_TIMEOUT;
+			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
+			}
+
+		if ( mtu > 0)
+			{
+			SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
+			SSL_set_mtu(con, mtu);
+			}
+		else
+			/* want to do MTU discovery */
+			BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
+		}
+	else
+		sbio=BIO_new_socket(s,BIO_NOCLOSE);
+
+
 
 	if (nbio_test)
 		{
@@ -558,7 +692,7 @@ re_start:
 	if (c_debug)
 		{
 		con->debug=1;
-		BIO_set_callback(sbio,bio_dump_cb);
+		BIO_set_callback(sbio,bio_dump_callback);
 		BIO_set_callback_arg(sbio,bio_c_out);
 		}
 	if (c_msg)
@@ -640,7 +774,7 @@ re_start:
 
 		if (!ssl_pending)
 			{
-#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
 			if (tty_on)
 				{
 				if (read_tty)  FD_SET(fileno(stdin),&readfds);
@@ -690,6 +824,16 @@ re_start:
 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
 					 NULL,NULL);
 			}
+#elif defined(OPENSSL_SYS_NETWARE)
+			if(!write_tty) {
+				if(read_tty) {
+					tv.tv_sec = 1;
+					tv.tv_usec = 0;
+					i=select(width,(void *)&readfds,(void *)&writefds,
+						NULL,&tv);
+				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
+					NULL,NULL);
+			}
 #else
 			i=select(width,(void *)&readfds,(void *)&writefds,
 				 NULL,NULL);
@@ -770,7 +914,7 @@ re_start:
 				goto shut;
 				}
 			}
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
 		/* Assume Windows/DOS can always write */
 		else if (!ssl_pending && write_tty)
 #else
@@ -857,6 +1001,8 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 #else
 		else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
 #endif
+#elif defined (OPENSSL_SYS_NETWARE)
+        else if (_kbhit())
 #else
 		else if (FD_ISSET(fileno(stdin),&readfds))
 #endif
@@ -920,6 +1066,12 @@ end:
 	if (con != NULL) SSL_free(con);
 	if (con2 != NULL) SSL_free(con2);
 	if (ctx != NULL) SSL_CTX_free(ctx);
+	if (cert)
+		X509_free(cert);
+	if (key)
+		EVP_PKEY_free(key);
+	if (pass)
+		OPENSSL_free(pass);
 	if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
 	if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
 	if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
@@ -937,13 +1089,16 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 	{
 	X509 *peer=NULL;
 	char *p;
-	static char *space="                ";
+	static const char *space="                ";
 	char buf[BUFSIZ];
 	STACK_OF(X509) *sk;
 	STACK_OF(X509_NAME) *sk2;
 	SSL_CIPHER *c;
 	X509_NAME *xn;
 	int j,i;
+#ifndef OPENSSL_NO_COMP
+	const COMP_METHOD *comp, *expansion;
+#endif
 
 	if (full)
 		{
@@ -1046,6 +1201,14 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 							 EVP_PKEY_bits(pktmp));
 		EVP_PKEY_free(pktmp);
 	}
+#ifndef OPENSSL_NO_COMP
+	comp=SSL_get_current_compression(s);
+	expansion=SSL_get_current_expansion(s);
+	BIO_printf(bio,"Compression: %s\n",
+		comp ? SSL_COMP_get_name(comp) : "NONE");
+	BIO_printf(bio,"Expansion: %s\n",
+		expansion ? SSL_COMP_get_name(expansion) : "NONE");
+#endif
 	SSL_SESSION_print(bio,SSL_get_session(s));
 	BIO_printf(bio,"---\n");
 	if (peer != NULL)
diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c
index ff4ab6ef28b9..0d6727ca43f3 100644
--- a/crypto/openssl/apps/s_server.c
+++ b/crypto/openssl/apps/s_server.c
@@ -108,18 +108,33 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
+
+/* Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code */
+#ifdef OPENSSL_NO_DEPRECATED
+#undef OPENSSL_NO_DEPRECATED
+#endif
 
 #include <assert.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <sys/types.h>
+
 #include <sys/stat.h>
 #include <openssl/e_os2.h>
 #ifdef OPENSSL_NO_STDIO
 #define APPS_WIN16
 #endif
 
+#if !defined(OPENSSL_SYS_NETWARE)  /* conflicts with winsock2 stuff on netware */
+#include <sys/types.h>
+#endif
+
 /* With IPv6, it looks like Digital has mixed up the proper order of
    recursive header file inclusion, resulting in the compiler complaining
    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
@@ -138,7 +153,14 @@ typedef unsigned int u_int;
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
 #include "s_apps.h"
+#include "timeouts.h"
 
 #ifdef OPENSSL_SYS_WINCE
 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
@@ -165,9 +187,10 @@ static void print_stats(BIO *bp,SSL_CTX *ctx);
 static int generate_session_id(const SSL *ssl, unsigned char *id,
 				unsigned int *id_len);
 #ifndef OPENSSL_NO_DH
-static DH *load_dh_param(char *dhfile);
+static DH *load_dh_param(const char *dhfile);
 static DH *get_dh512(void);
 #endif
+
 #ifdef MONOLITH
 static void s_server_init(void);
 #endif
@@ -206,6 +229,7 @@ static DH *get_dh512(void)
 	}
 #endif
 
+
 /* static int load_CA(SSL_CTX *ctx, char *file);*/
 
 #undef BUFSIZZ
@@ -222,7 +246,7 @@ extern int verify_depth;
 static char *cipher=NULL;
 static int s_server_verify=SSL_VERIFY_NONE;
 static int s_server_session_id_context = 1; /* anything will do */
-static char *s_cert_file=TEST_CERT,*s_key_file=NULL;
+static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
 static char *s_dcert_file=NULL,*s_dkey_file=NULL;
 #ifdef FIONBIO
 static int s_nbio=0;
@@ -243,6 +267,14 @@ static char *engine_id=NULL;
 #endif
 static const char *session_id_prefix=NULL;
 
+static int enable_timeouts = 0;
+#ifdef mtu
+#undef mtu
+#endif
+static long mtu;
+static int cert_chain = 0;
+
+
 #ifdef MONOLITH
 static void s_server_init(void)
 	{
@@ -279,14 +311,25 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -context arg  - set session ID context\n");
 	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
 	BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
-	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
+	BIO_printf(bio_err," -cert arg     - certificate file to use\n");
 	BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
-	BIO_printf(bio_err," -key arg      - Private Key file to use, PEM format assumed, in cert file if\n");
+	BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
+	BIO_printf(bio_err," -key arg      - Private Key file to use, in cert file if\n");
 	BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT);
+	BIO_printf(bio_err," -keyform arg  - key format (PEM, DER or ENGINE) PEM default\n");
+	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
 	BIO_printf(bio_err," -dcert arg    - second certificate file to use (usually for DSA)\n");
+	BIO_printf(bio_err," -dcertform x  - second certificate format (PEM or DER) PEM default\n");
 	BIO_printf(bio_err," -dkey arg     - second private key file to use (usually for DSA)\n");
+	BIO_printf(bio_err," -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n");
+	BIO_printf(bio_err," -dpass arg    - second private key file pass phrase source\n");
 	BIO_printf(bio_err," -dhparam arg  - DH parameter file to use, in cert file if not specified\n");
 	BIO_printf(bio_err,"                 or a default set of parameters is used\n");
+#ifndef OPENSSL_NO_ECDH
+	BIO_printf(bio_err," -named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.\n" \
+	                   "                 Use \"openssl ecparam -list_curves\" for all names\n" \
+	                   "                 (default is sect163r2).\n");
+#endif
 #ifdef FIONBIO
 	BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
 #endif
@@ -305,12 +348,19 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
 	BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
 	BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
+	BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
+	BIO_printf(bio_err," -timeout      - Enable timeouts\n");
+	BIO_printf(bio_err," -mtu          - Set MTU\n");
+	BIO_printf(bio_err," -chain        - Read a certificate chain\n");
 	BIO_printf(bio_err," -no_ssl2      - Just disable SSLv2\n");
 	BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n");
 	BIO_printf(bio_err," -no_tls1      - Just disable TLSv1\n");
 #ifndef OPENSSL_NO_DH
 	BIO_printf(bio_err," -no_dhe       - Disable ephemeral DH\n");
 #endif
+#ifndef OPENSSL_NO_ECDH
+	BIO_printf(bio_err," -no_ecdhe     - Disable ephemeral ECDH\n");
+#endif
 	BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
 	BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
 	BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
@@ -484,18 +534,31 @@ int MAIN(int argc, char *argv[])
 	int vflags = 0;
 	short port=PORT;
 	char *CApath=NULL,*CAfile=NULL;
-	char *context = NULL;
+	unsigned char *context = NULL;
 	char *dhfile = NULL;
+#ifndef OPENSSL_NO_ECDH
+	char *named_curve = NULL;
+#endif
 	int badop=0,bugs=0;
 	int ret=1;
 	int off=0;
-	int no_tmp_rsa=0,no_dhe=0,nocert=0;
+	int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0;
 	int state=0;
 	SSL_METHOD *meth=NULL;
+#ifdef sock_type
+#undef sock_type
+#endif
+    int sock_type=SOCK_STREAM;
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e=NULL;
 #endif
 	char *inrand=NULL;
+	int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
+	char *passarg = NULL, *pass = NULL;
+	char *dpassarg = NULL, *dpass = NULL;
+	int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
+	X509 *s_cert = NULL, *s_dcert = NULL;
+	EVP_PKEY *s_key = NULL, *s_dkey = NULL;
 
 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 	meth=SSLv23_server_method();
@@ -555,28 +618,65 @@ int MAIN(int argc, char *argv[])
 		else if	(strcmp(*argv,"-context") == 0)
 			{
 			if (--argc < 1) goto bad;
-			context= *(++argv);
+			context= (unsigned char *)*(++argv);
 			}
 		else if	(strcmp(*argv,"-cert") == 0)
 			{
 			if (--argc < 1) goto bad;
 			s_cert_file= *(++argv);
 			}
+		else if	(strcmp(*argv,"-certform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			s_cert_format = str2fmt(*(++argv));
+			}
 		else if	(strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
 			s_key_file= *(++argv);
 			}
+		else if	(strcmp(*argv,"-keyform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			s_key_format = str2fmt(*(++argv));
+			}
+		else if	(strcmp(*argv,"-pass") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passarg = *(++argv);
+			}
 		else if	(strcmp(*argv,"-dhparam") == 0)
 			{
 			if (--argc < 1) goto bad;
 			dhfile = *(++argv);
 			}
+#ifndef OPENSSL_NO_ECDH		
+		else if	(strcmp(*argv,"-named_curve") == 0)
+			{
+			if (--argc < 1) goto bad;
+			named_curve = *(++argv);
+			}
+#endif
+		else if	(strcmp(*argv,"-dcertform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			s_dcert_format = str2fmt(*(++argv));
+			}
 		else if	(strcmp(*argv,"-dcert") == 0)
 			{
 			if (--argc < 1) goto bad;
 			s_dcert_file= *(++argv);
 			}
+		else if	(strcmp(*argv,"-dkeyform") == 0)
+			{
+			if (--argc < 1) goto bad;
+			s_dkey_format = str2fmt(*(++argv));
+			}
+		else if	(strcmp(*argv,"-dpass") == 0)
+			{
+			if (--argc < 1) goto bad;
+			dpassarg = *(++argv);
+			}
 		else if	(strcmp(*argv,"-dkey") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -640,6 +740,8 @@ int MAIN(int argc, char *argv[])
 			{ no_tmp_rsa=1; }
 		else if	(strcmp(*argv,"-no_dhe") == 0)
 			{ no_dhe=1; }
+		else if	(strcmp(*argv,"-no_ecdhe") == 0)
+			{ no_ecdhe=1; }
 		else if	(strcmp(*argv,"-www") == 0)
 			{ www=1; }
 		else if	(strcmp(*argv,"-WWW") == 0)
@@ -664,6 +766,22 @@ int MAIN(int argc, char *argv[])
 		else if	(strcmp(*argv,"-tls1") == 0)
 			{ meth=TLSv1_server_method(); }
 #endif
+#ifndef OPENSSL_NO_DTLS1
+		else if	(strcmp(*argv,"-dtls1") == 0)
+			{ 
+			meth=DTLSv1_server_method();
+			sock_type = SOCK_DGRAM;
+			}
+		else if (strcmp(*argv,"-timeout") == 0)
+			enable_timeouts = 1;
+		else if (strcmp(*argv,"-mtu") == 0)
+			{
+			if (--argc < 1) goto bad;
+			mtu = atol(*(++argv));
+			}
+		else if (strcmp(*argv, "-chain") == 0)
+			cert_chain = 1;
+#endif
 		else if (strcmp(*argv, "-id_prefix") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -704,6 +822,62 @@ bad:
         e = setup_engine(bio_err, engine_id, 1);
 #endif
 
+	if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass))
+		{
+		BIO_printf(bio_err, "Error getting password\n");
+		goto end;
+		}
+
+
+	if (s_key_file == NULL)
+		s_key_file = s_cert_file;
+
+	if (nocert == 0)
+		{
+		s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
+		       "server certificate private key file");
+		if (!s_key)
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+
+		s_cert = load_cert(bio_err,s_cert_file,s_cert_format,
+			NULL, e, "server certificate file");
+
+		if (!s_cert)
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		}
+
+	if (s_dcert_file)
+		{
+
+		if (s_dkey_file == NULL)
+			s_dkey_file = s_dcert_file;
+
+		s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format,
+				0, dpass, e,
+			       "second certificate private key file");
+		if (!s_dkey)
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+
+		s_dcert = load_cert(bio_err,s_dcert_file,s_dcert_format,
+				NULL, e, "second server certificate file");
+
+		if (!s_dcert)
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+
+		}
+
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
 		{
@@ -726,7 +900,7 @@ bad:
 			}
 		}
 
-#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA)
+#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
 	if (nocert)
 #endif
 		{
@@ -762,6 +936,10 @@ bad:
 	if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL);
 	if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
 	SSL_CTX_set_options(ctx,off);
+	/* DTLS: partial reads end up discarding unread UDP bytes :-( 
+	 * Setting read ahead solves this problem.
+	 */
+	if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
 
 	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
 
@@ -814,12 +992,57 @@ bad:
 		DH_free(dh);
 		}
 #endif
+
+#ifndef OPENSSL_NO_ECDH
+	if (!no_ecdhe)
+		{
+		EC_KEY *ecdh=NULL;
+
+		if (named_curve)
+			{
+			int nid = OBJ_sn2nid(named_curve);
+
+			if (nid == 0)
+				{
+				BIO_printf(bio_err, "unknown curve name (%s)\n", 
+					named_curve);
+				goto end;
+				}
+			ecdh = EC_KEY_new_by_curve_name(nid);
+			if (ecdh == NULL)
+				{
+				BIO_printf(bio_err, "unable to create curve (%s)\n", 
+					named_curve);
+				goto end;
+				}
+			}
+
+		if (ecdh != NULL)
+			{
+			BIO_printf(bio_s_out,"Setting temp ECDH parameters\n");
+			}
+		else
+			{
+			BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
+			ecdh = EC_KEY_new_by_curve_name(NID_sect163r2);
+			if (ecdh == NULL) 
+				{
+				BIO_printf(bio_err, "unable to create curve (sect163r2)\n");
+				goto end;
+				}
+			}
+		(void)BIO_flush(bio_s_out);
+
+		SSL_CTX_set_tmp_ecdh(ctx,ecdh);
+		EC_KEY_free(ecdh);
+		}
+#endif
 	
-	if (!set_cert_stuff(ctx,s_cert_file,s_key_file))
+	if (!set_cert_key_stuff(ctx,s_cert,s_key))
 		goto end;
-	if (s_dcert_file != NULL)
+	if (s_dcert != NULL)
 		{
-		if (!set_cert_stuff(ctx,s_dcert_file,s_dkey_file))
+		if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
 			goto end;
 		}
 
@@ -863,16 +1086,28 @@ bad:
 
 	BIO_printf(bio_s_out,"ACCEPT\n");
 	if (www)
-		do_server(port,&accept_socket,www_body, context);
+		do_server(port,sock_type,&accept_socket,www_body, context);
 	else
-		do_server(port,&accept_socket,sv_body, context);
+		do_server(port,sock_type,&accept_socket,sv_body, context);
 	print_stats(bio_s_out,ctx);
 	ret=0;
 end:
 	if (ctx != NULL) SSL_CTX_free(ctx);
+	if (s_cert)
+		X509_free(s_cert);
+	if (s_dcert)
+		X509_free(s_dcert);
+	if (s_key)
+		EVP_PKEY_free(s_key);
+	if (s_dkey)
+		EVP_PKEY_free(s_dkey);
+	if (pass)
+		OPENSSL_free(pass);
+	if (dpass)
+		OPENSSL_free(dpass);
 	if (bio_s_out != NULL)
 		{
-		BIO_free(bio_s_out);
+        BIO_free(bio_s_out);
 		bio_s_out=NULL;
 		}
 	apps_shutdown();
@@ -883,23 +1118,23 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
 	{
 	BIO_printf(bio,"%4ld items in the session cache\n",
 		SSL_CTX_sess_number(ssl_ctx));
-	BIO_printf(bio,"%4d client connects (SSL_connect())\n",
+	BIO_printf(bio,"%4ld client connects (SSL_connect())\n",
 		SSL_CTX_sess_connect(ssl_ctx));
-	BIO_printf(bio,"%4d client renegotiates (SSL_connect())\n",
+	BIO_printf(bio,"%4ld client renegotiates (SSL_connect())\n",
 		SSL_CTX_sess_connect_renegotiate(ssl_ctx));
-	BIO_printf(bio,"%4d client connects that finished\n",
+	BIO_printf(bio,"%4ld client connects that finished\n",
 		SSL_CTX_sess_connect_good(ssl_ctx));
-	BIO_printf(bio,"%4d server accepts (SSL_accept())\n",
+	BIO_printf(bio,"%4ld server accepts (SSL_accept())\n",
 		SSL_CTX_sess_accept(ssl_ctx));
-	BIO_printf(bio,"%4d server renegotiates (SSL_accept())\n",
+	BIO_printf(bio,"%4ld server renegotiates (SSL_accept())\n",
 		SSL_CTX_sess_accept_renegotiate(ssl_ctx));
-	BIO_printf(bio,"%4d server accepts that finished\n",
+	BIO_printf(bio,"%4ld server accepts that finished\n",
 		SSL_CTX_sess_accept_good(ssl_ctx));
-	BIO_printf(bio,"%4d session cache hits\n",SSL_CTX_sess_hits(ssl_ctx));
-	BIO_printf(bio,"%4d session cache misses\n",SSL_CTX_sess_misses(ssl_ctx));
-	BIO_printf(bio,"%4d session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx));
-	BIO_printf(bio,"%4d callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx));
-	BIO_printf(bio,"%4d cache full overflows (%d allowed)\n",
+	BIO_printf(bio,"%4ld session cache hits\n",SSL_CTX_sess_hits(ssl_ctx));
+	BIO_printf(bio,"%4ld session cache misses\n",SSL_CTX_sess_misses(ssl_ctx));
+	BIO_printf(bio,"%4ld session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx));
+	BIO_printf(bio,"%4ld callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx));
+	BIO_printf(bio,"%4ld cache full overflows (%ld allowed)\n",
 		SSL_CTX_sess_cache_full(ssl_ctx),
 		SSL_CTX_sess_get_cache_size(ssl_ctx));
 	}
@@ -913,7 +1148,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 	unsigned long l;
 	SSL *con=NULL;
 	BIO *sbio;
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
 	struct timeval tv;
 #endif
 
@@ -951,7 +1186,39 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 	}
 	SSL_clear(con);
 
-	sbio=BIO_new_socket(s,BIO_NOCLOSE);
+	if (SSL_version(con) == DTLS1_VERSION)
+		{
+		struct timeval timeout;
+
+		sbio=BIO_new_dgram(s,BIO_NOCLOSE);
+
+		if ( enable_timeouts)
+			{
+			timeout.tv_sec = 0;
+			timeout.tv_usec = DGRAM_RCV_TIMEOUT;
+			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
+			
+			timeout.tv_sec = 0;
+			timeout.tv_usec = DGRAM_SND_TIMEOUT;
+			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
+			}
+
+		
+		if ( mtu > 0)
+			{
+			SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
+			SSL_set_mtu(con, mtu);
+			}
+		else
+			/* want to do MTU discovery */
+			BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
+
+        /* turn on cookie exchange */
+        SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
+		}
+	else
+		sbio=BIO_new_socket(s,BIO_NOCLOSE);
+
 	if (s_nbio_test)
 		{
 		BIO *test;
@@ -966,7 +1233,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 	if (s_debug)
 		{
 		con->debug=1;
-		BIO_set_callback(SSL_get_rbio(con),bio_dump_cb);
+		BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
 		BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out);
 		}
 	if (s_msg)
@@ -987,7 +1254,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 		if (!read_from_sslcon)
 			{
 			FD_ZERO(&readfds);
-#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
 			FD_SET(fileno(stdin),&readfds);
 #endif
 			FD_SET(s,&readfds);
@@ -997,7 +1264,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 			 * the compiler: if you do have a cast then you can either
 			 * go for (int *) or (void *).
 			 */
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
                         /* Under DOS (non-djgpp) and Windows we can't select on stdin: only
 			 * on sockets. As a workaround we timeout the select every
 			 * second and check for any keypress. In a proper Windows
@@ -1057,7 +1324,8 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 				if ((i <= 0) || (buf[0] == 'q'))
 					{
 					BIO_printf(bio_s_out,"DONE\n");
-					SHUTDOWN(s);
+					if (SSL_version(con) != DTLS1_VERSION)
+                        SHUTDOWN(s);
 	/*				close_accept_socket();
 					ret= -11;*/
 					goto err;
@@ -1086,7 +1354,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 					}
 				if (buf[0] == 'P')
 					{
-					static char *str="Lets print some clear text\n";
+					static const char *str="Lets print some clear text\n";
 					BIO_write(SSL_get_wbio(con),str,strlen(str));
 					}
 				if (buf[0] == 'S')
@@ -1270,7 +1538,7 @@ static int init_ssl_connection(SSL *con)
 	}
 
 #ifndef OPENSSL_NO_DH
-static DH *load_dh_param(char *dhfile)
+static DH *load_dh_param(const char *dhfile)
 	{
 	DH *ret=NULL;
 	BIO *bio;
@@ -1369,7 +1637,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
 	if (s_debug)
 		{
 		con->debug=1;
-		BIO_set_callback(SSL_get_rbio(con),bio_dump_cb);
+		BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
 		BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out);
 		}
 	if (s_msg)
@@ -1417,7 +1685,9 @@ static int www_body(char *hostname, int s, unsigned char *context)
 			else
 				{
 				BIO_printf(bio_s_out,"read R BLOCK\n");
-#if !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
+#if defined(OPENSSL_SYS_NETWARE)
+            delay(1000);
+#elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
 				sleep(1);
 #endif
 				continue;
@@ -1436,7 +1706,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
 			char *p;
 			X509 *peer;
 			STACK_OF(SSL_CIPHER) *sk;
-			static char *space="                          ";
+			static const char *space="                          ";
 
 			BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
 			BIO_puts(io,"<HTML><BODY BGCOLOR=\"#ffffff\">\n");
@@ -1516,7 +1786,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
 			{
 			BIO *file;
 			char *p,*e;
-			static char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
+			static const char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
 
 			/* skip the '/' */
 			p= &(buf[5]);
@@ -1692,21 +1962,30 @@ err:
 #ifndef OPENSSL_NO_RSA
 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
 	{
+	BIGNUM *bn = NULL;
 	static RSA *rsa_tmp=NULL;
 
-	if (rsa_tmp == NULL)
+	if (!rsa_tmp && ((bn = BN_new()) == NULL))
+		BIO_printf(bio_err,"Allocation error in generating RSA key\n");
+	if (!rsa_tmp && bn)
 		{
 		if (!s_quiet)
 			{
 			BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
 			(void)BIO_flush(bio_err);
 			}
-		rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL);
+		if(!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
+				!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL))
+			{
+			if(rsa_tmp) RSA_free(rsa_tmp);
+			rsa_tmp = NULL;
+			}
 		if (!s_quiet)
 			{
 			BIO_printf(bio_err,"\n");
 			(void)BIO_flush(bio_err);
 			}
+		BN_free(bn);
 		}
 	return(rsa_tmp);
 	}
diff --git a/crypto/openssl/apps/s_socket.c b/crypto/openssl/apps/s_socket.c
index 1867890966f6..4a922e16a0be 100644
--- a/crypto/openssl/apps/s_socket.c
+++ b/crypto/openssl/apps/s_socket.c
@@ -62,8 +62,6 @@
 #include <errno.h>
 #include <signal.h>
 
-#include <openssl/e_os2.h>
-
 /* With IPv6, it looks like Digital has mixed up the proper order of
    recursive header file inclusion, resulting in the compiler complaining
    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
@@ -81,14 +79,26 @@ typedef unsigned int u_int;
 #include "s_apps.h"
 #include <openssl/ssl.h>
 
+#ifdef FLAT_INC
+#include "e_os.h"
+#else
+#include "../e_os.h"
+#endif
+
+#ifndef OPENSSL_NO_SOCK
+
+#if defined(OPENSSL_SYS_NETWARE) && defined(NETWARE_BSDSOCK)
+#include "netdb.h"
+#endif
+
 static struct hostent *GetHostByName(char *name);
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
 static void ssl_sock_cleanup(void);
 #endif
 static int ssl_sock_init(void);
-static int init_client_ip(int *sock,unsigned char ip[4], int port);
-static int init_server(int *sock, int port);
-static int init_server_long(int *sock, int port,char *ip);
+static int init_client_ip(int *sock,unsigned char ip[4], int port, int type);
+static int init_server(int *sock, int port, int type);
+static int init_server_long(int *sock, int port,char *ip, int type);
 static int do_accept(int acc_sock, int *sock, char **host);
 static int host_ip(char *str, unsigned char ip[4]);
 
@@ -98,6 +108,10 @@ static int host_ip(char *str, unsigned char ip[4]);
 #define SOCKET_PROTOCOL	IPPROTO_TCP
 #endif
 
+#if defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
+static int wsa_init_done=0;
+#endif
+
 #ifdef OPENSSL_SYS_WINDOWS
 static struct WSAData wsa_state;
 static int wsa_init_done=0;
@@ -146,6 +160,15 @@ static void ssl_sock_cleanup(void)
 		WSACleanup();
 		}
 	}
+#elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
+static void sock_cleanup(void)
+    {
+    if (wsa_init_done)
+        {
+        wsa_init_done=0;
+		WSACleanup();
+		}
+	}
 #endif
 
 static int ssl_sock_init(void)
@@ -153,7 +176,6 @@ static int ssl_sock_init(void)
 #ifdef WATT32
 	extern int _watt_do_exit;
 	_watt_do_exit = 0;
-	dbug_init();
 	if (sock_init())
 		return (0);
 #elif defined(OPENSSL_SYS_WINDOWS)
@@ -181,11 +203,32 @@ static int ssl_sock_init(void)
 		SetWindowLong(topWnd,GWL_WNDPROC,(LONG)lpTopHookProc);
 #endif /* OPENSSL_SYS_WIN16 */
 		}
+#elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
+   WORD wVerReq;
+   WSADATA wsaData;
+   int err;
+
+   if (!wsa_init_done)
+      {
+   
+# ifdef SIGINT
+      signal(SIGINT,(void (*)(int))sock_cleanup);
+# endif
+
+      wsa_init_done=1;
+      wVerReq = MAKEWORD( 2, 0 );
+      err = WSAStartup(wVerReq,&wsaData);
+      if (err != 0)
+         {
+         BIO_printf(bio_err,"unable to start WINSOCK2, error code=%d\n",err);
+         return(0);
+         }
+      }
 #endif /* OPENSSL_SYS_WINDOWS */
 	return(1);
 	}
 
-int init_client(int *sock, char *host, int port)
+int init_client(int *sock, char *host, int port, int type)
 	{
 	unsigned char ip[4];
 	short p=0;
@@ -195,10 +238,10 @@ int init_client(int *sock, char *host, int port)
 		return(0);
 		}
 	if (p != 0) port=p;
-	return(init_client_ip(sock,ip,port));
+	return(init_client_ip(sock,ip,port,type));
 	}
 
-static int init_client_ip(int *sock, unsigned char ip[4], int port)
+static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
 	{
 	unsigned long addr;
 	struct sockaddr_in them;
@@ -216,13 +259,20 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port)
 		((unsigned long)ip[3]);
 	them.sin_addr.s_addr=htonl(addr);
 
-	s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+	if (type == SOCK_STREAM)
+		s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+	else /* ( type == SOCK_DGRAM) */
+		s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
+			
 	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
 
 #ifndef OPENSSL_SYS_MPE
-	i=0;
-	i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-	if (i < 0) { perror("keepalive"); return(0); }
+	if (type == SOCK_STREAM)
+		{
+		i=0;
+		i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
+		if (i < 0) { perror("keepalive"); return(0); }
+		}
 #endif
 
 	if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
@@ -231,30 +281,36 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port)
 	return(1);
 	}
 
-int do_server(int port, int *ret, int (*cb)(), char *context)
+int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
 	{
 	int sock;
-	char *name;
+	char *name = NULL;
 	int accept_socket;
 	int i;
 
-	if (!init_server(&accept_socket,port)) return(0);
+	if (!init_server(&accept_socket,port,type)) return(0);
 
 	if (ret != NULL)
 		{
 		*ret=accept_socket;
 		/* return(1);*/
 		}
-	for (;;)
-		{
-		if (do_accept(accept_socket,&sock,&name) == 0)
+  	for (;;)
+  		{
+		if (type==SOCK_STREAM)
 			{
-			SHUTDOWN(accept_socket);
-			return(0);
+			if (do_accept(accept_socket,&sock,&name) == 0)
+				{
+				SHUTDOWN(accept_socket);
+				return(0);
+				}
 			}
+		else
+			sock = accept_socket;
 		i=(*cb)(name,sock, context);
 		if (name != NULL) OPENSSL_free(name);
-		SHUTDOWN2(sock);
+		if (type==SOCK_STREAM)
+			SHUTDOWN2(sock);
 		if (i < 0)
 			{
 			SHUTDOWN2(accept_socket);
@@ -263,7 +319,7 @@ int do_server(int port, int *ret, int (*cb)(), char *context)
 		}
 	}
 
-static int init_server_long(int *sock, int port, char *ip)
+static int init_server_long(int *sock, int port, char *ip, int type)
 	{
 	int ret=0;
 	struct sockaddr_in server;
@@ -283,7 +339,11 @@ static int init_server_long(int *sock, int port, char *ip)
 #else
 		memcpy(&server.sin_addr,ip,4);
 #endif
-	s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+	
+		if (type == SOCK_STREAM)
+			s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+		else /* type == SOCK_DGRAM */
+			s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP);
 
 	if (s == INVALID_SOCKET) goto err;
 #if defined SOL_SOCKET && defined SO_REUSEADDR
@@ -301,7 +361,7 @@ static int init_server_long(int *sock, int port, char *ip)
 		goto err;
 		}
 	/* Make it 128 for linux */
-	if (listen(s,128) == -1) goto err;
+	if (type==SOCK_STREAM && listen(s,128) == -1) goto err;
 	i=0;
 	*sock=s;
 	ret=1;
@@ -313,9 +373,9 @@ err:
 	return(ret);
 	}
 
-static int init_server(int *sock, int port)
+static int init_server(int *sock, int port, int type)
 	{
-	return(init_server_long(sock, port, NULL));
+	return(init_server_long(sock, port, NULL, type));
 	}
 
 static int do_accept(int acc_sock, int *sock, char **host)
@@ -342,7 +402,7 @@ redoit:
 	ret=accept(acc_sock,(struct sockaddr *)&from,(void *)&len);
 	if (ret == INVALID_SOCKET)
 		{
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
 		i=WSAGetLastError();
 		BIO_printf(bio_err,"accept error %d\n",i);
 #else
@@ -553,3 +613,5 @@ static struct hostent *GetHostByName(char *name)
 		return(ret);
 		}
 	}
+
+#endif
diff --git a/crypto/openssl/apps/s_time.c b/crypto/openssl/apps/s_time.c
index 7d4705746578..904945e1a866 100644
--- a/crypto/openssl/apps/s_time.c
+++ b/crypto/openssl/apps/s_time.c
@@ -85,7 +85,7 @@
 #include OPENSSL_UNISTD
 #endif
 
-#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC))
+#if !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC))
 #define TIMES
 #endif
 
@@ -105,7 +105,7 @@
 #undef TIMES
 #endif
 
-#if !defined(TIMES) && !defined(OPENSSL_SYS_VXWORKS)
+#if !defined(TIMES) && !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_NETWARE)
 #include <sys/timeb.h>
 #endif
 
@@ -384,6 +384,20 @@ static double tm_Time_F(int s)
 		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
 		return((ret == 0.0)?1e-6:ret);
 	}
+#elif defined(OPENSSL_SYS_NETWARE)
+    static clock_t tstart,tend;
+
+    if (s == START)
+    {
+        tstart=clock();
+        return(0);
+    }
+    else
+    {
+        tend=clock();
+        ret=(double)((double)(tend)-(double)(tstart));
+        return((ret < 0.001)?0.001:ret);
+    }
 #elif defined(OPENSSL_SYS_VXWORKS)
         {
 	static unsigned long tick_start, tick_end;
diff --git a/crypto/openssl/apps/sess_id.c b/crypto/openssl/apps/sess_id.c
index d91d84d2206b..b99179f27679 100644
--- a/crypto/openssl/apps/sess_id.c
+++ b/crypto/openssl/apps/sess_id.c
@@ -69,7 +69,7 @@
 #undef PROG
 #define PROG	sess_id_main
 
-static char *sess_id_usage[]={
+static const char *sess_id_usage[]={
 "usage: sess_id args\n",
 "\n",
 " -inform arg     - input format - default PEM (DER or PEM)\n",
@@ -95,7 +95,7 @@ int MAIN(int argc, char **argv)
 	int informat,outformat;
 	char *infile=NULL,*outfile=NULL,*context=NULL;
 	int cert=0,noout=0,text=0;
-	char **pp;
+	const char **pp;
 
 	apps_startup();
 
@@ -241,7 +241,7 @@ bad:
 	if (!noout && !cert)
 		{
 		if 	(outformat == FORMAT_ASN1)
-			i=(int)i2d_SSL_SESSION_bio(out,x);
+			i=i2d_SSL_SESSION_bio(out,x);
 		else if (outformat == FORMAT_PEM)
 			i=PEM_write_bio_SSL_SESSION(out,x);
 		else	{
diff --git a/crypto/openssl/apps/smime.c b/crypto/openssl/apps/smime.c
index 51bc893ffa8a..250fd69a981b 100644
--- a/crypto/openssl/apps/smime.c
+++ b/crypto/openssl/apps/smime.c
@@ -1,9 +1,9 @@
 /* smime.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,10 +64,13 @@
 #include <openssl/crypto.h>
 #include <openssl/pem.h>
 #include <openssl/err.h>
+#include <openssl/x509_vfy.h>
+#include <openssl/x509v3.h>
 
 #undef PROG
 #define PROG smime_main
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
+static int smime_cb(int ok, X509_STORE_CTX *ctx);
 
 #define SMIME_OP	0x10
 #define SMIME_ENCRYPT	(1 | SMIME_OP)
@@ -79,12 +82,12 @@ static int save_certs(char *signerfile, STACK_OF(X509) *signers);
 int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
-{
+	{
 	ENGINE *e = NULL;
 	int operation = 0;
 	int ret = 0;
 	char **args;
-	char *inmode = "r", *outmode = "w";
+	const char *inmode = "r", *outmode = "w";
 	char *infile = NULL, *outfile = NULL;
 	char *signerfile = NULL, *recipfile = NULL;
 	char *certfile = NULL, *keyfile = NULL, *contfile=NULL;
@@ -96,7 +99,7 @@ int MAIN(int argc, char **argv)
 	STACK_OF(X509) *encerts = NULL, *other = NULL;
 	BIO *in = NULL, *out = NULL, *indata = NULL;
 	int badarg = 0;
-	int flags = PKCS7_DETACHED, store_flags = 0;
+	int flags = PKCS7_DETACHED;
 	char *to = NULL, *from = NULL, *subject = NULL;
 	char *CAfile = NULL, *CApath = NULL;
 	char *passargin = NULL, *passin = NULL;
@@ -108,24 +111,34 @@ int MAIN(int argc, char **argv)
 	char *engine=NULL;
 #endif
 
+	X509_VERIFY_PARAM *vpm = NULL;
+
 	args = argv + 1;
 	ret = 1;
 
 	apps_startup();
 
 	if (bio_err == NULL)
+		{
 		if ((bio_err = BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
+		}
 
 	if (!load_config(bio_err, NULL))
 		goto end;
 
-	while (!badarg && *args && *args[0] == '-') {
-		if (!strcmp (*args, "-encrypt")) operation = SMIME_ENCRYPT;
-		else if (!strcmp (*args, "-decrypt")) operation = SMIME_DECRYPT;
-		else if (!strcmp (*args, "-sign")) operation = SMIME_SIGN;
-		else if (!strcmp (*args, "-verify")) operation = SMIME_VERIFY;
-		else if (!strcmp (*args, "-pk7out")) operation = SMIME_PK7OUT;
+	while (!badarg && *args && *args[0] == '-')
+		{
+		if (!strcmp (*args, "-encrypt"))
+			operation = SMIME_ENCRYPT;
+		else if (!strcmp (*args, "-decrypt"))
+			operation = SMIME_DECRYPT;
+		else if (!strcmp (*args, "-sign"))
+			operation = SMIME_SIGN;
+		else if (!strcmp (*args, "-verify"))
+			operation = SMIME_VERIFY;
+		else if (!strcmp (*args, "-pk7out"))
+			operation = SMIME_PK7OUT;
 #ifndef OPENSSL_NO_DES
 		else if (!strcmp (*args, "-des3")) 
 				cipher = EVP_des_ede3_cbc();
@@ -172,127 +185,225 @@ int MAIN(int argc, char **argv)
 				flags |= PKCS7_NOOLDMIMETYPE;
 		else if (!strcmp (*args, "-crlfeol"))
 				flags |= PKCS7_CRLFEOL;
-		else if (!strcmp (*args, "-crl_check"))
-				store_flags |= X509_V_FLAG_CRL_CHECK;
-		else if (!strcmp (*args, "-crl_check_all"))
-				store_flags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
-		else if (!strcmp(*args,"-rand")) {
-			if (args[1]) {
+		else if (!strcmp(*args,"-rand"))
+			{
+			if (args[1])
+				{
 				args++;
 				inrand = *args;
-			} else badarg = 1;
+				}
+			else
+				badarg = 1;
 			need_rand = 1;
+			}
 #ifndef OPENSSL_NO_ENGINE
-		} else if (!strcmp(*args,"-engine")) {
-			if (args[1]) {
+		else if (!strcmp(*args,"-engine"))
+			{
+			if (args[1])
+				{
 				args++;
 				engine = *args;
-			} else badarg = 1;
+				}
+			else badarg = 1;
+			}
 #endif
-		} else if (!strcmp(*args,"-passin")) {
-			if (args[1]) {
+		else if (!strcmp(*args,"-passin"))
+			{
+			if (args[1])
+				{
 				args++;
 				passargin = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-to")) {
-			if (args[1]) {
+				}
+			else
+				badarg = 1;
+			}
+		else if (!strcmp (*args, "-to"))
+			{
+			if (args[1])
+				{
 				args++;
 				to = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-from")) {
-			if (args[1]) {
+				}
+			else
+				badarg = 1;
+			}
+		else if (!strcmp (*args, "-from"))
+			{
+			if (args[1])
+				{
 				args++;
 				from = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-subject")) {
-			if (args[1]) {
+				}
+			else badarg = 1;
+			}
+		else if (!strcmp (*args, "-subject"))
+			{
+			if (args[1])
+				{
 				args++;
 				subject = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-signer")) {
-			if (args[1]) {
+				}
+			else
+				badarg = 1;
+			}
+		else if (!strcmp (*args, "-signer"))
+			{
+			if (args[1])
+				{
 				args++;
 				signerfile = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-recip")) {
-			if (args[1]) {
+				}
+			else
+				badarg = 1;
+			}
+		else if (!strcmp (*args, "-recip"))
+			{
+			if (args[1])
+				{
 				args++;
 				recipfile = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-inkey")) {
-			if (args[1]) {
+				}
+			else badarg = 1;
+			}
+		else if (!strcmp (*args, "-inkey"))
+			{
+			if (args[1])
+				{
 				args++;
 				keyfile = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-keyform")) {
-			if (args[1]) {
+				}
+			else
+				badarg = 1;
+		}
+		else if (!strcmp (*args, "-keyform"))
+			{
+			if (args[1])
+				{
 				args++;
 				keyform = str2fmt(*args);
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-certfile")) {
-			if (args[1]) {
+				}
+			else
+				badarg = 1;
+			}
+		else if (!strcmp (*args, "-certfile"))
+			{
+			if (args[1])
+				{
 				args++;
 				certfile = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-CAfile")) {
-			if (args[1]) {
+				}
+			else
+				badarg = 1;
+			}
+		else if (!strcmp (*args, "-CAfile"))
+			{
+			if (args[1])
+				{
 				args++;
 				CAfile = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-CApath")) {
-			if (args[1]) {
+				}
+			else
+				badarg = 1;
+			}
+		else if (!strcmp (*args, "-CApath"))
+			{
+			if (args[1])
+				{
 				args++;
 				CApath = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-in")) {
-			if (args[1]) {
+				}
+			else
+				badarg = 1;
+			}
+		else if (!strcmp (*args, "-in"))
+			{
+			if (args[1])
+				{
 				args++;
 				infile = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-inform")) {
-			if (args[1]) {
+				}
+			else
+				badarg = 1;
+			}
+		else if (!strcmp (*args, "-inform"))
+			{
+			if (args[1])
+				{
 				args++;
 				informat = str2fmt(*args);
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-outform")) {
-			if (args[1]) {
+				}
+			else
+				badarg = 1;
+			}
+		else if (!strcmp (*args, "-outform"))
+			{
+			if (args[1])
+				{
 				args++;
 				outformat = str2fmt(*args);
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-out")) {
-			if (args[1]) {
+				}
+			else
+				badarg = 1;
+			}
+		else if (!strcmp (*args, "-out"))
+			{
+			if (args[1])
+				{
 				args++;
 				outfile = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-content")) {
-			if (args[1]) {
+				}
+			else
+				badarg = 1;
+			}
+		else if (!strcmp (*args, "-content"))
+			{
+			if (args[1])
+				{
 				args++;
 				contfile = *args;
-			} else badarg = 1;
-		} else badarg = 1;
+				}
+			else
+				badarg = 1;
+			}
+		else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
+			continue;
+		else
+			badarg = 1;
 		args++;
-	}
+		}
 
-	if(operation == SMIME_SIGN) {
-		if(!signerfile) {
+
+	if (operation == SMIME_SIGN)
+		{
+		if (!signerfile)
+			{
 			BIO_printf(bio_err, "No signer certificate specified\n");
 			badarg = 1;
-		}
+			}
 		need_rand = 1;
-	} else if(operation == SMIME_DECRYPT) {
-		if(!recipfile) {
-			BIO_printf(bio_err, "No recipient certificate and key specified\n");
+		}
+	else if (operation == SMIME_DECRYPT)
+		{
+		if (!recipfile && !keyfile)
+			{
+			BIO_printf(bio_err, "No recipient certificate or key specified\n");
 			badarg = 1;
+			}
 		}
-	} else if(operation == SMIME_ENCRYPT) {
-		if(!*args) {
+	else if (operation == SMIME_ENCRYPT)
+		{
+		if (!*args)
+			{
 			BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
 			badarg = 1;
-		}
+			}
 		need_rand = 1;
-	} else if(!operation) badarg = 1;
+		}
+	else if (!operation)
+		badarg = 1;
 
-	if (badarg) {
+	if (badarg)
+		{
 		BIO_printf (bio_err, "Usage smime [options] cert.pem ...\n");
 		BIO_printf (bio_err, "where options are\n");
 		BIO_printf (bio_err, "-encrypt       encrypt message\n");
@@ -347,121 +458,155 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err,  "               the random number generator\n");
 		BIO_printf (bio_err, "cert.pem       recipient certificate(s) for encryption\n");
 		goto end;
-	}
+		}
 
 #ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
 #endif
 
-	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+	if (!app_passwd(bio_err, passargin, NULL, &passin, NULL))
+		{
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
-	}
+		}
 
-	if (need_rand) {
+	if (need_rand)
+		{
 		app_RAND_load_file(NULL, bio_err, (inrand != NULL));
 		if (inrand != NULL)
 			BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 				app_RAND_load_files(inrand));
-	}
+		}
 
 	ret = 2;
 
-	if(operation != SMIME_SIGN) flags &= ~PKCS7_DETACHED;
+	if (operation != SMIME_SIGN)
+		flags &= ~PKCS7_DETACHED;
 
-	if(operation & SMIME_OP) {
-		if(flags & PKCS7_BINARY) inmode = "rb";
-		if(outformat == FORMAT_ASN1) outmode = "wb";
-	} else {
-		if(flags & PKCS7_BINARY) outmode = "wb";
-		if(informat == FORMAT_ASN1) inmode = "rb";
-	}
+	if (operation & SMIME_OP)
+		{
+		if (flags & PKCS7_BINARY)
+			inmode = "rb";
+		if (outformat == FORMAT_ASN1)
+			outmode = "wb";
+		}
+	else
+		{
+		if (flags & PKCS7_BINARY)
+			outmode = "wb";
+		if (informat == FORMAT_ASN1)
+			inmode = "rb";
+		}
 
-	if(operation == SMIME_ENCRYPT) {
-		if (!cipher) {
+	if (operation == SMIME_ENCRYPT)
+		{
+		if (!cipher)
+			{
 #ifndef OPENSSL_NO_RC2			
 			cipher = EVP_rc2_40_cbc();
 #else
 			BIO_printf(bio_err, "No cipher selected\n");
 			goto end;
 #endif
-		}
+			}
 		encerts = sk_X509_new_null();
-		while (*args) {
-			if(!(cert = load_cert(bio_err,*args,FORMAT_PEM,
-				NULL, e, "recipient certificate file"))) {
+		while (*args)
+			{
+			if (!(cert = load_cert(bio_err,*args,FORMAT_PEM,
+				NULL, e, "recipient certificate file")))
+				{
 #if 0				/* An appropriate message is already printed */
 				BIO_printf(bio_err, "Can't read recipient certificate file %s\n", *args);
 #endif
 				goto end;
-			}
+				}
 			sk_X509_push(encerts, cert);
 			cert = NULL;
 			args++;
+			}
 		}
-	}
 
-	if(signerfile && (operation == SMIME_SIGN)) {
-		if(!(signer = load_cert(bio_err,signerfile,FORMAT_PEM, NULL,
-			e, "signer certificate"))) {
+	if (signerfile && (operation == SMIME_SIGN))
+		{
+		if (!(signer = load_cert(bio_err,signerfile,FORMAT_PEM, NULL,
+			e, "signer certificate")))
+			{
 #if 0			/* An appropri message has already been printed */
 			BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile);
 #endif
 			goto end;
+			}
 		}
-	}
 
-	if(certfile) {
-		if(!(other = load_certs(bio_err,certfile,FORMAT_PEM, NULL,
-			e, "certificate file"))) {
+	if (certfile)
+		{
+		if (!(other = load_certs(bio_err,certfile,FORMAT_PEM, NULL,
+			e, "certificate file")))
+			{
 #if 0			/* An appropriate message has already been printed */
 			BIO_printf(bio_err, "Can't read certificate file %s\n", certfile);
 #endif
 			ERR_print_errors(bio_err);
 			goto end;
+			}
 		}
-	}
 
-	if(recipfile && (operation == SMIME_DECRYPT)) {
-		if(!(recip = load_cert(bio_err,recipfile,FORMAT_PEM,NULL,
-			e, "recipient certificate file"))) {
+	if (recipfile && (operation == SMIME_DECRYPT))
+		{
+		if (!(recip = load_cert(bio_err,recipfile,FORMAT_PEM,NULL,
+			e, "recipient certificate file")))
+			{
 #if 0			/* An appropriate message has alrady been printed */
 			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile);
 #endif
 			ERR_print_errors(bio_err);
 			goto end;
+			}
 		}
-	}
 
-	if(operation == SMIME_DECRYPT) {
-		if(!keyfile) keyfile = recipfile;
-	} else if(operation == SMIME_SIGN) {
-		if(!keyfile) keyfile = signerfile;
-	} else keyfile = NULL;
+	if (operation == SMIME_DECRYPT)
+		{
+		if (!keyfile)
+			keyfile = recipfile;
+		}
+	else if (operation == SMIME_SIGN)
+		{
+		if (!keyfile)
+			keyfile = signerfile;
+		}
+	else keyfile = NULL;
 
-	if(keyfile) {
+	if (keyfile)
+		{
 		key = load_key(bio_err, keyfile, keyform, 0, passin, e,
 			       "signing key file");
-		if (!key) {
+		if (!key)
 			goto end;
-                }
-	}
+		}
 
-	if (infile) {
-		if (!(in = BIO_new_file(infile, inmode))) {
+	if (infile)
+		{
+		if (!(in = BIO_new_file(infile, inmode)))
+			{
 			BIO_printf (bio_err,
 				 "Can't open input file %s\n", infile);
 			goto end;
+			}
 		}
-	} else in = BIO_new_fp(stdin, BIO_NOCLOSE);
+	else
+		in = BIO_new_fp(stdin, BIO_NOCLOSE);
 
-	if (outfile) {
-		if (!(out = BIO_new_file(outfile, outmode))) {
+	if (outfile)
+		{
+		if (!(out = BIO_new_file(outfile, outmode)))
+			{
 			BIO_printf (bio_err,
 				 "Can't open output file %s\n", outfile);
 			goto end;
+			}
 		}
-	} else {
+	else
+		{
 		out = BIO_new_fp(stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
@@ -469,100 +614,133 @@ int MAIN(int argc, char **argv)
 		    out = BIO_push(tmpbio, out);
 		}
 #endif
-	}
+		}
 
-	if(operation == SMIME_VERIFY) {
-		if(!(store = setup_verify(bio_err, CAfile, CApath))) goto end;
-		X509_STORE_set_flags(store, store_flags);
-	}
+	if (operation == SMIME_VERIFY)
+		{
+		if (!(store = setup_verify(bio_err, CAfile, CApath)))
+			goto end;
+		X509_STORE_set_verify_cb_func(store, smime_cb);
+		if (vpm)
+			X509_STORE_set1_param(store, vpm);
+		}
 
 
 	ret = 3;
 
-	if(operation == SMIME_ENCRYPT) {
+	if (operation == SMIME_ENCRYPT)
 		p7 = PKCS7_encrypt(encerts, in, cipher, flags);
-	} else if(operation == SMIME_SIGN) {
+	else if (operation == SMIME_SIGN)
+		{
+		/* If detached data and SMIME output enable partial
+		 * signing.
+		 */
+		if ((flags & PKCS7_DETACHED) && (outformat == FORMAT_SMIME))
+			flags |= PKCS7_STREAM;
 		p7 = PKCS7_sign(signer, key, other, in, flags);
-		if (BIO_reset(in) != 0 && (flags & PKCS7_DETACHED)) {
-		  BIO_printf(bio_err, "Can't rewind input file\n");
-		  goto end;
+		/* Don't need to rewind for partial signing */
+		if (!(flags & PKCS7_STREAM) && (BIO_reset(in) != 0))
+			{
+			BIO_printf(bio_err, "Can't rewind input file\n");
+			goto end;
+			}
 		}
-	} else {
-		if(informat == FORMAT_SMIME) 
+	else
+		{
+		if (informat == FORMAT_SMIME) 
 			p7 = SMIME_read_PKCS7(in, &indata);
-		else if(informat == FORMAT_PEM) 
+		else if (informat == FORMAT_PEM) 
 			p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
-		else if(informat == FORMAT_ASN1) 
+		else if (informat == FORMAT_ASN1) 
 			p7 = d2i_PKCS7_bio(in, NULL);
-		else {
+		else
+			{
 			BIO_printf(bio_err, "Bad input format for PKCS#7 file\n");
 			goto end;
-		}
+			}
 
-		if(!p7) {
+		if (!p7)
+			{
 			BIO_printf(bio_err, "Error reading S/MIME message\n");
 			goto end;
-		}
-		if(contfile) {
+			}
+		if (contfile)
+			{
 			BIO_free(indata);
-			if(!(indata = BIO_new_file(contfile, "rb"))) {
+			if (!(indata = BIO_new_file(contfile, "rb")))
+				{
 				BIO_printf(bio_err, "Can't read content file %s\n", contfile);
 				goto end;
+				}
 			}
 		}
-	}
 
-	if(!p7) {
+	if (!p7)
+		{
 		BIO_printf(bio_err, "Error creating PKCS#7 structure\n");
 		goto end;
-	}
+		}
 
 	ret = 4;
-	if(operation == SMIME_DECRYPT) {
-		if(!PKCS7_decrypt(p7, key, recip, out, flags)) {
+	if (operation == SMIME_DECRYPT)
+		{
+		if (!PKCS7_decrypt(p7, key, recip, out, flags))
+			{
 			BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n");
 			goto end;
+			}
 		}
-	} else if(operation == SMIME_VERIFY) {
+	else if (operation == SMIME_VERIFY)
+		{
 		STACK_OF(X509) *signers;
-		if(PKCS7_verify(p7, other, store, indata, out, flags)) {
+		if (PKCS7_verify(p7, other, store, indata, out, flags))
 			BIO_printf(bio_err, "Verification successful\n");
-		} else {
+		else
+			{
 			BIO_printf(bio_err, "Verification failure\n");
 			goto end;
-		}
+			}
 		signers = PKCS7_get0_signers(p7, other, flags);
-		if(!save_certs(signerfile, signers)) {
+		if (!save_certs(signerfile, signers))
+			{
 			BIO_printf(bio_err, "Error writing signers to %s\n",
 								signerfile);
 			ret = 5;
 			goto end;
-		}
+			}
 		sk_X509_free(signers);
-	} else if(operation == SMIME_PK7OUT) {
+		}
+	else if (operation == SMIME_PK7OUT)
 		PEM_write_bio_PKCS7(out, p7);
-	} else {
-		if(to) BIO_printf(out, "To: %s\n", to);
-		if(from) BIO_printf(out, "From: %s\n", from);
-		if(subject) BIO_printf(out, "Subject: %s\n", subject);
-		if(outformat == FORMAT_SMIME) 
+	else
+		{
+		if (to)
+			BIO_printf(out, "To: %s\n", to);
+		if (from)
+			BIO_printf(out, "From: %s\n", from);
+		if (subject)
+			BIO_printf(out, "Subject: %s\n", subject);
+		if (outformat == FORMAT_SMIME) 
 			SMIME_write_PKCS7(out, p7, in, flags);
-		else if(outformat == FORMAT_PEM) 
+		else if (outformat == FORMAT_PEM) 
 			PEM_write_bio_PKCS7(out,p7);
-		else if(outformat == FORMAT_ASN1) 
+		else if (outformat == FORMAT_ASN1) 
 			i2d_PKCS7_bio(out,p7);
-		else {
+		else
+			{
 			BIO_printf(bio_err, "Bad output format for PKCS#7 file\n");
 			goto end;
+			}
 		}
-	}
 	ret = 0;
 end:
 	if (need_rand)
 		app_RAND_write_file(NULL, bio_err);
-	if(ret) ERR_print_errors(bio_err);
+	if (ret) ERR_print_errors(bio_err);
 	sk_X509_pop_free(encerts, X509_free);
 	sk_X509_pop_free(other, X509_free);
+	if (vpm)
+		X509_VERIFY_PARAM_free(vpm);
 	X509_STORE_free(store);
 	X509_free(cert);
 	X509_free(recip);
@@ -572,20 +750,39 @@ end:
 	BIO_free(in);
 	BIO_free(indata);
 	BIO_free_all(out);
-	if(passin) OPENSSL_free(passin);
+	if (passin) OPENSSL_free(passin);
 	return (ret);
 }
 
 static int save_certs(char *signerfile, STACK_OF(X509) *signers)
-{
+	{
 	int i;
 	BIO *tmp;
-	if(!signerfile) return 1;
+	if (!signerfile)
+		return 1;
 	tmp = BIO_new_file(signerfile, "w");
-	if(!tmp) return 0;
+	if (!tmp) return 0;
 	for(i = 0; i < sk_X509_num(signers); i++)
 		PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
 	BIO_free(tmp);
 	return 1;
-}
+	}
 	
+
+/* Minimal callback just to output policy info (if any) */
+
+static int smime_cb(int ok, X509_STORE_CTX *ctx)
+	{
+	int error;
+
+	error = X509_STORE_CTX_get_error(ctx);
+
+	if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
+		&& ((error != X509_V_OK) || (ok != 2)))
+		return ok;
+
+	policies_print(NULL, ctx);
+
+	return ok;
+
+	}
diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c
index 5ed510ced69b..7082c37ccc15 100644
--- a/crypto/openssl/apps/speed.c
+++ b/crypto/openssl/apps/speed.c
@@ -55,6 +55,19 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * The ECDH and ECDSA speed test software is originally written by 
+ * Sumit Gupta of Sun Microsystems Laboratories.
+ *
+ */
 
 /* most of this code has been pilfered from my libdes speed.c program */
 
@@ -64,6 +77,8 @@
 #define SECONDS		3	
 #define RSA_SECONDS	10
 #define DSA_SECONDS	10
+#define ECDSA_SECONDS   10
+#define ECDH_SECONDS    10
 
 /* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
 /* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
@@ -73,7 +88,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
-#include <signal.h>
+
 #include <string.h>
 #include <math.h>
 #include "apps.h"
@@ -89,6 +104,10 @@
 #include OPENSSL_UNISTD
 #endif
 
+#ifndef OPENSSL_SYS_NETWARE
+#include <signal.h>
+#endif
+
 #if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(OPENSSL_SYS_MACOSX)
 # define USE_TOD
 #elif !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC))
@@ -98,6 +117,12 @@
 # define TIMEB
 #endif
 
+#if defined(OPENSSL_SYS_NETWARE)
+#undef TIMES
+#undef TIMEB
+#include <time.h>
+#endif
+
 #ifndef _IRIX
 # include <time.h>
 #endif
@@ -122,7 +147,7 @@
 #include <sys/timeb.h>
 #endif
 
-#if !defined(TIMES) && !defined(TIMEB) && !defined(USE_TOD) && !defined(OPENSSL_SYS_VXWORKS)
+#if !defined(TIMES) && !defined(TIMEB) && !defined(USE_TOD) && !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_NETWARE)
 #error "It seems neither struct tms nor struct timeb is supported in this platform!"
 #endif
 
@@ -132,6 +157,7 @@
 #include <sys/param.h>
 #endif
 
+#include <openssl/bn.h>
 #ifndef OPENSSL_NO_DES
 #include <openssl/des.h>
 #endif
@@ -184,14 +210,31 @@
 #endif
 #include <openssl/x509.h>
 #ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
 #include "./testdsa.h"
 #endif
+#ifndef OPENSSL_NO_ECDSA
+#include <openssl/ecdsa.h>
+#endif
+#ifndef OPENSSL_NO_ECDH
+#include <openssl/ecdh.h>
+#endif
+
+/*
+ * The following "HZ" timing stuff should be sync'd up with the code in
+ * crypto/tmdiff.[ch]. That appears to try to do the same job, though I think
+ * this code is more up to date than libcrypto's so there may be features to
+ * migrate over first. This is used in two places further down AFAICS. 
+ * The point is that nothing in openssl actually *uses* that tmdiff stuff, so
+ * either speed.c should be using it or it should go because it's obviously not
+ * useful enough. Anyone want to do a janitorial job on this?
+ */
 
 /* The following if from times(3) man page.  It may need to be changed */
 #ifndef HZ
 # if defined(_SC_CLK_TCK) \
      && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000)
-#  define HZ ((double)sysconf(_SC_CLK_TCK))
+#  define HZ sysconf(_SC_CLK_TCK)
 # else
 #  ifndef CLK_TCK
 #   ifndef _BSD_CLK_TCK_ /* FreeBSD hack */
@@ -205,7 +248,7 @@
 # endif
 #endif
 
-#if !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(OPENSSL_SYS_OS2)
+#if !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(OPENSSL_SYS_OS2) && !defined(OPENSSL_SYS_NETWARE)
 # define HAVE_FORK 1
 #endif
 
@@ -219,25 +262,41 @@ static int usertime=1;
 
 static double Time_F(int s);
 static void print_message(const char *s,long num,int length);
-static void pkey_print_message(char *str,char *str2,long num,int bits,int sec);
+static void pkey_print_message(const char *str, const char *str2,
+	long num, int bits, int sec);
 static void print_result(int alg,int run_no,int count,double time_used);
 #ifdef HAVE_FORK
 static int do_multi(int multi);
 #endif
 
-#define ALGOR_NUM	19
+#define ALGOR_NUM	21
 #define SIZE_NUM	5
 #define RSA_NUM		4
 #define DSA_NUM		3
+
+#define EC_NUM       16
+#define MAX_ECDH_SIZE 256
+
 static const char *names[ALGOR_NUM]={
   "md2","mdc2","md4","md5","hmac(md5)","sha1","rmd160","rc4",
   "des cbc","des ede3","idea cbc",
   "rc2 cbc","rc5-32/12 cbc","blowfish cbc","cast cbc",
-  "aes-128 cbc","aes-192 cbc","aes-256 cbc"};
+  "aes-128 cbc","aes-192 cbc","aes-256 cbc","evp","sha256","sha512"};
 static double results[ALGOR_NUM][SIZE_NUM];
 static int lengths[SIZE_NUM]={16,64,256,1024,8*1024};
 static double rsa_results[RSA_NUM][2];
 static double dsa_results[DSA_NUM][2];
+#ifndef OPENSSL_NO_ECDSA
+static double ecdsa_results[EC_NUM][2];
+#endif
+#ifndef OPENSSL_NO_ECDH
+static double ecdh_results[EC_NUM][1];
+#endif
+
+#if defined(OPENSSL_NO_DSA) && !(defined(OPENSSL_NO_ECDSA) && defined(OPENSSL_NO_ECDH))
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+static int rnd_fake = 0;
+#endif
 
 #ifdef SIGALRM
 #if defined(__STDC__) || defined(sgi) || defined(_AIX)
@@ -260,13 +319,39 @@ static SIGRETTYPE sig_done(int sig)
 #define START	0
 #define STOP	1
 
+#if defined(OPENSSL_SYS_NETWARE)
+
+   /* for NetWare the best we can do is use clock() which returns the
+    * time, in hundredths of a second, since the NLM began executing
+   */
+static double Time_F(int s)
+	{
+	double ret;
+
+   static clock_t tstart,tend;
+
+   if (s == START)
+   {
+      tstart=clock();
+      return(0);
+   }
+   else
+   {
+      tend=clock();
+      ret=(double)((double)(tend)-(double)(tstart));
+      return((ret < 0.001)?0.001:ret);
+   }
+   }
+
+#else
+
 static double Time_F(int s)
 	{
 	double ret;
 
 #ifdef USE_TOD
 	if(usertime)
-	    {
+		{
 		static struct rusage tstart,tend;
 
 		getrusage_used = 1;
@@ -321,7 +406,8 @@ static double Time_F(int s)
 		else
 			{
 			times(&tend);
-			ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+			ret = HZ;
+			ret=(double)(tend.tms_utime-tstart.tms_utime) / ret;
 			return((ret < 1e-3)?1e-3:ret);
 			}
 		}
@@ -367,6 +453,25 @@ static double Time_F(int s)
 # endif
 #endif
 	}
+#endif /* if defined(OPENSSL_SYS_NETWARE) */
+
+
+#ifndef OPENSSL_NO_ECDH
+static const int KDF1_SHA1_len = 20;
+static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
+	{
+#ifndef OPENSSL_NO_SHA
+	if (*outlen < SHA_DIGEST_LENGTH)
+		return NULL;
+	else
+		*outlen = SHA_DIGEST_LENGTH;
+	return SHA1(in, inlen, out);
+#else
+	return NULL;
+#endif	/* OPENSSL_NO_SHA */
+	}
+#endif	/* OPENSSL_NO_ECDH */
+
 
 int MAIN(int, char **);
 
@@ -401,6 +506,12 @@ int MAIN(int argc, char **argv)
 #endif
 #ifndef OPENSSL_NO_SHA
 	unsigned char sha[SHA_DIGEST_LENGTH];
+#ifndef OPENSSL_NO_SHA256
+	unsigned char sha256[SHA256_DIGEST_LENGTH];
+#endif
+#ifndef OPENSSL_NO_SHA512
+	unsigned char sha512[SHA512_DIGEST_LENGTH];
+#endif
 #endif
 #ifndef OPENSSL_NO_RIPEMD
 	unsigned char rmd160[RIPEMD160_DIGEST_LENGTH];
@@ -426,6 +537,7 @@ int MAIN(int argc, char **argv)
 	static const unsigned char key16[16]=
 		{0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
 		 0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
+#ifndef OPENSSL_NO_AES
 	static const unsigned char key24[24]=
 		{0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
 		 0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,
@@ -435,6 +547,7 @@ int MAIN(int argc, char **argv)
 		 0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,
 		 0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34,
 		 0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34,0x56};
+#endif
 #ifndef OPENSSL_NO_AES
 #define MAX_BLOCK_SIZE 128
 #else
@@ -473,6 +586,8 @@ int MAIN(int argc, char **argv)
 #define D_CBC_192_AES	16
 #define D_CBC_256_AES	17
 #define D_EVP		18
+#define D_SHA256	19
+#define D_SHA512	20
 	double d=0.0;
 	long c[ALGOR_NUM][SIZE_NUM];
 #define	R_DSA_512	0
@@ -482,6 +597,24 @@ int MAIN(int argc, char **argv)
 #define	R_RSA_1024	1
 #define	R_RSA_2048	2
 #define	R_RSA_4096	3
+
+#define R_EC_P160    0
+#define R_EC_P192    1	
+#define R_EC_P224    2
+#define R_EC_P256    3
+#define R_EC_P384    4
+#define R_EC_P521    5
+#define R_EC_K163    6
+#define R_EC_K233    7
+#define R_EC_K283    8
+#define R_EC_K409    9
+#define R_EC_K571    10
+#define R_EC_B163    11
+#define R_EC_B233    12
+#define R_EC_B283    13
+#define R_EC_B409    14
+#define R_EC_B571    15
+
 #ifndef OPENSSL_NO_RSA
 	RSA *rsa_key[RSA_NUM];
 	long rsa_c[RSA_NUM][2];
@@ -497,8 +630,87 @@ int MAIN(int argc, char **argv)
 	long dsa_c[DSA_NUM][2];
 	static unsigned int dsa_bits[DSA_NUM]={512,1024,2048};
 #endif
+#ifndef OPENSSL_NO_EC
+	/* We only test over the following curves as they are representative, 
+	 * To add tests over more curves, simply add the curve NID
+	 * and curve name to the following arrays and increase the 
+	 * EC_NUM value accordingly. 
+	 */
+	static unsigned int test_curves[EC_NUM] = 
+	{	
+	/* Prime Curves */
+	NID_secp160r1,
+	NID_X9_62_prime192v1,
+	NID_secp224r1,
+	NID_X9_62_prime256v1,
+	NID_secp384r1,
+	NID_secp521r1,
+	/* Binary Curves */
+	NID_sect163k1,
+	NID_sect233k1,
+	NID_sect283k1,
+	NID_sect409k1,
+	NID_sect571k1,
+	NID_sect163r2,
+	NID_sect233r1,
+	NID_sect283r1,
+	NID_sect409r1,
+	NID_sect571r1
+	}; 
+	static const char * test_curves_names[EC_NUM] = 
+	{
+	/* Prime Curves */
+	"secp160r1",
+	"nistp192",
+	"nistp224",
+	"nistp256",
+	"nistp384",
+	"nistp521",
+	/* Binary Curves */
+	"nistk163",
+	"nistk233",
+	"nistk283",
+	"nistk409",
+	"nistk571",
+	"nistb163",
+	"nistb233",
+	"nistb283",
+	"nistb409",
+	"nistb571"
+	};
+	static int test_curves_bits[EC_NUM] =
+        {
+        160, 192, 224, 256, 384, 521,
+        163, 233, 283, 409, 571,
+        163, 233, 283, 409, 571
+        };
+
+#endif
+
+#ifndef OPENSSL_NO_ECDSA
+	unsigned char ecdsasig[256];
+	unsigned int ecdsasiglen;
+	EC_KEY *ecdsa[EC_NUM];
+	long ecdsa_c[EC_NUM][2];
+#endif
+
+#ifndef OPENSSL_NO_ECDH
+	EC_KEY *ecdh_a[EC_NUM], *ecdh_b[EC_NUM];
+	unsigned char secret_a[MAX_ECDH_SIZE], secret_b[MAX_ECDH_SIZE];
+	int secret_size_a, secret_size_b;
+	int ecdh_checks = 0;
+	int secret_idx = 0;
+	long ecdh_c[EC_NUM][2];
+#endif
+
 	int rsa_doit[RSA_NUM];
 	int dsa_doit[DSA_NUM];
+#ifndef OPENSSL_NO_ECDSA
+	int ecdsa_doit[EC_NUM];
+#endif
+#ifndef OPENSSL_NO_ECDH
+        int ecdh_doit[EC_NUM];
+#endif
 	int doit[ALGOR_NUM];
 	int pr_header=0;
 	const EVP_CIPHER *evp_cipher=NULL;
@@ -517,6 +729,17 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_DSA
 	memset(dsa_key,0,sizeof(dsa_key));
 #endif
+#ifndef OPENSSL_NO_ECDSA
+	for (i=0; i<EC_NUM; i++) ecdsa[i] = NULL;
+#endif
+#ifndef OPENSSL_NO_ECDH
+	for (i=0; i<EC_NUM; i++)
+		{
+		ecdh_a[i] = NULL;
+		ecdh_b[i] = NULL;
+		}
+#endif
+
 
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
@@ -555,6 +778,15 @@ int MAIN(int argc, char **argv)
 		rsa_doit[i]=0;
 	for (i=0; i<DSA_NUM; i++)
 		dsa_doit[i]=0;
+#ifndef OPENSSL_NO_ECDSA
+	for (i=0; i<EC_NUM; i++)
+		ecdsa_doit[i]=0;
+#endif
+#ifndef OPENSSL_NO_ECDH
+	for (i=0; i<EC_NUM; i++)
+		ecdh_doit[i]=0;
+#endif
+
 	
 	j=0;
 	argc--;
@@ -662,9 +894,19 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_SHA
 			if (strcmp(*argv,"sha1") == 0) doit[D_SHA1]=1;
 		else
-			if (strcmp(*argv,"sha") == 0) doit[D_SHA1]=1;
+			if (strcmp(*argv,"sha") == 0)	doit[D_SHA1]=1,
+							doit[D_SHA256]=1,
+							doit[D_SHA512]=1;
+		else
+#ifndef OPENSSL_NO_SHA256
+			if (strcmp(*argv,"sha256") == 0) doit[D_SHA256]=1;
 		else
 #endif
+#ifndef OPENSSL_NO_SHA512
+			if (strcmp(*argv,"sha512") == 0) doit[D_SHA512]=1;
+		else
+#endif
+#endif
 #ifndef OPENSSL_NO_RIPEMD
 			if (strcmp(*argv,"ripemd") == 0) doit[D_RMD160]=1;
 		else
@@ -777,6 +1019,54 @@ int MAIN(int argc, char **argv)
 			}
 		else
 #endif
+#ifndef OPENSSL_NO_ECDSA
+		     if (strcmp(*argv,"ecdsap160") == 0) ecdsa_doit[R_EC_P160]=2;
+		else if (strcmp(*argv,"ecdsap192") == 0) ecdsa_doit[R_EC_P192]=2;
+		else if (strcmp(*argv,"ecdsap224") == 0) ecdsa_doit[R_EC_P224]=2;
+		else if (strcmp(*argv,"ecdsap256") == 0) ecdsa_doit[R_EC_P256]=2;
+		else if (strcmp(*argv,"ecdsap384") == 0) ecdsa_doit[R_EC_P384]=2;
+		else if (strcmp(*argv,"ecdsap521") == 0) ecdsa_doit[R_EC_P521]=2;
+		else if (strcmp(*argv,"ecdsak163") == 0) ecdsa_doit[R_EC_K163]=2;
+		else if (strcmp(*argv,"ecdsak233") == 0) ecdsa_doit[R_EC_K233]=2;
+		else if (strcmp(*argv,"ecdsak283") == 0) ecdsa_doit[R_EC_K283]=2;
+		else if (strcmp(*argv,"ecdsak409") == 0) ecdsa_doit[R_EC_K409]=2;
+		else if (strcmp(*argv,"ecdsak571") == 0) ecdsa_doit[R_EC_K571]=2;
+		else if (strcmp(*argv,"ecdsab163") == 0) ecdsa_doit[R_EC_B163]=2;
+		else if (strcmp(*argv,"ecdsab233") == 0) ecdsa_doit[R_EC_B233]=2;
+		else if (strcmp(*argv,"ecdsab283") == 0) ecdsa_doit[R_EC_B283]=2;
+		else if (strcmp(*argv,"ecdsab409") == 0) ecdsa_doit[R_EC_B409]=2;
+		else if (strcmp(*argv,"ecdsab571") == 0) ecdsa_doit[R_EC_B571]=2;
+		else if (strcmp(*argv,"ecdsa") == 0)
+			{
+			for (i=0; i < EC_NUM; i++)
+				ecdsa_doit[i]=1;
+			}
+		else
+#endif
+#ifndef OPENSSL_NO_ECDH
+		     if (strcmp(*argv,"ecdhp160") == 0) ecdh_doit[R_EC_P160]=2;
+		else if (strcmp(*argv,"ecdhp192") == 0) ecdh_doit[R_EC_P192]=2;
+		else if (strcmp(*argv,"ecdhp224") == 0) ecdh_doit[R_EC_P224]=2;
+		else if (strcmp(*argv,"ecdhp256") == 0) ecdh_doit[R_EC_P256]=2;
+		else if (strcmp(*argv,"ecdhp384") == 0) ecdh_doit[R_EC_P384]=2;
+		else if (strcmp(*argv,"ecdhp521") == 0) ecdh_doit[R_EC_P521]=2;
+		else if (strcmp(*argv,"ecdhk163") == 0) ecdh_doit[R_EC_K163]=2;
+		else if (strcmp(*argv,"ecdhk233") == 0) ecdh_doit[R_EC_K233]=2;
+		else if (strcmp(*argv,"ecdhk283") == 0) ecdh_doit[R_EC_K283]=2;
+		else if (strcmp(*argv,"ecdhk409") == 0) ecdh_doit[R_EC_K409]=2;
+		else if (strcmp(*argv,"ecdhk571") == 0) ecdh_doit[R_EC_K571]=2;
+		else if (strcmp(*argv,"ecdhb163") == 0) ecdh_doit[R_EC_B163]=2;
+		else if (strcmp(*argv,"ecdhb233") == 0) ecdh_doit[R_EC_B233]=2;
+		else if (strcmp(*argv,"ecdhb283") == 0) ecdh_doit[R_EC_B283]=2;
+		else if (strcmp(*argv,"ecdhb409") == 0) ecdh_doit[R_EC_B409]=2;
+		else if (strcmp(*argv,"ecdhb571") == 0) ecdh_doit[R_EC_B571]=2;
+		else if (strcmp(*argv,"ecdh") == 0)
+			{
+			for (i=0; i < EC_NUM; i++)
+				ecdh_doit[i]=1;
+			}
+		else
+#endif
 			{
 			BIO_printf(bio_err,"Error: bad option or value\n");
 			BIO_printf(bio_err,"\n");
@@ -799,6 +1089,12 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_SHA1
 			BIO_printf(bio_err,"sha1     ");
 #endif
+#ifndef OPENSSL_NO_SHA256
+			BIO_printf(bio_err,"sha256   ");
+#endif
+#ifndef OPENSSL_NO_SHA512
+			BIO_printf(bio_err,"sha512   ");
+#endif
 #ifndef OPENSSL_NO_RIPEMD160
 			BIO_printf(bio_err,"rmd160");
 #endif
@@ -842,6 +1138,18 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_DSA
 			BIO_printf(bio_err,"dsa512   dsa1024  dsa2048\n");
 #endif
+#ifndef OPENSSL_NO_ECDSA
+			BIO_printf(bio_err,"ecdsap160 ecdsap192 ecdsap224 ecdsap256 ecdsap384 ecdsap521\n");
+			BIO_printf(bio_err,"ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
+			BIO_printf(bio_err,"ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
+			BIO_printf(bio_err,"ecdsa\n");
+#endif
+#ifndef OPENSSL_NO_ECDH
+			BIO_printf(bio_err,"ecdhp160  ecdhp192  ecdhp224  ecdhp256  ecdhp384  ecdhp521\n");
+			BIO_printf(bio_err,"ecdhk163  ecdhk233  ecdhk283  ecdhk409  ecdhk571\n");
+			BIO_printf(bio_err,"ecdhb163  ecdhb233  ecdhb283  ecdhb409  ecdhb571\n");
+			BIO_printf(bio_err,"ecdh\n");
+#endif
 
 #ifndef OPENSSL_NO_IDEA
 			BIO_printf(bio_err,"idea     ");
@@ -983,10 +1291,10 @@ int MAIN(int argc, char **argv)
 	BIO_printf(bio_err,"First we calculate the approximate speed ...\n");
 	count=10;
 	do	{
-		long i;
+		long it;
 		count*=2;
 		Time_F(START);
-		for (i=count; i; i--)
+		for (it=count; it; it--)
 			DES_ecb_encrypt(buf_as_des_cblock,buf_as_des_cblock,
 				&sch,DES_ENCRYPT);
 		d=Time_F(STOP);
@@ -1010,6 +1318,8 @@ int MAIN(int argc, char **argv)
 	c[D_CBC_128_AES][0]=count;
 	c[D_CBC_192_AES][0]=count;
 	c[D_CBC_256_AES][0]=count;
+	c[D_SHA256][0]=count;
+	c[D_SHA512][0]=count;
 
 	for (i=1; i<SIZE_NUM; i++)
 		{
@@ -1020,6 +1330,8 @@ int MAIN(int argc, char **argv)
 		c[D_HMAC][i]=c[D_HMAC][0]*4*lengths[0]/lengths[i];
 		c[D_SHA1][i]=c[D_SHA1][0]*4*lengths[0]/lengths[i];
 		c[D_RMD160][i]=c[D_RMD160][0]*4*lengths[0]/lengths[i];
+		c[D_SHA256][i]=c[D_SHA256][0]*4*lengths[0]/lengths[i];
+		c[D_SHA512][i]=c[D_SHA512][0]*4*lengths[0]/lengths[i];
 		}
 	for (i=1; i<SIZE_NUM; i++)
 		{
@@ -1079,6 +1391,114 @@ int MAIN(int argc, char **argv)
 		}
 #endif
 
+#ifndef OPENSSL_NO_ECDSA
+	ecdsa_c[R_EC_P160][0]=count/1000;
+	ecdsa_c[R_EC_P160][1]=count/1000/2;
+	for (i=R_EC_P192; i<=R_EC_P521; i++)
+		{
+		ecdsa_c[i][0]=ecdsa_c[i-1][0]/2;
+		ecdsa_c[i][1]=ecdsa_c[i-1][1]/2;
+		if ((ecdsa_doit[i] <= 1) && (ecdsa_c[i][0] == 0))
+			ecdsa_doit[i]=0;
+		else
+			{
+			if (ecdsa_c[i] == 0)
+				{
+				ecdsa_c[i][0]=1;
+				ecdsa_c[i][1]=1;
+				}
+			}
+		}
+	ecdsa_c[R_EC_K163][0]=count/1000;
+	ecdsa_c[R_EC_K163][1]=count/1000/2;
+	for (i=R_EC_K233; i<=R_EC_K571; i++)
+		{
+		ecdsa_c[i][0]=ecdsa_c[i-1][0]/2;
+		ecdsa_c[i][1]=ecdsa_c[i-1][1]/2;
+		if ((ecdsa_doit[i] <= 1) && (ecdsa_c[i][0] == 0))
+			ecdsa_doit[i]=0;
+		else
+			{
+			if (ecdsa_c[i] == 0)
+				{
+				ecdsa_c[i][0]=1;
+				ecdsa_c[i][1]=1;
+				}
+			}
+		}
+	ecdsa_c[R_EC_B163][0]=count/1000;
+	ecdsa_c[R_EC_B163][1]=count/1000/2;
+	for (i=R_EC_B233; i<=R_EC_B571; i++)
+		{
+		ecdsa_c[i][0]=ecdsa_c[i-1][0]/2;
+		ecdsa_c[i][1]=ecdsa_c[i-1][1]/2;
+		if ((ecdsa_doit[i] <= 1) && (ecdsa_c[i][0] == 0))
+			ecdsa_doit[i]=0;
+		else
+			{
+			if (ecdsa_c[i] == 0)
+				{
+				ecdsa_c[i][0]=1;
+				ecdsa_c[i][1]=1;
+				}
+			}
+		}
+#endif
+
+#ifndef OPENSSL_NO_ECDH
+	ecdh_c[R_EC_P160][0]=count/1000;
+	ecdh_c[R_EC_P160][1]=count/1000;
+	for (i=R_EC_P192; i<=R_EC_P521; i++)
+		{
+		ecdh_c[i][0]=ecdh_c[i-1][0]/2;
+		ecdh_c[i][1]=ecdh_c[i-1][1]/2;
+		if ((ecdh_doit[i] <= 1) && (ecdh_c[i][0] == 0))
+			ecdh_doit[i]=0;
+		else
+			{
+			if (ecdh_c[i] == 0)
+				{
+				ecdh_c[i][0]=1;
+				ecdh_c[i][1]=1;
+				}
+			}
+		}
+	ecdh_c[R_EC_K163][0]=count/1000;
+	ecdh_c[R_EC_K163][1]=count/1000;
+	for (i=R_EC_K233; i<=R_EC_K571; i++)
+		{
+		ecdh_c[i][0]=ecdh_c[i-1][0]/2;
+		ecdh_c[i][1]=ecdh_c[i-1][1]/2;
+		if ((ecdh_doit[i] <= 1) && (ecdh_c[i][0] == 0))
+			ecdh_doit[i]=0;
+		else
+			{
+			if (ecdh_c[i] == 0)
+				{
+				ecdh_c[i][0]=1;
+				ecdh_c[i][1]=1;
+				}
+			}
+		}
+	ecdh_c[R_EC_B163][0]=count/1000;
+	ecdh_c[R_EC_B163][1]=count/1000;
+	for (i=R_EC_B233; i<=R_EC_B571; i++)
+		{
+		ecdh_c[i][0]=ecdh_c[i-1][0]/2;
+		ecdh_c[i][1]=ecdh_c[i-1][1]/2;
+		if ((ecdh_doit[i] <= 1) && (ecdh_c[i][0] == 0))
+			ecdh_doit[i]=0;
+		else
+			{
+			if (ecdh_c[i] == 0)
+				{
+				ecdh_c[i][0]=1;
+				ecdh_c[i][1]=1;
+				}
+			}
+		}
+#endif
+
 #define COND(d)	(count < (d))
 #define COUNT(d) (d)
 #else
@@ -1188,6 +1608,37 @@ int MAIN(int argc, char **argv)
 			print_result(D_SHA1,j,count,d);
 			}
 		}
+
+#ifndef OPENSSL_NO_SHA256
+	if (doit[D_SHA256])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_SHA256],c[D_SHA256][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_SHA256][j]); count++)
+				SHA256(buf,lengths[j],sha256);
+			d=Time_F(STOP);
+			print_result(D_SHA256,j,count,d);
+			}
+		}
+#endif
+
+#ifndef OPENSSL_NO_SHA512
+	if (doit[D_SHA512])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_SHA512],c[D_SHA512][j],lengths[j]);
+			Time_F(START);
+			for (count=0,run=1; COND(c[D_SHA512][j]); count++)
+				SHA512(buf,lengths[j],sha512);
+			d=Time_F(STOP);
+			print_result(D_SHA512,j,count,d);
+			}
+		}
+#endif
+
 #endif
 #ifndef OPENSSL_NO_RIPEMD
 	if (doit[D_RMD160])
@@ -1605,6 +2056,217 @@ int MAIN(int argc, char **argv)
 		}
 	if (rnd_fake) RAND_cleanup();
 #endif
+
+#ifndef OPENSSL_NO_ECDSA
+	if (RAND_status() != 1) 
+		{
+		RAND_seed(rnd_seed, sizeof rnd_seed);
+		rnd_fake = 1;
+		}
+	for (j=0; j<EC_NUM; j++) 
+		{
+		int ret;
+
+		if (!ecdsa_doit[j]) continue; /* Ignore Curve */ 
+		ecdsa[j] = EC_KEY_new_by_curve_name(test_curves[j]);
+		if (ecdsa[j] == NULL) 
+			{
+			BIO_printf(bio_err,"ECDSA failure.\n");
+			ERR_print_errors(bio_err);
+			rsa_count=1;
+			} 
+		else 
+			{
+#if 1
+			EC_KEY_precompute_mult(ecdsa[j], NULL);
+#endif
+			/* Perform ECDSA signature test */
+			EC_KEY_generate_key(ecdsa[j]);
+			ret = ECDSA_sign(0, buf, 20, ecdsasig, 
+				&ecdsasiglen, ecdsa[j]);
+			if (ret == 0) 
+				{
+				BIO_printf(bio_err,"ECDSA sign failure.  No ECDSA sign will be done.\n");
+				ERR_print_errors(bio_err);
+				rsa_count=1;
+				} 
+			else 
+				{
+				pkey_print_message("sign","ecdsa",
+					ecdsa_c[j][0], 
+					test_curves_bits[j],
+					ECDSA_SECONDS);
+
+				Time_F(START);
+				for (count=0,run=1; COND(ecdsa_c[j][0]);
+					count++) 
+					{
+					ret=ECDSA_sign(0, buf, 20, 
+						ecdsasig, &ecdsasiglen,
+						ecdsa[j]);
+					if (ret == 0) 
+						{
+						BIO_printf(bio_err, "ECDSA sign failure\n");
+						ERR_print_errors(bio_err);
+						count=1;
+						break;
+						}
+					}
+				d=Time_F(STOP);
+
+				BIO_printf(bio_err, mr ? "+R5:%ld:%d:%.2f\n" :
+					"%ld %d bit ECDSA signs in %.2fs \n", 
+					count, test_curves_bits[j], d);
+				ecdsa_results[j][0]=d/(double)count;
+				rsa_count=count;
+				}
+
+			/* Perform ECDSA verification test */
+			ret=ECDSA_verify(0, buf, 20, ecdsasig, 
+				ecdsasiglen, ecdsa[j]);
+			if (ret != 1) 
+				{
+				BIO_printf(bio_err,"ECDSA verify failure.  No ECDSA verify will be done.\n");
+				ERR_print_errors(bio_err);
+				ecdsa_doit[j] = 0;
+				} 
+			else 
+				{
+				pkey_print_message("verify","ecdsa",
+				ecdsa_c[j][1],
+				test_curves_bits[j],
+				ECDSA_SECONDS);
+				Time_F(START);
+				for (count=0,run=1; COND(ecdsa_c[j][1]); count++) 
+					{
+					ret=ECDSA_verify(0, buf, 20, ecdsasig, ecdsasiglen, ecdsa[j]);
+					if (ret != 1) 
+						{
+						BIO_printf(bio_err, "ECDSA verify failure\n");
+						ERR_print_errors(bio_err);
+						count=1;
+						break;
+						}
+					}
+				d=Time_F(STOP);
+				BIO_printf(bio_err, mr? "+R6:%ld:%d:%.2f\n"
+						: "%ld %d bit ECDSA verify in %.2fs\n",
+				count, test_curves_bits[j], d);
+				ecdsa_results[j][1]=d/(double)count;
+				}
+
+			if (rsa_count <= 1) 
+				{
+				/* if longer than 10s, don't do any more */
+				for (j++; j<EC_NUM; j++)
+				ecdsa_doit[j]=0;
+				}
+			}
+		}
+	if (rnd_fake) RAND_cleanup();
+#endif
+
+#ifndef OPENSSL_NO_ECDH
+	if (RAND_status() != 1)
+		{
+		RAND_seed(rnd_seed, sizeof rnd_seed);
+		rnd_fake = 1;
+		}
+	for (j=0; j<EC_NUM; j++)
+		{
+		if (!ecdh_doit[j]) continue;
+		ecdh_a[j] = EC_KEY_new_by_curve_name(test_curves[j]);
+		ecdh_b[j] = EC_KEY_new_by_curve_name(test_curves[j]);
+		if ((ecdh_a[j] == NULL) || (ecdh_b[j] == NULL))
+			{
+			BIO_printf(bio_err,"ECDH failure.\n");
+			ERR_print_errors(bio_err);
+			rsa_count=1;
+			}
+		else
+			{
+			/* generate two ECDH key pairs */
+			if (!EC_KEY_generate_key(ecdh_a[j]) ||
+				!EC_KEY_generate_key(ecdh_b[j]))
+				{
+				BIO_printf(bio_err,"ECDH key generation failure.\n");
+				ERR_print_errors(bio_err);
+				rsa_count=1;		
+				}
+			else
+				{
+				/* If field size is not more than 24 octets, then use SHA-1 hash of result;
+				 * otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt).
+				 */
+				int field_size, outlen;
+				void *(*kdf)(const void *in, size_t inlen, void *out, size_t *xoutlen);
+				field_size = EC_GROUP_get_degree(EC_KEY_get0_group(ecdh_a[j]));
+				if (field_size <= 24 * 8)
+					{
+					outlen = KDF1_SHA1_len;
+					kdf = KDF1_SHA1;
+					}
+				else
+					{
+					outlen = (field_size+7)/8;
+					kdf = NULL;
+					}
+				secret_size_a = ECDH_compute_key(secret_a, outlen,
+					EC_KEY_get0_public_key(ecdh_b[j]),
+					ecdh_a[j], kdf);
+				secret_size_b = ECDH_compute_key(secret_b, outlen,
+					EC_KEY_get0_public_key(ecdh_a[j]),
+					ecdh_b[j], kdf);
+				if (secret_size_a != secret_size_b) 
+					ecdh_checks = 0;
+				else
+					ecdh_checks = 1;
+
+				for (secret_idx = 0; 
+				    (secret_idx < secret_size_a)
+					&& (ecdh_checks == 1);
+				    secret_idx++)
+					{
+					if (secret_a[secret_idx] != secret_b[secret_idx])
+					ecdh_checks = 0;
+					}
+
+				if (ecdh_checks == 0)
+					{
+					BIO_printf(bio_err,"ECDH computations don't match.\n");
+					ERR_print_errors(bio_err);
+					rsa_count=1;		
+					}
+
+				pkey_print_message("","ecdh",
+				ecdh_c[j][0], 
+				test_curves_bits[j],
+				ECDH_SECONDS);
+				Time_F(START);
+				for (count=0,run=1; COND(ecdh_c[j][0]); count++)
+					{
+					ECDH_compute_key(secret_a, outlen,
+					EC_KEY_get0_public_key(ecdh_b[j]),
+					ecdh_a[j], kdf);
+					}
+				d=Time_F(STOP);
+				BIO_printf(bio_err, mr ? "+R7:%ld:%d:%.2f\n" :"%ld %d-bit ECDH ops in %.2fs\n",
+				count, test_curves_bits[j], d);
+				ecdh_results[j][0]=d/(double)count;
+				rsa_count=count;
+				}
+			}
+
+
+		if (rsa_count <= 1)
+			{
+			/* if longer than 10s, don't do any more */
+			for (j++; j<EC_NUM; j++)
+			ecdh_doit[j]=0;
+			}
+		}
+	if (rnd_fake) RAND_cleanup();
+#endif
 #ifdef HAVE_FORK
 show_res:
 #endif
@@ -1645,7 +2307,10 @@ show_res:
 #endif
 #ifdef HZ
 #define as_string(s) (#s)
-		printf("HZ=%g", (double)HZ);
+		{
+		double dbl = HZ;
+		printf("HZ=%g", dbl);
+		}
 # ifdef _SC_CLK_TCK
 		printf(" [sysconf value]");
 # endif
@@ -1706,7 +2371,7 @@ show_res:
 				k,rsa_bits[k],rsa_results[k][0],
 				rsa_results[k][1]);
 		else
-			fprintf(stdout,"rsa %4u bits %8.4fs %8.4fs %8.1f %8.1f\n",
+			fprintf(stdout,"rsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n",
 				rsa_bits[k],rsa_results[k][0],rsa_results[k][1],
 				1.0/rsa_results[k][0],1.0/rsa_results[k][1]);
 		}
@@ -1725,12 +2390,62 @@ show_res:
 			fprintf(stdout,"+F3:%u:%u:%f:%f\n",
 				k,dsa_bits[k],dsa_results[k][0],dsa_results[k][1]);
 		else
-			fprintf(stdout,"dsa %4u bits %8.4fs %8.4fs %8.1f %8.1f\n",
+			fprintf(stdout,"dsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n",
 				dsa_bits[k],dsa_results[k][0],dsa_results[k][1],
 				1.0/dsa_results[k][0],1.0/dsa_results[k][1]);
 		}
 #endif
+#ifndef OPENSSL_NO_ECDSA
+	j=1;
+	for (k=0; k<EC_NUM; k++)
+		{
+		if (!ecdsa_doit[k]) continue;
+		if (j && !mr)
+			{
+			printf("%30ssign    verify    sign/s verify/s\n"," ");
+			j=0;
+			}
+
+		if (mr)
+			fprintf(stdout,"+F4:%u:%u:%f:%f\n", 
+				k, test_curves_bits[k],
+				ecdsa_results[k][0],ecdsa_results[k][1]);
+		else
+			fprintf(stdout,
+				"%4u bit ecdsa (%s) %8.4fs %8.4fs %8.1f %8.1f\n", 
+				test_curves_bits[k],
+				test_curves_names[k],
+				ecdsa_results[k][0],ecdsa_results[k][1], 
+				1.0/ecdsa_results[k][0],1.0/ecdsa_results[k][1]);
+		}
+#endif
+
+
+#ifndef OPENSSL_NO_ECDH
+	j=1;
+	for (k=0; k<EC_NUM; k++)
+		{
+		if (!ecdh_doit[k]) continue;
+		if (j && !mr)
+			{
+			printf("%30sop      op/s\n"," ");
+			j=0;
+			}
+		if (mr)
+			fprintf(stdout,"+F5:%u:%u:%f:%f\n",
+				k, test_curves_bits[k],
+				ecdh_results[k][0], 1.0/ecdh_results[k][0]);
+
+		else
+			fprintf(stdout,"%4u bit ecdh (%s) %8.4fs %8.1f\n",
+				test_curves_bits[k],
+				test_curves_names[k],
+				ecdh_results[k][0], 1.0/ecdh_results[k][0]);
+		}
+#endif
+
 	mret=0;
+
 end:
 	ERR_print_errors(bio_err);
 	if (buf != NULL) OPENSSL_free(buf);
@@ -1745,6 +2460,22 @@ end:
 		if (dsa_key[i] != NULL)
 			DSA_free(dsa_key[i]);
 #endif
+
+#ifndef OPENSSL_NO_ECDSA
+	for (i=0; i<EC_NUM; i++)
+		if (ecdsa[i] != NULL)
+			EC_KEY_free(ecdsa[i]);
+#endif
+#ifndef OPENSSL_NO_ECDH
+	for (i=0; i<EC_NUM; i++)
+	{
+		if (ecdh_a[i] != NULL)
+			EC_KEY_free(ecdh_a[i]);
+		if (ecdh_b[i] != NULL)
+			EC_KEY_free(ecdh_b[i]);
+	}
+#endif
+
 	apps_shutdown();
 	OPENSSL_EXIT(mret);
 	}
@@ -1766,8 +2497,8 @@ static void print_message(const char *s, long num, int length)
 #endif
 	}
 
-static void pkey_print_message(char *str, char *str2, long num, int bits,
-	     int tm)
+static void pkey_print_message(const char *str, const char *str2, long num,
+	int bits, int tm)
 	{
 #ifdef SIGALRM
 	BIO_printf(bio_err,mr ? "+DTP:%d:%s:%s:%d\n"
@@ -1786,11 +2517,12 @@ static void pkey_print_message(char *str, char *str2, long num, int bits,
 
 static void print_result(int alg,int run_no,int count,double time_used)
 	{
-	BIO_printf(bio_err,mr ? "+R:%ld:%s:%f\n"
-		   : "%ld %s's in %.2fs\n",count,names[alg],time_used);
+	BIO_printf(bio_err,mr ? "+R:%d:%s:%f\n"
+		   : "%d %s's in %.2fs\n",count,names[alg],time_used);
 	results[alg][run_no]=((double)count)/time_used*lengths[run_no];
 	}
 
+#ifdef HAVE_FORK
 static char *sstrsep(char **string, const char *delim)
     {
     char isdelim[256];
@@ -1822,7 +2554,6 @@ static char *sstrsep(char **string, const char *delim)
     return token;
     }
 
-#ifdef HAVE_FORK
 static int do_multi(int multi)
 	{
 	int n;
@@ -1946,6 +2677,49 @@ static int do_multi(int multi)
 				else
 					dsa_results[k][1]=d;
 				}
+#ifndef OPENSSL_NO_ECDSA
+			else if(!strncmp(buf,"+F4:",4))
+				{
+				int k;
+				double d;
+				
+				p=buf+4;
+				k=atoi(sstrsep(&p,sep));
+				sstrsep(&p,sep);
+
+				d=atof(sstrsep(&p,sep));
+				if(n)
+					ecdsa_results[k][0]=1/(1/ecdsa_results[k][0]+1/d);
+				else
+					ecdsa_results[k][0]=d;
+
+				d=atof(sstrsep(&p,sep));
+				if(n)
+					ecdsa_results[k][1]=1/(1/ecdsa_results[k][1]+1/d);
+				else
+					ecdsa_results[k][1]=d;
+				}
+#endif 
+
+#ifndef OPENSSL_NO_ECDH
+			else if(!strncmp(buf,"+F5:",4))
+				{
+				int k;
+				double d;
+				
+				p=buf+4;
+				k=atoi(sstrsep(&p,sep));
+				sstrsep(&p,sep);
+
+				d=atof(sstrsep(&p,sep));
+				if(n)
+					ecdh_results[k][0]=1/(1/ecdh_results[k][0]+1/d);
+				else
+					ecdh_results[k][0]=d;
+
+				}
+#endif
+
 			else if(!strncmp(buf,"+H:",3))
 				{
 				}
diff --git a/crypto/openssl/apps/spkac.c b/crypto/openssl/apps/spkac.c
index 47ee53f1eef6..0191d0a783f7 100644
--- a/crypto/openssl/apps/spkac.c
+++ b/crypto/openssl/apps/spkac.c
@@ -87,7 +87,8 @@ int MAIN(int argc, char **argv)
 	int verify=0,noout=0,pubkey=0;
 	char *infile = NULL,*outfile = NULL,*prog;
 	char *passargin = NULL, *passin = NULL;
-	char *spkac = "SPKAC", *spksect = "default", *spkstr = NULL;
+	const char *spkac = "SPKAC", *spksect = "default";
+	char *spkstr = NULL;
 	char *challenge = NULL, *keyfile = NULL;
 	CONF *conf = NULL;
 	NETSCAPE_SPKI *spki = NULL;
@@ -200,7 +201,7 @@ bad:
 		}
 		spki = NETSCAPE_SPKI_new();
 		if(challenge) ASN1_STRING_set(spki->spkac->challenge,
-						 challenge, strlen(challenge));
+						 challenge, (int)strlen(challenge));
 		NETSCAPE_SPKI_set_pubkey(spki, pkey);
 		NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
 		spkstr = NETSCAPE_SPKI_b64_encode(spki);
diff --git a/crypto/openssl/apps/timeouts.h b/crypto/openssl/apps/timeouts.h
new file mode 100644
index 000000000000..89b5dc76f679
--- /dev/null
+++ b/crypto/openssl/apps/timeouts.h
@@ -0,0 +1,67 @@
+/* apps/timeouts.h */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef INCLUDED_TIMEOUTS_H
+#define INCLUDED_TIMEOUTS_H
+
+/* numbers in us */
+#define DGRAM_RCV_TIMEOUT         250000
+#define DGRAM_SND_TIMEOUT         250000
+
+#endif /* ! INCLUDED_TIMEOUTS_H */
diff --git a/crypto/openssl/apps/verify.c b/crypto/openssl/apps/verify.c
index 6a93c018b8ce..9ff32cb06832 100644
--- a/crypto/openssl/apps/verify.c
+++ b/crypto/openssl/apps/verify.c
@@ -79,13 +79,14 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
-	int i,ret=1;
+	int i,ret=1, badarg = 0;
 	int purpose = -1;
 	char *CApath=NULL,*CAfile=NULL;
 	char *untfile = NULL, *trustfile = NULL;
 	STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
 	X509_STORE *cert_ctx=NULL;
 	X509_LOOKUP *lookup=NULL;
+	X509_VERIFY_PARAM *vpm = NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
@@ -121,18 +122,12 @@ int MAIN(int argc, char **argv)
 				if (argc-- < 1) goto end;
 				CAfile= *(++argv);
 				}
-			else if (strcmp(*argv,"-purpose") == 0)
+			else if (args_verify(&argv, &argc, &badarg, bio_err,
+									&vpm))
 				{
-				X509_PURPOSE *xptmp;
-				if (argc-- < 1) goto end;
-				i = X509_PURPOSE_get_by_sname(*(++argv));
-				if(i < 0)
-					{
-					BIO_printf(bio_err, "unrecognized purpose\n");
+				if (badarg)
 					goto end;
-					}
-				xptmp = X509_PURPOSE_get0(i);
-				purpose = X509_PURPOSE_get_id(xptmp);
+				continue;
 				}
 			else if (strcmp(*argv,"-untrusted") == 0)
 				{
@@ -153,14 +148,6 @@ int MAIN(int argc, char **argv)
 #endif
 			else if (strcmp(*argv,"-help") == 0)
 				goto end;
-			else if (strcmp(*argv,"-ignore_critical") == 0)
-				vflags |= X509_V_FLAG_IGNORE_CRITICAL;
-			else if (strcmp(*argv,"-issuer_checks") == 0)
-				vflags |= X509_V_FLAG_CB_ISSUER_CHECK;
-			else if (strcmp(*argv,"-crl_check") == 0)
-				vflags |= X509_V_FLAG_CRL_CHECK;
-			else if (strcmp(*argv,"-crl_check_all") == 0)
-				vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
 			else if (strcmp(*argv,"-verbose") == 0)
 				v_verbose=1;
 			else if (argv[0][0] == '-')
@@ -178,6 +165,9 @@ int MAIN(int argc, char **argv)
         e = setup_engine(bio_err, engine, 0);
 #endif
 
+	if (vpm)
+		X509_STORE_set1_param(cert_ctx, vpm);
+
 	lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file());
 	if (lookup == NULL) abort();
 	if (CAfile) {
@@ -238,6 +228,7 @@ end:
 								X509_PURPOSE_get0_name(ptmp));
 		}
 	}
+	if (vpm) X509_VERIFY_PARAM_free(vpm);
 	if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
 	sk_X509_pop_free(untrusted, X509_free);
 	sk_X509_pop_free(trusted, X509_free);
@@ -339,10 +330,13 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
 
 	if (!ok)
 		{
-		X509_NAME_oneline(
+		if (ctx->current_cert)
+			{
+			X509_NAME_oneline(
 				X509_get_subject_name(ctx->current_cert),buf,
 				sizeof buf);
-		printf("%s\n",buf);
+			printf("%s\n",buf);
+			}
 		printf("error %d at %d depth lookup:%s\n",ctx->error,
 			ctx->error_depth,
 			X509_verify_cert_error_string(ctx->error));
@@ -354,13 +348,21 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
 		if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
 		/* Continue after extension errors too */
 		if (ctx->error == X509_V_ERR_INVALID_CA) ok=1;
+		if (ctx->error == X509_V_ERR_INVALID_NON_CA) ok=1;
 		if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1;
 		if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1;
 		if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
 		if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1;
 		if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1;
 		if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1;
+
+		if (ctx->error == X509_V_ERR_NO_EXPLICIT_POLICY)
+			policies_print(NULL, ctx);
+		return ok;
+
 		}
+	if ((ctx->error == X509_V_OK) && (ok == 2))
+		policies_print(NULL, ctx);
 	if (!v_verbose)
 		ERR_clear_error();
 	return(ok);
diff --git a/crypto/openssl/apps/version.c b/crypto/openssl/apps/version.c
index 0843b67565e7..69ef3e1bad07 100644
--- a/crypto/openssl/apps/version.c
+++ b/crypto/openssl/apps/version.c
@@ -115,6 +115,7 @@
 #include "apps.h"
 #include <openssl/evp.h>
 #include <openssl/crypto.h>
+#include <openssl/bn.h>
 #ifndef OPENSSL_NO_MD2
 # include <openssl/md2.h>
 #endif
@@ -172,7 +173,19 @@ int MAIN(int argc, char **argv)
 			}
 		}
 
-	if (version) printf("%s\n",SSLeay_version(SSLEAY_VERSION));
+	if (version)
+		{
+		if (SSLeay() == SSLEAY_VERSION_NUMBER)
+			{
+			printf("%s\n",SSLeay_version(SSLEAY_VERSION));
+			}
+		else
+			{
+			printf("%s (Library: %s)\n",
+				OPENSSL_VERSION_TEXT,
+				SSLeay_version(SSLEAY_VERSION));
+			}
+		}
 	if (date)    printf("%s\n",SSLeay_version(SSLEAY_BUILT_ON));
 	if (platform) printf("%s\n",SSLeay_version(SSLEAY_PLATFORM));
 	if (options) 
diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c
index dedd9f1a9a48..5f61eb5c467a 100644
--- a/crypto/openssl/apps/x509.c
+++ b/crypto/openssl/apps/x509.c
@@ -73,6 +73,12 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 
 #undef PROG
 #define PROG x509_main
@@ -81,7 +87,7 @@
 #define	POSTFIX	".srl"
 #define DEF_DAYS	30
 
-static char *x509_usage[]={
+static const char *x509_usage[]={
 "usage: x509 args\n",
 " -inform arg     - input format - default PEM (one of DER, NET or PEM)\n",
 " -outform arg    - output format - default PEM (one of DER, NET or PEM)\n",
@@ -92,7 +98,9 @@ static char *x509_usage[]={
 " -out arg        - output file - default stdout\n",
 " -passin arg     - private key password source\n",
 " -serial         - print serial number value\n",
-" -hash           - print hash value\n",
+" -subject_hash   - print subject hash value\n",
+" -issuer_hash    - print issuer hash value\n",
+" -hash           - synonym for -subject_hash\n",
 " -subject        - print subject DN\n",
 " -issuer         - print issuer DN\n",
 " -email          - print email address(es)\n",
@@ -167,19 +175,20 @@ int MAIN(int argc, char **argv)
 	char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
 	char *CAkeyfile=NULL,*CAserial=NULL;
 	char *alias=NULL;
-	int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
-	int next_serial=0,ocspid=0;
+	int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0;
+	int next_serial=0;
+	int subject_hash=0,issuer_hash=0,ocspid=0;
 	int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
 	int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
 	int C=0;
 	int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
 	int pprint = 0;
-	char **pp;
+	const char **pp;
 	X509_STORE *ctx=NULL;
 	X509_REQ *rq=NULL;
 	int fingerprint=0;
 	char buf[256];
-	const EVP_MD *md_alg,*digest=EVP_md5();
+	const EVP_MD *md_alg,*digest=EVP_sha1();
 	CONF *extconf = NULL;
 	char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
 	int need_rand = 0;
@@ -381,8 +390,11 @@ int MAIN(int argc, char **argv)
 			x509req= ++num;
 		else if (strcmp(*argv,"-text") == 0)
 			text= ++num;
-		else if (strcmp(*argv,"-hash") == 0)
-			hash= ++num;
+		else if (strcmp(*argv,"-hash") == 0
+			|| strcmp(*argv,"-subject_hash") == 0)
+			subject_hash= ++num;
+		else if (strcmp(*argv,"-issuer_hash") == 0)
+			issuer_hash= ++num;
 		else if (strcmp(*argv,"-subject") == 0)
 			subject= ++num;
 		else if (strcmp(*argv,"-issuer") == 0)
@@ -598,9 +610,12 @@ bad:
 			sno = ASN1_INTEGER_new();
 			if (!sno || !rand_serial(NULL, sno))
 				goto end;
+			if (!X509_set_serialNumber(x, sno)) 
+				goto end;
+			ASN1_INTEGER_free(sno);
+			sno = NULL;
 			}
-
-		if (!X509_set_serialNumber(x, sno)) 
+		else if (!X509_set_serialNumber(x, sno)) 
 			goto end;
 
 		if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
@@ -694,7 +709,8 @@ bad:
 			else if (serial == i)
 				{
 				BIO_printf(STDout,"serial=");
-				i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber);
+				i2a_ASN1_INTEGER(STDout,
+					X509_get_serialNumber(x));
 				BIO_printf(STDout,"\n");
 				}
 			else if (next_serial == i)
@@ -731,10 +747,14 @@ bad:
 				if (alstr) BIO_printf(STDout,"%s\n", alstr);
 				else BIO_puts(STDout,"<No Alias>\n");
 				}
-			else if (hash == i)
+			else if (subject_hash == i)
 				{
 				BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
 				}
+			else if (issuer_hash == i)
+				{
+				BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x));
+				}
 			else if (pprint == i)
 				{
 				X509_PURPOSE *ptmp;
@@ -896,6 +916,10 @@ bad:
 		                if (Upkey->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
 #endif
+#ifndef OPENSSL_NO_ECDSA
+				if (Upkey->type == EVP_PKEY_EC)
+					digest=EVP_ecdsa();
+#endif
 
 				assert(need_rand);
 				if (!sign(x,Upkey,days,clrext,digest,
@@ -916,6 +940,10 @@ bad:
 		                if (CApkey->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
 #endif
+#ifndef OPENSSL_NO_ECDSA
+				if (CApkey->type == EVP_PKEY_EC)
+					digest = EVP_ecdsa();
+#endif
 				
 				assert(need_rand);
 				if (!x509_certify(ctx,CAfile,digest,x,xca,
@@ -947,6 +975,10 @@ bad:
 		                if (pk->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
 #endif
+#ifndef OPENSSL_NO_ECDSA
+				if (pk->type == EVP_PKEY_EC)
+					digest=EVP_ecdsa();
+#endif
 
 				rq=X509_to_X509_REQ(x,pk,digest);
 				EVP_PKEY_free(pk);
@@ -971,9 +1003,9 @@ bad:
 
 	if (checkend)
 		{
-		time_t tnow=time(NULL);
+		time_t tcheck=time(NULL) + checkoffset;
 
-		if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), tnow+checkoffset) == -1)
+		if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0)
 			{
 			BIO_printf(out,"Certificate will expire\n");
 			ret=1;
@@ -1010,8 +1042,7 @@ bad:
 		ah.data=(char *)x;
 		ah.meth=X509_asn1_meth();
 
-		/* no macro for this one yet */
-		i=ASN1_i2d_bio(i2d_ASN1_HEADER,out,(unsigned char *)&ah);
+		i=ASN1_i2d_bio_of(ASN1_HEADER,i2d_ASN1_HEADER,out,&ah);
 		}
 	else	{
 		BIO_printf(bio_err,"bad output format specified for outfile\n");
diff --git a/crypto/openssl/certs/argena.pem b/crypto/openssl/certs/argena.pem
new file mode 100644
index 000000000000..db730e38dd88
--- /dev/null
+++ b/crypto/openssl/certs/argena.pem
@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIG0zCCBbugAwIBAgIBADANBgkqhkiG9w0BAQUFADCBzDELMAkGA1UEBhMCQVQx
+EDAOBgNVBAgTB0F1c3RyaWExDzANBgNVBAcTBlZpZW5uYTE6MDgGA1UEChMxQVJH
+RSBEQVRFTiAtIEF1c3RyaWFuIFNvY2lldHkgZm9yIERhdGEgUHJvdGVjdGlvbjEl
+MCMGA1UECxMcQS1DRVJUIENlcnRpZmljYXRpb24gU2VydmljZTEYMBYGA1UEAxMP
+QS1DRVJUIEFEVkFOQ0VEMR0wGwYJKoZIhvcNAQkBFg5pbmZvQGEtY2VydC5hdDAe
+Fw0wNDEwMjMxNDE0MTRaFw0xMTEwMjMxNDE0MTRaMIHMMQswCQYDVQQGEwJBVDEQ
+MA4GA1UECBMHQXVzdHJpYTEPMA0GA1UEBxMGVmllbm5hMTowOAYDVQQKEzFBUkdF
+IERBVEVOIC0gQXVzdHJpYW4gU29jaWV0eSBmb3IgRGF0YSBQcm90ZWN0aW9uMSUw
+IwYDVQQLExxBLUNFUlQgQ2VydGlmaWNhdGlvbiBTZXJ2aWNlMRgwFgYDVQQDEw9B
+LUNFUlQgQURWQU5DRUQxHTAbBgkqhkiG9w0BCQEWDmluZm9AYS1jZXJ0LmF0MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3euXIy+mnf6BYKbK+QH5k679
+tUFqeT8jlZxMew8eNiHuw9KoxWBzL6KksK+5uK7Gatw+sbAYntEGE80P+Jg1hADM
+e+Fr5V0bc6QS3gkVtfUCW/RIvfMM39oxvmqJmOgPnJU7H6+nmLtsq61tv9kVJi/2
+4Y5wXW3odet72sF57EoG6s78w0BUVLNcMngS9bZZzmdG3/d6JbkGgoNF/8DcgCBJ
+W/t0JrcIzyppXIOVtUzzOrrU86zuUgT3Rtkl5kjG7DEHpFb9H0fTOY1v8+gRoaO6
+2gA0PCiysgVZjwgVeYe3KAg11nznyleDv198uK3Dc1oXIGYjJx2FpKWUvAuAEwID
+AQABo4ICvDCCArgwHQYDVR0OBBYEFDd/Pj6ZcWDKJNSRE3nQdCm0qCTYMIH5BgNV
+HSMEgfEwge6AFDd/Pj6ZcWDKJNSRE3nQdCm0qCTYoYHSpIHPMIHMMQswCQYDVQQG
+EwJBVDEQMA4GA1UECBMHQXVzdHJpYTEPMA0GA1UEBxMGVmllbm5hMTowOAYDVQQK
+EzFBUkdFIERBVEVOIC0gQXVzdHJpYW4gU29jaWV0eSBmb3IgRGF0YSBQcm90ZWN0
+aW9uMSUwIwYDVQQLExxBLUNFUlQgQ2VydGlmaWNhdGlvbiBTZXJ2aWNlMRgwFgYD
+VQQDEw9BLUNFUlQgQURWQU5DRUQxHTAbBgkqhkiG9w0BCQEWDmluZm9AYS1jZXJ0
+LmF0ggEAMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgHmMEcGA1UdJQRAMD4G
+CCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcD
+CAYKKwYBBAGCNwoDBDARBglghkgBhvhCAQEEBAMCAP8wUQYDVR0gBEowSDBGBggq
+KAAYAQEBAzA6MDgGCCsGAQUFBwIBFixodHRwOi8vd3d3LmEtY2VydC5hdC9jZXJ0
+aWZpY2F0ZS1wb2xpY3kuaHRtbDA7BglghkgBhvhCAQgELhYsaHR0cDovL3d3dy5h
+LWNlcnQuYXQvY2VydGlmaWNhdGUtcG9saWN5Lmh0bWwwGQYDVR0RBBIwEIEOaW5m
+b0BhLWNlcnQuYXQwLwYDVR0SBCgwJoEOaW5mb0BhLWNlcnQuYXSGFGh0dHA6Ly93
+d3cuYS1jZXJ0LmF0MEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHBzOi8vc2VjdXJlLmEt
+Y2VydC5hdC9jZ2ktYmluL2EtY2VydC1hZHZhbmNlZC5jZ2kwDQYJKoZIhvcNAQEF
+BQADggEBACX1IvgfdG2rvfv35O48vSEvcVaEdlN8USFBHWz3JRAozgzvaBtwHkjK
+Zwt5l/BWOtjbvHfRjDt7ijlBEcxOOrNC1ffyMHwHrXpvff6YpQ5wnxmIYEQcURiG
+HMqruEX0WkuDNgSKwefsgXs27eeBauHgNGVcTYH1rmHu/ZyLpLxOyJQ2PCzA1DzW
+3rWkIX92ogJ7lTRdWrbxwUL1XGinxnnaQ74+/y0pI9JNEv7ic2tpkweRMpkedaLW
+msC1+orfKTebsg69aMaCx7o6jNONRmR/7TVaPf8/k6g52cHZ9YWjQvup22b5rWxG
+J5r5LZ4vCPmF4+T4lutjUYAa/lGuQTg=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/argeng.pem b/crypto/openssl/certs/argeng.pem
new file mode 100644
index 000000000000..621e30e208ca
--- /dev/null
+++ b/crypto/openssl/certs/argeng.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAyygAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmDELMAkGA1UEBhMCQVQx
+EDAOBgNVBAgTB0F1c3RyaWExDzANBgNVBAcTBlZpZW5uYTFCMEAGA1UEChM5QXJn
+ZSBEYXRlbiBPZXN0ZXJyZWljaGlzY2hlIEdlc2VsbHNjaGFmdCBmdWVyIERhdGVu
+c2NodXR6MSIwIAYJKoZIhvcNAQkBFhNhLWNlcnRAYXJnZWRhdGVuLmF0MB4XDTAx
+MDIxMjExMzAzMFoXDTA5MDIxMjExMzAzMFowgZgxCzAJBgNVBAYTAkFUMRAwDgYD
+VQQIEwdBdXN0cmlhMQ8wDQYDVQQHEwZWaWVubmExQjBABgNVBAoTOUFyZ2UgRGF0
+ZW4gT2VzdGVycmVpY2hpc2NoZSBHZXNlbGxzY2hhZnQgZnVlciBEYXRlbnNjaHV0
+ejEiMCAGCSqGSIb3DQEJARYTYS1jZXJ0QGFyZ2VkYXRlbi5hdDCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAwgsHqoNtmmrJ86+e1I4hOVBaL4kokqKN2IPOIL+1
+XwY8vfOOUfPEdhWpaC0ldt7VYrksgDiUccgH0FROANWK2GkfKMDzjjXHysR04uEb
+Om7Kqjqn0nproOGkFG+QvBZgs+Ws+HXNFJA6V76fU4+JXq4452LSK4Lr5YcBquu3
+NJECAwEAAaOCARkwggEVMB0GA1UdDgQWBBQ0j59zH/G31zRjgK1y2P//tSAWZjCB
+xQYDVR0jBIG9MIG6gBQ0j59zH/G31zRjgK1y2P//tSAWZqGBnqSBmzCBmDELMAkG
+A1UEBhMCQVQxEDAOBgNVBAgTB0F1c3RyaWExDzANBgNVBAcTBlZpZW5uYTFCMEAG
+A1UEChM5QXJnZSBEYXRlbiBPZXN0ZXJyZWljaGlzY2hlIEdlc2VsbHNjaGFmdCBm
+dWVyIERhdGVuc2NodXR6MSIwIAYJKoZIhvcNAQkBFhNhLWNlcnRAYXJnZWRhdGVu
+LmF0ggEAMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQE
+AwICBDANBgkqhkiG9w0BAQQFAAOBgQBFuJYncqMYB6gXQS3eDOI90BEHfFTKy/dV
+AV+K7QdAYikWmqgBheRdPKddJdccPy/Zl/p3ZT7GhDyC5f3wZjcuu8AJ27BNwbCA
+x54dgxgCNcyPm79nY8MRtEdEpoRGdSsFKJemz6hpXM++MWFciyrRWIIA44XB0Gv3
+US0spjsDPQ==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/demo/ca-cert.pem b/crypto/openssl/certs/demo/ca-cert.pem
new file mode 100644
index 000000000000..bcba68aefad4
--- /dev/null
+++ b/crypto/openssl/certs/demo/ca-cert.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAk6gAwIBAgIBATANBgkqhkiG9w0BAQQFADBcMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKUXVlZW5zbGFuZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQx
+HDAaBgNVBAMTE1Rlc3QgUENBICgxMDI0IGJpdCkwHhcNOTkxMjAyMjEzODUxWhcN
+MDUwNzEwMjEzODUxWjBbMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFu
+ZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxGzAZBgNVBAMTElRlc3QgQ0Eg
+KDEwMjQgYml0KTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo7ujy3XXpU/p
+yDJtOxkMJmGv3mdiVm7JrdoKLUgqjO2rBaeNuYMUiuI6oYU+tlD6agwRML0Pn2JF
+b90VdK/UXrmRr9djaEuH17EIKjte5RwOzndCndsjcCYyoeODMTyg7dqPIkDMmRNM
+5R5xBTabD+Aji0wzQupYxBLuW5PLj7ECAwEAAaOBtzCBtDAdBgNVHQ4EFgQU1WWA
+U42mkhi3ecgey1dsJjU61+UwgYQGA1UdIwR9MHuAFE0RaEcrj18q1dw+G6nJbsTW
+R213oWCkXjBcMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
+A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxHDAaBgNVBAMTE1Rlc3QgUENBICgxMDI0
+IGJpdCmCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBb39BRphHL
+6aRAQyymsvBvPSCiG9+kR0R1L23aTpNbhXp2BebyFjbEQYZc2kWGiKKcHkNECA35
+3d4LoqUlVey8DFyafOIJd9hxdZfg+rxlHMxnL7uCJRmx9+xB411Jtsol9/wg1uCK
+sleGpgB4j8cG2SVCz7V2MNZNK+d5QCnR7A==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
+gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
+2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
+AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
+hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
+J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
+HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
+21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
+nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
+MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
+pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
+KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
+XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/certs/demo/dsa-ca.pem b/crypto/openssl/certs/demo/dsa-ca.pem
new file mode 100644
index 000000000000..9eb08f3ddd45
--- /dev/null
+++ b/crypto/openssl/certs/demo/dsa-ca.pem
@@ -0,0 +1,43 @@
+-----BEGIN DSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,C5B6C7CC9E1FE2C0
+
+svCXBcBRhMuU22UXOfiKZA+thmz6KYXpt1Yg5Rd+TYQcQ1MdvNy0B0tkP1SxzDq0
+Xh1eMeTML9/9/0rKakgNXXXbpi5RB8t6BmwRSyej89F7nn1mtR3qzoyPRpp15SDl
+Tn67C+2v+HDF3MFk88hiNCYkNbcmi7TWvChsl8N1r7wdZwtIox56yXdgxw6ZIpa/
+par0oUCzN7fiavPgCWz1kfPNSaBQSdxwH7TZi5tMHAr0J3C7a7QRnZfE09R59Uqr
+zslrq+ndIw1BZAxoY0SlBu+iFOVaBVlwToC4AsHkv7j7l8ITtr7f42YbBa44D9TO
+uOhONmkk/v3Fso4RaOEzdKZC+hnmmzvHs6TiTWm6yzJgSFwyOUK0eGmKEeVxpcH5
+rUOlHOwzen+FFtocZDZAfdFnb7QY7L/boQvyA5A+ZbRG4DUpmBQeQsSaICHM5Rxx
+1QaLF413VNPXTLPbW0ilSc2H8x2iZTIVKfd33oSO6NhXPtSYQgfecEF4BvNHY5c4
+HovjT4mckbK95bcBzoCHu43vuSQkmZzdYo/ydSZt6zoPavbBLueTpgSbdXiDi827
+MVqOsYxGCb+kez0FoDSTgw==
+-----END DSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE REQUEST-----
+MIICUjCCAhECAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCQ0Ew
+ggG0MIIBKQYFKw4DAgwwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaW
+sxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5m
+rmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHk
+cJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVo
+bzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqR
+CZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxB
+F5WS6wG1c6Vqftgy7Q4CuAOBhAACgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuH
+vSLw9YUrJahcBHmbpvt494lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUq
+AylOVFJJJXuirVJ+o+0TtOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u
+3enxhqnDGaAAMAkGBSsOAwIbBQADMAAwLQIVAJGVuFsG/0DBuSZ0jF7ypdU0/G0v
+AhQfeF5BoMMDbX/kidUVpQ6gadPlZA==
+-----END CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE-----
+MIIBrjCCAWwCAQswCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
+CgYDVQQDEwNQQ0EwHhcNOTcwNjE1MDIxNDI5WhcNOTcwNzE1MDIxNDI5WjBSMQsw
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDEwJDQTCBkjAJBgUrDgMCDAUAA4GE
+AAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfsi4e9IvD1hSslqFwEeZum+3j3iUXi
+ALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj25SoDKU5UUkkle6KtUn6j7RO04UMh
+MQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17ry7d6fGGqcMZMAkGBSsOAwIbBQAD
+MQAwLgIVAJ4wtQsANPxHo7Q4IQZYsL12SKdbAhUAjJ9n38zxT+iai2164xS+LIfa
+C1Q=
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/certs/demo/dsa-pca.pem b/crypto/openssl/certs/demo/dsa-pca.pem
new file mode 100644
index 000000000000..e3641ad47e6b
--- /dev/null
+++ b/crypto/openssl/certs/demo/dsa-pca.pem
@@ -0,0 +1,49 @@
+-----BEGIN DSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,F80EEEBEEA7386C4
+
+GZ9zgFcHOlnhPoiSbVi/yXc9mGoj44A6IveD4UlpSEUt6Xbse3Fr0KHIUyQ3oGnS
+mClKoAp/eOTb5Frhto85SzdsxYtac+X1v5XwdzAMy2KowHVk1N8A5jmE2OlkNPNt
+of132MNlo2cyIRYaa35PPYBGNCmUm7YcYS8O90YtkrQZZTf4+2C4kllhMcdkQwkr
+FWSWC8YOQ7w0LHb4cX1FejHHom9Nd/0PN3vn3UyySvfOqoR7nbXkrpHXmPIr0hxX
+RcF0aXcV/CzZ1/nfXWQf4o3+oD0T22SDoVcZY60IzI0oIc3pNCbDV3uKNmgekrFd
+qOUJ+QW8oWp7oefRx62iBfIeC8DZunohMXaWAQCU0sLQOR4yEdeUCnzCSywe0bG1
+diD0KYaEe+Yub1BQH4aLsBgDjardgpJRTQLq0DUvw0/QGO1irKTJzegEDNVBKrVn
+V4AHOKT1CUKqvGNRP1UnccUDTF6miOAtaj/qpzra7sSk7dkGBvIEeFoAg84kfh9h
+hVvF1YyzC9bwZepruoqoUwke/WdNIR5ymOVZ/4Liw0JdIOcq+atbdRX08niqIRkf
+dsZrUj4leo3zdefYUQ7w4N2Ns37yDFq7
+-----END DSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE REQUEST-----
+MIICVTCCAhMCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAxMDUENB
+MIIBtTCCASkGBSsOAwIMMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2G
+lrMV4FMuj+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7O
+Zq5riDb77Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR
+5HCVW1DNSQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnl
+aG8w42nh5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6
+kQmdtvFNnFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15Als
+QReVkusBtXOlan7YMu0OArgDgYUAAoGBAKbtuR5AdW+ICjCFe2ixjUiJJzM2IKwe
+6NZEMXg39+HQ1UTPTmfLZLps+rZfolHDXuRKMXbGFdSF0nXYzotPCzi7GauwEJTZ
+yr27ZZjA1C6apGSQ9GzuwNvZ4rCXystVEagAS8OQ4H3D4dWS17Zg31ICb5o4E5r0
+z09o/Uz46u0VoAAwCQYFKw4DAhsFAAMxADAuAhUArRubTxsbIXy3AhtjQ943AbNB
+nSICFQCu+g1iW3jwF+gOcbroD4S/ZcvB3w==
+-----END CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE-----
+MIIC0zCCApECAQAwCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
+CgYDVQQDEwNQQ0EwHhcNOTcwNjE0MjI1NDQ1WhcNOTcwNzE0MjI1NDQ1WjBTMQsw
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNQQ0EwggG1MIIBKQYFKw4DAgww
+ggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaWsxXgUy6P4FmCc5A+dTGZ
+R3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5mrmuINvvsKNzC16W75Sw5
+JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHkcJVbUM1JAhUA9wcx7fps
+BgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVobzDjaeHls12YuyiGSPze
+mQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqRCZ228U2cVA9YBu5JdAfO
+VX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxBF5WS6wG1c6Vqftgy7Q4C
+uAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
+umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
+29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUwCQYFKw4D
+AhsFAAMxADAuAhUAvtv6AkMolix1Jvy3UnVEIUqdCUICFQC+jq8P49mwrY9oJ24n
+5rKUjNBhSg==
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/certs/demo/nortelCA.pem b/crypto/openssl/certs/demo/nortelCA.pem
new file mode 100644
index 000000000000..207f34ab3a7d
--- /dev/null
+++ b/crypto/openssl/certs/demo/nortelCA.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICajCCAdMCBDGA0QUwDQYJKoZIhvcNAQEEBQAwfTELMAkGA1UEBhMCQ2ExDzAN
+BgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmlsaXR5IEFjY2VwdGVkMR8w
+HQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRwwGgYDVQQDExNFbnRydXN0
+IERlbW8gV2ViIENBMB4XDTk2MDQyNjEzMzUwMVoXDTA2MDQyNjEzMzUwMVowfTEL
+MAkGA1UEBhMCQ2ExDzANBgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmls
+aXR5IEFjY2VwdGVkMR8wHQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRww
+GgYDVQQDExNFbnRydXN0IERlbW8gV2ViIENBMIGdMA0GCSqGSIb3DQEBAQUAA4GL
+ADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nqOmzEnk291d1XqznDeF4wEgakbkCc
+zTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn0wGC+AI00F2vYTGqPGRQL1N3lZT0
+YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIMpNkka8PY9lxHZAmWwQIBAzANBgkq
+hkiG9w0BAQQFAAOBgQBAx0UMVA1s54lMQyXjMX5kj99FJN5itb8bK1Rk+cegPQPF
+cWO9SEWyEjjBjIkjjzAwBkaEszFsNGxemxtXvwjIm1xEUMTVlPEWTs2qnDvAUA9W
+YqhWbhH0toGT36236QAsqCZ76rbTRVSSX2BHyJwJMG2tCRv7kRJ//NIgxj3H4w==
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/certs/demo/pca-cert.pem b/crypto/openssl/certs/demo/pca-cert.pem
new file mode 100644
index 000000000000..9d754d460d57
--- /dev/null
+++ b/crypto/openssl/certs/demo/pca-cert.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAk+gAwIBAgIBADANBgkqhkiG9w0BAQQFADBcMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKUXVlZW5zbGFuZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQx
+HDAaBgNVBAMTE1Rlc3QgUENBICgxMDI0IGJpdCkwHhcNOTkxMjAyMjEzNTQ4WhcN
+MDUwNzExMjEzNTQ4WjBcMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFu
+ZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxHDAaBgNVBAMTE1Rlc3QgUENB
+ICgxMDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2haT/f5Zwy
+V+MiuSDjSR62adBoSiBB7Usty44lXqsp9RICw+DCCxpsn/CfxPEDXLLd4olsWXc6
+JRcxGynbYmnzk+Z6aIPPJQhK3CTvaqGnWKZsA1m+WaUIUqJCuNTK4N+7hMAGaf6S
+S3e9HVgEQ4a34gXJ7VQFVIBNV1EnZRWHAgMBAAGjgbcwgbQwHQYDVR0OBBYEFE0R
+aEcrj18q1dw+G6nJbsTWR213MIGEBgNVHSMEfTB7gBRNEWhHK49fKtXcPhupyW7E
+1kdtd6FgpF4wXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
+BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAoMTAy
+NCBiaXQpggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAUa8B3pho
++Mvxeq9HsEzJxHIFQla05S5J/e/V+DQTYoKiRFchKPrDAdrzYSEvP3h4QJEtsNqQ
+JfOxg5M42uLFq7aPGWkF6ZZqZsYS+zA9IVT14g7gNA6Ne+5QtJqQtH9HA24st0T0
+Tga/lZ9M2ovImovaxSL/kRHbpCWcqWVxpOw=
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
+wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
+vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
+AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
+z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
+xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
+HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
+yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
+xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
+7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
+h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
+QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
+hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/certs/demo/timCA.pem b/crypto/openssl/certs/demo/timCA.pem
new file mode 100644
index 000000000000..9c8d5bf9c690
--- /dev/null
+++ b/crypto/openssl/certs/demo/timCA.pem
@@ -0,0 +1,16 @@
+Tims test GCI CA
+
+-----BEGIN CERTIFICATE-----
+MIIB8DCCAZoCAQAwDQYJKoZIhvcNAQEEBQAwgYIxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
+cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2RldmVsb3BtZW50MRkwFwYDVQQDExBD
+cnlwdFNvZnQgRGV2IENBMB4XDTk3MDMyMjEzMzQwNFoXDTk4MDMyMjEzMzQwNFow
+gYIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhC
+cmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2Rl
+dmVsb3BtZW50MRkwFwYDVQQDExBDcnlwdFNvZnQgRGV2IENBMFwwDQYJKoZIhvcN
+AQEBBQADSwAwSAJBAOAOAqogG5QwAmLhzyO4CoRnx/wVy4NZP4dxJy83O1EnL0rw
+OdsamJKvPOLHgSXo3gDu9uVyvCf/QJmZAmC5ml8CAwEAATANBgkqhkiG9w0BAQQF
+AANBADRRS/GVdd7rAqRW6SdmgLJduOU2yq3avBu99kRqbp9A/dLu6r6jU+eP4oOA
+TfdbFZtAAD2Hx9jUtY3tfdrJOb8= 
+-----END CERTIFICATE-----
+
diff --git a/crypto/openssl/certs/demo/tjhCA.pem b/crypto/openssl/certs/demo/tjhCA.pem
new file mode 100644
index 000000000000..67bee1b20018
--- /dev/null
+++ b/crypto/openssl/certs/demo/tjhCA.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICVjCCAgACAQAwDQYJKoZIhvcNAQEEBQAwgbUxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
+cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsTI1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9O
+IEFVVEhPUklUSUVTMTQwMgYDVQQDEytaRVJPIFZBTFVFIENBIC0gREVNT05TVFJB
+VElPTiBQVVJQT1NFUyBPTkxZMB4XDTk3MDQwMzEzMjI1NFoXDTk4MDQwMzEzMjI1
+NFowgbUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
+EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsT
+I1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9OIEFVVEhPUklUSUVTMTQwMgYDVQQDEyta
+RVJPIFZBTFVFIENBIC0gREVNT05TVFJBVElPTiBQVVJQT1NFUyBPTkxZMFwwDQYJ
+KoZIhvcNAQEBBQADSwAwSAJBAOZ7T7yqP/tyspcko3yPY1y0Cm2EmwNvzW4QgVXR
+Fjs3HmJ4xtSpXdo6mwcGezL3Abt/aQXaxv9PU8xt+Jr0OFUCAwEAATANBgkqhkiG
+9w0BAQQFAANBAOQpYmGgyCqCy1OljgJhCqQOu627oVlHzK1L+t9vBaMfn40AVUR4
+WzQVWO31KTgi5vTK1U+3h46fgUWqQ0h+6rU=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/demo/vsigntca.pem b/crypto/openssl/certs/demo/vsigntca.pem
new file mode 100644
index 000000000000..05acf76e66c6
--- /dev/null
+++ b/crypto/openssl/certs/demo/vsigntca.pem
@@ -0,0 +1,18 @@
+subject=/O=VeriSign, Inc/OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD./OU=For VeriSign authorized testing only. No assurances (C)VS1997
+notBefore=Mar  4 00:00:00 1997 GMT
+notAfter=Mar  4 23:59:59 2025 GMT
+-----BEGIN CERTIFICATE-----
+MIICTTCCAfcCEEdoCqpuXxnoK27q7d58Qc4wDQYJKoZIhvcNAQEEBQAwgakxFjAU
+BgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20v
+cmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYw
+RAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0aW5nIG9ubHkuIE5v
+IGFzc3VyYW5jZXMgKEMpVlMxOTk3MB4XDTk3MDMwNDAwMDAwMFoXDTI1MDMwNDIz
+NTk1OVowgakxFjAUBgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52
+ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBM
+aWFiLiBMVEQuMUYwRAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0
+aW5nIG9ubHkuIE5vIGFzc3VyYW5jZXMgKEMpVlMxOTk3MFwwDQYJKoZIhvcNAQEB
+BQADSwAwSAJBAMak6xImJx44jMKcbkACy5/CyMA2fqXK4PlzTtCxRq5tFkDzne7s
+cI8oFK/J+gFZNE3bjidDxf07O3JOYG9RGx8CAwEAATANBgkqhkiG9w0BAQQFAANB
+ADT523tENOKrEheZFpsJx1UUjPrG7TwYc/C4NBHrZI4gZJcKVFIfNulftVS6UMYW
+ToLEMaUojc3DuNXHG21PDG8=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/expired/RegTP-4R.pem b/crypto/openssl/certs/expired/RegTP-4R.pem
new file mode 100644
index 000000000000..6f2c6abccd6c
--- /dev/null
+++ b/crypto/openssl/certs/expired/RegTP-4R.pem
@@ -0,0 +1,19 @@
+issuer= CN=4R-CA 1:PN+0.2.262.1.10.7.20=#130131,O=Regulierungsbeh\C3\88orde f\C3\88ur Telekommunikation und Post,C=DE
+notBefore=Jan 21 16:04:53 1999 GMT
+notAfter=Jan 21 16:04:53 2004 GMT
+subject= CN=4R-CA 1:PN+0.2.262.1.10.7.20=#130131,O=Regulierungsbeh\C3\88orde f\C3\88ur Telekommunikation und Post,C=DE
+-----BEGIN CERTIFICATE-----
+MIICZzCCAdOgAwIBAgIEOwVn1DAKBgYrJAMDAQIFADBvMQswCQYDVQQGEwJERTE9
+MDsGA1UEChQ0UmVndWxpZXJ1bmdzYmVoyG9yZGUgZsh1ciBUZWxla29tbXVuaWth
+dGlvbiB1bmQgUG9zdDEhMAwGBwKCBgEKBxQTATEwEQYDVQQDFAo0Ui1DQSAxOlBO
+MCIYDzE5OTkwMTIxMTYwNDUzWhgPMjAwNDAxMjExNjA0NTNaMG8xCzAJBgNVBAYT
+AkRFMT0wOwYDVQQKFDRSZWd1bGllcnVuZ3NiZWjIb3JkZSBmyHVyIFRlbGVrb21t
+dW5pa2F0aW9uIHVuZCBQb3N0MSEwDAYHAoIGAQoHFBMBMTARBgNVBAMUCjRSLUNB
+IDE6UE4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGAjzHbq2asUlqeWbXTQHso
+aVF6YIPVH3c/B2cbuy9HJ/lnE6x0asOzM2DGDqi47xkdAxPc0LZ0fxO87rkmz7xs
+jJObnVrMXpyUSDSp5Y0wqKJdsFdr6mGFOQZteIti8AJnr8xMkwnWVyuOlEXsFe1h
+5gxwQXrOcPinE6qu1t/3PmECBMAAAAGjEjAQMA4GA1UdDwEB/wQEAwIBBjAKBgYr
+JAMDAQIFAAOBgQA+RdocBmA2VV9E5aKPBcp01tdZAvvW9Tve3docArVKR/4/yvSX
+Z+wvzzk+uu4qBp49HN3nqPYMrzbTmjBFu4ce5fkZ7dHF0W1sSBL0rox5z36Aq2re
+JjfEOEmSnNe0+opuh4FSVOssXblXTE8lEQU0FhhItgDx2ADnWZibaxLG4w==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/expired/factory.pem b/crypto/openssl/certs/expired/factory.pem
new file mode 100644
index 000000000000..8e28b391b2f3
--- /dev/null
+++ b/crypto/openssl/certs/expired/factory.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICTTCCAbagAwIBAgIBADANBgkqhkiG9w0BAQQFADBMMQswCQYDVQQGEwJHQjEM
+MAoGA1UEChMDVUNMMRgwFgYDVQQLEw9JQ0UtVEVMIFByb2plY3QxFTATBgNVBAMT
+DFRydXN0RmFjdG9yeTAeFw05NzA0MjIxNDM5MTRaFw05ODA0MjIxNDM5MTRaMEwx
+CzAJBgNVBAYTAkdCMQwwCgYDVQQKEwNVQ0wxGDAWBgNVBAsTD0lDRS1URUwgUHJv
+amVjdDEVMBMGA1UEAxMMVHJ1c3RGYWN0b3J5MIGcMAoGBFUIAQECAgQAA4GNADCB
+iQKBgQCEieR8NcXkUW1f0G6aC6u0i8q/98JqS6RxK5YmHIGKCkuTWAUjzLfUa4dt
+U9igGCjTuxaDqlzEim+t/02pmiBZT9HaX++35MjQPUWmsChcYU5WyzGErXi+rQaw
+zlwS73zM8qiPj/97lXYycWhgL0VaiDSPxRXEUdWoaGruom4mNQIDAQABo0IwQDAd
+BgNVHQ4EFgQUHal1LZr7oVg5z6lYzrhTgZRCmcUwDgYDVR0PAQH/BAQDAgH2MA8G
+A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAfaggfl6FZoioecjv0dq8
+/DXo/u11iMZvXn08gjX/zl2b4wtPbShOSY5FhkSm8GeySasz+/Nwb/uzfnIhokWi
+lfPZHtlCWtXbIy/TN51eJyq04ceDCQDWvLC2enVg9KB+GJ34b5c5VaPRzq8MBxsA
+S7ELuYGtmYgYm9NZOIr7yU0=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/expired/rsa-cca.pem b/crypto/openssl/certs/expired/rsa-cca.pem
new file mode 100644
index 000000000000..69f5c1c84cd7
--- /dev/null
+++ b/crypto/openssl/certs/expired/rsa-cca.pem
@@ -0,0 +1,19 @@
+subject=/C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
+issuer= /C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
+notBefore=941104185834Z
+notAfter =991103185834Z
+-----BEGIN X509 CERTIFICATE-----
+
+MIICIzCCAZACBQJBAAAWMA0GCSqGSIb3DQEBAgUAMFwxCzAJBgNVBAYTAlVTMSAw
+HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVy
+Y2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDQxODU4MzRaFw05
+OTExMDMxODU4MzRaMFwxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBT
+ZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVyY2lhbCBDZXJ0aWZpY2F0aW9u
+IEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCk+4Fie84QJ93o
+975sbsZwmdu41QUDaSiCnHJ/lj+O7Kwpkj+KFPhCdr69XQO5kNTQvAayUTNfxMK/
+touPmbZiImDd298ggrTKoi8tUO2UMt7gVY3UaOLgTNLNBRYulWZcYVI4HlGogqHE
+7yXpCuaLK44xZtn42f29O2nZ6wIDAQABMA0GCSqGSIb3DQEBAgUAA34AdrW2EP4j
+9/dZYkuwX5zBaLxJu7NJbyFHXSudVMQAKD+YufKKg5tgf+tQx6sFEC097TgCwaVI
+0v5loMC86qYjFmZsGySp8+x5NRhPJsjjr1BKx6cxa9B8GJ1Qv6km+iYrRpwUqbtb
+MJhCKLVLU7tDCZJAuqiqWqTGtotXTcU=
+-----END X509 CERTIFICATE-----
diff --git a/crypto/openssl/certs/expired/vsign2.pem b/crypto/openssl/certs/expired/vsign2.pem
new file mode 100644
index 000000000000..d8bdd8c812f1
--- /dev/null
+++ b/crypto/openssl/certs/expired/vsign2.pem
@@ -0,0 +1,18 @@
+subject=/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
+notBefore=Jan 29 00:00:00 1996 GMT
+notAfter=Jan  7 23:59:59 2004 GMT
+-----BEGIN CERTIFICATE-----
+MIICPTCCAaYCEQC6WslMBTuS1qe2307QU5INMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
+c3MgMiBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
+NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
+VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMiBQdWJsaWMgUHJp
+bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAtlqLow1qI4OAa885h/QhEzMGTCWi7VUSl8WngLn6g8EgoPovFQ18
+oWBrfnks+gYPOq72G2+x0v8vKFJfg31LxHq3+GYfgFT8t8KOWUoUV0bRmpO+QZED
+uxWAk1zr58wIbD8+s0r8/0tsI9VQgiZEGY4jw3HqGSRHBJ51v8imAB8CAwEAATAN
+BgkqhkiG9w0BAQIFAAOBgQC2AB+TV6QHp0DOZUA/VV7t7/pUSaUw1iF8YYfug5ML
+v7Qz8pisnwa/TqjOFIFMywROWMPPX+5815pvy0GKt3+BuP+EYcYnQ2UdDOyxAArd
+G6S7x3ggKLKi3TaVLuFUT79guXdoEZkj6OpS6KoATmdOu5C1RZtG644W78QzWzM9
+1Q==
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/certs/wellsfgo.pem b/crypto/openssl/certs/wellsfgo.pem
new file mode 100644
index 000000000000..2ba88cdda792
--- /dev/null
+++ b/crypto/openssl/certs/wellsfgo.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID5TCCAs2gAwIBAgIEOeSXnjANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMC
+VVMxFDASBgNVBAoTC1dlbGxzIEZhcmdvMSwwKgYDVQQLEyNXZWxscyBGYXJnbyBD
+ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEvMC0GA1UEAxMmV2VsbHMgRmFyZ28gUm9v
+dCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDAxMDExMTY0MTI4WhcNMjEwMTE0
+MTY0MTI4WjCBgjELMAkGA1UEBhMCVVMxFDASBgNVBAoTC1dlbGxzIEZhcmdvMSww
+KgYDVQQLEyNXZWxscyBGYXJnbyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEvMC0G
+A1UEAxMmV2VsbHMgRmFyZ28gUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVqDM7Jvk0/82bfuUER84A4n13
+5zHCLielTWi5MbqNQ1mXx3Oqfz1cQJ4F5aHiidlMuD+b+Qy0yGIZLEWukR5zcUHE
+SxP9cMIlrCL1dQu3U+SlK93OvRw6esP3E48mVJwWa2uv+9iWsWCaSOAlIiR5NM4O
+JgALTqv9i86C1y8IcGjBqAr5dE8Hq6T54oN+J3N0Prj5OEL8pahbSCOz6+MlsoCu
+ltQKnMJ4msZoGK43YjdeUXWoWGPAUe5AeH6orxqg4bB4nVCMe+ez/I4jsNtlAHCE
+AQgAFG5Uhpq6zPk3EPbg3oQtnaSFN9OH4xXQwReQfhkhahKpdv0SAulPIV4XAgMB
+AAGjYTBfMA8GA1UdEwEB/wQFMAMBAf8wTAYDVR0gBEUwQzBBBgtghkgBhvt7hwcB
+CzAyMDAGCCsGAQUFBwIBFiRodHRwOi8vd3d3LndlbGxzZmFyZ28uY29tL2NlcnRw
+b2xpY3kwDQYJKoZIhvcNAQEFBQADggEBANIn3ZwKdyu7IvICtUpKkfnRLb7kuxpo
+7w6kAOnu5+/u9vnldKTC2FJYxHT7zmu1Oyl5GFrvm+0fazbuSCUlFLZWohDo7qd/
+0D+j0MNdJu4HzMPBJCGHHt8qElNvQRbn7a6U+oxy+hNH8Dx+rn0ROhPs7fpvcmR7
+nX1/Jv16+yWt6j4pf0zjAFcysLPp7VMX2YuyFA4w6OXVE8Zkr8QA1dhYJPz1j+zx
+x32l2w8n0cbyQIjmH/ZhqPRCyLk306m+LFZ4wnKbWV01QIroTmMatukgalHizqSQ
+33ZwmVxwQ023tqcZZE6St8WRPH9IFmV7Fv3L/PvZ1dZPIWU7Sn9Ho/s=
+-----END CERTIFICATE-----
diff --git a/crypto/openssl/config b/crypto/openssl/config
index 36e820e4fea4..6583959479a1 100755
--- a/crypto/openssl/config
+++ b/crypto/openssl/config
@@ -82,9 +82,9 @@ if [ "x$XREL" != "x" ]; then
 		esac
 		;;
 	    4.2)
-		echo "i386-whatever-unixware1"; exit 0
+		echo "whatever-whatever-unixware1"; exit 0
 		;;
-	    5)
+	    5*)
 		case "x${VERSION}" in
 		    # We hardcode i586 in place of ${MACHINE} for the
 		    # following reason. The catch is that even though Pentium
@@ -93,8 +93,7 @@ if [ "x$XREL" != "x" ]; then
 		    # with i386 is that it makes ./config pass 386 to
 		    # ./Configure, which in turn makes make generate
 		    # inefficient SHA-1 (for this moment) code.
-		    x7*)  echo "i586-sco-unixware7";           exit 0 ;;
-		    x8*)  echo "i586-unkn-OpenUNIX${VERSION}"; exit 0 ;;
+		    x[678]*)  echo "i586-sco-unixware7"; exit 0 ;;
 		esac
 		;;
 	esac
@@ -111,16 +110,16 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "m68k-apple-aux3"; exit 0
 	;;
 
-    AIX:[3456789]:4:*)
-	echo "${MACHINE}-ibm-aix43"; exit 0
+    AIX:[3-9]:4:*)
+	echo "${MACHINE}-ibm-aix"; exit 0
 	;;
 
-    AIX:*:[56789]:*)
-	echo "${MACHINE}-ibm-aix43"; exit 0
+    AIX:*:[5-9]:*)
+	echo "${MACHINE}-ibm-aix"; exit 0
 	;;
 
     AIX:*)
-	echo "${MACHINE}-ibm-aix"; exit 0
+	echo "${MACHINE}-ibm-aix3"; exit 0
 	;;
 
     dgux:*)
@@ -337,6 +336,9 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "mips-sony-newsos4"; exit 0;
 	;;
 
+    MINGW*)
+	echo "${MACHINE}-whatever-mingw"; exit 0;
+	;;
     CYGWIN*)
 	case "$RELEASE" in
 	    [bB]*|1.0|1.[12].*)
@@ -404,7 +406,7 @@ if [ "$GCCVER" != "" ]; then
   CC=gcc
   # then strip off whatever prefix egcs prepends the number with...
   # Hopefully, this will work for any future prefixes as well.
-  GCCVER=`echo $GCCVER | sed 's/^[a-zA-Z]*\-//'`
+  GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'`
   # Since gcc 3.1 gcc --version behaviour has changed.  gcc -dumpversion
   # does give us what we want though, so we use that.  We just just the
   # major and minor version numbers.
@@ -442,15 +444,13 @@ if [ "$SYSTEM" = "SunOS" ]; then
   	egrep -e '^cc: .* C [0-9]\.[0-9]' | \
 	sed 's/.* C \([0-9]\)\.\([0-9]\).*/\1\2/'`
   CCVER=${CCVER:-0}
-  if [ $CCVER -gt 40 ]; then
+  if [ $MACHINE != i86pc -a $CCVER -gt 40 ]; then
     CC=cc	# overrides gcc!!!
     if [ $CCVER -eq 50 ]; then
       echo "WARNING! Detected WorkShop C 5.0. Do make sure you have"
       echo "         patch #107357-01 or later applied."
       sleep 5
     fi
-  elif [ "$CC" = "cc" -a $CCVER -gt 0 ]; then
-    CC=sc3
   fi
 fi
 
@@ -491,91 +491,81 @@ case "$GUESSOS" in
 	OUT="irix-$CC"
 	;;
   mips3-sgi-irix)
-	CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
-	CPU=${CPU:-0}
-	if [ $CPU -ge 5000 ]; then
-		options="$options -mips4"
-	else
-		options="$options -mips3"
-	fi
+	#CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+	#CPU=${CPU:-0}
+	#if [ $CPU -ge 5000 ]; then
+	#	options="$options -mips4"
+	#else
+	#	options="$options -mips3"
+	#fi
 	OUT="irix-mips3-$CC"
 	;;
   mips4-sgi-irix64)
 	echo "WARNING! If you wish to build 64-bit library, then you have to"
 	echo "         invoke './Configure irix64-mips4-$CC' *manually*."
-	if [ "$TEST" = "false" ]; then
+	if [ "$TEST" = "false" -a -t 1 ]; then
 	  echo "         You have about 5 seconds to press Ctrl-C to abort."
-	  (stty -icanon min 0 time 50; read waste) < /dev/tty
+	  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	fi
-        CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
-        CPU=${CPU:-0}
-        if [ $CPU -ge 5000 ]; then
-                options="$options -mips4"
-        else
-                options="$options -mips3"
-        fi
+        #CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+        #CPU=${CPU:-0}
+        #if [ $CPU -ge 5000 ]; then
+        #        options="$options -mips4"
+        #else
+        #        options="$options -mips3"
+        #fi
 	OUT="irix-mips3-$CC"
 	;;
+  ppc-apple-rhapsody) OUT="rhapsody-ppc-cc" ;;
+  ppc-apple-darwin*) OUT="darwin-ppc-cc" ;;
+  i386-apple-darwin*) OUT="darwin-i386-cc" ;;
   alpha-*-linux2)
-        ISA=`awk '/cpu model/{print$4}' /proc/cpuinfo`
+        ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
 	case ${ISA:-generic} in
-	*[67])	OUT="linux-alpha+bwx-$CC" ;;
+	*[678])	OUT="linux-alpha+bwx-$CC" ;;
 	*)	OUT="linux-alpha-$CC" ;;
 	esac
 	if [ "$CC" = "gcc" ]; then
 	    case ${ISA:-generic} in
 	    EV5|EV45)		options="$options -mcpu=ev5";;
 	    EV56|PCA56)		options="$options -mcpu=ev56";;
-	    EV6|EV67|PCA57)	options="$options -mcpu=ev6";;
+	    *)			options="$options -mcpu=ev6";;
 	    esac
 	fi
 	;;
-  mips-*-linux?)
-          cat >dummy.c <<EOF
-#include <stdio.h>  /* for printf() prototype */
-        int main (argc, argv) int argc; char *argv[]; {
-#ifdef __MIPSEB__
-  printf ("linux-%s\n", argv[1]);
-#endif
-#ifdef __MIPSEL__
-  printf ("linux-%sel\n", argv[1]);
-#endif
-  return 0;
-}
-EOF
-	${CC} -o dummy dummy.c && OUT=`./dummy ${MACHINE}`
-	rm dummy dummy.c
-	;;
   ppc64-*-linux2)
-	#Use the standard target for PPC architecture until we create a
-	#special one for the 64bit architecture.
-	OUT="linux-ppc" ;;
+	echo "WARNING! If you wish to build 64-bit library, then you have to"
+	echo "         invoke './Configure linux-ppc64' *manually*."
+	if [ "$TEST" = "false" -a -t 1 ]; then
+	    echo "         You have about 5 seconds to press Ctrl-C to abort."
+	    (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+	fi
+	OUT="linux-ppc"
+	;;
   ppc-*-linux2) OUT="linux-ppc" ;;
-  m68k-*-linux*) OUT="linux-m68k" ;;
   ia64-*-linux?) OUT="linux-ia64" ;;
-  ppc-apple-rhapsody) OUT="rhapsody-ppc-cc" ;;
-  ppc-apple-darwin*) OUT="darwin-ppc-cc" ;;
-  i386-apple-darwin*) OUT="darwin-i386-cc" ;;
   sparc64-*-linux2)
 	echo "WARNING! If you *know* that your GNU C supports 64-bit/V9 ABI"
 	echo "         and wish to build 64-bit library, then you have to"
 	echo "         invoke './Configure linux64-sparcv9' *manually*."
-	if [ "$TEST" = "false" ]; then
+	if [ "$TEST" = "false" -a -t 1 ]; then
 	  echo "          You have about 5 seconds to press Ctrl-C to abort."
-	  (stty -icanon min 0 time 50; read waste) < /dev/tty
+	  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	fi
 	OUT="linux-sparcv9" ;;
   sparc-*-linux2)
-	KARCH=`awk '/^type/{print$3}' /proc/cpuinfo`
+	KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo`
 	case ${KARCH:-sun4} in
 	sun4u*)	OUT="linux-sparcv9" ;;
 	sun4m)	OUT="linux-sparcv8" ;;
 	sun4d)	OUT="linux-sparcv8" ;;
-	*)	OUT="linux-sparcv7" ;;
+	*)	OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
 	esac ;;
-  parisc-*-linux2)
-        CPUARCH=`awk '/cpu family/{print substr($5,1,3)}' /proc/cpuinfo`
-	CPUSCHEDULE=`awk '/^cpu.[ 	]: PA/{print substr($3,3)}' /proc/cpuinfo`
+  parisc*-*-linux2)
+	# 64-bit builds under parisc64 linux are not supported and
+	# compiler is expected to generate 32-bit objects...
+	CPUARCH=`awk '/cpu family/{print substr($5,1,3); exit(0);}' /proc/cpuinfo`
+	CPUSCHEDULE=`awk '/^cpu.[ 	]*: PA/{print substr($3,3); exit(0);}' /proc/cpuinfo`
 
 	# ??TODO ??  Model transformations
 	# 0. CPU Architecture for the 1.1 processor has letter suffixes. We strip that off
@@ -588,28 +578,29 @@ EOF
 	#         PA8500   -> 8000   (2.0)
 	#         PA8600   -> 8000   (2.0)
 
-	CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8?00/8000/'`
+	CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8.00/8000/'`
 	# Finish Model transformations
 
-	options="$options -mschedule=$CPUSCHEDULE -march=$CPUARCH"
-	OUT="linux-parisc" ;;
-  arm*-*-linux2) OUT="linux-elf-arm" ;;
-  s390-*-linux2) OUT="linux-s390" ;;
-  s390x-*-linux?) OUT="linux-s390x" ;;
+	options="$options -DB_ENDIAN -mschedule=$CPUSCHEDULE -march=$CPUARCH"
+	OUT="linux-generic32" ;;
+  arm*b-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
+  arm*l-*-linux2) OUT="linux-generic32"; options="$options -DL_ENDIAN" ;;
+  s390*-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN -DNO_ASM" ;;
   x86_64-*-linux?) OUT="linux-x86_64" ;;
-  *-*-linux2) OUT="linux-elf"
+  *86-*-linux2) OUT="linux-elf"
 	if [ "$GCCVER" -gt 28 ]; then
           if grep '^model.*Pentium' /proc/cpuinfo >/dev/null ; then
-            OUT="linux-pentium"
+	    options="$options -mcpu=pentium"
           fi
           if grep '^model.*Pentium Pro' /proc/cpuinfo >/dev/null ; then
-            OUT="linux-ppro"
+	    options="$options -mcpu=pentiumpro"
           fi
           if grep '^model.*K6' /proc/cpuinfo >/dev/null ; then
-            OUT="linux-k6"
+	    options="$options -mcpu=k6"
           fi
         fi ;;
   *-*-linux1) OUT="linux-aout" ;;
+  *-*-linux2) OUT="linux-generic32" ;;
   sun4u*-*-solaris2)
 	OUT="solaris-sparcv9-$CC"
 	ISA64=`(isalist) 2>/dev/null | grep sparcv9`
@@ -617,9 +608,9 @@ EOF
 	    if [ "$CC" = "cc" -a $CCVER -ge 50 ]; then
 		echo "WARNING! If you wish to build 64-bit library, then you have to"
 		echo "         invoke './Configure solaris64-sparcv9-cc' *manually*."
-		if [ "$TEST" = "false" ]; then
+		if [ "$TEST" = "false" -a -t 1 ]; then
 		  echo "         You have about 5 seconds to press Ctrl-C to abort."
-		  (stty -icanon min 0 time 50; read waste) < /dev/tty
+		  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 		fi
 	    elif [ "$CC" = "gcc" -a "$GCC_ARCH" = "-m64" ]; then
 		# $GCC_ARCH denotes default ABI chosen by compiler driver
@@ -629,17 +620,17 @@ EOF
 		OUT="solaris64-sparcv9-gcc"
 		echo "WARNING! If you wish to build 32-bit library, then you have to"
 		echo "         invoke './Configure solaris-sparcv9-gcc' *manually*."
-		if [ "$TEST" = "false" ]; then
+		if [ "$TEST" = "false" -a -t 1 ]; then
 		  echo "         You have about 5 seconds to press Ctrl-C to abort."
-		  (stty -icanon min 0 time 50; read waste) < /dev/tty
+		  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 		fi
 	    elif [ "$GCC_ARCH" = "-m32" ]; then
 		echo "NOTICE! If you *know* that your GNU C supports 64-bit/V9 ABI"
 		echo "        and wish to build 64-bit library, then you have to"
 		echo "        invoke './Configure solaris64-sparcv9-gcc' *manually*."
-		if [ "$TEST" = "false" ]; then
+		if [ "$TEST" = "false" -a -t 1 ]; then
 		  echo "         You have about 5 seconds to press Ctrl-C to abort."
-		  (stty -icanon min 0 time 50; read waste) < /dev/tty
+		  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 		fi
 	    fi
 	fi
@@ -647,47 +638,49 @@ EOF
   sun4m-*-solaris2)	OUT="solaris-sparcv8-$CC" ;;
   sun4d-*-solaris2)	OUT="solaris-sparcv8-$CC" ;;
   sun4*-*-solaris2)	OUT="solaris-sparcv7-$CC" ;;
-  *86*-*-solaris2) OUT="solaris-x86-$CC" ;;
-  *-*-sunos4) OUT="sunos-$CC" ;;
-  alpha*-*-freebsd*) OUT="FreeBSD-alpha" ;;
-  sparc64-*-freebsd*) OUT="FreeBSD-sparc64" ;;
-  ia64-*-freebsd*) OUT="FreeBSD-ia64" ;;
-  *-freebsd[3-9]*) OUT="FreeBSD-elf" ;;
-  *-freebsd[1-2]*) OUT="FreeBSD" ;;
-  *86*-*-netbsd) OUT="NetBSD-x86" ;;
-  sun3*-*-netbsd) OUT="NetBSD-m68" ;;
-  *-*-netbsd) OUT="NetBSD-sparc" ;;
-  alpha*-*-openbsd) OUT="OpenBSD-alpha" ;;
-  *86*-*-openbsd) OUT="OpenBSD-i386" ;;
-  m68k*-*-openbsd) OUT="OpenBSD-m68k" ;;
-  m88k*-*-openbsd) OUT="OpenBSD-m88k" ;;
-  mips*-*-openbsd) OUT="OpenBSD-mips" ;;
-  pmax*-*-openbsd) OUT="OpenBSD-mips" ;;
-  powerpc*-*-openbsd) OUT="OpenBSD-powerpc" ;;
-  sparc64*-*-openbsd) OUT="OpenBSD-sparc64" ;;
-  sparc*-*-openbsd) OUT="OpenBSD-sparc" ;;
-  vax*-*-openbsd) OUT="OpenBSD-vax" ;;
-  hppa*-*-openbsd) OUT="OpenBSD-hppa" ;;
-  *-*-openbsd) OUT="OpenBSD" ;;
-  *86*-*-bsdi4) OUT="bsdi-elf-gcc" ;;
-  *-*-osf) OUT="alphaold-cc" ;;
-  *-*-tru64) OUT="alpha-cc" ;;
-  *-*-OpenUNIX*)
+  *86*-*-solaris2)
+	ISA64=`(isalist) 2>/dev/null | grep amd64`
+	if [ "$ISA64" != "" ]; then
+	    OUT="solaris64-x86_64-$CC"
+	else
+	    OUT="solaris-x86-$CC"
+	    if [ `uname -r | sed -e 's/5\.//'` -lt 10 ]; then
+		options="$options no-sse2"
+	    fi
+	fi
+	;;
+  *-*-sunos4)		OUT="sunos-$CC" ;;
+
+  *86*-*-bsdi4)		OUT="BSD-x86-elf"; options="$options no-sse2 -ldl" ;;
+  alpha*-*-*bsd*)	OUT="BSD-generic64; options="$options -DL_ENDIAN" ;;
+  powerpc64-*-*bsd*)	OUT="BSD-generic64; options="$options -DB_ENDIAN" ;;
+  sparc64-*-*bsd*)	OUT="BSD-sparc64" ;;
+  ia64-*-*bsd*)		OUT="BSD-ia64" ;;
+  amd64-*-*bsd*)	OUT="BSD-x86_64" ;;
+  *86*-*-*bsd*)		# mimic ld behaviour when it's looking for libc...
+			if [ -L /usr/lib/libc.so ]; then	# [Free|Net]BSD
+			    libc=/usr/lib/libc.so
+			else					# OpenBSD
+			    # ld searches for highest libc.so.* and so do we
+			    libc=`(ls /usr/lib/libc.so.* | tail -1) 2>/dev/null`
+			fi
+			case "`(file -L $libc) 2>/dev/null`" in
+			*ELF*)	OUT="BSD-x86-elf" ;;
+			*)	OUT="BSD-x86"; options="$options no-sse2" ;;
+			esac ;;
+  *-*-*bsd*)		OUT="BSD-generic32" ;;
+
+  *-*-osf)		OUT="osf1-alpha-cc" ;;
+  *-*-tru64)		OUT="tru64-alpha-cc" ;;
+  *-*-[Uu]nix[Ww]are7)
 	if [ "$CC" = "gcc" ]; then
-	  OUT="OpenUNIX-8-gcc" 
+	  OUT="unixware-7-gcc" ; options="$options no-sse2"
 	else    
-	  OUT="OpenUNIX-8" 
+	  OUT="unixware-7" ; options="$options no-sse2 -D__i386__"
 	fi
 	;;
-  *-*-unixware7) OUT="unixware-7" ;;
-  *-*-UnixWare7) OUT="unixware-7" ;;
-  *-*-Unixware7) OUT="unixware-7" ;;
-  *-*-unixware20*) OUT="unixware-2.0" ;;
-  *-*-unixware21*) OUT="unixware-2.1" ;;
-  *-*-UnixWare20*) OUT="unixware-2.0" ;;
-  *-*-UnixWare21*) OUT="unixware-2.1" ;;
-  *-*-Unixware20*) OUT="unixware-2.0" ;;
-  *-*-Unixware21*) OUT="unixware-2.1" ;;
+  *-*-[Uu]nix[Ww]are20*) OUT="unixware-2.0"; options="$options no-sse2 no-sha512" ;;
+  *-*-[Uu]nix[Ww]are21*) OUT="unixware-2.1"; options="$options no-sse2 no-sha512" ;;
   *-*-vos)
 	options="$options no-threads no-shared no-asm no-dso"
 	EXE=".pm"
@@ -696,15 +689,8 @@ EOF
   RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
   *-siemens-sysv4) OUT="SINIX" ;;
   *-hpux1*)
-	if [ $CC = "gcc" ];
-	then
-	  if [ $GCC_BITS = "64" ]; then
+	if [ $CC = "gcc" -a $GCC_BITS = "64" ]; then
 	    OUT="hpux64-parisc2-gcc"
-	  else
-	    OUT="hpux-parisc-gcc"
-	  fi
-	else
-	  OUT="hpux-parisc-$CC"
 	fi
 	KERNEL_BITS=`(getconf KERNEL_BITS) 2>/dev/null`
 	KERNEL_BITS=${KERNEL_BITS:-32}
@@ -715,34 +701,57 @@ EOF
 	     echo "WARNING! 64-bit ABI is the default configured ABI on HP-UXi."
 	     echo "         If you wish to build 32-bit library, the you have to"
 	     echo "         invoke './Configure hpux-ia64-cc' *manually*."
-	     if [ "$TEST" = "false" ]; then
+	     if [ "$TEST" = "false" -a -t 1 ]; then
 		echo "         You have about 5 seconds to press Ctrl-C to abort."
-		(stty -icanon min 0 time 50; read waste) < /dev/tty
+		(trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	     fi
 	     OUT="hpux64-ia64-cc"
 	elif [ $CPU_VERSION -ge 532 ]; then	# PA-RISC 2.x CPU
-	     if [ "$CC" = "cc" ]; then
-		OUT="hpux-parisc2-cc" # can't we have hpux-parisc2-gcc?
-	     fi
+	     OUT=${OUT:-"hpux-parisc2-${CC}"}
 	     if [ $KERNEL_BITS -eq 64 -a "$CC" = "cc" ]; then
 		echo "WARNING! If you wish to build 64-bit library then you have to"
 		echo "         invoke './Configure hpux64-parisc2-cc' *manually*."
-		if [ "$TEST" = "false" ]; then
+		if [ "$TEST" = "false" -a -t 1 ]; then
 		  echo "         You have about 5 seconds to press Ctrl-C to abort."
-		  (stty -icanon min 0 time 50; read waste) < /dev/tty
+		  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 		fi
 	     fi
 	elif [ $CPU_VERSION -ge 528 ]; then	# PA-RISC 1.1+ CPU
-	     :
+	     OUT="hpux-parisc-${CC}
 	elif [ $CPU_VERSION -ge 523 ]; then	# PA-RISC 1.0 CPU
-	     :
+	     OUT="hpux-parisc-${CC}
 	else					# Motorola(?) CPU
 	     OUT="hpux-$CC"
 	fi
 	options="$options -D_REENTRANT" ;;
   *-hpux)	OUT="hpux-parisc-$CC" ;;
+  *-aix)
+	KERNEL_BITS=`(getconf KERNEL_BITMODE) 2>/dev/null`
+	KERNEL_BITS=${KERNEL_BITS:-32}
+	OBJECT_MODE=${OBJECT_MODE:-32}
+	if [ "$CC" = "gcc" ]; then
+	    OUT="aix-gcc"
+	elif [ $OBJECT_MODE -eq 64 ]; then
+	    echo 'Your $OBJECT_MODE was found to be set to 64' 
+	    OUT="aix64-cc"
+	else
+	    OUT="aix-cc"
+	    if [ $KERNEL_BITS -eq 64 ]; then
+		echo "WARNING! If you wish to build 64-bit kit, then you have to"
+		echo "         invoke './Configure aix64-cc' *manually*."
+		if [ "$TEST" = "false" -a -t 1 ]; then
+		    echo "         You have ~5 seconds to press Ctrl-C to abort."
+		    (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+		fi
+	    fi
+	fi
+	if (lsattr -E -O -l proc0 | grep -i powerpc) >/dev/null 2>&1; then
+	    :	# this applies even to Power3 and later, as they return PowerPC_POWER[345]
+	else
+	    options="$options no-asm"
+	fi
+	;;
   # these are all covered by the catchall below
-  # *-aix) OUT="aix-$CC" ;;
   # *-dgux) OUT="dgux" ;;
   mips-sony-newsos4) OUT="newsos4-gcc" ;;
   *-*-cygwin_pre1.3) OUT="Cygwin-pre1.3" ;;
@@ -768,9 +777,10 @@ esac
 # gcc < 2.8 does not support -mcpu=ultrasparc
 if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ]
 then
-  echo "WARNING! Do consider upgrading to gcc-2.8 or later."
+  echo "WARNING! Falling down to 'solaris-sparcv8-gcc'."
+  echo "         Upgrade to gcc-2.8 or later."
   sleep 5
-  OUT=solaris-sparcv9-gcc27
+  OUT=solaris-sparcv8-gcc
 fi
 if [ "$OUT" = "linux-sparcv9" -a $GCCVER -lt 28 ]
 then
diff --git a/crypto/openssl/crypto/LPdir_nyi.c b/crypto/openssl/crypto/LPdir_nyi.c
new file mode 100644
index 000000000000..6c1a50e6a8e2
--- /dev/null
+++ b/crypto/openssl/crypto/LPdir_nyi.c
@@ -0,0 +1,42 @@
+/* $LP: LPlib/source/LPdir_win.c,v 1.1 2004/06/14 10:07:56 _cvs_levitte Exp $ */
+/*
+ * Copyright (c) 2004, Richard Levitte <richard@levitte.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef LPDIR_H
+#include "LPdir.h"
+#endif
+
+struct LP_dir_context_st { void *dummy; };
+const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
+	{
+	errno = EINVAL;
+	return 0;
+	}
+int LP_find_file_end(LP_DIR_CTX **ctx)
+	{
+	errno = EINVAL;
+	return 0;
+	}
diff --git a/crypto/openssl/crypto/LPdir_unix.c b/crypto/openssl/crypto/LPdir_unix.c
new file mode 100644
index 000000000000..b004cd99e8ab
--- /dev/null
+++ b/crypto/openssl/crypto/LPdir_unix.c
@@ -0,0 +1,127 @@
+/* $LP: LPlib/source/LPdir_unix.c,v 1.11 2004/09/23 22:07:22 _cvs_levitte Exp $ */
+/*
+ * Copyright (c) 2004, Richard Levitte <richard@levitte.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stddef.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <string.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <errno.h>
+#ifndef LPDIR_H
+#include "LPdir.h"
+#endif
+
+/* The POSIXly macro for the maximum number of characters in a file path
+   is NAME_MAX.  However, some operating systems use PATH_MAX instead.
+   Therefore, it seems natural to first check for PATH_MAX and use that,
+   and if it doesn't exist, use NAME_MAX. */
+#if defined(PATH_MAX)
+# define LP_ENTRY_SIZE PATH_MAX
+#elif defined(NAME_MAX)
+# define LP_ENTRY_SIZE NAME_MAX
+#endif
+
+/* Of course, there's the possibility that neither PATH_MAX nor NAME_MAX
+   exist.  It's also possible that NAME_MAX exists but is define to a
+   very small value (HP-UX offers 14), so we need to check if we got a
+   result, and if it meets a minimum standard, and create or change it
+   if not. */
+#if !defined(LP_ENTRY_SIZE) || LP_ENTRY_SIZE<255
+# undef LP_ENTRY_SIZE
+# define LP_ENTRY_SIZE 255
+#endif
+
+struct LP_dir_context_st
+{
+  DIR *dir;
+  char entry_name[LP_ENTRY_SIZE+1];
+};
+
+const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
+{
+  struct dirent *direntry = NULL;
+
+  if (ctx == NULL || directory == NULL)
+    {
+      errno = EINVAL;
+      return 0;
+    }
+
+  errno = 0;
+  if (*ctx == NULL)
+    {
+      *ctx = (LP_DIR_CTX *)malloc(sizeof(LP_DIR_CTX));
+      if (*ctx == NULL)
+	{
+	  errno = ENOMEM;
+	  return 0;
+	}
+      memset(*ctx, '\0', sizeof(LP_DIR_CTX));
+
+      (*ctx)->dir = opendir(directory);
+      if ((*ctx)->dir == NULL)
+	{
+	  int save_errno = errno; /* Probably not needed, but I'm paranoid */
+	  free(*ctx);
+	  *ctx = NULL;
+	  errno = save_errno;
+	  return 0;
+	}
+    }
+
+  direntry = readdir((*ctx)->dir);
+  if (direntry == NULL)
+    {
+      return 0;
+    }
+
+  strncpy((*ctx)->entry_name, direntry->d_name, sizeof((*ctx)->entry_name) - 1);
+  (*ctx)->entry_name[sizeof((*ctx)->entry_name) - 1] = '\0';
+  return (*ctx)->entry_name;
+}
+
+int LP_find_file_end(LP_DIR_CTX **ctx)
+{
+  if (ctx != NULL && *ctx != NULL)
+    {
+      int ret = closedir((*ctx)->dir);
+
+      free(*ctx);
+      switch (ret)
+	{
+	case 0:
+	  return 1;
+	case -1:
+	  return 0;
+	default:
+	  break;
+	}
+    }
+  errno = EINVAL;
+  return 0;
+}
diff --git a/crypto/openssl/crypto/LPdir_vms.c b/crypto/openssl/crypto/LPdir_vms.c
new file mode 100644
index 000000000000..85b427a623b6
--- /dev/null
+++ b/crypto/openssl/crypto/LPdir_vms.c
@@ -0,0 +1,199 @@
+/* $LP: LPlib/source/LPdir_vms.c,v 1.20 2004/08/26 13:36:05 _cvs_levitte Exp $ */
+/*
+ * Copyright (c) 2004, Richard Levitte <richard@levitte.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <descrip.h>
+#include <namdef.h>
+#include <rmsdef.h>
+#include <libfildef.h>
+#include <lib$routines.h>
+#include <strdef.h>
+#include <str$routines.h>
+#include <stsdef.h>
+#ifndef LPDIR_H
+#include "LPdir.h"
+#endif
+
+/* Because some compiler options hide this macor */
+#ifndef EVMSERR
+#define EVMSERR		65535  /* error for non-translatable VMS errors */
+#endif
+
+struct LP_dir_context_st
+{
+  unsigned long VMS_context;
+#ifdef NAML$C_MAXRSS
+  char filespec[NAML$C_MAXRSS+1];
+  char result[NAML$C_MAXRSS+1];
+#else
+  char filespec[256];
+  char result[256];
+#endif
+  struct dsc$descriptor_d filespec_dsc;
+  struct dsc$descriptor_d result_dsc;
+};
+
+const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
+{
+  int status;
+  char *p, *r;
+  size_t l;
+  unsigned long flags = 0;
+#ifdef NAML$C_MAXRSS
+  flags |= LIB$M_FIL_LONG_NAMES;
+#endif
+
+  if (ctx == NULL || directory == NULL)
+    {
+      errno = EINVAL;
+      return 0;
+    }
+
+  errno = 0;
+  if (*ctx == NULL)
+    {
+      size_t filespeclen = strlen(directory);
+      char *filespec = NULL;
+
+      /* MUST be a VMS directory specification!  Let's estimate if it is. */
+      if (directory[filespeclen-1] != ']'
+	  && directory[filespeclen-1] != '>'
+	  && directory[filespeclen-1] != ':')
+	{
+	  errno = EINVAL;
+	  return 0;
+	}
+
+      filespeclen += 4;		/* "*.*;" */
+
+      if (filespeclen >
+#ifdef NAML$C_MAXRSS
+	  NAML$C_MAXRSS
+#else
+	  255
+#endif
+	  )
+	{
+	  errno = ENAMETOOLONG;
+	  return 0;
+	}
+
+      *ctx = (LP_DIR_CTX *)malloc(sizeof(LP_DIR_CTX));
+      if (*ctx == NULL)
+	{
+	  errno = ENOMEM;
+	  return 0;
+	}
+      memset(*ctx, '\0', sizeof(LP_DIR_CTX));
+
+      strcpy((*ctx)->filespec,directory);
+      strcat((*ctx)->filespec,"*.*;");
+      (*ctx)->filespec_dsc.dsc$w_length = filespeclen;
+      (*ctx)->filespec_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
+      (*ctx)->filespec_dsc.dsc$b_class = DSC$K_CLASS_S;
+      (*ctx)->filespec_dsc.dsc$a_pointer = (*ctx)->filespec;
+      (*ctx)->result_dsc.dsc$w_length = 0;
+      (*ctx)->result_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
+      (*ctx)->result_dsc.dsc$b_class = DSC$K_CLASS_D;
+      (*ctx)->result_dsc.dsc$a_pointer = 0;
+    }
+
+  (*ctx)->result_dsc.dsc$w_length = 0;
+  (*ctx)->result_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
+  (*ctx)->result_dsc.dsc$b_class = DSC$K_CLASS_D;
+  (*ctx)->result_dsc.dsc$a_pointer = 0;
+
+  status = lib$find_file(&(*ctx)->filespec_dsc, &(*ctx)->result_dsc,
+			 &(*ctx)->VMS_context, 0, 0, 0, &flags);
+
+  if (status == RMS$_NMF)
+    {
+      errno = 0;
+      vaxc$errno = status;
+      return NULL;
+    }
+
+  if(!$VMS_STATUS_SUCCESS(status))
+    {
+      errno = EVMSERR;
+      vaxc$errno = status;
+      return NULL;
+    }
+
+  /* Quick, cheap and dirty way to discard any device and directory,
+     since we only want file names */
+  l = (*ctx)->result_dsc.dsc$w_length;
+  p = (*ctx)->result_dsc.dsc$a_pointer;
+  r = p;
+  for (; *p; p++)
+    {
+      if (*p == '^' && p[1] != '\0') /* Take care of ODS-5 escapes */
+	{
+	  p++;
+	}
+      else if (*p == ':' || *p == '>' || *p == ']')
+	{
+	  l -= p + 1 - r;
+	  r = p + 1;
+	}
+      else if (*p == ';')
+	{
+	  l = p - r;
+	  break;
+	}
+    }
+
+  strncpy((*ctx)->result, r, l);
+  (*ctx)->result[l] = '\0';
+  str$free1_dx(&(*ctx)->result_dsc);
+
+  return (*ctx)->result;
+}
+
+int LP_find_file_end(LP_DIR_CTX **ctx)
+{
+  if (ctx != NULL && *ctx != NULL)
+    {
+      int status = lib$find_file_end(&(*ctx)->VMS_context);
+
+      free(*ctx);
+
+      if(!$VMS_STATUS_SUCCESS(status))
+	{
+	  errno = EVMSERR;
+	  vaxc$errno = status;
+	  return 0;
+	}
+      return 1;
+    }
+  errno = EINVAL;
+  return 0;
+}
+
diff --git a/crypto/openssl/crypto/LPdir_win.c b/crypto/openssl/crypto/LPdir_win.c
new file mode 100644
index 000000000000..09b475beed17
--- /dev/null
+++ b/crypto/openssl/crypto/LPdir_win.c
@@ -0,0 +1,155 @@
+/* $LP: LPlib/source/LPdir_win.c,v 1.10 2004/08/26 13:36:05 _cvs_levitte Exp $ */
+/*
+ * Copyright (c) 2004, Richard Levitte <richard@levitte.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include <windows.h>
+#include <tchar.h>
+#ifndef LPDIR_H
+#include "LPdir.h"
+#endif
+
+/* We're most likely overcautious here, but let's reserve for
+    broken WinCE headers and explicitly opt for UNICODE call.
+    Keep in mind that our WinCE builds are compiled with -DUNICODE
+    [as well as -D_UNICODE]. */
+#if defined(LP_SYS_WINCE) && !defined(FindFirstFile)
+# define FindFirstFile FindFirstFileW
+#endif
+#if defined(LP_SYS_WINCE) && !defined(FindFirstFile)
+# define FindNextFile FindNextFileW
+#endif
+
+#ifndef NAME_MAX
+#define NAME_MAX 255
+#endif
+
+struct LP_dir_context_st
+{
+  WIN32_FIND_DATA ctx;
+  HANDLE handle;
+  char entry_name[NAME_MAX+1];
+};
+
+const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
+{
+  struct dirent *direntry = NULL;
+
+  if (ctx == NULL || directory == NULL)
+    {
+      errno = EINVAL;
+      return 0;
+    }
+
+  errno = 0;
+  if (*ctx == NULL)
+    {
+      *ctx = (LP_DIR_CTX *)malloc(sizeof(LP_DIR_CTX));
+      if (*ctx == NULL)
+	{
+	  errno = ENOMEM;
+	  return 0;
+	}
+      memset(*ctx, '\0', sizeof(LP_DIR_CTX));
+
+      if (sizeof(TCHAR) != sizeof(char))
+	{
+	  TCHAR *wdir = NULL;
+	  /* len_0 denotes string length *with* trailing 0 */ 
+	  size_t index = 0,len_0 = strlen(directory) + 1;
+
+	  wdir = (TCHAR *)malloc(len_0 * sizeof(TCHAR));
+	  if (wdir == NULL)
+	    {
+	      free(*ctx);
+	      *ctx = NULL;
+	      errno = ENOMEM;
+	      return 0;
+	    }
+
+#ifdef LP_MULTIBYTE_AVAILABLE
+	  if (!MultiByteToWideChar(CP_ACP, 0, directory, len_0, (WCHAR *)wdir, len_0))
+#endif
+	    for (index = 0; index < len_0; index++)
+	      wdir[index] = (TCHAR)directory[index];
+
+	  (*ctx)->handle = FindFirstFile(wdir, &(*ctx)->ctx);
+
+	  free(wdir);
+	}
+      else
+	(*ctx)->handle = FindFirstFile((TCHAR *)directory, &(*ctx)->ctx);
+
+      if ((*ctx)->handle == INVALID_HANDLE_VALUE)
+	{
+	  free(*ctx);
+	  *ctx = NULL;
+	  errno = EINVAL;
+	  return 0;
+	}
+    }
+  else
+    {
+      if (FindNextFile((*ctx)->handle, &(*ctx)->ctx) == FALSE)
+	{
+	  return 0;
+	}
+    }
+
+  if (sizeof(TCHAR) != sizeof(char))
+    {
+      TCHAR *wdir = (*ctx)->ctx.cFileName;
+      size_t index, len_0 = 0;
+
+      while (wdir[len_0] && len_0 < (sizeof((*ctx)->entry_name) - 1)) len_0++;
+      len_0++;
+
+#ifdef LP_MULTIBYTE_AVAILABLE
+      if (!WideCharToMultiByte(CP_ACP, 0, (WCHAR *)wdir, len_0, (*ctx)->entry_name,
+			       sizeof((*ctx)->entry_name), NULL, 0))
+#endif
+	for (index = 0; index < len_0; index++)
+	  (*ctx)->entry_name[index] = (char)wdir[index];
+    }
+  else
+    strncpy((*ctx)->entry_name, (const char *)(*ctx)->ctx.cFileName,
+	    sizeof((*ctx)->entry_name)-1);
+
+  (*ctx)->entry_name[sizeof((*ctx)->entry_name)-1] = '\0';
+
+  return (*ctx)->entry_name;
+}
+
+int LP_find_file_end(LP_DIR_CTX **ctx)
+{
+  if (ctx != NULL && *ctx != NULL)
+    {
+      FindClose((*ctx)->handle);
+      free(*ctx);
+      *ctx = NULL;
+      return 1;
+    }
+  errno = EINVAL;
+  return 0;
+}
diff --git a/crypto/openssl/crypto/LPdir_win32.c b/crypto/openssl/crypto/LPdir_win32.c
new file mode 100644
index 000000000000..e39872da5259
--- /dev/null
+++ b/crypto/openssl/crypto/LPdir_win32.c
@@ -0,0 +1,30 @@
+/* $LP: LPlib/source/LPdir_win32.c,v 1.3 2004/08/26 13:36:05 _cvs_levitte Exp $ */
+/*
+ * Copyright (c) 2004, Richard Levitte <richard@levitte.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#define LP_SYS_WIN32
+#define LP_MULTIBYTE_AVAILABLE
+#include "LPdir_win.c"
diff --git a/crypto/openssl/crypto/LPdir_wince.c b/crypto/openssl/crypto/LPdir_wince.c
new file mode 100644
index 000000000000..ab0e1e6f4f8d
--- /dev/null
+++ b/crypto/openssl/crypto/LPdir_wince.c
@@ -0,0 +1,31 @@
+/* $LP: LPlib/source/LPdir_wince.c,v 1.3 2004/08/26 13:36:05 _cvs_levitte Exp $ */
+/*
+ * Copyright (c) 2004, Richard Levitte <richard@levitte.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#define LP_SYS_WINCE
+/* We might want to define LP_MULTIBYTE_AVAILABLE here.  It's currently
+   under investigation what the exact conditions would be */
+#include "LPdir_win.c"
diff --git a/crypto/openssl/crypto/Makefile b/crypto/openssl/crypto/Makefile
index 347de0cc113b..bb8eaa036c55 100644
--- a/crypto/openssl/crypto/Makefile
+++ b/crypto/openssl/crypto/Makefile
@@ -1,48 +1,46 @@
 #
-# SSLeay/crypto/Makefile
+# OpenSSL/crypto/Makefile
 #
 
 DIR=		crypto
 TOP=		..
 CC=		cc
 INCLUDE=	-I. -I$(TOP) -I../include
+# INCLUDES targets sudbirs!
 INCLUDES=	-I.. -I../.. -I../../include
 CFLAG=		-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=	/usr/local/ssl
 MAKEDEPPROG=	makedepend
 MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile
 RM=             rm -f
 AR=		ar r
 
+RECURSIVE_MAKE=	[ -n "$(SDIRS)" ] && for i in $(SDIRS) ; do \
+		    (cd $$i && echo "making $$target in $(DIR)/$$i..." && \
+		    $(MAKE) -e TOP=../.. DIR=$$i INCLUDES='${INCLUDES}' $$target ) || exit 1; \
+		done;
+
 PEX_LIBS=
 EX_LIBS=
  
 CFLAGS= $(INCLUDE) $(CFLAG)
-
+ASFLAGS= $(INCLUDE) $(ASFLAG)
+AFLAGS=$(ASFLAGS)
 
 LIBS=
 
-SDIRS=	md2 md5 sha mdc2 hmac ripemd \
-	des rc2 rc4 rc5 idea bf cast \
-	bn ec rsa dsa dh dso engine aes \
-	buffer bio stack lhash rand err objects \
-	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
-
 GENERAL=Makefile README crypto-lib.com install.com
 
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
-LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c
-LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o
+LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c o_dir.c
+LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o $(CPUID_OBJ)
 
 SRC= $(LIBSRC)
 
 EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
 	ossl_typ.h
-HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h o_str.h $(EXHEADER)
+HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER)
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
 
@@ -59,39 +57,49 @@ buildinf.h: ../Makefile
 	echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
 	echo '#endif' ) >buildinf.h
 
+x86cpuid-elf.s:	x86cpuid.pl perlasm/x86asm.pl
+	$(PERL) x86cpuid.pl elf $(CFLAGS) $(PROCESSOR) > $@
+x86cpuid-cof.s: x86cpuid.pl perlasm/x86asm.pl
+	$(PERL) x86cpuid.pl coff $(CFLAGS) $(PROCESSOR) > $@
+x86cpuid-out.s: x86cpuid.pl perlasm/x86asm.pl
+	$(PERL) x86cpuid.pl a.out $(CFLAGS) $(PROCESSOR) > $@
+
+uplink.o:	../ms/uplink.c
+	$(CC) $(CFLAGS) -c -o $@ ../ms/uplink.c
+
+uplink-cof.s:	../ms/uplink.pl
+	$(PERL) ../ms/uplink.pl coff > $@
+
+x86_64cpuid.s: x86_64cpuid.pl
+	$(PERL) x86_64cpuid.pl $@
+ia64cpuid.s: ia64cpuid.S
+	$(CC) $(CFLAGS) -E ia64cpuid.S > $@
+
 testapps:
-	if echo ${SDIRS} | fgrep ' des '; \
-	then cd des && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' des; fi
-	cd pkcs7 && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps
+	[ -z "$(THIS)" ] || (	if echo ${SDIRS} | fgrep ' des '; \
+				then cd des && $(MAKE) -e des; fi )
+	[ -z "$(THIS)" ] || ( cd pkcs7 && $(MAKE) -e testapps );
+	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
 
 subdirs:
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making all in crypto/$$i..." && \
-	$(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
-	done;
+	@target=all; $(RECURSIVE_MAKE)
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making 'files' in crypto/$$i..." && \
-	$(MAKE) PERL='${PERL}' files ); \
-	done;
+	@target=files; $(RECURSIVE_MAKE)
 
 links:
 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
-	@for i in $(SDIRS); do \
-	(cd $$i && echo "making links in crypto/$$i..." && \
-	$(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \
-	done;
+	@target=links; $(RECURSIVE_MAKE)
 
-lib:	$(LIBOBJ)
+# lib: and $(LIB): are splitted to avoid end-less loop
+lib:	$(LIB)
+	@touch lib
+$(LIB):	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
-	@touch lib
 
 shared: buildinf.h lib subdirs
 	if [ -n "$(SHARED_LIBS)" ]; then \
@@ -99,119 +107,98 @@ shared: buildinf.h lib subdirs
 	fi
 
 libs:
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making libs in crypto/$$i..." && \
-	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' lib ); \
-	done;
-
-tests:
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making tests in crypto/$$i..." && \
-	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' tests ); \
-	done;
+	@target=lib; $(RECURSIVE_MAKE)
 
 install:
-	@for i in $(EXHEADER) ;\
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making install in crypto/$$i..." && \
-	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}'  INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \
-	done;
+	@target=install; $(RECURSIVE_MAKE)
 
 lint:
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making lint in crypto/$$i..." && \
-	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' lint ); \
-	done;
+	@target=lint; $(RECURSIVE_MAKE)
 
 depend:
-	if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
-	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
-	if [ ! -s buildinf.h ]; then rm buildinf.h; fi
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making depend in crypto/$$i..." && \
-	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ); \
-	done;
+	@[ -z "$(THIS)" -o -f buildinf.h ] || touch buildinf.h # fake buildinf.h if it does not exist
+	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+	@[ -z "$(THIS)" -o -s buildinf.h ] || rm buildinf.h
+	@[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) )
+	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
 
 clean:
-	rm -f buildinf.h *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making clean in crypto/$$i..." && \
-	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' clean ); \
-	done;
+	rm -f buildinf.h *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	@target=clean; $(RECURSIVE_MAKE)
 
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
 	mv -f Makefile.new $(MAKEFILE)
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making dclean in crypto/$$i..." && \
-	$(MAKE) PERL='${PERL}' CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' dclean ); \
-	done;
+	@target=dclean; $(RECURSIVE_MAKE)
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 cpt_err.o: ../include/openssl/bio.h ../include/openssl/crypto.h
 cpt_err.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 cpt_err.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-cpt_err.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-cpt_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cpt_err.c
+cpt_err.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+cpt_err.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+cpt_err.o: ../include/openssl/symhacks.h cpt_err.c
 cryptlib.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 cryptlib.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 cryptlib.o: ../include/openssl/err.h ../include/openssl/lhash.h
 cryptlib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-cryptlib.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-cryptlib.o: ../include/openssl/symhacks.h cryptlib.c cryptlib.h
+cryptlib.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+cryptlib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.c
+cryptlib.o: cryptlib.h
 cversion.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 cversion.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 cversion.o: ../include/openssl/err.h ../include/openssl/lhash.h
 cversion.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-cversion.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-cversion.o: ../include/openssl/symhacks.h buildinf.h cryptlib.h cversion.c
+cversion.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+cversion.o: ../include/openssl/stack.h ../include/openssl/symhacks.h buildinf.h
+cversion.o: cryptlib.h cversion.c
 ebcdic.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h ebcdic.c
 ex_data.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 ex_data.o: ../include/openssl/err.h ../include/openssl/lhash.h
 ex_data.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ex_data.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-ex_data.o: ../include/openssl/symhacks.h cryptlib.h ex_data.c
+ex_data.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
+ex_data.o: ex_data.c
 mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem.o: ../include/openssl/err.h ../include/openssl/lhash.h
 mem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-mem.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-mem.o: ../include/openssl/symhacks.h cryptlib.h mem.c
+mem.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+mem.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
+mem.o: mem.c
 mem_clr.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem_clr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-mem_clr.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-mem_clr.o: ../include/openssl/symhacks.h mem_clr.c
+mem_clr.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+mem_clr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h mem_clr.c
 mem_dbg.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem_dbg.o: ../include/openssl/err.h ../include/openssl/lhash.h
 mem_dbg.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-mem_dbg.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-mem_dbg.o: ../include/openssl/symhacks.h cryptlib.h mem_dbg.c
-o_str.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_str.c
-o_str.o: o_str.h
+mem_dbg.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+mem_dbg.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
+mem_dbg.o: mem_dbg.c
+o_dir.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
+o_dir.o: LPdir_unix.c o_dir.c o_dir.h
+o_str.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
+o_str.o: o_str.c o_str.h
 o_time.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_time.c
 o_time.o: o_time.h
 tmdiff.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 tmdiff.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 tmdiff.o: ../include/openssl/err.h ../include/openssl/lhash.h
 tmdiff.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-tmdiff.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-tmdiff.o: ../include/openssl/symhacks.h ../include/openssl/tmdiff.h cryptlib.h
-tmdiff.o: tmdiff.c
+tmdiff.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+tmdiff.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h tmdiff.c
 uid.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 uid.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-uid.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-uid.o: ../include/openssl/symhacks.h uid.c
+uid.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+uid.o: ../include/openssl/stack.h ../include/openssl/symhacks.h uid.c
diff --git a/crypto/openssl/crypto/aes/Makefile b/crypto/openssl/crypto/aes/Makefile
index 71087bc18f1e..057b70bdd157 100644
--- a/crypto/openssl/crypto/aes/Makefile
+++ b/crypto/openssl/crypto/aes/Makefile
@@ -8,16 +8,14 @@ CC=	cc
 CPP=	$(CC) -E
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=	/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
-# CFLAGS= -mpentiumpro $(INCLUDES) $(CFLAG) -O3 -fexpensive-optimizations -funroll-loops -fforce-addr
+AES_ASM_OBJ=aes_core.o aes_cbc.o
+
 CFLAGS= $(INCLUDES) $(CFLAG)
+ASFLAGS= $(INCLUDES) $(ASFLAG)
+AFLAGS= $(ASFLAGS)
 
 GENERAL=Makefile
 #TEST=aestest.c
@@ -26,7 +24,7 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC=aes_core.c aes_misc.c aes_ecb.c aes_cbc.c aes_cfb.c aes_ofb.c aes_ctr.c
-LIBOBJ=aes_core.o aes_misc.o aes_ecb.o aes_cbc.o aes_cfb.o aes_ofb.o aes_ctr.o
+LIBOBJ=aes_misc.o aes_ecb.o aes_cfb.o aes_ofb.o aes_ctr.o $(AES_ASM_OBJ)
 
 SRC= $(LIBSRC)
 
@@ -47,6 +45,16 @@ lib:	$(LIBOBJ)
 
 $(LIBOBJ): $(LIBSRC)
 
+aes-ia64.s: asm/aes-ia64.S
+	$(CC) $(CFLAGS) -E asm/aes-ia64.S > $@
+
+ax86-elf.s: asm/aes-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) aes-586.pl elf $(CFLAGS) $(PROCESSOR) > ../$@)
+ax86-cof.s: asm/aes-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) aes-586.pl coff $(CFLAGS) $(PROCESSOR) > ../$@)
+ax86-out.s: asm/aes-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) aes-586.pl a.out $(CFLAGS) $(PROCESSOR) > ../$@)
+
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
 
@@ -55,10 +63,9 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
-install: installs
-
-installs:
-	@for i in $(EXHEADER) ; \
+install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -73,6 +80,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -80,17 +88,17 @@ dclean:
 	mv -f Makefile.new $(MAKEFILE)
 
 clean:
-	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 aes_cbc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_cbc.o: ../../include/openssl/opensslconf.h aes_cbc.c aes_locl.h
-aes_cfb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
-aes_cfb.o: ../../include/openssl/opensslconf.h aes_cfb.c aes_locl.h
+aes_cfb.o: ../../e_os.h ../../include/openssl/aes.h
+aes_cfb.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+aes_cfb.o: aes_cfb.c aes_locl.h
 aes_core.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
-aes_core.o: ../../include/openssl/fips.h ../../include/openssl/opensslconf.h
-aes_core.o: aes_core.c aes_locl.h
+aes_core.o: ../../include/openssl/opensslconf.h aes_core.c aes_locl.h
 aes_ctr.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_ctr.o: ../../include/openssl/opensslconf.h aes_ctr.c aes_locl.h
 aes_ecb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
diff --git a/crypto/openssl/crypto/aes/aes.h b/crypto/openssl/crypto/aes/aes.h
index 8a3ea0b88366..9ffcc9ff2a30 100644
--- a/crypto/openssl/crypto/aes/aes.h
+++ b/crypto/openssl/crypto/aes/aes.h
@@ -52,7 +52,7 @@
 #ifndef HEADER_AES_H
 #define HEADER_AES_H
 
-#include <openssl/e_os2.h>
+#include <openssl/opensslconf.h>
 
 #ifdef OPENSSL_NO_AES
 #error AES is disabled.
@@ -66,17 +66,17 @@
 #define AES_MAXNR 14
 #define AES_BLOCK_SIZE 16
 
-#if defined(OPENSSL_FIPS)
-#define FIPS_AES_SIZE_T	int
-#endif
-
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
 /* This should be a hidden type, but EVP requires that the size be known */
 struct aes_key_st {
+#ifdef AES_LONG
     unsigned long rd_key[4 *(AES_MAXNR + 1)];
+#else
+    unsigned int rd_key[4 *(AES_MAXNR + 1)];
+#endif
     int rounds;
 };
 typedef struct aes_key_st AES_KEY;
diff --git a/crypto/openssl/crypto/aes/aes_cbc.c b/crypto/openssl/crypto/aes/aes_cbc.c
index 1222a21002c1..d2ba6bcdb465 100644
--- a/crypto/openssl/crypto/aes/aes_cbc.c
+++ b/crypto/openssl/crypto/aes/aes_cbc.c
@@ -66,6 +66,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 	unsigned long n;
 	unsigned long len = length;
 	unsigned char tmp[AES_BLOCK_SIZE];
+	const unsigned char *iv = ivec;
 
 	assert(in && out && key && ivec);
 	assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
@@ -73,22 +74,39 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 	if (AES_ENCRYPT == enc) {
 		while (len >= AES_BLOCK_SIZE) {
 			for(n=0; n < AES_BLOCK_SIZE; ++n)
-				tmp[n] = in[n] ^ ivec[n];
-			AES_encrypt(tmp, out, key);
-			memcpy(ivec, out, AES_BLOCK_SIZE);
+				out[n] = in[n] ^ iv[n];
+			AES_encrypt(out, out, key);
+			iv = out;
 			len -= AES_BLOCK_SIZE;
 			in += AES_BLOCK_SIZE;
 			out += AES_BLOCK_SIZE;
 		}
 		if (len) {
 			for(n=0; n < len; ++n)
-				tmp[n] = in[n] ^ ivec[n];
+				out[n] = in[n] ^ iv[n];
 			for(n=len; n < AES_BLOCK_SIZE; ++n)
-				tmp[n] = ivec[n];
-			AES_encrypt(tmp, tmp, key);
-			memcpy(out, tmp, AES_BLOCK_SIZE);
-			memcpy(ivec, tmp, AES_BLOCK_SIZE);
-		}			
+				out[n] = iv[n];
+			AES_encrypt(out, out, key);
+			iv = out;
+		}
+		memcpy(ivec,iv,AES_BLOCK_SIZE);
+	} else if (in != out) {
+		while (len >= AES_BLOCK_SIZE) {
+			AES_decrypt(in, out, key);
+			for(n=0; n < AES_BLOCK_SIZE; ++n)
+				out[n] ^= iv[n];
+			iv = in;
+			len -= AES_BLOCK_SIZE;
+			in  += AES_BLOCK_SIZE;
+			out += AES_BLOCK_SIZE;
+		}
+		if (len) {
+			AES_decrypt(in,tmp,key);
+			for(n=0; n < len; ++n)
+				out[n] = tmp[n] ^ iv[n];
+			iv = in;
+		}
+		memcpy(ivec,iv,AES_BLOCK_SIZE);
 	} else {
 		while (len >= AES_BLOCK_SIZE) {
 			memcpy(tmp, in, AES_BLOCK_SIZE);
@@ -102,10 +120,12 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 		}
 		if (len) {
 			memcpy(tmp, in, AES_BLOCK_SIZE);
-			AES_decrypt(tmp, tmp, key);
+			AES_decrypt(tmp, out, key);
 			for(n=0; n < len; ++n)
-				out[n] = tmp[n] ^ ivec[n];
+				out[n] ^= ivec[n];
+			for(n=len; n < AES_BLOCK_SIZE; ++n)
+				out[n] = tmp[n];
 			memcpy(ivec, tmp, AES_BLOCK_SIZE);
-		}			
+		}
 	}
 }
diff --git a/crypto/openssl/crypto/aes/aes_cfb.c b/crypto/openssl/crypto/aes/aes_cfb.c
index 2e0c41ec2b6b..49f0411010c3 100644
--- a/crypto/openssl/crypto/aes/aes_cfb.c
+++ b/crypto/openssl/crypto/aes/aes_cfb.c
@@ -114,6 +114,7 @@
 
 #include <openssl/aes.h>
 #include "aes_locl.h"
+#include "e_os.h"
 
 /* The input and output encrypted as though 128bit cfb mode is being
  * used.  The extra state information to record how much of the
@@ -157,61 +158,35 @@ void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
 
 /* This expects a single block of size nbits for both in and out. Note that
    it corrupts any extra bits in the last byte of out */
-/* Untested, once it is working, it will be optimised */
 void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out,
 			    const int nbits,const AES_KEY *key,
 			    unsigned char *ivec,const int enc)
     {
-    int n;
+    int n,rem,num;
     unsigned char ovec[AES_BLOCK_SIZE*2];
 
-    assert(in && out && key && ivec);
-    if(enc)
-	{
-	/* construct the new IV */
-	AES_encrypt(ivec,ovec,key);
-	/* encrypt the input */
-	for(n=0 ; n < (nbits+7)/8 ; ++n)
-	    out[n]=in[n]^ovec[n];
-	/* fill in the first half of the new IV with the current IV */
-	memcpy(ovec,ivec,AES_BLOCK_SIZE);
-	/* and put the ciphertext in the second half */
-	memcpy(ovec+AES_BLOCK_SIZE,out,(nbits+7)/8);
-	/* shift ovec left most of the bits... */
-	memmove(ovec,ovec+nbits/8,AES_BLOCK_SIZE+(nbits%8 ? 1 : 0));
-	/* now the remaining bits */
-	if(nbits%8 != 0)
-	    for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
-		{
-		ovec[n]<<=nbits%8;
-		ovec[n]|=ovec[n+1]>>(8-nbits%8);
-		}
-	/* finally, move it back into place */
-	memcpy(ivec,ovec,AES_BLOCK_SIZE);
-	}
-    else
-	{
-	/* construct the new IV in the first half of ovec */
-	AES_encrypt(ivec,ovec,key);
-	/* decrypt the input */
-	for(n=0 ; n < (nbits+7)/8 ; ++n)
-	    out[n]=in[n]^ovec[n];
+    if (nbits<=0 || nbits>128) return;
+
 	/* fill in the first half of the new IV with the current IV */
 	memcpy(ovec,ivec,AES_BLOCK_SIZE);
-	/* append the ciphertext */
-	memcpy(ovec+AES_BLOCK_SIZE,in,(nbits+7)/8);
-	/* shift ovec left most of the bits... */
-	memmove(ovec,ovec+nbits/8,AES_BLOCK_SIZE+(nbits%8 ? 1 : 0));
-	/* now the remaining bits */
-	if(nbits%8 != 0)
+	/* construct the new IV */
+	AES_encrypt(ivec,ivec,key);
+	num = (nbits+7)/8;
+	if (enc)	/* encrypt the input */
+	    for(n=0 ; n < num ; ++n)
+		out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n] ^ ivec[n]);
+	else		/* decrypt the input */
+	    for(n=0 ; n < num ; ++n)
+		out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n]) ^ ivec[n];
+	/* shift ovec left... */
+	rem = nbits%8;
+	num = nbits/8;
+	if(rem==0)
+	    memcpy(ivec,ovec+num,AES_BLOCK_SIZE);
+	else
 	    for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
-		{
-		ovec[n]<<=nbits%8;
-		ovec[n]|=ovec[n+1]>>(8-nbits%8);
-		}
-	/* finally, move it back into place */
-	memcpy(ivec,ovec,AES_BLOCK_SIZE);
-	}
+		ivec[n] = ovec[n+num]<<rem | ovec[n+num+1]>>(8-rem);
+
     /* it is not necessary to cleanse ovec, since the IV is not secret */
     }
 
diff --git a/crypto/openssl/crypto/aes/aes_core.c b/crypto/openssl/crypto/aes/aes_core.c
index ed566a81233f..410ae2e8e88a 100644
--- a/crypto/openssl/crypto/aes/aes_core.c
+++ b/crypto/openssl/crypto/aes/aes_core.c
@@ -37,11 +37,8 @@
 
 #include <stdlib.h>
 #include <openssl/aes.h>
-#include <openssl/fips.h>
 #include "aes_locl.h"
 
-#ifndef OPENSSL_FIPS
-
 /*
 Te0[x] = S [x].[02, 01, 01, 03];
 Te1[x] = S [x].[03, 02, 01, 01];
@@ -56,6 +53,13 @@ Td3[x] = Si[x].[09, 0d, 0b, 0e];
 Td4[x] = Si[x].[01, 01, 01, 01];
 */
 
+#ifdef AES_ASM
+extern const u32 AES_Te[5][256];
+#define Te0 AES_Te[0]
+#define Te1 AES_Te[1]
+#define Te2 AES_Te[2]
+#define Te3 AES_Te[3]
+#else
 static const u32 Te0[256] = {
     0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
     0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
@@ -255,7 +259,6 @@ static const u32 Te2[256] = {
     0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
 };
 static const u32 Te3[256] = {
-
     0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
     0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
     0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
@@ -321,6 +324,7 @@ static const u32 Te3[256] = {
     0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
     0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
 };
+#endif
 static const u32 Te4[256] = {
     0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
     0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
@@ -387,6 +391,14 @@ static const u32 Te4[256] = {
     0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
     0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
 };
+
+#ifdef AES_ASM
+extern const u32 AES_Td[5][256];
+#define Td0 AES_Td[0]
+#define Td1 AES_Td[1]
+#define Td2 AES_Td[2]
+#define Td3 AES_Td[3]
+#else
 static const u32 Td0[256] = {
     0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
     0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
@@ -540,7 +552,6 @@ static const u32 Td2[256] = {
     0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U,
     0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U,
     0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU,
-
     0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U,
     0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U,
     0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U,
@@ -652,6 +663,7 @@ static const u32 Td3[256] = {
     0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
     0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
 };
+#endif
 static const u32 Td4[256] = {
     0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U,
     0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U,
@@ -876,6 +888,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
 	return 0;
 }
 
+#ifndef AES_ASM
 /*
  * Encrypt a single block
  * in and out can overlap
@@ -1258,4 +1271,4 @@ void AES_decrypt(const unsigned char *in, unsigned char *out,
 	PUTU32(out + 12, s3);
 }
 
-#endif /* ndef OPENSSL_FIPS */
+#endif /* AES_ASM */
diff --git a/crypto/openssl/crypto/aes/aes_locl.h b/crypto/openssl/crypto/aes/aes_locl.h
index 4184729e344d..054b442d416f 100644
--- a/crypto/openssl/crypto/aes/aes_locl.h
+++ b/crypto/openssl/crypto/aes/aes_locl.h
@@ -62,7 +62,7 @@
 #include <stdlib.h>
 #include <string.h>
 
-#if defined(_MSC_VER) && !defined(_M_IA64) && !defined(OPENSSL_SYS_WINCE)
+#if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64))
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
 # define GETU32(p) SWAP(*((u32 *)(p)))
 # define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
@@ -71,7 +71,11 @@
 # define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >>  8); (ct)[3] = (u8)(st); }
 #endif
 
+#ifdef AES_LONG
 typedef unsigned long u32;
+#else
+typedef unsigned int u32;
+#endif
 typedef unsigned short u16;
 typedef unsigned char u8;
 
diff --git a/crypto/openssl/crypto/aes/asm/aes-586.pl b/crypto/openssl/crypto/aes/asm/aes-586.pl
new file mode 100755
index 000000000000..c1206238819a
--- /dev/null
+++ b/crypto/openssl/crypto/aes/asm/aes-586.pl
@@ -0,0 +1,1531 @@
+#!/usr/bin/env perl
+#
+# ====================================================================
+# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+# project. Rights for redistribution and usage in source and binary
+# forms are granted according to the OpenSSL license.
+# ====================================================================
+#
+# Version 3.4.
+#
+# You might fail to appreciate this module performance from the first
+# try. If compared to "vanilla" linux-ia32-icc target, i.e. considered
+# to be *the* best Intel C compiler without -KPIC, performance appears
+# to be virtually identical... But try to re-configure with shared
+# library support... Aha! Intel compiler "suddenly" lags behind by 30%
+# [on P4, more on others]:-) And if compared to position-independent
+# code generated by GNU C, this code performs *more* than *twice* as
+# fast! Yes, all this buzz about PIC means that unlike other hand-
+# coded implementations, this one was explicitly designed to be safe
+# to use even in shared library context... This also means that this
+# code isn't necessarily absolutely fastest "ever," because in order
+# to achieve position independence an extra register has to be
+# off-loaded to stack, which affects the benchmark result.
+#
+# Special note about instruction choice. Do you recall RC4_INT code
+# performing poorly on P4? It might be the time to figure out why.
+# RC4_INT code implies effective address calculations in base+offset*4
+# form. Trouble is that it seems that offset scaling turned to be
+# critical path... At least eliminating scaling resulted in 2.8x RC4
+# performance improvement [as you might recall]. As AES code is hungry
+# for scaling too, I [try to] avoid the latter by favoring off-by-2
+# shifts and masking the result with 0xFF<<2 instead of "boring" 0xFF.
+#
+# As was shown by Dean Gaudet <dean@arctic.org>, the above note turned
+# void. Performance improvement with off-by-2 shifts was observed on
+# intermediate implementation, which was spilling yet another register
+# to stack... Final offset*4 code below runs just a tad faster on P4,
+# but exhibits up to 10% improvement on other cores.
+#
+# Second version is "monolithic" replacement for aes_core.c, which in
+# addition to AES_[de|en]crypt implements AES_set_[de|en]cryption_key.
+# This made it possible to implement little-endian variant of the
+# algorithm without modifying the base C code. Motivating factor for
+# the undertaken effort was that it appeared that in tight IA-32
+# register window little-endian flavor could achieve slightly higher
+# Instruction Level Parallelism, and it indeed resulted in up to 15%
+# better performance on most recent µ-archs...
+#
+# Third version adds AES_cbc_encrypt implementation, which resulted in
+# up to 40% performance imrovement of CBC benchmark results. 40% was
+# observed on P4 core, where "overall" imrovement coefficient, i.e. if
+# compared to PIC generated by GCC and in CBC mode, was observed to be
+# as large as 4x:-) CBC performance is virtually identical to ECB now
+# and on some platforms even better, e.g. 17.6 "small" cycles/byte on
+# Opteron, because certain function prologues and epilogues are
+# effectively taken out of the loop...
+#
+# Version 3.2 implements compressed tables and prefetch of these tables
+# in CBC[!] mode. Former means that 3/4 of table references are now
+# misaligned, which unfortunately has negative impact on elder IA-32
+# implementations, Pentium suffered 30% penalty, PIII - 10%.
+#
+# Version 3.3 avoids L1 cache aliasing between stack frame and
+# S-boxes, and 3.4 - L1 cache aliasing even between key schedule. The
+# latter is achieved by copying the key schedule to controlled place in
+# stack. This unfortunately has rather strong impact on small block CBC
+# performance, ~2x deterioration on 16-byte block if compared to 3.3.
+#
+# Current ECB performance numbers for 128-bit key in CPU cycles per
+# processed byte [measure commonly used by AES benchmarkers] are:
+#
+#		small footprint		fully unrolled
+# P4		24			22
+# AMD K8	20			19
+# PIII		25			23
+# Pentium	81			78
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+&asm_init($ARGV[0],"aes-586.pl",$ARGV[$#ARGV] eq "386");
+
+$s0="eax";
+$s1="ebx";
+$s2="ecx";
+$s3="edx";
+$key="edi";
+$acc="esi";
+
+$compromise=0;		# $compromise=128 abstains from copying key
+			# schedule to stack when encrypting inputs
+			# shorter than 128 bytes at the cost of
+			# risksing aliasing with S-boxes. In return
+			# you get way better, up to +70%, small block
+			# performance.
+$small_footprint=1;	# $small_footprint=1 code is ~5% slower [on
+			# recent µ-archs], but ~5 times smaller!
+			# I favor compact code to minimize cache
+			# contention and in hope to "collect" 5% back
+			# in real-life applications...
+$vertical_spin=0;	# shift "verticaly" defaults to 0, because of
+			# its proof-of-concept status...
+
+# Note that there is no decvert(), as well as last encryption round is
+# performed with "horizontal" shifts. This is because this "vertical"
+# implementation [one which groups shifts on a given $s[i] to form a
+# "column," unlike "horizontal" one, which groups shifts on different
+# $s[i] to form a "row"] is work in progress. It was observed to run
+# few percents faster on Intel cores, but not AMD. On AMD K8 core it's
+# whole 12% slower:-( So we face a trade-off... Shall it be resolved
+# some day? Till then the code is considered experimental and by
+# default remains dormant...
+
+sub encvert()
+{ my ($te,@s) = @_;
+  my $v0 = $acc, $v1 = $key;
+
+	&mov	($v0,$s[3]);				# copy s3
+	&mov	(&DWP(4,"esp"),$s[2]);			# save s2
+	&mov	($v1,$s[0]);				# copy s0
+	&mov	(&DWP(8,"esp"),$s[1]);			# save s1
+
+	&movz	($s[2],&HB($s[0]));
+	&and	($s[0],0xFF);
+	&mov	($s[0],&DWP(0,$te,$s[0],8));		# s0>>0
+	&shr	($v1,16);
+	&mov	($s[3],&DWP(3,$te,$s[2],8));		# s0>>8
+	&movz	($s[1],&HB($v1));
+	&and	($v1,0xFF);
+	&mov	($s[2],&DWP(2,$te,$v1,8));		# s0>>16
+	 &mov	($v1,$v0);
+	&mov	($s[1],&DWP(1,$te,$s[1],8));		# s0>>24
+
+	&and	($v0,0xFF);
+	&xor	($s[3],&DWP(0,$te,$v0,8));		# s3>>0
+	&movz	($v0,&HB($v1));
+	&shr	($v1,16);
+	&xor	($s[2],&DWP(3,$te,$v0,8));		# s3>>8
+	&movz	($v0,&HB($v1));
+	&and	($v1,0xFF);
+	&xor	($s[1],&DWP(2,$te,$v1,8));		# s3>>16
+	 &mov	($v1,&DWP(4,"esp"));			# restore s2
+	&xor	($s[0],&DWP(1,$te,$v0,8));		# s3>>24
+
+	&mov	($v0,$v1);
+	&and	($v1,0xFF);
+	&xor	($s[2],&DWP(0,$te,$v1,8));		# s2>>0
+	&movz	($v1,&HB($v0));
+	&shr	($v0,16);
+	&xor	($s[1],&DWP(3,$te,$v1,8));		# s2>>8
+	&movz	($v1,&HB($v0));
+	&and	($v0,0xFF);
+	&xor	($s[0],&DWP(2,$te,$v0,8));		# s2>>16
+	 &mov	($v0,&DWP(8,"esp"));			# restore s1
+	&xor	($s[3],&DWP(1,$te,$v1,8));		# s2>>24
+
+	&mov	($v1,$v0);
+	&and	($v0,0xFF);
+	&xor	($s[1],&DWP(0,$te,$v0,8));		# s1>>0
+	&movz	($v0,&HB($v1));
+	&shr	($v1,16);
+	&xor	($s[0],&DWP(3,$te,$v0,8));		# s1>>8
+	&movz	($v0,&HB($v1));
+	&and	($v1,0xFF);
+	&xor	($s[3],&DWP(2,$te,$v1,8));		# s1>>16
+	 &mov	($key,&DWP(12,"esp"));			# reincarnate v1 as key
+	&xor	($s[2],&DWP(1,$te,$v0,8));		# s1>>24
+}
+
+sub encstep()
+{ my ($i,$te,@s) = @_;
+  my $tmp = $key;
+  my $out = $i==3?$s[0]:$acc;
+
+	# lines marked with #%e?x[i] denote "reordered" instructions...
+	if ($i==3)  {	&mov	($key,&DWP(12,"esp"));		}##%edx
+	else        {	&mov	($out,$s[0]);
+			&and	($out,0xFF);			}
+	if ($i==1)  {	&shr	($s[0],16);			}#%ebx[1]
+	if ($i==2)  {	&shr	($s[0],24);			}#%ecx[2]
+			&mov	($out,&DWP(0,$te,$out,8));
+
+	if ($i==3)  {	$tmp=$s[1];				}##%eax
+			&movz	($tmp,&HB($s[1]));
+			&xor	($out,&DWP(3,$te,$tmp,8));
+
+	if ($i==3)  {	$tmp=$s[2]; &mov ($s[1],&DWP(4,"esp"));	}##%ebx
+	else        {	&mov	($tmp,$s[2]);
+			&shr	($tmp,16);			}
+	if ($i==2)  {	&and	($s[1],0xFF);			}#%edx[2]
+			&and	($tmp,0xFF);
+			&xor	($out,&DWP(2,$te,$tmp,8));
+
+	if ($i==3)  {	$tmp=$s[3]; &mov ($s[2],&DWP(8,"esp"));	}##%ecx
+	elsif($i==2){	&movz	($tmp,&HB($s[3]));		}#%ebx[2]
+	else        {	&mov	($tmp,$s[3]); 
+			&shr	($tmp,24)			}
+			&xor	($out,&DWP(1,$te,$tmp,8));
+	if ($i<2)   {	&mov	(&DWP(4+4*$i,"esp"),$out);	}
+	if ($i==3)  {	&mov	($s[3],$acc);			}
+			&comment();
+}
+
+sub enclast()
+{ my ($i,$te,@s)=@_;
+  my $tmp = $key;
+  my $out = $i==3?$s[0]:$acc;
+
+	if ($i==3)  {	&mov	($key,&DWP(12,"esp"));		}##%edx
+	else        {	&mov	($out,$s[0]);			}
+			&and	($out,0xFF);
+	if ($i==1)  {	&shr	($s[0],16);			}#%ebx[1]
+	if ($i==2)  {	&shr	($s[0],24);			}#%ecx[2]
+			&mov	($out,&DWP(2,$te,$out,8));
+			&and	($out,0x000000ff);
+
+	if ($i==3)  {	$tmp=$s[1];				}##%eax
+			&movz	($tmp,&HB($s[1]));
+			&mov	($tmp,&DWP(0,$te,$tmp,8));
+			&and	($tmp,0x0000ff00);
+			&xor	($out,$tmp);
+
+	if ($i==3)  {	$tmp=$s[2]; &mov ($s[1],&DWP(4,"esp"));	}##%ebx
+	else        {	mov	($tmp,$s[2]);
+			&shr	($tmp,16);			}
+	if ($i==2)  {	&and	($s[1],0xFF);			}#%edx[2]
+			&and	($tmp,0xFF);
+			&mov	($tmp,&DWP(0,$te,$tmp,8));
+			&and	($tmp,0x00ff0000);
+			&xor	($out,$tmp);
+
+	if ($i==3)  {	$tmp=$s[3]; &mov ($s[2],&DWP(8,"esp"));	}##%ecx
+	elsif($i==2){	&movz	($tmp,&HB($s[3]));		}#%ebx[2]
+	else        {	&mov	($tmp,$s[3]);
+			&shr	($tmp,24);			}
+			&mov	($tmp,&DWP(2,$te,$tmp,8));
+			&and	($tmp,0xff000000);
+			&xor	($out,$tmp);
+	if ($i<2)   {	&mov	(&DWP(4+4*$i,"esp"),$out);	}
+	if ($i==3)  {	&mov	($s[3],$acc);			}
+}
+
+sub _data_word() { my $i; while(defined($i=shift)) { &data_word($i,$i); } }
+
+&public_label("AES_Te");
+&function_begin_B("_x86_AES_encrypt");
+	if ($vertical_spin) {
+		# I need high parts of volatile registers to be accessible...
+		&exch	($s1="edi",$key="ebx");
+		&mov	($s2="esi",$acc="ecx");
+	}
+
+	# note that caller is expected to allocate stack frame for me!
+	&mov	(&DWP(12,"esp"),$key);		# save key
+
+	&xor	($s0,&DWP(0,$key));		# xor with key
+	&xor	($s1,&DWP(4,$key));
+	&xor	($s2,&DWP(8,$key));
+	&xor	($s3,&DWP(12,$key));
+
+	&mov	($acc,&DWP(240,$key));		# load key->rounds
+
+	if ($small_footprint) {
+	    &lea	($acc,&DWP(-2,$acc,$acc));
+	    &lea	($acc,&DWP(0,$key,$acc,8));
+	    &mov	(&DWP(16,"esp"),$acc);	# end of key schedule
+	    &align	(4);
+	    &set_label("loop");
+		if ($vertical_spin) {
+		    &encvert("ebp",$s0,$s1,$s2,$s3);
+		} else {
+		    &encstep(0,"ebp",$s0,$s1,$s2,$s3);
+		    &encstep(1,"ebp",$s1,$s2,$s3,$s0);
+		    &encstep(2,"ebp",$s2,$s3,$s0,$s1);
+		    &encstep(3,"ebp",$s3,$s0,$s1,$s2);
+		}
+		&add	($key,16);		# advance rd_key
+		&xor	($s0,&DWP(0,$key));
+		&xor	($s1,&DWP(4,$key));
+		&xor	($s2,&DWP(8,$key));
+		&xor	($s3,&DWP(12,$key));
+	    &cmp	($key,&DWP(16,"esp"));
+	    &mov	(&DWP(12,"esp"),$key);
+	    &jb		(&label("loop"));
+	}
+	else {
+	    &cmp	($acc,10);
+	    &jle	(&label("10rounds"));
+	    &cmp	($acc,12);
+	    &jle	(&label("12rounds"));
+
+	&set_label("14rounds");
+	    for ($i=1;$i<3;$i++) {
+		if ($vertical_spin) {
+		    &encvert("ebp",$s0,$s1,$s2,$s3);
+		} else {
+		    &encstep(0,"ebp",$s0,$s1,$s2,$s3);
+		    &encstep(1,"ebp",$s1,$s2,$s3,$s0);
+		    &encstep(2,"ebp",$s2,$s3,$s0,$s1);
+		    &encstep(3,"ebp",$s3,$s0,$s1,$s2);
+		}
+		&xor	($s0,&DWP(16*$i+0,$key));
+		&xor	($s1,&DWP(16*$i+4,$key));
+		&xor	($s2,&DWP(16*$i+8,$key));
+		&xor	($s3,&DWP(16*$i+12,$key));
+	    }
+	    &add	($key,32);
+	    &mov	(&DWP(12,"esp"),$key);	# advance rd_key
+	&set_label("12rounds");
+	    for ($i=1;$i<3;$i++) {
+		if ($vertical_spin) {
+		    &encvert("ebp",$s0,$s1,$s2,$s3);
+		} else {
+		    &encstep(0,"ebp",$s0,$s1,$s2,$s3);
+		    &encstep(1,"ebp",$s1,$s2,$s3,$s0);
+		    &encstep(2,"ebp",$s2,$s3,$s0,$s1);
+		    &encstep(3,"ebp",$s3,$s0,$s1,$s2);
+		}
+		&xor	($s0,&DWP(16*$i+0,$key));
+		&xor	($s1,&DWP(16*$i+4,$key));
+		&xor	($s2,&DWP(16*$i+8,$key));
+		&xor	($s3,&DWP(16*$i+12,$key));
+	    }
+	    &add	($key,32);
+	    &mov	(&DWP(12,"esp"),$key);	# advance rd_key
+	&set_label("10rounds");
+	    for ($i=1;$i<10;$i++) {
+		if ($vertical_spin) {
+		    &encvert("ebp",$s0,$s1,$s2,$s3);
+		} else {
+		    &encstep(0,"ebp",$s0,$s1,$s2,$s3);
+		    &encstep(1,"ebp",$s1,$s2,$s3,$s0);
+		    &encstep(2,"ebp",$s2,$s3,$s0,$s1);
+		    &encstep(3,"ebp",$s3,$s0,$s1,$s2);
+		}
+		&xor	($s0,&DWP(16*$i+0,$key));
+		&xor	($s1,&DWP(16*$i+4,$key));
+		&xor	($s2,&DWP(16*$i+8,$key));
+		&xor	($s3,&DWP(16*$i+12,$key));
+	    }
+	}
+
+	if ($vertical_spin) {
+	    # "reincarnate" some registers for "horizontal" spin...
+	    &mov	($s1="ebx",$key="edi");
+	    &mov	($s2="ecx",$acc="esi");
+	}
+	&enclast(0,"ebp",$s0,$s1,$s2,$s3);
+	&enclast(1,"ebp",$s1,$s2,$s3,$s0);
+	&enclast(2,"ebp",$s2,$s3,$s0,$s1);
+	&enclast(3,"ebp",$s3,$s0,$s1,$s2);
+
+	&add	($key,$small_footprint?16:160);
+	&xor	($s0,&DWP(0,$key));
+	&xor	($s1,&DWP(4,$key));
+	&xor	($s2,&DWP(8,$key));
+	&xor	($s3,&DWP(12,$key));
+
+	&ret	();
+
+&set_label("AES_Te",64);	# Yes! I keep it in the code segment!
+	&_data_word(0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6);
+	&_data_word(0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591);
+	&_data_word(0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56);
+	&_data_word(0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec);
+	&_data_word(0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa);
+	&_data_word(0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb);
+	&_data_word(0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45);
+	&_data_word(0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b);
+	&_data_word(0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c);
+	&_data_word(0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83);
+	&_data_word(0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9);
+	&_data_word(0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a);
+	&_data_word(0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d);
+	&_data_word(0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f);
+	&_data_word(0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df);
+	&_data_word(0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea);
+	&_data_word(0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34);
+	&_data_word(0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b);
+	&_data_word(0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d);
+	&_data_word(0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413);
+	&_data_word(0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1);
+	&_data_word(0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6);
+	&_data_word(0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972);
+	&_data_word(0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85);
+	&_data_word(0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed);
+	&_data_word(0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511);
+	&_data_word(0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe);
+	&_data_word(0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b);
+	&_data_word(0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05);
+	&_data_word(0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1);
+	&_data_word(0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142);
+	&_data_word(0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf);
+	&_data_word(0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3);
+	&_data_word(0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e);
+	&_data_word(0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a);
+	&_data_word(0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6);
+	&_data_word(0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3);
+	&_data_word(0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b);
+	&_data_word(0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428);
+	&_data_word(0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad);
+	&_data_word(0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14);
+	&_data_word(0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8);
+	&_data_word(0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4);
+	&_data_word(0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2);
+	&_data_word(0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda);
+	&_data_word(0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949);
+	&_data_word(0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf);
+	&_data_word(0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810);
+	&_data_word(0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c);
+	&_data_word(0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697);
+	&_data_word(0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e);
+	&_data_word(0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f);
+	&_data_word(0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc);
+	&_data_word(0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c);
+	&_data_word(0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969);
+	&_data_word(0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27);
+	&_data_word(0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122);
+	&_data_word(0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433);
+	&_data_word(0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9);
+	&_data_word(0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5);
+	&_data_word(0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a);
+	&_data_word(0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0);
+	&_data_word(0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e);
+	&_data_word(0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c);
+#rcon:
+	&data_word(0x00000001, 0x00000002, 0x00000004, 0x00000008);
+	&data_word(0x00000010, 0x00000020, 0x00000040, 0x00000080);
+	&data_word(0x0000001b, 0x00000036, 0, 0, 0, 0, 0, 0);
+&function_end_B("_x86_AES_encrypt");
+
+# void AES_encrypt (const void *inp,void *out,const AES_KEY *key);
+&public_label("AES_Te");
+&function_begin("AES_encrypt");
+	&mov	($acc,&wparam(0));		# load inp
+	&mov	($key,&wparam(2));		# load key
+
+	&mov	($s0,"esp");
+	&sub	("esp",24);
+	&and	("esp",-64);
+	&add	("esp",4);
+	&mov	(&DWP(16,"esp"),$s0);
+
+	&call   (&label("pic_point"));          # make it PIC!
+	&set_label("pic_point");
+	&blindpop("ebp");
+	&lea    ("ebp",&DWP(&label("AES_Te")."-".&label("pic_point"),"ebp"));
+
+	&mov	($s0,&DWP(0,$acc));		# load input data
+	&mov	($s1,&DWP(4,$acc));
+	&mov	($s2,&DWP(8,$acc));
+	&mov	($s3,&DWP(12,$acc));
+
+	&call	("_x86_AES_encrypt");
+
+	&mov	("esp",&DWP(16,"esp"));
+
+	&mov	($acc,&wparam(1));		# load out
+	&mov	(&DWP(0,$acc),$s0);		# write output data
+	&mov	(&DWP(4,$acc),$s1);
+	&mov	(&DWP(8,$acc),$s2);
+	&mov	(&DWP(12,$acc),$s3);
+&function_end("AES_encrypt");
+
+#------------------------------------------------------------------#
+
+sub decstep()
+{ my ($i,$td,@s) = @_;
+  my $tmp = $key;
+  my $out = $i==3?$s[0]:$acc;
+
+	# no instructions are reordered, as performance appears
+	# optimal... or rather that all attempts to reorder didn't
+	# result in better performance [which by the way is not a
+	# bit lower than ecryption].
+	if($i==3)   {	&mov	($key,&DWP(12,"esp"));		}
+	else        {	&mov	($out,$s[0]);			}
+			&and	($out,0xFF);
+			&mov	($out,&DWP(0,$td,$out,8));
+
+	if ($i==3)  {	$tmp=$s[1];				}
+			&movz	($tmp,&HB($s[1]));
+			&xor	($out,&DWP(3,$td,$tmp,8));
+
+	if ($i==3)  {	$tmp=$s[2]; &mov ($s[1],$acc);		}
+	else        {	&mov	($tmp,$s[2]);			}
+			&shr	($tmp,16);
+			&and	($tmp,0xFF);
+			&xor	($out,&DWP(2,$td,$tmp,8));
+
+	if ($i==3)  {	$tmp=$s[3]; &mov ($s[2],&DWP(8,"esp"));	}
+	else        {	&mov	($tmp,$s[3]);			}
+			&shr	($tmp,24);
+			&xor	($out,&DWP(1,$td,$tmp,8));
+	if ($i<2)   {	&mov	(&DWP(4+4*$i,"esp"),$out);	}
+	if ($i==3)  {	&mov	($s[3],&DWP(4,"esp"));		}
+			&comment();
+}
+
+sub declast()
+{ my ($i,$td,@s)=@_;
+  my $tmp = $key;
+  my $out = $i==3?$s[0]:$acc;
+
+	if($i==3)   {	&mov	($key,&DWP(12,"esp"));		}
+	else        {	&mov	($out,$s[0]);			}
+			&and	($out,0xFF);
+			&mov	($out,&DWP(2048,$td,$out,4));
+			&and	($out,0x000000ff);
+
+	if ($i==3)  {	$tmp=$s[1];				}
+			&movz	($tmp,&HB($s[1]));
+			&mov	($tmp,&DWP(2048,$td,$tmp,4));
+			&and	($tmp,0x0000ff00);
+			&xor	($out,$tmp);
+
+	if ($i==3)  {	$tmp=$s[2]; &mov ($s[1],$acc);		}
+	else        {	mov	($tmp,$s[2]);			}
+			&shr	($tmp,16);
+			&and	($tmp,0xFF);
+			&mov	($tmp,&DWP(2048,$td,$tmp,4));
+			&and	($tmp,0x00ff0000);
+			&xor	($out,$tmp);
+
+	if ($i==3)  {	$tmp=$s[3]; &mov ($s[2],&DWP(8,"esp"));	}
+	else        {	&mov	($tmp,$s[3]);			}
+			&shr	($tmp,24);
+			&mov	($tmp,&DWP(2048,$td,$tmp,4));
+			&and	($tmp,0xff000000);
+			&xor	($out,$tmp);
+	if ($i<2)   {	&mov	(&DWP(4+4*$i,"esp"),$out);	}
+	if ($i==3)  {	&mov	($s[3],&DWP(4,"esp"));		}
+}
+
+&public_label("AES_Td");
+&function_begin_B("_x86_AES_decrypt");
+	# note that caller is expected to allocate stack frame for me!
+	&mov	(&DWP(12,"esp"),$key);		# save key
+
+	&xor	($s0,&DWP(0,$key));		# xor with key
+	&xor	($s1,&DWP(4,$key));
+	&xor	($s2,&DWP(8,$key));
+	&xor	($s3,&DWP(12,$key));
+
+	&mov	($acc,&DWP(240,$key));		# load key->rounds
+
+	if ($small_footprint) {
+	    &lea	($acc,&DWP(-2,$acc,$acc));
+	    &lea	($acc,&DWP(0,$key,$acc,8));
+	    &mov	(&DWP(16,"esp"),$acc);	# end of key schedule
+	    &align	(4);
+	    &set_label("loop");
+		&decstep(0,"ebp",$s0,$s3,$s2,$s1);
+		&decstep(1,"ebp",$s1,$s0,$s3,$s2);
+		&decstep(2,"ebp",$s2,$s1,$s0,$s3);
+		&decstep(3,"ebp",$s3,$s2,$s1,$s0);
+		&add	($key,16);		# advance rd_key
+		&xor	($s0,&DWP(0,$key));
+		&xor	($s1,&DWP(4,$key));
+		&xor	($s2,&DWP(8,$key));
+		&xor	($s3,&DWP(12,$key));
+	    &cmp	($key,&DWP(16,"esp"));
+	    &mov	(&DWP(12,"esp"),$key);
+	    &jb		(&label("loop"));
+	}
+	else {
+	    &cmp	($acc,10);
+	    &jle	(&label("10rounds"));
+	    &cmp	($acc,12);
+	    &jle	(&label("12rounds"));
+
+	&set_label("14rounds");
+	    for ($i=1;$i<3;$i++) {
+		&decstep(0,"ebp",$s0,$s3,$s2,$s1);
+		&decstep(1,"ebp",$s1,$s0,$s3,$s2);
+		&decstep(2,"ebp",$s2,$s1,$s0,$s3);
+		&decstep(3,"ebp",$s3,$s2,$s1,$s0);
+		&xor	($s0,&DWP(16*$i+0,$key));
+		&xor	($s1,&DWP(16*$i+4,$key));
+		&xor	($s2,&DWP(16*$i+8,$key));
+		&xor	($s3,&DWP(16*$i+12,$key));
+	    }
+	    &add	($key,32);
+	    &mov	(&DWP(12,"esp"),$key);	# advance rd_key
+	&set_label("12rounds");
+	    for ($i=1;$i<3;$i++) {
+		&decstep(0,"ebp",$s0,$s3,$s2,$s1);
+		&decstep(1,"ebp",$s1,$s0,$s3,$s2);
+		&decstep(2,"ebp",$s2,$s1,$s0,$s3);
+		&decstep(3,"ebp",$s3,$s2,$s1,$s0);
+		&xor	($s0,&DWP(16*$i+0,$key));
+		&xor	($s1,&DWP(16*$i+4,$key));
+		&xor	($s2,&DWP(16*$i+8,$key));
+		&xor	($s3,&DWP(16*$i+12,$key));
+	    }
+	    &add	($key,32);
+	    &mov	(&DWP(12,"esp"),$key);	# advance rd_key
+	&set_label("10rounds");
+	    for ($i=1;$i<10;$i++) {
+		&decstep(0,"ebp",$s0,$s3,$s2,$s1);
+		&decstep(1,"ebp",$s1,$s0,$s3,$s2);
+		&decstep(2,"ebp",$s2,$s1,$s0,$s3);
+		&decstep(3,"ebp",$s3,$s2,$s1,$s0);
+		&xor	($s0,&DWP(16*$i+0,$key));
+		&xor	($s1,&DWP(16*$i+4,$key));
+		&xor	($s2,&DWP(16*$i+8,$key));
+		&xor	($s3,&DWP(16*$i+12,$key));
+	    }
+	}
+
+	&declast(0,"ebp",$s0,$s3,$s2,$s1);
+	&declast(1,"ebp",$s1,$s0,$s3,$s2);
+	&declast(2,"ebp",$s2,$s1,$s0,$s3);
+	&declast(3,"ebp",$s3,$s2,$s1,$s0);
+
+	&add	($key,$small_footprint?16:160);
+	&xor	($s0,&DWP(0,$key));
+	&xor	($s1,&DWP(4,$key));
+	&xor	($s2,&DWP(8,$key));
+	&xor	($s3,&DWP(12,$key));
+
+	&ret	();
+
+&set_label("AES_Td",64);	# Yes! I keep it in the code segment!
+	&_data_word(0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a);
+	&_data_word(0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b);
+	&_data_word(0x55fa3020, 0xf66d76ad, 0x9176cc88, 0x254c02f5);
+	&_data_word(0xfcd7e54f, 0xd7cb2ac5, 0x80443526, 0x8fa362b5);
+	&_data_word(0x495ab1de, 0x671bba25, 0x980eea45, 0xe1c0fe5d);
+	&_data_word(0x02752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b);
+	&_data_word(0xe75f8f03, 0x959c9215, 0xeb7a6dbf, 0xda595295);
+	&_data_word(0x2d83bed4, 0xd3217458, 0x2969e049, 0x44c8c98e);
+	&_data_word(0x6a89c275, 0x78798ef4, 0x6b3e5899, 0xdd71b927);
+	&_data_word(0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d);
+	&_data_word(0x184adf63, 0x82311ae5, 0x60335197, 0x457f5362);
+	&_data_word(0xe07764b1, 0x84ae6bbb, 0x1ca081fe, 0x942b08f9);
+	&_data_word(0x58684870, 0x19fd458f, 0x876cde94, 0xb7f87b52);
+	&_data_word(0x23d373ab, 0xe2024b72, 0x578f1fe3, 0x2aab5566);
+	&_data_word(0x0728ebb2, 0x03c2b52f, 0x9a7bc586, 0xa50837d3);
+	&_data_word(0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed);
+	&_data_word(0x2b1ccf8a, 0x92b479a7, 0xf0f207f3, 0xa1e2694e);
+	&_data_word(0xcdf4da65, 0xd5be0506, 0x1f6234d1, 0x8afea6c4);
+	&_data_word(0x9d532e34, 0xa055f3a2, 0x32e18a05, 0x75ebf6a4);
+	&_data_word(0x39ec830b, 0xaaef6040, 0x069f715e, 0x51106ebd);
+	&_data_word(0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d);
+	&_data_word(0xb58d5491, 0x055dc471, 0x6fd40604, 0xff155060);
+	&_data_word(0x24fb9819, 0x97e9bdd6, 0xcc434089, 0x779ed967);
+	&_data_word(0xbd42e8b0, 0x888b8907, 0x385b19e7, 0xdbeec879);
+	&_data_word(0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x00000000);
+	&_data_word(0x83868009, 0x48ed2b32, 0xac70111e, 0x4e725a6c);
+	&_data_word(0xfbff0efd, 0x5638850f, 0x1ed5ae3d, 0x27392d36);
+	&_data_word(0x64d90f0a, 0x21a65c68, 0xd1545b9b, 0x3a2e3624);
+	&_data_word(0xb1670a0c, 0x0fe75793, 0xd296eeb4, 0x9e919b1b);
+	&_data_word(0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c);
+	&_data_word(0x0aba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12);
+	&_data_word(0x0b0d090e, 0xadc78bf2, 0xb9a8b62d, 0xc8a91e14);
+	&_data_word(0x8519f157, 0x4c0775af, 0xbbdd99ee, 0xfd607fa3);
+	&_data_word(0x9f2601f7, 0xbcf5725c, 0xc53b6644, 0x347efb5b);
+	&_data_word(0x7629438b, 0xdcc623cb, 0x68fcedb6, 0x63f1e4b8);
+	&_data_word(0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684);
+	&_data_word(0x7d244a85, 0xf83dbbd2, 0x1132f9ae, 0x6da129c7);
+	&_data_word(0x4b2f9e1d, 0xf330b2dc, 0xec52860d, 0xd0e3c177);
+	&_data_word(0x6c16b32b, 0x99b970a9, 0xfa489411, 0x2264e947);
+	&_data_word(0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322);
+	&_data_word(0xc74e4987, 0xc1d138d9, 0xfea2ca8c, 0x360bd498);
+	&_data_word(0xcf81f5a6, 0x28de7aa5, 0x268eb7da, 0xa4bfad3f);
+	&_data_word(0xe49d3a2c, 0x0d927850, 0x9bcc5f6a, 0x62467e54);
+	&_data_word(0xc2138df6, 0xe8b8d890, 0x5ef7392e, 0xf5afc382);
+	&_data_word(0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf);
+	&_data_word(0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb);
+	&_data_word(0x097826cd, 0xf418596e, 0x01b79aec, 0xa89a4f83);
+	&_data_word(0x656e95e6, 0x7ee6ffaa, 0x08cfbc21, 0xe6e815ef);
+	&_data_word(0xd99be7ba, 0xce366f4a, 0xd4099fea, 0xd67cb029);
+	&_data_word(0xafb2a431, 0x31233f2a, 0x3094a5c6, 0xc066a235);
+	&_data_word(0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733);
+	&_data_word(0x4a9804f1, 0xf7daec41, 0x0e50cd7f, 0x2ff69117);
+	&_data_word(0x8dd64d76, 0x4db0ef43, 0x544daacc, 0xdf0496e4);
+	&_data_word(0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, 0x7f516546);
+	&_data_word(0x04ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb);
+	&_data_word(0x5a1d67b3, 0x52d2db92, 0x335610e9, 0x1347d66d);
+	&_data_word(0x8c61d79a, 0x7a0ca137, 0x8e14f859, 0x893c13eb);
+	&_data_word(0xee27a9ce, 0x35c961b7, 0xede51ce1, 0x3cb1477a);
+	&_data_word(0x59dfd29c, 0x3f73f255, 0x79ce1418, 0xbf37c773);
+	&_data_word(0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478);
+	&_data_word(0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2);
+	&_data_word(0x72c31d16, 0x0c25e2bc, 0x8b493c28, 0x41950dff);
+	&_data_word(0x7101a839, 0xdeb30c08, 0x9ce4b4d8, 0x90c15664);
+	&_data_word(0x6184cb7b, 0x70b632d5, 0x745c6c48, 0x4257b8d0);
+#Td4:
+	&data_word(0x52525252, 0x09090909, 0x6a6a6a6a, 0xd5d5d5d5);
+	&data_word(0x30303030, 0x36363636, 0xa5a5a5a5, 0x38383838);
+	&data_word(0xbfbfbfbf, 0x40404040, 0xa3a3a3a3, 0x9e9e9e9e);
+	&data_word(0x81818181, 0xf3f3f3f3, 0xd7d7d7d7, 0xfbfbfbfb);
+	&data_word(0x7c7c7c7c, 0xe3e3e3e3, 0x39393939, 0x82828282);
+	&data_word(0x9b9b9b9b, 0x2f2f2f2f, 0xffffffff, 0x87878787);
+	&data_word(0x34343434, 0x8e8e8e8e, 0x43434343, 0x44444444);
+	&data_word(0xc4c4c4c4, 0xdededede, 0xe9e9e9e9, 0xcbcbcbcb);
+	&data_word(0x54545454, 0x7b7b7b7b, 0x94949494, 0x32323232);
+	&data_word(0xa6a6a6a6, 0xc2c2c2c2, 0x23232323, 0x3d3d3d3d);
+	&data_word(0xeeeeeeee, 0x4c4c4c4c, 0x95959595, 0x0b0b0b0b);
+	&data_word(0x42424242, 0xfafafafa, 0xc3c3c3c3, 0x4e4e4e4e);
+	&data_word(0x08080808, 0x2e2e2e2e, 0xa1a1a1a1, 0x66666666);
+	&data_word(0x28282828, 0xd9d9d9d9, 0x24242424, 0xb2b2b2b2);
+	&data_word(0x76767676, 0x5b5b5b5b, 0xa2a2a2a2, 0x49494949);
+	&data_word(0x6d6d6d6d, 0x8b8b8b8b, 0xd1d1d1d1, 0x25252525);
+	&data_word(0x72727272, 0xf8f8f8f8, 0xf6f6f6f6, 0x64646464);
+	&data_word(0x86868686, 0x68686868, 0x98989898, 0x16161616);
+	&data_word(0xd4d4d4d4, 0xa4a4a4a4, 0x5c5c5c5c, 0xcccccccc);
+	&data_word(0x5d5d5d5d, 0x65656565, 0xb6b6b6b6, 0x92929292);
+	&data_word(0x6c6c6c6c, 0x70707070, 0x48484848, 0x50505050);
+	&data_word(0xfdfdfdfd, 0xedededed, 0xb9b9b9b9, 0xdadadada);
+	&data_word(0x5e5e5e5e, 0x15151515, 0x46464646, 0x57575757);
+	&data_word(0xa7a7a7a7, 0x8d8d8d8d, 0x9d9d9d9d, 0x84848484);
+	&data_word(0x90909090, 0xd8d8d8d8, 0xabababab, 0x00000000);
+	&data_word(0x8c8c8c8c, 0xbcbcbcbc, 0xd3d3d3d3, 0x0a0a0a0a);
+	&data_word(0xf7f7f7f7, 0xe4e4e4e4, 0x58585858, 0x05050505);
+	&data_word(0xb8b8b8b8, 0xb3b3b3b3, 0x45454545, 0x06060606);
+	&data_word(0xd0d0d0d0, 0x2c2c2c2c, 0x1e1e1e1e, 0x8f8f8f8f);
+	&data_word(0xcacacaca, 0x3f3f3f3f, 0x0f0f0f0f, 0x02020202);
+	&data_word(0xc1c1c1c1, 0xafafafaf, 0xbdbdbdbd, 0x03030303);
+	&data_word(0x01010101, 0x13131313, 0x8a8a8a8a, 0x6b6b6b6b);
+	&data_word(0x3a3a3a3a, 0x91919191, 0x11111111, 0x41414141);
+	&data_word(0x4f4f4f4f, 0x67676767, 0xdcdcdcdc, 0xeaeaeaea);
+	&data_word(0x97979797, 0xf2f2f2f2, 0xcfcfcfcf, 0xcececece);
+	&data_word(0xf0f0f0f0, 0xb4b4b4b4, 0xe6e6e6e6, 0x73737373);
+	&data_word(0x96969696, 0xacacacac, 0x74747474, 0x22222222);
+	&data_word(0xe7e7e7e7, 0xadadadad, 0x35353535, 0x85858585);
+	&data_word(0xe2e2e2e2, 0xf9f9f9f9, 0x37373737, 0xe8e8e8e8);
+	&data_word(0x1c1c1c1c, 0x75757575, 0xdfdfdfdf, 0x6e6e6e6e);
+	&data_word(0x47474747, 0xf1f1f1f1, 0x1a1a1a1a, 0x71717171);
+	&data_word(0x1d1d1d1d, 0x29292929, 0xc5c5c5c5, 0x89898989);
+	&data_word(0x6f6f6f6f, 0xb7b7b7b7, 0x62626262, 0x0e0e0e0e);
+	&data_word(0xaaaaaaaa, 0x18181818, 0xbebebebe, 0x1b1b1b1b);
+	&data_word(0xfcfcfcfc, 0x56565656, 0x3e3e3e3e, 0x4b4b4b4b);
+	&data_word(0xc6c6c6c6, 0xd2d2d2d2, 0x79797979, 0x20202020);
+	&data_word(0x9a9a9a9a, 0xdbdbdbdb, 0xc0c0c0c0, 0xfefefefe);
+	&data_word(0x78787878, 0xcdcdcdcd, 0x5a5a5a5a, 0xf4f4f4f4);
+	&data_word(0x1f1f1f1f, 0xdddddddd, 0xa8a8a8a8, 0x33333333);
+	&data_word(0x88888888, 0x07070707, 0xc7c7c7c7, 0x31313131);
+	&data_word(0xb1b1b1b1, 0x12121212, 0x10101010, 0x59595959);
+	&data_word(0x27272727, 0x80808080, 0xecececec, 0x5f5f5f5f);
+	&data_word(0x60606060, 0x51515151, 0x7f7f7f7f, 0xa9a9a9a9);
+	&data_word(0x19191919, 0xb5b5b5b5, 0x4a4a4a4a, 0x0d0d0d0d);
+	&data_word(0x2d2d2d2d, 0xe5e5e5e5, 0x7a7a7a7a, 0x9f9f9f9f);
+	&data_word(0x93939393, 0xc9c9c9c9, 0x9c9c9c9c, 0xefefefef);
+	&data_word(0xa0a0a0a0, 0xe0e0e0e0, 0x3b3b3b3b, 0x4d4d4d4d);
+	&data_word(0xaeaeaeae, 0x2a2a2a2a, 0xf5f5f5f5, 0xb0b0b0b0);
+	&data_word(0xc8c8c8c8, 0xebebebeb, 0xbbbbbbbb, 0x3c3c3c3c);
+	&data_word(0x83838383, 0x53535353, 0x99999999, 0x61616161);
+	&data_word(0x17171717, 0x2b2b2b2b, 0x04040404, 0x7e7e7e7e);
+	&data_word(0xbabababa, 0x77777777, 0xd6d6d6d6, 0x26262626);
+	&data_word(0xe1e1e1e1, 0x69696969, 0x14141414, 0x63636363);
+	&data_word(0x55555555, 0x21212121, 0x0c0c0c0c, 0x7d7d7d7d);
+&function_end_B("_x86_AES_decrypt");
+
+# void AES_decrypt (const void *inp,void *out,const AES_KEY *key);
+&public_label("AES_Td");
+&function_begin("AES_decrypt");
+	&mov	($acc,&wparam(0));		# load inp
+	&mov	($key,&wparam(2));		# load key
+
+	&mov	($s0,"esp");
+	&sub	("esp",24);
+	&and	("esp",-64);
+	&add	("esp",4);
+	&mov	(&DWP(16,"esp"),$s0);
+
+	&call   (&label("pic_point"));          # make it PIC!
+	&set_label("pic_point");
+	&blindpop("ebp");
+	&lea    ("ebp",&DWP(&label("AES_Td")."-".&label("pic_point"),"ebp"));
+
+	&mov	($s0,&DWP(0,$acc));		# load input data
+	&mov	($s1,&DWP(4,$acc));
+	&mov	($s2,&DWP(8,$acc));
+	&mov	($s3,&DWP(12,$acc));
+
+	&call	("_x86_AES_decrypt");
+
+	&mov	("esp",&DWP(16,"esp"));
+
+	&mov	($acc,&wparam(1));		# load out
+	&mov	(&DWP(0,$acc),$s0);		# write output data
+	&mov	(&DWP(4,$acc),$s1);
+	&mov	(&DWP(8,$acc),$s2);
+	&mov	(&DWP(12,$acc),$s3);
+&function_end("AES_decrypt");
+
+# void AES_cbc_encrypt (const void char *inp, unsigned char *out,
+#			size_t length, const AES_KEY *key,
+#			unsigned char *ivp,const int enc);
+{
+# stack frame layout
+# -4(%esp)	0(%esp)		return address
+# 0(%esp)	4(%esp)		tmp1
+# 4(%esp)	8(%esp)		tmp2
+# 8(%esp)	12(%esp)	key
+# 12(%esp)	16(%esp)	end of key schedule
+my $_esp=&DWP(16,"esp");	#saved %esp
+my $_inp=&DWP(20,"esp");	#copy of wparam(0)
+my $_out=&DWP(24,"esp");	#copy of wparam(1)
+my $_len=&DWP(28,"esp");	#copy of wparam(2)
+my $_key=&DWP(32,"esp");	#copy of wparam(3)
+my $_ivp=&DWP(36,"esp");	#copy of wparam(4)
+my $_tmp=&DWP(40,"esp");	#volatile variable
+my $ivec=&DWP(44,"esp");	#ivec[16]
+my $aes_key=&DWP(60,"esp");	#copy of aes_key
+
+&public_label("AES_Te");
+&public_label("AES_Td");
+&function_begin("AES_cbc_encrypt");
+	&mov	($s2 eq "ecx"? $s2 : "",&wparam(2));	# load len
+	&cmp	($s2,0);
+	&je	(&label("enc_out"));
+
+	&call   (&label("pic_point"));		# make it PIC!
+	&set_label("pic_point");
+	&blindpop("ebp");
+
+	&pushf	();
+	&cld	();
+
+	&cmp	(&wparam(5),0);
+	&je	(&label("DECRYPT"));
+
+	&lea    ("ebp",&DWP(&label("AES_Te")."-".&label("pic_point"),"ebp"));
+
+	# allocate aligned stack frame...
+	&lea	($key,&DWP(-64-244,"esp"));
+	&and	($key,-64);
+
+	# ... and make sure it doesn't alias with AES_Te modulo 4096
+	&mov	($s0,"ebp");
+	&lea	($s1,&DWP(2048,"ebp"));
+	&mov	($s3,$key);
+	&and	($s0,0xfff);		# s = %ebp&0xfff
+	&and	($s1,0xfff);		# e = (%ebp+2048)&0xfff
+	&and	($s3,0xfff);		# p = %esp&0xfff
+
+	&cmp	($s3,$s1);		# if (p>=e) %esp =- (p-e);
+	&jb	(&label("te_break_out"));
+	&sub	($s3,$s1);
+	&sub	($key,$s3);
+	&jmp	(&label("te_ok"));
+	&set_label("te_break_out");	# else %esp -= (p-s)&0xfff + framesz;
+	&sub	($s3,$s0);
+	&and	($s3,0xfff);
+	&add	($s3,64+256);
+	&sub	($key,$s3);
+	&align	(4);
+	&set_label("te_ok");
+
+	&mov	($s0,&wparam(0));	# load inp
+	&mov	($s1,&wparam(1));	# load out
+	&mov	($s3,&wparam(3));	# load key
+	&mov	($acc,&wparam(4));	# load ivp
+
+	&exch	("esp",$key);
+	&add	("esp",4);		# reserve for return address!
+	&mov	($_esp,$key);		# save %esp
+
+	&mov	($_inp,$s0);		# save copy of inp
+	&mov	($_out,$s1);		# save copy of out
+	&mov	($_len,$s2);		# save copy of len
+	&mov	($_key,$s3);		# save copy of key
+	&mov	($_ivp,$acc);		# save copy of ivp
+
+	if ($compromise) {
+		&cmp	($s2,$compromise);
+		&jb	(&label("skip_ecopy"));
+	}
+	# copy key schedule to stack
+	&mov	("ecx",244/4);
+	&mov	("esi",$s3);
+	&lea	("edi",$aes_key);
+	&mov	($_key,"edi");
+	&align	(4);
+	&data_word(0xF689A5F3);	# rep movsd
+	&set_label("skip_ecopy") if ($compromise);
+
+	&mov	($acc,$s0);
+	&mov	($key,16);
+	&align	(4);
+	&set_label("prefetch_te");
+		&mov	($s0,&DWP(0,"ebp"));
+		&mov	($s1,&DWP(32,"ebp"));
+		&mov	($s2,&DWP(64,"ebp"));
+		&mov	($s3,&DWP(96,"ebp"));
+		&lea	("ebp",&DWP(128,"ebp"));
+		&dec	($key);
+	&jnz	(&label("prefetch_te"));
+	&sub	("ebp",2048);
+
+	&mov	($s2,$_len);
+	&mov	($key,$_ivp);
+	&test	($s2,0xFFFFFFF0);
+	&jz	(&label("enc_tail"));		# short input...
+
+	&mov	($s0,&DWP(0,$key));		# load iv
+	&mov	($s1,&DWP(4,$key));
+
+	&align	(4);
+	&set_label("enc_loop");
+		&mov	($s2,&DWP(8,$key));
+		&mov	($s3,&DWP(12,$key));
+
+		&xor	($s0,&DWP(0,$acc));	# xor input data
+		&xor	($s1,&DWP(4,$acc));
+		&xor	($s2,&DWP(8,$acc));
+		&xor	($s3,&DWP(12,$acc));
+
+		&mov	($key,$_key);		# load key
+		&call	("_x86_AES_encrypt");
+
+		&mov	($acc,$_inp);		# load inp
+		&mov	($key,$_out);		# load out
+
+		&mov	(&DWP(0,$key),$s0);	# save output data
+		&mov	(&DWP(4,$key),$s1);
+		&mov	(&DWP(8,$key),$s2);
+		&mov	(&DWP(12,$key),$s3);
+
+		&mov	($s2,$_len);		# load len
+
+		&lea	($acc,&DWP(16,$acc));
+		&mov	($_inp,$acc);		# save inp
+
+		&lea	($s3,&DWP(16,$key));
+		&mov	($_out,$s3);		# save out
+
+		&sub	($s2,16);
+		&test	($s2,0xFFFFFFF0);
+		&mov	($_len,$s2);		# save len
+	&jnz	(&label("enc_loop"));
+	&test	($s2,15);
+	&jnz	(&label("enc_tail"));
+	&mov	($acc,$_ivp);		# load ivp
+	&mov	($s2,&DWP(8,$key));	# restore last dwords
+	&mov	($s3,&DWP(12,$key));
+	&mov	(&DWP(0,$acc),$s0);	# save ivec
+	&mov	(&DWP(4,$acc),$s1);
+	&mov	(&DWP(8,$acc),$s2);
+	&mov	(&DWP(12,$acc),$s3);
+
+	&mov	("edi",$_key);
+	&mov	("esp",$_esp);
+	if ($compromise) {
+		&cmp	(&wparam(2),$compromise);
+		&jb	(&label("skip_ezero"));
+	}
+	# zero copy of key schedule
+	&mov	("ecx",240/4);
+	&xor	("eax","eax");
+	&align	(4);
+	&data_word(0xF689ABF3);	# rep stosd
+	&set_label("skip_ezero") if ($compromise);
+	&popf	();
+    &set_label("enc_out");
+	&function_end_A();
+	&pushf	();			# kludge, never executed
+
+    &align	(4);
+    &set_label("enc_tail");
+	&push	($key eq "edi" ? $key : "");	# push ivp
+	&mov	($key,$_out);			# load out
+	&mov	($s1,16);
+	&sub	($s1,$s2);
+	&cmp	($key,$acc);			# compare with inp
+	&je	(&label("enc_in_place"));
+	&align	(4);
+	&data_word(0xF689A4F3);	# rep movsb	# copy input
+	&jmp	(&label("enc_skip_in_place"));
+    &set_label("enc_in_place");
+	&lea	($key,&DWP(0,$key,$s2));
+    &set_label("enc_skip_in_place");
+	&mov	($s2,$s1);
+	&xor	($s0,$s0);
+	&align	(4);
+	&data_word(0xF689AAF3);	# rep stosb	# zero tail
+	&pop	($key);				# pop ivp
+
+	&mov	($acc,$_out);			# output as input
+	&mov	($s0,&DWP(0,$key));
+	&mov	($s1,&DWP(4,$key));
+	&mov	($_len,16);			# len=16
+	&jmp	(&label("enc_loop"));		# one more spin...
+
+#----------------------------- DECRYPT -----------------------------#
+&align	(4);
+&set_label("DECRYPT");
+	&lea    ("ebp",&DWP(&label("AES_Td")."-".&label("pic_point"),"ebp"));
+
+	# allocate aligned stack frame...
+	&lea	($key,&DWP(-64-244,"esp"));
+	&and	($key,-64);
+
+	# ... and make sure it doesn't alias with AES_Td modulo 4096
+	&mov	($s0,"ebp");
+	&lea	($s1,&DWP(3072,"ebp"));
+	&mov	($s3,$key);
+	&and	($s0,0xfff);		# s = %ebp&0xfff
+	&and	($s1,0xfff);		# e = (%ebp+3072)&0xfff
+	&and	($s3,0xfff);		# p = %esp&0xfff
+
+	&cmp	($s3,$s1);		# if (p>=e) %esp =- (p-e);
+	&jb	(&label("td_break_out"));
+	&sub	($s3,$s1);
+	&sub	($key,$s3);
+	&jmp	(&label("td_ok"));
+	&set_label("td_break_out");	# else %esp -= (p-s)&0xfff + framesz;
+	&sub	($s3,$s0);
+	&and	($s3,0xfff);
+	&add	($s3,64+256);
+	&sub	($key,$s3);
+	&align	(4);
+	&set_label("td_ok");
+
+	&mov	($s0,&wparam(0));	# load inp
+	&mov	($s1,&wparam(1));	# load out
+	&mov	($s3,&wparam(3));	# load key
+	&mov	($acc,&wparam(4));	# load ivp
+
+	&exch	("esp",$key);
+	&add	("esp",4);		# reserve for return address!
+	&mov	($_esp,$key);		# save %esp
+
+	&mov	($_inp,$s0);		# save copy of inp
+	&mov	($_out,$s1);		# save copy of out
+	&mov	($_len,$s2);		# save copy of len
+	&mov	($_key,$s3);		# save copy of key
+	&mov	($_ivp,$acc);		# save copy of ivp
+
+	if ($compromise) {
+		&cmp	($s2,$compromise);
+		&jb	(&label("skip_dcopy"));
+	}
+	# copy key schedule to stack
+	&mov	("ecx",244/4);
+	&mov	("esi",$s3);
+	&lea	("edi",$aes_key);
+	&mov	($_key,"edi");
+	&align	(4);
+	&data_word(0xF689A5F3);	# rep movsd
+	&set_label("skip_dcopy") if ($compromise);
+
+	&mov	($acc,$s0);
+	&mov	($key,24);
+	&align	(4);
+	&set_label("prefetch_td");
+		&mov	($s0,&DWP(0,"ebp"));
+		&mov	($s1,&DWP(32,"ebp"));
+		&mov	($s2,&DWP(64,"ebp"));
+		&mov	($s3,&DWP(96,"ebp"));
+		&lea	("ebp",&DWP(128,"ebp"));
+		&dec	($key);
+	&jnz	(&label("prefetch_td"));
+	&sub	("ebp",3072);
+
+	&cmp	($acc,$_out);
+	&je	(&label("dec_in_place"));	# in-place processing...
+
+	&mov	($key,$_ivp);		# load ivp
+	&mov	($_tmp,$key);
+
+	&align	(4);
+	&set_label("dec_loop");
+		&mov	($s0,&DWP(0,$acc));	# read input
+		&mov	($s1,&DWP(4,$acc));
+		&mov	($s2,&DWP(8,$acc));
+		&mov	($s3,&DWP(12,$acc));
+
+		&mov	($key,$_key);		# load key
+		&call	("_x86_AES_decrypt");
+
+		&mov	($key,$_tmp);		# load ivp
+		&mov	($acc,$_len);		# load len
+		&xor	($s0,&DWP(0,$key));	# xor iv
+		&xor	($s1,&DWP(4,$key));
+		&xor	($s2,&DWP(8,$key));
+		&xor	($s3,&DWP(12,$key));
+
+		&sub	($acc,16);
+		&jc	(&label("dec_partial"));
+		&mov	($_len,$acc);		# save len
+		&mov	($acc,$_inp);		# load inp
+		&mov	($key,$_out);		# load out
+
+		&mov	(&DWP(0,$key),$s0);	# write output
+		&mov	(&DWP(4,$key),$s1);
+		&mov	(&DWP(8,$key),$s2);
+		&mov	(&DWP(12,$key),$s3);
+
+		&mov	($_tmp,$acc);		# save ivp
+		&lea	($acc,&DWP(16,$acc));
+		&mov	($_inp,$acc);		# save inp
+
+		&lea	($key,&DWP(16,$key));
+		&mov	($_out,$key);		# save out
+
+	&jnz	(&label("dec_loop"));
+	&mov	($key,$_tmp);		# load temp ivp
+    &set_label("dec_end");
+	&mov	($acc,$_ivp);		# load user ivp
+	&mov	($s0,&DWP(0,$key));	# load iv
+	&mov	($s1,&DWP(4,$key));
+	&mov	($s2,&DWP(8,$key));
+	&mov	($s3,&DWP(12,$key));
+	&mov	(&DWP(0,$acc),$s0);	# copy back to user
+	&mov	(&DWP(4,$acc),$s1);
+	&mov	(&DWP(8,$acc),$s2);
+	&mov	(&DWP(12,$acc),$s3);
+	&jmp	(&label("dec_out"));
+
+    &align	(4);
+    &set_label("dec_partial");
+	&lea	($key,$ivec);
+	&mov	(&DWP(0,$key),$s0);	# dump output to stack
+	&mov	(&DWP(4,$key),$s1);
+	&mov	(&DWP(8,$key),$s2);
+	&mov	(&DWP(12,$key),$s3);
+	&lea	($s2 eq "ecx" ? $s2 : "",&DWP(16,$acc));
+	&mov	($acc eq "esi" ? $acc : "",$key);
+	&mov	($key eq "edi" ? $key : "",$_out);	# load out
+	&data_word(0xF689A4F3);	# rep movsb		# copy output
+	&mov	($key,$_inp);				# use inp as temp ivp
+	&jmp	(&label("dec_end"));
+
+    &align	(4);
+    &set_label("dec_in_place");
+	&set_label("dec_in_place_loop");
+		&lea	($key,$ivec);
+		&mov	($s0,&DWP(0,$acc));	# read input
+		&mov	($s1,&DWP(4,$acc));
+		&mov	($s2,&DWP(8,$acc));
+		&mov	($s3,&DWP(12,$acc));
+
+		&mov	(&DWP(0,$key),$s0);	# copy to temp
+		&mov	(&DWP(4,$key),$s1);
+		&mov	(&DWP(8,$key),$s2);
+		&mov	(&DWP(12,$key),$s3);
+
+		&mov	($key,$_key);		# load key
+		&call	("_x86_AES_decrypt");
+
+		&mov	($key,$_ivp);		# load ivp
+		&mov	($acc,$_out);		# load out
+		&xor	($s0,&DWP(0,$key));	# xor iv
+		&xor	($s1,&DWP(4,$key));
+		&xor	($s2,&DWP(8,$key));
+		&xor	($s3,&DWP(12,$key));
+
+		&mov	(&DWP(0,$acc),$s0);	# write output
+		&mov	(&DWP(4,$acc),$s1);
+		&mov	(&DWP(8,$acc),$s2);
+		&mov	(&DWP(12,$acc),$s3);
+
+		&lea	($acc,&DWP(16,$acc));
+		&mov	($_out,$acc);		# save out
+
+		&lea	($acc,$ivec);
+		&mov	($s0,&DWP(0,$acc));	# read temp
+		&mov	($s1,&DWP(4,$acc));
+		&mov	($s2,&DWP(8,$acc));
+		&mov	($s3,&DWP(12,$acc));
+
+		&mov	(&DWP(0,$key),$s0);	# copy iv
+		&mov	(&DWP(4,$key),$s1);
+		&mov	(&DWP(8,$key),$s2);
+		&mov	(&DWP(12,$key),$s3);
+
+		&mov	($acc,$_inp);		# load inp
+
+		&lea	($acc,&DWP(16,$acc));
+		&mov	($_inp,$acc);		# save inp
+
+		&mov	($s2,$_len);		# load len
+		&sub	($s2,16);
+		&jc	(&label("dec_in_place_partial"));
+		&mov	($_len,$s2);		# save len
+	&jnz	(&label("dec_in_place_loop"));
+	&jmp	(&label("dec_out"));
+
+    &align	(4);
+    &set_label("dec_in_place_partial");
+	# one can argue if this is actually required...
+	&mov	($key eq "edi" ? $key : "",$_out);
+	&lea	($acc eq "esi" ? $acc : "",$ivec);
+	&lea	($key,&DWP(0,$key,$s2));
+	&lea	($acc,&DWP(16,$acc,$s2));
+	&neg	($s2 eq "ecx" ? $s2 : "");
+	&data_word(0xF689A4F3);	# rep movsb	# restore tail
+
+    &align	(4);
+    &set_label("dec_out");
+    &mov	("edi",$_key);
+    &mov	("esp",$_esp);
+    if ($compromise) {
+	&cmp	(&wparam(2),$compromise);
+	&jb	(&label("skip_dzero"));
+    }
+    # zero copy of key schedule
+    &mov	("ecx",240/4);
+    &xor	("eax","eax");
+    &align	(4);
+    &data_word(0xF689ABF3);	# rep stosd
+    &set_label("skip_dzero") if ($compromise);
+    &popf	();
+&function_end("AES_cbc_encrypt");
+}
+
+#------------------------------------------------------------------#
+
+sub enckey()
+{
+	&movz	("esi",&LB("edx"));		# rk[i]>>0
+	&mov	("ebx",&DWP(2,"ebp","esi",8));
+	&movz	("esi",&HB("edx"));		# rk[i]>>8
+	&and	("ebx",0xFF000000);
+	&xor	("eax","ebx");
+
+	&mov	("ebx",&DWP(2,"ebp","esi",8));
+	&shr	("edx",16);
+	&and	("ebx",0x000000FF);
+	&movz	("esi",&LB("edx"));		# rk[i]>>16
+	&xor	("eax","ebx");
+
+	&mov	("ebx",&DWP(0,"ebp","esi",8));
+	&movz	("esi",&HB("edx"));		# rk[i]>>24
+	&and	("ebx",0x0000FF00);
+	&xor	("eax","ebx");
+
+	&mov	("ebx",&DWP(0,"ebp","esi",8));
+	&and	("ebx",0x00FF0000);
+	&xor	("eax","ebx");
+
+	&xor	("eax",&DWP(2048,"ebp","ecx",4));	# rcon
+}
+
+# int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+#                        AES_KEY *key)
+&public_label("AES_Te");
+&function_begin("AES_set_encrypt_key");
+	&mov	("esi",&wparam(0));		# user supplied key
+	&mov	("edi",&wparam(2));		# private key schedule
+
+	&test	("esi",-1);
+	&jz	(&label("badpointer"));
+	&test	("edi",-1);
+	&jz	(&label("badpointer"));
+
+	&call	(&label("pic_point"));
+	&set_label("pic_point");
+	&blindpop("ebp");
+	&lea	("ebp",&DWP(&label("AES_Te")."-".&label("pic_point"),"ebp"));
+
+	&mov	("ecx",&wparam(1));		# number of bits in key
+	&cmp	("ecx",128);
+	&je	(&label("10rounds"));
+	&cmp	("ecx",192);
+	&je	(&label("12rounds"));
+	&cmp	("ecx",256);
+	&je	(&label("14rounds"));
+	&mov	("eax",-2);			# invalid number of bits
+	&jmp	(&label("exit"));
+
+    &set_label("10rounds");
+	&mov	("eax",&DWP(0,"esi"));		# copy first 4 dwords
+	&mov	("ebx",&DWP(4,"esi"));
+	&mov	("ecx",&DWP(8,"esi"));
+	&mov	("edx",&DWP(12,"esi"));
+	&mov	(&DWP(0,"edi"),"eax");
+	&mov	(&DWP(4,"edi"),"ebx");
+	&mov	(&DWP(8,"edi"),"ecx");
+	&mov	(&DWP(12,"edi"),"edx");
+
+	&xor	("ecx","ecx");
+	&jmp	(&label("10shortcut"));
+
+	&align	(4);
+	&set_label("10loop");
+		&mov	("eax",&DWP(0,"edi"));		# rk[0]
+		&mov	("edx",&DWP(12,"edi"));		# rk[3]
+	&set_label("10shortcut");
+		&enckey	();
+
+		&mov	(&DWP(16,"edi"),"eax");		# rk[4]
+		&xor	("eax",&DWP(4,"edi"));
+		&mov	(&DWP(20,"edi"),"eax");		# rk[5]
+		&xor	("eax",&DWP(8,"edi"));
+		&mov	(&DWP(24,"edi"),"eax");		# rk[6]
+		&xor	("eax",&DWP(12,"edi"));
+		&mov	(&DWP(28,"edi"),"eax");		# rk[7]
+		&inc	("ecx");
+		&add	("edi",16);
+		&cmp	("ecx",10);
+	&jl	(&label("10loop"));
+
+	&mov	(&DWP(80,"edi"),10);		# setup number of rounds
+	&xor	("eax","eax");
+	&jmp	(&label("exit"));
+		
+    &set_label("12rounds");
+	&mov	("eax",&DWP(0,"esi"));		# copy first 6 dwords
+	&mov	("ebx",&DWP(4,"esi"));
+	&mov	("ecx",&DWP(8,"esi"));
+	&mov	("edx",&DWP(12,"esi"));
+	&mov	(&DWP(0,"edi"),"eax");
+	&mov	(&DWP(4,"edi"),"ebx");
+	&mov	(&DWP(8,"edi"),"ecx");
+	&mov	(&DWP(12,"edi"),"edx");
+	&mov	("ecx",&DWP(16,"esi"));
+	&mov	("edx",&DWP(20,"esi"));
+	&mov	(&DWP(16,"edi"),"ecx");
+	&mov	(&DWP(20,"edi"),"edx");
+
+	&xor	("ecx","ecx");
+	&jmp	(&label("12shortcut"));
+
+	&align	(4);
+	&set_label("12loop");
+		&mov	("eax",&DWP(0,"edi"));		# rk[0]
+		&mov	("edx",&DWP(20,"edi"));		# rk[5]
+	&set_label("12shortcut");
+		&enckey	();
+
+		&mov	(&DWP(24,"edi"),"eax");		# rk[6]
+		&xor	("eax",&DWP(4,"edi"));
+		&mov	(&DWP(28,"edi"),"eax");		# rk[7]
+		&xor	("eax",&DWP(8,"edi"));
+		&mov	(&DWP(32,"edi"),"eax");		# rk[8]
+		&xor	("eax",&DWP(12,"edi"));
+		&mov	(&DWP(36,"edi"),"eax");		# rk[9]
+
+		&cmp	("ecx",7);
+		&je	(&label("12break"));
+		&inc	("ecx");
+
+		&xor	("eax",&DWP(16,"edi"));
+		&mov	(&DWP(40,"edi"),"eax");		# rk[10]
+		&xor	("eax",&DWP(20,"edi"));
+		&mov	(&DWP(44,"edi"),"eax");		# rk[11]
+
+		&add	("edi",24);
+	&jmp	(&label("12loop"));
+
+	&set_label("12break");
+	&mov	(&DWP(72,"edi"),12);		# setup number of rounds
+	&xor	("eax","eax");
+	&jmp	(&label("exit"));
+
+    &set_label("14rounds");
+	&mov	("eax",&DWP(0,"esi"));		# copy first 8 dwords
+	&mov	("ebx",&DWP(4,"esi"));
+	&mov	("ecx",&DWP(8,"esi"));
+	&mov	("edx",&DWP(12,"esi"));
+	&mov	(&DWP(0,"edi"),"eax");
+	&mov	(&DWP(4,"edi"),"ebx");
+	&mov	(&DWP(8,"edi"),"ecx");
+	&mov	(&DWP(12,"edi"),"edx");
+	&mov	("eax",&DWP(16,"esi"));
+	&mov	("ebx",&DWP(20,"esi"));
+	&mov	("ecx",&DWP(24,"esi"));
+	&mov	("edx",&DWP(28,"esi"));
+	&mov	(&DWP(16,"edi"),"eax");
+	&mov	(&DWP(20,"edi"),"ebx");
+	&mov	(&DWP(24,"edi"),"ecx");
+	&mov	(&DWP(28,"edi"),"edx");
+
+	&xor	("ecx","ecx");
+	&jmp	(&label("14shortcut"));
+
+	&align	(4);
+	&set_label("14loop");
+		&mov	("edx",&DWP(28,"edi"));		# rk[7]
+	&set_label("14shortcut");
+		&mov	("eax",&DWP(0,"edi"));		# rk[0]
+
+		&enckey	();
+
+		&mov	(&DWP(32,"edi"),"eax");		# rk[8]
+		&xor	("eax",&DWP(4,"edi"));
+		&mov	(&DWP(36,"edi"),"eax");		# rk[9]
+		&xor	("eax",&DWP(8,"edi"));
+		&mov	(&DWP(40,"edi"),"eax");		# rk[10]
+		&xor	("eax",&DWP(12,"edi"));
+		&mov	(&DWP(44,"edi"),"eax");		# rk[11]
+
+		&cmp	("ecx",6);
+		&je	(&label("14break"));
+		&inc	("ecx");
+
+		&mov	("edx","eax");
+		&mov	("eax",&DWP(16,"edi"));		# rk[4]
+		&movz	("esi",&LB("edx"));		# rk[11]>>0
+		&mov	("ebx",&DWP(2,"ebp","esi",8));
+		&movz	("esi",&HB("edx"));		# rk[11]>>8
+		&and	("ebx",0x000000FF);
+		&xor	("eax","ebx");
+
+		&mov	("ebx",&DWP(0,"ebp","esi",8));
+		&shr	("edx",16);
+		&and	("ebx",0x0000FF00);
+		&movz	("esi",&LB("edx"));		# rk[11]>>16
+		&xor	("eax","ebx");
+
+		&mov	("ebx",&DWP(0,"ebp","esi",8));
+		&movz	("esi",&HB("edx"));		# rk[11]>>24
+		&and	("ebx",0x00FF0000);
+		&xor	("eax","ebx");
+
+		&mov	("ebx",&DWP(2,"ebp","esi",8));
+		&and	("ebx",0xFF000000);
+		&xor	("eax","ebx");
+
+		&mov	(&DWP(48,"edi"),"eax");		# rk[12]
+		&xor	("eax",&DWP(20,"edi"));
+		&mov	(&DWP(52,"edi"),"eax");		# rk[13]
+		&xor	("eax",&DWP(24,"edi"));
+		&mov	(&DWP(56,"edi"),"eax");		# rk[14]
+		&xor	("eax",&DWP(28,"edi"));
+		&mov	(&DWP(60,"edi"),"eax");		# rk[15]
+
+		&add	("edi",32);
+	&jmp	(&label("14loop"));
+
+	&set_label("14break");
+	&mov	(&DWP(48,"edi"),14);		# setup number of rounds
+	&xor	("eax","eax");
+	&jmp	(&label("exit"));
+
+    &set_label("badpointer");
+	&mov	("eax",-1);
+    &set_label("exit");
+&function_end("AES_set_encrypt_key");
+
+sub deckey()
+{ my ($i,$ptr,$te,$td) = @_;
+
+	&mov	("eax",&DWP($i,$ptr));
+	&mov	("edx","eax");
+	&movz	("ebx",&HB("eax"));
+	&shr	("edx",16);
+	&and	("eax",0xFF);
+	&movz	("eax",&BP(2,$te,"eax",8));
+	&movz	("ebx",&BP(2,$te,"ebx",8));
+	&mov	("eax",&DWP(0,$td,"eax",8));
+	&xor	("eax",&DWP(3,$td,"ebx",8));
+	&movz	("ebx",&HB("edx"));
+	&and	("edx",0xFF);
+	&movz	("edx",&BP(2,$te,"edx",8));
+	&movz	("ebx",&BP(2,$te,"ebx",8));
+	&xor	("eax",&DWP(2,$td,"edx",8));
+	&xor	("eax",&DWP(1,$td,"ebx",8));
+	&mov	(&DWP($i,$ptr),"eax");
+}
+
+# int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+#                        AES_KEY *key)
+&public_label("AES_Td");
+&public_label("AES_Te");
+&function_begin_B("AES_set_decrypt_key");
+	&mov	("eax",&wparam(0));
+	&mov	("ecx",&wparam(1));
+	&mov	("edx",&wparam(2));
+	&sub	("esp",12);
+	&mov	(&DWP(0,"esp"),"eax");
+	&mov	(&DWP(4,"esp"),"ecx");
+	&mov	(&DWP(8,"esp"),"edx");
+	&call	("AES_set_encrypt_key");
+	&add	("esp",12);
+	&cmp	("eax",0);
+	&je	(&label("proceed"));
+	&ret	();
+
+    &set_label("proceed");
+	&push	("ebp");
+	&push	("ebx");
+	&push	("esi");
+	&push	("edi");
+
+	&mov	("esi",&wparam(2));
+	&mov	("ecx",&DWP(240,"esi"));	# pull number of rounds
+	&lea	("ecx",&DWP(0,"","ecx",4));
+	&lea	("edi",&DWP(0,"esi","ecx",4));	# pointer to last chunk
+
+	&align	(4);
+	&set_label("invert");			# invert order of chunks
+		&mov	("eax",&DWP(0,"esi"));
+		&mov	("ebx",&DWP(4,"esi"));
+		&mov	("ecx",&DWP(0,"edi"));
+		&mov	("edx",&DWP(4,"edi"));
+		&mov	(&DWP(0,"edi"),"eax");
+		&mov	(&DWP(4,"edi"),"ebx");
+		&mov	(&DWP(0,"esi"),"ecx");
+		&mov	(&DWP(4,"esi"),"edx");
+		&mov	("eax",&DWP(8,"esi"));
+		&mov	("ebx",&DWP(12,"esi"));
+		&mov	("ecx",&DWP(8,"edi"));
+		&mov	("edx",&DWP(12,"edi"));
+		&mov	(&DWP(8,"edi"),"eax");
+		&mov	(&DWP(12,"edi"),"ebx");
+		&mov	(&DWP(8,"esi"),"ecx");
+		&mov	(&DWP(12,"esi"),"edx");
+		&add	("esi",16);
+		&sub	("edi",16);
+		&cmp	("esi","edi");
+	&jne	(&label("invert"));
+
+	&call	(&label("pic_point"));
+	&set_label("pic_point");
+	blindpop("ebp");
+	&lea	("edi",&DWP(&label("AES_Td")."-".&label("pic_point"),"ebp"));
+	&lea	("ebp",&DWP(&label("AES_Te")."-".&label("pic_point"),"ebp"));
+
+	&mov	("esi",&wparam(2));
+	&mov	("ecx",&DWP(240,"esi"));	# pull number of rounds
+	&dec	("ecx");
+	&align	(4);
+	&set_label("permute");			# permute the key schedule
+		&add	("esi",16);
+		&deckey	(0,"esi","ebp","edi");
+		&deckey	(4,"esi","ebp","edi");
+		&deckey	(8,"esi","ebp","edi");
+		&deckey	(12,"esi","ebp","edi");
+		&dec	("ecx");
+	&jnz	(&label("permute"));
+
+	&xor	("eax","eax");			# return success
+&function_end("AES_set_decrypt_key");
+
+&asm_finish();
diff --git a/crypto/openssl/crypto/aes/asm/aes-ia64.S b/crypto/openssl/crypto/aes/asm/aes-ia64.S
new file mode 100644
index 000000000000..542cf335e995
--- /dev/null
+++ b/crypto/openssl/crypto/aes/asm/aes-ia64.S
@@ -0,0 +1,1652 @@
+// ====================================================================
+// Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+// project. Rights for redistribution and usage in source and binary
+// forms are granted according to the OpenSSL license.
+// ====================================================================
+//
+// What's wrong with compiler generated code? Compiler never uses
+// variable 'shr' which is pairable with 'extr'/'dep' instructions.
+// Then it uses 'zxt' which is an I-type, but can be replaced with
+// 'and' which in turn can be assigned to M-port [there're double as
+// much M-ports as there're I-ports on Itanium 2]. By sacrificing few
+// registers for small constants (255, 24 and 16) to be used with
+// 'shr' and 'and' instructions I can achieve better ILP, Intruction
+// Level Parallelism, and performance. This code outperforms GCC 3.3
+// generated code by over factor of 2 (two), GCC 3.4 - by 70% and
+// HP C - by 40%. Measured best-case scenario, i.e. aligned
+// big-endian input, ECB timing on Itanium 2 is (18 + 13*rounds)
+// ticks per block, or 9.25 CPU cycles per byte for 128 bit key.
+
+.ident	"aes-ia64.S, version 1.1"
+.ident	"IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+.explicit
+.text
+
+rk0=r8;     rk1=r9;
+
+prsave=r10;
+maskff=r11;
+twenty4=r14;
+sixteen=r15;
+
+te00=r16;   te11=r17;   te22=r18;   te33=r19;
+te01=r20;   te12=r21;   te23=r22;   te30=r23;
+te02=r24;   te13=r25;   te20=r26;   te31=r27;
+te03=r28;   te10=r29;   te21=r30;   te32=r31;
+
+// these are rotating...
+t0=r32;     s0=r33;
+t1=r34;     s1=r35;
+t2=r36;     s2=r37;
+t3=r38;     s3=r39;
+
+te0=r40;    te1=r41;    te2=r42;    te3=r43;
+
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
+# define ADDP	addp4
+# define KSZ	4
+# define LDKEY	ld4
+#else
+# define ADDP	add
+#endif
+
+// This implies that AES_KEY comprises 32-bit key schedule elements
+// even on LP64 platforms.
+#ifndef	KSZ
+# define KSZ	4
+# define LDKEY	ld4
+#endif
+
+.proc	_ia64_AES_encrypt#
+// Input:	rk0-rk1
+//		te0
+//		te3	as AES_KEY->rounds!!!
+//		s0-s3
+//		maskff,twenty4,sixteen
+// Output:	r16,r20,r24,r28 as s0-s3
+// Clobber:	r16-r31,rk0-rk1,r32-r43
+.align	32
+_ia64_AES_encrypt:
+{ .mmi;	alloc	r16=ar.pfs,12,0,0,8
+	LDKEY	t0=[rk0],2*KSZ
+	mov	pr.rot=1<<16	}
+{ .mmi;	LDKEY	t1=[rk1],2*KSZ
+	add	te1=1024,te0
+	add	te3=-3,te3	};;
+{ .mib;	LDKEY	t2=[rk0],2*KSZ
+	mov	ar.ec=3		}
+{ .mib;	LDKEY	t3=[rk1],2*KSZ
+	add	te2=2048,te0
+	brp.loop.imp	.Le_top,.Le_end-16	};;
+
+{ .mmi;	xor	s0=s0,t0
+	xor	s1=s1,t1
+	mov	ar.lc=te3	}
+{ .mmi;	xor	s2=s2,t2
+	xor	s3=s3,t3
+	add	te3=3072,te0	};;
+
+.align	32
+.Le_top:
+{ .mmi;	(p0)	LDKEY	t0=[rk0],2*KSZ		// 0/0:rk[0]
+	(p0)	and	te33=s3,maskff		// 0/0:s3&0xff
+	(p0)	extr.u	te22=s2,8,8	}	// 0/0:s2>>8&0xff
+{ .mmi; (p0)	LDKEY	t1=[rk1],2*KSZ		// 0/1:rk[1]
+	(p0)	and	te30=s0,maskff		// 0/1:s0&0xff
+	(p0)	shr.u	te00=s0,twenty4	};;	// 0/0:s0>>24
+{ .mmi;	(p0)	LDKEY	t2=[rk0],2*KSZ		// 1/2:rk[2]
+	(p0)	shladd	te33=te33,2,te3		// 1/0:te0+s0>>24
+	(p0)	extr.u	te23=s3,8,8	}	// 1/1:s3>>8&0xff
+{ .mmi;	(p0)	LDKEY	t3=[rk1],2*KSZ		// 1/3:rk[3]
+	(p0)	shladd	te30=te30,2,te3		// 1/1:te3+s0
+	(p0)	shr.u	te01=s1,twenty4	};;	// 1/1:s1>>24
+{ .mmi;	(p0)	ld4	te33=[te33]		// 2/0:te3[s3&0xff]
+	(p0)	shladd	te22=te22,2,te2		// 2/0:te2+s2>>8&0xff
+	(p0)	extr.u	te20=s0,8,8	}	// 2/2:s0>>8&0xff
+{ .mmi;	(p0)	ld4	te30=[te30]		// 2/1:te3[s0]
+	(p0)	shladd	te23=te23,2,te2		// 2/1:te2+s3>>8
+	(p0)	shr.u	te02=s2,twenty4	};;	// 2/2:s2>>24
+{ .mmi;	(p0)	ld4	te22=[te22]		// 3/0:te2[s2>>8]
+	(p0)	shladd	te20=te20,2,te2		// 3/2:te2+s0>>8
+	(p0)	extr.u	te21=s1,8,8	}	// 3/3:s1>>8&0xff
+{ .mmi;	(p0)	ld4	te23=[te23]		// 3/1:te2[s3>>8]
+	(p0)	shladd	te00=te00,2,te0		// 3/0:te0+s0>>24
+	(p0)	shr.u	te03=s3,twenty4	};;	// 3/3:s3>>24
+{ .mmi;	(p0)	ld4	te20=[te20]		// 4/2:te2[s0>>8]
+	(p0)	shladd	te21=te21,2,te2		// 4/3:te3+s2
+	(p0)	extr.u	te11=s1,16,8	}	// 4/0:s1>>16&0xff
+{ .mmi;	(p0)	ld4	te00=[te00]		// 4/0:te0[s0>>24]
+	(p0)	shladd	te01=te01,2,te0		// 4/1:te0+s1>>24
+	(p0)	shr.u	te13=s3,sixteen	};;	// 4/2:s3>>16
+{ .mmi;	(p0)	ld4	te21=[te21]		// 5/3:te2[s1>>8]
+	(p0)	shladd	te11=te11,2,te1		// 5/0:te1+s1>>16
+	(p0)	extr.u	te12=s2,16,8	}	// 5/1:s2>>16&0xff
+{ .mmi;	(p0)	ld4	te01=[te01]		// 5/1:te0[s1>>24]
+	(p0)	shladd	te02=te02,2,te0		// 5/2:te0+s2>>24
+	(p0)	and	te31=s1,maskff	};;	// 5/2:s1&0xff
+
+{ .mmi;	(p0)	ld4	te11=[te11]		// 6/0:te1[s1>>16]
+	(p0)	shladd	te12=te12,2,te1		// 6/1:te1+s2>>16
+	(p0)	extr.u	te10=s0,16,8	}	// 6/3:s0>>16&0xff
+{ .mmi;	(p0)	ld4	te02=[te02]		// 6/2:te0[s2>>24]
+	(p0)	shladd	te03=te03,2,te0		// 6/3:te1+s0>>16
+	(p0)	and	te32=s2,maskff	};;	// 6/3:s2&0xff
+{ .mmi;	(p0)	ld4	te12=[te12]		// 7/1:te1[s2>>16]
+	(p0)	shladd	te31=te31,2,te3		// 7/2:te3+s1&0xff
+	(p0)	and	te13=te13,maskff}	// 7/2:s3>>16&0xff
+{ .mmi;	(p0)	ld4	te03=[te03]		// 7/3:te0[s3>>24]
+	(p0)	shladd	te32=te32,2,te3		// 7/3:te3+s2
+	(p0)	xor	t0=t0,te33	};;	// 7/0:
+{ .mmi;	(p0)	ld4	te31=[te31]		// 8/2:te3[s1]
+	(p0)	shladd	te13=te13,2,te1		// 8/2:te1+s3>>16
+	(p0)	xor	t0=t0,te22	}	// 8/0:
+{ .mmi;	(p0)	ld4	te32=[te32]		// 8/3:te3[s2]
+	(p0)	shladd	te10=te10,2,te1		// 8/3:te1+s0>>16
+	(p0)	xor	t1=t1,te30	};;	// 8/1:
+{ .mmi;	(p0)	ld4	te13=[te13]		// 9/2:te1[s3>>16]
+	(p0)	xor	t0=t0,te00		// 9/0:
+	(p0)	xor	t1=t1,te23	}	// 9/1:		
+{ .mmi;	(p0)	ld4	te10=[te10]		// 9/3:te1[s0>>16]
+	(p0)	xor	t2=t2,te20		// 9/2:
+	(p0)	xor	t3=t3,te21	};;	// 9/3:
+{ .mmi;	(p0)	xor	t0=t0,te11		// 10/0:done!
+	(p0)	xor	t1=t1,te01		// 10/1:
+	(p0)	xor	t2=t2,te02	}	// 10/2:
+{ .mmi;	(p0)	xor	t3=t3,te03		// 10/3:
+	(p16)	cmp.eq	p0,p17=r0,r0 	};;	// 10/clear (p17)
+{ .mmi;	(p0)	xor	t1=t1,te12		// 11/1:done!
+	(p0)	xor	t2=t2,te31		// 11/2:
+	(p0)	xor	t3=t3,te32	}	// 11/3:
+{ .mmi;	(p17)	add	te0=4096,te0		// 11/	
+	(p17)	add	te1=4096,te1	};;	// 11/
+{ .mib;	(p0)	xor	t2=t2,te13		// 12/2:done!
+	(p0)	xor	t3=t3,te10	}	// 12/3:done!
+{ .mib;	(p17)	add	te2=4096,te2		// 12/
+	(p17)	add	te3=4096,te3		// 12/
+	br.ctop.sptk	.Le_top		};;
+.Le_end:
+{ .mib;	mov	r16=s0
+	mov	r20=s1			}
+{ .mib;	mov	r24=s2
+	mov	r28=s3
+	br.ret.sptk	b6		};;
+.endp	_ia64_AES_encrypt#
+
+// void AES_encrypt (const void *in,void *out,const AES_KEY *key);
+.global	AES_encrypt#
+.proc	AES_encrypt#
+.align	32
+.skip	16
+AES_encrypt:
+	.prologue
+	.fframe	0
+	.save	ar.pfs,r2
+	.save	ar.lc,r3
+{ .mmi;	alloc	r2=ar.pfs,3,0,12,0
+	addl	out8=@ltoff(AES_Te#),gp
+	mov	r3=ar.lc		}
+{ .mmi;	and	out0=3,in0
+	ADDP	in0=0,in0
+	ADDP	out11=KSZ*60,in2	};;	// &AES_KEY->rounds
+
+	.body
+{ .mmi;	ld8	out8=[out8]			// Te0
+	ld4	out11=[out11]			// AES_KEY->rounds
+	mov	prsave=pr		}
+
+#if defined(_HPUX_SOURCE)	// HPUX is big-endian, cut 15+15 cycles...
+{ .mib; cmp.ne	p6,p0=out0,r0
+	add	out0=4,in0
+(p6)	br.dpnt.many	.Le_i_unaligned	};;
+
+{ .mmi;	ld4	out1=[in0],8		// s0
+	and	out9=3,in1
+	mov	twenty4=24		}
+{ .mmi;	ld4	out3=[out0],8		// s1
+	ADDP	rk0=0,in2
+	mov	sixteen=16		};;
+{ .mmi;	ld4	out5=[in0]		// s2
+	cmp.ne	p6,p0=out9,r0
+	mov	maskff=0xff		}
+{ .mmb;	ld4	out7=[out0]		// s3
+	ADDP	rk1=KSZ,in2
+	br.call.sptk.many	b6=_ia64_AES_encrypt	};;
+
+{ .mib;	ADDP	in0=4,in1
+	ADDP	in1=0,in1
+(p6)	br.spnt	.Le_o_unaligned		};;
+
+{ .mii;	mov	ar.pfs=r2
+	mov	ar.lc=r3		}
+{ .mmi;	st4	[in1]=r16,8		// s0
+	st4	[in0]=r20,8		// s1
+	mov	pr=prsave,0x1ffff	};;
+{ .mmb;	st4	[in1]=r24		// s2
+	st4	[in0]=r28		// s3
+	br.ret.sptk.many	b0	};;
+#endif
+
+.align	32
+.Le_i_unaligned:
+{ .mmi;	add	out0=1,in0
+	add	out2=2,in0
+	add	out4=3,in0	};;
+{ .mmi;	ld1	r16=[in0],4
+	ld1	r17=[out0],4	}//;;
+{ .mmi;	ld1	r18=[out2],4
+	ld1	out1=[out4],4	};;	// s0
+{ .mmi;	ld1	r20=[in0],4
+	ld1	r21=[out0],4	}//;;
+{ .mmi;	ld1	r22=[out2],4
+	ld1	out3=[out4],4	};;	// s1
+{ .mmi;	ld1	r24=[in0],4
+	ld1	r25=[out0],4	}//;;
+{ .mmi;	ld1	r26=[out2],4
+	ld1	out5=[out4],4	};;	// s2
+{ .mmi;	ld1	r28=[in0]
+	ld1	r29=[out0]	}//;;
+{ .mmi;	ld1	r30=[out2]
+	ld1	out7=[out4]	};;	// s3
+
+{ .mii;
+	dep	out1=r16,out1,24,8	//;;
+	dep	out3=r20,out3,24,8	}//;;
+{ .mii;	ADDP	rk0=0,in2
+	dep	out5=r24,out5,24,8	//;;
+	dep	out7=r28,out7,24,8	};;
+{ .mii;	ADDP	rk1=KSZ,in2
+	dep	out1=r17,out1,16,8	//;;
+	dep	out3=r21,out3,16,8	}//;;
+{ .mii;	mov	twenty4=24
+	dep	out5=r25,out5,16,8	//;;
+	dep	out7=r29,out7,16,8	};;
+{ .mii;	mov	sixteen=16
+	dep	out1=r18,out1,8,8	//;;
+	dep	out3=r22,out3,8,8	}//;;
+{ .mii;	mov	maskff=0xff
+	dep	out5=r26,out5,8,8	//;;
+	dep	out7=r30,out7,8,8	};;
+
+{ .mib;	br.call.sptk.many	b6=_ia64_AES_encrypt	};;
+
+.Le_o_unaligned:
+{ .mii;	ADDP	out0=0,in1
+	extr.u	r17=r16,8,8			// s0
+	shr.u	r19=r16,twenty4		}//;;
+{ .mii;	ADDP	out1=1,in1
+	extr.u	r18=r16,16,8
+	shr.u	r23=r20,twenty4		}//;;	// s1
+{ .mii;	ADDP	out2=2,in1
+	extr.u	r21=r20,8,8
+	shr.u	r22=r20,sixteen	}//;;
+{ .mii;	ADDP	out3=3,in1
+	extr.u	r25=r24,8,8			// s2
+	shr.u	r27=r24,twenty4		};;
+{ .mii;	st1	[out3]=r16,4
+	extr.u	r26=r24,16,8
+	shr.u	r31=r28,twenty4	}//;;	// s3
+{ .mii;	st1	[out2]=r17,4
+	extr.u	r29=r28,8,8
+	shr.u	r30=r28,sixteen		}//;;
+
+{ .mmi;	st1	[out1]=r18,4
+	st1	[out0]=r19,4		};;
+{ .mmi;	st1	[out3]=r20,4
+	st1	[out2]=r21,4		}//;;
+{ .mmi;	st1	[out1]=r22,4
+	st1	[out0]=r23,4		};;
+{ .mmi;	st1	[out3]=r24,4
+	st1	[out2]=r25,4
+	mov	pr=prsave,0x1ffff	}//;;
+{ .mmi;	st1	[out1]=r26,4
+	st1	[out0]=r27,4
+	mov	ar.pfs=r2		};;
+{ .mmi;	st1	[out3]=r28
+	st1	[out2]=r29
+	mov	ar.lc=r3		}//;;
+{ .mmb;	st1	[out1]=r30
+	st1	[out0]=r31
+	br.ret.sptk.many	b0	};;
+.endp	AES_encrypt#
+
+// *AES_decrypt are autogenerated by the following script:
+#if 0
+#!/usr/bin/env perl
+print "// *AES_decrypt are autogenerated by the following script:\n#if 0\n";
+open(PROG,'<'.$0); while(<PROG>) { print; } close(PROG);
+print "#endif\n";
+while(<>) {
+	$process=1	if (/\.proc\s+_ia64_AES_encrypt/);
+	next		if (!$process);
+
+	#s/te00=s0/td00=s0/;	s/te00/td00/g;
+	s/te11=s1/td13=s3/;	s/te11/td13/g;
+	#s/te22=s2/td22=s2/;	s/te22/td22/g;
+	s/te33=s3/td31=s1/;	s/te33/td31/g;
+
+	#s/te01=s1/td01=s1/;	s/te01/td01/g;
+	s/te12=s2/td10=s0/;	s/te12/td10/g;
+	#s/te23=s3/td23=s3/;	s/te23/td23/g;
+	s/te30=s0/td32=s2/;	s/te30/td32/g;
+
+	#s/te02=s2/td02=s2/;	s/te02/td02/g;
+	s/te13=s3/td11=s1/;	s/te13/td11/g;
+	#s/te20=s0/td20=s0/;	s/te20/td20/g;
+	s/te31=s1/td33=s3/;	s/te31/td33/g;
+
+	#s/te03=s3/td03=s3/;	s/te03/td03/g;
+	s/te10=s0/td12=s2/;	s/te10/td12/g;
+	#s/te21=s1/td21=s1/;	s/te21/td21/g;
+	s/te32=s2/td30=s0/;	s/te32/td30/g;
+
+	s/td/te/g;
+
+	s/AES_encrypt/AES_decrypt/g;
+	s/\.Le_/.Ld_/g;
+	s/AES_Te#/AES_Td#/g;
+
+	print;
+
+	exit		if (/\.endp\s+AES_decrypt/);
+}
+#endif
+.proc	_ia64_AES_decrypt#
+// Input:	rk0-rk1
+//		te0
+//		te3	as AES_KEY->rounds!!!
+//		s0-s3
+//		maskff,twenty4,sixteen
+// Output:	r16,r20,r24,r28 as s0-s3
+// Clobber:	r16-r31,rk0-rk1,r32-r43
+.align	32
+_ia64_AES_decrypt:
+{ .mmi;	alloc	r16=ar.pfs,12,0,0,8
+	LDKEY	t0=[rk0],2*KSZ
+	mov	pr.rot=1<<16	}
+{ .mmi;	LDKEY	t1=[rk1],2*KSZ
+	add	te1=1024,te0
+	add	te3=-3,te3	};;
+{ .mib;	LDKEY	t2=[rk0],2*KSZ
+	mov	ar.ec=3		}
+{ .mib;	LDKEY	t3=[rk1],2*KSZ
+	add	te2=2048,te0
+	brp.loop.imp	.Ld_top,.Ld_end-16	};;
+
+{ .mmi;	xor	s0=s0,t0
+	xor	s1=s1,t1
+	mov	ar.lc=te3	}
+{ .mmi;	xor	s2=s2,t2
+	xor	s3=s3,t3
+	add	te3=3072,te0	};;
+
+.align	32
+.Ld_top:
+{ .mmi;	(p0)	LDKEY	t0=[rk0],2*KSZ		// 0/0:rk[0]
+	(p0)	and	te31=s1,maskff		// 0/0:s3&0xff
+	(p0)	extr.u	te22=s2,8,8	}	// 0/0:s2>>8&0xff
+{ .mmi; (p0)	LDKEY	t1=[rk1],2*KSZ		// 0/1:rk[1]
+	(p0)	and	te32=s2,maskff		// 0/1:s0&0xff
+	(p0)	shr.u	te00=s0,twenty4	};;	// 0/0:s0>>24
+{ .mmi;	(p0)	LDKEY	t2=[rk0],2*KSZ		// 1/2:rk[2]
+	(p0)	shladd	te31=te31,2,te3		// 1/0:te0+s0>>24
+	(p0)	extr.u	te23=s3,8,8	}	// 1/1:s3>>8&0xff
+{ .mmi;	(p0)	LDKEY	t3=[rk1],2*KSZ		// 1/3:rk[3]
+	(p0)	shladd	te32=te32,2,te3		// 1/1:te3+s0
+	(p0)	shr.u	te01=s1,twenty4	};;	// 1/1:s1>>24
+{ .mmi;	(p0)	ld4	te31=[te31]		// 2/0:te3[s3&0xff]
+	(p0)	shladd	te22=te22,2,te2		// 2/0:te2+s2>>8&0xff
+	(p0)	extr.u	te20=s0,8,8	}	// 2/2:s0>>8&0xff
+{ .mmi;	(p0)	ld4	te32=[te32]		// 2/1:te3[s0]
+	(p0)	shladd	te23=te23,2,te2		// 2/1:te2+s3>>8
+	(p0)	shr.u	te02=s2,twenty4	};;	// 2/2:s2>>24
+{ .mmi;	(p0)	ld4	te22=[te22]		// 3/0:te2[s2>>8]
+	(p0)	shladd	te20=te20,2,te2		// 3/2:te2+s0>>8
+	(p0)	extr.u	te21=s1,8,8	}	// 3/3:s1>>8&0xff
+{ .mmi;	(p0)	ld4	te23=[te23]		// 3/1:te2[s3>>8]
+	(p0)	shladd	te00=te00,2,te0		// 3/0:te0+s0>>24
+	(p0)	shr.u	te03=s3,twenty4	};;	// 3/3:s3>>24
+{ .mmi;	(p0)	ld4	te20=[te20]		// 4/2:te2[s0>>8]
+	(p0)	shladd	te21=te21,2,te2		// 4/3:te3+s2
+	(p0)	extr.u	te13=s3,16,8	}	// 4/0:s1>>16&0xff
+{ .mmi;	(p0)	ld4	te00=[te00]		// 4/0:te0[s0>>24]
+	(p0)	shladd	te01=te01,2,te0		// 4/1:te0+s1>>24
+	(p0)	shr.u	te11=s1,sixteen	};;	// 4/2:s3>>16
+{ .mmi;	(p0)	ld4	te21=[te21]		// 5/3:te2[s1>>8]
+	(p0)	shladd	te13=te13,2,te1		// 5/0:te1+s1>>16
+	(p0)	extr.u	te10=s0,16,8	}	// 5/1:s2>>16&0xff
+{ .mmi;	(p0)	ld4	te01=[te01]		// 5/1:te0[s1>>24]
+	(p0)	shladd	te02=te02,2,te0		// 5/2:te0+s2>>24
+	(p0)	and	te33=s3,maskff	};;	// 5/2:s1&0xff
+
+{ .mmi;	(p0)	ld4	te13=[te13]		// 6/0:te1[s1>>16]
+	(p0)	shladd	te10=te10,2,te1		// 6/1:te1+s2>>16
+	(p0)	extr.u	te12=s2,16,8	}	// 6/3:s0>>16&0xff
+{ .mmi;	(p0)	ld4	te02=[te02]		// 6/2:te0[s2>>24]
+	(p0)	shladd	te03=te03,2,te0		// 6/3:te1+s0>>16
+	(p0)	and	te30=s0,maskff	};;	// 6/3:s2&0xff
+{ .mmi;	(p0)	ld4	te10=[te10]		// 7/1:te1[s2>>16]
+	(p0)	shladd	te33=te33,2,te3		// 7/2:te3+s1&0xff
+	(p0)	and	te11=te11,maskff}	// 7/2:s3>>16&0xff
+{ .mmi;	(p0)	ld4	te03=[te03]		// 7/3:te0[s3>>24]
+	(p0)	shladd	te30=te30,2,te3		// 7/3:te3+s2
+	(p0)	xor	t0=t0,te31	};;	// 7/0:
+{ .mmi;	(p0)	ld4	te33=[te33]		// 8/2:te3[s1]
+	(p0)	shladd	te11=te11,2,te1		// 8/2:te1+s3>>16
+	(p0)	xor	t0=t0,te22	}	// 8/0:
+{ .mmi;	(p0)	ld4	te30=[te30]		// 8/3:te3[s2]
+	(p0)	shladd	te12=te12,2,te1		// 8/3:te1+s0>>16
+	(p0)	xor	t1=t1,te32	};;	// 8/1:
+{ .mmi;	(p0)	ld4	te11=[te11]		// 9/2:te1[s3>>16]
+	(p0)	xor	t0=t0,te00		// 9/0:
+	(p0)	xor	t1=t1,te23	}	// 9/1:		
+{ .mmi;	(p0)	ld4	te12=[te12]		// 9/3:te1[s0>>16]
+	(p0)	xor	t2=t2,te20		// 9/2:
+	(p0)	xor	t3=t3,te21	};;	// 9/3:
+{ .mmi;	(p0)	xor	t0=t0,te13		// 10/0:done!
+	(p0)	xor	t1=t1,te01		// 10/1:
+	(p0)	xor	t2=t2,te02	}	// 10/2:
+{ .mmi;	(p0)	xor	t3=t3,te03		// 10/3:
+	(p16)	cmp.eq	p0,p17=r0,r0 	};;	// 10/clear (p17)
+{ .mmi;	(p0)	xor	t1=t1,te10		// 11/1:done!
+	(p0)	xor	t2=t2,te33		// 11/2:
+	(p0)	xor	t3=t3,te30	}	// 11/3:
+{ .mmi;	(p17)	add	te0=4096,te0		// 11/	
+	(p17)	add	te1=4096,te1	};;	// 11/
+{ .mib;	(p0)	xor	t2=t2,te11		// 12/2:done!
+	(p0)	xor	t3=t3,te12	}	// 12/3:done!
+{ .mib;	(p17)	add	te2=4096,te2		// 12/
+	(p17)	add	te3=4096,te3		// 12/
+	br.ctop.sptk	.Ld_top		};;
+.Ld_end:
+{ .mib;	mov	r16=s0
+	mov	r20=s1			}
+{ .mib;	mov	r24=s2
+	mov	r28=s3
+	br.ret.sptk	b6		};;
+.endp	_ia64_AES_decrypt#
+
+// void AES_decrypt (const void *in,void *out,const AES_KEY *key);
+.global	AES_decrypt#
+.proc	AES_decrypt#
+.align	32
+.skip	16
+AES_decrypt:
+	.prologue
+	.fframe	0
+	.save	ar.pfs,r2
+	.save	ar.lc,r3
+{ .mmi;	alloc	r2=ar.pfs,3,0,12,0
+	addl	out8=@ltoff(AES_Td#),gp
+	mov	r3=ar.lc		}
+{ .mmi;	and	out0=3,in0
+	ADDP	in0=0,in0
+	ADDP	out11=KSZ*60,in2	};;	// &AES_KEY->rounds
+
+	.body
+{ .mmi;	ld8	out8=[out8]			// Te0
+	ld4	out11=[out11]			// AES_KEY->rounds
+	mov	prsave=pr		}
+
+#if defined(_HPUX_SOURCE)	// HPUX is big-endian, cut 15+15 cycles...
+{ .mib; cmp.ne	p6,p0=out0,r0
+	add	out0=4,in0
+(p6)	br.dpnt.many	.Ld_i_unaligned	};;
+
+{ .mmi;	ld4	out1=[in0],8		// s0
+	and	out9=3,in1
+	mov	twenty4=24		}
+{ .mmi;	ld4	out3=[out0],8		// s1
+	ADDP	rk0=0,in2
+	mov	sixteen=16		};;
+{ .mmi;	ld4	out5=[in0]		// s2
+	cmp.ne	p6,p0=out9,r0
+	mov	maskff=0xff		}
+{ .mmb;	ld4	out7=[out0]		// s3
+	ADDP	rk1=KSZ,in2
+	br.call.sptk.many	b6=_ia64_AES_decrypt	};;
+
+{ .mib;	ADDP	in0=4,in1
+	ADDP	in1=0,in1
+(p6)	br.spnt	.Ld_o_unaligned		};;
+
+{ .mii;	mov	ar.pfs=r2
+	mov	ar.lc=r3		}
+{ .mmi;	st4	[in1]=r16,8		// s0
+	st4	[in0]=r20,8		// s1
+	mov	pr=prsave,0x1ffff	};;
+{ .mmb;	st4	[in1]=r24		// s2
+	st4	[in0]=r28		// s3
+	br.ret.sptk.many	b0	};;
+#endif
+
+.align	32
+.Ld_i_unaligned:
+{ .mmi;	add	out0=1,in0
+	add	out2=2,in0
+	add	out4=3,in0	};;
+{ .mmi;	ld1	r16=[in0],4
+	ld1	r17=[out0],4	}//;;
+{ .mmi;	ld1	r18=[out2],4
+	ld1	out1=[out4],4	};;	// s0
+{ .mmi;	ld1	r20=[in0],4
+	ld1	r21=[out0],4	}//;;
+{ .mmi;	ld1	r22=[out2],4
+	ld1	out3=[out4],4	};;	// s1
+{ .mmi;	ld1	r24=[in0],4
+	ld1	r25=[out0],4	}//;;
+{ .mmi;	ld1	r26=[out2],4
+	ld1	out5=[out4],4	};;	// s2
+{ .mmi;	ld1	r28=[in0]
+	ld1	r29=[out0]	}//;;
+{ .mmi;	ld1	r30=[out2]
+	ld1	out7=[out4]	};;	// s3
+
+{ .mii;
+	dep	out1=r16,out1,24,8	//;;
+	dep	out3=r20,out3,24,8	}//;;
+{ .mii;	ADDP	rk0=0,in2
+	dep	out5=r24,out5,24,8	//;;
+	dep	out7=r28,out7,24,8	};;
+{ .mii;	ADDP	rk1=KSZ,in2
+	dep	out1=r17,out1,16,8	//;;
+	dep	out3=r21,out3,16,8	}//;;
+{ .mii;	mov	twenty4=24
+	dep	out5=r25,out5,16,8	//;;
+	dep	out7=r29,out7,16,8	};;
+{ .mii;	mov	sixteen=16
+	dep	out1=r18,out1,8,8	//;;
+	dep	out3=r22,out3,8,8	}//;;
+{ .mii;	mov	maskff=0xff
+	dep	out5=r26,out5,8,8	//;;
+	dep	out7=r30,out7,8,8	};;
+
+{ .mib;	br.call.sptk.many	b6=_ia64_AES_decrypt	};;
+
+.Ld_o_unaligned:
+{ .mii;	ADDP	out0=0,in1
+	extr.u	r17=r16,8,8			// s0
+	shr.u	r19=r16,twenty4		}//;;
+{ .mii;	ADDP	out1=1,in1
+	extr.u	r18=r16,16,8
+	shr.u	r23=r20,twenty4		}//;;	// s1
+{ .mii;	ADDP	out2=2,in1
+	extr.u	r21=r20,8,8
+	shr.u	r22=r20,sixteen	}//;;
+{ .mii;	ADDP	out3=3,in1
+	extr.u	r25=r24,8,8			// s2
+	shr.u	r27=r24,twenty4		};;
+{ .mii;	st1	[out3]=r16,4
+	extr.u	r26=r24,16,8
+	shr.u	r31=r28,twenty4	}//;;	// s3
+{ .mii;	st1	[out2]=r17,4
+	extr.u	r29=r28,8,8
+	shr.u	r30=r28,sixteen		}//;;
+
+{ .mmi;	st1	[out1]=r18,4
+	st1	[out0]=r19,4		};;
+{ .mmi;	st1	[out3]=r20,4
+	st1	[out2]=r21,4		}//;;
+{ .mmi;	st1	[out1]=r22,4
+	st1	[out0]=r23,4		};;
+{ .mmi;	st1	[out3]=r24,4
+	st1	[out2]=r25,4
+	mov	pr=prsave,0x1ffff	}//;;
+{ .mmi;	st1	[out1]=r26,4
+	st1	[out0]=r27,4
+	mov	ar.pfs=r2		};;
+{ .mmi;	st1	[out3]=r28
+	st1	[out2]=r29
+	mov	ar.lc=r3		}//;;
+{ .mmb;	st1	[out1]=r30
+	st1	[out0]=r31
+	br.ret.sptk.many	b0	};;
+.endp	AES_decrypt#
+
+// leave it in .text segment...
+.align	64
+.global	AES_Te#
+.type	AES_Te#,@object
+AES_Te:	data4	0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d
+	data4	0xfff2f20d, 0xd66b6bbd, 0xde6f6fb1, 0x91c5c554
+	data4	0x60303050, 0x02010103, 0xce6767a9, 0x562b2b7d
+	data4	0xe7fefe19, 0xb5d7d762, 0x4dababe6, 0xec76769a
+	data4	0x8fcaca45, 0x1f82829d, 0x89c9c940, 0xfa7d7d87
+	data4	0xeffafa15, 0xb25959eb, 0x8e4747c9, 0xfbf0f00b
+	data4	0x41adadec, 0xb3d4d467, 0x5fa2a2fd, 0x45afafea
+	data4	0x239c9cbf, 0x53a4a4f7, 0xe4727296, 0x9bc0c05b
+	data4	0x75b7b7c2, 0xe1fdfd1c, 0x3d9393ae, 0x4c26266a
+	data4	0x6c36365a, 0x7e3f3f41, 0xf5f7f702, 0x83cccc4f
+	data4	0x6834345c, 0x51a5a5f4, 0xd1e5e534, 0xf9f1f108
+	data4	0xe2717193, 0xabd8d873, 0x62313153, 0x2a15153f
+	data4	0x0804040c, 0x95c7c752, 0x46232365, 0x9dc3c35e
+	data4	0x30181828, 0x379696a1, 0x0a05050f, 0x2f9a9ab5
+	data4	0x0e070709, 0x24121236, 0x1b80809b, 0xdfe2e23d
+	data4	0xcdebeb26, 0x4e272769, 0x7fb2b2cd, 0xea75759f
+	data4	0x1209091b, 0x1d83839e, 0x582c2c74, 0x341a1a2e
+	data4	0x361b1b2d, 0xdc6e6eb2, 0xb45a5aee, 0x5ba0a0fb
+	data4	0xa45252f6, 0x763b3b4d, 0xb7d6d661, 0x7db3b3ce
+	data4	0x5229297b, 0xdde3e33e, 0x5e2f2f71, 0x13848497
+	data4	0xa65353f5, 0xb9d1d168, 0x00000000, 0xc1eded2c
+	data4	0x40202060, 0xe3fcfc1f, 0x79b1b1c8, 0xb65b5bed
+	data4	0xd46a6abe, 0x8dcbcb46, 0x67bebed9, 0x7239394b
+	data4	0x944a4ade, 0x984c4cd4, 0xb05858e8, 0x85cfcf4a
+	data4	0xbbd0d06b, 0xc5efef2a, 0x4faaaae5, 0xedfbfb16
+	data4	0x864343c5, 0x9a4d4dd7, 0x66333355, 0x11858594
+	data4	0x8a4545cf, 0xe9f9f910, 0x04020206, 0xfe7f7f81
+	data4	0xa05050f0, 0x783c3c44, 0x259f9fba, 0x4ba8a8e3
+	data4	0xa25151f3, 0x5da3a3fe, 0x804040c0, 0x058f8f8a
+	data4	0x3f9292ad, 0x219d9dbc, 0x70383848, 0xf1f5f504
+	data4	0x63bcbcdf, 0x77b6b6c1, 0xafdada75, 0x42212163
+	data4	0x20101030, 0xe5ffff1a, 0xfdf3f30e, 0xbfd2d26d
+	data4	0x81cdcd4c, 0x180c0c14, 0x26131335, 0xc3ecec2f
+	data4	0xbe5f5fe1, 0x359797a2, 0x884444cc, 0x2e171739
+	data4	0x93c4c457, 0x55a7a7f2, 0xfc7e7e82, 0x7a3d3d47
+	data4	0xc86464ac, 0xba5d5de7, 0x3219192b, 0xe6737395
+	data4	0xc06060a0, 0x19818198, 0x9e4f4fd1, 0xa3dcdc7f
+	data4	0x44222266, 0x542a2a7e, 0x3b9090ab, 0x0b888883
+	data4	0x8c4646ca, 0xc7eeee29, 0x6bb8b8d3, 0x2814143c
+	data4	0xa7dede79, 0xbc5e5ee2, 0x160b0b1d, 0xaddbdb76
+	data4	0xdbe0e03b, 0x64323256, 0x743a3a4e, 0x140a0a1e
+	data4	0x924949db, 0x0c06060a, 0x4824246c, 0xb85c5ce4
+	data4	0x9fc2c25d, 0xbdd3d36e, 0x43acacef, 0xc46262a6
+	data4	0x399191a8, 0x319595a4, 0xd3e4e437, 0xf279798b
+	data4	0xd5e7e732, 0x8bc8c843, 0x6e373759, 0xda6d6db7
+	data4	0x018d8d8c, 0xb1d5d564, 0x9c4e4ed2, 0x49a9a9e0
+	data4	0xd86c6cb4, 0xac5656fa, 0xf3f4f407, 0xcfeaea25
+	data4	0xca6565af, 0xf47a7a8e, 0x47aeaee9, 0x10080818
+	data4	0x6fbabad5, 0xf0787888, 0x4a25256f, 0x5c2e2e72
+	data4	0x381c1c24, 0x57a6a6f1, 0x73b4b4c7, 0x97c6c651
+	data4	0xcbe8e823, 0xa1dddd7c, 0xe874749c, 0x3e1f1f21
+	data4	0x964b4bdd, 0x61bdbddc, 0x0d8b8b86, 0x0f8a8a85
+	data4	0xe0707090, 0x7c3e3e42, 0x71b5b5c4, 0xcc6666aa
+	data4	0x904848d8, 0x06030305, 0xf7f6f601, 0x1c0e0e12
+	data4	0xc26161a3, 0x6a35355f, 0xae5757f9, 0x69b9b9d0
+	data4	0x17868691, 0x99c1c158, 0x3a1d1d27, 0x279e9eb9
+	data4	0xd9e1e138, 0xebf8f813, 0x2b9898b3, 0x22111133
+	data4	0xd26969bb, 0xa9d9d970, 0x078e8e89, 0x339494a7
+	data4	0x2d9b9bb6, 0x3c1e1e22, 0x15878792, 0xc9e9e920
+	data4	0x87cece49, 0xaa5555ff, 0x50282878, 0xa5dfdf7a
+	data4	0x038c8c8f, 0x59a1a1f8, 0x09898980, 0x1a0d0d17
+	data4	0x65bfbfda, 0xd7e6e631, 0x844242c6, 0xd06868b8
+	data4	0x824141c3, 0x299999b0, 0x5a2d2d77, 0x1e0f0f11
+	data4	0x7bb0b0cb, 0xa85454fc, 0x6dbbbbd6, 0x2c16163a
+// Te1:
+	data4	0xa5c66363, 0x84f87c7c, 0x99ee7777, 0x8df67b7b
+	data4	0x0dfff2f2, 0xbdd66b6b, 0xb1de6f6f, 0x5491c5c5
+	data4	0x50603030, 0x03020101, 0xa9ce6767, 0x7d562b2b
+	data4	0x19e7fefe, 0x62b5d7d7, 0xe64dabab, 0x9aec7676
+	data4	0x458fcaca, 0x9d1f8282, 0x4089c9c9, 0x87fa7d7d
+	data4	0x15effafa, 0xebb25959, 0xc98e4747, 0x0bfbf0f0
+	data4	0xec41adad, 0x67b3d4d4, 0xfd5fa2a2, 0xea45afaf
+	data4	0xbf239c9c, 0xf753a4a4, 0x96e47272, 0x5b9bc0c0
+	data4	0xc275b7b7, 0x1ce1fdfd, 0xae3d9393, 0x6a4c2626
+	data4	0x5a6c3636, 0x417e3f3f, 0x02f5f7f7, 0x4f83cccc
+	data4	0x5c683434, 0xf451a5a5, 0x34d1e5e5, 0x08f9f1f1
+	data4	0x93e27171, 0x73abd8d8, 0x53623131, 0x3f2a1515
+	data4	0x0c080404, 0x5295c7c7, 0x65462323, 0x5e9dc3c3
+	data4	0x28301818, 0xa1379696, 0x0f0a0505, 0xb52f9a9a
+	data4	0x090e0707, 0x36241212, 0x9b1b8080, 0x3ddfe2e2
+	data4	0x26cdebeb, 0x694e2727, 0xcd7fb2b2, 0x9fea7575
+	data4	0x1b120909, 0x9e1d8383, 0x74582c2c, 0x2e341a1a
+	data4	0x2d361b1b, 0xb2dc6e6e, 0xeeb45a5a, 0xfb5ba0a0
+	data4	0xf6a45252, 0x4d763b3b, 0x61b7d6d6, 0xce7db3b3
+	data4	0x7b522929, 0x3edde3e3, 0x715e2f2f, 0x97138484
+	data4	0xf5a65353, 0x68b9d1d1, 0x00000000, 0x2cc1eded
+	data4	0x60402020, 0x1fe3fcfc, 0xc879b1b1, 0xedb65b5b
+	data4	0xbed46a6a, 0x468dcbcb, 0xd967bebe, 0x4b723939
+	data4	0xde944a4a, 0xd4984c4c, 0xe8b05858, 0x4a85cfcf
+	data4	0x6bbbd0d0, 0x2ac5efef, 0xe54faaaa, 0x16edfbfb
+	data4	0xc5864343, 0xd79a4d4d, 0x55663333, 0x94118585
+	data4	0xcf8a4545, 0x10e9f9f9, 0x06040202, 0x81fe7f7f
+	data4	0xf0a05050, 0x44783c3c, 0xba259f9f, 0xe34ba8a8
+	data4	0xf3a25151, 0xfe5da3a3, 0xc0804040, 0x8a058f8f
+	data4	0xad3f9292, 0xbc219d9d, 0x48703838, 0x04f1f5f5
+	data4	0xdf63bcbc, 0xc177b6b6, 0x75afdada, 0x63422121
+	data4	0x30201010, 0x1ae5ffff, 0x0efdf3f3, 0x6dbfd2d2
+	data4	0x4c81cdcd, 0x14180c0c, 0x35261313, 0x2fc3ecec
+	data4	0xe1be5f5f, 0xa2359797, 0xcc884444, 0x392e1717
+	data4	0x5793c4c4, 0xf255a7a7, 0x82fc7e7e, 0x477a3d3d
+	data4	0xacc86464, 0xe7ba5d5d, 0x2b321919, 0x95e67373
+	data4	0xa0c06060, 0x98198181, 0xd19e4f4f, 0x7fa3dcdc
+	data4	0x66442222, 0x7e542a2a, 0xab3b9090, 0x830b8888
+	data4	0xca8c4646, 0x29c7eeee, 0xd36bb8b8, 0x3c281414
+	data4	0x79a7dede, 0xe2bc5e5e, 0x1d160b0b, 0x76addbdb
+	data4	0x3bdbe0e0, 0x56643232, 0x4e743a3a, 0x1e140a0a
+	data4	0xdb924949, 0x0a0c0606, 0x6c482424, 0xe4b85c5c
+	data4	0x5d9fc2c2, 0x6ebdd3d3, 0xef43acac, 0xa6c46262
+	data4	0xa8399191, 0xa4319595, 0x37d3e4e4, 0x8bf27979
+	data4	0x32d5e7e7, 0x438bc8c8, 0x596e3737, 0xb7da6d6d
+	data4	0x8c018d8d, 0x64b1d5d5, 0xd29c4e4e, 0xe049a9a9
+	data4	0xb4d86c6c, 0xfaac5656, 0x07f3f4f4, 0x25cfeaea
+	data4	0xafca6565, 0x8ef47a7a, 0xe947aeae, 0x18100808
+	data4	0xd56fbaba, 0x88f07878, 0x6f4a2525, 0x725c2e2e
+	data4	0x24381c1c, 0xf157a6a6, 0xc773b4b4, 0x5197c6c6
+	data4	0x23cbe8e8, 0x7ca1dddd, 0x9ce87474, 0x213e1f1f
+	data4	0xdd964b4b, 0xdc61bdbd, 0x860d8b8b, 0x850f8a8a
+	data4	0x90e07070, 0x427c3e3e, 0xc471b5b5, 0xaacc6666
+	data4	0xd8904848, 0x05060303, 0x01f7f6f6, 0x121c0e0e
+	data4	0xa3c26161, 0x5f6a3535, 0xf9ae5757, 0xd069b9b9
+	data4	0x91178686, 0x5899c1c1, 0x273a1d1d, 0xb9279e9e
+	data4	0x38d9e1e1, 0x13ebf8f8, 0xb32b9898, 0x33221111
+	data4	0xbbd26969, 0x70a9d9d9, 0x89078e8e, 0xa7339494
+	data4	0xb62d9b9b, 0x223c1e1e, 0x92158787, 0x20c9e9e9
+	data4	0x4987cece, 0xffaa5555, 0x78502828, 0x7aa5dfdf
+	data4	0x8f038c8c, 0xf859a1a1, 0x80098989, 0x171a0d0d
+	data4	0xda65bfbf, 0x31d7e6e6, 0xc6844242, 0xb8d06868
+	data4	0xc3824141, 0xb0299999, 0x775a2d2d, 0x111e0f0f
+	data4	0xcb7bb0b0, 0xfca85454, 0xd66dbbbb, 0x3a2c1616
+// Te2:
+	data4	0x63a5c663, 0x7c84f87c, 0x7799ee77, 0x7b8df67b
+	data4	0xf20dfff2, 0x6bbdd66b, 0x6fb1de6f, 0xc55491c5
+	data4	0x30506030, 0x01030201, 0x67a9ce67, 0x2b7d562b
+	data4	0xfe19e7fe, 0xd762b5d7, 0xabe64dab, 0x769aec76
+	data4	0xca458fca, 0x829d1f82, 0xc94089c9, 0x7d87fa7d
+	data4	0xfa15effa, 0x59ebb259, 0x47c98e47, 0xf00bfbf0
+	data4	0xadec41ad, 0xd467b3d4, 0xa2fd5fa2, 0xafea45af
+	data4	0x9cbf239c, 0xa4f753a4, 0x7296e472, 0xc05b9bc0
+	data4	0xb7c275b7, 0xfd1ce1fd, 0x93ae3d93, 0x266a4c26
+	data4	0x365a6c36, 0x3f417e3f, 0xf702f5f7, 0xcc4f83cc
+	data4	0x345c6834, 0xa5f451a5, 0xe534d1e5, 0xf108f9f1
+	data4	0x7193e271, 0xd873abd8, 0x31536231, 0x153f2a15
+	data4	0x040c0804, 0xc75295c7, 0x23654623, 0xc35e9dc3
+	data4	0x18283018, 0x96a13796, 0x050f0a05, 0x9ab52f9a
+	data4	0x07090e07, 0x12362412, 0x809b1b80, 0xe23ddfe2
+	data4	0xeb26cdeb, 0x27694e27, 0xb2cd7fb2, 0x759fea75
+	data4	0x091b1209, 0x839e1d83, 0x2c74582c, 0x1a2e341a
+	data4	0x1b2d361b, 0x6eb2dc6e, 0x5aeeb45a, 0xa0fb5ba0
+	data4	0x52f6a452, 0x3b4d763b, 0xd661b7d6, 0xb3ce7db3
+	data4	0x297b5229, 0xe33edde3, 0x2f715e2f, 0x84971384
+	data4	0x53f5a653, 0xd168b9d1, 0x00000000, 0xed2cc1ed
+	data4	0x20604020, 0xfc1fe3fc, 0xb1c879b1, 0x5bedb65b
+	data4	0x6abed46a, 0xcb468dcb, 0xbed967be, 0x394b7239
+	data4	0x4ade944a, 0x4cd4984c, 0x58e8b058, 0xcf4a85cf
+	data4	0xd06bbbd0, 0xef2ac5ef, 0xaae54faa, 0xfb16edfb
+	data4	0x43c58643, 0x4dd79a4d, 0x33556633, 0x85941185
+	data4	0x45cf8a45, 0xf910e9f9, 0x02060402, 0x7f81fe7f
+	data4	0x50f0a050, 0x3c44783c, 0x9fba259f, 0xa8e34ba8
+	data4	0x51f3a251, 0xa3fe5da3, 0x40c08040, 0x8f8a058f
+	data4	0x92ad3f92, 0x9dbc219d, 0x38487038, 0xf504f1f5
+	data4	0xbcdf63bc, 0xb6c177b6, 0xda75afda, 0x21634221
+	data4	0x10302010, 0xff1ae5ff, 0xf30efdf3, 0xd26dbfd2
+	data4	0xcd4c81cd, 0x0c14180c, 0x13352613, 0xec2fc3ec
+	data4	0x5fe1be5f, 0x97a23597, 0x44cc8844, 0x17392e17
+	data4	0xc45793c4, 0xa7f255a7, 0x7e82fc7e, 0x3d477a3d
+	data4	0x64acc864, 0x5de7ba5d, 0x192b3219, 0x7395e673
+	data4	0x60a0c060, 0x81981981, 0x4fd19e4f, 0xdc7fa3dc
+	data4	0x22664422, 0x2a7e542a, 0x90ab3b90, 0x88830b88
+	data4	0x46ca8c46, 0xee29c7ee, 0xb8d36bb8, 0x143c2814
+	data4	0xde79a7de, 0x5ee2bc5e, 0x0b1d160b, 0xdb76addb
+	data4	0xe03bdbe0, 0x32566432, 0x3a4e743a, 0x0a1e140a
+	data4	0x49db9249, 0x060a0c06, 0x246c4824, 0x5ce4b85c
+	data4	0xc25d9fc2, 0xd36ebdd3, 0xacef43ac, 0x62a6c462
+	data4	0x91a83991, 0x95a43195, 0xe437d3e4, 0x798bf279
+	data4	0xe732d5e7, 0xc8438bc8, 0x37596e37, 0x6db7da6d
+	data4	0x8d8c018d, 0xd564b1d5, 0x4ed29c4e, 0xa9e049a9
+	data4	0x6cb4d86c, 0x56faac56, 0xf407f3f4, 0xea25cfea
+	data4	0x65afca65, 0x7a8ef47a, 0xaee947ae, 0x08181008
+	data4	0xbad56fba, 0x7888f078, 0x256f4a25, 0x2e725c2e
+	data4	0x1c24381c, 0xa6f157a6, 0xb4c773b4, 0xc65197c6
+	data4	0xe823cbe8, 0xdd7ca1dd, 0x749ce874, 0x1f213e1f
+	data4	0x4bdd964b, 0xbddc61bd, 0x8b860d8b, 0x8a850f8a
+	data4	0x7090e070, 0x3e427c3e, 0xb5c471b5, 0x66aacc66
+	data4	0x48d89048, 0x03050603, 0xf601f7f6, 0x0e121c0e
+	data4	0x61a3c261, 0x355f6a35, 0x57f9ae57, 0xb9d069b9
+	data4	0x86911786, 0xc15899c1, 0x1d273a1d, 0x9eb9279e
+	data4	0xe138d9e1, 0xf813ebf8, 0x98b32b98, 0x11332211
+	data4	0x69bbd269, 0xd970a9d9, 0x8e89078e, 0x94a73394
+	data4	0x9bb62d9b, 0x1e223c1e, 0x87921587, 0xe920c9e9
+	data4	0xce4987ce, 0x55ffaa55, 0x28785028, 0xdf7aa5df
+	data4	0x8c8f038c, 0xa1f859a1, 0x89800989, 0x0d171a0d
+	data4	0xbfda65bf, 0xe631d7e6, 0x42c68442, 0x68b8d068
+	data4	0x41c38241, 0x99b02999, 0x2d775a2d, 0x0f111e0f
+	data4	0xb0cb7bb0, 0x54fca854, 0xbbd66dbb, 0x163a2c16
+// Te3:
+	data4	0x6363a5c6, 0x7c7c84f8, 0x777799ee, 0x7b7b8df6
+	data4	0xf2f20dff, 0x6b6bbdd6, 0x6f6fb1de, 0xc5c55491
+	data4	0x30305060, 0x01010302, 0x6767a9ce, 0x2b2b7d56
+	data4	0xfefe19e7, 0xd7d762b5, 0xababe64d, 0x76769aec
+	data4	0xcaca458f, 0x82829d1f, 0xc9c94089, 0x7d7d87fa
+	data4	0xfafa15ef, 0x5959ebb2, 0x4747c98e, 0xf0f00bfb
+	data4	0xadadec41, 0xd4d467b3, 0xa2a2fd5f, 0xafafea45
+	data4	0x9c9cbf23, 0xa4a4f753, 0x727296e4, 0xc0c05b9b
+	data4	0xb7b7c275, 0xfdfd1ce1, 0x9393ae3d, 0x26266a4c
+	data4	0x36365a6c, 0x3f3f417e, 0xf7f702f5, 0xcccc4f83
+	data4	0x34345c68, 0xa5a5f451, 0xe5e534d1, 0xf1f108f9
+	data4	0x717193e2, 0xd8d873ab, 0x31315362, 0x15153f2a
+	data4	0x04040c08, 0xc7c75295, 0x23236546, 0xc3c35e9d
+	data4	0x18182830, 0x9696a137, 0x05050f0a, 0x9a9ab52f
+	data4	0x0707090e, 0x12123624, 0x80809b1b, 0xe2e23ddf
+	data4	0xebeb26cd, 0x2727694e, 0xb2b2cd7f, 0x75759fea
+	data4	0x09091b12, 0x83839e1d, 0x2c2c7458, 0x1a1a2e34
+	data4	0x1b1b2d36, 0x6e6eb2dc, 0x5a5aeeb4, 0xa0a0fb5b
+	data4	0x5252f6a4, 0x3b3b4d76, 0xd6d661b7, 0xb3b3ce7d
+	data4	0x29297b52, 0xe3e33edd, 0x2f2f715e, 0x84849713
+	data4	0x5353f5a6, 0xd1d168b9, 0x00000000, 0xeded2cc1
+	data4	0x20206040, 0xfcfc1fe3, 0xb1b1c879, 0x5b5bedb6
+	data4	0x6a6abed4, 0xcbcb468d, 0xbebed967, 0x39394b72
+	data4	0x4a4ade94, 0x4c4cd498, 0x5858e8b0, 0xcfcf4a85
+	data4	0xd0d06bbb, 0xefef2ac5, 0xaaaae54f, 0xfbfb16ed
+	data4	0x4343c586, 0x4d4dd79a, 0x33335566, 0x85859411
+	data4	0x4545cf8a, 0xf9f910e9, 0x02020604, 0x7f7f81fe
+	data4	0x5050f0a0, 0x3c3c4478, 0x9f9fba25, 0xa8a8e34b
+	data4	0x5151f3a2, 0xa3a3fe5d, 0x4040c080, 0x8f8f8a05
+	data4	0x9292ad3f, 0x9d9dbc21, 0x38384870, 0xf5f504f1
+	data4	0xbcbcdf63, 0xb6b6c177, 0xdada75af, 0x21216342
+	data4	0x10103020, 0xffff1ae5, 0xf3f30efd, 0xd2d26dbf
+	data4	0xcdcd4c81, 0x0c0c1418, 0x13133526, 0xecec2fc3
+	data4	0x5f5fe1be, 0x9797a235, 0x4444cc88, 0x1717392e
+	data4	0xc4c45793, 0xa7a7f255, 0x7e7e82fc, 0x3d3d477a
+	data4	0x6464acc8, 0x5d5de7ba, 0x19192b32, 0x737395e6
+	data4	0x6060a0c0, 0x81819819, 0x4f4fd19e, 0xdcdc7fa3
+	data4	0x22226644, 0x2a2a7e54, 0x9090ab3b, 0x8888830b
+	data4	0x4646ca8c, 0xeeee29c7, 0xb8b8d36b, 0x14143c28
+	data4	0xdede79a7, 0x5e5ee2bc, 0x0b0b1d16, 0xdbdb76ad
+	data4	0xe0e03bdb, 0x32325664, 0x3a3a4e74, 0x0a0a1e14
+	data4	0x4949db92, 0x06060a0c, 0x24246c48, 0x5c5ce4b8
+	data4	0xc2c25d9f, 0xd3d36ebd, 0xacacef43, 0x6262a6c4
+	data4	0x9191a839, 0x9595a431, 0xe4e437d3, 0x79798bf2
+	data4	0xe7e732d5, 0xc8c8438b, 0x3737596e, 0x6d6db7da
+	data4	0x8d8d8c01, 0xd5d564b1, 0x4e4ed29c, 0xa9a9e049
+	data4	0x6c6cb4d8, 0x5656faac, 0xf4f407f3, 0xeaea25cf
+	data4	0x6565afca, 0x7a7a8ef4, 0xaeaee947, 0x08081810
+	data4	0xbabad56f, 0x787888f0, 0x25256f4a, 0x2e2e725c
+	data4	0x1c1c2438, 0xa6a6f157, 0xb4b4c773, 0xc6c65197
+	data4	0xe8e823cb, 0xdddd7ca1, 0x74749ce8, 0x1f1f213e
+	data4	0x4b4bdd96, 0xbdbddc61, 0x8b8b860d, 0x8a8a850f
+	data4	0x707090e0, 0x3e3e427c, 0xb5b5c471, 0x6666aacc
+	data4	0x4848d890, 0x03030506, 0xf6f601f7, 0x0e0e121c
+	data4	0x6161a3c2, 0x35355f6a, 0x5757f9ae, 0xb9b9d069
+	data4	0x86869117, 0xc1c15899, 0x1d1d273a, 0x9e9eb927
+	data4	0xe1e138d9, 0xf8f813eb, 0x9898b32b, 0x11113322
+	data4	0x6969bbd2, 0xd9d970a9, 0x8e8e8907, 0x9494a733
+	data4	0x9b9bb62d, 0x1e1e223c, 0x87879215, 0xe9e920c9
+	data4	0xcece4987, 0x5555ffaa, 0x28287850, 0xdfdf7aa5
+	data4	0x8c8c8f03, 0xa1a1f859, 0x89898009, 0x0d0d171a
+	data4	0xbfbfda65, 0xe6e631d7, 0x4242c684, 0x6868b8d0
+	data4	0x4141c382, 0x9999b029, 0x2d2d775a, 0x0f0f111e
+	data4	0xb0b0cb7b, 0x5454fca8, 0xbbbbd66d, 0x16163a2c
+// Te4:
+	data4	0x63000000, 0x7c000000, 0x77000000, 0x7b000000
+	data4	0xf2000000, 0x6b000000, 0x6f000000, 0xc5000000
+	data4	0x30000000, 0x01000000, 0x67000000, 0x2b000000
+	data4	0xfe000000, 0xd7000000, 0xab000000, 0x76000000
+	data4	0xca000000, 0x82000000, 0xc9000000, 0x7d000000
+	data4	0xfa000000, 0x59000000, 0x47000000, 0xf0000000
+	data4	0xad000000, 0xd4000000, 0xa2000000, 0xaf000000
+	data4	0x9c000000, 0xa4000000, 0x72000000, 0xc0000000
+	data4	0xb7000000, 0xfd000000, 0x93000000, 0x26000000
+	data4	0x36000000, 0x3f000000, 0xf7000000, 0xcc000000
+	data4	0x34000000, 0xa5000000, 0xe5000000, 0xf1000000
+	data4	0x71000000, 0xd8000000, 0x31000000, 0x15000000
+	data4	0x04000000, 0xc7000000, 0x23000000, 0xc3000000
+	data4	0x18000000, 0x96000000, 0x05000000, 0x9a000000
+	data4	0x07000000, 0x12000000, 0x80000000, 0xe2000000
+	data4	0xeb000000, 0x27000000, 0xb2000000, 0x75000000
+	data4	0x09000000, 0x83000000, 0x2c000000, 0x1a000000
+	data4	0x1b000000, 0x6e000000, 0x5a000000, 0xa0000000
+	data4	0x52000000, 0x3b000000, 0xd6000000, 0xb3000000
+	data4	0x29000000, 0xe3000000, 0x2f000000, 0x84000000
+	data4	0x53000000, 0xd1000000, 0x00000000, 0xed000000
+	data4	0x20000000, 0xfc000000, 0xb1000000, 0x5b000000
+	data4	0x6a000000, 0xcb000000, 0xbe000000, 0x39000000
+	data4	0x4a000000, 0x4c000000, 0x58000000, 0xcf000000
+	data4	0xd0000000, 0xef000000, 0xaa000000, 0xfb000000
+	data4	0x43000000, 0x4d000000, 0x33000000, 0x85000000
+	data4	0x45000000, 0xf9000000, 0x02000000, 0x7f000000
+	data4	0x50000000, 0x3c000000, 0x9f000000, 0xa8000000
+	data4	0x51000000, 0xa3000000, 0x40000000, 0x8f000000
+	data4	0x92000000, 0x9d000000, 0x38000000, 0xf5000000
+	data4	0xbc000000, 0xb6000000, 0xda000000, 0x21000000
+	data4	0x10000000, 0xff000000, 0xf3000000, 0xd2000000
+	data4	0xcd000000, 0x0c000000, 0x13000000, 0xec000000
+	data4	0x5f000000, 0x97000000, 0x44000000, 0x17000000
+	data4	0xc4000000, 0xa7000000, 0x7e000000, 0x3d000000
+	data4	0x64000000, 0x5d000000, 0x19000000, 0x73000000
+	data4	0x60000000, 0x81000000, 0x4f000000, 0xdc000000
+	data4	0x22000000, 0x2a000000, 0x90000000, 0x88000000
+	data4	0x46000000, 0xee000000, 0xb8000000, 0x14000000
+	data4	0xde000000, 0x5e000000, 0x0b000000, 0xdb000000
+	data4	0xe0000000, 0x32000000, 0x3a000000, 0x0a000000
+	data4	0x49000000, 0x06000000, 0x24000000, 0x5c000000
+	data4	0xc2000000, 0xd3000000, 0xac000000, 0x62000000
+	data4	0x91000000, 0x95000000, 0xe4000000, 0x79000000
+	data4	0xe7000000, 0xc8000000, 0x37000000, 0x6d000000
+	data4	0x8d000000, 0xd5000000, 0x4e000000, 0xa9000000
+	data4	0x6c000000, 0x56000000, 0xf4000000, 0xea000000
+	data4	0x65000000, 0x7a000000, 0xae000000, 0x08000000
+	data4	0xba000000, 0x78000000, 0x25000000, 0x2e000000
+	data4	0x1c000000, 0xa6000000, 0xb4000000, 0xc6000000
+	data4	0xe8000000, 0xdd000000, 0x74000000, 0x1f000000
+	data4	0x4b000000, 0xbd000000, 0x8b000000, 0x8a000000
+	data4	0x70000000, 0x3e000000, 0xb5000000, 0x66000000
+	data4	0x48000000, 0x03000000, 0xf6000000, 0x0e000000
+	data4	0x61000000, 0x35000000, 0x57000000, 0xb9000000
+	data4	0x86000000, 0xc1000000, 0x1d000000, 0x9e000000
+	data4	0xe1000000, 0xf8000000, 0x98000000, 0x11000000
+	data4	0x69000000, 0xd9000000, 0x8e000000, 0x94000000
+	data4	0x9b000000, 0x1e000000, 0x87000000, 0xe9000000
+	data4	0xce000000, 0x55000000, 0x28000000, 0xdf000000
+	data4	0x8c000000, 0xa1000000, 0x89000000, 0x0d000000
+	data4	0xbf000000, 0xe6000000, 0x42000000, 0x68000000
+	data4	0x41000000, 0x99000000, 0x2d000000, 0x0f000000
+	data4	0xb0000000, 0x54000000, 0xbb000000, 0x16000000
+// Te5:
+	data4	0x00630000, 0x007c0000, 0x00770000, 0x007b0000
+	data4	0x00f20000, 0x006b0000, 0x006f0000, 0x00c50000
+	data4	0x00300000, 0x00010000, 0x00670000, 0x002b0000
+	data4	0x00fe0000, 0x00d70000, 0x00ab0000, 0x00760000
+	data4	0x00ca0000, 0x00820000, 0x00c90000, 0x007d0000
+	data4	0x00fa0000, 0x00590000, 0x00470000, 0x00f00000
+	data4	0x00ad0000, 0x00d40000, 0x00a20000, 0x00af0000
+	data4	0x009c0000, 0x00a40000, 0x00720000, 0x00c00000
+	data4	0x00b70000, 0x00fd0000, 0x00930000, 0x00260000
+	data4	0x00360000, 0x003f0000, 0x00f70000, 0x00cc0000
+	data4	0x00340000, 0x00a50000, 0x00e50000, 0x00f10000
+	data4	0x00710000, 0x00d80000, 0x00310000, 0x00150000
+	data4	0x00040000, 0x00c70000, 0x00230000, 0x00c30000
+	data4	0x00180000, 0x00960000, 0x00050000, 0x009a0000
+	data4	0x00070000, 0x00120000, 0x00800000, 0x00e20000
+	data4	0x00eb0000, 0x00270000, 0x00b20000, 0x00750000
+	data4	0x00090000, 0x00830000, 0x002c0000, 0x001a0000
+	data4	0x001b0000, 0x006e0000, 0x005a0000, 0x00a00000
+	data4	0x00520000, 0x003b0000, 0x00d60000, 0x00b30000
+	data4	0x00290000, 0x00e30000, 0x002f0000, 0x00840000
+	data4	0x00530000, 0x00d10000, 0x00000000, 0x00ed0000
+	data4	0x00200000, 0x00fc0000, 0x00b10000, 0x005b0000
+	data4	0x006a0000, 0x00cb0000, 0x00be0000, 0x00390000
+	data4	0x004a0000, 0x004c0000, 0x00580000, 0x00cf0000
+	data4	0x00d00000, 0x00ef0000, 0x00aa0000, 0x00fb0000
+	data4	0x00430000, 0x004d0000, 0x00330000, 0x00850000
+	data4	0x00450000, 0x00f90000, 0x00020000, 0x007f0000
+	data4	0x00500000, 0x003c0000, 0x009f0000, 0x00a80000
+	data4	0x00510000, 0x00a30000, 0x00400000, 0x008f0000
+	data4	0x00920000, 0x009d0000, 0x00380000, 0x00f50000
+	data4	0x00bc0000, 0x00b60000, 0x00da0000, 0x00210000
+	data4	0x00100000, 0x00ff0000, 0x00f30000, 0x00d20000
+	data4	0x00cd0000, 0x000c0000, 0x00130000, 0x00ec0000
+	data4	0x005f0000, 0x00970000, 0x00440000, 0x00170000
+	data4	0x00c40000, 0x00a70000, 0x007e0000, 0x003d0000
+	data4	0x00640000, 0x005d0000, 0x00190000, 0x00730000
+	data4	0x00600000, 0x00810000, 0x004f0000, 0x00dc0000
+	data4	0x00220000, 0x002a0000, 0x00900000, 0x00880000
+	data4	0x00460000, 0x00ee0000, 0x00b80000, 0x00140000
+	data4	0x00de0000, 0x005e0000, 0x000b0000, 0x00db0000
+	data4	0x00e00000, 0x00320000, 0x003a0000, 0x000a0000
+	data4	0x00490000, 0x00060000, 0x00240000, 0x005c0000
+	data4	0x00c20000, 0x00d30000, 0x00ac0000, 0x00620000
+	data4	0x00910000, 0x00950000, 0x00e40000, 0x00790000
+	data4	0x00e70000, 0x00c80000, 0x00370000, 0x006d0000
+	data4	0x008d0000, 0x00d50000, 0x004e0000, 0x00a90000
+	data4	0x006c0000, 0x00560000, 0x00f40000, 0x00ea0000
+	data4	0x00650000, 0x007a0000, 0x00ae0000, 0x00080000
+	data4	0x00ba0000, 0x00780000, 0x00250000, 0x002e0000
+	data4	0x001c0000, 0x00a60000, 0x00b40000, 0x00c60000
+	data4	0x00e80000, 0x00dd0000, 0x00740000, 0x001f0000
+	data4	0x004b0000, 0x00bd0000, 0x008b0000, 0x008a0000
+	data4	0x00700000, 0x003e0000, 0x00b50000, 0x00660000
+	data4	0x00480000, 0x00030000, 0x00f60000, 0x000e0000
+	data4	0x00610000, 0x00350000, 0x00570000, 0x00b90000
+	data4	0x00860000, 0x00c10000, 0x001d0000, 0x009e0000
+	data4	0x00e10000, 0x00f80000, 0x00980000, 0x00110000
+	data4	0x00690000, 0x00d90000, 0x008e0000, 0x00940000
+	data4	0x009b0000, 0x001e0000, 0x00870000, 0x00e90000
+	data4	0x00ce0000, 0x00550000, 0x00280000, 0x00df0000
+	data4	0x008c0000, 0x00a10000, 0x00890000, 0x000d0000
+	data4	0x00bf0000, 0x00e60000, 0x00420000, 0x00680000
+	data4	0x00410000, 0x00990000, 0x002d0000, 0x000f0000
+	data4	0x00b00000, 0x00540000, 0x00bb0000, 0x00160000
+// Te6:
+	data4	0x00006300, 0x00007c00, 0x00007700, 0x00007b00
+	data4	0x0000f200, 0x00006b00, 0x00006f00, 0x0000c500
+	data4	0x00003000, 0x00000100, 0x00006700, 0x00002b00
+	data4	0x0000fe00, 0x0000d700, 0x0000ab00, 0x00007600
+	data4	0x0000ca00, 0x00008200, 0x0000c900, 0x00007d00
+	data4	0x0000fa00, 0x00005900, 0x00004700, 0x0000f000
+	data4	0x0000ad00, 0x0000d400, 0x0000a200, 0x0000af00
+	data4	0x00009c00, 0x0000a400, 0x00007200, 0x0000c000
+	data4	0x0000b700, 0x0000fd00, 0x00009300, 0x00002600
+	data4	0x00003600, 0x00003f00, 0x0000f700, 0x0000cc00
+	data4	0x00003400, 0x0000a500, 0x0000e500, 0x0000f100
+	data4	0x00007100, 0x0000d800, 0x00003100, 0x00001500
+	data4	0x00000400, 0x0000c700, 0x00002300, 0x0000c300
+	data4	0x00001800, 0x00009600, 0x00000500, 0x00009a00
+	data4	0x00000700, 0x00001200, 0x00008000, 0x0000e200
+	data4	0x0000eb00, 0x00002700, 0x0000b200, 0x00007500
+	data4	0x00000900, 0x00008300, 0x00002c00, 0x00001a00
+	data4	0x00001b00, 0x00006e00, 0x00005a00, 0x0000a000
+	data4	0x00005200, 0x00003b00, 0x0000d600, 0x0000b300
+	data4	0x00002900, 0x0000e300, 0x00002f00, 0x00008400
+	data4	0x00005300, 0x0000d100, 0x00000000, 0x0000ed00
+	data4	0x00002000, 0x0000fc00, 0x0000b100, 0x00005b00
+	data4	0x00006a00, 0x0000cb00, 0x0000be00, 0x00003900
+	data4	0x00004a00, 0x00004c00, 0x00005800, 0x0000cf00
+	data4	0x0000d000, 0x0000ef00, 0x0000aa00, 0x0000fb00
+	data4	0x00004300, 0x00004d00, 0x00003300, 0x00008500
+	data4	0x00004500, 0x0000f900, 0x00000200, 0x00007f00
+	data4	0x00005000, 0x00003c00, 0x00009f00, 0x0000a800
+	data4	0x00005100, 0x0000a300, 0x00004000, 0x00008f00
+	data4	0x00009200, 0x00009d00, 0x00003800, 0x0000f500
+	data4	0x0000bc00, 0x0000b600, 0x0000da00, 0x00002100
+	data4	0x00001000, 0x0000ff00, 0x0000f300, 0x0000d200
+	data4	0x0000cd00, 0x00000c00, 0x00001300, 0x0000ec00
+	data4	0x00005f00, 0x00009700, 0x00004400, 0x00001700
+	data4	0x0000c400, 0x0000a700, 0x00007e00, 0x00003d00
+	data4	0x00006400, 0x00005d00, 0x00001900, 0x00007300
+	data4	0x00006000, 0x00008100, 0x00004f00, 0x0000dc00
+	data4	0x00002200, 0x00002a00, 0x00009000, 0x00008800
+	data4	0x00004600, 0x0000ee00, 0x0000b800, 0x00001400
+	data4	0x0000de00, 0x00005e00, 0x00000b00, 0x0000db00
+	data4	0x0000e000, 0x00003200, 0x00003a00, 0x00000a00
+	data4	0x00004900, 0x00000600, 0x00002400, 0x00005c00
+	data4	0x0000c200, 0x0000d300, 0x0000ac00, 0x00006200
+	data4	0x00009100, 0x00009500, 0x0000e400, 0x00007900
+	data4	0x0000e700, 0x0000c800, 0x00003700, 0x00006d00
+	data4	0x00008d00, 0x0000d500, 0x00004e00, 0x0000a900
+	data4	0x00006c00, 0x00005600, 0x0000f400, 0x0000ea00
+	data4	0x00006500, 0x00007a00, 0x0000ae00, 0x00000800
+	data4	0x0000ba00, 0x00007800, 0x00002500, 0x00002e00
+	data4	0x00001c00, 0x0000a600, 0x0000b400, 0x0000c600
+	data4	0x0000e800, 0x0000dd00, 0x00007400, 0x00001f00
+	data4	0x00004b00, 0x0000bd00, 0x00008b00, 0x00008a00
+	data4	0x00007000, 0x00003e00, 0x0000b500, 0x00006600
+	data4	0x00004800, 0x00000300, 0x0000f600, 0x00000e00
+	data4	0x00006100, 0x00003500, 0x00005700, 0x0000b900
+	data4	0x00008600, 0x0000c100, 0x00001d00, 0x00009e00
+	data4	0x0000e100, 0x0000f800, 0x00009800, 0x00001100
+	data4	0x00006900, 0x0000d900, 0x00008e00, 0x00009400
+	data4	0x00009b00, 0x00001e00, 0x00008700, 0x0000e900
+	data4	0x0000ce00, 0x00005500, 0x00002800, 0x0000df00
+	data4	0x00008c00, 0x0000a100, 0x00008900, 0x00000d00
+	data4	0x0000bf00, 0x0000e600, 0x00004200, 0x00006800
+	data4	0x00004100, 0x00009900, 0x00002d00, 0x00000f00
+	data4	0x0000b000, 0x00005400, 0x0000bb00, 0x00001600
+// Te7:
+	data4	0x00000063, 0x0000007c, 0x00000077, 0x0000007b
+	data4	0x000000f2, 0x0000006b, 0x0000006f, 0x000000c5
+	data4	0x00000030, 0x00000001, 0x00000067, 0x0000002b
+	data4	0x000000fe, 0x000000d7, 0x000000ab, 0x00000076
+	data4	0x000000ca, 0x00000082, 0x000000c9, 0x0000007d
+	data4	0x000000fa, 0x00000059, 0x00000047, 0x000000f0
+	data4	0x000000ad, 0x000000d4, 0x000000a2, 0x000000af
+	data4	0x0000009c, 0x000000a4, 0x00000072, 0x000000c0
+	data4	0x000000b7, 0x000000fd, 0x00000093, 0x00000026
+	data4	0x00000036, 0x0000003f, 0x000000f7, 0x000000cc
+	data4	0x00000034, 0x000000a5, 0x000000e5, 0x000000f1
+	data4	0x00000071, 0x000000d8, 0x00000031, 0x00000015
+	data4	0x00000004, 0x000000c7, 0x00000023, 0x000000c3
+	data4	0x00000018, 0x00000096, 0x00000005, 0x0000009a
+	data4	0x00000007, 0x00000012, 0x00000080, 0x000000e2
+	data4	0x000000eb, 0x00000027, 0x000000b2, 0x00000075
+	data4	0x00000009, 0x00000083, 0x0000002c, 0x0000001a
+	data4	0x0000001b, 0x0000006e, 0x0000005a, 0x000000a0
+	data4	0x00000052, 0x0000003b, 0x000000d6, 0x000000b3
+	data4	0x00000029, 0x000000e3, 0x0000002f, 0x00000084
+	data4	0x00000053, 0x000000d1, 0x00000000, 0x000000ed
+	data4	0x00000020, 0x000000fc, 0x000000b1, 0x0000005b
+	data4	0x0000006a, 0x000000cb, 0x000000be, 0x00000039
+	data4	0x0000004a, 0x0000004c, 0x00000058, 0x000000cf
+	data4	0x000000d0, 0x000000ef, 0x000000aa, 0x000000fb
+	data4	0x00000043, 0x0000004d, 0x00000033, 0x00000085
+	data4	0x00000045, 0x000000f9, 0x00000002, 0x0000007f
+	data4	0x00000050, 0x0000003c, 0x0000009f, 0x000000a8
+	data4	0x00000051, 0x000000a3, 0x00000040, 0x0000008f
+	data4	0x00000092, 0x0000009d, 0x00000038, 0x000000f5
+	data4	0x000000bc, 0x000000b6, 0x000000da, 0x00000021
+	data4	0x00000010, 0x000000ff, 0x000000f3, 0x000000d2
+	data4	0x000000cd, 0x0000000c, 0x00000013, 0x000000ec
+	data4	0x0000005f, 0x00000097, 0x00000044, 0x00000017
+	data4	0x000000c4, 0x000000a7, 0x0000007e, 0x0000003d
+	data4	0x00000064, 0x0000005d, 0x00000019, 0x00000073
+	data4	0x00000060, 0x00000081, 0x0000004f, 0x000000dc
+	data4	0x00000022, 0x0000002a, 0x00000090, 0x00000088
+	data4	0x00000046, 0x000000ee, 0x000000b8, 0x00000014
+	data4	0x000000de, 0x0000005e, 0x0000000b, 0x000000db
+	data4	0x000000e0, 0x00000032, 0x0000003a, 0x0000000a
+	data4	0x00000049, 0x00000006, 0x00000024, 0x0000005c
+	data4	0x000000c2, 0x000000d3, 0x000000ac, 0x00000062
+	data4	0x00000091, 0x00000095, 0x000000e4, 0x00000079
+	data4	0x000000e7, 0x000000c8, 0x00000037, 0x0000006d
+	data4	0x0000008d, 0x000000d5, 0x0000004e, 0x000000a9
+	data4	0x0000006c, 0x00000056, 0x000000f4, 0x000000ea
+	data4	0x00000065, 0x0000007a, 0x000000ae, 0x00000008
+	data4	0x000000ba, 0x00000078, 0x00000025, 0x0000002e
+	data4	0x0000001c, 0x000000a6, 0x000000b4, 0x000000c6
+	data4	0x000000e8, 0x000000dd, 0x00000074, 0x0000001f
+	data4	0x0000004b, 0x000000bd, 0x0000008b, 0x0000008a
+	data4	0x00000070, 0x0000003e, 0x000000b5, 0x00000066
+	data4	0x00000048, 0x00000003, 0x000000f6, 0x0000000e
+	data4	0x00000061, 0x00000035, 0x00000057, 0x000000b9
+	data4	0x00000086, 0x000000c1, 0x0000001d, 0x0000009e
+	data4	0x000000e1, 0x000000f8, 0x00000098, 0x00000011
+	data4	0x00000069, 0x000000d9, 0x0000008e, 0x00000094
+	data4	0x0000009b, 0x0000001e, 0x00000087, 0x000000e9
+	data4	0x000000ce, 0x00000055, 0x00000028, 0x000000df
+	data4	0x0000008c, 0x000000a1, 0x00000089, 0x0000000d
+	data4	0x000000bf, 0x000000e6, 0x00000042, 0x00000068
+	data4	0x00000041, 0x00000099, 0x0000002d, 0x0000000f
+	data4	0x000000b0, 0x00000054, 0x000000bb, 0x00000016
+.size	AES_Te#,8*256*4	// HP-UX assembler fails to ".-AES_Te#"
+
+.align	64
+.global	AES_Td#
+.type	AES_Td#,@object
+AES_Td:	data4	0x51f4a750, 0x7e416553, 0x1a17a4c3, 0x3a275e96
+	data4	0x3bab6bcb, 0x1f9d45f1, 0xacfa58ab, 0x4be30393
+	data4	0x2030fa55, 0xad766df6, 0x88cc7691, 0xf5024c25
+	data4	0x4fe5d7fc, 0xc52acbd7, 0x26354480, 0xb562a38f
+	data4	0xdeb15a49, 0x25ba1b67, 0x45ea0e98, 0x5dfec0e1
+	data4	0xc32f7502, 0x814cf012, 0x8d4697a3, 0x6bd3f9c6
+	data4	0x038f5fe7, 0x15929c95, 0xbf6d7aeb, 0x955259da
+	data4	0xd4be832d, 0x587421d3, 0x49e06929, 0x8ec9c844
+	data4	0x75c2896a, 0xf48e7978, 0x99583e6b, 0x27b971dd
+	data4	0xbee14fb6, 0xf088ad17, 0xc920ac66, 0x7dce3ab4
+	data4	0x63df4a18, 0xe51a3182, 0x97513360, 0x62537f45
+	data4	0xb16477e0, 0xbb6bae84, 0xfe81a01c, 0xf9082b94
+	data4	0x70486858, 0x8f45fd19, 0x94de6c87, 0x527bf8b7
+	data4	0xab73d323, 0x724b02e2, 0xe31f8f57, 0x6655ab2a
+	data4	0xb2eb2807, 0x2fb5c203, 0x86c57b9a, 0xd33708a5
+	data4	0x302887f2, 0x23bfa5b2, 0x02036aba, 0xed16825c
+	data4	0x8acf1c2b, 0xa779b492, 0xf307f2f0, 0x4e69e2a1
+	data4	0x65daf4cd, 0x0605bed5, 0xd134621f, 0xc4a6fe8a
+	data4	0x342e539d, 0xa2f355a0, 0x058ae132, 0xa4f6eb75
+	data4	0x0b83ec39, 0x4060efaa, 0x5e719f06, 0xbd6e1051
+	data4	0x3e218af9, 0x96dd063d, 0xdd3e05ae, 0x4de6bd46
+	data4	0x91548db5, 0x71c45d05, 0x0406d46f, 0x605015ff
+	data4	0x1998fb24, 0xd6bde997, 0x894043cc, 0x67d99e77
+	data4	0xb0e842bd, 0x07898b88, 0xe7195b38, 0x79c8eedb
+	data4	0xa17c0a47, 0x7c420fe9, 0xf8841ec9, 0x00000000
+	data4	0x09808683, 0x322bed48, 0x1e1170ac, 0x6c5a724e
+	data4	0xfd0efffb, 0x0f853856, 0x3daed51e, 0x362d3927
+	data4	0x0a0fd964, 0x685ca621, 0x9b5b54d1, 0x24362e3a
+	data4	0x0c0a67b1, 0x9357e70f, 0xb4ee96d2, 0x1b9b919e
+	data4	0x80c0c54f, 0x61dc20a2, 0x5a774b69, 0x1c121a16
+	data4	0xe293ba0a, 0xc0a02ae5, 0x3c22e043, 0x121b171d
+	data4	0x0e090d0b, 0xf28bc7ad, 0x2db6a8b9, 0x141ea9c8
+	data4	0x57f11985, 0xaf75074c, 0xee99ddbb, 0xa37f60fd
+	data4	0xf701269f, 0x5c72f5bc, 0x44663bc5, 0x5bfb7e34
+	data4	0x8b432976, 0xcb23c6dc, 0xb6edfc68, 0xb8e4f163
+	data4	0xd731dcca, 0x42638510, 0x13972240, 0x84c61120
+	data4	0x854a247d, 0xd2bb3df8, 0xaef93211, 0xc729a16d
+	data4	0x1d9e2f4b, 0xdcb230f3, 0x0d8652ec, 0x77c1e3d0
+	data4	0x2bb3166c, 0xa970b999, 0x119448fa, 0x47e96422
+	data4	0xa8fc8cc4, 0xa0f03f1a, 0x567d2cd8, 0x223390ef
+	data4	0x87494ec7, 0xd938d1c1, 0x8ccaa2fe, 0x98d40b36
+	data4	0xa6f581cf, 0xa57ade28, 0xdab78e26, 0x3fadbfa4
+	data4	0x2c3a9de4, 0x5078920d, 0x6a5fcc9b, 0x547e4662
+	data4	0xf68d13c2, 0x90d8b8e8, 0x2e39f75e, 0x82c3aff5
+	data4	0x9f5d80be, 0x69d0937c, 0x6fd52da9, 0xcf2512b3
+	data4	0xc8ac993b, 0x10187da7, 0xe89c636e, 0xdb3bbb7b
+	data4	0xcd267809, 0x6e5918f4, 0xec9ab701, 0x834f9aa8
+	data4	0xe6956e65, 0xaaffe67e, 0x21bccf08, 0xef15e8e6
+	data4	0xbae79bd9, 0x4a6f36ce, 0xea9f09d4, 0x29b07cd6
+	data4	0x31a4b2af, 0x2a3f2331, 0xc6a59430, 0x35a266c0
+	data4	0x744ebc37, 0xfc82caa6, 0xe090d0b0, 0x33a7d815
+	data4	0xf104984a, 0x41ecdaf7, 0x7fcd500e, 0x1791f62f
+	data4	0x764dd68d, 0x43efb04d, 0xccaa4d54, 0xe49604df
+	data4	0x9ed1b5e3, 0x4c6a881b, 0xc12c1fb8, 0x4665517f
+	data4	0x9d5eea04, 0x018c355d, 0xfa877473, 0xfb0b412e
+	data4	0xb3671d5a, 0x92dbd252, 0xe9105633, 0x6dd64713
+	data4	0x9ad7618c, 0x37a10c7a, 0x59f8148e, 0xeb133c89
+	data4	0xcea927ee, 0xb761c935, 0xe11ce5ed, 0x7a47b13c
+	data4	0x9cd2df59, 0x55f2733f, 0x1814ce79, 0x73c737bf
+	data4	0x53f7cdea, 0x5ffdaa5b, 0xdf3d6f14, 0x7844db86
+	data4	0xcaaff381, 0xb968c43e, 0x3824342c, 0xc2a3405f
+	data4	0x161dc372, 0xbce2250c, 0x283c498b, 0xff0d9541
+	data4	0x39a80171, 0x080cb3de, 0xd8b4e49c, 0x6456c190
+	data4	0x7bcb8461, 0xd532b670, 0x486c5c74, 0xd0b85742
+// Td1:
+	data4	0x5051f4a7, 0x537e4165, 0xc31a17a4, 0x963a275e
+	data4	0xcb3bab6b, 0xf11f9d45, 0xabacfa58, 0x934be303
+	data4	0x552030fa, 0xf6ad766d, 0x9188cc76, 0x25f5024c
+	data4	0xfc4fe5d7, 0xd7c52acb, 0x80263544, 0x8fb562a3
+	data4	0x49deb15a, 0x6725ba1b, 0x9845ea0e, 0xe15dfec0
+	data4	0x02c32f75, 0x12814cf0, 0xa38d4697, 0xc66bd3f9
+	data4	0xe7038f5f, 0x9515929c, 0xebbf6d7a, 0xda955259
+	data4	0x2dd4be83, 0xd3587421, 0x2949e069, 0x448ec9c8
+	data4	0x6a75c289, 0x78f48e79, 0x6b99583e, 0xdd27b971
+	data4	0xb6bee14f, 0x17f088ad, 0x66c920ac, 0xb47dce3a
+	data4	0x1863df4a, 0x82e51a31, 0x60975133, 0x4562537f
+	data4	0xe0b16477, 0x84bb6bae, 0x1cfe81a0, 0x94f9082b
+	data4	0x58704868, 0x198f45fd, 0x8794de6c, 0xb7527bf8
+	data4	0x23ab73d3, 0xe2724b02, 0x57e31f8f, 0x2a6655ab
+	data4	0x07b2eb28, 0x032fb5c2, 0x9a86c57b, 0xa5d33708
+	data4	0xf2302887, 0xb223bfa5, 0xba02036a, 0x5ced1682
+	data4	0x2b8acf1c, 0x92a779b4, 0xf0f307f2, 0xa14e69e2
+	data4	0xcd65daf4, 0xd50605be, 0x1fd13462, 0x8ac4a6fe
+	data4	0x9d342e53, 0xa0a2f355, 0x32058ae1, 0x75a4f6eb
+	data4	0x390b83ec, 0xaa4060ef, 0x065e719f, 0x51bd6e10
+	data4	0xf93e218a, 0x3d96dd06, 0xaedd3e05, 0x464de6bd
+	data4	0xb591548d, 0x0571c45d, 0x6f0406d4, 0xff605015
+	data4	0x241998fb, 0x97d6bde9, 0xcc894043, 0x7767d99e
+	data4	0xbdb0e842, 0x8807898b, 0x38e7195b, 0xdb79c8ee
+	data4	0x47a17c0a, 0xe97c420f, 0xc9f8841e, 0x00000000
+	data4	0x83098086, 0x48322bed, 0xac1e1170, 0x4e6c5a72
+	data4	0xfbfd0eff, 0x560f8538, 0x1e3daed5, 0x27362d39
+	data4	0x640a0fd9, 0x21685ca6, 0xd19b5b54, 0x3a24362e
+	data4	0xb10c0a67, 0x0f9357e7, 0xd2b4ee96, 0x9e1b9b91
+	data4	0x4f80c0c5, 0xa261dc20, 0x695a774b, 0x161c121a
+	data4	0x0ae293ba, 0xe5c0a02a, 0x433c22e0, 0x1d121b17
+	data4	0x0b0e090d, 0xadf28bc7, 0xb92db6a8, 0xc8141ea9
+	data4	0x8557f119, 0x4caf7507, 0xbbee99dd, 0xfda37f60
+	data4	0x9ff70126, 0xbc5c72f5, 0xc544663b, 0x345bfb7e
+	data4	0x768b4329, 0xdccb23c6, 0x68b6edfc, 0x63b8e4f1
+	data4	0xcad731dc, 0x10426385, 0x40139722, 0x2084c611
+	data4	0x7d854a24, 0xf8d2bb3d, 0x11aef932, 0x6dc729a1
+	data4	0x4b1d9e2f, 0xf3dcb230, 0xec0d8652, 0xd077c1e3
+	data4	0x6c2bb316, 0x99a970b9, 0xfa119448, 0x2247e964
+	data4	0xc4a8fc8c, 0x1aa0f03f, 0xd8567d2c, 0xef223390
+	data4	0xc787494e, 0xc1d938d1, 0xfe8ccaa2, 0x3698d40b
+	data4	0xcfa6f581, 0x28a57ade, 0x26dab78e, 0xa43fadbf
+	data4	0xe42c3a9d, 0x0d507892, 0x9b6a5fcc, 0x62547e46
+	data4	0xc2f68d13, 0xe890d8b8, 0x5e2e39f7, 0xf582c3af
+	data4	0xbe9f5d80, 0x7c69d093, 0xa96fd52d, 0xb3cf2512
+	data4	0x3bc8ac99, 0xa710187d, 0x6ee89c63, 0x7bdb3bbb
+	data4	0x09cd2678, 0xf46e5918, 0x01ec9ab7, 0xa8834f9a
+	data4	0x65e6956e, 0x7eaaffe6, 0x0821bccf, 0xe6ef15e8
+	data4	0xd9bae79b, 0xce4a6f36, 0xd4ea9f09, 0xd629b07c
+	data4	0xaf31a4b2, 0x312a3f23, 0x30c6a594, 0xc035a266
+	data4	0x37744ebc, 0xa6fc82ca, 0xb0e090d0, 0x1533a7d8
+	data4	0x4af10498, 0xf741ecda, 0x0e7fcd50, 0x2f1791f6
+	data4	0x8d764dd6, 0x4d43efb0, 0x54ccaa4d, 0xdfe49604
+	data4	0xe39ed1b5, 0x1b4c6a88, 0xb8c12c1f, 0x7f466551
+	data4	0x049d5eea, 0x5d018c35, 0x73fa8774, 0x2efb0b41
+	data4	0x5ab3671d, 0x5292dbd2, 0x33e91056, 0x136dd647
+	data4	0x8c9ad761, 0x7a37a10c, 0x8e59f814, 0x89eb133c
+	data4	0xeecea927, 0x35b761c9, 0xede11ce5, 0x3c7a47b1
+	data4	0x599cd2df, 0x3f55f273, 0x791814ce, 0xbf73c737
+	data4	0xea53f7cd, 0x5b5ffdaa, 0x14df3d6f, 0x867844db
+	data4	0x81caaff3, 0x3eb968c4, 0x2c382434, 0x5fc2a340
+	data4	0x72161dc3, 0x0cbce225, 0x8b283c49, 0x41ff0d95
+	data4	0x7139a801, 0xde080cb3, 0x9cd8b4e4, 0x906456c1
+	data4	0x617bcb84, 0x70d532b6, 0x74486c5c, 0x42d0b857
+// Td2:
+	data4	0xa75051f4, 0x65537e41, 0xa4c31a17, 0x5e963a27
+	data4	0x6bcb3bab, 0x45f11f9d, 0x58abacfa, 0x03934be3
+	data4	0xfa552030, 0x6df6ad76, 0x769188cc, 0x4c25f502
+	data4	0xd7fc4fe5, 0xcbd7c52a, 0x44802635, 0xa38fb562
+	data4	0x5a49deb1, 0x1b6725ba, 0x0e9845ea, 0xc0e15dfe
+	data4	0x7502c32f, 0xf012814c, 0x97a38d46, 0xf9c66bd3
+	data4	0x5fe7038f, 0x9c951592, 0x7aebbf6d, 0x59da9552
+	data4	0x832dd4be, 0x21d35874, 0x692949e0, 0xc8448ec9
+	data4	0x896a75c2, 0x7978f48e, 0x3e6b9958, 0x71dd27b9
+	data4	0x4fb6bee1, 0xad17f088, 0xac66c920, 0x3ab47dce
+	data4	0x4a1863df, 0x3182e51a, 0x33609751, 0x7f456253
+	data4	0x77e0b164, 0xae84bb6b, 0xa01cfe81, 0x2b94f908
+	data4	0x68587048, 0xfd198f45, 0x6c8794de, 0xf8b7527b
+	data4	0xd323ab73, 0x02e2724b, 0x8f57e31f, 0xab2a6655
+	data4	0x2807b2eb, 0xc2032fb5, 0x7b9a86c5, 0x08a5d337
+	data4	0x87f23028, 0xa5b223bf, 0x6aba0203, 0x825ced16
+	data4	0x1c2b8acf, 0xb492a779, 0xf2f0f307, 0xe2a14e69
+	data4	0xf4cd65da, 0xbed50605, 0x621fd134, 0xfe8ac4a6
+	data4	0x539d342e, 0x55a0a2f3, 0xe132058a, 0xeb75a4f6
+	data4	0xec390b83, 0xefaa4060, 0x9f065e71, 0x1051bd6e
+	data4	0x8af93e21, 0x063d96dd, 0x05aedd3e, 0xbd464de6
+	data4	0x8db59154, 0x5d0571c4, 0xd46f0406, 0x15ff6050
+	data4	0xfb241998, 0xe997d6bd, 0x43cc8940, 0x9e7767d9
+	data4	0x42bdb0e8, 0x8b880789, 0x5b38e719, 0xeedb79c8
+	data4	0x0a47a17c, 0x0fe97c42, 0x1ec9f884, 0x00000000
+	data4	0x86830980, 0xed48322b, 0x70ac1e11, 0x724e6c5a
+	data4	0xfffbfd0e, 0x38560f85, 0xd51e3dae, 0x3927362d
+	data4	0xd9640a0f, 0xa621685c, 0x54d19b5b, 0x2e3a2436
+	data4	0x67b10c0a, 0xe70f9357, 0x96d2b4ee, 0x919e1b9b
+	data4	0xc54f80c0, 0x20a261dc, 0x4b695a77, 0x1a161c12
+	data4	0xba0ae293, 0x2ae5c0a0, 0xe0433c22, 0x171d121b
+	data4	0x0d0b0e09, 0xc7adf28b, 0xa8b92db6, 0xa9c8141e
+	data4	0x198557f1, 0x074caf75, 0xddbbee99, 0x60fda37f
+	data4	0x269ff701, 0xf5bc5c72, 0x3bc54466, 0x7e345bfb
+	data4	0x29768b43, 0xc6dccb23, 0xfc68b6ed, 0xf163b8e4
+	data4	0xdccad731, 0x85104263, 0x22401397, 0x112084c6
+	data4	0x247d854a, 0x3df8d2bb, 0x3211aef9, 0xa16dc729
+	data4	0x2f4b1d9e, 0x30f3dcb2, 0x52ec0d86, 0xe3d077c1
+	data4	0x166c2bb3, 0xb999a970, 0x48fa1194, 0x642247e9
+	data4	0x8cc4a8fc, 0x3f1aa0f0, 0x2cd8567d, 0x90ef2233
+	data4	0x4ec78749, 0xd1c1d938, 0xa2fe8cca, 0x0b3698d4
+	data4	0x81cfa6f5, 0xde28a57a, 0x8e26dab7, 0xbfa43fad
+	data4	0x9de42c3a, 0x920d5078, 0xcc9b6a5f, 0x4662547e
+	data4	0x13c2f68d, 0xb8e890d8, 0xf75e2e39, 0xaff582c3
+	data4	0x80be9f5d, 0x937c69d0, 0x2da96fd5, 0x12b3cf25
+	data4	0x993bc8ac, 0x7da71018, 0x636ee89c, 0xbb7bdb3b
+	data4	0x7809cd26, 0x18f46e59, 0xb701ec9a, 0x9aa8834f
+	data4	0x6e65e695, 0xe67eaaff, 0xcf0821bc, 0xe8e6ef15
+	data4	0x9bd9bae7, 0x36ce4a6f, 0x09d4ea9f, 0x7cd629b0
+	data4	0xb2af31a4, 0x23312a3f, 0x9430c6a5, 0x66c035a2
+	data4	0xbc37744e, 0xcaa6fc82, 0xd0b0e090, 0xd81533a7
+	data4	0x984af104, 0xdaf741ec, 0x500e7fcd, 0xf62f1791
+	data4	0xd68d764d, 0xb04d43ef, 0x4d54ccaa, 0x04dfe496
+	data4	0xb5e39ed1, 0x881b4c6a, 0x1fb8c12c, 0x517f4665
+	data4	0xea049d5e, 0x355d018c, 0x7473fa87, 0x412efb0b
+	data4	0x1d5ab367, 0xd25292db, 0x5633e910, 0x47136dd6
+	data4	0x618c9ad7, 0x0c7a37a1, 0x148e59f8, 0x3c89eb13
+	data4	0x27eecea9, 0xc935b761, 0xe5ede11c, 0xb13c7a47
+	data4	0xdf599cd2, 0x733f55f2, 0xce791814, 0x37bf73c7
+	data4	0xcdea53f7, 0xaa5b5ffd, 0x6f14df3d, 0xdb867844
+	data4	0xf381caaf, 0xc43eb968, 0x342c3824, 0x405fc2a3
+	data4	0xc372161d, 0x250cbce2, 0x498b283c, 0x9541ff0d
+	data4	0x017139a8, 0xb3de080c, 0xe49cd8b4, 0xc1906456
+	data4	0x84617bcb, 0xb670d532, 0x5c74486c, 0x5742d0b8
+// Td3:
+	data4	0xf4a75051, 0x4165537e, 0x17a4c31a, 0x275e963a
+	data4	0xab6bcb3b, 0x9d45f11f, 0xfa58abac, 0xe303934b
+	data4	0x30fa5520, 0x766df6ad, 0xcc769188, 0x024c25f5
+	data4	0xe5d7fc4f, 0x2acbd7c5, 0x35448026, 0x62a38fb5
+	data4	0xb15a49de, 0xba1b6725, 0xea0e9845, 0xfec0e15d
+	data4	0x2f7502c3, 0x4cf01281, 0x4697a38d, 0xd3f9c66b
+	data4	0x8f5fe703, 0x929c9515, 0x6d7aebbf, 0x5259da95
+	data4	0xbe832dd4, 0x7421d358, 0xe0692949, 0xc9c8448e
+	data4	0xc2896a75, 0x8e7978f4, 0x583e6b99, 0xb971dd27
+	data4	0xe14fb6be, 0x88ad17f0, 0x20ac66c9, 0xce3ab47d
+	data4	0xdf4a1863, 0x1a3182e5, 0x51336097, 0x537f4562
+	data4	0x6477e0b1, 0x6bae84bb, 0x81a01cfe, 0x082b94f9
+	data4	0x48685870, 0x45fd198f, 0xde6c8794, 0x7bf8b752
+	data4	0x73d323ab, 0x4b02e272, 0x1f8f57e3, 0x55ab2a66
+	data4	0xeb2807b2, 0xb5c2032f, 0xc57b9a86, 0x3708a5d3
+	data4	0x2887f230, 0xbfa5b223, 0x036aba02, 0x16825ced
+	data4	0xcf1c2b8a, 0x79b492a7, 0x07f2f0f3, 0x69e2a14e
+	data4	0xdaf4cd65, 0x05bed506, 0x34621fd1, 0xa6fe8ac4
+	data4	0x2e539d34, 0xf355a0a2, 0x8ae13205, 0xf6eb75a4
+	data4	0x83ec390b, 0x60efaa40, 0x719f065e, 0x6e1051bd
+	data4	0x218af93e, 0xdd063d96, 0x3e05aedd, 0xe6bd464d
+	data4	0x548db591, 0xc45d0571, 0x06d46f04, 0x5015ff60
+	data4	0x98fb2419, 0xbde997d6, 0x4043cc89, 0xd99e7767
+	data4	0xe842bdb0, 0x898b8807, 0x195b38e7, 0xc8eedb79
+	data4	0x7c0a47a1, 0x420fe97c, 0x841ec9f8, 0x00000000
+	data4	0x80868309, 0x2bed4832, 0x1170ac1e, 0x5a724e6c
+	data4	0x0efffbfd, 0x8538560f, 0xaed51e3d, 0x2d392736
+	data4	0x0fd9640a, 0x5ca62168, 0x5b54d19b, 0x362e3a24
+	data4	0x0a67b10c, 0x57e70f93, 0xee96d2b4, 0x9b919e1b
+	data4	0xc0c54f80, 0xdc20a261, 0x774b695a, 0x121a161c
+	data4	0x93ba0ae2, 0xa02ae5c0, 0x22e0433c, 0x1b171d12
+	data4	0x090d0b0e, 0x8bc7adf2, 0xb6a8b92d, 0x1ea9c814
+	data4	0xf1198557, 0x75074caf, 0x99ddbbee, 0x7f60fda3
+	data4	0x01269ff7, 0x72f5bc5c, 0x663bc544, 0xfb7e345b
+	data4	0x4329768b, 0x23c6dccb, 0xedfc68b6, 0xe4f163b8
+	data4	0x31dccad7, 0x63851042, 0x97224013, 0xc6112084
+	data4	0x4a247d85, 0xbb3df8d2, 0xf93211ae, 0x29a16dc7
+	data4	0x9e2f4b1d, 0xb230f3dc, 0x8652ec0d, 0xc1e3d077
+	data4	0xb3166c2b, 0x70b999a9, 0x9448fa11, 0xe9642247
+	data4	0xfc8cc4a8, 0xf03f1aa0, 0x7d2cd856, 0x3390ef22
+	data4	0x494ec787, 0x38d1c1d9, 0xcaa2fe8c, 0xd40b3698
+	data4	0xf581cfa6, 0x7ade28a5, 0xb78e26da, 0xadbfa43f
+	data4	0x3a9de42c, 0x78920d50, 0x5fcc9b6a, 0x7e466254
+	data4	0x8d13c2f6, 0xd8b8e890, 0x39f75e2e, 0xc3aff582
+	data4	0x5d80be9f, 0xd0937c69, 0xd52da96f, 0x2512b3cf
+	data4	0xac993bc8, 0x187da710, 0x9c636ee8, 0x3bbb7bdb
+	data4	0x267809cd, 0x5918f46e, 0x9ab701ec, 0x4f9aa883
+	data4	0x956e65e6, 0xffe67eaa, 0xbccf0821, 0x15e8e6ef
+	data4	0xe79bd9ba, 0x6f36ce4a, 0x9f09d4ea, 0xb07cd629
+	data4	0xa4b2af31, 0x3f23312a, 0xa59430c6, 0xa266c035
+	data4	0x4ebc3774, 0x82caa6fc, 0x90d0b0e0, 0xa7d81533
+	data4	0x04984af1, 0xecdaf741, 0xcd500e7f, 0x91f62f17
+	data4	0x4dd68d76, 0xefb04d43, 0xaa4d54cc, 0x9604dfe4
+	data4	0xd1b5e39e, 0x6a881b4c, 0x2c1fb8c1, 0x65517f46
+	data4	0x5eea049d, 0x8c355d01, 0x877473fa, 0x0b412efb
+	data4	0x671d5ab3, 0xdbd25292, 0x105633e9, 0xd647136d
+	data4	0xd7618c9a, 0xa10c7a37, 0xf8148e59, 0x133c89eb
+	data4	0xa927eece, 0x61c935b7, 0x1ce5ede1, 0x47b13c7a
+	data4	0xd2df599c, 0xf2733f55, 0x14ce7918, 0xc737bf73
+	data4	0xf7cdea53, 0xfdaa5b5f, 0x3d6f14df, 0x44db8678
+	data4	0xaff381ca, 0x68c43eb9, 0x24342c38, 0xa3405fc2
+	data4	0x1dc37216, 0xe2250cbc, 0x3c498b28, 0x0d9541ff
+	data4	0xa8017139, 0x0cb3de08, 0xb4e49cd8, 0x56c19064
+	data4	0xcb84617b, 0x32b670d5, 0x6c5c7448, 0xb85742d0
+// Td4:
+	data4	0x52000000, 0x09000000, 0x6a000000, 0xd5000000
+	data4	0x30000000, 0x36000000, 0xa5000000, 0x38000000
+	data4	0xbf000000, 0x40000000, 0xa3000000, 0x9e000000
+	data4	0x81000000, 0xf3000000, 0xd7000000, 0xfb000000
+	data4	0x7c000000, 0xe3000000, 0x39000000, 0x82000000
+	data4	0x9b000000, 0x2f000000, 0xff000000, 0x87000000
+	data4	0x34000000, 0x8e000000, 0x43000000, 0x44000000
+	data4	0xc4000000, 0xde000000, 0xe9000000, 0xcb000000
+	data4	0x54000000, 0x7b000000, 0x94000000, 0x32000000
+	data4	0xa6000000, 0xc2000000, 0x23000000, 0x3d000000
+	data4	0xee000000, 0x4c000000, 0x95000000, 0x0b000000
+	data4	0x42000000, 0xfa000000, 0xc3000000, 0x4e000000
+	data4	0x08000000, 0x2e000000, 0xa1000000, 0x66000000
+	data4	0x28000000, 0xd9000000, 0x24000000, 0xb2000000
+	data4	0x76000000, 0x5b000000, 0xa2000000, 0x49000000
+	data4	0x6d000000, 0x8b000000, 0xd1000000, 0x25000000
+	data4	0x72000000, 0xf8000000, 0xf6000000, 0x64000000
+	data4	0x86000000, 0x68000000, 0x98000000, 0x16000000
+	data4	0xd4000000, 0xa4000000, 0x5c000000, 0xcc000000
+	data4	0x5d000000, 0x65000000, 0xb6000000, 0x92000000
+	data4	0x6c000000, 0x70000000, 0x48000000, 0x50000000
+	data4	0xfd000000, 0xed000000, 0xb9000000, 0xda000000
+	data4	0x5e000000, 0x15000000, 0x46000000, 0x57000000
+	data4	0xa7000000, 0x8d000000, 0x9d000000, 0x84000000
+	data4	0x90000000, 0xd8000000, 0xab000000, 0x00000000
+	data4	0x8c000000, 0xbc000000, 0xd3000000, 0x0a000000
+	data4	0xf7000000, 0xe4000000, 0x58000000, 0x05000000
+	data4	0xb8000000, 0xb3000000, 0x45000000, 0x06000000
+	data4	0xd0000000, 0x2c000000, 0x1e000000, 0x8f000000
+	data4	0xca000000, 0x3f000000, 0x0f000000, 0x02000000
+	data4	0xc1000000, 0xaf000000, 0xbd000000, 0x03000000
+	data4	0x01000000, 0x13000000, 0x8a000000, 0x6b000000
+	data4	0x3a000000, 0x91000000, 0x11000000, 0x41000000
+	data4	0x4f000000, 0x67000000, 0xdc000000, 0xea000000
+	data4	0x97000000, 0xf2000000, 0xcf000000, 0xce000000
+	data4	0xf0000000, 0xb4000000, 0xe6000000, 0x73000000
+	data4	0x96000000, 0xac000000, 0x74000000, 0x22000000
+	data4	0xe7000000, 0xad000000, 0x35000000, 0x85000000
+	data4	0xe2000000, 0xf9000000, 0x37000000, 0xe8000000
+	data4	0x1c000000, 0x75000000, 0xdf000000, 0x6e000000
+	data4	0x47000000, 0xf1000000, 0x1a000000, 0x71000000
+	data4	0x1d000000, 0x29000000, 0xc5000000, 0x89000000
+	data4	0x6f000000, 0xb7000000, 0x62000000, 0x0e000000
+	data4	0xaa000000, 0x18000000, 0xbe000000, 0x1b000000
+	data4	0xfc000000, 0x56000000, 0x3e000000, 0x4b000000
+	data4	0xc6000000, 0xd2000000, 0x79000000, 0x20000000
+	data4	0x9a000000, 0xdb000000, 0xc0000000, 0xfe000000
+	data4	0x78000000, 0xcd000000, 0x5a000000, 0xf4000000
+	data4	0x1f000000, 0xdd000000, 0xa8000000, 0x33000000
+	data4	0x88000000, 0x07000000, 0xc7000000, 0x31000000
+	data4	0xb1000000, 0x12000000, 0x10000000, 0x59000000
+	data4	0x27000000, 0x80000000, 0xec000000, 0x5f000000
+	data4	0x60000000, 0x51000000, 0x7f000000, 0xa9000000
+	data4	0x19000000, 0xb5000000, 0x4a000000, 0x0d000000
+	data4	0x2d000000, 0xe5000000, 0x7a000000, 0x9f000000
+	data4	0x93000000, 0xc9000000, 0x9c000000, 0xef000000
+	data4	0xa0000000, 0xe0000000, 0x3b000000, 0x4d000000
+	data4	0xae000000, 0x2a000000, 0xf5000000, 0xb0000000
+	data4	0xc8000000, 0xeb000000, 0xbb000000, 0x3c000000
+	data4	0x83000000, 0x53000000, 0x99000000, 0x61000000
+	data4	0x17000000, 0x2b000000, 0x04000000, 0x7e000000
+	data4	0xba000000, 0x77000000, 0xd6000000, 0x26000000
+	data4	0xe1000000, 0x69000000, 0x14000000, 0x63000000
+	data4	0x55000000, 0x21000000, 0x0c000000, 0x7d000000
+// Td5:
+	data4	0x00520000, 0x00090000, 0x006a0000, 0x00d50000
+	data4	0x00300000, 0x00360000, 0x00a50000, 0x00380000
+	data4	0x00bf0000, 0x00400000, 0x00a30000, 0x009e0000
+	data4	0x00810000, 0x00f30000, 0x00d70000, 0x00fb0000
+	data4	0x007c0000, 0x00e30000, 0x00390000, 0x00820000
+	data4	0x009b0000, 0x002f0000, 0x00ff0000, 0x00870000
+	data4	0x00340000, 0x008e0000, 0x00430000, 0x00440000
+	data4	0x00c40000, 0x00de0000, 0x00e90000, 0x00cb0000
+	data4	0x00540000, 0x007b0000, 0x00940000, 0x00320000
+	data4	0x00a60000, 0x00c20000, 0x00230000, 0x003d0000
+	data4	0x00ee0000, 0x004c0000, 0x00950000, 0x000b0000
+	data4	0x00420000, 0x00fa0000, 0x00c30000, 0x004e0000
+	data4	0x00080000, 0x002e0000, 0x00a10000, 0x00660000
+	data4	0x00280000, 0x00d90000, 0x00240000, 0x00b20000
+	data4	0x00760000, 0x005b0000, 0x00a20000, 0x00490000
+	data4	0x006d0000, 0x008b0000, 0x00d10000, 0x00250000
+	data4	0x00720000, 0x00f80000, 0x00f60000, 0x00640000
+	data4	0x00860000, 0x00680000, 0x00980000, 0x00160000
+	data4	0x00d40000, 0x00a40000, 0x005c0000, 0x00cc0000
+	data4	0x005d0000, 0x00650000, 0x00b60000, 0x00920000
+	data4	0x006c0000, 0x00700000, 0x00480000, 0x00500000
+	data4	0x00fd0000, 0x00ed0000, 0x00b90000, 0x00da0000
+	data4	0x005e0000, 0x00150000, 0x00460000, 0x00570000
+	data4	0x00a70000, 0x008d0000, 0x009d0000, 0x00840000
+	data4	0x00900000, 0x00d80000, 0x00ab0000, 0x00000000
+	data4	0x008c0000, 0x00bc0000, 0x00d30000, 0x000a0000
+	data4	0x00f70000, 0x00e40000, 0x00580000, 0x00050000
+	data4	0x00b80000, 0x00b30000, 0x00450000, 0x00060000
+	data4	0x00d00000, 0x002c0000, 0x001e0000, 0x008f0000
+	data4	0x00ca0000, 0x003f0000, 0x000f0000, 0x00020000
+	data4	0x00c10000, 0x00af0000, 0x00bd0000, 0x00030000
+	data4	0x00010000, 0x00130000, 0x008a0000, 0x006b0000
+	data4	0x003a0000, 0x00910000, 0x00110000, 0x00410000
+	data4	0x004f0000, 0x00670000, 0x00dc0000, 0x00ea0000
+	data4	0x00970000, 0x00f20000, 0x00cf0000, 0x00ce0000
+	data4	0x00f00000, 0x00b40000, 0x00e60000, 0x00730000
+	data4	0x00960000, 0x00ac0000, 0x00740000, 0x00220000
+	data4	0x00e70000, 0x00ad0000, 0x00350000, 0x00850000
+	data4	0x00e20000, 0x00f90000, 0x00370000, 0x00e80000
+	data4	0x001c0000, 0x00750000, 0x00df0000, 0x006e0000
+	data4	0x00470000, 0x00f10000, 0x001a0000, 0x00710000
+	data4	0x001d0000, 0x00290000, 0x00c50000, 0x00890000
+	data4	0x006f0000, 0x00b70000, 0x00620000, 0x000e0000
+	data4	0x00aa0000, 0x00180000, 0x00be0000, 0x001b0000
+	data4	0x00fc0000, 0x00560000, 0x003e0000, 0x004b0000
+	data4	0x00c60000, 0x00d20000, 0x00790000, 0x00200000
+	data4	0x009a0000, 0x00db0000, 0x00c00000, 0x00fe0000
+	data4	0x00780000, 0x00cd0000, 0x005a0000, 0x00f40000
+	data4	0x001f0000, 0x00dd0000, 0x00a80000, 0x00330000
+	data4	0x00880000, 0x00070000, 0x00c70000, 0x00310000
+	data4	0x00b10000, 0x00120000, 0x00100000, 0x00590000
+	data4	0x00270000, 0x00800000, 0x00ec0000, 0x005f0000
+	data4	0x00600000, 0x00510000, 0x007f0000, 0x00a90000
+	data4	0x00190000, 0x00b50000, 0x004a0000, 0x000d0000
+	data4	0x002d0000, 0x00e50000, 0x007a0000, 0x009f0000
+	data4	0x00930000, 0x00c90000, 0x009c0000, 0x00ef0000
+	data4	0x00a00000, 0x00e00000, 0x003b0000, 0x004d0000
+	data4	0x00ae0000, 0x002a0000, 0x00f50000, 0x00b00000
+	data4	0x00c80000, 0x00eb0000, 0x00bb0000, 0x003c0000
+	data4	0x00830000, 0x00530000, 0x00990000, 0x00610000
+	data4	0x00170000, 0x002b0000, 0x00040000, 0x007e0000
+	data4	0x00ba0000, 0x00770000, 0x00d60000, 0x00260000
+	data4	0x00e10000, 0x00690000, 0x00140000, 0x00630000
+	data4	0x00550000, 0x00210000, 0x000c0000, 0x007d0000
+// Td6:
+	data4	0x00005200, 0x00000900, 0x00006a00, 0x0000d500
+	data4	0x00003000, 0x00003600, 0x0000a500, 0x00003800
+	data4	0x0000bf00, 0x00004000, 0x0000a300, 0x00009e00
+	data4	0x00008100, 0x0000f300, 0x0000d700, 0x0000fb00
+	data4	0x00007c00, 0x0000e300, 0x00003900, 0x00008200
+	data4	0x00009b00, 0x00002f00, 0x0000ff00, 0x00008700
+	data4	0x00003400, 0x00008e00, 0x00004300, 0x00004400
+	data4	0x0000c400, 0x0000de00, 0x0000e900, 0x0000cb00
+	data4	0x00005400, 0x00007b00, 0x00009400, 0x00003200
+	data4	0x0000a600, 0x0000c200, 0x00002300, 0x00003d00
+	data4	0x0000ee00, 0x00004c00, 0x00009500, 0x00000b00
+	data4	0x00004200, 0x0000fa00, 0x0000c300, 0x00004e00
+	data4	0x00000800, 0x00002e00, 0x0000a100, 0x00006600
+	data4	0x00002800, 0x0000d900, 0x00002400, 0x0000b200
+	data4	0x00007600, 0x00005b00, 0x0000a200, 0x00004900
+	data4	0x00006d00, 0x00008b00, 0x0000d100, 0x00002500
+	data4	0x00007200, 0x0000f800, 0x0000f600, 0x00006400
+	data4	0x00008600, 0x00006800, 0x00009800, 0x00001600
+	data4	0x0000d400, 0x0000a400, 0x00005c00, 0x0000cc00
+	data4	0x00005d00, 0x00006500, 0x0000b600, 0x00009200
+	data4	0x00006c00, 0x00007000, 0x00004800, 0x00005000
+	data4	0x0000fd00, 0x0000ed00, 0x0000b900, 0x0000da00
+	data4	0x00005e00, 0x00001500, 0x00004600, 0x00005700
+	data4	0x0000a700, 0x00008d00, 0x00009d00, 0x00008400
+	data4	0x00009000, 0x0000d800, 0x0000ab00, 0x00000000
+	data4	0x00008c00, 0x0000bc00, 0x0000d300, 0x00000a00
+	data4	0x0000f700, 0x0000e400, 0x00005800, 0x00000500
+	data4	0x0000b800, 0x0000b300, 0x00004500, 0x00000600
+	data4	0x0000d000, 0x00002c00, 0x00001e00, 0x00008f00
+	data4	0x0000ca00, 0x00003f00, 0x00000f00, 0x00000200
+	data4	0x0000c100, 0x0000af00, 0x0000bd00, 0x00000300
+	data4	0x00000100, 0x00001300, 0x00008a00, 0x00006b00
+	data4	0x00003a00, 0x00009100, 0x00001100, 0x00004100
+	data4	0x00004f00, 0x00006700, 0x0000dc00, 0x0000ea00
+	data4	0x00009700, 0x0000f200, 0x0000cf00, 0x0000ce00
+	data4	0x0000f000, 0x0000b400, 0x0000e600, 0x00007300
+	data4	0x00009600, 0x0000ac00, 0x00007400, 0x00002200
+	data4	0x0000e700, 0x0000ad00, 0x00003500, 0x00008500
+	data4	0x0000e200, 0x0000f900, 0x00003700, 0x0000e800
+	data4	0x00001c00, 0x00007500, 0x0000df00, 0x00006e00
+	data4	0x00004700, 0x0000f100, 0x00001a00, 0x00007100
+	data4	0x00001d00, 0x00002900, 0x0000c500, 0x00008900
+	data4	0x00006f00, 0x0000b700, 0x00006200, 0x00000e00
+	data4	0x0000aa00, 0x00001800, 0x0000be00, 0x00001b00
+	data4	0x0000fc00, 0x00005600, 0x00003e00, 0x00004b00
+	data4	0x0000c600, 0x0000d200, 0x00007900, 0x00002000
+	data4	0x00009a00, 0x0000db00, 0x0000c000, 0x0000fe00
+	data4	0x00007800, 0x0000cd00, 0x00005a00, 0x0000f400
+	data4	0x00001f00, 0x0000dd00, 0x0000a800, 0x00003300
+	data4	0x00008800, 0x00000700, 0x0000c700, 0x00003100
+	data4	0x0000b100, 0x00001200, 0x00001000, 0x00005900
+	data4	0x00002700, 0x00008000, 0x0000ec00, 0x00005f00
+	data4	0x00006000, 0x00005100, 0x00007f00, 0x0000a900
+	data4	0x00001900, 0x0000b500, 0x00004a00, 0x00000d00
+	data4	0x00002d00, 0x0000e500, 0x00007a00, 0x00009f00
+	data4	0x00009300, 0x0000c900, 0x00009c00, 0x0000ef00
+	data4	0x0000a000, 0x0000e000, 0x00003b00, 0x00004d00
+	data4	0x0000ae00, 0x00002a00, 0x0000f500, 0x0000b000
+	data4	0x0000c800, 0x0000eb00, 0x0000bb00, 0x00003c00
+	data4	0x00008300, 0x00005300, 0x00009900, 0x00006100
+	data4	0x00001700, 0x00002b00, 0x00000400, 0x00007e00
+	data4	0x0000ba00, 0x00007700, 0x0000d600, 0x00002600
+	data4	0x0000e100, 0x00006900, 0x00001400, 0x00006300
+	data4	0x00005500, 0x00002100, 0x00000c00, 0x00007d00
+// Td7:
+	data4	0x00000052, 0x00000009, 0x0000006a, 0x000000d5
+	data4	0x00000030, 0x00000036, 0x000000a5, 0x00000038
+	data4	0x000000bf, 0x00000040, 0x000000a3, 0x0000009e
+	data4	0x00000081, 0x000000f3, 0x000000d7, 0x000000fb
+	data4	0x0000007c, 0x000000e3, 0x00000039, 0x00000082
+	data4	0x0000009b, 0x0000002f, 0x000000ff, 0x00000087
+	data4	0x00000034, 0x0000008e, 0x00000043, 0x00000044
+	data4	0x000000c4, 0x000000de, 0x000000e9, 0x000000cb
+	data4	0x00000054, 0x0000007b, 0x00000094, 0x00000032
+	data4	0x000000a6, 0x000000c2, 0x00000023, 0x0000003d
+	data4	0x000000ee, 0x0000004c, 0x00000095, 0x0000000b
+	data4	0x00000042, 0x000000fa, 0x000000c3, 0x0000004e
+	data4	0x00000008, 0x0000002e, 0x000000a1, 0x00000066
+	data4	0x00000028, 0x000000d9, 0x00000024, 0x000000b2
+	data4	0x00000076, 0x0000005b, 0x000000a2, 0x00000049
+	data4	0x0000006d, 0x0000008b, 0x000000d1, 0x00000025
+	data4	0x00000072, 0x000000f8, 0x000000f6, 0x00000064
+	data4	0x00000086, 0x00000068, 0x00000098, 0x00000016
+	data4	0x000000d4, 0x000000a4, 0x0000005c, 0x000000cc
+	data4	0x0000005d, 0x00000065, 0x000000b6, 0x00000092
+	data4	0x0000006c, 0x00000070, 0x00000048, 0x00000050
+	data4	0x000000fd, 0x000000ed, 0x000000b9, 0x000000da
+	data4	0x0000005e, 0x00000015, 0x00000046, 0x00000057
+	data4	0x000000a7, 0x0000008d, 0x0000009d, 0x00000084
+	data4	0x00000090, 0x000000d8, 0x000000ab, 0x00000000
+	data4	0x0000008c, 0x000000bc, 0x000000d3, 0x0000000a
+	data4	0x000000f7, 0x000000e4, 0x00000058, 0x00000005
+	data4	0x000000b8, 0x000000b3, 0x00000045, 0x00000006
+	data4	0x000000d0, 0x0000002c, 0x0000001e, 0x0000008f
+	data4	0x000000ca, 0x0000003f, 0x0000000f, 0x00000002
+	data4	0x000000c1, 0x000000af, 0x000000bd, 0x00000003
+	data4	0x00000001, 0x00000013, 0x0000008a, 0x0000006b
+	data4	0x0000003a, 0x00000091, 0x00000011, 0x00000041
+	data4	0x0000004f, 0x00000067, 0x000000dc, 0x000000ea
+	data4	0x00000097, 0x000000f2, 0x000000cf, 0x000000ce
+	data4	0x000000f0, 0x000000b4, 0x000000e6, 0x00000073
+	data4	0x00000096, 0x000000ac, 0x00000074, 0x00000022
+	data4	0x000000e7, 0x000000ad, 0x00000035, 0x00000085
+	data4	0x000000e2, 0x000000f9, 0x00000037, 0x000000e8
+	data4	0x0000001c, 0x00000075, 0x000000df, 0x0000006e
+	data4	0x00000047, 0x000000f1, 0x0000001a, 0x00000071
+	data4	0x0000001d, 0x00000029, 0x000000c5, 0x00000089
+	data4	0x0000006f, 0x000000b7, 0x00000062, 0x0000000e
+	data4	0x000000aa, 0x00000018, 0x000000be, 0x0000001b
+	data4	0x000000fc, 0x00000056, 0x0000003e, 0x0000004b
+	data4	0x000000c6, 0x000000d2, 0x00000079, 0x00000020
+	data4	0x0000009a, 0x000000db, 0x000000c0, 0x000000fe
+	data4	0x00000078, 0x000000cd, 0x0000005a, 0x000000f4
+	data4	0x0000001f, 0x000000dd, 0x000000a8, 0x00000033
+	data4	0x00000088, 0x00000007, 0x000000c7, 0x00000031
+	data4	0x000000b1, 0x00000012, 0x00000010, 0x00000059
+	data4	0x00000027, 0x00000080, 0x000000ec, 0x0000005f
+	data4	0x00000060, 0x00000051, 0x0000007f, 0x000000a9
+	data4	0x00000019, 0x000000b5, 0x0000004a, 0x0000000d
+	data4	0x0000002d, 0x000000e5, 0x0000007a, 0x0000009f
+	data4	0x00000093, 0x000000c9, 0x0000009c, 0x000000ef
+	data4	0x000000a0, 0x000000e0, 0x0000003b, 0x0000004d
+	data4	0x000000ae, 0x0000002a, 0x000000f5, 0x000000b0
+	data4	0x000000c8, 0x000000eb, 0x000000bb, 0x0000003c
+	data4	0x00000083, 0x00000053, 0x00000099, 0x00000061
+	data4	0x00000017, 0x0000002b, 0x00000004, 0x0000007e
+	data4	0x000000ba, 0x00000077, 0x000000d6, 0x00000026
+	data4	0x000000e1, 0x00000069, 0x00000014, 0x00000063
+	data4	0x00000055, 0x00000021, 0x0000000c, 0x0000007d
+.size	AES_Td#,8*256*4	// HP-UX assembler fails to ".-AES_Td#"
diff --git a/crypto/openssl/crypto/asn1/Makefile b/crypto/openssl/crypto/asn1/Makefile
index 61145cba5aa7..f67c5ebd711a 100644
--- a/crypto/openssl/crypto/asn1/Makefile
+++ b/crypto/openssl/crypto/asn1/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/asn1/Makefile
+# OpenSSL/crypto/asn1/Makefile
 #
 
 DIR=	asn1
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -32,7 +27,7 @@ LIBSRC=	a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \
 	tasn_new.c tasn_fre.c tasn_enc.c tasn_dec.c tasn_utl.c tasn_typ.c \
 	f_int.c f_string.c n_pkey.c \
 	f_enum.c a_hdr.c x_pkey.c a_bool.c x_exten.c \
-	asn1_par.c asn1_lib.c asn1_err.c a_meth.c a_bytes.c a_strnid.c \
+	asn1_gen.c asn1_par.c asn1_lib.c asn1_err.c a_meth.c a_bytes.c a_strnid.c \
 	evp_asn1.c asn_pack.c p5_pbe.c p5_pbev2.c p8_pkey.c asn_moid.c
 LIBOBJ= a_object.o a_bitstr.o a_utctm.o a_gentm.o a_time.o a_int.o a_octet.o \
 	a_print.o a_type.o a_set.o a_dup.o a_d2i_fp.o a_i2d_fp.o \
@@ -44,7 +39,7 @@ LIBOBJ= a_object.o a_bitstr.o a_utctm.o a_gentm.o a_time.o a_int.o a_octet.o \
 	tasn_new.o tasn_fre.o tasn_enc.o tasn_dec.o tasn_utl.o tasn_typ.o \
 	f_int.o f_string.o n_pkey.o \
 	f_enum.o a_hdr.o x_pkey.o a_bool.o x_exten.o \
-	asn1_par.o asn1_lib.o asn1_err.o a_meth.o a_bytes.o a_strnid.o \
+	asn1_gen.o asn1_par.o asn1_lib.o asn1_err.o a_meth.o a_bytes.o a_strnid.o \
 	evp_asn1.o asn_pack.o p5_pbe.o p5_pbev2.o p8_pkey.o asn_moid.o
 
 SRC= $(LIBSRC)
@@ -81,7 +76,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -96,6 +92,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by top Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -109,69 +106,57 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 a_bitstr.o: ../../e_os.h ../../include/openssl/asn1.h
-a_bitstr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_bitstr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_bitstr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_bitstr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+a_bitstr.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+a_bitstr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_bitstr.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_bitstr.o: ../../include/openssl/opensslconf.h
 a_bitstr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 a_bitstr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 a_bitstr.o: ../../include/openssl/symhacks.h ../cryptlib.h a_bitstr.c
 a_bool.o: ../../e_os.h ../../include/openssl/asn1.h
 a_bool.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-a_bool.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_bool.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-a_bool.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-a_bool.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_bool.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-a_bool.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_bool.o: ../cryptlib.h a_bool.c
+a_bool.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_bool.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_bool.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+a_bool.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_bool.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_bool.o: ../../include/openssl/symhacks.h ../cryptlib.h a_bool.c
 a_bytes.o: ../../e_os.h ../../include/openssl/asn1.h
-a_bytes.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_bytes.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_bytes.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_bytes.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_bytes.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-a_bytes.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-a_bytes.o: ../../include/openssl/symhacks.h ../cryptlib.h a_bytes.c
+a_bytes.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+a_bytes.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_bytes.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_bytes.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_bytes.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+a_bytes.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_bytes.o: ../cryptlib.h a_bytes.c
 a_d2i_fp.o: ../../e_os.h ../../include/openssl/asn1.h
 a_d2i_fp.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
-a_d2i_fp.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_d2i_fp.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-a_d2i_fp.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-a_d2i_fp.o: ../../include/openssl/opensslconf.h
+a_d2i_fp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_d2i_fp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_d2i_fp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 a_d2i_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 a_d2i_fp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 a_d2i_fp.o: ../../include/openssl/symhacks.h ../cryptlib.h a_d2i_fp.c
-a_digest.o: ../../e_os.h ../../include/openssl/aes.h
-a_digest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_digest.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-a_digest.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-a_digest.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-a_digest.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-a_digest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-a_digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-a_digest.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-a_digest.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-a_digest.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+a_digest.o: ../../e_os.h ../../include/openssl/asn1.h
+a_digest.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+a_digest.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_digest.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+a_digest.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+a_digest.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 a_digest.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 a_digest.o: ../../include/openssl/opensslconf.h
 a_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-a_digest.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-a_digest.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-a_digest.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-a_digest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-a_digest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_digest.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-a_digest.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-a_digest.o: ../cryptlib.h a_digest.c
+a_digest.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+a_digest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+a_digest.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+a_digest.o: ../../include/openssl/x509_vfy.h ../cryptlib.h a_digest.c
 a_dup.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_dup.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_dup.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-a_dup.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-a_dup.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_dup.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-a_dup.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_dup.o: ../cryptlib.h a_dup.c
+a_dup.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_dup.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_dup.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+a_dup.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_dup.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_dup.o: ../../include/openssl/symhacks.h ../cryptlib.h a_dup.c
 a_enum.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 a_enum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 a_enum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
@@ -181,27 +166,26 @@ a_enum.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 a_enum.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 a_enum.o: ../cryptlib.h a_enum.c
 a_gentm.o: ../../e_os.h ../../include/openssl/asn1.h
-a_gentm.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_gentm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_gentm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_gentm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_gentm.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-a_gentm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-a_gentm.o: ../../include/openssl/symhacks.h ../cryptlib.h ../o_time.h a_gentm.c
+a_gentm.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+a_gentm.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_gentm.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_gentm.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_gentm.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+a_gentm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_gentm.o: ../cryptlib.h ../o_time.h a_gentm.c
 a_hdr.o: ../../e_os.h ../../include/openssl/asn1.h
 a_hdr.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
-a_hdr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_hdr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-a_hdr.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-a_hdr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_hdr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-a_hdr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_hdr.o: ../cryptlib.h a_hdr.c
+a_hdr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_hdr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_hdr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+a_hdr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_hdr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_hdr.o: ../../include/openssl/symhacks.h ../cryptlib.h a_hdr.c
 a_i2d_fp.o: ../../e_os.h ../../include/openssl/asn1.h
-a_i2d_fp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_i2d_fp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_i2d_fp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_i2d_fp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+a_i2d_fp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+a_i2d_fp.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_i2d_fp.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_i2d_fp.o: ../../include/openssl/opensslconf.h
 a_i2d_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 a_i2d_fp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 a_i2d_fp.o: ../../include/openssl/symhacks.h ../cryptlib.h a_i2d_fp.c
@@ -214,667 +198,501 @@ a_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 a_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 a_int.o: ../cryptlib.h a_int.c
 a_mbstr.o: ../../e_os.h ../../include/openssl/asn1.h
-a_mbstr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_mbstr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_mbstr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_mbstr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_mbstr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-a_mbstr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-a_mbstr.o: ../../include/openssl/symhacks.h ../cryptlib.h a_mbstr.c
+a_mbstr.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+a_mbstr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_mbstr.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_mbstr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_mbstr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+a_mbstr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_mbstr.o: ../cryptlib.h a_mbstr.c
 a_meth.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_meth.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_meth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-a_meth.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-a_meth.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_meth.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-a_meth.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_meth.o: ../cryptlib.h a_meth.c
+a_meth.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_meth.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_meth.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+a_meth.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_meth.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_meth.o: ../../include/openssl/symhacks.h ../cryptlib.h a_meth.c
 a_object.o: ../../e_os.h ../../include/openssl/asn1.h
-a_object.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_object.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_object.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_object.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-a_object.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_object.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+a_object.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_object.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_object.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+a_object.o: ../../include/openssl/opensslconf.h
 a_object.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 a_object.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 a_object.o: ../../include/openssl/symhacks.h ../cryptlib.h a_object.c
 a_octet.o: ../../e_os.h ../../include/openssl/asn1.h
-a_octet.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_octet.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_octet.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_octet.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_octet.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-a_octet.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-a_octet.o: ../../include/openssl/symhacks.h ../cryptlib.h a_octet.c
+a_octet.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+a_octet.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_octet.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_octet.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_octet.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+a_octet.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_octet.o: ../cryptlib.h a_octet.c
 a_print.o: ../../e_os.h ../../include/openssl/asn1.h
-a_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_print.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-a_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-a_print.o: ../../include/openssl/symhacks.h ../cryptlib.h a_print.c
+a_print.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+a_print.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_print.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_print.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_print.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+a_print.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_print.o: ../cryptlib.h a_print.c
 a_set.o: ../../e_os.h ../../include/openssl/asn1.h
 a_set.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
-a_set.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_set.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-a_set.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-a_set.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_set.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-a_set.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_set.o: ../cryptlib.h a_set.c
-a_sign.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-a_sign.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+a_set.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_set.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_set.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+a_set.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_set.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_set.o: ../../include/openssl/symhacks.h ../cryptlib.h a_set.c
+a_sign.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 a_sign.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_sign.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-a_sign.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-a_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-a_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_sign.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-a_sign.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-a_sign.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-a_sign.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-a_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-a_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-a_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-a_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-a_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+a_sign.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_sign.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+a_sign.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+a_sign.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+a_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+a_sign.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_sign.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 a_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 a_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 a_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 a_sign.o: ../cryptlib.h a_sign.c
-a_strex.o: ../../e_os.h ../../include/openssl/aes.h
-a_strex.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_strex.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-a_strex.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-a_strex.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-a_strex.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-a_strex.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-a_strex.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-a_strex.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-a_strex.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-a_strex.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+a_strex.o: ../../e_os.h ../../include/openssl/asn1.h
+a_strex.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+a_strex.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_strex.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+a_strex.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+a_strex.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 a_strex.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 a_strex.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 a_strex.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-a_strex.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-a_strex.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-a_strex.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-a_strex.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-a_strex.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-a_strex.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-a_strex.o: ../../include/openssl/x509_vfy.h ../cryptlib.h a_strex.c charmap.h
+a_strex.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+a_strex.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_strex.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+a_strex.o: ../cryptlib.h a_strex.c charmap.h
 a_strnid.o: ../../e_os.h ../../include/openssl/asn1.h
-a_strnid.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_strnid.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_strnid.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_strnid.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-a_strnid.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_strnid.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+a_strnid.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_strnid.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_strnid.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+a_strnid.o: ../../include/openssl/opensslconf.h
 a_strnid.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 a_strnid.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 a_strnid.o: ../../include/openssl/symhacks.h ../cryptlib.h a_strnid.c
 a_time.o: ../../e_os.h ../../include/openssl/asn1.h
 a_time.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-a_time.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_time.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-a_time.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-a_time.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_time.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-a_time.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_time.o: ../cryptlib.h ../o_time.h a_time.c
+a_time.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_time.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_time.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+a_time.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_time.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_time.o: ../../include/openssl/symhacks.h ../cryptlib.h ../o_time.h a_time.c
 a_type.o: ../../e_os.h ../../include/openssl/asn1.h
 a_type.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-a_type.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_type.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-a_type.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-a_type.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_type.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-a_type.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_type.o: ../cryptlib.h a_type.c
+a_type.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_type.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_type.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+a_type.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_type.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_type.o: ../../include/openssl/symhacks.h ../cryptlib.h a_type.c
 a_utctm.o: ../../e_os.h ../../include/openssl/asn1.h
-a_utctm.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_utctm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_utctm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_utctm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_utctm.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-a_utctm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-a_utctm.o: ../../include/openssl/symhacks.h ../cryptlib.h ../o_time.h a_utctm.c
+a_utctm.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+a_utctm.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_utctm.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_utctm.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_utctm.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+a_utctm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_utctm.o: ../cryptlib.h ../o_time.h a_utctm.c
 a_utf8.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_utf8.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_utf8.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-a_utf8.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-a_utf8.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_utf8.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-a_utf8.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_utf8.o: ../cryptlib.h a_utf8.c
-a_verify.o: ../../e_os.h ../../include/openssl/aes.h
-a_verify.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_verify.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-a_verify.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-a_verify.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-a_verify.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-a_verify.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+a_utf8.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_utf8.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_utf8.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+a_utf8.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_utf8.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_utf8.o: ../../include/openssl/symhacks.h ../cryptlib.h a_utf8.c
+a_verify.o: ../../e_os.h ../../include/openssl/asn1.h
+a_verify.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_verify.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+a_verify.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+a_verify.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 a_verify.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-a_verify.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-a_verify.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-a_verify.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-a_verify.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-a_verify.o: ../../include/openssl/opensslconf.h
+a_verify.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+a_verify.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 a_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-a_verify.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-a_verify.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-a_verify.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-a_verify.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-a_verify.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_verify.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-a_verify.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-a_verify.o: ../cryptlib.h a_verify.c
+a_verify.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+a_verify.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+a_verify.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+a_verify.o: ../../include/openssl/x509_vfy.h ../cryptlib.h a_verify.c
 asn1_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-asn1_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-asn1_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-asn1_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+asn1_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+asn1_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+asn1_err.o: ../../include/openssl/opensslconf.h
 asn1_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 asn1_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 asn1_err.o: ../../include/openssl/symhacks.h asn1_err.c
+asn1_gen.o: ../../e_os.h ../../include/openssl/asn1.h
+asn1_gen.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+asn1_gen.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+asn1_gen.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+asn1_gen.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+asn1_gen.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+asn1_gen.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+asn1_gen.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+asn1_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+asn1_gen.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+asn1_gen.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+asn1_gen.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+asn1_gen.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+asn1_gen.o: ../cryptlib.h asn1_gen.c
 asn1_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 asn1_lib.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
-asn1_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-asn1_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-asn1_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-asn1_lib.o: ../../include/openssl/opensslconf.h
+asn1_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+asn1_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+asn1_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 asn1_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 asn1_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 asn1_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h asn1_lib.c
 asn1_par.o: ../../e_os.h ../../include/openssl/asn1.h
-asn1_par.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-asn1_par.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-asn1_par.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-asn1_par.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-asn1_par.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+asn1_par.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+asn1_par.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+asn1_par.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+asn1_par.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+asn1_par.o: ../../include/openssl/opensslconf.h
 asn1_par.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 asn1_par.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 asn1_par.o: ../../include/openssl/symhacks.h ../cryptlib.h asn1_par.c
-asn_moid.o: ../../e_os.h ../../include/openssl/aes.h
-asn_moid.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-asn_moid.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-asn_moid.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+asn_moid.o: ../../e_os.h ../../include/openssl/asn1.h
+asn_moid.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 asn_moid.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-asn_moid.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-asn_moid.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 asn_moid.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-asn_moid.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-asn_moid.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-asn_moid.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-asn_moid.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+asn_moid.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+asn_moid.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+asn_moid.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 asn_moid.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 asn_moid.o: ../../include/openssl/opensslconf.h
 asn_moid.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-asn_moid.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-asn_moid.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-asn_moid.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-asn_moid.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-asn_moid.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-asn_moid.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-asn_moid.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-asn_moid.o: ../cryptlib.h asn_moid.c
+asn_moid.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+asn_moid.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+asn_moid.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+asn_moid.o: ../../include/openssl/x509_vfy.h ../cryptlib.h asn_moid.c
 asn_pack.o: ../../e_os.h ../../include/openssl/asn1.h
-asn_pack.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-asn_pack.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-asn_pack.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-asn_pack.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+asn_pack.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+asn_pack.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+asn_pack.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+asn_pack.o: ../../include/openssl/opensslconf.h
 asn_pack.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 asn_pack.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 asn_pack.o: ../../include/openssl/symhacks.h ../cryptlib.h asn_pack.c
-d2i_pr.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-d2i_pr.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+d2i_pr.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 d2i_pr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-d2i_pr.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-d2i_pr.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-d2i_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-d2i_pr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-d2i_pr.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-d2i_pr.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-d2i_pr.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-d2i_pr.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+d2i_pr.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
+d2i_pr.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+d2i_pr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+d2i_pr.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 d2i_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 d2i_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-d2i_pr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-d2i_pr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 d2i_pr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-d2i_pr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-d2i_pr.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-d2i_pr.o: ../../include/openssl/ui_compat.h ../cryptlib.h d2i_pr.c
-d2i_pu.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-d2i_pu.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+d2i_pr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+d2i_pr.o: ../cryptlib.h d2i_pr.c
+d2i_pu.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 d2i_pu.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-d2i_pu.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-d2i_pu.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-d2i_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-d2i_pu.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-d2i_pu.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-d2i_pu.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-d2i_pu.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-d2i_pu.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+d2i_pu.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
+d2i_pu.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+d2i_pu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+d2i_pu.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 d2i_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 d2i_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-d2i_pu.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-d2i_pu.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 d2i_pu.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-d2i_pu.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-d2i_pu.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-d2i_pu.o: ../../include/openssl/ui_compat.h ../cryptlib.h d2i_pu.c
+d2i_pu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+d2i_pu.o: ../cryptlib.h d2i_pu.c
 evp_asn1.o: ../../e_os.h ../../include/openssl/asn1.h
 evp_asn1.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
-evp_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-evp_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-evp_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-evp_asn1.o: ../../include/openssl/opensslconf.h
+evp_asn1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+evp_asn1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+evp_asn1.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 evp_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 evp_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 evp_asn1.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_asn1.c
 f_enum.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-f_enum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-f_enum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-f_enum.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-f_enum.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-f_enum.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-f_enum.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-f_enum.o: ../cryptlib.h f_enum.c
+f_enum.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+f_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+f_enum.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+f_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+f_enum.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+f_enum.o: ../../include/openssl/symhacks.h ../cryptlib.h f_enum.c
 f_int.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-f_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-f_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-f_int.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-f_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-f_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-f_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-f_int.o: ../cryptlib.h f_int.c
+f_int.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+f_int.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+f_int.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+f_int.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+f_int.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+f_int.o: ../../include/openssl/symhacks.h ../cryptlib.h f_int.c
 f_string.o: ../../e_os.h ../../include/openssl/asn1.h
-f_string.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-f_string.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-f_string.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-f_string.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+f_string.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+f_string.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+f_string.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+f_string.o: ../../include/openssl/opensslconf.h
 f_string.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 f_string.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 f_string.o: ../../include/openssl/symhacks.h ../cryptlib.h f_string.c
-i2d_pr.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-i2d_pr.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+i2d_pr.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 i2d_pr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-i2d_pr.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-i2d_pr.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-i2d_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-i2d_pr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-i2d_pr.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-i2d_pr.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-i2d_pr.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-i2d_pr.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+i2d_pr.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
+i2d_pr.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+i2d_pr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+i2d_pr.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 i2d_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 i2d_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-i2d_pr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-i2d_pr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 i2d_pr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-i2d_pr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-i2d_pr.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-i2d_pr.o: ../../include/openssl/ui_compat.h ../cryptlib.h i2d_pr.c
-i2d_pu.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-i2d_pu.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+i2d_pr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+i2d_pr.o: ../cryptlib.h i2d_pr.c
+i2d_pu.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 i2d_pu.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-i2d_pu.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-i2d_pu.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-i2d_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-i2d_pu.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-i2d_pu.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-i2d_pu.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-i2d_pu.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-i2d_pu.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+i2d_pu.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
+i2d_pu.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+i2d_pu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+i2d_pu.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 i2d_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 i2d_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-i2d_pu.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-i2d_pu.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 i2d_pu.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-i2d_pu.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-i2d_pu.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-i2d_pu.o: ../../include/openssl/ui_compat.h ../cryptlib.h i2d_pu.c
-n_pkey.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+i2d_pu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+i2d_pu.o: ../cryptlib.h i2d_pu.c
+n_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
 n_pkey.o: ../../include/openssl/asn1_mac.h ../../include/openssl/asn1t.h
-n_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-n_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-n_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-n_pkey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-n_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-n_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-n_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-n_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-n_pkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-n_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-n_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-n_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-n_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-n_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-n_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-n_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-n_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-n_pkey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-n_pkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-n_pkey.o: ../cryptlib.h n_pkey.c
-nsseq.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-nsseq.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-nsseq.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-nsseq.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-nsseq.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-nsseq.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-nsseq.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-nsseq.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-nsseq.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-nsseq.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-nsseq.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+n_pkey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+n_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+n_pkey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+n_pkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+n_pkey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+n_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+n_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+n_pkey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+n_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+n_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+n_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+n_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h n_pkey.c
+nsseq.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+nsseq.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+nsseq.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+nsseq.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+nsseq.o: ../../include/openssl/ecdsa.h ../../include/openssl/evp.h
+nsseq.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 nsseq.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 nsseq.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-nsseq.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-nsseq.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-nsseq.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-nsseq.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-nsseq.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-nsseq.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-nsseq.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h nsseq.c
-p5_pbe.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+nsseq.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+nsseq.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+nsseq.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+nsseq.o: ../../include/openssl/x509_vfy.h nsseq.c
+p5_pbe.o: ../../e_os.h ../../include/openssl/asn1.h
 p5_pbe.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-p5_pbe.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p5_pbe.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p5_pbe.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p5_pbe.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p5_pbe.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+p5_pbe.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+p5_pbe.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+p5_pbe.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 p5_pbe.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p5_pbe.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p5_pbe.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p5_pbe.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-p5_pbe.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-p5_pbe.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-p5_pbe.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-p5_pbe.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-p5_pbe.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p5_pbe.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p5_pbe.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+p5_pbe.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p5_pbe.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p5_pbe.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
 p5_pbe.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 p5_pbe.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p5_pbe.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 p5_pbe.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 p5_pbe.o: ../cryptlib.h p5_pbe.c
-p5_pbev2.o: ../../e_os.h ../../include/openssl/aes.h
-p5_pbev2.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-p5_pbev2.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p5_pbev2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p5_pbev2.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p5_pbev2.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-p5_pbev2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p5_pbev2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p5_pbev2.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p5_pbev2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p5_pbev2.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p5_pbev2.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p5_pbev2.o: ../../e_os.h ../../include/openssl/asn1.h
+p5_pbev2.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+p5_pbev2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+p5_pbev2.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+p5_pbev2.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+p5_pbev2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p5_pbev2.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p5_pbev2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 p5_pbev2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p5_pbev2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-p5_pbev2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p5_pbev2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p5_pbev2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p5_pbev2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p5_pbev2.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-p5_pbev2.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-p5_pbev2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p5_pbev2.c
-p8_pkey.o: ../../e_os.h ../../include/openssl/aes.h
-p8_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-p8_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p8_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p8_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p8_pkey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-p8_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p8_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p8_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p8_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p8_pkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p8_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p5_pbev2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p5_pbev2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p5_pbev2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p5_pbev2.o: ../cryptlib.h p5_pbev2.c
+p8_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
+p8_pkey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+p8_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+p8_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+p8_pkey.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+p8_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p8_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p8_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 p8_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-p8_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p8_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p8_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p8_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p8_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p8_pkey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-p8_pkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p8_pkey.o: ../cryptlib.h p8_pkey.c
-t_bitst.o: ../../e_os.h ../../include/openssl/aes.h
-t_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-t_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-t_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+p8_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+p8_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p8_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p8_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p8_pkey.c
+t_bitst.o: ../../e_os.h ../../include/openssl/asn1.h
+t_bitst.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 t_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-t_bitst.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-t_bitst.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-t_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-t_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-t_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-t_bitst.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-t_bitst.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+t_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+t_bitst.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+t_bitst.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+t_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 t_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 t_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-t_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-t_bitst.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-t_bitst.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-t_bitst.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-t_bitst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-t_bitst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-t_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-t_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h t_bitst.c
-t_crl.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-t_crl.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+t_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_bitst.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+t_bitst.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+t_bitst.o: ../cryptlib.h t_bitst.c
+t_crl.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 t_crl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-t_crl.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-t_crl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-t_crl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-t_crl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+t_crl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_crl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+t_crl.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 t_crl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-t_crl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-t_crl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-t_crl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-t_crl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-t_crl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-t_crl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-t_crl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-t_crl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-t_crl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_crl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+t_crl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_crl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+t_crl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 t_crl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-t_crl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-t_crl.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+t_crl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 t_crl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
 t_crl.o: ../cryptlib.h t_crl.c
 t_pkey.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 t_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 t_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
 t_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-t_pkey.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-t_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-t_pkey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
-t_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-t_pkey.o: ../../include/openssl/symhacks.h ../cryptlib.h t_pkey.c
-t_req.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-t_req.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_pkey.o: ../../include/openssl/ec.h ../../include/openssl/err.h
+t_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+t_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+t_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+t_pkey.o: ../cryptlib.h t_pkey.c
+t_req.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 t_req.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-t_req.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-t_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-t_req.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+t_req.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 t_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-t_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-t_req.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-t_req.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-t_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_req.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+t_req.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+t_req.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 t_req.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 t_req.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 t_req.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-t_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-t_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 t_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 t_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-t_req.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-t_req.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+t_req.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 t_req.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
 t_req.o: ../cryptlib.h t_req.c
-t_spki.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-t_spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_spki.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 t_spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-t_spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-t_spki.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-t_spki.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-t_spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-t_spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-t_spki.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-t_spki.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-t_spki.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+t_spki.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
+t_spki.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+t_spki.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+t_spki.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+t_spki.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 t_spki.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 t_spki.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-t_spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-t_spki.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-t_spki.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 t_spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 t_spki.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-t_spki.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 t_spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 t_spki.o: ../cryptlib.h t_spki.c
-t_x509.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-t_x509.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_x509.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 t_x509.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-t_x509.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-t_x509.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-t_x509.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+t_x509.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 t_x509.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-t_x509.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-t_x509.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-t_x509.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-t_x509.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_x509.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+t_x509.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+t_x509.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 t_x509.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 t_x509.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 t_x509.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-t_x509.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-t_x509.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 t_x509.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 t_x509.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-t_x509.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-t_x509.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+t_x509.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 t_x509.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
 t_x509.o: ../cryptlib.h t_x509.c
-t_x509a.o: ../../e_os.h ../../include/openssl/aes.h
-t_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-t_x509a.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-t_x509a.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-t_x509a.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-t_x509a.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-t_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-t_x509a.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-t_x509a.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-t_x509a.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-t_x509a.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_x509a.o: ../../e_os.h ../../include/openssl/asn1.h
+t_x509a.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+t_x509a.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+t_x509a.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+t_x509a.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+t_x509a.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 t_x509a.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 t_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 t_x509a.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-t_x509a.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-t_x509a.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-t_x509a.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-t_x509a.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-t_x509a.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-t_x509a.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-t_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h t_x509a.c
+t_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_x509a.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+t_x509a.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_x509a.o: ../cryptlib.h t_x509a.c
 tasn_dec.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-tasn_dec.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-tasn_dec.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tasn_dec.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-tasn_dec.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-tasn_dec.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tasn_dec.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tasn_dec.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tasn_dec.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tasn_dec.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+tasn_dec.o: ../../include/openssl/opensslconf.h
 tasn_dec.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 tasn_dec.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 tasn_dec.o: ../../include/openssl/symhacks.h tasn_dec.c
-tasn_enc.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-tasn_enc.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-tasn_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-tasn_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-tasn_enc.o: ../../include/openssl/opensslconf.h
+tasn_enc.o: ../../e_os.h ../../include/openssl/asn1.h
+tasn_enc.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+tasn_enc.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+tasn_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+tasn_enc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tasn_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 tasn_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 tasn_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tasn_enc.o: ../../include/openssl/symhacks.h tasn_enc.c
+tasn_enc.o: ../../include/openssl/symhacks.h ../cryptlib.h tasn_enc.c
 tasn_fre.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-tasn_fre.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-tasn_fre.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-tasn_fre.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-tasn_fre.o: ../../include/openssl/opensslconf.h
+tasn_fre.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+tasn_fre.o: ../../include/openssl/e_os2.h ../../include/openssl/obj_mac.h
+tasn_fre.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 tasn_fre.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 tasn_fre.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 tasn_fre.o: ../../include/openssl/symhacks.h tasn_fre.c
 tasn_new.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-tasn_new.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-tasn_new.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-tasn_new.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tasn_new.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-tasn_new.o: ../../include/openssl/opensslconf.h
+tasn_new.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+tasn_new.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+tasn_new.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tasn_new.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 tasn_new.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 tasn_new.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 tasn_new.o: ../../include/openssl/symhacks.h tasn_new.c
 tasn_typ.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-tasn_typ.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-tasn_typ.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-tasn_typ.o: ../../include/openssl/opensslconf.h
+tasn_typ.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+tasn_typ.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 tasn_typ.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 tasn_typ.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 tasn_typ.o: ../../include/openssl/symhacks.h tasn_typ.c
 tasn_utl.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-tasn_utl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-tasn_utl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-tasn_utl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tasn_utl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-tasn_utl.o: ../../include/openssl/opensslconf.h
+tasn_utl.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+tasn_utl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+tasn_utl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tasn_utl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 tasn_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 tasn_utl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 tasn_utl.o: ../../include/openssl/symhacks.h tasn_utl.c
-x_algor.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-x_algor.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-x_algor.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x_algor.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x_algor.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x_algor.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x_algor.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x_algor.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_algor.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_algor.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_algor.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_algor.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+x_algor.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+x_algor.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x_algor.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x_algor.o: ../../include/openssl/ecdsa.h ../../include/openssl/evp.h
+x_algor.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_algor.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x_algor.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x_algor.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x_algor.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x_algor.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x_algor.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x_algor.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x_algor.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x_algor.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x_algor.o: x_algor.c
-x_attrib.o: ../../e_os.h ../../include/openssl/aes.h
-x_attrib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-x_attrib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-x_attrib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_attrib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_attrib.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x_attrib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_attrib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_attrib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_attrib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_attrib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_attrib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_algor.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x_algor.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_algor.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x_algor.o: ../../include/openssl/x509_vfy.h x_algor.c
+x_attrib.o: ../../e_os.h ../../include/openssl/asn1.h
+x_attrib.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+x_attrib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_attrib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_attrib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+x_attrib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_attrib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_attrib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x_attrib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x_attrib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x_attrib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x_attrib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x_attrib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x_attrib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x_attrib.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x_attrib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x_attrib.o: ../cryptlib.h x_attrib.c
+x_attrib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x_attrib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_attrib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x_attrib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_attrib.c
 x_bignum.o: ../../e_os.h ../../include/openssl/asn1.h
 x_bignum.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_bignum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
@@ -884,69 +702,43 @@ x_bignum.o: ../../include/openssl/opensslconf.h
 x_bignum.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 x_bignum.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 x_bignum.o: ../../include/openssl/symhacks.h ../cryptlib.h x_bignum.c
-x_crl.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+x_crl.o: ../../e_os.h ../../include/openssl/asn1.h
 x_crl.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-x_crl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x_crl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x_crl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x_crl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x_crl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_crl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_crl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_crl.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 x_crl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x_crl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x_crl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x_crl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x_crl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x_crl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x_crl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-x_crl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_crl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_crl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_crl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x_crl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x_crl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_crl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x_crl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_crl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-x_crl.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+x_crl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x_crl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_crl.c
-x_exten.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-x_exten.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-x_exten.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x_exten.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x_exten.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x_exten.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x_exten.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x_exten.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_exten.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_exten.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_exten.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_exten.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+x_exten.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+x_exten.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x_exten.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x_exten.o: ../../include/openssl/ecdsa.h ../../include/openssl/evp.h
+x_exten.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_exten.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x_exten.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x_exten.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x_exten.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x_exten.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x_exten.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x_exten.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x_exten.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x_exten.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x_exten.o: x_exten.c
-x_info.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-x_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-x_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_info.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_info.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x_info.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_info.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_info.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_info.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_info.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_info.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_exten.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x_exten.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_exten.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x_exten.o: ../../include/openssl/x509_vfy.h x_exten.c
+x_info.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x_info.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_info.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_info.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+x_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_info.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_info.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x_info.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x_info.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x_info.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x_info.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x_info.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x_info.o: ../cryptlib.h x_info.c
+x_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x_info.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_info.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x_info.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_info.c
 x_long.o: ../../e_os.h ../../include/openssl/asn1.h
 x_long.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_long.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
@@ -956,195 +748,123 @@ x_long.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 x_long.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 x_long.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 x_long.o: ../cryptlib.h x_long.c
-x_name.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+x_name.o: ../../e_os.h ../../include/openssl/asn1.h
 x_name.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-x_name.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x_name.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x_name.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x_name.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x_name.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_name.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_name.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_name.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 x_name.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x_name.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x_name.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x_name.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x_name.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x_name.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x_name.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-x_name.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_name.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_name.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_name.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x_name.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x_name.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_name.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x_name.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_name.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-x_name.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+x_name.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x_name.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_name.c
-x_pkey.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+x_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
 x_pkey.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
-x_pkey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x_pkey.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_pkey.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 x_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x_pkey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x_pkey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x_pkey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-x_pkey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_pkey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-x_pkey.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+x_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_pkey.c
-x_pubkey.o: ../../e_os.h ../../include/openssl/aes.h
-x_pubkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-x_pubkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-x_pubkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_pubkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_pubkey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x_pubkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_pubkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_pubkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_pubkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_pubkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_pubkey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-x_pubkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x_pubkey.o: ../../e_os.h ../../include/openssl/asn1.h
+x_pubkey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+x_pubkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_pubkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_pubkey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x_pubkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x_pubkey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+x_pubkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x_pubkey.o: ../../include/openssl/opensslconf.h
 x_pubkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x_pubkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x_pubkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x_pubkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_pubkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 x_pubkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 x_pubkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x_pubkey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 x_pubkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 x_pubkey.o: ../cryptlib.h x_pubkey.c
-x_req.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+x_req.o: ../../e_os.h ../../include/openssl/asn1.h
 x_req.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-x_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x_req.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_req.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_req.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_req.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 x_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x_req.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x_req.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x_req.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x_req.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x_req.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-x_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_req.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x_req.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x_req.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_req.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-x_req.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+x_req.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x_req.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_req.c
-x_sig.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+x_sig.o: ../../e_os.h ../../include/openssl/asn1.h
 x_sig.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-x_sig.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x_sig.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x_sig.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x_sig.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x_sig.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_sig.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_sig.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_sig.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 x_sig.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x_sig.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x_sig.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x_sig.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x_sig.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x_sig.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x_sig.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-x_sig.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_sig.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_sig.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_sig.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x_sig.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x_sig.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_sig.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x_sig.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_sig.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-x_sig.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+x_sig.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x_sig.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_sig.c
-x_spki.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+x_spki.o: ../../e_os.h ../../include/openssl/asn1.h
 x_spki.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-x_spki.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x_spki.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x_spki.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x_spki.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x_spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_spki.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_spki.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_spki.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 x_spki.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x_spki.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x_spki.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x_spki.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x_spki.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x_spki.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x_spki.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-x_spki.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_spki.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_spki.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_spki.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x_spki.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x_spki.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x_spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_spki.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-x_spki.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+x_spki.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x_spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_spki.c
-x_val.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+x_val.o: ../../e_os.h ../../include/openssl/asn1.h
 x_val.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-x_val.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x_val.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x_val.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x_val.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x_val.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_val.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_val.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_val.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 x_val.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x_val.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x_val.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x_val.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x_val.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x_val.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x_val.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-x_val.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_val.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_val.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_val.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x_val.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x_val.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_val.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x_val.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_val.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-x_val.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+x_val.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x_val.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_val.c
-x_x509.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+x_x509.o: ../../e_os.h ../../include/openssl/asn1.h
 x_x509.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-x_x509.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x_x509.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x_x509.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x_x509.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x_x509.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_x509.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_x509.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_x509.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_x509.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_x509.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-x_x509.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_x509.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x_x509.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x_x509.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x_x509.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_x509.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x_x509.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x_x509.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x_x509.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x_x509.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+x_x509.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x_x509.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_x509.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 x_x509.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 x_x509.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x_x509.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 x_x509.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 x_x509.o: ../../include/openssl/x509v3.h ../cryptlib.h x_x509.c
-x_x509a.o: ../../e_os.h ../../include/openssl/aes.h
-x_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-x_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-x_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_x509a.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x_x509a.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_x509a.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_x509a.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_x509a.o: ../../e_os.h ../../include/openssl/asn1.h
+x_x509a.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+x_x509a.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x_x509a.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+x_x509a.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_x509a.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_x509a.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x_x509a.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x_x509a.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x_x509a.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x_x509a.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x_x509a.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x_x509a.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x_x509a.o: ../cryptlib.h x_x509a.c
+x_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x_x509a.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_x509a.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_x509a.c
diff --git a/crypto/openssl/crypto/asn1/a_bitstr.c b/crypto/openssl/crypto/asn1/a_bitstr.c
index f4ea96cd54e8..0fb9ce0c2aea 100644
--- a/crypto/openssl/crypto/asn1/a_bitstr.c
+++ b/crypto/openssl/crypto/asn1/a_bitstr.c
@@ -113,11 +113,12 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 	return(ret);
 	}
 
-ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
-	     long len)
+ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
+	const unsigned char **pp, long len)
 	{
 	ASN1_BIT_STRING *ret=NULL;
-	unsigned char *p,*s;
+	const unsigned char *p;
+	unsigned char *s;
 	int i;
 
 	if (len < 1)
@@ -164,7 +165,7 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 	*pp=p;
 	return(ret);
 err:
-	ASN1err(ASN1_F_D2I_ASN1_BIT_STRING,i);
+	ASN1err(ASN1_F_C2I_ASN1_BIT_STRING,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
 		M_ASN1_BIT_STRING_free(ret);
 	return(NULL);
@@ -182,9 +183,11 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
 	iv= ~v;
 	if (!value) v=0;
 
+	if (a == NULL)
+		return 0;
+
 	a->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear, set on write */
 
-	if (a == NULL) return(0);
 	if ((a->length < (w+1)) || (a->data == NULL))
 		{
 		if (!value) return(1); /* Don't need to set */
@@ -194,8 +197,12 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
 			c=(unsigned char *)OPENSSL_realloc_clean(a->data,
 								 a->length,
 								 w+1);
-		if (c == NULL) return(0);
-		if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
+		if (c == NULL)
+			{
+			ASN1err(ASN1_F_ASN1_BIT_STRING_SET_BIT,ERR_R_MALLOC_FAILURE);
+			return 0;
+			}
+  		if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
 		a->data=c;
 		a->length=w+1;
 	}
diff --git a/crypto/openssl/crypto/asn1/a_bool.c b/crypto/openssl/crypto/asn1/a_bool.c
index 24333ea4d525..331acdf05350 100644
--- a/crypto/openssl/crypto/asn1/a_bool.c
+++ b/crypto/openssl/crypto/asn1/a_bool.c
@@ -75,10 +75,10 @@ int i2d_ASN1_BOOLEAN(int a, unsigned char **pp)
 	return(r);
 	}
 
-int d2i_ASN1_BOOLEAN(int *a, unsigned char **pp, long length)
+int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length)
 	{
 	int ret= -1;
-	unsigned char *p;
+	const unsigned char *p;
 	long len;
 	int inf,tag,xclass;
 	int i=0;
diff --git a/crypto/openssl/crypto/asn1/a_bytes.c b/crypto/openssl/crypto/asn1/a_bytes.c
index afd27b80e1b0..8d13f9c93113 100644
--- a/crypto/openssl/crypto/asn1/a_bytes.c
+++ b/crypto/openssl/crypto/asn1/a_bytes.c
@@ -60,14 +60,15 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
-static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c);
+static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c);
 /* type is a 'bitmap' of acceptable string types.
  */
-ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, unsigned char **pp,
+ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, const unsigned char **pp,
 	     long length, int type)
 	{
 	ASN1_STRING *ret=NULL;
-	unsigned char *p,*s;
+	const unsigned char *p;
+	unsigned char *s;
 	long len;
 	int inf,tag,xclass;
 	int i=0;
@@ -153,11 +154,12 @@ int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass)
 	return(r);
 	}
 
-ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length,
-	     int Ptag, int Pclass)
+ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp,
+	     long length, int Ptag, int Pclass)
 	{
 	ASN1_STRING *ret=NULL;
-	unsigned char *p,*s;
+	const unsigned char *p;
+	unsigned char *s;
 	long len;
 	int inf,tag,xclass;
 	int i=0;
@@ -185,7 +187,7 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length,
 
 	if (inf & V_ASN1_CONSTRUCTED)
 		{
-		ASN1_CTX c;
+		ASN1_const_CTX c;
 
 		c.pp=pp;
 		c.p=p;
@@ -247,7 +249,7 @@ err:
  * them into the one structure that is then returned */
 /* There have been a few bug fixes for this function from
  * Paul Keogh <paul.keogh@sse.ie>, many thanks to him */
-static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
+static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c)
 	{
 	ASN1_STRING *os=NULL;
 	BUF_MEM b;
@@ -268,7 +270,7 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
 		{
 		if (c->inf & 1)
 			{
-			c->eos=ASN1_check_infinite_end(&c->p,
+			c->eos=ASN1_const_check_infinite_end(&c->p,
 				(long)(c->max-c->p));
 			if (c->eos) break;
 			}
@@ -296,7 +298,7 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
 		num+=os->length;
 		}
 
-	if (!asn1_Finish(c)) goto err;
+	if (!asn1_const_Finish(c)) goto err;
 
 	a->length=num;
 	if (a->data != NULL) OPENSSL_free(a->data);
diff --git a/crypto/openssl/crypto/asn1/a_d2i_fp.c b/crypto/openssl/crypto/asn1/a_d2i_fp.c
index b67b75e7c27e..ece40bc4c003 100644
--- a/crypto/openssl/crypto/asn1/a_d2i_fp.c
+++ b/crypto/openssl/crypto/asn1/a_d2i_fp.c
@@ -66,11 +66,10 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb);
 #ifndef NO_OLD_ASN1
 #ifndef OPENSSL_NO_FP_API
 
-char *ASN1_d2i_fp(char *(*xnew)(), char *(*d2i)(), FILE *in,
-	     unsigned char **x)
+void *ASN1_d2i_fp(void *(*xnew)(void), d2i_of_void *d2i, FILE *in, void **x)
         {
         BIO *b;
-        char *ret;
+        void *ret;
 
         if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
@@ -84,12 +83,11 @@ char *ASN1_d2i_fp(char *(*xnew)(), char *(*d2i)(), FILE *in,
         }
 #endif
 
-char *ASN1_d2i_bio(char *(*xnew)(), char *(*d2i)(), BIO *in,
-	     unsigned char **x)
+void *ASN1_d2i_bio(void *(*xnew)(void), d2i_of_void *d2i, BIO *in, void **x)
 	{
 	BUF_MEM *b = NULL;
-	unsigned char *p;
-	char *ret=NULL;
+	const unsigned char *p;
+	void *ret=NULL;
 	int len;
 
 	len = asn1_d2i_read_bio(in, &b);
@@ -107,14 +105,14 @@ err:
 void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x)
 	{
 	BUF_MEM *b = NULL;
-	unsigned char *p;
+	const unsigned char *p;
 	void *ret=NULL;
 	int len;
 
 	len = asn1_d2i_read_bio(in, &b);
 	if(len < 0) goto err;
 
-	p=(unsigned char *)b->data;
+	p=(const unsigned char *)b->data;
 	ret=ASN1_item_d2i(x,&p,len, it);
 err:
 	if (b != NULL) BUF_MEM_free(b);
@@ -129,7 +127,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
 
         if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
-		ASN1err(ASN1_F_ASN1_D2I_FP,ERR_R_BUF_LIB);
+		ASN1err(ASN1_F_ASN1_ITEM_D2I_FP,ERR_R_BUF_LIB);
                 return(NULL);
 		}
         BIO_set_fp(b,in,BIO_NOCLOSE);
@@ -146,7 +144,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 	unsigned char *p;
 	int i;
 	int ret=-1;
-	ASN1_CTX c;
+	ASN1_const_CTX c;
 	int want=HEADER_SIZE;
 	int eos=0;
 #if defined(__GNUC__) && defined(__ia64)
@@ -160,7 +158,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 	b=BUF_MEM_new();
 	if (b == NULL)
 		{
-		ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
 		return -1;
 		}
 
@@ -173,13 +171,13 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 
 			if (!BUF_MEM_grow_clean(b,len+want))
 				{
-				ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
+				ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
 			i=BIO_read(in,&(b->data[len]),want);
 			if ((i < 0) && ((len-off) == 0))
 				{
-				ASN1err(ASN1_F_ASN1_D2I_BIO,ASN1_R_NOT_ENOUGH_DATA);
+				ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_NOT_ENOUGH_DATA);
 				goto err;
 				}
 			if (i > 0)
@@ -199,7 +197,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 			if (e != ASN1_R_TOO_LONG)
 				goto err;
 			else
-				ERR_get_error(); /* clear error */
+				ERR_clear_error(); /* clear error */
 			}
 		i=c.p-p;/* header length */
 		off+=i;	/* end of data */
@@ -228,7 +226,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 				want-=(len-off);
 				if (!BUF_MEM_grow_clean(b,len+want))
 					{
-					ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
+					ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
 					goto err;
 					}
 				while (want > 0)
@@ -236,7 +234,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 					i=BIO_read(in,&(b->data[len]),want);
 					if (i <= 0)
 						{
-						ASN1err(ASN1_F_ASN1_D2I_BIO,
+						ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
 						    ASN1_R_NOT_ENOUGH_DATA);
 						goto err;
 						}
diff --git a/crypto/openssl/crypto/asn1/a_digest.c b/crypto/openssl/crypto/asn1/a_digest.c
index 4931e222a05e..d00d9e22b188 100644
--- a/crypto/openssl/crypto/asn1/a_digest.c
+++ b/crypto/openssl/crypto/asn1/a_digest.c
@@ -65,20 +65,25 @@
 # include <sys/types.h>
 #endif
 
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
 #include <openssl/x509.h>
 
 #ifndef NO_ASN1_OLD
 
-int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
+int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data,
 		unsigned char *md, unsigned int *len)
 	{
 	int i;
 	unsigned char *str,*p;
 
 	i=i2d(data,NULL);
-	if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL) return(0);
+	if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL)
+		{
+		ASN1err(ASN1_F_ASN1_DIGEST,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
 	p=str;
 	i2d(data,&p);
 
diff --git a/crypto/openssl/crypto/asn1/a_dup.c b/crypto/openssl/crypto/asn1/a_dup.c
index 58a017884cb5..199d50f521cd 100644
--- a/crypto/openssl/crypto/asn1/a_dup.c
+++ b/crypto/openssl/crypto/asn1/a_dup.c
@@ -62,22 +62,23 @@
 
 #ifndef NO_OLD_ASN1
 
-char *ASN1_dup(int (*i2d)(), char *(*d2i)(), char *x)
+void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, char *x)
 	{
 	unsigned char *b,*p;
-	long i;
+	const unsigned char *p2;
+	int i;
 	char *ret;
 
 	if (x == NULL) return(NULL);
 
-	i=(long)i2d(x,NULL);
-	b=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+	i=i2d(x,NULL);
+	b=OPENSSL_malloc(i+10);
 	if (b == NULL)
 		{ ASN1err(ASN1_F_ASN1_DUP,ERR_R_MALLOC_FAILURE); return(NULL); }
 	p= b;
 	i=i2d(x,&p);
-	p= b;
-	ret=d2i(NULL,&p,i);
+	p2= b;
+	ret=d2i(NULL,&p2,i);
 	OPENSSL_free(b);
 	return(ret);
 	}
@@ -91,7 +92,8 @@ char *ASN1_dup(int (*i2d)(), char *(*d2i)(), char *x)
 
 void *ASN1_item_dup(const ASN1_ITEM *it, void *x)
 	{
-	unsigned char *b = NULL, *p;
+	unsigned char *b = NULL;
+	const unsigned char *p;
 	long i;
 	void *ret;
 
@@ -99,7 +101,7 @@ void *ASN1_item_dup(const ASN1_ITEM *it, void *x)
 
 	i=ASN1_item_i2d(x,&b,it);
 	if (b == NULL)
-		{ ASN1err(ASN1_F_ASN1_DUP,ERR_R_MALLOC_FAILURE); return(NULL); }
+		{ ASN1err(ASN1_F_ASN1_ITEM_DUP,ERR_R_MALLOC_FAILURE); return(NULL); }
 	p= b;
 	ret=ASN1_item_d2i(NULL,&p,i, it);
 	OPENSSL_free(b);
diff --git a/crypto/openssl/crypto/asn1/a_enum.c b/crypto/openssl/crypto/asn1/a_enum.c
index ad8f0ffd1ab3..fe9aa13b9cd5 100644
--- a/crypto/openssl/crypto/asn1/a_enum.c
+++ b/crypto/openssl/crypto/asn1/a_enum.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
+#include <openssl/bn.h>
 
 /* 
  * Code for ENUMERATED type: identical to INTEGER apart from a different tag.
@@ -67,12 +68,13 @@
 
 int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
 	{
-	int i,j,k;
+	int j,k;
+	unsigned int i;
 	unsigned char buf[sizeof(long)+1];
 	long d;
 
 	a->type=V_ASN1_ENUMERATED;
-	if (a->length < (sizeof(long)+1))
+	if (a->length < (int)(sizeof(long)+1))
 		{
 		if (a->data != NULL)
 			OPENSSL_free(a->data);
@@ -116,7 +118,7 @@ long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
 	else if (i != V_ASN1_ENUMERATED)
 		return -1;
 	
-	if (a->length > sizeof(long))
+	if (a->length > (int)sizeof(long))
 		{
 		/* hmm... a bit ugly */
 		return(0xffffffffL);
@@ -147,7 +149,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
 		ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED,ERR_R_NESTED_ASN1_ERROR);
 		goto err;
 		}
-	if(bn->neg) ret->type = V_ASN1_NEG_ENUMERATED;
+	if(BN_is_negative(bn)) ret->type = V_ASN1_NEG_ENUMERATED;
 	else ret->type=V_ASN1_ENUMERATED;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
@@ -156,7 +158,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
 		unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
 		if (!new_data)
 			{
-			ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
+			ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
 		ret->data=new_data;
@@ -175,6 +177,6 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn)
 
 	if ((ret=BN_bin2bn(ai->data,ai->length,bn)) == NULL)
 		ASN1err(ASN1_F_ASN1_ENUMERATED_TO_BN,ASN1_R_BN_LIB);
-	else if(ai->type == V_ASN1_NEG_ENUMERATED) ret->neg = 1;
+	else if(ai->type == V_ASN1_NEG_ENUMERATED) BN_set_negative(ret,1);
 	return(ret);
 	}
diff --git a/crypto/openssl/crypto/asn1/a_gentm.c b/crypto/openssl/crypto/asn1/a_gentm.c
index 85810078681e..def79062a57d 100644
--- a/crypto/openssl/crypto/asn1/a_gentm.c
+++ b/crypto/openssl/crypto/asn1/a_gentm.c
@@ -181,7 +181,7 @@ err:
 	return(0);
 	}
 
-int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str)
+int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str)
 	{
 	ASN1_GENERALIZEDTIME t;
 
@@ -192,8 +192,9 @@ int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str)
 		{
 		if (s != NULL)
 			{
-			ASN1_STRING_set((ASN1_STRING *)s,
-				(unsigned char *)str,t.length);
+			if (!ASN1_STRING_set((ASN1_STRING *)s,
+				(unsigned char *)str,t.length))
+				return 0;
 			s->type=V_ASN1_GENERALIZEDTIME;
 			}
 		return(1);
@@ -223,7 +224,12 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
 	if ((p == NULL) || ((size_t)s->length < len))
 		{
 		p=OPENSSL_malloc(len);
-		if (p == NULL) return(NULL);
+		if (p == NULL)
+			{
+			ASN1err(ASN1_F_ASN1_GENERALIZEDTIME_SET,
+				ERR_R_MALLOC_FAILURE);
+			return(NULL);
+			}
 		if (s->data != NULL)
 			OPENSSL_free(s->data);
 		s->data=(unsigned char *)p;
diff --git a/crypto/openssl/crypto/asn1/a_hdr.c b/crypto/openssl/crypto/asn1/a_hdr.c
index b1aad81f7731..d1c2a7b9e3a0 100644
--- a/crypto/openssl/crypto/asn1/a_hdr.c
+++ b/crypto/openssl/crypto/asn1/a_hdr.c
@@ -76,17 +76,17 @@ int i2d_ASN1_HEADER(ASN1_HEADER *a, unsigned char **pp)
 	M_ASN1_I2D_finish();
 	}
 
-ASN1_HEADER *d2i_ASN1_HEADER(ASN1_HEADER **a, unsigned char **pp,
+ASN1_HEADER *d2i_ASN1_HEADER(ASN1_HEADER **a, const unsigned char **pp,
 	     long length)
 	{
 	M_ASN1_D2I_vars(a,ASN1_HEADER *,ASN1_HEADER_new);
 
 	M_ASN1_D2I_Init();
         M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->header,d2i_ASN1_OCTET_STRING);
+        M_ASN1_D2I_get_x(ASN1_OCTET_STRING,ret->header,d2i_ASN1_OCTET_STRING);
 	if (ret->meth != NULL)
 		{
-		M_ASN1_D2I_get(ret->data,ret->meth->d2i);
+		M_ASN1_D2I_get_x(void,ret->data,ret->meth->d2i);
 		}
 	else
 		{
diff --git a/crypto/openssl/crypto/asn1/a_i2d_fp.c b/crypto/openssl/crypto/asn1/a_i2d_fp.c
index f4f1b73ebe88..a3ad76d35687 100644
--- a/crypto/openssl/crypto/asn1/a_i2d_fp.c
+++ b/crypto/openssl/crypto/asn1/a_i2d_fp.c
@@ -64,7 +64,7 @@
 #ifndef NO_OLD_ASN1
 
 #ifndef OPENSSL_NO_FP_API
-int ASN1_i2d_fp(int (*i2d)(), FILE *out, unsigned char *x)
+int ASN1_i2d_fp(i2d_of_void *i2d, FILE *out, void *x)
         {
         BIO *b;
         int ret;
@@ -81,7 +81,7 @@ int ASN1_i2d_fp(int (*i2d)(), FILE *out, unsigned char *x)
         }
 #endif
 
-int ASN1_i2d_bio(int (*i2d)(), BIO *out, unsigned char *x)
+int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, unsigned char *x)
 	{
 	char *b;
 	unsigned char *p;
@@ -124,7 +124,7 @@ int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x)
 
         if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
-		ASN1err(ASN1_F_ASN1_I2D_FP,ERR_R_BUF_LIB);
+		ASN1err(ASN1_F_ASN1_ITEM_I2D_FP,ERR_R_BUF_LIB);
                 return(0);
 		}
         BIO_set_fp(b,out,BIO_NOCLOSE);
@@ -142,7 +142,7 @@ int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x)
 	n = ASN1_item_i2d(x, &b, it);
 	if (b == NULL)
 		{
-		ASN1err(ASN1_F_ASN1_I2D_BIO,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_ASN1_ITEM_I2D_BIO,ERR_R_MALLOC_FAILURE);
 		return(0);
 		}
 
diff --git a/crypto/openssl/crypto/asn1/a_int.c b/crypto/openssl/crypto/asn1/a_int.c
index 21cc64bb234e..f8d198efb160 100644
--- a/crypto/openssl/crypto/asn1/a_int.c
+++ b/crypto/openssl/crypto/asn1/a_int.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
+#include <openssl/bn.h>
 
 ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *x)
 { return M_ASN1_INTEGER_dup(x);}
@@ -174,11 +175,12 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 
 /* Convert just ASN1 INTEGER content octets to ASN1_INTEGER structure */
 
-ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
+ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp,
 	     long len)
 	{
 	ASN1_INTEGER *ret=NULL;
-	unsigned char *p,*to,*s, *pend;
+	const unsigned char *p, *pend;
+	unsigned char *to,*s;
 	int i;
 
 	if ((a == NULL) || ((*a) == NULL))
@@ -254,7 +256,7 @@ ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 	*pp=pend;
 	return(ret);
 err:
-	ASN1err(ASN1_F_D2I_ASN1_INTEGER,i);
+	ASN1err(ASN1_F_C2I_ASN1_INTEGER,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
 		M_ASN1_INTEGER_free(ret);
 	return(NULL);
@@ -266,11 +268,12 @@ err:
  * with its MSB set as negative (it doesn't add a padding zero).
  */
 
-ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, unsigned char **pp,
+ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
 	     long length)
 	{
 	ASN1_INTEGER *ret=NULL;
-	unsigned char *p,*to,*s;
+	const unsigned char *p;
+	unsigned char *to,*s;
 	long len;
 	int inf,tag,xclass;
 	int i;
@@ -332,12 +335,13 @@ err:
 
 int ASN1_INTEGER_set(ASN1_INTEGER *a, long v)
 	{
-	int i,j,k;
+	int j,k;
+	unsigned int i;
 	unsigned char buf[sizeof(long)+1];
 	long d;
 
 	a->type=V_ASN1_INTEGER;
-	if (a->length < (sizeof(long)+1))
+	if (a->length < (int)(sizeof(long)+1))
 		{
 		if (a->data != NULL)
 			OPENSSL_free(a->data);
@@ -381,7 +385,7 @@ long ASN1_INTEGER_get(ASN1_INTEGER *a)
 	else if (i != V_ASN1_INTEGER)
 		return -1;
 	
-	if (a->length > sizeof(long))
+	if (a->length > (int)sizeof(long))
 		{
 		/* hmm... a bit ugly */
 		return(0xffffffffL);
@@ -412,7 +416,8 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai)
 		ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_NESTED_ASN1_ERROR);
 		goto err;
 		}
-	if(bn->neg) ret->type = V_ASN1_NEG_INTEGER;
+	if (BN_is_negative(bn))
+		ret->type = V_ASN1_NEG_INTEGER;
 	else ret->type=V_ASN1_INTEGER;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
@@ -445,7 +450,8 @@ BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *ai, BIGNUM *bn)
 
 	if ((ret=BN_bin2bn(ai->data,ai->length,bn)) == NULL)
 		ASN1err(ASN1_F_ASN1_INTEGER_TO_BN,ASN1_R_BN_LIB);
-	else if(ai->type == V_ASN1_NEG_INTEGER) ret->neg = 1;
+	else if(ai->type == V_ASN1_NEG_INTEGER)
+		BN_set_negative(ret, 1);
 	return(ret);
 	}
 
diff --git a/crypto/openssl/crypto/asn1/a_mbstr.c b/crypto/openssl/crypto/asn1/a_mbstr.c
index 208b3ec395f1..2d4800a22a4c 100644
--- a/crypto/openssl/crypto/asn1/a_mbstr.c
+++ b/crypto/openssl/crypto/asn1/a_mbstr.c
@@ -107,7 +107,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 
 		case MBSTRING_BMP:
 		if(len & 1) {
-			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+			ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY,
 					 ASN1_R_INVALID_BMPSTRING_LENGTH);
 			return -1;
 		}
@@ -116,7 +116,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 
 		case MBSTRING_UNIV:
 		if(len & 3) {
-			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+			ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY,
 					 ASN1_R_INVALID_UNIVERSALSTRING_LENGTH);
 			return -1;
 		}
@@ -128,7 +128,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 		/* This counts the characters and does utf8 syntax checking */
 		ret = traverse_string(in, len, MBSTRING_UTF8, in_utf8, &nchar);
 		if(ret < 0) {
-			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+			ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY,
 						 ASN1_R_INVALID_UTF8STRING);
 			return -1;
 		}
@@ -139,19 +139,19 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 		break;
 
 		default:
-		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_UNKNOWN_FORMAT);
+		ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY, ASN1_R_UNKNOWN_FORMAT);
 		return -1;
 	}
 
 	if((minsize > 0) && (nchar < minsize)) {
-		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_SHORT);
+		ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY, ASN1_R_STRING_TOO_SHORT);
 		BIO_snprintf(strbuf, sizeof strbuf, "%ld", minsize);
 		ERR_add_error_data(2, "minsize=", strbuf);
 		return -1;
 	}
 
 	if((maxsize > 0) && (nchar > maxsize)) {
-		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_LONG);
+		ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY, ASN1_R_STRING_TOO_LONG);
 		BIO_snprintf(strbuf, sizeof strbuf, "%ld", maxsize);
 		ERR_add_error_data(2, "maxsize=", strbuf);
 		return -1;
@@ -159,7 +159,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 
 	/* Now work out minimal type (if any) */
 	if(traverse_string(in, len, inform, type_str, &mask) < 0) {
-		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_ILLEGAL_CHARACTERS);
+		ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY, ASN1_R_ILLEGAL_CHARACTERS);
 		return -1;
 	}
 
@@ -193,7 +193,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 		free_out = 1;
 		dest = ASN1_STRING_type_new(str_type);
 		if(!dest) {
-			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+			ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY,
 							ERR_R_MALLOC_FAILURE);
 			return -1;
 		}
@@ -202,7 +202,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 	/* If both the same type just copy across */
 	if(inform == outform) {
 		if(!ASN1_STRING_set(dest, in, len)) {
-			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
+			ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY,ERR_R_MALLOC_FAILURE);
 			return -1;
 		}
 		return str_type;
@@ -233,7 +233,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 	}
 	if(!(p = OPENSSL_malloc(outlen + 1))) {
 		if(free_out) ASN1_STRING_free(dest);
-		ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY,ERR_R_MALLOC_FAILURE);
 		return -1;
 	}
 	dest->length = outlen;
diff --git a/crypto/openssl/crypto/asn1/a_meth.c b/crypto/openssl/crypto/asn1/a_meth.c
index 63158e9cab2d..50bea917e38b 100644
--- a/crypto/openssl/crypto/asn1/a_meth.c
+++ b/crypto/openssl/crypto/asn1/a_meth.c
@@ -62,16 +62,16 @@
 #include <openssl/asn1.h>
 
 static  ASN1_METHOD ia5string_meth={
-	(int (*)())	i2d_ASN1_IA5STRING,
-	(char *(*)())	d2i_ASN1_IA5STRING,
-	(char *(*)())	ASN1_STRING_new,
-	(void (*)())	ASN1_STRING_free};
+	(I2D_OF(void))	i2d_ASN1_IA5STRING,
+	(D2I_OF(void))	d2i_ASN1_IA5STRING,
+	(void *(*)(void))ASN1_STRING_new,
+	(void (*)(void *))ASN1_STRING_free};
 
 static  ASN1_METHOD bit_string_meth={
-	(int (*)())	i2d_ASN1_BIT_STRING,
-	(char *(*)())	d2i_ASN1_BIT_STRING,
-	(char *(*)())	ASN1_STRING_new,
-	(void (*)())	ASN1_STRING_free};
+	(I2D_OF(void))	i2d_ASN1_BIT_STRING,
+	(D2I_OF(void))	d2i_ASN1_BIT_STRING,
+	(void *(*)(void))ASN1_STRING_new,
+	(void (*)(void *))ASN1_STRING_free};
 
 ASN1_METHOD *ASN1_IA5STRING_asn1_meth(void)
 	{
diff --git a/crypto/openssl/crypto/asn1/a_object.c b/crypto/openssl/crypto/asn1/a_object.c
index 0a8e6c287cc3..a36356e34474 100644
--- a/crypto/openssl/crypto/asn1/a_object.c
+++ b/crypto/openssl/crypto/asn1/a_object.c
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <limits.h>
 #include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/asn1.h>
@@ -83,10 +84,12 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
 
 int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
 	{
-	int i,first,len=0,c;
-	char tmp[24];
+	int i,first,len=0,c, use_bn;
+	char ftmp[24], *tmp = ftmp;
+	int tmpsize = sizeof ftmp;
 	const char *p;
 	unsigned long l;
+	BIGNUM *bl = NULL;
 
 	if (num == 0)
 		return(0);
@@ -98,7 +101,7 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
 	num--;
 	if ((c >= '0') && (c <= '2'))
 		{
-		first=(c-'0')*40;
+		first= c-'0';
 		}
 	else
 		{
@@ -122,6 +125,7 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
 			goto err;
 			}
 		l=0;
+		use_bn = 0;
 		for (;;)
 			{
 			if (num <= 0) break;
@@ -134,7 +138,22 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
 				ASN1err(ASN1_F_A2D_ASN1_OBJECT,ASN1_R_INVALID_DIGIT);
 				goto err;
 				}
-			l=l*10L+(long)(c-'0');
+			if (!use_bn && l > (ULONG_MAX / 10L))
+				{
+				use_bn = 1;
+				if (!bl)
+					bl = BN_new();
+				if (!bl || !BN_set_word(bl, l))
+					goto err;
+				}
+			if (use_bn)
+				{
+				if (!BN_mul_word(bl, 10L)
+					|| !BN_add_word(bl, c-'0'))
+					goto err;
+				}
+			else
+				l=l*10L+(long)(c-'0');
 			}
 		if (len == 0)
 			{
@@ -143,14 +162,42 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
 				ASN1err(ASN1_F_A2D_ASN1_OBJECT,ASN1_R_SECOND_NUMBER_TOO_LARGE);
 				goto err;
 				}
-			l+=(long)first;
+			if (use_bn)
+				{
+				if (!BN_add_word(bl, first * 40))
+					goto err;
+				}
+			else
+				l+=(long)first*40;
 			}
 		i=0;
-		for (;;)
+		if (use_bn)
+			{
+			int blsize;
+			blsize = BN_num_bits(bl);
+			blsize = (blsize + 6)/7;
+			if (blsize > tmpsize)
+				{
+				if (tmp != ftmp)
+					OPENSSL_free(tmp);
+				tmpsize = blsize + 32;
+				tmp = OPENSSL_malloc(tmpsize);
+				if (!tmp)
+					goto err;
+				}
+			while(blsize--)
+				tmp[i++] = (unsigned char)BN_div_word(bl, 0x80L);
+			}
+		else
 			{
-			tmp[i++]=(unsigned char)l&0x7f;
-			l>>=7L;
-			if (l == 0L) break;
+					
+			for (;;)
+				{
+				tmp[i++]=(unsigned char)l&0x7f;
+				l>>=7L;
+				if (l == 0L) break;
+				}
+
 			}
 		if (out != NULL)
 			{
@@ -166,8 +213,16 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
 		else
 			len+=i;
 		}
+	if (tmp != ftmp)
+		OPENSSL_free(tmp);
+	if (bl)
+		BN_free(bl);
 	return(len);
 err:
+	if (tmp != ftmp)
+		OPENSSL_free(tmp);
+	if (bl)
+		BN_free(bl);
 	return(0);
 	}
 
@@ -178,21 +233,31 @@ int i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a)
 
 int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
 	{
-	char buf[80];
+	char buf[80], *p = buf;
 	int i;
 
 	if ((a == NULL) || (a->data == NULL))
 		return(BIO_write(bp,"NULL",4));
 	i=i2t_ASN1_OBJECT(buf,sizeof buf,a);
-	if (i > sizeof buf) i=sizeof buf;
-	BIO_write(bp,buf,i);
+	if (i > (int)(sizeof(buf) - 1))
+		{
+		p = OPENSSL_malloc(i + 1);
+		if (!p)
+			return -1;
+		i2t_ASN1_OBJECT(p,i + 1,a);
+		}
+	if (i <= 0)
+		return BIO_write(bp, "<INVALID>", 9);
+	BIO_write(bp,p,i);
+	if (p != buf)
+		OPENSSL_free(p);
 	return(i);
 	}
 
-ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp,
+ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
 	     long length)
 {
-	unsigned char *p;
+	const unsigned char *p;
 	long len;
 	int tag,xclass;
 	int inf,i;
@@ -219,11 +284,11 @@ err:
 		ASN1_OBJECT_free(ret);
 	return(NULL);
 }
-ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp,
+ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
 	     long len)
 	{
 	ASN1_OBJECT *ret=NULL;
-	unsigned char *p;
+	const unsigned char *p;
 	int i;
 
 	/* only the ASN1_OBJECTs from the 'table' will have values
@@ -255,7 +320,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp,
 	*pp=p;
 	return(ret);
 err:
-	ASN1err(ASN1_F_D2I_ASN1_OBJECT,i);
+	ASN1err(ASN1_F_C2I_ASN1_OBJECT,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
 		ASN1_OBJECT_free(ret);
 	return(NULL);
diff --git a/crypto/openssl/crypto/asn1/a_octet.c b/crypto/openssl/crypto/asn1/a_octet.c
index 9690bae0f12d..24fd0f8e5a76 100644
--- a/crypto/openssl/crypto/asn1/a_octet.c
+++ b/crypto/openssl/crypto/asn1/a_octet.c
@@ -66,6 +66,6 @@ ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(ASN1_OCTET_STRING *x)
 int ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b)
 { return M_ASN1_OCTET_STRING_cmp(a, b); }
 
-int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *x, unsigned char *d, int len)
+int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *x, const unsigned char *d, int len)
 { return M_ASN1_OCTET_STRING_set(x, d, len); }
 
diff --git a/crypto/openssl/crypto/asn1/a_print.c b/crypto/openssl/crypto/asn1/a_print.c
index 8035513f0478..d18e77232044 100644
--- a/crypto/openssl/crypto/asn1/a_print.c
+++ b/crypto/openssl/crypto/asn1/a_print.c
@@ -60,7 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
-int ASN1_PRINTABLE_type(unsigned char *s, int len)
+int ASN1_PRINTABLE_type(const unsigned char *s, int len)
 	{
 	int c;
 	int ia5=0;
diff --git a/crypto/openssl/crypto/asn1/a_set.c b/crypto/openssl/crypto/asn1/a_set.c
index 0f839822ff22..958558c204dd 100644
--- a/crypto/openssl/crypto/asn1/a_set.c
+++ b/crypto/openssl/crypto/asn1/a_set.c
@@ -85,8 +85,8 @@ static int SetBlobCmp(const void *elem1, const void *elem2 )
     }
 
 /* int is_set:  if TRUE, then sort the contents (i.e. it isn't a SEQUENCE)    */
-int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
-	     int ex_class, int is_set)
+int i2d_ASN1_SET(STACK *a, unsigned char **pp, i2d_of_void *i2d, int ex_tag,
+		 int ex_class, int is_set)
 	{
 	int ret=0,r;
 	int i;
@@ -97,7 +97,7 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
 
 	if (a == NULL) return(0);
 	for (i=sk_num(a)-1; i>=0; i--)
-		ret+=func(sk_value(a,i),NULL);
+		ret+=i2d(sk_value(a,i),NULL);
 	r=ASN1_object_size(1,ret,ex_tag);
 	if (pp == NULL) return(r);
 
@@ -111,20 +111,25 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
 	if(!is_set || (sk_num(a) < 2))
 		{
 		for (i=0; i<sk_num(a); i++)
-                	func(sk_value(a,i),&p);
+                	i2d(sk_value(a,i),&p);
 
 		*pp=p;
 		return(r);
 		}
 
         pStart  = p; /* Catch the beg of Setblobs*/
-        if (!(rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)))) return 0; /* In this array
-we will store the SET blobs */
+		/* In this array we will store the SET blobs */
+		rgSetBlob = (MYBLOB *)OPENSSL_malloc(sk_num(a) * sizeof(MYBLOB));
+		if (rgSetBlob == NULL)
+			{
+			ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
 
         for (i=0; i<sk_num(a); i++)
 	        {
                 rgSetBlob[i].pbData = p;  /* catch each set encode blob */
-                func(sk_value(a,i),&p);
+                i2d(sk_value(a,i),&p);
                 rgSetBlob[i].cbData = p - rgSetBlob[i].pbData; /* Length of this
 SetBlob
 */
@@ -135,7 +140,11 @@ SetBlob
  /* Now we have to sort the blobs. I am using a simple algo.
     *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
         qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
-        if (!(pTempMem = OPENSSL_malloc(totSize))) return 0;
+		if (!(pTempMem = OPENSSL_malloc(totSize)))
+			{
+			ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
 
 /* Copy to temp mem */
         p = pTempMem;
@@ -153,14 +162,21 @@ SetBlob
         return(r);
         }
 
-STACK *d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
-	     char *(*func)(), void (*free_func)(void *), int ex_tag, int ex_class)
+STACK *d2i_ASN1_SET(STACK **a, const unsigned char **pp, long length,
+		    d2i_of_void *d2i, void (*free_func)(void *), int ex_tag,
+		    int ex_class)
 	{
-	ASN1_CTX c;
+	ASN1_const_CTX c;
 	STACK *ret=NULL;
 
 	if ((a == NULL) || ((*a) == NULL))
-		{ if ((ret=sk_new_null()) == NULL) goto err; }
+		{
+		if ((ret=sk_new_null()) == NULL)
+			{
+			ASN1err(ASN1_F_D2I_ASN1_SET,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		}
 	else
 		ret=(*a);
 
@@ -195,7 +211,9 @@ STACK *d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
 		char *s;
 
 		if (M_ASN1_D2I_end_sequence()) break;
-		if ((s=func(NULL,&c.p,c.slen,c.max-c.p)) == NULL)
+		/* XXX: This was called with 4 arguments, incorrectly, it seems
+		   if ((s=func(NULL,&c.p,c.slen,c.max-c.p)) == NULL) */
+		if ((s=d2i(NULL,&c.p,c.slen)) == NULL)
 			{
 			ASN1err(ASN1_F_D2I_ASN1_SET,ASN1_R_ERROR_PARSING_SET_ELEMENT);
 			asn1_add_error(*pp,(int)(c.q- *pp));
diff --git a/crypto/openssl/crypto/asn1/a_sign.c b/crypto/openssl/crypto/asn1/a_sign.c
index 52ce7e39740b..1081950518c7 100644
--- a/crypto/openssl/crypto/asn1/a_sign.c
+++ b/crypto/openssl/crypto/asn1/a_sign.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -126,9 +126,9 @@
 
 #ifndef NO_ASN1_OLD
 
-int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
-	     ASN1_BIT_STRING *signature, char *data, EVP_PKEY *pkey,
-	     const EVP_MD *type)
+int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
+	      ASN1_BIT_STRING *signature, char *data, EVP_PKEY *pkey,
+	      const EVP_MD *type)
 	{
 	EVP_MD_CTX ctx;
 	unsigned char *p,*buf_in=NULL,*buf_out=NULL;
@@ -229,10 +229,11 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 		else
 			a=algor2;
 		if (a == NULL) continue;
-                if (type->pkey_type == NID_dsaWithSHA1)
+                if (type->pkey_type == NID_dsaWithSHA1 ||
+			type->pkey_type == NID_ecdsa_with_SHA1)
 			{
-			/* special case: RFC 2459 tells us to omit 'parameters'
-			 * with id-dsa-with-sha1 */
+			/* special case: RFC 3279 tells us to omit 'parameters'
+			 * with id-dsa-with-sha1 and ecdsa-with-SHA1 */
 			ASN1_TYPE_free(a->parameter);
 			a->parameter = NULL;
 			}
@@ -247,12 +248,12 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 		a->algorithm=OBJ_nid2obj(type->pkey_type);
 		if (a->algorithm == NULL)
 			{
-			ASN1err(ASN1_F_ASN1_SIGN,ASN1_R_UNKNOWN_OBJECT_TYPE);
+			ASN1err(ASN1_F_ASN1_ITEM_SIGN,ASN1_R_UNKNOWN_OBJECT_TYPE);
 			goto err;
 			}
 		if (a->algorithm->length == 0)
 			{
-			ASN1err(ASN1_F_ASN1_SIGN,ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
+			ASN1err(ASN1_F_ASN1_ITEM_SIGN,ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
 			goto err;
 			}
 		}
@@ -262,7 +263,7 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 	if ((buf_in == NULL) || (buf_out == NULL))
 		{
 		outl=0;
-		ASN1err(ASN1_F_ASN1_SIGN,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_ASN1_ITEM_SIGN,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
 
@@ -272,7 +273,7 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 			(unsigned int *)&outl,pkey))
 		{
 		outl=0;
-		ASN1err(ASN1_F_ASN1_SIGN,ERR_R_EVP_LIB);
+		ASN1err(ASN1_F_ASN1_ITEM_SIGN,ERR_R_EVP_LIB);
 		goto err;
 		}
 	if (signature->data != NULL) OPENSSL_free(signature->data);
diff --git a/crypto/openssl/crypto/asn1/a_strex.c b/crypto/openssl/crypto/asn1/a_strex.c
index a07122ba4794..fc743c2ad080 100644
--- a/crypto/openssl/crypto/asn1/a_strex.c
+++ b/crypto/openssl/crypto/asn1/a_strex.c
@@ -3,7 +3,7 @@
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -58,12 +58,12 @@
 
 #include <stdio.h>
 #include <string.h>
+#include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
 
 #include "charmap.h"
-#include "cryptlib.h"
 
 /* ASN1_STRING_print_ex() and X509_NAME_print_ex().
  * Enhanced string and name printing routines handling
@@ -194,6 +194,8 @@ static int do_buf(unsigned char *buf, int buflen,
 			if(i < 0) return -1;	/* Invalid UTF8String */
 			p += i;
 			break;
+			default:
+			return -1;	/* invalid width */
 		}
 		if (p == q) orflags = CHARTYPE_LAST_ESC_2253;
 		if(type & BUF_TYPE_CONVUTF8) {
@@ -223,7 +225,7 @@ static int do_buf(unsigned char *buf, int buflen,
 
 static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen)
 {
-	const static char hexdig[] = "0123456789ABCDEF";
+	static const char hexdig[] = "0123456789ABCDEF";
 	unsigned char *p, *q;
 	char hextmp[2];
 	if(arg) {
@@ -279,7 +281,7 @@ static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING
  * otherwise it is the number of bytes per character
  */
 
-const static signed char tag2nbyte[] = {
+static const signed char tag2nbyte[] = {
 	-1, -1, -1, -1, -1,	/* 0-4 */
 	-1, -1, -1, -1, -1,	/* 5-9 */
 	-1, -1, 0, -1,		/* 10-13 */
@@ -356,12 +358,13 @@ static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags, ASN1_STR
 	}
 
 	len = do_buf(str->data, str->length, type, flags, &quotes, io_ch, NULL);
-	if(outlen < 0) return -1;
+	if(len < 0) return -1;
 	outlen += len;
 	if(quotes) outlen += 2;
 	if(!arg) return outlen;
 	if(quotes && !io_ch(arg, "\"", 1)) return -1;
-	do_buf(str->data, str->length, type, flags, NULL, io_ch, arg);
+	if(do_buf(str->data, str->length, type, flags, NULL, io_ch, arg) < 0)
+		return -1;
 	if(quotes && !io_ch(arg, "\"", 1)) return -1;
 	return outlen;
 }
@@ -513,7 +516,7 @@ int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags)
 	return do_name_ex(send_bio_chars, out, nm, indent, flags);
 }
 
-
+#ifndef OPENSSL_NO_FP_API
 int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags)
 {
 	if(flags == XN_FLAG_COMPAT)
@@ -528,17 +531,19 @@ int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long fla
 		}
 	return do_name_ex(send_fp_chars, fp, nm, indent, flags);
 }
+#endif
 
 int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags)
 {
 	return do_print_ex(send_bio_chars, out, flags, str);
 }
 
-
+#ifndef OPENSSL_NO_FP_API
 int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags)
 {
 	return do_print_ex(send_fp_chars, fp, flags, str);
 }
+#endif
 
 /* Utility function: convert any string type to UTF8, returns number of bytes
  * in output string or a negative error code
@@ -553,12 +558,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 	if((type < 0) || (type > 30)) return -1;
 	mbflag = tag2nbyte[type];
 	if(mbflag == -1) return -1;
-	if (mbflag == 0)
-		mbflag = MBSTRING_UTF8;
-	else if (mbflag == 4)
-		mbflag = MBSTRING_UNIV;
-	else		
-		mbflag |= MBSTRING_FLAG;
+	mbflag |= MBSTRING_FLAG;
 	stmp.data = NULL;
 	ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
 	if(ret < 0) return ret;
diff --git a/crypto/openssl/crypto/asn1/a_type.c b/crypto/openssl/crypto/asn1/a_type.c
index fe3fcd40b0b2..a6acef16f3b3 100644
--- a/crypto/openssl/crypto/asn1/a_type.c
+++ b/crypto/openssl/crypto/asn1/a_type.c
@@ -57,8 +57,8 @@
  */
 
 #include <stdio.h>
-#include <openssl/asn1t.h>
 #include "cryptlib.h"
+#include <openssl/asn1t.h>
 
 int ASN1_TYPE_get(ASN1_TYPE *a)
 	{
@@ -71,7 +71,10 @@ int ASN1_TYPE_get(ASN1_TYPE *a)
 void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value)
 	{
 	if (a->value.ptr != NULL)
-		ASN1_primitive_free((ASN1_VALUE **)&a, NULL);
+		{
+		ASN1_TYPE **tmp_a = &a;
+		ASN1_primitive_free((ASN1_VALUE **)tmp_a, NULL);
+		}
 	a->type=type;
 	a->value.ptr=value;
 	}
diff --git a/crypto/openssl/crypto/asn1/a_utctm.c b/crypto/openssl/crypto/asn1/a_utctm.c
index 999852dae527..d31c0281930b 100644
--- a/crypto/openssl/crypto/asn1/a_utctm.c
+++ b/crypto/openssl/crypto/asn1/a_utctm.c
@@ -162,7 +162,7 @@ err:
 	return(0);
 	}
 
-int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str)
+int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str)
 	{
 	ASN1_UTCTIME t;
 
@@ -173,8 +173,9 @@ int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str)
 		{
 		if (s != NULL)
 			{
-			ASN1_STRING_set((ASN1_STRING *)s,
-				(unsigned char *)str,t.length);
+			if (!ASN1_STRING_set((ASN1_STRING *)s,
+				(unsigned char *)str,t.length))
+				return 0;
 			s->type = V_ASN1_UTCTIME;
 			}
 		return(1);
@@ -203,7 +204,11 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 	if ((p == NULL) || ((size_t)s->length < len))
 		{
 		p=OPENSSL_malloc(len);
-		if (p == NULL) return(NULL);
+		if (p == NULL)
+			{
+			ASN1err(ASN1_F_ASN1_UTCTIME_SET,ERR_R_MALLOC_FAILURE);
+			return(NULL);
+			}
 		if (s->data != NULL)
 			OPENSSL_free(s->data);
 		s->data=(unsigned char *)p;
diff --git a/crypto/openssl/crypto/asn1/a_verify.c b/crypto/openssl/crypto/asn1/a_verify.c
index da2a0a6d6950..fdce6e4380b6 100644
--- a/crypto/openssl/crypto/asn1/a_verify.c
+++ b/crypto/openssl/crypto/asn1/a_verify.c
@@ -73,8 +73,8 @@
 
 #ifndef NO_ASN1_OLD
 
-int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
-	     char *data, EVP_PKEY *pkey)
+int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
+		char *data, EVP_PKEY *pkey)
 	{
 	EVP_MD_CTX ctx;
 	const EVP_MD *type;
@@ -138,7 +138,14 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 	type=EVP_get_digestbyname(OBJ_nid2sn(i));
 	if (type == NULL)
 		{
-		ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+		goto err;
+		}
+
+	if (!EVP_VerifyInit_ex(&ctx,type, NULL))
+		{
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
+		ret=0;
 		goto err;
 		}
 
@@ -146,11 +153,10 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 	
 	if (buf_in == NULL)
 		{
-		ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
 
-	EVP_VerifyInit_ex(&ctx,type, NULL);
 	EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
 
 	OPENSSL_cleanse(buf_in,(unsigned int)inl);
@@ -159,7 +165,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
 			(unsigned int)signature->length,pkey) <= 0)
 		{
-		ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
 		ret=0;
 		goto err;
 		}
diff --git a/crypto/openssl/crypto/asn1/asn1.h b/crypto/openssl/crypto/asn1/asn1.h
index 3414509f1b74..30f1eecd5b90 100644
--- a/crypto/openssl/crypto/asn1/asn1.h
+++ b/crypto/openssl/crypto/asn1/asn1.h
@@ -60,17 +60,19 @@
 #define HEADER_ASN1_H
 
 #include <time.h>
+#include <openssl/e_os2.h>
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
-#include <openssl/e_os2.h>
-#include <openssl/bn.h>
 #include <openssl/stack.h>
 #include <openssl/safestack.h>
 
 #include <openssl/symhacks.h>
 
 #include <openssl/ossl_typ.h>
+#ifndef OPENSSL_NO_DEPRECATED
+#include <openssl/bn.h>
+#endif
 
 #ifdef OPENSSL_BUILD_SHLIBCRYPTO
 # undef OPENSSL_EXTERN
@@ -147,19 +149,24 @@ extern "C" {
 #define B_ASN1_UTF8STRING	0x2000
 #define B_ASN1_UTCTIME		0x4000
 #define B_ASN1_GENERALIZEDTIME	0x8000
+#define B_ASN1_SEQUENCE		0x10000
 
 /* For use with ASN1_mbstring_copy() */
 #define MBSTRING_FLAG		0x1000
+#define MBSTRING_UTF8		(MBSTRING_FLAG)
 #define MBSTRING_ASC		(MBSTRING_FLAG|1)
 #define MBSTRING_BMP		(MBSTRING_FLAG|2)
-#define MBSTRING_UNIV		(MBSTRING_FLAG|3)
-#define MBSTRING_UTF8		(MBSTRING_FLAG|4)
+#define MBSTRING_UNIV		(MBSTRING_FLAG|4)
 
 struct X509_algor_st;
 
 #define DECLARE_ASN1_SET_OF(type) /* filled in by mkstack.pl */
 #define IMPLEMENT_ASN1_SET_OF(type) /* nothing, no longer needed */
 
+/* We MUST make sure that, except for constness, asn1_ctx_st and
+   asn1_const_ctx are exactly the same.  Fortunately, as soon as
+   the old ASN1 parsing macros are gone, we can throw this away
+   as well... */
 typedef struct asn1_ctx_st
 	{
 	unsigned char *p;/* work char pointer */
@@ -175,6 +182,21 @@ typedef struct asn1_ctx_st
 	int line;	/* used in error processing */
 	} ASN1_CTX;
 
+typedef struct asn1_const_ctx_st
+	{
+	const unsigned char *p;/* work char pointer */
+	int eos;	/* end of sequence read for indefinite encoding */
+	int error;	/* error code to use when returning an error */
+	int inf;	/* constructed if 0x20, indefinite is 0x21 */
+	int tag;	/* tag from last 'get object' */
+	int xclass;	/* class from last 'get object' */
+	long slen;	/* length of last 'get object' */
+	const unsigned char *max; /* largest value of p allowed */
+	const unsigned char *q;/* temporary variable */
+	const unsigned char **pp;/* variable */
+	int line;	/* used in error processing */
+	} ASN1_const_CTX;
+
 /* These are used internally in the ASN1_OBJECT to keep track of
  * whether the names and data need to be free()ed */
 #define ASN1_OBJECT_FLAG_DYNAMIC	 0x01	/* internal use */
@@ -191,6 +213,11 @@ typedef struct asn1_object_st
 	} ASN1_OBJECT;
 
 #define ASN1_STRING_FLAG_BITS_LEFT 0x08 /* Set if 0x07 has bits left value */
+/* This indicates that the ASN1_STRING is not a real value but just a place
+ * holder for the location where indefinite length constructed data should
+ * be inserted in the memory buffer 
+ */
+#define ASN1_STRING_FLAG_NDEF 0x010 
 /* This is the base type that holds just about everything :-) */
 typedef struct asn1_string_st
 	{
@@ -259,18 +286,19 @@ typedef struct ASN1_VALUE_st ASN1_VALUE;
 
 #define DECLARE_ASN1_FUNCTIONS(type) DECLARE_ASN1_FUNCTIONS_name(type, type)
 
+#define DECLARE_ASN1_ALLOC_FUNCTIONS(type) \
+	DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, type)
+
 #define DECLARE_ASN1_FUNCTIONS_name(type, name) \
-	type *name##_new(void); \
-	void name##_free(type *a); \
+	DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \
 	DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name)
 
 #define DECLARE_ASN1_FUNCTIONS_fname(type, itname, name) \
-	type *name##_new(void); \
-	void name##_free(type *a); \
+	DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \
 	DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name)
 
 #define	DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) \
-	type *d2i_##name(type **a, unsigned char **in, long len); \
+	type *d2i_##name(type **a, const unsigned char **in, long len); \
 	int i2d_##name(type *a, unsigned char **out); \
 	DECLARE_ASN1_ITEM(itname)
 
@@ -279,10 +307,26 @@ typedef struct ASN1_VALUE_st ASN1_VALUE;
 	int i2d_##name(const type *a, unsigned char **out); \
 	DECLARE_ASN1_ITEM(name)
 
+#define	DECLARE_ASN1_NDEF_FUNCTION(name) \
+	int i2d_##name##_NDEF(name *a, unsigned char **out);
+
 #define DECLARE_ASN1_FUNCTIONS_const(name) \
 	name *name##_new(void); \
 	void name##_free(name *a);
 
+#define DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \
+	type *name##_new(void); \
+	void name##_free(type *a);
+
+#define D2I_OF(type) type *(*)(type **,const unsigned char **,long)
+#define I2D_OF(type) int (*)(type *,unsigned char **)
+#define I2D_OF_const(type) int (*)(const type *,unsigned char **)
+
+#define TYPEDEF_D2I_OF(type) typedef type *d2i_of_##type(type **,const unsigned char **,long)
+#define TYPEDEF_I2D_OF(type) typedef int i2d_of_##type(type *,unsigned char **)
+#define TYPEDEF_D2I2D_OF(type) TYPEDEF_D2I_OF(type); TYPEDEF_I2D_OF(type)
+
+TYPEDEF_D2I2D_OF(void);
 
 /* The following macros and typedefs allow an ASN1_ITEM
  * to be embedded in a structure and referenced. Since
@@ -475,17 +519,17 @@ DECLARE_ASN1_SET_OF(ASN1_TYPE)
 
 typedef struct asn1_method_st
 	{
-	int (*i2d)();
-	char *(*d2i)();
-	char *(*create)();
-	void (*destroy)();
+	i2d_of_void *i2d;
+	d2i_of_void *d2i;
+	void *(*create)(void);
+	void (*destroy)(void *);
 	} ASN1_METHOD;
 
 /* This is used when parsing some Netscape objects */
 typedef struct asn1_header_st
 	{
 	ASN1_OCTET_STRING *header;
-	char *data;
+	void *data;
 	ASN1_METHOD *meth;
 	} ASN1_HEADER;
 
@@ -551,6 +595,7 @@ typedef struct BIT_STRING_BITNAME_st {
 			B_ASN1_UNIVERSALSTRING|\
 			B_ASN1_BMPSTRING|\
 			B_ASN1_UTF8STRING|\
+			B_ASN1_SEQUENCE|\
 			B_ASN1_UNKNOWN
 
 #define B_ASN1_DIRECTORYSTRING \
@@ -700,9 +745,9 @@ void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
 ASN1_OBJECT *	ASN1_OBJECT_new(void );
 void		ASN1_OBJECT_free(ASN1_OBJECT *a);
 int		i2d_ASN1_OBJECT(ASN1_OBJECT *a,unsigned char **pp);
-ASN1_OBJECT *	c2i_ASN1_OBJECT(ASN1_OBJECT **a,unsigned char **pp,
+ASN1_OBJECT *	c2i_ASN1_OBJECT(ASN1_OBJECT **a,const unsigned char **pp,
 			long length);
-ASN1_OBJECT *	d2i_ASN1_OBJECT(ASN1_OBJECT **a,unsigned char **pp,
+ASN1_OBJECT *	d2i_ASN1_OBJECT(ASN1_OBJECT **a,const unsigned char **pp,
 			long length);
 
 DECLARE_ASN1_ITEM(ASN1_OBJECT)
@@ -725,7 +770,7 @@ unsigned char * ASN1_STRING_data(ASN1_STRING *x);
 
 DECLARE_ASN1_FUNCTIONS(ASN1_BIT_STRING)
 int		i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a,unsigned char **pp);
-ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,unsigned char **pp,
+ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,const unsigned char **pp,
 			long length);
 int		ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d,
 			int length );
@@ -741,13 +786,13 @@ int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
 				BIT_STRING_BITNAME *tbl);
 
 int		i2d_ASN1_BOOLEAN(int a,unsigned char **pp);
-int 		d2i_ASN1_BOOLEAN(int *a,unsigned char **pp,long length);
+int 		d2i_ASN1_BOOLEAN(int *a,const unsigned char **pp,long length);
 
 DECLARE_ASN1_FUNCTIONS(ASN1_INTEGER)
 int		i2c_ASN1_INTEGER(ASN1_INTEGER *a,unsigned char **pp);
-ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a,unsigned char **pp,
+ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a,const unsigned char **pp,
 			long length);
-ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a,unsigned char **pp,
+ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a,const unsigned char **pp,
 			long length);
 ASN1_INTEGER *	ASN1_INTEGER_dup(ASN1_INTEGER *x);
 int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y);
@@ -756,7 +801,7 @@ DECLARE_ASN1_FUNCTIONS(ASN1_ENUMERATED)
 
 int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
 ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s,time_t t);
-int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str); 
+int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str);
 int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
 #if 0
 time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s);
@@ -764,12 +809,12 @@ time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s);
 
 int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *a);
 ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,time_t t);
-int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str); 
+int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str);
 
 DECLARE_ASN1_FUNCTIONS(ASN1_OCTET_STRING)
 ASN1_OCTET_STRING *	ASN1_OCTET_STRING_dup(ASN1_OCTET_STRING *a);
 int 	ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b);
-int 	ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, unsigned char *data, int len);
+int 	ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, const unsigned char *data, int len);
 
 DECLARE_ASN1_FUNCTIONS(ASN1_VISIBLESTRING)
 DECLARE_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING)
@@ -792,15 +837,17 @@ DECLARE_ASN1_FUNCTIONS(ASN1_UTCTIME)
 DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME)
 DECLARE_ASN1_FUNCTIONS(ASN1_TIME)
 
+DECLARE_ASN1_ITEM(ASN1_OCTET_STRING_NDEF)
+
 ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s,time_t t);
 int ASN1_TIME_check(ASN1_TIME *t);
 ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);
 
-int		i2d_ASN1_SET(STACK *a, unsigned char **pp,
-			int (*func)(), int ex_tag, int ex_class, int is_set);
-STACK *		d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
-			char *(*func)(), void (*free_func)(void *),
-			int ex_tag, int ex_class);
+int i2d_ASN1_SET(STACK *a, unsigned char **pp,
+		 i2d_of_void *i2d, int ex_tag, int ex_class, int is_set);
+STACK *	d2i_ASN1_SET(STACK **a, const unsigned char **pp, long length,
+		     d2i_of_void *d2i, void (*free_func)(void *),
+		     int ex_tag, int ex_class);
 
 #ifndef OPENSSL_NO_BIO
 int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a);
@@ -829,36 +876,49 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai,BIGNUM *bn);
 
 /* General */
 /* given a string, return the correct type, max is the maximum length */
-int ASN1_PRINTABLE_type(unsigned char *s, int max);
+int ASN1_PRINTABLE_type(const unsigned char *s, int max);
 
 int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass);
-ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp,
+ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp,
 	long length, int Ptag, int Pclass);
 unsigned long ASN1_tag2bit(int tag);
 /* type is one or more of the B_ASN1_ values. */
-ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a,unsigned char **pp,
+ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a,const unsigned char **pp,
 		long length,int type);
 
 /* PARSING */
 int asn1_Finish(ASN1_CTX *c);
+int asn1_const_Finish(ASN1_const_CTX *c);
 
 /* SPECIALS */
-int ASN1_get_object(unsigned char **pp, long *plength, int *ptag,
+int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
 	int *pclass, long omax);
 int ASN1_check_infinite_end(unsigned char **p,long len);
+int ASN1_const_check_infinite_end(const unsigned char **p,long len);
 void ASN1_put_object(unsigned char **pp, int constructed, int length,
 	int tag, int xclass);
+int ASN1_put_eoc(unsigned char **pp);
 int ASN1_object_size(int constructed, int length, int tag);
 
 /* Used to implement other functions */
-char *ASN1_dup(int (*i2d)(),char *(*d2i)(),char *x);
+void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, char *x);
+#define ASN1_dup_of(type,i2d,d2i,x) \
+	((type *(*)(I2D_OF(type),D2I_OF(type),type *))openssl_fcast(ASN1_dup))(i2d,d2i,x)
+#define ASN1_dup_of_const(type,i2d,d2i,x) \
+	((type *(*)(I2D_OF_const(type),D2I_OF(type),type *))openssl_fcast(ASN1_dup))(i2d,d2i,x)
 
 void *ASN1_item_dup(const ASN1_ITEM *it, void *x);
 
 #ifndef OPENSSL_NO_FP_API
-char *ASN1_d2i_fp(char *(*xnew)(),char *(*d2i)(),FILE *fp,unsigned char **x);
+void *ASN1_d2i_fp(void *(*xnew)(void), d2i_of_void *d2i, FILE *in, void **x);
+#define ASN1_d2i_fp_of(type,xnew,d2i,in,x) \
+	((type *(*)(type *(*)(void),D2I_OF(type),FILE *,type **))openssl_fcast(ASN1_d2i_fp))(xnew,d2i,in,x)
 void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x);
-int ASN1_i2d_fp(int (*i2d)(),FILE *out,unsigned char *x);
+int ASN1_i2d_fp(i2d_of_void *i2d,FILE *out,void *x);
+#define ASN1_i2d_fp_of(type,i2d,out,x) \
+	((int (*)(I2D_OF(type),FILE *,type *))openssl_fcast(ASN1_i2d_fp))(i2d,out,x)
+#define ASN1_i2d_fp_of_const(type,i2d,out,x) \
+	((int (*)(I2D_OF_const(type),FILE *,type *))openssl_fcast(ASN1_i2d_fp))(i2d,out,x)
 int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x);
 int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags);
 #endif
@@ -866,23 +926,29 @@ int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags);
 int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in);
 
 #ifndef OPENSSL_NO_BIO
-char *ASN1_d2i_bio(char *(*xnew)(),char *(*d2i)(),BIO *bp,unsigned char **x);
+void *ASN1_d2i_bio(void *(*xnew)(void), d2i_of_void *d2i, BIO *in, void **x);
+#define ASN1_d2i_bio_of(type,xnew,d2i,in,x) \
+	((type *(*)(type *(*)(void),D2I_OF(type),BIO *,type **))openssl_fcast(ASN1_d2i_bio))(xnew,d2i,in,x)
 void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x);
-int ASN1_i2d_bio(int (*i2d)(),BIO *out,unsigned char *x);
+int ASN1_i2d_bio(i2d_of_void *i2d,BIO *out, unsigned char *x);
+#define ASN1_i2d_bio_of(type,i2d,out,x) \
+	((int (*)(I2D_OF(type),BIO *,type *))openssl_fcast(ASN1_i2d_bio))(i2d,out,x)
+#define ASN1_i2d_bio_of_const(type,i2d,out,x) \
+	((int (*)(I2D_OF_const(type),BIO *,const type *))openssl_fcast(ASN1_i2d_bio))(i2d,out,x)
 int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x);
 int ASN1_UTCTIME_print(BIO *fp,ASN1_UTCTIME *a);
 int ASN1_GENERALIZEDTIME_print(BIO *fp,ASN1_GENERALIZEDTIME *a);
 int ASN1_TIME_print(BIO *fp,ASN1_TIME *a);
 int ASN1_STRING_print(BIO *bp,ASN1_STRING *v);
 int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags);
-int ASN1_parse(BIO *bp,unsigned char *pp,long len,int indent);
-int ASN1_parse_dump(BIO *bp,unsigned char *pp,long len,int indent,int dump);
+int ASN1_parse(BIO *bp,const unsigned char *pp,long len,int indent);
+int ASN1_parse_dump(BIO *bp,const unsigned char *pp,long len,int indent,int dump);
 #endif
 const char *ASN1_tag2str(int tag);
 
 /* Used to load and write netscape format cert/key */
 int i2d_ASN1_HEADER(ASN1_HEADER *a,unsigned char **pp);
-ASN1_HEADER *d2i_ASN1_HEADER(ASN1_HEADER **a,unsigned char **pp, long length);
+ASN1_HEADER *d2i_ASN1_HEADER(ASN1_HEADER **a,const unsigned char **pp, long length);
 ASN1_HEADER *ASN1_HEADER_new(void );
 void ASN1_HEADER_free(ASN1_HEADER *a);
 
@@ -903,13 +969,16 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num,
 int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a,long *num,
 	unsigned char *data, int max_len);
 
-STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(),
-						 void (*free_func)(void *) ); 
-unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf,
-			     int *len );
-void *ASN1_unpack_string(ASN1_STRING *oct, char *(*d2i)());
+STACK *ASN1_seq_unpack(const unsigned char *buf, int len,
+		       d2i_of_void *d2i, void (*free_func)(void *));
+unsigned char *ASN1_seq_pack(STACK *safes, i2d_of_void *i2d,
+			     unsigned char **buf, int *len );
+void *ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i);
 void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it);
-ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
+ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d,
+			      ASN1_OCTET_STRING **oct);
+#define ASN1_pack_string_of(type,obj,i2d,oct) \
+	((ASN1_STRING *(*)(type *,I2D_OF(type),ASN1_OCTET_STRING **))openssl_fcast(ASN1_pack_string))(obj,i2d,oct)
 ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_OCTET_STRING **oct);
 
 void ASN1_STRING_set_default_mask(unsigned long mask);
@@ -932,11 +1001,15 @@ void ASN1_STRING_TABLE_cleanup(void);
 /* Old API compatible functions */
 ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it);
 void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it);
-ASN1_VALUE * ASN1_item_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_ITEM *it);
+ASN1_VALUE * ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_ITEM *it);
 int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it);
+int ASN1_item_ndef_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it);
 
 void ASN1_add_oid_module(void);
 
+ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf);
+ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf);
+	
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
@@ -950,43 +1023,67 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_A2I_ASN1_ENUMERATED			 101
 #define ASN1_F_A2I_ASN1_INTEGER				 102
 #define ASN1_F_A2I_ASN1_STRING				 103
+#define ASN1_F_APPEND_EXP				 176
+#define ASN1_F_ASN1_BIT_STRING_SET_BIT			 183
+#define ASN1_F_ASN1_CB					 177
 #define ASN1_F_ASN1_CHECK_TLEN				 104
 #define ASN1_F_ASN1_COLLATE_PRIMITIVE			 105
 #define ASN1_F_ASN1_COLLECT				 106
-#define ASN1_F_ASN1_D2I_BIO				 107
 #define ASN1_F_ASN1_D2I_EX_PRIMITIVE			 108
 #define ASN1_F_ASN1_D2I_FP				 109
+#define ASN1_F_ASN1_D2I_READ_BIO			 107
+#define ASN1_F_ASN1_DIGEST				 184
 #define ASN1_F_ASN1_DO_ADB				 110
 #define ASN1_F_ASN1_DUP					 111
 #define ASN1_F_ASN1_ENUMERATED_SET			 112
 #define ASN1_F_ASN1_ENUMERATED_TO_BN			 113
+#define ASN1_F_ASN1_EX_C2I				 204
+#define ASN1_F_ASN1_FIND_END				 190
+#define ASN1_F_ASN1_GENERALIZEDTIME_SET			 185
+#define ASN1_F_ASN1_GENERATE_V3				 178
 #define ASN1_F_ASN1_GET_OBJECT				 114
 #define ASN1_F_ASN1_HEADER_NEW				 115
 #define ASN1_F_ASN1_I2D_BIO				 116
 #define ASN1_F_ASN1_I2D_FP				 117
 #define ASN1_F_ASN1_INTEGER_SET				 118
 #define ASN1_F_ASN1_INTEGER_TO_BN			 119
+#define ASN1_F_ASN1_ITEM_D2I_FP				 206
+#define ASN1_F_ASN1_ITEM_DUP				 191
+#define ASN1_F_ASN1_ITEM_EX_COMBINE_NEW			 121
 #define ASN1_F_ASN1_ITEM_EX_D2I				 120
-#define ASN1_F_ASN1_ITEM_NEW				 121
-#define ASN1_F_ASN1_MBSTRING_COPY			 122
+#define ASN1_F_ASN1_ITEM_I2D_BIO			 192
+#define ASN1_F_ASN1_ITEM_I2D_FP				 193
+#define ASN1_F_ASN1_ITEM_PACK				 198
+#define ASN1_F_ASN1_ITEM_SIGN				 195
+#define ASN1_F_ASN1_ITEM_UNPACK				 199
+#define ASN1_F_ASN1_ITEM_VERIFY				 197
+#define ASN1_F_ASN1_MBSTRING_NCOPY			 122
 #define ASN1_F_ASN1_OBJECT_NEW				 123
 #define ASN1_F_ASN1_PACK_STRING				 124
-#define ASN1_F_ASN1_PBE_SET				 125
+#define ASN1_F_ASN1_PCTX_NEW				 205
+#define ASN1_F_ASN1_PKCS5_PBE_SET			 125
 #define ASN1_F_ASN1_SEQ_PACK				 126
 #define ASN1_F_ASN1_SEQ_UNPACK				 127
 #define ASN1_F_ASN1_SIGN				 128
+#define ASN1_F_ASN1_STR2TYPE				 179
+#define ASN1_F_ASN1_STRING_SET				 186
 #define ASN1_F_ASN1_STRING_TABLE_ADD			 129
 #define ASN1_F_ASN1_STRING_TYPE_NEW			 130
-#define ASN1_F_ASN1_TEMPLATE_D2I			 131
 #define ASN1_F_ASN1_TEMPLATE_EX_D2I			 132
 #define ASN1_F_ASN1_TEMPLATE_NEW			 133
+#define ASN1_F_ASN1_TEMPLATE_NOEXP_D2I			 131
 #define ASN1_F_ASN1_TIME_SET				 175
 #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING		 134
 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING		 135
 #define ASN1_F_ASN1_UNPACK_STRING			 136
+#define ASN1_F_ASN1_UTCTIME_SET				 187
 #define ASN1_F_ASN1_VERIFY				 137
+#define ASN1_F_BITSTR_CB				 180
 #define ASN1_F_BN_TO_ASN1_ENUMERATED			 138
 #define ASN1_F_BN_TO_ASN1_INTEGER			 139
+#define ASN1_F_C2I_ASN1_BIT_STRING			 189
+#define ASN1_F_C2I_ASN1_INTEGER				 194
+#define ASN1_F_C2I_ASN1_OBJECT				 196
 #define ASN1_F_COLLECT_DATA				 140
 #define ASN1_F_D2I_ASN1_BIT_STRING			 141
 #define ASN1_F_D2I_ASN1_BOOLEAN				 142
@@ -1003,23 +1100,30 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_D2I_NETSCAPE_RSA_2			 153
 #define ASN1_F_D2I_PRIVATEKEY				 154
 #define ASN1_F_D2I_PUBLICKEY				 155
+#define ASN1_F_D2I_RSA_NET				 200
+#define ASN1_F_D2I_RSA_NET_2				 201
 #define ASN1_F_D2I_X509					 156
 #define ASN1_F_D2I_X509_CINF				 157
-#define ASN1_F_D2I_X509_NAME				 158
 #define ASN1_F_D2I_X509_PKEY				 159
+#define ASN1_F_I2D_ASN1_SET				 188
 #define ASN1_F_I2D_ASN1_TIME				 160
 #define ASN1_F_I2D_DSA_PUBKEY				 161
-#define ASN1_F_I2D_NETSCAPE_RSA				 162
+#define ASN1_F_I2D_EC_PUBKEY				 181
 #define ASN1_F_I2D_PRIVATEKEY				 163
 #define ASN1_F_I2D_PUBLICKEY				 164
+#define ASN1_F_I2D_RSA_NET				 162
 #define ASN1_F_I2D_RSA_PUBKEY				 165
 #define ASN1_F_LONG_C2I					 166
 #define ASN1_F_OID_MODULE_INIT				 174
+#define ASN1_F_PARSE_TAGGING				 182
 #define ASN1_F_PKCS5_PBE2_SET				 167
+#define ASN1_F_PKCS5_PBE_SET				 202
 #define ASN1_F_X509_CINF_NEW				 168
 #define ASN1_F_X509_CRL_ADD0_REVOKED			 169
 #define ASN1_F_X509_INFO_NEW				 170
-#define ASN1_F_X509_NAME_NEW				 171
+#define ASN1_F_X509_NAME_ENCODE				 203
+#define ASN1_F_X509_NAME_EX_D2I				 158
+#define ASN1_F_X509_NAME_EX_NEW				 171
 #define ASN1_F_X509_NEW					 172
 #define ASN1_F_X509_PKEY_NEW				 173
 
@@ -1037,6 +1141,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_DATA_IS_WRONG				 109
 #define ASN1_R_DECODE_ERROR				 110
 #define ASN1_R_DECODING_ERROR				 111
+#define ASN1_R_DEPTH_EXCEEDED				 174
 #define ASN1_R_ENCODE_ERROR				 112
 #define ASN1_R_ERROR_GETTING_TIME			 173
 #define ASN1_R_ERROR_LOADING_SECTION			 172
@@ -1051,38 +1156,58 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_FIELD_MISSING				 121
 #define ASN1_R_FIRST_NUM_TOO_LARGE			 122
 #define ASN1_R_HEADER_TOO_LONG				 123
+#define ASN1_R_ILLEGAL_BITSTRING_FORMAT			 175
+#define ASN1_R_ILLEGAL_BOOLEAN				 176
 #define ASN1_R_ILLEGAL_CHARACTERS			 124
+#define ASN1_R_ILLEGAL_FORMAT				 177
+#define ASN1_R_ILLEGAL_HEX				 178
+#define ASN1_R_ILLEGAL_IMPLICIT_TAG			 179
+#define ASN1_R_ILLEGAL_INTEGER				 180
+#define ASN1_R_ILLEGAL_NESTED_TAGGING			 181
 #define ASN1_R_ILLEGAL_NULL				 125
+#define ASN1_R_ILLEGAL_NULL_VALUE			 182
+#define ASN1_R_ILLEGAL_OBJECT				 183
 #define ASN1_R_ILLEGAL_OPTIONAL_ANY			 126
 #define ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE		 170
 #define ASN1_R_ILLEGAL_TAGGED_ANY			 127
+#define ASN1_R_ILLEGAL_TIME_VALUE			 184
+#define ASN1_R_INTEGER_NOT_ASCII_FORMAT			 185
 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG		 128
 #define ASN1_R_INVALID_BMPSTRING_LENGTH			 129
 #define ASN1_R_INVALID_DIGIT				 130
+#define ASN1_R_INVALID_MODIFIER				 186
+#define ASN1_R_INVALID_NUMBER				 187
 #define ASN1_R_INVALID_SEPARATOR			 131
 #define ASN1_R_INVALID_TIME_FORMAT			 132
 #define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH		 133
 #define ASN1_R_INVALID_UTF8STRING			 134
 #define ASN1_R_IV_TOO_LARGE				 135
 #define ASN1_R_LENGTH_ERROR				 136
+#define ASN1_R_LIST_ERROR				 188
 #define ASN1_R_MISSING_EOC				 137
 #define ASN1_R_MISSING_SECOND_NUMBER			 138
+#define ASN1_R_MISSING_VALUE				 189
 #define ASN1_R_MSTRING_NOT_UNIVERSAL			 139
 #define ASN1_R_MSTRING_WRONG_TAG			 140
+#define ASN1_R_NESTED_ASN1_STRING			 197
 #define ASN1_R_NON_HEX_CHARACTERS			 141
+#define ASN1_R_NOT_ASCII_FORMAT				 190
 #define ASN1_R_NOT_ENOUGH_DATA				 142
 #define ASN1_R_NO_MATCHING_CHOICE_TYPE			 143
 #define ASN1_R_NULL_IS_WRONG_LENGTH			 144
+#define ASN1_R_OBJECT_NOT_ASCII_FORMAT			 191
 #define ASN1_R_ODD_NUMBER_OF_CHARS			 145
 #define ASN1_R_PRIVATE_KEY_HEADER_MISSING		 146
 #define ASN1_R_SECOND_NUMBER_TOO_LARGE			 147
 #define ASN1_R_SEQUENCE_LENGTH_MISMATCH			 148
 #define ASN1_R_SEQUENCE_NOT_CONSTRUCTED			 149
+#define ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG		 192
 #define ASN1_R_SHORT_LINE				 150
 #define ASN1_R_STRING_TOO_LONG				 151
 #define ASN1_R_STRING_TOO_SHORT				 152
 #define ASN1_R_TAG_VALUE_TOO_HIGH			 153
 #define ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 154
+#define ASN1_R_TIME_NOT_ASCII_FORMAT			 193
 #define ASN1_R_TOO_LONG					 155
 #define ASN1_R_TYPE_NOT_CONSTRUCTED			 156
 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY			 157
@@ -1092,10 +1217,13 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM		 161
 #define ASN1_R_UNKNOWN_OBJECT_TYPE			 162
 #define ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE			 163
+#define ASN1_R_UNKNOWN_TAG				 194
+#define ASN1_R_UNKOWN_FORMAT				 195
 #define ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE		 164
 #define ASN1_R_UNSUPPORTED_CIPHER			 165
 #define ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM		 166
 #define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE		 167
+#define ASN1_R_UNSUPPORTED_TYPE				 196
 #define ASN1_R_WRONG_TAG				 168
 #define ASN1_R_WRONG_TYPE				 169
 
diff --git a/crypto/openssl/crypto/asn1/asn1_err.c b/crypto/openssl/crypto/asn1/asn1_err.c
index 094ec06fda08..c672d2ebe5f4 100644
--- a/crypto/openssl/crypto/asn1/asn1_err.c
+++ b/crypto/openssl/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,163 +64,222 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_ASN1,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_ASN1,0,reason)
+
 static ERR_STRING_DATA ASN1_str_functs[]=
 	{
-{ERR_PACK(0,ASN1_F_A2D_ASN1_OBJECT,0),	"a2d_ASN1_OBJECT"},
-{ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0),	"a2i_ASN1_ENUMERATED"},
-{ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0),	"a2i_ASN1_INTEGER"},
-{ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0),	"a2i_ASN1_STRING"},
-{ERR_PACK(0,ASN1_F_ASN1_CHECK_TLEN,0),	"ASN1_CHECK_TLEN"},
-{ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0),	"ASN1_COLLATE_PRIMITIVE"},
-{ERR_PACK(0,ASN1_F_ASN1_COLLECT,0),	"ASN1_COLLECT"},
-{ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0),	"ASN1_d2i_bio"},
-{ERR_PACK(0,ASN1_F_ASN1_D2I_EX_PRIMITIVE,0),	"ASN1_D2I_EX_PRIMITIVE"},
-{ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0),	"ASN1_d2i_fp"},
-{ERR_PACK(0,ASN1_F_ASN1_DO_ADB,0),	"ASN1_DO_ADB"},
-{ERR_PACK(0,ASN1_F_ASN1_DUP,0),	"ASN1_dup"},
-{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0),	"ASN1_ENUMERATED_set"},
-{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0),	"ASN1_ENUMERATED_to_BN"},
-{ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0),	"ASN1_get_object"},
-{ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0),	"ASN1_HEADER_new"},
-{ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0),	"ASN1_i2d_bio"},
-{ERR_PACK(0,ASN1_F_ASN1_I2D_FP,0),	"ASN1_i2d_fp"},
-{ERR_PACK(0,ASN1_F_ASN1_INTEGER_SET,0),	"ASN1_INTEGER_set"},
-{ERR_PACK(0,ASN1_F_ASN1_INTEGER_TO_BN,0),	"ASN1_INTEGER_to_BN"},
-{ERR_PACK(0,ASN1_F_ASN1_ITEM_EX_D2I,0),	"ASN1_ITEM_EX_D2I"},
-{ERR_PACK(0,ASN1_F_ASN1_ITEM_NEW,0),	"ASN1_item_new"},
-{ERR_PACK(0,ASN1_F_ASN1_MBSTRING_COPY,0),	"ASN1_mbstring_copy"},
-{ERR_PACK(0,ASN1_F_ASN1_OBJECT_NEW,0),	"ASN1_OBJECT_new"},
-{ERR_PACK(0,ASN1_F_ASN1_PACK_STRING,0),	"ASN1_pack_string"},
-{ERR_PACK(0,ASN1_F_ASN1_PBE_SET,0),	"ASN1_PBE_SET"},
-{ERR_PACK(0,ASN1_F_ASN1_SEQ_PACK,0),	"ASN1_seq_pack"},
-{ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0),	"ASN1_seq_unpack"},
-{ERR_PACK(0,ASN1_F_ASN1_SIGN,0),	"ASN1_sign"},
-{ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0),	"ASN1_STRING_TABLE_add"},
-{ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0),	"ASN1_STRING_type_new"},
-{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0),	"ASN1_TEMPLATE_D2I"},
-{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_EX_D2I,0),	"ASN1_TEMPLATE_EX_D2I"},
-{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_NEW,0),	"ASN1_TEMPLATE_NEW"},
-{ERR_PACK(0,ASN1_F_ASN1_TIME_SET,0),	"ASN1_TIME_set"},
-{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0),	"ASN1_TYPE_get_int_octetstring"},
-{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0),	"ASN1_TYPE_get_octetstring"},
-{ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0),	"ASN1_unpack_string"},
-{ERR_PACK(0,ASN1_F_ASN1_VERIFY,0),	"ASN1_verify"},
-{ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0),	"BN_to_ASN1_ENUMERATED"},
-{ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0),	"BN_to_ASN1_INTEGER"},
-{ERR_PACK(0,ASN1_F_COLLECT_DATA,0),	"COLLECT_DATA"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_BIT_STRING,0),	"D2I_ASN1_BIT_STRING"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_BOOLEAN,0),	"d2i_ASN1_BOOLEAN"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_BYTES,0),	"d2i_ASN1_bytes"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_GENERALIZEDTIME,0),	"D2I_ASN1_GENERALIZEDTIME"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_HEADER,0),	"d2i_ASN1_HEADER"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_INTEGER,0),	"D2I_ASN1_INTEGER"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_OBJECT,0),	"d2i_ASN1_OBJECT"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_SET,0),	"d2i_ASN1_SET"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_TYPE_BYTES,0),	"d2i_ASN1_type_bytes"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_UINTEGER,0),	"d2i_ASN1_UINTEGER"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_UTCTIME,0),	"D2I_ASN1_UTCTIME"},
-{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA,0),	"d2i_Netscape_RSA"},
-{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA_2,0),	"D2I_NETSCAPE_RSA_2"},
-{ERR_PACK(0,ASN1_F_D2I_PRIVATEKEY,0),	"d2i_PrivateKey"},
-{ERR_PACK(0,ASN1_F_D2I_PUBLICKEY,0),	"d2i_PublicKey"},
-{ERR_PACK(0,ASN1_F_D2I_X509,0),	"D2I_X509"},
-{ERR_PACK(0,ASN1_F_D2I_X509_CINF,0),	"D2I_X509_CINF"},
-{ERR_PACK(0,ASN1_F_D2I_X509_NAME,0),	"D2I_X509_NAME"},
-{ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0),	"d2i_X509_PKEY"},
-{ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),	"I2D_ASN1_TIME"},
-{ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0),	"i2d_DSA_PUBKEY"},
-{ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0),	"i2d_Netscape_RSA"},
-{ERR_PACK(0,ASN1_F_I2D_PRIVATEKEY,0),	"i2d_PrivateKey"},
-{ERR_PACK(0,ASN1_F_I2D_PUBLICKEY,0),	"i2d_PublicKey"},
-{ERR_PACK(0,ASN1_F_I2D_RSA_PUBKEY,0),	"i2d_RSA_PUBKEY"},
-{ERR_PACK(0,ASN1_F_LONG_C2I,0),	"LONG_C2I"},
-{ERR_PACK(0,ASN1_F_OID_MODULE_INIT,0),	"OID_MODULE_INIT"},
-{ERR_PACK(0,ASN1_F_PKCS5_PBE2_SET,0),	"PKCS5_pbe2_set"},
-{ERR_PACK(0,ASN1_F_X509_CINF_NEW,0),	"X509_CINF_NEW"},
-{ERR_PACK(0,ASN1_F_X509_CRL_ADD0_REVOKED,0),	"X509_CRL_add0_revoked"},
-{ERR_PACK(0,ASN1_F_X509_INFO_NEW,0),	"X509_INFO_new"},
-{ERR_PACK(0,ASN1_F_X509_NAME_NEW,0),	"X509_NAME_NEW"},
-{ERR_PACK(0,ASN1_F_X509_NEW,0),	"X509_NEW"},
-{ERR_PACK(0,ASN1_F_X509_PKEY_NEW,0),	"X509_PKEY_new"},
+{ERR_FUNC(ASN1_F_A2D_ASN1_OBJECT),	"a2d_ASN1_OBJECT"},
+{ERR_FUNC(ASN1_F_A2I_ASN1_ENUMERATED),	"a2i_ASN1_ENUMERATED"},
+{ERR_FUNC(ASN1_F_A2I_ASN1_INTEGER),	"a2i_ASN1_INTEGER"},
+{ERR_FUNC(ASN1_F_A2I_ASN1_STRING),	"a2i_ASN1_STRING"},
+{ERR_FUNC(ASN1_F_APPEND_EXP),	"APPEND_EXP"},
+{ERR_FUNC(ASN1_F_ASN1_BIT_STRING_SET_BIT),	"ASN1_BIT_STRING_set_bit"},
+{ERR_FUNC(ASN1_F_ASN1_CB),	"ASN1_CB"},
+{ERR_FUNC(ASN1_F_ASN1_CHECK_TLEN),	"ASN1_CHECK_TLEN"},
+{ERR_FUNC(ASN1_F_ASN1_COLLATE_PRIMITIVE),	"ASN1_COLLATE_PRIMITIVE"},
+{ERR_FUNC(ASN1_F_ASN1_COLLECT),	"ASN1_COLLECT"},
+{ERR_FUNC(ASN1_F_ASN1_D2I_EX_PRIMITIVE),	"ASN1_D2I_EX_PRIMITIVE"},
+{ERR_FUNC(ASN1_F_ASN1_D2I_FP),	"ASN1_d2i_fp"},
+{ERR_FUNC(ASN1_F_ASN1_D2I_READ_BIO),	"ASN1_D2I_READ_BIO"},
+{ERR_FUNC(ASN1_F_ASN1_DIGEST),	"ASN1_digest"},
+{ERR_FUNC(ASN1_F_ASN1_DO_ADB),	"ASN1_DO_ADB"},
+{ERR_FUNC(ASN1_F_ASN1_DUP),	"ASN1_dup"},
+{ERR_FUNC(ASN1_F_ASN1_ENUMERATED_SET),	"ASN1_ENUMERATED_set"},
+{ERR_FUNC(ASN1_F_ASN1_ENUMERATED_TO_BN),	"ASN1_ENUMERATED_to_BN"},
+{ERR_FUNC(ASN1_F_ASN1_EX_C2I),	"ASN1_EX_C2I"},
+{ERR_FUNC(ASN1_F_ASN1_FIND_END),	"ASN1_FIND_END"},
+{ERR_FUNC(ASN1_F_ASN1_GENERALIZEDTIME_SET),	"ASN1_GENERALIZEDTIME_set"},
+{ERR_FUNC(ASN1_F_ASN1_GENERATE_V3),	"ASN1_generate_v3"},
+{ERR_FUNC(ASN1_F_ASN1_GET_OBJECT),	"ASN1_get_object"},
+{ERR_FUNC(ASN1_F_ASN1_HEADER_NEW),	"ASN1_HEADER_new"},
+{ERR_FUNC(ASN1_F_ASN1_I2D_BIO),	"ASN1_i2d_bio"},
+{ERR_FUNC(ASN1_F_ASN1_I2D_FP),	"ASN1_i2d_fp"},
+{ERR_FUNC(ASN1_F_ASN1_INTEGER_SET),	"ASN1_INTEGER_set"},
+{ERR_FUNC(ASN1_F_ASN1_INTEGER_TO_BN),	"ASN1_INTEGER_to_BN"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_D2I_FP),	"ASN1_item_d2i_fp"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_DUP),	"ASN1_item_dup"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW),	"ASN1_ITEM_EX_COMBINE_NEW"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I),	"ASN1_ITEM_EX_D2I"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_BIO),	"ASN1_item_i2d_bio"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_FP),	"ASN1_item_i2d_fp"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_PACK),	"ASN1_item_pack"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_SIGN),	"ASN1_item_sign"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_UNPACK),	"ASN1_item_unpack"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_VERIFY),	"ASN1_item_verify"},
+{ERR_FUNC(ASN1_F_ASN1_MBSTRING_NCOPY),	"ASN1_mbstring_ncopy"},
+{ERR_FUNC(ASN1_F_ASN1_OBJECT_NEW),	"ASN1_OBJECT_new"},
+{ERR_FUNC(ASN1_F_ASN1_PACK_STRING),	"ASN1_pack_string"},
+{ERR_FUNC(ASN1_F_ASN1_PCTX_NEW),	"ASN1_PCTX_NEW"},
+{ERR_FUNC(ASN1_F_ASN1_PKCS5_PBE_SET),	"ASN1_PKCS5_PBE_SET"},
+{ERR_FUNC(ASN1_F_ASN1_SEQ_PACK),	"ASN1_seq_pack"},
+{ERR_FUNC(ASN1_F_ASN1_SEQ_UNPACK),	"ASN1_seq_unpack"},
+{ERR_FUNC(ASN1_F_ASN1_SIGN),	"ASN1_sign"},
+{ERR_FUNC(ASN1_F_ASN1_STR2TYPE),	"ASN1_STR2TYPE"},
+{ERR_FUNC(ASN1_F_ASN1_STRING_SET),	"ASN1_STRING_set"},
+{ERR_FUNC(ASN1_F_ASN1_STRING_TABLE_ADD),	"ASN1_STRING_TABLE_add"},
+{ERR_FUNC(ASN1_F_ASN1_STRING_TYPE_NEW),	"ASN1_STRING_type_new"},
+{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_EX_D2I),	"ASN1_TEMPLATE_EX_D2I"},
+{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NEW),	"ASN1_TEMPLATE_NEW"},
+{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I),	"ASN1_TEMPLATE_NOEXP_D2I"},
+{ERR_FUNC(ASN1_F_ASN1_TIME_SET),	"ASN1_TIME_SET"},
+{ERR_FUNC(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING),	"ASN1_TYPE_get_int_octetstring"},
+{ERR_FUNC(ASN1_F_ASN1_TYPE_GET_OCTETSTRING),	"ASN1_TYPE_get_octetstring"},
+{ERR_FUNC(ASN1_F_ASN1_UNPACK_STRING),	"ASN1_unpack_string"},
+{ERR_FUNC(ASN1_F_ASN1_UTCTIME_SET),	"ASN1_UTCTIME_set"},
+{ERR_FUNC(ASN1_F_ASN1_VERIFY),	"ASN1_verify"},
+{ERR_FUNC(ASN1_F_BITSTR_CB),	"BITSTR_CB"},
+{ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED),	"BN_to_ASN1_ENUMERATED"},
+{ERR_FUNC(ASN1_F_BN_TO_ASN1_INTEGER),	"BN_to_ASN1_INTEGER"},
+{ERR_FUNC(ASN1_F_C2I_ASN1_BIT_STRING),	"c2i_ASN1_BIT_STRING"},
+{ERR_FUNC(ASN1_F_C2I_ASN1_INTEGER),	"c2i_ASN1_INTEGER"},
+{ERR_FUNC(ASN1_F_C2I_ASN1_OBJECT),	"c2i_ASN1_OBJECT"},
+{ERR_FUNC(ASN1_F_COLLECT_DATA),	"COLLECT_DATA"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_BIT_STRING),	"D2I_ASN1_BIT_STRING"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_BOOLEAN),	"d2i_ASN1_BOOLEAN"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_BYTES),	"d2i_ASN1_bytes"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_GENERALIZEDTIME),	"D2I_ASN1_GENERALIZEDTIME"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_HEADER),	"d2i_ASN1_HEADER"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_INTEGER),	"D2I_ASN1_INTEGER"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_OBJECT),	"d2i_ASN1_OBJECT"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_SET),	"d2i_ASN1_SET"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_TYPE_BYTES),	"d2i_ASN1_type_bytes"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_UINTEGER),	"d2i_ASN1_UINTEGER"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_UTCTIME),	"D2I_ASN1_UTCTIME"},
+{ERR_FUNC(ASN1_F_D2I_NETSCAPE_RSA),	"d2i_Netscape_RSA"},
+{ERR_FUNC(ASN1_F_D2I_NETSCAPE_RSA_2),	"D2I_NETSCAPE_RSA_2"},
+{ERR_FUNC(ASN1_F_D2I_PRIVATEKEY),	"d2i_PrivateKey"},
+{ERR_FUNC(ASN1_F_D2I_PUBLICKEY),	"d2i_PublicKey"},
+{ERR_FUNC(ASN1_F_D2I_RSA_NET),	"d2i_RSA_NET"},
+{ERR_FUNC(ASN1_F_D2I_RSA_NET_2),	"D2I_RSA_NET_2"},
+{ERR_FUNC(ASN1_F_D2I_X509),	"D2I_X509"},
+{ERR_FUNC(ASN1_F_D2I_X509_CINF),	"D2I_X509_CINF"},
+{ERR_FUNC(ASN1_F_D2I_X509_PKEY),	"d2i_X509_PKEY"},
+{ERR_FUNC(ASN1_F_I2D_ASN1_SET),	"i2d_ASN1_SET"},
+{ERR_FUNC(ASN1_F_I2D_ASN1_TIME),	"I2D_ASN1_TIME"},
+{ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY),	"i2d_DSA_PUBKEY"},
+{ERR_FUNC(ASN1_F_I2D_EC_PUBKEY),	"i2d_EC_PUBKEY"},
+{ERR_FUNC(ASN1_F_I2D_PRIVATEKEY),	"i2d_PrivateKey"},
+{ERR_FUNC(ASN1_F_I2D_PUBLICKEY),	"i2d_PublicKey"},
+{ERR_FUNC(ASN1_F_I2D_RSA_NET),	"i2d_RSA_NET"},
+{ERR_FUNC(ASN1_F_I2D_RSA_PUBKEY),	"i2d_RSA_PUBKEY"},
+{ERR_FUNC(ASN1_F_LONG_C2I),	"LONG_C2I"},
+{ERR_FUNC(ASN1_F_OID_MODULE_INIT),	"OID_MODULE_INIT"},
+{ERR_FUNC(ASN1_F_PARSE_TAGGING),	"PARSE_TAGGING"},
+{ERR_FUNC(ASN1_F_PKCS5_PBE2_SET),	"PKCS5_pbe2_set"},
+{ERR_FUNC(ASN1_F_PKCS5_PBE_SET),	"PKCS5_PBE_SET"},
+{ERR_FUNC(ASN1_F_X509_CINF_NEW),	"X509_CINF_NEW"},
+{ERR_FUNC(ASN1_F_X509_CRL_ADD0_REVOKED),	"X509_CRL_ADD0_REVOKED"},
+{ERR_FUNC(ASN1_F_X509_INFO_NEW),	"X509_INFO_NEW"},
+{ERR_FUNC(ASN1_F_X509_NAME_ENCODE),	"X509_NAME_ENCODE"},
+{ERR_FUNC(ASN1_F_X509_NAME_EX_D2I),	"X509_NAME_EX_D2I"},
+{ERR_FUNC(ASN1_F_X509_NAME_EX_NEW),	"X509_NAME_EX_NEW"},
+{ERR_FUNC(ASN1_F_X509_NEW),	"X509_NEW"},
+{ERR_FUNC(ASN1_F_X509_PKEY_NEW),	"X509_PKEY_new"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA ASN1_str_reasons[]=
 	{
-{ASN1_R_ADDING_OBJECT                    ,"adding object"},
-{ASN1_R_AUX_ERROR                        ,"aux error"},
-{ASN1_R_BAD_CLASS                        ,"bad class"},
-{ASN1_R_BAD_OBJECT_HEADER                ,"bad object header"},
-{ASN1_R_BAD_PASSWORD_READ                ,"bad password read"},
-{ASN1_R_BAD_TAG                          ,"bad tag"},
-{ASN1_R_BN_LIB                           ,"bn lib"},
-{ASN1_R_BOOLEAN_IS_WRONG_LENGTH          ,"boolean is wrong length"},
-{ASN1_R_BUFFER_TOO_SMALL                 ,"buffer too small"},
-{ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER  ,"cipher has no object identifier"},
-{ASN1_R_DATA_IS_WRONG                    ,"data is wrong"},
-{ASN1_R_DECODE_ERROR                     ,"decode error"},
-{ASN1_R_DECODING_ERROR                   ,"decoding error"},
-{ASN1_R_ENCODE_ERROR                     ,"encode error"},
-{ASN1_R_ERROR_GETTING_TIME               ,"error getting time"},
-{ASN1_R_ERROR_LOADING_SECTION            ,"error loading section"},
-{ASN1_R_ERROR_PARSING_SET_ELEMENT        ,"error parsing set element"},
-{ASN1_R_ERROR_SETTING_CIPHER_PARAMS      ,"error setting cipher params"},
-{ASN1_R_EXPECTING_AN_INTEGER             ,"expecting an integer"},
-{ASN1_R_EXPECTING_AN_OBJECT              ,"expecting an object"},
-{ASN1_R_EXPECTING_A_BOOLEAN              ,"expecting a boolean"},
-{ASN1_R_EXPECTING_A_TIME                 ,"expecting a time"},
-{ASN1_R_EXPLICIT_LENGTH_MISMATCH         ,"explicit length mismatch"},
-{ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED     ,"explicit tag not constructed"},
-{ASN1_R_FIELD_MISSING                    ,"field missing"},
-{ASN1_R_FIRST_NUM_TOO_LARGE              ,"first num too large"},
-{ASN1_R_HEADER_TOO_LONG                  ,"header too long"},
-{ASN1_R_ILLEGAL_CHARACTERS               ,"illegal characters"},
-{ASN1_R_ILLEGAL_NULL                     ,"illegal null"},
-{ASN1_R_ILLEGAL_OPTIONAL_ANY             ,"illegal optional any"},
-{ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE ,"illegal options on item template"},
-{ASN1_R_ILLEGAL_TAGGED_ANY               ,"illegal tagged any"},
-{ASN1_R_INTEGER_TOO_LARGE_FOR_LONG       ,"integer too large for long"},
-{ASN1_R_INVALID_BMPSTRING_LENGTH         ,"invalid bmpstring length"},
-{ASN1_R_INVALID_DIGIT                    ,"invalid digit"},
-{ASN1_R_INVALID_SEPARATOR                ,"invalid separator"},
-{ASN1_R_INVALID_TIME_FORMAT              ,"invalid time format"},
-{ASN1_R_INVALID_UNIVERSALSTRING_LENGTH   ,"invalid universalstring length"},
-{ASN1_R_INVALID_UTF8STRING               ,"invalid utf8string"},
-{ASN1_R_IV_TOO_LARGE                     ,"iv too large"},
-{ASN1_R_LENGTH_ERROR                     ,"length error"},
-{ASN1_R_MISSING_EOC                      ,"missing eoc"},
-{ASN1_R_MISSING_SECOND_NUMBER            ,"missing second number"},
-{ASN1_R_MSTRING_NOT_UNIVERSAL            ,"mstring not universal"},
-{ASN1_R_MSTRING_WRONG_TAG                ,"mstring wrong tag"},
-{ASN1_R_NON_HEX_CHARACTERS               ,"non hex characters"},
-{ASN1_R_NOT_ENOUGH_DATA                  ,"not enough data"},
-{ASN1_R_NO_MATCHING_CHOICE_TYPE          ,"no matching choice type"},
-{ASN1_R_NULL_IS_WRONG_LENGTH             ,"null is wrong length"},
-{ASN1_R_ODD_NUMBER_OF_CHARS              ,"odd number of chars"},
-{ASN1_R_PRIVATE_KEY_HEADER_MISSING       ,"private key header missing"},
-{ASN1_R_SECOND_NUMBER_TOO_LARGE          ,"second number too large"},
-{ASN1_R_SEQUENCE_LENGTH_MISMATCH         ,"sequence length mismatch"},
-{ASN1_R_SEQUENCE_NOT_CONSTRUCTED         ,"sequence not constructed"},
-{ASN1_R_SHORT_LINE                       ,"short line"},
-{ASN1_R_STRING_TOO_LONG                  ,"string too long"},
-{ASN1_R_STRING_TOO_SHORT                 ,"string too short"},
-{ASN1_R_TAG_VALUE_TOO_HIGH               ,"tag value too high"},
-{ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"},
-{ASN1_R_TOO_LONG                         ,"too long"},
-{ASN1_R_TYPE_NOT_CONSTRUCTED             ,"type not constructed"},
-{ASN1_R_UNABLE_TO_DECODE_RSA_KEY         ,"unable to decode rsa key"},
-{ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY ,"unable to decode rsa private key"},
-{ASN1_R_UNEXPECTED_EOC                   ,"unexpected eoc"},
-{ASN1_R_UNKNOWN_FORMAT                   ,"unknown format"},
-{ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM ,"unknown message digest algorithm"},
-{ASN1_R_UNKNOWN_OBJECT_TYPE              ,"unknown object type"},
-{ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE          ,"unknown public key type"},
-{ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE  ,"unsupported any defined by type"},
-{ASN1_R_UNSUPPORTED_CIPHER               ,"unsupported cipher"},
-{ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM ,"unsupported encryption algorithm"},
-{ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE      ,"unsupported public key type"},
-{ASN1_R_WRONG_TAG                        ,"wrong tag"},
-{ASN1_R_WRONG_TYPE                       ,"wrong type"},
+{ERR_REASON(ASN1_R_ADDING_OBJECT)        ,"adding object"},
+{ERR_REASON(ASN1_R_AUX_ERROR)            ,"aux error"},
+{ERR_REASON(ASN1_R_BAD_CLASS)            ,"bad class"},
+{ERR_REASON(ASN1_R_BAD_OBJECT_HEADER)    ,"bad object header"},
+{ERR_REASON(ASN1_R_BAD_PASSWORD_READ)    ,"bad password read"},
+{ERR_REASON(ASN1_R_BAD_TAG)              ,"bad tag"},
+{ERR_REASON(ASN1_R_BN_LIB)               ,"bn lib"},
+{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
+{ERR_REASON(ASN1_R_BUFFER_TOO_SMALL)     ,"buffer too small"},
+{ERR_REASON(ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER),"cipher has no object identifier"},
+{ERR_REASON(ASN1_R_DATA_IS_WRONG)        ,"data is wrong"},
+{ERR_REASON(ASN1_R_DECODE_ERROR)         ,"decode error"},
+{ERR_REASON(ASN1_R_DECODING_ERROR)       ,"decoding error"},
+{ERR_REASON(ASN1_R_DEPTH_EXCEEDED)       ,"depth exceeded"},
+{ERR_REASON(ASN1_R_ENCODE_ERROR)         ,"encode error"},
+{ERR_REASON(ASN1_R_ERROR_GETTING_TIME)   ,"error getting time"},
+{ERR_REASON(ASN1_R_ERROR_LOADING_SECTION),"error loading section"},
+{ERR_REASON(ASN1_R_ERROR_PARSING_SET_ELEMENT),"error parsing set element"},
+{ERR_REASON(ASN1_R_ERROR_SETTING_CIPHER_PARAMS),"error setting cipher params"},
+{ERR_REASON(ASN1_R_EXPECTING_AN_INTEGER) ,"expecting an integer"},
+{ERR_REASON(ASN1_R_EXPECTING_AN_OBJECT)  ,"expecting an object"},
+{ERR_REASON(ASN1_R_EXPECTING_A_BOOLEAN)  ,"expecting a boolean"},
+{ERR_REASON(ASN1_R_EXPECTING_A_TIME)     ,"expecting a time"},
+{ERR_REASON(ASN1_R_EXPLICIT_LENGTH_MISMATCH),"explicit length mismatch"},
+{ERR_REASON(ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED),"explicit tag not constructed"},
+{ERR_REASON(ASN1_R_FIELD_MISSING)        ,"field missing"},
+{ERR_REASON(ASN1_R_FIRST_NUM_TOO_LARGE)  ,"first num too large"},
+{ERR_REASON(ASN1_R_HEADER_TOO_LONG)      ,"header too long"},
+{ERR_REASON(ASN1_R_ILLEGAL_BITSTRING_FORMAT),"illegal bitstring format"},
+{ERR_REASON(ASN1_R_ILLEGAL_BOOLEAN)      ,"illegal boolean"},
+{ERR_REASON(ASN1_R_ILLEGAL_CHARACTERS)   ,"illegal characters"},
+{ERR_REASON(ASN1_R_ILLEGAL_FORMAT)       ,"illegal format"},
+{ERR_REASON(ASN1_R_ILLEGAL_HEX)          ,"illegal hex"},
+{ERR_REASON(ASN1_R_ILLEGAL_IMPLICIT_TAG) ,"illegal implicit tag"},
+{ERR_REASON(ASN1_R_ILLEGAL_INTEGER)      ,"illegal integer"},
+{ERR_REASON(ASN1_R_ILLEGAL_NESTED_TAGGING),"illegal nested tagging"},
+{ERR_REASON(ASN1_R_ILLEGAL_NULL)         ,"illegal null"},
+{ERR_REASON(ASN1_R_ILLEGAL_NULL_VALUE)   ,"illegal null value"},
+{ERR_REASON(ASN1_R_ILLEGAL_OBJECT)       ,"illegal object"},
+{ERR_REASON(ASN1_R_ILLEGAL_OPTIONAL_ANY) ,"illegal optional any"},
+{ERR_REASON(ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE),"illegal options on item template"},
+{ERR_REASON(ASN1_R_ILLEGAL_TAGGED_ANY)   ,"illegal tagged any"},
+{ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE)   ,"illegal time value"},
+{ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
+{ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
+{ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
+{ERR_REASON(ASN1_R_INVALID_DIGIT)        ,"invalid digit"},
+{ERR_REASON(ASN1_R_INVALID_MODIFIER)     ,"invalid modifier"},
+{ERR_REASON(ASN1_R_INVALID_NUMBER)       ,"invalid number"},
+{ERR_REASON(ASN1_R_INVALID_SEPARATOR)    ,"invalid separator"},
+{ERR_REASON(ASN1_R_INVALID_TIME_FORMAT)  ,"invalid time format"},
+{ERR_REASON(ASN1_R_INVALID_UNIVERSALSTRING_LENGTH),"invalid universalstring length"},
+{ERR_REASON(ASN1_R_INVALID_UTF8STRING)   ,"invalid utf8string"},
+{ERR_REASON(ASN1_R_IV_TOO_LARGE)         ,"iv too large"},
+{ERR_REASON(ASN1_R_LENGTH_ERROR)         ,"length error"},
+{ERR_REASON(ASN1_R_LIST_ERROR)           ,"list error"},
+{ERR_REASON(ASN1_R_MISSING_EOC)          ,"missing eoc"},
+{ERR_REASON(ASN1_R_MISSING_SECOND_NUMBER),"missing second number"},
+{ERR_REASON(ASN1_R_MISSING_VALUE)        ,"missing value"},
+{ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL),"mstring not universal"},
+{ERR_REASON(ASN1_R_MSTRING_WRONG_TAG)    ,"mstring wrong tag"},
+{ERR_REASON(ASN1_R_NESTED_ASN1_STRING)   ,"nested asn1 string"},
+{ERR_REASON(ASN1_R_NON_HEX_CHARACTERS)   ,"non hex characters"},
+{ERR_REASON(ASN1_R_NOT_ASCII_FORMAT)     ,"not ascii format"},
+{ERR_REASON(ASN1_R_NOT_ENOUGH_DATA)      ,"not enough data"},
+{ERR_REASON(ASN1_R_NO_MATCHING_CHOICE_TYPE),"no matching choice type"},
+{ERR_REASON(ASN1_R_NULL_IS_WRONG_LENGTH) ,"null is wrong length"},
+{ERR_REASON(ASN1_R_OBJECT_NOT_ASCII_FORMAT),"object not ascii format"},
+{ERR_REASON(ASN1_R_ODD_NUMBER_OF_CHARS)  ,"odd number of chars"},
+{ERR_REASON(ASN1_R_PRIVATE_KEY_HEADER_MISSING),"private key header missing"},
+{ERR_REASON(ASN1_R_SECOND_NUMBER_TOO_LARGE),"second number too large"},
+{ERR_REASON(ASN1_R_SEQUENCE_LENGTH_MISMATCH),"sequence length mismatch"},
+{ERR_REASON(ASN1_R_SEQUENCE_NOT_CONSTRUCTED),"sequence not constructed"},
+{ERR_REASON(ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG),"sequence or set needs config"},
+{ERR_REASON(ASN1_R_SHORT_LINE)           ,"short line"},
+{ERR_REASON(ASN1_R_STRING_TOO_LONG)      ,"string too long"},
+{ERR_REASON(ASN1_R_STRING_TOO_SHORT)     ,"string too short"},
+{ERR_REASON(ASN1_R_TAG_VALUE_TOO_HIGH)   ,"tag value too high"},
+{ERR_REASON(ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
+{ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT),"time not ascii format"},
+{ERR_REASON(ASN1_R_TOO_LONG)             ,"too long"},
+{ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"},
+{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
+{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
+{ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},
+{ERR_REASON(ASN1_R_UNKNOWN_FORMAT)       ,"unknown format"},
+{ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"},
+{ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE)  ,"unknown object type"},
+{ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"},
+{ERR_REASON(ASN1_R_UNKNOWN_TAG)          ,"unknown tag"},
+{ERR_REASON(ASN1_R_UNKOWN_FORMAT)        ,"unkown format"},
+{ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"},
+{ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER)   ,"unsupported cipher"},
+{ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"},
+{ERR_REASON(ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE),"unsupported public key type"},
+{ERR_REASON(ASN1_R_UNSUPPORTED_TYPE)     ,"unsupported type"},
+{ERR_REASON(ASN1_R_WRONG_TAG)            ,"wrong tag"},
+{ERR_REASON(ASN1_R_WRONG_TYPE)           ,"wrong type"},
 {0,NULL}
 	};
 
@@ -234,8 +293,8 @@ void ERR_load_ASN1_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_ASN1,ASN1_str_functs);
-		ERR_load_strings(ERR_LIB_ASN1,ASN1_str_reasons);
+		ERR_load_strings(0,ASN1_str_functs);
+		ERR_load_strings(0,ASN1_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/asn1/asn1_gen.c b/crypto/openssl/crypto/asn1/asn1_gen.c
new file mode 100644
index 000000000000..26c832781e40
--- /dev/null
+++ b/crypto/openssl/crypto/asn1/asn1_gen.c
@@ -0,0 +1,848 @@
+/* asn1_gen.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2002.
+ */
+/* ====================================================================
+ * Copyright (c) 2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/x509v3.h>
+
+#define ASN1_GEN_FLAG		0x10000
+#define ASN1_GEN_FLAG_IMP	(ASN1_GEN_FLAG|1)
+#define ASN1_GEN_FLAG_EXP	(ASN1_GEN_FLAG|2)
+#define ASN1_GEN_FLAG_TAG	(ASN1_GEN_FLAG|3)
+#define ASN1_GEN_FLAG_BITWRAP	(ASN1_GEN_FLAG|4)
+#define ASN1_GEN_FLAG_OCTWRAP	(ASN1_GEN_FLAG|5)
+#define ASN1_GEN_FLAG_SEQWRAP	(ASN1_GEN_FLAG|6)
+#define ASN1_GEN_FLAG_SETWRAP	(ASN1_GEN_FLAG|7)
+#define ASN1_GEN_FLAG_FORMAT	(ASN1_GEN_FLAG|8)
+
+#define ASN1_GEN_STR(str,val)	{str, sizeof(str) - 1, val}
+
+#define ASN1_FLAG_EXP_MAX	20
+
+/* Input formats */
+
+/* ASCII: default */
+#define ASN1_GEN_FORMAT_ASCII	1
+/* UTF8 */
+#define ASN1_GEN_FORMAT_UTF8	2
+/* Hex */
+#define ASN1_GEN_FORMAT_HEX	3
+/* List of bits */
+#define ASN1_GEN_FORMAT_BITLIST	4
+
+
+struct tag_name_st
+	{
+	const char *strnam;
+	int len;
+	int tag;
+	};
+
+typedef struct
+	{
+	int exp_tag;
+	int exp_class;
+	int exp_constructed;
+	int exp_pad;
+	long exp_len;
+	} tag_exp_type;
+
+typedef struct
+	{
+	int imp_tag;
+	int imp_class;
+	int utype;
+	int format;
+	const char *str;
+	tag_exp_type exp_list[ASN1_FLAG_EXP_MAX];
+	int exp_count;
+	} tag_exp_arg;
+
+static int bitstr_cb(const char *elem, int len, void *bitstr);
+static int asn1_cb(const char *elem, int len, void *bitstr);
+static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class, int exp_constructed, int exp_pad, int imp_ok);
+static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass);
+static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf);
+static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype);
+static int asn1_str2tag(const char *tagstr, int len);
+
+ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf)
+	{
+	X509V3_CTX cnf;
+
+	if (!nconf)
+		return ASN1_generate_v3(str, NULL);
+
+	X509V3_set_nconf(&cnf, nconf);
+	return ASN1_generate_v3(str, &cnf);
+	}
+
+ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf)
+	{
+	ASN1_TYPE *ret;
+	tag_exp_arg asn1_tags;
+	tag_exp_type *etmp;
+
+	int i, len;
+
+	unsigned char *orig_der = NULL, *new_der = NULL;
+	const unsigned char *cpy_start;
+	unsigned char *p;
+	const unsigned char *cp;
+	int cpy_len;
+	long hdr_len;
+	int hdr_constructed = 0, hdr_tag, hdr_class;
+	int r;
+
+	asn1_tags.imp_tag = -1;
+	asn1_tags.imp_class = -1;
+	asn1_tags.format = ASN1_GEN_FORMAT_ASCII;
+	asn1_tags.exp_count = 0;
+	if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0)
+		return NULL;
+
+	if ((asn1_tags.utype == V_ASN1_SEQUENCE) || (asn1_tags.utype == V_ASN1_SET))
+		{
+		if (!cnf)
+			{
+			ASN1err(ASN1_F_ASN1_GENERATE_V3, ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG);
+			return NULL;
+			}
+		ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf);
+		}
+	else
+		ret = asn1_str2type(asn1_tags.str, asn1_tags.format, asn1_tags.utype);
+
+	if (!ret)
+		return NULL;
+
+	/* If no tagging return base type */
+	if ((asn1_tags.imp_tag == -1) && (asn1_tags.exp_count == 0))
+		return ret;
+
+	/* Generate the encoding */
+	cpy_len = i2d_ASN1_TYPE(ret, &orig_der);
+	ASN1_TYPE_free(ret);
+	ret = NULL;
+	/* Set point to start copying for modified encoding */
+	cpy_start = orig_der;
+
+	/* Do we need IMPLICIT tagging? */
+	if (asn1_tags.imp_tag != -1)
+		{
+		/* If IMPLICIT we will replace the underlying tag */
+		/* Skip existing tag+len */
+		r = ASN1_get_object(&cpy_start, &hdr_len, &hdr_tag, &hdr_class, cpy_len);
+		if (r & 0x80)
+			goto err;
+		/* Update copy length */
+		cpy_len -= cpy_start - orig_der;
+		/* For IMPLICIT tagging the length should match the
+		 * original length and constructed flag should be
+		 * consistent.
+		 */
+		if (r & 0x1)
+			{
+			/* Indefinite length constructed */
+			hdr_constructed = 2;
+			hdr_len = 0;
+			}
+		else
+			/* Just retain constructed flag */
+			hdr_constructed = r & V_ASN1_CONSTRUCTED;
+		/* Work out new length with IMPLICIT tag: ignore constructed
+		 * because it will mess up if indefinite length
+		 */
+		len = ASN1_object_size(0, hdr_len, asn1_tags.imp_tag);
+		}
+	else
+		len = cpy_len;
+
+	/* Work out length in any EXPLICIT, starting from end */
+
+	for(i = 0, etmp = asn1_tags.exp_list + asn1_tags.exp_count - 1; i < asn1_tags.exp_count; i++, etmp--)
+		{
+		/* Content length: number of content octets + any padding */
+		len += etmp->exp_pad;
+		etmp->exp_len = len;
+		/* Total object length: length including new header */
+		len = ASN1_object_size(0, len, etmp->exp_tag);
+		}
+
+	/* Allocate buffer for new encoding */
+
+	new_der = OPENSSL_malloc(len);
+
+	/* Generate tagged encoding */
+
+	p = new_der;
+
+	/* Output explicit tags first */
+
+	for (i = 0, etmp = asn1_tags.exp_list; i < asn1_tags.exp_count; i++, etmp++)
+		{
+		ASN1_put_object(&p, etmp->exp_constructed, etmp->exp_len,
+					etmp->exp_tag, etmp->exp_class);
+		if (etmp->exp_pad)
+			*p++ = 0;
+		}
+
+	/* If IMPLICIT, output tag */
+
+	if (asn1_tags.imp_tag != -1)
+		ASN1_put_object(&p, hdr_constructed, hdr_len,
+					asn1_tags.imp_tag, asn1_tags.imp_class);
+
+	/* Copy across original encoding */
+	memcpy(p, cpy_start, cpy_len);
+
+	cp = new_der;
+
+	/* Obtain new ASN1_TYPE structure */
+	ret = d2i_ASN1_TYPE(NULL, &cp, len);
+
+	err:
+	if (orig_der)
+		OPENSSL_free(orig_der);
+	if (new_der)
+		OPENSSL_free(new_der);
+
+	return ret;
+
+	}
+
+static int asn1_cb(const char *elem, int len, void *bitstr)
+	{
+	tag_exp_arg *arg = bitstr;
+	int i;
+	int utype;
+	int vlen = 0;
+	const char *p, *vstart = NULL;
+
+	int tmp_tag, tmp_class;
+
+	for(i = 0, p = elem; i < len; p++, i++)
+		{
+		/* Look for the ':' in name value pairs */
+		if (*p == ':')
+			{
+			vstart = p + 1;
+			vlen = len - (vstart - elem);
+			len = p - elem;
+			break;
+			}
+		}
+
+	utype = asn1_str2tag(elem, len);
+
+	if (utype == -1)
+		{
+		ASN1err(ASN1_F_ASN1_CB, ASN1_R_UNKNOWN_TAG);
+		ERR_add_error_data(2, "tag=", elem);
+		return -1;
+		}
+
+	/* If this is not a modifier mark end of string and exit */
+	if (!(utype & ASN1_GEN_FLAG))
+		{
+		arg->utype = utype;
+		arg->str = vstart;
+		/* If no value and not end of string, error */
+		if (!vstart && elem[len])
+			{
+			ASN1err(ASN1_F_ASN1_CB, ASN1_R_MISSING_VALUE);
+			return -1;
+			}
+		return 0;
+		}
+
+	switch(utype)
+		{
+
+		case ASN1_GEN_FLAG_IMP:
+		/* Check for illegal multiple IMPLICIT tagging */
+		if (arg->imp_tag != -1)
+			{
+			ASN1err(ASN1_F_ASN1_CB, ASN1_R_ILLEGAL_NESTED_TAGGING);
+			return -1;
+			}
+		if (!parse_tagging(vstart, vlen, &arg->imp_tag, &arg->imp_class))
+			return -1;
+		break;
+
+		case ASN1_GEN_FLAG_EXP:
+
+		if (!parse_tagging(vstart, vlen, &tmp_tag, &tmp_class))
+			return -1;
+		if (!append_exp(arg, tmp_tag, tmp_class, 1, 0, 0))
+			return -1;
+		break;
+
+		case ASN1_GEN_FLAG_SEQWRAP:
+		if (!append_exp(arg, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, 1, 0, 1))
+			return -1;
+		break;
+
+		case ASN1_GEN_FLAG_SETWRAP:
+		if (!append_exp(arg, V_ASN1_SET, V_ASN1_UNIVERSAL, 1, 0, 1))
+			return -1;
+		break;
+
+		case ASN1_GEN_FLAG_BITWRAP:
+		if (!append_exp(arg, V_ASN1_BIT_STRING, V_ASN1_UNIVERSAL, 0, 1, 1))
+			return -1;
+		break;
+
+		case ASN1_GEN_FLAG_OCTWRAP:
+		if (!append_exp(arg, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL, 0, 0, 1))
+			return -1;
+		break;
+
+		case ASN1_GEN_FLAG_FORMAT:
+		if (!strncmp(vstart, "ASCII", 5))
+			arg->format = ASN1_GEN_FORMAT_ASCII;
+		else if (!strncmp(vstart, "UTF8", 4))
+			arg->format = ASN1_GEN_FORMAT_UTF8;
+		else if (!strncmp(vstart, "HEX", 3))
+			arg->format = ASN1_GEN_FORMAT_HEX;
+		else if (!strncmp(vstart, "BITLIST", 3))
+			arg->format = ASN1_GEN_FORMAT_BITLIST;
+		else
+			{
+			ASN1err(ASN1_F_ASN1_CB, ASN1_R_UNKOWN_FORMAT);
+			return -1;
+			}
+		break;
+
+		}
+
+	return 1;
+
+	}
+
+static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass)
+	{
+	char erch[2];
+	long tag_num;
+	char *eptr;
+	if (!vstart)
+		return 0;
+	tag_num = strtoul(vstart, &eptr, 10);
+	/* Check we haven't gone past max length: should be impossible */
+	if (eptr && *eptr && (eptr > vstart + vlen))
+		return 0;
+	if (tag_num < 0)
+		{
+		ASN1err(ASN1_F_PARSE_TAGGING, ASN1_R_INVALID_NUMBER);
+		return 0;
+		}
+	*ptag = tag_num;
+	/* If we have non numeric characters, parse them */
+	if (eptr)
+		vlen -= eptr - vstart;
+	else 
+		vlen = 0;
+	if (vlen)
+		{
+		switch (*eptr)
+			{
+
+			case 'U':
+			*pclass = V_ASN1_UNIVERSAL;
+			break;
+
+			case 'A':
+			*pclass = V_ASN1_APPLICATION;
+			break;
+
+			case 'P':
+			*pclass = V_ASN1_PRIVATE;
+			break;
+
+			case 'C':
+			*pclass = V_ASN1_CONTEXT_SPECIFIC;
+			break;
+
+			default:
+			erch[0] = *eptr;
+			erch[1] = 0;
+			ASN1err(ASN1_F_PARSE_TAGGING, ASN1_R_INVALID_MODIFIER);
+			ERR_add_error_data(2, "Char=", erch);
+			return 0;
+			break;
+
+			}
+		}
+	else
+		*pclass = V_ASN1_CONTEXT_SPECIFIC;
+
+	return 1;
+
+	}
+
+/* Handle multiple types: SET and SEQUENCE */
+
+static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf)
+	{
+	ASN1_TYPE *ret = NULL, *typ = NULL;
+	STACK_OF(ASN1_TYPE) *sk = NULL;
+	STACK_OF(CONF_VALUE) *sect = NULL;
+	unsigned char *der = NULL, *p;
+	int derlen;
+	int i, is_set;
+	sk = sk_ASN1_TYPE_new_null();
+	if (section)
+		{
+		if (!cnf)
+			goto bad;
+		sect = X509V3_get_section(cnf, (char *)section);
+		if (!sect)
+			goto bad;
+		for (i = 0; i < sk_CONF_VALUE_num(sect); i++)
+			{
+			typ = ASN1_generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf);
+			if (!typ)
+				goto bad;
+			sk_ASN1_TYPE_push(sk, typ);
+			typ = NULL;
+			}
+		}
+
+	/* Now we has a STACK of the components, convert to the correct form */
+
+	if (utype == V_ASN1_SET)
+		is_set = 1;
+	else
+		is_set = 0;
+
+
+	derlen = i2d_ASN1_SET_OF_ASN1_TYPE(sk, NULL, i2d_ASN1_TYPE, utype,
+					   V_ASN1_UNIVERSAL, is_set);
+	der = OPENSSL_malloc(derlen);
+	p = der;
+	i2d_ASN1_SET_OF_ASN1_TYPE(sk, &p, i2d_ASN1_TYPE, utype,
+				  V_ASN1_UNIVERSAL, is_set);
+
+	if (!(ret = ASN1_TYPE_new()))
+		goto bad;
+
+	if (!(ret->value.asn1_string = ASN1_STRING_type_new(utype)))
+		goto bad;
+
+	ret->type = utype;
+
+	ret->value.asn1_string->data = der;
+	ret->value.asn1_string->length = derlen;
+
+	der = NULL;
+
+	bad:
+
+	if (der)
+		OPENSSL_free(der);
+
+	if (sk)
+		sk_ASN1_TYPE_pop_free(sk, ASN1_TYPE_free);
+	if (typ)
+		ASN1_TYPE_free(typ);
+	if (sect)
+		X509V3_section_free(cnf, sect);
+
+	return ret;
+	}
+
+static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class, int exp_constructed, int exp_pad, int imp_ok)
+	{
+	tag_exp_type *exp_tmp;
+	/* Can only have IMPLICIT if permitted */
+	if ((arg->imp_tag != -1) && !imp_ok)
+		{
+		ASN1err(ASN1_F_APPEND_EXP, ASN1_R_ILLEGAL_IMPLICIT_TAG);
+		return 0;
+		}
+
+	if (arg->exp_count == ASN1_FLAG_EXP_MAX)
+		{
+		ASN1err(ASN1_F_APPEND_EXP, ASN1_R_DEPTH_EXCEEDED);
+		return 0;
+		}
+
+	exp_tmp = &arg->exp_list[arg->exp_count++];
+
+	/* If IMPLICIT set tag to implicit value then
+	 * reset implicit tag since it has been used.
+	 */
+	if (arg->imp_tag != -1)
+		{
+		exp_tmp->exp_tag = arg->imp_tag;
+		exp_tmp->exp_class = arg->imp_class;
+		arg->imp_tag = -1;
+		arg->imp_class = -1;
+		}
+	else
+		{
+		exp_tmp->exp_tag = exp_tag;
+		exp_tmp->exp_class = exp_class;
+		}
+	exp_tmp->exp_constructed = exp_constructed;
+	exp_tmp->exp_pad = exp_pad;
+
+	return 1;
+	}
+
+
+static int asn1_str2tag(const char *tagstr, int len)
+	{
+	unsigned int i;
+	static struct tag_name_st *tntmp, tnst [] = {
+		ASN1_GEN_STR("BOOL", V_ASN1_BOOLEAN),
+		ASN1_GEN_STR("BOOLEAN", V_ASN1_BOOLEAN),
+		ASN1_GEN_STR("NULL", V_ASN1_NULL),
+		ASN1_GEN_STR("INT", V_ASN1_INTEGER),
+		ASN1_GEN_STR("INTEGER", V_ASN1_INTEGER),
+		ASN1_GEN_STR("ENUM", V_ASN1_ENUMERATED),
+		ASN1_GEN_STR("ENUMERATED", V_ASN1_ENUMERATED),
+		ASN1_GEN_STR("OID", V_ASN1_OBJECT),
+		ASN1_GEN_STR("OBJECT", V_ASN1_OBJECT),
+		ASN1_GEN_STR("UTCTIME", V_ASN1_UTCTIME),
+		ASN1_GEN_STR("UTC", V_ASN1_UTCTIME),
+		ASN1_GEN_STR("GENERALIZEDTIME", V_ASN1_GENERALIZEDTIME),
+		ASN1_GEN_STR("GENTIME", V_ASN1_GENERALIZEDTIME),
+		ASN1_GEN_STR("OCT", V_ASN1_OCTET_STRING),
+		ASN1_GEN_STR("OCTETSTRING", V_ASN1_OCTET_STRING),
+		ASN1_GEN_STR("BITSTR", V_ASN1_BIT_STRING),
+		ASN1_GEN_STR("BITSTRING", V_ASN1_BIT_STRING),
+		ASN1_GEN_STR("UNIVERSALSTRING", V_ASN1_UNIVERSALSTRING),
+		ASN1_GEN_STR("UNIV", V_ASN1_UNIVERSALSTRING),
+		ASN1_GEN_STR("IA5", V_ASN1_IA5STRING),
+		ASN1_GEN_STR("IA5STRING", V_ASN1_IA5STRING),
+		ASN1_GEN_STR("UTF8", V_ASN1_UTF8STRING),
+		ASN1_GEN_STR("UTF8String", V_ASN1_UTF8STRING),
+		ASN1_GEN_STR("BMP", V_ASN1_BMPSTRING),
+		ASN1_GEN_STR("BMPSTRING", V_ASN1_BMPSTRING),
+		ASN1_GEN_STR("VISIBLESTRING", V_ASN1_VISIBLESTRING),
+		ASN1_GEN_STR("VISIBLE", V_ASN1_VISIBLESTRING),
+		ASN1_GEN_STR("PRINTABLESTRING", V_ASN1_PRINTABLESTRING),
+		ASN1_GEN_STR("PRINTABLE", V_ASN1_PRINTABLESTRING),
+		ASN1_GEN_STR("T61", V_ASN1_T61STRING),
+		ASN1_GEN_STR("T61STRING", V_ASN1_T61STRING),
+		ASN1_GEN_STR("TELETEXSTRING", V_ASN1_T61STRING),
+		ASN1_GEN_STR("GeneralString", V_ASN1_GENERALSTRING),
+		ASN1_GEN_STR("GENSTR", V_ASN1_GENERALSTRING),
+
+		/* Special cases */
+		ASN1_GEN_STR("SEQUENCE", V_ASN1_SEQUENCE),
+		ASN1_GEN_STR("SEQ", V_ASN1_SEQUENCE),
+		ASN1_GEN_STR("SET", V_ASN1_SET),
+		/* type modifiers */
+		/* Explicit tag */
+		ASN1_GEN_STR("EXP", ASN1_GEN_FLAG_EXP),
+		ASN1_GEN_STR("EXPLICIT", ASN1_GEN_FLAG_EXP),
+		/* Implicit tag */
+		ASN1_GEN_STR("IMP", ASN1_GEN_FLAG_IMP),
+		ASN1_GEN_STR("IMPLICIT", ASN1_GEN_FLAG_IMP),
+		/* OCTET STRING wrapper */
+		ASN1_GEN_STR("OCTWRAP", ASN1_GEN_FLAG_OCTWRAP),
+		/* SEQUENCE wrapper */
+		ASN1_GEN_STR("SEQWRAP", ASN1_GEN_FLAG_SEQWRAP),
+		/* SET wrapper */
+		ASN1_GEN_STR("SETWRAP", ASN1_GEN_FLAG_SETWRAP),
+		/* BIT STRING wrapper */
+		ASN1_GEN_STR("BITWRAP", ASN1_GEN_FLAG_BITWRAP),
+		ASN1_GEN_STR("FORM", ASN1_GEN_FLAG_FORMAT),
+		ASN1_GEN_STR("FORMAT", ASN1_GEN_FLAG_FORMAT),
+	};
+
+	if (len == -1)
+		len = strlen(tagstr);
+	
+	tntmp = tnst;	
+	for (i = 0; i < sizeof(tnst) / sizeof(struct tag_name_st); i++, tntmp++)
+		{
+		if ((len == tntmp->len) && !strncmp(tntmp->strnam, tagstr, len))
+			return tntmp->tag;
+		}
+	
+	return -1;
+	}
+
+static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
+	{
+	ASN1_TYPE *atmp = NULL;
+
+	CONF_VALUE vtmp;
+
+	unsigned char *rdata;
+	long rdlen;
+
+	int no_unused = 1;
+
+	if (!(atmp = ASN1_TYPE_new()))
+		{
+		ASN1err(ASN1_F_ASN1_STR2TYPE, ERR_R_MALLOC_FAILURE);
+		return NULL;
+		}
+
+	if (!str)
+		str = "";
+
+	switch(utype)
+		{
+
+		case V_ASN1_NULL:
+		if (str && *str)
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_ILLEGAL_NULL_VALUE);
+			goto bad_form;
+			}
+		break;
+		
+		case V_ASN1_BOOLEAN:
+		if (format != ASN1_GEN_FORMAT_ASCII)
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_NOT_ASCII_FORMAT);
+			goto bad_form;
+			}
+		vtmp.name = NULL;
+		vtmp.section = NULL;
+		vtmp.value = (char *)str;
+		if (!X509V3_get_value_bool(&vtmp, &atmp->value.boolean))
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_ILLEGAL_BOOLEAN);
+			goto bad_str;
+			}
+		break;
+
+		case V_ASN1_INTEGER:
+		case V_ASN1_ENUMERATED:
+		if (format != ASN1_GEN_FORMAT_ASCII)
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_INTEGER_NOT_ASCII_FORMAT);
+			goto bad_form;
+			}
+		if (!(atmp->value.integer = s2i_ASN1_INTEGER(NULL, (char *)str)))
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_ILLEGAL_INTEGER);
+			goto bad_str;
+			}
+		break;
+
+		case V_ASN1_OBJECT:
+		if (format != ASN1_GEN_FORMAT_ASCII)
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_OBJECT_NOT_ASCII_FORMAT);
+			goto bad_form;
+			}
+		if (!(atmp->value.object = OBJ_txt2obj(str, 0)))
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_ILLEGAL_OBJECT);
+			goto bad_str;
+			}
+		break;
+
+		case V_ASN1_UTCTIME:
+		case V_ASN1_GENERALIZEDTIME:
+		if (format != ASN1_GEN_FORMAT_ASCII)
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_TIME_NOT_ASCII_FORMAT);
+			goto bad_form;
+			}
+		if (!(atmp->value.asn1_string = ASN1_STRING_new()))
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ERR_R_MALLOC_FAILURE);
+			goto bad_str;
+			}
+		if (!ASN1_STRING_set(atmp->value.asn1_string, str, -1))
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ERR_R_MALLOC_FAILURE);
+			goto bad_str;
+			}
+		atmp->value.asn1_string->type = utype;
+		if (!ASN1_TIME_check(atmp->value.asn1_string))
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_ILLEGAL_TIME_VALUE);
+			goto bad_str;
+			}
+
+		break;
+
+		case V_ASN1_BMPSTRING:
+		case V_ASN1_PRINTABLESTRING:
+		case V_ASN1_IA5STRING:
+		case V_ASN1_T61STRING:
+		case V_ASN1_UTF8STRING:
+		case V_ASN1_VISIBLESTRING:
+		case V_ASN1_UNIVERSALSTRING:
+		case V_ASN1_GENERALSTRING:
+
+		if (format == ASN1_GEN_FORMAT_ASCII)
+			format = MBSTRING_ASC;
+		else if (format == ASN1_GEN_FORMAT_UTF8)
+			format = MBSTRING_UTF8;
+		else
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_ILLEGAL_FORMAT);
+			goto bad_form;
+			}
+
+
+		if (ASN1_mbstring_copy(&atmp->value.asn1_string, (unsigned char *)str,
+						-1, format, ASN1_tag2bit(utype)) <= 0)
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ERR_R_MALLOC_FAILURE);
+			goto bad_str;
+			}
+		
+
+		break;
+
+		case V_ASN1_BIT_STRING:
+
+		case V_ASN1_OCTET_STRING:
+
+		if (!(atmp->value.asn1_string = ASN1_STRING_new()))
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ERR_R_MALLOC_FAILURE);
+			goto bad_form;
+			}
+
+		if (format == ASN1_GEN_FORMAT_HEX)
+			{
+
+			if (!(rdata = string_to_hex((char *)str, &rdlen)))
+				{
+				ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_ILLEGAL_HEX);
+				goto bad_str;
+				}
+
+			atmp->value.asn1_string->data = rdata;
+			atmp->value.asn1_string->length = rdlen;
+			atmp->value.asn1_string->type = utype;
+
+			}
+		else if (format == ASN1_GEN_FORMAT_ASCII)
+			ASN1_STRING_set(atmp->value.asn1_string, str, -1);
+		else if ((format == ASN1_GEN_FORMAT_BITLIST) && (utype == V_ASN1_BIT_STRING))
+			{
+			if (!CONF_parse_list(str, ',', 1, bitstr_cb, atmp->value.bit_string))
+				{
+				ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_LIST_ERROR);
+				goto bad_str;
+				}
+			no_unused = 0;
+			
+			}
+		else 
+			{
+			ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_ILLEGAL_BITSTRING_FORMAT);
+			goto bad_form;
+			}
+
+		if ((utype == V_ASN1_BIT_STRING) && no_unused)
+			{
+			atmp->value.asn1_string->flags
+				&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
+        		atmp->value.asn1_string->flags
+				|= ASN1_STRING_FLAG_BITS_LEFT;
+			}
+
+
+		break;
+
+		default:
+		ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_UNSUPPORTED_TYPE);
+		goto bad_str;
+		break;
+		}
+
+
+	atmp->type = utype;
+	return atmp;
+
+
+	bad_str:
+	ERR_add_error_data(2, "string=", str);
+	bad_form:
+
+	ASN1_TYPE_free(atmp);
+	return NULL;
+
+	}
+
+static int bitstr_cb(const char *elem, int len, void *bitstr)
+	{
+	long bitnum;
+	char *eptr;
+	if (!elem)
+		return 0;
+	bitnum = strtoul(elem, &eptr, 10);
+	if (eptr && *eptr && (eptr != elem + len))
+		return 0;
+	if (bitnum < 0)
+		{
+		ASN1err(ASN1_F_BITSTR_CB, ASN1_R_INVALID_NUMBER);
+		return 0;
+		}
+	if (!ASN1_BIT_STRING_set_bit(bitstr, bitnum, 1))
+		{
+		ASN1err(ASN1_F_BITSTR_CB, ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	return 1;
+	}
+
diff --git a/crypto/openssl/crypto/asn1/asn1_lib.c b/crypto/openssl/crypto/asn1/asn1_lib.c
index a74f1368d34d..bb94257cee34 100644
--- a/crypto/openssl/crypto/asn1/asn1_lib.c
+++ b/crypto/openssl/crypto/asn1/asn1_lib.c
@@ -62,11 +62,11 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1_mac.h>
 
-static int asn1_get_length(unsigned char **pp,int *inf,long *rl,int max);
+static int asn1_get_length(const unsigned char **pp,int *inf,long *rl,int max);
 static void asn1_put_length(unsigned char **pp, int length);
 const char *ASN1_version="ASN.1" OPENSSL_VERSION_PTEXT;
 
-int ASN1_check_infinite_end(unsigned char **p, long len)
+static int _asn1_check_infinite_end(const unsigned char **p, long len)
 	{
 	/* If there is 0 or 1 byte left, the length check should pick
 	 * things up */
@@ -80,13 +80,23 @@ int ASN1_check_infinite_end(unsigned char **p, long len)
 	return(0);
 	}
 
+int ASN1_check_infinite_end(unsigned char **p, long len)
+	{
+	return _asn1_check_infinite_end((const unsigned char **)p, len);
+	}
 
-int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
-	     long omax)
+int ASN1_const_check_infinite_end(const unsigned char **p, long len)
+	{
+	return _asn1_check_infinite_end(p, len);
+	}
+
+
+int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
+	int *pclass, long omax)
 	{
 	int i,ret;
 	long l;
-	unsigned char *p= *pp;
+	const unsigned char *p= *pp;
 	int tag,xclass,inf;
 	long max=omax;
 
@@ -141,11 +151,11 @@ err:
 	return(0x80);
 	}
 
-static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
+static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, int max)
 	{
-	unsigned char *p= *pp;
+	const unsigned char *p= *pp;
 	unsigned long ret=0;
-	int i;
+	unsigned int i;
 
 	if (max-- < 1) return(0);
 	if (*p == 0x80)
@@ -205,13 +215,22 @@ void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag,
 			}
 		p += ttag;
 		}
-	if ((constructed == 2) && (length == 0))
-		*(p++)=0x80; /* der_put_length would output 0 instead */
+	if (constructed == 2)
+		*(p++)=0x80;
 	else
 		asn1_put_length(&p,length);
 	*pp=p;
 	}
 
+int ASN1_put_eoc(unsigned char **pp)
+	{
+	unsigned char *p = *pp;
+	*p++ = 0;
+	*p++ = 0;
+	*pp = p;
+	return 2;
+	}
+
 static void asn1_put_length(unsigned char **pp, int length)
 	{
 	unsigned char *p= *pp;
@@ -249,8 +268,8 @@ int ASN1_object_size(int constructed, int length, int tag)
 			ret++;
 			}
 		}
-	if ((length == 0) && (constructed == 2))
-		ret+=2;
+	if (constructed == 2)
+		return ret + 3;
 	ret++;
 	if (length > 127)
 		{
@@ -263,11 +282,11 @@ int ASN1_object_size(int constructed, int length, int tag)
 	return(ret);
 	}
 
-int asn1_Finish(ASN1_CTX *c)
+static int _asn1_Finish(ASN1_const_CTX *c)
 	{
 	if ((c->inf == (1|V_ASN1_CONSTRUCTED)) && (!c->eos))
 		{
-		if (!ASN1_check_infinite_end(&c->p,c->slen))
+		if (!ASN1_const_check_infinite_end(&c->p,c->slen))
 			{
 			c->error=ERR_R_MISSING_ASN1_EOS;
 			return(0);
@@ -282,9 +301,19 @@ int asn1_Finish(ASN1_CTX *c)
 	return(1);
 	}
 
-int asn1_GetSequence(ASN1_CTX *c, long *length)
+int asn1_Finish(ASN1_CTX *c)
+	{
+	return _asn1_Finish((ASN1_const_CTX *)c);
+	}
+
+int asn1_const_Finish(ASN1_const_CTX *c)
+	{
+	return _asn1_Finish(c);
+	}
+
+int asn1_GetSequence(ASN1_const_CTX *c, long *length)
 	{
-	unsigned char *q;
+	const unsigned char *q;
 
 	q=c->p;
 	c->inf=ASN1_get_object(&(c->p),&(c->slen),&(c->tag),&(c->xclass),
@@ -349,6 +378,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
 
 		if (str->data == NULL)
 			{
+			ASN1err(ASN1_F_ASN1_STRING_SET,ERR_R_MALLOC_FAILURE);
 			str->data=c;
 			return(0);
 			}
@@ -410,7 +440,7 @@ int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b)
 		return(i);
 	}
 
-void asn1_add_error(unsigned char *address, int offset)
+void asn1_add_error(const unsigned char *address, int offset)
 	{
 	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 
diff --git a/crypto/openssl/crypto/asn1/asn1_mac.h b/crypto/openssl/crypto/asn1/asn1_mac.h
index a48649ceeb32..d958ca60d9dc 100644
--- a/crypto/openssl/crypto/asn1/asn1_mac.h
+++ b/crypto/openssl/crypto/asn1/asn1_mac.h
@@ -73,11 +73,11 @@ extern "C" {
 	ERR_PUT_error(ASN1_MAC_ERR_LIB,(f),(r),__FILE__,(line))
 
 #define M_ASN1_D2I_vars(a,type,func) \
-	ASN1_CTX c; \
+	ASN1_const_CTX c; \
 	type ret=NULL; \
 	\
-	c.pp=(unsigned char **)pp; \
-	c.q= *(unsigned char **)pp; \
+	c.pp=(const unsigned char **)pp; \
+	c.q= *(const unsigned char **)pp; \
 	c.error=ERR_R_NESTED_ASN1_ERROR; \
 	if ((a == NULL) || ((*a) == NULL)) \
 		{ if ((ret=(type)func()) == NULL) \
@@ -85,13 +85,13 @@ extern "C" {
 	else	ret=(*a);
 
 #define M_ASN1_D2I_Init() \
-	c.p= *(unsigned char **)pp; \
+	c.p= *(const unsigned char **)pp; \
 	c.max=(length == 0)?0:(c.p+length);
 
 #define M_ASN1_D2I_Finish_2(a) \
-	if (!asn1_Finish(&c)) \
+	if (!asn1_const_Finish(&c)) \
 		{ c.line=__LINE__; goto err; } \
-	*(unsigned char **)pp=c.p; \
+	*(const unsigned char **)pp=c.p; \
 	if (a != NULL) (*a)=ret; \
 	return(ret);
 
@@ -99,7 +99,7 @@ extern "C" {
 	M_ASN1_D2I_Finish_2(a); \
 err:\
 	ASN1_MAC_H_err((e),c.error,c.line); \
-	asn1_add_error(*(unsigned char **)pp,(int)(c.q- *pp)); \
+	asn1_add_error(*(const unsigned char **)pp,(int)(c.q- *pp)); \
 	if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \
 	return(NULL)
 
@@ -123,15 +123,22 @@ err:\
 
 #define M_ASN1_D2I_end_sequence() \
 	(((c.inf&1) == 0)?(c.slen <= 0): \
-		(c.eos=ASN1_check_infinite_end(&c.p,c.slen)))
+		(c.eos=ASN1_const_check_infinite_end(&c.p,c.slen)))
 
 /* Don't use this with d2i_ASN1_BOOLEAN() */
-#define M_ASN1_D2I_get(b,func) \
+#define M_ASN1_D2I_get(b, func) \
 	c.q=c.p; \
 	if (func(&(b),&c.p,c.slen) == NULL) \
 		{c.line=__LINE__; goto err; } \
 	c.slen-=(c.p-c.q);
 
+/* Don't use this with d2i_ASN1_BOOLEAN() */
+#define M_ASN1_D2I_get_x(type,b,func) \
+	c.q=c.p; \
+	if (((D2I_OF(type))func)(&(b),&c.p,c.slen) == NULL) \
+		{c.line=__LINE__; goto err; } \
+	c.slen-=(c.p-c.q);
+
 /* use this instead () */
 #define M_ASN1_D2I_get_int(b,func) \
 	c.q=c.p; \
@@ -278,7 +285,7 @@ err:\
 			{ c.line=__LINE__; goto err; } \
 		if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \
 			Tlen = c.slen - (c.p - c.q); \
-			if(!ASN1_check_infinite_end(&c.p, Tlen)) \
+			if(!ASN1_const_check_infinite_end(&c.p, Tlen)) \
 				{ c.error=ERR_R_MISSING_ASN1_EOS; \
 				c.line=__LINE__; goto err; } \
 		}\
@@ -353,8 +360,12 @@ err:\
 		return(NULL)
 
 
-#define M_ASN1_next		(*c.p)
-#define M_ASN1_next_prev	(*c.q)
+/* BIG UGLY WARNING!  This is so damn ugly I wanna puke.  Unfortunately,
+   some macros that use ASN1_const_CTX still insist on writing in the input
+   stream.  ARGH!  ARGH!  ARGH!  Let's get rid of this macro package.
+   Please?						-- Richard Levitte */
+#define M_ASN1_next		(*((unsigned char *)(c.p)))
+#define M_ASN1_next_prev	(*((unsigned char *)(c.q)))
 
 /*************************************************/
 
@@ -551,8 +562,8 @@ err:\
 #define M_ASN1_I2D_finish()	*pp=p; \
 				return(r);
 
-int asn1_GetSequence(ASN1_CTX *c, long *length);
-void asn1_add_error(unsigned char *address,int offset);
+int asn1_GetSequence(ASN1_const_CTX *c, long *length);
+void asn1_add_error(const unsigned char *address,int offset);
 #ifdef  __cplusplus
 }
 #endif
diff --git a/crypto/openssl/crypto/asn1/asn1_par.c b/crypto/openssl/crypto/asn1/asn1_par.c
index 676d434f034d..501b62a4b199 100644
--- a/crypto/openssl/crypto/asn1/asn1_par.c
+++ b/crypto/openssl/crypto/asn1/asn1_par.c
@@ -64,7 +64,7 @@
 
 static int asn1_print_info(BIO *bp, int tag, int xclass,int constructed,
 	int indent);
-static int asn1_parse2(BIO *bp, unsigned char **pp, long length,
+static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
 	int offset, int depth, int indent, int dump);
 static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
 	     int indent)
@@ -88,7 +88,10 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
 		BIO_snprintf(str,sizeof str,"cont [ %d ]",tag);
 	else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION)
 		BIO_snprintf(str,sizeof str,"appl [ %d ]",tag);
-	else p = ASN1_tag2str(tag);
+	else if (tag > 30)
+		BIO_snprintf(str,sizeof str,"<ASN1 %d>",tag);
+	else
+		p = ASN1_tag2str(tag);
 
 	if (p2 != NULL)
 		{
@@ -103,20 +106,20 @@ err:
 	return(0);
 	}
 
-int ASN1_parse(BIO *bp, unsigned char *pp, long len, int indent)
+int ASN1_parse(BIO *bp, const unsigned char *pp, long len, int indent)
 	{
 	return(asn1_parse2(bp,&pp,len,0,0,indent,0));
 	}
 
-int ASN1_parse_dump(BIO *bp, unsigned char *pp, long len, int indent, int dump)
+int ASN1_parse_dump(BIO *bp, const unsigned char *pp, long len, int indent, int dump)
 	{
 	return(asn1_parse2(bp,&pp,len,0,0,indent,dump));
 	}
 
-static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
+static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset,
 	     int depth, int indent, int dump)
 	{
-	unsigned char *p,*ep,*tot,*op,*opp;
+	const unsigned char *p,*ep,*tot,*op,*opp;
 	long len;
 	int tag,xclass,ret=0;
 	int nl,hl,j,r;
@@ -215,7 +218,7 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 				{
 				if (BIO_write(bp,":",1) <= 0) goto end;
 				if ((len > 0) &&
-					BIO_write(bp,(char *)p,(int)len)
+					BIO_write(bp,(const char *)p,(int)len)
 					!= (int)len)
 					goto end;
 				}
@@ -256,9 +259,11 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 
 				opp=op;
 				os=d2i_ASN1_OCTET_STRING(NULL,&opp,len+hl);
-				if (os != NULL)
+				if (os != NULL && os->length > 0)
 					{
-					opp=os->data;
+					opp = os->data;
+					/* testing whether the octet string is
+					 * printable */
 					for (i=0; i<os->length; i++)
 						{
 						if ((	(opp[i] < ' ') &&
@@ -271,28 +276,47 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 							break;
 							}
 						}
-					if (printable && (os->length > 0))
+					if (printable)
+					/* printable string */
 						{
 						if (BIO_write(bp,":",1) <= 0)
 							goto end;
-						if (BIO_write(bp,(char *)opp,
+						if (BIO_write(bp,(const char *)opp,
 							os->length) <= 0)
 							goto end;
 						}
-					if (!printable && (os->length > 0)
-						&& dump)
+					else if (!dump)
+					/* not printable => print octet string
+					 * as hex dump */
+						{
+						if (BIO_write(bp,"[HEX DUMP]:",11) <= 0)
+							goto end;
+						for (i=0; i<os->length; i++)
+							{
+							if (BIO_printf(bp,"%02X"
+								, opp[i]) <= 0)
+								goto end;
+							}
+						}
+					else
+					/* print the normal dump */
 						{
 						if (!nl) 
 							{
 							if (BIO_write(bp,"\n",1) <= 0)
 								goto end;
 							}
-						if (BIO_dump_indent(bp,(char *)opp,
-							((dump == -1 || dump > os->length)?os->length:dump),
+						if (BIO_dump_indent(bp,
+							(const char *)opp,
+							((dump == -1 || dump > 
+							os->length)?os->length:dump),
 							dump_indent) <= 0)
 							goto end;
 						nl=1;
 						}
+					}
+				if (os != NULL)
+					{
 					M_ASN1_OCTET_STRING_free(os);
 					os=NULL;
 					}
@@ -368,7 +392,7 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 					if (BIO_write(bp,"\n",1) <= 0)
 						goto end;
 					}
-				if (BIO_dump_indent(bp,(char *)p,
+				if (BIO_dump_indent(bp,(const char *)p,
 					((dump == -1 || dump > len)?len:dump),
 					dump_indent) <= 0)
 					goto end;
@@ -398,7 +422,7 @@ end:
 
 const char *ASN1_tag2str(int tag)
 {
-	const static char *tag2str[] = {
+	static const char *tag2str[] = {
 	 "EOC", "BOOLEAN", "INTEGER", "BIT STRING", "OCTET STRING", /* 0-4 */
 	 "NULL", "OBJECT", "OBJECT DESCRIPTOR", "EXTERNAL", "REAL", /* 5-9 */
 	 "ENUMERATED", "<ASN1 11>", "UTF8STRING", "<ASN1 13>", 	    /* 10-13 */
diff --git a/crypto/openssl/crypto/asn1/asn1t.h b/crypto/openssl/crypto/asn1/asn1t.h
index ed372f855413..cc0cd1c8423b 100644
--- a/crypto/openssl/crypto/asn1/asn1t.h
+++ b/crypto/openssl/crypto/asn1/asn1t.h
@@ -112,7 +112,7 @@ extern "C" {
 /* Macros to aid ASN1 template writing */
 
 #define ASN1_ITEM_TEMPLATE(tname) \
-	const static ASN1_TEMPLATE tname##_item_tt 
+	static const ASN1_TEMPLATE tname##_item_tt 
 
 #define ASN1_ITEM_TEMPLATE_END(tname) \
 	;\
@@ -150,7 +150,7 @@ extern "C" {
  */
 
 #define ASN1_SEQUENCE(tname) \
-	const static ASN1_TEMPLATE tname##_seq_tt[] 
+	static const ASN1_TEMPLATE tname##_seq_tt[] 
 
 #define ASN1_SEQUENCE_END(stname) ASN1_SEQUENCE_END_name(stname, stname)
 
@@ -166,22 +166,37 @@ extern "C" {
 		#stname \
 	ASN1_ITEM_end(tname)
 
+#define ASN1_NDEF_SEQUENCE(tname) \
+	ASN1_SEQUENCE(tname)
+
 #define ASN1_SEQUENCE_cb(tname, cb) \
-	const static ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
+	static const ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
 	ASN1_SEQUENCE(tname)
 
 #define ASN1_BROKEN_SEQUENCE(tname) \
-	const static ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_BROKEN, 0, 0, 0, 0}; \
+	static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_BROKEN, 0, 0, 0, 0}; \
 	ASN1_SEQUENCE(tname)
 
 #define ASN1_SEQUENCE_ref(tname, cb, lck) \
-	const static ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), lck, cb, 0}; \
+	static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), lck, cb, 0}; \
 	ASN1_SEQUENCE(tname)
 
 #define ASN1_SEQUENCE_enc(tname, enc, cb) \
-	const static ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, 0, cb, offsetof(tname, enc)}; \
+	static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, 0, cb, offsetof(tname, enc)}; \
 	ASN1_SEQUENCE(tname)
 
+#define ASN1_NDEF_SEQUENCE_END(tname) \
+	;\
+	ASN1_ITEM_start(tname) \
+		ASN1_ITYPE_NDEF_SEQUENCE,\
+		V_ASN1_SEQUENCE,\
+		tname##_seq_tt,\
+		sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+		NULL,\
+		sizeof(tname),\
+		#tname \
+	ASN1_ITEM_end(tname)
+
 #define ASN1_BROKEN_SEQUENCE_END(stname) ASN1_SEQUENCE_END_ref(stname, stname)
 
 #define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)
@@ -224,10 +239,10 @@ extern "C" {
  */
 
 #define ASN1_CHOICE(tname) \
-	const static ASN1_TEMPLATE tname##_ch_tt[] 
+	static const ASN1_TEMPLATE tname##_ch_tt[] 
 
 #define ASN1_CHOICE_cb(tname, cb) \
-	const static ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
+	static const ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
 	ASN1_CHOICE(tname)
 
 #define ASN1_CHOICE_END(stname) ASN1_CHOICE_END_name(stname, stname)
@@ -353,16 +368,20 @@ extern "C" {
 #define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag) \
 			ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
 
+/* EXPLICIT OPTIONAL using indefinite length constructed form */
+#define ASN1_NDEF_EXP_OPT(stname, field, type, tag) \
+			ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL|ASN1_TFLG_NDEF)
+
 /* Macros for the ASN1_ADB structure */
 
 #define ASN1_ADB(name) \
-	const static ASN1_ADB_TABLE name##_adbtbl[] 
+	static const ASN1_ADB_TABLE name##_adbtbl[] 
 
 #ifndef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
 #define ASN1_ADB_END(name, flags, field, app_table, def, none) \
 	;\
-	const static ASN1_ADB name##_adb = {\
+	static const ASN1_ADB name##_adb = {\
 		flags,\
 		offsetof(name, field),\
 		app_table,\
@@ -376,9 +395,9 @@ extern "C" {
 
 #define ASN1_ADB_END(name, flags, field, app_table, def, none) \
 	;\
-	const static ASN1_ITEM *name##_adb(void) \
+	static const ASN1_ITEM *name##_adb(void) \
 	{ \
-	const static ASN1_ADB internal_adb = \
+	static const ASN1_ADB internal_adb = \
 		{\
 		flags,\
 		offsetof(name, field),\
@@ -397,7 +416,7 @@ extern "C" {
 #define ADB_ENTRY(val, template) {val, template}
 
 #define ASN1_ADB_TEMPLATE(name) \
-	const static ASN1_TEMPLATE name##_tt 
+	static const ASN1_TEMPLATE name##_tt 
 
 /* This is the ASN1 template structure that defines
  * a wrapper round the actual type. It determines the
@@ -410,7 +429,7 @@ unsigned long flags;		/* Various flags */
 long tag;			/* tag, not used if no tagging */
 unsigned long offset;		/* Offset of this field in structure */
 #ifndef NO_ASN1_FIELD_NAMES
-char *field_name;		/* Field name */
+const char *field_name;		/* Field name */
 #endif
 ASN1_ITEM_EXP *item;		/* Relevant ASN1_ITEM or ASN1_ADB */
 };
@@ -518,6 +537,13 @@ struct ASN1_ADB_TABLE_st {
 
 #define ASN1_TFLG_COMBINE	(0x1<<10)
 
+/* This flag when present in a SEQUENCE OF, SET OF
+ * or EXPLICIT causes indefinite length constructed
+ * encoding to be used if required.
+ */
+
+#define ASN1_TFLG_NDEF		(0x1<<11)
+
 /* This is the actual ASN1 item itself */
 
 struct ASN1_ITEM_st {
@@ -570,19 +596,25 @@ const char *sname;		/* Structure name */
  * has a special meaning, it is used as a mask
  * of acceptable types using the B_ASN1 constants.
  *
+ * NDEF_SEQUENCE is the same as SEQUENCE except
+ * that it will use indefinite length constructed
+ * encoding if requested.
+ *
  */
 
-#define ASN1_ITYPE_PRIMITIVE	0x0
+#define ASN1_ITYPE_PRIMITIVE		0x0
+
+#define ASN1_ITYPE_SEQUENCE		0x1
 
-#define ASN1_ITYPE_SEQUENCE	0x1
+#define ASN1_ITYPE_CHOICE		0x2
 
-#define ASN1_ITYPE_CHOICE	0x2
+#define ASN1_ITYPE_COMPAT		0x3
 
-#define ASN1_ITYPE_COMPAT	0x3
+#define ASN1_ITYPE_EXTERN		0x4
 
-#define ASN1_ITYPE_EXTERN	0x4
+#define ASN1_ITYPE_MSTRING		0x5
 
-#define ASN1_ITYPE_MSTRING	0x5
+#define ASN1_ITYPE_NDEF_SEQUENCE	0x6
 
 /* Cache for ASN1 tag and length, so we
  * don't keep re-reading it for things
@@ -602,10 +634,10 @@ struct ASN1_TLC_st{
 
 typedef ASN1_VALUE * ASN1_new_func(void);
 typedef void ASN1_free_func(ASN1_VALUE *a);
-typedef ASN1_VALUE * ASN1_d2i_func(ASN1_VALUE **a, unsigned char ** in, long length);
+typedef ASN1_VALUE * ASN1_d2i_func(ASN1_VALUE **a, const unsigned char ** in, long length);
 typedef int ASN1_i2d_func(ASN1_VALUE * a, unsigned char **in);
 
-typedef int ASN1_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it,
+typedef int ASN1_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it,
 					int tag, int aclass, char opt, ASN1_TLC *ctx);
 
 typedef int ASN1_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
@@ -613,7 +645,7 @@ typedef int ASN1_ex_new_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
 typedef void ASN1_ex_free_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
 
 typedef int ASN1_primitive_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
-typedef int ASN1_primitive_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+typedef int ASN1_primitive_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
 
 typedef struct ASN1_COMPAT_FUNCS_st {
 	ASN1_new_func *asn1_new;
@@ -743,6 +775,9 @@ typedef struct ASN1_AUX_st {
 #define IMPLEMENT_ASN1_FUNCTIONS_ENCODE_name(stname, itname) \
 			IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname)
 
+#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS(stname) \
+		IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, stname, stname)
+
 #define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) \
 	stname *fname##_new(void) \
 	{ \
@@ -758,7 +793,7 @@ typedef struct ASN1_AUX_st {
 	IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)
 
 #define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \
-	stname *d2i_##fname(stname **a, unsigned char **in, long len) \
+	stname *d2i_##fname(stname **a, const unsigned char **in, long len) \
 	{ \
 		return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\
 	} \
@@ -767,13 +802,19 @@ typedef struct ASN1_AUX_st {
 		return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\
 	} 
 
+#define IMPLEMENT_ASN1_NDEF_FUNCTION(stname) \
+	int i2d_##stname##_NDEF(stname *a, unsigned char **out) \
+	{ \
+		return ASN1_item_ndef_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(stname));\
+	} 
+
 /* This includes evil casts to remove const: they will go away when full
  * ASN1 constification is done.
  */
 #define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \
 	stname *d2i_##fname(stname **a, const unsigned char **in, long len) \
 	{ \
-		return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, (unsigned char **)in, len, ASN1_ITEM_rptr(itname));\
+		return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\
 	} \
 	int i2d_##fname(const stname *a, unsigned char **out) \
 	{ \
@@ -798,7 +839,6 @@ typedef struct ASN1_AUX_st {
 DECLARE_ASN1_ITEM(ASN1_BOOLEAN)
 DECLARE_ASN1_ITEM(ASN1_TBOOLEAN)
 DECLARE_ASN1_ITEM(ASN1_FBOOLEAN)
-DECLARE_ASN1_ITEM(ASN1_ANY)
 DECLARE_ASN1_ITEM(ASN1_SEQUENCE)
 DECLARE_ASN1_ITEM(CBIGNUM)
 DECLARE_ASN1_ITEM(BIGNUM)
@@ -815,8 +855,8 @@ int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
 int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
 
 void ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
-int ASN1_template_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt);
-int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it,
+int ASN1_template_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_TEMPLATE *tt);
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it,
 				int tag, int aclass, char opt, ASN1_TLC *ctx);
 
 int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
@@ -824,7 +864,7 @@ int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLAT
 void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
 
 int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
-int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
 
 int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it);
 int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it);
@@ -838,7 +878,7 @@ int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it);
 void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it);
 void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
 int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval, const ASN1_ITEM *it);
-int asn1_enc_save(ASN1_VALUE **pval, unsigned char *in, int inlen, const ASN1_ITEM *it);
+int asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen, const ASN1_ITEM *it);
 
 #ifdef  __cplusplus
 }
diff --git a/crypto/openssl/crypto/asn1/asn_moid.c b/crypto/openssl/crypto/asn1/asn_moid.c
index edb44c988f08..72cc1210becd 100644
--- a/crypto/openssl/crypto/asn1/asn_moid.c
+++ b/crypto/openssl/crypto/asn1/asn_moid.c
@@ -3,7 +3,7 @@
  * project 2001.
  */
 /* ====================================================================
- * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2001-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <ctype.h>
 #include <openssl/crypto.h>
 #include "cryptlib.h"
 #include <openssl/conf.h>
@@ -65,6 +66,8 @@
 
 /* Simple ASN1 OID module: add all objects in a given section */
 
+static int do_create(char *value, char *name);
+
 static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
 	{
 	int i;
@@ -80,7 +83,7 @@ static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
 	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++)
 		{
 		oval = sk_CONF_VALUE_value(sktmp, i);
-		if(OBJ_create(oval->value, oval->name, oval->name) == NID_undef)
+		if(!do_create(oval->value, oval->name))
 			{
 			ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ADDING_OBJECT);
 			return 0;
@@ -98,3 +101,60 @@ void ASN1_add_oid_module(void)
 	{
 	CONF_module_add("oid_section", oid_module_init, oid_module_finish);
 	}
+
+/* Create an OID based on a name value pair. Accept two formats.
+ * shortname = 1.2.3.4
+ * shortname = some long name, 1.2.3.4
+ */
+
+
+static int do_create(char *value, char *name)
+	{
+	int nid;
+	ASN1_OBJECT *oid;
+	char *ln, *ostr, *p, *lntmp;
+	p = strrchr(value, ',');
+	if (!p)
+		{
+		ln = name;
+		ostr = value;
+		}
+	else
+		{
+		ln = NULL;
+		ostr = p + 1;
+		if (!*ostr)
+			return 0;
+		while(isspace((unsigned char)*ostr)) ostr++;
+		}
+
+	nid = OBJ_create(ostr, name, ln);
+
+	if (nid == NID_undef)
+		return 0;
+
+	if (p)
+		{
+		ln = value;
+		while(isspace((unsigned char)*ln)) ln++;
+		p--;
+		while(isspace((unsigned char)*p))
+			{
+			if (p == ln)
+				return 0;
+			p--;
+			}
+		p++;
+		lntmp = OPENSSL_malloc((p - ln) + 1);
+		if (lntmp == NULL)
+			return 0;
+		memcpy(lntmp, ln, p - ln);
+		lntmp[p - ln + 1] = 0;
+		oid = OBJ_nid2obj(nid);
+		oid->ln = lntmp;
+		}
+
+	return 1;
+	}
+		
+		
diff --git a/crypto/openssl/crypto/asn1/asn_pack.c b/crypto/openssl/crypto/asn1/asn_pack.c
index e6051db2dc98..e8b671b7b51b 100644
--- a/crypto/openssl/crypto/asn1/asn_pack.c
+++ b/crypto/openssl/crypto/asn1/asn_pack.c
@@ -66,11 +66,11 @@
 
 /* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */
 
-STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(),
-	     void (*free_func)(void *))
+STACK *ASN1_seq_unpack(const unsigned char *buf, int len,
+		       d2i_of_void *d2i,void (*free_func)(void *))
 {
     STACK *sk;
-    unsigned char *pbuf;
+    const unsigned char *pbuf;
     pbuf =  buf;
     if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func,
 					V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL)))
@@ -82,8 +82,8 @@ STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(),
  * OPENSSL_malloc'ed buffer
  */
 
-unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf,
-	     int *len)
+unsigned char *ASN1_seq_pack(STACK *safes, i2d_of_void *i2d,
+			     unsigned char **buf, int *len)
 {
 	int safelen;
 	unsigned char *safe, *p;
@@ -106,9 +106,9 @@ unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf,
 
 /* Extract an ASN1 object from an ASN1_STRING */
 
-void *ASN1_unpack_string (ASN1_STRING *oct, char *(*d2i)())
+void *ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i)
 {
-	unsigned char *p;
+	const unsigned char *p;
 	char *ret;
 
 	p = oct->data;
@@ -119,7 +119,7 @@ void *ASN1_unpack_string (ASN1_STRING *oct, char *(*d2i)())
 
 /* Pack an ASN1 object into an ASN1_STRING */
 
-ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_STRING **oct)
+ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d, ASN1_STRING **oct)
 {
 	unsigned char *p;
 	ASN1_STRING *octmp;
@@ -155,7 +155,7 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)
 
 	if (!oct || !*oct) {
 		if (!(octmp = ASN1_STRING_new ())) {
-			ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
+			ASN1err(ASN1_F_ASN1_ITEM_PACK,ERR_R_MALLOC_FAILURE);
 			return NULL;
 		}
 		if (oct) *oct = octmp;
@@ -167,11 +167,11 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)
 	}
 		
 	if (!(octmp->length = ASN1_item_i2d(obj, &octmp->data, it))) {
-		ASN1err(ASN1_F_ASN1_PACK_STRING,ASN1_R_ENCODE_ERROR);
+		ASN1err(ASN1_F_ASN1_ITEM_PACK,ASN1_R_ENCODE_ERROR);
 		return NULL;
 	}
 	if (!octmp->data) {
-		ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_ASN1_ITEM_PACK,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	return octmp;
@@ -181,11 +181,11 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)
 
 void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it)
 {
-	unsigned char *p;
+	const unsigned char *p;
 	void *ret;
 
 	p = oct->data;
 	if(!(ret = ASN1_item_d2i(NULL, &p, oct->length, it)))
-		ASN1err(ASN1_F_ASN1_UNPACK_STRING,ASN1_R_DECODE_ERROR);
+		ASN1err(ASN1_F_ASN1_ITEM_UNPACK,ASN1_R_DECODE_ERROR);
 	return ret;
 }
diff --git a/crypto/openssl/crypto/asn1/d2i_pr.c b/crypto/openssl/crypto/asn1/d2i_pr.c
index 2e7d96af904a..207ccda5ac95 100644
--- a/crypto/openssl/crypto/asn1/d2i_pr.c
+++ b/crypto/openssl/crypto/asn1/d2i_pr.c
@@ -68,8 +68,11 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
+#ifndef OPENSSL_NO_EC
+#include <openssl/ec.h>
+#endif
 
-EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp,
+EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
 	     long length)
 	{
 	EVP_PKEY *ret;
@@ -108,6 +111,16 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp,
 			}
 		break;
 #endif
+#ifndef OPENSSL_NO_EC
+	case EVP_PKEY_EC:
+		if ((ret->pkey.ec = d2i_ECPrivateKey(NULL, 
+			(const unsigned char **)pp, length)) == NULL)
+			{
+			ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB);
+			goto err;
+			}
+		break;
+#endif
 	default:
 		ASN1err(ASN1_F_D2I_PRIVATEKEY,ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE);
 		goto err;
@@ -122,11 +135,11 @@ err:
 
 /* This works like d2i_PrivateKey() except it automatically works out the type */
 
-EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp,
+EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp,
 	     long length)
 {
 	STACK_OF(ASN1_TYPE) *inkey;
-	unsigned char *p;
+	const unsigned char *p;
 	int keytype;
 	p = *pp;
 	/* Dirty trick: read in the ASN1 data into a STACK_OF(ASN1_TYPE):
@@ -138,7 +151,10 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp,
 	/* Since we only need to discern "traditional format" RSA and DSA
 	 * keys we can just count the elements.
          */
-	if(sk_ASN1_TYPE_num(inkey) == 6) keytype = EVP_PKEY_DSA;
+	if(sk_ASN1_TYPE_num(inkey) == 6) 
+		keytype = EVP_PKEY_DSA;
+	else if (sk_ASN1_TYPE_num(inkey) == 4)
+		keytype = EVP_PKEY_EC;
 	else keytype = EVP_PKEY_RSA;
 	sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free);
 	return d2i_PrivateKey(keytype, a, pp, length);
diff --git a/crypto/openssl/crypto/asn1/d2i_pu.c b/crypto/openssl/crypto/asn1/d2i_pu.c
index 71f2eb361bd4..3694f51a8c0a 100644
--- a/crypto/openssl/crypto/asn1/d2i_pu.c
+++ b/crypto/openssl/crypto/asn1/d2i_pu.c
@@ -68,8 +68,11 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
+#ifndef OPENSSL_NO_EC
+#include <openssl/ec.h>
+#endif
 
-EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp,
+EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
 	     long length)
 	{
 	EVP_PKEY *ret;
@@ -100,14 +103,24 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp,
 #endif
 #ifndef OPENSSL_NO_DSA
 	case EVP_PKEY_DSA:
-		if ((ret->pkey.dsa=d2i_DSAPublicKey(NULL,
-			(const unsigned char **)pp,length)) == NULL) /* TMP UGLY CAST */
+		if (!d2i_DSAPublicKey(&(ret->pkey.dsa),
+			(const unsigned char **)pp,length)) /* TMP UGLY CAST */
 			{
 			ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_ASN1_LIB);
 			goto err;
 			}
 		break;
 #endif
+#ifndef OPENSSL_NO_EC
+	case EVP_PKEY_EC:
+		if (!o2i_ECPublicKey(&(ret->pkey.ec),
+				     (const unsigned char **)pp, length))
+			{
+			ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB);
+			goto err;
+			}
+	break;
+#endif
 	default:
 		ASN1err(ASN1_F_D2I_PUBLICKEY,ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE);
 		goto err;
diff --git a/crypto/openssl/crypto/asn1/evp_asn1.c b/crypto/openssl/crypto/asn1/evp_asn1.c
index 3506005a7146..f3d9804860ec 100644
--- a/crypto/openssl/crypto/asn1/evp_asn1.c
+++ b/crypto/openssl/crypto/asn1/evp_asn1.c
@@ -115,7 +115,11 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
 
 	if ((osp=ASN1_STRING_new()) == NULL) return(0);
 	/* Grow the 'string' */
-	ASN1_STRING_set(osp,NULL,size);
+	if (!ASN1_STRING_set(osp,NULL,size))
+		{
+		ASN1_STRING_free(osp);
+		return(0);
+		}
 
 	M_ASN1_STRING_length_set(osp, size);
 	p=M_ASN1_STRING_data(osp);
@@ -137,9 +141,9 @@ int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a, long *num, unsigned char *data,
 	int ret= -1,n;
 	ASN1_INTEGER *ai=NULL;
 	ASN1_OCTET_STRING *os=NULL;
-	unsigned char *p;
+	const unsigned char *p;
 	long length;
-	ASN1_CTX c;
+	ASN1_const_CTX c;
 
 	if ((a->type != V_ASN1_SEQUENCE) || (a->value.sequence == NULL))
 		{
diff --git a/crypto/openssl/crypto/asn1/i2d_pr.c b/crypto/openssl/crypto/asn1/i2d_pr.c
index 1e951ae01d3b..0be52c5b76ac 100644
--- a/crypto/openssl/crypto/asn1/i2d_pr.c
+++ b/crypto/openssl/crypto/asn1/i2d_pr.c
@@ -67,6 +67,9 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
+#ifndef OPENSSL_NO_EC
+#include <openssl/ec.h>
+#endif
 
 int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
 	{
@@ -83,6 +86,12 @@ int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
 		return(i2d_DSAPrivateKey(a->pkey.dsa,pp));
 		}
 #endif
+#ifndef OPENSSL_NO_EC
+	if (a->type == EVP_PKEY_EC)
+		{
+		return(i2d_ECPrivateKey(a->pkey.ec, pp));
+		}
+#endif
 
 	ASN1err(ASN1_F_I2D_PRIVATEKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
 	return(-1);
diff --git a/crypto/openssl/crypto/asn1/i2d_pu.c b/crypto/openssl/crypto/asn1/i2d_pu.c
index 013d19bbf418..34286dbd359f 100644
--- a/crypto/openssl/crypto/asn1/i2d_pu.c
+++ b/crypto/openssl/crypto/asn1/i2d_pu.c
@@ -67,6 +67,9 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
+#ifndef OPENSSL_NO_EC
+#include <openssl/ec.h>
+#endif
 
 int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
 	{
@@ -80,6 +83,10 @@ int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
 	case EVP_PKEY_DSA:
 		return(i2d_DSAPublicKey(a->pkey.dsa,pp));
 #endif
+#ifndef OPENSSL_NO_EC
+	case EVP_PKEY_EC:
+		return(i2o_ECPublicKey(a->pkey.ec, pp));
+#endif
 	default:
 		ASN1err(ASN1_F_I2D_PUBLICKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
 		return(-1);
diff --git a/crypto/openssl/crypto/asn1/n_pkey.c b/crypto/openssl/crypto/asn1/n_pkey.c
index 766b51c53830..60bc437938cf 100644
--- a/crypto/openssl/crypto/asn1/n_pkey.c
+++ b/crypto/openssl/crypto/asn1/n_pkey.c
@@ -56,9 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_RSA
 #include <stdio.h>
 #include "cryptlib.h"
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #include <openssl/objects.h>
 #include <openssl/asn1t.h>
@@ -107,14 +107,20 @@ DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_PKEY,NETSCAPE_PKEY)
 IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_PKEY)
 
 static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
-	     int (*cb)(), int sgckey);
+			  int (*cb)(char *buf, int len, const char *prompt,
+				    int verify),
+			  int sgckey);
 
-int i2d_Netscape_RSA(const RSA *a, unsigned char **pp, int (*cb)())
+int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
+		     int (*cb)(char *buf, int len, const char *prompt,
+			       int verify))
 {
 	return i2d_RSA_NET(a, pp, cb, 0);
 }
 
-int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
+int i2d_RSA_NET(const RSA *a, unsigned char **pp,
+		int (*cb)(char *buf, int len, const char *prompt, int verify),
+		int sgckey)
 	{
 	int i, j, ret = 0;
 	int rsalen, pkeylen, olen;
@@ -164,7 +170,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
 	/* Since its RC4 encrypted length is actual length */
 	if ((zz=(unsigned char *)OPENSSL_malloc(rsalen)) == NULL)
 		{
-		ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_I2D_RSA_NET,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
 
@@ -174,13 +180,13 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
 
 	if ((zz=OPENSSL_malloc(pkeylen)) == NULL)
 		{
-		ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_I2D_RSA_NET,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
 
 	if (!ASN1_STRING_set(enckey->os, "private-key", -1)) 
 		{
-		ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_I2D_RSA_NET,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
 	enckey->enckey->digest->data = zz;
@@ -191,10 +197,10 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
 		
 	if (cb == NULL)
 		cb=EVP_read_pw_string;
-	i=cb(buf,256,"Enter Private Key password:",1);
+	i=cb((char *)buf,256,"Enter Private Key password:",1);
 	if (i != 0)
 		{
-		ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ASN1_R_BAD_PASSWORD_READ);
+		ASN1err(ASN1_F_I2D_RSA_NET,ASN1_R_BAD_PASSWORD_READ);
 		goto err;
 		}
 	i = strlen((char *)buf);
@@ -224,12 +230,16 @@ err:
 	}
 
 
-RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length, int (*cb)())
+RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
+		      int (*cb)(char *buf, int len, const char *prompt,
+				int verify))
 {
 	return d2i_RSA_NET(a, pp, length, cb, 0);
 }
 
-RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length, int (*cb)(), int sgckey)
+RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
+		 int (*cb)(char *buf, int len, const char *prompt, int verify),
+		 int sgckey)
 	{
 	RSA *ret=NULL;
 	const unsigned char *p, *kp;
@@ -239,20 +249,20 @@ RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length, int (*cb)(), in
 
 	enckey = d2i_NETSCAPE_ENCRYPTED_PKEY(NULL, &p, length);
 	if(!enckey) {
-		ASN1err(ASN1_F_D2I_NETSCAPE_RSA,ASN1_R_DECODING_ERROR);
+		ASN1err(ASN1_F_D2I_RSA_NET,ASN1_R_DECODING_ERROR);
 		return NULL;
 	}
 
 	if ((enckey->os->length != 11) || (strncmp("private-key",
 		(char *)enckey->os->data,11) != 0))
 		{
-		ASN1err(ASN1_F_D2I_NETSCAPE_RSA,ASN1_R_PRIVATE_KEY_HEADER_MISSING);
+		ASN1err(ASN1_F_D2I_RSA_NET,ASN1_R_PRIVATE_KEY_HEADER_MISSING);
 		NETSCAPE_ENCRYPTED_PKEY_free(enckey);
 		return NULL;
 		}
 	if (OBJ_obj2nid(enckey->enckey->algor->algorithm) != NID_rc4)
 		{
-		ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM);
+		ASN1err(ASN1_F_D2I_RSA_NET,ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM);
 		goto err;
 	}
 	kp = enckey->enckey->digest->data;
@@ -269,7 +279,8 @@ RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length, int (*cb)(), in
 	}
 
 static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
-	     int (*cb)(), int sgckey)
+			  int (*cb)(char *buf, int len, const char *prompt,
+				    int verify), int sgckey)
 	{
 	NETSCAPE_PKEY *pkey=NULL;
 	RSA *ret=NULL;
@@ -279,10 +290,10 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
 	unsigned char key[EVP_MAX_KEY_LENGTH];
 	EVP_CIPHER_CTX ctx;
 
-	i=cb(buf,256,"Enter Private Key password:",0);
+	i=cb((char *)buf,256,"Enter Private Key password:",0);
 	if (i != 0)
 		{
-		ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_BAD_PASSWORD_READ);
+		ASN1err(ASN1_F_D2I_RSA_NET_2,ASN1_R_BAD_PASSWORD_READ);
 		goto err;
 		}
 
@@ -307,14 +318,14 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
 
 	if ((pkey=d2i_NETSCAPE_PKEY(NULL,&zz,os->length)) == NULL)
 		{
-		ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY);
+		ASN1err(ASN1_F_D2I_RSA_NET_2,ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY);
 		goto err;
 		}
 		
 	zz=pkey->private_key->data;
 	if ((ret=d2i_RSAPrivateKey(a,&zz,pkey->private_key->length)) == NULL)
 		{
-		ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_UNABLE_TO_DECODE_RSA_KEY);
+		ASN1err(ASN1_F_D2I_RSA_NET_2,ASN1_R_UNABLE_TO_DECODE_RSA_KEY);
 		goto err;
 		}
 err:
diff --git a/crypto/openssl/crypto/asn1/p5_pbe.c b/crypto/openssl/crypto/asn1/p5_pbe.c
index 891150638e99..da91170094b5 100644
--- a/crypto/openssl/crypto/asn1/p5_pbe.c
+++ b/crypto/openssl/crypto/asn1/p5_pbe.c
@@ -76,47 +76,56 @@ IMPLEMENT_ASN1_FUNCTIONS(PBEPARAM)
 X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
 	     int saltlen)
 {
-	PBEPARAM *pbe;
+	PBEPARAM *pbe=NULL;
 	ASN1_OBJECT *al;
 	X509_ALGOR *algor;
-	ASN1_TYPE *astype;
+	ASN1_TYPE *astype=NULL;
 
 	if (!(pbe = PBEPARAM_new ())) {
-		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-		return NULL;
+		ASN1err(ASN1_F_PKCS5_PBE_SET,ERR_R_MALLOC_FAILURE);
+		goto err;
 	}
 	if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
-	ASN1_INTEGER_set (pbe->iter, iter);
+	if (!ASN1_INTEGER_set(pbe->iter, iter)) {
+		ASN1err(ASN1_F_PKCS5_PBE_SET,ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
 	if (!saltlen) saltlen = PKCS5_SALT_LEN;
 	if (!(pbe->salt->data = OPENSSL_malloc (saltlen))) {
-		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-		return NULL;
+		ASN1err(ASN1_F_PKCS5_PBE_SET,ERR_R_MALLOC_FAILURE);
+		goto err;
 	}
 	pbe->salt->length = saltlen;
 	if (salt) memcpy (pbe->salt->data, salt, saltlen);
 	else if (RAND_pseudo_bytes (pbe->salt->data, saltlen) < 0)
-		return NULL;
+		goto err;
 
 	if (!(astype = ASN1_TYPE_new())) {
-		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-		return NULL;
+		ASN1err(ASN1_F_PKCS5_PBE_SET,ERR_R_MALLOC_FAILURE);
+		goto err;
 	}
 
 	astype->type = V_ASN1_SEQUENCE;
-	if(!ASN1_pack_string(pbe, i2d_PBEPARAM, &astype->value.sequence)) {
-		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-		return NULL;
+	if(!ASN1_pack_string_of(PBEPARAM, pbe, i2d_PBEPARAM,
+				&astype->value.sequence)) {
+		ASN1err(ASN1_F_PKCS5_PBE_SET,ERR_R_MALLOC_FAILURE);
+		goto err;
 	}
 	PBEPARAM_free (pbe);
+	pbe = NULL;
 	
 	al = OBJ_nid2obj(alg); /* never need to free al */
 	if (!(algor = X509_ALGOR_new())) {
-		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-		return NULL;
+		ASN1err(ASN1_F_PKCS5_PBE_SET,ERR_R_MALLOC_FAILURE);
+		goto err;
 	}
 	ASN1_OBJECT_free(algor->algorithm);
 	algor->algorithm = al;
 	algor->parameter = astype;
 
 	return (algor);
+err:
+	if (pbe != NULL) PBEPARAM_free(pbe);
+	if (astype != NULL) ASN1_TYPE_free(astype);
+	return NULL;
 }
diff --git a/crypto/openssl/crypto/asn1/p5_pbev2.c b/crypto/openssl/crypto/asn1/p5_pbev2.c
index e0dc0ec4ee3d..c834a38ddf3c 100644
--- a/crypto/openssl/crypto/asn1/p5_pbev2.c
+++ b/crypto/openssl/crypto/asn1/p5_pbev2.c
@@ -115,7 +115,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	/* Create random IV */
 	if (EVP_CIPHER_iv_length(cipher) &&
 		RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
-		goto err;
+  		goto err;
 
 	EVP_CIPHER_CTX_init(&ctx);
 
@@ -164,7 +164,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 
 	if(!(pbe2->keyfunc->parameter = ASN1_TYPE_new())) goto merr;
 
-	if(!ASN1_pack_string(kdf, i2d_PBKDF2PARAM,
+	if(!ASN1_pack_string_of(PBKDF2PARAM, kdf, i2d_PBKDF2PARAM,
 			 &pbe2->keyfunc->parameter->value.sequence)) goto merr;
 	pbe2->keyfunc->parameter->type = V_ASN1_SEQUENCE;
 
@@ -180,7 +180,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 
 	/* Encode PBE2PARAM into parameter */
 
-	if(!ASN1_pack_string(pbe2, i2d_PBE2PARAM,
+	if(!ASN1_pack_string_of(PBE2PARAM, pbe2, i2d_PBE2PARAM,
 				 &ret->parameter->value.sequence)) goto merr;
 	ret->parameter->type = V_ASN1_SEQUENCE;
 
diff --git a/crypto/openssl/crypto/asn1/t_bitst.c b/crypto/openssl/crypto/asn1/t_bitst.c
index 8ee789f0825f..397332d9b8e6 100644
--- a/crypto/openssl/crypto/asn1/t_bitst.c
+++ b/crypto/openssl/crypto/asn1/t_bitst.c
@@ -84,7 +84,10 @@ int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
 	int bitnum;
 	bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
 	if(bitnum < 0) return 0;
-	if(bs) ASN1_BIT_STRING_set_bit(bs, bitnum, value);
+	if(bs) {
+		if(!ASN1_BIT_STRING_set_bit(bs, bitnum, value))
+			return 0;
+	}
 	return 1;
 }
 
diff --git a/crypto/openssl/crypto/asn1/t_crl.c b/crypto/openssl/crypto/asn1/t_crl.c
index 757c148df81d..929b3e590438 100644
--- a/crypto/openssl/crypto/asn1/t_crl.c
+++ b/crypto/openssl/crypto/asn1/t_crl.c
@@ -72,7 +72,7 @@ int X509_CRL_print_fp(FILE *fp, X509_CRL *x)
 
         if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
-		X509err(X509_F_X509_PRINT_FP,ERR_R_BUF_LIB);
+		X509err(X509_F_X509_CRL_PRINT_FP,ERR_R_BUF_LIB);
                 return(0);
 		}
         BIO_set_fp(b,fp,BIO_NOCLOSE);
@@ -121,7 +121,7 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
 		r = sk_X509_REVOKED_value(rev, i);
 		BIO_printf(out,"    Serial Number: ");
 		i2a_ASN1_INTEGER(out,r->serialNumber);
-		BIO_printf(out,"\n        Revocation Date: ","");
+		BIO_printf(out,"\n        Revocation Date: ");
 		ASN1_TIME_print(out,r->revocationDate);
 		BIO_printf(out,"\n");
 		X509V3_extensions_print(out, "CRL entry extensions",
diff --git a/crypto/openssl/crypto/asn1/t_pkey.c b/crypto/openssl/crypto/asn1/t_pkey.c
index d15006e6546c..afb95d67121a 100644
--- a/crypto/openssl/crypto/asn1/t_pkey.c
+++ b/crypto/openssl/crypto/asn1/t_pkey.c
@@ -55,9 +55,15 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * Binary polynomial ECC support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #include <stdio.h>
 #include "cryptlib.h"
+#include <openssl/objects.h>
 #include <openssl/buffer.h>
 #include <openssl/bn.h>
 #ifndef OPENSSL_NO_RSA
@@ -69,26 +75,33 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
+#ifndef OPENSSL_NO_EC
+#include <openssl/ec.h>
+#endif
 
-static int print(BIO *fp,const char *str,BIGNUM *num,
+static int print(BIO *fp,const char *str, const BIGNUM *num,
 		unsigned char *buf,int off);
+#ifndef OPENSSL_NO_EC
+static int print_bin(BIO *fp, const char *str, const unsigned char *num,
+		size_t len, int off);
+#endif
 #ifndef OPENSSL_NO_RSA
 #ifndef OPENSSL_NO_FP_API
 int RSA_print_fp(FILE *fp, const RSA *x, int off)
-        {
-        BIO *b;
-        int ret;
+	{
+	BIO *b;
+	int ret;
 
-        if ((b=BIO_new(BIO_s_file())) == NULL)
+	if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
 		RSAerr(RSA_F_RSA_PRINT_FP,ERR_R_BUF_LIB);
-                return(0);
+		return(0);
 		}
-        BIO_set_fp(b,fp,BIO_NOCLOSE);
-        ret=RSA_print(b,x,off);
-        BIO_free(b);
-        return(ret);
-        }
+	BIO_set_fp(b,fp,BIO_NOCLOSE);
+	ret=RSA_print(b,x,off);
+	BIO_free(b);
+	return(ret);
+	}
 #endif
 
 int RSA_print(BIO *bp, const RSA *x, int off)
@@ -96,7 +109,7 @@ int RSA_print(BIO *bp, const RSA *x, int off)
 	char str[128];
 	const char *s;
 	unsigned char *m=NULL;
-	int ret=0;
+	int ret=0, mod_len = 0;
 	size_t buf_len=0, i;
 
 	if (x->n)
@@ -130,27 +143,37 @@ int RSA_print(BIO *bp, const RSA *x, int off)
 		goto err;
 		}
 
+	if (x->n != NULL)
+		mod_len = BN_num_bits(x->n);
+
 	if (x->d != NULL)
 		{
 		if(!BIO_indent(bp,off,128))
 		   goto err;
-		if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->n))
+		if (BIO_printf(bp,"Private-Key: (%d bit)\n", mod_len)
 			<= 0) goto err;
 		}
 
 	if (x->d == NULL)
-		BIO_snprintf(str,sizeof str,"Modulus (%d bit):",BN_num_bits(x->n));
+		BIO_snprintf(str,sizeof str,"Modulus (%d bit):", mod_len);
 	else
 		BUF_strlcpy(str,"modulus:",sizeof str);
 	if (!print(bp,str,x->n,m,off)) goto err;
 	s=(x->d == NULL)?"Exponent:":"publicExponent:";
-	if (!print(bp,s,x->e,m,off)) goto err;
-	if (!print(bp,"privateExponent:",x->d,m,off)) goto err;
-	if (!print(bp,"prime1:",x->p,m,off)) goto err;
-	if (!print(bp,"prime2:",x->q,m,off)) goto err;
-	if (!print(bp,"exponent1:",x->dmp1,m,off)) goto err;
-	if (!print(bp,"exponent2:",x->dmq1,m,off)) goto err;
-	if (!print(bp,"coefficient:",x->iqmp,m,off)) goto err;
+	if ((x->e != NULL) && !print(bp,s,x->e,m,off))
+		goto err;
+	if ((x->d != NULL) && !print(bp,"privateExponent:",x->d,m,off))
+		goto err;
+	if ((x->p != NULL) && !print(bp,"prime1:",x->p,m,off))
+		goto err;
+	if ((x->q != NULL) && !print(bp,"prime2:",x->q,m,off))
+		goto err;
+	if ((x->dmp1 != NULL) && !print(bp,"exponent1:",x->dmp1,m,off))
+		goto err;
+	if ((x->dmq1 != NULL) && !print(bp,"exponent2:",x->dmq1,m,off))
+		goto err;
+	if ((x->iqmp != NULL) && !print(bp,"coefficient:",x->iqmp,m,off))
+		goto err;
 	ret=1;
 err:
 	if (m != NULL) OPENSSL_free(m);
@@ -185,6 +208,11 @@ int DSA_print(BIO *bp, const DSA *x, int off)
 
 	if (x->p)
 		buf_len = (size_t)BN_num_bytes(x->p);
+	else
+		{
+		DSAerr(DSA_F_DSA_PRINT,DSA_R_MISSING_PARAMETERS);
+		goto err;
+		}
 	if (x->q)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
 			buf_len = i;
@@ -227,16 +255,334 @@ err:
 	}
 #endif /* !OPENSSL_NO_DSA */
 
-static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
+#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_FP_API
+int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off)
+	{
+	BIO *b;
+	int ret;
+
+	if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		ECerr(EC_F_ECPKPARAMETERS_PRINT_FP,ERR_R_BUF_LIB);
+		return(0);
+		}
+	BIO_set_fp(b, fp, BIO_NOCLOSE);
+	ret = ECPKParameters_print(b, x, off);
+	BIO_free(b);
+	return(ret);
+	}
+
+int EC_KEY_print_fp(FILE *fp, const EC_KEY *x, int off)
+	{
+	BIO *b;
+	int ret;
+ 
+	if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		ECerr(EC_F_EC_KEY_PRINT_FP, ERR_R_BIO_LIB);
+		return(0);
+		}
+	BIO_set_fp(b, fp, BIO_NOCLOSE);
+	ret = EC_KEY_print(b, x, off);
+	BIO_free(b);
+	return(ret);
+	}
+#endif
+
+int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off)
+	{
+	unsigned char *buffer=NULL;
+	size_t	buf_len=0, i;
+	int     ret=0, reason=ERR_R_BIO_LIB;
+	BN_CTX  *ctx=NULL;
+	const EC_POINT *point=NULL;
+	BIGNUM	*p=NULL, *a=NULL, *b=NULL, *gen=NULL,
+		*order=NULL, *cofactor=NULL;
+	const unsigned char *seed;
+	size_t	seed_len=0;
+	
+	static const char *gen_compressed = "Generator (compressed):";
+	static const char *gen_uncompressed = "Generator (uncompressed):";
+	static const char *gen_hybrid = "Generator (hybrid):";
+ 
+	if (!x)
+		{
+		reason = ERR_R_PASSED_NULL_PARAMETER;
+		goto err;
+		}
+
+	if (EC_GROUP_get_asn1_flag(x))
+		{
+		/* the curve parameter are given by an asn1 OID */
+		int nid;
+
+		if (!BIO_indent(bp, off, 128))
+			goto err;
+
+		nid = EC_GROUP_get_curve_name(x);
+		if (nid == 0)
+			goto err;
+
+		if (BIO_printf(bp, "ASN1 OID: %s", OBJ_nid2sn(nid)) <= 0)
+			goto err;
+		if (BIO_printf(bp, "\n") <= 0)
+			goto err;
+		}
+	else
+		{
+		/* explicit parameters */
+		int is_char_two = 0;
+		point_conversion_form_t form;
+		int tmp_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(x));
+
+		if (tmp_nid == NID_X9_62_characteristic_two_field)
+			is_char_two = 1;
+
+		if ((p = BN_new()) == NULL || (a = BN_new()) == NULL ||
+			(b = BN_new()) == NULL || (order = BN_new()) == NULL ||
+			(cofactor = BN_new()) == NULL)
+			{
+			reason = ERR_R_MALLOC_FAILURE;
+			goto err;
+			}
+
+		if (is_char_two)
+			{
+			if (!EC_GROUP_get_curve_GF2m(x, p, a, b, ctx))
+				{
+				reason = ERR_R_EC_LIB;
+				goto err;
+				}
+			}
+		else /* prime field */
+			{
+			if (!EC_GROUP_get_curve_GFp(x, p, a, b, ctx))
+				{
+				reason = ERR_R_EC_LIB;
+				goto err;
+				}
+			}
+
+		if ((point = EC_GROUP_get0_generator(x)) == NULL)
+			{
+			reason = ERR_R_EC_LIB;
+			goto err;
+			}
+		if (!EC_GROUP_get_order(x, order, NULL) || 
+            		!EC_GROUP_get_cofactor(x, cofactor, NULL))
+			{
+			reason = ERR_R_EC_LIB;
+			goto err;
+			}
+		
+		form = EC_GROUP_get_point_conversion_form(x);
+
+		if ((gen = EC_POINT_point2bn(x, point, 
+				form, NULL, ctx)) == NULL)
+			{
+			reason = ERR_R_EC_LIB;
+			goto err;
+			}
+
+		buf_len = (size_t)BN_num_bytes(p);
+		if (buf_len < (i = (size_t)BN_num_bytes(a)))
+			buf_len = i;
+		if (buf_len < (i = (size_t)BN_num_bytes(b)))
+			buf_len = i;
+		if (buf_len < (i = (size_t)BN_num_bytes(gen)))
+			buf_len = i;
+		if (buf_len < (i = (size_t)BN_num_bytes(order)))
+			buf_len = i;
+		if (buf_len < (i = (size_t)BN_num_bytes(cofactor))) 
+			buf_len = i;
+
+		if ((seed = EC_GROUP_get0_seed(x)) != NULL)
+			seed_len = EC_GROUP_get_seed_len(x);
+
+		buf_len += 10;
+		if ((buffer = OPENSSL_malloc(buf_len)) == NULL)
+			{
+			reason = ERR_R_MALLOC_FAILURE;
+			goto err;
+			}
+
+		if (!BIO_indent(bp, off, 128))
+			goto err;
+
+		/* print the 'short name' of the field type */
+		if (BIO_printf(bp, "Field Type: %s\n", OBJ_nid2sn(tmp_nid))
+			<= 0)
+			goto err;  
+
+		if (is_char_two)
+			{
+			/* print the 'short name' of the base type OID */
+			int basis_type = EC_GROUP_get_basis_type(x);
+			if (basis_type == 0)
+				goto err;
+
+			if (!BIO_indent(bp, off, 128))
+				goto err;
+
+			if (BIO_printf(bp, "Basis Type: %s\n", 
+				OBJ_nid2sn(basis_type)) <= 0)
+				goto err;
+
+			/* print the polynomial */
+			if ((p != NULL) && !print(bp, "Polynomial:", p, buffer,
+				off))
+				goto err;
+			}
+		else
+			{
+			if ((p != NULL) && !print(bp, "Prime:", p, buffer,off))
+				goto err;
+			}
+		if ((a != NULL) && !print(bp, "A:   ", a, buffer, off)) 
+			goto err;
+		if ((b != NULL) && !print(bp, "B:   ", b, buffer, off))
+			goto err;
+		if (form == POINT_CONVERSION_COMPRESSED)
+			{
+			if ((gen != NULL) && !print(bp, gen_compressed, gen,
+				buffer, off))
+				goto err;
+			}
+		else if (form == POINT_CONVERSION_UNCOMPRESSED)
+			{
+			if ((gen != NULL) && !print(bp, gen_uncompressed, gen,
+				buffer, off))
+				goto err;
+			}
+		else /* form == POINT_CONVERSION_HYBRID */
+			{
+			if ((gen != NULL) && !print(bp, gen_hybrid, gen,
+				buffer, off))
+				goto err;
+			}
+		if ((order != NULL) && !print(bp, "Order: ", order, 
+			buffer, off)) goto err;
+		if ((cofactor != NULL) && !print(bp, "Cofactor: ", cofactor, 
+			buffer, off)) goto err;
+		if (seed && !print_bin(bp, "Seed:", seed, seed_len, off))
+			goto err;
+		}
+	ret=1;
+err:
+	if (!ret)
+ 		ECerr(EC_F_ECPKPARAMETERS_PRINT, reason);
+	if (p) 
+		BN_free(p);
+	if (a) 
+		BN_free(a);
+	if (b)
+		BN_free(b);
+	if (gen)
+		BN_free(gen);
+	if (order)
+		BN_free(order);
+	if (cofactor)
+		BN_free(cofactor);
+	if (ctx)
+		BN_CTX_free(ctx);
+	if (buffer != NULL) 
+		OPENSSL_free(buffer);
+	return(ret);	
+	}
+
+int EC_KEY_print(BIO *bp, const EC_KEY *x, int off)
+	{
+	unsigned char *buffer=NULL;
+	size_t	buf_len=0, i;
+	int     ret=0, reason=ERR_R_BIO_LIB;
+	BIGNUM  *pub_key=NULL, *order=NULL;
+	BN_CTX  *ctx=NULL;
+	const EC_GROUP *group;
+	const EC_POINT *public_key;
+	const BIGNUM *priv_key;
+ 
+	if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL)
+		{
+		reason = ERR_R_PASSED_NULL_PARAMETER;
+		goto err;
+		}
+
+	public_key = EC_KEY_get0_public_key(x);
+	if ((pub_key = EC_POINT_point2bn(group, public_key,
+		EC_KEY_get_conv_form(x), NULL, ctx)) == NULL)
+		{
+		reason = ERR_R_EC_LIB;
+		goto err;
+		}
+
+	buf_len = (size_t)BN_num_bytes(pub_key);
+	priv_key = EC_KEY_get0_private_key(x);
+	if (priv_key != NULL)
+		{
+		if ((i = (size_t)BN_num_bytes(priv_key)) > buf_len)
+			buf_len = i;
+		}
+
+	buf_len += 10;
+	if ((buffer = OPENSSL_malloc(buf_len)) == NULL)
+		{
+		reason = ERR_R_MALLOC_FAILURE;
+		goto err;
+		}
+
+	if (priv_key != NULL)
+		{
+		if (!BIO_indent(bp, off, 128))
+			goto err;
+		if ((order = BN_new()) == NULL)
+			goto err;
+		if (!EC_GROUP_get_order(group, order, NULL))
+			goto err;
+		if (BIO_printf(bp, "Private-Key: (%d bit)\n", 
+			BN_num_bits(order)) <= 0) goto err;
+		}
+  
+	if ((priv_key != NULL) && !print(bp, "priv:", priv_key, 
+		buffer, off))
+		goto err;
+	if ((pub_key != NULL) && !print(bp, "pub: ", pub_key,
+		buffer, off))
+		goto err;
+	if (!ECPKParameters_print(bp, group, off))
+		goto err;
+	ret=1;
+err:
+	if (!ret)
+ 		ECerr(EC_F_EC_KEY_PRINT, reason);
+	if (pub_key) 
+		BN_free(pub_key);
+	if (order)
+		BN_free(order);
+	if (ctx)
+		BN_CTX_free(ctx);
+	if (buffer != NULL)
+		OPENSSL_free(buffer);
+	return(ret);
+	}
+#endif /* OPENSSL_NO_EC */
+
+static int print(BIO *bp, const char *number, const BIGNUM *num, unsigned char *buf,
 	     int off)
 	{
 	int n,i;
 	const char *neg;
 
 	if (num == NULL) return(1);
-	neg=(num->neg)?"-":"";
+	neg = (BN_is_negative(num))?"-":"";
 	if(!BIO_indent(bp,off,128))
 		return 0;
+	if (BN_is_zero(num))
+		{
+		if (BIO_printf(bp, "%s 0\n", number) <= 0)
+			return 0;
+		return 1;
+		}
 
 	if (BN_num_bytes(num) <= BN_BYTES)
 		{
@@ -272,23 +618,63 @@ static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
 	return(1);
 	}
 
+#ifndef OPENSSL_NO_EC
+static int print_bin(BIO *fp, const char *name, const unsigned char *buf,
+		size_t len, int off)
+	{
+	size_t i;
+	char str[128];
+
+	if (buf == NULL)
+		return 1;
+	if (off)
+		{
+		if (off > 128)
+			off=128;
+		memset(str,' ',off);
+		if (BIO_write(fp, str, off) <= 0)
+			return 0;
+		}
+
+	if (BIO_printf(fp,"%s", name) <= 0)
+		return 0;
+
+	for (i=0; i<len; i++)
+		{
+		if ((i%15) == 0)
+			{
+			str[0]='\n';
+			memset(&(str[1]),' ',off+4);
+			if (BIO_write(fp, str, off+1+4) <= 0)
+				return 0;
+			}
+		if (BIO_printf(fp,"%02x%s",buf[i],((i+1) == len)?"":":") <= 0)
+			return 0;
+		}
+	if (BIO_write(fp,"\n",1) <= 0)
+		return 0;
+
+	return 1;
+	}
+#endif
+
 #ifndef OPENSSL_NO_DH
 #ifndef OPENSSL_NO_FP_API
 int DHparams_print_fp(FILE *fp, const DH *x)
-        {
-        BIO *b;
-        int ret;
+	{
+	BIO *b;
+	int ret;
 
-        if ((b=BIO_new(BIO_s_file())) == NULL)
+	if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
 		DHerr(DH_F_DHPARAMS_PRINT_FP,ERR_R_BUF_LIB);
-                return(0);
+		return(0);
 		}
-        BIO_set_fp(b,fp,BIO_NOCLOSE);
-        ret=DHparams_print(b, x);
-        BIO_free(b);
-        return(ret);
-        }
+	BIO_set_fp(b,fp,BIO_NOCLOSE);
+	ret=DHparams_print(b, x);
+	BIO_free(b);
+	return(ret);
+	}
 #endif
 
 int DHparams_print(BIO *bp, const DH *x)
@@ -299,6 +685,11 @@ int DHparams_print(BIO *bp, const DH *x)
 
 	if (x->p)
 		buf_len = (size_t)BN_num_bytes(x->p);
+	else
+		{
+		reason = ERR_R_PASSED_NULL_PARAMETER;
+		goto err;
+		}
 	if (x->g)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
 			buf_len = i;
@@ -333,30 +724,35 @@ err:
 #ifndef OPENSSL_NO_DSA
 #ifndef OPENSSL_NO_FP_API
 int DSAparams_print_fp(FILE *fp, const DSA *x)
-        {
-        BIO *b;
-        int ret;
+	{
+	BIO *b;
+	int ret;
 
-        if ((b=BIO_new(BIO_s_file())) == NULL)
+	if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
 		DSAerr(DSA_F_DSAPARAMS_PRINT_FP,ERR_R_BUF_LIB);
-                return(0);
+		return(0);
 		}
-        BIO_set_fp(b,fp,BIO_NOCLOSE);
-        ret=DSAparams_print(b, x);
-        BIO_free(b);
-        return(ret);
-        }
+	BIO_set_fp(b,fp,BIO_NOCLOSE);
+	ret=DSAparams_print(b, x);
+	BIO_free(b);
+	return(ret);
+	}
 #endif
 
 int DSAparams_print(BIO *bp, const DSA *x)
 	{
 	unsigned char *m=NULL;
-	int reason=ERR_R_BUF_LIB,ret=0;
+	int ret=0;
 	size_t buf_len=0,i;
 
 	if (x->p)
 		buf_len = (size_t)BN_num_bytes(x->p);
+	else
+		{
+		DSAerr(DSA_F_DSAPARAMS_PRINT,DSA_R_MISSING_PARAMETERS);
+		goto err;
+		}
 	if (x->q)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
 			buf_len = i;
@@ -366,7 +762,7 @@ int DSAparams_print(BIO *bp, const DSA *x)
 	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (m == NULL)
 		{
-		reason=ERR_R_MALLOC_FAILURE;
+		DSAerr(DSA_F_DSAPARAMS_PRINT,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
 
@@ -374,14 +770,70 @@ int DSAparams_print(BIO *bp, const DSA *x)
 		BN_num_bits(x->p)) <= 0)
 		goto err;
 	if (!print(bp,"p:",x->p,m,4)) goto err;
-	if (!print(bp,"q:",x->q,m,4)) goto err;
-	if (!print(bp,"g:",x->g,m,4)) goto err;
+	if ((x->q != NULL) && !print(bp,"q:",x->q,m,4)) goto err;
+	if ((x->g != NULL) && !print(bp,"g:",x->g,m,4)) goto err;
 	ret=1;
 err:
 	if (m != NULL) OPENSSL_free(m);
-	DSAerr(DSA_F_DSAPARAMS_PRINT,reason);
 	return(ret);
 	}
 
 #endif /* !OPENSSL_NO_DSA */
 
+#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_FP_API
+int ECParameters_print_fp(FILE *fp, const EC_KEY *x)
+	{
+	BIO *b;
+	int ret;
+ 
+	if ((b=BIO_new(BIO_s_file())) == NULL)
+		{
+		ECerr(EC_F_ECPARAMETERS_PRINT_FP, ERR_R_BIO_LIB);
+		return(0);
+		}
+	BIO_set_fp(b, fp, BIO_NOCLOSE);
+	ret = ECParameters_print(b, x);
+	BIO_free(b);
+	return(ret);
+	}
+#endif
+
+int ECParameters_print(BIO *bp, const EC_KEY *x)
+	{
+	int     reason=ERR_R_EC_LIB, ret=0;
+	BIGNUM	*order=NULL;
+	const EC_GROUP *group;
+ 
+	if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL)
+		{
+		reason = ERR_R_PASSED_NULL_PARAMETER;;
+		goto err;
+		}
+
+	if ((order = BN_new()) == NULL)
+		{
+		reason = ERR_R_MALLOC_FAILURE;
+		goto err;
+		}
+
+	if (!EC_GROUP_get_order(group, order, NULL))
+		{
+		reason = ERR_R_EC_LIB;
+		goto err;
+		}
+ 
+	if (BIO_printf(bp, "ECDSA-Parameters: (%d bit)\n", 
+		BN_num_bits(order)) <= 0)
+		goto err;
+	if (!ECPKParameters_print(bp, group, 4))
+		goto err;
+	ret=1;
+err:
+	if (order)
+		BN_free(order);
+	ECerr(EC_F_ECPARAMETERS_PRINT, reason);
+	return(ret);
+	}
+  
+#endif
diff --git a/crypto/openssl/crypto/asn1/t_req.c b/crypto/openssl/crypto/asn1/t_req.c
index 740cee80c0fd..c779a9bb1805 100644
--- a/crypto/openssl/crypto/asn1/t_req.c
+++ b/crypto/openssl/crypto/asn1/t_req.c
@@ -63,6 +63,12 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 
 #ifndef OPENSSL_NO_FP_API
 int X509_REQ_print_fp(FILE *fp, X509_REQ *x)
@@ -160,6 +166,14 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long
 			}
 		else
 #endif
+#ifndef OPENSSL_NO_EC
+		if (pkey->type == EVP_PKEY_EC)
+		{
+			BIO_printf(bp, "%12sEC Public Key: \n","");
+			EC_KEY_print(bp, pkey->pkey.ec, 16);
+		}
+	else
+#endif
 			BIO_printf(bp,"%12sUnknown Public Key:\n","");
 
 		EVP_PKEY_free(pkey);
@@ -246,7 +260,7 @@ get_next:
 				obj=X509_EXTENSION_get_object(ex);
 				i2a_ASN1_OBJECT(bp,obj);
 				j=X509_EXTENSION_get_critical(ex);
-				if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
+				if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0)
 					goto err;
 				if(!X509V3_EXT_print(bp, ex, 0, 16))
 					{
@@ -266,7 +280,7 @@ get_next:
 
 	return(1);
 err:
-	X509err(X509_F_X509_REQ_PRINT,ERR_R_BUF_LIB);
+	X509err(X509_F_X509_REQ_PRINT_EX,ERR_R_BUF_LIB);
 	return(0);
 	}
 
diff --git a/crypto/openssl/crypto/asn1/t_spki.c b/crypto/openssl/crypto/asn1/t_spki.c
index 5abfbc815ea9..c2a5797dd8bf 100644
--- a/crypto/openssl/crypto/asn1/t_spki.c
+++ b/crypto/openssl/crypto/asn1/t_spki.c
@@ -60,6 +60,13 @@
 #include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#include <openssl/bn.h>
 
 /* Print out an SPKI */
 
@@ -93,6 +100,15 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
 		}
 		else
 #endif
+#ifndef OPENSSL_NO_EC
+		if (pkey->type == EVP_PKEY_EC)
+		{
+			BIO_printf(out, "  EC Public Key:\n");
+			EC_KEY_print(out, pkey->pkey.ec,2);
+		}
+		else
+#endif
+
 			BIO_printf(out,"  Unknown Public Key:\n");
 		EVP_PKEY_free(pkey);
 	}
diff --git a/crypto/openssl/crypto/asn1/t_x509.c b/crypto/openssl/crypto/asn1/t_x509.c
index d1034c47f83f..61f48d14d773 100644
--- a/crypto/openssl/crypto/asn1/t_x509.c
+++ b/crypto/openssl/crypto/asn1/t_x509.c
@@ -66,6 +66,9 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
+#ifndef OPENSSL_NO_EC
+#include <openssl/ec.h>
+#endif
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -83,7 +86,7 @@ int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag, unsigned long cfla
 
         if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
-		X509err(X509_F_X509_PRINT_FP,ERR_R_BUF_LIB);
+		X509err(X509_F_X509_PRINT_EX_FP,ERR_R_BUF_LIB);
                 return(0);
 		}
         BIO_set_fp(b,fp,BIO_NOCLOSE);
@@ -229,6 +232,14 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 			}
 		else
 #endif
+#ifndef OPENSSL_NO_EC
+		if (pkey->type == EVP_PKEY_EC)
+			{
+			BIO_printf(bp, "%12sEC Public Key:\n","");
+			EC_KEY_print(bp, pkey->pkey.ec, 16);
+			}
+		else
+#endif
 			BIO_printf(bp,"%12sUnknown Public Key:\n","");
 
 		EVP_PKEY_free(pkey);
diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c
index 2426cb6253a3..f8b27cffdbf4 100644
--- a/crypto/openssl/crypto/asn1/tasn_dec.c
+++ b/crypto/openssl/crypto/asn1/tasn_dec.c
@@ -3,7 +3,7 @@
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -65,23 +65,40 @@
 #include <openssl/buffer.h>
 #include <openssl/err.h>
 
-static int asn1_check_eoc(unsigned char **in, long len);
-static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass);
-static int collect_data(BUF_MEM *buf, unsigned char **p, long plen);
-static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst,
-			unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx);
-static int asn1_template_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx);
-static int asn1_template_noexp_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx);
-static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long len,
-					const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx);
+static int asn1_check_eoc(const unsigned char **in, long len);
+static int asn1_find_end(const unsigned char **in, long len, char inf);
+
+static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
+				char inf, int tag, int aclass);
+
+static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen);
+
+static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
+				char *inf, char *cst,
+				const unsigned char **in, long len,
+				int exptag, int expclass, char opt,
+				ASN1_TLC *ctx);
+
+static int asn1_template_ex_d2i(ASN1_VALUE **pval,
+				const unsigned char **in, long len,
+				const ASN1_TEMPLATE *tt, char opt,
+				ASN1_TLC *ctx);
+static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+				const unsigned char **in, long len,
+				const ASN1_TEMPLATE *tt, char opt,
+				ASN1_TLC *ctx);
+static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
+				const unsigned char **in, long len,
+				const ASN1_ITEM *it,
+				int tag, int aclass, char opt, ASN1_TLC *ctx);
 
 /* Table to convert tags to bit values, used for MSTRING type */
-static unsigned long tag2bit[32]={
+static unsigned long tag2bit[32] = {
 0,	0,	0,	B_ASN1_BIT_STRING,	/* tags  0 -  3 */
 B_ASN1_OCTET_STRING,	0,	0,		B_ASN1_UNKNOWN,/* tags  4- 7 */
 B_ASN1_UNKNOWN,	B_ASN1_UNKNOWN,	B_ASN1_UNKNOWN,	B_ASN1_UNKNOWN,/* tags  8-11 */
 B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */
-0,	0,	B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING,   /* tags 16-19 */
+B_ASN1_SEQUENCE,0,B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING, /* tags 16-19 */
 B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING,       /* tags 20-22 */
 B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME,			       /* tags 23-24 */	
 B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING,  /* tags 25-27 */
@@ -89,14 +106,14 @@ B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN, /* tags 2
 	};
 
 unsigned long ASN1_tag2bit(int tag)
-{
-	if((tag < 0) || (tag > 30)) return 0;
+	{
+	if ((tag < 0) || (tag > 30)) return 0;
 	return tag2bit[tag];
-}
+	}
 
 /* Macro to initialize and invalidate the cache */
 
-#define asn1_tlc_clear(c)	if(c) (c)->valid = 0
+#define asn1_tlc_clear(c)	if (c) (c)->valid = 0
 
 /* Decode an ASN1 item, this currently behaves just 
  * like a standard 'd2i' function. 'in' points to 
@@ -106,113 +123,147 @@ unsigned long ASN1_tag2bit(int tag)
  * case.
  */
 
-ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it)
-{
+ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
+		const unsigned char **in, long len, const ASN1_ITEM *it)
+	{
 	ASN1_TLC c;
 	ASN1_VALUE *ptmpval = NULL;
-	if(!pval) pval = &ptmpval;
+	if (!pval)
+		pval = &ptmpval;
 	asn1_tlc_clear(&c);
-	if(ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 
+	if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 
 		return *pval;
 	return NULL;
-}
+	}
 
-int ASN1_template_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt)
-{
+int ASN1_template_d2i(ASN1_VALUE **pval,
+		const unsigned char **in, long len, const ASN1_TEMPLATE *tt)
+	{
 	ASN1_TLC c;
 	asn1_tlc_clear(&c);
 	return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
-}
+	}
 
 
 /* Decode an item, taking care of IMPLICIT tagging, if any.
  * If 'opt' set and tag mismatch return -1 to handle OPTIONAL
  */
 
-int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it,
-				int tag, int aclass, char opt, ASN1_TLC *ctx)
-{
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+			const ASN1_ITEM *it,
+			int tag, int aclass, char opt, ASN1_TLC *ctx)
+	{
 	const ASN1_TEMPLATE *tt, *errtt = NULL;
 	const ASN1_COMPAT_FUNCS *cf;
 	const ASN1_EXTERN_FUNCS *ef;
 	const ASN1_AUX *aux = it->funcs;
 	ASN1_aux_cb *asn1_cb;
-	unsigned char *p, *q, imphack = 0, oclass;
+	const unsigned char *p = NULL, *q;
+	unsigned char *wp=NULL;	/* BIG FAT WARNING!  BREAKS CONST WHERE USED */
+	unsigned char imphack = 0, oclass;
 	char seq_eoc, seq_nolen, cst, isopt;
 	long tmplen;
 	int i;
 	int otag;
 	int ret = 0;
 	ASN1_VALUE *pchval, **pchptr, *ptmpval;
-	if(!pval) return 0;
-	if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+	if (!pval)
+		return 0;
+	if (aux && aux->asn1_cb)
+		asn1_cb = aux->asn1_cb;
 	else asn1_cb = 0;
 
-	switch(it->itype) {
-
+	switch(it->itype)
+		{
 		case ASN1_ITYPE_PRIMITIVE:
-		if(it->templates) {
-			/* tagging or OPTIONAL is currently illegal on an item template
-			 * because the flags can't get passed down. In practice this isn't
-			 * a problem: we include the relevant flags from the item template
-			 * in the template itself.
+		if (it->templates)
+			{
+			/* tagging or OPTIONAL is currently illegal on an item
+			 * template because the flags can't get passed down.
+			 * In practice this isn't a problem: we include the
+			 * relevant flags from the item template in the
+			 * template itself.
 			 */
-			if ((tag != -1) || opt) {
-				ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+			if ((tag != -1) || opt)
+				{
+				ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+				ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
 				goto err;
-			}
-			return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx);
+				}
+			return asn1_template_ex_d2i(pval, in, len,
+					it->templates, opt, ctx);
 		}
-		return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx);
+		return asn1_d2i_ex_primitive(pval, in, len, it,
+						tag, aclass, opt, ctx);
 		break;
 
 		case ASN1_ITYPE_MSTRING:
 		p = *in;
 		/* Just read in tag and class */
-		ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, &p, len, -1, 0, 1, ctx);
-		if(!ret) {
-			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+		ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
+						&p, len, -1, 0, 1, ctx);
+		if (!ret)
+			{
+			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+					ERR_R_NESTED_ASN1_ERROR);
 			goto err;
-		} 
+			}
+
 		/* Must be UNIVERSAL class */
-		if(oclass != V_ASN1_UNIVERSAL) {
+		if (oclass != V_ASN1_UNIVERSAL)
+			{
 			/* If OPTIONAL, assume this is OK */
-			if(opt) return -1;
-			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
+			if (opt) return -1;
+			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+					ASN1_R_MSTRING_NOT_UNIVERSAL);
 			goto err;
-		} 
+			}
 		/* Check tag matches bit map */
-		if(!(ASN1_tag2bit(otag) & it->utype)) {
+		if (!(ASN1_tag2bit(otag) & it->utype))
+			{
 			/* If OPTIONAL, assume this is OK */
-			if(opt) return -1;
-			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_WRONG_TAG);
+			if (opt)
+				return -1;
+			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+					ASN1_R_MSTRING_WRONG_TAG);
 			goto err;
-		} 
-		return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx);
+			}
+		return asn1_d2i_ex_primitive(pval, in, len,
+						it, otag, 0, 0, ctx);
 
 		case ASN1_ITYPE_EXTERN:
 		/* Use new style d2i */
 		ef = it->funcs;
-		return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
+		return ef->asn1_ex_d2i(pval, in, len,
+						it, tag, aclass, opt, ctx);
 
 		case ASN1_ITYPE_COMPAT:
 		/* we must resort to old style evil hackery */
 		cf = it->funcs;
 
 		/* If OPTIONAL see if it is there */
-		if(opt) {
+		if (opt)
+			{
 			int exptag;
 			p = *in;
-			if(tag == -1) exptag = it->utype;
+			if (tag == -1)
+				exptag = it->utype;
 			else exptag = tag;
-			/* Don't care about anything other than presence of expected tag */
-			ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL, &p, len, exptag, aclass, 1, ctx);
-			if(!ret) {
-				ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+			/* Don't care about anything other than presence
+			 * of expected tag */
+
+			ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL,
+					&p, len, exptag, aclass, 1, ctx);
+			if (!ret)
+				{
+				ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+					ERR_R_NESTED_ASN1_ERROR);
 				goto err;
+				}
+			if (ret == -1)
+				return -1;
 			}
-			if(ret == -1) return -1;
-		}
+
 		/* This is the old style evil hack IMPLICIT handling:
 		 * since the underlying code is expecting a tag and
 		 * class other than the one present we change the
@@ -228,245 +279,332 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1
 		 * buffer.
 		 */
 
-		if(tag != -1) {
-			p = *in;
-			imphack = *p;
-			*p = (unsigned char)((*p & V_ASN1_CONSTRUCTED) | it->utype);
-		}
+		if (tag != -1)
+			{
+			wp = *(unsigned char **)in;
+			imphack = *wp;
+			if (p == NULL)
+				{
+				ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+					ERR_R_NESTED_ASN1_ERROR);
+				goto err;
+				}
+			*wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED)
+								| it->utype);
+			}
 
 		ptmpval = cf->asn1_d2i(pval, in, len);
 
-		if(tag != -1) *p = imphack;
+		if (tag != -1)
+			*wp = imphack;
+
+		if (ptmpval)
+			return 1;
 
-		if(ptmpval) return 1;
 		ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
 		goto err;
 
 
 		case ASN1_ITYPE_CHOICE:
-		if(asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
+		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
 				goto auxerr;
 
 		/* Allocate structure */
-		if(!*pval) {
-			if(!ASN1_item_ex_new(pval, it)) {
-				ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
-				goto err;
+		if (!*pval && !ASN1_item_ex_new(pval, it))
+			{
+			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+						ERR_R_NESTED_ASN1_ERROR);
+			goto err;
 			}
-		}
 		/* CHOICE type, try each possibility in turn */
 		pchval = NULL;
 		p = *in;
-		for(i = 0, tt=it->templates; i < it->tcount; i++, tt++) {
+		for (i = 0, tt=it->templates; i < it->tcount; i++, tt++)
+			{
 			pchptr = asn1_get_field_ptr(pval, tt);
 			/* We mark field as OPTIONAL so its absence
 			 * can be recognised.
 			 */
 			ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);
 			/* If field not present, try the next one */
-			if(ret == -1) continue;
+			if (ret == -1)
+				continue;
 			/* If positive return, read OK, break loop */
-			if(ret > 0) break;
+			if (ret > 0)
+				break;
 			/* Otherwise must be an ASN1 parsing error */
 			errtt = tt;
-			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+						ERR_R_NESTED_ASN1_ERROR);
 			goto err;
-		}
+			}
+
 		/* Did we fall off the end without reading anything? */
-		if(i == it->tcount) {
+		if (i == it->tcount)
+			{
 			/* If OPTIONAL, this is OK */
-			if(opt) {
+			if (opt)
+				{
 				/* Free and zero it */
 				ASN1_item_ex_free(pval, it);
 				return -1;
-			}
-			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NO_MATCHING_CHOICE_TYPE);
+				}
+			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+					ASN1_R_NO_MATCHING_CHOICE_TYPE);
 			goto err;
-		}
+			}
+
 		asn1_set_choice_selector(pval, i, it);
 		*in = p;
-		if(asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it))
+		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it))
 				goto auxerr;
 		return 1;
 
+		case ASN1_ITYPE_NDEF_SEQUENCE:
 		case ASN1_ITYPE_SEQUENCE:
 		p = *in;
 		tmplen = len;
 
 		/* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
-		if(tag == -1) {
+		if (tag == -1)
+			{
 			tag = V_ASN1_SEQUENCE;
 			aclass = V_ASN1_UNIVERSAL;
-		}
+			}
 		/* Get SEQUENCE length and update len, p */
-		ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, &p, len, tag, aclass, opt, ctx);
-		if(!ret) {
-			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+		ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst,
+					&p, len, tag, aclass, opt, ctx);
+		if (!ret)
+			{
+			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+					ERR_R_NESTED_ASN1_ERROR);
 			goto err;
-		} else if(ret == -1) return -1;
-		if(aux && (aux->flags & ASN1_AFLG_BROKEN)) {
+			}
+		else if (ret == -1)
+			return -1;
+		if (aux && (aux->flags & ASN1_AFLG_BROKEN))
+			{
 			len = tmplen - (p - *in);
 			seq_nolen = 1;
-		} else seq_nolen = seq_eoc;	/* If indefinite we don't do a length check */
-		if(!cst) {
-			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
+			}
+		/* If indefinite we don't do a length check */
+		else seq_nolen = seq_eoc;
+		if (!cst)
+			{
+			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+				ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
 			goto err;
-		}
+			}
 
-		if(!*pval) {
-			if(!ASN1_item_ex_new(pval, it)) {
-				ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
-				goto err;
+		if (!*pval && !ASN1_item_ex_new(pval, it))
+			{
+			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+				ERR_R_NESTED_ASN1_ERROR);
+			goto err;
 			}
-		}
-		if(asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
+
+		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
 				goto auxerr;
 
 		/* Get each field entry */
-		for(i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
+			{
 			const ASN1_TEMPLATE *seqtt;
 			ASN1_VALUE **pseqval;
 			seqtt = asn1_do_adb(pval, tt, 1);
-			if(!seqtt) goto err;
+			if (!seqtt)
+				goto err;
 			pseqval = asn1_get_field_ptr(pval, seqtt);
 			/* Have we ran out of data? */
-			if(!len) break;
+			if (!len)
+				break;
 			q = p;
-			if(asn1_check_eoc(&p, len)) {
-				if(!seq_eoc) {
-					ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_UNEXPECTED_EOC);
+			if (asn1_check_eoc(&p, len))
+				{
+				if (!seq_eoc)
+					{
+					ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+							ASN1_R_UNEXPECTED_EOC);
 					goto err;
-				}
+					}
 				len -= p - q;
 				seq_eoc = 0;
 				q = p;
 				break;
-			}
-			/* This determines the OPTIONAL flag value. The field cannot
-			 * be omitted if it is the last of a SEQUENCE and there is
-			 * still data to be read. This isn't strictly necessary but
-			 * it increases efficiency in some cases.
+				}
+			/* This determines the OPTIONAL flag value. The field
+			 * cannot be omitted if it is the last of a SEQUENCE
+			 * and there is still data to be read. This isn't
+			 * strictly necessary but it increases efficiency in
+			 * some cases.
 			 */
-			if(i == (it->tcount - 1)) isopt = 0;
+			if (i == (it->tcount - 1))
+				isopt = 0;
 			else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL);
-			/* attempt to read in field, allowing each to be OPTIONAL */
-			ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx);
-			if(!ret) {
+			/* attempt to read in field, allowing each to be
+			 * OPTIONAL */
+
+			ret = asn1_template_ex_d2i(pseqval, &p, len,
+							seqtt, isopt, ctx);
+			if (!ret)
+				{
 				errtt = seqtt;
 				goto err;
-			} else if(ret == -1) {
-				/* OPTIONAL component absent. Free and zero the field
+				}
+			else if (ret == -1)
+				{
+				/* OPTIONAL component absent.
+				 * Free and zero the field.
 				 */
 				ASN1_template_free(pseqval, seqtt);
 				continue;
-			}
+				}
 			/* Update length */
 			len -= p - q;
-		}
+			}
+
 		/* Check for EOC if expecting one */
-		if(seq_eoc && !asn1_check_eoc(&p, len)) {
+		if (seq_eoc && !asn1_check_eoc(&p, len))
+			{
 			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MISSING_EOC);
 			goto err;
-		}
+			}
 		/* Check all data read */
-		if(!seq_nolen && len) {
-			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
+		if (!seq_nolen && len)
+			{
+			ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+					ASN1_R_SEQUENCE_LENGTH_MISMATCH);
 			goto err;
-		}
+			}
 
 		/* If we get here we've got no more data in the SEQUENCE,
 		 * however we may not have read all fields so check all
 		 * remaining are OPTIONAL and clear any that are.
 		 */
-		for(; i < it->tcount; tt++, i++) {
+		for (; i < it->tcount; tt++, i++)
+			{
 			const ASN1_TEMPLATE *seqtt;
 			seqtt = asn1_do_adb(pval, tt, 1);
-			if(!seqtt) goto err;
-			if(seqtt->flags & ASN1_TFLG_OPTIONAL) {
+			if (!seqtt)
+				goto err;
+			if (seqtt->flags & ASN1_TFLG_OPTIONAL)
+				{
 				ASN1_VALUE **pseqval;
 				pseqval = asn1_get_field_ptr(pval, seqtt);
 				ASN1_template_free(pseqval, seqtt);
-			} else {
+				}
+			else
+				{
 				errtt = seqtt;
-				ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_FIELD_MISSING);
+				ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+							ASN1_R_FIELD_MISSING);
 				goto err;
+				}
 			}
-		}
 		/* Save encoding */
-		if(!asn1_enc_save(pval, *in, p - *in, it)) goto auxerr;
+		if (!asn1_enc_save(pval, *in, p - *in, it))
+			goto auxerr;
 		*in = p;
-		if(asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it))
+		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it))
 				goto auxerr;
 		return 1;
 
 		default:
 		return 0;
-	}
+		}
 	auxerr:
 	ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
 	err:
 	ASN1_item_ex_free(pval, it);
-	if(errtt) ERR_add_error_data(4, "Field=", errtt->field_name, ", Type=", it->sname);
-	else ERR_add_error_data(2, "Type=", it->sname);
+	if (errtt)
+		ERR_add_error_data(4, "Field=", errtt->field_name,
+					", Type=", it->sname);
+	else
+		ERR_add_error_data(2, "Type=", it->sname);
 	return 0;
-}
+	}
 
-/* Templates are handled with two separate functions. One handles any EXPLICIT tag and the other handles the
- * rest.
+/* Templates are handled with two separate functions.
+ * One handles any EXPLICIT tag and the other handles the rest.
  */
 
-static int asn1_template_ex_d2i(ASN1_VALUE **val, unsigned char **in, long inlen, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx)
-{
+static int asn1_template_ex_d2i(ASN1_VALUE **val,
+				const unsigned char **in, long inlen,
+				const ASN1_TEMPLATE *tt, char opt,
+							ASN1_TLC *ctx)
+	{
 	int flags, aclass;
 	int ret;
 	long len;
-	unsigned char *p, *q;
+	const unsigned char *p, *q;
 	char exp_eoc;
-	if(!val) return 0;
+	if (!val)
+		return 0;
 	flags = tt->flags;
 	aclass = flags & ASN1_TFLG_TAG_CLASS;
 
 	p = *in;
 
 	/* Check if EXPLICIT tag expected */
-	if(flags & ASN1_TFLG_EXPTAG) {
+	if (flags & ASN1_TFLG_EXPTAG)
+		{
 		char cst;
-		/* Need to work out amount of data available to the inner content and where it
-		 * starts: so read in EXPLICIT header to get the info.
+		/* Need to work out amount of data available to the inner
+		 * content and where it starts: so read in EXPLICIT header to
+		 * get the info.
 		 */
-		ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, &p, inlen, tt->tag, aclass, opt, ctx);
+		ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst,
+					&p, inlen, tt->tag, aclass, opt, ctx);
 		q = p;
-		if(!ret) {
-			ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+		if (!ret)
+			{
+			ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I,
+					ERR_R_NESTED_ASN1_ERROR);
 			return 0;
-		} else if(ret == -1) return -1;
-		if(!cst) {
-			ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
+			}
+		else if (ret == -1)
+			return -1;
+		if (!cst)
+			{
+			ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I,
+					ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
 			return 0;
-		}
+			}
 		/* We've found the field so it can't be OPTIONAL now */
 		ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
-		if(!ret) {
-			ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+		if (!ret)
+			{
+			ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I,
+					ERR_R_NESTED_ASN1_ERROR);
 			return 0;
-		}
+			}
 		/* We read the field in OK so update length */
 		len -= p - q;
-		if(exp_eoc) {
+		if (exp_eoc)
+			{
 			/* If NDEF we must have an EOC here */
-			if(!asn1_check_eoc(&p, len)) {
-				ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_MISSING_EOC);
+			if (!asn1_check_eoc(&p, len))
+				{
+				ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I,
+						ASN1_R_MISSING_EOC);
 				goto err;
+				}
 			}
-		} else {
-			/* Otherwise we must hit the EXPLICIT tag end or its an error */
-			if(len) {
-				ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_EXPLICIT_LENGTH_MISMATCH);
+		else
+			{
+			/* Otherwise we must hit the EXPLICIT tag end or its
+			 * an error */
+			if (len)
+				{
+				ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I,
+					ASN1_R_EXPLICIT_LENGTH_MISMATCH);
 				goto err;
+				}
 			}
 		}
-	} else 
-		return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx);
+		else 
+			return asn1_template_noexp_d2i(val, in, inlen,
+								tt, opt, ctx);
 
 	*in = p;
 	return 1;
@@ -475,98 +613,145 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val, unsigned char **in, long inlen
 	ASN1_template_free(val, tt);
 	*val = NULL;
 	return 0;
-}
+	}
 
-static int asn1_template_noexp_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx)
-{
+static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+				const unsigned char **in, long len,
+				const ASN1_TEMPLATE *tt, char opt,
+				ASN1_TLC *ctx)
+	{
 	int flags, aclass;
 	int ret;
-	unsigned char *p, *q;
-	if(!val) return 0;
+	const unsigned char *p, *q;
+	if (!val)
+		return 0;
 	flags = tt->flags;
 	aclass = flags & ASN1_TFLG_TAG_CLASS;
 
 	p = *in;
 	q = p;
 
-	if(flags & ASN1_TFLG_SK_MASK) {
+	if (flags & ASN1_TFLG_SK_MASK)
+		{
 		/* SET OF, SEQUENCE OF */
 		int sktag, skaclass;
 		char sk_eoc;
 		/* First work out expected inner tag value */
-		if(flags & ASN1_TFLG_IMPTAG) {
+		if (flags & ASN1_TFLG_IMPTAG)
+			{
 			sktag = tt->tag;
 			skaclass = aclass;
-		} else {
+			}
+		else
+			{
 			skaclass = V_ASN1_UNIVERSAL;
-			if(flags & ASN1_TFLG_SET_OF) sktag = V_ASN1_SET;
-			else sktag = V_ASN1_SEQUENCE;
-		}
+			if (flags & ASN1_TFLG_SET_OF)
+				sktag = V_ASN1_SET;
+			else
+				sktag = V_ASN1_SEQUENCE;
+			}
 		/* Get the tag */
-		ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, &p, len, sktag, skaclass, opt, ctx);
-		if(!ret) {
-			ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+		ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL,
+					&p, len, sktag, skaclass, opt, ctx);
+		if (!ret)
+			{
+			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+						ERR_R_NESTED_ASN1_ERROR);
 			return 0;
-		} else if(ret == -1) return -1;
-		if(!*val) *val = (ASN1_VALUE *)sk_new_null();
-		else {
+			}
+		else if (ret == -1)
+			return -1;
+		if (!*val)
+			*val = (ASN1_VALUE *)sk_new_null();
+		else
+			{
 			/* We've got a valid STACK: free up any items present */
 			STACK *sktmp = (STACK *)*val;
 			ASN1_VALUE *vtmp;
-			while(sk_num(sktmp) > 0) {
+			while(sk_num(sktmp) > 0)
+				{
 				vtmp = (ASN1_VALUE *)sk_pop(sktmp);
-				ASN1_item_ex_free(&vtmp, ASN1_ITEM_ptr(tt->item));
+				ASN1_item_ex_free(&vtmp,
+						ASN1_ITEM_ptr(tt->item));
+				}
 			}
-		}
 				
-		if(!*val) {
-			ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_MALLOC_FAILURE);
+		if (!*val)
+			{
+			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+						ERR_R_MALLOC_FAILURE);
 			goto err;
-		}
+			}
+
 		/* Read as many items as we can */
-		while(len > 0) {
+		while(len > 0)
+			{
 			ASN1_VALUE *skfield;
 			q = p;
 			/* See if EOC found */
-			if(asn1_check_eoc(&p, len)) {
-				if(!sk_eoc) {
-					ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_UNEXPECTED_EOC);
+			if (asn1_check_eoc(&p, len))
+				{
+				if (!sk_eoc)
+					{
+					ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+							ASN1_R_UNEXPECTED_EOC);
 					goto err;
-				}
+					}
 				len -= p - q;
 				sk_eoc = 0;
 				break;
-			}
+				}
 			skfield = NULL;
-			if(!ASN1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {
-				ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_NESTED_ASN1_ERROR);
+			if (!ASN1_item_ex_d2i(&skfield, &p, len,
+						ASN1_ITEM_ptr(tt->item),
+						-1, 0, 0, ctx))
+				{
+				ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+					ERR_R_NESTED_ASN1_ERROR);
 				goto err;
-			}
+				}
 			len -= p - q;
-			if(!sk_push((STACK *)*val, (char *)skfield)) {
-				ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_MALLOC_FAILURE);
+			if (!sk_push((STACK *)*val, (char *)skfield))
+				{
+				ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+						ERR_R_MALLOC_FAILURE);
 				goto err;
+				}
 			}
-		}
-		if(sk_eoc) {
-			ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_MISSING_EOC);
+		if (sk_eoc)
+			{
+			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_MISSING_EOC);
 			goto err;
+			}
 		}
-	} else if(flags & ASN1_TFLG_IMPTAG) {
+	else if (flags & ASN1_TFLG_IMPTAG)
+		{
 		/* IMPLICIT tagging */
-		ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx);
-		if(!ret) {
-			ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_NESTED_ASN1_ERROR);
+		ret = ASN1_item_ex_d2i(val, &p, len,
+			ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx);
+		if (!ret)
+			{
+			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+						ERR_R_NESTED_ASN1_ERROR);
 			goto err;
-		} else if(ret == -1) return -1;
-	} else {
+			}
+		else if (ret == -1)
+			return -1;
+		}
+	else
+		{
 		/* Nothing special */
-		ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, opt, ctx);
-		if(!ret) {
-			ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_NESTED_ASN1_ERROR);
+		ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+							-1, 0, opt, ctx);
+		if (!ret)
+			{
+			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+					ERR_R_NESTED_ASN1_ERROR);
 			goto err;
-		} else if(ret == -1) return -1;
-	}
+			}
+		else if (ret == -1)
+			return -1;
+		}
 
 	*in = p;
 	return 1;
@@ -575,83 +760,114 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, unsigned char **in, long le
 	ASN1_template_free(val, tt);
 	*val = NULL;
 	return 0;
-}
+	}
 
-static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inlen, 
-						const ASN1_ITEM *it,
-						int tag, int aclass, char opt, ASN1_TLC *ctx)
-{
+static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
+				const unsigned char **in, long inlen, 
+				const ASN1_ITEM *it,
+				int tag, int aclass, char opt, ASN1_TLC *ctx)
+	{
 	int ret = 0, utype;
 	long plen;
 	char cst, inf, free_cont = 0;
-	unsigned char *p;
+	const unsigned char *p;
 	BUF_MEM buf;
-	unsigned char *cont = NULL;
+	const unsigned char *cont = NULL;
 	long len; 
-	if(!pval) {
+	if (!pval)
+		{
 		ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL);
 		return 0; /* Should never happen */
-	}
+		}
 
-	if(it->itype == ASN1_ITYPE_MSTRING) {
+	if (it->itype == ASN1_ITYPE_MSTRING)
+		{
 		utype = tag;
 		tag = -1;
-	} else utype = it->utype;
+		}
+	else
+		utype = it->utype;
 
-	if(utype == V_ASN1_ANY) {
+	if (utype == V_ASN1_ANY)
+		{
 		/* If type is ANY need to figure out type from tag */
 		unsigned char oclass;
-		if(tag >= 0) {
-			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_TAGGED_ANY);
+		if (tag >= 0)
+			{
+			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+					ASN1_R_ILLEGAL_TAGGED_ANY);
 			return 0;
-		}
-		if(opt) {
-			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_OPTIONAL_ANY);
+			}
+		if (opt)
+			{
+			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+					ASN1_R_ILLEGAL_OPTIONAL_ANY);
 			return 0;
-		}
+			}
 		p = *in;
-		ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL, &p, inlen, -1, 0, 0, ctx);
-		if(!ret) {
-			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
+		ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL,
+					&p, inlen, -1, 0, 0, ctx);
+		if (!ret)
+			{
+			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+					ERR_R_NESTED_ASN1_ERROR);
 			return 0;
+			}
+		if (oclass != V_ASN1_UNIVERSAL)
+			utype = V_ASN1_OTHER;
 		}
-		if(oclass != V_ASN1_UNIVERSAL) utype = V_ASN1_OTHER;
-	}
-	if(tag == -1) {
+	if (tag == -1)
+		{
 		tag = utype;
 		aclass = V_ASN1_UNIVERSAL;
-	}
+		}
 	p = *in;
 	/* Check header */
-	ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, &p, inlen, tag, aclass, opt, ctx);
-	if(!ret) {
+	ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst,
+				&p, inlen, tag, aclass, opt, ctx);
+	if (!ret)
+		{
 		ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
 		return 0;
-	} else if(ret == -1) return -1;
+		}
+	else if (ret == -1)
+		return -1;
 	/* SEQUENCE, SET and "OTHER" are left in encoded form */
-	if((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
-		/* Clear context cache for type OTHER because the auto clear when
-		 * we have a exact match wont work
+	if ((utype == V_ASN1_SEQUENCE)
+		|| (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER))
+		{
+		/* Clear context cache for type OTHER because the auto clear
+		 * when we have a exact match wont work
 		 */
-		if(utype == V_ASN1_OTHER) {
+		if (utype == V_ASN1_OTHER)
+			{
 			asn1_tlc_clear(ctx);
+			}
 		/* SEQUENCE and SET must be constructed */
-		} else if(!cst) {
-			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_TYPE_NOT_CONSTRUCTED);
+		else if (!cst)
+			{
+			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+				ASN1_R_TYPE_NOT_CONSTRUCTED);
 			return 0;
-		}
+			}
 
 		cont = *in;
 		/* If indefinite length constructed find the real end */
-		if(inf) {
-			if(!asn1_collect(NULL, &p, plen, inf, -1, -1)) goto err;
+		if (inf)
+			{
+			if (!asn1_find_end(&p, plen, inf))
+				 goto err;
 			len = p - cont;
-		} else {
+			}
+		else
+			{
 			len = p - cont + plen;
 			p += plen;
 			buf.data = NULL;
+			}
 		}
-	} else if(cst) {
+	else if (cst)
+		{
 		buf.length = 0;
 		buf.max = 0;
 		buf.data = NULL;
@@ -661,36 +877,43 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl
 		 * internally irrespective of the type. So instead just check
 		 * for UNIVERSAL class and ignore the tag.
 		 */
-		if(!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL)) goto err;
+		if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL))
+			goto err;
 		len = buf.length;
 		/* Append a final null to string */
-		if(!BUF_MEM_grow_clean(&buf, len + 1)) {
-			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
+		if (!BUF_MEM_grow_clean(&buf, len + 1))
+			{
+			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+						ERR_R_MALLOC_FAILURE);
 			return 0;
-		}
+			}
 		buf.data[len] = 0;
-		cont = (unsigned char *)buf.data;
+		cont = (const unsigned char *)buf.data;
 		free_cont = 1;
-	} else {
+		}
+	else
+		{
 		cont = p;
 		len = plen;
 		p += plen;
-	}
+		}
 
 	/* We now have content length and type: translate into a structure */
-	if(!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it)) goto err;
+	if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it))
+		goto err;
 
 	*in = p;
 	ret = 1;
 	err:
-	if(free_cont && buf.data) OPENSSL_free(buf.data);
+	if (free_cont && buf.data) OPENSSL_free(buf.data);
 	return ret;
-}
+	}
 
 /* Translate ASN1 content octets into a structure */
 
-int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
-{
+int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
+			int utype, char *free_cont, const ASN1_ITEM *it)
+	{
 	ASN1_VALUE **opval = NULL;
 	ASN1_STRING *stmp;
 	ASN1_TYPE *typ = NULL;
@@ -698,43 +921,62 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char
 	const ASN1_PRIMITIVE_FUNCS *pf;
 	ASN1_INTEGER **tint;
 	pf = it->funcs;
-	if(pf && pf->prim_c2i) return pf->prim_c2i(pval, cont, len, utype, free_cont, it);
+
+	if (pf && pf->prim_c2i)
+		return pf->prim_c2i(pval, cont, len, utype, free_cont, it);
 	/* If ANY type clear type and set pointer to internal value */
-	if(it->utype == V_ASN1_ANY) {
-		if(!*pval) {
+	if (it->utype == V_ASN1_ANY)
+		{
+		if (!*pval)
+			{
 			typ = ASN1_TYPE_new();
+			if (typ == NULL)
+				goto err;
 			*pval = (ASN1_VALUE *)typ;
-		} else typ = (ASN1_TYPE *)*pval;
-		if(utype != typ->type) ASN1_TYPE_set(typ, utype, NULL);
+			}
+		else
+			typ = (ASN1_TYPE *)*pval;
+
+		if (utype != typ->type)
+			ASN1_TYPE_set(typ, utype, NULL);
 		opval = pval;
 		pval = (ASN1_VALUE **)&typ->value.ptr;
-	}
-	switch(utype) {
+		}
+	switch(utype)
+		{
 		case V_ASN1_OBJECT:
-		if(!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) goto err;
+		if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len))
+			goto err;
 		break;
 
 		case V_ASN1_NULL:
-		if(len) {
-			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_NULL_IS_WRONG_LENGTH);
+		if (len)
+			{
+			ASN1err(ASN1_F_ASN1_EX_C2I,
+						ASN1_R_NULL_IS_WRONG_LENGTH);
 			goto err;
-		}
+			}
 		*pval = (ASN1_VALUE *)1;
 		break;
 
 		case V_ASN1_BOOLEAN:
-		if(len != 1) {
-			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
+		if (len != 1)
+			{
+			ASN1err(ASN1_F_ASN1_EX_C2I,
+						ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
 			goto err;
-		} else {
+			}
+		else
+			{
 			ASN1_BOOLEAN *tbool;
 			tbool = (ASN1_BOOLEAN *)pval;
 			*tbool = *cont;
-		}
+			}
 		break;
 
 		case V_ASN1_BIT_STRING:
-		if(!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len)) goto err;
+		if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len))
+			goto err;
 		break;
 
 		case V_ASN1_INTEGER:
@@ -742,7 +984,8 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char
 		case V_ASN1_ENUMERATED:
 		case V_ASN1_NEG_ENUMERATED:
 		tint = (ASN1_INTEGER **)pval;
-		if(!c2i_ASN1_INTEGER(tint, &cont, len)) goto err;
+		if (!c2i_ASN1_INTEGER(tint, &cont, len))
+			goto err;
 		/* Fixup type to match the expected form */
 		(*tint)->type = utype | ((*tint)->type & V_ASN1_NEG);
 		break;
@@ -766,127 +1009,216 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char
 		case V_ASN1_SEQUENCE:
 		default:
 		/* All based on ASN1_STRING and handled the same */
-		if(!*pval) {
+		if (!*pval)
+			{
 			stmp = ASN1_STRING_type_new(utype);
-			if(!stmp) {
-				ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
+			if (!stmp)
+				{
+				ASN1err(ASN1_F_ASN1_EX_C2I,
+							ERR_R_MALLOC_FAILURE);
 				goto err;
-			}
+				}
 			*pval = (ASN1_VALUE *)stmp;
-		} else {
+			}
+		else
+			{
 			stmp = (ASN1_STRING *)*pval;
 			stmp->type = utype;
-		}
+			}
 		/* If we've already allocated a buffer use it */
-		if(*free_cont) {
-			if(stmp->data) OPENSSL_free(stmp->data);
-			stmp->data = cont;
+		if (*free_cont)
+			{
+			if (stmp->data)
+				OPENSSL_free(stmp->data);
+			stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */
 			stmp->length = len;
 			*free_cont = 0;
-		} else {
-			if(!ASN1_STRING_set(stmp, cont, len)) {
-				ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
+			}
+		else
+			{
+			if (!ASN1_STRING_set(stmp, cont, len))
+				{
+				ASN1err(ASN1_F_ASN1_EX_C2I,
+							ERR_R_MALLOC_FAILURE);
 				ASN1_STRING_free(stmp);	
 				*pval = NULL;
 				goto err;
+				}
 			}
-		}
 		break;
-	}
+		}
 	/* If ASN1_ANY and NULL type fix up value */
-	if(typ && utype==V_ASN1_NULL) typ->value.ptr = NULL;
+	if (typ && (utype == V_ASN1_NULL))
+		 typ->value.ptr = NULL;
 
 	ret = 1;
 	err:
-	if(!ret)
+	if (!ret)
 		{
 		ASN1_TYPE_free(typ);
 		if (opval)
 			*opval = NULL;
 		}
 	return ret;
-}
+	}
+
+
+/* This function finds the end of an ASN1 structure when passed its maximum
+ * length, whether it is indefinite length and a pointer to the content.
+ * This is more efficient than calling asn1_collect because it does not
+ * recurse on each indefinite length header.
+ */
 
+static int asn1_find_end(const unsigned char **in, long len, char inf)
+	{
+	int expected_eoc;
+	long plen;
+	const unsigned char *p = *in, *q;
+	/* If not indefinite length constructed just add length */
+	if (inf == 0)
+		{
+		*in += len;
+		return 1;
+		}
+	expected_eoc = 1;
+	/* Indefinite length constructed form. Find the end when enough EOCs
+	 * are found. If more indefinite length constructed headers
+	 * are encountered increment the expected eoc count otherwise just
+	 * skip to the end of the data.
+	 */
+	while (len > 0)
+		{
+		if(asn1_check_eoc(&p, len))
+			{
+			expected_eoc--;
+			if (expected_eoc == 0)
+				break;
+			len -= 2;
+			continue;
+			}
+		q = p;
+		/* Just read in a header: only care about the length */
+		if(!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len,
+				-1, 0, 0, NULL))
+			{
+			ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR);
+			return 0;
+			}
+		if (inf)
+			expected_eoc++;
+		else
+			p += plen;
+		len -= p - q;
+		}
+	if (expected_eoc)
+		{
+		ASN1err(ASN1_F_ASN1_FIND_END, ASN1_R_MISSING_EOC);
+		return 0;
+		}
+	*in = p;
+	return 1;
+	}
 /* This function collects the asn1 data from a constructred string
  * type into a buffer. The values of 'in' and 'len' should refer
  * to the contents of the constructed type and 'inf' should be set
- * if it is indefinite length. If 'buf' is NULL then we just want
- * to find the end of the current structure: useful for indefinite
- * length constructed stuff.
+ * if it is indefinite length.
  */
 
-static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass)
-{
-	unsigned char *p, *q;
+static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
+				char inf, int tag, int aclass)
+	{
+	const unsigned char *p, *q;
 	long plen;
 	char cst, ininf;
 	p = *in;
 	inf &= 1;
-	/* If no buffer and not indefinite length constructed just pass over the encoded data */
-	if(!buf && !inf) {
+	/* If no buffer and not indefinite length constructed just pass over
+	 * the encoded data */
+	if (!buf && !inf)
+		{
 		*in += len;
 		return 1;
-	}
-	while(len > 0) {
+		}
+	while(len > 0)
+		{
 		q = p;
 		/* Check for EOC */
-		if(asn1_check_eoc(&p, len)) {
-			/* EOC is illegal outside indefinite length constructed form */
-			if(!inf) {
-				ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_UNEXPECTED_EOC);
+		if (asn1_check_eoc(&p, len))
+			{
+			/* EOC is illegal outside indefinite length
+			 * constructed form */
+			if (!inf)
+				{
+				ASN1err(ASN1_F_ASN1_COLLECT,
+					ASN1_R_UNEXPECTED_EOC);
 				return 0;
-			}
+				}
 			inf = 0;
 			break;
-		}
-		if(!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, len, tag, aclass, 0, NULL)) {
+			}
+
+		if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p,
+					len, tag, aclass, 0, NULL))
+			{
 			ASN1err(ASN1_F_ASN1_COLLECT, ERR_R_NESTED_ASN1_ERROR);
 			return 0;
-		}
+			}
+
 		/* If indefinite length constructed update max length */
-		if(cst) {
-			if(!asn1_collect(buf, &p, plen, ininf, tag, aclass)) return 0;
-		} else {
-			if(!collect_data(buf, &p, plen)) return 0;
-		}
+		if (cst)
+			{
+#ifdef OPENSSL_ALLOW_NESTED_ASN1_STRINGS
+			if (!asn1_collect(buf, &p, plen, ininf, tag, aclass))
+				return 0;
+#else
+			ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING);
+			return 0;
+#endif
+			}
+		else if (plen && !collect_data(buf, &p, plen))
+			return 0;
 		len -= p - q;
-	}
-	if(inf) {
+		}
+	if (inf)
+		{
 		ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_MISSING_EOC);
 		return 0;
-	}
+		}
 	*in = p;
 	return 1;
-}
-
-static int collect_data(BUF_MEM *buf, unsigned char **p, long plen)
-{
-		int len;
-		if(buf) {
-			len = buf->length;
-			if(!BUF_MEM_grow_clean(buf, len + plen)) {
-				ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE);
-				return 0;
+	}
+
+static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen)
+	{
+	int len;
+	if (buf)
+		{
+		len = buf->length;
+		if (!BUF_MEM_grow_clean(buf, len + plen))
+			{
+			ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE);
+			return 0;
 			}
-			memcpy(buf->data + len, *p, plen);
+		memcpy(buf->data + len, *p, plen);
 		}
-		*p += plen;
-		return 1;
-}
+	*p += plen;
+	return 1;
+	}
 
 /* Check for ASN1 EOC and swallow it if found */
 
-static int asn1_check_eoc(unsigned char **in, long len)
-{
-	unsigned char *p;
-	if(len < 2) return 0;
+static int asn1_check_eoc(const unsigned char **in, long len)
+	{
+	const unsigned char *p;
+	if (len < 2) return 0;
 	p = *in;
-	if(!p[0] && !p[1]) {
+	if (!p[0] && !p[1])
+		{
 		*in += 2;
 		return 1;
-	}
+		}
 	return 0;
-}
+	}
 
 /* Check an ASN1 tag and length: a bit like ASN1_get_object
  * but it sets the length for indefinite length constructed
@@ -895,25 +1227,32 @@ static int asn1_check_eoc(unsigned char **in, long len)
  * header length just read.
  */
 
-static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst,
-		unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx)
-{
+static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
+				char *inf, char *cst,
+				const unsigned char **in, long len,
+				int exptag, int expclass, char opt,
+				ASN1_TLC *ctx)
+	{
 	int i;
 	int ptag, pclass;
 	long plen;
-	unsigned char *p, *q;
+	const unsigned char *p, *q;
 	p = *in;
 	q = p;
 
-	if(ctx && ctx->valid) {
+	if (ctx && ctx->valid)
+		{
 		i = ctx->ret;
 		plen = ctx->plen;
 		pclass = ctx->pclass;
 		ptag = ctx->ptag;
 		p += ctx->hdrlen;
-	} else {
+		}
+	else
+		{
 		i = ASN1_get_object(&p, &plen, &ptag, &pclass, len);
-		if(ctx) {
+		if (ctx)
+			{
 			ctx->ret = i;
 			ctx->plen = plen;
 			ctx->pclass = pclass;
@@ -923,43 +1262,57 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *i
 			/* If definite length, and no error, length +
 			 * header can't exceed total amount of data available. 
 			 */
-			if(!(i & 0x81) && ((plen + ctx->hdrlen) > len)) {
-				ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_TOO_LONG);
+			if (!(i & 0x81) && ((plen + ctx->hdrlen) > len))
+				{
+				ASN1err(ASN1_F_ASN1_CHECK_TLEN,
+							ASN1_R_TOO_LONG);
 				asn1_tlc_clear(ctx);
 				return 0;
+				}
 			}
 		}
-	}
 
-	if(i & 0x80) {
+	if (i & 0x80)
+		{
 		ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_BAD_OBJECT_HEADER);
 		asn1_tlc_clear(ctx);
 		return 0;
-	}
-	if(exptag >= 0) {
-		if((exptag != ptag) || (expclass != pclass)) {
-			/* If type is OPTIONAL, not an error, but indicate missing
-			 * type.
+		}
+	if (exptag >= 0)
+		{
+		if ((exptag != ptag) || (expclass != pclass))
+			{
+			/* If type is OPTIONAL, not an error:
+			 * indicate missing type.
 			 */
-			if(opt) return -1;
+			if (opt) return -1;
 			asn1_tlc_clear(ctx);
 			ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG);
 			return 0;
-		}
-		/* We have a tag and class match, so assume we are going to do something with it */
+			}
+		/* We have a tag and class match:
+		 * assume we are going to do something with it */
 		asn1_tlc_clear(ctx);
-	}
+		}
 
-	if(i & 1) plen = len - (p - q);
+	if (i & 1)
+		plen = len - (p - q);
 
-	if(inf) *inf = i & 1;
+	if (inf)
+		*inf = i & 1;
 
-	if(cst) *cst = i & V_ASN1_CONSTRUCTED;
+	if (cst)
+		*cst = i & V_ASN1_CONSTRUCTED;
 
-	if(olen) *olen = plen;
-	if(oclass) *oclass = pclass;
-	if(otag) *otag = ptag;
+	if (olen)
+		*olen = plen;
+
+	if (oclass)
+		*oclass = pclass;
+
+	if (otag)
+		*otag = ptag;
 
 	*in = p;
 	return 1;
-}
+	}
diff --git a/crypto/openssl/crypto/asn1/tasn_enc.c b/crypto/openssl/crypto/asn1/tasn_enc.c
index f6c8ddef0aad..25c94aa1d95a 100644
--- a/crypto/openssl/crypto/asn1/tasn_enc.c
+++ b/crypto/openssl/crypto/asn1/tasn_enc.c
@@ -3,7 +3,7 @@
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -59,88 +59,119 @@
 
 #include <stddef.h>
 #include <string.h>
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/objects.h>
 
-static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
-static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *seq, unsigned char **out, int skcontlen, const ASN1_ITEM *item, int isset);
+static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,
+					const ASN1_ITEM *it,
+					int tag, int aclass);
+static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out,
+					int skcontlen, const ASN1_ITEM *item,
+					int do_sort, int iclass);
+static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
+					const ASN1_TEMPLATE *tt,
+					int tag, int aclass);
+static int asn1_item_flags_i2d(ASN1_VALUE *val, unsigned char **out,
+					const ASN1_ITEM *it, int flags);
+
+/* Top level i2d equivalents: the 'ndef' variant instructs the encoder
+ * to use indefinite length constructed encoding, where appropriate
+ */
+
+int ASN1_item_ndef_i2d(ASN1_VALUE *val, unsigned char **out,
+						const ASN1_ITEM *it)
+	{
+	return asn1_item_flags_i2d(val, out, it, ASN1_TFLG_NDEF);
+	}
+
+int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it)
+	{
+	return asn1_item_flags_i2d(val, out, it, 0);
+	}
 
-/* Encode an ASN1 item, this is compatible with the
+/* Encode an ASN1 item, this is use by the
  * standard 'i2d' function. 'out' points to 
- * a buffer to output the data to, in future we will
- * have more advanced versions that can output data
- * a piece at a time and this will simply be a special
- * case.
+ * a buffer to output the data to.
  *
  * The new i2d has one additional feature. If the output
  * buffer is NULL (i.e. *out == NULL) then a buffer is
  * allocated and populated with the encoding.
  */
 
-
-int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it)
-{
-	if(out && !*out) {
+static int asn1_item_flags_i2d(ASN1_VALUE *val, unsigned char **out,
+					const ASN1_ITEM *it, int flags)
+	{
+	if (out && !*out)
+		{
 		unsigned char *p, *buf;
 		int len;
-		len = ASN1_item_ex_i2d(&val, NULL, it, -1, 0);
-		if(len <= 0) return len;
+		len = ASN1_item_ex_i2d(&val, NULL, it, -1, flags);
+		if (len <= 0)
+			return len;
 		buf = OPENSSL_malloc(len);
-		if(!buf) return -1;
+		if (!buf)
+			return -1;
 		p = buf;
-		ASN1_item_ex_i2d(&val, &p, it, -1, 0);
+		ASN1_item_ex_i2d(&val, &p, it, -1, flags);
 		*out = buf;
 		return len;
+		}
+
+	return ASN1_item_ex_i2d(&val, out, it, -1, flags);
 	}
-		
-	return ASN1_item_ex_i2d(&val, out, it, -1, 0);
-}
 
 /* Encode an item, taking care of IMPLICIT tagging (if any).
  * This function performs the normal item handling: it can be
  * used in external types.
  */
 
-int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass)
-{
+int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
+			const ASN1_ITEM *it, int tag, int aclass)
+	{
 	const ASN1_TEMPLATE *tt = NULL;
 	unsigned char *p = NULL;
-	int i, seqcontlen, seqlen;
-	ASN1_STRING *strtmp;
+	int i, seqcontlen, seqlen, ndef = 1;
 	const ASN1_COMPAT_FUNCS *cf;
 	const ASN1_EXTERN_FUNCS *ef;
 	const ASN1_AUX *aux = it->funcs;
-	ASN1_aux_cb *asn1_cb;
-	if((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) return 0;
-	if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
-	else asn1_cb = 0;
+	ASN1_aux_cb *asn1_cb = 0;
+
+	if ((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval)
+		return 0;
 
-	switch(it->itype) {
+	if (aux && aux->asn1_cb)
+		 asn1_cb = aux->asn1_cb;
+
+	switch(it->itype)
+		{
 
 		case ASN1_ITYPE_PRIMITIVE:
-		if(it->templates)
-			return ASN1_template_i2d(pval, out, it->templates);
+		if (it->templates)
+			return asn1_template_ex_i2d(pval, out, it->templates,
+								tag, aclass);
 		return asn1_i2d_ex_primitive(pval, out, it, tag, aclass);
 		break;
 
 		case ASN1_ITYPE_MSTRING:
-		strtmp = (ASN1_STRING *)*pval;
-		return asn1_i2d_ex_primitive(pval, out, it, -1, 0);
+		return asn1_i2d_ex_primitive(pval, out, it, -1, aclass);
 
 		case ASN1_ITYPE_CHOICE:
-		if(asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it))
+		if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it))
 				return 0;
 		i = asn1_get_choice_selector(pval, it);
-		if((i >= 0) && (i < it->tcount)) {
+		if ((i >= 0) && (i < it->tcount))
+			{
 			ASN1_VALUE **pchval;
 			const ASN1_TEMPLATE *chtt;
 			chtt = it->templates + i;
 			pchval = asn1_get_field_ptr(pval, chtt);
-			return ASN1_template_i2d(pchval, out, chtt);
-		} 
+			return asn1_template_ex_i2d(pchval, out, chtt,
+								-1, aclass);
+			}
 		/* Fixme: error condition if selector out of range */
-		if(asn1_cb && !asn1_cb(ASN1_OP_I2D_POST, pval, it))
+		if (asn1_cb && !asn1_cb(ASN1_OP_I2D_POST, pval, it))
 				return 0;
 		break;
 
@@ -152,136 +183,236 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it
 		case ASN1_ITYPE_COMPAT:
 		/* old style hackery... */
 		cf = it->funcs;
-		if(out) p = *out;
+		if (out)
+			p = *out;
 		i = cf->asn1_i2d(*pval, out);
 		/* Fixup for IMPLICIT tag: note this messes up for tags > 30,
 		 * but so did the old code. Tags > 30 are very rare anyway.
 		 */
-		if(out && (tag != -1))
+		if (out && (tag != -1))
 			*p = aclass | tag | (*p & V_ASN1_CONSTRUCTED);
 		return i;
 		
+		case ASN1_ITYPE_NDEF_SEQUENCE:
+		/* Use indefinite length constructed if requested */
+		if (aclass & ASN1_TFLG_NDEF) ndef = 2;
+		/* fall through */
+
 		case ASN1_ITYPE_SEQUENCE:
 		i = asn1_enc_restore(&seqcontlen, out, pval, it);
 		/* An error occurred */
-		if(i < 0) return 0;
+		if (i < 0)
+			return 0;
 		/* We have a valid cached encoding... */
-		if(i > 0) return seqcontlen;
+		if (i > 0)
+			return seqcontlen;
 		/* Otherwise carry on */
 		seqcontlen = 0;
 		/* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
-		if(tag == -1) {
+		if (tag == -1)
+			{
 			tag = V_ASN1_SEQUENCE;
-			aclass = V_ASN1_UNIVERSAL;
-		}
-		if(asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it))
+			/* Retain any other flags in aclass */
+			aclass = (aclass & ~ASN1_TFLG_TAG_CLASS)
+					| V_ASN1_UNIVERSAL;
+			}
+		if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it))
 				return 0;
 		/* First work out sequence content length */
-		for(i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
+		for (i = 0, tt = it->templates; i < it->tcount; tt++, i++)
+			{
 			const ASN1_TEMPLATE *seqtt;
 			ASN1_VALUE **pseqval;
 			seqtt = asn1_do_adb(pval, tt, 1);
-			if(!seqtt) return 0;
+			if (!seqtt)
+				return 0;
 			pseqval = asn1_get_field_ptr(pval, seqtt);
 			/* FIXME: check for errors in enhanced version */
-			/* FIXME: special handling of indefinite length encoding */
-			seqcontlen += ASN1_template_i2d(pseqval, NULL, seqtt);
-		}
-		seqlen = ASN1_object_size(1, seqcontlen, tag);
-		if(!out) return seqlen;
+			seqcontlen += asn1_template_ex_i2d(pseqval, NULL, seqtt,
+								-1, aclass);
+			}
+
+		seqlen = ASN1_object_size(ndef, seqcontlen, tag);
+		if (!out)
+			return seqlen;
 		/* Output SEQUENCE header */
-		ASN1_put_object(out, 1, seqcontlen, tag, aclass);
-		for(i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
+		ASN1_put_object(out, ndef, seqcontlen, tag, aclass);
+		for (i = 0, tt = it->templates; i < it->tcount; tt++, i++)
+			{
 			const ASN1_TEMPLATE *seqtt;
 			ASN1_VALUE **pseqval;
 			seqtt = asn1_do_adb(pval, tt, 1);
-			if(!seqtt) return 0;
+			if (!seqtt)
+				return 0;
 			pseqval = asn1_get_field_ptr(pval, seqtt);
 			/* FIXME: check for errors in enhanced version */
-			ASN1_template_i2d(pseqval, out, seqtt);
-		}
-		if(asn1_cb  && !asn1_cb(ASN1_OP_I2D_POST, pval, it))
+			asn1_template_ex_i2d(pseqval, out, seqtt, -1, aclass);
+			}
+		if (ndef == 2)
+			ASN1_put_eoc(out);
+		if (asn1_cb  && !asn1_cb(ASN1_OP_I2D_POST, pval, it))
 				return 0;
 		return seqlen;
 
 		default:
 		return 0;
-	}
+
+		}
 	return 0;
-}
+	}
 
-int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt)
-{
-	int i, ret, flags, aclass;
+int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out,
+							const ASN1_TEMPLATE *tt)
+	{
+	return asn1_template_ex_i2d(pval, out, tt, -1, 0);
+	}
+
+static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
+				const ASN1_TEMPLATE *tt, int tag, int iclass)
+	{
+	int i, ret, flags, ttag, tclass, ndef;
 	flags = tt->flags;
-	aclass = flags & ASN1_TFLG_TAG_CLASS;
-	if(flags & ASN1_TFLG_SK_MASK) {
+	/* Work out tag and class to use: tagging may come
+	 * either from the template or the arguments, not both
+	 * because this would create ambiguity. Additionally
+	 * the iclass argument may contain some additional flags
+	 * which should be noted and passed down to other levels.
+	 */
+	if (flags & ASN1_TFLG_TAG_MASK)
+		{
+		/* Error if argument and template tagging */
+		if (tag != -1)
+			/* FIXME: error code here */
+			return -1;
+		/* Get tagging from template */
+		ttag = tt->tag;
+		tclass = flags & ASN1_TFLG_TAG_CLASS;
+		}
+	else if (tag != -1)
+		{
+		/* No template tagging, get from arguments */
+		ttag = tag;
+		tclass = iclass & ASN1_TFLG_TAG_CLASS;
+		}
+	else
+		{
+		ttag = -1;
+		tclass = 0;
+		}
+	/* 
+	 * Remove any class mask from iflag.
+	 */
+	iclass &= ~ASN1_TFLG_TAG_CLASS;
+
+	/* At this point 'ttag' contains the outer tag to use,
+	 * 'tclass' is the class and iclass is any flags passed
+	 * to this function.
+	 */
+
+	/* if template and arguments require ndef, use it */
+	if ((flags & ASN1_TFLG_NDEF) && (iclass & ASN1_TFLG_NDEF))
+		ndef = 2;
+	else ndef = 1;
+
+	if (flags & ASN1_TFLG_SK_MASK)
+		{
 		/* SET OF, SEQUENCE OF */
 		STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval;
 		int isset, sktag, skaclass;
 		int skcontlen, sklen;
 		ASN1_VALUE *skitem;
-		if(!*pval) return 0;
-		if(flags & ASN1_TFLG_SET_OF) {
+
+		if (!*pval)
+			return 0;
+
+		if (flags & ASN1_TFLG_SET_OF)
+			{
 			isset = 1;
 			/* 2 means we reorder */
-			if(flags & ASN1_TFLG_SEQUENCE_OF) isset = 2;
-		} else isset = 0;
-		/* First work out inner tag value */
-		if(flags & ASN1_TFLG_IMPTAG) {
-			sktag = tt->tag;
-			skaclass = aclass;
-		} else {
+			if (flags & ASN1_TFLG_SEQUENCE_OF)
+				isset = 2;
+			}
+		else isset = 0;
+
+		/* Work out inner tag value: if EXPLICIT
+		 * or no tagging use underlying type.
+		 */
+		if ((ttag != -1) && !(flags & ASN1_TFLG_EXPTAG))
+			{
+			sktag = ttag;
+			skaclass = tclass;
+			}
+		else
+			{
 			skaclass = V_ASN1_UNIVERSAL;
-			if(isset) sktag = V_ASN1_SET;
+			if (isset)
+				sktag = V_ASN1_SET;
 			else sktag = V_ASN1_SEQUENCE;
-		}
-		/* Now work out length of items */
+			}
+
+		/* Determine total length of items */
 		skcontlen = 0;
-		for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+		for (i = 0; i < sk_ASN1_VALUE_num(sk); i++)
+			{
 			skitem = sk_ASN1_VALUE_value(sk, i);
-			skcontlen += ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), -1, 0);
-		}
-		sklen = ASN1_object_size(1, skcontlen, sktag);
+			skcontlen += ASN1_item_ex_i2d(&skitem, NULL,
+						ASN1_ITEM_ptr(tt->item),
+							-1, iclass);
+			}
+		sklen = ASN1_object_size(ndef, skcontlen, sktag);
 		/* If EXPLICIT need length of surrounding tag */
-		if(flags & ASN1_TFLG_EXPTAG)
-			ret = ASN1_object_size(1, sklen, tt->tag);
+		if (flags & ASN1_TFLG_EXPTAG)
+			ret = ASN1_object_size(ndef, sklen, ttag);
 		else ret = sklen;
 
-		if(!out) return ret;
+		if (!out)
+			return ret;
 
 		/* Now encode this lot... */
 		/* EXPLICIT tag */
-		if(flags & ASN1_TFLG_EXPTAG)
-			ASN1_put_object(out, 1, sklen, tt->tag, aclass);
+		if (flags & ASN1_TFLG_EXPTAG)
+			ASN1_put_object(out, ndef, sklen, ttag, tclass);
 		/* SET or SEQUENCE and IMPLICIT tag */
-		ASN1_put_object(out, 1, skcontlen, sktag, skaclass);
-		/* And finally the stuff itself */
-		asn1_set_seq_out(sk, out, skcontlen, ASN1_ITEM_ptr(tt->item), isset);
+		ASN1_put_object(out, ndef, skcontlen, sktag, skaclass);
+		/* And the stuff itself */
+		asn1_set_seq_out(sk, out, skcontlen, ASN1_ITEM_ptr(tt->item),
+								isset, iclass);
+		if (ndef == 2)
+			{
+			ASN1_put_eoc(out);
+			if (flags & ASN1_TFLG_EXPTAG)
+				ASN1_put_eoc(out);
+			}
 
 		return ret;
-	}
-			
-	if(flags & ASN1_TFLG_EXPTAG) {
+		}
+
+	if (flags & ASN1_TFLG_EXPTAG)
+		{
 		/* EXPLICIT tagging */
 		/* Find length of tagged item */
-		i = ASN1_item_ex_i2d(pval, NULL, ASN1_ITEM_ptr(tt->item), -1, 0);
-		if(!i) return 0;
+		i = ASN1_item_ex_i2d(pval, NULL, ASN1_ITEM_ptr(tt->item),
+								-1, iclass);
+		if (!i)
+			return 0;
 		/* Find length of EXPLICIT tag */
-		ret = ASN1_object_size(1, i, tt->tag);
-		if(out) {
+		ret = ASN1_object_size(ndef, i, ttag);
+		if (out)
+			{
 			/* Output tag and item */
-			ASN1_put_object(out, 1, i, tt->tag, aclass);
-			ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, 0);
-		}
+			ASN1_put_object(out, ndef, i, ttag, tclass);
+			ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item),
+								-1, iclass);
+			if (ndef == 2)
+				ASN1_put_eoc(out);
+			}
 		return ret;
-	}
-	if(flags & ASN1_TFLG_IMPTAG) {
-		/* IMPLICIT tagging */
-		return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), tt->tag, aclass);
-	}
-	/* Nothing special: treat as normal */
-	return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, 0);
+		}
+
+	/* Either normal or IMPLICIT tagging: combine class and flags */
+	return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item),
+						ttag, tclass | iclass);
+
 }
 
 /* Temporary structure used to hold DER encoding of items for SET OF */
@@ -293,72 +424,90 @@ typedef	struct {
 } DER_ENC;
 
 static int der_cmp(const void *a, const void *b)
-{
+	{
 	const DER_ENC *d1 = a, *d2 = b;
 	int cmplen, i;
 	cmplen = (d1->length < d2->length) ? d1->length : d2->length;
 	i = memcmp(d1->data, d2->data, cmplen);
-	if(i) return i;
+	if (i)
+		return i;
 	return d1->length - d2->length;
-}
+	}
 
 /* Output the content octets of SET OF or SEQUENCE OF */
 
-static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, int skcontlen, const ASN1_ITEM *item, int do_sort)
-{
+static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out,
+					int skcontlen, const ASN1_ITEM *item,
+					int do_sort, int iclass)
+	{
 	int i;
 	ASN1_VALUE *skitem;
 	unsigned char *tmpdat = NULL, *p = NULL;
 	DER_ENC *derlst = NULL, *tder;
-	if(do_sort) {
+	if (do_sort)
+		 {
 		/* Don't need to sort less than 2 items */
-		if(sk_ASN1_VALUE_num(sk) < 2) do_sort = 0;
-		else {
-			derlst = OPENSSL_malloc(sk_ASN1_VALUE_num(sk) * sizeof(*derlst));
+		if (sk_ASN1_VALUE_num(sk) < 2)
+			do_sort = 0;
+		else
+			{
+			derlst = OPENSSL_malloc(sk_ASN1_VALUE_num(sk)
+						* sizeof(*derlst));
 			tmpdat = OPENSSL_malloc(skcontlen);
-			if(!derlst || !tmpdat) return 0;
+			if (!derlst || !tmpdat)
+				return 0;
+			}
 		}
-	}
 	/* If not sorting just output each item */
-	if(!do_sort) {
-		for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+	if (!do_sort)
+		{
+		for (i = 0; i < sk_ASN1_VALUE_num(sk); i++)
+			{
 			skitem = sk_ASN1_VALUE_value(sk, i);
-			ASN1_item_i2d(skitem, out, item);
-		}
+			ASN1_item_ex_i2d(&skitem, out, item, -1, iclass);
+			}
 		return 1;
-	}
+		}
 	p = tmpdat;
+
 	/* Doing sort: build up a list of each member's DER encoding */
-	for(i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) {
+	for (i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++)
+		{
 		skitem = sk_ASN1_VALUE_value(sk, i);
 		tder->data = p;
-		tder->length = ASN1_item_i2d(skitem, &p, item);
+		tder->length = ASN1_item_ex_i2d(&skitem, &p, item, -1, iclass);
 		tder->field = skitem;
-	}
+		}
+
 	/* Now sort them */
 	qsort(derlst, sk_ASN1_VALUE_num(sk), sizeof(*derlst), der_cmp);
 	/* Output sorted DER encoding */	
 	p = *out;
-	for(i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) {
+	for (i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++)
+		{
 		memcpy(p, tder->data, tder->length);
 		p += tder->length;
-	}
+		}
 	*out = p;
 	/* If do_sort is 2 then reorder the STACK */
-	if(do_sort == 2) {
-		for(i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++)
+	if (do_sort == 2)
+		{
+		for (i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk);
+							i++, tder++)
 			sk_ASN1_VALUE_set(sk, i, tder->field);
-	}
+		}
 	OPENSSL_free(derlst);
 	OPENSSL_free(tmpdat);
 	return 1;
-}
+	}
 
-static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass)
-{
+static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,
+				const ASN1_ITEM *it, int tag, int aclass)
+	{
 	int len;
 	int utype;
 	int usetag;
+	int ndef = 0;
 
 	utype = it->utype;
 
@@ -374,33 +523,48 @@ static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const A
 	 * because the call to asn1_ex_i2c() could change
 	 * utype.
 	 */
-	if((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) ||
+	if ((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) ||
 	   (utype == V_ASN1_OTHER))
 		usetag = 0;
 	else usetag = 1;
 
 	/* -1 means omit type */
 
-	if(len == -1) return 0;
+	if (len == -1)
+		return 0;
+
+	/* -2 return is special meaning use ndef */
+	if (len == -2)
+		{
+		ndef = 2;
+		len = 0;
+		}
 
 	/* If not implicitly tagged get tag from underlying type */
-	if(tag == -1) tag = utype;
+	if (tag == -1) tag = utype;
 
 	/* Output tag+length followed by content octets */
-	if(out) {
-		if(usetag) ASN1_put_object(out, 0, len, tag, aclass);
+	if (out)
+		{
+		if (usetag)
+			ASN1_put_object(out, ndef, len, tag, aclass);
 		asn1_ex_i2c(pval, *out, &utype, it);
-		*out += len;
-	}
+		if (ndef)
+			ASN1_put_eoc(out);
+		else
+			*out += len;
+		}
 
-	if(usetag) return ASN1_object_size(0, len, tag);
+	if (usetag)
+		return ASN1_object_size(ndef, len, tag);
 	return len;
-}
+	}
 
 /* Produce content octets from a structure */
 
-int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_ITEM *it)
-{
+int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
+				const ASN1_ITEM *it)
+	{
 	ASN1_BOOLEAN *tbool = NULL;
 	ASN1_STRING *strtmp;
 	ASN1_OBJECT *otmp;
@@ -409,28 +573,36 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_
 	int len;
 	const ASN1_PRIMITIVE_FUNCS *pf;
 	pf = it->funcs;
-	if(pf && pf->prim_i2c) return pf->prim_i2c(pval, cout, putype, it);
+	if (pf && pf->prim_i2c)
+		return pf->prim_i2c(pval, cout, putype, it);
 
 	/* Should type be omitted? */
-	if((it->itype != ASN1_ITYPE_PRIMITIVE) || (it->utype != V_ASN1_BOOLEAN)) {
-		if(!*pval) return -1;
-	}
+	if ((it->itype != ASN1_ITYPE_PRIMITIVE)
+		|| (it->utype != V_ASN1_BOOLEAN))
+		{
+		if (!*pval) return -1;
+		}
 
-	if(it->itype == ASN1_ITYPE_MSTRING) {
+	if (it->itype == ASN1_ITYPE_MSTRING)
+		{
 		/* If MSTRING type set the underlying type */
 		strtmp = (ASN1_STRING *)*pval;
 		utype = strtmp->type;
 		*putype = utype;
-	} else if(it->utype == V_ASN1_ANY) {
+		}
+	else if (it->utype == V_ASN1_ANY)
+		{
 		/* If ANY set type and pointer to value */
 		ASN1_TYPE *typ;
 		typ = (ASN1_TYPE *)*pval;
 		utype = typ->type;
 		*putype = utype;
 		pval = (ASN1_VALUE **)&typ->value.ptr;
-	} else utype = *putype;
+		}
+	else utype = *putype;
 
-	switch(utype) {
+	switch(utype)
+		{
 		case V_ASN1_OBJECT:
 		otmp = (ASN1_OBJECT *)*pval;
 		cont = otmp->data;
@@ -444,17 +616,24 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_
 
 		case V_ASN1_BOOLEAN:
 		tbool = (ASN1_BOOLEAN *)pval;
-		if(*tbool == -1) return -1;
-		/* Default handling if value == size field then omit */
-		if(*tbool && (it->size > 0)) return -1;
-		if(!*tbool && !it->size) return -1;
+		if (*tbool == -1)
+			return -1;
+		if (it->utype != V_ASN1_ANY)
+			{
+			/* Default handling if value == size field then omit */
+			if (*tbool && (it->size > 0))
+				return -1;
+			if (!*tbool && !it->size)
+				return -1;
+			}
 		c = (unsigned char)*tbool;
 		cont = &c;
 		len = 1;
 		break;
 
 		case V_ASN1_BIT_STRING:
-		return i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval, cout ? &cout : NULL);
+		return i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval,
+							cout ? &cout : NULL);
 		break;
 
 		case V_ASN1_INTEGER:
@@ -464,7 +643,8 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_
 		/* These are all have the same content format
 		 * as ASN1_INTEGER
 		 */
-		return i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL);
+		return i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval,
+							cout ? &cout : NULL);
 		break;
 
 		case V_ASN1_OCTET_STRING:
@@ -486,12 +666,25 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_
 		default:
 		/* All based on ASN1_STRING and handled the same */
 		strtmp = (ASN1_STRING *)*pval;
+		/* Special handling for NDEF */
+		if ((it->size == ASN1_TFLG_NDEF)
+			&& (strtmp->flags & ASN1_STRING_FLAG_NDEF))
+			{
+			if (cout)
+				{
+				strtmp->data = cout;
+				strtmp->length = 0;
+				}
+			/* Special return code */
+			return -2;
+			}
 		cont = strtmp->data;
 		len = strtmp->length;
 
 		break;
 
-	}
-	if(cout && len) memcpy(cout, cont, len);
+		}
+	if (cout && len)
+		memcpy(cout, cont, len);
 	return len;
-}
+	}
diff --git a/crypto/openssl/crypto/asn1/tasn_fre.c b/crypto/openssl/crypto/asn1/tasn_fre.c
index 2dd844159ebe..b68b66a23b18 100644
--- a/crypto/openssl/crypto/asn1/tasn_fre.c
+++ b/crypto/openssl/crypto/asn1/tasn_fre.c
@@ -67,33 +67,40 @@ static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int c
 /* Free up an ASN1 structure */
 
 void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it)
-{
+	{
 	asn1_item_combine_free(&val, it, 0);
-}
+	}
 
 void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
+	{
 	asn1_item_combine_free(pval, it, 0);
-}
+	}
 
 static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
-{
+	{
 	const ASN1_TEMPLATE *tt = NULL, *seqtt;
 	const ASN1_EXTERN_FUNCS *ef;
 	const ASN1_COMPAT_FUNCS *cf;
 	const ASN1_AUX *aux = it->funcs;
 	ASN1_aux_cb *asn1_cb;
 	int i;
-	if(!pval) return;
-	if((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) return;
-	if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
-	else asn1_cb = 0;
+	if (!pval)
+		return;
+	if ((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval)
+		return;
+	if (aux && aux->asn1_cb)
+		asn1_cb = aux->asn1_cb;
+	else
+		asn1_cb = 0;
 
-	switch(it->itype) {
+	switch(it->itype)
+		{
 
 		case ASN1_ITYPE_PRIMITIVE:
-		if(it->templates) ASN1_template_free(pval, it->templates);
-		else ASN1_primitive_free(pval, it);
+		if (it->templates)
+			ASN1_template_free(pval, it->templates);
+		else
+			ASN1_primitive_free(pval, it);
 		break;
 
 		case ASN1_ITYPE_MSTRING:
@@ -101,41 +108,53 @@ static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int c
 		break;
 
 		case ASN1_ITYPE_CHOICE:
-		if(asn1_cb) {
+		if (asn1_cb)
+			{
 			i = asn1_cb(ASN1_OP_FREE_PRE, pval, it);
-			if(i == 2) return;
-		}
+			if (i == 2)
+				return;
+			}
 		i = asn1_get_choice_selector(pval, it);
-		if(asn1_cb) asn1_cb(ASN1_OP_FREE_PRE, pval, it);
-		if((i >= 0) && (i < it->tcount)) {
+		if (asn1_cb)
+			asn1_cb(ASN1_OP_FREE_PRE, pval, it);
+		if ((i >= 0) && (i < it->tcount))
+			{
 			ASN1_VALUE **pchval;
 			tt = it->templates + i;
 			pchval = asn1_get_field_ptr(pval, tt);
 			ASN1_template_free(pchval, tt);
-		}
-		if(asn1_cb) asn1_cb(ASN1_OP_FREE_POST, pval, it);
-		if(!combine) {
+			}
+		if (asn1_cb)
+			asn1_cb(ASN1_OP_FREE_POST, pval, it);
+		if (!combine)
+			{
 			OPENSSL_free(*pval);
 			*pval = NULL;
-		}
+			}
 		break;
 
 		case ASN1_ITYPE_COMPAT:
 		cf = it->funcs;
-		if(cf && cf->asn1_free) cf->asn1_free(*pval);
+		if (cf && cf->asn1_free)
+			cf->asn1_free(*pval);
 		break;
 
 		case ASN1_ITYPE_EXTERN:
 		ef = it->funcs;
-		if(ef && ef->asn1_ex_free) ef->asn1_ex_free(pval, it);
+		if (ef && ef->asn1_ex_free)
+			ef->asn1_ex_free(pval, it);
 		break;
 
+		case ASN1_ITYPE_NDEF_SEQUENCE:
 		case ASN1_ITYPE_SEQUENCE:
-		if(asn1_do_lock(pval, -1, it) > 0) return;
-		if(asn1_cb) {
+		if (asn1_do_lock(pval, -1, it) > 0)
+			return;
+		if (asn1_cb)
+			{
 			i = asn1_cb(ASN1_OP_FREE_PRE, pval, it);
-			if(i == 2) return;
-		}		
+			if (i == 2)
+				return;
+			}		
 		asn1_enc_free(pval, it);
 		/* If we free up as normal we will invalidate any
 		 * ANY DEFINED BY field and we wont be able to 
@@ -143,64 +162,84 @@ static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int c
 		 * free up in reverse order.
 		 */
 		tt = it->templates + it->tcount - 1;
-		for(i = 0; i < it->tcount; tt--, i++) {
+		for (i = 0; i < it->tcount; tt--, i++)
+			{
 			ASN1_VALUE **pseqval;
 			seqtt = asn1_do_adb(pval, tt, 0);
-			if(!seqtt) continue;
+			if (!seqtt)
+				continue;
 			pseqval = asn1_get_field_ptr(pval, seqtt);
 			ASN1_template_free(pseqval, seqtt);
-		}
-		if(asn1_cb) asn1_cb(ASN1_OP_FREE_POST, pval, it);
-		if(!combine) {
+			}
+		if (asn1_cb)
+			asn1_cb(ASN1_OP_FREE_POST, pval, it);
+		if (!combine)
+			{
 			OPENSSL_free(*pval);
 			*pval = NULL;
-		}
+			}
 		break;
+		}
 	}
-}
 
 void ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
-{
+	{
 	int i;
-	if(tt->flags & ASN1_TFLG_SK_MASK) {
+	if (tt->flags & ASN1_TFLG_SK_MASK)
+		{
 		STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval;
-		for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+		for (i = 0; i < sk_ASN1_VALUE_num(sk); i++)
+			{
 			ASN1_VALUE *vtmp;
 			vtmp = sk_ASN1_VALUE_value(sk, i);
-			asn1_item_combine_free(&vtmp, ASN1_ITEM_ptr(tt->item), 0);
-		}
+			asn1_item_combine_free(&vtmp, ASN1_ITEM_ptr(tt->item),
+									0);
+			}
 		sk_ASN1_VALUE_free(sk);
 		*pval = NULL;
-	} else asn1_item_combine_free(pval, ASN1_ITEM_ptr(tt->item),
+		}
+	else
+		asn1_item_combine_free(pval, ASN1_ITEM_ptr(tt->item),
 						tt->flags & ASN1_TFLG_COMBINE);
-}
+	}
 
 void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
+	{
 	int utype;
-	if(it) {
+	if (it)
+		{
 		const ASN1_PRIMITIVE_FUNCS *pf;
 		pf = it->funcs;
-		if(pf && pf->prim_free) {
+		if (pf && pf->prim_free)
+			{
 			pf->prim_free(pval, it);
 			return;
+			}
 		}
-	}
 	/* Special case: if 'it' is NULL free contents of ASN1_TYPE */
-	if(!it) {
+	if (!it)
+		{
 		ASN1_TYPE *typ = (ASN1_TYPE *)*pval;
 		utype = typ->type;
 		pval = (ASN1_VALUE **)&typ->value.ptr;
-		if(!*pval) return;
-	} else if(it->itype == ASN1_ITYPE_MSTRING) {
+		if (!*pval)
+			return;
+		}
+	else if (it->itype == ASN1_ITYPE_MSTRING)
+		{
 		utype = -1;
-		if(!*pval) return;
-	} else {
+		if (!*pval)
+			return;
+		}
+	else
+		{
 		utype = it->utype;
-		if((utype != V_ASN1_BOOLEAN) && !*pval) return;
-	}
+		if ((utype != V_ASN1_BOOLEAN) && !*pval)
+			return;
+		}
 
-	switch(utype) {
+	switch(utype)
+		{
 		case V_ASN1_OBJECT:
 		ASN1_OBJECT_free((ASN1_OBJECT *)*pval);
 		break;
@@ -224,6 +263,6 @@ void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
 		ASN1_STRING_free((ASN1_STRING *)*pval);
 		*pval = NULL;
 		break;
-	}
+		}
 	*pval = NULL;
-}
+	}
diff --git a/crypto/openssl/crypto/asn1/tasn_new.c b/crypto/openssl/crypto/asn1/tasn_new.c
index a0e3db574f2d..531dad365c0e 100644
--- a/crypto/openssl/crypto/asn1/tasn_new.c
+++ b/crypto/openssl/crypto/asn1/tasn_new.c
@@ -3,7 +3,7 @@
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,27 +64,30 @@
 #include <openssl/asn1t.h>
 #include <string.h>
 
-static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine);
+static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
+								int combine);
 static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
 static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
 void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
 
 ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it)
-{
+	{
 	ASN1_VALUE *ret = NULL;
-	if(ASN1_item_ex_new(&ret, it) > 0) return ret;
+	if (ASN1_item_ex_new(&ret, it) > 0)
+		return ret;
 	return NULL;
-}
+	}
 
 /* Allocate an ASN1 structure */
 
 int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
+	{
 	return asn1_item_ex_combine_new(pval, it, 0);
-}
+	}
 
-static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
-{
+static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
+								int combine)
+	{
 	const ASN1_TEMPLATE *tt = NULL;
 	const ASN1_COMPAT_FUNCS *cf;
 	const ASN1_EXTERN_FUNCS *ef;
@@ -92,133 +95,155 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int
 	ASN1_aux_cb *asn1_cb;
 	ASN1_VALUE **pseqval;
 	int i;
-	if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
-	else asn1_cb = 0;
+	if (aux && aux->asn1_cb)
+		asn1_cb = aux->asn1_cb;
+	else
+		asn1_cb = 0;
 
-	if(!combine) *pval = NULL;
+	if (!combine) *pval = NULL;
 
 #ifdef CRYPTO_MDEBUG
-	if(it->sname) CRYPTO_push_info(it->sname);
+	if (it->sname)
+		CRYPTO_push_info(it->sname);
 #endif
 
-	switch(it->itype) {
+	switch(it->itype)
+		{
 
 		case ASN1_ITYPE_EXTERN:
 		ef = it->funcs;
-		if(ef && ef->asn1_ex_new) {
-			if(!ef->asn1_ex_new(pval, it))
+		if (ef && ef->asn1_ex_new)
+			{
+			if (!ef->asn1_ex_new(pval, it))
 				goto memerr;
-		}
+			}
 		break;
 
 		case ASN1_ITYPE_COMPAT:
 		cf = it->funcs;
-		if(cf && cf->asn1_new) {
+		if (cf && cf->asn1_new) {
 			*pval = cf->asn1_new();
-			if(!*pval) goto memerr;
+			if (!*pval)
+				goto memerr;
 		}
 		break;
 
 		case ASN1_ITYPE_PRIMITIVE:
-		if(it->templates) {
-			if(!ASN1_template_new(pval, it->templates))
+		if (it->templates)
+			{
+			if (!ASN1_template_new(pval, it->templates))
 				goto memerr;
-		} else {
-			if(!ASN1_primitive_new(pval, it))
+			}
+		else if (!ASN1_primitive_new(pval, it))
 				goto memerr;
-		}
 		break;
 
 		case ASN1_ITYPE_MSTRING:
-		if(!ASN1_primitive_new(pval, it))
+		if (!ASN1_primitive_new(pval, it))
 				goto memerr;
 		break;
 
 		case ASN1_ITYPE_CHOICE:
-		if(asn1_cb) {
+		if (asn1_cb)
+			{
 			i = asn1_cb(ASN1_OP_NEW_PRE, pval, it);
-			if(!i) goto auxerr;
-			if(i==2) {
+			if (!i)
+				goto auxerr;
+			if (i==2)
+				{
 #ifdef CRYPTO_MDEBUG
-				if(it->sname) CRYPTO_pop_info();
+				if (it->sname)
+					CRYPTO_pop_info();
 #endif
 				return 1;
+				}
 			}
-		}
-		if(!combine) {
+		if (!combine)
+			{
 			*pval = OPENSSL_malloc(it->size);
-			if(!*pval) goto memerr;
+			if (!*pval)
+				goto memerr;
 			memset(*pval, 0, it->size);
-		}
+			}
 		asn1_set_choice_selector(pval, -1, it);
-		if(asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it))
+		if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it))
 				goto auxerr;
 		break;
 
+		case ASN1_ITYPE_NDEF_SEQUENCE:
 		case ASN1_ITYPE_SEQUENCE:
-		if(asn1_cb) {
+		if (asn1_cb)
+			{
 			i = asn1_cb(ASN1_OP_NEW_PRE, pval, it);
-			if(!i) goto auxerr;
-			if(i==2) {
+			if (!i)
+				goto auxerr;
+			if (i==2)
+				{
 #ifdef CRYPTO_MDEBUG
-				if(it->sname) CRYPTO_pop_info();
+				if (it->sname)
+					CRYPTO_pop_info();
 #endif
 				return 1;
+				}
 			}
-		}
-		if(!combine) {
+		if (!combine)
+			{
 			*pval = OPENSSL_malloc(it->size);
-			if(!*pval) goto memerr;
+			if (!*pval)
+				goto memerr;
 			memset(*pval, 0, it->size);
 			asn1_do_lock(pval, 0, it);
 			asn1_enc_init(pval, it);
-		}
-		for(i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
+			}
+		for (i = 0, tt = it->templates; i < it->tcount; tt++, i++)
+			{
 			pseqval = asn1_get_field_ptr(pval, tt);
-			if(!ASN1_template_new(pseqval, tt)) goto memerr;
-		}
-		if(asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it))
+			if (!ASN1_template_new(pseqval, tt))
+				goto memerr;
+			}
+		if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it))
 				goto auxerr;
 		break;
 	}
 #ifdef CRYPTO_MDEBUG
-	if(it->sname) CRYPTO_pop_info();
+	if (it->sname) CRYPTO_pop_info();
 #endif
 	return 1;
 
 	memerr:
-	ASN1err(ASN1_F_ASN1_ITEM_NEW, ERR_R_MALLOC_FAILURE);
+	ASN1err(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW, ERR_R_MALLOC_FAILURE);
 #ifdef CRYPTO_MDEBUG
-	if(it->sname) CRYPTO_pop_info();
+	if (it->sname) CRYPTO_pop_info();
 #endif
 	return 0;
 
 	auxerr:
-	ASN1err(ASN1_F_ASN1_ITEM_NEW, ASN1_R_AUX_ERROR);
+	ASN1err(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW, ASN1_R_AUX_ERROR);
 	ASN1_item_ex_free(pval, it);
 #ifdef CRYPTO_MDEBUG
-	if(it->sname) CRYPTO_pop_info();
+	if (it->sname) CRYPTO_pop_info();
 #endif
 	return 0;
 
-}
+	}
 
 static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
+	{
 	const ASN1_EXTERN_FUNCS *ef;
 
-	switch(it->itype) {
+	switch(it->itype)
+		{
 
 		case ASN1_ITYPE_EXTERN:
 		ef = it->funcs;
-		if(ef && ef->asn1_ex_clear) 
+		if (ef && ef->asn1_ex_clear) 
 			ef->asn1_ex_clear(pval, it);
 		else *pval = NULL;
 		break;
 
 
 		case ASN1_ITYPE_PRIMITIVE:
-		if(it->templates) 
+		if (it->templates) 
 			asn1_template_clear(pval, it->templates);
 		else
 			asn1_primitive_clear(pval, it);
@@ -231,75 +256,90 @@ static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it)
 		case ASN1_ITYPE_COMPAT:
 		case ASN1_ITYPE_CHOICE:
 		case ASN1_ITYPE_SEQUENCE:
+		case ASN1_ITYPE_NDEF_SEQUENCE:
 		*pval = NULL;
 		break;
+		}
 	}
-}
 
 
 int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
-{
+	{
 	const ASN1_ITEM *it = ASN1_ITEM_ptr(tt->item);
 	int ret;
-	if(tt->flags & ASN1_TFLG_OPTIONAL) {
+	if (tt->flags & ASN1_TFLG_OPTIONAL)
+		{
 		asn1_template_clear(pval, tt);
 		return 1;
-	}
+		}
 	/* If ANY DEFINED BY nothing to do */
 
-	if(tt->flags & ASN1_TFLG_ADB_MASK) {
+	if (tt->flags & ASN1_TFLG_ADB_MASK)
+		{
 		*pval = NULL;
 		return 1;
-	}
+		}
 #ifdef CRYPTO_MDEBUG
-	if(tt->field_name) CRYPTO_push_info(tt->field_name);
+	if (tt->field_name)
+		CRYPTO_push_info(tt->field_name);
 #endif
 	/* If SET OF or SEQUENCE OF, its a STACK */
-	if(tt->flags & ASN1_TFLG_SK_MASK) {
+	if (tt->flags & ASN1_TFLG_SK_MASK)
+		{
 		STACK_OF(ASN1_VALUE) *skval;
 		skval = sk_ASN1_VALUE_new_null();
-		if(!skval) {
+		if (!skval)
+			{
 			ASN1err(ASN1_F_ASN1_TEMPLATE_NEW, ERR_R_MALLOC_FAILURE);
 			ret = 0;
 			goto done;
-		}
+			}
 		*pval = (ASN1_VALUE *)skval;
 		ret = 1;
 		goto done;
-	}
+		}
 	/* Otherwise pass it back to the item routine */
 	ret = asn1_item_ex_combine_new(pval, it, tt->flags & ASN1_TFLG_COMBINE);
 	done:
 #ifdef CRYPTO_MDEBUG
-	if(it->sname) CRYPTO_pop_info();
+	if (it->sname)
+		CRYPTO_pop_info();
 #endif
 	return ret;
-}
+	}
 
 static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
-{
+	{
 	/* If ADB or STACK just NULL the field */
-	if(tt->flags & (ASN1_TFLG_ADB_MASK|ASN1_TFLG_SK_MASK)) 
+	if (tt->flags & (ASN1_TFLG_ADB_MASK|ASN1_TFLG_SK_MASK)) 
 		*pval = NULL;
 	else
 		asn1_item_clear(pval, ASN1_ITEM_ptr(tt->item));
-}
+	}
 
 
-/* NB: could probably combine most of the real XXX_new() behaviour and junk all the old
- * functions.
+/* NB: could probably combine most of the real XXX_new() behaviour and junk
+ * all the old functions.
  */
 
 int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
+	{
 	ASN1_TYPE *typ;
 	int utype;
-	const ASN1_PRIMITIVE_FUNCS *pf;
-	pf = it->funcs;
-	if(pf && pf->prim_new) return pf->prim_new(pval, it);
-	if(!it || (it->itype == ASN1_ITYPE_MSTRING)) utype = -1;
-	else utype = it->utype;
-	switch(utype) {
+
+	if (it && it->funcs)
+		{
+		const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
+		if (pf->prim_new)
+			return pf->prim_new(pval, it);
+		}
+
+	if (!it || (it->itype == ASN1_ITYPE_MSTRING))
+		utype = -1;
+	else
+		utype = it->utype;
+	switch(utype)
+		{
 		case V_ASN1_OBJECT:
 		*pval = (ASN1_VALUE *)OBJ_nid2obj(NID_undef);
 		return 1;
@@ -317,7 +357,8 @@ int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
 
 		case V_ASN1_ANY:
 		typ = OPENSSL_malloc(sizeof(ASN1_TYPE));
-		if(!typ) return 0;
+		if (!typ)
+			return 0;
 		typ->value.ptr = NULL;
 		typ->type = -1;
 		*pval = (ASN1_VALUE *)typ;
@@ -326,26 +367,29 @@ int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
 		default:
 		*pval = (ASN1_VALUE *)ASN1_STRING_type_new(utype);
 		break;
-	}
-	if(*pval) return 1;
+		}
+	if (*pval)
+		return 1;
 	return 0;
-}
+	}
 
 void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
+	{
 	int utype;
-	const ASN1_PRIMITIVE_FUNCS *pf;
-	pf = it->funcs;
-	if(pf) {
-		if(pf->prim_clear)
+	if (it && it->funcs)
+		{
+		const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
+		if (pf->prim_clear)
 			pf->prim_clear(pval, it);
 		else 
 			*pval = NULL;
 		return;
-	}
-	if(!it || (it->itype == ASN1_ITYPE_MSTRING)) utype = -1;
-	else utype = it->utype;
-	if(utype == V_ASN1_BOOLEAN)
+		}
+	if (!it || (it->itype == ASN1_ITYPE_MSTRING))
+		utype = -1;
+	else
+		utype = it->utype;
+	if (utype == V_ASN1_BOOLEAN)
 		*(ASN1_BOOLEAN *)pval = it->size;
 	else *pval = NULL;
-}
+	}
diff --git a/crypto/openssl/crypto/asn1/tasn_typ.c b/crypto/openssl/crypto/asn1/tasn_typ.c
index 804d2eeba273..6f17f1bec716 100644
--- a/crypto/openssl/crypto/asn1/tasn_typ.c
+++ b/crypto/openssl/crypto/asn1/tasn_typ.c
@@ -131,3 +131,7 @@ IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, DIRECTORYSTRING)
 IMPLEMENT_ASN1_TYPE_ex(ASN1_BOOLEAN, ASN1_BOOLEAN, -1)
 IMPLEMENT_ASN1_TYPE_ex(ASN1_TBOOLEAN, ASN1_BOOLEAN, 1)
 IMPLEMENT_ASN1_TYPE_ex(ASN1_FBOOLEAN, ASN1_BOOLEAN, 0)
+
+/* Special, OCTET STRING with indefinite length constructed support */
+
+IMPLEMENT_ASN1_TYPE_ex(ASN1_OCTET_STRING_NDEF, ASN1_OCTET_STRING, ASN1_TFLG_NDEF)
diff --git a/crypto/openssl/crypto/asn1/tasn_utl.c b/crypto/openssl/crypto/asn1/tasn_utl.c
index 8996ce8c13d2..34d520b180aa 100644
--- a/crypto/openssl/crypto/asn1/tasn_utl.c
+++ b/crypto/openssl/crypto/asn1/tasn_utl.c
@@ -3,7 +3,7 @@
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -74,23 +74,23 @@
  */
 
 int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
+	{
 	int *sel = offset2ptr(*pval, it->utype);
 	return *sel;
-}
+	}
 
 /* Given an ASN1_ITEM CHOICE type set
  * the selector value, return old value.
  */
 
 int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it)
-{	
+	{	
 	int *sel, ret;
 	sel = offset2ptr(*pval, it->utype);
 	ret = *sel;
 	*sel = value;
 	return ret;
-}
+	}
 
 /* Do reference counting. The value 'op' decides what to do. 
  * if it is +1 then the count is incremented. If op is 0 count is
@@ -99,114 +99,134 @@ int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it)
  */
 
 int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it)
-{
+	{
 	const ASN1_AUX *aux;
 	int *lck, ret;
-	if(it->itype != ASN1_ITYPE_SEQUENCE) return 0;
+	if ((it->itype != ASN1_ITYPE_SEQUENCE)
+	   && (it->itype != ASN1_ITYPE_NDEF_SEQUENCE))
+		return 0;
 	aux = it->funcs;
-	if(!aux || !(aux->flags & ASN1_AFLG_REFCOUNT)) return 0;
+	if (!aux || !(aux->flags & ASN1_AFLG_REFCOUNT))
+		return 0;
 	lck = offset2ptr(*pval, aux->ref_offset);
-	if(op == 0) {
+	if (op == 0)
+		{
 		*lck = 1;
 		return 1;
-	}
+		}
 	ret = CRYPTO_add(lck, op, aux->ref_lock);
 #ifdef REF_PRINT
 	fprintf(stderr, "%s: Reference Count: %d\n", it->sname, *lck);
 #endif
 #ifdef REF_CHECK
-	if(ret < 0) 
+	if (ret < 0) 
 		fprintf(stderr, "%s, bad reference count\n", it->sname);
 #endif
 	return ret;
-}
+	}
 
 static ASN1_ENCODING *asn1_get_enc_ptr(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
+	{
 	const ASN1_AUX *aux;
-	if(!pval || !*pval) return NULL;
+	if (!pval || !*pval)
+		return NULL;
 	aux = it->funcs;
-	if(!aux || !(aux->flags & ASN1_AFLG_ENCODING)) return NULL;
+	if (!aux || !(aux->flags & ASN1_AFLG_ENCODING))
+		return NULL;
 	return offset2ptr(*pval, aux->enc_offset);
-}
+	}
 
 void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
+	{
 	ASN1_ENCODING *enc;
 	enc = asn1_get_enc_ptr(pval, it);
-	if(enc) {
+	if (enc)
+		{
 		enc->enc = NULL;
 		enc->len = 0;
 		enc->modified = 1;
+		}
 	}
-}
 
 void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
+	{
 	ASN1_ENCODING *enc;
 	enc = asn1_get_enc_ptr(pval, it);
-	if(enc) {
-		if(enc->enc) OPENSSL_free(enc->enc);
+	if (enc)
+		{
+		if (enc->enc)
+			OPENSSL_free(enc->enc);
 		enc->enc = NULL;
 		enc->len = 0;
 		enc->modified = 1;
+		}
 	}
-}
 
-int asn1_enc_save(ASN1_VALUE **pval, unsigned char *in, int inlen, const ASN1_ITEM *it)
-{
+int asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen,
+							 const ASN1_ITEM *it)
+	{
 	ASN1_ENCODING *enc;
 	enc = asn1_get_enc_ptr(pval, it);
-	if(!enc) return 1;
+	if (!enc)
+		return 1;
 
-	if(enc->enc) OPENSSL_free(enc->enc);
+	if (enc->enc)
+		OPENSSL_free(enc->enc);
 	enc->enc = OPENSSL_malloc(inlen);
-	if(!enc->enc) return 0;
+	if (!enc->enc)
+		return 0;
 	memcpy(enc->enc, in, inlen);
 	enc->len = inlen;
 	enc->modified = 0;
 
 	return 1;
-}
+	}
 		
-int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
+int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval,
+							const ASN1_ITEM *it)
+	{
 	ASN1_ENCODING *enc;
 	enc = asn1_get_enc_ptr(pval, it);
-	if(!enc || enc->modified) return 0;
-	if(out) {
+	if (!enc || enc->modified)
+		return 0;
+	if (out)
+		{
 		memcpy(*out, enc->enc, enc->len);
 		*out += enc->len;
-	}
-	if(len) *len = enc->len;
+		}
+	if (len)
+		*len = enc->len;
 	return 1;
-}
+	}
 
 /* Given an ASN1_TEMPLATE get a pointer to a field */
 ASN1_VALUE ** asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
-{
+	{
 	ASN1_VALUE **pvaltmp;
-	if(tt->flags & ASN1_TFLG_COMBINE) return pval;
+	if (tt->flags & ASN1_TFLG_COMBINE)
+		return pval;
 	pvaltmp = offset2ptr(*pval, tt->offset);
 	/* NOTE for BOOLEAN types the field is just a plain
  	 * int so we can't return int **, so settle for
 	 * (int *).
 	 */
 	return pvaltmp;
-}
+	}
 
 /* Handle ANY DEFINED BY template, find the selector, look up
  * the relevant ASN1_TEMPLATE in the table and return it.
  */
 
-const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int nullerr)
-{
+const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt,
+								int nullerr)
+	{
 	const ASN1_ADB *adb;
 	const ASN1_ADB_TABLE *atbl;
 	long selector;
 	ASN1_VALUE **sfld;
 	int i;
-	if(!(tt->flags & ASN1_TFLG_ADB_MASK)) return tt;
+	if (!(tt->flags & ASN1_TFLG_ADB_MASK))
+		return tt;
 
 	/* Else ANY DEFINED BY ... get the table */
 	adb = ASN1_ADB_ptr(tt->item);
@@ -215,16 +235,18 @@ const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int
 	sfld = offset2ptr(*pval, adb->offset);
 
 	/* Check if NULL */
-	if(!sfld) {
-		if(!adb->null_tt) goto err;
+	if (!sfld)
+		{
+		if (!adb->null_tt)
+			goto err;
 		return adb->null_tt;
-	}
+		}
 
 	/* Convert type to a long:
 	 * NB: don't check for NID_undef here because it
 	 * might be a legitimate value in the table
 	 */
-	if(tt->flags & ASN1_TFLG_ADB_OID) 
+	if (tt->flags & ASN1_TFLG_ADB_OID) 
 		selector = OBJ_obj2nid((ASN1_OBJECT *)*sfld);
 	else 
 		selector = ASN1_INTEGER_get((ASN1_INTEGER *)*sfld);
@@ -237,17 +259,21 @@ const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int
 	 * linear search.
 	 */
 
-	for(atbl = adb->tbl, i = 0; i < adb->tblcount; i++, atbl++)
-		if(atbl->value == selector) return &atbl->tt;
+	for (atbl = adb->tbl, i = 0; i < adb->tblcount; i++, atbl++)
+		if (atbl->value == selector)
+			return &atbl->tt;
 
 	/* FIXME: need to search application table too */
 
 	/* No match, return default type */
-	if(!adb->default_tt) goto err;		
+	if (!adb->default_tt)
+		goto err;		
 	return adb->default_tt;
 	
 	err:
 	/* FIXME: should log the value or OID of unsupported type */
-	if(nullerr) ASN1err(ASN1_F_ASN1_DO_ADB, ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE);
+	if (nullerr)
+		ASN1err(ASN1_F_ASN1_DO_ADB,
+			ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE);
 	return NULL;
-}
+	}
diff --git a/crypto/openssl/crypto/asn1/x_bignum.c b/crypto/openssl/crypto/asn1/x_bignum.c
index 848c7a08779c..869c05d931de 100644
--- a/crypto/openssl/crypto/asn1/x_bignum.c
+++ b/crypto/openssl/crypto/asn1/x_bignum.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/asn1t.h>
+#include <openssl/bn.h>
 
 /* Custom primitive type for BIGNUM handling. This reads in an ASN1_INTEGER as a
  * BIGNUM directly. Currently it ignores the sign which isn't a problem since all
@@ -72,7 +73,7 @@ static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
 static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
 
 static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
-static int bn_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
 
 static ASN1_PRIMITIVE_FUNCS bignum_pf = {
 	NULL, 0,
@@ -122,7 +123,8 @@ static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN
 	return pad + BN_num_bytes(bn);
 }
 
-static int bn_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
+static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
+		  int utype, char *free_cont, const ASN1_ITEM *it)
 {
 	BIGNUM *bn;
 	if(!*pval) bn_new(pval, it);
diff --git a/crypto/openssl/crypto/asn1/x_crl.c b/crypto/openssl/crypto/asn1/x_crl.c
index e4d19183cabc..b99f8fc522c1 100644
--- a/crypto/openssl/crypto/asn1/x_crl.c
+++ b/crypto/openssl/crypto/asn1/x_crl.c
@@ -130,6 +130,7 @@ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
 		ASN1err(ASN1_F_X509_CRL_ADD0_REVOKED, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}
+	inf->enc.modified = 1;
 	return 1;
 }
 
diff --git a/crypto/openssl/crypto/asn1/x_long.c b/crypto/openssl/crypto/asn1/x_long.c
index c5f25956cb28..0db233cb95f6 100644
--- a/crypto/openssl/crypto/asn1/x_long.c
+++ b/crypto/openssl/crypto/asn1/x_long.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/asn1t.h>
+#include <openssl/bn.h>
 
 /* Custom primitive type for long handling. This converts between an ASN1_INTEGER
  * and a long directly.
@@ -69,7 +70,7 @@ static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
 static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
 
 static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
-static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
 
 static ASN1_PRIMITIVE_FUNCS long_pf = {
 	NULL, 0,
@@ -136,13 +137,14 @@ static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const A
 	return clen + pad;
 }
 
-static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
+static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
+		    int utype, char *free_cont, const ASN1_ITEM *it)
 {
 	int neg, i;
 	long ltmp;
 	unsigned long utmp = 0;
 	char *cp = (char *)pval;
-	if(len > sizeof(long)) {
+	if(len > (int)sizeof(long)) {
 		ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
 		return 0;
 	}
diff --git a/crypto/openssl/crypto/asn1/x_name.c b/crypto/openssl/crypto/asn1/x_name.c
index caece0f1585c..681e5d110fad 100644
--- a/crypto/openssl/crypto/asn1/x_name.c
+++ b/crypto/openssl/crypto/asn1/x_name.c
@@ -61,7 +61,7 @@
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 
-static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_ITEM *it,
+static int x509_name_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_ITEM *it,
 					int tag, int aclass, char opt, ASN1_TLC *ctx);
 
 static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
@@ -123,7 +123,7 @@ static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it)
 	return 1;
 
  memerr:
-	ASN1err(ASN1_F_X509_NAME_NEW, ERR_R_MALLOC_FAILURE);
+	ASN1err(ASN1_F_X509_NAME_EX_NEW, ERR_R_MALLOC_FAILURE);
 	if (ret)
 		{
 		if (ret->entries)
@@ -156,25 +156,26 @@ static void sk_internal_free(void *a)
 	sk_free(a);
 }
 
-static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_ITEM *it,
+static int x509_name_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_ITEM *it,
 					int tag, int aclass, char opt, ASN1_TLC *ctx)
 {
-	unsigned char *p = *in, *q;
-	STACK *intname = NULL;
+	const unsigned char *p = *in, *q;
+	STACK *intname = NULL, **intname_pp = &intname;
 	int i, j, ret;
-	X509_NAME *nm = NULL;
+	X509_NAME *nm = NULL, **nm_pp = &nm;
 	STACK_OF(X509_NAME_ENTRY) *entries;
 	X509_NAME_ENTRY *entry;
 	q = p;
 
 	/* Get internal representation of Name */
-	ret = ASN1_item_ex_d2i((ASN1_VALUE **)&intname, &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
-								tag, aclass, opt, ctx);
+	ret = ASN1_item_ex_d2i((ASN1_VALUE **)intname_pp,
+			       &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
+			       tag, aclass, opt, ctx);
 	
 	if(ret <= 0) return ret;
 
 	if(*val) x509_name_ex_free(val, NULL);
-	if(!x509_name_ex_new((ASN1_VALUE **)&nm, NULL)) goto err;
+	if(!x509_name_ex_new((ASN1_VALUE **)nm_pp, NULL)) goto err;
 	/* We've decoded it: now cache encoding */
 	if(!BUF_MEM_grow(nm->bytes, p - q)) goto err;
 	memcpy(nm->bytes->data, q, p - q);
@@ -196,7 +197,7 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, cons
 	*in = p;
 	return ret;
 	err:
-	ASN1err(ASN1_F_D2I_X509_NAME, ERR_R_NESTED_ASN1_ERROR);
+	ASN1err(ASN1_F_X509_NAME_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
 	return 0;
 }
 
@@ -218,7 +219,7 @@ static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_IT
 
 static int x509_name_encode(X509_NAME *a)
 {
-	STACK *intname = NULL;
+	STACK *intname = NULL, **intname_pp = &intname;
 	int len;
 	unsigned char *p;
 	STACK_OF(X509_NAME_ENTRY) *entries = NULL;
@@ -236,16 +237,18 @@ static int x509_name_encode(X509_NAME *a)
 		}
 		if(!sk_X509_NAME_ENTRY_push(entries, entry)) goto memerr;
 	}
-	len = ASN1_item_ex_i2d((ASN1_VALUE **)&intname, NULL, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
+	len = ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp, NULL,
+			       ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
 	if (!BUF_MEM_grow(a->bytes,len)) goto memerr;
 	p=(unsigned char *)a->bytes->data;
-	ASN1_item_ex_i2d((ASN1_VALUE **)&intname, &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
+	ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp,
+			 &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
 	sk_pop_free(intname, sk_internal_free);
 	a->modified = 0;
 	return len;
 	memerr:
 	sk_pop_free(intname, sk_internal_free);
-	ASN1err(ASN1_F_D2I_X509_NAME, ERR_R_MALLOC_FAILURE);
+	ASN1err(ASN1_F_X509_NAME_ENCODE, ERR_R_MALLOC_FAILURE);
 	return -1;
 }
 
diff --git a/crypto/openssl/crypto/asn1/x_pkey.c b/crypto/openssl/crypto/asn1/x_pkey.c
index f1c6221ac3f1..8453618426fb 100644
--- a/crypto/openssl/crypto/asn1/x_pkey.c
+++ b/crypto/openssl/crypto/asn1/x_pkey.c
@@ -69,15 +69,15 @@ int i2d_X509_PKEY(X509_PKEY *a, unsigned char **pp)
 	return(0);
 	}
 
-X509_PKEY *d2i_X509_PKEY(X509_PKEY **a, unsigned char **pp, long length)
+X509_PKEY *d2i_X509_PKEY(X509_PKEY **a, const unsigned char **pp, long length)
 	{
 	int i;
 	M_ASN1_D2I_vars(a,X509_PKEY *,X509_PKEY_new);
 
 	M_ASN1_D2I_Init();
 	M_ASN1_D2I_start_sequence();
-	M_ASN1_D2I_get(ret->enc_algor,d2i_X509_ALGOR);
-	M_ASN1_D2I_get(ret->enc_pkey,d2i_ASN1_OCTET_STRING);
+	M_ASN1_D2I_get_x(X509_ALGOR,ret->enc_algor,d2i_X509_ALGOR);
+	M_ASN1_D2I_get_x(ASN1_OCTET_STRING,ret->enc_pkey,d2i_ASN1_OCTET_STRING);
 
 	ret->cipher.cipher=EVP_get_cipherbyname(
 		OBJ_nid2ln(OBJ_obj2nid(ret->enc_algor->algorithm)));
diff --git a/crypto/openssl/crypto/asn1/x_pubkey.c b/crypto/openssl/crypto/asn1/x_pubkey.c
index d9585401206d..91c275611611 100644
--- a/crypto/openssl/crypto/asn1/x_pubkey.c
+++ b/crypto/openssl/crypto/asn1/x_pubkey.c
@@ -60,16 +60,23 @@
 #include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 
 /* Minor tweak to operation: free up EVP_PKEY */
 static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
-	if(operation == ASN1_OP_FREE_POST) {
+	{
+	if (operation == ASN1_OP_FREE_POST)
+		{
 		X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
 		EVP_PKEY_free(pubkey->pkey);
-	}
+		}
 	return 1;
-}
+	}
 
 ASN1_SEQUENCE_cb(X509_PUBKEY, pubkey_cb) = {
 	ASN1_SIMPLE(X509_PUBKEY, algor, X509_ALGOR),
@@ -80,8 +87,7 @@ IMPLEMENT_ASN1_FUNCTIONS(X509_PUBKEY)
 
 int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 	{
-	int ok=0;
-	X509_PUBKEY *pk;
+	X509_PUBKEY *pk=NULL;
 	X509_ALGOR *a;
 	ASN1_OBJECT *o;
 	unsigned char *s,*p = NULL;
@@ -104,32 +110,111 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 			(a->parameter->type != V_ASN1_NULL))
 			{
 			ASN1_TYPE_free(a->parameter);
-			a->parameter=ASN1_TYPE_new();
+			if (!(a->parameter=ASN1_TYPE_new()))
+				{
+				X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
 			a->parameter->type=V_ASN1_NULL;
 			}
 		}
-	else
 #ifndef OPENSSL_NO_DSA
-		if (pkey->type == EVP_PKEY_DSA)
+	else if (pkey->type == EVP_PKEY_DSA)
 		{
 		unsigned char *pp;
 		DSA *dsa;
-
+		
 		dsa=pkey->pkey.dsa;
 		dsa->write_params=0;
 		ASN1_TYPE_free(a->parameter);
-		i=i2d_DSAparams(dsa,NULL);
-		if ((p=(unsigned char *)OPENSSL_malloc(i)) == NULL) goto err;
+		if ((i=i2d_DSAparams(dsa,NULL)) <= 0)
+			goto err;
+		if (!(p=(unsigned char *)OPENSSL_malloc(i)))
+			{
+			X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
 		pp=p;
 		i2d_DSAparams(dsa,&pp);
-		a->parameter=ASN1_TYPE_new();
+		if (!(a->parameter=ASN1_TYPE_new()))
+			{
+			OPENSSL_free(p);
+			X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
 		a->parameter->type=V_ASN1_SEQUENCE;
-		a->parameter->value.sequence=ASN1_STRING_new();
-		ASN1_STRING_set(a->parameter->value.sequence,p,i);
+		if (!(a->parameter->value.sequence=ASN1_STRING_new()))
+			{
+			OPENSSL_free(p);
+			X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		if (!ASN1_STRING_set(a->parameter->value.sequence,p,i))
+			{
+			OPENSSL_free(p);
+			X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
 		OPENSSL_free(p);
 		}
-	else
 #endif
+#ifndef OPENSSL_NO_EC
+	else if (pkey->type == EVP_PKEY_EC)
+		{
+		int nid=0;
+		unsigned char *pp;
+		EC_KEY *ec_key;
+		const EC_GROUP *group;
+		
+		ec_key = pkey->pkey.ec;
+		ASN1_TYPE_free(a->parameter);
+
+		if ((a->parameter = ASN1_TYPE_new()) == NULL)
+			{
+			X509err(X509_F_X509_PUBKEY_SET, ERR_R_ASN1_LIB);
+			goto err;
+			}
+
+		group = EC_KEY_get0_group(ec_key);
+		if (EC_GROUP_get_asn1_flag(group)
+                     && (nid = EC_GROUP_get_curve_name(group)))
+			{
+			/* just set the OID */
+			a->parameter->type = V_ASN1_OBJECT;
+			a->parameter->value.object = OBJ_nid2obj(nid);
+			}
+		else /* explicit parameters */
+			{
+			if ((i = i2d_ECParameters(ec_key, NULL)) == 0)
+				{
+				X509err(X509_F_X509_PUBKEY_SET, ERR_R_EC_LIB);
+				goto err;
+				}
+			if ((p = (unsigned char *) OPENSSL_malloc(i)) == NULL)
+				{
+				X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
+				goto err;
+				}	
+			pp = p;
+			if (!i2d_ECParameters(ec_key, &pp))
+				{
+				X509err(X509_F_X509_PUBKEY_SET, ERR_R_EC_LIB);
+				OPENSSL_free(p);
+				goto err;
+				}
+			a->parameter->type = V_ASN1_SEQUENCE;
+			if ((a->parameter->value.sequence = ASN1_STRING_new()) == NULL)
+				{
+				X509err(X509_F_X509_PUBKEY_SET, ERR_R_ASN1_LIB);
+				OPENSSL_free(p);
+				goto err;
+				}
+			ASN1_STRING_set(a->parameter->value.sequence, p, i);
+			OPENSSL_free(p);
+			}
+		}
+#endif
+	else if (1)
 		{
 		X509err(X509_F_X509_PUBKEY_SET,X509_R_UNSUPPORTED_ALGORITHM);
 		goto err;
@@ -143,8 +228,12 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 		}
 	p=s;
 	i2d_PublicKey(pkey,&p);
-	if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err;
-	/* Set number of unused bits to zero */
+	if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i))
+		{
+		X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+  	/* Set number of unused bits to zero */
 	pk->public_key->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
 	pk->public_key->flags|=ASN1_STRING_FLAG_BITS_LEFT;
 
@@ -159,12 +248,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 		X509_PUBKEY_free(*x);
 
 	*x=pk;
-	pk=NULL;
 
-	ok=1;
+	return 1;
 err:
 	if (pk != NULL) X509_PUBKEY_free(pk);
-	return(ok);
+	return 0;
 	}
 
 EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
@@ -172,8 +260,8 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 	EVP_PKEY *ret=NULL;
 	long j;
 	int type;
-	unsigned char *p;
-#ifndef OPENSSL_NO_DSA
+	const unsigned char *p;
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
 	const unsigned char *cp;
 	X509_ALGOR *a;
 #endif
@@ -181,40 +269,106 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 	if (key == NULL) goto err;
 
 	if (key->pkey != NULL)
-	    {
-	    CRYPTO_add(&key->pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
-	    return(key->pkey);
-	    }
+		{
+		CRYPTO_add(&key->pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+		return(key->pkey);
+		}
 
 	if (key->public_key == NULL) goto err;
 
 	type=OBJ_obj2nid(key->algor->algorithm);
-	p=key->public_key->data;
-        j=key->public_key->length;
-        if ((ret=d2i_PublicKey(type,NULL,&p,(long)j)) == NULL)
+	if ((ret = EVP_PKEY_new()) == NULL)
 		{
-		X509err(X509_F_X509_PUBKEY_GET,X509_R_ERR_ASN1_LIB);
+		X509err(X509_F_X509_PUBKEY_GET, ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
-	ret->save_parameters=0;
+	ret->type = EVP_PKEY_type(type);
 
-#ifndef OPENSSL_NO_DSA
+	/* the parameters must be extracted before the public key (ECDSA!) */
+	
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
 	a=key->algor;
-	if (ret->type == EVP_PKEY_DSA)
+#endif
+
+	if (0)
+		;
+#ifndef OPENSSL_NO_DSA
+	else if (ret->type == EVP_PKEY_DSA)
 		{
 		if (a->parameter && (a->parameter->type == V_ASN1_SEQUENCE))
 			{
+			if ((ret->pkey.dsa = DSA_new()) == NULL)
+				{
+				X509err(X509_F_X509_PUBKEY_GET, ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
 			ret->pkey.dsa->write_params=0;
 			cp=p=a->parameter->value.sequence->data;
 			j=a->parameter->value.sequence->length;
-			if (!d2i_DSAparams(&ret->pkey.dsa,&cp,(long)j))
+			if (!d2i_DSAparams(&ret->pkey.dsa, &cp, (long)j))
 				goto err;
 			}
 		ret->save_parameters=1;
 		}
 #endif
-	key->pkey=ret;
-	CRYPTO_add(&ret->references,1,CRYPTO_LOCK_EVP_PKEY);
+#ifndef OPENSSL_NO_EC
+	else if (ret->type == EVP_PKEY_EC)
+		{
+		if (a->parameter && (a->parameter->type == V_ASN1_SEQUENCE))
+			{
+			/* type == V_ASN1_SEQUENCE => we have explicit parameters
+                         * (e.g. parameters in the X9_62_EC_PARAMETERS-structure )
+			 */
+			if ((ret->pkey.ec= EC_KEY_new()) == NULL)
+				{
+				X509err(X509_F_X509_PUBKEY_GET, 
+					ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+			cp = p = a->parameter->value.sequence->data;
+			j = a->parameter->value.sequence->length;
+			if (!d2i_ECParameters(&ret->pkey.ec, &cp, (long)j))
+				{
+				X509err(X509_F_X509_PUBKEY_GET, ERR_R_EC_LIB);
+				goto err;
+				}
+			}
+		else if (a->parameter && (a->parameter->type == V_ASN1_OBJECT))
+			{
+			/* type == V_ASN1_OBJECT => the parameters are given
+			 * by an asn1 OID
+			 */
+			EC_KEY   *ec_key;
+			EC_GROUP *group;
+
+			if (ret->pkey.ec == NULL)
+				ret->pkey.ec = EC_KEY_new();
+			ec_key = ret->pkey.ec;
+			if (ec_key == NULL)
+				goto err;
+			group = EC_GROUP_new_by_curve_name(OBJ_obj2nid(a->parameter->value.object));
+			if (group == NULL)
+				goto err;
+			EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
+			if (EC_KEY_set_group(ec_key, group) == 0)
+				goto err;
+			EC_GROUP_free(group);
+			}
+			/* the case implicitlyCA is currently not implemented */
+		ret->save_parameters = 1;
+		}
+#endif
+
+	p=key->public_key->data;
+        j=key->public_key->length;
+        if (!d2i_PublicKey(type, &ret, &p, (long)j))
+		{
+		X509err(X509_F_X509_PUBKEY_GET, X509_R_ERR_ASN1_LIB);
+		goto err;
+		}
+
+	key->pkey = ret;
+	CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);
 	return(ret);
 err:
 	if (ret != NULL)
@@ -226,9 +380,9 @@ err:
  * and encode or decode as X509_PUBKEY
  */
 
-EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, unsigned char **pp,
+EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, const unsigned char **pp,
 	     long length)
-{
+	{
 	X509_PUBKEY *xpk;
 	EVP_PKEY *pktmp;
 	xpk = d2i_X509_PUBKEY(NULL, pp, length);
@@ -236,15 +390,16 @@ EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, unsigned char **pp,
 	pktmp = X509_PUBKEY_get(xpk);
 	X509_PUBKEY_free(xpk);
 	if(!pktmp) return NULL;
-	if(a) {
+	if(a)
+		{
 		EVP_PKEY_free(*a);
 		*a = pktmp;
-	}
+		}
 	return pktmp;
-}
+	}
 
 int i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp)
-{
+	{
 	X509_PUBKEY *xpk=NULL;
 	int ret;
 	if(!a) return 0;
@@ -252,83 +407,125 @@ int i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp)
 	ret = i2d_X509_PUBKEY(xpk, pp);
 	X509_PUBKEY_free(xpk);
 	return ret;
-}
+	}
 
 /* The following are equivalents but which return RSA and DSA
  * keys
  */
 #ifndef OPENSSL_NO_RSA
-RSA *d2i_RSA_PUBKEY(RSA **a, unsigned char **pp,
+RSA *d2i_RSA_PUBKEY(RSA **a, const unsigned char **pp,
 	     long length)
-{
+	{
 	EVP_PKEY *pkey;
 	RSA *key;
-	unsigned char *q;
+	const unsigned char *q;
 	q = *pp;
 	pkey = d2i_PUBKEY(NULL, &q, length);
-	if(!pkey) return NULL;
+	if (!pkey) return NULL;
 	key = EVP_PKEY_get1_RSA(pkey);
 	EVP_PKEY_free(pkey);
-	if(!key) return NULL;
+	if (!key) return NULL;
 	*pp = q;
-	if(a) {
+	if (a)
+		{
 		RSA_free(*a);
 		*a = key;
-	}
+		}
 	return key;
-}
+	}
 
 int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp)
-{
+	{
 	EVP_PKEY *pktmp;
 	int ret;
-	if(!a) return 0;
+	if (!a) return 0;
 	pktmp = EVP_PKEY_new();
-	if(!pktmp) {
+	if (!pktmp)
+		{
 		ASN1err(ASN1_F_I2D_RSA_PUBKEY, ERR_R_MALLOC_FAILURE);
 		return 0;
-	}
+		}
 	EVP_PKEY_set1_RSA(pktmp, a);
 	ret = i2d_PUBKEY(pktmp, pp);
 	EVP_PKEY_free(pktmp);
 	return ret;
-}
+	}
 #endif
 
 #ifndef OPENSSL_NO_DSA
-DSA *d2i_DSA_PUBKEY(DSA **a, unsigned char **pp,
+DSA *d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp,
 	     long length)
-{
+	{
 	EVP_PKEY *pkey;
 	DSA *key;
-	unsigned char *q;
+	const unsigned char *q;
 	q = *pp;
 	pkey = d2i_PUBKEY(NULL, &q, length);
-	if(!pkey) return NULL;
+	if (!pkey) return NULL;
 	key = EVP_PKEY_get1_DSA(pkey);
 	EVP_PKEY_free(pkey);
-	if(!key) return NULL;
+	if (!key) return NULL;
 	*pp = q;
-	if(a) {
+	if (a)
+		{
 		DSA_free(*a);
 		*a = key;
-	}
+		}
 	return key;
-}
+	}
 
 int i2d_DSA_PUBKEY(DSA *a, unsigned char **pp)
-{
+	{
 	EVP_PKEY *pktmp;
 	int ret;
 	if(!a) return 0;
 	pktmp = EVP_PKEY_new();
-	if(!pktmp) {
+	if(!pktmp)
+		{
 		ASN1err(ASN1_F_I2D_DSA_PUBKEY, ERR_R_MALLOC_FAILURE);
 		return 0;
-	}
+		}
 	EVP_PKEY_set1_DSA(pktmp, a);
 	ret = i2d_PUBKEY(pktmp, pp);
 	EVP_PKEY_free(pktmp);
 	return ret;
-}
+	}
+#endif
+
+#ifndef OPENSSL_NO_EC
+EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length)
+	{
+	EVP_PKEY *pkey;
+	EC_KEY *key;
+	const unsigned char *q;
+	q = *pp;
+	pkey = d2i_PUBKEY(NULL, &q, length);
+	if (!pkey) return(NULL);
+	key = EVP_PKEY_get1_EC_KEY(pkey);
+	EVP_PKEY_free(pkey);
+	if (!key)  return(NULL);
+	*pp = q;
+	if (a)
+		{
+		EC_KEY_free(*a);
+		*a = key;
+		}
+	return(key);
+	}
+
+int i2d_EC_PUBKEY(EC_KEY *a, unsigned char **pp)
+	{
+	EVP_PKEY *pktmp;
+	int ret;
+	if (!a)	return(0);
+	if ((pktmp = EVP_PKEY_new()) == NULL)
+		{
+		ASN1err(ASN1_F_I2D_EC_PUBKEY, ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
+	EVP_PKEY_set1_EC_KEY(pktmp, a);
+	ret = i2d_PUBKEY(pktmp, pp);
+	EVP_PKEY_free(pktmp);
+	return(ret);
+	}
 #endif
diff --git a/crypto/openssl/crypto/asn1/x_x509.c b/crypto/openssl/crypto/asn1/x_x509.c
index b50167ce433b..12d1a2565968 100644
--- a/crypto/openssl/crypto/asn1/x_x509.c
+++ b/crypto/openssl/crypto/asn1/x_x509.c
@@ -79,6 +79,8 @@ ASN1_SEQUENCE(X509_CINF) = {
 IMPLEMENT_ASN1_FUNCTIONS(X509_CINF)
 /* X509 top level structure needs a bit of customisation */
 
+extern void policy_cache_free(X509_POLICY_CACHE *cache);
+
 static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
 	X509 *ret = (X509 *)*pval;
@@ -106,6 +108,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 		X509_CERT_AUX_free(ret->aux);
 		ASN1_OCTET_STRING_free(ret->skid);
 		AUTHORITY_KEYID_free(ret->akid);
+		policy_cache_free(ret->policy_cache);
 
 		if (ret->name != NULL) OPENSSL_free(ret->name);
 		break;
@@ -125,11 +128,13 @@ ASN1_SEQUENCE_ref(X509, x509_cb, CRYPTO_LOCK_X509) = {
 IMPLEMENT_ASN1_FUNCTIONS(X509)
 IMPLEMENT_ASN1_DUP_FUNCTION(X509)
 
-static ASN1_METHOD meth={
-	(int (*)())  i2d_X509,
-	(char *(*)())d2i_X509,
-	(char *(*)())X509_new,
-	(void (*)()) X509_free};
+static ASN1_METHOD meth=
+    {
+    (I2D_OF(void))  i2d_X509,
+    (D2I_OF(void)) d2i_X509,
+    (void *(*)(void))X509_new,
+    (void (*)(void *)) X509_free
+    };
 
 ASN1_METHOD *X509_asn1_meth(void)
 	{
@@ -161,9 +166,9 @@ void *X509_get_ex_data(X509 *r, int idx)
  *
  */
 
-X509 *d2i_X509_AUX(X509 **a, unsigned char **pp, long length)
+X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
 {
-	unsigned char *q;
+	const unsigned char *q;
 	X509 *ret;
 	/* Save start position */
 	q = *pp;
diff --git a/crypto/openssl/crypto/asn1/x_x509a.c b/crypto/openssl/crypto/asn1/x_x509a.c
index f244768b7e1d..13db5fd03fda 100644
--- a/crypto/openssl/crypto/asn1/x_x509a.c
+++ b/crypto/openssl/crypto/asn1/x_x509a.c
@@ -91,6 +91,14 @@ static X509_CERT_AUX *aux_get(X509 *x)
 int X509_alias_set1(X509 *x, unsigned char *name, int len)
 {
 	X509_CERT_AUX *aux;
+	if (!name)
+		{
+		if (!x || !x->aux || !x->aux->alias)
+			return 1;
+		ASN1_UTF8STRING_free(x->aux->alias);
+		x->aux->alias = NULL;
+		return 1;
+		}
 	if(!(aux = aux_get(x))) return 0;
 	if(!aux->alias && !(aux->alias = ASN1_UTF8STRING_new())) return 0;
 	return ASN1_STRING_set(aux->alias, name, len);
@@ -99,6 +107,14 @@ int X509_alias_set1(X509 *x, unsigned char *name, int len)
 int X509_keyid_set1(X509 *x, unsigned char *id, int len)
 {
 	X509_CERT_AUX *aux;
+	if (!id)
+		{
+		if (!x || !x->aux || !x->aux->keyid)
+			return 1;
+		ASN1_OCTET_STRING_free(x->aux->keyid);
+		x->aux->keyid = NULL;
+		return 1;
+		}
 	if(!(aux = aux_get(x))) return 0;
 	if(!aux->keyid && !(aux->keyid = ASN1_OCTET_STRING_new())) return 0;
 	return ASN1_STRING_set(aux->keyid, id, len);
@@ -111,6 +127,13 @@ unsigned char *X509_alias_get0(X509 *x, int *len)
 	return x->aux->alias->data;
 }
 
+unsigned char *X509_keyid_get0(X509 *x, int *len)
+{
+	if(!x->aux || !x->aux->keyid) return NULL;
+	if(len) *len = x->aux->keyid->length;
+	return x->aux->keyid->data;
+}
+
 int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj)
 {
 	X509_CERT_AUX *aux;
@@ -149,3 +172,9 @@ void X509_reject_clear(X509 *x)
 	}
 }
 
+ASN1_SEQUENCE(X509_CERT_PAIR) = {
+	ASN1_EXP_OPT(X509_CERT_PAIR, forward, X509, 0),
+	ASN1_EXP_OPT(X509_CERT_PAIR, reverse, X509, 1)
+} ASN1_SEQUENCE_END(X509_CERT_PAIR)
+
+IMPLEMENT_ASN1_FUNCTIONS(X509_CERT_PAIR)
diff --git a/crypto/openssl/crypto/bf/Makefile b/crypto/openssl/crypto/bf/Makefile
index 0a2a4439dcf9..8441954a8d95 100644
--- a/crypto/openssl/crypto/bf/Makefile
+++ b/crypto/openssl/crypto/bf/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/blowfish/Makefile
+# OpenSSL/crypto/blowfish/Makefile
 #
 
 DIR=	bf
@@ -8,11 +8,6 @@ CC=	cc
 CPP=	$(CC) -E
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -22,6 +17,7 @@ BF_ENC=		bf_enc.o
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 ASFLAGS= $(INCLUDES) $(ASFLAG)
+AFLAGS= $(ASFLAGS)
 
 GENERAL=Makefile
 TEST=bftest.c
@@ -48,20 +44,15 @@ lib:	$(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
 
-# elf
-asm/bx86-elf.s: asm/bf-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
-	(cd asm; $(PERL) bf-586.pl elf $(CFLAGS) $(PROCESSOR) > bx86-elf.s)
-
+# ELF
+bx86-elf.s: asm/bf-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) bf-586.pl elf $(CFLAGS) $(PROCESSOR) > ../$@)
+# COFF
+bx86-cof.s: asm/bf-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) bf-586.pl coff $(CFLAGS) $(PROCESSOR) > ../$@)
 # a.out
-asm/bx86-out.o: asm/bx86unix.cpp
-	$(CPP) -DOUT asm/bx86unix.cpp | as -o asm/bx86-out.o
-
-# bsdi
-asm/bx86bsdi.o: asm/bx86unix.cpp
-	$(CPP) -DBSDI asm/bx86unix.cpp | sed 's/ :/:/' | as -o asm/bx86bsdi.o
-
-asm/bx86unix.cpp: asm/bf-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
-	(cd asm; $(PERL) bf-586.pl cpp $(PROCESSOR) >bx86unix.cpp)
+bx86-out.s: asm/bf-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) bf-586.pl a.out $(CFLAGS) $(PROCESSOR) > ../$@)
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -71,10 +62,12 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
-install: installs
-
-installs:
-	@for i in $(EXHEADER) ; \
+# We need to use force because 'install' matches 'INSTALL' on case
+# insensitive systems
+FRC.install:
+install: FRC.install
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -89,6 +82,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -96,7 +90,7 @@ dclean:
 	mv -f Makefile.new $(MAKEFILE)
 
 clean:
-	rm -f asm/bx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/crypto/openssl/crypto/bf/bf_enc.c b/crypto/openssl/crypto/bf/bf_enc.c
index b380acf95940..2d21d09f425f 100644
--- a/crypto/openssl/crypto/bf/bf_enc.c
+++ b/crypto/openssl/crypto/bf/bf_enc.c
@@ -73,7 +73,7 @@ void BF_encrypt(BF_LONG *data, const BF_KEY *key)
 	{
 #ifndef BF_PTR2
 	register BF_LONG l,r;
-    const register BF_LONG *p,*s;
+	register const BF_LONG *p,*s;
 
 	p=key->P;
 	s= &(key->S[0]);
@@ -150,7 +150,7 @@ void BF_decrypt(BF_LONG *data, const BF_KEY *key)
 	{
 #ifndef BF_PTR2
 	register BF_LONG l,r;
-    const register BF_LONG *p,*s;
+	register const BF_LONG *p,*s;
 
 	p=key->P;
 	s= &(key->S[0]);
diff --git a/crypto/openssl/crypto/bf/bf_opts.c b/crypto/openssl/crypto/bf/bf_opts.c
index 171dada2cabb..1721bb99b4ad 100644
--- a/crypto/openssl/crypto/bf/bf_opts.c
+++ b/crypto/openssl/crypto/bf/bf_opts.c
@@ -69,7 +69,10 @@
 #include OPENSSL_UNISTD_IO
 OPENSSL_DECLARE_EXIT
 
+#ifndef OPENSSL_SYS_NETWARE
 #include <signal.h>
+#endif
+
 #ifndef _IRIX
 #include <time.h>
 #endif
diff --git a/crypto/openssl/crypto/bf/bfspeed.c b/crypto/openssl/crypto/bf/bfspeed.c
index f346af64f308..c41ef3b4035b 100644
--- a/crypto/openssl/crypto/bf/bfspeed.c
+++ b/crypto/openssl/crypto/bf/bfspeed.c
@@ -69,7 +69,10 @@
 #include OPENSSL_UNISTD_IO
 OPENSSL_DECLARE_EXIT
 
+#ifndef OPENSSL_SYS_NETWARE
 #include <signal.h>
+#endif
+
 #ifndef _IRIX
 #include <time.h>
 #endif
diff --git a/crypto/openssl/crypto/bf/bftest.c b/crypto/openssl/crypto/bf/bftest.c
index 24d526b14bdb..97e6634d37f0 100644
--- a/crypto/openssl/crypto/bf/bftest.c
+++ b/crypto/openssl/crypto/bf/bftest.c
@@ -62,6 +62,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_BF is defined */
 
 #include "../e_os.h"
 
@@ -277,6 +278,9 @@ int main(int argc, char *argv[])
 	else
 		ret=test();
 
+#ifdef OPENSSL_SYS_NETWARE
+    if (ret) printf("ERROR: %d\n", ret);
+#endif
 	EXIT(ret);
 	return(0);
 	}
diff --git a/crypto/openssl/crypto/bio/Makefile b/crypto/openssl/crypto/bio/Makefile
index 7da953202d10..1ef6c2fb9fdb 100644
--- a/crypto/openssl/crypto/bio/Makefile
+++ b/crypto/openssl/crypto/bio/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/bio/Makefile
+# OpenSSL/crypto/bio/Makefile
 #
 
 DIR=	bio
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -26,19 +21,21 @@ LIBSRC= bio_lib.c bio_cb.c bio_err.c \
 	bss_mem.c bss_null.c bss_fd.c \
 	bss_file.c bss_sock.c bss_conn.c \
 	bf_null.c bf_buff.c b_print.c b_dump.c \
-	b_sock.c bss_acpt.c bf_nbio.c bss_log.c bss_bio.c
+	b_sock.c bss_acpt.c bf_nbio.c bss_log.c bss_bio.c \
+	bss_dgram.c
 #	bf_lbuf.c
 LIBOBJ= bio_lib.o bio_cb.o bio_err.o \
 	bss_mem.o bss_null.o bss_fd.o \
 	bss_file.o bss_sock.o bss_conn.o \
 	bf_null.o bf_buff.o b_print.o b_dump.o \
-	b_sock.o bss_acpt.o bf_nbio.o bss_log.o bss_bio.o
+	b_sock.o bss_acpt.o bf_nbio.o bss_log.o bss_bio.o \
+	bss_dgram.o
 #	bf_lbuf.o
 
 SRC= $(LIBSRC)
 
 EXHEADER= bio.h
-HEADER=	bss_file.c $(EXHEADER)
+HEADER=	bio_lcl.h $(EXHEADER)
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
 
@@ -61,7 +58,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER); \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -76,6 +74,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -91,30 +90,30 @@ b_dump.o: ../../e_os.h ../../include/openssl/bio.h
 b_dump.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 b_dump.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 b_dump.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-b_dump.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-b_dump.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-b_dump.o: ../cryptlib.h b_dump.c
+b_dump.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+b_dump.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+b_dump.o: ../../include/openssl/symhacks.h ../cryptlib.h b_dump.c bio_lcl.h
 b_print.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 b_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 b_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 b_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-b_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-b_print.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-b_print.o: ../cryptlib.h b_print.c
+b_print.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+b_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+b_print.o: ../../include/openssl/symhacks.h ../cryptlib.h b_print.c
 b_sock.o: ../../e_os.h ../../include/openssl/bio.h
 b_sock.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 b_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 b_sock.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-b_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-b_sock.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-b_sock.o: ../cryptlib.h b_sock.c
+b_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+b_sock.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+b_sock.o: ../../include/openssl/symhacks.h ../cryptlib.h b_sock.c
 bf_buff.o: ../../e_os.h ../../include/openssl/bio.h
 bf_buff.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bf_buff.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bf_buff.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bf_buff.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bf_buff.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bf_buff.o: ../cryptlib.h bf_buff.c
+bf_buff.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bf_buff.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bf_buff.o: ../../include/openssl/symhacks.h ../cryptlib.h bf_buff.c
 bf_nbio.o: ../../e_os.h ../../include/openssl/bio.h
 bf_nbio.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bf_nbio.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -127,88 +126,96 @@ bf_null.o: ../../e_os.h ../../include/openssl/bio.h
 bf_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bf_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bf_null.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bf_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bf_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bf_null.o: ../cryptlib.h bf_null.c
+bf_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bf_null.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bf_null.o: ../../include/openssl/symhacks.h ../cryptlib.h bf_null.c
 bio_cb.o: ../../e_os.h ../../include/openssl/bio.h
 bio_cb.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bio_cb.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bio_cb.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bio_cb.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bio_cb.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bio_cb.o: ../cryptlib.h bio_cb.c
+bio_cb.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bio_cb.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_cb.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_cb.c
 bio_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 bio_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bio_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bio_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bio_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bio_err.o: bio_err.c
+bio_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bio_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_err.o: ../../include/openssl/symhacks.h bio_err.c
 bio_lib.o: ../../e_os.h ../../include/openssl/bio.h
 bio_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bio_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bio_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bio_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bio_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bio_lib.o: ../cryptlib.h bio_lib.c
+bio_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bio_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_lib.c
 bss_acpt.o: ../../e_os.h ../../include/openssl/bio.h
 bss_acpt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_acpt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_acpt.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bss_acpt.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bss_acpt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_acpt.o: ../cryptlib.h bss_acpt.c
+bss_acpt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bss_acpt.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_acpt.o: ../../include/openssl/symhacks.h ../cryptlib.h bss_acpt.c
 bss_bio.o: ../../e_os.h ../../include/openssl/bio.h
 bss_bio.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 bss_bio.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 bss_bio.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bss_bio.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bss_bio.o: ../../include/openssl/symhacks.h bss_bio.c
+bss_bio.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+bss_bio.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bss_bio.o: bss_bio.c
 bss_conn.o: ../../e_os.h ../../include/openssl/bio.h
 bss_conn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_conn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_conn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bss_conn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bss_conn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_conn.o: ../cryptlib.h bss_conn.c
+bss_conn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bss_conn.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_conn.o: ../../include/openssl/symhacks.h ../cryptlib.h bss_conn.c
+bss_dgram.o: ../../e_os.h ../../include/openssl/bio.h
+bss_dgram.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bss_dgram.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bss_dgram.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bss_dgram.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bss_dgram.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_dgram.o: ../../include/openssl/symhacks.h ../cryptlib.h bss_dgram.c
 bss_fd.o: ../../e_os.h ../../include/openssl/bio.h
 bss_fd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_fd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_fd.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bss_fd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bss_fd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_fd.o: ../cryptlib.h bss_fd.c
+bss_fd.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bss_fd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_fd.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_lcl.h bss_fd.c
 bss_file.o: ../../e_os.h ../../include/openssl/bio.h
 bss_file.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_file.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_file.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bss_file.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bss_file.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_file.o: ../cryptlib.h bss_file.c
+bss_file.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bss_file.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_file.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_lcl.h bss_file.c
 bss_log.o: ../../e_os.h ../../include/openssl/bio.h
 bss_log.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_log.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_log.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bss_log.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bss_log.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_log.o: ../cryptlib.h bss_log.c
+bss_log.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bss_log.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_log.o: ../../include/openssl/symhacks.h ../cryptlib.h bss_log.c
 bss_mem.o: ../../e_os.h ../../include/openssl/bio.h
 bss_mem.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_mem.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_mem.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bss_mem.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bss_mem.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_mem.o: ../cryptlib.h bss_mem.c
+bss_mem.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bss_mem.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_mem.o: ../../include/openssl/symhacks.h ../cryptlib.h bss_mem.c
 bss_null.o: ../../e_os.h ../../include/openssl/bio.h
 bss_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_null.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bss_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bss_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_null.o: ../cryptlib.h bss_null.c
+bss_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bss_null.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_null.o: ../../include/openssl/symhacks.h ../cryptlib.h bss_null.c
 bss_sock.o: ../../e_os.h ../../include/openssl/bio.h
 bss_sock.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_sock.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bss_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bss_sock.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_sock.o: ../cryptlib.h bss_sock.c
+bss_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bss_sock.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_sock.o: ../../include/openssl/symhacks.h ../cryptlib.h bss_sock.c
diff --git a/crypto/openssl/crypto/bio/b_dump.c b/crypto/openssl/crypto/bio/b_dump.c
index f671e722fa39..c80ecc429532 100644
--- a/crypto/openssl/crypto/bio/b_dump.c
+++ b/crypto/openssl/crypto/bio/b_dump.c
@@ -62,30 +62,32 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/bio.h>
+#include "bio_lcl.h"
 
 #define TRUNCATE
 #define DUMP_WIDTH	16
 #define DUMP_WIDTH_LESS_INDENT(i) (DUMP_WIDTH-((i-(i>6?6:i)+3)/4))
 
-int BIO_dump(BIO *bio, const char *s, int len)
+int BIO_dump_cb(int (*cb)(const void *data, size_t len, void *u),
+	void *u, const char *s, int len)
 	{
-	return BIO_dump_indent(bio, s, len, 0);
+	return BIO_dump_indent_cb(cb, u, s, len, 0);
 	}
 
-int BIO_dump_indent(BIO *bio, const char *s, int len, int indent)
+int BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u),
+	void *u, const char *s, int len, int indent)
 	{
 	int ret=0;
 	char buf[288+1],tmp[20],str[128+1];
-	int i,j,rows,trunc;
+	int i,j,rows,trc;
 	unsigned char ch;
 	int dump_width;
-	
-	trunc=0;
-	
+
+	trc=0;
+
 #ifdef TRUNCATE
-	for(; (len > 0) && ((s[len-1] == ' ') || (s[len-1] == '\0')); len--) 
-		trunc++;
+	for(; (len > 0) && ((s[len-1] == ' ') || (s[len-1] == '\0')); len--)
+		trc++;
 #endif
 
 	if (indent < 0)
@@ -96,7 +98,7 @@ int BIO_dump_indent(BIO *bio, const char *s, int len, int indent)
 		memset(str,' ',indent);
 		}
 	str[indent]='\0';
-	
+
 	dump_width=DUMP_WIDTH_LESS_INDENT(indent);
 	rows=(len/dump_width);
 	if ((rows*dump_width)<len)
@@ -117,7 +119,7 @@ int BIO_dump_indent(BIO *bio, const char *s, int len, int indent)
 				{
 				ch=((unsigned char)*(s+i*dump_width+j)) & 0xff;
 				BIO_snprintf(tmp,sizeof tmp,"%02x%c",ch,
-					 j==7?'-':' ');
+					j==7?'-':' ');
 				BUF_strlcat(buf,tmp,sizeof buf);
 				}
 			}
@@ -129,28 +131,57 @@ int BIO_dump_indent(BIO *bio, const char *s, int len, int indent)
 			ch=((unsigned char)*(s+i*dump_width+j)) & 0xff;
 #ifndef CHARSET_EBCDIC
 			BIO_snprintf(tmp,sizeof tmp,"%c",
-				 ((ch>=' ')&&(ch<='~'))?ch:'.');
+				((ch>=' ')&&(ch<='~'))?ch:'.');
 #else
 			BIO_snprintf(tmp,sizeof tmp,"%c",
-				 ((ch>=os_toascii[' '])&&(ch<=os_toascii['~']))
-				 ? os_toebcdic[ch]
-				 : '.');
+				((ch>=os_toascii[' '])&&(ch<=os_toascii['~']))
+				? os_toebcdic[ch]
+				: '.');
 #endif
 			BUF_strlcat(buf,tmp,sizeof buf);
 			}
 		BUF_strlcat(buf,"\n",sizeof buf);
-		/* if this is the last call then update the ddt_dump thing so that
-		 * we will move the selection point in the debug window 
+		/* if this is the last call then update the ddt_dump thing so
+		 * that we will move the selection point in the debug window
 		 */
-		ret+=BIO_write(bio,(char *)buf,strlen(buf));
+		ret+=cb((void *)buf,strlen(buf),u);
 		}
 #ifdef TRUNCATE
-	if (trunc > 0)
+	if (trc > 0)
 		{
 		BIO_snprintf(buf,sizeof buf,"%s%04x - <SPACES/NULS>\n",str,
-			 len+trunc);
-		ret+=BIO_write(bio,(char *)buf,strlen(buf));
+			len+trc);
+		ret+=cb((void *)buf,strlen(buf),u);
 		}
 #endif
 	return(ret);
 	}
+
+#ifndef OPENSSL_NO_FP_API
+static int write_fp(const void *data, size_t len, void *fp)
+	{
+	return UP_fwrite(data, len, 1, fp);
+	}
+int BIO_dump_fp(FILE *fp, const char *s, int len)
+	{
+	return BIO_dump_cb(write_fp, fp, s, len);
+	}
+int BIO_dump_indent_fp(FILE *fp, const char *s, int len, int indent)
+	{
+	return BIO_dump_indent_cb(write_fp, fp, s, len, indent);
+	}
+#endif
+
+static int write_bio(const void *data, size_t len, void *bp)
+	{
+	return BIO_write((BIO *)bp, (const char *)data, len);
+	}
+int BIO_dump(BIO *bp, const char *s, int len)
+	{
+	return BIO_dump_cb(write_bio, bp, s, len);
+	}
+int BIO_dump_indent(BIO *bp, const char *s, int len, int indent)
+	{
+	return BIO_dump_indent_cb(write_bio, bp, s, len, indent);
+	}
+
diff --git a/crypto/openssl/crypto/bio/b_print.c b/crypto/openssl/crypto/bio/b_print.c
index c2bb357b4c61..4857cfe0ce84 100644
--- a/crypto/openssl/crypto/bio/b_print.c
+++ b/crypto/openssl/crypto/bio/b_print.c
@@ -482,7 +482,7 @@ fmtint(
     int flags)
 {
     int signvalue = 0;
-    char *prefix = "";
+    const char *prefix = "";
     unsigned LLONG uvalue;
     char convert[DECIMAL_SIZE(value)+3];
     int place = 0;
@@ -513,8 +513,8 @@ fmtint(
             (caps ? "0123456789ABCDEF" : "0123456789abcdef")
             [uvalue % (unsigned) base];
         uvalue = (uvalue / (unsigned) base);
-    } while (uvalue && (place < sizeof convert));
-    if (place == sizeof convert)
+    } while (uvalue && (place < (int)sizeof(convert)));
+    if (place == sizeof(convert))
         place--;
     convert[place] = 0;
 
@@ -576,7 +576,7 @@ abs_val(LDOUBLE value)
 }
 
 static LDOUBLE
-pow10(int in_exp)
+pow_10(int in_exp)
 {
     LDOUBLE result = 1;
     while (in_exp) {
@@ -619,6 +619,7 @@ fmtfp(
     int caps = 0;
     long intpart;
     long fracpart;
+    long max10;
 
     if (max < 0)
         max = 6;
@@ -639,11 +640,12 @@ fmtfp(
 
     /* we "cheat" by converting the fractional part to integer by
        multiplying by a factor of 10 */
-    fracpart = roundv((pow10(max)) * (ufvalue - intpart));
+    max10 = roundv(pow_10(max));
+    fracpart = roundv(pow_10(max) * (ufvalue - intpart));
 
-    if (fracpart >= (long)pow10(max)) {
+    if (fracpart >= max10) {
         intpart++;
-        fracpart -= (long)pow10(max);
+        fracpart -= max10;
     }
 
     /* convert integer part */
@@ -652,7 +654,7 @@ fmtfp(
             (caps ? "0123456789ABCDEF"
               : "0123456789abcdef")[intpart % 10];
         intpart = (intpart / 10);
-    } while (intpart && (iplace < sizeof iconvert));
+    } while (intpart && (iplace < (int)sizeof(iconvert)));
     if (iplace == sizeof iconvert)
         iplace--;
     iconvert[iplace] = 0;
diff --git a/crypto/openssl/crypto/bio/b_sock.c b/crypto/openssl/crypto/bio/b_sock.c
index c851298d1e60..4b3860b991e3 100644
--- a/crypto/openssl/crypto/bio/b_sock.c
+++ b/crypto/openssl/crypto/bio/b_sock.c
@@ -56,14 +56,17 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_SOCK
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <errno.h>
 #define USE_SOCKETS
 #include "cryptlib.h"
 #include <openssl/bio.h>
+#if defined(OPENSSL_SYS_NETWARE) && defined(NETWARE_BSDSOCK)
+#include "netdb.h"
+#endif
+
+#ifndef OPENSSL_NO_SOCK
 
 #ifdef OPENSSL_SYS_WIN16
 #define SOCKET_PROTOCOL 0 /* more microsoft stupidity */
@@ -79,7 +82,7 @@
 #define MAX_LISTEN  32
 #endif
 
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
 static int wsa_init_done=0;
 #endif
 
@@ -473,6 +476,31 @@ int BIO_sock_init(void)
 	if (sock_init())
 		return (-1);
 #endif
+
+#if defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
+    WORD wVerReq;
+    WSADATA wsaData;
+    int err;
+
+    if (!wsa_init_done)
+    {
+   
+# ifdef SIGINT
+        signal(SIGINT,(void (*)(int))BIO_sock_cleanup);
+# endif
+
+        wsa_init_done=1;
+        wVerReq = MAKEWORD( 2, 0 );
+        err = WSAStartup(wVerReq,&wsaData);
+        if (err != 0)
+        {
+            SYSerr(SYS_F_WSASTARTUP,err);
+            BIOerr(BIO_F_BIO_SOCK_INIT,BIO_R_WSASTARTUP);
+            return(-1);
+			}
+		}
+#endif
+
 	return(1);
 	}
 
@@ -487,6 +515,12 @@ void BIO_sock_cleanup(void)
 #endif
 		WSACleanup();
 		}
+#elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
+   if (wsa_init_done)
+        {
+        wsa_init_done=0;
+        WSACleanup();
+		}
 #endif
 	}
 
diff --git a/crypto/openssl/crypto/bio/bf_nbio.c b/crypto/openssl/crypto/bio/bf_nbio.c
index 1ce2bfacc060..c72a23c2e1b2 100644
--- a/crypto/openssl/crypto/bio/bf_nbio.c
+++ b/crypto/openssl/crypto/bio/bf_nbio.c
@@ -127,7 +127,7 @@ static int nbiof_read(BIO *b, char *out, int outl)
 	{
 	NBIO_TEST *nt;
 	int ret=0;
-#if 0
+#if 1
 	int num;
 	unsigned char n;
 #endif
@@ -137,7 +137,7 @@ static int nbiof_read(BIO *b, char *out, int outl)
 	nt=(NBIO_TEST *)b->ptr;
 
 	BIO_clear_retry_flags(b);
-#if 0
+#if 1
 	RAND_pseudo_bytes(&n,1);
 	num=(n&0x07);
 
diff --git a/crypto/openssl/crypto/bio/bio.h b/crypto/openssl/crypto/bio/bio.h
index 2eb703830f4a..07333cf0b32e 100644
--- a/crypto/openssl/crypto/bio/bio.h
+++ b/crypto/openssl/crypto/bio/bio.h
@@ -59,13 +59,14 @@
 #ifndef HEADER_BIO_H
 #define HEADER_BIO_H
 
+#include <openssl/e_os2.h>
+
 #ifndef OPENSSL_NO_FP_API
 # include <stdio.h>
 #endif
 #include <stdarg.h>
 
 #include <openssl/crypto.h>
-#include <openssl/e_os2.h>
 
 #ifdef  __cplusplus
 extern "C" {
@@ -93,6 +94,7 @@ extern "C" {
 #define BIO_TYPE_BER		(18|0x0200)		/* BER -> bin filter */
 #define BIO_TYPE_BIO		(19|0x0400)		/* (half a) BIO pair */
 #define BIO_TYPE_LINEBUFFER	(20|0x0200)		/* filter */
+#define BIO_TYPE_DGRAM		(21|0x0400|0x0100)
 
 #define BIO_TYPE_DESCRIPTOR	0x0100	/* socket, fd, connect or accept */
 #define BIO_TYPE_FILTER		0x0200
@@ -124,6 +126,38 @@ extern "C" {
 
 #define BIO_CTRL_SET_FILENAME	30	/* BIO_s_file special */
 
+/* dgram BIO stuff */
+#define BIO_CTRL_DGRAM_CONNECT       31  /* BIO dgram special */
+#define BIO_CTRL_DGRAM_SET_CONNECTED 32  /* allow for an externally
+										  * connected socket to be
+										  * passed in */ 
+#define BIO_CTRL_DGRAM_SET_RECV_TIMEOUT 33 /* setsockopt, essentially */
+#define BIO_CTRL_DGRAM_GET_RECV_TIMEOUT 34 /* getsockopt, essentially */
+#define BIO_CTRL_DGRAM_SET_SEND_TIMEOUT 35 /* setsockopt, essentially */
+#define BIO_CTRL_DGRAM_GET_SEND_TIMEOUT 36 /* getsockopt, essentially */
+
+#define BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP 37 /* flag whether the last */
+#define BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP 38 /* I/O operation tiemd out */
+					
+/* #ifdef IP_MTU_DISCOVER */
+#define BIO_CTRL_DGRAM_MTU_DISCOVER       39 /* set DF bit on egress packets */
+/* #endif */
+
+#define BIO_CTRL_DGRAM_QUERY_MTU          40 /* as kernel for current MTU */
+#define BIO_CTRL_DGRAM_GET_MTU            41 /* get cached value for MTU */
+#define BIO_CTRL_DGRAM_SET_MTU            42 /* set cached value for
+											  * MTU. want to use this
+                                              * if asking the kernel
+                                              * fails */
+
+#define BIO_CTRL_DGRAM_MTU_EXCEEDED       43 /* check whether the MTU
+											  * was exceed in the
+											  * previous write
+											  * operation */
+
+#define BIO_CTRL_DGRAM_SET_PEER           44 /* Destination for the data */
+
+
 /* modifiers */
 #define BIO_FP_READ		0x02
 #define BIO_FP_WRITE		0x04
@@ -135,6 +169,11 @@ extern "C" {
 #define BIO_FLAGS_IO_SPECIAL	0x04
 #define BIO_FLAGS_RWS (BIO_FLAGS_READ|BIO_FLAGS_WRITE|BIO_FLAGS_IO_SPECIAL)
 #define BIO_FLAGS_SHOULD_RETRY	0x08
+#ifndef	BIO_FLAGS_UPLINK
+/* "UPLINK" flag denotes file descriptors provided by application.
+   It defaults to 0, as most platforms don't require UPLINK interface. */
+#define	BIO_FLAGS_UPLINK	0
+#endif
 
 /* Used in BIO_gethostbyname() */
 #define BIO_GHBN_CTRL_HITS		1
@@ -347,7 +386,6 @@ typedef struct bio_f_buffer_ctx_struct
 #define BIO_C_NWRITE0				145
 #define BIO_C_NWRITE				146
 #define BIO_C_RESET_READ_REQUEST		147
-#define BIO_C_SET_MD_CTX			148
 
 
 #define BIO_set_app_data(s,arg)		BIO_set_ex_data(s,0,arg)
@@ -488,6 +526,18 @@ size_t BIO_ctrl_get_write_guarantee(BIO *b);
 size_t BIO_ctrl_get_read_request(BIO *b);
 int BIO_ctrl_reset_read_request(BIO *b);
 
+/* ctrl macros for dgram */
+#define BIO_ctrl_dgram_connect(b,peer)  \
+                     (int)BIO_ctrl(b,BIO_CTRL_DGRAM_CONNECT,0, (char *)peer)
+#define BIO_ctrl_set_connected(b, state, peer) \
+         (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_CONNECTED, state, (char *)peer)
+#define BIO_dgram_recv_timedout(b) \
+         (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP, 0, NULL)
+#define BIO_dgram_send_timedout(b) \
+         (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP, 0, NULL)
+#define BIO_dgram_set_peer(b,peer) \
+         (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)peer)
+
 /* These two aren't currently implemented */
 /* int BIO_get_ex_num(BIO *bio); */
 /* void BIO_set_ex_free_func(BIO *bio,int idx,void (*cb)()); */
@@ -567,15 +617,28 @@ BIO_METHOD *BIO_f_buffer(void);
 BIO_METHOD *BIO_f_linebuffer(void);
 #endif
 BIO_METHOD *BIO_f_nbio_test(void);
+#ifndef OPENSSL_NO_DGRAM
+BIO_METHOD *BIO_s_datagram(void);
+#endif
+
 /* BIO_METHOD *BIO_f_ber(void); */
 
 int BIO_sock_should_retry(int i);
 int BIO_sock_non_fatal_error(int error);
+int BIO_dgram_non_fatal_error(int error);
+
 int BIO_fd_should_retry(int i);
 int BIO_fd_non_fatal_error(int error);
+int BIO_dump_cb(int (*cb)(const void *data, size_t len, void *u),
+		void *u, const char *s, int len);
+int BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u),
+		       void *u, const char *s, int len, int indent);
 int BIO_dump(BIO *b,const char *bytes,int len);
 int BIO_dump_indent(BIO *b,const char *bytes,int len,int indent);
-
+#ifndef OPENSSL_NO_FP_API
+int BIO_dump_fp(FILE *fp, const char *s, int len);
+int BIO_dump_indent_fp(FILE *fp, const char *s, int len, int indent);
+#endif
 struct hostent *BIO_gethostbyname(const char *name);
 /* We might want a thread-safe interface too:
  * struct hostent *BIO_gethostbyname_r(const char *name,
@@ -597,6 +660,7 @@ void BIO_sock_cleanup(void);
 int BIO_set_tcp_ndelay(int sock,int turn_on);
 
 BIO *BIO_new_socket(int sock, int close_flag);
+BIO *BIO_new_dgram(int fd, int close_flag);
 BIO *BIO_new_fd(int fd, int close_flag);
 BIO *BIO_new_connect(char *host_port);
 BIO *BIO_new_accept(char *host_port);
@@ -612,10 +676,20 @@ void BIO_copy_next_retry(BIO *b);
 
 /*long BIO_ghbn_ctrl(int cmd,int iarg,char *parg);*/
 
-int BIO_printf(BIO *bio, const char *format, ...);
-int BIO_vprintf(BIO *bio, const char *format, va_list args);
-int BIO_snprintf(char *buf, size_t n, const char *format, ...);
-int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args);
+#ifdef __GNUC__
+#  define __bio_h__attr__ __attribute__
+#else
+#  define __bio_h__attr__(x)
+#endif
+int BIO_printf(BIO *bio, const char *format, ...)
+	__bio_h__attr__((__format__(__printf__,2,3)));
+int BIO_vprintf(BIO *bio, const char *format, va_list args)
+	__bio_h__attr__((__format__(__printf__,2,0)));
+int BIO_snprintf(char *buf, size_t n, const char *format, ...)
+	__bio_h__attr__((__format__(__printf__,3,4)));
+int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
+	__bio_h__attr__((__format__(__printf__,3,0)));
+#undef __bio_h__attr__
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
@@ -629,6 +703,7 @@ void ERR_load_BIO_strings(void);
 #define BIO_F_ACPT_STATE				 100
 #define BIO_F_BIO_ACCEPT				 101
 #define BIO_F_BIO_BER_GET_HEADER			 102
+#define BIO_F_BIO_CALLBACK_CTRL				 131
 #define BIO_F_BIO_CTRL					 103
 #define BIO_F_BIO_GETHOSTBYNAME				 120
 #define BIO_F_BIO_GETS					 104
diff --git a/crypto/openssl/crypto/bio/bio_err.c b/crypto/openssl/crypto/bio/bio_err.c
index 68a119d895e8..426f8d13c6bd 100644
--- a/crypto/openssl/crypto/bio/bio_err.c
+++ b/crypto/openssl/crypto/bio/bio_err.c
@@ -1,6 +1,6 @@
 /* crypto/bio/bio_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,73 +64,78 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BIO,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BIO,0,reason)
+
 static ERR_STRING_DATA BIO_str_functs[]=
 	{
-{ERR_PACK(0,BIO_F_ACPT_STATE,0),	"ACPT_STATE"},
-{ERR_PACK(0,BIO_F_BIO_ACCEPT,0),	"BIO_accept"},
-{ERR_PACK(0,BIO_F_BIO_BER_GET_HEADER,0),	"BIO_BER_GET_HEADER"},
-{ERR_PACK(0,BIO_F_BIO_CTRL,0),	"BIO_ctrl"},
-{ERR_PACK(0,BIO_F_BIO_GETHOSTBYNAME,0),	"BIO_gethostbyname"},
-{ERR_PACK(0,BIO_F_BIO_GETS,0),	"BIO_gets"},
-{ERR_PACK(0,BIO_F_BIO_GET_ACCEPT_SOCKET,0),	"BIO_get_accept_socket"},
-{ERR_PACK(0,BIO_F_BIO_GET_HOST_IP,0),	"BIO_get_host_ip"},
-{ERR_PACK(0,BIO_F_BIO_GET_PORT,0),	"BIO_get_port"},
-{ERR_PACK(0,BIO_F_BIO_MAKE_PAIR,0),	"BIO_MAKE_PAIR"},
-{ERR_PACK(0,BIO_F_BIO_NEW,0),	"BIO_new"},
-{ERR_PACK(0,BIO_F_BIO_NEW_FILE,0),	"BIO_new_file"},
-{ERR_PACK(0,BIO_F_BIO_NEW_MEM_BUF,0),	"BIO_new_mem_buf"},
-{ERR_PACK(0,BIO_F_BIO_NREAD,0),	"BIO_nread"},
-{ERR_PACK(0,BIO_F_BIO_NREAD0,0),	"BIO_nread0"},
-{ERR_PACK(0,BIO_F_BIO_NWRITE,0),	"BIO_nwrite"},
-{ERR_PACK(0,BIO_F_BIO_NWRITE0,0),	"BIO_nwrite0"},
-{ERR_PACK(0,BIO_F_BIO_PUTS,0),	"BIO_puts"},
-{ERR_PACK(0,BIO_F_BIO_READ,0),	"BIO_read"},
-{ERR_PACK(0,BIO_F_BIO_SOCK_INIT,0),	"BIO_sock_init"},
-{ERR_PACK(0,BIO_F_BIO_WRITE,0),	"BIO_write"},
-{ERR_PACK(0,BIO_F_BUFFER_CTRL,0),	"BUFFER_CTRL"},
-{ERR_PACK(0,BIO_F_CONN_CTRL,0),	"CONN_CTRL"},
-{ERR_PACK(0,BIO_F_CONN_STATE,0),	"CONN_STATE"},
-{ERR_PACK(0,BIO_F_FILE_CTRL,0),	"FILE_CTRL"},
-{ERR_PACK(0,BIO_F_FILE_READ,0),	"FILE_READ"},
-{ERR_PACK(0,BIO_F_LINEBUFFER_CTRL,0),	"LINEBUFFER_CTRL"},
-{ERR_PACK(0,BIO_F_MEM_READ,0),	"MEM_READ"},
-{ERR_PACK(0,BIO_F_MEM_WRITE,0),	"MEM_WRITE"},
-{ERR_PACK(0,BIO_F_SSL_NEW,0),	"SSL_new"},
-{ERR_PACK(0,BIO_F_WSASTARTUP,0),	"WSASTARTUP"},
+{ERR_FUNC(BIO_F_ACPT_STATE),	"ACPT_STATE"},
+{ERR_FUNC(BIO_F_BIO_ACCEPT),	"BIO_accept"},
+{ERR_FUNC(BIO_F_BIO_BER_GET_HEADER),	"BIO_BER_GET_HEADER"},
+{ERR_FUNC(BIO_F_BIO_CALLBACK_CTRL),	"BIO_callback_ctrl"},
+{ERR_FUNC(BIO_F_BIO_CTRL),	"BIO_ctrl"},
+{ERR_FUNC(BIO_F_BIO_GETHOSTBYNAME),	"BIO_gethostbyname"},
+{ERR_FUNC(BIO_F_BIO_GETS),	"BIO_gets"},
+{ERR_FUNC(BIO_F_BIO_GET_ACCEPT_SOCKET),	"BIO_get_accept_socket"},
+{ERR_FUNC(BIO_F_BIO_GET_HOST_IP),	"BIO_get_host_ip"},
+{ERR_FUNC(BIO_F_BIO_GET_PORT),	"BIO_get_port"},
+{ERR_FUNC(BIO_F_BIO_MAKE_PAIR),	"BIO_MAKE_PAIR"},
+{ERR_FUNC(BIO_F_BIO_NEW),	"BIO_new"},
+{ERR_FUNC(BIO_F_BIO_NEW_FILE),	"BIO_new_file"},
+{ERR_FUNC(BIO_F_BIO_NEW_MEM_BUF),	"BIO_new_mem_buf"},
+{ERR_FUNC(BIO_F_BIO_NREAD),	"BIO_nread"},
+{ERR_FUNC(BIO_F_BIO_NREAD0),	"BIO_nread0"},
+{ERR_FUNC(BIO_F_BIO_NWRITE),	"BIO_nwrite"},
+{ERR_FUNC(BIO_F_BIO_NWRITE0),	"BIO_nwrite0"},
+{ERR_FUNC(BIO_F_BIO_PUTS),	"BIO_puts"},
+{ERR_FUNC(BIO_F_BIO_READ),	"BIO_read"},
+{ERR_FUNC(BIO_F_BIO_SOCK_INIT),	"BIO_sock_init"},
+{ERR_FUNC(BIO_F_BIO_WRITE),	"BIO_write"},
+{ERR_FUNC(BIO_F_BUFFER_CTRL),	"BUFFER_CTRL"},
+{ERR_FUNC(BIO_F_CONN_CTRL),	"CONN_CTRL"},
+{ERR_FUNC(BIO_F_CONN_STATE),	"CONN_STATE"},
+{ERR_FUNC(BIO_F_FILE_CTRL),	"FILE_CTRL"},
+{ERR_FUNC(BIO_F_FILE_READ),	"FILE_READ"},
+{ERR_FUNC(BIO_F_LINEBUFFER_CTRL),	"LINEBUFFER_CTRL"},
+{ERR_FUNC(BIO_F_MEM_READ),	"MEM_READ"},
+{ERR_FUNC(BIO_F_MEM_WRITE),	"MEM_WRITE"},
+{ERR_FUNC(BIO_F_SSL_NEW),	"SSL_new"},
+{ERR_FUNC(BIO_F_WSASTARTUP),	"WSASTARTUP"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA BIO_str_reasons[]=
 	{
-{BIO_R_ACCEPT_ERROR                      ,"accept error"},
-{BIO_R_BAD_FOPEN_MODE                    ,"bad fopen mode"},
-{BIO_R_BAD_HOSTNAME_LOOKUP               ,"bad hostname lookup"},
-{BIO_R_BROKEN_PIPE                       ,"broken pipe"},
-{BIO_R_CONNECT_ERROR                     ,"connect error"},
-{BIO_R_EOF_ON_MEMORY_BIO                 ,"EOF on memory BIO"},
-{BIO_R_ERROR_SETTING_NBIO                ,"error setting nbio"},
-{BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET,"error setting nbio on accepted socket"},
-{BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET,"error setting nbio on accept socket"},
-{BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET ,"gethostbyname addr is not af inet"},
-{BIO_R_INVALID_ARGUMENT                  ,"invalid argument"},
-{BIO_R_INVALID_IP_ADDRESS                ,"invalid ip address"},
-{BIO_R_IN_USE                            ,"in use"},
-{BIO_R_KEEPALIVE                         ,"keepalive"},
-{BIO_R_NBIO_CONNECT_ERROR                ,"nbio connect error"},
-{BIO_R_NO_ACCEPT_PORT_SPECIFIED          ,"no accept port specified"},
-{BIO_R_NO_HOSTNAME_SPECIFIED             ,"no hostname specified"},
-{BIO_R_NO_PORT_DEFINED                   ,"no port defined"},
-{BIO_R_NO_PORT_SPECIFIED                 ,"no port specified"},
-{BIO_R_NO_SUCH_FILE                      ,"no such file"},
-{BIO_R_NULL_PARAMETER                    ,"null parameter"},
-{BIO_R_TAG_MISMATCH                      ,"tag mismatch"},
-{BIO_R_UNABLE_TO_BIND_SOCKET             ,"unable to bind socket"},
-{BIO_R_UNABLE_TO_CREATE_SOCKET           ,"unable to create socket"},
-{BIO_R_UNABLE_TO_LISTEN_SOCKET           ,"unable to listen socket"},
-{BIO_R_UNINITIALIZED                     ,"uninitialized"},
-{BIO_R_UNSUPPORTED_METHOD                ,"unsupported method"},
-{BIO_R_WRITE_TO_READ_ONLY_BIO            ,"write to read only BIO"},
-{BIO_R_WSASTARTUP                        ,"WSAStartup"},
+{ERR_REASON(BIO_R_ACCEPT_ERROR)          ,"accept error"},
+{ERR_REASON(BIO_R_BAD_FOPEN_MODE)        ,"bad fopen mode"},
+{ERR_REASON(BIO_R_BAD_HOSTNAME_LOOKUP)   ,"bad hostname lookup"},
+{ERR_REASON(BIO_R_BROKEN_PIPE)           ,"broken pipe"},
+{ERR_REASON(BIO_R_CONNECT_ERROR)         ,"connect error"},
+{ERR_REASON(BIO_R_EOF_ON_MEMORY_BIO)     ,"EOF on memory BIO"},
+{ERR_REASON(BIO_R_ERROR_SETTING_NBIO)    ,"error setting nbio"},
+{ERR_REASON(BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET),"error setting nbio on accepted socket"},
+{ERR_REASON(BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET),"error setting nbio on accept socket"},
+{ERR_REASON(BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET),"gethostbyname addr is not af inet"},
+{ERR_REASON(BIO_R_INVALID_ARGUMENT)      ,"invalid argument"},
+{ERR_REASON(BIO_R_INVALID_IP_ADDRESS)    ,"invalid ip address"},
+{ERR_REASON(BIO_R_IN_USE)                ,"in use"},
+{ERR_REASON(BIO_R_KEEPALIVE)             ,"keepalive"},
+{ERR_REASON(BIO_R_NBIO_CONNECT_ERROR)    ,"nbio connect error"},
+{ERR_REASON(BIO_R_NO_ACCEPT_PORT_SPECIFIED),"no accept port specified"},
+{ERR_REASON(BIO_R_NO_HOSTNAME_SPECIFIED) ,"no hostname specified"},
+{ERR_REASON(BIO_R_NO_PORT_DEFINED)       ,"no port defined"},
+{ERR_REASON(BIO_R_NO_PORT_SPECIFIED)     ,"no port specified"},
+{ERR_REASON(BIO_R_NO_SUCH_FILE)          ,"no such file"},
+{ERR_REASON(BIO_R_NULL_PARAMETER)        ,"null parameter"},
+{ERR_REASON(BIO_R_TAG_MISMATCH)          ,"tag mismatch"},
+{ERR_REASON(BIO_R_UNABLE_TO_BIND_SOCKET) ,"unable to bind socket"},
+{ERR_REASON(BIO_R_UNABLE_TO_CREATE_SOCKET),"unable to create socket"},
+{ERR_REASON(BIO_R_UNABLE_TO_LISTEN_SOCKET),"unable to listen socket"},
+{ERR_REASON(BIO_R_UNINITIALIZED)         ,"uninitialized"},
+{ERR_REASON(BIO_R_UNSUPPORTED_METHOD)    ,"unsupported method"},
+{ERR_REASON(BIO_R_WRITE_TO_READ_ONLY_BIO),"write to read only BIO"},
+{ERR_REASON(BIO_R_WSASTARTUP)            ,"WSAStartup"},
 {0,NULL}
 	};
 
@@ -144,8 +149,8 @@ void ERR_load_BIO_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_BIO,BIO_str_functs);
-		ERR_load_strings(ERR_LIB_BIO,BIO_str_reasons);
+		ERR_load_strings(0,BIO_str_functs);
+		ERR_load_strings(0,BIO_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/bio/bio_lcl.h b/crypto/openssl/crypto/bio/bio_lcl.h
new file mode 100644
index 000000000000..dba2919d430c
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bio_lcl.h
@@ -0,0 +1,28 @@
+#include <openssl/bio.h>
+
+#if BIO_FLAGS_UPLINK==0
+/* Shortcut UPLINK calls on most platforms... */
+#define	UP_stdin	stdin
+#define	UP_stdout	stdout
+#define	UP_stderr	stderr
+#define	UP_fprintf	fprintf
+#define	UP_fgets	fgets
+#define	UP_fread	fread
+#define	UP_fwrite	fwrite
+#undef	UP_fsetmod
+#define	UP_feof		feof
+#define	UP_fclose	fclose
+
+#define	UP_fopen	fopen
+#define	UP_fseek	fseek
+#define	UP_ftell	ftell
+#define	UP_fflush	fflush
+#define	UP_ferror	ferror
+#define	UP_fileno	fileno
+
+#define	UP_open		open
+#define	UP_read		read
+#define	UP_write	write
+#define	UP_lseek	lseek
+#define	UP_close	close
+#endif
diff --git a/crypto/openssl/crypto/bio/bio_lib.c b/crypto/openssl/crypto/bio/bio_lib.c
index 692c8fb5c653..dcc989f9d6bf 100644
--- a/crypto/openssl/crypto/bio/bio_lib.c
+++ b/crypto/openssl/crypto/bio/bio_lib.c
@@ -144,7 +144,7 @@ void BIO_vfree(BIO *a)
 int BIO_read(BIO *b, void *out, int outl)
 	{
 	int i;
-	long (*cb)();
+	long (*cb)(BIO *,int,const char *,int,long,long);
 
 	if ((b == NULL) || (b->method == NULL) || (b->method->bread == NULL))
 		{
@@ -176,7 +176,7 @@ int BIO_read(BIO *b, void *out, int outl)
 int BIO_write(BIO *b, const void *in, int inl)
 	{
 	int i;
-	long (*cb)();
+	long (*cb)(BIO *,int,const char *,int,long,long);
 
 	if (b == NULL)
 		return(0);
@@ -211,7 +211,7 @@ int BIO_write(BIO *b, const void *in, int inl)
 int BIO_puts(BIO *b, const char *in)
 	{
 	int i;
-	long (*cb)();
+	long (*cb)(BIO *,int,const char *,int,long,long);
 
 	if ((b == NULL) || (b->method == NULL) || (b->method->bputs == NULL))
 		{
@@ -244,7 +244,7 @@ int BIO_puts(BIO *b, const char *in)
 int BIO_gets(BIO *b, char *in, int inl)
 	{
 	int i;
-	long (*cb)();
+	long (*cb)(BIO *,int,const char *,int,long,long);
 
 	if ((b == NULL) || (b->method == NULL) || (b->method->bgets == NULL))
 		{
@@ -305,7 +305,7 @@ char *BIO_ptr_ctrl(BIO *b, int cmd, long larg)
 long BIO_ctrl(BIO *b, int cmd, long larg, void *parg)
 	{
 	long ret;
-	long (*cb)();
+	long (*cb)(BIO *,int,const char *,int,long,long);
 
 	if (b == NULL) return(0);
 
@@ -332,13 +332,13 @@ long BIO_ctrl(BIO *b, int cmd, long larg, void *parg)
 long BIO_callback_ctrl(BIO *b, int cmd, void (*fp)(struct bio_st *, int, const char *, int, long, long))
 	{
 	long ret;
-	long (*cb)();
+	long (*cb)(BIO *,int,const char *,int,long,long);
 
 	if (b == NULL) return(0);
 
 	if ((b->method == NULL) || (b->method->callback_ctrl == NULL))
 		{
-		BIOerr(BIO_F_BIO_CTRL,BIO_R_UNSUPPORTED_METHOD);
+		BIOerr(BIO_F_BIO_CALLBACK_CTRL,BIO_R_UNSUPPORTED_METHOD);
 		return(-2);
 		}
 
diff --git a/crypto/openssl/crypto/bio/bss_acpt.c b/crypto/openssl/crypto/bio/bss_acpt.c
index 8ea1db158b8b..d090b7272fb6 100644
--- a/crypto/openssl/crypto/bio/bss_acpt.c
+++ b/crypto/openssl/crypto/bio/bss_acpt.c
@@ -56,14 +56,14 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_SOCK
-
 #include <stdio.h>
 #include <errno.h>
 #define USE_SOCKETS
 #include "cryptlib.h"
 #include <openssl/bio.h>
 
+#ifndef OPENSSL_NO_SOCK
+
 #ifdef OPENSSL_SYS_WIN16
 #define SOCKET_PROTOCOL 0 /* more microsoft stupidity */
 #else
diff --git a/crypto/openssl/crypto/bio/bss_conn.c b/crypto/openssl/crypto/bio/bss_conn.c
index f5d0e759e230..c14727855b25 100644
--- a/crypto/openssl/crypto/bio/bss_conn.c
+++ b/crypto/openssl/crypto/bio/bss_conn.c
@@ -56,14 +56,14 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_SOCK
-
 #include <stdio.h>
 #include <errno.h>
 #define USE_SOCKETS
 #include "cryptlib.h"
 #include <openssl/bio.h>
 
+#ifndef OPENSSL_NO_SOCK
+
 #ifdef OPENSSL_SYS_WIN16
 #define SOCKET_PROTOCOL 0 /* more microsoft stupidity */
 #else
@@ -130,7 +130,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
 	int ret= -1,i;
 	unsigned long l;
 	char *p,*q;
-	int (*cb)()=NULL;
+	int (*cb)(const BIO *,int,int)=NULL;
 
 	if (c->info_callback != NULL)
 		cb=c->info_callback;
@@ -469,7 +469,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
 		break;
 	case BIO_C_DO_STATE_MACHINE:
 		/* use this one to start the connection */
-		if (!data->state != BIO_CONN_S_OK)
+		if (data->state != BIO_CONN_S_OK)
 			ret=(long)conn_state(b,data);
 		else
 			ret=1;
@@ -590,9 +590,9 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
 		break;
 	case BIO_CTRL_GET_CALLBACK:
 		{
-		int (**fptr)();
+		int (**fptr)(const BIO *bio,int state,int xret);
 
-		fptr=(int (**)())ptr;
+		fptr=(int (**)(const BIO *bio,int state,int xret))ptr;
 		*fptr=data->info_callback;
 		}
 		break;
diff --git a/crypto/openssl/crypto/bio/bss_dgram.c b/crypto/openssl/crypto/bio/bss_dgram.c
new file mode 100644
index 000000000000..a0cb29b3dcee
--- /dev/null
+++ b/crypto/openssl/crypto/bio/bss_dgram.c
@@ -0,0 +1,484 @@
+/* crypto/bio/bio_dgram.c */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef OPENSSL_NO_DGRAM
+
+#include <stdio.h>
+#include <errno.h>
+#define USE_SOCKETS
+#include "cryptlib.h"
+
+#include <openssl/bio.h>
+
+#define IP_MTU      14 /* linux is lame */
+
+#ifdef WATT32
+#define sock_write SockWrite  /* Watt-32 uses same names */
+#define sock_read  SockRead
+#define sock_puts  SockPuts
+#endif
+
+static int dgram_write(BIO *h, const char *buf, int num);
+static int dgram_read(BIO *h, char *buf, int size);
+static int dgram_puts(BIO *h, const char *str);
+static long dgram_ctrl(BIO *h, int cmd, long arg1, void *arg2);
+static int dgram_new(BIO *h);
+static int dgram_free(BIO *data);
+static int dgram_clear(BIO *bio);
+
+int BIO_dgram_should_retry(int s);
+
+static BIO_METHOD methods_dgramp=
+	{
+	BIO_TYPE_DGRAM,
+	"datagram socket",
+	dgram_write,
+	dgram_read,
+	dgram_puts,
+	NULL, /* dgram_gets, */
+	dgram_ctrl,
+	dgram_new,
+	dgram_free,
+	NULL,
+	};
+
+typedef struct bio_dgram_data_st
+	{
+	struct sockaddr peer;
+	unsigned int connected;
+	unsigned int _errno;
+	unsigned int mtu;
+	} bio_dgram_data;
+
+BIO_METHOD *BIO_s_datagram(void)
+	{
+	return(&methods_dgramp);
+	}
+
+BIO *BIO_new_dgram(int fd, int close_flag)
+	{
+	BIO *ret;
+
+	ret=BIO_new(BIO_s_datagram());
+	if (ret == NULL) return(NULL);
+	BIO_set_fd(ret,fd,close_flag);
+	return(ret);
+	}
+
+static int dgram_new(BIO *bi)
+	{
+	bio_dgram_data *data = NULL;
+
+	bi->init=0;
+	bi->num=0;
+	data = OPENSSL_malloc(sizeof(bio_dgram_data));
+	if (data == NULL)
+		return 0;
+	memset(data, 0x00, sizeof(bio_dgram_data));
+    bi->ptr = data;
+
+	bi->flags=0;
+	return(1);
+	}
+
+static int dgram_free(BIO *a)
+	{
+	bio_dgram_data *data;
+
+	if (a == NULL) return(0);
+	if ( ! dgram_clear(a))
+		return 0;
+
+	data = (bio_dgram_data *)a->ptr;
+	if(data != NULL) OPENSSL_free(data);
+
+	return(1);
+	}
+
+static int dgram_clear(BIO *a)
+	{
+	if (a == NULL) return(0);
+	if (a->shutdown)
+		{
+		if (a->init)
+			{
+			SHUTDOWN2(a->num);
+			}
+		a->init=0;
+		a->flags=0;
+		}
+	return(1);
+	}
+	
+static int dgram_read(BIO *b, char *out, int outl)
+	{
+	int ret=0;
+	bio_dgram_data *data = (bio_dgram_data *)b->ptr;
+
+	struct sockaddr peer;
+	int peerlen = sizeof(peer);
+
+	if (out != NULL)
+		{
+		clear_socket_error();
+		memset(&peer, 0x00, peerlen);
+		/* Last arg in recvfrom is signed on some platforms and
+		 * unsigned on others. It is of type socklen_t on some
+		 * but this is not universal. Cast to (void *) to avoid
+		 * compiler warnings.
+		 */
+		ret=recvfrom(b->num,out,outl,0,&peer,(void *)&peerlen);
+
+		if ( ! data->connected  && ret > 0)
+			BIO_ctrl(b, BIO_CTRL_DGRAM_CONNECT, 0, &peer);
+
+		BIO_clear_retry_flags(b);
+		if (ret <= 0)
+			{
+			if (BIO_dgram_should_retry(ret))
+				{
+				BIO_set_retry_read(b);
+				data->_errno = get_last_socket_error();
+				}
+			}
+		}
+	return(ret);
+	}
+
+static int dgram_write(BIO *b, const char *in, int inl)
+	{
+	int ret;
+	bio_dgram_data *data = (bio_dgram_data *)b->ptr;
+	clear_socket_error();
+
+    if ( data->connected )
+        ret=send(b->num,in,inl,0);
+    else
+        ret=sendto(b->num, in, inl, 0, &data->peer, sizeof(data->peer));
+
+	BIO_clear_retry_flags(b);
+	if (ret <= 0)
+		{
+		if (BIO_sock_should_retry(ret))
+			{
+			BIO_set_retry_write(b);  
+			data->_errno = get_last_socket_error();
+
+#if 0 /* higher layers are responsible for querying MTU, if necessary */
+			if ( data->_errno == EMSGSIZE)
+				/* retrieve the new MTU */
+				BIO_ctrl(b, BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+#endif
+			}
+		}
+	return(ret);
+	}
+
+static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
+	{
+	long ret=1;
+	int *ip;
+	struct sockaddr *to = NULL;
+	bio_dgram_data *data = NULL;
+	long sockopt_val = 0;
+	unsigned int sockopt_len = 0;
+
+	data = (bio_dgram_data *)b->ptr;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_RESET:
+		num=0;
+	case BIO_C_FILE_SEEK:
+		ret=0;
+		break;
+	case BIO_C_FILE_TELL:
+	case BIO_CTRL_INFO:
+		ret=0;
+		break;
+	case BIO_C_SET_FD:
+		dgram_clear(b);
+		b->num= *((int *)ptr);
+		b->shutdown=(int)num;
+		b->init=1;
+		break;
+	case BIO_C_GET_FD:
+		if (b->init)
+			{
+			ip=(int *)ptr;
+			if (ip != NULL) *ip=b->num;
+			ret=b->num;
+			}
+		else
+			ret= -1;
+		break;
+	case BIO_CTRL_GET_CLOSE:
+		ret=b->shutdown;
+		break;
+	case BIO_CTRL_SET_CLOSE:
+		b->shutdown=(int)num;
+		break;
+	case BIO_CTRL_PENDING:
+	case BIO_CTRL_WPENDING:
+		ret=0;
+		break;
+	case BIO_CTRL_DUP:
+	case BIO_CTRL_FLUSH:
+		ret=1;
+		break;
+	case BIO_CTRL_DGRAM_CONNECT:
+		to = (struct sockaddr *)ptr;
+#if 0
+		if (connect(b->num, to, sizeof(struct sockaddr)) < 0)
+			{ perror("connect"); ret = 0; }
+		else
+			{
+#endif
+			memcpy(&(data->peer),to, sizeof(struct sockaddr));
+#if 0
+			}
+#endif
+		break;
+		/* (Linux)kernel sets DF bit on outgoing IP packets */
+#ifdef IP_MTU_DISCOVER
+	case BIO_CTRL_DGRAM_MTU_DISCOVER:
+		sockopt_val = IP_PMTUDISC_DO;
+		if ((ret = setsockopt(b->num, IPPROTO_IP, IP_MTU_DISCOVER,
+			&sockopt_val, sizeof(sockopt_val))) < 0)
+			perror("setsockopt");
+		break;
+#endif
+	case BIO_CTRL_DGRAM_QUERY_MTU:
+         sockopt_len = sizeof(sockopt_val);
+		if ((ret = getsockopt(b->num, IPPROTO_IP, IP_MTU, (void *)&sockopt_val,
+			&sockopt_len)) < 0 || sockopt_val < 0)
+			{ ret = 0; }
+		else
+			{
+			data->mtu = sockopt_val;
+			ret = data->mtu;
+			}
+		break;
+	case BIO_CTRL_DGRAM_GET_MTU:
+		return data->mtu;
+		break;
+	case BIO_CTRL_DGRAM_SET_MTU:
+		data->mtu = num;
+		ret = num;
+		break;
+	case BIO_CTRL_DGRAM_SET_CONNECTED:
+		to = (struct sockaddr *)ptr;
+
+		if ( to != NULL)
+			{
+			data->connected = 1;
+			memcpy(&(data->peer),to, sizeof(struct sockaddr));
+			}
+		else
+			{
+			data->connected = 0;
+			memset(&(data->peer), 0x00, sizeof(struct sockaddr));
+			}
+		break;
+    case BIO_CTRL_DGRAM_SET_PEER:
+        to = (struct sockaddr *) ptr;
+
+        memcpy(&(data->peer), to, sizeof(struct sockaddr));
+        break;
+	case BIO_CTRL_DGRAM_SET_RECV_TIMEOUT:
+		if ( setsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, ptr,
+			sizeof(struct timeval)) < 0)
+			{ perror("setsockopt");	ret = -1; }
+		break;
+	case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT:
+		if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, 
+			ptr, (void *)&ret) < 0)
+			{ perror("getsockopt"); ret = -1; }
+		break;
+	case BIO_CTRL_DGRAM_SET_SEND_TIMEOUT:
+		if ( setsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, ptr,
+			sizeof(struct timeval)) < 0)
+			{ perror("setsockopt");	ret = -1; }
+		break;
+	case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT:
+		if ( getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, 
+			ptr, (void *)&ret) < 0)
+			{ perror("getsockopt"); ret = -1; }
+		break;
+	case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP:
+		/* fall-through */
+	case BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP:
+		if ( data->_errno == EAGAIN)
+			{
+			ret = 1;
+			data->_errno = 0;
+			}
+		else
+			ret = 0;
+		break;
+#ifdef EMSGSIZE
+	case BIO_CTRL_DGRAM_MTU_EXCEEDED:
+		if ( data->_errno == EMSGSIZE)
+			{
+			ret = 1;
+			data->_errno = 0;
+			}
+		else
+			ret = 0;
+		break;
+#endif
+	default:
+		ret=0;
+		break;
+		}
+	return(ret);
+	}
+
+static int dgram_puts(BIO *bp, const char *str)
+	{
+	int n,ret;
+
+	n=strlen(str);
+	ret=dgram_write(bp,str,n);
+	return(ret);
+	}
+
+int BIO_dgram_should_retry(int i)
+	{
+	int err;
+
+	if ((i == 0) || (i == -1))
+		{
+		err=get_last_socket_error();
+
+#if defined(OPENSSL_SYS_WINDOWS) && 0 /* more microsoft stupidity? perhaps not? Ben 4/1/99 */
+		if ((i == -1) && (err == 0))
+			return(1);
+#endif
+
+		return(BIO_dgram_non_fatal_error(err));
+		}
+	return(0);
+	}
+
+int BIO_dgram_non_fatal_error(int err)
+	{
+	switch (err)
+		{
+#if defined(OPENSSL_SYS_WINDOWS)
+# if defined(WSAEWOULDBLOCK)
+	case WSAEWOULDBLOCK:
+# endif
+
+# if 0 /* This appears to always be an error */
+#  if defined(WSAENOTCONN)
+	case WSAENOTCONN:
+#  endif
+# endif
+#endif
+
+#ifdef EWOULDBLOCK
+# ifdef WSAEWOULDBLOCK
+#  if WSAEWOULDBLOCK != EWOULDBLOCK
+	case EWOULDBLOCK:
+#  endif
+# else
+	case EWOULDBLOCK:
+# endif
+#endif
+
+#if defined(ENOTCONN)
+	case ENOTCONN:
+#endif
+
+#ifdef EINTR
+	case EINTR:
+#endif
+
+#ifdef EAGAIN
+#if EWOULDBLOCK != EAGAIN
+	case EAGAIN:
+# endif
+#endif
+
+#ifdef EPROTO
+	case EPROTO:
+#endif
+
+#ifdef EINPROGRESS
+	case EINPROGRESS:
+#endif
+
+#ifdef EALREADY
+	case EALREADY:
+#endif
+
+/* DF bit set, and packet larger than MTU */
+#ifdef EMSGSIZE
+	case EMSGSIZE:
+#endif
+
+		return(1);
+		/* break; */
+	default:
+		break;
+		}
+	return(0);
+	}
+#endif
diff --git a/crypto/openssl/crypto/bio/bss_fd.c b/crypto/openssl/crypto/bio/bss_fd.c
index 5e3e187de689..4c229bf64103 100644
--- a/crypto/openssl/crypto/bio/bss_fd.c
+++ b/crypto/openssl/crypto/bio/bss_fd.c
@@ -60,7 +60,19 @@
 #include <errno.h>
 #define USE_SOCKETS
 #include "cryptlib.h"
-#include <openssl/bio.h>
+/*
+ * As for unconditional usage of "UPLINK" interface in this module.
+ * Trouble is that unlike Unix file descriptors [which are indexes
+ * in kernel-side per-process table], corresponding descriptors on
+ * platforms which require "UPLINK" interface seem to be indexes
+ * in a user-land, non-global table. Well, in fact they are indexes
+ * in stdio _iob[], and recall that _iob[] was the very reason why
+ * "UPLINK" interface was introduced in first place. But one way on
+ * another. Neither libcrypto or libssl use this BIO meaning that
+ * file descriptors can only be provided by application. Therefore
+ * "UPLINK" calls are due...
+ */
+#include "bio_lcl.h"
 
 static int fd_write(BIO *h, const char *buf, int num);
 static int fd_read(BIO *h, char *buf, int size);
@@ -100,9 +112,9 @@ BIO *BIO_new_fd(int fd,int close_flag)
 static int fd_new(BIO *bi)
 	{
 	bi->init=0;
-	bi->num=0;
+	bi->num=-1;
 	bi->ptr=NULL;
-	bi->flags=0;
+	bi->flags=BIO_FLAGS_UPLINK; /* essentially redundant */
 	return(1);
 	}
 
@@ -113,10 +125,10 @@ static int fd_free(BIO *a)
 		{
 		if (a->init)
 			{
-			close(a->num);
+			UP_close(a->num);
 			}
 		a->init=0;
-		a->flags=0;
+		a->flags=BIO_FLAGS_UPLINK;
 		}
 	return(1);
 	}
@@ -128,7 +140,7 @@ static int fd_read(BIO *b, char *out,int outl)
 	if (out != NULL)
 		{
 		clear_sys_error();
-		ret=read(b->num,out,outl);
+		ret=UP_read(b->num,out,outl);
 		BIO_clear_retry_flags(b);
 		if (ret <= 0)
 			{
@@ -143,7 +155,7 @@ static int fd_write(BIO *b, const char *in, int inl)
 	{
 	int ret;
 	clear_sys_error();
-	ret=write(b->num,in,inl);
+	ret=UP_write(b->num,in,inl);
 	BIO_clear_retry_flags(b);
 	if (ret <= 0)
 		{
@@ -163,11 +175,11 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr)
 	case BIO_CTRL_RESET:
 		num=0;
 	case BIO_C_FILE_SEEK:
-		ret=(long)lseek(b->num,num,0);
+		ret=(long)UP_lseek(b->num,num,0);
 		break;
 	case BIO_C_FILE_TELL:
 	case BIO_CTRL_INFO:
-		ret=(long)lseek(b->num,0,1);
+		ret=(long)UP_lseek(b->num,0,1);
 		break;
 	case BIO_C_SET_FD:
 		fd_free(b);
diff --git a/crypto/openssl/crypto/bio/bss_file.c b/crypto/openssl/crypto/bio/bss_file.c
index 4fe38ae1986d..b277367da3a4 100644
--- a/crypto/openssl/crypto/bio/bss_file.c
+++ b/crypto/openssl/crypto/bio/bss_file.c
@@ -65,10 +65,28 @@
 #ifndef HEADER_BSS_FILE_C
 #define HEADER_BSS_FILE_C
 
+#if defined(__linux) || defined(__sun) || defined(__hpux)
+/* Following definition aliases fopen to fopen64 on above mentioned
+ * platforms. This makes it possible to open and sequentially access
+ * files larger than 2GB from 32-bit application. It does not allow to
+ * traverse them beyond 2GB with fseek/ftell, but on the other hand *no*
+ * 32-bit platform permits that, not with fseek/ftell. Not to mention
+ * that breaking 2GB limit for seeking would require surgery to *our*
+ * API. But sequential access suffices for practical cases when you
+ * can run into large files, such as fingerprinting, so we can let API
+ * alone. For reference, the list of 32-bit platforms which allow for
+ * sequential access of large files without extra "magic" comprise *BSD,
+ * Darwin, IRIX...
+ */
+#ifndef _FILE_OFFSET_BITS
+#define _FILE_OFFSET_BITS 64
+#endif
+#endif
+
 #include <stdio.h>
 #include <errno.h>
 #include "cryptlib.h"
-#include <openssl/bio.h>
+#include "bio_lcl.h"
 #include <openssl/err.h>
 
 #if !defined(OPENSSL_NO_STDIO)
@@ -110,8 +128,12 @@ BIO *BIO_new_file(const char *filename, const char *mode)
 		return(NULL);
 		}
 	if ((ret=BIO_new(BIO_s_file_internal())) == NULL)
+		{
+		fclose(file);
 		return(NULL);
+		}
 
+	BIO_clear_flags(ret,BIO_FLAGS_UPLINK); /* we did fopen -> we disengage UPLINK */
 	BIO_set_fp(ret,file,BIO_CLOSE);
 	return(ret);
 	}
@@ -123,6 +145,7 @@ BIO *BIO_new_fp(FILE *stream, int close_flag)
 	if ((ret=BIO_new(BIO_s_file())) == NULL)
 		return(NULL);
 
+	BIO_set_flags(ret,BIO_FLAGS_UPLINK); /* redundant, left for documentation puposes */
 	BIO_set_fp(ret,stream,close_flag);
 	return(ret);
 	}
@@ -137,6 +160,7 @@ static int MS_CALLBACK file_new(BIO *bi)
 	bi->init=0;
 	bi->num=0;
 	bi->ptr=NULL;
+	bi->flags=BIO_FLAGS_UPLINK; /* default to UPLINK */
 	return(1);
 	}
 
@@ -147,8 +171,12 @@ static int MS_CALLBACK file_free(BIO *a)
 		{
 		if ((a->init) && (a->ptr != NULL))
 			{
-			fclose((FILE *)a->ptr);
+			if (a->flags&BIO_FLAGS_UPLINK)
+				UP_fclose (a->ptr);
+			else
+				fclose (a->ptr);
 			a->ptr=NULL;
+			a->flags=BIO_FLAGS_UPLINK;
 			}
 		a->init=0;
 		}
@@ -161,8 +189,11 @@ static int MS_CALLBACK file_read(BIO *b, char *out, int outl)
 
 	if (b->init && (out != NULL))
 		{
-		ret=fread(out,1,(int)outl,(FILE *)b->ptr);
-		if(ret == 0 && ferror((FILE *)b->ptr))
+		if (b->flags&BIO_FLAGS_UPLINK)
+			ret=UP_fread(out,1,(int)outl,b->ptr);
+		else
+			ret=fread(out,1,(int)outl,(FILE *)b->ptr);
+		if(ret == 0 && (b->flags&BIO_FLAGS_UPLINK)?UP_ferror((FILE *)b->ptr):ferror((FILE *)b->ptr))
 			{
 			SYSerr(SYS_F_FREAD,get_last_sys_error());
 			BIOerr(BIO_F_FILE_READ,ERR_R_SYS_LIB);
@@ -178,7 +209,11 @@ static int MS_CALLBACK file_write(BIO *b, const char *in, int inl)
 
 	if (b->init && (in != NULL))
 		{
-		if (fwrite(in,(int)inl,1,(FILE *)b->ptr))
+		if (b->flags&BIO_FLAGS_UPLINK)
+			ret=UP_fwrite(in,(int)inl,1,b->ptr);
+		else
+			ret=fwrite(in,(int)inl,1,(FILE *)b->ptr);
+		if (ret)
 			ret=inl;
 		/* ret=fwrite(in,1,(int)inl,(FILE *)b->ptr); */
 		/* according to Tim Hudson <tjh@cryptsoft.com>, the commented
@@ -199,20 +234,45 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 		{
 	case BIO_C_FILE_SEEK:
 	case BIO_CTRL_RESET:
-		ret=(long)fseek(fp,num,0);
+		if (b->flags&BIO_FLAGS_UPLINK)
+			ret=(long)UP_fseek(b->ptr,num,0);
+		else
+			ret=(long)fseek(fp,num,0);
 		break;
 	case BIO_CTRL_EOF:
-		ret=(long)feof(fp);
+		if (b->flags&BIO_FLAGS_UPLINK)
+			ret=(long)UP_feof(fp);
+		else
+			ret=(long)feof(fp);
 		break;
 	case BIO_C_FILE_TELL:
 	case BIO_CTRL_INFO:
-		ret=ftell(fp);
+		if (b->flags&BIO_FLAGS_UPLINK)
+			ret=UP_ftell(b->ptr);
+		else
+			ret=ftell(fp);
 		break;
 	case BIO_C_SET_FILE_PTR:
 		file_free(b);
 		b->shutdown=(int)num&BIO_CLOSE;
-		b->ptr=(char *)ptr;
+		b->ptr=ptr;
 		b->init=1;
+#if BIO_FLAGS_UPLINK!=0
+#if defined(__MINGW32__) && defined(__MSVCRT__) && !defined(_IOB_ENTRIES)
+#define _IOB_ENTRIES 20
+#endif
+#if defined(_IOB_ENTRIES)
+		/* Safety net to catch purely internal BIO_set_fp calls */
+		if ((size_t)ptr >= (size_t)stdin &&
+		    (size_t)ptr <  (size_t)(stdin+_IOB_ENTRIES))
+			BIO_clear_flags(b,BIO_FLAGS_UPLINK);
+#endif
+#endif
+#ifdef UP_fsetmode
+		if (b->flags&BIO_FLAGS_UPLINK)
+			UP_fsetmode(b->ptr,num&BIO_FP_TEXT?'t':'b');
+		else
+#endif
 		{
 #if defined(OPENSSL_SYS_WINDOWS)
 		int fd = fileno((FILE*)ptr);
@@ -220,6 +280,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 			_setmode(fd,_O_TEXT);
 		else
 			_setmode(fd,_O_BINARY);
+#elif defined(OPENSSL_SYS_NETWARE) && defined(NETWARE_CLIB)
+		int fd = fileno((FILE*)ptr);
+         /* Under CLib there are differences in file modes
+         */
+		if (num & BIO_FP_TEXT)
+			_setmode(fd,O_TEXT);
+		else
+			_setmode(fd,O_BINARY);
 #elif defined(OPENSSL_SYS_MSDOS)
 		int fd = fileno((FILE*)ptr);
 		/* Set correct text/binary mode */
@@ -266,7 +334,13 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 			ret=0;
 			break;
 			}
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2)
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN)
+		if (!(num & BIO_FP_TEXT))
+			strcat(p,"b");
+		else
+			strcat(p,"t");
+#endif
+#if defined(OPENSSL_SYS_NETWARE)
 		if (!(num & BIO_FP_TEXT))
 			strcat(p,"b");
 		else
@@ -281,8 +355,9 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 			ret=0;
 			break;
 			}
-		b->ptr=(char *)fp;
+		b->ptr=fp;
 		b->init=1;
+		BIO_clear_flags(b,BIO_FLAGS_UPLINK); /* we did fopen -> we disengage UPLINK */
 		break;
 	case BIO_C_GET_FILE_PTR:
 		/* the ptr parameter is actually a FILE ** in this case. */
@@ -299,7 +374,10 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 		b->shutdown=(int)num;
 		break;
 	case BIO_CTRL_FLUSH:
-		fflush((FILE *)b->ptr);
+		if (b->flags&BIO_FLAGS_UPLINK)
+			UP_fflush(b->ptr);
+		else
+			fflush((FILE *)b->ptr);
 		break;
 	case BIO_CTRL_DUP:
 		ret=1;
@@ -321,7 +399,10 @@ static int MS_CALLBACK file_gets(BIO *bp, char *buf, int size)
 	int ret=0;
 
 	buf[0]='\0';
-	fgets(buf,size,(FILE *)bp->ptr);
+	if (bp->flags&BIO_FLAGS_UPLINK)
+		UP_fgets(buf,size,bp->ptr);
+	else
+		fgets(buf,size,(FILE *)bp->ptr);
 	if (buf[0] != '\0')
 		ret=strlen(buf);
 	return(ret);
diff --git a/crypto/openssl/crypto/bio/bss_log.c b/crypto/openssl/crypto/bio/bss_log.c
index 1eb678cac095..6360dbc820b4 100644
--- a/crypto/openssl/crypto/bio/bss_log.c
+++ b/crypto/openssl/crypto/bio/bss_log.c
@@ -78,6 +78,8 @@
 #  include <starlet.h>
 #elif defined(__ultrix)
 #  include <sys/syslog.h>
+#elif defined(OPENSSL_SYS_NETWARE)
+#  define NO_SYSLOG
 #elif (!defined(MSDOS) || defined(WATT32)) && !defined(OPENSSL_SYS_VXWORKS) && !defined(NO_SYSLOG)
 #  include <syslog.h>
 #endif
diff --git a/crypto/openssl/crypto/bio/bss_sock.c b/crypto/openssl/crypto/bio/bss_sock.c
index 2c1c405ec7e8..472dd75821c5 100644
--- a/crypto/openssl/crypto/bio/bss_sock.c
+++ b/crypto/openssl/crypto/bio/bss_sock.c
@@ -56,8 +56,6 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_SOCK
-
 #include <stdio.h>
 #include <errno.h>
 #define USE_SOCKETS
@@ -248,7 +246,7 @@ int BIO_sock_non_fatal_error(int err)
 	{
 	switch (err)
 		{
-#if defined(OPENSSL_SYS_WINDOWS)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_NETWARE)
 # if defined(WSAEWOULDBLOCK)
 	case WSAEWOULDBLOCK:
 # endif
@@ -279,7 +277,7 @@ int BIO_sock_non_fatal_error(int err)
 #endif
 
 #ifdef EAGAIN
-#if EWOULDBLOCK != EAGAIN
+# if EWOULDBLOCK != EAGAIN
 	case EAGAIN:
 # endif
 #endif
@@ -302,4 +300,3 @@ int BIO_sock_non_fatal_error(int err)
 		}
 	return(0);
 	}
-#endif
diff --git a/crypto/openssl/crypto/bn/Makefile b/crypto/openssl/crypto/bn/Makefile
index 76ced9f37c50..5c3e08fa8085 100644
--- a/crypto/openssl/crypto/bn/Makefile
+++ b/crypto/openssl/crypto/bn/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/bn/Makefile
+# OpenSSL/crypto/bn/Makefile
 #
 
 DIR=	bn
@@ -8,11 +8,6 @@ CC=	cc
 CPP=    $(CC) -E
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -22,6 +17,7 @@ BN_ASM=		bn_asm.o
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 ASFLAGS= $(INCLUDES) $(ASFLAG)
+AFLAGS= $(ASFLAGS)
 
 GENERAL=Makefile
 TEST=bntest.c exptest.c
@@ -31,12 +27,14 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC=	bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c bn_mod.c \
 	bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
 	bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
-	bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c
+	bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
+	bn_depr.c bn_const.c
 
 LIBOBJ=	bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \
 	bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
 	bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \
-	bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o
+	bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_gf2m.o bn_nist.o \
+	bn_depr.o bn_const.o
 
 SRC= $(LIBSRC)
 
@@ -64,63 +62,52 @@ lib:	$(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
 
-# elf
-asm/bn86-elf.s:	asm/bn-586.pl ../perlasm/x86asm.pl
-	(cd asm; $(PERL) bn-586.pl elf $(CFLAGS) > bn86-elf.s)
-
-asm/co86-elf.s:	asm/co-586.pl ../perlasm/x86asm.pl
-	(cd asm; $(PERL) co-586.pl elf $(CFLAGS) > co86-elf.s)
-
+# ELF
+bn86-elf.s:	asm/bn-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) bn-586.pl elf $(CFLAGS) > ../$@)
+co86-elf.s:	asm/co-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) co-586.pl elf $(CFLAGS) > ../$@)
+# COFF
+bn86-cof.s: asm/bn-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) bn-586.pl coff $(CFLAGS) > ../$@)
+co86-cof.s: asm/co-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) co-586.pl coff $(CFLAGS) > ../$@)
 # a.out
-asm/bn86-out.o: asm/bn86unix.cpp
-	$(CPP) -DOUT asm/bn86unix.cpp | as -o asm/bn86-out.o
-
-asm/co86-out.o: asm/co86unix.cpp
-	$(CPP) -DOUT asm/co86unix.cpp | as -o asm/co86-out.o
-
-# bsdi
-asm/bn86bsdi.o: asm/bn86unix.cpp
-	$(CPP) -DBSDI asm/bn86unix.cpp | sed 's/ :/:/' | as -o asm/bn86bsdi.o
-
-asm/co86bsdi.o: asm/co86unix.cpp
-	$(CPP) -DBSDI asm/co86unix.cpp | sed 's/ :/:/' | as -o asm/co86bsdi.o
-
-asm/bn86unix.cpp: asm/bn-586.pl ../perlasm/x86asm.pl
-	(cd asm; $(PERL) bn-586.pl cpp >bn86unix.cpp )
-
-asm/co86unix.cpp: asm/co-586.pl ../perlasm/x86asm.pl
-	(cd asm; $(PERL) co-586.pl cpp >co86unix.cpp )
-
-asm/sparcv8.o: asm/sparcv8.S
-
-asm/sparcv8plus.o: asm/sparcv8plus.S
-
-# Old GNU assembler doesn't understand V9 instructions, so we
-# hire /usr/ccs/bin/as to do the job. Note that option is called
-# *-gcc27, but even gcc 2>=8 users may experience similar problem
-# if they didn't bother to upgrade GNU assembler. Such users should
-# not choose this option, but be adviced to *remove* GNU assembler
-# or upgrade it.
-asm/sparcv8plus-gcc27.o: asm/sparcv8plus.S
-	$(CC) $(ASFLAGS) -E asm/sparcv8plus.S | \
-		/usr/ccs/bin/as -xarch=v8plus - -o asm/sparcv8plus-gcc27.o
-
-
-asm/ia64.o:	asm/ia64.S
-
-# Some compiler drivers (most notably HP-UX and Intel C++) don't
-# understand .S extension:-( I wish I could pipe output from cc -E,
-# but it's too compiler driver/ABI dependent to cover with a single
-# rule...	<appro@fy.chalmers.se>
-asm/ia64-cpp.o:	asm/ia64.S
-	$(CC) $(ASFLAGS) -E asm/ia64.S > /tmp/ia64.$$$$.s &&	\
-	$(CC) $(ASFLAGS) -c -o asm/ia64-cpp.o /tmp/ia64.$$$$.s;	\
-	rm -f /tmp/ia64.$$$$.s
-
-asm/x86_64-gcc.o: asm/x86_64-gcc.c
-
-asm/pa-risc2W.o: asm/pa-risc2W.s
-	/usr/ccs/bin/as -o asm/pa-risc2W.o asm/pa-risc2W.s
+bn86-out.s: asm/bn-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) bn-586.pl a.out $(CFLAGS) > ../$@)
+co86-out.s: asm/co-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) co-586.pl a.out $(CFLAGS) > ../$@)
+
+sparcv8.o:	asm/sparcv8.S
+	$(CC) $(CFLAGS) -c asm/sparcv8.S
+sparcv8plus.o:	asm/sparcv8plus.S
+	$(CC) $(CFLAGS) -c asm/sparcv8plus.S
+
+bn-mips3.o:	asm/mips3.s
+	@if [ "$(CC)" = "gcc" ]; then \
+		ABI=`expr "$(CFLAGS)" : ".*-mabi=\([n3264]*\)"` && \
+		as -$$ABI -O -o $@ asm/mips3.s; \
+	else	$(CC) -c $(CFLAGS) -o $@ asm/mips3.s; fi
+
+x86_64-gcc.o:	asm/x86_64-gcc.c
+	$(CC) $(CFLAGS) -c -o $@ asm/x86_64-gcc.c
+
+bn-ia64.s:	asm/ia64.S
+	$(CC) $(CFLAGS) -E asm/ia64.S > $@
+
+# GNU assembler fails to compile PA-RISC2 modules, insist on calling
+# vendor assembler...
+pa-risc2W.o: asm/pa-risc2W.s
+	/usr/ccs/bin/as -o pa-risc2W.o asm/pa-risc2W.s
+pa-risc2.o: asm/pa-risc2.s
+	/usr/ccs/bin/as -o pa-risc2.o asm/pa-risc2.s
+
+# ppc - AIX, Linux, MacOS X...
+linux_ppc32.s: asm/ppc.pl;	$(PERL) $< $@
+linux_ppc64.s: asm/ppc.pl;	$(PERL) $< $@
+aix_ppc32.s: asm/ppc.pl;	$(PERL) asm/ppc.pl $@
+aix_ppc64.s: asm/ppc.pl;	$(PERL) asm/ppc.pl $@
+osx_ppc32.s: asm/ppc.pl;	$(PERL) $< $@
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -131,7 +118,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -154,6 +142,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -161,7 +150,7 @@ dclean:
 	mv -f Makefile.new $(MAKEFILE)
 
 clean:
-	rm -f asm/co86unix.cpp asm/bn86unix.cpp asm/*-elf.* *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bn_asm.s
+	rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
@@ -169,101 +158,131 @@ bn_add.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_add.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_add.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_add.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_add.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_add.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_add.o: ../cryptlib.h bn_add.c bn_lcl.h
+bn_add.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_add.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_add.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_add.c bn_lcl.h
 bn_asm.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_asm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_asm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_asm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_asm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_asm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_asm.o: ../cryptlib.h bn_asm.c bn_lcl.h
+bn_asm.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_asm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_asm.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_asm.c bn_lcl.h
 bn_blind.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_blind.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_blind.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_blind.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_blind.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_blind.o: ../cryptlib.h bn_blind.c bn_lcl.h
+bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_blind.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_blind.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_blind.c bn_lcl.h
+bn_const.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+bn_const.o: ../../include/openssl/ossl_typ.h bn.h bn_const.c
 bn_ctx.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_ctx.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_ctx.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_ctx.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_ctx.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_ctx.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_ctx.o: ../cryptlib.h bn_ctx.c bn_lcl.h
+bn_ctx.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_ctx.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_ctx.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_ctx.c bn_lcl.h
+bn_depr.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_depr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_depr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_depr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_depr.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+bn_depr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_depr.o: ../cryptlib.h bn_depr.c bn_lcl.h
 bn_div.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_div.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_div.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_div.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_div.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_div.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_div.o: ../cryptlib.h bn_div.c bn_lcl.h
+bn_div.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_div.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_div.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_div.c bn_lcl.h
 bn_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 bn_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 bn_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_err.o: ../../include/openssl/symhacks.h bn_err.c
+bn_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+bn_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_err.o: bn_err.c
 bn_exp.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_exp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_exp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_exp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_exp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_exp.o: ../cryptlib.h bn_exp.c bn_lcl.h
+bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_exp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_exp.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_exp.c bn_lcl.h
 bn_exp2.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_exp2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_exp2.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_exp2.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_exp2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_exp2.o: ../cryptlib.h bn_exp2.c bn_lcl.h
+bn_exp2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_exp2.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_exp2.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_exp2.c bn_lcl.h
 bn_gcd.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_gcd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_gcd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_gcd.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_gcd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_gcd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_gcd.o: ../cryptlib.h bn_gcd.c bn_lcl.h
-bn_kron.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h
-bn_kron.o: ../../include/openssl/opensslconf.h bn_kron.c bn_lcl.h
+bn_gcd.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_gcd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_gcd.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_gcd.c bn_lcl.h
+bn_gf2m.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_gf2m.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_gf2m.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_gf2m.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_gf2m.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_gf2m.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_gf2m.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_gf2m.c bn_lcl.h
+bn_kron.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_kron.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_kron.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_kron.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_kron.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_kron.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_kron.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_kron.c bn_lcl.h
 bn_lib.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_lib.o: ../cryptlib.h bn_lcl.h bn_lib.c
+bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_lib.c
 bn_mod.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mod.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_mod.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_mod.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_mod.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_mod.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_mod.o: ../cryptlib.h bn_lcl.h bn_mod.c
+bn_mod.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_mod.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_mod.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_mod.c
 bn_mont.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mont.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_mont.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_mont.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_mont.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_mont.o: ../cryptlib.h bn_lcl.h bn_mont.c
+bn_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_mont.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_mont.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_mont.c
 bn_mpi.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mpi.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_mpi.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_mpi.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_mpi.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_mpi.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_mpi.o: ../cryptlib.h bn_lcl.h bn_mpi.c
+bn_mpi.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_mpi.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_mpi.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_mpi.c
 bn_mul.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mul.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_mul.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_mul.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_mul.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_mul.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_mul.o: ../cryptlib.h bn_lcl.h bn_mul.c
+bn_mul.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_mul.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_mul.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_mul.c
+bn_nist.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_nist.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_nist.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_nist.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_nist.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_nist.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_nist.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_nist.c
 bn_prime.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_prime.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_prime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -276,9 +295,9 @@ bn_print.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_print.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_print.o: ../cryptlib.h bn_lcl.h bn_print.c
+bn_print.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_print.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_print.c
 bn_rand.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -291,34 +310,34 @@ bn_recp.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_recp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_recp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_recp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_recp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_recp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_recp.o: ../cryptlib.h bn_lcl.h bn_recp.c
+bn_recp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_recp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_recp.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_recp.c
 bn_shift.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_shift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_shift.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_shift.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_shift.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_shift.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_shift.o: ../cryptlib.h bn_lcl.h bn_shift.c
+bn_shift.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_shift.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_shift.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_shift.c
 bn_sqr.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_sqr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_sqr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_sqr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_sqr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_sqr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_sqr.o: ../cryptlib.h bn_lcl.h bn_sqr.c
+bn_sqr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_sqr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_sqr.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_sqr.c
 bn_sqrt.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_sqrt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_sqrt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_sqrt.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_sqrt.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_sqrt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_sqrt.o: ../cryptlib.h bn_lcl.h bn_sqrt.c
+bn_sqrt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_sqrt.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_sqrt.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_sqrt.c
 bn_word.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_word.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_word.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_word.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_word.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_word.o: ../cryptlib.h bn_lcl.h bn_word.c
+bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_word.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_word.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_word.c
diff --git a/crypto/openssl/crypto/bn/asm/bn-586.pl b/crypto/openssl/crypto/bn/asm/bn-586.pl
index c4de4a2beece..26c2685a726e 100644
--- a/crypto/openssl/crypto/bn/asm/bn-586.pl
+++ b/crypto/openssl/crypto/bn/asm/bn-586.pl
@@ -5,13 +5,18 @@ require "x86asm.pl";
 
 &asm_init($ARGV[0],$0);
 
+$sse2=0;
+for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+
+&external_label("OPENSSL_ia32cap_P") if ($sse2);
+
 &bn_mul_add_words("bn_mul_add_words");
 &bn_mul_words("bn_mul_words");
 &bn_sqr_words("bn_sqr_words");
 &bn_div_words("bn_div_words");
 &bn_add_words("bn_add_words");
 &bn_sub_words("bn_sub_words");
-#&bn_sub_part_words("bn_sub_part_words");
+&bn_sub_part_words("bn_sub_part_words");
 
 &asm_finish();
 
@@ -19,7 +24,7 @@ sub bn_mul_add_words
 	{
 	local($name)=@_;
 
-	&function_begin($name,"");
+	&function_begin($name,$sse2?"EXTRN\t_OPENSSL_ia32cap_P:DWORD":"");
 
 	&comment("");
 	$Low="eax";
@@ -42,6 +47,83 @@ sub bn_mul_add_words
 
 	&jz(&label("maw_finish"));
 
+	if ($sse2) {
+		&picmeup("eax","OPENSSL_ia32cap_P");
+		&bt(&DWP(0,"eax"),26);
+		&jnc(&label("maw_loop"));
+
+		&movd("mm0",$w);		# mm0 = w
+		&pxor("mm1","mm1");		# mm1 = carry_in
+
+		&set_label("maw_sse2_loop",0);
+		&movd("mm3",&DWP(0,$r,"",0));	# mm3 = r[0]
+		&paddq("mm1","mm3");		# mm1 = carry_in + r[0]
+		&movd("mm2",&DWP(0,$a,"",0));	# mm2 = a[0]
+		&pmuludq("mm2","mm0");		# mm2 = w*a[0]
+		&movd("mm4",&DWP(4,$a,"",0));	# mm4 = a[1]
+		&pmuludq("mm4","mm0");		# mm4 = w*a[1]
+		&movd("mm6",&DWP(8,$a,"",0));	# mm6 = a[2]
+		&pmuludq("mm6","mm0");		# mm6 = w*a[2]
+		&movd("mm7",&DWP(12,$a,"",0));	# mm7 = a[3]
+		&pmuludq("mm7","mm0");		# mm7 = w*a[3]
+		&paddq("mm1","mm2");		# mm1 = carry_in + r[0] + w*a[0]
+		&movd("mm3",&DWP(4,$r,"",0));	# mm3 = r[1]
+		&paddq("mm3","mm4");		# mm3 = r[1] + w*a[1]
+		&movd("mm5",&DWP(8,$r,"",0));	# mm5 = r[2]
+		&paddq("mm5","mm6");		# mm5 = r[2] + w*a[2]
+		&movd("mm4",&DWP(12,$r,"",0));	# mm4 = r[3]
+		&paddq("mm7","mm4");		# mm7 = r[3] + w*a[3]
+		&movd(&DWP(0,$r,"",0),"mm1");
+		&movd("mm2",&DWP(16,$a,"",0));	# mm2 = a[4]
+		&pmuludq("mm2","mm0");		# mm2 = w*a[4]
+		&psrlq("mm1",32);		# mm1 = carry0
+		&movd("mm4",&DWP(20,$a,"",0));	# mm4 = a[5]
+		&pmuludq("mm4","mm0");		# mm4 = w*a[5]
+		&paddq("mm1","mm3");		# mm1 = carry0 + r[1] + w*a[1]
+		&movd("mm6",&DWP(24,$a,"",0));	# mm6 = a[6]
+		&pmuludq("mm6","mm0");		# mm6 = w*a[6]
+		&movd(&DWP(4,$r,"",0),"mm1");
+		&psrlq("mm1",32);		# mm1 = carry1
+		&movd("mm3",&DWP(28,$a,"",0));	# mm3 = a[7]
+		&add($a,32);
+		&pmuludq("mm3","mm0");		# mm3 = w*a[7]
+		&paddq("mm1","mm5");		# mm1 = carry1 + r[2] + w*a[2]
+		&movd("mm5",&DWP(16,$r,"",0));	# mm5 = r[4]
+		&paddq("mm2","mm5");		# mm2 = r[4] + w*a[4]
+		&movd(&DWP(8,$r,"",0),"mm1");
+		&psrlq("mm1",32);		# mm1 = carry2
+		&paddq("mm1","mm7");		# mm1 = carry2 + r[3] + w*a[3]
+		&movd("mm5",&DWP(20,$r,"",0));	# mm5 = r[5]
+		&paddq("mm4","mm5");		# mm4 = r[5] + w*a[5]
+		&movd(&DWP(12,$r,"",0),"mm1");
+		&psrlq("mm1",32);		# mm1 = carry3
+		&paddq("mm1","mm2");		# mm1 = carry3 + r[4] + w*a[4]
+		&movd("mm5",&DWP(24,$r,"",0));	# mm5 = r[6]
+		&paddq("mm6","mm5");		# mm6 = r[6] + w*a[6]
+		&movd(&DWP(16,$r,"",0),"mm1");
+		&psrlq("mm1",32);		# mm1 = carry4
+		&paddq("mm1","mm4");		# mm1 = carry4 + r[5] + w*a[5]
+		&movd("mm5",&DWP(28,$r,"",0));	# mm5 = r[7]
+		&paddq("mm3","mm5");		# mm3 = r[7] + w*a[7]
+		&movd(&DWP(20,$r,"",0),"mm1");
+		&psrlq("mm1",32);		# mm1 = carry5
+		&paddq("mm1","mm6");		# mm1 = carry5 + r[6] + w*a[6]
+		&movd(&DWP(24,$r,"",0),"mm1");
+		&psrlq("mm1",32);		# mm1 = carry6
+		&paddq("mm1","mm3");		# mm1 = carry6 + r[7] + w*a[7]
+		&movd(&DWP(28,$r,"",0),"mm1");
+		&add($r,32);
+		&psrlq("mm1",32);		# mm1 = carry_out
+
+		&sub("ecx",8);
+		&jnz(&label("maw_sse2_loop"));
+
+		&movd($c,"mm1");		# c = carry_out
+		&emms();
+
+		&jmp(&label("maw_finish"));
+	}
+
 	&set_label("maw_loop",0);
 
 	&mov(&swtmp(0),"ecx");	#
diff --git a/crypto/openssl/crypto/bn/asm/ppc.pl b/crypto/openssl/crypto/bn/asm/ppc.pl
new file mode 100644
index 000000000000..08e005347388
--- /dev/null
+++ b/crypto/openssl/crypto/bn/asm/ppc.pl
@@ -0,0 +1,2078 @@
+#!/usr/bin/env perl
+#
+# Implemented as a Perl wrapper as we want to support several different
+# architectures with single file. We pick up the target based on the
+# file name we are asked to generate.
+#
+# It should be noted though that this perl code is nothing like
+# <openssl>/crypto/perlasm/x86*. In this case perl is used pretty much
+# as pre-processor to cover for platform differences in name decoration,
+# linker tables, 32-/64-bit instruction sets...
+#
+# As you might know there're several PowerPC ABI in use. Most notably
+# Linux and AIX use different 32-bit ABIs. Good news are that these ABIs
+# are similar enough to implement leaf(!) functions, which would be ABI
+# neutral. And that's what you find here: ABI neutral leaf functions.
+# In case you wonder what that is...
+#
+#       AIX performance
+#
+#	MEASUREMENTS WITH cc ON a 200 MhZ PowerPC 604e.
+#
+#	The following is the performance of 32-bit compiler
+#	generated code:
+#
+#	OpenSSL 0.9.6c 21 dec 2001
+#	built on: Tue Jun 11 11:06:51 EDT 2002
+#	options:bn(64,32) ...
+#compiler: cc -DTHREADS  -DAIX -DB_ENDIAN -DBN_LLONG -O3
+#                  sign    verify    sign/s verify/s
+#rsa  512 bits   0.0098s   0.0009s    102.0   1170.6
+#rsa 1024 bits   0.0507s   0.0026s     19.7    387.5
+#rsa 2048 bits   0.3036s   0.0085s      3.3    117.1
+#rsa 4096 bits   2.0040s   0.0299s      0.5     33.4
+#dsa  512 bits   0.0087s   0.0106s    114.3     94.5
+#dsa 1024 bits   0.0256s   0.0313s     39.0     32.0	
+#
+#	Same bechmark with this assembler code:
+#
+#rsa  512 bits   0.0056s   0.0005s    178.6   2049.2
+#rsa 1024 bits   0.0283s   0.0015s     35.3    674.1
+#rsa 2048 bits   0.1744s   0.0050s      5.7    201.2
+#rsa 4096 bits   1.1644s   0.0179s      0.9     55.7
+#dsa  512 bits   0.0052s   0.0062s    191.6    162.0
+#dsa 1024 bits   0.0149s   0.0180s     67.0     55.5
+#
+#	Number of operations increases by at almost 75%
+#
+#	Here are performance numbers for 64-bit compiler
+#	generated code:
+#
+#	OpenSSL 0.9.6g [engine] 9 Aug 2002
+#	built on: Fri Apr 18 16:59:20 EDT 2003
+#	options:bn(64,64) ...
+#	compiler: cc -DTHREADS -D_REENTRANT -q64 -DB_ENDIAN -O3
+#                  sign    verify    sign/s verify/s
+#rsa  512 bits   0.0028s   0.0003s    357.1   3844.4
+#rsa 1024 bits   0.0148s   0.0008s     67.5   1239.7
+#rsa 2048 bits   0.0963s   0.0028s     10.4    353.0
+#rsa 4096 bits   0.6538s   0.0102s      1.5     98.1
+#dsa  512 bits   0.0026s   0.0032s    382.5    313.7
+#dsa 1024 bits   0.0081s   0.0099s    122.8    100.6
+#
+#	Same benchmark with this assembler code:
+#
+#rsa  512 bits   0.0020s   0.0002s    510.4   6273.7
+#rsa 1024 bits   0.0088s   0.0005s    114.1   2128.3
+#rsa 2048 bits   0.0540s   0.0016s     18.5    622.5
+#rsa 4096 bits   0.3700s   0.0058s      2.7    171.0
+#dsa  512 bits   0.0016s   0.0020s    610.7    507.1
+#dsa 1024 bits   0.0047s   0.0058s    212.5    173.2
+#	
+#	Again, performance increases by at about 75%
+#
+#       Mac OS X, Apple G5 1.8GHz (Note this is 32 bit code)
+#       OpenSSL 0.9.7c 30 Sep 2003
+#
+#       Original code.
+#
+#rsa  512 bits   0.0011s   0.0001s    906.1  11012.5
+#rsa 1024 bits   0.0060s   0.0003s    166.6   3363.1
+#rsa 2048 bits   0.0370s   0.0010s     27.1    982.4
+#rsa 4096 bits   0.2426s   0.0036s      4.1    280.4
+#dsa  512 bits   0.0010s   0.0012s   1038.1    841.5
+#dsa 1024 bits   0.0030s   0.0037s    329.6    269.7
+#dsa 2048 bits   0.0101s   0.0127s     98.9     78.6
+#
+#       Same benchmark with this assembler code:
+#
+#rsa  512 bits   0.0007s   0.0001s   1416.2  16645.9
+#rsa 1024 bits   0.0036s   0.0002s    274.4   5380.6
+#rsa 2048 bits   0.0222s   0.0006s     45.1   1589.5
+#rsa 4096 bits   0.1469s   0.0022s      6.8    449.6
+#dsa  512 bits   0.0006s   0.0007s   1664.2   1376.2
+#dsa 1024 bits   0.0018s   0.0023s    545.0    442.2
+#dsa 2048 bits   0.0061s   0.0075s    163.5    132.8
+#
+#        Performance increase of ~60%
+#
+#	If you have comments or suggestions to improve code send
+#	me a note at schari@us.ibm.com
+#
+
+$opf = shift;
+
+if ($opf =~ /32\.s/) {
+	$BITS=	32;
+	$BNSZ=	$BITS/8;
+	$ISA=	"\"ppc\"";
+
+	$LD=	"lwz";		# load
+	$LDU=	"lwzu";		# load and update
+	$ST=	"stw";		# store
+	$STU=	"stwu";		# store and update
+	$UMULL=	"mullw";	# unsigned multiply low
+	$UMULH=	"mulhwu";	# unsigned multiply high
+	$UDIV=	"divwu";	# unsigned divide
+	$UCMPI=	"cmplwi";	# unsigned compare with immediate
+	$UCMP=	"cmplw";	# unsigned compare
+	$CNTLZ=	"cntlzw";	# count leading zeros
+	$SHL=	"slw";		# shift left
+	$SHR=	"srw";		# unsigned shift right
+	$SHRI=	"srwi";		# unsigned shift right by immediate	
+	$SHLI=	"slwi";		# shift left by immediate
+	$CLRU=	"clrlwi";	# clear upper bits
+	$INSR=	"insrwi";	# insert right
+	$ROTL=	"rotlwi";	# rotate left by immediate
+	$TR=	"tw";		# conditional trap
+} elsif ($opf =~ /64\.s/) {
+	$BITS=	64;
+	$BNSZ=	$BITS/8;
+	$ISA=	"\"ppc64\"";
+
+	# same as above, but 64-bit mnemonics...
+	$LD=	"ld";		# load
+	$LDU=	"ldu";		# load and update
+	$ST=	"std";		# store
+	$STU=	"stdu";		# store and update
+	$UMULL=	"mulld";	# unsigned multiply low
+	$UMULH=	"mulhdu";	# unsigned multiply high
+	$UDIV=	"divdu";	# unsigned divide
+	$UCMPI=	"cmpldi";	# unsigned compare with immediate
+	$UCMP=	"cmpld";	# unsigned compare
+	$CNTLZ=	"cntlzd";	# count leading zeros
+	$SHL=	"sld";		# shift left
+	$SHR=	"srd";		# unsigned shift right
+	$SHRI=	"srdi";		# unsigned shift right by immediate	
+	$SHLI=	"sldi";		# shift left by immediate
+	$CLRU=	"clrldi";	# clear upper bits
+	$INSR=	"insrdi";	# insert right 
+	$ROTL=	"rotldi";	# rotate left by immediate
+	$TR=	"td";		# conditional trap
+} else { die "nonsense $opf"; }
+
+( defined shift || open STDOUT,">$opf" ) || die "can't open $opf: $!";
+
+# function entry points from the AIX code
+#
+# There are other, more elegant, ways to handle this. We (IBM) chose
+# this approach as it plays well with scripts we run to 'namespace'
+# OpenSSL .i.e. we add a prefix to all the public symbols so we can
+# co-exist in the same process with other implementations of OpenSSL.
+# 'cleverer' ways of doing these substitutions tend to hide data we
+# need to be obvious.
+#
+my @items = ("bn_sqr_comba4",
+	     "bn_sqr_comba8",
+	     "bn_mul_comba4",
+	     "bn_mul_comba8",
+	     "bn_sub_words",
+	     "bn_add_words",
+	     "bn_div_words",
+	     "bn_sqr_words",
+	     "bn_mul_words",
+	     "bn_mul_add_words");
+
+if    ($opf =~ /linux/)	{  do_linux();	}
+elsif ($opf =~ /aix/)	{  do_aix();	}
+elsif ($opf =~ /osx/)	{  do_osx();	}
+else			{  do_bsd();	}
+
+sub do_linux {
+    $d=&data();
+
+    if ($BITS==64) {
+      foreach $t (@items) {
+        $d =~ s/\.$t:/\
+\t.section\t".opd","aw"\
+\t.align\t3\
+\t.globl\t$t\
+$t:\
+\t.quad\t.$t,.TOC.\@tocbase,0\
+\t.size\t$t,24\
+\t.previous\n\
+\t.type\t.$t,\@function\
+\t.globl\t.$t\
+.$t:/g;
+      }
+    }
+    else {
+      foreach $t (@items) {
+        $d=~s/\.$t/$t/g;
+      }
+    }
+    # hide internal labels to avoid pollution of name table...
+    $d=~s/Lppcasm_/.Lppcasm_/gm;
+    print $d;
+}
+
+sub do_aix {
+    # AIX assembler is smart enough to please the linker without
+    # making us do something special...
+    print &data();
+}
+
+# MacOSX 32 bit
+sub do_osx {
+    $d=&data();
+    # Change the bn symbol prefix from '.' to '_'
+    foreach $t (@items) {
+      $d=~s/\.$t/_$t/g;
+    }
+    # Change .machine to something OS X asm will accept
+    $d=~s/\.machine.*/.text/g;
+    $d=~s/\#/;/g; # change comment from '#' to ';'
+    print $d;
+}
+
+# BSD (Untested)
+sub do_bsd {
+    $d=&data();
+    foreach $t (@items) {
+      $d=~s/\.$t/_$t/g;
+    }
+    print $d;
+}
+
+sub data {
+	local($data)=<<EOF;
+#--------------------------------------------------------------------
+#
+#
+#
+#
+#	File:		ppc32.s
+#
+#	Created by:	Suresh Chari
+#			IBM Thomas J. Watson Research Library
+#			Hawthorne, NY
+#
+#
+#	Description:	Optimized assembly routines for OpenSSL crypto
+#			on the 32 bitPowerPC platform.
+#
+#
+#	Version History
+#
+#	2. Fixed bn_add,bn_sub and bn_div_words, added comments,
+#	   cleaned up code. Also made a single version which can
+#	   be used for both the AIX and Linux compilers. See NOTE
+#	   below.
+#				12/05/03		Suresh Chari
+#			(with lots of help from)        Andy Polyakov
+##	
+#	1. Initial version	10/20/02		Suresh Chari
+#
+#
+#	The following file works for the xlc,cc
+#	and gcc compilers.
+#
+#	NOTE:	To get the file to link correctly with the gcc compiler
+#	        you have to change the names of the routines and remove
+#		the first .(dot) character. This should automatically
+#		be done in the build process.
+#
+#	Hand optimized assembly code for the following routines
+#	
+#	bn_sqr_comba4
+#	bn_sqr_comba8
+#	bn_mul_comba4
+#	bn_mul_comba8
+#	bn_sub_words
+#	bn_add_words
+#	bn_div_words
+#	bn_sqr_words
+#	bn_mul_words
+#	bn_mul_add_words
+#
+#	NOTE:	It is possible to optimize this code more for
+#	specific PowerPC or Power architectures. On the Northstar
+#	architecture the optimizations in this file do
+#	 NOT provide much improvement.
+#
+#	If you have comments or suggestions to improve code send
+#	me a note at schari\@us.ibm.com
+#
+#--------------------------------------------------------------------------
+#
+#	Defines to be used in the assembly code.
+#	
+.set r0,0	# we use it as storage for value of 0
+.set SP,1	# preserved
+.set RTOC,2	# preserved 
+.set r3,3	# 1st argument/return value
+.set r4,4	# 2nd argument/volatile register
+.set r5,5	# 3rd argument/volatile register
+.set r6,6	# ...
+.set r7,7
+.set r8,8
+.set r9,9
+.set r10,10
+.set r11,11
+.set r12,12
+.set r13,13	# not used, nor any other "below" it...
+
+.set BO_IF_NOT,4
+.set BO_IF,12
+.set BO_dCTR_NZERO,16
+.set BO_dCTR_ZERO,18
+.set BO_ALWAYS,20
+.set CR0_LT,0;
+.set CR0_GT,1;
+.set CR0_EQ,2
+.set CR1_FX,4;
+.set CR1_FEX,5;
+.set CR1_VX,6
+.set LR,8
+
+#	Declare function names to be global
+#	NOTE:	For gcc these names MUST be changed to remove
+#	        the first . i.e. for example change ".bn_sqr_comba4"
+#		to "bn_sqr_comba4". This should be automatically done
+#		in the build.
+	
+	.globl	.bn_sqr_comba4
+	.globl	.bn_sqr_comba8
+	.globl	.bn_mul_comba4
+	.globl	.bn_mul_comba8
+	.globl	.bn_sub_words
+	.globl	.bn_add_words
+	.globl	.bn_div_words
+	.globl	.bn_sqr_words
+	.globl	.bn_mul_words
+	.globl	.bn_mul_add_words
+	
+# .text section
+	
+	.machine	$ISA
+
+#
+#	NOTE:	The following label name should be changed to
+#		"bn_sqr_comba4" i.e. remove the first dot
+#		for the gcc compiler. This should be automatically
+#		done in the build
+#
+
+.align	4
+.bn_sqr_comba4:
+#
+# Optimized version of bn_sqr_comba4.
+#
+# void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+# r3 contains r
+# r4 contains a
+#
+# Freely use registers r5,r6,r7,r8,r9,r10,r11 as follows:	
+# 
+# r5,r6 are the two BN_ULONGs being multiplied.
+# r7,r8 are the results of the 32x32 giving 64 bit multiply.
+# r9,r10, r11 are the equivalents of c1,c2, c3.
+# Here's the assembly
+#
+#
+	xor		r0,r0,r0		# set r0 = 0. Used in the addze
+						# instructions below
+	
+						#sqr_add_c(a,0,c1,c2,c3)
+	$LD		r5,`0*$BNSZ`(r4)		
+	$UMULL		r9,r5,r5		
+	$UMULH		r10,r5,r5		#in first iteration. No need
+						#to add since c1=c2=c3=0.
+						# Note c3(r11) is NOT set to 0
+						# but will be.
+
+	$ST		r9,`0*$BNSZ`(r3)	# r[0]=c1;
+						# sqr_add_c2(a,1,0,c2,c3,c1);
+	$LD		r6,`1*$BNSZ`(r4)		
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+					
+	addc		r7,r7,r7		# compute (r7,r8)=2*(r7,r8)
+	adde		r8,r8,r8
+	addze		r9,r0			# catch carry if any.
+						# r9= r0(=0) and carry 
+	
+	addc		r10,r7,r10		# now add to temp result.
+	addze		r11,r8                  # r8 added to r11 which is 0 
+	addze		r9,r9
+	
+	$ST		r10,`1*$BNSZ`(r3)	#r[1]=c2; 
+						#sqr_add_c(a,1,c3,c1,c2)
+	$UMULL		r7,r6,r6
+	$UMULH		r8,r6,r6
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r0
+						#sqr_add_c2(a,2,0,c3,c1,c2)
+	$LD		r6,`2*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r7,r7,r7
+	adde		r8,r8,r8
+	addze		r10,r10
+	
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+	$ST		r11,`2*$BNSZ`(r3)	#r[2]=c3 
+						#sqr_add_c2(a,3,0,c1,c2,c3);
+	$LD		r6,`3*$BNSZ`(r4)		
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r7,r7,r7
+	adde		r8,r8,r8
+	addze		r11,r0
+	
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+						#sqr_add_c2(a,2,1,c1,c2,c3);
+	$LD		r5,`1*$BNSZ`(r4)
+	$LD		r6,`2*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r7,r7,r7
+	adde		r8,r8,r8
+	addze		r11,r11
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+	$ST		r9,`3*$BNSZ`(r3)	#r[3]=c1
+						#sqr_add_c(a,2,c2,c3,c1);
+	$UMULL		r7,r6,r6
+	$UMULH		r8,r6,r6
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r0
+						#sqr_add_c2(a,3,1,c2,c3,c1);
+	$LD		r6,`3*$BNSZ`(r4)		
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r7,r7,r7
+	adde		r8,r8,r8
+	addze		r9,r9
+	
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+	$ST		r10,`4*$BNSZ`(r3)	#r[4]=c2
+						#sqr_add_c2(a,3,2,c3,c1,c2);
+	$LD		r5,`2*$BNSZ`(r4)		
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r7,r7,r7
+	adde		r8,r8,r8
+	addze		r10,r0
+	
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+	$ST		r11,`5*$BNSZ`(r3)	#r[5] = c3
+						#sqr_add_c(a,3,c1,c2,c3);
+	$UMULL		r7,r6,r6		
+	$UMULH		r8,r6,r6
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+
+	$ST		r9,`6*$BNSZ`(r3)	#r[6]=c1
+	$ST		r10,`7*$BNSZ`(r3)	#r[7]=c2
+	bclr	BO_ALWAYS,CR0_LT
+	.long	0x00000000
+
+#
+#	NOTE:	The following label name should be changed to
+#		"bn_sqr_comba8" i.e. remove the first dot
+#		for the gcc compiler. This should be automatically
+#		done in the build
+#
+	
+.align	4
+.bn_sqr_comba8:
+#
+# This is an optimized version of the bn_sqr_comba8 routine.
+# Tightly uses the adde instruction
+#
+#
+# void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+# r3 contains r
+# r4 contains a
+#
+# Freely use registers r5,r6,r7,r8,r9,r10,r11 as follows:	
+# 
+# r5,r6 are the two BN_ULONGs being multiplied.
+# r7,r8 are the results of the 32x32 giving 64 bit multiply.
+# r9,r10, r11 are the equivalents of c1,c2, c3.
+#
+# Possible optimization of loading all 8 longs of a into registers
+# doesnt provide any speedup
+# 
+
+	xor		r0,r0,r0		#set r0 = 0.Used in addze
+						#instructions below.
+
+						#sqr_add_c(a,0,c1,c2,c3);
+	$LD		r5,`0*$BNSZ`(r4)
+	$UMULL		r9,r5,r5		#1st iteration:	no carries.
+	$UMULH		r10,r5,r5
+	$ST		r9,`0*$BNSZ`(r3)	# r[0]=c1;
+						#sqr_add_c2(a,1,0,c2,c3,c1);
+	$LD		r6,`1*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6	
+	
+	addc		r10,r7,r10		#add the two register number
+	adde		r11,r8,r0 		# (r8,r7) to the three register
+	addze		r9,r0			# number (r9,r11,r10).NOTE:r0=0
+	
+	addc		r10,r7,r10		#add the two register number
+	adde		r11,r8,r11 		# (r8,r7) to the three register
+	addze		r9,r9			# number (r9,r11,r10).
+	
+	$ST		r10,`1*$BNSZ`(r3)	# r[1]=c2
+				
+						#sqr_add_c(a,1,c3,c1,c2);
+	$UMULL		r7,r6,r6
+	$UMULH		r8,r6,r6
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r0
+						#sqr_add_c2(a,2,0,c3,c1,c2);
+	$LD		r6,`2*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+	
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+	
+	$ST		r11,`2*$BNSZ`(r3)	#r[2]=c3
+						#sqr_add_c2(a,3,0,c1,c2,c3);
+	$LD		r6,`3*$BNSZ`(r4)	#r6 = a[3]. r5 is already a[0].
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r0
+	
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+						#sqr_add_c2(a,2,1,c1,c2,c3);
+	$LD		r5,`1*$BNSZ`(r4)
+	$LD		r6,`2*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+	
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+	
+	$ST		r9,`3*$BNSZ`(r3)	#r[3]=c1;
+						#sqr_add_c(a,2,c2,c3,c1);
+	$UMULL		r7,r6,r6
+	$UMULH		r8,r6,r6
+	
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r0
+						#sqr_add_c2(a,3,1,c2,c3,c1);
+	$LD		r6,`3*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+	
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+						#sqr_add_c2(a,4,0,c2,c3,c1);
+	$LD		r5,`0*$BNSZ`(r4)
+	$LD		r6,`4*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+	
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+	$ST		r10,`4*$BNSZ`(r3)	#r[4]=c2;
+						#sqr_add_c2(a,5,0,c3,c1,c2);
+	$LD		r6,`5*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r0
+	
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+						#sqr_add_c2(a,4,1,c3,c1,c2);
+	$LD		r5,`1*$BNSZ`(r4)
+	$LD		r6,`4*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+	
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+						#sqr_add_c2(a,3,2,c3,c1,c2);
+	$LD		r5,`2*$BNSZ`(r4)
+	$LD		r6,`3*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+	
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+	$ST		r11,`5*$BNSZ`(r3)	#r[5]=c3;
+						#sqr_add_c(a,3,c1,c2,c3);
+	$UMULL		r7,r6,r6
+	$UMULH		r8,r6,r6
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r0
+						#sqr_add_c2(a,4,2,c1,c2,c3);
+	$LD		r6,`4*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+	
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+						#sqr_add_c2(a,5,1,c1,c2,c3);
+	$LD		r5,`1*$BNSZ`(r4)
+	$LD		r6,`5*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+	
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+						#sqr_add_c2(a,6,0,c1,c2,c3);
+	$LD		r5,`0*$BNSZ`(r4)
+	$LD		r6,`6*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+	$ST		r9,`6*$BNSZ`(r3)	#r[6]=c1;
+						#sqr_add_c2(a,7,0,c2,c3,c1);
+	$LD		r6,`7*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r0
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+						#sqr_add_c2(a,6,1,c2,c3,c1);
+	$LD		r5,`1*$BNSZ`(r4)
+	$LD		r6,`6*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+						#sqr_add_c2(a,5,2,c2,c3,c1);
+	$LD		r5,`2*$BNSZ`(r4)
+	$LD		r6,`5*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+						#sqr_add_c2(a,4,3,c2,c3,c1);
+	$LD		r5,`3*$BNSZ`(r4)
+	$LD		r6,`4*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+	$ST		r10,`7*$BNSZ`(r3)	#r[7]=c2;
+						#sqr_add_c(a,4,c3,c1,c2);
+	$UMULL		r7,r6,r6
+	$UMULH		r8,r6,r6
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r0
+						#sqr_add_c2(a,5,3,c3,c1,c2);
+	$LD		r6,`5*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+						#sqr_add_c2(a,6,2,c3,c1,c2);
+	$LD		r5,`2*$BNSZ`(r4)
+	$LD		r6,`6*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+	
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+						#sqr_add_c2(a,7,1,c3,c1,c2);
+	$LD		r5,`1*$BNSZ`(r4)
+	$LD		r6,`7*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+	$ST		r11,`8*$BNSZ`(r3)	#r[8]=c3;
+						#sqr_add_c2(a,7,2,c1,c2,c3);
+	$LD		r5,`2*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r0
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+						#sqr_add_c2(a,6,3,c1,c2,c3);
+	$LD		r5,`3*$BNSZ`(r4)
+	$LD		r6,`6*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+						#sqr_add_c2(a,5,4,c1,c2,c3);
+	$LD		r5,`4*$BNSZ`(r4)
+	$LD		r6,`5*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+	$ST		r9,`9*$BNSZ`(r3)	#r[9]=c1;
+						#sqr_add_c(a,5,c2,c3,c1);
+	$UMULL		r7,r6,r6
+	$UMULH		r8,r6,r6
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r0
+						#sqr_add_c2(a,6,4,c2,c3,c1);
+	$LD		r6,`6*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+						#sqr_add_c2(a,7,3,c2,c3,c1);
+	$LD		r5,`3*$BNSZ`(r4)
+	$LD		r6,`7*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+	$ST		r10,`10*$BNSZ`(r3)	#r[10]=c2;
+						#sqr_add_c2(a,7,4,c3,c1,c2);
+	$LD		r5,`4*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r0
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+						#sqr_add_c2(a,6,5,c3,c1,c2);
+	$LD		r5,`5*$BNSZ`(r4)
+	$LD		r6,`6*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	addze		r10,r10
+	$ST		r11,`11*$BNSZ`(r3)	#r[11]=c3;
+						#sqr_add_c(a,6,c1,c2,c3);
+	$UMULL		r7,r6,r6
+	$UMULH		r8,r6,r6
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r0
+						#sqr_add_c2(a,7,5,c1,c2,c3)
+	$LD		r6,`7*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+	addc		r9,r7,r9
+	adde		r10,r8,r10
+	addze		r11,r11
+	$ST		r9,`12*$BNSZ`(r3)	#r[12]=c1;
+	
+						#sqr_add_c2(a,7,6,c2,c3,c1)
+	$LD		r5,`6*$BNSZ`(r4)
+	$UMULL		r7,r5,r6
+	$UMULH		r8,r5,r6
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r0
+	addc		r10,r7,r10
+	adde		r11,r8,r11
+	addze		r9,r9
+	$ST		r10,`13*$BNSZ`(r3)	#r[13]=c2;
+						#sqr_add_c(a,7,c3,c1,c2);
+	$UMULL		r7,r6,r6
+	$UMULH		r8,r6,r6
+	addc		r11,r7,r11
+	adde		r9,r8,r9
+	$ST		r11,`14*$BNSZ`(r3)	#r[14]=c3;
+	$ST		r9, `15*$BNSZ`(r3)	#r[15]=c1;
+
+
+	bclr	BO_ALWAYS,CR0_LT
+
+	.long	0x00000000
+
+#
+#	NOTE:	The following label name should be changed to
+#		"bn_mul_comba4" i.e. remove the first dot
+#		for the gcc compiler. This should be automatically
+#		done in the build
+#
+
+.align	4
+.bn_mul_comba4:
+#
+# This is an optimized version of the bn_mul_comba4 routine.
+#
+# void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+# r3 contains r
+# r4 contains a
+# r5 contains b
+# r6, r7 are the 2 BN_ULONGs being multiplied.
+# r8, r9 are the results of the 32x32 giving 64 multiply.
+# r10, r11, r12 are the equivalents of c1, c2, and c3.
+#
+	xor	r0,r0,r0		#r0=0. Used in addze below.
+					#mul_add_c(a[0],b[0],c1,c2,c3);
+	$LD	r6,`0*$BNSZ`(r4)		
+	$LD	r7,`0*$BNSZ`(r5)		
+	$UMULL	r10,r6,r7		
+	$UMULH	r11,r6,r7		
+	$ST	r10,`0*$BNSZ`(r3)	#r[0]=c1
+					#mul_add_c(a[0],b[1],c2,c3,c1);
+	$LD	r7,`1*$BNSZ`(r5)		
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r8,r11
+	adde	r12,r9,r0
+	addze	r10,r0
+					#mul_add_c(a[1],b[0],c2,c3,c1);
+	$LD	r6, `1*$BNSZ`(r4)		
+	$LD	r7, `0*$BNSZ`(r5)		
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r8,r11
+	adde	r12,r9,r12
+	addze	r10,r10
+	$ST	r11,`1*$BNSZ`(r3)	#r[1]=c2
+					#mul_add_c(a[2],b[0],c3,c1,c2);
+	$LD	r6,`2*$BNSZ`(r4)		
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r8,r12
+	adde	r10,r9,r10
+	addze	r11,r0
+					#mul_add_c(a[1],b[1],c3,c1,c2);
+	$LD	r6,`1*$BNSZ`(r4)		
+	$LD	r7,`1*$BNSZ`(r5)		
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r8,r12
+	adde	r10,r9,r10
+	addze	r11,r11
+					#mul_add_c(a[0],b[2],c3,c1,c2);
+	$LD	r6,`0*$BNSZ`(r4)		
+	$LD	r7,`2*$BNSZ`(r5)		
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r8,r12
+	adde	r10,r9,r10
+	addze	r11,r11
+	$ST	r12,`2*$BNSZ`(r3)	#r[2]=c3
+					#mul_add_c(a[0],b[3],c1,c2,c3);
+	$LD	r7,`3*$BNSZ`(r5)		
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r8,r10
+	adde	r11,r9,r11
+	addze	r12,r0
+					#mul_add_c(a[1],b[2],c1,c2,c3);
+	$LD	r6,`1*$BNSZ`(r4)
+	$LD	r7,`2*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r8,r10
+	adde	r11,r9,r11
+	addze	r12,r12
+					#mul_add_c(a[2],b[1],c1,c2,c3);
+	$LD	r6,`2*$BNSZ`(r4)
+	$LD	r7,`1*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r8,r10
+	adde	r11,r9,r11
+	addze	r12,r12
+					#mul_add_c(a[3],b[0],c1,c2,c3);
+	$LD	r6,`3*$BNSZ`(r4)
+	$LD	r7,`0*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r8,r10
+	adde	r11,r9,r11
+	addze	r12,r12
+	$ST	r10,`3*$BNSZ`(r3)	#r[3]=c1
+					#mul_add_c(a[3],b[1],c2,c3,c1);
+	$LD	r7,`1*$BNSZ`(r5)		
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r8,r11
+	adde	r12,r9,r12
+	addze	r10,r0
+					#mul_add_c(a[2],b[2],c2,c3,c1);
+	$LD	r6,`2*$BNSZ`(r4)
+	$LD	r7,`2*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r8,r11
+	adde	r12,r9,r12
+	addze	r10,r10
+					#mul_add_c(a[1],b[3],c2,c3,c1);
+	$LD	r6,`1*$BNSZ`(r4)
+	$LD	r7,`3*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r8,r11
+	adde	r12,r9,r12
+	addze	r10,r10
+	$ST	r11,`4*$BNSZ`(r3)	#r[4]=c2
+					#mul_add_c(a[2],b[3],c3,c1,c2);
+	$LD	r6,`2*$BNSZ`(r4)		
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r8,r12
+	adde	r10,r9,r10
+	addze	r11,r0
+					#mul_add_c(a[3],b[2],c3,c1,c2);
+	$LD	r6,`3*$BNSZ`(r4)
+	$LD	r7,`2*$BNSZ`(r4)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r8,r12
+	adde	r10,r9,r10
+	addze	r11,r11
+	$ST	r12,`5*$BNSZ`(r3)	#r[5]=c3
+					#mul_add_c(a[3],b[3],c1,c2,c3);
+	$LD	r7,`3*$BNSZ`(r5)		
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r8,r10
+	adde	r11,r9,r11
+
+	$ST	r10,`6*$BNSZ`(r3)	#r[6]=c1
+	$ST	r11,`7*$BNSZ`(r3)	#r[7]=c2
+	bclr	BO_ALWAYS,CR0_LT
+	.long	0x00000000
+
+#
+#	NOTE:	The following label name should be changed to
+#		"bn_mul_comba8" i.e. remove the first dot
+#		for the gcc compiler. This should be automatically
+#		done in the build
+#
+	
+.align	4
+.bn_mul_comba8:
+#
+# Optimized version of the bn_mul_comba8 routine.
+#
+# void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+# r3 contains r
+# r4 contains a
+# r5 contains b
+# r6, r7 are the 2 BN_ULONGs being multiplied.
+# r8, r9 are the results of the 32x32 giving 64 multiply.
+# r10, r11, r12 are the equivalents of c1, c2, and c3.
+#
+	xor	r0,r0,r0		#r0=0. Used in addze below.
+	
+					#mul_add_c(a[0],b[0],c1,c2,c3);
+	$LD	r6,`0*$BNSZ`(r4)	#a[0]
+	$LD	r7,`0*$BNSZ`(r5)	#b[0]
+	$UMULL	r10,r6,r7
+	$UMULH	r11,r6,r7
+	$ST	r10,`0*$BNSZ`(r3)	#r[0]=c1;
+					#mul_add_c(a[0],b[1],c2,c3,c1);
+	$LD	r7,`1*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	addze	r12,r9			# since we didnt set r12 to zero before.
+	addze	r10,r0
+					#mul_add_c(a[1],b[0],c2,c3,c1);
+	$LD	r6,`1*$BNSZ`(r4)
+	$LD	r7,`0*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+	$ST	r11,`1*$BNSZ`(r3)	#r[1]=c2;
+					#mul_add_c(a[2],b[0],c3,c1,c2);
+	$LD	r6,`2*$BNSZ`(r4)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r0
+					#mul_add_c(a[1],b[1],c3,c1,c2);
+	$LD	r6,`1*$BNSZ`(r4)
+	$LD	r7,`1*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+					#mul_add_c(a[0],b[2],c3,c1,c2);
+	$LD	r6,`0*$BNSZ`(r4)
+	$LD	r7,`2*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+	$ST	r12,`2*$BNSZ`(r3)	#r[2]=c3;
+					#mul_add_c(a[0],b[3],c1,c2,c3);
+	$LD	r7,`3*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r0
+					#mul_add_c(a[1],b[2],c1,c2,c3);
+	$LD	r6,`1*$BNSZ`(r4)
+	$LD	r7,`2*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+		
+					#mul_add_c(a[2],b[1],c1,c2,c3);
+	$LD	r6,`2*$BNSZ`(r4)
+	$LD	r7,`1*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+					#mul_add_c(a[3],b[0],c1,c2,c3);
+	$LD	r6,`3*$BNSZ`(r4)
+	$LD	r7,`0*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+	$ST	r10,`3*$BNSZ`(r3)	#r[3]=c1;
+					#mul_add_c(a[4],b[0],c2,c3,c1);
+	$LD	r6,`4*$BNSZ`(r4)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r0
+					#mul_add_c(a[3],b[1],c2,c3,c1);
+	$LD	r6,`3*$BNSZ`(r4)
+	$LD	r7,`1*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+					#mul_add_c(a[2],b[2],c2,c3,c1);
+	$LD	r6,`2*$BNSZ`(r4)
+	$LD	r7,`2*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+					#mul_add_c(a[1],b[3],c2,c3,c1);
+	$LD	r6,`1*$BNSZ`(r4)
+	$LD	r7,`3*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+					#mul_add_c(a[0],b[4],c2,c3,c1);
+	$LD	r6,`0*$BNSZ`(r4)
+	$LD	r7,`4*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+	$ST	r11,`4*$BNSZ`(r3)	#r[4]=c2;
+					#mul_add_c(a[0],b[5],c3,c1,c2);
+	$LD	r7,`5*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r0
+					#mul_add_c(a[1],b[4],c3,c1,c2);
+	$LD	r6,`1*$BNSZ`(r4)		
+	$LD	r7,`4*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+					#mul_add_c(a[2],b[3],c3,c1,c2);
+	$LD	r6,`2*$BNSZ`(r4)		
+	$LD	r7,`3*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+					#mul_add_c(a[3],b[2],c3,c1,c2);
+	$LD	r6,`3*$BNSZ`(r4)		
+	$LD	r7,`2*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+					#mul_add_c(a[4],b[1],c3,c1,c2);
+	$LD	r6,`4*$BNSZ`(r4)		
+	$LD	r7,`1*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+					#mul_add_c(a[5],b[0],c3,c1,c2);
+	$LD	r6,`5*$BNSZ`(r4)		
+	$LD	r7,`0*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+	$ST	r12,`5*$BNSZ`(r3)	#r[5]=c3;
+					#mul_add_c(a[6],b[0],c1,c2,c3);
+	$LD	r6,`6*$BNSZ`(r4)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r0
+					#mul_add_c(a[5],b[1],c1,c2,c3);
+	$LD	r6,`5*$BNSZ`(r4)
+	$LD	r7,`1*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+					#mul_add_c(a[4],b[2],c1,c2,c3);
+	$LD	r6,`4*$BNSZ`(r4)
+	$LD	r7,`2*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+					#mul_add_c(a[3],b[3],c1,c2,c3);
+	$LD	r6,`3*$BNSZ`(r4)
+	$LD	r7,`3*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+					#mul_add_c(a[2],b[4],c1,c2,c3);
+	$LD	r6,`2*$BNSZ`(r4)
+	$LD	r7,`4*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+					#mul_add_c(a[1],b[5],c1,c2,c3);
+	$LD	r6,`1*$BNSZ`(r4)
+	$LD	r7,`5*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+					#mul_add_c(a[0],b[6],c1,c2,c3);
+	$LD	r6,`0*$BNSZ`(r4)
+	$LD	r7,`6*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+	$ST	r10,`6*$BNSZ`(r3)	#r[6]=c1;
+					#mul_add_c(a[0],b[7],c2,c3,c1);
+	$LD	r7,`7*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r0
+					#mul_add_c(a[1],b[6],c2,c3,c1);
+	$LD	r6,`1*$BNSZ`(r4)
+	$LD	r7,`6*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+					#mul_add_c(a[2],b[5],c2,c3,c1);
+	$LD	r6,`2*$BNSZ`(r4)
+	$LD	r7,`5*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+					#mul_add_c(a[3],b[4],c2,c3,c1);
+	$LD	r6,`3*$BNSZ`(r4)
+	$LD	r7,`4*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+					#mul_add_c(a[4],b[3],c2,c3,c1);
+	$LD	r6,`4*$BNSZ`(r4)
+	$LD	r7,`3*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+					#mul_add_c(a[5],b[2],c2,c3,c1);
+	$LD	r6,`5*$BNSZ`(r4)
+	$LD	r7,`2*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+					#mul_add_c(a[6],b[1],c2,c3,c1);
+	$LD	r6,`6*$BNSZ`(r4)
+	$LD	r7,`1*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+					#mul_add_c(a[7],b[0],c2,c3,c1);
+	$LD	r6,`7*$BNSZ`(r4)
+	$LD	r7,`0*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+	$ST	r11,`7*$BNSZ`(r3)	#r[7]=c2;
+					#mul_add_c(a[7],b[1],c3,c1,c2);
+	$LD	r7,`1*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r0
+					#mul_add_c(a[6],b[2],c3,c1,c2);
+	$LD	r6,`6*$BNSZ`(r4)
+	$LD	r7,`2*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+					#mul_add_c(a[5],b[3],c3,c1,c2);
+	$LD	r6,`5*$BNSZ`(r4)
+	$LD	r7,`3*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+					#mul_add_c(a[4],b[4],c3,c1,c2);
+	$LD	r6,`4*$BNSZ`(r4)
+	$LD	r7,`4*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+					#mul_add_c(a[3],b[5],c3,c1,c2);
+	$LD	r6,`3*$BNSZ`(r4)
+	$LD	r7,`5*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+					#mul_add_c(a[2],b[6],c3,c1,c2);
+	$LD	r6,`2*$BNSZ`(r4)
+	$LD	r7,`6*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+					#mul_add_c(a[1],b[7],c3,c1,c2);
+	$LD	r6,`1*$BNSZ`(r4)
+	$LD	r7,`7*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+	$ST	r12,`8*$BNSZ`(r3)	#r[8]=c3;
+					#mul_add_c(a[2],b[7],c1,c2,c3);
+	$LD	r6,`2*$BNSZ`(r4)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r0
+					#mul_add_c(a[3],b[6],c1,c2,c3);
+	$LD	r6,`3*$BNSZ`(r4)
+	$LD	r7,`6*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+					#mul_add_c(a[4],b[5],c1,c2,c3);
+	$LD	r6,`4*$BNSZ`(r4)
+	$LD	r7,`5*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+					#mul_add_c(a[5],b[4],c1,c2,c3);
+	$LD	r6,`5*$BNSZ`(r4)
+	$LD	r7,`4*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+					#mul_add_c(a[6],b[3],c1,c2,c3);
+	$LD	r6,`6*$BNSZ`(r4)
+	$LD	r7,`3*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+					#mul_add_c(a[7],b[2],c1,c2,c3);
+	$LD	r6,`7*$BNSZ`(r4)
+	$LD	r7,`2*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+	$ST	r10,`9*$BNSZ`(r3)	#r[9]=c1;
+					#mul_add_c(a[7],b[3],c2,c3,c1);
+	$LD	r7,`3*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r0
+					#mul_add_c(a[6],b[4],c2,c3,c1);
+	$LD	r6,`6*$BNSZ`(r4)
+	$LD	r7,`4*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+					#mul_add_c(a[5],b[5],c2,c3,c1);
+	$LD	r6,`5*$BNSZ`(r4)
+	$LD	r7,`5*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+					#mul_add_c(a[4],b[6],c2,c3,c1);
+	$LD	r6,`4*$BNSZ`(r4)
+	$LD	r7,`6*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+					#mul_add_c(a[3],b[7],c2,c3,c1);
+	$LD	r6,`3*$BNSZ`(r4)
+	$LD	r7,`7*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+	$ST	r11,`10*$BNSZ`(r3)	#r[10]=c2;
+					#mul_add_c(a[4],b[7],c3,c1,c2);
+	$LD	r6,`4*$BNSZ`(r4)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r0
+					#mul_add_c(a[5],b[6],c3,c1,c2);
+	$LD	r6,`5*$BNSZ`(r4)
+	$LD	r7,`6*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+					#mul_add_c(a[6],b[5],c3,c1,c2);
+	$LD	r6,`6*$BNSZ`(r4)
+	$LD	r7,`5*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+					#mul_add_c(a[7],b[4],c3,c1,c2);
+	$LD	r6,`7*$BNSZ`(r4)
+	$LD	r7,`4*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	addze	r11,r11
+	$ST	r12,`11*$BNSZ`(r3)	#r[11]=c3;
+					#mul_add_c(a[7],b[5],c1,c2,c3);
+	$LD	r7,`5*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r0
+					#mul_add_c(a[6],b[6],c1,c2,c3);
+	$LD	r6,`6*$BNSZ`(r4)
+	$LD	r7,`6*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+					#mul_add_c(a[5],b[7],c1,c2,c3);
+	$LD	r6,`5*$BNSZ`(r4)
+	$LD	r7,`7*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r10,r10,r8
+	adde	r11,r11,r9
+	addze	r12,r12
+	$ST	r10,`12*$BNSZ`(r3)	#r[12]=c1;
+					#mul_add_c(a[6],b[7],c2,c3,c1);
+	$LD	r6,`6*$BNSZ`(r4)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r0
+					#mul_add_c(a[7],b[6],c2,c3,c1);
+	$LD	r6,`7*$BNSZ`(r4)
+	$LD	r7,`6*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r11,r11,r8
+	adde	r12,r12,r9
+	addze	r10,r10
+	$ST	r11,`13*$BNSZ`(r3)	#r[13]=c2;
+					#mul_add_c(a[7],b[7],c3,c1,c2);
+	$LD	r7,`7*$BNSZ`(r5)
+	$UMULL	r8,r6,r7
+	$UMULH	r9,r6,r7
+	addc	r12,r12,r8
+	adde	r10,r10,r9
+	$ST	r12,`14*$BNSZ`(r3)	#r[14]=c3;
+	$ST	r10,`15*$BNSZ`(r3)	#r[15]=c1;
+	bclr	BO_ALWAYS,CR0_LT
+	.long	0x00000000
+
+#
+#	NOTE:	The following label name should be changed to
+#		"bn_sub_words" i.e. remove the first dot
+#		for the gcc compiler. This should be automatically
+#		done in the build
+#
+#
+.align	4
+.bn_sub_words:
+#
+#	Handcoded version of bn_sub_words
+#
+#BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+#
+#	r3 = r
+#	r4 = a
+#	r5 = b
+#	r6 = n
+#
+#       Note:	No loop unrolling done since this is not a performance
+#               critical loop.
+
+	xor	r0,r0,r0	#set r0 = 0
+#
+#	check for r6 = 0 AND set carry bit.
+#
+	subfc.	r7,r0,r6        # If r6 is 0 then result is 0.
+				# if r6 > 0 then result !=0
+				# In either case carry bit is set.
+	bc	BO_IF,CR0_EQ,Lppcasm_sub_adios
+	addi	r4,r4,-$BNSZ
+	addi	r3,r3,-$BNSZ
+	addi	r5,r5,-$BNSZ
+	mtctr	r6
+Lppcasm_sub_mainloop:	
+	$LDU	r7,$BNSZ(r4)
+	$LDU	r8,$BNSZ(r5)
+	subfe	r6,r8,r7	# r6 = r7+carry bit + onescomplement(r8)
+				# if carry = 1 this is r7-r8. Else it
+				# is r7-r8 -1 as we need.
+	$STU	r6,$BNSZ(r3)
+	bc	BO_dCTR_NZERO,CR0_EQ,Lppcasm_sub_mainloop
+Lppcasm_sub_adios:	
+	subfze	r3,r0		# if carry bit is set then r3 = 0 else -1
+	andi.	r3,r3,1         # keep only last bit.
+	bclr	BO_ALWAYS,CR0_LT
+	.long	0x00000000
+
+
+#
+#	NOTE:	The following label name should be changed to
+#		"bn_add_words" i.e. remove the first dot
+#		for the gcc compiler. This should be automatically
+#		done in the build
+#
+
+.align	4
+.bn_add_words:
+#
+#	Handcoded version of bn_add_words
+#
+#BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+#
+#	r3 = r
+#	r4 = a
+#	r5 = b
+#	r6 = n
+#
+#       Note:	No loop unrolling done since this is not a performance
+#               critical loop.
+
+	xor	r0,r0,r0
+#
+#	check for r6 = 0. Is this needed?
+#
+	addic.	r6,r6,0		#test r6 and clear carry bit.
+	bc	BO_IF,CR0_EQ,Lppcasm_add_adios
+	addi	r4,r4,-$BNSZ
+	addi	r3,r3,-$BNSZ
+	addi	r5,r5,-$BNSZ
+	mtctr	r6
+Lppcasm_add_mainloop:	
+	$LDU	r7,$BNSZ(r4)
+	$LDU	r8,$BNSZ(r5)
+	adde	r8,r7,r8
+	$STU	r8,$BNSZ(r3)
+	bc	BO_dCTR_NZERO,CR0_EQ,Lppcasm_add_mainloop
+Lppcasm_add_adios:	
+	addze	r3,r0			#return carry bit.
+	bclr	BO_ALWAYS,CR0_LT
+	.long	0x00000000
+
+#
+#	NOTE:	The following label name should be changed to
+#		"bn_div_words" i.e. remove the first dot
+#		for the gcc compiler. This should be automatically
+#		done in the build
+#
+
+.align	4
+.bn_div_words:
+#
+#	This is a cleaned up version of code generated by
+#	the AIX compiler. The only optimization is to use
+#	the PPC instruction to count leading zeros instead
+#	of call to num_bits_word. Since this was compiled
+#	only at level -O2 we can possibly squeeze it more?
+#	
+#	r3 = h
+#	r4 = l
+#	r5 = d
+	
+	$UCMPI	0,r5,0			# compare r5 and 0
+	bc	BO_IF_NOT,CR0_EQ,Lppcasm_div1	# proceed if d!=0
+	li	r3,-1			# d=0 return -1
+	bclr	BO_ALWAYS,CR0_LT	
+Lppcasm_div1:
+	xor	r0,r0,r0		#r0=0
+	li	r8,$BITS
+	$CNTLZ.	r7,r5			#r7 = num leading 0s in d.
+	bc	BO_IF,CR0_EQ,Lppcasm_div2	#proceed if no leading zeros
+	subf	r8,r7,r8		#r8 = BN_num_bits_word(d)
+	$SHR.	r9,r3,r8		#are there any bits above r8'th?
+	$TR	16,r9,r0		#if there're, signal to dump core...
+Lppcasm_div2:
+	$UCMP	0,r3,r5			#h>=d?
+	bc	BO_IF,CR0_LT,Lppcasm_div3	#goto Lppcasm_div3 if not
+	subf	r3,r5,r3		#h-=d ; 
+Lppcasm_div3:				#r7 = BN_BITS2-i. so r7=i
+	cmpi	0,0,r7,0		# is (i == 0)?
+	bc	BO_IF,CR0_EQ,Lppcasm_div4
+	$SHL	r3,r3,r7		# h = (h<< i)
+	$SHR	r8,r4,r8		# r8 = (l >> BN_BITS2 -i)
+	$SHL	r5,r5,r7		# d<<=i
+	or	r3,r3,r8		# h = (h<<i)|(l>>(BN_BITS2-i))
+	$SHL	r4,r4,r7		# l <<=i
+Lppcasm_div4:
+	$SHRI	r9,r5,`$BITS/2`		# r9 = dh
+					# dl will be computed when needed
+					# as it saves registers.
+	li	r6,2			#r6=2
+	mtctr	r6			#counter will be in count.
+Lppcasm_divouterloop: 
+	$SHRI	r8,r3,`$BITS/2`		#r8 = (h>>BN_BITS4)
+	$SHRI	r11,r4,`$BITS/2`	#r11= (l&BN_MASK2h)>>BN_BITS4
+					# compute here for innerloop.
+	$UCMP	0,r8,r9			# is (h>>BN_BITS4)==dh
+	bc	BO_IF_NOT,CR0_EQ,Lppcasm_div5	# goto Lppcasm_div5 if not
+
+	li	r8,-1
+	$CLRU	r8,r8,`$BITS/2`		#q = BN_MASK2l 
+	b	Lppcasm_div6
+Lppcasm_div5:
+	$UDIV	r8,r3,r9		#q = h/dh
+Lppcasm_div6:
+	$UMULL	r12,r9,r8		#th = q*dh
+	$CLRU	r10,r5,`$BITS/2`	#r10=dl
+	$UMULL	r6,r8,r10		#tl = q*dl
+	
+Lppcasm_divinnerloop:
+	subf	r10,r12,r3		#t = h -th
+	$SHRI	r7,r10,`$BITS/2`	#r7= (t &BN_MASK2H), sort of...
+	addic.	r7,r7,0			#test if r7 == 0. used below.
+					# now want to compute
+					# r7 = (t<<BN_BITS4)|((l&BN_MASK2h)>>BN_BITS4)
+					# the following 2 instructions do that
+	$SHLI	r7,r10,`$BITS/2`	# r7 = (t<<BN_BITS4)
+	or	r7,r7,r11		# r7|=((l&BN_MASK2h)>>BN_BITS4)
+	$UCMP	1,r6,r7			# compare (tl <= r7)
+	bc	BO_IF_NOT,CR0_EQ,Lppcasm_divinnerexit
+	bc	BO_IF_NOT,CR1_FEX,Lppcasm_divinnerexit
+	addi	r8,r8,-1		#q--
+	subf	r12,r9,r12		#th -=dh
+	$CLRU	r10,r5,`$BITS/2`	#r10=dl. t is no longer needed in loop.
+	subf	r6,r10,r6		#tl -=dl
+	b	Lppcasm_divinnerloop
+Lppcasm_divinnerexit:
+	$SHRI	r10,r6,`$BITS/2`	#t=(tl>>BN_BITS4)
+	$SHLI	r11,r6,`$BITS/2`	#tl=(tl<<BN_BITS4)&BN_MASK2h;
+	$UCMP	1,r4,r11		# compare l and tl
+	add	r12,r12,r10		# th+=t
+	bc	BO_IF_NOT,CR1_FX,Lppcasm_div7  # if (l>=tl) goto Lppcasm_div7
+	addi	r12,r12,1		# th++
+Lppcasm_div7:
+	subf	r11,r11,r4		#r11=l-tl
+	$UCMP	1,r3,r12		#compare h and th
+	bc	BO_IF_NOT,CR1_FX,Lppcasm_div8	#if (h>=th) goto Lppcasm_div8
+	addi	r8,r8,-1		# q--
+	add	r3,r5,r3		# h+=d
+Lppcasm_div8:
+	subf	r12,r12,r3		#r12 = h-th
+	$SHLI	r4,r11,`$BITS/2`	#l=(l&BN_MASK2l)<<BN_BITS4
+					# want to compute
+					# h = ((h<<BN_BITS4)|(l>>BN_BITS4))&BN_MASK2
+					# the following 2 instructions will do this.
+	$INSR	r11,r12,`$BITS/2`,`$BITS/2`	# r11 is the value we want rotated $BITS/2.
+	$ROTL	r3,r11,`$BITS/2`	# rotate by $BITS/2 and store in r3
+	bc	BO_dCTR_ZERO,CR0_EQ,Lppcasm_div9#if (count==0) break ;
+	$SHLI	r0,r8,`$BITS/2`		#ret =q<<BN_BITS4
+	b	Lppcasm_divouterloop
+Lppcasm_div9:
+	or	r3,r8,r0
+	bclr	BO_ALWAYS,CR0_LT
+	.long	0x00000000
+
+#
+#	NOTE:	The following label name should be changed to
+#		"bn_sqr_words" i.e. remove the first dot
+#		for the gcc compiler. This should be automatically
+#		done in the build
+#
+.align	4
+.bn_sqr_words:
+#
+#	Optimized version of bn_sqr_words
+#
+#	void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
+#
+#	r3 = r
+#	r4 = a
+#	r5 = n
+#
+#	r6 = a[i].
+#	r7,r8 = product.
+#
+#	No unrolling done here. Not performance critical.
+
+	addic.	r5,r5,0			#test r5.
+	bc	BO_IF,CR0_EQ,Lppcasm_sqr_adios
+	addi	r4,r4,-$BNSZ
+	addi	r3,r3,-$BNSZ
+	mtctr	r5
+Lppcasm_sqr_mainloop:	
+					#sqr(r[0],r[1],a[0]);
+	$LDU	r6,$BNSZ(r4)
+	$UMULL	r7,r6,r6
+	$UMULH  r8,r6,r6
+	$STU	r7,$BNSZ(r3)
+	$STU	r8,$BNSZ(r3)
+	bc	BO_dCTR_NZERO,CR0_EQ,Lppcasm_sqr_mainloop
+Lppcasm_sqr_adios:	
+	bclr	BO_ALWAYS,CR0_LT
+	.long	0x00000000
+
+
+#
+#	NOTE:	The following label name should be changed to
+#		"bn_mul_words" i.e. remove the first dot
+#		for the gcc compiler. This should be automatically
+#		done in the build
+#
+
+.align	4	
+.bn_mul_words:
+#
+# BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+#
+# r3 = rp
+# r4 = ap
+# r5 = num
+# r6 = w
+	xor	r0,r0,r0
+	xor	r12,r12,r12		# used for carry
+	rlwinm.	r7,r5,30,2,31		# num >> 2
+	bc	BO_IF,CR0_EQ,Lppcasm_mw_REM
+	mtctr	r7
+Lppcasm_mw_LOOP:	
+					#mul(rp[0],ap[0],w,c1);
+	$LD	r8,`0*$BNSZ`(r4)
+	$UMULL	r9,r6,r8
+	$UMULH  r10,r6,r8
+	addc	r9,r9,r12
+	#addze	r10,r10			#carry is NOT ignored.
+					#will be taken care of
+					#in second spin below
+					#using adde.
+	$ST	r9,`0*$BNSZ`(r3)
+					#mul(rp[1],ap[1],w,c1);
+	$LD	r8,`1*$BNSZ`(r4)	
+	$UMULL	r11,r6,r8
+	$UMULH  r12,r6,r8
+	adde	r11,r11,r10
+	#addze	r12,r12
+	$ST	r11,`1*$BNSZ`(r3)
+					#mul(rp[2],ap[2],w,c1);
+	$LD	r8,`2*$BNSZ`(r4)
+	$UMULL	r9,r6,r8
+	$UMULH  r10,r6,r8
+	adde	r9,r9,r12
+	#addze	r10,r10
+	$ST	r9,`2*$BNSZ`(r3)
+					#mul_add(rp[3],ap[3],w,c1);
+	$LD	r8,`3*$BNSZ`(r4)
+	$UMULL	r11,r6,r8
+	$UMULH  r12,r6,r8
+	adde	r11,r11,r10
+	addze	r12,r12			#this spin we collect carry into
+					#r12
+	$ST	r11,`3*$BNSZ`(r3)
+	
+	addi	r3,r3,`4*$BNSZ`
+	addi	r4,r4,`4*$BNSZ`
+	bc	BO_dCTR_NZERO,CR0_EQ,Lppcasm_mw_LOOP
+
+Lppcasm_mw_REM:
+	andi.	r5,r5,0x3
+	bc	BO_IF,CR0_EQ,Lppcasm_mw_OVER
+					#mul(rp[0],ap[0],w,c1);
+	$LD	r8,`0*$BNSZ`(r4)
+	$UMULL	r9,r6,r8
+	$UMULH  r10,r6,r8
+	addc	r9,r9,r12
+	addze	r10,r10
+	$ST	r9,`0*$BNSZ`(r3)
+	addi	r12,r10,0
+	
+	addi	r5,r5,-1
+	cmpli	0,0,r5,0
+	bc	BO_IF,CR0_EQ,Lppcasm_mw_OVER
+
+	
+					#mul(rp[1],ap[1],w,c1);
+	$LD	r8,`1*$BNSZ`(r4)	
+	$UMULL	r9,r6,r8
+	$UMULH  r10,r6,r8
+	addc	r9,r9,r12
+	addze	r10,r10
+	$ST	r9,`1*$BNSZ`(r3)
+	addi	r12,r10,0
+	
+	addi	r5,r5,-1
+	cmpli	0,0,r5,0
+	bc	BO_IF,CR0_EQ,Lppcasm_mw_OVER
+	
+					#mul_add(rp[2],ap[2],w,c1);
+	$LD	r8,`2*$BNSZ`(r4)
+	$UMULL	r9,r6,r8
+	$UMULH  r10,r6,r8
+	addc	r9,r9,r12
+	addze	r10,r10
+	$ST	r9,`2*$BNSZ`(r3)
+	addi	r12,r10,0
+		
+Lppcasm_mw_OVER:	
+	addi	r3,r12,0
+	bclr	BO_ALWAYS,CR0_LT
+	.long	0x00000000
+
+#
+#	NOTE:	The following label name should be changed to
+#		"bn_mul_add_words" i.e. remove the first dot
+#		for the gcc compiler. This should be automatically
+#		done in the build
+#
+
+.align	4
+.bn_mul_add_words:
+#
+# BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+#
+# r3 = rp
+# r4 = ap
+# r5 = num
+# r6 = w
+#
+# empirical evidence suggests that unrolled version performs best!!
+#
+	xor	r0,r0,r0		#r0 = 0
+	xor	r12,r12,r12  		#r12 = 0 . used for carry		
+	rlwinm.	r7,r5,30,2,31		# num >> 2
+	bc	BO_IF,CR0_EQ,Lppcasm_maw_leftover	# if (num < 4) go LPPCASM_maw_leftover
+	mtctr	r7
+Lppcasm_maw_mainloop:	
+					#mul_add(rp[0],ap[0],w,c1);
+	$LD	r8,`0*$BNSZ`(r4)
+	$LD	r11,`0*$BNSZ`(r3)
+	$UMULL	r9,r6,r8
+	$UMULH  r10,r6,r8
+	addc	r9,r9,r12		#r12 is carry.
+	addze	r10,r10
+	addc	r9,r9,r11
+	#addze	r10,r10
+					#the above instruction addze
+					#is NOT needed. Carry will NOT
+					#be ignored. It's not affected
+					#by multiply and will be collected
+					#in the next spin
+	$ST	r9,`0*$BNSZ`(r3)
+	
+					#mul_add(rp[1],ap[1],w,c1);
+	$LD	r8,`1*$BNSZ`(r4)	
+	$LD	r9,`1*$BNSZ`(r3)
+	$UMULL	r11,r6,r8
+	$UMULH  r12,r6,r8
+	adde	r11,r11,r10		#r10 is carry.
+	addze	r12,r12
+	addc	r11,r11,r9
+	#addze	r12,r12
+	$ST	r11,`1*$BNSZ`(r3)
+	
+					#mul_add(rp[2],ap[2],w,c1);
+	$LD	r8,`2*$BNSZ`(r4)
+	$UMULL	r9,r6,r8
+	$LD	r11,`2*$BNSZ`(r3)
+	$UMULH  r10,r6,r8
+	adde	r9,r9,r12
+	addze	r10,r10
+	addc	r9,r9,r11
+	#addze	r10,r10
+	$ST	r9,`2*$BNSZ`(r3)
+	
+					#mul_add(rp[3],ap[3],w,c1);
+	$LD	r8,`3*$BNSZ`(r4)
+	$UMULL	r11,r6,r8
+	$LD	r9,`3*$BNSZ`(r3)
+	$UMULH  r12,r6,r8
+	adde	r11,r11,r10
+	addze	r12,r12
+	addc	r11,r11,r9
+	addze	r12,r12
+	$ST	r11,`3*$BNSZ`(r3)
+	addi	r3,r3,`4*$BNSZ`
+	addi	r4,r4,`4*$BNSZ`
+	bc	BO_dCTR_NZERO,CR0_EQ,Lppcasm_maw_mainloop
+	
+Lppcasm_maw_leftover:
+	andi.	r5,r5,0x3
+	bc	BO_IF,CR0_EQ,Lppcasm_maw_adios
+	addi	r3,r3,-$BNSZ
+	addi	r4,r4,-$BNSZ
+					#mul_add(rp[0],ap[0],w,c1);
+	mtctr	r5
+	$LDU	r8,$BNSZ(r4)
+	$UMULL	r9,r6,r8
+	$UMULH  r10,r6,r8
+	$LDU	r11,$BNSZ(r3)
+	addc	r9,r9,r11
+	addze	r10,r10
+	addc	r9,r9,r12
+	addze	r12,r10
+	$ST	r9,0(r3)
+	
+	bc	BO_dCTR_ZERO,CR0_EQ,Lppcasm_maw_adios
+					#mul_add(rp[1],ap[1],w,c1);
+	$LDU	r8,$BNSZ(r4)	
+	$UMULL	r9,r6,r8
+	$UMULH  r10,r6,r8
+	$LDU	r11,$BNSZ(r3)
+	addc	r9,r9,r11
+	addze	r10,r10
+	addc	r9,r9,r12
+	addze	r12,r10
+	$ST	r9,0(r3)
+	
+	bc	BO_dCTR_ZERO,CR0_EQ,Lppcasm_maw_adios
+					#mul_add(rp[2],ap[2],w,c1);
+	$LDU	r8,$BNSZ(r4)
+	$UMULL	r9,r6,r8
+	$UMULH  r10,r6,r8
+	$LDU	r11,$BNSZ(r3)
+	addc	r9,r9,r11
+	addze	r10,r10
+	addc	r9,r9,r12
+	addze	r12,r10
+	$ST	r9,0(r3)
+		
+Lppcasm_maw_adios:	
+	addi	r3,r12,0
+	bclr	BO_ALWAYS,CR0_LT
+	.long	0x00000000
+	.align	4
+EOF
+	$data =~ s/\`([^\`]*)\`/eval $1/gem;
+
+	# if some assembler chokes on some simplified mnemonic,
+	# this is the spot to fix it up, e.g.:
+	# GNU as doesn't seem to accept cmplw, 32-bit unsigned compare
+	$data =~ s/^(\s*)cmplw(\s+)([^,]+),(.*)/$1cmpl$2$3,0,$4/gm;
+	# assembler X doesn't accept li, load immediate value
+	#$data =~ s/^(\s*)li(\s+)([^,]+),(.*)/$1addi$2$3,0,$4/gm;
+	return($data);
+}
diff --git a/crypto/openssl/crypto/bn/asm/sparcv8plus.S b/crypto/openssl/crypto/bn/asm/sparcv8plus.S
index 0074dfdb750e..8c56e2e7e7cb 100644
--- a/crypto/openssl/crypto/bn/asm/sparcv8plus.S
+++ b/crypto/openssl/crypto/bn/asm/sparcv8plus.S
@@ -162,10 +162,14 @@
  * BN_ULONG w;
  */
 bn_mul_add_words:
+	sra	%o2,%g0,%o2	! signx %o2
 	brgz,a	%o2,.L_bn_mul_add_words_proceed
 	lduw	[%o1],%g2
 	retl
 	clr	%o0
+	nop
+	nop
+	nop
 
 .L_bn_mul_add_words_proceed:
 	srl	%o3,%g0,%o3	! clruw	%o3
@@ -260,10 +264,14 @@ bn_mul_add_words:
  * BN_ULONG w;
  */
 bn_mul_words:
+	sra	%o2,%g0,%o2	! signx %o2
 	brgz,a	%o2,.L_bn_mul_words_proceeed
 	lduw	[%o1],%g2
 	retl
 	clr	%o0
+	nop
+	nop
+	nop
 
 .L_bn_mul_words_proceeed:
 	srl	%o3,%g0,%o3	! clruw	%o3
@@ -344,10 +352,14 @@ bn_mul_words:
  * int n;
  */
 bn_sqr_words:
+	sra	%o2,%g0,%o2	! signx %o2
 	brgz,a	%o2,.L_bn_sqr_words_proceeed
 	lduw	[%o1],%g2
 	retl
 	clr	%o0
+	nop
+	nop
+	nop
 
 .L_bn_sqr_words_proceeed:
 	andcc	%o2,-4,%g0
@@ -445,6 +457,7 @@ bn_div_words:
  * int n;
  */
 bn_add_words:
+	sra	%o3,%g0,%o3	! signx %o3
 	brgz,a	%o3,.L_bn_add_words_proceed
 	lduw	[%o1],%o4
 	retl
@@ -454,7 +467,6 @@ bn_add_words:
 	andcc	%o3,-4,%g0
 	bz,pn	%icc,.L_bn_add_words_tail
 	addcc	%g0,0,%g0	! clear carry flag
-	nop
 
 .L_bn_add_words_loop:		! wow! 32 aligned!
 	dec	4,%o3
@@ -523,6 +535,7 @@ bn_add_words:
  * int n;
  */
 bn_sub_words:
+	sra	%o3,%g0,%o3	! signx %o3
 	brgz,a	%o3,.L_bn_sub_words_proceed
 	lduw	[%o1],%o4
 	retl
@@ -532,7 +545,6 @@ bn_sub_words:
 	andcc	%o3,-4,%g0
 	bz,pn	%icc,.L_bn_sub_words_tail
 	addcc	%g0,0,%g0	! clear carry flag
-	nop
 
 .L_bn_sub_words_loop:		! wow! 32 aligned!
 	dec	4,%o3
diff --git a/crypto/openssl/crypto/bn/asm/x86_64-gcc.c b/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
index 450e8e43228e..73783442515a 100644
--- a/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
+++ b/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
@@ -13,20 +13,42 @@
  * A. Well, that's because this code is basically a quick-n-dirty
  *    proof-of-concept hack. As you can see it's implemented with
  *    inline assembler, which means that you're bound to GCC and that
- *    there must be a room for fine-tuning.
+ *    there might be enough room for further improvement.
  *
  * Q. Why inline assembler?
- * A. x86_64 features own ABI I'm not familiar with. Which is why
- *    I decided to let the compiler take care of subroutine
- *    prologue/epilogue as well as register allocation.
+ * A. x86_64 features own ABI which I'm not familiar with. This is
+ *    why I decided to let the compiler take care of subroutine
+ *    prologue/epilogue as well as register allocation. For reference.
+ *    Win64 implements different ABI for AMD64, different from Linux.
  *
  * Q. How much faster does it get?
- * A. Unfortunately people sitting on x86_64 hardware are prohibited
- *    to disclose the performance numbers, so they (SuSE labs to be
- *    specific) wouldn't tell me. However! Very similar coding technique
- *    (reaching out for 128-bit result from 64x64-bit multiplication)
- *    results in >3 times performance improvement on MIPS and I see no
- *    reason why gain on x86_64 would be so much different:-)
+ * A. 'apps/openssl speed rsa dsa' output with no-asm:
+ *
+ *	                  sign    verify    sign/s verify/s
+ *	rsa  512 bits   0.0006s   0.0001s   1683.8  18456.2
+ *	rsa 1024 bits   0.0028s   0.0002s    356.0   6407.0
+ *	rsa 2048 bits   0.0172s   0.0005s     58.0   1957.8
+ *	rsa 4096 bits   0.1155s   0.0018s      8.7    555.6
+ *	                  sign    verify    sign/s verify/s
+ *	dsa  512 bits   0.0005s   0.0006s   2100.8   1768.3
+ *	dsa 1024 bits   0.0014s   0.0018s    692.3    559.2
+ *	dsa 2048 bits   0.0049s   0.0061s    204.7    165.0
+ *
+ *    'apps/openssl speed rsa dsa' output with this module:
+ *
+ *	                  sign    verify    sign/s verify/s
+ *	rsa  512 bits   0.0004s   0.0000s   2767.1  33297.9
+ *	rsa 1024 bits   0.0012s   0.0001s    867.4  14674.7
+ *	rsa 2048 bits   0.0061s   0.0002s    164.0   5270.0
+ *	rsa 4096 bits   0.0384s   0.0006s     26.1   1650.8
+ *	                  sign    verify    sign/s verify/s
+ *	dsa  512 bits   0.0002s   0.0003s   4442.2   3786.3
+ *	dsa 1024 bits   0.0005s   0.0007s   1835.1   1497.4
+ *	dsa 2048 bits   0.0016s   0.0020s    620.4    504.6
+ *
+ *    For the reference. IA-32 assembler implementation performs
+ *    very much like 64-bit code compiled with no-asm on the same
+ *    machine.
  */
 
 #define BN_ULONG unsigned long
@@ -151,7 +173,7 @@ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
 }
 
 BN_ULONG bn_add_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
-{ BN_ULONG ret,i;
+{ BN_ULONG ret=0,i=0;
 
 	if (n <= 0) return 0;
 
@@ -164,7 +186,7 @@ BN_ULONG bn_add_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
 	"	leaq	1(%2),%2	\n"
 	"	loop	1b		\n"
 	"	sbbq	%0,%0		\n"
-		: "+a"(ret),"+c"(n),"+r"(i)
+		: "=&a"(ret),"+c"(n),"=&r"(i)
 		: "r"(rp),"r"(ap),"r"(bp)
 		: "cc"
 	);
@@ -174,7 +196,7 @@ BN_ULONG bn_add_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
 
 #ifndef SIMICS
 BN_ULONG bn_sub_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
-{ BN_ULONG ret,i;
+{ BN_ULONG ret=0,i=0;
 
 	if (n <= 0) return 0;
 
@@ -187,7 +209,7 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
 	"	leaq	1(%2),%2	\n"
 	"	loop	1b		\n"
 	"	sbbq	%0,%0		\n"
-		: "+a"(ret),"+c"(n),"+r"(i)
+		: "=&a"(ret),"+c"(n),"=&r"(i)
 		: "r"(rp),"r"(ap),"r"(bp)
 		: "cc"
 	);
@@ -318,7 +340,6 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 
 void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 	{
-	BN_ULONG bl,bh;
 	BN_ULONG t1,t2;
 	BN_ULONG c1,c2,c3;
 
@@ -423,7 +444,6 @@ void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 
 void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 	{
-	BN_ULONG bl,bh;
 	BN_ULONG t1,t2;
 	BN_ULONG c1,c2,c3;
 
@@ -464,7 +484,6 @@ void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 
 void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
 	{
-	BN_ULONG bl,bh;
 	BN_ULONG t1,t2;
 	BN_ULONG c1,c2,c3;
 
@@ -541,7 +560,6 @@ void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
 
 void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
 	{
-	BN_ULONG bl,bh;
 	BN_ULONG t1,t2;
 	BN_ULONG c1,c2,c3;
 
diff --git a/crypto/openssl/crypto/bn/bn.h b/crypto/openssl/crypto/bn/bn.h
index 3da6d8ced90b..95c5d643cbd1 100644
--- a/crypto/openssl/crypto/bn/bn.h
+++ b/crypto/openssl/crypto/bn/bn.h
@@ -55,6 +55,19 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the Eric Young open source
+ * license provided above.
+ *
+ * The binary polynomial arithmetic software is originally written by 
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
 
 #ifndef HEADER_BN_H
 #define HEADER_BN_H
@@ -63,14 +76,23 @@
 #ifndef OPENSSL_NO_FP_API
 #include <stdio.h> /* FILE */
 #endif
+#include <openssl/ossl_typ.h>
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-#ifdef OPENSSL_SYS_VMS
-#undef BN_LLONG /* experimental, so far... */
-#endif
+/* These preprocessor symbols control various aspects of the bignum headers and
+ * library code. They're not defined by any "normal" configuration, as they are
+ * intended for development and testing purposes. NB: defining all three can be
+ * useful for debugging application code as well as openssl itself.
+ *
+ * BN_DEBUG - turn on various debugging alterations to the bignum code
+ * BN_DEBUG_RAND - uses random poisoning of unused words to trip up
+ * mismanagement of bignum internals. You must also define BN_DEBUG.
+ */
+/* #define BN_DEBUG */
+/* #define BN_DEBUG_RAND */
 
 #define BN_MUL_COMBA
 #define BN_SQR_COMBA
@@ -143,10 +165,12 @@ extern "C" {
 #endif
 
 #ifdef THIRTY_TWO_BIT
-#if defined(OPENSSL_SYS_WIN32) && !defined(__GNUC__)
-#define BN_ULLONG	unsigned _int64
-#else
-#define BN_ULLONG	unsigned long long
+#ifdef BN_LLONG
+# if defined(OPENSSL_SYS_WIN32) && !defined(__GNUC__)
+#  define BN_ULLONG	unsigned __int64
+# else
+#  define BN_ULLONG	unsigned long long
+# endif
 #endif
 #define BN_ULONG	unsigned long
 #define BN_LONG		long
@@ -219,17 +243,39 @@ extern "C" {
 
 #define BN_DEFAULT_BITS	1280
 
-#ifdef BIGNUM
-#undef BIGNUM
-#endif
-
 #define BN_FLG_MALLOCED		0x01
 #define BN_FLG_STATIC_DATA	0x02
+#define BN_FLG_EXP_CONSTTIME	0x04 /* avoid leaking exponent information through timings
+                            	      * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */
+#ifndef OPENSSL_NO_DEPRECATED
 #define BN_FLG_FREE		0x8000	/* used for debuging */
+#endif
 #define BN_set_flags(b,n)	((b)->flags|=(n))
 #define BN_get_flags(b,n)	((b)->flags&(n))
 
-typedef struct bignum_st
+/* get a clone of a BIGNUM with changed flags, for *temporary* use only
+ * (the two BIGNUMs cannot not be used in parallel!) */
+#define BN_with_flags(dest,b,n)  ((dest)->d=(b)->d, \
+                                  (dest)->top=(b)->top, \
+                                  (dest)->dmax=(b)->dmax, \
+                                  (dest)->neg=(b)->neg, \
+                                  (dest)->flags=(((dest)->flags & BN_FLG_MALLOCED) \
+                                                 |  ((b)->flags & ~BN_FLG_MALLOCED) \
+                                                 |  BN_FLG_STATIC_DATA \
+                                                 |  (n)))
+
+/* Already declared in ossl_typ.h */
+#if 0
+typedef struct bignum_st BIGNUM;
+/* Used for temp variables (declaration hidden in bn_lcl.h) */
+typedef struct bignum_ctx BN_CTX;
+typedef struct bn_blinding_st BN_BLINDING;
+typedef struct bn_mont_ctx_st BN_MONT_CTX;
+typedef struct bn_recp_ctx_st BN_RECP_CTX;
+typedef struct bn_gencb_st BN_GENCB;
+#endif
+
+struct bignum_st
 	{
 	BN_ULONG *d;	/* Pointer to an array of 'BN_BITS2' bit chunks. */
 	int top;	/* Index of last used d +1. */
@@ -237,23 +283,10 @@ typedef struct bignum_st
 	int dmax;	/* Size of the d array. */
 	int neg;	/* one if the number is negative */
 	int flags;
-	} BIGNUM;
-
-/* Used for temp variables (declaration hidden in bn_lcl.h) */
-typedef struct bignum_ctx BN_CTX;
-
-typedef struct bn_blinding_st
-	{
-	int init;
-	BIGNUM *A;
-	BIGNUM *Ai;
-	BIGNUM *mod; /* just a reference */
-	unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
-				  * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
-	} BN_BLINDING;
+	};
 
 /* Used for montgomery multiplication */
-typedef struct bn_mont_ctx_st
+struct bn_mont_ctx_st
 	{
 	int ri;        /* number of bits in R */
 	BIGNUM RR;     /* used to convert to montgomery form */
@@ -262,19 +295,47 @@ typedef struct bn_mont_ctx_st
 	                * (Ni is only stored for bignum algorithm) */
 	BN_ULONG n0;   /* least significant word of Ni */
 	int flags;
-	} BN_MONT_CTX;
+	};
 
 /* Used for reciprocal division/mod functions
  * It cannot be shared between threads
  */
-typedef struct bn_recp_ctx_st
+struct bn_recp_ctx_st
 	{
 	BIGNUM N;	/* the divisor */
 	BIGNUM Nr;	/* the reciprocal */
 	int num_bits;
 	int shift;
 	int flags;
-	} BN_RECP_CTX;
+	};
+
+/* Used for slow "generation" functions. */
+struct bn_gencb_st
+	{
+	unsigned int ver;	/* To handle binary (in)compatibility */
+	void *arg;		/* callback-specific data */
+	union
+		{
+		/* if(ver==1) - handles old style callbacks */
+		void (*cb_1)(int, int, void *);
+		/* if(ver==2) - new callback style */
+		int (*cb_2)(int, int, BN_GENCB *);
+		} cb;
+	};
+/* Wrapper function to make using BN_GENCB easier,  */
+int BN_GENCB_call(BN_GENCB *cb, int a, int b);
+/* Macro to populate a BN_GENCB structure with an "old"-style callback */
+#define BN_GENCB_set_old(gencb, callback, cb_arg) { \
+		BN_GENCB *tmp_gencb = (gencb); \
+		tmp_gencb->ver = 1; \
+		tmp_gencb->arg = (cb_arg); \
+		tmp_gencb->cb.cb_1 = (callback); }
+/* Macro to populate a BN_GENCB structure with a "new"-style callback */
+#define BN_GENCB_set(gencb, callback, cb_arg) { \
+		BN_GENCB *tmp_gencb = (gencb); \
+		tmp_gencb->ver = 2; \
+		tmp_gencb->arg = (cb_arg); \
+		tmp_gencb->cb.cb_2 = (callback); }
 
 #define BN_prime_checks 0 /* default: select number of iterations
 			     based on the size of the number */
@@ -299,24 +360,33 @@ typedef struct bn_recp_ctx_st
 
 #define BN_num_bytes(a)	((BN_num_bits(a)+7)/8)
 
-/* Note that BN_abs_is_word does not work reliably for w == 0 */
-#define BN_abs_is_word(a,w) (((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w)))
-#define BN_is_zero(a)       (((a)->top == 0) || BN_abs_is_word(a,0))
+/* Note that BN_abs_is_word didn't work reliably for w == 0 until 0.9.8 */
+#define BN_abs_is_word(a,w) ((((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w))) || \
+				(((w) == 0) && ((a)->top == 0)))
+#define BN_is_zero(a)       ((a)->top == 0)
 #define BN_is_one(a)        (BN_abs_is_word((a),1) && !(a)->neg)
-#define BN_is_word(a,w)     ((w) ? BN_abs_is_word((a),(w)) && !(a)->neg : \
-                                   BN_is_zero((a)))
+#define BN_is_word(a,w)     (BN_abs_is_word((a),(w)) && (!(w) || !(a)->neg))
 #define BN_is_odd(a)	    (((a)->top > 0) && ((a)->d[0] & 1))
 
 #define BN_one(a)	(BN_set_word((a),1))
+#define BN_zero_ex(a) \
+	do { \
+		BIGNUM *_tmp_bn = (a); \
+		_tmp_bn->top = 0; \
+		_tmp_bn->neg = 0; \
+	} while(0)
+#ifdef OPENSSL_NO_DEPRECATED
+#define BN_zero(a)	BN_zero_ex(a)
+#else
 #define BN_zero(a)	(BN_set_word((a),0))
-
-/*#define BN_ascii2bn(a)	BN_hex2bn(a) */
-/*#define BN_bn2ascii(a)	BN_bn2hex(a) */
+#endif
 
 const BIGNUM *BN_value_one(void);
 char *	BN_options(void);
 BN_CTX *BN_CTX_new(void);
+#ifndef OPENSSL_NO_DEPRECATED
 void	BN_CTX_init(BN_CTX *c);
+#endif
 void	BN_CTX_free(BN_CTX *c);
 void	BN_CTX_start(BN_CTX *ctx);
 BIGNUM *BN_CTX_get(BN_CTX *ctx);
@@ -342,6 +412,16 @@ int	BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
 int	BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
 int	BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
 int	BN_sqr(BIGNUM *r, const BIGNUM *a,BN_CTX *ctx);
+/** BN_set_negative sets sign of a BIGNUM
+ * \param  b  pointer to the BIGNUM object
+ * \param  n  0 if the BIGNUM b should be positive and a value != 0 otherwise 
+ */
+void	BN_set_negative(BIGNUM *b, int n);
+/** BN_is_negative returns 1 if the BIGNUM is negative
+ * \param  a  pointer to the BIGNUM object
+ * \return 1 if a < 0 and 0 otherwise
+ */
+#define BN_is_negative(a) ((a)->neg != 0)
 
 int	BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
 	BN_CTX *ctx);
@@ -378,6 +458,8 @@ int	BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	const BIGNUM *m,BN_CTX *ctx);
 int	BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+	const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont);
 int	BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,
 	const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 int	BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1,
@@ -413,6 +495,9 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret,
 	const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
 BIGNUM *BN_mod_sqrt(BIGNUM *ret,
 	const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
+
+/* Deprecated versions */
+#ifndef OPENSSL_NO_DEPRECATED
 BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
 	const BIGNUM *add, const BIGNUM *rem,
 	void (*callback)(int,int,void *),void *cb_arg);
@@ -422,6 +507,14 @@ int	BN_is_prime(const BIGNUM *p,int nchecks,
 int	BN_is_prime_fasttest(const BIGNUM *p,int nchecks,
 	void (*callback)(int,int,void *),BN_CTX *ctx,void *cb_arg,
 	int do_trial_division);
+#endif /* !defined(OPENSSL_NO_DEPRECATED) */
+
+/* Newer versions */
+int	BN_generate_prime_ex(BIGNUM *ret,int bits,int safe, const BIGNUM *add,
+		const BIGNUM *rem, BN_GENCB *cb);
+int	BN_is_prime_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, BN_GENCB *cb);
+int	BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx,
+		int do_trial_division, BN_GENCB *cb);
 
 BN_MONT_CTX *BN_MONT_CTX_new(void );
 void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
@@ -434,15 +527,34 @@ int BN_from_montgomery(BIGNUM *r,const BIGNUM *a,
 void BN_MONT_CTX_free(BN_MONT_CTX *mont);
 int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *mod,BN_CTX *ctx);
 BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
+					const BIGNUM *mod, BN_CTX *ctx);
+
+/* BN_BLINDING flags */
+#define	BN_BLINDING_NO_UPDATE	0x00000001
+#define	BN_BLINDING_NO_RECREATE	0x00000002
 
-BN_BLINDING *BN_BLINDING_new(BIGNUM *A,BIGNUM *Ai,BIGNUM *mod);
+BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod);
 void BN_BLINDING_free(BN_BLINDING *b);
 int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
-int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *r, BN_CTX *ctx);
+int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
 int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
-
+int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
+int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *);
+unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
+void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
+unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
+void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
+BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
+	const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
+	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
+	BN_MONT_CTX *m_ctx);
+
+#ifndef OPENSSL_NO_DEPRECATED
 void BN_set_params(int mul,int high,int low,int mont);
 int BN_get_params(int which); /* 0, mul, 1 high, 2 low, 3 mont */
+#endif
 
 void	BN_RECP_CTX_init(BN_RECP_CTX *recp);
 BN_RECP_CTX *BN_RECP_CTX_new(void);
@@ -455,15 +567,162 @@ int	BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 int	BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
 	BN_RECP_CTX *recp, BN_CTX *ctx);
 
+/* Functions for arithmetic over binary polynomials represented by BIGNUMs. 
+ *
+ * The BIGNUM::neg property of BIGNUMs representing binary polynomials is
+ * ignored.
+ *
+ * Note that input arguments are not const so that their bit arrays can
+ * be expanded to the appropriate size if needed.
+ */
+
+int	BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); /*r = a + b*/
+#define BN_GF2m_sub(r, a, b) BN_GF2m_add(r, a, b)
+int	BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p); /*r=a mod p*/
+int	BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+	const BIGNUM *p, BN_CTX *ctx); /* r = (a * b) mod p */
+int	BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+	BN_CTX *ctx); /* r = (a * a) mod p */
+int	BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *b, const BIGNUM *p,
+	BN_CTX *ctx); /* r = (1 / b) mod p */
+int	BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+	const BIGNUM *p, BN_CTX *ctx); /* r = (a / b) mod p */
+int	BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+	const BIGNUM *p, BN_CTX *ctx); /* r = (a ^ b) mod p */
+int	BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+	BN_CTX *ctx); /* r = sqrt(a) mod p */
+int	BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+	BN_CTX *ctx); /* r^2 + r = a mod p */
+#define BN_GF2m_cmp(a, b) BN_ucmp((a), (b))
+/* Some functions allow for representation of the irreducible polynomials
+ * as an unsigned int[], say p.  The irreducible f(t) is then of the form:
+ *     t^p[0] + t^p[1] + ... + t^p[k]
+ * where m = p[0] > p[1] > ... > p[k] = 0.
+ */
+int	BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[]);
+	/* r = a mod p */
+int	BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+	const unsigned int p[], BN_CTX *ctx); /* r = (a * b) mod p */
+int	BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[],
+	BN_CTX *ctx); /* r = (a * a) mod p */
+int	BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *b, const unsigned int p[],
+	BN_CTX *ctx); /* r = (1 / b) mod p */
+int	BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+	const unsigned int p[], BN_CTX *ctx); /* r = (a / b) mod p */
+int	BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+	const unsigned int p[], BN_CTX *ctx); /* r = (a ^ b) mod p */
+int	BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a,
+	const unsigned int p[], BN_CTX *ctx); /* r = sqrt(a) mod p */
+int	BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a,
+	const unsigned int p[], BN_CTX *ctx); /* r^2 + r = a mod p */
+int	BN_GF2m_poly2arr(const BIGNUM *a, unsigned int p[], int max);
+int	BN_GF2m_arr2poly(const unsigned int p[], BIGNUM *a);
+
+/* faster mod functions for the 'NIST primes' 
+ * 0 <= a < p^2 */
+int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+
+const BIGNUM *BN_get0_nist_prime_192(void);
+const BIGNUM *BN_get0_nist_prime_224(void);
+const BIGNUM *BN_get0_nist_prime_256(void);
+const BIGNUM *BN_get0_nist_prime_384(void);
+const BIGNUM *BN_get0_nist_prime_521(void);
+
 /* library internal functions */
 
 #define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
-	(a):bn_expand2((a),(bits)/BN_BITS2+1))
+	(a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
 #define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
 BIGNUM *bn_expand2(BIGNUM *a, int words);
-BIGNUM *bn_dup_expand(const BIGNUM *a, int words);
+#ifndef OPENSSL_NO_DEPRECATED
+BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */
+#endif
+
+/* Bignum consistency macros
+ * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from
+ * bignum data after direct manipulations on the data. There is also an
+ * "internal" macro, bn_check_top(), for verifying that there are no leading
+ * zeroes. Unfortunately, some auditing is required due to the fact that
+ * bn_fix_top() has become an overabused duct-tape because bignum data is
+ * occasionally passed around in an inconsistent state. So the following
+ * changes have been made to sort this out;
+ * - bn_fix_top()s implementation has been moved to bn_correct_top()
+ * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and
+ *   bn_check_top() is as before.
+ * - if BN_DEBUG *is* defined;
+ *   - bn_check_top() tries to pollute unused words even if the bignum 'top' is
+ *     consistent. (ed: only if BN_DEBUG_RAND is defined)
+ *   - bn_fix_top() maps to bn_check_top() rather than "fixing" anything.
+ * The idea is to have debug builds flag up inconsistent bignums when they
+ * occur. If that occurs in a bn_fix_top(), we examine the code in question; if
+ * the use of bn_fix_top() was appropriate (ie. it follows directly after code
+ * that manipulates the bignum) it is converted to bn_correct_top(), and if it
+ * was not appropriate, we convert it permanently to bn_check_top() and track
+ * down the cause of the bug. Eventually, no internal code should be using the
+ * bn_fix_top() macro. External applications and libraries should try this with
+ * their own code too, both in terms of building against the openssl headers
+ * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it
+ * defined. This not only improves external code, it provides more test
+ * coverage for openssl's own code.
+ */
+
+#ifdef BN_DEBUG
+
+/* We only need assert() when debugging */
+#include <assert.h>
 
-#define bn_fix_top(a) \
+#ifdef BN_DEBUG_RAND
+/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
+#ifndef RAND_pseudo_bytes
+int RAND_pseudo_bytes(unsigned char *buf,int num);
+#define BN_DEBUG_TRIX
+#endif
+#define bn_pollute(a) \
+	do { \
+		const BIGNUM *_bnum1 = (a); \
+		if(_bnum1->top < _bnum1->dmax) { \
+			unsigned char _tmp_char; \
+			/* We cast away const without the compiler knowing, any \
+			 * *genuinely* constant variables that aren't mutable \
+			 * wouldn't be constructed with top!=dmax. */ \
+			BN_ULONG *_not_const; \
+			memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \
+			RAND_pseudo_bytes(&_tmp_char, 1); \
+			memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \
+				(_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \
+		} \
+	} while(0)
+#ifdef BN_DEBUG_TRIX
+#undef RAND_pseudo_bytes
+#endif
+#else
+#define bn_pollute(a)
+#endif
+#define bn_check_top(a) \
+	do { \
+		const BIGNUM *_bnum2 = (a); \
+		if (_bnum2 != NULL) { \
+			assert((_bnum2->top == 0) || \
+				(_bnum2->d[_bnum2->top - 1] != 0)); \
+			bn_pollute(_bnum2); \
+		} \
+	} while(0)
+
+#define bn_fix_top(a)		bn_check_top(a)
+
+#else /* !BN_DEBUG */
+
+#define bn_pollute(a)
+#define bn_check_top(a)
+#define bn_fix_top(a)		bn_correct_top(a)
+
+#endif
+
+#define bn_correct_top(a) \
         { \
         BN_ULONG *ftl; \
 	if ((a)->top > 0) \
@@ -471,6 +730,7 @@ BIGNUM *bn_dup_expand(const BIGNUM *a, int words);
 		for (ftl= &((a)->d[(a)->top-1]); (a)->top > 0; (a)->top--) \
 		if (*(ftl--)) break; \
 		} \
+	bn_pollute(a); \
 	}
 
 BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
@@ -480,15 +740,17 @@ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
 BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num);
 BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num);
 
-#ifdef BN_DEBUG
-void bn_dump1(FILE *o, const char *a, const BN_ULONG *b,int n);
-# define bn_print(a) {fprintf(stderr, #a "="); BN_print_fp(stderr,a); \
-   fprintf(stderr,"\n");}
-# define bn_dump(a,n) bn_dump1(stderr,#a,a,n);
-#else
-# define bn_print(a)
-# define bn_dump(a,b)
-#endif
+/* Primes from RFC 2409 */
+BIGNUM *get_rfc2409_prime_768(BIGNUM *bn);
+BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn);
+
+/* Primes from RFC 3526 */
+BIGNUM *get_rfc3526_prime_1536(BIGNUM *bn);
+BIGNUM *get_rfc3526_prime_2048(BIGNUM *bn);
+BIGNUM *get_rfc3526_prime_3072(BIGNUM *bn);
+BIGNUM *get_rfc3526_prime_4096(BIGNUM *bn);
+BIGNUM *get_rfc3526_prime_6144(BIGNUM *bn);
+BIGNUM *get_rfc3526_prime_8192(BIGNUM *bn);
 
 int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom);
 
@@ -501,20 +763,35 @@ void ERR_load_BN_strings(void);
 /* Error codes for the BN functions. */
 
 /* Function codes. */
-#define BN_F_BN_BLINDING_CONVERT			 100
-#define BN_F_BN_BLINDING_INVERT				 101
+#define BN_F_BNRAND					 127
+#define BN_F_BN_BLINDING_CONVERT_EX			 100
+#define BN_F_BN_BLINDING_CREATE_PARAM			 128
+#define BN_F_BN_BLINDING_INVERT_EX			 101
 #define BN_F_BN_BLINDING_NEW				 102
 #define BN_F_BN_BLINDING_UPDATE				 103
 #define BN_F_BN_BN2DEC					 104
 #define BN_F_BN_BN2HEX					 105
 #define BN_F_BN_CTX_GET					 116
 #define BN_F_BN_CTX_NEW					 106
+#define BN_F_BN_CTX_START				 129
 #define BN_F_BN_DIV					 107
+#define BN_F_BN_DIV_RECP				 130
+#define BN_F_BN_EXP					 123
 #define BN_F_BN_EXPAND2					 108
 #define BN_F_BN_EXPAND_INTERNAL				 120
+#define BN_F_BN_GF2M_MOD				 131
+#define BN_F_BN_GF2M_MOD_EXP				 132
+#define BN_F_BN_GF2M_MOD_MUL				 133
+#define BN_F_BN_GF2M_MOD_SOLVE_QUAD			 134
+#define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR			 135
+#define BN_F_BN_GF2M_MOD_SQR				 136
+#define BN_F_BN_GF2M_MOD_SQRT				 137
 #define BN_F_BN_MOD_EXP2_MONT				 118
 #define BN_F_BN_MOD_EXP_MONT				 109
+#define BN_F_BN_MOD_EXP_MONT_CONSTTIME			 124
 #define BN_F_BN_MOD_EXP_MONT_WORD			 117
+#define BN_F_BN_MOD_EXP_RECP				 125
+#define BN_F_BN_MOD_EXP_SIMPLE				 126
 #define BN_F_BN_MOD_INVERSE				 110
 #define BN_F_BN_MOD_LSHIFT_QUICK			 119
 #define BN_F_BN_MOD_MUL_RECIPROCAL			 111
@@ -539,6 +816,7 @@ void ERR_load_BN_strings(void);
 #define BN_R_NOT_A_SQUARE				 111
 #define BN_R_NOT_INITIALIZED				 107
 #define BN_R_NO_INVERSE					 108
+#define BN_R_NO_SOLUTION				 116
 #define BN_R_P_IS_NOT_PRIME				 112
 #define BN_R_TOO_MANY_ITERATIONS			 113
 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES		 109
diff --git a/crypto/openssl/crypto/bn/bn_add.c b/crypto/openssl/crypto/bn/bn_add.c
index 6cba07e9f670..9405163706aa 100644
--- a/crypto/openssl/crypto/bn/bn_add.c
+++ b/crypto/openssl/crypto/bn/bn_add.c
@@ -64,7 +64,7 @@
 int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	{
 	const BIGNUM *tmp;
-	int a_neg = a->neg;
+	int a_neg = a->neg, ret;
 
 	bn_check_top(a);
 	bn_check_top(b);
@@ -95,20 +95,17 @@ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 		return(1);
 		}
 
-	if (!BN_uadd(r,a,b)) return(0);
-	if (a_neg) /* both are neg */
-		r->neg=1;
-	else
-		r->neg=0;
-	return(1);
+	ret = BN_uadd(r,a,b);
+	r->neg = a_neg;
+	bn_check_top(r);
+	return ret;
 	}
 
-/* unsigned add of b to a, r must be large enough */
+/* unsigned add of b to a */
 int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	{
-	register int i;
-	int max,min;
-	BN_ULONG *ap,*bp,*rp,carry,t1;
+	int max,min,dif;
+	BN_ULONG *ap,*bp,*rp,carry,t1,t2;
 	const BIGNUM *tmp;
 
 	bn_check_top(a);
@@ -116,11 +113,12 @@ int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 
 	if (a->top < b->top)
 		{ tmp=a; a=b; b=tmp; }
-	max=a->top;
-	min=b->top;
+	max = a->top;
+	min = b->top;
+	dif = max - min;
 
 	if (bn_wexpand(r,max+1) == NULL)
-		return(0);
+		return 0;
 
 	r->top=max;
 
@@ -128,46 +126,46 @@ int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	ap=a->d;
 	bp=b->d;
 	rp=r->d;
-	carry=0;
 
 	carry=bn_add_words(rp,ap,bp,min);
 	rp+=min;
 	ap+=min;
 	bp+=min;
-	i=min;
 
 	if (carry)
 		{
-		while (i < max)
+		while (dif)
 			{
-			i++;
-			t1= *(ap++);
-			if ((*(rp++)=(t1+1)&BN_MASK2) >= t1)
+			dif--;
+			t1 = *(ap++);
+			t2 = (t1+1) & BN_MASK2;
+			*(rp++) = t2;
+			if (t2)
 				{
 				carry=0;
 				break;
 				}
 			}
-		if ((i >= max) && carry)
+		if (carry)
 			{
-			*(rp++)=1;
+			/* carry != 0 => dif == 0 */
+			*rp = 1;
 			r->top++;
 			}
 		}
-	if (rp != ap)
-		{
-		for (; i<max; i++)
-			*(rp++)= *(ap++);
-		}
-	/* memcpy(rp,ap,sizeof(*ap)*(max-i));*/
+	if (dif && rp != ap)
+		while (dif--)
+			/* copy remaining words if ap != rp */
+			*(rp++) = *(ap++);
 	r->neg = 0;
-	return(1);
+	bn_check_top(r);
+	return 1;
 	}
 
 /* unsigned subtraction of b from a, a must be larger than b. */
 int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	{
-	int max,min;
+	int max,min,dif;
 	register BN_ULONG t1,t2,*ap,*bp,*rp;
 	int i,carry;
 #if defined(IRIX_CC_BUG) && !defined(LINT)
@@ -177,14 +175,16 @@ int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	bn_check_top(a);
 	bn_check_top(b);
 
-	if (a->top < b->top) /* hmm... should not be happening */
+	max = a->top;
+	min = b->top;
+	dif = max - min;
+
+	if (dif < 0)	/* hmm... should not be happening */
 		{
 		BNerr(BN_F_BN_USUB,BN_R_ARG2_LT_ARG3);
 		return(0);
 		}
 
-	max=a->top;
-	min=b->top;
 	if (bn_wexpand(r,max) == NULL) return(0);
 
 	ap=a->d;
@@ -193,7 +193,7 @@ int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 
 #if 1
 	carry=0;
-	for (i=0; i<min; i++)
+	for (i = min; i != 0; i--)
 		{
 		t1= *(ap++);
 		t2= *(bp++);
@@ -217,17 +217,20 @@ int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	ap+=min;
 	bp+=min;
 	rp+=min;
-	i=min;
 #endif
 	if (carry) /* subtracted */
 		{
-		while (i < max)
+		if (!dif)
+			/* error: a < b */
+			return 0;
+		while (dif)
 			{
-			i++;
-			t1= *(ap++);
-			t2=(t1-1)&BN_MASK2;
-			*(rp++)=t2;
-			if (t1 > t2) break;
+			dif--;
+			t1 = *(ap++);
+			t2 = (t1-1)&BN_MASK2;
+			*(rp++) = t2;
+			if (t1)
+				break;
 			}
 		}
 #if 0
@@ -237,13 +240,13 @@ int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 		{
 		for (;;)
 			{
-			if (i++ >= max) break;
+			if (!dif--) break;
 			rp[0]=ap[0];
-			if (i++ >= max) break;
+			if (!dif--) break;
 			rp[1]=ap[1];
-			if (i++ >= max) break;
+			if (!dif--) break;
 			rp[2]=ap[2];
-			if (i++ >= max) break;
+			if (!dif--) break;
 			rp[3]=ap[3];
 			rp+=4;
 			ap+=4;
@@ -253,7 +256,7 @@ int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 
 	r->top=max;
 	r->neg=0;
-	bn_fix_top(r);
+	bn_correct_top(r);
 	return(1);
 	}
 
@@ -304,6 +307,7 @@ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 		if (!BN_usub(r,a,b)) return(0);
 		r->neg=0;
 		}
+	bn_check_top(r);
 	return(1);
 	}
 
diff --git a/crypto/openssl/crypto/bn/bn_asm.c b/crypto/openssl/crypto/bn/bn_asm.c
index be8aa3ffc5a4..99bc2de4913e 100644
--- a/crypto/openssl/crypto/bn/bn_asm.c
+++ b/crypto/openssl/crypto/bn/bn_asm.c
@@ -237,7 +237,7 @@ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
 	if (d == 0) return(BN_MASK2);
 
 	i=BN_num_bits_word(d);
-	assert((i == BN_BITS2) || (h > (BN_ULONG)1<<i));
+	assert((i == BN_BITS2) || (h <= (BN_ULONG)1<<i));
 
 	i=BN_BITS2-i;
 	if (h >= d) h-=d;
@@ -459,6 +459,34 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
 #define sqr_add_c2(a,i,j,c0,c1,c2) \
 	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
 
+#elif defined(BN_UMULT_LOHI)
+
+#define mul_add_c(a,b,c0,c1,c2)	{	\
+	BN_ULONG ta=(a),tb=(b);		\
+	BN_UMULT_LOHI(t1,t2,ta,tb);	\
+	c0 += t1; t2 += (c0<t1)?1:0;	\
+	c1 += t2; c2 += (c1<t2)?1:0;	\
+	}
+
+#define mul_add_c2(a,b,c0,c1,c2) {	\
+	BN_ULONG ta=(a),tb=(b),t0;	\
+	BN_UMULT_LOHI(t0,t1,ta,tb);	\
+	t2 = t1+t1; c2 += (t2<t1)?1:0;	\
+	t1 = t0+t0; t2 += (t1<t0)?1:0;	\
+	c0 += t1; t2 += (c0<t1)?1:0;	\
+	c1 += t2; c2 += (c1<t2)?1:0;	\
+	}
+
+#define sqr_add_c(a,i,c0,c1,c2)	{	\
+	BN_ULONG ta=(a)[i];		\
+	BN_UMULT_LOHI(t1,t2,ta,ta);	\
+	c0 += t1; t2 += (c0<t1)?1:0;	\
+	c1 += t2; c2 += (c1<t2)?1:0;	\
+	}
+
+#define sqr_add_c2(a,i,j,c0,c1,c2)	\
+	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
+
 #elif defined(BN_UMULT_HIGH)
 
 #define mul_add_c(a,b,c0,c1,c2)	{	\
diff --git a/crypto/openssl/crypto/bn/bn_blind.c b/crypto/openssl/crypto/bn/bn_blind.c
index 2d287e6d1bb1..ca22d4f8bdcb 100644
--- a/crypto/openssl/crypto/bn/bn_blind.c
+++ b/crypto/openssl/crypto/bn/bn_blind.c
@@ -1,4 +1,57 @@
 /* crypto/bn/bn_blind.c */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,11 +113,28 @@
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
-BN_BLINDING *BN_BLINDING_new(BIGNUM *A, BIGNUM *Ai, BIGNUM *mod)
+#define BN_BLINDING_COUNTER	32
+
+struct bn_blinding_st
+	{
+	BIGNUM *A;
+	BIGNUM *Ai;
+	BIGNUM *e;
+	BIGNUM *mod; /* just a reference */
+	unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
+				  * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
+	unsigned int  counter;
+	unsigned long flags;
+	BN_MONT_CTX *m_ctx;
+	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			  const BIGNUM *m, BN_CTX *ctx,
+			  BN_MONT_CTX *m_ctx);
+	};
+
+BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
 	{
 	BN_BLINDING *ret=NULL;
 
-	bn_check_top(Ai);
 	bn_check_top(mod);
 
 	if ((ret=(BN_BLINDING *)OPENSSL_malloc(sizeof(BN_BLINDING))) == NULL)
@@ -73,11 +143,16 @@ BN_BLINDING *BN_BLINDING_new(BIGNUM *A, BIGNUM *Ai, BIGNUM *mod)
 		return(NULL);
 		}
 	memset(ret,0,sizeof(BN_BLINDING));
-	if ((ret->A=BN_new()) == NULL) goto err;
-	if ((ret->Ai=BN_new()) == NULL) goto err;
-	if (!BN_copy(ret->A,A)) goto err;
-	if (!BN_copy(ret->Ai,Ai)) goto err;
-	ret->mod=mod;
+	if (A != NULL)
+		{
+		if ((ret->A  = BN_dup(A))  == NULL) goto err;
+		}
+	if (Ai != NULL)
+		{
+		if ((ret->Ai = BN_dup(Ai)) == NULL) goto err;
+		}
+	ret->mod = mod;
+	ret->counter = BN_BLINDING_COUNTER;
 	return(ret);
 err:
 	if (ret != NULL) BN_BLINDING_free(ret);
@@ -91,6 +166,7 @@ void BN_BLINDING_free(BN_BLINDING *r)
 
 	if (r->A  != NULL) BN_free(r->A );
 	if (r->Ai != NULL) BN_free(r->Ai);
+	if (r->e  != NULL) BN_free(r->e );
 	OPENSSL_free(r);
 	}
 
@@ -103,42 +179,181 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
 		BNerr(BN_F_BN_BLINDING_UPDATE,BN_R_NOT_INITIALIZED);
 		goto err;
 		}
-		
-	if (!BN_mod_mul(b->A,b->A,b->A,b->mod,ctx)) goto err;
-	if (!BN_mod_mul(b->Ai,b->Ai,b->Ai,b->mod,ctx)) goto err;
+
+	if (--(b->counter) == 0 && b->e != NULL &&
+		!(b->flags & BN_BLINDING_NO_RECREATE))
+		{
+		/* re-create blinding parameters */
+		if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
+			goto err;
+		}
+	else if (!(b->flags & BN_BLINDING_NO_UPDATE))
+		{
+		if (!BN_mod_mul(b->A,b->A,b->A,b->mod,ctx)) goto err;
+		if (!BN_mod_mul(b->Ai,b->Ai,b->Ai,b->mod,ctx)) goto err;
+		}
 
 	ret=1;
 err:
+	if (b->counter == 0)
+		b->counter = BN_BLINDING_COUNTER;
 	return(ret);
 	}
 
 int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
 	{
+	return BN_BLINDING_convert_ex(n, NULL, b, ctx);
+	}
+
+int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
+	{
+	int ret = 1;
+
 	bn_check_top(n);
 
 	if ((b->A == NULL) || (b->Ai == NULL))
 		{
-		BNerr(BN_F_BN_BLINDING_CONVERT,BN_R_NOT_INITIALIZED);
+		BNerr(BN_F_BN_BLINDING_CONVERT_EX,BN_R_NOT_INITIALIZED);
 		return(0);
 		}
-	return(BN_mod_mul(n,n,b->A,b->mod,ctx));
+
+	if (r != NULL)
+		{
+		if (!BN_copy(r, b->Ai)) ret=0;
+		}
+
+	if (!BN_mod_mul(n,n,b->A,b->mod,ctx)) ret=0;
+	
+	return ret;
 	}
 
 int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
 	{
+	return BN_BLINDING_invert_ex(n, NULL, b, ctx);
+	}
+
+int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
+	{
 	int ret;
 
 	bn_check_top(n);
 	if ((b->A == NULL) || (b->Ai == NULL))
 		{
-		BNerr(BN_F_BN_BLINDING_INVERT,BN_R_NOT_INITIALIZED);
+		BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
 		return(0);
 		}
-	if ((ret=BN_mod_mul(n,n,b->Ai,b->mod,ctx)) >= 0)
+
+	if (r != NULL)
+		ret = BN_mod_mul(n, n, r, b->mod, ctx);
+	else
+		ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
+
+	if (ret >= 0)
 		{
 		if (!BN_BLINDING_update(b,ctx))
 			return(0);
 		}
+	bn_check_top(n);
 	return(ret);
 	}
 
+unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *b)
+	{
+	return b->thread_id;
+	}
+
+void BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n)
+	{
+	b->thread_id = n;
+	}
+
+unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b)
+	{
+	return b->flags;
+	}
+
+void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags)
+	{
+	b->flags = flags;
+	}
+
+BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
+	const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
+	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
+	BN_MONT_CTX *m_ctx)
+{
+	int    retry_counter = 32;
+	BN_BLINDING *ret = NULL;
+
+	if (b == NULL)
+		ret = BN_BLINDING_new(NULL, NULL, m);
+	else
+		ret = b;
+
+	if (ret == NULL)
+		goto err;
+
+	if (ret->A  == NULL && (ret->A  = BN_new()) == NULL)
+		goto err;
+	if (ret->Ai == NULL && (ret->Ai	= BN_new()) == NULL)
+		goto err;
+
+	if (e != NULL)
+		{
+		if (ret->e != NULL)
+			BN_free(ret->e);
+		ret->e = BN_dup(e);
+		}
+	if (ret->e == NULL)
+		goto err;
+
+	if (bn_mod_exp != NULL)
+		ret->bn_mod_exp = bn_mod_exp;
+	if (m_ctx != NULL)
+		ret->m_ctx = m_ctx;
+
+	do {
+		if (!BN_rand_range(ret->A, ret->mod)) goto err;
+		if (BN_mod_inverse(ret->Ai, ret->A, ret->mod, ctx) == NULL)
+			{
+			/* this should almost never happen for good RSA keys */
+			unsigned long error = ERR_peek_last_error();
+			if (ERR_GET_REASON(error) == BN_R_NO_INVERSE)
+				{
+				if (retry_counter-- == 0)
+				{
+					BNerr(BN_F_BN_BLINDING_CREATE_PARAM,
+						BN_R_TOO_MANY_ITERATIONS);
+					goto err;
+				}
+				ERR_clear_error();
+				}
+			else
+				goto err;
+			}
+		else
+			break;
+	} while (1);
+
+	if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL)
+		{
+		if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
+			goto err;
+		}
+	else
+		{
+		if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
+			goto err;
+		}
+
+	return ret;
+err:
+	if (b == NULL && ret != NULL)
+		{
+		BN_BLINDING_free(ret);
+		ret = NULL;
+		}
+
+	return ret;
+}
diff --git a/crypto/openssl/crypto/bn/bn_const.c b/crypto/openssl/crypto/bn/bn_const.c
new file mode 100755
index 000000000000..eb60a25b3c73
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_const.c
@@ -0,0 +1,402 @@
+/* crypto/bn/knownprimes.c */
+/* Insert boilerplate */
+
+#include "bn.h"
+
+/* "First Oakley Default Group" from RFC2409, section 6.1.
+ *
+ * The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 }
+ *
+ * RFC2409 specifies a generator of 2.
+ * RFC2412 specifies a generator of of 22.
+ */
+
+BIGNUM *get_rfc2409_prime_768(BIGNUM *bn)
+	{
+	static const unsigned char RFC2409_PRIME_768[]={
+		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
+		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
+		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
+		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
+		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
+		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
+		0xA6,0x3A,0x36,0x20,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+		};
+	return BN_bin2bn(RFC2409_PRIME_768,sizeof(RFC2409_PRIME_768),bn);
+	}
+
+/* "Second Oakley Default Group" from RFC2409, section 6.2.
+ *
+ * The prime is: 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
+ *
+ * RFC2409 specifies a generator of 2.
+ * RFC2412 specifies a generator of 22.
+ */
+
+BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn)
+	{
+	static const unsigned char RFC2409_PRIME_1024[]={
+		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
+		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
+		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
+		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
+		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
+		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
+		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
+		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE6,0x53,0x81,
+		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+		};
+	return BN_bin2bn(RFC2409_PRIME_1024,sizeof(RFC2409_PRIME_1024),bn);
+	}
+
+/* "1536-bit MODP Group" from RFC3526, Section 2.
+ *
+ * The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }
+ *
+ * RFC3526 specifies a generator of 2.
+ * RFC2312 specifies a generator of 22.
+ */
+
+BIGNUM *get_rfc3526_prime_1536(BIGNUM *bn)
+	{
+	static const unsigned char RFC3526_PRIME_1536[]={
+		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
+		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
+		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
+		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
+		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
+		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
+		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
+		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
+		0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
+		0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+		0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
+		0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
+		0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
+		0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+		};
+	return BN_bin2bn(RFC3526_PRIME_1536,sizeof(RFC3526_PRIME_1536),bn);
+	}
+
+/* "2048-bit MODP Group" from RFC3526, Section 3.
+ *
+ * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }
+ *
+ * RFC3526 specifies a generator of 2.
+ */
+
+BIGNUM *get_rfc3526_prime_2048(BIGNUM *bn)
+	{
+	static const unsigned char RFC3526_PRIME_2048[]={
+		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
+		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
+		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
+		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
+		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
+		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
+		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
+		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
+		0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
+		0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+		0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
+		0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
+		0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
+		0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+		0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
+		0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
+		0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
+		0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+		0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF,
+		0xFF,0xFF,0xFF,0xFF,
+		};
+	return BN_bin2bn(RFC3526_PRIME_2048,sizeof(RFC3526_PRIME_2048),bn);
+	}
+
+/* "3072-bit MODP Group" from RFC3526, Section 4.
+ *
+ * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 }
+ *
+ * RFC3526 specifies a generator of 2.
+ */
+
+BIGNUM *get_rfc3526_prime_3072(BIGNUM *bn)
+	{
+	static const unsigned char RFC3526_PRIME_3072[]={
+		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
+		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
+		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
+		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
+		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
+		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
+		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
+		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
+		0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
+		0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+		0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
+		0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
+		0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
+		0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+		0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
+		0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
+		0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
+		0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+		0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
+		0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
+		0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
+		0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+		0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
+		0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
+		0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
+		0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+		0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
+		0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
+		0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
+		0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+		};
+	return BN_bin2bn(RFC3526_PRIME_3072,sizeof(RFC3526_PRIME_3072),bn);
+	}
+
+/* "4096-bit MODP Group" from RFC3526, Section 5.
+ *
+ * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 }
+ *
+ * RFC3526 specifies a generator of 2.
+ */
+
+BIGNUM *get_rfc3526_prime_4096(BIGNUM *bn)
+	{
+	static const unsigned char RFC3526_PRIME_4096[]={
+		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
+		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
+		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
+		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
+		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
+		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
+		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
+		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
+		0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
+		0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+		0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
+		0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
+		0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
+		0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+		0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
+		0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
+		0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
+		0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+		0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
+		0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
+		0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
+		0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+		0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
+		0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
+		0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
+		0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+		0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
+		0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
+		0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
+		0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+		0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,
+		0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,
+		0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,
+		0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+		0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,
+		0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,
+		0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,
+		0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+		0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,
+		0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99,
+		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+		};
+	return BN_bin2bn(RFC3526_PRIME_4096,sizeof(RFC3526_PRIME_4096),bn);
+	}
+
+/* "6144-bit MODP Group" from RFC3526, Section 6.
+ *
+ * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 }
+ *
+ * RFC3526 specifies a generator of 2.
+ */
+
+BIGNUM *get_rfc3526_prime_6144(BIGNUM *bn)
+	{
+	static const unsigned char RFC3526_PRIME_6144[]={
+		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
+		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
+		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
+		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
+		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
+		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
+		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
+		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
+		0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
+		0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+		0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
+		0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
+		0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
+		0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+		0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
+		0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
+		0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
+		0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+		0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
+		0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
+		0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
+		0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+		0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
+		0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
+		0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
+		0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+		0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
+		0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
+		0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
+		0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+		0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,
+		0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,
+		0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,
+		0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+		0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,
+		0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,
+		0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,
+		0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+		0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,
+		0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,
+		0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,0xC1,0xD4,0xDC,0xB2,
+		0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
+		0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,
+		0x41,0x30,0x01,0xAE,0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,
+		0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,0xDA,0x3E,0xDB,0xEB,
+		0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
+		0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,
+		0x2B,0xD7,0xAF,0x42,0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,
+		0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,0xF0,0x32,0xEA,0x15,
+		0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
+		0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,
+		0x90,0x0B,0x1C,0x9E,0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,
+		0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,0x0F,0x1D,0x45,0xB7,
+		0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
+		0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,
+		0x0F,0x80,0x37,0xE0,0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,
+		0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,0xF5,0x50,0xAA,0x3D,
+		0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
+		0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,
+		0x6E,0x3C,0x04,0x68,0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,
+		0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,0xE6,0x94,0xF9,0x1E,
+		0x6D,0xCC,0x40,0x24,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+		};
+	return BN_bin2bn(RFC3526_PRIME_6144,sizeof(RFC3526_PRIME_6144),bn);
+	}
+
+/* "8192-bit MODP Group" from RFC3526, Section 7.
+ *
+ * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 }
+ *
+ * RFC3526 specifies a generator of 2.
+ */
+
+BIGNUM *get_rfc3526_prime_8192(BIGNUM *bn)
+	{
+	static const unsigned char RFC3526_PRIME_8192[]={
+		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
+		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
+		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
+		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
+		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
+		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
+		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
+		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
+		0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
+		0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+		0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
+		0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
+		0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
+		0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+		0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
+		0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
+		0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
+		0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+		0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
+		0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
+		0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
+		0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+		0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
+		0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
+		0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
+		0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+		0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
+		0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
+		0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
+		0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+		0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,
+		0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,
+		0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,
+		0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+		0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,
+		0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,
+		0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,
+		0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+		0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,
+		0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,
+		0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,0xC1,0xD4,0xDC,0xB2,
+		0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
+		0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,
+		0x41,0x30,0x01,0xAE,0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,
+		0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,0xDA,0x3E,0xDB,0xEB,
+		0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
+		0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,
+		0x2B,0xD7,0xAF,0x42,0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,
+		0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,0xF0,0x32,0xEA,0x15,
+		0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
+		0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,
+		0x90,0x0B,0x1C,0x9E,0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,
+		0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,0x0F,0x1D,0x45,0xB7,
+		0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
+		0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,
+		0x0F,0x80,0x37,0xE0,0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,
+		0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,0xF5,0x50,0xAA,0x3D,
+		0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
+		0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,
+		0x6E,0x3C,0x04,0x68,0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,
+		0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,0xE6,0x94,0xF9,0x1E,
+		0x6D,0xBE,0x11,0x59,0x74,0xA3,0x92,0x6F,0x12,0xFE,0xE5,0xE4,
+		0x38,0x77,0x7C,0xB6,0xA9,0x32,0xDF,0x8C,0xD8,0xBE,0xC4,0xD0,
+		0x73,0xB9,0x31,0xBA,0x3B,0xC8,0x32,0xB6,0x8D,0x9D,0xD3,0x00,
+		0x74,0x1F,0xA7,0xBF,0x8A,0xFC,0x47,0xED,0x25,0x76,0xF6,0x93,
+		0x6B,0xA4,0x24,0x66,0x3A,0xAB,0x63,0x9C,0x5A,0xE4,0xF5,0x68,
+		0x34,0x23,0xB4,0x74,0x2B,0xF1,0xC9,0x78,0x23,0x8F,0x16,0xCB,
+		0xE3,0x9D,0x65,0x2D,0xE3,0xFD,0xB8,0xBE,0xFC,0x84,0x8A,0xD9,
+		0x22,0x22,0x2E,0x04,0xA4,0x03,0x7C,0x07,0x13,0xEB,0x57,0xA8,
+		0x1A,0x23,0xF0,0xC7,0x34,0x73,0xFC,0x64,0x6C,0xEA,0x30,0x6B,
+		0x4B,0xCB,0xC8,0x86,0x2F,0x83,0x85,0xDD,0xFA,0x9D,0x4B,0x7F,
+		0xA2,0xC0,0x87,0xE8,0x79,0x68,0x33,0x03,0xED,0x5B,0xDD,0x3A,
+		0x06,0x2B,0x3C,0xF5,0xB3,0xA2,0x78,0xA6,0x6D,0x2A,0x13,0xF8,
+		0x3F,0x44,0xF8,0x2D,0xDF,0x31,0x0E,0xE0,0x74,0xAB,0x6A,0x36,
+		0x45,0x97,0xE8,0x99,0xA0,0x25,0x5D,0xC1,0x64,0xF3,0x1C,0xC5,
+		0x08,0x46,0x85,0x1D,0xF9,0xAB,0x48,0x19,0x5D,0xED,0x7E,0xA1,
+		0xB1,0xD5,0x10,0xBD,0x7E,0xE7,0x4D,0x73,0xFA,0xF3,0x6B,0xC3,
+		0x1E,0xCF,0xA2,0x68,0x35,0x90,0x46,0xF4,0xEB,0x87,0x9F,0x92,
+		0x40,0x09,0x43,0x8B,0x48,0x1C,0x6C,0xD7,0x88,0x9A,0x00,0x2E,
+		0xD5,0xEE,0x38,0x2B,0xC9,0x19,0x0D,0xA6,0xFC,0x02,0x6E,0x47,
+		0x95,0x58,0xE4,0x47,0x56,0x77,0xE9,0xAA,0x9E,0x30,0x50,0xE2,
+		0x76,0x56,0x94,0xDF,0xC8,0x1F,0x56,0xE8,0x80,0xB9,0x6E,0x71,
+		0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF,
+		0xFF,0xFF,0xFF,0xFF,
+		};
+	return BN_bin2bn(RFC3526_PRIME_8192,sizeof(RFC3526_PRIME_8192),bn);
+	}
+
diff --git a/crypto/openssl/crypto/bn/bn_ctx.c b/crypto/openssl/crypto/bn/bn_ctx.c
index 7daf19eb8436..b3452f1a91e3 100644
--- a/crypto/openssl/crypto/bn/bn_ctx.c
+++ b/crypto/openssl/crypto/bn/bn_ctx.c
@@ -1,7 +1,7 @@
 /* crypto/bn/bn_ctx.c */
 /* Written by Ulf Moeller for the OpenSSL project. */
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -54,9 +54,10 @@
  *
  */
 
-#ifndef BN_CTX_DEBUG
-# undef NDEBUG /* avoid conflicting definitions */
-# define NDEBUG
+#if !defined(BN_CTX_DEBUG) && !defined(BN_DEBUG)
+#ifndef NDEBUG
+#define NDEBUG
+#endif
 #endif
 
 #include <stdio.h>
@@ -65,91 +66,389 @@
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
+/* TODO list
+ *
+ * 1. Check a bunch of "(words+1)" type hacks in various bignum functions and
+ * check they can be safely removed.
+ *  - Check +1 and other ugliness in BN_from_montgomery()
+ *
+ * 2. Consider allowing a BN_new_ex() that, at least, lets you specify an
+ * appropriate 'block' size that will be honoured by bn_expand_internal() to
+ * prevent piddly little reallocations. OTOH, profiling bignum expansions in
+ * BN_CTX doesn't show this to be a big issue.
+ */
+
+/* How many bignums are in each "pool item"; */
+#define BN_CTX_POOL_SIZE	16
+/* The stack frame info is resizing, set a first-time expansion size; */
+#define BN_CTX_START_FRAMES	32
 
-BN_CTX *BN_CTX_new(void)
+/***********/
+/* BN_POOL */
+/***********/
+
+/* A bundle of bignums that can be linked with other bundles */
+typedef struct bignum_pool_item
+	{
+	/* The bignum values */
+	BIGNUM vals[BN_CTX_POOL_SIZE];
+	/* Linked-list admin */
+	struct bignum_pool_item *prev, *next;
+	} BN_POOL_ITEM;
+/* A linked-list of bignums grouped in bundles */
+typedef struct bignum_pool
+	{
+	/* Linked-list admin */
+	BN_POOL_ITEM *head, *current, *tail;
+	/* Stack depth and allocation size */
+	unsigned used, size;
+	} BN_POOL;
+static void		BN_POOL_init(BN_POOL *);
+static void		BN_POOL_finish(BN_POOL *);
+#ifndef OPENSSL_NO_DEPRECATED
+static void		BN_POOL_reset(BN_POOL *);
+#endif
+static BIGNUM *		BN_POOL_get(BN_POOL *);
+static void		BN_POOL_release(BN_POOL *, unsigned int);
+
+/************/
+/* BN_STACK */
+/************/
+
+/* A wrapper to manage the "stack frames" */
+typedef struct bignum_ctx_stack
 	{
-	BN_CTX *ret;
+	/* Array of indexes into the bignum stack */
+	unsigned int *indexes;
+	/* Number of stack frames, and the size of the allocated array */
+	unsigned int depth, size;
+	} BN_STACK;
+static void		BN_STACK_init(BN_STACK *);
+static void		BN_STACK_finish(BN_STACK *);
+#ifndef OPENSSL_NO_DEPRECATED
+static void		BN_STACK_reset(BN_STACK *);
+#endif
+static int		BN_STACK_push(BN_STACK *, unsigned int);
+static unsigned int	BN_STACK_pop(BN_STACK *);
+
+/**********/
+/* BN_CTX */
+/**********/
+
+/* The opaque BN_CTX type */
+struct bignum_ctx
+	{
+	/* The bignum bundles */
+	BN_POOL pool;
+	/* The "stack frames", if you will */
+	BN_STACK stack;
+	/* The number of bignums currently assigned */
+	unsigned int used;
+	/* Depth of stack overflow */
+	int err_stack;
+	/* Block "gets" until an "end" (compatibility behaviour) */
+	int too_many;
+	};
 
-	ret=(BN_CTX *)OPENSSL_malloc(sizeof(BN_CTX));
-	if (ret == NULL)
+/* Enable this to find BN_CTX bugs */
+#ifdef BN_CTX_DEBUG
+static const char *ctxdbg_cur = NULL;
+static void ctxdbg(BN_CTX *ctx)
+	{
+	unsigned int bnidx = 0, fpidx = 0;
+	BN_POOL_ITEM *item = ctx->pool.head;
+	BN_STACK *stack = &ctx->stack;
+	fprintf(stderr,"(%08x): ", (unsigned int)ctx);
+	while(bnidx < ctx->used)
 		{
-		BNerr(BN_F_BN_CTX_NEW,ERR_R_MALLOC_FAILURE);
-		return(NULL);
+		fprintf(stderr,"%02x ", item->vals[bnidx++ % BN_CTX_POOL_SIZE].dmax);
+		if(!(bnidx % BN_CTX_POOL_SIZE))
+			item = item->next;
 		}
-
-	BN_CTX_init(ret);
-	ret->flags=BN_FLG_MALLOCED;
-	return(ret);
+	fprintf(stderr,"\n");
+	bnidx = 0;
+	fprintf(stderr,"          : ");
+	while(fpidx < stack->depth)
+		{
+		while(bnidx++ < stack->indexes[fpidx])
+			fprintf(stderr,"   ");
+		fprintf(stderr,"^^ ");
+		bnidx++;
+		fpidx++;
+		}
+	fprintf(stderr,"\n");
 	}
+#define CTXDBG_ENTRY(str, ctx)	do { \
+				ctxdbg_cur = (str); \
+				fprintf(stderr,"Starting %s\n", ctxdbg_cur); \
+				ctxdbg(ctx); \
+				} while(0)
+#define CTXDBG_EXIT(ctx)	do { \
+				fprintf(stderr,"Ending %s\n", ctxdbg_cur); \
+				ctxdbg(ctx); \
+				} while(0)
+#define CTXDBG_RET(ctx,ret)
+#else
+#define CTXDBG_ENTRY(str, ctx)
+#define CTXDBG_EXIT(ctx)
+#define CTXDBG_RET(ctx,ret)
+#endif
 
+/* This function is an evil legacy and should not be used. This implementation
+ * is WYSIWYG, though I've done my best. */
+#ifndef OPENSSL_NO_DEPRECATED
 void BN_CTX_init(BN_CTX *ctx)
 	{
-#if 0 /* explicit version */
-	int i;
-	ctx->tos = 0;
-	ctx->flags = 0;
-	ctx->depth = 0;
+	/* Assume the caller obtained the context via BN_CTX_new() and so is
+	 * trying to reset it for use. Nothing else makes sense, least of all
+	 * binary compatibility from a time when they could declare a static
+	 * variable. */
+	BN_POOL_reset(&ctx->pool);
+	BN_STACK_reset(&ctx->stack);
+	ctx->used = 0;
+	ctx->err_stack = 0;
 	ctx->too_many = 0;
-	for (i = 0; i < BN_CTX_NUM; i++)
-		BN_init(&(ctx->bn[i]));
-#else
-	memset(ctx, 0, sizeof *ctx);
+	}
 #endif
+
+BN_CTX *BN_CTX_new(void)
+	{
+	BN_CTX *ret = OPENSSL_malloc(sizeof(BN_CTX));
+	if(!ret)
+		{
+		BNerr(BN_F_BN_CTX_NEW,ERR_R_MALLOC_FAILURE);
+		return NULL;
+		}
+	/* Initialise the structure */
+	BN_POOL_init(&ret->pool);
+	BN_STACK_init(&ret->stack);
+	ret->used = 0;
+	ret->err_stack = 0;
+	ret->too_many = 0;
+	return ret;
 	}
 
 void BN_CTX_free(BN_CTX *ctx)
 	{
-	int i;
-
-	if (ctx == NULL) return;
-	assert(ctx->depth == 0);
-
-	for (i=0; i < BN_CTX_NUM; i++)
-		BN_clear_free(&(ctx->bn[i]));
-	if (ctx->flags & BN_FLG_MALLOCED)
-		OPENSSL_free(ctx);
+	if (ctx == NULL)
+		return;
+#ifdef BN_CTX_DEBUG
+	{
+	BN_POOL_ITEM *pool = ctx->pool.head;
+	fprintf(stderr,"BN_CTX_free, stack-size=%d, pool-bignums=%d\n",
+		ctx->stack.size, ctx->pool.size);
+	fprintf(stderr,"dmaxs: ");
+	while(pool) {
+		unsigned loop = 0;
+		while(loop < BN_CTX_POOL_SIZE)
+			fprintf(stderr,"%02x ", pool->vals[loop++].dmax);
+		pool = pool->next;
+	}
+	fprintf(stderr,"\n");
+	}
+#endif
+	BN_STACK_finish(&ctx->stack);
+	BN_POOL_finish(&ctx->pool);
+	OPENSSL_free(ctx);
 	}
 
 void BN_CTX_start(BN_CTX *ctx)
 	{
-	if (ctx->depth < BN_CTX_NUM_POS)
-		ctx->pos[ctx->depth] = ctx->tos;
-	ctx->depth++;
+	CTXDBG_ENTRY("BN_CTX_start", ctx);
+	/* If we're already overflowing ... */
+	if(ctx->err_stack || ctx->too_many)
+		ctx->err_stack++;
+	/* (Try to) get a new frame pointer */
+	else if(!BN_STACK_push(&ctx->stack, ctx->used))
+		{
+		BNerr(BN_F_BN_CTX_START,BN_R_TOO_MANY_TEMPORARY_VARIABLES);
+		ctx->err_stack++;
+		}
+	CTXDBG_EXIT(ctx);
 	}
 
+void BN_CTX_end(BN_CTX *ctx)
+	{
+	CTXDBG_ENTRY("BN_CTX_end", ctx);
+	if(ctx->err_stack)
+		ctx->err_stack--;
+	else
+		{
+		unsigned int fp = BN_STACK_pop(&ctx->stack);
+		/* Does this stack frame have anything to release? */
+		if(fp < ctx->used)
+			BN_POOL_release(&ctx->pool, ctx->used - fp);
+		ctx->used = fp;
+		/* Unjam "too_many" in case "get" had failed */
+		ctx->too_many = 0;
+		}
+	CTXDBG_EXIT(ctx);
+	}
 
 BIGNUM *BN_CTX_get(BN_CTX *ctx)
 	{
-	/* Note: If BN_CTX_get is ever changed to allocate BIGNUMs dynamically,
-	 * make sure that if BN_CTX_get fails once it will return NULL again
-	 * until BN_CTX_end is called.  (This is so that callers have to check
-	 * only the last return value.)
-	 */
-	if (ctx->depth > BN_CTX_NUM_POS || ctx->tos >= BN_CTX_NUM)
+	BIGNUM *ret;
+	CTXDBG_ENTRY("BN_CTX_get", ctx);
+	if(ctx->err_stack || ctx->too_many) return NULL;
+	if((ret = BN_POOL_get(&ctx->pool)) == NULL)
+		{
+		/* Setting too_many prevents repeated "get" attempts from
+		 * cluttering the error stack. */
+		ctx->too_many = 1;
+		BNerr(BN_F_BN_CTX_GET,BN_R_TOO_MANY_TEMPORARY_VARIABLES);
+		return NULL;
+		}
+	/* OK, make sure the returned bignum is "zero" */
+	BN_zero(ret);
+	ctx->used++;
+	CTXDBG_RET(ctx, ret);
+	return ret;
+	}
+
+/************/
+/* BN_STACK */
+/************/
+
+static void BN_STACK_init(BN_STACK *st)
+	{
+	st->indexes = NULL;
+	st->depth = st->size = 0;
+	}
+
+static void BN_STACK_finish(BN_STACK *st)
+	{
+	if(st->size) OPENSSL_free(st->indexes);
+	}
+
+#ifndef OPENSSL_NO_DEPRECATED
+static void BN_STACK_reset(BN_STACK *st)
+	{
+	st->depth = 0;
+	}
+#endif
+
+static int BN_STACK_push(BN_STACK *st, unsigned int idx)
+	{
+	if(st->depth == st->size)
+		/* Need to expand */
+		{
+		unsigned int newsize = (st->size ?
+				(st->size * 3 / 2) : BN_CTX_START_FRAMES);
+		unsigned int *newitems = OPENSSL_malloc(newsize *
+						sizeof(unsigned int));
+		if(!newitems) return 0;
+		if(st->depth)
+			memcpy(newitems, st->indexes, st->depth *
+						sizeof(unsigned int));
+		if(st->size) OPENSSL_free(st->indexes);
+		st->indexes = newitems;
+		st->size = newsize;
+		}
+	st->indexes[(st->depth)++] = idx;
+	return 1;
+	}
+
+static unsigned int BN_STACK_pop(BN_STACK *st)
+	{
+	return st->indexes[--(st->depth)];
+	}
+
+/***********/
+/* BN_POOL */
+/***********/
+
+static void BN_POOL_init(BN_POOL *p)
+	{
+	p->head = p->current = p->tail = NULL;
+	p->used = p->size = 0;
+	}
+
+static void BN_POOL_finish(BN_POOL *p)
+	{
+	while(p->head)
 		{
-		if (!ctx->too_many)
+		unsigned int loop = 0;
+		BIGNUM *bn = p->head->vals;
+		while(loop++ < BN_CTX_POOL_SIZE)
 			{
-			BNerr(BN_F_BN_CTX_GET,BN_R_TOO_MANY_TEMPORARY_VARIABLES);
-			/* disable error code until BN_CTX_end is called: */
-			ctx->too_many = 1;
+			if(bn->d) BN_clear_free(bn);
+			bn++;
 			}
-		return NULL;
+		p->current = p->head->next;
+		OPENSSL_free(p->head);
+		p->head = p->current;
 		}
-	return (&(ctx->bn[ctx->tos++]));
 	}
 
-void BN_CTX_end(BN_CTX *ctx)
+#ifndef OPENSSL_NO_DEPRECATED
+static void BN_POOL_reset(BN_POOL *p)
 	{
-	if (ctx == NULL) return;
-	assert(ctx->depth > 0);
-	if (ctx->depth == 0)
-		/* should never happen, but we can tolerate it if not in
-		 * debug mode (could be a 'goto err' in the calling function
-		 * before BN_CTX_start was reached) */
-		BN_CTX_start(ctx);
+	BN_POOL_ITEM *item = p->head;
+	while(item)
+		{
+		unsigned int loop = 0;
+		BIGNUM *bn = item->vals;
+		while(loop++ < BN_CTX_POOL_SIZE)
+			{
+			if(bn->d) BN_clear(bn);
+			bn++;
+			}
+		item = item->next;
+		}
+	p->current = p->head;
+	p->used = 0;
+	}
+#endif
 
-	ctx->too_many = 0;
-	ctx->depth--;
-	if (ctx->depth < BN_CTX_NUM_POS)
-		ctx->tos = ctx->pos[ctx->depth];
+static BIGNUM *BN_POOL_get(BN_POOL *p)
+	{
+	if(p->used == p->size)
+		{
+		BIGNUM *bn;
+		unsigned int loop = 0;
+		BN_POOL_ITEM *item = OPENSSL_malloc(sizeof(BN_POOL_ITEM));
+		if(!item) return NULL;
+		/* Initialise the structure */
+		bn = item->vals;
+		while(loop++ < BN_CTX_POOL_SIZE)
+			BN_init(bn++);
+		item->prev = p->tail;
+		item->next = NULL;
+		/* Link it in */
+		if(!p->head)
+			p->head = p->current = p->tail = item;
+		else
+			{
+			p->tail->next = item;
+			p->tail = item;
+			p->current = item;
+			}
+		p->size += BN_CTX_POOL_SIZE;
+		p->used++;
+		/* Return the first bignum from the new pool */
+		return item->vals;
+		}
+	if(!p->used)
+		p->current = p->head;
+	else if((p->used % BN_CTX_POOL_SIZE) == 0)
+		p->current = p->current->next;
+	return p->current->vals + ((p->used++) % BN_CTX_POOL_SIZE);
+	}
+
+static void BN_POOL_release(BN_POOL *p, unsigned int num)
+	{
+	unsigned int offset = (p->used - 1) % BN_CTX_POOL_SIZE;
+	p->used -= num;
+	while(num--)
+		{
+		bn_check_top(p->current->vals + offset);
+		if(!offset)
+			{
+			offset = BN_CTX_POOL_SIZE - 1;
+			p->current = p->current->prev;
+			}
+		else
+			offset--;
+		}
 	}
+
diff --git a/crypto/openssl/crypto/bn/bn_depr.c b/crypto/openssl/crypto/bn/bn_depr.c
new file mode 100644
index 000000000000..27535e4fca00
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_depr.c
@@ -0,0 +1,112 @@
+/* crypto/bn/bn_depr.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Support for deprecated functions goes here - static linkage will only slurp
+ * this code if applications are using them directly. */
+
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+#include <openssl/rand.h>
+
+static void *dummy=&dummy;
+
+#ifndef OPENSSL_NO_DEPRECATED
+BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
+	const BIGNUM *add, const BIGNUM *rem,
+	void (*callback)(int,int,void *), void *cb_arg)
+	{
+	BN_GENCB cb;
+	BIGNUM *rnd=NULL;
+	int found = 0;
+
+	BN_GENCB_set_old(&cb, callback, cb_arg);
+
+	if (ret == NULL)
+		{
+		if ((rnd=BN_new()) == NULL) goto err;
+		}
+	else
+		rnd=ret;
+	if(!BN_generate_prime_ex(rnd, bits, safe, add, rem, &cb))
+		goto err;
+
+	/* we have a prime :-) */
+	found = 1;
+err:
+	if (!found && (ret == NULL) && (rnd != NULL)) BN_free(rnd);
+	return(found ? rnd : NULL);
+	}
+
+int BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int,int,void *),
+	BN_CTX *ctx_passed, void *cb_arg)
+	{
+	BN_GENCB cb;
+	BN_GENCB_set_old(&cb, callback, cb_arg);
+	return BN_is_prime_ex(a, checks, ctx_passed, &cb);
+	}
+
+int BN_is_prime_fasttest(const BIGNUM *a, int checks,
+		void (*callback)(int,int,void *),
+		BN_CTX *ctx_passed, void *cb_arg,
+		int do_trial_division)
+	{
+	BN_GENCB cb;
+	BN_GENCB_set_old(&cb, callback, cb_arg);
+	return BN_is_prime_fasttest_ex(a, checks, ctx_passed,
+				do_trial_division, &cb);
+	}
+#endif
diff --git a/crypto/openssl/crypto/bn/bn_div.c b/crypto/openssl/crypto/bn/bn_div.c
index 580d1201bc25..2857f44861a7 100644
--- a/crypto/openssl/crypto/bn/bn_div.c
+++ b/crypto/openssl/crypto/bn/bn_div.c
@@ -179,12 +179,14 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
 int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	   BN_CTX *ctx)
 	{
-	int norm_shift,i,j,loop;
+	int norm_shift,i,loop;
 	BIGNUM *tmp,wnum,*snum,*sdiv,*res;
 	BN_ULONG *resp,*wnump;
 	BN_ULONG d0,d1;
 	int num_n,div_n;
 
+	bn_check_top(dv);
+	bn_check_top(rm);
 	bn_check_top(num);
 	bn_check_top(divisor);
 
@@ -210,7 +212,6 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 		res=BN_CTX_get(ctx);
 	else	res=dv;
 	if (sdiv == NULL || res == NULL) goto err;
-	tmp->neg=0;
 
 	/* First we normalise the numbers */
 	norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2);
@@ -222,17 +223,17 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	div_n=sdiv->top;
 	num_n=snum->top;
 	loop=num_n-div_n;
-
 	/* Lets setup a 'window' into snum
 	 * This is the part that corresponds to the current
 	 * 'area' being divided */
-	BN_init(&wnum);
-	wnum.d=	 &(snum->d[loop]);
-	wnum.top= div_n;
-	wnum.dmax= snum->dmax+1; /* a bit of a lie */
+	wnum.neg   = 0;
+	wnum.d     = &(snum->d[loop]);
+	wnum.top   = div_n;
+	/* only needed when BN_ucmp messes up the values between top and max */
+	wnum.dmax  = snum->dmax - loop; /* so we don't step out of bounds */
 
 	/* Get the top 2 words of sdiv */
-	/* i=sdiv->top; */
+	/* div_n=sdiv->top; */
 	d0=sdiv->d[div_n-1];
 	d1=(div_n == 1)?0:sdiv->d[div_n-2];
 
@@ -250,19 +251,28 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 
 	if (BN_ucmp(&wnum,sdiv) >= 0)
 		{
-		if (!BN_usub(&wnum,&wnum,sdiv)) goto err;
+		/* If BN_DEBUG_RAND is defined BN_ucmp changes (via
+		 * bn_pollute) the const bignum arguments =>
+		 * clean the values between top and max again */
+		bn_clear_top2max(&wnum);
+		bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
 		*resp=1;
-		res->d[res->top-1]=1;
 		}
 	else
 		res->top--;
+	/* if res->top == 0 then clear the neg value otherwise decrease
+	 * the resp pointer */
 	if (res->top == 0)
 		res->neg = 0;
-	resp--;
+	else
+		resp--;
 
-	for (i=0; i<loop-1; i++)
+	for (i=0; i<loop-1; i++, wnump--, resp--)
 		{
 		BN_ULONG q,l0;
+		/* the first part of the loop uses the top two words of
+		 * snum and sdiv to calculate a BN_ULONG q such that
+		 * | wnum - sdiv * q | < sdiv */
 #if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
 		BN_ULONG bn_div_3_words(BN_ULONG*,BN_ULONG,BN_ULONG);
 		q=bn_div_3_words(wnump,d1,d0);
@@ -346,27 +356,28 @@ X) -> 0x%08X\n",
 #endif /* !BN_DIV3W */
 
 		l0=bn_mul_words(tmp->d,sdiv->d,div_n,q);
-		wnum.d--; wnum.top++;
 		tmp->d[div_n]=l0;
-		for (j=div_n+1; j>0; j--)
-			if (tmp->d[j-1]) break;
-		tmp->top=j;
-
-		j=wnum.top;
-		if (!BN_sub(&wnum,&wnum,tmp)) goto err;
-
-		snum->top=snum->top+wnum.top-j;
-
-		if (wnum.neg)
+		wnum.d--;
+		/* ingore top values of the bignums just sub the two 
+		 * BN_ULONG arrays with bn_sub_words */
+		if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n+1))
 			{
+			/* Note: As we have considered only the leading
+			 * two BN_ULONGs in the calculation of q, sdiv * q
+			 * might be greater than wnum (but then (q-1) * sdiv
+			 * is less or equal than wnum)
+			 */
 			q--;
-			j=wnum.top;
-			if (!BN_add(&wnum,&wnum,sdiv)) goto err;
-			snum->top+=wnum.top-j;
+			if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
+				/* we can't have an overflow here (assuming
+				 * that q != 0, but if q == 0 then tmp is
+				 * zero anyway) */
+				(*wnump)++;
 			}
-		*(resp--)=q;
-		wnump--;
+		/* store part of the result */
+		*resp = q;
 		}
+	bn_correct_top(snum);
 	if (rm != NULL)
 		{
 		/* Keep a copy of the neg flag in num because if rm==num
@@ -376,10 +387,12 @@ X) -> 0x%08X\n",
 		BN_rshift(rm,snum,norm_shift);
 		if (!BN_is_zero(rm))
 			rm->neg = neg;
+		bn_check_top(rm);
 		}
 	BN_CTX_end(ctx);
 	return(1);
 err:
+	bn_check_top(rm);
 	BN_CTX_end(ctx);
 	return(0);
 	}
diff --git a/crypto/openssl/crypto/bn/bn_err.c b/crypto/openssl/crypto/bn/bn_err.c
index fb84ee96d8d2..a253959a5c94 100644
--- a/crypto/openssl/crypto/bn/bn_err.c
+++ b/crypto/openssl/crypto/bn/bn_err.c
@@ -1,6 +1,6 @@
 /* crypto/bn/bn_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,52 +64,72 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BN,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BN,0,reason)
+
 static ERR_STRING_DATA BN_str_functs[]=
 	{
-{ERR_PACK(0,BN_F_BN_BLINDING_CONVERT,0),	"BN_BLINDING_convert"},
-{ERR_PACK(0,BN_F_BN_BLINDING_INVERT,0),	"BN_BLINDING_invert"},
-{ERR_PACK(0,BN_F_BN_BLINDING_NEW,0),	"BN_BLINDING_new"},
-{ERR_PACK(0,BN_F_BN_BLINDING_UPDATE,0),	"BN_BLINDING_update"},
-{ERR_PACK(0,BN_F_BN_BN2DEC,0),	"BN_bn2dec"},
-{ERR_PACK(0,BN_F_BN_BN2HEX,0),	"BN_bn2hex"},
-{ERR_PACK(0,BN_F_BN_CTX_GET,0),	"BN_CTX_get"},
-{ERR_PACK(0,BN_F_BN_CTX_NEW,0),	"BN_CTX_new"},
-{ERR_PACK(0,BN_F_BN_DIV,0),	"BN_div"},
-{ERR_PACK(0,BN_F_BN_EXPAND2,0),	"bn_expand2"},
-{ERR_PACK(0,BN_F_BN_EXPAND_INTERNAL,0),	"BN_EXPAND_INTERNAL"},
-{ERR_PACK(0,BN_F_BN_MOD_EXP2_MONT,0),	"BN_mod_exp2_mont"},
-{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT,0),	"BN_mod_exp_mont"},
-{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT_WORD,0),	"BN_mod_exp_mont_word"},
-{ERR_PACK(0,BN_F_BN_MOD_INVERSE,0),	"BN_mod_inverse"},
-{ERR_PACK(0,BN_F_BN_MOD_LSHIFT_QUICK,0),	"BN_mod_lshift_quick"},
-{ERR_PACK(0,BN_F_BN_MOD_MUL_RECIPROCAL,0),	"BN_mod_mul_reciprocal"},
-{ERR_PACK(0,BN_F_BN_MOD_SQRT,0),	"BN_mod_sqrt"},
-{ERR_PACK(0,BN_F_BN_MPI2BN,0),	"BN_mpi2bn"},
-{ERR_PACK(0,BN_F_BN_NEW,0),	"BN_new"},
-{ERR_PACK(0,BN_F_BN_RAND,0),	"BN_rand"},
-{ERR_PACK(0,BN_F_BN_RAND_RANGE,0),	"BN_rand_range"},
-{ERR_PACK(0,BN_F_BN_USUB,0),	"BN_usub"},
+{ERR_FUNC(BN_F_BNRAND),	"BNRAND"},
+{ERR_FUNC(BN_F_BN_BLINDING_CONVERT_EX),	"BN_BLINDING_convert_ex"},
+{ERR_FUNC(BN_F_BN_BLINDING_CREATE_PARAM),	"BN_BLINDING_create_param"},
+{ERR_FUNC(BN_F_BN_BLINDING_INVERT_EX),	"BN_BLINDING_invert_ex"},
+{ERR_FUNC(BN_F_BN_BLINDING_NEW),	"BN_BLINDING_new"},
+{ERR_FUNC(BN_F_BN_BLINDING_UPDATE),	"BN_BLINDING_update"},
+{ERR_FUNC(BN_F_BN_BN2DEC),	"BN_bn2dec"},
+{ERR_FUNC(BN_F_BN_BN2HEX),	"BN_bn2hex"},
+{ERR_FUNC(BN_F_BN_CTX_GET),	"BN_CTX_get"},
+{ERR_FUNC(BN_F_BN_CTX_NEW),	"BN_CTX_new"},
+{ERR_FUNC(BN_F_BN_CTX_START),	"BN_CTX_start"},
+{ERR_FUNC(BN_F_BN_DIV),	"BN_div"},
+{ERR_FUNC(BN_F_BN_DIV_RECP),	"BN_div_recp"},
+{ERR_FUNC(BN_F_BN_EXP),	"BN_exp"},
+{ERR_FUNC(BN_F_BN_EXPAND2),	"bn_expand2"},
+{ERR_FUNC(BN_F_BN_EXPAND_INTERNAL),	"BN_EXPAND_INTERNAL"},
+{ERR_FUNC(BN_F_BN_GF2M_MOD),	"BN_GF2m_mod"},
+{ERR_FUNC(BN_F_BN_GF2M_MOD_EXP),	"BN_GF2m_mod_exp"},
+{ERR_FUNC(BN_F_BN_GF2M_MOD_MUL),	"BN_GF2m_mod_mul"},
+{ERR_FUNC(BN_F_BN_GF2M_MOD_SOLVE_QUAD),	"BN_GF2m_mod_solve_quad"},
+{ERR_FUNC(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR),	"BN_GF2m_mod_solve_quad_arr"},
+{ERR_FUNC(BN_F_BN_GF2M_MOD_SQR),	"BN_GF2m_mod_sqr"},
+{ERR_FUNC(BN_F_BN_GF2M_MOD_SQRT),	"BN_GF2m_mod_sqrt"},
+{ERR_FUNC(BN_F_BN_MOD_EXP2_MONT),	"BN_mod_exp2_mont"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_MONT),	"BN_mod_exp_mont"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_MONT_CONSTTIME),	"BN_mod_exp_mont_consttime"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_MONT_WORD),	"BN_mod_exp_mont_word"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_RECP),	"BN_mod_exp_recp"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_SIMPLE),	"BN_mod_exp_simple"},
+{ERR_FUNC(BN_F_BN_MOD_INVERSE),	"BN_mod_inverse"},
+{ERR_FUNC(BN_F_BN_MOD_LSHIFT_QUICK),	"BN_mod_lshift_quick"},
+{ERR_FUNC(BN_F_BN_MOD_MUL_RECIPROCAL),	"BN_mod_mul_reciprocal"},
+{ERR_FUNC(BN_F_BN_MOD_SQRT),	"BN_mod_sqrt"},
+{ERR_FUNC(BN_F_BN_MPI2BN),	"BN_mpi2bn"},
+{ERR_FUNC(BN_F_BN_NEW),	"BN_new"},
+{ERR_FUNC(BN_F_BN_RAND),	"BN_rand"},
+{ERR_FUNC(BN_F_BN_RAND_RANGE),	"BN_rand_range"},
+{ERR_FUNC(BN_F_BN_USUB),	"BN_usub"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA BN_str_reasons[]=
 	{
-{BN_R_ARG2_LT_ARG3                       ,"arg2 lt arg3"},
-{BN_R_BAD_RECIPROCAL                     ,"bad reciprocal"},
-{BN_R_BIGNUM_TOO_LONG                    ,"bignum too long"},
-{BN_R_CALLED_WITH_EVEN_MODULUS           ,"called with even modulus"},
-{BN_R_DIV_BY_ZERO                        ,"div by zero"},
-{BN_R_ENCODING_ERROR                     ,"encoding error"},
-{BN_R_EXPAND_ON_STATIC_BIGNUM_DATA       ,"expand on static bignum data"},
-{BN_R_INPUT_NOT_REDUCED                  ,"input not reduced"},
-{BN_R_INVALID_LENGTH                     ,"invalid length"},
-{BN_R_INVALID_RANGE                      ,"invalid range"},
-{BN_R_NOT_A_SQUARE                       ,"not a square"},
-{BN_R_NOT_INITIALIZED                    ,"not initialized"},
-{BN_R_NO_INVERSE                         ,"no inverse"},
-{BN_R_P_IS_NOT_PRIME                     ,"p is not prime"},
-{BN_R_TOO_MANY_ITERATIONS                ,"too many iterations"},
-{BN_R_TOO_MANY_TEMPORARY_VARIABLES       ,"too many temporary variables"},
+{ERR_REASON(BN_R_ARG2_LT_ARG3)           ,"arg2 lt arg3"},
+{ERR_REASON(BN_R_BAD_RECIPROCAL)         ,"bad reciprocal"},
+{ERR_REASON(BN_R_BIGNUM_TOO_LONG)        ,"bignum too long"},
+{ERR_REASON(BN_R_CALLED_WITH_EVEN_MODULUS),"called with even modulus"},
+{ERR_REASON(BN_R_DIV_BY_ZERO)            ,"div by zero"},
+{ERR_REASON(BN_R_ENCODING_ERROR)         ,"encoding error"},
+{ERR_REASON(BN_R_EXPAND_ON_STATIC_BIGNUM_DATA),"expand on static bignum data"},
+{ERR_REASON(BN_R_INPUT_NOT_REDUCED)      ,"input not reduced"},
+{ERR_REASON(BN_R_INVALID_LENGTH)         ,"invalid length"},
+{ERR_REASON(BN_R_INVALID_RANGE)          ,"invalid range"},
+{ERR_REASON(BN_R_NOT_A_SQUARE)           ,"not a square"},
+{ERR_REASON(BN_R_NOT_INITIALIZED)        ,"not initialized"},
+{ERR_REASON(BN_R_NO_INVERSE)             ,"no inverse"},
+{ERR_REASON(BN_R_NO_SOLUTION)            ,"no solution"},
+{ERR_REASON(BN_R_P_IS_NOT_PRIME)         ,"p is not prime"},
+{ERR_REASON(BN_R_TOO_MANY_ITERATIONS)    ,"too many iterations"},
+{ERR_REASON(BN_R_TOO_MANY_TEMPORARY_VARIABLES),"too many temporary variables"},
 {0,NULL}
 	};
 
@@ -123,8 +143,8 @@ void ERR_load_BN_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_BN,BN_str_functs);
-		ERR_load_strings(ERR_LIB_BN,BN_str_reasons);
+		ERR_load_strings(0,BN_str_functs);
+		ERR_load_strings(0,BN_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/bn/bn_exp.c b/crypto/openssl/crypto/bn/bn_exp.c
index afdfd580fb43..8f8c69448191 100644
--- a/crypto/openssl/crypto/bn/bn_exp.c
+++ b/crypto/openssl/crypto/bn/bn_exp.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -113,6 +113,7 @@
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
+/* maximum precomputation table size for *variable* sliding windows */
 #define TABLE_SIZE	32
 
 /* this one works - simple but works */
@@ -121,6 +122,13 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 	int i,bits,ret=0;
 	BIGNUM *v,*rr;
 
+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		/* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+		BNerr(BN_F_BN_EXP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return -1;
+		}
+
 	BN_CTX_start(ctx);
 	if ((r == a) || (r == p))
 		rr = BN_CTX_get(ctx);
@@ -147,6 +155,7 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 err:
 	if (r != rr) BN_copy(r,rr);
 	BN_CTX_end(ctx);
+	bn_check_top(r);
 	return(ret);
 	}
 
@@ -204,7 +213,7 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	if (BN_is_odd(m))
 		{
 #  ifdef MONT_EXP_WORD
-		if (a->top == 1 && !a->neg)
+		if (a->top == 1 && !a->neg && (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) == 0))
 			{
 			BN_ULONG A = a->d[0];
 			ret=BN_mod_exp_mont_word(r,A,p,m,ctx,NULL);
@@ -221,6 +230,7 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 		{ ret=BN_mod_exp_simple(r,a,p,m,ctx); }
 #endif
 
+	bn_check_top(r);
 	return(ret);
 	}
 
@@ -229,11 +239,19 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		    const BIGNUM *m, BN_CTX *ctx)
 	{
 	int i,j,bits,ret=0,wstart,wend,window,wvalue;
-	int start=1,ts=0;
+	int start=1;
 	BIGNUM *aa;
-	BIGNUM val[TABLE_SIZE];
+	/* Table of variables obtained from 'ctx' */
+	BIGNUM *val[TABLE_SIZE];
 	BN_RECP_CTX recp;
 
+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		/* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+		BNerr(BN_F_BN_MOD_EXP_RECP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return -1;
+		}
+
 	bits=BN_num_bits(p);
 
 	if (bits == 0)
@@ -243,7 +261,9 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		}
 
 	BN_CTX_start(ctx);
-	if ((aa = BN_CTX_get(ctx)) == NULL) goto err;
+	aa = BN_CTX_get(ctx);
+	val[0] = BN_CTX_get(ctx);
+	if(!aa || !val[0]) goto err;
 
 	BN_RECP_CTX_init(&recp);
 	if (m->neg)
@@ -258,29 +278,27 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		if (BN_RECP_CTX_set(&recp,m,ctx) <= 0) goto err;
 		}
 
-	BN_init(&(val[0]));
-	ts=1;
-
-	if (!BN_nnmod(&(val[0]),a,m,ctx)) goto err;		/* 1 */
-	if (BN_is_zero(&(val[0])))
+	if (!BN_nnmod(val[0],a,m,ctx)) goto err;		/* 1 */
+	if (BN_is_zero(val[0]))
 		{
-		ret = BN_zero(r);
+		BN_zero(r);
+		ret = 1;
 		goto err;
 		}
 
 	window = BN_window_bits_for_exponent_size(bits);
 	if (window > 1)
 		{
-		if (!BN_mod_mul_reciprocal(aa,&(val[0]),&(val[0]),&recp,ctx))
+		if (!BN_mod_mul_reciprocal(aa,val[0],val[0],&recp,ctx))
 			goto err;				/* 2 */
 		j=1<<(window-1);
 		for (i=1; i<j; i++)
 			{
-			BN_init(&val[i]);
-			if (!BN_mod_mul_reciprocal(&(val[i]),&(val[i-1]),aa,&recp,ctx))
+			if(((val[i] = BN_CTX_get(ctx)) == NULL) ||
+					!BN_mod_mul_reciprocal(val[i],val[i-1],
+						aa,&recp,ctx))
 				goto err;
 			}
-		ts=i;
 		}
 		
 	start=1;	/* This is used to avoid multiplication etc
@@ -332,7 +350,7 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 				}
 		
 		/* wvalue will be an odd number < 2^window */
-		if (!BN_mod_mul_reciprocal(r,r,&(val[wvalue>>1]),&recp,ctx))
+		if (!BN_mod_mul_reciprocal(r,r,val[wvalue>>1],&recp,ctx))
 			goto err;
 
 		/* move the 'window' down further */
@@ -344,9 +362,8 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	ret=1;
 err:
 	BN_CTX_end(ctx);
-	for (i=0; i<ts; i++)
-		BN_clear_free(&(val[i]));
 	BN_RECP_CTX_free(&recp);
+	bn_check_top(r);
 	return(ret);
 	}
 
@@ -355,17 +372,23 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 		    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
 	{
 	int i,j,bits,ret=0,wstart,wend,window,wvalue;
-	int start=1,ts=0;
+	int start=1;
 	BIGNUM *d,*r;
 	const BIGNUM *aa;
-	BIGNUM val[TABLE_SIZE];
+	/* Table of variables obtained from 'ctx' */
+	BIGNUM *val[TABLE_SIZE];
 	BN_MONT_CTX *mont=NULL;
 
+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont);
+		}
+
 	bn_check_top(a);
 	bn_check_top(p);
 	bn_check_top(m);
 
-	if (!(m->d[0] & 1))
+	if (!BN_is_odd(m))
 		{
 		BNerr(BN_F_BN_MOD_EXP_MONT,BN_R_CALLED_WITH_EVEN_MODULUS);
 		return(0);
@@ -380,7 +403,8 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 	BN_CTX_start(ctx);
 	d = BN_CTX_get(ctx);
 	r = BN_CTX_get(ctx);
-	if (d == NULL || r == NULL) goto err;
+	val[0] = BN_CTX_get(ctx);
+	if (!d || !r || !val[0]) goto err;
 
 	/* If this is not done, things will break in the montgomery
 	 * part */
@@ -393,35 +417,34 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 		if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
 		}
 
-	BN_init(&val[0]);
-	ts=1;
 	if (a->neg || BN_ucmp(a,m) >= 0)
 		{
-		if (!BN_nnmod(&(val[0]),a,m,ctx))
+		if (!BN_nnmod(val[0],a,m,ctx))
 			goto err;
-		aa= &(val[0]);
+		aa= val[0];
 		}
 	else
 		aa=a;
 	if (BN_is_zero(aa))
 		{
-		ret = BN_zero(rr);
+		BN_zero(rr);
+		ret = 1;
 		goto err;
 		}
-	if (!BN_to_montgomery(&(val[0]),aa,mont,ctx)) goto err; /* 1 */
+	if (!BN_to_montgomery(val[0],aa,mont,ctx)) goto err; /* 1 */
 
 	window = BN_window_bits_for_exponent_size(bits);
 	if (window > 1)
 		{
-		if (!BN_mod_mul_montgomery(d,&(val[0]),&(val[0]),mont,ctx)) goto err; /* 2 */
+		if (!BN_mod_mul_montgomery(d,val[0],val[0],mont,ctx)) goto err; /* 2 */
 		j=1<<(window-1);
 		for (i=1; i<j; i++)
 			{
-			BN_init(&(val[i]));
-			if (!BN_mod_mul_montgomery(&(val[i]),&(val[i-1]),d,mont,ctx))
+			if(((val[i] = BN_CTX_get(ctx)) == NULL) ||
+					!BN_mod_mul_montgomery(val[i],val[i-1],
+						d,mont,ctx))
 				goto err;
 			}
-		ts=i;
 		}
 
 	start=1;	/* This is used to avoid multiplication etc
@@ -474,7 +497,7 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 				}
 		
 		/* wvalue will be an odd number < 2^window */
-		if (!BN_mod_mul_montgomery(r,r,&(val[wvalue>>1]),mont,ctx))
+		if (!BN_mod_mul_montgomery(r,r,val[wvalue>>1],mont,ctx))
 			goto err;
 
 		/* move the 'window' down further */
@@ -488,8 +511,213 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 err:
 	if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
 	BN_CTX_end(ctx);
-	for (i=0; i<ts; i++)
-		BN_clear_free(&(val[i]));
+	bn_check_top(rr);
+	return(ret);
+	}
+
+
+/* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout
+ * so that accessing any of these table values shows the same access pattern as far
+ * as cache lines are concerned.  The following functions are used to transfer a BIGNUM
+ * from/to that table. */
+
+static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
+	{
+	size_t i, j;
+
+	if (bn_wexpand(b, top) == NULL)
+		return 0;
+	while (b->top < top)
+		{
+		b->d[b->top++] = 0;
+		}
+	
+	for (i = 0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
+		{
+		buf[j] = ((unsigned char*)b->d)[i];
+		}
+
+	bn_correct_top(b);
+	return 1;
+	}
+
+static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
+	{
+	size_t i, j;
+
+	if (bn_wexpand(b, top) == NULL)
+		return 0;
+
+	for (i=0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
+		{
+		((unsigned char*)b->d)[i] = buf[j];
+		}
+
+	b->top = top;
+	bn_correct_top(b);
+	return 1;
+	}	
+
+/* Given a pointer value, compute the next address that is a cache line multiple. */
+#define MOD_EXP_CTIME_ALIGN(x_) \
+	((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ULONG)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
+
+/* This variant of BN_mod_exp_mont() uses fixed windows and the special
+ * precomputation memory layout to limit data-dependency to a minimum
+ * to protect secret exponents (cf. the hyper-threading timing attacks
+ * pointed out by Colin Percival,
+ * http://www.daemonology.net/hyperthreading-considered-harmful/)
+ */
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+		    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+	{
+	int i,bits,ret=0,idx,window,wvalue;
+	int top;
+ 	BIGNUM *r;
+	const BIGNUM *aa;
+	BN_MONT_CTX *mont=NULL;
+
+	int numPowers;
+	unsigned char *powerbufFree=NULL;
+	int powerbufLen = 0;
+	unsigned char *powerbuf=NULL;
+	BIGNUM *computeTemp=NULL, *am=NULL;
+
+	bn_check_top(a);
+	bn_check_top(p);
+	bn_check_top(m);
+
+	top = m->top;
+
+	if (!(m->d[0] & 1))
+		{
+		BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME,BN_R_CALLED_WITH_EVEN_MODULUS);
+		return(0);
+		}
+	bits=BN_num_bits(p);
+	if (bits == 0)
+		{
+		ret = BN_one(rr);
+		return ret;
+		}
+
+ 	/* Initialize BIGNUM context and allocate intermediate result */
+	BN_CTX_start(ctx);
+	r = BN_CTX_get(ctx);
+	if (r == NULL) goto err;
+
+	/* Allocate a montgomery context if it was not supplied by the caller.
+	 * If this is not done, things will break in the montgomery part.
+ 	 */
+	if (in_mont != NULL)
+		mont=in_mont;
+	else
+		{
+		if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
+		if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
+		}
+
+	/* Get the window size to use with size of p. */
+	window = BN_window_bits_for_ctime_exponent_size(bits);
+
+	/* Allocate a buffer large enough to hold all of the pre-computed
+	 * powers of a.
+	 */
+	numPowers = 1 << window;
+	powerbufLen = sizeof(m->d[0])*top*numPowers;
+	if ((powerbufFree=(unsigned char*)OPENSSL_malloc(powerbufLen+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL)
+		goto err;
+		
+	powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
+	memset(powerbuf, 0, powerbufLen);
+
+ 	/* Initialize the intermediate result. Do this early to save double conversion,
+	 * once each for a^0 and intermediate result.
+	 */
+ 	if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
+	if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, numPowers)) goto err;
+
+	/* Initialize computeTemp as a^1 with montgomery precalcs */
+	computeTemp = BN_CTX_get(ctx);
+	am = BN_CTX_get(ctx);
+	if (computeTemp==NULL || am==NULL) goto err;
+
+	if (a->neg || BN_ucmp(a,m) >= 0)
+		{
+		if (!BN_mod(am,a,m,ctx))
+			goto err;
+		aa= am;
+		}
+	else
+		aa=a;
+	if (!BN_to_montgomery(am,aa,mont,ctx)) goto err;
+	if (!BN_copy(computeTemp, am)) goto err;
+	if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, numPowers)) goto err;
+
+	/* If the window size is greater than 1, then calculate
+	 * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
+	 * (even powers could instead be computed as (a^(i/2))^2
+	 * to use the slight performance advantage of sqr over mul).
+	 */
+	if (window > 1)
+		{
+		for (i=2; i<numPowers; i++)
+			{
+			/* Calculate a^i = a^(i-1) * a */
+			if (!BN_mod_mul_montgomery(computeTemp,am,computeTemp,mont,ctx))
+				goto err;
+			if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i, numPowers)) goto err;
+			}
+		}
+
+ 	/* Adjust the number of bits up to a multiple of the window size.
+ 	 * If the exponent length is not a multiple of the window size, then
+ 	 * this pads the most significant bits with zeros to normalize the
+ 	 * scanning loop to there's no special cases.
+ 	 *
+ 	 * * NOTE: Making the window size a power of two less than the native
+	 * * word size ensures that the padded bits won't go past the last
+ 	 * * word in the internal BIGNUM structure. Going past the end will
+ 	 * * still produce the correct result, but causes a different branch
+ 	 * * to be taken in the BN_is_bit_set function.
+ 	 */
+ 	bits = ((bits+window-1)/window)*window;
+ 	idx=bits-1;	/* The top bit of the window */
+
+ 	/* Scan the exponent one window at a time starting from the most
+ 	 * significant bits.
+ 	 */
+ 	while (idx >= 0)
+  		{
+ 		wvalue=0; /* The 'value' of the window */
+ 		
+ 		/* Scan the window, squaring the result as we go */
+ 		for (i=0; i<window; i++,idx--)
+ 			{
+			if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))	goto err;
+			wvalue = (wvalue<<1)+BN_is_bit_set(p,idx);
+  			}
+ 		
+		/* Fetch the appropriate pre-computed value from the pre-buf */
+		if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(computeTemp, top, powerbuf, wvalue, numPowers)) goto err;
+
+ 		/* Multiply the result into the intermediate result */
+ 		if (!BN_mod_mul_montgomery(r,r,computeTemp,mont,ctx)) goto err;
+  		}
+
+ 	/* Convert the final result from montgomery to standard format */
+	if (!BN_from_montgomery(rr,r,mont,ctx)) goto err;
+	ret=1;
+err:
+	if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
+	if (powerbuf!=NULL)
+		{
+		OPENSSL_cleanse(powerbuf,powerbufLen);
+		OPENSSL_free(powerbufFree);
+		}
+ 	if (am!=NULL) BN_clear(am);
+ 	if (computeTemp!=NULL) BN_clear(computeTemp);
+	BN_CTX_end(ctx);
 	return(ret);
 	}
 
@@ -517,10 +745,17 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 #define BN_TO_MONTGOMERY_WORD(r, w, mont) \
 		(BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))
 
+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		/* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+		BNerr(BN_F_BN_MOD_EXP_MONT_WORD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return -1;
+		}
+
 	bn_check_top(p);
 	bn_check_top(m);
 
-	if (m->top == 0 || !(m->d[0] & 1))
+	if (!BN_is_odd(m))
 		{
 		BNerr(BN_F_BN_MOD_EXP_MONT_WORD,BN_R_CALLED_WITH_EVEN_MODULUS);
 		return(0);
@@ -536,7 +771,8 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 		}
 	if (a == 0)
 		{
-		ret = BN_zero(rr);
+		BN_zero(rr);
+		ret = 1;
 		return ret;
 		}
 
@@ -630,19 +866,27 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 err:
 	if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
 	BN_CTX_end(ctx);
+	bn_check_top(rr);
 	return(ret);
 	}
 
 
 /* The old fallback, simple version :-) */
-int BN_mod_exp_simple(BIGNUM *r,
-	const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
-	BN_CTX *ctx)
+int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx)
 	{
-	int i,j,bits,ret=0,wstart,wend,window,wvalue,ts=0;
+	int i,j,bits,ret=0,wstart,wend,window,wvalue;
 	int start=1;
 	BIGNUM *d;
-	BIGNUM val[TABLE_SIZE];
+	/* Table of variables obtained from 'ctx' */
+	BIGNUM *val[TABLE_SIZE];
+
+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		/* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+		BNerr(BN_F_BN_MOD_EXP_SIMPLE,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return -1;
+		}
 
 	bits=BN_num_bits(p);
 
@@ -653,30 +897,30 @@ int BN_mod_exp_simple(BIGNUM *r,
 		}
 
 	BN_CTX_start(ctx);
-	if ((d = BN_CTX_get(ctx)) == NULL) goto err;
+	d = BN_CTX_get(ctx);
+	val[0] = BN_CTX_get(ctx);
+	if(!d || !val[0]) goto err;
 
-	BN_init(&(val[0]));
-	ts=1;
-	if (!BN_nnmod(&(val[0]),a,m,ctx)) goto err;		/* 1 */
-	if (BN_is_zero(&(val[0])))
+	if (!BN_nnmod(val[0],a,m,ctx)) goto err;		/* 1 */
+	if (BN_is_zero(val[0]))
 		{
-		ret = BN_zero(r);
+		BN_zero(r);
+		ret = 1;
 		goto err;
 		}
 
 	window = BN_window_bits_for_exponent_size(bits);
 	if (window > 1)
 		{
-		if (!BN_mod_mul(d,&(val[0]),&(val[0]),m,ctx))
+		if (!BN_mod_mul(d,val[0],val[0],m,ctx))
 			goto err;				/* 2 */
 		j=1<<(window-1);
 		for (i=1; i<j; i++)
 			{
-			BN_init(&(val[i]));
-			if (!BN_mod_mul(&(val[i]),&(val[i-1]),d,m,ctx))
+			if(((val[i] = BN_CTX_get(ctx)) == NULL) ||
+					!BN_mod_mul(val[i],val[i-1],d,m,ctx))
 				goto err;
 			}
-		ts=i;
 		}
 
 	start=1;	/* This is used to avoid multiplication etc
@@ -728,7 +972,7 @@ int BN_mod_exp_simple(BIGNUM *r,
 				}
 		
 		/* wvalue will be an odd number < 2^window */
-		if (!BN_mod_mul(r,r,&(val[wvalue>>1]),m,ctx))
+		if (!BN_mod_mul(r,r,val[wvalue>>1],m,ctx))
 			goto err;
 
 		/* move the 'window' down further */
@@ -740,8 +984,7 @@ int BN_mod_exp_simple(BIGNUM *r,
 	ret=1;
 err:
 	BN_CTX_end(ctx);
-	for (i=0; i<ts; i++)
-		BN_clear_free(&(val[i]));
+	bn_check_top(r);
 	return(ret);
 	}
 
diff --git a/crypto/openssl/crypto/bn/bn_exp2.c b/crypto/openssl/crypto/bn/bn_exp2.c
index 73ccd58a83aa..b3f43cec8c1c 100644
--- a/crypto/openssl/crypto/bn/bn_exp2.c
+++ b/crypto/openssl/crypto/bn/bn_exp2.c
@@ -120,10 +120,11 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
 	BN_CTX *ctx, BN_MONT_CTX *in_mont)
 	{
 	int i,j,bits,b,bits1,bits2,ret=0,wpos1,wpos2,window1,window2,wvalue1,wvalue2;
-	int r_is_one=1,ts1=0,ts2=0;
+	int r_is_one=1;
 	BIGNUM *d,*r;
 	const BIGNUM *a_mod_m;
-	BIGNUM val1[TABLE_SIZE], val2[TABLE_SIZE];
+	/* Tables of variables obtained from 'ctx' */
+	BIGNUM *val1[TABLE_SIZE], *val2[TABLE_SIZE];
 	BN_MONT_CTX *mont=NULL;
 
 	bn_check_top(a1);
@@ -150,7 +151,9 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
 	BN_CTX_start(ctx);
 	d = BN_CTX_get(ctx);
 	r = BN_CTX_get(ctx);
-	if (d == NULL || r == NULL) goto err;
+	val1[0] = BN_CTX_get(ctx);
+	val2[0] = BN_CTX_get(ctx);
+	if(!d || !r || !val1[0] || !val2[0]) goto err;
 
 	if (in_mont != NULL)
 		mont=in_mont;
@@ -166,69 +169,67 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
 	/*
 	 * Build table for a1:   val1[i] := a1^(2*i + 1) mod m  for i = 0 .. 2^(window1-1)
 	 */
-	BN_init(&val1[0]);
-	ts1=1;
 	if (a1->neg || BN_ucmp(a1,m) >= 0)
 		{
-		if (!BN_mod(&(val1[0]),a1,m,ctx))
+		if (!BN_mod(val1[0],a1,m,ctx))
 			goto err;
-		a_mod_m = &(val1[0]);
+		a_mod_m = val1[0];
 		}
 	else
 		a_mod_m = a1;
 	if (BN_is_zero(a_mod_m))
 		{
-		ret = BN_zero(rr);
+		BN_zero(rr);
+		ret = 1;
 		goto err;
 		}
 
-	if (!BN_to_montgomery(&(val1[0]),a_mod_m,mont,ctx)) goto err;
+	if (!BN_to_montgomery(val1[0],a_mod_m,mont,ctx)) goto err;
 	if (window1 > 1)
 		{
-		if (!BN_mod_mul_montgomery(d,&(val1[0]),&(val1[0]),mont,ctx)) goto err;
+		if (!BN_mod_mul_montgomery(d,val1[0],val1[0],mont,ctx)) goto err;
 
 		j=1<<(window1-1);
 		for (i=1; i<j; i++)
 			{
-			BN_init(&(val1[i]));
-			if (!BN_mod_mul_montgomery(&(val1[i]),&(val1[i-1]),d,mont,ctx))
+			if(((val1[i] = BN_CTX_get(ctx)) == NULL) ||
+					!BN_mod_mul_montgomery(val1[i],val1[i-1],
+						d,mont,ctx))
 				goto err;
 			}
-		ts1=i;
 		}
 
 
 	/*
 	 * Build table for a2:   val2[i] := a2^(2*i + 1) mod m  for i = 0 .. 2^(window2-1)
 	 */
-	BN_init(&val2[0]);
-	ts2=1;
 	if (a2->neg || BN_ucmp(a2,m) >= 0)
 		{
-		if (!BN_mod(&(val2[0]),a2,m,ctx))
+		if (!BN_mod(val2[0],a2,m,ctx))
 			goto err;
-		a_mod_m = &(val2[0]);
+		a_mod_m = val2[0];
 		}
 	else
 		a_mod_m = a2;
 	if (BN_is_zero(a_mod_m))
 		{
-		ret = BN_zero(rr);
+		BN_zero(rr);
+		ret = 1;
 		goto err;
 		}
-	if (!BN_to_montgomery(&(val2[0]),a_mod_m,mont,ctx)) goto err;
+	if (!BN_to_montgomery(val2[0],a_mod_m,mont,ctx)) goto err;
 	if (window2 > 1)
 		{
-		if (!BN_mod_mul_montgomery(d,&(val2[0]),&(val2[0]),mont,ctx)) goto err;
+		if (!BN_mod_mul_montgomery(d,val2[0],val2[0],mont,ctx)) goto err;
 
 		j=1<<(window2-1);
 		for (i=1; i<j; i++)
 			{
-			BN_init(&(val2[i]));
-			if (!BN_mod_mul_montgomery(&(val2[i]),&(val2[i-1]),d,mont,ctx))
+			if(((val2[i] = BN_CTX_get(ctx)) == NULL) ||
+					!BN_mod_mul_montgomery(val2[i],val2[i-1],
+						d,mont,ctx))
 				goto err;
 			}
-		ts2=i;
 		}
 
 
@@ -285,7 +286,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
 		if (wvalue1 && b == wpos1)
 			{
 			/* wvalue1 is odd and < 2^window1 */
-			if (!BN_mod_mul_montgomery(r,r,&(val1[wvalue1>>1]),mont,ctx))
+			if (!BN_mod_mul_montgomery(r,r,val1[wvalue1>>1],mont,ctx))
 				goto err;
 			wvalue1 = 0;
 			r_is_one = 0;
@@ -294,7 +295,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
 		if (wvalue2 && b == wpos2)
 			{
 			/* wvalue2 is odd and < 2^window2 */
-			if (!BN_mod_mul_montgomery(r,r,&(val2[wvalue2>>1]),mont,ctx))
+			if (!BN_mod_mul_montgomery(r,r,val2[wvalue2>>1],mont,ctx))
 				goto err;
 			wvalue2 = 0;
 			r_is_one = 0;
@@ -305,9 +306,6 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
 err:
 	if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
 	BN_CTX_end(ctx);
-	for (i=0; i<ts1; i++)
-		BN_clear_free(&(val1[i]));
-	for (i=0; i<ts2; i++)
-		BN_clear_free(&(val2[i]));
+	bn_check_top(rr);
 	return(ret);
 	}
diff --git a/crypto/openssl/crypto/bn/bn_gcd.c b/crypto/openssl/crypto/bn/bn_gcd.c
index 7649f63fd22a..f02e6fcdb422 100644
--- a/crypto/openssl/crypto/bn/bn_gcd.c
+++ b/crypto/openssl/crypto/bn/bn_gcd.c
@@ -140,6 +140,7 @@ int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
 	ret=1;
 err:
 	BN_CTX_end(ctx);
+	bn_check_top(r);
 	return(ret);
 	}
 
@@ -194,6 +195,7 @@ static BIGNUM *euclid(BIGNUM *a, BIGNUM *b)
 		{
 		if (!BN_lshift(a,a,shifts)) goto err;
 		}
+	bn_check_top(a);
 	return(a);
 err:
 	return(NULL);
@@ -486,5 +488,6 @@ BIGNUM *BN_mod_inverse(BIGNUM *in,
 err:
 	if ((ret == NULL) && (in == NULL)) BN_free(R);
 	BN_CTX_end(ctx);
+	bn_check_top(ret);
 	return(ret);
 	}
diff --git a/crypto/openssl/crypto/bn/bn_gf2m.c b/crypto/openssl/crypto/bn/bn_gf2m.c
new file mode 100644
index 000000000000..6a793857e130
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_gf2m.c
@@ -0,0 +1,1091 @@
+/* crypto/bn/bn_gf2m.c */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
+ * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
+ * to the OpenSSL project.
+ *
+ * The ECC Code is licensed pursuant to the OpenSSL open source
+ * license provided below.
+ *
+ * In addition, Sun covenants to all licensees who provide a reciprocal
+ * covenant with respect to their own patents if any, not to sue under
+ * current and future patent claims necessarily infringed by the making,
+ * using, practicing, selling, offering for sale and/or otherwise
+ * disposing of the ECC Code as delivered hereunder (or portions thereof),
+ * provided that such covenant shall not apply:
+ *  1) for code that a licensee deletes from the ECC Code;
+ *  2) separates from the ECC Code; or
+ *  3) for infringements caused by:
+ *       i) the modification of the ECC Code or
+ *      ii) the combination of the ECC Code with other software or
+ *          devices where such combination causes the infringement.
+ *
+ * The software is originally written by Sheueling Chang Shantz and
+ * Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+
+/* NOTE: This file is licensed pursuant to the OpenSSL license below
+ * and may be modified; but after modifications, the above covenant
+ * may no longer apply!  In such cases, the corresponding paragraph
+ * ["In addition, Sun covenants ... causes the infringement."] and
+ * this note can be edited out; but please keep the Sun copyright
+ * notice and attribution. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <assert.h>
+#include <limits.h>
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+/* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should fail. */
+#define MAX_ITERATIONS 50
+
+static const BN_ULONG SQR_tb[16] =
+  {     0,     1,     4,     5,    16,    17,    20,    21,
+       64,    65,    68,    69,    80,    81,    84,    85 };
+/* Platform-specific macros to accelerate squaring. */
+#if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
+#define SQR1(w) \
+    SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \
+    SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \
+    SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \
+    SQR_tb[(w) >> 36 & 0xF] <<  8 | SQR_tb[(w) >> 32 & 0xF]
+#define SQR0(w) \
+    SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \
+    SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \
+    SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >>  8 & 0xF] << 16 | \
+    SQR_tb[(w) >>  4 & 0xF] <<  8 | SQR_tb[(w)       & 0xF]
+#endif
+#ifdef THIRTY_TWO_BIT
+#define SQR1(w) \
+    SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \
+    SQR_tb[(w) >> 20 & 0xF] <<  8 | SQR_tb[(w) >> 16 & 0xF]
+#define SQR0(w) \
+    SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >>  8 & 0xF] << 16 | \
+    SQR_tb[(w) >>  4 & 0xF] <<  8 | SQR_tb[(w)       & 0xF]
+#endif
+#ifdef SIXTEEN_BIT
+#define SQR1(w) \
+    SQR_tb[(w) >> 12 & 0xF] <<  8 | SQR_tb[(w) >>  8 & 0xF]
+#define SQR0(w) \
+    SQR_tb[(w) >>  4 & 0xF] <<  8 | SQR_tb[(w)       & 0xF]
+#endif
+#ifdef EIGHT_BIT
+#define SQR1(w) \
+    SQR_tb[(w) >>  4 & 0xF]
+#define SQR0(w) \
+    SQR_tb[(w)       & 15]
+#endif
+
+/* Product of two polynomials a, b each with degree < BN_BITS2 - 1,
+ * result is a polynomial r with degree < 2 * BN_BITS - 1
+ * The caller MUST ensure that the variables have the right amount
+ * of space allocated.
+ */
+#ifdef EIGHT_BIT
+static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b)
+	{
+	register BN_ULONG h, l, s;
+	BN_ULONG tab[4], top1b = a >> 7;
+	register BN_ULONG a1, a2;
+
+	a1 = a & (0x7F); a2 = a1 << 1;
+
+	tab[0] = 0; tab[1] = a1; tab[2] = a2; tab[3] = a1^a2;
+
+	s = tab[b      & 0x3]; l  = s;
+	s = tab[b >> 2 & 0x3]; l ^= s << 2; h  = s >> 6;
+	s = tab[b >> 4 & 0x3]; l ^= s << 4; h ^= s >> 4;
+	s = tab[b >> 6      ]; l ^= s << 6; h ^= s >> 2;
+	
+	/* compensate for the top bit of a */
+
+	if (top1b & 01) { l ^= b << 7; h ^= b >> 1; } 
+
+	*r1 = h; *r0 = l;
+	} 
+#endif
+#ifdef SIXTEEN_BIT
+static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b)
+	{
+	register BN_ULONG h, l, s;
+	BN_ULONG tab[4], top1b = a >> 15; 
+	register BN_ULONG a1, a2;
+
+	a1 = a & (0x7FFF); a2 = a1 << 1;
+
+	tab[0] = 0; tab[1] = a1; tab[2] = a2; tab[3] = a1^a2;
+
+	s = tab[b      & 0x3]; l  = s;
+	s = tab[b >> 2 & 0x3]; l ^= s <<  2; h  = s >> 14;
+	s = tab[b >> 4 & 0x3]; l ^= s <<  4; h ^= s >> 12;
+	s = tab[b >> 6 & 0x3]; l ^= s <<  6; h ^= s >> 10;
+	s = tab[b >> 8 & 0x3]; l ^= s <<  8; h ^= s >>  8;
+	s = tab[b >>10 & 0x3]; l ^= s << 10; h ^= s >>  6;
+	s = tab[b >>12 & 0x3]; l ^= s << 12; h ^= s >>  4;
+	s = tab[b >>14      ]; l ^= s << 14; h ^= s >>  2;
+
+	/* compensate for the top bit of a */
+
+	if (top1b & 01) { l ^= b << 15; h ^= b >> 1; } 
+
+	*r1 = h; *r0 = l;
+	} 
+#endif
+#ifdef THIRTY_TWO_BIT
+static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b)
+	{
+	register BN_ULONG h, l, s;
+	BN_ULONG tab[8], top2b = a >> 30; 
+	register BN_ULONG a1, a2, a4;
+
+	a1 = a & (0x3FFFFFFF); a2 = a1 << 1; a4 = a2 << 1;
+
+	tab[0] =  0; tab[1] = a1;    tab[2] = a2;    tab[3] = a1^a2;
+	tab[4] = a4; tab[5] = a1^a4; tab[6] = a2^a4; tab[7] = a1^a2^a4;
+
+	s = tab[b       & 0x7]; l  = s;
+	s = tab[b >>  3 & 0x7]; l ^= s <<  3; h  = s >> 29;
+	s = tab[b >>  6 & 0x7]; l ^= s <<  6; h ^= s >> 26;
+	s = tab[b >>  9 & 0x7]; l ^= s <<  9; h ^= s >> 23;
+	s = tab[b >> 12 & 0x7]; l ^= s << 12; h ^= s >> 20;
+	s = tab[b >> 15 & 0x7]; l ^= s << 15; h ^= s >> 17;
+	s = tab[b >> 18 & 0x7]; l ^= s << 18; h ^= s >> 14;
+	s = tab[b >> 21 & 0x7]; l ^= s << 21; h ^= s >> 11;
+	s = tab[b >> 24 & 0x7]; l ^= s << 24; h ^= s >>  8;
+	s = tab[b >> 27 & 0x7]; l ^= s << 27; h ^= s >>  5;
+	s = tab[b >> 30      ]; l ^= s << 30; h ^= s >>  2;
+
+	/* compensate for the top two bits of a */
+
+	if (top2b & 01) { l ^= b << 30; h ^= b >> 2; } 
+	if (top2b & 02) { l ^= b << 31; h ^= b >> 1; } 
+
+	*r1 = h; *r0 = l;
+	} 
+#endif
+#if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
+static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b)
+	{
+	register BN_ULONG h, l, s;
+	BN_ULONG tab[16], top3b = a >> 61;
+	register BN_ULONG a1, a2, a4, a8;
+
+	a1 = a & (0x1FFFFFFFFFFFFFFFULL); a2 = a1 << 1; a4 = a2 << 1; a8 = a4 << 1;
+
+	tab[ 0] = 0;     tab[ 1] = a1;       tab[ 2] = a2;       tab[ 3] = a1^a2;
+	tab[ 4] = a4;    tab[ 5] = a1^a4;    tab[ 6] = a2^a4;    tab[ 7] = a1^a2^a4;
+	tab[ 8] = a8;    tab[ 9] = a1^a8;    tab[10] = a2^a8;    tab[11] = a1^a2^a8;
+	tab[12] = a4^a8; tab[13] = a1^a4^a8; tab[14] = a2^a4^a8; tab[15] = a1^a2^a4^a8;
+
+	s = tab[b       & 0xF]; l  = s;
+	s = tab[b >>  4 & 0xF]; l ^= s <<  4; h  = s >> 60;
+	s = tab[b >>  8 & 0xF]; l ^= s <<  8; h ^= s >> 56;
+	s = tab[b >> 12 & 0xF]; l ^= s << 12; h ^= s >> 52;
+	s = tab[b >> 16 & 0xF]; l ^= s << 16; h ^= s >> 48;
+	s = tab[b >> 20 & 0xF]; l ^= s << 20; h ^= s >> 44;
+	s = tab[b >> 24 & 0xF]; l ^= s << 24; h ^= s >> 40;
+	s = tab[b >> 28 & 0xF]; l ^= s << 28; h ^= s >> 36;
+	s = tab[b >> 32 & 0xF]; l ^= s << 32; h ^= s >> 32;
+	s = tab[b >> 36 & 0xF]; l ^= s << 36; h ^= s >> 28;
+	s = tab[b >> 40 & 0xF]; l ^= s << 40; h ^= s >> 24;
+	s = tab[b >> 44 & 0xF]; l ^= s << 44; h ^= s >> 20;
+	s = tab[b >> 48 & 0xF]; l ^= s << 48; h ^= s >> 16;
+	s = tab[b >> 52 & 0xF]; l ^= s << 52; h ^= s >> 12;
+	s = tab[b >> 56 & 0xF]; l ^= s << 56; h ^= s >>  8;
+	s = tab[b >> 60      ]; l ^= s << 60; h ^= s >>  4;
+
+	/* compensate for the top three bits of a */
+
+	if (top3b & 01) { l ^= b << 61; h ^= b >> 3; } 
+	if (top3b & 02) { l ^= b << 62; h ^= b >> 2; } 
+	if (top3b & 04) { l ^= b << 63; h ^= b >> 1; } 
+
+	*r1 = h; *r0 = l;
+	} 
+#endif
+
+/* Product of two polynomials a, b each with degree < 2 * BN_BITS2 - 1,
+ * result is a polynomial r with degree < 4 * BN_BITS2 - 1
+ * The caller MUST ensure that the variables have the right amount
+ * of space allocated.
+ */
+static void bn_GF2m_mul_2x2(BN_ULONG *r, const BN_ULONG a1, const BN_ULONG a0, const BN_ULONG b1, const BN_ULONG b0)
+	{
+	BN_ULONG m1, m0;
+	/* r[3] = h1, r[2] = h0; r[1] = l1; r[0] = l0 */
+	bn_GF2m_mul_1x1(r+3, r+2, a1, b1);
+	bn_GF2m_mul_1x1(r+1, r, a0, b0);
+	bn_GF2m_mul_1x1(&m1, &m0, a0 ^ a1, b0 ^ b1);
+	/* Correction on m1 ^= l1 ^ h1; m0 ^= l0 ^ h0; */
+	r[2] ^= m1 ^ r[1] ^ r[3];  /* h0 ^= m1 ^ l1 ^ h1; */
+	r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0;  /* l1 ^= l0 ^ h0 ^ m0; */
+	}
+
+
+/* Add polynomials a and b and store result in r; r could be a or b, a and b 
+ * could be equal; r is the bitwise XOR of a and b.
+ */
+int	BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
+	{
+	int i;
+	const BIGNUM *at, *bt;
+
+	bn_check_top(a);
+	bn_check_top(b);
+
+	if (a->top < b->top) { at = b; bt = a; }
+	else { at = a; bt = b; }
+
+	bn_wexpand(r, at->top);
+
+	for (i = 0; i < bt->top; i++)
+		{
+		r->d[i] = at->d[i] ^ bt->d[i];
+		}
+	for (; i < at->top; i++)
+		{
+		r->d[i] = at->d[i];
+		}
+	
+	r->top = at->top;
+	bn_correct_top(r);
+	
+	return 1;
+	}
+
+
+/* Some functions allow for representation of the irreducible polynomials
+ * as an int[], say p.  The irreducible f(t) is then of the form:
+ *     t^p[0] + t^p[1] + ... + t^p[k]
+ * where m = p[0] > p[1] > ... > p[k] = 0.
+ */
+
+
+/* Performs modular reduction of a and store result in r.  r could be a. */
+int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[])
+	{
+	int j, k;
+	int n, dN, d0, d1;
+	BN_ULONG zz, *z;
+
+	bn_check_top(a);
+
+	if (!p[0])
+		{
+		/* reduction mod 1 => return 0 */
+		BN_zero(r);
+		return 1;
+		}
+
+	/* Since the algorithm does reduction in the r value, if a != r, copy
+	 * the contents of a into r so we can do reduction in r. 
+	 */
+	if (a != r)
+		{
+		if (!bn_wexpand(r, a->top)) return 0;
+		for (j = 0; j < a->top; j++)
+			{
+			r->d[j] = a->d[j];
+			}
+		r->top = a->top;
+		}
+	z = r->d;
+
+	/* start reduction */
+	dN = p[0] / BN_BITS2;  
+	for (j = r->top - 1; j > dN;)
+		{
+		zz = z[j];
+		if (z[j] == 0) { j--; continue; }
+		z[j] = 0;
+
+		for (k = 1; p[k] != 0; k++)
+			{
+			/* reducing component t^p[k] */
+			n = p[0] - p[k];
+			d0 = n % BN_BITS2;  d1 = BN_BITS2 - d0;
+			n /= BN_BITS2; 
+			z[j-n] ^= (zz>>d0);
+			if (d0) z[j-n-1] ^= (zz<<d1);
+			}
+
+		/* reducing component t^0 */
+		n = dN;  
+		d0 = p[0] % BN_BITS2;
+		d1 = BN_BITS2 - d0;
+		z[j-n] ^= (zz >> d0);
+		if (d0) z[j-n-1] ^= (zz << d1);
+		}
+
+	/* final round of reduction */
+	while (j == dN)
+		{
+
+		d0 = p[0] % BN_BITS2;
+		zz = z[dN] >> d0;
+		if (zz == 0) break;
+		d1 = BN_BITS2 - d0;
+		
+		if (d0) z[dN] = (z[dN] << d1) >> d1; /* clear up the top d1 bits */
+		z[0] ^= zz; /* reduction t^0 component */
+
+		for (k = 1; p[k] != 0; k++)
+			{
+			BN_ULONG tmp_ulong;
+
+			/* reducing component t^p[k]*/
+			n = p[k] / BN_BITS2;   
+			d0 = p[k] % BN_BITS2;
+			d1 = BN_BITS2 - d0;
+			z[n] ^= (zz << d0);
+			tmp_ulong = zz >> d1;
+                        if (d0 && tmp_ulong)
+                                z[n+1] ^= tmp_ulong;
+			}
+
+		
+		}
+
+	bn_correct_top(r);
+	return 1;
+	}
+
+/* Performs modular reduction of a by p and store result in r.  r could be a.
+ *
+ * This function calls down to the BN_GF2m_mod_arr implementation; this wrapper
+ * function is only provided for convenience; for best performance, use the 
+ * BN_GF2m_mod_arr function.
+ */
+int	BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p)
+	{
+	int ret = 0;
+	const int max = BN_num_bits(p);
+	unsigned int *arr=NULL;
+	bn_check_top(a);
+	bn_check_top(p);
+	if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
+	ret = BN_GF2m_poly2arr(p, arr, max);
+	if (!ret || ret > max)
+		{
+		BNerr(BN_F_BN_GF2M_MOD,BN_R_INVALID_LENGTH);
+		goto err;
+		}
+	ret = BN_GF2m_mod_arr(r, a, arr);
+	bn_check_top(r);
+err:
+	if (arr) OPENSSL_free(arr);
+	return ret;
+	}
+
+
+/* Compute the product of two polynomials a and b, reduce modulo p, and store
+ * the result in r.  r could be a or b; a could be b.
+ */
+int	BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const unsigned int p[], BN_CTX *ctx)
+	{
+	int zlen, i, j, k, ret = 0;
+	BIGNUM *s;
+	BN_ULONG x1, x0, y1, y0, zz[4];
+
+	bn_check_top(a);
+	bn_check_top(b);
+
+	if (a == b)
+		{
+		return BN_GF2m_mod_sqr_arr(r, a, p, ctx);
+		}
+
+	BN_CTX_start(ctx);
+	if ((s = BN_CTX_get(ctx)) == NULL) goto err;
+	
+	zlen = a->top + b->top + 4;
+	if (!bn_wexpand(s, zlen)) goto err;
+	s->top = zlen;
+
+	for (i = 0; i < zlen; i++) s->d[i] = 0;
+
+	for (j = 0; j < b->top; j += 2)
+		{
+		y0 = b->d[j];
+		y1 = ((j+1) == b->top) ? 0 : b->d[j+1];
+		for (i = 0; i < a->top; i += 2)
+			{
+			x0 = a->d[i];
+			x1 = ((i+1) == a->top) ? 0 : a->d[i+1];
+			bn_GF2m_mul_2x2(zz, x1, x0, y1, y0);
+			for (k = 0; k < 4; k++) s->d[i+j+k] ^= zz[k];
+			}
+		}
+
+	bn_correct_top(s);
+	if (BN_GF2m_mod_arr(r, s, p))
+		ret = 1;
+	bn_check_top(r);
+
+err:
+	BN_CTX_end(ctx);
+	return ret;
+	}
+
+/* Compute the product of two polynomials a and b, reduce modulo p, and store
+ * the result in r.  r could be a or b; a could equal b.
+ *
+ * This function calls down to the BN_GF2m_mod_mul_arr implementation; this wrapper
+ * function is only provided for convenience; for best performance, use the 
+ * BN_GF2m_mod_mul_arr function.
+ */
+int	BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx)
+	{
+	int ret = 0;
+	const int max = BN_num_bits(p);
+	unsigned int *arr=NULL;
+	bn_check_top(a);
+	bn_check_top(b);
+	bn_check_top(p);
+	if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
+	ret = BN_GF2m_poly2arr(p, arr, max);
+	if (!ret || ret > max)
+		{
+		BNerr(BN_F_BN_GF2M_MOD_MUL,BN_R_INVALID_LENGTH);
+		goto err;
+		}
+	ret = BN_GF2m_mod_mul_arr(r, a, b, arr, ctx);
+	bn_check_top(r);
+err:
+	if (arr) OPENSSL_free(arr);
+	return ret;
+	}
+
+
+/* Square a, reduce the result mod p, and store it in a.  r could be a. */
+int	BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[], BN_CTX *ctx)
+	{
+	int i, ret = 0;
+	BIGNUM *s;
+
+	bn_check_top(a);
+	BN_CTX_start(ctx);
+	if ((s = BN_CTX_get(ctx)) == NULL) return 0;
+	if (!bn_wexpand(s, 2 * a->top)) goto err;
+
+	for (i = a->top - 1; i >= 0; i--)
+		{
+		s->d[2*i+1] = SQR1(a->d[i]);
+		s->d[2*i  ] = SQR0(a->d[i]);
+		}
+
+	s->top = 2 * a->top;
+	bn_correct_top(s);
+	if (!BN_GF2m_mod_arr(r, s, p)) goto err;
+	bn_check_top(r);
+	ret = 1;
+err:
+	BN_CTX_end(ctx);
+	return ret;
+	}
+
+/* Square a, reduce the result mod p, and store it in a.  r could be a.
+ *
+ * This function calls down to the BN_GF2m_mod_sqr_arr implementation; this wrapper
+ * function is only provided for convenience; for best performance, use the 
+ * BN_GF2m_mod_sqr_arr function.
+ */
+int	BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+	{
+	int ret = 0;
+	const int max = BN_num_bits(p);
+	unsigned int *arr=NULL;
+
+	bn_check_top(a);
+	bn_check_top(p);
+	if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
+	ret = BN_GF2m_poly2arr(p, arr, max);
+	if (!ret || ret > max)
+		{
+		BNerr(BN_F_BN_GF2M_MOD_SQR,BN_R_INVALID_LENGTH);
+		goto err;
+		}
+	ret = BN_GF2m_mod_sqr_arr(r, a, arr, ctx);
+	bn_check_top(r);
+err:
+	if (arr) OPENSSL_free(arr);
+	return ret;
+	}
+
+
+/* Invert a, reduce modulo p, and store the result in r. r could be a. 
+ * Uses Modified Almost Inverse Algorithm (Algorithm 10) from
+ *     Hankerson, D., Hernandez, J.L., and Menezes, A.  "Software Implementation
+ *     of Elliptic Curve Cryptography Over Binary Fields".
+ */
+int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+	{
+	BIGNUM *b, *c, *u, *v, *tmp;
+	int ret = 0;
+
+	bn_check_top(a);
+	bn_check_top(p);
+
+	BN_CTX_start(ctx);
+	
+	b = BN_CTX_get(ctx);
+	c = BN_CTX_get(ctx);
+	u = BN_CTX_get(ctx);
+	v = BN_CTX_get(ctx);
+	if (v == NULL) goto err;
+
+	if (!BN_one(b)) goto err;
+	if (!BN_GF2m_mod(u, a, p)) goto err;
+	if (!BN_copy(v, p)) goto err;
+
+	if (BN_is_zero(u)) goto err;
+
+	while (1)
+		{
+		while (!BN_is_odd(u))
+			{
+			if (!BN_rshift1(u, u)) goto err;
+			if (BN_is_odd(b))
+				{
+				if (!BN_GF2m_add(b, b, p)) goto err;
+				}
+			if (!BN_rshift1(b, b)) goto err;
+			}
+
+		if (BN_abs_is_word(u, 1)) break;
+
+		if (BN_num_bits(u) < BN_num_bits(v))
+			{
+			tmp = u; u = v; v = tmp;
+			tmp = b; b = c; c = tmp;
+			}
+		
+		if (!BN_GF2m_add(u, u, v)) goto err;
+		if (!BN_GF2m_add(b, b, c)) goto err;
+		}
+
+
+	if (!BN_copy(r, b)) goto err;
+	bn_check_top(r);
+	ret = 1;
+
+err:
+  	BN_CTX_end(ctx);
+	return ret;
+	}
+
+/* Invert xx, reduce modulo p, and store the result in r. r could be xx. 
+ *
+ * This function calls down to the BN_GF2m_mod_inv implementation; this wrapper
+ * function is only provided for convenience; for best performance, use the 
+ * BN_GF2m_mod_inv function.
+ */
+int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *xx, const unsigned int p[], BN_CTX *ctx)
+	{
+	BIGNUM *field;
+	int ret = 0;
+
+	bn_check_top(xx);
+	BN_CTX_start(ctx);
+	if ((field = BN_CTX_get(ctx)) == NULL) goto err;
+	if (!BN_GF2m_arr2poly(p, field)) goto err;
+	
+	ret = BN_GF2m_mod_inv(r, xx, field, ctx);
+	bn_check_top(r);
+
+err:
+	BN_CTX_end(ctx);
+	return ret;
+	}
+
+
+#ifndef OPENSSL_SUN_GF2M_DIV
+/* Divide y by x, reduce modulo p, and store the result in r. r could be x 
+ * or y, x could equal y.
+ */
+int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x, const BIGNUM *p, BN_CTX *ctx)
+	{
+	BIGNUM *xinv = NULL;
+	int ret = 0;
+
+	bn_check_top(y);
+	bn_check_top(x);
+	bn_check_top(p);
+
+	BN_CTX_start(ctx);
+	xinv = BN_CTX_get(ctx);
+	if (xinv == NULL) goto err;
+	
+	if (!BN_GF2m_mod_inv(xinv, x, p, ctx)) goto err;
+	if (!BN_GF2m_mod_mul(r, y, xinv, p, ctx)) goto err;
+	bn_check_top(r);
+	ret = 1;
+
+err:
+	BN_CTX_end(ctx);
+	return ret;
+	}
+#else
+/* Divide y by x, reduce modulo p, and store the result in r. r could be x 
+ * or y, x could equal y.
+ * Uses algorithm Modular_Division_GF(2^m) from 
+ *     Chang-Shantz, S.  "From Euclid's GCD to Montgomery Multiplication to 
+ *     the Great Divide".
+ */
+int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x, const BIGNUM *p, BN_CTX *ctx)
+	{
+	BIGNUM *a, *b, *u, *v;
+	int ret = 0;
+
+	bn_check_top(y);
+	bn_check_top(x);
+	bn_check_top(p);
+
+	BN_CTX_start(ctx);
+	
+	a = BN_CTX_get(ctx);
+	b = BN_CTX_get(ctx);
+	u = BN_CTX_get(ctx);
+	v = BN_CTX_get(ctx);
+	if (v == NULL) goto err;
+
+	/* reduce x and y mod p */
+	if (!BN_GF2m_mod(u, y, p)) goto err;
+	if (!BN_GF2m_mod(a, x, p)) goto err;
+	if (!BN_copy(b, p)) goto err;
+	
+	while (!BN_is_odd(a))
+		{
+		if (!BN_rshift1(a, a)) goto err;
+		if (BN_is_odd(u)) if (!BN_GF2m_add(u, u, p)) goto err;
+		if (!BN_rshift1(u, u)) goto err;
+		}
+
+	do
+		{
+		if (BN_GF2m_cmp(b, a) > 0)
+			{
+			if (!BN_GF2m_add(b, b, a)) goto err;
+			if (!BN_GF2m_add(v, v, u)) goto err;
+			do
+				{
+				if (!BN_rshift1(b, b)) goto err;
+				if (BN_is_odd(v)) if (!BN_GF2m_add(v, v, p)) goto err;
+				if (!BN_rshift1(v, v)) goto err;
+				} while (!BN_is_odd(b));
+			}
+		else if (BN_abs_is_word(a, 1))
+			break;
+		else
+			{
+			if (!BN_GF2m_add(a, a, b)) goto err;
+			if (!BN_GF2m_add(u, u, v)) goto err;
+			do
+				{
+				if (!BN_rshift1(a, a)) goto err;
+				if (BN_is_odd(u)) if (!BN_GF2m_add(u, u, p)) goto err;
+				if (!BN_rshift1(u, u)) goto err;
+				} while (!BN_is_odd(a));
+			}
+		} while (1);
+
+	if (!BN_copy(r, u)) goto err;
+	bn_check_top(r);
+	ret = 1;
+
+err:
+  	BN_CTX_end(ctx);
+	return ret;
+	}
+#endif
+
+/* Divide yy by xx, reduce modulo p, and store the result in r. r could be xx 
+ * or yy, xx could equal yy.
+ *
+ * This function calls down to the BN_GF2m_mod_div implementation; this wrapper
+ * function is only provided for convenience; for best performance, use the 
+ * BN_GF2m_mod_div function.
+ */
+int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *yy, const BIGNUM *xx, const unsigned int p[], BN_CTX *ctx)
+	{
+	BIGNUM *field;
+	int ret = 0;
+
+	bn_check_top(yy);
+	bn_check_top(xx);
+
+	BN_CTX_start(ctx);
+	if ((field = BN_CTX_get(ctx)) == NULL) goto err;
+	if (!BN_GF2m_arr2poly(p, field)) goto err;
+	
+	ret = BN_GF2m_mod_div(r, yy, xx, field, ctx);
+	bn_check_top(r);
+
+err:
+	BN_CTX_end(ctx);
+	return ret;
+	}
+
+
+/* Compute the bth power of a, reduce modulo p, and store
+ * the result in r.  r could be a.
+ * Uses simple square-and-multiply algorithm A.5.1 from IEEE P1363.
+ */
+int	BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const unsigned int p[], BN_CTX *ctx)
+	{
+	int ret = 0, i, n;
+	BIGNUM *u;
+
+	bn_check_top(a);
+	bn_check_top(b);
+
+	if (BN_is_zero(b))
+		return(BN_one(r));
+
+	if (BN_abs_is_word(b, 1))
+		return (BN_copy(r, a) != NULL);
+
+	BN_CTX_start(ctx);
+	if ((u = BN_CTX_get(ctx)) == NULL) goto err;
+	
+	if (!BN_GF2m_mod_arr(u, a, p)) goto err;
+	
+	n = BN_num_bits(b) - 1;
+	for (i = n - 1; i >= 0; i--)
+		{
+		if (!BN_GF2m_mod_sqr_arr(u, u, p, ctx)) goto err;
+		if (BN_is_bit_set(b, i))
+			{
+			if (!BN_GF2m_mod_mul_arr(u, u, a, p, ctx)) goto err;
+			}
+		}
+	if (!BN_copy(r, u)) goto err;
+	bn_check_top(r);
+	ret = 1;
+err:
+	BN_CTX_end(ctx);
+	return ret;
+	}
+
+/* Compute the bth power of a, reduce modulo p, and store
+ * the result in r.  r could be a.
+ *
+ * This function calls down to the BN_GF2m_mod_exp_arr implementation; this wrapper
+ * function is only provided for convenience; for best performance, use the 
+ * BN_GF2m_mod_exp_arr function.
+ */
+int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx)
+	{
+	int ret = 0;
+	const int max = BN_num_bits(p);
+	unsigned int *arr=NULL;
+	bn_check_top(a);
+	bn_check_top(b);
+	bn_check_top(p);
+	if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
+	ret = BN_GF2m_poly2arr(p, arr, max);
+	if (!ret || ret > max)
+		{
+		BNerr(BN_F_BN_GF2M_MOD_EXP,BN_R_INVALID_LENGTH);
+		goto err;
+		}
+	ret = BN_GF2m_mod_exp_arr(r, a, b, arr, ctx);
+	bn_check_top(r);
+err:
+	if (arr) OPENSSL_free(arr);
+	return ret;
+	}
+
+/* Compute the square root of a, reduce modulo p, and store
+ * the result in r.  r could be a.
+ * Uses exponentiation as in algorithm A.4.1 from IEEE P1363.
+ */
+int	BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[], BN_CTX *ctx)
+	{
+	int ret = 0;
+	BIGNUM *u;
+
+	bn_check_top(a);
+
+	if (!p[0])
+		{
+		/* reduction mod 1 => return 0 */
+		BN_zero(r);
+		return 1;
+		}
+
+	BN_CTX_start(ctx);
+	if ((u = BN_CTX_get(ctx)) == NULL) goto err;
+	
+	if (!BN_set_bit(u, p[0] - 1)) goto err;
+	ret = BN_GF2m_mod_exp_arr(r, a, u, p, ctx);
+	bn_check_top(r);
+
+err:
+	BN_CTX_end(ctx);
+	return ret;
+	}
+
+/* Compute the square root of a, reduce modulo p, and store
+ * the result in r.  r could be a.
+ *
+ * This function calls down to the BN_GF2m_mod_sqrt_arr implementation; this wrapper
+ * function is only provided for convenience; for best performance, use the 
+ * BN_GF2m_mod_sqrt_arr function.
+ */
+int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+	{
+	int ret = 0;
+	const int max = BN_num_bits(p);
+	unsigned int *arr=NULL;
+	bn_check_top(a);
+	bn_check_top(p);
+	if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) * max)) == NULL) goto err;
+	ret = BN_GF2m_poly2arr(p, arr, max);
+	if (!ret || ret > max)
+		{
+		BNerr(BN_F_BN_GF2M_MOD_SQRT,BN_R_INVALID_LENGTH);
+		goto err;
+		}
+	ret = BN_GF2m_mod_sqrt_arr(r, a, arr, ctx);
+	bn_check_top(r);
+err:
+	if (arr) OPENSSL_free(arr);
+	return ret;
+	}
+
+/* Find r such that r^2 + r = a mod p.  r could be a. If no r exists returns 0.
+ * Uses algorithms A.4.7 and A.4.6 from IEEE P1363.
+ */
+int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const unsigned int p[], BN_CTX *ctx)
+	{
+	int ret = 0, count = 0;
+	unsigned int j;
+	BIGNUM *a, *z, *rho, *w, *w2, *tmp;
+
+	bn_check_top(a_);
+
+	if (!p[0])
+		{
+		/* reduction mod 1 => return 0 */
+		BN_zero(r);
+		return 1;
+		}
+
+	BN_CTX_start(ctx);
+	a = BN_CTX_get(ctx);
+	z = BN_CTX_get(ctx);
+	w = BN_CTX_get(ctx);
+	if (w == NULL) goto err;
+
+	if (!BN_GF2m_mod_arr(a, a_, p)) goto err;
+	
+	if (BN_is_zero(a))
+		{
+		BN_zero(r);
+		ret = 1;
+		goto err;
+		}
+
+	if (p[0] & 0x1) /* m is odd */
+		{
+		/* compute half-trace of a */
+		if (!BN_copy(z, a)) goto err;
+		for (j = 1; j <= (p[0] - 1) / 2; j++)
+			{
+			if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx)) goto err;
+			if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx)) goto err;
+			if (!BN_GF2m_add(z, z, a)) goto err;
+			}
+		
+		}
+	else /* m is even */
+		{
+		rho = BN_CTX_get(ctx);
+		w2 = BN_CTX_get(ctx);
+		tmp = BN_CTX_get(ctx);
+		if (tmp == NULL) goto err;
+		do
+			{
+			if (!BN_rand(rho, p[0], 0, 0)) goto err;
+			if (!BN_GF2m_mod_arr(rho, rho, p)) goto err;
+			BN_zero(z);
+			if (!BN_copy(w, rho)) goto err;
+			for (j = 1; j <= p[0] - 1; j++)
+				{
+				if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx)) goto err;
+				if (!BN_GF2m_mod_sqr_arr(w2, w, p, ctx)) goto err;
+				if (!BN_GF2m_mod_mul_arr(tmp, w2, a, p, ctx)) goto err;
+				if (!BN_GF2m_add(z, z, tmp)) goto err;
+				if (!BN_GF2m_add(w, w2, rho)) goto err;
+				}
+			count++;
+			} while (BN_is_zero(w) && (count < MAX_ITERATIONS));
+		if (BN_is_zero(w))
+			{
+			BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR,BN_R_TOO_MANY_ITERATIONS);
+			goto err;
+			}
+		}
+	
+	if (!BN_GF2m_mod_sqr_arr(w, z, p, ctx)) goto err;
+	if (!BN_GF2m_add(w, z, w)) goto err;
+	if (BN_GF2m_cmp(w, a))
+		{
+		BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR, BN_R_NO_SOLUTION);
+		goto err;
+		}
+
+	if (!BN_copy(r, z)) goto err;
+	bn_check_top(r);
+
+	ret = 1;
+
+err:
+	BN_CTX_end(ctx);
+	return ret;
+	}
+
+/* Find r such that r^2 + r = a mod p.  r could be a. If no r exists returns 0.
+ *
+ * This function calls down to the BN_GF2m_mod_solve_quad_arr implementation; this wrapper
+ * function is only provided for convenience; for best performance, use the 
+ * BN_GF2m_mod_solve_quad_arr function.
+ */
+int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+	{
+	int ret = 0;
+	const int max = BN_num_bits(p);
+	unsigned int *arr=NULL;
+	bn_check_top(a);
+	bn_check_top(p);
+	if ((arr = (unsigned int *)OPENSSL_malloc(sizeof(unsigned int) *
+						max)) == NULL) goto err;
+	ret = BN_GF2m_poly2arr(p, arr, max);
+	if (!ret || ret > max)
+		{
+		BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD,BN_R_INVALID_LENGTH);
+		goto err;
+		}
+	ret = BN_GF2m_mod_solve_quad_arr(r, a, arr, ctx);
+	bn_check_top(r);
+err:
+	if (arr) OPENSSL_free(arr);
+	return ret;
+	}
+
+/* Convert the bit-string representation of a polynomial
+ * ( \sum_{i=0}^n a_i * x^i , where a_0 is *not* zero) into an array
+ * of integers corresponding to the bits with non-zero coefficient.
+ * Up to max elements of the array will be filled.  Return value is total
+ * number of coefficients that would be extracted if array was large enough.
+ */
+int BN_GF2m_poly2arr(const BIGNUM *a, unsigned int p[], int max)
+	{
+	int i, j, k = 0;
+	BN_ULONG mask;
+
+	if (BN_is_zero(a) || !BN_is_bit_set(a, 0))
+		/* a_0 == 0 => return error (the unsigned int array
+		 * must be terminated by 0)
+		 */
+		return 0;
+
+	for (i = a->top - 1; i >= 0; i--)
+		{
+		if (!a->d[i])
+			/* skip word if a->d[i] == 0 */
+			continue;
+		mask = BN_TBIT;
+		for (j = BN_BITS2 - 1; j >= 0; j--)
+			{
+			if (a->d[i] & mask) 
+				{
+				if (k < max) p[k] = BN_BITS2 * i + j;
+				k++;
+				}
+			mask >>= 1;
+			}
+		}
+
+	return k;
+	}
+
+/* Convert the coefficient array representation of a polynomial to a 
+ * bit-string.  The array must be terminated by 0.
+ */
+int BN_GF2m_arr2poly(const unsigned int p[], BIGNUM *a)
+	{
+	int i;
+
+	bn_check_top(a);
+	BN_zero(a);
+	for (i = 0; p[i] != 0; i++)
+		{
+		if (BN_set_bit(a, p[i]) == 0)
+			return 0;
+		}
+	BN_set_bit(a, 0);
+	bn_check_top(a);
+
+	return 1;
+	}
+
diff --git a/crypto/openssl/crypto/bn/bn_kron.c b/crypto/openssl/crypto/bn/bn_kron.c
index 49f75594aed0..740359b7520d 100644
--- a/crypto/openssl/crypto/bn/bn_kron.c
+++ b/crypto/openssl/crypto/bn/bn_kron.c
@@ -53,9 +53,9 @@
  *
  */
 
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
-
 /* least significant word */
 #define BN_lsw(n) (((n)->top == 0) ? (BN_ULONG) 0 : (n)->d[0])
 
@@ -74,6 +74,9 @@ int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 	 */
 	static const int tab[8] = {0, 1, 0, -1, 0, -1, 0, 1};
 
+	bn_check_top(a);
+	bn_check_top(b);
+
 	BN_CTX_start(ctx);
 	A = BN_CTX_get(ctx);
 	B = BN_CTX_get(ctx);
@@ -172,8 +175,7 @@ int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 		tmp = A; A = B; B = tmp;
 		tmp->neg = 0;
 		}
-	
- end:
+end:
 	BN_CTX_end(ctx);
 	if (err)
 		return -2;
diff --git a/crypto/openssl/crypto/bn/bn_lcl.h b/crypto/openssl/crypto/bn/bn_lcl.h
index 253e195e2385..ad4ca7ff305a 100644
--- a/crypto/openssl/crypto/bn/bn_lcl.h
+++ b/crypto/openssl/crypto/bn/bn_lcl.h
@@ -119,20 +119,6 @@ extern "C" {
 #endif
 
 
-/* Used for temp variables */
-#define BN_CTX_NUM	32
-#define BN_CTX_NUM_POS	12
-struct bignum_ctx
-	{
-	int tos;
-	BIGNUM bn[BN_CTX_NUM];
-	int flags;
-	int depth;
-	int pos[BN_CTX_NUM_POS];
-	int too_many;
-	} /* BN_CTX */;
-
-
 /*
  * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
  *
@@ -177,6 +163,45 @@ struct bignum_ctx
 
 
 
+/* BN_mod_exp_mont_conttime is based on the assumption that the
+ * L1 data cache line width of the target processor is at least
+ * the following value.
+ */
+#define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH	( 64 )
+#define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK	(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
+
+/* Window sizes optimized for fixed window size modular exponentiation
+ * algorithm (BN_mod_exp_mont_consttime).
+ *
+ * To achieve the security goals of BN_mode_exp_mont_consttime, the
+ * maximum size of the window must not exceed
+ * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH). 
+ *
+ * Window size thresholds are defined for cache line sizes of 32 and 64,
+ * cache line sizes where log_2(32)=5 and log_2(64)=6 respectively. A
+ * window size of 7 should only be used on processors that have a 128
+ * byte or greater cache line size.
+ */
+#if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
+
+#  define BN_window_bits_for_ctime_exponent_size(b) \
+		((b) > 937 ? 6 : \
+		 (b) > 306 ? 5 : \
+		 (b) >  89 ? 4 : \
+		 (b) >  22 ? 3 : 1)
+#  define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE	(6)
+
+#elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32
+
+#  define BN_window_bits_for_ctime_exponent_size(b) \
+		((b) > 306 ? 5 : \
+		 (b) >  89 ? 4 : \
+		 (b) >  22 ? 3 : 1)
+#  define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE	(5)
+
+#endif
+
+
 /* Pentium pro 16,16,16,32,64 */
 /* Alpha       16,16,16,16.64 */
 #define BN_MULL_SIZE_NORMAL			(16) /* 32 */
@@ -245,6 +270,15 @@ struct bignum_ctx
 		: "a"(a),"g"(b)		\
 		: "cc");
 #  endif
+# elif (defined(_M_AMD64) || defined(_M_X64)) && defined(SIXTY_FOUR_BIT)
+#  if defined(_MSC_VER) && _MSC_VER>=1400
+    unsigned __int64 __umulh	(unsigned __int64 a,unsigned __int64 b);
+    unsigned __int64 _umul128	(unsigned __int64 a,unsigned __int64 b,
+				 unsigned __int64 *h);
+#   pragma intrinsic(__umulh,_umul128)
+#   define BN_UMULT_HIGH(a,b)		__umulh((a),(b))
+#   define BN_UMULT_LOHI(low,high,a,b)	((low)=_umul128((a),(b),&(high)))
+#  endif
 # endif		/* cpu */
 #endif		/* OPENSSL_NO_ASM */
 
@@ -254,44 +288,17 @@ struct bignum_ctx
 #define Lw(t)    (((BN_ULONG)(t))&BN_MASK2)
 #define Hw(t)    (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2)
 
-/* This is used for internal error checking and is not normally used */
-#ifdef BN_DEBUG
-# include <assert.h>
-# define bn_check_top(a) assert ((a)->top >= 0 && (a)->top <= (a)->dmax);
-#else
-# define bn_check_top(a)
-#endif
-
-/* This macro is to add extra stuff for development checking */
-#ifdef BN_DEBUG
-#define	bn_set_max(r) ((r)->max=(r)->top,BN_set_flags((r),BN_FLG_STATIC_DATA))
-#else
-#define	bn_set_max(r)
-#endif
-
-/* These macros are used to 'take' a section of a bignum for read only use */
-#define bn_set_low(r,a,n) \
-	{ \
-	(r)->top=((a)->top > (n))?(n):(a)->top; \
-	(r)->d=(a)->d; \
-	(r)->neg=(a)->neg; \
-	(r)->flags|=BN_FLG_STATIC_DATA; \
-	bn_set_max(r); \
-	}
-
-#define bn_set_high(r,a,n) \
+#ifdef BN_DEBUG_RAND
+#define bn_clear_top2max(a) \
 	{ \
-	if ((a)->top > (n)) \
-		{ \
-		(r)->top=(a)->top-n; \
-		(r)->d= &((a)->d[n]); \
-		} \
-	else \
-		(r)->top=0; \
-	(r)->neg=(a)->neg; \
-	(r)->flags|=BN_FLG_STATIC_DATA; \
-	bn_set_max(r); \
+	int      ind = (a)->dmax - (a)->top; \
+	BN_ULONG *ftl = &(a)->d[(a)->top-1]; \
+	for (; ind != 0; ind--) \
+		*(++ftl) = 0x0; \
 	}
+#else
+#define bn_clear_top2max(a)
+#endif
 
 #ifdef BN_LLONG
 #define mul_add(r,a,w,c) { \
@@ -315,6 +322,33 @@ struct bignum_ctx
 	(r1)=Hw(t); \
 	}
 
+#elif defined(BN_UMULT_LOHI)
+#define mul_add(r,a,w,c) {		\
+	BN_ULONG high,low,ret,tmp=(a);	\
+	ret =  (r);			\
+	BN_UMULT_LOHI(low,high,w,tmp);	\
+	ret += (c);			\
+	(c) =  (ret<(c))?1:0;		\
+	(c) += high;			\
+	ret += low;			\
+	(c) += (ret<low)?1:0;		\
+	(r) =  ret;			\
+	}
+
+#define mul(r,a,w,c)	{		\
+	BN_ULONG high,low,ret,ta=(a);	\
+	BN_UMULT_LOHI(low,high,w,ta);	\
+	ret =  low + (c);		\
+	(c) =  high;			\
+	(c) += (ret<low)?1:0;		\
+	(r) =  ret;			\
+	}
+
+#define sqr(r0,r1,a)	{		\
+	BN_ULONG tmp=(a);		\
+	BN_UMULT_LOHI(r0,r1,tmp,tmp);	\
+	}
+
 #elif defined(BN_UMULT_HIGH)
 #define mul_add(r,a,w,c) {		\
 	BN_ULONG high,low,ret,tmp=(a);	\
@@ -433,18 +467,20 @@ void bn_sqr_comba4(BN_ULONG *r,const BN_ULONG *a);
 int bn_cmp_words(const BN_ULONG *a,const BN_ULONG *b,int n);
 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
 	int cl, int dl);
-#ifdef BN_RECURSION
-void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
-	BN_ULONG *t);
-void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
-	int n, BN_ULONG *t);
+void bn_mul_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
+	int dna,int dnb,BN_ULONG *t);
+void bn_mul_part_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,
+	int n,int tna,int tnb,BN_ULONG *t);
+void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t);
+void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n);
 void bn_mul_low_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
 	BN_ULONG *t);
 void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2,
 	BN_ULONG *t);
-void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t);
-#endif
-void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n);
+BN_ULONG bn_add_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+	int cl, int dl);
+BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+	int cl, int dl);
 
 #ifdef  __cplusplus
 }
diff --git a/crypto/openssl/crypto/bn/bn_lib.c b/crypto/openssl/crypto/bn/bn_lib.c
index e1660450bc0f..3c4d5459f61f 100644
--- a/crypto/openssl/crypto/bn/bn_lib.c
+++ b/crypto/openssl/crypto/bn/bn_lib.c
@@ -69,6 +69,8 @@
 
 const char *BN_version="Big Number" OPENSSL_VERSION_PTEXT;
 
+/* This stuff appears to be completely unused, so is deprecated */
+#ifndef OPENSSL_NO_DEPRECATED
 /* For a 32 bit machine
  * 2 -   4 ==  128
  * 3 -   8 ==  256
@@ -91,28 +93,28 @@ void BN_set_params(int mult, int high, int low, int mont)
 	{
 	if (mult >= 0)
 		{
-		if (mult > (sizeof(int)*8)-1)
+		if (mult > (int)(sizeof(int)*8)-1)
 			mult=sizeof(int)*8-1;
 		bn_limit_bits=mult;
 		bn_limit_num=1<<mult;
 		}
 	if (high >= 0)
 		{
-		if (high > (sizeof(int)*8)-1)
+		if (high > (int)(sizeof(int)*8)-1)
 			high=sizeof(int)*8-1;
 		bn_limit_bits_high=high;
 		bn_limit_num_high=1<<high;
 		}
 	if (low >= 0)
 		{
-		if (low > (sizeof(int)*8)-1)
+		if (low > (int)(sizeof(int)*8)-1)
 			low=sizeof(int)*8-1;
 		bn_limit_bits_low=low;
 		bn_limit_num_low=1<<low;
 		}
 	if (mont >= 0)
 		{
-		if (mont > (sizeof(int)*8)-1)
+		if (mont > (int)(sizeof(int)*8)-1)
 			mont=sizeof(int)*8-1;
 		bn_limit_bits_mont=mont;
 		bn_limit_num_mont=1<<mont;
@@ -127,11 +129,12 @@ int BN_get_params(int which)
 	else if (which == 3) return(bn_limit_bits_mont);
 	else return(0);
 	}
+#endif
 
 const BIGNUM *BN_value_one(void)
 	{
 	static BN_ULONG data_one=1L;
-	static BIGNUM const_one={&data_one,1,1,0};
+	static BIGNUM const_one={&data_one,1,1,0,BN_FLG_STATIC_DATA};
 
 	return(&const_one);
 	}
@@ -244,16 +247,11 @@ int BN_num_bits_word(BN_ULONG l)
 
 int BN_num_bits(const BIGNUM *a)
 	{
-	BN_ULONG l;
-	int i;
-
+	int i = a->top - 1;
 	bn_check_top(a);
 
-	if (a->top == 0) return(0);
-	l=a->d[a->top-1];
-	assert(l != 0);
-	i=(a->top-1)*BN_BITS2;
-	return(i+BN_num_bits_word(l));
+	if (BN_is_zero(a)) return 0;
+	return ((i*BN_BITS2) + BN_num_bits_word(a->d[i]));
 	}
 
 void BN_clear_free(BIGNUM *a)
@@ -261,6 +259,7 @@ void BN_clear_free(BIGNUM *a)
 	int i;
 
 	if (a == NULL) return;
+	bn_check_top(a);
 	if (a->d != NULL)
 		{
 		OPENSSL_cleanse(a->d,a->dmax*sizeof(a->d[0]));
@@ -276,16 +275,24 @@ void BN_clear_free(BIGNUM *a)
 void BN_free(BIGNUM *a)
 	{
 	if (a == NULL) return;
+	bn_check_top(a);
 	if ((a->d != NULL) && !(BN_get_flags(a,BN_FLG_STATIC_DATA)))
 		OPENSSL_free(a->d);
-	a->flags|=BN_FLG_FREE; /* REMOVE? */
 	if (a->flags & BN_FLG_MALLOCED)
 		OPENSSL_free(a);
+	else
+		{
+#ifndef OPENSSL_NO_DEPRECATED
+		a->flags|=BN_FLG_FREE;
+#endif
+		a->d = NULL;
+		}
 	}
 
 void BN_init(BIGNUM *a)
 	{
 	memset(a,0,sizeof(BIGNUM));
+	bn_check_top(a);
 	}
 
 BIGNUM *BN_new(void)
@@ -302,6 +309,7 @@ BIGNUM *BN_new(void)
 	ret->neg=0;
 	ret->dmax=0;
 	ret->d=NULL;
+	bn_check_top(ret);
 	return(ret);
 	}
 
@@ -313,19 +321,19 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
 	const BN_ULONG *B;
 	int i;
 
+	bn_check_top(b);
+
 	if (words > (INT_MAX/(4*BN_BITS2)))
 		{
 		BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_BIGNUM_TOO_LONG);
 		return NULL;
 		}
-
-	bn_check_top(b);	
 	if (BN_get_flags(b,BN_FLG_STATIC_DATA))
 		{
 		BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
 		return(NULL);
 		}
-	a=A=(BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG)*(words+1));
+	a=A=(BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG)*words);
 	if (A == NULL)
 		{
 		BNerr(BN_F_BN_EXPAND_INTERNAL,ERR_R_MALLOC_FAILURE);
@@ -363,19 +371,8 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
 			}
 		}
 
-	/* Now need to zero any data between b->top and b->max */
-	/* XXX Why? */
-
-	A= &(a[b->top]);
-	for (i=(words - b->top)>>3; i>0; i--,A+=8)
-		{
-		A[0]=0; A[1]=0; A[2]=0; A[3]=0;
-		A[4]=0; A[5]=0; A[6]=0; A[7]=0;
-		}
-	for (i=(words - b->top)&7; i>0; i--,A++)
-		A[0]=0;
 #else
-	memset(A,0,sizeof(BN_ULONG)*(words+1));
+	memset(A,0,sizeof(BN_ULONG)*words);
 	memcpy(A,b->d,sizeof(b->d[0])*b->top);
 #endif
 		
@@ -393,16 +390,19 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
  * while bn_dup_expand() makes sure allocation is made only once.
  */
 
+#ifndef OPENSSL_NO_DEPRECATED
 BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
 	{
 	BIGNUM *r = NULL;
 
+	bn_check_top(b);
+
 	/* This function does not work if
 	 *      words <= b->dmax && top < words
 	 * because BN_dup() does not preserve 'dmax'!
 	 * (But bn_dup_expand() is not used anywhere yet.)
 	 */
-	
+
 	if (words > b->dmax)
 		{
 		BN_ULONG *a = bn_expand_internal(b, words);
@@ -431,48 +431,67 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
 		r = BN_dup(b);
 		}
 
+	bn_check_top(r);
 	return r;
 	}
+#endif
 
 /* This is an internal function that should not be used in applications.
- * It ensures that 'b' has enough room for a 'words' word number number.
+ * It ensures that 'b' has enough room for a 'words' word number
+ * and initialises any unused part of b->d with leading zeros.
  * It is mostly used by the various BIGNUM routines. If there is an error,
  * NULL is returned. If not, 'b' is returned. */
 
 BIGNUM *bn_expand2(BIGNUM *b, int words)
 	{
+	bn_check_top(b);
+
 	if (words > b->dmax)
 		{
 		BN_ULONG *a = bn_expand_internal(b, words);
+		if(!a) return NULL;
+		if(b->d) OPENSSL_free(b->d);
+		b->d=a;
+		b->dmax=words;
+		}
 
-		if (a)
+/* None of this should be necessary because of what b->top means! */
+#if 0
+	/* NB: bn_wexpand() calls this only if the BIGNUM really has to grow */
+	if (b->top < b->dmax)
+		{
+		int i;
+		BN_ULONG *A = &(b->d[b->top]);
+		for (i=(b->dmax - b->top)>>3; i>0; i--,A+=8)
 			{
-			if (b->d)
-				OPENSSL_free(b->d);
-			b->d=a;
-			b->dmax=words;
+			A[0]=0; A[1]=0; A[2]=0; A[3]=0;
+			A[4]=0; A[5]=0; A[6]=0; A[7]=0;
 			}
-		else
-			b = NULL;
+		for (i=(b->dmax - b->top)&7; i>0; i--,A++)
+			A[0]=0;
+		assert(A == &(b->d[b->dmax]));
 		}
+#endif
+	bn_check_top(b);
 	return b;
 	}
 
 BIGNUM *BN_dup(const BIGNUM *a)
 	{
-	BIGNUM *r, *t;
+	BIGNUM *t;
 
 	if (a == NULL) return NULL;
-
 	bn_check_top(a);
 
 	t = BN_new();
-	if (t == NULL) return(NULL);
-	r = BN_copy(t, a);
-	/* now  r == t || r == NULL */
-	if (r == NULL)
+	if (t == NULL) return NULL;
+	if(!BN_copy(t, a))
+		{
 		BN_free(t);
-	return r;
+		return NULL;
+		}
+	bn_check_top(t);
+	return t;
 	}
 
 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
@@ -506,11 +525,9 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
 	memcpy(a->d,b->d,sizeof(b->d[0])*b->top);
 #endif
 
-/*	memset(&(a->d[b->top]),0,sizeof(a->d[0])*(a->max-b->top));*/
 	a->top=b->top;
-	if ((a->top == 0) && (a->d != NULL))
-		a->d[0]=0;
 	a->neg=b->neg;
+	bn_check_top(a);
 	return(a);
 	}
 
@@ -520,6 +537,9 @@ void BN_swap(BIGNUM *a, BIGNUM *b)
 	BN_ULONG *tmp_d;
 	int tmp_top, tmp_dmax, tmp_neg;
 	
+	bn_check_top(a);
+	bn_check_top(b);
+
 	flags_old_a = a->flags;
 	flags_old_b = b->flags;
 
@@ -540,11 +560,13 @@ void BN_swap(BIGNUM *a, BIGNUM *b)
 	
 	a->flags = (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
 	b->flags = (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
+	bn_check_top(a);
+	bn_check_top(b);
 	}
 
-
 void BN_clear(BIGNUM *a)
 	{
+	bn_check_top(a);
 	if (a->d != NULL)
 		memset(a->d,0,a->dmax*sizeof(a->d[0]));
 	a->top=0;
@@ -553,49 +575,22 @@ void BN_clear(BIGNUM *a)
 
 BN_ULONG BN_get_word(const BIGNUM *a)
 	{
-	int i,n;
-	BN_ULONG ret=0;
-
-	n=BN_num_bytes(a);
-	if (n > sizeof(BN_ULONG))
-		return(BN_MASK2);
-	for (i=a->top-1; i>=0; i--)
-		{
-#ifndef SIXTY_FOUR_BIT /* the data item > unsigned long */
-		ret<<=BN_BITS4; /* stops the compiler complaining */
-		ret<<=BN_BITS4;
-#else
-		ret=0;
-#endif
-		ret|=a->d[i];
-		}
-	return(ret);
+	if (a->top > 1)
+		return BN_MASK2;
+	else if (a->top == 1)
+		return a->d[0];
+	/* a->top == 0 */
+	return 0;
 	}
 
 int BN_set_word(BIGNUM *a, BN_ULONG w)
 	{
-	int i,n;
-	if (bn_expand(a,sizeof(BN_ULONG)*8) == NULL) return(0);
-
-	n=sizeof(BN_ULONG)/BN_BYTES;
-	a->neg=0;
-	a->top=0;
-	a->d[0]=(BN_ULONG)w&BN_MASK2;
-	if (a->d[0] != 0) a->top=1;
-	for (i=1; i<n; i++)
-		{
-		/* the following is done instead of
-		 * w>>=BN_BITS2 so compilers don't complain
-		 * on builds where sizeof(long) == BN_TYPES */
-#ifndef SIXTY_FOUR_BIT /* the data item > unsigned long */
-		w>>=BN_BITS4;
-		w>>=BN_BITS4;
-#else
-		w=0;
-#endif
-		a->d[i]=(BN_ULONG)w&BN_MASK2;
-		if (a->d[i] != 0) a->top=i+1;
-		}
+	bn_check_top(a);
+	if (bn_expand(a,(int)sizeof(BN_ULONG)*8) == NULL) return(0);
+	a->neg = 0;
+	a->d[0] = w;
+	a->top = (w ? 1 : 0);
+	bn_check_top(a);
 	return(1);
 	}
 
@@ -604,9 +599,12 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
 	unsigned int i,m;
 	unsigned int n;
 	BN_ULONG l;
+	BIGNUM  *bn = NULL;
 
-	if (ret == NULL) ret=BN_new();
+	if (ret == NULL)
+		ret = bn = BN_new();
 	if (ret == NULL) return(NULL);
+	bn_check_top(ret);
 	l=0;
 	n=len;
 	if (n == 0)
@@ -614,13 +612,16 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
 		ret->top=0;
 		return(ret);
 		}
-	if (bn_expand(ret,(int)(n+2)*8) == NULL)
-		return(NULL);
 	i=((n-1)/BN_BYTES)+1;
 	m=((n-1)%(BN_BYTES));
+	if (bn_wexpand(ret, (int)i) == NULL)
+		{
+		if (bn) BN_free(bn);
+		return NULL;
+		}
 	ret->top=i;
 	ret->neg=0;
-	while (n-- > 0)
+	while (n--)
 		{
 		l=(l<<8L)| *(s++);
 		if (m-- == 0)
@@ -632,7 +633,7 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
 		}
 	/* need to call this due to clear byte at top if avoiding
 	 * having the top bit set (-ve number) */
-	bn_fix_top(ret);
+	bn_correct_top(ret);
 	return(ret);
 	}
 
@@ -642,8 +643,9 @@ int BN_bn2bin(const BIGNUM *a, unsigned char *to)
 	int n,i;
 	BN_ULONG l;
 
+	bn_check_top(a);
 	n=i=BN_num_bytes(a);
-	while (i-- > 0)
+	while (i--)
 		{
 		l=a->d[i/BN_BYTES];
 		*(to++)=(unsigned char)(l>>(8*(i%BN_BYTES)))&0xff;
@@ -668,7 +670,7 @@ int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
 		t1= ap[i];
 		t2= bp[i];
 		if (t1 != t2)
-			return(t1 > t2?1:-1);
+			return((t1 > t2) ? 1 : -1);
 		}
 	return(0);
 	}
@@ -718,6 +720,9 @@ int BN_set_bit(BIGNUM *a, int n)
 	{
 	int i,j,k;
 
+	if (n < 0)
+		return 0;
+
 	i=n/BN_BITS2;
 	j=n%BN_BITS2;
 	if (a->top <= i)
@@ -729,6 +734,7 @@ int BN_set_bit(BIGNUM *a, int n)
 		}
 
 	a->d[i]|=(((BN_ULONG)1)<<j);
+	bn_check_top(a);
 	return(1);
 	}
 
@@ -736,12 +742,15 @@ int BN_clear_bit(BIGNUM *a, int n)
 	{
 	int i,j;
 
+	bn_check_top(a);
+	if (n < 0) return 0;
+
 	i=n/BN_BITS2;
 	j=n%BN_BITS2;
 	if (a->top <= i) return(0);
 
 	a->d[i]&=(~(((BN_ULONG)1)<<j));
-	bn_fix_top(a);
+	bn_correct_top(a);
 	return(1);
 	}
 
@@ -749,10 +758,11 @@ int BN_is_bit_set(const BIGNUM *a, int n)
 	{
 	int i,j;
 
-	if (n < 0) return(0);
+	bn_check_top(a);
+	if (n < 0) return 0;
 	i=n/BN_BITS2;
 	j=n%BN_BITS2;
-	if (a->top <= i) return(0);
+	if (a->top <= i) return 0;
 	return((a->d[i]&(((BN_ULONG)1)<<j))?1:0);
 	}
 
@@ -760,9 +770,12 @@ int BN_mask_bits(BIGNUM *a, int n)
 	{
 	int b,w;
 
+	bn_check_top(a);
+	if (n < 0) return 0;
+
 	w=n/BN_BITS2;
 	b=n%BN_BITS2;
-	if (w >= a->top) return(0);
+	if (w >= a->top) return 0;
 	if (b == 0)
 		a->top=w;
 	else
@@ -770,10 +783,18 @@ int BN_mask_bits(BIGNUM *a, int n)
 		a->top=w+1;
 		a->d[w]&= ~(BN_MASK2<<b);
 		}
-	bn_fix_top(a);
+	bn_correct_top(a);
 	return(1);
 	}
 
+void BN_set_negative(BIGNUM *a, int b)
+	{
+	if (b && !BN_is_zero(a))
+		a->neg = 1;
+	else
+		a->neg = 0;
+	}
+
 int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
 	{
 	int i;
diff --git a/crypto/openssl/crypto/bn/bn_mod.c b/crypto/openssl/crypto/bn/bn_mod.c
index 5cf82480d7ba..77d6ddb91a5f 100644
--- a/crypto/openssl/crypto/bn/bn_mod.c
+++ b/crypto/openssl/crypto/bn/bn_mod.c
@@ -149,7 +149,7 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_
  * and less than  m */
 int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m)
 	{
-	if (!BN_add(r, a, b)) return 0;
+	if (!BN_uadd(r, a, b)) return 0;
 	if (BN_ucmp(r, m) >= 0)
 		return BN_usub(r, r, m);
 	return 1;
@@ -192,6 +192,7 @@ int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
 	else
 		{ if (!BN_mul(t,a,b,ctx)) goto err; }
 	if (!BN_nnmod(r,t,m,ctx)) goto err;
+	bn_check_top(r);
 	ret=1;
 err:
 	BN_CTX_end(ctx);
@@ -210,6 +211,7 @@ int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx)
 int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx)
 	{
 	if (!BN_lshift1(r, a)) return 0;
+	bn_check_top(r);
 	return BN_nnmod(r, r, m, ctx);
 	}
 
@@ -219,6 +221,7 @@ int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx)
 int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m)
 	{
 	if (!BN_lshift1(r, a)) return 0;
+	bn_check_top(r);
 	if (BN_cmp(r, m) >= 0)
 		return BN_sub(r, r, m);
 	return 1;
@@ -240,6 +243,7 @@ int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ct
 		}
 	
 	ret = BN_mod_lshift_quick(r, r, n, (abs_m ? abs_m : m));
+	bn_check_top(r);
 
 	if (abs_m)
 		BN_free(abs_m);
@@ -291,6 +295,7 @@ int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m)
 			if (!BN_sub(r, r, m)) return 0;
 			}
 		}
+	bn_check_top(r);
 	
 	return 1;
 	}
diff --git a/crypto/openssl/crypto/bn/bn_mont.c b/crypto/openssl/crypto/bn/bn_mont.c
index c9ebdbaabeb9..42376dae6bdf 100644
--- a/crypto/openssl/crypto/bn/bn_mont.c
+++ b/crypto/openssl/crypto/bn/bn_mont.c
@@ -90,6 +90,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
 		}
 	/* reduce from aRR to aR */
 	if (!BN_from_montgomery(r,tmp,mont,ctx)) goto err;
+	bn_check_top(r);
 	ret=1;
 err:
 	BN_CTX_end(ctx);
@@ -172,7 +173,7 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
 			for (x=2; (((++nrp[x])&BN_MASK2) == 0); x++) ;
 			}
 		}
-	bn_fix_top(r);
+	bn_correct_top(r);
 	
 	/* mont->ri will be a multiple of the word size */
 #if 0
@@ -229,6 +230,7 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
 		if (!BN_usub(ret,ret,&(mont->N))) goto err;
 		}
 	retn=1;
+	bn_check_top(ret);
  err:
 	BN_CTX_end(ctx);
 	return(retn);
@@ -269,11 +271,13 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont)
 
 int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 	{
-	BIGNUM Ri,*R;
+	int ret = 0;
+	BIGNUM *Ri,*R;
 
-	BN_init(&Ri);
+	BN_CTX_start(ctx);
+	if((Ri = BN_CTX_get(ctx)) == NULL) goto err;
 	R= &(mont->RR);					/* grab RR as a temp */
-	BN_copy(&(mont->N),mod);			/* Set N */
+	if (!BN_copy(&(mont->N),mod)) goto err;		/* Set N */
 	mont->N.neg = 0;
 
 #ifdef MONT_WORD
@@ -282,57 +286,56 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 		BN_ULONG buf[2];
 
 		mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
-		if (!(BN_zero(R))) goto err;
+		BN_zero(R);
 		if (!(BN_set_bit(R,BN_BITS2))) goto err;	/* R */
 
 		buf[0]=mod->d[0]; /* tmod = N mod word size */
 		buf[1]=0;
 		tmod.d=buf;
-		tmod.top=1;
+		tmod.top = buf[0] != 0 ? 1 : 0;
 		tmod.dmax=2;
 		tmod.neg=0;
 							/* Ri = R^-1 mod N*/
-		if ((BN_mod_inverse(&Ri,R,&tmod,ctx)) == NULL)
+		if ((BN_mod_inverse(Ri,R,&tmod,ctx)) == NULL)
 			goto err;
-		if (!BN_lshift(&Ri,&Ri,BN_BITS2)) goto err; /* R*Ri */
-		if (!BN_is_zero(&Ri))
+		if (!BN_lshift(Ri,Ri,BN_BITS2)) goto err; /* R*Ri */
+		if (!BN_is_zero(Ri))
 			{
-			if (!BN_sub_word(&Ri,1)) goto err;
+			if (!BN_sub_word(Ri,1)) goto err;
 			}
 		else /* if N mod word size == 1 */
 			{
-			if (!BN_set_word(&Ri,BN_MASK2)) goto err;  /* Ri-- (mod word size) */
+			if (!BN_set_word(Ri,BN_MASK2)) goto err;  /* Ri-- (mod word size) */
 			}
-		if (!BN_div(&Ri,NULL,&Ri,&tmod,ctx)) goto err;
+		if (!BN_div(Ri,NULL,Ri,&tmod,ctx)) goto err;
 		/* Ni = (R*Ri-1)/N,
 		 * keep only least significant word: */
-		mont->n0 = (Ri.top > 0) ? Ri.d[0] : 0;
-		BN_free(&Ri);
+		mont->n0 = (Ri->top > 0) ? Ri->d[0] : 0;
 		}
 #else /* !MONT_WORD */
 		{ /* bignum version */
 		mont->ri=BN_num_bits(&mont->N);
-		if (!BN_zero(R)) goto err;
+		BN_zero(R);
 		if (!BN_set_bit(R,mont->ri)) goto err;  /* R = 2^ri */
 		                                        /* Ri = R^-1 mod N*/
-		if ((BN_mod_inverse(&Ri,R,&mont->N,ctx)) == NULL)
+		if ((BN_mod_inverse(Ri,R,&mont->N,ctx)) == NULL)
 			goto err;
-		if (!BN_lshift(&Ri,&Ri,mont->ri)) goto err; /* R*Ri */
-		if (!BN_sub_word(&Ri,1)) goto err;
+		if (!BN_lshift(Ri,Ri,mont->ri)) goto err; /* R*Ri */
+		if (!BN_sub_word(Ri,1)) goto err;
 							/* Ni = (R*Ri-1) / N */
-		if (!BN_div(&(mont->Ni),NULL,&Ri,&mont->N,ctx)) goto err;
-		BN_free(&Ri);
+		if (!BN_div(&(mont->Ni),NULL,Ri,&mont->N,ctx)) goto err;
 		}
 #endif
 
 	/* setup RR for conversions */
-	if (!BN_zero(&(mont->RR))) goto err;
+	BN_zero(&(mont->RR));
 	if (!BN_set_bit(&(mont->RR),mont->ri*2)) goto err;
 	if (!BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx)) goto err;
 
-	return(1);
+	ret = 1;
 err:
-	return(0);
+	BN_CTX_end(ctx);
+	return ret;
 	}
 
 BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
@@ -347,3 +350,21 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
 	return(to);
 	}
 
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
+					const BIGNUM *mod, BN_CTX *ctx)
+	{
+	if (*pmont)
+		return *pmont;
+	CRYPTO_w_lock(lock);
+	if (!*pmont)
+		{
+		BN_MONT_CTX *mtmp;
+		mtmp = BN_MONT_CTX_new();
+		if (mtmp && !BN_MONT_CTX_set(mtmp, mod, ctx))
+			BN_MONT_CTX_free(mtmp);
+		else
+			*pmont = mtmp;
+		}
+	CRYPTO_w_unlock(lock);
+	return *pmont;
+	}
diff --git a/crypto/openssl/crypto/bn/bn_mpi.c b/crypto/openssl/crypto/bn/bn_mpi.c
index 05fa9d1e9a5c..a054d21aed6b 100644
--- a/crypto/openssl/crypto/bn/bn_mpi.c
+++ b/crypto/openssl/crypto/bn/bn_mpi.c
@@ -124,6 +124,7 @@ BIGNUM *BN_mpi2bn(const unsigned char *d, int n, BIGNUM *a)
 		{
 		BN_clear_bit(a,BN_num_bits(a)-1);
 		}
+	bn_check_top(a);
 	return(a);
 	}
 
diff --git a/crypto/openssl/crypto/bn/bn_mul.c b/crypto/openssl/crypto/bn/bn_mul.c
index 3ae3822bc2af..aec1eafc65fb 100644
--- a/crypto/openssl/crypto/bn/bn_mul.c
+++ b/crypto/openssl/crypto/bn/bn_mul.c
@@ -56,10 +56,325 @@
  * [including the GNU Public Licence.]
  */
 
+#ifndef BN_DEBUG
+# undef NDEBUG /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
 #include <stdio.h>
+#include <assert.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
+#if defined(OPENSSL_NO_ASM) || !defined(OPENSSL_BN_ASM_PART_WORDS)
+/* Here follows specialised variants of bn_add_words() and
+   bn_sub_words().  They have the property performing operations on
+   arrays of different sizes.  The sizes of those arrays is expressed through
+   cl, which is the common length ( basicall, min(len(a),len(b)) ), and dl,
+   which is the delta between the two lengths, calculated as len(a)-len(b).
+   All lengths are the number of BN_ULONGs...  For the operations that require
+   a result array as parameter, it must have the length cl+abs(dl).
+   These functions should probably end up in bn_asm.c as soon as there are
+   assembler counterparts for the systems that use assembler files.  */
+
+BN_ULONG bn_sub_part_words(BN_ULONG *r,
+	const BN_ULONG *a, const BN_ULONG *b,
+	int cl, int dl)
+	{
+	BN_ULONG c, t;
+
+	assert(cl >= 0);
+	c = bn_sub_words(r, a, b, cl);
+
+	if (dl == 0)
+		return c;
+
+	r += cl;
+	a += cl;
+	b += cl;
+
+	if (dl < 0)
+		{
+#ifdef BN_COUNT
+		fprintf(stderr, "  bn_sub_part_words %d + %d (dl < 0, c = %d)\n", cl, dl, c);
+#endif
+		for (;;)
+			{
+			t = b[0];
+			r[0] = (0-t-c)&BN_MASK2;
+			if (t != 0) c=1;
+			if (++dl >= 0) break;
+
+			t = b[1];
+			r[1] = (0-t-c)&BN_MASK2;
+			if (t != 0) c=1;
+			if (++dl >= 0) break;
+
+			t = b[2];
+			r[2] = (0-t-c)&BN_MASK2;
+			if (t != 0) c=1;
+			if (++dl >= 0) break;
+
+			t = b[3];
+			r[3] = (0-t-c)&BN_MASK2;
+			if (t != 0) c=1;
+			if (++dl >= 0) break;
+
+			b += 4;
+			r += 4;
+			}
+		}
+	else
+		{
+		int save_dl = dl;
+#ifdef BN_COUNT
+		fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, c = %d)\n", cl, dl, c);
+#endif
+		while(c)
+			{
+			t = a[0];
+			r[0] = (t-c)&BN_MASK2;
+			if (t != 0) c=0;
+			if (--dl <= 0) break;
+
+			t = a[1];
+			r[1] = (t-c)&BN_MASK2;
+			if (t != 0) c=0;
+			if (--dl <= 0) break;
+
+			t = a[2];
+			r[2] = (t-c)&BN_MASK2;
+			if (t != 0) c=0;
+			if (--dl <= 0) break;
+
+			t = a[3];
+			r[3] = (t-c)&BN_MASK2;
+			if (t != 0) c=0;
+			if (--dl <= 0) break;
+
+			save_dl = dl;
+			a += 4;
+			r += 4;
+			}
+		if (dl > 0)
+			{
+#ifdef BN_COUNT
+			fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, c == 0)\n", cl, dl);
+#endif
+			if (save_dl > dl)
+				{
+				switch (save_dl - dl)
+					{
+				case 1:
+					r[1] = a[1];
+					if (--dl <= 0) break;
+				case 2:
+					r[2] = a[2];
+					if (--dl <= 0) break;
+				case 3:
+					r[3] = a[3];
+					if (--dl <= 0) break;
+					}
+				a += 4;
+				r += 4;
+				}
+			}
+		if (dl > 0)
+			{
+#ifdef BN_COUNT
+			fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, copy)\n", cl, dl);
+#endif
+			for(;;)
+				{
+				r[0] = a[0];
+				if (--dl <= 0) break;
+				r[1] = a[1];
+				if (--dl <= 0) break;
+				r[2] = a[2];
+				if (--dl <= 0) break;
+				r[3] = a[3];
+				if (--dl <= 0) break;
+
+				a += 4;
+				r += 4;
+				}
+			}
+		}
+	return c;
+	}
+#endif
+
+BN_ULONG bn_add_part_words(BN_ULONG *r,
+	const BN_ULONG *a, const BN_ULONG *b,
+	int cl, int dl)
+	{
+	BN_ULONG c, l, t;
+
+	assert(cl >= 0);
+	c = bn_add_words(r, a, b, cl);
+
+	if (dl == 0)
+		return c;
+
+	r += cl;
+	a += cl;
+	b += cl;
+
+	if (dl < 0)
+		{
+		int save_dl = dl;
+#ifdef BN_COUNT
+		fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, c = %d)\n", cl, dl, c);
+#endif
+		while (c)
+			{
+			l=(c+b[0])&BN_MASK2;
+			c=(l < c);
+			r[0]=l;
+			if (++dl >= 0) break;
+
+			l=(c+b[1])&BN_MASK2;
+			c=(l < c);
+			r[1]=l;
+			if (++dl >= 0) break;
+
+			l=(c+b[2])&BN_MASK2;
+			c=(l < c);
+			r[2]=l;
+			if (++dl >= 0) break;
+
+			l=(c+b[3])&BN_MASK2;
+			c=(l < c);
+			r[3]=l;
+			if (++dl >= 0) break;
+
+			save_dl = dl;
+			b+=4;
+			r+=4;
+			}
+		if (dl < 0)
+			{
+#ifdef BN_COUNT
+			fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, c == 0)\n", cl, dl);
+#endif
+			if (save_dl < dl)
+				{
+				switch (dl - save_dl)
+					{
+				case 1:
+					r[1] = b[1];
+					if (++dl >= 0) break;
+				case 2:
+					r[2] = b[2];
+					if (++dl >= 0) break;
+				case 3:
+					r[3] = b[3];
+					if (++dl >= 0) break;
+					}
+				b += 4;
+				r += 4;
+				}
+			}
+		if (dl < 0)
+			{
+#ifdef BN_COUNT
+			fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, copy)\n", cl, dl);
+#endif
+			for(;;)
+				{
+				r[0] = b[0];
+				if (++dl >= 0) break;
+				r[1] = b[1];
+				if (++dl >= 0) break;
+				r[2] = b[2];
+				if (++dl >= 0) break;
+				r[3] = b[3];
+				if (++dl >= 0) break;
+
+				b += 4;
+				r += 4;
+				}
+			}
+		}
+	else
+		{
+		int save_dl = dl;
+#ifdef BN_COUNT
+		fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0)\n", cl, dl);
+#endif
+		while (c)
+			{
+			t=(a[0]+c)&BN_MASK2;
+			c=(t < c);
+			r[0]=t;
+			if (--dl <= 0) break;
+
+			t=(a[1]+c)&BN_MASK2;
+			c=(t < c);
+			r[1]=t;
+			if (--dl <= 0) break;
+
+			t=(a[2]+c)&BN_MASK2;
+			c=(t < c);
+			r[2]=t;
+			if (--dl <= 0) break;
+
+			t=(a[3]+c)&BN_MASK2;
+			c=(t < c);
+			r[3]=t;
+			if (--dl <= 0) break;
+
+			save_dl = dl;
+			a+=4;
+			r+=4;
+			}
+#ifdef BN_COUNT
+		fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0, c == 0)\n", cl, dl);
+#endif
+		if (dl > 0)
+			{
+			if (save_dl > dl)
+				{
+				switch (save_dl - dl)
+					{
+				case 1:
+					r[1] = a[1];
+					if (--dl <= 0) break;
+				case 2:
+					r[2] = a[2];
+					if (--dl <= 0) break;
+				case 3:
+					r[3] = a[3];
+					if (--dl <= 0) break;
+					}
+				a += 4;
+				r += 4;
+				}
+			}
+		if (dl > 0)
+			{
+#ifdef BN_COUNT
+			fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0, copy)\n", cl, dl);
+#endif
+			for(;;)
+				{
+				r[0] = a[0];
+				if (--dl <= 0) break;
+				r[1] = a[1];
+				if (--dl <= 0) break;
+				r[2] = a[2];
+				if (--dl <= 0) break;
+				r[3] = a[3];
+				if (--dl <= 0) break;
+
+				a += 4;
+				r += 4;
+				}
+			}
+		}
+	return c;
+	}
+
 #ifdef BN_RECURSION
 /* Karatsuba recursive multiplication algorithm
  * (cf. Knuth, The Art of Computer Programming, Vol. 2) */
@@ -75,14 +390,15 @@
  * a[1]*b[1]
  */
 void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
-	     BN_ULONG *t)
+	int dna, int dnb, BN_ULONG *t)
 	{
 	int n=n2/2,c1,c2;
+	int tna=n+dna, tnb=n+dnb;
 	unsigned int neg,zero;
 	BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
-	printf(" bn_mul_recursive %d * %d\n",n2,n2);
+	fprintf(stderr," bn_mul_recursive %d * %d\n",n2,n2);
 # endif
 # ifdef BN_MUL_COMBA
 #  if 0
@@ -92,34 +408,40 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 		return;
 		}
 #  endif
-	if (n2 == 8)
+	/* Only call bn_mul_comba 8 if n2 == 8 and the
+	 * two arrays are complete [steve]
+	 */
+	if (n2 == 8 && dna == 0 && dnb == 0)
 		{
 		bn_mul_comba8(r,a,b);
 		return; 
 		}
 # endif /* BN_MUL_COMBA */
+	/* Else do normal multiply */
 	if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL)
 		{
-		/* This should not happen */
-		bn_mul_normal(r,a,n2,b,n2);
+		bn_mul_normal(r,a,n2+dna,b,n2+dnb);
+		if ((dna + dnb) < 0)
+			memset(&r[2*n2 + dna + dnb], 0,
+				sizeof(BN_ULONG) * -(dna + dnb));
 		return;
 		}
 	/* r=(a[0]-a[1])*(b[1]-b[0]) */
-	c1=bn_cmp_words(a,&(a[n]),n);
-	c2=bn_cmp_words(&(b[n]),b,n);
+	c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna);
+	c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n);
 	zero=neg=0;
 	switch (c1*3+c2)
 		{
 	case -4:
-		bn_sub_words(t,      &(a[n]),a,      n); /* - */
-		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+		bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
+		bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
 		break;
 	case -3:
 		zero=1;
 		break;
 	case -2:
-		bn_sub_words(t,      &(a[n]),a,      n); /* - */
-		bn_sub_words(&(t[n]),&(b[n]),b,      n); /* + */
+		bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
+		bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n); /* + */
 		neg=1;
 		break;
 	case -1:
@@ -128,21 +450,22 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 		zero=1;
 		break;
 	case 2:
-		bn_sub_words(t,      a,      &(a[n]),n); /* + */
-		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+		bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna); /* + */
+		bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
 		neg=1;
 		break;
 	case 3:
 		zero=1;
 		break;
 	case 4:
-		bn_sub_words(t,      a,      &(a[n]),n);
-		bn_sub_words(&(t[n]),&(b[n]),b,      n);
+		bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna);
+		bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n);
 		break;
 		}
 
 # ifdef BN_MUL_COMBA
-	if (n == 4)
+	if (n == 4 && dna == 0 && dnb == 0) /* XXX: bn_mul_comba4 could take
+					       extra args to do this well */
 		{
 		if (!zero)
 			bn_mul_comba4(&(t[n2]),t,&(t[n]));
@@ -152,7 +475,9 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 		bn_mul_comba4(r,a,b);
 		bn_mul_comba4(&(r[n2]),&(a[n]),&(b[n]));
 		}
-	else if (n == 8)
+	else if (n == 8 && dna == 0 && dnb == 0) /* XXX: bn_mul_comba8 could
+						    take extra args to do this
+						    well */
 		{
 		if (!zero)
 			bn_mul_comba8(&(t[n2]),t,&(t[n]));
@@ -167,11 +492,11 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 		{
 		p= &(t[n2*2]);
 		if (!zero)
-			bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
+			bn_mul_recursive(&(t[n2]),t,&(t[n]),n,0,0,p);
 		else
 			memset(&(t[n2]),0,n2*sizeof(BN_ULONG));
-		bn_mul_recursive(r,a,b,n,p);
-		bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,p);
+		bn_mul_recursive(r,a,b,n,0,0,p);
+		bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,dna,dnb,p);
 		}
 
 	/* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
@@ -220,39 +545,39 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 
 /* n+tn is the word length
  * t needs to be n*4 is size, as does r */
-void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
-	     int n, BN_ULONG *t)
+void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
+	     int tna, int tnb, BN_ULONG *t)
 	{
 	int i,j,n2=n*2;
 	int c1,c2,neg,zero;
 	BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
-	printf(" bn_mul_part_recursive %d * %d\n",tn+n,tn+n);
+	fprintf(stderr," bn_mul_part_recursive (%d+%d) * (%d+%d)\n",
+		tna, n, tnb, n);
 # endif
 	if (n < 8)
 		{
-		i=tn+n;
-		bn_mul_normal(r,a,i,b,i);
+		bn_mul_normal(r,a,n+tna,b,n+tnb);
 		return;
 		}
 
 	/* r=(a[0]-a[1])*(b[1]-b[0]) */
-	c1=bn_cmp_words(a,&(a[n]),n);
-	c2=bn_cmp_words(&(b[n]),b,n);
+	c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna);
+	c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n);
 	zero=neg=0;
 	switch (c1*3+c2)
 		{
 	case -4:
-		bn_sub_words(t,      &(a[n]),a,      n); /* - */
-		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+		bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
+		bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
 		break;
 	case -3:
 		zero=1;
 		/* break; */
 	case -2:
-		bn_sub_words(t,      &(a[n]),a,      n); /* - */
-		bn_sub_words(&(t[n]),&(b[n]),b,      n); /* + */
+		bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
+		bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n); /* + */
 		neg=1;
 		break;
 	case -1:
@@ -261,16 +586,16 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
 		zero=1;
 		/* break; */
 	case 2:
-		bn_sub_words(t,      a,      &(a[n]),n); /* + */
-		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+		bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna); /* + */
+		bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
 		neg=1;
 		break;
 	case 3:
 		zero=1;
 		/* break; */
 	case 4:
-		bn_sub_words(t,      a,      &(a[n]),n);
-		bn_sub_words(&(t[n]),&(b[n]),b,      n);
+		bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna);
+		bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n);
 		break;
 		}
 		/* The zero case isn't yet implemented here. The speedup
@@ -289,54 +614,59 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
 		{
 		bn_mul_comba8(&(t[n2]),t,&(t[n]));
 		bn_mul_comba8(r,a,b);
-		bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
-		memset(&(r[n2+tn*2]),0,sizeof(BN_ULONG)*(n2-tn*2));
+		bn_mul_normal(&(r[n2]),&(a[n]),tna,&(b[n]),tnb);
+		memset(&(r[n2+tna+tnb]),0,sizeof(BN_ULONG)*(n2-tna-tnb));
 		}
 	else
 		{
 		p= &(t[n2*2]);
-		bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
-		bn_mul_recursive(r,a,b,n,p);
+		bn_mul_recursive(&(t[n2]),t,&(t[n]),n,0,0,p);
+		bn_mul_recursive(r,a,b,n,0,0,p);
 		i=n/2;
 		/* If there is only a bottom half to the number,
 		 * just do it */
-		j=tn-i;
+		if (tna > tnb)
+			j = tna - i;
+		else
+			j = tnb - i;
 		if (j == 0)
 			{
-			bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),i,p);
+			bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),
+				i,tna-i,tnb-i,p);
 			memset(&(r[n2+i*2]),0,sizeof(BN_ULONG)*(n2-i*2));
 			}
 		else if (j > 0) /* eg, n == 16, i == 8 and tn == 11 */
 				{
 				bn_mul_part_recursive(&(r[n2]),&(a[n]),&(b[n]),
-					j,i,p);
-				memset(&(r[n2+tn*2]),0,
-					sizeof(BN_ULONG)*(n2-tn*2));
+					i,tna-i,tnb-i,p);
+				memset(&(r[n2+tna+tnb]),0,
+					sizeof(BN_ULONG)*(n2-tna-tnb));
 				}
 		else /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
 			{
 			memset(&(r[n2]),0,sizeof(BN_ULONG)*n2);
-			if (tn < BN_MUL_RECURSIVE_SIZE_NORMAL)
+			if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL
+				&& tnb < BN_MUL_RECURSIVE_SIZE_NORMAL)
 				{
-				bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
+				bn_mul_normal(&(r[n2]),&(a[n]),tna,&(b[n]),tnb);
 				}
 			else
 				{
 				for (;;)
 					{
 					i/=2;
-					if (i < tn)
+					if (i < tna && i < tnb)
 						{
 						bn_mul_part_recursive(&(r[n2]),
 							&(a[n]),&(b[n]),
-							tn-i,i,p);
+							i,tna-i,tnb-i,p);
 						break;
 						}
-					else if (i == tn)
+					else if (i <= tna && i <= tnb)
 						{
 						bn_mul_recursive(&(r[n2]),
 							&(a[n]),&(b[n]),
-							i,p);
+							i,tna-i,tnb-i,p);
 						break;
 						}
 					}
@@ -397,10 +727,10 @@ void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 	int n=n2/2;
 
 # ifdef BN_COUNT
-	printf(" bn_mul_low_recursive %d * %d\n",n2,n2);
+	fprintf(stderr," bn_mul_low_recursive %d * %d\n",n2,n2);
 # endif
 
-	bn_mul_recursive(r,a,b,n,&(t[0]));
+	bn_mul_recursive(r,a,b,n,0,0,&(t[0]));
 	if (n >= BN_MUL_LOW_RECURSIVE_SIZE_NORMAL)
 		{
 		bn_mul_low_recursive(&(t[0]),&(a[0]),&(b[n]),n,&(t[n2]));
@@ -431,7 +761,7 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
 	BN_ULONG ll,lc,*lp,*mp;
 
 # ifdef BN_COUNT
-	printf(" bn_mul_high %d * %d\n",n2,n2);
+	fprintf(stderr," bn_mul_high %d * %d\n",n2,n2);
 # endif
 	n=n2/2;
 
@@ -484,8 +814,8 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
 	else
 # endif
 		{
-		bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,&(t[n2]));
-		bn_mul_recursive(r,&(a[n]),&(b[n]),n,&(t[n2]));
+		bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,0,0,&(t[n2]));
+		bn_mul_recursive(r,&(a[n]),&(b[n]),n,0,0,&(t[n2]));
 		}
 
 	/* s0 == low(al*bl)
@@ -610,19 +940,19 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
 
 int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 	{
+	int ret=0;
 	int top,al,bl;
 	BIGNUM *rr;
-	int ret = 0;
 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
 	int i;
 #endif
 #ifdef BN_RECURSION
-	BIGNUM *t;
-	int j,k;
+	BIGNUM *t=NULL;
+	int j=0,k;
 #endif
 
 #ifdef BN_COUNT
-	printf("BN_mul %d * %d\n",a->top,b->top);
+	fprintf(stderr,"BN_mul %d * %d\n",a->top,b->top);
 #endif
 
 	bn_check_top(a);
@@ -634,7 +964,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 
 	if ((al == 0) || (bl == 0))
 		{
-		if (!BN_zero(r)) goto err;
+		BN_zero(r);
 		return(1);
 		}
 	top=al+bl;
@@ -675,21 +1005,55 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 #ifdef BN_RECURSION
 	if ((al >= BN_MULL_SIZE_NORMAL) && (bl >= BN_MULL_SIZE_NORMAL))
 		{
-		if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA) && bl<b->dmax)
+		if (i >= -1 && i <= 1)
 			{
-#if 0	/* tribute to const-ification, bl<b->dmax above covers for this */
-			if (bn_wexpand(b,al) == NULL) goto err;
-#endif
-			b->d[bl]=0;
+			int sav_j =0;
+			/* Find out the power of two lower or equal
+			   to the longest of the two numbers */
+			if (i >= 0)
+				{
+				j = BN_num_bits_word((BN_ULONG)al);
+				}
+			if (i == -1)
+				{
+				j = BN_num_bits_word((BN_ULONG)bl);
+				}
+			sav_j = j;
+			j = 1<<(j-1);
+			assert(j <= al || j <= bl);
+			k = j+j;
+			t = BN_CTX_get(ctx);
+			if (al > j || bl > j)
+				{
+				bn_wexpand(t,k*4);
+				bn_wexpand(rr,k*4);
+				bn_mul_part_recursive(rr->d,a->d,b->d,
+					j,al-j,bl-j,t->d);
+				}
+			else	/* al <= j || bl <= j */
+				{
+				bn_wexpand(t,k*2);
+				bn_wexpand(rr,k*2);
+				bn_mul_recursive(rr->d,a->d,b->d,
+					j,al-j,bl-j,t->d);
+				}
+			rr->top=top;
+			goto end;
+			}
+#if 0
+		if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA))
+			{
+			BIGNUM *tmp_bn = (BIGNUM *)b;
+			if (bn_wexpand(tmp_bn,al) == NULL) goto err;
+			tmp_bn->d[bl]=0;
 			bl++;
 			i--;
 			}
-		else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA) && al<a->dmax)
+		else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA))
 			{
-#if 0	/* tribute to const-ification, al<a->dmax above covers for this */
-			if (bn_wexpand(a,bl) == NULL) goto err;
-#endif
-			a->d[al]=0;
+			BIGNUM *tmp_bn = (BIGNUM *)a;
+			if (bn_wexpand(tmp_bn,bl) == NULL) goto err;
+			tmp_bn->d[al]=0;
 			al++;
 			i++;
 			}
@@ -706,26 +1070,17 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 				if (bn_wexpand(t,k*2) == NULL) goto err;
 				if (bn_wexpand(rr,k*2) == NULL) goto err;
 				bn_mul_recursive(rr->d,a->d,b->d,al,t->d);
-				rr->top=top;
-				goto end;
 				}
-#if 0	/* tribute to const-ification, rsa/dsa performance is not affected */
 			else
 				{
-				if (bn_wexpand(a,k) == NULL ) goto err;
-				if (bn_wexpand(b,k) == NULL ) goto err;
-				if (bn_wexpand(t,k*4) == NULL ) goto err;
-				if (bn_wexpand(rr,k*4) == NULL ) goto err;
-				for (i=a->top; i<k; i++)
-					a->d[i]=0;
-				for (i=b->top; i<k; i++)
-					b->d[i]=0;
+				if (bn_wexpand(t,k*4) == NULL) goto err;
+				if (bn_wexpand(rr,k*4) == NULL) goto err;
 				bn_mul_part_recursive(rr->d,a->d,b->d,al-j,j,t->d);
 				}
 			rr->top=top;
 			goto end;
-#endif
 			}
+#endif
 		}
 #endif /* BN_RECURSION */
 	if (bn_wexpand(rr,top) == NULL) goto err;
@@ -735,10 +1090,11 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
 end:
 #endif
-	bn_fix_top(rr);
+	bn_correct_top(rr);
 	if (r != rr) BN_copy(r,rr);
 	ret=1;
 err:
+	bn_check_top(r);
 	BN_CTX_end(ctx);
 	return(ret);
 	}
@@ -748,7 +1104,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
 	BN_ULONG *rr;
 
 #ifdef BN_COUNT
-	printf(" bn_mul_normal %d * %d\n",na,nb);
+	fprintf(stderr," bn_mul_normal %d * %d\n",na,nb);
 #endif
 
 	if (na < nb)
@@ -761,7 +1117,13 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
 
 		}
 	rr= &(r[na]);
-	rr[0]=bn_mul_words(r,a,na,b[0]);
+	if (nb <= 0)
+		{
+		(void)bn_mul_words(r,a,na,0);
+		return;
+		}
+	else
+		rr[0]=bn_mul_words(r,a,na,b[0]);
 
 	for (;;)
 		{
@@ -782,7 +1144,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
 void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 	{
 #ifdef BN_COUNT
-	printf(" bn_mul_low_normal %d * %d\n",n,n);
+	fprintf(stderr," bn_mul_low_normal %d * %d\n",n,n);
 #endif
 	bn_mul_words(r,a,n,b[0]);
 
diff --git a/crypto/openssl/crypto/bn/bn_nist.c b/crypto/openssl/crypto/bn/bn_nist.c
new file mode 100644
index 000000000000..f8e306bb82d3
--- /dev/null
+++ b/crypto/openssl/crypto/bn/bn_nist.c
@@ -0,0 +1,775 @@
+/* crypto/bn/bn_nist.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "bn_lcl.h"
+#include "cryptlib.h"
+
+#define BN_NIST_192_TOP	(192+BN_BITS2-1)/BN_BITS2
+#define BN_NIST_224_TOP	(224+BN_BITS2-1)/BN_BITS2
+#define BN_NIST_256_TOP	(256+BN_BITS2-1)/BN_BITS2
+#define BN_NIST_384_TOP	(384+BN_BITS2-1)/BN_BITS2
+#define BN_NIST_521_TOP	(521+BN_BITS2-1)/BN_BITS2
+
+#if BN_BITS2 == 64
+static const BN_ULONG _nist_p_192[] =
+	{0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFEULL,
+	0xFFFFFFFFFFFFFFFFULL};
+static const BN_ULONG _nist_p_224[] =
+	{0x0000000000000001ULL,0xFFFFFFFF00000000ULL,
+	0xFFFFFFFFFFFFFFFFULL,0x00000000FFFFFFFFULL};
+static const BN_ULONG _nist_p_256[] =
+	{0xFFFFFFFFFFFFFFFFULL,0x00000000FFFFFFFFULL,
+	0x0000000000000000ULL,0xFFFFFFFF00000001ULL};
+static const BN_ULONG _nist_p_384[] =
+	{0x00000000FFFFFFFFULL,0xFFFFFFFF00000000ULL,
+	0xFFFFFFFFFFFFFFFEULL,0xFFFFFFFFFFFFFFFFULL,
+	0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL};
+static const BN_ULONG _nist_p_521[] =
+	{0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
+	0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
+	0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
+	0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
+	0x00000000000001FFULL};
+#elif BN_BITS2 == 32
+static const BN_ULONG _nist_p_192[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFE,
+	0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF};
+static const BN_ULONG _nist_p_224[] = {0x00000001,0x00000000,0x00000000,
+	0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF};
+static const BN_ULONG _nist_p_256[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
+	0x00000000,0x00000000,0x00000000,0x00000001,0xFFFFFFFF};
+static const BN_ULONG _nist_p_384[] = {0xFFFFFFFF,0x00000000,0x00000000,
+	0xFFFFFFFF,0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
+	0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF};
+static const BN_ULONG _nist_p_521[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
+	0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
+	0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
+	0xFFFFFFFF,0x000001FF};
+#elif BN_BITS2 == 16
+static const BN_ULONG _nist_p_192[] = {0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFE,
+	0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF};
+static const BN_ULONG _nist_p_224[] = {0x0001,0x0000,0x0000,0x0000,0x0000,
+	0x0000,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF};
+static const BN_ULONG _nist_p_256[] = {0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,
+	0xFFFF,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0001,0x0000,0xFFFF,
+	0xFFFF};
+static const BN_ULONG _nist_p_384[] = {0xFFFF,0xFFFF,0x0000,0x0000,0x0000,
+	0x0000,0xFFFF,0xFFFF,0xFFFE,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,
+	0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF};
+static const BN_ULONG _nist_p_521[] = {0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,
+	0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,
+	0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,
+	0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0xFFFF,0x01FF};
+#elif BN_BITS2 == 8
+static const BN_ULONG _nist_p_192[] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFE,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0xFF};
+static const BN_ULONG _nist_p_224[] = {0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
+static const BN_ULONG _nist_p_256[] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x01,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF};
+static const BN_ULONG _nist_p_384[] = {0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
+static const BN_ULONG _nist_p_521[] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+	0xFF,0x01};
+#endif
+
+const BIGNUM *BN_get0_nist_prime_192(void)
+	{
+	static BIGNUM const_nist_192 = { (BN_ULONG *)_nist_p_192,
+		BN_NIST_192_TOP, BN_NIST_192_TOP, 0, BN_FLG_STATIC_DATA };
+	return &const_nist_192;
+	}
+
+const BIGNUM *BN_get0_nist_prime_224(void)
+	{
+	static BIGNUM const_nist_224 = { (BN_ULONG *)_nist_p_224,
+		BN_NIST_224_TOP, BN_NIST_224_TOP, 0, BN_FLG_STATIC_DATA };
+	return &const_nist_224;
+	}
+
+const BIGNUM *BN_get0_nist_prime_256(void)
+	{
+	static BIGNUM const_nist_256 = { (BN_ULONG *)_nist_p_256,
+		BN_NIST_256_TOP, BN_NIST_256_TOP, 0, BN_FLG_STATIC_DATA };
+	return &const_nist_256;
+	}
+
+const BIGNUM *BN_get0_nist_prime_384(void)
+	{
+	static BIGNUM const_nist_384 = { (BN_ULONG *)_nist_p_384,
+		BN_NIST_384_TOP, BN_NIST_384_TOP, 0, BN_FLG_STATIC_DATA };
+	return &const_nist_384;
+	}
+
+const BIGNUM *BN_get0_nist_prime_521(void)
+	{
+	static BIGNUM const_nist_521 = { (BN_ULONG *)_nist_p_521,
+		BN_NIST_521_TOP, BN_NIST_521_TOP, 0, BN_FLG_STATIC_DATA };
+	return &const_nist_521;
+	}
+
+/* some misc internal functions */
+#if BN_BITS2 != 64
+static BN_ULONG _256_data[BN_NIST_256_TOP*6];
+static int _is_set_256_data = 0;
+static void _init_256_data(void);
+
+static BN_ULONG _384_data[BN_NIST_384_TOP*8];
+static int _is_set_384_data = 0;
+static void _init_384_data(void);
+#endif
+
+#define BN_NIST_ADD_ONE(a)	while (!(++(*(a)))) ++(a);
+
+static void nist_cp_bn_0(BN_ULONG *buf, BN_ULONG *a, int top, int max)
+        {
+	int i;
+        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
+        for (i = (top); i != 0; i--)
+                *_tmp1++ = *_tmp2++;
+        for (i = (max) - (top); i != 0; i--)
+                *_tmp1++ = (BN_ULONG) 0;
+        }
+
+static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
+        { 
+	int i;
+        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
+        for (i = (top); i != 0; i--)
+                *_tmp1++ = *_tmp2++;
+        }
+
+#if BN_BITS2 == 64
+#define bn_cp_64(to, n, from, m)	(to)[n] = (from)[m];
+#define bn_64_set_0(to, n)		(to)[n] = (BN_ULONG)0;
+/* TBD */
+#define bn_cp_32(to, n, from, m)	(to)[n] = (from)[m];
+#define bn_32_set_0(to, n)		(to)[n] = (BN_ULONG)0;
+#else
+#define bn_cp_64(to, n, from, m) \
+	{ \
+	bn_cp_32(to, (n)*2, from, (m)*2); \
+	bn_cp_32(to, (n)*2+1, from, (m)*2+1); \
+	}
+#define bn_64_set_0(to, n) \
+	{ \
+	bn_32_set_0(to, (n)*2); \
+	bn_32_set_0(to, (n)*2+1); \
+	}
+#if BN_BITS2 == 32
+#define bn_cp_32(to, n, from, m)	(to)[n] = (from)[m];
+#define bn_32_set_0(to, n)		(to)[n] = (BN_ULONG)0;
+#elif BN_BITS2 == 16
+#define bn_cp_32(to, n, from, m) \
+	{ \
+	(to)[(n)*2]   = (from)[(m)*2];  \
+	(to)[(n)*2+1] = (from)[(m)*2+1];\
+	}
+#define bn_32_set_0(to, n) { (to)[(n)*2] = 0; (to)[(n)*2+1] = 0; }
+#elif BN_BITS2 == 8
+#define bn_cp_32(to, n, from, m) \
+	{ \
+	(to)[(n)*4]   = (from)[(m)*4];  \
+	(to)[(n)*4+1] = (from)[(m)*4+1];\
+	(to)[(n)*4+2] = (from)[(m)*4+2];\
+	(to)[(n)*4+3] = (from)[(m)*4+3];\
+	}
+#define bn_32_set_0(to, n) \
+	{ (to)[(n)*4]   = (BN_ULONG)0; (to)[(n)*4+1] = (BN_ULONG)0; \
+	  (to)[(n)*4+2] = (BN_ULONG)0; (to)[(n)*4+3] = (BN_ULONG)0; }
+#endif
+#endif /* BN_BITS2 != 64 */
+
+
+#define nist_set_192(to, from, a1, a2, a3) \
+	{ \
+	if (a3 != 0) bn_cp_64(to, 0, from, (a3) - 3) else bn_64_set_0(to, 0)\
+	bn_cp_64(to, 1, from, (a2) - 3) \
+	if (a1 != 0) bn_cp_64(to, 2, from, (a1) - 3) else bn_64_set_0(to, 2)\
+	}
+
+int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
+	BN_CTX *ctx)
+	{
+	int      top = a->top, i;
+	BN_ULONG carry = 0;
+	register BN_ULONG *r_d, *a_d = a->d;
+	BN_ULONG t_d[BN_NIST_192_TOP],
+	         buf[BN_NIST_192_TOP];
+
+	i = BN_ucmp(field, a);
+	if (i == 0)
+		{
+		BN_zero(r);
+		return 1;
+		}
+	else if (i > 0)
+		return (r == a) ? 1 : (BN_copy(r ,a) != NULL);
+
+	if (top == BN_NIST_192_TOP)
+		return BN_usub(r, a, field);
+
+	if (r != a)
+		{
+		if (!bn_wexpand(r, BN_NIST_192_TOP))
+			return 0;
+		r_d = r->d;
+		nist_cp_bn(r_d, a_d, BN_NIST_192_TOP);
+		}
+	else
+		r_d = a_d;
+
+	nist_cp_bn_0(buf, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, BN_NIST_192_TOP);
+
+#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
+# pragma message save
+# pragma message disable BADSUBSCRIPT
+#endif
+
+	nist_set_192(t_d, buf, 0, 3, 3);
+	if (bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP))
+		++carry;
+
+	nist_set_192(t_d, buf, 4, 4, 0);
+	if (bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP))
+		++carry;
+
+#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
+# pragma message restore
+#endif
+
+	nist_set_192(t_d, buf, 5, 5, 5)
+	if (bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP))
+		++carry;
+
+	while (carry)
+		{
+		if (bn_sub_words(r_d, r_d, _nist_p_192, BN_NIST_192_TOP))
+			--carry; 
+		}
+	r->top = BN_NIST_192_TOP;
+	bn_correct_top(r);
+	if (BN_ucmp(r, field) >= 0)
+		{
+		bn_sub_words(r_d, r_d, _nist_p_192, BN_NIST_192_TOP);
+		bn_correct_top(r);
+		}
+
+	bn_check_top(r);
+	return 1;
+	}
+
+#define nist_set_224(to, from, a1, a2, a3, a4, a5, a6, a7) \
+	{ \
+	if (a7 != 0) bn_cp_32(to, 0, from, (a7) - 7) else bn_32_set_0(to, 0)\
+	if (a6 != 0) bn_cp_32(to, 1, from, (a6) - 7) else bn_32_set_0(to, 1)\
+	if (a5 != 0) bn_cp_32(to, 2, from, (a5) - 7) else bn_32_set_0(to, 2)\
+	if (a4 != 0) bn_cp_32(to, 3, from, (a4) - 7) else bn_32_set_0(to, 3)\
+	if (a3 != 0) bn_cp_32(to, 4, from, (a3) - 7) else bn_32_set_0(to, 4)\
+	if (a2 != 0) bn_cp_32(to, 5, from, (a2) - 7) else bn_32_set_0(to, 5)\
+	if (a1 != 0) bn_cp_32(to, 6, from, (a1) - 7) else bn_32_set_0(to, 6)\
+	}
+
+int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
+	BN_CTX *ctx)
+	{
+#if BN_BITS2 != 64
+	int	top = a->top, i;
+	int	carry = 0;
+	BN_ULONG *r_d, *a_d = a->d;
+	BN_ULONG t_d[BN_NIST_224_TOP],
+	         buf[BN_NIST_224_TOP];
+
+	i = BN_ucmp(field, a);
+	if (i == 0)
+		{
+		BN_zero(r);
+		return 1;
+		}
+	else if (i > 0)
+		return (r == a)? 1 : (BN_copy(r ,a) != NULL);
+
+	if (top == BN_NIST_224_TOP)
+		return BN_usub(r, a, field);
+
+	if (r != a)
+		{
+		if (!bn_wexpand(r, BN_NIST_224_TOP))
+			return 0;
+		r_d = r->d;
+		nist_cp_bn(r_d, a_d, BN_NIST_224_TOP);
+		}
+	else
+		r_d = a_d;
+
+	nist_cp_bn_0(buf, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP, BN_NIST_224_TOP);
+
+	nist_set_224(t_d, buf, 10, 9, 8, 7, 0, 0, 0);
+	if (bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP))
+		++carry;
+	nist_set_224(t_d, buf, 0, 13, 12, 11, 0, 0, 0);
+	if (bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP))
+		++carry;
+	nist_set_224(t_d, buf, 13, 12, 11, 10, 9, 8, 7);
+	if (bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP))
+		--carry;
+	nist_set_224(t_d, buf, 0, 0, 0, 0, 13, 12, 11);
+	if (bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP))
+		--carry;
+
+	if (carry > 0)
+		while (carry)
+			{
+			if (bn_sub_words(r_d,r_d,_nist_p_224,BN_NIST_224_TOP))
+				--carry;
+			}
+	else if (carry < 0)
+		while (carry)
+			{
+			if (bn_add_words(r_d,r_d,_nist_p_224,BN_NIST_224_TOP))
+				++carry;
+			}
+
+	r->top = BN_NIST_224_TOP;
+	bn_correct_top(r);
+	if (BN_ucmp(r, field) >= 0)
+		{
+		bn_sub_words(r_d, r_d, _nist_p_224, BN_NIST_224_TOP);
+		bn_correct_top(r);
+		}
+	bn_check_top(r);
+	return 1;
+#else
+	return 0;
+#endif
+	}
+
+#if BN_BITS2 != 64
+static void _init_256_data(void)
+	{
+	int	i;
+	BN_ULONG *tmp1 = _256_data;
+	const BN_ULONG *tmp2 = tmp1;
+
+	memcpy(tmp1, _nist_p_256, BN_NIST_256_TOP * sizeof(BN_ULONG));
+	tmp1 += BN_NIST_256_TOP;
+
+	for (i=0; i<5; i++)
+		{
+		bn_add_words(tmp1, _nist_p_256, tmp2, BN_NIST_256_TOP);
+		tmp2  = tmp1;
+		tmp1 += BN_NIST_256_TOP;
+		}
+	_is_set_256_data = 1;
+	}
+#endif
+
+#define nist_set_256(to, from, a1, a2, a3, a4, a5, a6, a7, a8) \
+	{ \
+	if (a8 != 0) bn_cp_32(to, 0, from, (a8) - 8) else bn_32_set_0(to, 0)\
+	if (a7 != 0) bn_cp_32(to, 1, from, (a7) - 8) else bn_32_set_0(to, 1)\
+	if (a6 != 0) bn_cp_32(to, 2, from, (a6) - 8) else bn_32_set_0(to, 2)\
+	if (a5 != 0) bn_cp_32(to, 3, from, (a5) - 8) else bn_32_set_0(to, 3)\
+	if (a4 != 0) bn_cp_32(to, 4, from, (a4) - 8) else bn_32_set_0(to, 4)\
+	if (a3 != 0) bn_cp_32(to, 5, from, (a3) - 8) else bn_32_set_0(to, 5)\
+	if (a2 != 0) bn_cp_32(to, 6, from, (a2) - 8) else bn_32_set_0(to, 6)\
+	if (a1 != 0) bn_cp_32(to, 7, from, (a1) - 8) else bn_32_set_0(to, 7)\
+	}
+
+int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
+	BN_CTX *ctx)
+	{
+#if BN_BITS2 != 64
+	int	i, top = a->top;
+	int	carry = 0;
+	register BN_ULONG *a_d = a->d, *r_d;
+	BN_ULONG t_d[BN_NIST_256_TOP],
+	         t_d2[BN_NIST_256_TOP],
+	         buf[BN_NIST_256_TOP];
+
+	if (!_is_set_256_data)
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_BN);
+		
+		if (!_is_set_256_data)
+			_init_256_data();
+		
+		CRYPTO_w_unlock(CRYPTO_LOCK_BN);
+		}
+	
+	i = BN_ucmp(field, a);
+	if (i == 0)
+		{
+		BN_zero(r);
+		return 1;
+		}
+	else if (i > 0)
+		return (r == a)? 1 : (BN_copy(r ,a) != NULL);
+
+	if (top == BN_NIST_256_TOP)
+		return BN_usub(r, a, field);
+
+	if (r != a)
+		{
+		if (!bn_wexpand(r, BN_NIST_256_TOP))
+			return 0;
+		r_d = r->d;
+		nist_cp_bn(r_d, a_d, BN_NIST_256_TOP);
+		}
+	else
+		r_d = a_d;
+
+	nist_cp_bn_0(buf, a_d + BN_NIST_256_TOP, top - BN_NIST_256_TOP, BN_NIST_256_TOP);
+
+	/*S1*/
+	nist_set_256(t_d, buf, 15, 14, 13, 12, 11, 0, 0, 0);
+	/*S2*/
+	nist_set_256(t_d2,buf, 0, 15, 14, 13, 12, 0, 0, 0);
+	if (bn_add_words(t_d, t_d, t_d2, BN_NIST_256_TOP))
+		carry = 2;
+	/* left shift */
+		{
+		register BN_ULONG *ap,t,c;
+		ap = t_d;
+		c=0;
+		for (i = BN_NIST_256_TOP; i != 0; --i)
+			{
+			t= *ap;
+			*(ap++)=((t<<1)|c)&BN_MASK2;
+			c=(t & BN_TBIT)?1:0;
+			}
+		if (c)
+			++carry;
+		}
+
+	if (bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP))
+		++carry;
+	/*S3*/
+	nist_set_256(t_d, buf, 15, 14, 0, 0, 0, 10, 9, 8);
+	if (bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP))
+		++carry;
+	/*S4*/
+	nist_set_256(t_d, buf, 8, 13, 15, 14, 13, 11, 10, 9);
+	if (bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP))
+		++carry;
+	/*D1*/
+	nist_set_256(t_d, buf, 10, 8, 0, 0, 0, 13, 12, 11);
+	if (bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP))
+		--carry;
+	/*D2*/
+	nist_set_256(t_d, buf, 11, 9, 0, 0, 15, 14, 13, 12);
+	if (bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP))
+		--carry;
+	/*D3*/
+	nist_set_256(t_d, buf, 12, 0, 10, 9, 8, 15, 14, 13);
+	if (bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP))
+		--carry;
+	/*D4*/
+	nist_set_256(t_d, buf, 13, 0, 11, 10, 9, 0, 15, 14);
+	if (bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP))
+		--carry;
+	
+	if (carry)
+		{
+		if (carry > 0)
+			bn_sub_words(r_d, r_d, _256_data + BN_NIST_256_TOP *
+				--carry, BN_NIST_256_TOP);
+		else
+			{
+			carry = -carry;
+			bn_add_words(r_d, r_d, _256_data + BN_NIST_256_TOP *
+				--carry, BN_NIST_256_TOP);
+			}
+		}
+
+	r->top = BN_NIST_256_TOP;
+	bn_correct_top(r);
+	if (BN_ucmp(r, field) >= 0)
+		{
+		bn_sub_words(r_d, r_d, _nist_p_256, BN_NIST_256_TOP);
+		bn_correct_top(r);
+		}
+	bn_check_top(r);
+	return 1;
+#else
+	return 0;
+#endif
+	}
+
+#if BN_BITS2 != 64
+static void _init_384_data(void)
+	{
+	int	i;
+	BN_ULONG *tmp1 = _384_data;
+	const BN_ULONG *tmp2 = tmp1;
+
+	memcpy(tmp1, _nist_p_384, BN_NIST_384_TOP * sizeof(BN_ULONG));
+	tmp1 += BN_NIST_384_TOP;
+
+	for (i=0; i<7; i++)
+		{
+		bn_add_words(tmp1, _nist_p_384, tmp2, BN_NIST_384_TOP);
+		tmp2  = tmp1;
+		tmp1 += BN_NIST_384_TOP;
+		}
+	_is_set_384_data = 1;
+	}
+#endif
+
+#define nist_set_384(to,from,a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12) \
+	{ \
+	if (a12 != 0) bn_cp_32(to, 0, from,  (a12) - 12) else bn_32_set_0(to, 0)\
+	if (a11 != 0) bn_cp_32(to, 1, from,  (a11) - 12) else bn_32_set_0(to, 1)\
+	if (a10 != 0) bn_cp_32(to, 2, from,  (a10) - 12) else bn_32_set_0(to, 2)\
+	if (a9 != 0)  bn_cp_32(to, 3, from,  (a9) - 12)  else bn_32_set_0(to, 3)\
+	if (a8 != 0)  bn_cp_32(to, 4, from,  (a8) - 12)  else bn_32_set_0(to, 4)\
+	if (a7 != 0)  bn_cp_32(to, 5, from,  (a7) - 12)  else bn_32_set_0(to, 5)\
+	if (a6 != 0)  bn_cp_32(to, 6, from,  (a6) - 12)  else bn_32_set_0(to, 6)\
+	if (a5 != 0)  bn_cp_32(to, 7, from,  (a5) - 12)  else bn_32_set_0(to, 7)\
+	if (a4 != 0)  bn_cp_32(to, 8, from,  (a4) - 12)  else bn_32_set_0(to, 8)\
+	if (a3 != 0)  bn_cp_32(to, 9, from,  (a3) - 12)  else bn_32_set_0(to, 9)\
+	if (a2 != 0)  bn_cp_32(to, 10, from, (a2) - 12)  else bn_32_set_0(to, 10)\
+	if (a1 != 0)  bn_cp_32(to, 11, from, (a1) - 12)  else bn_32_set_0(to, 11)\
+	}
+
+int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
+	BN_CTX *ctx)
+	{
+#if BN_BITS2 != 64
+	int	i, top = a->top;
+	int	carry = 0;
+	register BN_ULONG *r_d, *a_d = a->d;
+	BN_ULONG t_d[BN_NIST_384_TOP],
+	         buf[BN_NIST_384_TOP];
+
+	if (!_is_set_384_data)
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_BN);
+		
+		if (!_is_set_384_data)
+			_init_384_data();
+
+		CRYPTO_w_unlock(CRYPTO_LOCK_BN);
+		}
+
+	i = BN_ucmp(field, a);
+	if (i == 0)
+		{
+		BN_zero(r);
+		return 1;
+		}
+	else if (i > 0)
+		return (r == a)? 1 : (BN_copy(r ,a) != NULL);
+
+	if (top == BN_NIST_384_TOP)
+		return BN_usub(r, a, field);
+
+	if (r != a)
+		{
+		if (!bn_wexpand(r, BN_NIST_384_TOP))
+			return 0;
+		r_d = r->d;
+		nist_cp_bn(r_d, a_d, BN_NIST_384_TOP);
+		}
+	else
+		r_d = a_d;
+
+	nist_cp_bn_0(buf, a_d + BN_NIST_384_TOP, top - BN_NIST_384_TOP, BN_NIST_384_TOP);
+
+	/*S1*/
+	nist_set_256(t_d, buf, 0, 0, 0, 0, 0, 23-4, 22-4, 21-4);
+		/* left shift */
+		{
+		register BN_ULONG *ap,t,c;
+		ap = t_d;
+		c=0;
+		for (i = BN_NIST_256_TOP; i != 0; --i)
+			{
+			t= *ap;
+			*(ap++)=((t<<1)|c)&BN_MASK2;
+			c=(t & BN_TBIT)?1:0;
+			}
+		}
+	if (bn_add_words(r_d+(128/BN_BITS2), r_d+(128/BN_BITS2), 
+		t_d, BN_NIST_256_TOP))
+		++carry;
+	/*S2 */
+	if (bn_add_words(r_d, r_d, buf, BN_NIST_384_TOP))
+		++carry;
+	/*S3*/
+	nist_set_384(t_d,buf,20,19,18,17,16,15,14,13,12,23,22,21);
+	if (bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP))
+		++carry;
+	/*S4*/
+	nist_set_384(t_d,buf,19,18,17,16,15,14,13,12,20,0,23,0);
+	if (bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP))
+		++carry;
+	/*S5*/
+	nist_set_256(t_d, buf, 0, 0, 0, 0, 23-4, 22-4, 21-4, 20-4);
+	if (bn_add_words(r_d+(128/BN_BITS2), r_d+(128/BN_BITS2), 
+		t_d, BN_NIST_256_TOP))
+		++carry;
+	/*S6*/
+	nist_set_384(t_d,buf,0,0,0,0,0,0,23,22,21,0,0,20);
+	if (bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP))
+		++carry;
+	/*D1*/
+	nist_set_384(t_d,buf,22,21,20,19,18,17,16,15,14,13,12,23);
+	if (bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP))
+		--carry;
+	/*D2*/
+	nist_set_384(t_d,buf,0,0,0,0,0,0,0,23,22,21,20,0);
+	if (bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP))
+		--carry;
+	/*D3*/
+	nist_set_384(t_d,buf,0,0,0,0,0,0,0,23,23,0,0,0);
+	if (bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP))
+		--carry;
+	
+	if (carry)
+		{
+		if (carry > 0)
+			bn_sub_words(r_d, r_d, _384_data + BN_NIST_384_TOP *
+				--carry, BN_NIST_384_TOP);
+		else
+			{
+			carry = -carry;
+			bn_add_words(r_d, r_d, _384_data + BN_NIST_384_TOP *
+				--carry, BN_NIST_384_TOP);
+			}
+		}
+
+	r->top = BN_NIST_384_TOP;
+	bn_correct_top(r);
+	if (BN_ucmp(r, field) >= 0)
+		{
+		bn_sub_words(r_d, r_d, _nist_p_384, BN_NIST_384_TOP);
+		bn_correct_top(r);
+		}
+	bn_check_top(r);
+	return 1;
+#else
+	return 0;
+#endif
+	}
+
+int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
+	BN_CTX *ctx)
+	{
+#if BN_BITS2 == 64
+#define BN_NIST_521_TOP_MASK	(BN_ULONG)0x1FF
+#elif BN_BITS2 == 32
+#define BN_NIST_521_TOP_MASK	(BN_ULONG)0x1FF
+#elif BN_BITS2 == 16
+#define BN_NIST_521_TOP_MASK	(BN_ULONG)0x1FF
+#elif BN_BITS2 == 8
+#define BN_NIST_521_TOP_MASK	(BN_ULONG)0x1
+#endif
+	int	top, ret = 0;
+	BN_ULONG *r_d;
+	BIGNUM	*tmp;
+
+	/* check whether a reduction is necessary */
+	top = a->top;
+	if (top < BN_NIST_521_TOP  || ( top == BN_NIST_521_TOP &&
+           (!(a->d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))))
+		return (r == a)? 1 : (BN_copy(r ,a) != NULL);
+
+	BN_CTX_start(ctx);
+	tmp = BN_CTX_get(ctx);
+	if (!tmp)
+		goto err;
+
+	if (!bn_wexpand(tmp, BN_NIST_521_TOP))
+		goto err;
+	nist_cp_bn(tmp->d, a->d, BN_NIST_521_TOP);
+
+	tmp->top = BN_NIST_521_TOP;
+        tmp->d[BN_NIST_521_TOP-1]  &= BN_NIST_521_TOP_MASK;
+	bn_correct_top(tmp);
+
+	if (!BN_rshift(r, a, 521))
+		goto err;
+
+	if (!BN_uadd(r, tmp, r))
+		goto err;
+	top = r->top;
+	r_d = r->d;
+	if (top == BN_NIST_521_TOP  && 
+           (r_d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))
+		{
+		BN_NIST_ADD_ONE(r_d)
+		r_d[BN_NIST_521_TOP-1] &= BN_NIST_521_TOP_MASK; 
+		}
+	bn_correct_top(r);
+
+	ret = 1;
+err:
+	BN_CTX_end(ctx);
+
+	bn_check_top(r);
+	return ret;
+	}
diff --git a/crypto/openssl/crypto/bn/bn_prime.c b/crypto/openssl/crypto/bn/bn_prime.c
index e072d9255c4c..d57f6582110f 100644
--- a/crypto/openssl/crypto/bn/bn_prime.c
+++ b/crypto/openssl/crypto/bn/bn_prime.c
@@ -115,6 +115,11 @@
 #include "bn_lcl.h"
 #include <openssl/rand.h>
 
+/* NB: these functions have been "upgraded", the deprecated versions (which are
+ * compatibility wrappers using these functions) are in bn_depr.c.
+ * - Geoff
+ */
+
 /* The quick sieve algorithm approach to weeding out primes is
  * Philip Zimmermann's, as implemented in PGP.  I have had a read of
  * his comments and implemented my own version.
@@ -129,51 +134,69 @@ static int probable_prime_dh(BIGNUM *rnd, int bits,
 static int probable_prime_dh_safe(BIGNUM *rnd, int bits,
 	const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx);
 
-BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
-	const BIGNUM *add, const BIGNUM *rem,
-	void (*callback)(int,int,void *), void *cb_arg)
+int BN_GENCB_call(BN_GENCB *cb, int a, int b)
+	{
+	/* No callback means continue */
+	if(!cb) return 1;
+	switch(cb->ver)
+		{
+	case 1:
+		/* Deprecated-style callbacks */
+		if(!cb->cb.cb_1)
+			return 1;
+		cb->cb.cb_1(a, b, cb->arg);
+		return 1;
+	case 2:
+		/* New-style callbacks */
+		return cb->cb.cb_2(a, b, cb);
+	default:
+		break;
+		}
+	/* Unrecognised callback type */
+	return 0;
+	}
+
+int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
+	const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb)
 	{
-	BIGNUM *rnd=NULL;
-	BIGNUM t;
+	BIGNUM *t;
 	int found=0;
 	int i,j,c1=0;
 	BN_CTX *ctx;
 	int checks = BN_prime_checks_for_size(bits);
 
-	BN_init(&t);
 	ctx=BN_CTX_new();
 	if (ctx == NULL) goto err;
-	if (ret == NULL)
-		{
-		if ((rnd=BN_new()) == NULL) goto err;
-		}
-	else
-		rnd=ret;
+	BN_CTX_start(ctx);
+	t = BN_CTX_get(ctx);
+	if(!t) goto err;
 loop: 
 	/* make a random number and set the top and bottom bits */
 	if (add == NULL)
 		{
-		if (!probable_prime(rnd,bits)) goto err;
+		if (!probable_prime(ret,bits)) goto err;
 		}
 	else
 		{
 		if (safe)
 			{
-			if (!probable_prime_dh_safe(rnd,bits,add,rem,ctx))
+			if (!probable_prime_dh_safe(ret,bits,add,rem,ctx))
 				 goto err;
 			}
 		else
 			{
-			if (!probable_prime_dh(rnd,bits,add,rem,ctx))
+			if (!probable_prime_dh(ret,bits,add,rem,ctx))
 				goto err;
 			}
 		}
-	/* if (BN_mod_word(rnd,(BN_ULONG)3) == 1) goto loop; */
-	if (callback != NULL) callback(0,c1++,cb_arg);
+	/* if (BN_mod_word(ret,(BN_ULONG)3) == 1) goto loop; */
+	if(!BN_GENCB_call(cb, 0, c1++))
+		/* aborted */
+		goto err;
 
 	if (!safe)
 		{
-		i=BN_is_prime_fasttest(rnd,checks,callback,ctx,cb_arg,0);
+		i=BN_is_prime_fasttest_ex(ret,checks,ctx,0,cb);
 		if (i == -1) goto err;
 		if (i == 0) goto loop;
 		}
@@ -183,41 +206,42 @@ loop:
 		 * check that (p-1)/2 is prime.
 		 * Since a prime is odd, We just
 		 * need to divide by 2 */
-		if (!BN_rshift1(&t,rnd)) goto err;
+		if (!BN_rshift1(t,ret)) goto err;
 
 		for (i=0; i<checks; i++)
 			{
-			j=BN_is_prime_fasttest(rnd,1,callback,ctx,cb_arg,0);
+			j=BN_is_prime_fasttest_ex(ret,1,ctx,0,cb);
 			if (j == -1) goto err;
 			if (j == 0) goto loop;
 
-			j=BN_is_prime_fasttest(&t,1,callback,ctx,cb_arg,0);
+			j=BN_is_prime_fasttest_ex(t,1,ctx,0,cb);
 			if (j == -1) goto err;
 			if (j == 0) goto loop;
 
-			if (callback != NULL) callback(2,c1-1,cb_arg);
+			if(!BN_GENCB_call(cb, 2, c1-1))
+				goto err;
 			/* We have a safe prime test pass */
 			}
 		}
 	/* we have a prime :-) */
 	found = 1;
 err:
-	if (!found && (ret == NULL) && (rnd != NULL)) BN_free(rnd);
-	BN_free(&t);
-	if (ctx != NULL) BN_CTX_free(ctx);
-	return(found ? rnd : NULL);
+	if (ctx != NULL)
+		{
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
+		}
+	bn_check_top(ret);
+	return found;
 	}
 
-int BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int,int,void *),
-	BN_CTX *ctx_passed, void *cb_arg)
+int BN_is_prime_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed, BN_GENCB *cb)
 	{
-	return BN_is_prime_fasttest(a, checks, callback, ctx_passed, cb_arg, 0);
+	return BN_is_prime_fasttest_ex(a, checks, ctx_passed, 0, cb);
 	}
 
-int BN_is_prime_fasttest(const BIGNUM *a, int checks,
-		void (*callback)(int,int,void *),
-		BN_CTX *ctx_passed, void *cb_arg,
-		int do_trial_division)
+int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
+		int do_trial_division, BN_GENCB *cb)
 	{
 	int i, j, ret = -1;
 	int k;
@@ -234,13 +258,15 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
 
 	/* first look for small factors */
 	if (!BN_is_odd(a))
-		return 0;
+		/* a is even => a is prime if and only if a == 2 */
+		return BN_is_word(a, 2);
 	if (do_trial_division)
 		{
 		for (i = 1; i < NUMPRIMES; i++)
 			if (BN_mod_word(a, primes[i]) == 0) 
 				return 0;
-		if (callback != NULL) callback(1, -1, cb_arg);
+		if(!BN_GENCB_call(cb, 1, -1))
+			goto err;
 		}
 
 	if (ctx_passed != NULL)
@@ -306,7 +332,8 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
 			ret=0;
 			goto err;
 			}
-		if (callback != NULL) callback(1,i,cb_arg);
+		if(!BN_GENCB_call(cb, 1, i))
+			goto err;
 		}
 	ret=1;
 err:
@@ -343,6 +370,7 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
 		}
 	/* If we get here, 'w' is the (a-1)/2-th power of the original 'w',
 	 * and it is neither -1 nor +1 -- so 'a' cannot be prime */
+	bn_check_top(w);
 	return 1;
 	}
 
@@ -374,6 +402,7 @@ again:
 			}
 		}
 	if (!BN_add_word(rnd,delta)) return(0);
+	bn_check_top(rnd);
 	return(1);
 	}
 
@@ -411,6 +440,7 @@ static int probable_prime_dh(BIGNUM *rnd, int bits,
 	ret=1;
 err:
 	BN_CTX_end(ctx);
+	bn_check_top(rnd);
 	return(ret);
 	}
 
@@ -462,5 +492,6 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
 	ret=1;
 err:
 	BN_CTX_end(ctx);
+	bn_check_top(p);
 	return(ret);
 	}
diff --git a/crypto/openssl/crypto/bn/bn_prime.pl b/crypto/openssl/crypto/bn/bn_prime.pl
index 9fc376548652..e583d1d53b9d 100644
--- a/crypto/openssl/crypto/bn/bn_prime.pl
+++ b/crypto/openssl/crypto/bn/bn_prime.pl
@@ -11,7 +11,7 @@ loop: while ($#primes < $num-1)
 	$p+=2;
 	$s=int(sqrt($p));
 
-	for ($i=0; $primes[$i]<=$s; $i++)
+	for ($i=0; defined($primes[$i]) && $primes[$i]<=$s; $i++)
 		{
 		next loop if (($p%$primes[$i]) == 0);
 		}
diff --git a/crypto/openssl/crypto/bn/bn_print.c b/crypto/openssl/crypto/bn/bn_print.c
index 0d942603b1b1..055d048856cd 100644
--- a/crypto/openssl/crypto/bn/bn_print.c
+++ b/crypto/openssl/crypto/bn/bn_print.c
@@ -79,7 +79,7 @@ char *BN_bn2hex(const BIGNUM *a)
 		}
 	p=buf;
 	if (a->neg) *(p++)='-';
-	if (a->top == 0) *(p++)='0';
+	if (BN_is_zero(a)) *(p++)='0';
 	for (i=a->top-1; i >=0; i--)
 		{
 		for (j=BN_BITS2-8; j >= 0; j-=8)
@@ -102,14 +102,19 @@ err:
 /* Must 'OPENSSL_free' the returned data */
 char *BN_bn2dec(const BIGNUM *a)
 	{
-	int i=0,num;
+	int i=0,num, ok = 0;
 	char *buf=NULL;
 	char *p;
 	BIGNUM *t=NULL;
 	BN_ULONG *bn_data=NULL,*lp;
 
+	/* get an upper bound for the length of the decimal integer
+	 * num <= (BN_num_bits(a) + 1) * log(2)
+	 *     <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1     (rounding error)
+	 *     <= BN_num_bits(a)/10 + BN_num_bits/1000 + 1 + 1 
+	 */
 	i=BN_num_bits(a)*3;
-	num=(i/10+i/1000+3)+1;
+	num=(i/10+i/1000+1)+1;
 	bn_data=(BN_ULONG *)OPENSSL_malloc((num/BN_DEC_NUM+1)*sizeof(BN_ULONG));
 	buf=(char *)OPENSSL_malloc(num+3);
 	if ((buf == NULL) || (bn_data == NULL))
@@ -122,14 +127,16 @@ char *BN_bn2dec(const BIGNUM *a)
 #define BUF_REMAIN (num+3 - (size_t)(p - buf))
 	p=buf;
 	lp=bn_data;
-	if (t->neg) *(p++)='-';
-	if (t->top == 0)
+	if (BN_is_zero(t))
 		{
 		*(p++)='0';
 		*(p++)='\0';
 		}
 	else
 		{
+		if (BN_is_negative(t))
+			*p++ = '-';
+
 		i=0;
 		while (!BN_is_zero(t))
 			{
@@ -149,9 +156,16 @@ char *BN_bn2dec(const BIGNUM *a)
 			while (*p) p++;
 			}
 		}
+	ok = 1;
 err:
 	if (bn_data != NULL) OPENSSL_free(bn_data);
 	if (t != NULL) BN_free(t);
+	if (!ok && buf)
+		{
+		OPENSSL_free(buf);
+		buf = NULL;
+		}
+
 	return(buf);
 	}
 
@@ -211,10 +225,11 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
 		j-=(BN_BYTES*2);
 		}
 	ret->top=h;
-	bn_fix_top(ret);
+	bn_correct_top(ret);
 	ret->neg=neg;
 
 	*bn=ret;
+	bn_check_top(ret);
 	return(num);
 err:
 	if (*bn == NULL) BN_free(ret);
@@ -270,8 +285,9 @@ int BN_dec2bn(BIGNUM **bn, const char *a)
 		}
 	ret->neg=neg;
 
-	bn_fix_top(ret);
+	bn_correct_top(ret);
 	*bn=ret;
+	bn_check_top(ret);
 	return(num);
 err:
 	if (*bn == NULL) BN_free(ret);
@@ -300,7 +316,7 @@ int BN_print(BIO *bp, const BIGNUM *a)
 	int ret=0;
 
 	if ((a->neg) && (BIO_write(bp,"-",1) != 1)) goto end;
-	if ((a->top == 0) && (BIO_write(bp,"0",1) != 1)) goto end;
+	if (BN_is_zero(a) && (BIO_write(bp,"0",1) != 1)) goto end;
 	for (i=a->top-1; i >=0; i--)
 		{
 		for (j=BN_BITS2-4; j >= 0; j-=4)
@@ -320,14 +336,3 @@ end:
 	return(ret);
 	}
 #endif
-
-#ifdef BN_DEBUG
-void bn_dump1(FILE *o, const char *a, const BN_ULONG *b,int n)
-	{
-	int i;
-	fprintf(o, "%s=", a);
-	for (i=n-1;i>=0;i--)
-		fprintf(o, "%08lX", b[i]); /* assumes 32-bit BN_ULONG */
-	fprintf(o, "\n");
-	}
-#endif
diff --git a/crypto/openssl/crypto/bn/bn_rand.c b/crypto/openssl/crypto/bn/bn_rand.c
index 893c9d2af9ec..f51830b12ba8 100644
--- a/crypto/openssl/crypto/bn/bn_rand.c
+++ b/crypto/openssl/crypto/bn/bn_rand.c
@@ -134,13 +134,13 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 	buf=(unsigned char *)OPENSSL_malloc(bytes);
 	if (buf == NULL)
 		{
-		BNerr(BN_F_BN_RAND,ERR_R_MALLOC_FAILURE);
+		BNerr(BN_F_BNRAND,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
 
 	/* make a random number and set the top and bottom bits */
 	time(&tim);
-	RAND_add(&tim,sizeof(tim),0);
+	RAND_add(&tim,sizeof(tim),0.0);
 
 	if (pseudorand)
 		{
@@ -204,6 +204,7 @@ err:
 		OPENSSL_cleanse(buf,bytes);
 		OPENSSL_free(buf);
 		}
+	bn_check_top(rnd);
 	return(ret);
 	}
 
@@ -230,6 +231,7 @@ static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
 	{
 	int (*bn_rand)(BIGNUM *, int, int, int) = pseudo ? BN_pseudo_rand : BN_rand;
 	int n;
+	int count = 100;
 
 	if (range->neg || BN_is_zero(range))
 		{
@@ -242,9 +244,7 @@ static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
 	/* BN_is_bit_set(range, n - 1) always holds */
 
 	if (n == 1)
-		{
-		if (!BN_zero(r)) return 0;
-		}
+		BN_zero(r);
 	else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3))
 		{
 		/* range = 100..._2,
@@ -263,6 +263,13 @@ static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
 				if (BN_cmp(r, range) >= 0)
 					if (!BN_sub(r, r, range)) return 0;
 				}
+
+			if (!--count)
+				{
+				BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
+				return 0;
+				}
+			
 			}
 		while (BN_cmp(r, range) >= 0);
 		}
@@ -272,10 +279,17 @@ static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
 			{
 			/* range = 11..._2  or  range = 101..._2 */
 			if (!bn_rand(r, n, -1, 0)) return 0;
+
+			if (!--count)
+				{
+				BNerr(BN_F_BN_RAND_RANGE, BN_R_TOO_MANY_ITERATIONS);
+				return 0;
+				}
 			}
 		while (BN_cmp(r, range) >= 0);
 		}
 
+	bn_check_top(r);
 	return 1;
 	}
 
diff --git a/crypto/openssl/crypto/bn/bn_recp.c b/crypto/openssl/crypto/bn/bn_recp.c
index ef5fdd470808..2e8efb8dae29 100644
--- a/crypto/openssl/crypto/bn/bn_recp.c
+++ b/crypto/openssl/crypto/bn/bn_recp.c
@@ -94,7 +94,7 @@ void BN_RECP_CTX_free(BN_RECP_CTX *recp)
 int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *d, BN_CTX *ctx)
 	{
 	if (!BN_copy(&(recp->N),d)) return 0;
-	if (!BN_zero(&(recp->Nr))) return 0;
+	BN_zero(&(recp->Nr));
 	recp->num_bits=BN_num_bits(d);
 	recp->shift=0;
 	return(1);
@@ -123,6 +123,7 @@ int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,
 	ret = BN_div_recp(NULL,r,ca,recp,ctx);
 err:
 	BN_CTX_end(ctx);
+	bn_check_top(r);
 	return(ret);
 	}
 
@@ -147,7 +148,7 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
 
 	if (BN_ucmp(m,&(recp->N)) < 0)
 		{
-		if (!BN_zero(d)) return 0;
+		BN_zero(d);
 		if (!BN_copy(r,m)) return 0;
 		BN_CTX_end(ctx);
 		return(1);
@@ -190,7 +191,7 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
 		{
 		if (j++ > 2)
 			{
-			BNerr(BN_F_BN_MOD_MUL_RECIPROCAL,BN_R_BAD_RECIPROCAL);
+			BNerr(BN_F_BN_DIV_RECP,BN_R_BAD_RECIPROCAL);
 			goto err;
 			}
 		if (!BN_usub(r,r,&(recp->N))) goto err;
@@ -203,6 +204,8 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
 	ret=1;
 err:
 	BN_CTX_end(ctx);
+	bn_check_top(dv);
+	bn_check_top(rem);
 	return(ret);
 	} 
 
@@ -214,17 +217,18 @@ err:
 int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx)
 	{
 	int ret= -1;
-	BIGNUM t;
+	BIGNUM *t;
 
-	BN_init(&t);
+	BN_CTX_start(ctx);
+	if((t = BN_CTX_get(ctx)) == NULL) goto err;
 
-	if (!BN_zero(&t)) goto err;
-	if (!BN_set_bit(&t,len)) goto err;
+	if (!BN_set_bit(t,len)) goto err;
 
-	if (!BN_div(r,NULL,&t,m,ctx)) goto err;
+	if (!BN_div(r,NULL,t,m,ctx)) goto err;
 
 	ret=len;
 err:
-	BN_free(&t);
+	bn_check_top(r);
+	BN_CTX_end(ctx);
 	return(ret);
 	}
diff --git a/crypto/openssl/crypto/bn/bn_shift.c b/crypto/openssl/crypto/bn/bn_shift.c
index 70f785ea185b..de9312dce231 100644
--- a/crypto/openssl/crypto/bn/bn_shift.c
+++ b/crypto/openssl/crypto/bn/bn_shift.c
@@ -65,6 +65,9 @@ int BN_lshift1(BIGNUM *r, const BIGNUM *a)
 	register BN_ULONG *ap,*rp,t,c;
 	int i;
 
+	bn_check_top(r);
+	bn_check_top(a);
+
 	if (r != a)
 		{
 		r->neg=a->neg;
@@ -89,6 +92,7 @@ int BN_lshift1(BIGNUM *r, const BIGNUM *a)
 		*rp=1;
 		r->top++;
 		}
+	bn_check_top(r);
 	return(1);
 	}
 
@@ -97,6 +101,9 @@ int BN_rshift1(BIGNUM *r, const BIGNUM *a)
 	BN_ULONG *ap,*rp,t,c;
 	int i;
 
+	bn_check_top(r);
+	bn_check_top(a);
+
 	if (BN_is_zero(a))
 		{
 		BN_zero(r);
@@ -117,7 +124,8 @@ int BN_rshift1(BIGNUM *r, const BIGNUM *a)
 		rp[i]=((t>>1)&BN_MASK2)|c;
 		c=(t&1)?BN_TBIT:0;
 		}
-	bn_fix_top(r);
+	bn_correct_top(r);
+	bn_check_top(r);
 	return(1);
 	}
 
@@ -127,6 +135,9 @@ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
 	BN_ULONG *t,*f;
 	BN_ULONG l;
 
+	bn_check_top(r);
+	bn_check_top(a);
+
 	r->neg=a->neg;
 	nw=n/BN_BITS2;
 	if (bn_wexpand(r,a->top+nw+1) == NULL) return(0);
@@ -149,7 +160,8 @@ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
 /*	for (i=0; i<nw; i++)
 		t[i]=0;*/
 	r->top=a->top+nw+1;
-	bn_fix_top(r);
+	bn_correct_top(r);
+	bn_check_top(r);
 	return(1);
 	}
 
@@ -159,6 +171,9 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
 	BN_ULONG *t,*f;
 	BN_ULONG l,tmp;
 
+	bn_check_top(r);
+	bn_check_top(a);
+
 	nw=n/BN_BITS2;
 	rb=n%BN_BITS2;
 	lb=BN_BITS2-rb;
@@ -185,13 +200,13 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
 
 	if (rb == 0)
 		{
-		for (i=j+1; i > 0; i--)
+		for (i=j; i != 0; i--)
 			*(t++)= *(f++);
 		}
 	else
 		{
 		l= *(f++);
-		for (i=1; i<j; i++)
+		for (i=j-1; i != 0; i--)
 			{
 			tmp =(l>>rb)&BN_MASK2;
 			l= *(f++);
@@ -199,7 +214,7 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
 			}
 		*(t++) =(l>>rb)&BN_MASK2;
 		}
-	*t=0;
-	bn_fix_top(r);
+	bn_correct_top(r);
+	bn_check_top(r);
 	return(1);
 	}
diff --git a/crypto/openssl/crypto/bn/bn_sqr.c b/crypto/openssl/crypto/bn/bn_sqr.c
index c1d0cca438dc..270d0cd348b9 100644
--- a/crypto/openssl/crypto/bn/bn_sqr.c
+++ b/crypto/openssl/crypto/bn/bn_sqr.c
@@ -77,16 +77,16 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
 	if (al <= 0)
 		{
 		r->top=0;
-		return(1);
+		return 1;
 		}
 
 	BN_CTX_start(ctx);
 	rr=(a != r) ? r : BN_CTX_get(ctx);
 	tmp=BN_CTX_get(ctx);
-	if (tmp == NULL) goto err;
+	if (!rr || !tmp) goto err;
 
-	max=(al+al);
-	if (bn_wexpand(rr,max+1) == NULL) goto err;
+	max = 2 * al; /* Non-zero (from above) */
+	if (bn_wexpand(rr,max) == NULL) goto err;
 
 	if (al == 4)
 		{
@@ -138,12 +138,18 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
 #endif
 		}
 
-	rr->top=max;
 	rr->neg=0;
-	if ((max > 0) && (rr->d[max-1] == 0)) rr->top--;
+	/* If the most-significant half of the top word of 'a' is zero, then
+	 * the square of 'a' will max-1 words. */
+	if(a->d[al - 1] == (a->d[al - 1] & BN_MASK2l))
+		rr->top = max - 1;
+	else
+		rr->top = max;
 	if (rr != r) BN_copy(r,rr);
 	ret = 1;
  err:
+	bn_check_top(rr);
+	bn_check_top(tmp);
 	BN_CTX_end(ctx);
 	return(ret);
 	}
diff --git a/crypto/openssl/crypto/bn/bn_sqrt.c b/crypto/openssl/crypto/bn/bn_sqrt.c
index e2a1105dc838..6beaf9e5e5dd 100644
--- a/crypto/openssl/crypto/bn/bn_sqrt.c
+++ b/crypto/openssl/crypto/bn/bn_sqrt.c
@@ -1,4 +1,4 @@
-/* crypto/bn/bn_mod.c */
+/* crypto/bn/bn_sqrt.c */
 /* Written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * and Bodo Moeller for the OpenSSL project. */
 /* ====================================================================
@@ -65,14 +65,12 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
  * using the Tonelli/Shanks algorithm (cf. Henri Cohen, "A Course
  * in Algebraic Computational Number Theory", algorithm 1.5.1).
  * 'p' must be prime!
- * If 'a' is not a square, this is not necessarily detected by
- * the algorithms; a bogus result must be expected in this case.
  */
 	{
 	BIGNUM *ret = in;
 	int err = 1;
 	int r;
-	BIGNUM *b, *q, *t, *x, *y;
+	BIGNUM *A, *b, *q, *t, *x, *y;
 	int e, i, j;
 	
 	if (!BN_is_odd(p) || BN_abs_is_word(p, 1))
@@ -85,9 +83,11 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 				goto end;
 			if (!BN_set_word(ret, BN_is_bit_set(a, 0)))
 				{
-				BN_free(ret);
+				if (ret != in)
+					BN_free(ret);
 				return NULL;
 				}
+			bn_check_top(ret);
 			return ret;
 			}
 
@@ -103,23 +103,16 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 			goto end;
 		if (!BN_set_word(ret, BN_is_one(a)))
 			{
-			BN_free(ret);
+			if (ret != in)
+				BN_free(ret);
 			return NULL;
 			}
+		bn_check_top(ret);
 		return ret;
 		}
 
-#if 0 /* if BN_mod_sqrt is used with correct input, this just wastes time */
-	r = BN_kronecker(a, p, ctx);
-	if (r < -1) return NULL;
-	if (r == -1)
-		{
-		BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
-		return(NULL);
-		}
-#endif
-
 	BN_CTX_start(ctx);
+	A = BN_CTX_get(ctx);
 	b = BN_CTX_get(ctx);
 	q = BN_CTX_get(ctx);
 	t = BN_CTX_get(ctx);
@@ -131,6 +124,9 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 		ret = BN_new();
 	if (ret == NULL) goto end;
 
+	/* A = a mod p */
+	if (!BN_nnmod(A, a, p, ctx)) goto end;
+
 	/* now write  |p| - 1  as  2^e*q  where  q  is odd */
 	e = 1;
 	while (!BN_is_bit_set(p, e))
@@ -149,9 +145,9 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 		if (!BN_rshift(q, p, 2)) goto end;
 		q->neg = 0;
 		if (!BN_add_word(q, 1)) goto end;
-		if (!BN_mod_exp(ret, a, q, p, ctx)) goto end;
+		if (!BN_mod_exp(ret, A, q, p, ctx)) goto end;
 		err = 0;
-		goto end;
+		goto vrfy;
 		}
 	
 	if (e == 2)
@@ -182,15 +178,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 		 * November 1992.)
 		 */
 
-		/* make sure that  a  is reduced modulo p */
-		if (a->neg || BN_ucmp(a, p) >= 0)
-			{
-			if (!BN_nnmod(x, a, p, ctx)) goto end;
-			a = x; /* use x as temporary variable */
-			}
-
 		/* t := 2*a */
-		if (!BN_mod_lshift1_quick(t, a, p)) goto end;
+		if (!BN_mod_lshift1_quick(t, A, p)) goto end;
 
 		/* b := (2*a)^((|p|-5)/8) */
 		if (!BN_rshift(q, p, 3)) goto end;
@@ -205,12 +194,12 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 		if (!BN_sub_word(t, 1)) goto end;
 
 		/* x = a*b*t */
-		if (!BN_mod_mul(x, a, b, p, ctx)) goto end;
+		if (!BN_mod_mul(x, A, b, p, ctx)) goto end;
 		if (!BN_mod_mul(x, x, t, p, ctx)) goto end;
 
 		if (!BN_copy(ret, x)) goto end;
 		err = 0;
-		goto end;
+		goto vrfy;
 		}
 	
 	/* e > 2, so we really have to use the Tonelli/Shanks algorithm.
@@ -297,11 +286,11 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 	/* x := a^((q-1)/2) */
 	if (BN_is_zero(t)) /* special case: p = 2^e + 1 */
 		{
-		if (!BN_nnmod(t, a, p, ctx)) goto end;
+		if (!BN_nnmod(t, A, p, ctx)) goto end;
 		if (BN_is_zero(t))
 			{
 			/* special case: a == 0  (mod p) */
-			if (!BN_zero(ret)) goto end;
+			BN_zero(ret);
 			err = 0;
 			goto end;
 			}
@@ -310,11 +299,11 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 		}
 	else
 		{
-		if (!BN_mod_exp(x, a, t, p, ctx)) goto end;
+		if (!BN_mod_exp(x, A, t, p, ctx)) goto end;
 		if (BN_is_zero(x))
 			{
 			/* special case: a == 0  (mod p) */
-			if (!BN_zero(ret)) goto end;
+			BN_zero(ret);
 			err = 0;
 			goto end;
 			}
@@ -322,10 +311,10 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 
 	/* b := a*x^2  (= a^q) */
 	if (!BN_mod_sqr(b, x, p, ctx)) goto end;
-	if (!BN_mod_mul(b, b, a, p, ctx)) goto end;
+	if (!BN_mod_mul(b, b, A, p, ctx)) goto end;
 	
 	/* x := a*x    (= a^((q+1)/2)) */
-	if (!BN_mod_mul(x, x, a, p, ctx)) goto end;
+	if (!BN_mod_mul(x, x, A, p, ctx)) goto end;
 
 	while (1)
 		{
@@ -342,7 +331,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 			{
 			if (!BN_copy(ret, x)) goto end;
 			err = 0;
-			goto end;
+			goto vrfy;
 			}
 
 
@@ -373,6 +362,22 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 		e = i;
 		}
 
+ vrfy:
+	if (!err)
+		{
+		/* verify the result -- the input might have been not a square
+		 * (test added in 0.9.8) */
+		
+		if (!BN_mod_sqr(x, ret, p, ctx))
+			err = 1;
+		
+		if (!err && 0 != BN_cmp(x, A))
+			{
+			BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+			err = 1;
+			}
+		}
+
  end:
 	if (err)
 		{
@@ -383,5 +388,6 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 		ret = NULL;
 		}
 	BN_CTX_end(ctx);
+	bn_check_top(ret);
 	return ret;
 	}
diff --git a/crypto/openssl/crypto/bn/bn_word.c b/crypto/openssl/crypto/bn/bn_word.c
index 988e0ca7b37f..ee7b87c45ccd 100644
--- a/crypto/openssl/crypto/bn/bn_word.c
+++ b/crypto/openssl/crypto/bn/bn_word.c
@@ -69,6 +69,10 @@ BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w)
 #endif
 	int i;
 
+	if (w == 0)
+		return (BN_ULONG)-1;
+
+	bn_check_top(a);
 	w&=BN_MASK2;
 	for (i=a->top-1; i>=0; i--)
 		{
@@ -85,12 +89,24 @@ BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w)
 
 BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w)
 	{
-	BN_ULONG ret;
-	int i;
+	BN_ULONG ret = 0;
+	int i, j;
+
+	bn_check_top(a);
+	w &= BN_MASK2;
+
+	if (!w)
+		/* actually this an error (division by zero) */
+		return (BN_ULONG)-1;
+	if (a->top == 0)
+		return 0;
+
+	/* normalize input (so bn_div_words doesn't complain) */
+	j = BN_BITS2 - BN_num_bits_word(w);
+	w <<= j;
+	if (!BN_lshift(a, a, j))
+		return (BN_ULONG)-1;
 
-	if (a->top == 0) return(0);
-	ret=0;
-	w&=BN_MASK2;
 	for (i=a->top-1; i>=0; i--)
 		{
 		BN_ULONG l,d;
@@ -102,6 +118,8 @@ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w)
 		}
 	if ((a->top > 0) && (a->d[a->top-1] == 0))
 		a->top--;
+	ret >>= j;
+	bn_check_top(a);
 	return(ret);
 	}
 
@@ -110,6 +128,14 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
 	BN_ULONG l;
 	int i;
 
+	bn_check_top(a);
+	w &= BN_MASK2;
+
+	/* degenerate case: w is zero */
+	if (!w) return 1;
+	/* degenerate case: a is zero */
+	if(BN_is_zero(a)) return BN_set_word(a, w);
+	/* handle 'a' when negative */
 	if (a->neg)
 		{
 		a->neg=0;
@@ -118,15 +144,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
 			a->neg=!(a->neg);
 		return(i);
 		}
-	w&=BN_MASK2;
-	if (bn_wexpand(a,a->top+1) == NULL) return(0);
+	/* Only expand (and risk failing) if it's possibly necessary */
+	if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) &&
+			(bn_wexpand(a,a->top+1) == NULL))
+		return(0);
 	i=0;
 	for (;;)
 		{
 		if (i >= a->top)
 			l=w;
 		else
-			l=(a->d[i]+(BN_ULONG)w)&BN_MASK2;
+			l=(a->d[i]+w)&BN_MASK2;
 		a->d[i]=l;
 		if (w > l)
 			w=1;
@@ -136,6 +164,7 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
 		}
 	if (i >= a->top)
 		a->top++;
+	bn_check_top(a);
 	return(1);
 	}
 
@@ -143,7 +172,21 @@ int BN_sub_word(BIGNUM *a, BN_ULONG w)
 	{
 	int i;
 
-	if (BN_is_zero(a) || a->neg)
+	bn_check_top(a);
+	w &= BN_MASK2;
+
+	/* degenerate case: w is zero */
+	if (!w) return 1;
+	/* degenerate case: a is zero */
+	if(BN_is_zero(a))
+		{
+		i = BN_set_word(a,w);
+		if (i != 0)
+			BN_set_negative(a, 1);
+		return i;
+		}
+	/* handle 'a' when negative */
+	if (a->neg)
 		{
 		a->neg=0;
 		i=BN_add_word(a,w);
@@ -151,7 +194,6 @@ int BN_sub_word(BIGNUM *a, BN_ULONG w)
 		return(i);
 		}
 
-	w&=BN_MASK2;
 	if ((a->top == 1) && (a->d[0] < w))
 		{
 		a->d[0]=w-a->d[0];
@@ -175,6 +217,7 @@ int BN_sub_word(BIGNUM *a, BN_ULONG w)
 		}
 	if ((a->d[i] == 0) && (i == (a->top-1)))
 		a->top--;
+	bn_check_top(a);
 	return(1);
 	}
 
@@ -182,6 +225,7 @@ int BN_mul_word(BIGNUM *a, BN_ULONG w)
 	{
 	BN_ULONG ll;
 
+	bn_check_top(a);
 	w&=BN_MASK2;
 	if (a->top)
 		{
@@ -197,6 +241,7 @@ int BN_mul_word(BIGNUM *a, BN_ULONG w)
 				}
 			}
 		}
+	bn_check_top(a);
 	return(1);
 	}
 
diff --git a/crypto/openssl/crypto/bn/bntest.c b/crypto/openssl/crypto/bn/bntest.c
index 28cd3339da6f..c885300a669f 100644
--- a/crypto/openssl/crypto/bn/bntest.c
+++ b/crypto/openssl/crypto/bn/bntest.c
@@ -55,6 +55,25 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the Eric Young open source
+ * license provided above.
+ *
+ * The binary polynomial arithmetic software is originally written by 
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+
+/* Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code */
+#ifdef OPENSSL_NO_DEPRECATED
+#undef OPENSSL_NO_DEPRECATED
+#endif
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -79,6 +98,7 @@ int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_);
 int test_rshift1(BIO *bp);
 int test_rshift(BIO *bp,BN_CTX *ctx);
 int test_div(BIO *bp,BN_CTX *ctx);
+int test_div_word(BIO *bp);
 int test_div_recp(BIO *bp,BN_CTX *ctx);
 int test_mul(BIO *bp);
 int test_sqr(BIO *bp,BN_CTX *ctx);
@@ -86,7 +106,17 @@ int test_mont(BIO *bp,BN_CTX *ctx);
 int test_mod(BIO *bp,BN_CTX *ctx);
 int test_mod_mul(BIO *bp,BN_CTX *ctx);
 int test_mod_exp(BIO *bp,BN_CTX *ctx);
+int test_mod_exp_mont_consttime(BIO *bp,BN_CTX *ctx);
 int test_exp(BIO *bp,BN_CTX *ctx);
+int test_gf2m_add(BIO *bp);
+int test_gf2m_mod(BIO *bp);
+int test_gf2m_mod_mul(BIO *bp,BN_CTX *ctx);
+int test_gf2m_mod_sqr(BIO *bp,BN_CTX *ctx);
+int test_gf2m_mod_inv(BIO *bp,BN_CTX *ctx);
+int test_gf2m_mod_div(BIO *bp,BN_CTX *ctx);
+int test_gf2m_mod_exp(BIO *bp,BN_CTX *ctx);
+int test_gf2m_mod_sqrt(BIO *bp,BN_CTX *ctx);
+int test_gf2m_mod_solve_quad(BIO *bp,BN_CTX *ctx);
 int test_kron(BIO *bp,BN_CTX *ctx);
 int test_sqrt(BIO *bp,BN_CTX *ctx);
 int rand_neg(void);
@@ -193,6 +223,10 @@ int main(int argc, char *argv[])
 	if (!test_div(out,ctx)) goto err;
 	BIO_flush(out);
 
+	message(out,"BN_div_word");
+	if (!test_div_word(out)) goto err;
+	BIO_flush(out);
+
 	message(out,"BN_div_recp");
 	if (!test_div_recp(out,ctx)) goto err;
 	BIO_flush(out);
@@ -213,6 +247,10 @@ int main(int argc, char *argv[])
 	if (!test_mod_exp(out,ctx)) goto err;
 	BIO_flush(out);
 
+	message(out,"BN_mod_exp_mont_consttime");
+	if (!test_mod_exp_mont_consttime(out,ctx)) goto err;
+	BIO_flush(out);
+
 	message(out,"BN_exp");
 	if (!test_exp(out,ctx)) goto err;
 	BIO_flush(out);
@@ -225,6 +263,42 @@ int main(int argc, char *argv[])
 	if (!test_sqrt(out,ctx)) goto err;
 	BIO_flush(out);
 
+	message(out,"BN_GF2m_add");
+	if (!test_gf2m_add(out)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_GF2m_mod");
+	if (!test_gf2m_mod(out)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_mul");
+	if (!test_gf2m_mod_mul(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_sqr");
+	if (!test_gf2m_mod_sqr(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_inv");
+	if (!test_gf2m_mod_inv(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_div");
+	if (!test_gf2m_mod_div(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_exp");
+	if (!test_gf2m_mod_exp(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_sqrt");
+	if (!test_gf2m_mod_sqrt(out,ctx)) goto err;
+	BIO_flush(out);
+
+	message(out,"BN_GF2m_mod_solve_quad");
+	if (!test_gf2m_mod_solve_quad(out,ctx)) goto err;
+	BIO_flush(out);
+
 	BN_CTX_free(ctx);
 	BIO_free(out);
 
@@ -232,7 +306,7 @@ int main(int argc, char *argv[])
 	EXIT(0);
 err:
 	BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices
-	                      * the failure, see test_bn in test/Makefile */
+	                      * the failure, see test_bn in test/Makefile.ssl*/
 	BIO_flush(out);
 	ERR_load_crypto_strings();
 	ERR_print_errors_fp(stderr);
@@ -399,6 +473,78 @@ int test_div(BIO *bp, BN_CTX *ctx)
 	return(1);
 	}
 
+static void print_word(BIO *bp,BN_ULONG w)
+	{
+#ifdef SIXTY_FOUR_BIT
+	if (sizeof(w) > sizeof(unsigned long))
+		{
+		unsigned long	h=(unsigned long)(w>>32),
+				l=(unsigned long)(w);
+
+		if (h)	BIO_printf(bp,"%lX%08lX",h,l);
+		else	BIO_printf(bp,"%lX",l);
+		return;
+		}
+#endif
+	BIO_printf(bp,"%lX",w);
+	}
+
+int test_div_word(BIO *bp)
+	{
+	BIGNUM   a,b;
+	BN_ULONG r,s;
+	int i;
+
+	BN_init(&a);
+	BN_init(&b);
+
+	for (i=0; i<num0; i++)
+		{
+		do {
+			BN_bntest_rand(&a,512,-1,0);
+			BN_bntest_rand(&b,BN_BITS2,-1,0);
+			s = b.d[0];
+		} while (!s);
+
+		BN_copy(&b, &a);
+		r = BN_div_word(&b, s);
+
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," / ");
+				print_word(bp,s);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,&b);
+			BIO_puts(bp,"\n");
+
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," % ");
+				print_word(bp,s);
+				BIO_puts(bp," - ");
+				}
+			print_word(bp,r);
+			BIO_puts(bp,"\n");
+			}
+		BN_mul_word(&b,s);
+		BN_add_word(&b,r);
+		BN_sub(&b,&a,&b);
+		if(!BN_is_zero(&b))
+		    {
+		    fprintf(stderr,"Division (word) test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(&a);
+	BN_free(&b);
+	return(1);
+	}
+
 int test_div_recp(BIO *bp, BN_CTX *ctx)
 	{
 	BIGNUM a,b,c,d,e;
@@ -813,6 +959,57 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
 	return(1);
 	}
 
+int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM *a,*b,*c,*d,*e;
+	int i;
+
+	a=BN_new();
+	b=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */
+	for (i=0; i<num2; i++)
+		{
+		BN_bntest_rand(a,20+i*5,0,0); /**/
+		BN_bntest_rand(b,2+i,0,0); /**/
+
+		if (!BN_mod_exp_mont_consttime(d,a,b,c,ctx,NULL))
+			return(00);
+
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,a);
+				BIO_puts(bp," ^ ");
+				BN_print(bp,b);
+				BIO_puts(bp," % ");
+				BN_print(bp,c);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,d);
+			BIO_puts(bp,"\n");
+			}
+		BN_exp(e,a,b,ctx);
+		BN_sub(e,e,d);
+		BN_div(a,b,e,c,ctx);
+		if(!BN_is_zero(b))
+		    {
+		    fprintf(stderr,"Modulo exponentiation test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(a);
+	BN_free(b);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	return(1);
+	}
+
 int test_exp(BIO *bp, BN_CTX *ctx)
 	{
 	BIGNUM *a,*b,*d,*e,*one;
@@ -863,7 +1060,582 @@ int test_exp(BIO *bp, BN_CTX *ctx)
 	return(1);
 	}
 
-static void genprime_cb(int p, int n, void *arg)
+int test_gf2m_add(BIO *bp)
+	{
+	BIGNUM a,b,c;
+	int i, ret = 0;
+
+	BN_init(&a);
+	BN_init(&b);
+	BN_init(&c);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_rand(&a,512,0,0);
+		BN_copy(&b, BN_value_one());
+		a.neg=rand_neg();
+		b.neg=rand_neg();
+		BN_GF2m_add(&c,&a,&b);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,&a);
+				BIO_puts(bp," ^ ");
+				BN_print(bp,&b);
+				BIO_puts(bp," = ");
+				}
+			BN_print(bp,&c);
+			BIO_puts(bp,"\n");
+			}
+#endif
+		/* Test that two added values have the correct parity. */
+		if((BN_is_odd(&a) && BN_is_odd(&c)) || (!BN_is_odd(&a) && !BN_is_odd(&c)))
+			{
+		    fprintf(stderr,"GF(2^m) addition test (a) failed!\n");
+			goto err;
+			}
+		BN_GF2m_add(&c,&c,&c);
+		/* Test that c + c = 0. */
+		if(!BN_is_zero(&c))
+		    {
+		    fprintf(stderr,"GF(2^m) addition test (b) failed!\n");
+			goto err;
+		    }
+		}
+	ret = 1;
+  err:
+	BN_free(&a);
+	BN_free(&b);
+	BN_free(&c);
+	return ret;
+	}
+
+int test_gf2m_mod(BIO *bp)
+	{
+	BIGNUM *a,*b[2],*c,*d,*e;
+	int i, j, ret = 0;
+	unsigned int p0[] = {163,7,6,3,0};
+	unsigned int p1[] = {193,15,0};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 1024, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod(c, a, b[j]);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,a);
+					BIO_puts(bp," % ");
+					BN_print(bp,b[j]);
+					BIO_puts(bp," - ");
+					BN_print(bp,c);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			BN_GF2m_add(d, a, c);
+			BN_GF2m_mod(e, d, b[j]);
+			/* Test that a + (a mod p) mod p == 0. */
+			if(!BN_is_zero(e))
+				{
+				fprintf(stderr,"GF(2^m) modulo test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	return ret;
+	}
+
+int test_gf2m_mod_mul(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d,*e,*f,*g,*h;
+	int i, j, ret = 0;
+	unsigned int p0[] = {163,7,6,3,0};
+	unsigned int p1[] = {193,15,0};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+	f=BN_new();
+	g=BN_new();
+	h=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 1024, 0, 0);
+		BN_bntest_rand(c, 1024, 0, 0);
+		BN_bntest_rand(d, 1024, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod_mul(e, a, c, b[j], ctx);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,a);
+					BIO_puts(bp," * ");
+					BN_print(bp,c);
+					BIO_puts(bp," % ");
+					BN_print(bp,b[j]);
+					BIO_puts(bp," - ");
+					BN_print(bp,e);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			BN_GF2m_add(f, a, d);
+			BN_GF2m_mod_mul(g, f, c, b[j], ctx);
+			BN_GF2m_mod_mul(h, d, c, b[j], ctx);
+			BN_GF2m_add(f, e, g);
+			BN_GF2m_add(f, f, h);
+			/* Test that (a+d)*c = a*c + d*c. */
+			if(!BN_is_zero(f))
+				{
+				fprintf(stderr,"GF(2^m) modular multiplication test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	BN_free(f);
+	BN_free(g);
+	BN_free(h);
+	return ret;
+	}
+
+int test_gf2m_mod_sqr(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d;
+	int i, j, ret = 0;
+	unsigned int p0[] = {163,7,6,3,0};
+	unsigned int p1[] = {193,15,0};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 1024, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod_sqr(c, a, b[j], ctx);
+			BN_copy(d, a);
+			BN_GF2m_mod_mul(d, a, d, b[j], ctx);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,a);
+					BIO_puts(bp," ^ 2 % ");
+					BN_print(bp,b[j]);
+					BIO_puts(bp, " = ");
+					BN_print(bp,c);
+					BIO_puts(bp,"; a * a = ");
+					BN_print(bp,d);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			BN_GF2m_add(d, c, d);
+			/* Test that a*a = a^2. */
+			if(!BN_is_zero(d))
+				{
+				fprintf(stderr,"GF(2^m) modular squaring test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	return ret;
+	}
+
+int test_gf2m_mod_inv(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d;
+	int i, j, ret = 0;
+	unsigned int p0[] = {163,7,6,3,0};
+	unsigned int p1[] = {193,15,0};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 512, 0, 0); 
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod_inv(c, a, b[j], ctx);
+			BN_GF2m_mod_mul(d, a, c, b[j], ctx);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,a);
+					BIO_puts(bp, " * ");
+					BN_print(bp,c);
+					BIO_puts(bp," - 1 % ");
+					BN_print(bp,b[j]);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			/* Test that ((1/a)*a) = 1. */
+			if(!BN_is_one(d))
+				{
+				fprintf(stderr,"GF(2^m) modular inversion test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	return ret;
+	}
+
+int test_gf2m_mod_div(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d,*e,*f;
+	int i, j, ret = 0;
+	unsigned int p0[] = {163,7,6,3,0};
+	unsigned int p1[] = {193,15,0};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+	f=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 512, 0, 0); 
+		BN_bntest_rand(c, 512, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod_div(d, a, c, b[j], ctx);
+			BN_GF2m_mod_mul(e, d, c, b[j], ctx);
+			BN_GF2m_mod_div(f, a, e, b[j], ctx);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,a);
+					BIO_puts(bp, " = ");
+					BN_print(bp,c);
+					BIO_puts(bp," * ");
+					BN_print(bp,d);
+					BIO_puts(bp, " % ");
+					BN_print(bp,b[j]);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			/* Test that ((a/c)*c)/a = 1. */
+			if(!BN_is_one(f))
+				{
+				fprintf(stderr,"GF(2^m) modular division test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	BN_free(f);
+	return ret;
+	}
+
+int test_gf2m_mod_exp(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d,*e,*f;
+	int i, j, ret = 0;
+	unsigned int p0[] = {163,7,6,3,0};
+	unsigned int p1[] = {193,15,0};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+	f=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 512, 0, 0);
+		BN_bntest_rand(c, 512, 0, 0);
+		BN_bntest_rand(d, 512, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod_exp(e, a, c, b[j], ctx);
+			BN_GF2m_mod_exp(f, a, d, b[j], ctx);
+			BN_GF2m_mod_mul(e, e, f, b[j], ctx);
+			BN_add(f, c, d);
+			BN_GF2m_mod_exp(f, a, f, b[j], ctx);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,a);
+					BIO_puts(bp, " ^ (");
+					BN_print(bp,c);
+					BIO_puts(bp," + ");
+					BN_print(bp,d);
+					BIO_puts(bp, ") = ");
+					BN_print(bp,e);
+					BIO_puts(bp, "; - ");
+					BN_print(bp,f);
+					BIO_puts(bp, " % ");
+					BN_print(bp,b[j]);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			BN_GF2m_add(f, e, f);
+			/* Test that a^(c+d)=a^c*a^d. */
+			if(!BN_is_zero(f))
+				{
+				fprintf(stderr,"GF(2^m) modular exponentiation test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	BN_free(f);
+	return ret;
+	}
+
+int test_gf2m_mod_sqrt(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d,*e,*f;
+	int i, j, ret = 0;
+	unsigned int p0[] = {163,7,6,3,0};
+	unsigned int p1[] = {193,15,0};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+	f=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 512, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			BN_GF2m_mod(c, a, b[j]);
+			BN_GF2m_mod_sqrt(d, a, b[j], ctx);
+			BN_GF2m_mod_sqr(e, d, b[j], ctx);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+			if (bp != NULL)
+				{
+				if (!results)
+					{
+					BN_print(bp,d);
+					BIO_puts(bp, " ^ 2 - ");
+					BN_print(bp,a);
+					BIO_puts(bp,"\n");
+					}
+				}
+#endif
+			BN_GF2m_add(f, c, e);
+			/* Test that d^2 = a, where d = sqrt(a). */
+			if(!BN_is_zero(f))
+				{
+				fprintf(stderr,"GF(2^m) modular square root test failed!\n");
+				goto err;
+				}
+			}
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	BN_free(f);
+	return ret;
+	}
+
+int test_gf2m_mod_solve_quad(BIO *bp,BN_CTX *ctx)
+	{
+	BIGNUM *a,*b[2],*c,*d,*e;
+	int i, j, s = 0, t, ret = 0;
+	unsigned int p0[] = {163,7,6,3,0};
+	unsigned int p1[] = {193,15,0};
+
+	a=BN_new();
+	b[0]=BN_new();
+	b[1]=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	BN_GF2m_arr2poly(p0, b[0]);
+	BN_GF2m_arr2poly(p1, b[1]);
+
+	for (i=0; i<num0; i++)
+		{
+		BN_bntest_rand(a, 512, 0, 0);
+		for (j=0; j < 2; j++)
+			{
+			t = BN_GF2m_mod_solve_quad(c, a, b[j], ctx);
+			if (t)
+				{
+				s++;
+				BN_GF2m_mod_sqr(d, c, b[j], ctx);
+				BN_GF2m_add(d, c, d);
+				BN_GF2m_mod(e, a, b[j]);
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+				if (bp != NULL)
+					{
+					if (!results)
+						{
+						BN_print(bp,c);
+						BIO_puts(bp, " is root of z^2 + z = ");
+						BN_print(bp,a);
+						BIO_puts(bp, " % ");
+						BN_print(bp,b[j]);
+						BIO_puts(bp, "\n");
+						}
+					}
+#endif
+				BN_GF2m_add(e, e, d);
+				/* Test that solution of quadratic c satisfies c^2 + c = a. */
+				if(!BN_is_zero(e))
+					{
+					fprintf(stderr,"GF(2^m) modular solve quadratic test failed!\n");
+					goto err;
+					}
+
+				}
+			else 
+				{
+#if 0 /* make test uses ouput in bc but bc can't handle GF(2^m) arithmetic */
+				if (bp != NULL)
+					{
+					if (!results)
+						{
+						BIO_puts(bp, "There are no roots of z^2 + z = ");
+						BN_print(bp,a);
+						BIO_puts(bp, " % ");
+						BN_print(bp,b[j]);
+						BIO_puts(bp, "\n");
+						}
+					}
+#endif
+				}
+			}
+		}
+	if (s == 0)
+		{	
+		fprintf(stderr,"All %i tests of GF(2^m) modular solve quadratic resulted in no roots;\n", num0);
+		fprintf(stderr,"this is very unlikely and probably indicates an error.\n");
+		goto err;
+		}
+	ret = 1;
+  err:
+	BN_free(a);
+	BN_free(b[0]);
+	BN_free(b[1]);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	return ret;
+	}
+
+static int genprime_cb(int p, int n, BN_GENCB *arg)
 	{
 	char c='*';
 
@@ -873,12 +1645,12 @@ static void genprime_cb(int p, int n, void *arg)
 	if (p == 3) c='\n';
 	putc(c, stderr);
 	fflush(stderr);
-	(void)n;
-	(void)arg;
+	return 1;
 	}
 
 int test_kron(BIO *bp, BN_CTX *ctx)
 	{
+	BN_GENCB cb;
 	BIGNUM *a,*b,*r,*t;
 	int i;
 	int legendre, kronecker;
@@ -889,6 +1661,8 @@ int test_kron(BIO *bp, BN_CTX *ctx)
 	r = BN_new();
 	t = BN_new();
 	if (a == NULL || b == NULL || r == NULL || t == NULL) goto err;
+
+	BN_GENCB_set(&cb, genprime_cb, NULL);
 	
 	/* We test BN_kronecker(a, b, ctx) just for  b  odd (Jacobi symbol).
 	 * In this case we know that if  b  is prime, then BN_kronecker(a, b, ctx)
@@ -899,7 +1673,7 @@ int test_kron(BIO *bp, BN_CTX *ctx)
 	 * don't want to test whether  b  is prime but whether BN_kronecker
 	 * works.) */
 
-	if (!BN_generate_prime(b, 512, 0, NULL, NULL, genprime_cb, NULL)) goto err;
+	if (!BN_generate_prime_ex(b, 512, 0, NULL, NULL, &cb)) goto err;
 	b->neg = rand_neg();
 	putc('\n', stderr);
 
@@ -967,6 +1741,7 @@ int test_kron(BIO *bp, BN_CTX *ctx)
 
 int test_sqrt(BIO *bp, BN_CTX *ctx)
 	{
+	BN_GENCB cb;
 	BIGNUM *a,*p,*r;
 	int i, j;
 	int ret = 0;
@@ -975,7 +1750,9 @@ int test_sqrt(BIO *bp, BN_CTX *ctx)
 	p = BN_new();
 	r = BN_new();
 	if (a == NULL || p == NULL || r == NULL) goto err;
-	
+
+	BN_GENCB_set(&cb, genprime_cb, NULL);
+
 	for (i = 0; i < 16; i++)
 		{
 		if (i < 8)
@@ -989,7 +1766,7 @@ int test_sqrt(BIO *bp, BN_CTX *ctx)
 			if (!BN_set_word(a, 32)) goto err;
 			if (!BN_set_word(r, 2*i + 1)) goto err;
 		
-			if (!BN_generate_prime(p, 256, 0, a, r, genprime_cb, NULL)) goto err;
+			if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb)) goto err;
 			putc('\n', stderr);
 			}
 		p->neg = rand_neg();
diff --git a/crypto/openssl/crypto/bn/expspeed.c b/crypto/openssl/crypto/bn/expspeed.c
index 07a1bcf51cfc..4d5f221f33ad 100644
--- a/crypto/openssl/crypto/bn/expspeed.c
+++ b/crypto/openssl/crypto/bn/expspeed.c
@@ -321,7 +321,7 @@ void do_mul_exp(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *c, BN_CTX *ctx)
 #else /* TEST_SQRT */
 			"2*sqrt [prime == %d (mod 64)] %4d %4d mod %4d"
 #endif
-			" -> %8.3fms %5.1f (%ld)\n",
+			" -> %8.6fms %5.1f (%ld)\n",
 #ifdef TEST_SQRT
 			P_MOD_64,
 #endif
diff --git a/crypto/openssl/crypto/bn/exptest.c b/crypto/openssl/crypto/bn/exptest.c
index b09cf8870550..f598a07cf5c9 100644
--- a/crypto/openssl/crypto/bn/exptest.c
+++ b/crypto/openssl/crypto/bn/exptest.c
@@ -77,7 +77,7 @@ int main(int argc, char *argv[])
 	BIO *out=NULL;
 	int i,ret;
 	unsigned char c;
-	BIGNUM *r_mont,*r_recp,*r_simple,*a,*b,*m;
+	BIGNUM *r_mont,*r_mont_const,*r_recp,*r_simple,*a,*b,*m;
 
 	RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't
 	                                       * even check its return value
@@ -88,6 +88,7 @@ int main(int argc, char *argv[])
 	ctx=BN_CTX_new();
 	if (ctx == NULL) EXIT(1);
 	r_mont=BN_new();
+	r_mont_const=BN_new();
 	r_recp=BN_new();
 	r_simple=BN_new();
 	a=BN_new();
@@ -143,8 +144,17 @@ int main(int argc, char *argv[])
 			EXIT(1);
 			}
 
+		ret=BN_mod_exp_mont_consttime(r_mont_const,a,b,m,ctx,NULL);
+		if (ret <= 0)
+			{
+			printf("BN_mod_exp_mont_consttime() problems\n");
+			ERR_print_errors(out);
+			EXIT(1);
+			}
+
 		if (BN_cmp(r_simple, r_mont) == 0
-		    && BN_cmp(r_simple,r_recp) == 0)
+		    && BN_cmp(r_simple,r_recp) == 0
+			&& BN_cmp(r_simple,r_mont_const) == 0)
 			{
 			printf(".");
 			fflush(stdout);
@@ -153,6 +163,8 @@ int main(int argc, char *argv[])
 		  	{
 			if (BN_cmp(r_simple,r_mont) != 0)
 				printf("\nsimple and mont results differ\n");
+			if (BN_cmp(r_simple,r_mont) != 0)
+				printf("\nsimple and mont const time results differ\n");
 			if (BN_cmp(r_simple,r_recp) != 0)
 				printf("\nsimple and recp results differ\n");
 
@@ -162,11 +174,13 @@ int main(int argc, char *argv[])
 			printf("\nsimple   =");	BN_print(out,r_simple);
 			printf("\nrecp     =");	BN_print(out,r_recp);
 			printf("\nmont     ="); BN_print(out,r_mont);
+			printf("\nmont_ct  ="); BN_print(out,r_mont_const);
 			printf("\n");
 			EXIT(1);
 			}
 		}
 	BN_free(r_mont);
+	BN_free(r_mont_const);
 	BN_free(r_recp);
 	BN_free(r_simple);
 	BN_free(a);
@@ -181,6 +195,9 @@ int main(int argc, char *argv[])
 err:
 	ERR_load_crypto_strings();
 	ERR_print_errors(out);
+#ifdef OPENSSL_SYS_NETWARE
+    printf("ERROR\n");
+#endif
 	EXIT(1);
 	return(1);
 	}
diff --git a/crypto/openssl/crypto/buffer/Makefile b/crypto/openssl/crypto/buffer/Makefile
index 8593dce0e480..9f3a88d2d6a1 100644
--- a/crypto/openssl/crypto/buffer/Makefile
+++ b/crypto/openssl/crypto/buffer/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/buffer/Makefile
+# OpenSSL/crypto/buffer/Makefile
 #
 
 DIR=	buffer
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -51,7 +46,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -66,6 +62,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -81,12 +78,13 @@ buf_err.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 buf_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 buf_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 buf_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-buf_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-buf_err.o: ../../include/openssl/symhacks.h buf_err.c
+buf_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+buf_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+buf_err.o: buf_err.c
 buffer.o: ../../e_os.h ../../include/openssl/bio.h
 buffer.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 buffer.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 buffer.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-buffer.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-buffer.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-buffer.o: ../cryptlib.h buffer.c
+buffer.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+buffer.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+buffer.o: ../../include/openssl/symhacks.h ../cryptlib.h buffer.c
diff --git a/crypto/openssl/crypto/buffer/buf_err.c b/crypto/openssl/crypto/buffer/buf_err.c
index 5eee653e14d0..8fc67d354282 100644
--- a/crypto/openssl/crypto/buffer/buf_err.c
+++ b/crypto/openssl/crypto/buffer/buf_err.c
@@ -1,6 +1,6 @@
 /* crypto/buffer/buf_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,11 +64,18 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BUF,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BUF,0,reason)
+
 static ERR_STRING_DATA BUF_str_functs[]=
 	{
-{ERR_PACK(0,BUF_F_BUF_MEM_GROW,0),	"BUF_MEM_grow"},
-{ERR_PACK(0,BUF_F_BUF_MEM_NEW,0),	"BUF_MEM_new"},
-{ERR_PACK(0,BUF_F_BUF_STRDUP,0),	"BUF_strdup"},
+{ERR_FUNC(BUF_F_BUF_MEMDUP),	"BUF_memdup"},
+{ERR_FUNC(BUF_F_BUF_MEM_GROW),	"BUF_MEM_grow"},
+{ERR_FUNC(BUF_F_BUF_MEM_GROW_CLEAN),	"BUF_MEM_grow_clean"},
+{ERR_FUNC(BUF_F_BUF_MEM_NEW),	"BUF_MEM_new"},
+{ERR_FUNC(BUF_F_BUF_STRDUP),	"BUF_strdup"},
+{ERR_FUNC(BUF_F_BUF_STRNDUP),	"BUF_strndup"},
 {0,NULL}
 	};
 
@@ -87,8 +94,8 @@ void ERR_load_BUF_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_BUF,BUF_str_functs);
-		ERR_load_strings(ERR_LIB_BUF,BUF_str_reasons);
+		ERR_load_strings(0,BUF_str_functs);
+		ERR_load_strings(0,BUF_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/buffer/buffer.c b/crypto/openssl/crypto/buffer/buffer.c
index d96487e7dbd0..3bf03c7eff07 100644
--- a/crypto/openssl/crypto/buffer/buffer.c
+++ b/crypto/openssl/crypto/buffer/buffer.c
@@ -149,7 +149,7 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
 		ret=OPENSSL_realloc_clean(str->data,str->max,n);
 	if (ret == NULL)
 		{
-		BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+		BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
 		len=0;
 		}
 	else
@@ -164,22 +164,41 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
 
 char *BUF_strdup(const char *str)
 	{
+	if (str == NULL) return(NULL);
+	return BUF_strndup(str, strlen(str));
+	}
+
+char *BUF_strndup(const char *str, size_t siz)
+	{
 	char *ret;
-	int n;
 
 	if (str == NULL) return(NULL);
 
-	n=strlen(str);
-	ret=OPENSSL_malloc(n+1);
+	ret=OPENSSL_malloc(siz+1);
 	if (ret == NULL) 
 		{
-		BUFerr(BUF_F_BUF_STRDUP,ERR_R_MALLOC_FAILURE);
+		BUFerr(BUF_F_BUF_STRNDUP,ERR_R_MALLOC_FAILURE);
 		return(NULL);
 		}
-	memcpy(ret,str,n+1);
+	BUF_strlcpy(ret,str,siz+1);
 	return(ret);
 	}
 
+void *BUF_memdup(const void *data, size_t siz)
+	{
+	void *ret;
+
+	if (data == NULL) return(NULL);
+
+	ret=OPENSSL_malloc(siz);
+	if (ret == NULL) 
+		{
+		BUFerr(BUF_F_BUF_MEMDUP,ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+	return memcpy(ret, data, siz);
+	}	
+
 size_t BUF_strlcpy(char *dst, const char *src, size_t size)
 	{
 	size_t l = 0;
diff --git a/crypto/openssl/crypto/buffer/buffer.h b/crypto/openssl/crypto/buffer/buffer.h
index 465dc34f3fea..1db960745037 100644
--- a/crypto/openssl/crypto/buffer/buffer.h
+++ b/crypto/openssl/crypto/buffer/buffer.h
@@ -59,25 +59,35 @@
 #ifndef HEADER_BUFFER_H
 #define HEADER_BUFFER_H
 
+#include <openssl/ossl_typ.h>
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
 #include <stddef.h>
+
+#if !defined(NO_SYS_TYPES_H)
 #include <sys/types.h>
+#endif
+
+/* Already declared in ossl_typ.h */
+/* typedef struct buf_mem_st BUF_MEM; */
 
-typedef struct buf_mem_st
+struct buf_mem_st
 	{
 	int length;	/* current number of bytes */
 	char *data;
 	int max;	/* size of buffer */
-	} BUF_MEM;
+	};
 
 BUF_MEM *BUF_MEM_new(void);
 void	BUF_MEM_free(BUF_MEM *a);
 int	BUF_MEM_grow(BUF_MEM *str, int len);
 int	BUF_MEM_grow_clean(BUF_MEM *str, int len);
 char *	BUF_strdup(const char *str);
+char *	BUF_strndup(const char *str, size_t siz);
+void *	BUF_memdup(const void *data, size_t siz);
 
 /* safe string functions */
 size_t BUF_strlcpy(char *dst,const char *src,size_t siz);
@@ -93,9 +103,12 @@ void ERR_load_BUF_strings(void);
 /* Error codes for the BUF functions. */
 
 /* Function codes. */
+#define BUF_F_BUF_MEMDUP				 103
 #define BUF_F_BUF_MEM_GROW				 100
+#define BUF_F_BUF_MEM_GROW_CLEAN			 105
 #define BUF_F_BUF_MEM_NEW				 101
 #define BUF_F_BUF_STRDUP				 102
+#define BUF_F_BUF_STRNDUP				 104
 
 /* Reason codes. */
 
diff --git a/crypto/openssl/crypto/cast/Makefile b/crypto/openssl/crypto/cast/Makefile
index f338e88ad560..149956ee90f5 100644
--- a/crypto/openssl/crypto/cast/Makefile
+++ b/crypto/openssl/crypto/cast/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/cast/Makefile
+# OpenSSL/crypto/cast/Makefile
 #
 
 DIR=	cast
@@ -8,23 +8,14 @@ CC=	cc
 CPP=	$(CC) -E
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
 CAST_ENC=c_enc.o
-# or use
-#CAST_ENC=asm/cx86-elf.o
-#CAST_ENC=asm/cx86-out.o
-#CAST_ENC=asm/cx86-sol.o
-#CAST_ENC=asm/cx86bdsi.o
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 ASFLAGS= $(INCLUDES) $(ASFLAG)
+AFLAGS= $(ASFLAGS)
 
 GENERAL=Makefile
 TEST=casttest.c
@@ -51,20 +42,15 @@ lib:	$(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
 
-# elf
-asm/cx86-elf.s: asm/cast-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
-	(cd asm; $(PERL) cast-586.pl elf $(CLAGS) $(PROCESSOR) > cx86-elf.s)
-
+# ELF
+cx86-elf.s: asm/cast-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) cast-586.pl elf $(CLAGS) $(PROCESSOR) > ../$@)
+# COFF
+cx86-cof.s: asm/cast-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) cast-586.pl coff $(CLAGS) $(PROCESSOR) > ../$@)
 # a.out
-asm/cx86-out.o: asm/cx86unix.cpp
-	$(CPP) -DOUT asm/cx86unix.cpp | as -o asm/cx86-out.o
-
-# bsdi
-asm/cx86bsdi.o: asm/cx86unix.cpp
-	$(CPP) -DBSDI asm/cx86unix.cpp | sed 's/ :/:/' | as -o asm/cx86bsdi.o
-
-asm/cx86unix.cpp: asm/cast-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
-	(cd asm; $(PERL) cast-586.pl cpp $(PROCESSOR) >cx86unix.cpp)
+cx86-out.s: asm/cast-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) cast-586.pl a.out $(CLAGS) $(PROCESSOR) > ../$@)
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -75,7 +61,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -90,6 +77,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -97,7 +85,7 @@ dclean:
 	mv -f Makefile.new $(MAKEFILE)
 
 clean:
-	rm -f asm/cx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/crypto/openssl/crypto/cast/cast.h b/crypto/openssl/crypto/cast/cast.h
index b28e4e4f3b3c..90b45b950aa8 100644
--- a/crypto/openssl/crypto/cast/cast.h
+++ b/crypto/openssl/crypto/cast/cast.h
@@ -63,6 +63,8 @@
 extern "C" {
 #endif
 
+#include <openssl/opensslconf.h>
+
 #ifdef OPENSSL_NO_CAST
 #error CAST is disabled.
 #endif
diff --git a/crypto/openssl/crypto/cast/cast_lcl.h b/crypto/openssl/crypto/cast/cast_lcl.h
index 37f41cc6a4de..e756021a33dc 100644
--- a/crypto/openssl/crypto/cast/cast_lcl.h
+++ b/crypto/openssl/crypto/cast/cast_lcl.h
@@ -64,11 +64,6 @@
 #endif
 
 
-#ifdef OPENSSL_BUILD_SHLIBCRYPTO
-# undef OPENSSL_EXTERN
-# define OPENSSL_EXTERN OPENSSL_EXPORT
-#endif
-
 #undef c2l
 #define c2l(c,l)	(l =((unsigned long)(*((c)++)))    , \
 			 l|=((unsigned long)(*((c)++)))<< 8L, \
@@ -222,11 +217,11 @@
 	}
 #endif
 
-OPENSSL_EXTERN const CAST_LONG CAST_S_table0[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table1[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table2[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table3[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table4[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table5[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table6[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table7[256];
+extern const CAST_LONG CAST_S_table0[256];
+extern const CAST_LONG CAST_S_table1[256];
+extern const CAST_LONG CAST_S_table2[256];
+extern const CAST_LONG CAST_S_table3[256];
+extern const CAST_LONG CAST_S_table4[256];
+extern const CAST_LONG CAST_S_table5[256];
+extern const CAST_LONG CAST_S_table6[256];
+extern const CAST_LONG CAST_S_table7[256];
diff --git a/crypto/openssl/crypto/cast/cast_spd.c b/crypto/openssl/crypto/cast/cast_spd.c
index 76abf50d9841..d650af475c3b 100644
--- a/crypto/openssl/crypto/cast/cast_spd.c
+++ b/crypto/openssl/crypto/cast/cast_spd.c
@@ -69,7 +69,10 @@
 #include OPENSSL_UNISTD_IO
 OPENSSL_DECLARE_EXIT
 
+#ifndef OPENSSL_SYS_NETWARE
 #include <signal.h>
+#endif
+
 #ifndef _IRIX
 #include <time.h>
 #endif
diff --git a/crypto/openssl/crypto/cast/castopts.c b/crypto/openssl/crypto/cast/castopts.c
index 1b858d153bb9..33b2c7b06fd7 100644
--- a/crypto/openssl/crypto/cast/castopts.c
+++ b/crypto/openssl/crypto/cast/castopts.c
@@ -69,7 +69,10 @@
 #include OPENSSL_UNISTD_IO
 OPENSSL_DECLARE_EXIT
 
+#ifndef OPENSSL_SYS_NETWARE
 #include <signal.h>
+#endif
+
 #ifndef _IRIX
 #include <time.h>
 #endif
diff --git a/crypto/openssl/crypto/cast/casttest.c b/crypto/openssl/crypto/cast/casttest.c
index 83e5a16c73f2..0d020d697596 100644
--- a/crypto/openssl/crypto/cast/casttest.c
+++ b/crypto/openssl/crypto/cast/casttest.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_CAST is defined */
 
 #include "../e_os.h"
 
diff --git a/crypto/openssl/crypto/comp/Makefile b/crypto/openssl/crypto/comp/Makefile
index 1f0fcb78424e..efda832dce47 100644
--- a/crypto/openssl/crypto/comp/Makefile
+++ b/crypto/openssl/crypto/comp/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/comp/Makefile
+# OpenSSL/crypto/comp/Makefile
 #
 
 DIR=	comp
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -54,7 +49,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -69,6 +65,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
@@ -81,32 +78,31 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 c_rle.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-c_rle.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
-c_rle.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-c_rle.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-c_rle.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-c_rle.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-c_rle.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h c_rle.c
+c_rle.o: ../../include/openssl/comp.h ../../include/openssl/crypto.h
+c_rle.o: ../../include/openssl/e_os2.h ../../include/openssl/obj_mac.h
+c_rle.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_rle.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+c_rle.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+c_rle.o: ../../include/openssl/symhacks.h c_rle.c
 c_zlib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-c_zlib.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
-c_zlib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-c_zlib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-c_zlib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-c_zlib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-c_zlib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-c_zlib.o: c_zlib.c
+c_zlib.o: ../../include/openssl/comp.h ../../include/openssl/crypto.h
+c_zlib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+c_zlib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+c_zlib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_zlib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+c_zlib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+c_zlib.o: ../../include/openssl/symhacks.h c_zlib.c
 comp_err.o: ../../include/openssl/bio.h ../../include/openssl/comp.h
 comp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 comp_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 comp_err.o: ../../include/openssl/opensslconf.h
-comp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-comp_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-comp_err.o: comp_err.c
+comp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+comp_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+comp_err.o: ../../include/openssl/symhacks.h comp_err.c
 comp_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-comp_lib.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
-comp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-comp_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-comp_lib.o: ../../include/openssl/opensslconf.h
+comp_lib.o: ../../include/openssl/comp.h ../../include/openssl/crypto.h
+comp_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/obj_mac.h
+comp_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 comp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 comp_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 comp_lib.o: ../../include/openssl/symhacks.h comp_lib.c
diff --git a/crypto/openssl/crypto/comp/c_zlib.c b/crypto/openssl/crypto/comp/c_zlib.c
index 345b59d75dd0..941b807eb391 100644
--- a/crypto/openssl/crypto/comp/c_zlib.c
+++ b/crypto/openssl/crypto/comp/c_zlib.c
@@ -3,6 +3,7 @@
 #include <string.h>
 #include <openssl/objects.h>
 #include <openssl/comp.h>
+#include <openssl/err.h>
 
 COMP_METHOD *COMP_zlib(void );
 
@@ -23,6 +24,14 @@ static COMP_METHOD zlib_method_nozlib={
 
 #include <zlib.h>
 
+static int zlib_stateful_init(COMP_CTX *ctx);
+static void zlib_stateful_finish(COMP_CTX *ctx);
+static int zlib_stateful_compress_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen);
+static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen);
+
+#if 0
 static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
 	unsigned int olen, unsigned char *in, unsigned int ilen);
 static int zlib_expand_block(COMP_CTX *ctx, unsigned char *out,
@@ -31,7 +40,7 @@ static int zlib_expand_block(COMP_CTX *ctx, unsigned char *out,
 static int zz_uncompress(Bytef *dest, uLongf *destLen, const Bytef *source,
 	uLong sourceLen);
 
-static COMP_METHOD zlib_method={
+static COMP_METHOD zlib_stateless_method={
 	NID_zlib_compression,
 	LN_zlib_compression,
 	NULL,
@@ -41,56 +50,195 @@ static COMP_METHOD zlib_method={
 	NULL,
 	NULL,
 	};
+#endif
+
+static COMP_METHOD zlib_stateful_method={
+	NID_zlib_compression,
+	LN_zlib_compression,
+	zlib_stateful_init,
+	zlib_stateful_finish,
+	zlib_stateful_compress_block,
+	zlib_stateful_expand_block,
+	NULL,
+	NULL,
+	};
 
 /* 
  * When OpenSSL is built on Windows, we do not want to require that
  * the ZLIB.DLL be available in order for the OpenSSL DLLs to
  * work.  Therefore, all ZLIB routines are loaded at run time
- * and we do not link to a .LIB file.
+ * and we do not link to a .LIB file when ZLIB_SHARED is set.
  */
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
 # include <windows.h>
-
-# define Z_CALLCONV _stdcall
-# define ZLIB_SHARED
-#else
-# define Z_CALLCONV
 #endif /* !(OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32) */
 
 #ifdef ZLIB_SHARED
 #include <openssl/dso.h>
 
-/* Prototypes for built in stubs */
-static int stub_compress(Bytef *dest,uLongf *destLen,
-	const Bytef *source, uLong sourceLen);
-static int stub_inflateEnd(z_streamp strm);
-static int stub_inflate(z_streamp strm, int flush);
-static int stub_inflateInit_(z_streamp strm, const char * version,
-	int stream_size);
-
 /* Function pointers */
-typedef int (Z_CALLCONV *compress_ft)(Bytef *dest,uLongf *destLen,
+typedef int (*compress_ft)(Bytef *dest,uLongf *destLen,
 	const Bytef *source, uLong sourceLen);
-typedef int (Z_CALLCONV *inflateEnd_ft)(z_streamp strm);
-typedef int (Z_CALLCONV *inflate_ft)(z_streamp strm, int flush);
-typedef int (Z_CALLCONV *inflateInit__ft)(z_streamp strm,
+typedef int (*inflateEnd_ft)(z_streamp strm);
+typedef int (*inflate_ft)(z_streamp strm, int flush);
+typedef int (*inflateInit__ft)(z_streamp strm,
+	const char * version, int stream_size);
+typedef int (*deflateEnd_ft)(z_streamp strm);
+typedef int (*deflate_ft)(z_streamp strm, int flush);
+typedef int (*deflateInit__ft)(z_streamp strm, int level,
 	const char * version, int stream_size);
 static compress_ft	p_compress=NULL;
 static inflateEnd_ft	p_inflateEnd=NULL;
 static inflate_ft	p_inflate=NULL;
 static inflateInit__ft	p_inflateInit_=NULL;
+static deflateEnd_ft	p_deflateEnd=NULL;
+static deflate_ft	p_deflate=NULL;
+static deflateInit__ft	p_deflateInit_=NULL;
 
 static int zlib_loaded = 0;     /* only attempt to init func pts once */
 static DSO *zlib_dso = NULL;
 
-#define compress                stub_compress
-#define inflateEnd              stub_inflateEnd
-#define inflate                 stub_inflate
-#define inflateInit_            stub_inflateInit_
+#define compress                p_compress
+#define inflateEnd              p_inflateEnd
+#define inflate                 p_inflate
+#define inflateInit_            p_inflateInit_
+#define deflateEnd              p_deflateEnd
+#define deflate                 p_deflate
+#define deflateInit_            p_deflateInit_
 #endif /* ZLIB_SHARED */
 
+struct zlib_state
+	{
+	z_stream istream;
+	z_stream ostream;
+	};
+
+static int zlib_stateful_ex_idx = -1;
+
+static void zlib_stateful_free_ex_data(void *obj, void *item,
+	CRYPTO_EX_DATA *ad, int ind,long argl, void *argp)
+	{
+	struct zlib_state *state = (struct zlib_state *)item;
+	inflateEnd(&state->istream);
+	deflateEnd(&state->ostream);
+	OPENSSL_free(state);
+	}
+
+static int zlib_stateful_init(COMP_CTX *ctx)
+	{
+	int err;
+	struct zlib_state *state =
+		(struct zlib_state *)OPENSSL_malloc(sizeof(struct zlib_state));
+
+	if (state == NULL)
+		goto err;
+
+	state->istream.zalloc = Z_NULL;
+	state->istream.zfree = Z_NULL;
+	state->istream.opaque = Z_NULL;
+	state->istream.next_in = Z_NULL;
+	state->istream.next_out = Z_NULL;
+	state->istream.avail_in = 0;
+	state->istream.avail_out = 0;
+	err = inflateInit_(&state->istream,
+		ZLIB_VERSION, sizeof(z_stream));
+	if (err != Z_OK)
+		goto err;
+
+	state->ostream.zalloc = Z_NULL;
+	state->ostream.zfree = Z_NULL;
+	state->ostream.opaque = Z_NULL;
+	state->ostream.next_in = Z_NULL;
+	state->ostream.next_out = Z_NULL;
+	state->ostream.avail_in = 0;
+	state->ostream.avail_out = 0;
+	err = deflateInit_(&state->ostream,Z_DEFAULT_COMPRESSION,
+		ZLIB_VERSION, sizeof(z_stream));
+	if (err != Z_OK)
+		goto err;
+
+	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
+	if (zlib_stateful_ex_idx == -1)
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_COMP);
+		if (zlib_stateful_ex_idx == -1)
+			zlib_stateful_ex_idx =
+				CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
+					0,NULL,NULL,NULL,zlib_stateful_free_ex_data);
+		CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
+		if (zlib_stateful_ex_idx == -1)
+			goto err;
+		}
+	CRYPTO_set_ex_data(&ctx->ex_data,zlib_stateful_ex_idx,state);
+	return 1;
+ err:
+	if (state) OPENSSL_free(state);
+	return 0;
+	}
+
+static void zlib_stateful_finish(COMP_CTX *ctx)
+	{
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
+	}
+
+static int zlib_stateful_compress_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen)
+	{
+	int err = Z_OK;
+	struct zlib_state *state =
+		(struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
+			zlib_stateful_ex_idx);
+
+	if (state == NULL)
+		return -1;
+
+	state->ostream.next_in = in;
+	state->ostream.avail_in = ilen;
+	state->ostream.next_out = out;
+	state->ostream.avail_out = olen;
+	if (ilen > 0)
+		err = deflate(&state->ostream, Z_SYNC_FLUSH);
+	if (err != Z_OK)
+		return -1;
+#ifdef DEBUG_ZLIB
+	fprintf(stderr,"compress(%4d)->%4d %s\n",
+		ilen,olen - state->ostream.avail_out,
+		(ilen != olen - state->ostream.avail_out)?"zlib":"clear");
+#endif
+	return olen - state->ostream.avail_out;
+	}
+
+static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen)
+	{
+	int err = Z_OK;
+
+	struct zlib_state *state =
+		(struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
+			zlib_stateful_ex_idx);
+
+	if (state == NULL)
+		return 0;
+
+	state->istream.next_in = in;
+	state->istream.avail_in = ilen;
+	state->istream.next_out = out;
+	state->istream.avail_out = olen;
+	if (ilen > 0)
+		err = inflate(&state->istream, Z_SYNC_FLUSH);
+	if (err != Z_OK)
+		return -1;
+#ifdef DEBUG_ZLIB
+	fprintf(stderr,"expand(%4d)->%4d %s\n",
+		ilen,olen - state->istream.avail_out,
+		(ilen != olen - state->istream.avail_out)?"zlib":"clear");
+#endif
+	return olen - state->istream.avail_out;
+	}
+
+#if 0
 static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
-	     unsigned int olen, unsigned char *in, unsigned int ilen)
+	unsigned int olen, unsigned char *in, unsigned int ilen)
 	{
 	unsigned long l;
 	int i;
@@ -123,7 +271,7 @@ static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
 	}
 
 static int zlib_expand_block(COMP_CTX *ctx, unsigned char *out,
-	     unsigned int olen, unsigned char *in, unsigned int ilen)
+	unsigned int olen, unsigned char *in, unsigned int ilen)
 	{
 	unsigned long l;
 	int i;
@@ -165,7 +313,8 @@ static int zz_uncompress (Bytef *dest, uLongf *destLen, const Bytef *source,
     stream.zalloc = (alloc_func)0;
     stream.zfree = (free_func)0;
 
-    err = inflateInit(&stream);
+    err = inflateInit_(&stream,
+	    ZLIB_VERSION, sizeof(z_stream));
     if (err != Z_OK) return err;
 
     err = inflate(&stream, Z_FINISH);
@@ -178,6 +327,7 @@ static int zz_uncompress (Bytef *dest, uLongf *destLen, const Bytef *source,
     err = inflateEnd(&stream);
     return err;
 }
+#endif
 
 #endif
 
@@ -190,16 +340,6 @@ COMP_METHOD *COMP_zlib(void)
 		{
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
 		zlib_dso = DSO_load(NULL, "ZLIB1", NULL, 0);
-		if (!zlib_dso)
-			{
-			zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
-			if (zlib_dso)
-				{
-				/* Clear the errors from the first failed
-				   DSO_load() */
-				ERR_clear_error();
-				}
-			}
 #else
 		zlib_dso = DSO_load(NULL, "z", NULL, 0);
 #endif
@@ -217,54 +357,31 @@ COMP_METHOD *COMP_zlib(void)
 			p_inflateInit_
 				= (inflateInit__ft) DSO_bind_func(zlib_dso,
 					"inflateInit_");
-			zlib_loaded++;
+			p_deflateEnd
+				= (deflateEnd_ft) DSO_bind_func(zlib_dso,
+					"deflateEnd");
+			p_deflate
+				= (deflate_ft) DSO_bind_func(zlib_dso,
+					"deflate");
+			p_deflateInit_
+				= (deflateInit__ft) DSO_bind_func(zlib_dso,
+					"deflateInit_");
+
+			if (p_compress && p_inflateEnd && p_inflate
+				&& p_inflateInit_ && p_deflateEnd
+				&& p_deflate && p_deflateInit_)
+				zlib_loaded++;
 			}
 		}
 
 #endif
+#ifdef ZLIB_SHARED
+	if (zlib_loaded)
+#endif
 #if defined(ZLIB) || defined(ZLIB_SHARED)
-	meth = &zlib_method;
+		meth = &zlib_stateful_method;
 #endif
 
 	return(meth);
 	}
 
-#ifdef ZLIB_SHARED
-/* Stubs for each function to be dynamicly loaded */
-static int 
-stub_compress(Bytef *dest,uLongf *destLen,const Bytef *source, uLong sourceLen)
-	{
-	if (p_compress)
-		return(p_compress(dest,destLen,source,sourceLen));
-	else
-		return(Z_MEM_ERROR);
-	}
-
-static int
-stub_inflateEnd(z_streamp strm)
-	{
-	if ( p_inflateEnd )
-		return(p_inflateEnd(strm));
-	else
-		return(Z_MEM_ERROR);
-	}
-
-static int
-stub_inflate(z_streamp strm, int flush)
-	{
-	if ( p_inflate )
-		return(p_inflate(strm,flush));
-	else
-		return(Z_MEM_ERROR);
-	}
-
-static int
-stub_inflateInit_(z_streamp strm, const char * version, int stream_size)
-	{
-	if ( p_inflateInit_ )
-		return(p_inflateInit_(strm,version,stream_size));
-	else
-		return(Z_MEM_ERROR);
-	}
-
-#endif /* ZLIB_SHARED */
diff --git a/crypto/openssl/crypto/comp/comp.h b/crypto/openssl/crypto/comp/comp.h
index ab48b78ae971..5d59354a5715 100644
--- a/crypto/openssl/crypto/comp/comp.h
+++ b/crypto/openssl/crypto/comp/comp.h
@@ -8,19 +8,26 @@
 extern "C" {
 #endif
 
+typedef struct comp_ctx_st COMP_CTX;
+
 typedef struct comp_method_st
 	{
 	int type;		/* NID for compression library */
 	const char *name;	/* A text string to identify the library */
-	int (*init)();
-	void (*finish)();
-	int (*compress)();
-	int (*expand)();
-	long (*ctrl)();
-	long (*callback_ctrl)();
+	int (*init)(COMP_CTX *ctx);
+	void (*finish)(COMP_CTX *ctx);
+	int (*compress)(COMP_CTX *ctx,
+			unsigned char *out, unsigned int olen,
+			unsigned char *in, unsigned int ilen);
+	int (*expand)(COMP_CTX *ctx,
+		      unsigned char *out, unsigned int olen,
+		      unsigned char *in, unsigned int ilen);
+	/* The following two do NOTHING, but are kept for backward compatibility */
+	long (*ctrl)(void);
+	long (*callback_ctrl)(void);
 	} COMP_METHOD;
 
-typedef struct comp_ctx_st
+struct comp_ctx_st
 	{
 	COMP_METHOD *meth;
 	unsigned long compress_in;
@@ -29,7 +36,7 @@ typedef struct comp_ctx_st
 	unsigned long expand_out;
 
 	CRYPTO_EX_DATA	ex_data;
-	} COMP_CTX;
+	};
 
 
 COMP_CTX *COMP_CTX_new(COMP_METHOD *meth);
diff --git a/crypto/openssl/crypto/comp/comp_err.c b/crypto/openssl/crypto/comp/comp_err.c
index 1652b8c2c4a1..bf7aa3af762b 100644
--- a/crypto/openssl/crypto/comp/comp_err.c
+++ b/crypto/openssl/crypto/comp/comp_err.c
@@ -1,6 +1,6 @@
 /* crypto/comp/comp_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,6 +64,10 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_COMP,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_COMP,0,reason)
+
 static ERR_STRING_DATA COMP_str_functs[]=
 	{
 {0,NULL}
@@ -84,8 +88,8 @@ void ERR_load_COMP_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_COMP,COMP_str_functs);
-		ERR_load_strings(ERR_LIB_COMP,COMP_str_reasons);
+		ERR_load_strings(0,COMP_str_functs);
+		ERR_load_strings(0,COMP_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/comp/comp_lib.c b/crypto/openssl/crypto/comp/comp_lib.c
index beb98ce8ccc8..b60ae371e8d1 100644
--- a/crypto/openssl/crypto/comp/comp_lib.c
+++ b/crypto/openssl/crypto/comp/comp_lib.c
@@ -20,17 +20,11 @@ COMP_CTX *COMP_CTX_new(COMP_METHOD *meth)
 		OPENSSL_free(ret);
 		ret=NULL;
 		}
-#if 0
-	else
-		CRYPTO_new_ex_data(rsa_meth,(char *)ret,&ret->ex_data);
-#endif
 	return(ret);
 	}
 
 void COMP_CTX_free(COMP_CTX *ctx)
 	{
-	/* CRYPTO_free_ex_data(rsa_meth,(char *)ctx,&ctx->ex_data); */
-
 	if(ctx == NULL)
 	    return;
 
diff --git a/crypto/openssl/crypto/conf/Makefile b/crypto/openssl/crypto/conf/Makefile
index 155cc6c8fb1d..78bb3241065d 100644
--- a/crypto/openssl/crypto/conf/Makefile
+++ b/crypto/openssl/crypto/conf/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/conf/Makefile
+# OpenSSL/crypto/conf/Makefile
 #
 
 DIR=	conf
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -54,7 +49,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -69,6 +65,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
@@ -84,98 +81,72 @@ conf_api.o: ../../e_os.h ../../include/openssl/bio.h
 conf_api.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h
 conf_api.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 conf_api.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-conf_api.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-conf_api.o: conf_api.c
+conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+conf_api.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+conf_api.o: ../../include/openssl/symhacks.h conf_api.c
 conf_def.o: ../../e_os.h ../../include/openssl/bio.h
 conf_def.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
 conf_def.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h
 conf_def.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 conf_def.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-conf_def.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-conf_def.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-conf_def.o: ../cryptlib.h conf_def.c conf_def.h
+conf_def.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+conf_def.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+conf_def.o: ../../include/openssl/symhacks.h ../cryptlib.h conf_def.c
+conf_def.o: conf_def.h
 conf_err.o: ../../include/openssl/bio.h ../../include/openssl/conf.h
 conf_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 conf_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 conf_err.o: ../../include/openssl/opensslconf.h
-conf_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-conf_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-conf_err.o: conf_err.c
+conf_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+conf_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+conf_err.o: ../../include/openssl/symhacks.h conf_err.c
 conf_lib.o: ../../include/openssl/bio.h ../../include/openssl/conf.h
 conf_lib.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h
 conf_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 conf_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-conf_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-conf_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-conf_lib.o: conf_lib.c
-conf_mall.o: ../../e_os.h ../../include/openssl/aes.h
-conf_mall.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-conf_mall.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-conf_mall.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+conf_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+conf_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+conf_lib.o: ../../include/openssl/symhacks.h conf_lib.c
+conf_mall.o: ../../e_os.h ../../include/openssl/asn1.h
+conf_mall.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 conf_mall.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-conf_mall.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-conf_mall.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 conf_mall.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-conf_mall.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-conf_mall.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-conf_mall.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-conf_mall.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-conf_mall.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+conf_mall.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+conf_mall.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+conf_mall.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+conf_mall.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 conf_mall.o: ../../include/openssl/objects.h
 conf_mall.o: ../../include/openssl/opensslconf.h
 conf_mall.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-conf_mall.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-conf_mall.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-conf_mall.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-conf_mall.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+conf_mall.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 conf_mall.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-conf_mall.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-conf_mall.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+conf_mall.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 conf_mall.o: ../../include/openssl/x509_vfy.h ../cryptlib.h conf_mall.c
-conf_mod.o: ../../e_os.h ../../include/openssl/aes.h
-conf_mod.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-conf_mod.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-conf_mod.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+conf_mod.o: ../../e_os.h ../../include/openssl/asn1.h
+conf_mod.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 conf_mod.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-conf_mod.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-conf_mod.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 conf_mod.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-conf_mod.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-conf_mod.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-conf_mod.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-conf_mod.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+conf_mod.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+conf_mod.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+conf_mod.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 conf_mod.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 conf_mod.o: ../../include/openssl/opensslconf.h
 conf_mod.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-conf_mod.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-conf_mod.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-conf_mod.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-conf_mod.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-conf_mod.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-conf_mod.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-conf_mod.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-conf_mod.o: ../cryptlib.h conf_mod.c
-conf_sap.o: ../../e_os.h ../../include/openssl/aes.h
-conf_sap.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-conf_sap.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-conf_sap.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+conf_mod.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+conf_mod.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+conf_mod.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+conf_mod.o: ../../include/openssl/x509_vfy.h ../cryptlib.h conf_mod.c
+conf_sap.o: ../../e_os.h ../../include/openssl/asn1.h
+conf_sap.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 conf_sap.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-conf_sap.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-conf_sap.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 conf_sap.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-conf_sap.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-conf_sap.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-conf_sap.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-conf_sap.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-conf_sap.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+conf_sap.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+conf_sap.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+conf_sap.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+conf_sap.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 conf_sap.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 conf_sap.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-conf_sap.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-conf_sap.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-conf_sap.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-conf_sap.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+conf_sap.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 conf_sap.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-conf_sap.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-conf_sap.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+conf_sap.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 conf_sap.o: ../../include/openssl/x509_vfy.h ../cryptlib.h conf_sap.c
diff --git a/crypto/openssl/crypto/conf/conf.h b/crypto/openssl/crypto/conf/conf.h
index f4671442ab10..4c073dd83171 100644
--- a/crypto/openssl/crypto/conf/conf.h
+++ b/crypto/openssl/crypto/conf/conf.h
@@ -65,6 +65,8 @@
 #include <openssl/safestack.h>
 #include <openssl/e_os2.h>
 
+#include <openssl/ossl_typ.h>
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -81,7 +83,6 @@ DECLARE_STACK_OF(CONF_MODULE)
 DECLARE_STACK_OF(CONF_IMODULE)
 
 struct conf_st;
-typedef struct conf_st CONF;
 struct conf_method_st;
 typedef struct conf_method_st CONF_METHOD;
 
@@ -212,6 +213,8 @@ void ERR_load_CONF_strings(void);
 #define CONF_F_CONF_LOAD_BIO				 102
 #define CONF_F_CONF_LOAD_FP				 103
 #define CONF_F_CONF_MODULES_LOAD			 116
+#define CONF_F_DEF_LOAD					 120
+#define CONF_F_DEF_LOAD_BIO				 121
 #define CONF_F_MODULE_INIT				 115
 #define CONF_F_MODULE_LOAD_DSO				 117
 #define CONF_F_MODULE_RUN				 118
diff --git a/crypto/openssl/crypto/conf/conf_def.c b/crypto/openssl/crypto/conf/conf_def.c
index b5a876ae68a5..8083a009d71a 100644
--- a/crypto/openssl/crypto/conf/conf_def.c
+++ b/crypto/openssl/crypto/conf/conf_def.c
@@ -60,6 +60,7 @@
 
 #include <stdio.h>
 #include <string.h>
+#include "cryptlib.h"
 #include <openssl/stack.h>
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
@@ -67,7 +68,6 @@
 #include "conf_def.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
-#include "cryptlib.h"
 
 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
@@ -194,9 +194,9 @@ static int def_load(CONF *conf, const char *name, long *line)
 	if (in == NULL)
 		{
 		if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE)
-			CONFerr(CONF_F_CONF_LOAD,CONF_R_NO_SUCH_FILE);
+			CONFerr(CONF_F_DEF_LOAD,CONF_R_NO_SUCH_FILE);
 		else
-			CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
+			CONFerr(CONF_F_DEF_LOAD,ERR_R_SYS_LIB);
 		return 0;
 		}
 
@@ -225,28 +225,28 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
 
 	if ((buff=BUF_MEM_new()) == NULL)
 		{
-		CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
+		CONFerr(CONF_F_DEF_LOAD_BIO,ERR_R_BUF_LIB);
 		goto err;
 		}
 
 	section=(char *)OPENSSL_malloc(10);
 	if (section == NULL)
 		{
-		CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
+		CONFerr(CONF_F_DEF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
 	BUF_strlcpy(section,"default",10);
 
 	if (_CONF_new_data(conf) == 0)
 		{
-		CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
+		CONFerr(CONF_F_DEF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
 
 	sv=_CONF_new_section(conf,section);
 	if (sv == NULL)
 		{
-		CONFerr(CONF_F_CONF_LOAD_BIO,
+		CONFerr(CONF_F_DEF_LOAD_BIO,
 					CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
 		goto err;
 		}
@@ -258,7 +258,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
 		{
 		if (!BUF_MEM_grow(buff,bufnum+CONFBUFSIZE))
 			{
-			CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
+			CONFerr(CONF_F_DEF_LOAD_BIO,ERR_R_BUF_LIB);
 			goto err;
 			}
 		p= &(buff->data[bufnum]);
@@ -329,7 +329,7 @@ again:
 					ss=p;
 					goto again;
 					}
-				CONFerr(CONF_F_CONF_LOAD_BIO,
+				CONFerr(CONF_F_DEF_LOAD_BIO,
 					CONF_R_MISSING_CLOSE_SQUARE_BRACKET);
 				goto err;
 				}
@@ -339,7 +339,7 @@ again:
 				sv=_CONF_new_section(conf,section);
 			if (sv == NULL)
 				{
-				CONFerr(CONF_F_CONF_LOAD_BIO,
+				CONFerr(CONF_F_DEF_LOAD_BIO,
 					CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
 				goto err;
 				}
@@ -362,7 +362,7 @@ again:
 			p=eat_ws(conf, end);
 			if (*p != '=')
 				{
-				CONFerr(CONF_F_CONF_LOAD_BIO,
+				CONFerr(CONF_F_DEF_LOAD_BIO,
 						CONF_R_MISSING_EQUAL_SIGN);
 				goto err;
 				}
@@ -379,7 +379,7 @@ again:
 
 			if (!(v=(CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE))))
 				{
-				CONFerr(CONF_F_CONF_LOAD_BIO,
+				CONFerr(CONF_F_DEF_LOAD_BIO,
 							ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
@@ -388,7 +388,7 @@ again:
 			v->value=NULL;
 			if (v->name == NULL)
 				{
-				CONFerr(CONF_F_CONF_LOAD_BIO,
+				CONFerr(CONF_F_DEF_LOAD_BIO,
 							ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
@@ -402,7 +402,7 @@ again:
 					tv=_CONF_new_section(conf,psection);
 				if (tv == NULL)
 					{
-					CONFerr(CONF_F_CONF_LOAD_BIO,
+					CONFerr(CONF_F_DEF_LOAD_BIO,
 					   CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
 					goto err;
 					}
@@ -416,7 +416,7 @@ again:
 #if 1
 			if (_CONF_add_string(conf, tv, v) == 0)
 				{
-				CONFerr(CONF_F_CONF_LOAD_BIO,
+				CONFerr(CONF_F_DEF_LOAD_BIO,
 							ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
@@ -424,7 +424,7 @@ again:
 			v->section=tv->section;	
 			if (!sk_CONF_VALUE_push(ts,v))
 				{
-				CONFerr(CONF_F_CONF_LOAD_BIO,
+				CONFerr(CONF_F_DEF_LOAD_BIO,
 							ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
@@ -613,13 +613,13 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
 				e++;
 				}
 			/* So at this point we have
-			 * ns which is the start of the name string which is
+			 * np which is the start of the name string which is
 			 *   '\0' terminated. 
-			 * cs which is the start of the section string which is
+			 * cp which is the start of the section string which is
 			 *   '\0' terminated.
 			 * e is the 'next point after'.
-			 * r and s are the chars replaced by the '\0'
-			 * rp and sp is where 'r' and 's' came from.
+			 * r and rr are the chars replaced by the '\0'
+			 * rp and rrp is where 'r' and 'rr' came from.
 			 */
 			p=_CONF_get_string(conf,cp,np);
 			if (rrp != NULL) *rrp=rr;
@@ -629,7 +629,7 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
 				CONFerr(CONF_F_STR_COPY,CONF_R_VARIABLE_HAS_NO_VALUE);
 				goto err;
 				}
-			BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from)));
+			BUF_MEM_grow_clean(buf,(strlen(p)+buf->length-(e-from)));
 			while (*p)
 				buf->data[to++]= *(p++);
 
@@ -638,6 +638,11 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
 			   points at.  /RL */
 			len -= e-from;
 			from=e;
+
+			/* In case there were no braces or parenthesis around
+			   the variable reference, we have to put back the
+			   character that was replaced with a '\0'.  /RL */
+			*rp = r;
 			}
 		else
 			buf->data[to++]= *(from++);
diff --git a/crypto/openssl/crypto/conf/conf_err.c b/crypto/openssl/crypto/conf/conf_err.c
index ee07bfe9d932..62506897462e 100644
--- a/crypto/openssl/crypto/conf/conf_err.c
+++ b/crypto/openssl/crypto/conf/conf_err.c
@@ -1,6 +1,6 @@
 /* crypto/conf/conf_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,47 +64,53 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_CONF,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_CONF,0,reason)
+
 static ERR_STRING_DATA CONF_str_functs[]=
 	{
-{ERR_PACK(0,CONF_F_CONF_DUMP_FP,0),	"CONF_dump_fp"},
-{ERR_PACK(0,CONF_F_CONF_LOAD,0),	"CONF_load"},
-{ERR_PACK(0,CONF_F_CONF_LOAD_BIO,0),	"CONF_load_bio"},
-{ERR_PACK(0,CONF_F_CONF_LOAD_FP,0),	"CONF_load_fp"},
-{ERR_PACK(0,CONF_F_CONF_MODULES_LOAD,0),	"CONF_modules_load"},
-{ERR_PACK(0,CONF_F_MODULE_INIT,0),	"MODULE_INIT"},
-{ERR_PACK(0,CONF_F_MODULE_LOAD_DSO,0),	"MODULE_LOAD_DSO"},
-{ERR_PACK(0,CONF_F_MODULE_RUN,0),	"MODULE_RUN"},
-{ERR_PACK(0,CONF_F_NCONF_DUMP_BIO,0),	"NCONF_dump_bio"},
-{ERR_PACK(0,CONF_F_NCONF_DUMP_FP,0),	"NCONF_dump_fp"},
-{ERR_PACK(0,CONF_F_NCONF_GET_NUMBER,0),	"NCONF_get_number"},
-{ERR_PACK(0,CONF_F_NCONF_GET_NUMBER_E,0),	"NCONF_get_number_e"},
-{ERR_PACK(0,CONF_F_NCONF_GET_SECTION,0),	"NCONF_get_section"},
-{ERR_PACK(0,CONF_F_NCONF_GET_STRING,0),	"NCONF_get_string"},
-{ERR_PACK(0,CONF_F_NCONF_LOAD,0),	"NCONF_load"},
-{ERR_PACK(0,CONF_F_NCONF_LOAD_BIO,0),	"NCONF_load_bio"},
-{ERR_PACK(0,CONF_F_NCONF_LOAD_FP,0),	"NCONF_load_fp"},
-{ERR_PACK(0,CONF_F_NCONF_NEW,0),	"NCONF_new"},
-{ERR_PACK(0,CONF_F_STR_COPY,0),	"STR_COPY"},
+{ERR_FUNC(CONF_F_CONF_DUMP_FP),	"CONF_dump_fp"},
+{ERR_FUNC(CONF_F_CONF_LOAD),	"CONF_load"},
+{ERR_FUNC(CONF_F_CONF_LOAD_BIO),	"CONF_load_bio"},
+{ERR_FUNC(CONF_F_CONF_LOAD_FP),	"CONF_load_fp"},
+{ERR_FUNC(CONF_F_CONF_MODULES_LOAD),	"CONF_modules_load"},
+{ERR_FUNC(CONF_F_DEF_LOAD),	"DEF_LOAD"},
+{ERR_FUNC(CONF_F_DEF_LOAD_BIO),	"DEF_LOAD_BIO"},
+{ERR_FUNC(CONF_F_MODULE_INIT),	"MODULE_INIT"},
+{ERR_FUNC(CONF_F_MODULE_LOAD_DSO),	"MODULE_LOAD_DSO"},
+{ERR_FUNC(CONF_F_MODULE_RUN),	"MODULE_RUN"},
+{ERR_FUNC(CONF_F_NCONF_DUMP_BIO),	"NCONF_dump_bio"},
+{ERR_FUNC(CONF_F_NCONF_DUMP_FP),	"NCONF_dump_fp"},
+{ERR_FUNC(CONF_F_NCONF_GET_NUMBER),	"NCONF_get_number"},
+{ERR_FUNC(CONF_F_NCONF_GET_NUMBER_E),	"NCONF_get_number_e"},
+{ERR_FUNC(CONF_F_NCONF_GET_SECTION),	"NCONF_get_section"},
+{ERR_FUNC(CONF_F_NCONF_GET_STRING),	"NCONF_get_string"},
+{ERR_FUNC(CONF_F_NCONF_LOAD),	"NCONF_load"},
+{ERR_FUNC(CONF_F_NCONF_LOAD_BIO),	"NCONF_load_bio"},
+{ERR_FUNC(CONF_F_NCONF_LOAD_FP),	"NCONF_load_fp"},
+{ERR_FUNC(CONF_F_NCONF_NEW),	"NCONF_new"},
+{ERR_FUNC(CONF_F_STR_COPY),	"STR_COPY"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA CONF_str_reasons[]=
 	{
-{CONF_R_ERROR_LOADING_DSO                ,"error loading dso"},
-{CONF_R_MISSING_CLOSE_SQUARE_BRACKET     ,"missing close square bracket"},
-{CONF_R_MISSING_EQUAL_SIGN               ,"missing equal sign"},
-{CONF_R_MISSING_FINISH_FUNCTION          ,"missing finish function"},
-{CONF_R_MISSING_INIT_FUNCTION            ,"missing init function"},
-{CONF_R_MODULE_INITIALIZATION_ERROR      ,"module initialization error"},
-{CONF_R_NO_CLOSE_BRACE                   ,"no close brace"},
-{CONF_R_NO_CONF                          ,"no conf"},
-{CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE  ,"no conf or environment variable"},
-{CONF_R_NO_SECTION                       ,"no section"},
-{CONF_R_NO_SUCH_FILE                     ,"no such file"},
-{CONF_R_NO_VALUE                         ,"no value"},
-{CONF_R_UNABLE_TO_CREATE_NEW_SECTION     ,"unable to create new section"},
-{CONF_R_UNKNOWN_MODULE_NAME              ,"unknown module name"},
-{CONF_R_VARIABLE_HAS_NO_VALUE            ,"variable has no value"},
+{ERR_REASON(CONF_R_ERROR_LOADING_DSO)    ,"error loading dso"},
+{ERR_REASON(CONF_R_MISSING_CLOSE_SQUARE_BRACKET),"missing close square bracket"},
+{ERR_REASON(CONF_R_MISSING_EQUAL_SIGN)   ,"missing equal sign"},
+{ERR_REASON(CONF_R_MISSING_FINISH_FUNCTION),"missing finish function"},
+{ERR_REASON(CONF_R_MISSING_INIT_FUNCTION),"missing init function"},
+{ERR_REASON(CONF_R_MODULE_INITIALIZATION_ERROR),"module initialization error"},
+{ERR_REASON(CONF_R_NO_CLOSE_BRACE)       ,"no close brace"},
+{ERR_REASON(CONF_R_NO_CONF)              ,"no conf"},
+{ERR_REASON(CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE),"no conf or environment variable"},
+{ERR_REASON(CONF_R_NO_SECTION)           ,"no section"},
+{ERR_REASON(CONF_R_NO_SUCH_FILE)         ,"no such file"},
+{ERR_REASON(CONF_R_NO_VALUE)             ,"no value"},
+{ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION),"unable to create new section"},
+{ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME)  ,"unknown module name"},
+{ERR_REASON(CONF_R_VARIABLE_HAS_NO_VALUE),"variable has no value"},
 {0,NULL}
 	};
 
@@ -118,8 +124,8 @@ void ERR_load_CONF_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_CONF,CONF_str_functs);
-		ERR_load_strings(ERR_LIB_CONF,CONF_str_reasons);
+		ERR_load_strings(0,CONF_str_functs);
+		ERR_load_strings(0,CONF_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/conf/conf_lib.c b/crypto/openssl/crypto/conf/conf_lib.c
index 6a3cf109ddc5..a55a5457c634 100644
--- a/crypto/openssl/crypto/conf/conf_lib.c
+++ b/crypto/openssl/crypto/conf/conf_lib.c
@@ -184,7 +184,7 @@ long CONF_get_number(LHASH *conf,const char *group,const char *name)
 	if (status == 0)
 		{
 		/* This function does not believe in errors... */
-		ERR_get_error();
+		ERR_clear_error();
 		}
 	return result;
 	}
diff --git a/crypto/openssl/crypto/conf/conf_mod.c b/crypto/openssl/crypto/conf/conf_mod.c
index d45adea85131..587211a59c19 100644
--- a/crypto/openssl/crypto/conf/conf_mod.c
+++ b/crypto/openssl/crypto/conf/conf_mod.c
@@ -231,7 +231,7 @@ static int module_run(const CONF *cnf, char *name, char *value,
 		if (!(flags & CONF_MFLAGS_SILENT))
 			{
 			char rcode[DECIMAL_SIZE(ret)+1];
-			CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR);
+			CONFerr(CONF_F_MODULE_RUN, CONF_R_MODULE_INITIALIZATION_ERROR);
 			BIO_snprintf(rcode, sizeof rcode, "%-8d", ret);
 			ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode);
 			}
@@ -254,7 +254,7 @@ static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value,
 	path = NCONF_get_string(cnf, value, "path");
 	if (!path)
 		{
-		ERR_get_error();
+		ERR_clear_error();
 		path = name;
 		}
 	dso = DSO_load(NULL, path, NULL, 0);
diff --git a/crypto/openssl/crypto/cpt_err.c b/crypto/openssl/crypto/cpt_err.c
index 1b4a1cb4d400..06a6109cceed 100644
--- a/crypto/openssl/crypto/cpt_err.c
+++ b/crypto/openssl/crypto/cpt_err.c
@@ -1,6 +1,6 @@
 /* crypto/cpt_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,23 +64,27 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_CRYPTO,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_CRYPTO,0,reason)
+
 static ERR_STRING_DATA CRYPTO_str_functs[]=
 	{
-{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,0),	"CRYPTO_get_ex_new_index"},
-{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID,0),	"CRYPTO_get_new_dynlockid"},
-{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_NEW_LOCKID,0),	"CRYPTO_get_new_lockid"},
-{ERR_PACK(0,CRYPTO_F_CRYPTO_SET_EX_DATA,0),	"CRYPTO_set_ex_data"},
-{ERR_PACK(0,CRYPTO_F_DEF_ADD_INDEX,0),	"DEF_ADD_INDEX"},
-{ERR_PACK(0,CRYPTO_F_DEF_GET_CLASS,0),	"DEF_GET_CLASS"},
-{ERR_PACK(0,CRYPTO_F_INT_DUP_EX_DATA,0),	"INT_DUP_EX_DATA"},
-{ERR_PACK(0,CRYPTO_F_INT_FREE_EX_DATA,0),	"INT_FREE_EX_DATA"},
-{ERR_PACK(0,CRYPTO_F_INT_NEW_EX_DATA,0),	"INT_NEW_EX_DATA"},
+{ERR_FUNC(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX),	"CRYPTO_get_ex_new_index"},
+{ERR_FUNC(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID),	"CRYPTO_get_new_dynlockid"},
+{ERR_FUNC(CRYPTO_F_CRYPTO_GET_NEW_LOCKID),	"CRYPTO_get_new_lockid"},
+{ERR_FUNC(CRYPTO_F_CRYPTO_SET_EX_DATA),	"CRYPTO_set_ex_data"},
+{ERR_FUNC(CRYPTO_F_DEF_ADD_INDEX),	"DEF_ADD_INDEX"},
+{ERR_FUNC(CRYPTO_F_DEF_GET_CLASS),	"DEF_GET_CLASS"},
+{ERR_FUNC(CRYPTO_F_INT_DUP_EX_DATA),	"INT_DUP_EX_DATA"},
+{ERR_FUNC(CRYPTO_F_INT_FREE_EX_DATA),	"INT_FREE_EX_DATA"},
+{ERR_FUNC(CRYPTO_F_INT_NEW_EX_DATA),	"INT_NEW_EX_DATA"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA CRYPTO_str_reasons[]=
 	{
-{CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK     ,"no dynlock create callback"},
+{ERR_REASON(CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK),"no dynlock create callback"},
 {0,NULL}
 	};
 
@@ -94,8 +98,8 @@ void ERR_load_CRYPTO_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_CRYPTO,CRYPTO_str_functs);
-		ERR_load_strings(ERR_LIB_CRYPTO,CRYPTO_str_reasons);
+		ERR_load_strings(0,CRYPTO_str_functs);
+		ERR_load_strings(0,CRYPTO_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/cryptlib.c b/crypto/openssl/crypto/cryptlib.c
index b8e700ce526f..315559c71cef 100644
--- a/crypto/openssl/crypto/cryptlib.c
+++ b/crypto/openssl/crypto/cryptlib.c
@@ -1,4 +1,57 @@
 /* crypto/cryptlib.c */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -55,11 +108,13 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECDH support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
-#include <stdio.h>
-#include <string.h>
 #include "cryptlib.h"
-#include <openssl/crypto.h>
 #include <openssl/safestack.h>
 
 #if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
@@ -104,10 +159,14 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
 	"dynlock",
 	"engine",
 	"ui",
-	"hwcrhk",		/* This is a HACK which will disappear in 0.9.8 */
-	"fips",
-	"fips2",
-#if CRYPTO_NUM_LOCKS != 35
+	"ecdsa",
+	"ec",
+	"ecdh",
+	"bn",
+	"ec_pre_comp",
+	"store",
+	"comp",
+#if CRYPTO_NUM_LOCKS != 39
 # error "Inconsistency between crypto.h and cryptlib.c"
 #endif
 	};
@@ -480,18 +539,74 @@ const char *CRYPTO_get_lock_name(int type)
 		return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
 	}
 
-#ifdef _DLL
-#ifdef OPENSSL_SYS_WIN32
+#if	defined(__i386)   || defined(__i386__)   || defined(_M_IX86) || \
+	defined(__INTEL__) || \
+	defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64)
+
+unsigned long  OPENSSL_ia32cap_P=0;
+unsigned long *OPENSSL_ia32cap_loc(void) { return &OPENSSL_ia32cap_P; }
+
+#if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
+#define OPENSSL_CPUID_SETUP
+void OPENSSL_cpuid_setup(void)
+{ static int trigger=0;
+  unsigned long OPENSSL_ia32_cpuid(void);
+  char *env;
+
+    if (trigger)	return;
+
+    trigger=1;
+    if ((env=getenv("OPENSSL_ia32cap")))
+	OPENSSL_ia32cap_P = strtoul(env,NULL,0)|(1<<10);
+    else
+	OPENSSL_ia32cap_P = OPENSSL_ia32_cpuid()|(1<<10);
+    /*
+     * |(1<<10) sets a reserved bit to signal that variable
+     * was initialized already... This is to avoid interference
+     * with cpuid snippets in ELF .init segment.
+     */
+}
+#endif
+
+#else
+unsigned long *OPENSSL_ia32cap_loc(void) { return NULL; }
+#endif
+int OPENSSL_NONPIC_relocated = 0;
+#if !defined(OPENSSL_CPUID_SETUP)
+void OPENSSL_cpuid_setup(void) {}
+#endif
+
+#if (defined(_WIN32) || defined(__CYGWIN__)) && defined(_WINDLL)
+#ifdef __CYGWIN__
+/* pick DLL_[PROCESS|THREAD]_[ATTACH|DETACH] definitions */
+#include <windows.h>
+#endif
 
 /* All we really need to do is remove the 'error' state when a thread
  * detaches */
 
-BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
 	     LPVOID lpvReserved)
 	{
 	switch(fdwReason)
 		{
 	case DLL_PROCESS_ATTACH:
+		OPENSSL_cpuid_setup();
+#if defined(_WIN32_WINNT)
+		{
+		IMAGE_DOS_HEADER *dos_header = (IMAGE_DOS_HEADER *)hinstDLL;
+		IMAGE_NT_HEADERS *nt_headers;
+
+		if (dos_header->e_magic==IMAGE_DOS_SIGNATURE)
+			{
+			nt_headers = (IMAGE_NT_HEADERS *)((char *)dos_header
+						+ dos_header->e_lfanew);
+			if (nt_headers->Signature==IMAGE_NT_SIGNATURE &&
+			    hinstDLL!=(HINSTANCE)(nt_headers->OptionalHeader.ImageBase))
+				OPENSSL_NONPIC_relocated=1;
+			}
+		}
+#endif
 		break;
 	case DLL_THREAD_ATTACH:
 		break;
@@ -505,131 +620,139 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
 	}
 #endif
 
-#endif
+#if defined(_WIN32) && !defined(__CYGWIN__)
+#include <tchar.h>
 
-void OpenSSLDie(const char *file,int line,const char *assertion)
-	{
-	fprintf(stderr,
-		"%s(%d): OpenSSL internal error, assertion failed: %s\n",
-		file,line,assertion);
-	abort();
-	}
+#if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
+int OPENSSL_isservice(void)
+{ HWINSTA h;
+  DWORD len;
+  WCHAR *name;
 
-#ifdef OPENSSL_FIPS
-static int fips_started = 0;
-static int fips_mode = 0;
-static void *fips_rand_check = 0;
-static unsigned long fips_thread = 0;
+    (void)GetDesktopWindow(); /* return value is ignored */
 
-void fips_set_started(void)
-	{
-	fips_started = 1;
-	}
+    h = GetProcessWindowStation();
+    if (h==NULL) return -1;
 
-int fips_is_started(void)
-	{
-	return fips_started;
-	}
-
-int fips_is_owning_thread(void)
-	{
-	int ret = 0;
-
-	if (fips_is_started())
-		{
-		CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
-		if (fips_thread != 0 && fips_thread == CRYPTO_thread_id())
-			ret = 1;
-		CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
-		}
-	return ret;
-	}
-
-int fips_set_owning_thread(void)
-	{
-	int ret = 0;
+    if (GetUserObjectInformationW (h,UOI_NAME,NULL,0,&len) ||
+	GetLastError() != ERROR_INSUFFICIENT_BUFFER)
+	return -1;
 
-	if (fips_is_started())
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
-		if (fips_thread == 0)
-			{
-			fips_thread = CRYPTO_thread_id();
-			ret = 1;
-			}
-		CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
-		}
-	return ret;
-	}
-
-int fips_clear_owning_thread(void)
-	{
-	int ret = 0;
-
-	if (fips_is_started())
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
-		if (fips_thread == CRYPTO_thread_id())
-			{
-			fips_thread = 0;
-			ret = 1;
-			}
-		CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
-		}
-	return ret;
-	}
-
-void fips_set_mode(int onoff)
-	{
-	int owning_thread = fips_is_owning_thread();
-
-	if (fips_is_started())
-		{
-		if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
-		fips_mode = onoff;
-		if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
-		}
-	}
+    if (len>512) return -1;		/* paranoia */
+    len++,len&=~1;			/* paranoia */
+#ifdef _MSC_VER
+    name=(WCHAR *)_alloca(len+sizeof(WCHAR));
+#else
+    name=(WCHAR *)alloca(len+sizeof(WCHAR));
+#endif
+    if (!GetUserObjectInformationW (h,UOI_NAME,name,len,&len))
+	return -1;
+
+    len++,len&=~1;			/* paranoia */
+    name[len/sizeof(WCHAR)]=L'\0';	/* paranoia */
+#if 1
+    /* This doesn't cover "interactive" services [working with real
+     * WinSta0's] nor programs started non-interactively by Task
+     * Scheduler [those are working with SAWinSta]. */
+    if (wcsstr(name,L"Service-0x"))	return 1;
+#else
+    /* This covers all non-interactive programs such as services. */
+    if (!wcsstr(name,L"WinSta0"))	return 1;
+#endif
+    else				return 0;
+}
+#else
+int OPENSSL_isservice(void) { return 0; }
+#endif
 
-void fips_set_rand_check(void *rand_check)
-	{
-	int owning_thread = fips_is_owning_thread();
+void OPENSSL_showfatal (const char *fmta,...)
+{ va_list ap;
+  TCHAR buf[256];
+  const TCHAR *fmt;
+#ifdef STD_ERROR_HANDLE	/* what a dirty trick! */
+  HANDLE h;
+
+    if ((h=GetStdHandle(STD_ERROR_HANDLE)) != NULL &&
+	GetFileType(h)!=FILE_TYPE_UNKNOWN)
+    {	/* must be console application */
+	va_start (ap,fmta);
+	vfprintf (stderr,fmta,ap);
+	va_end (ap);
+	return;
+    }
+#endif
 
-	if (fips_is_started())
-		{
-		if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
-		fips_rand_check = rand_check;
-		if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
-		}
-	}
+    if (sizeof(TCHAR)==sizeof(char))
+	fmt=(const TCHAR *)fmta;
+    else do
+    { int    keepgoing;
+      size_t len_0=strlen(fmta)+1,i;
+      WCHAR *fmtw;
 
-int FIPS_mode(void)
-	{
-	int ret = 0;
-	int owning_thread = fips_is_owning_thread();
+#ifdef _MSC_VER
+	fmtw = (WCHAR *)_alloca (len_0*sizeof(WCHAR));
+#else
+	fmtw = (WCHAR *)alloca (len_0*sizeof(WCHAR));
+#endif
+	if (fmtw == NULL) { fmt=(const TCHAR *)L"no stack?"; break; }
 
-	if (fips_is_started())
-		{
-		if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
-		ret = fips_mode;
-		if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
+#ifndef OPENSSL_NO_MULTIBYTE
+	if (!MultiByteToWideChar(CP_ACP,0,fmta,len_0,fmtw,len_0))
+#endif
+	    for (i=0;i<len_0;i++) fmtw[i]=(WCHAR)fmta[i];
+
+	for (i=0;i<len_0;i++)
+	{   if (fmtw[i]==L'%') do
+	    {	keepgoing=0;
+		switch (fmtw[i+1])
+		{   case L'0': case L'1': case L'2': case L'3': case L'4':
+		    case L'5': case L'6': case L'7': case L'8': case L'9':
+		    case L'.': case L'*':
+		    case L'-':	i++; keepgoing=1; break;
+		    case L's':	fmtw[i+1]=L'S';   break;
+		    case L'S':	fmtw[i+1]=L's';   break;
+		    case L'c':	fmtw[i+1]=L'C';   break;
+		    case L'C':	fmtw[i+1]=L'c';   break;
 		}
-	return ret;
-	}
+	    } while (keepgoing);
+	}
+	fmt = (const TCHAR *)fmtw;
+    } while (0);
+
+    va_start (ap,fmta);
+    _vsntprintf (buf,sizeof(buf)/sizeof(TCHAR)-1,fmt,ap);
+    buf [sizeof(buf)/sizeof(TCHAR)-1] = _T('\0');
+    va_end (ap);
+
+#if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
+    /* this -------------v--- guards NT-specific calls */
+    if (GetVersion() < 0x80000000 && OPENSSL_isservice())
+    {	HANDLE h = RegisterEventSource(0,_T("OPENSSL"));
+	const TCHAR *pmsg=buf;
+	ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0);
+	DeregisterEventSource(h);
+    }
+    else
+#endif
+	MessageBox (NULL,buf,_T("OpenSSL: FATAL"),MB_OK|MB_ICONSTOP);
+}
+#else
+void OPENSSL_showfatal (const char *fmta,...)
+{ va_list ap;
+
+    va_start (ap,fmta);
+    vfprintf (stderr,fmta,ap);
+    va_end (ap);
+}
+int OPENSSL_isservice (void) { return 0; }
+#endif
 
-void *FIPS_rand_check(void)
+void OpenSSLDie(const char *file,int line,const char *assertion)
 	{
-	void *ret = 0;
-	int owning_thread = fips_is_owning_thread();
-
-	if (fips_is_started())
-		{
-		if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
-		ret = fips_rand_check;
-		if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
-		}
-	return ret;
+	OPENSSL_showfatal(
+		"%s(%d): OpenSSL internal error, assertion failed: %s\n",
+		file,line,assertion);
+	abort();
 	}
 
-#endif /* OPENSSL_FIPS */
-
+void *OPENSSL_stderr(void)	{ return stderr; }
diff --git a/crypto/openssl/crypto/cryptlib.h b/crypto/openssl/crypto/cryptlib.h
index 0d6b9d59f0b1..5ceaa964b532 100644
--- a/crypto/openssl/crypto/cryptlib.h
+++ b/crypto/openssl/crypto/cryptlib.h
@@ -64,6 +64,11 @@
 
 #include "e_os.h"
 
+#ifdef OPENSSL_USE_APPLINK
+#define BIO_FLAGS_UPLINK 0x8000
+#include "ms/uplink.h"
+#endif
+
 #include <openssl/crypto.h>
 #include <openssl/buffer.h> 
 #include <openssl/bio.h> 
@@ -93,6 +98,13 @@ extern "C" {
 #define DECIMAL_SIZE(type)	((sizeof(type)*8+2)/3+1)
 #define HEX_SIZE(type)		(sizeof(type)*2)
 
+void OPENSSL_cpuid_setup(void);
+extern unsigned long OPENSSL_ia32cap_P;
+void OPENSSL_showfatal(const char *,...);
+void *OPENSSL_stderr(void);
+extern int OPENSSL_NONPIC_relocated;
+int OPENSSL_isservice(void);
+
 #ifdef  __cplusplus
 }
 #endif
diff --git a/crypto/openssl/crypto/crypto.h b/crypto/openssl/crypto/crypto.h
index b779a14d12f1..d2b5ffe3325b 100644
--- a/crypto/openssl/crypto/crypto.h
+++ b/crypto/openssl/crypto/crypto.h
@@ -1,4 +1,57 @@
 /* crypto/crypto.h */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -55,12 +108,19 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECDH support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #ifndef HEADER_CRYPTO_H
 #define HEADER_CRYPTO_H
 
 #include <stdlib.h>
 
+#include <openssl/e_os2.h>
+
 #ifndef OPENSSL_NO_FP_API
 #include <stdio.h>
 #endif
@@ -68,6 +128,7 @@
 #include <openssl/stack.h>
 #include <openssl/safestack.h>
 #include <openssl/opensslv.h>
+#include <openssl/ossl_typ.h>
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
@@ -92,15 +153,39 @@ extern "C" {
 #define SSLEAY_PLATFORM		4
 #define SSLEAY_DIR		5
 
+/* Already declared in ossl_typ.h */
+#if 0
+typedef struct crypto_ex_data_st CRYPTO_EX_DATA;
+/* Called when a new object is created */
+typedef int CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+					int idx, long argl, void *argp);
+/* Called when an object is free()ed */
+typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+					int idx, long argl, void *argp);
+/* Called when we need to dup an object */
+typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, 
+					int idx, long argl, void *argp);
+#endif
+
+/* A generic structure to pass assorted data in a expandable way */
+typedef struct openssl_item_st
+	{
+	int code;
+	void *value;		/* Not used for flag attributes */
+	size_t value_size;	/* Max size of value for output, length for input */
+	size_t *value_length;	/* Returned length of value for output */
+	} OPENSSL_ITEM;
+
+
 /* When changing the CRYPTO_LOCK_* list, be sure to maintin the text lock
  * names in cryptlib.c
  */
 
-#define CRYPTO_LOCK_ERR			1
-#define CRYPTO_LOCK_EX_DATA		2
-#define CRYPTO_LOCK_X509		3
-#define CRYPTO_LOCK_X509_INFO		4
-#define CRYPTO_LOCK_X509_PKEY		5
+#define	CRYPTO_LOCK_ERR			1
+#define	CRYPTO_LOCK_EX_DATA		2
+#define	CRYPTO_LOCK_X509		3
+#define	CRYPTO_LOCK_X509_INFO		4
+#define	CRYPTO_LOCK_X509_PKEY		5
 #define CRYPTO_LOCK_X509_CRL		6
 #define CRYPTO_LOCK_X509_REQ		7
 #define CRYPTO_LOCK_DSA			8
@@ -127,10 +212,14 @@ extern "C" {
 #define CRYPTO_LOCK_DYNLOCK		29
 #define CRYPTO_LOCK_ENGINE		30
 #define CRYPTO_LOCK_UI			31
-#define CRYPTO_LOCK_HWCRHK		32 /* This is a HACK which will disappear in 0.9.8 */
-#define CRYPTO_LOCK_FIPS		33
-#define CRYPTO_LOCK_FIPS2		34
-#define CRYPTO_NUM_LOCKS		35
+#define CRYPTO_LOCK_ECDSA               32
+#define CRYPTO_LOCK_EC			33
+#define CRYPTO_LOCK_ECDH		34
+#define CRYPTO_LOCK_BN  		35
+#define CRYPTO_LOCK_EC_PRE_COMP		36
+#define CRYPTO_LOCK_STORE		37
+#define CRYPTO_LOCK_COMP		38
+#define CRYPTO_NUM_LOCKS		39
 
 #define CRYPTO_LOCK		1
 #define CRYPTO_UNLOCK		2
@@ -191,21 +280,11 @@ typedef struct
 /* predec of the BIO type */
 typedef struct bio_st BIO_dummy;
 
-typedef struct crypto_ex_data_st
+struct crypto_ex_data_st
 	{
 	STACK *sk;
 	int dummy; /* gcc is screwing up this data structure :-( */
-	} CRYPTO_EX_DATA;
-
-/* Called when a new object is created */
-typedef int CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
-					int idx, long argl, void *argp);
-/* Called when an object is free()ed */
-typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
-					int idx, long argl, void *argp);
-/* Called when we need to dup an object */
-typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, 
-					int idx, long argl, void *argp);
+	};
 
 /* This stuff is basically class callback functions
  * The current classes are SSL_CTX, SSL, SSL_SESSION, and a few more */
@@ -237,6 +316,10 @@ DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS)
 #define CRYPTO_EX_INDEX_ENGINE		9
 #define CRYPTO_EX_INDEX_X509		10
 #define CRYPTO_EX_INDEX_UI		11
+#define CRYPTO_EX_INDEX_ECDSA		12
+#define CRYPTO_EX_INDEX_ECDH		13
+#define CRYPTO_EX_INDEX_COMP		14
+#define CRYPTO_EX_INDEX_STORE		15
 
 /* Dynamically assigned indexes start from this value (don't use directly, use
  * via CRYPTO_ex_data_new_class). */
@@ -434,12 +517,10 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
 
 /* die if we have to */
 void OpenSSLDie(const char *file,int line,const char *assertion);
-#define OPENSSL_assert(e)	((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+#define OPENSSL_assert(e)       (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1))
 
-#ifdef OPENSSL_FIPS
-int FIPS_mode(void);
-void *FIPS_rand_check(void);
-#endif /* def OPENSSL_FIPS */
+unsigned long *OPENSSL_ia32cap_loc(void);
+#define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
diff --git a/crypto/openssl/crypto/cversion.c b/crypto/openssl/crypto/cversion.c
index beeeb14013e7..ea9f25fd1666 100644
--- a/crypto/openssl/crypto/cversion.c
+++ b/crypto/openssl/crypto/cversion.c
@@ -56,10 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-#include <stdio.h>
-#include <string.h>
 #include "cryptlib.h"
-#include <openssl/crypto.h>
 
 #ifndef NO_WINDOWS_BRAINDEATH
 #include "buildinf.h"
diff --git a/crypto/openssl/crypto/des/FILES0 b/crypto/openssl/crypto/des/FILES0
index 1c2e1f75b96f..4c7ea2de7a06 100644
--- a/crypto/openssl/crypto/des/FILES0
+++ b/crypto/openssl/crypto/des/FILES0
@@ -8,7 +8,7 @@ README		- What this package is.
 VERSION		- Which version this is and what was changed.
 KERBEROS	- Kerberos version 4 notes.
 Makefile.PL	- An old makefile to build with perl5, not current.
-Makefile	- The SSLeay makefile
+Makefile.ssl	- The SSLeay makefile
 Makefile.uni	- The normal unix makefile.
 GNUmakefile	- The makefile for use with glibc.
 makefile.bc	- A Borland C makefile
diff --git a/crypto/openssl/crypto/des/Makefile b/crypto/openssl/crypto/des/Makefile
index b6c2b9a8dfe0..523dfe38f27c 100644
--- a/crypto/openssl/crypto/des/Makefile
+++ b/crypto/openssl/crypto/des/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/des/Makefile
+# OpenSSL/crypto/des/Makefile
 #
 
 DIR=	des
@@ -8,11 +8,6 @@ CC=	cc
 CPP=	$(CC) -E
 INCLUDES=-I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 RANLIB=		ranlib
@@ -22,6 +17,7 @@ DES_ENC=	des_enc.o fcrypt_b.o
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 ASFLAGS= $(INCLUDES) $(ASFLAG)
+AFLAGS= $(ASFLAGS)
 
 GENERAL=Makefile
 TEST=destest.c
@@ -65,32 +61,24 @@ lib:	$(LIBOBJ)
 des: des.o cbc3_enc.o lib
 	$(CC) $(CFLAGS) -o des des.o cbc3_enc.o $(LIB)
 
-# elf
-asm/dx86-elf.s:	asm/des-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
-	(cd asm; $(PERL) des-586.pl elf $(CFLAGS) > dx86-elf.s)
-
-asm/yx86-elf.s:	asm/crypt586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
-	(cd asm; $(PERL) crypt586.pl elf $(CFLAGS) > yx86-elf.s)
-
+des_enc-sparc.S:	asm/des_enc.m4
+	m4 -B 8192 asm/des_enc.m4 > des_enc-sparc.S
+
+# ELF
+dx86-elf.s:	asm/des-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) des-586.pl elf $(CFLAGS) > ../$@)
+yx86-elf.s:	asm/crypt586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) crypt586.pl elf $(CFLAGS) > ../$@)
+# COFF
+dx86-cof.s: asm/des-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) des-586.pl coff $(CFLAGS) > ../$@)
+yx86-cof.s: asm/crypt586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) crypt586.pl coff $(CFLAGS) > ../$@)
 # a.out
-asm/dx86-out.o: asm/dx86unix.cpp
-	$(CPP) -DOUT asm/dx86unix.cpp | as -o asm/dx86-out.o
-
-asm/yx86-out.o: asm/yx86unix.cpp
-	$(CPP) -DOUT asm/yx86unix.cpp | as -o asm/yx86-out.o
-
-# bsdi
-asm/dx86bsdi.o: asm/dx86unix.cpp
-	$(CPP) -DBSDI asm/dx86unix.cpp | sed 's/ :/:/' | as -o asm/dx86bsdi.o
-
-asm/yx86bsdi.o: asm/yx86unix.cpp
-	$(CPP) -DBSDI asm/yx86unix.cpp | sed 's/ :/:/' | as -o asm/yx86bsdi.o
-
-asm/dx86unix.cpp: asm/des-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
-	(cd asm; $(PERL) des-586.pl cpp >dx86unix.cpp)
-
-asm/yx86unix.cpp: asm/crypt586.pl ../perlasm/x86asm.pl
-	(cd asm; $(PERL) crypt586.pl cpp >yx86unix.cpp)
+dx86-out.s: asm/des-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) des-586.pl a.out $(CFLAGS) > ../$@)
+yx86-out.s: asm/crypt586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) crypt586.pl a.out $(CFLAGS) > ../$@)
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -100,10 +88,12 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
-install: installs
-
-installs:
-	@for i in $(EXHEADER) ; \
+# We need to use force because 'install' matches 'INSTALL' on case
+# insensitive systems
+FRC.install:
+install: FRC.install
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -118,6 +108,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -125,83 +116,77 @@ dclean:
 	mv -f Makefile.new $(MAKEFILE)
 
 clean:
-	rm -f asm/dx86unix.cpp asm/yx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj des lib tags core .pure .nfs* *.old *.bak fluff
+	rm -f *.s *.o *.obj des lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-cbc_cksm.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-cbc_cksm.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-cbc_cksm.o: ../../include/openssl/opensslconf.h
-cbc_cksm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+cbc_cksm.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+cbc_cksm.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+cbc_cksm.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 cbc_cksm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 cbc_cksm.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 cbc_cksm.o: cbc_cksm.c des_locl.h
-cbc_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-cbc_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-cbc_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-cbc_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-cbc_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-cbc_enc.o: ../../include/openssl/ui_compat.h cbc_enc.c des_locl.h ncbc_enc.c
-cfb64ede.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+cbc_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+cbc_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+cbc_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+cbc_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+cbc_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+cbc_enc.o: cbc_enc.c des_locl.h ncbc_enc.c
+cfb64ede.o: ../../e_os.h ../../include/openssl/des.h
 cfb64ede.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 cfb64ede.o: ../../include/openssl/opensslconf.h
-cfb64ede.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+cfb64ede.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 cfb64ede.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 cfb64ede.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 cfb64ede.o: cfb64ede.c des_locl.h
-cfb64enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-cfb64enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-cfb64enc.o: ../../include/openssl/opensslconf.h
-cfb64enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+cfb64enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+cfb64enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+cfb64enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 cfb64enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 cfb64enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 cfb64enc.o: cfb64enc.c des_locl.h
-cfb_enc.o: ../../e_os.h ../../include/openssl/crypto.h
-cfb_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-cfb_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-cfb_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-cfb_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-cfb_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-cfb_enc.o: cfb_enc.c des_locl.h
-des_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-des_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-des_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-des_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-des_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-des_enc.o: ../../include/openssl/ui_compat.h des_enc.c des_locl.h ncbc_enc.c
-des_old.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-des_old.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-des_old.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+cfb_enc.o: ../../e_os.h ../../include/openssl/des.h
+cfb_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+cfb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/ossl_typ.h
+cfb_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+cfb_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+cfb_enc.o: ../../include/openssl/ui_compat.h cfb_enc.c des_locl.h
+des_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+des_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+des_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+des_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+des_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+des_enc.o: des_enc.c des_locl.h ncbc_enc.c
+des_old.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+des_old.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 des_old.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 des_old.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 des_old.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 des_old.o: ../../include/openssl/ui_compat.h des_old.c
-des_old2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-des_old2.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-des_old2.o: ../../include/openssl/opensslconf.h
-des_old2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-des_old2.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
-des_old2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-des_old2.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-des_old2.o: des_old2.c
-ecb3_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-ecb3_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-ecb3_enc.o: ../../include/openssl/opensslconf.h
-ecb3_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+des_old2.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+des_old2.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+des_old2.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+des_old2.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+des_old2.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+des_old2.o: ../../include/openssl/ui_compat.h des_old2.c
+ecb3_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+ecb3_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+ecb3_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 ecb3_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 ecb3_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 ecb3_enc.o: des_locl.h ecb3_enc.c
 ecb_enc.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 ecb_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 ecb_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-ecb_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-ecb_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ecb_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-ecb_enc.o: des_locl.h des_ver.h ecb_enc.c spr.h
-ede_cbcm_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-ede_cbcm_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+ecb_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ecb_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ecb_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+ecb_enc.o: ../../include/openssl/ui_compat.h des_locl.h des_ver.h ecb_enc.c
+ecb_enc.o: spr.h
+ede_cbcm_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+ede_cbcm_enc.o: ../../include/openssl/e_os2.h
 ede_cbcm_enc.o: ../../include/openssl/opensslconf.h
-ede_cbcm_enc.o: ../../include/openssl/opensslv.h
+ede_cbcm_enc.o: ../../include/openssl/ossl_typ.h
 ede_cbcm_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 ede_cbcm_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 ede_cbcm_enc.o: ../../include/openssl/ui_compat.h des_locl.h ede_cbcm_enc.c
@@ -210,10 +195,11 @@ enc_read.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 enc_read.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 enc_read.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 enc_read.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-enc_read.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-enc_read.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-enc_read.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-enc_read.o: ../cryptlib.h des_locl.h enc_read.c
+enc_read.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+enc_read.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+enc_read.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+enc_read.o: ../../include/openssl/ui_compat.h ../cryptlib.h des_locl.h
+enc_read.o: enc_read.c
 enc_writ.o: ../../e_os.h ../../include/openssl/bio.h
 enc_writ.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 enc_writ.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
@@ -224,91 +210,83 @@ enc_writ.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 enc_writ.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 enc_writ.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 enc_writ.o: ../cryptlib.h des_locl.h enc_writ.c
-fcrypt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-fcrypt.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-fcrypt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-fcrypt.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-fcrypt.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-fcrypt.o: ../../include/openssl/ui_compat.h des_locl.h fcrypt.c
-fcrypt_b.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-fcrypt_b.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-fcrypt_b.o: ../../include/openssl/opensslconf.h
-fcrypt_b.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+fcrypt.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+fcrypt.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+fcrypt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+fcrypt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+fcrypt.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+fcrypt.o: des_locl.h fcrypt.c
+fcrypt_b.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+fcrypt_b.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+fcrypt_b.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 fcrypt_b.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 fcrypt_b.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 fcrypt_b.o: des_locl.h fcrypt_b.c
-ofb64ede.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-ofb64ede.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-ofb64ede.o: ../../include/openssl/opensslconf.h
-ofb64ede.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ofb64ede.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+ofb64ede.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+ofb64ede.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 ofb64ede.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 ofb64ede.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 ofb64ede.o: des_locl.h ofb64ede.c
-ofb64enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-ofb64enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-ofb64enc.o: ../../include/openssl/opensslconf.h
-ofb64enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ofb64enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+ofb64enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+ofb64enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 ofb64enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 ofb64enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 ofb64enc.o: des_locl.h ofb64enc.c
-ofb_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-ofb_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-ofb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-ofb_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ofb_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-ofb_enc.o: ../../include/openssl/ui_compat.h des_locl.h ofb_enc.c
-pcbc_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pcbc_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-pcbc_enc.o: ../../include/openssl/opensslconf.h
-pcbc_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ofb_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+ofb_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+ofb_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+ofb_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ofb_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+ofb_enc.o: des_locl.h ofb_enc.c
+pcbc_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+pcbc_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+pcbc_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 pcbc_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 pcbc_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 pcbc_enc.o: des_locl.h pcbc_enc.c
-qud_cksm.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-qud_cksm.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-qud_cksm.o: ../../include/openssl/opensslconf.h
-qud_cksm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+qud_cksm.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+qud_cksm.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+qud_cksm.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 qud_cksm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 qud_cksm.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 qud_cksm.o: des_locl.h qud_cksm.c
-rand_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-rand_key.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-rand_key.o: ../../include/openssl/opensslconf.h
-rand_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rand_key.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
-rand_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rand_key.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-rand_key.o: rand_key.c
+rand_key.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+rand_key.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+rand_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+rand_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rand_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+rand_key.o: ../../include/openssl/ui_compat.h rand_key.c
 read2pwd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 read2pwd.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 read2pwd.o: ../../include/openssl/opensslconf.h
-read2pwd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-read2pwd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-read2pwd.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-read2pwd.o: read2pwd.c
-rpc_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-rpc_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-rpc_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-rpc_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rpc_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-rpc_enc.o: ../../include/openssl/ui_compat.h des_locl.h des_ver.h rpc_des.h
-rpc_enc.o: rpc_enc.c
-set_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-set_key.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-set_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-set_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-set_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-set_key.o: ../../include/openssl/ui_compat.h des_locl.h set_key.c
+read2pwd.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+read2pwd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+read2pwd.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+read2pwd.o: ../../include/openssl/ui_compat.h read2pwd.c
+rpc_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+rpc_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+rpc_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+rpc_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rpc_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+rpc_enc.o: des_locl.h des_ver.h rpc_des.h rpc_enc.c
+set_key.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+set_key.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+set_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+set_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+set_key.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+set_key.o: des_locl.h set_key.c
 str2key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 str2key.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 str2key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-str2key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-str2key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-str2key.o: ../../include/openssl/ui_compat.h des_locl.h str2key.c
-xcbc_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-xcbc_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-xcbc_enc.o: ../../include/openssl/opensslconf.h
-xcbc_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+str2key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+str2key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+str2key.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+str2key.o: des_locl.h str2key.c
+xcbc_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+xcbc_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+xcbc_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 xcbc_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 xcbc_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 xcbc_enc.o: des_locl.h xcbc_enc.c
diff --git a/crypto/openssl/crypto/des/asm/des_enc.m4 b/crypto/openssl/crypto/des/asm/des_enc.m4
new file mode 100644
index 000000000000..f5b1928f99c4
--- /dev/null
+++ b/crypto/openssl/crypto/des/asm/des_enc.m4
@@ -0,0 +1,1980 @@
+!  des_enc.m4
+!  des_enc.S  (generated from des_enc.m4)
+!
+!  UltraSPARC assembler version of the LibDES/SSLeay/OpenSSL des_enc.c file.
+!
+!  Version 1.0. 32-bit version.
+!
+!  June 8, 2000.
+!
+!  Version 2.0. 32/64-bit, PIC-ification, blended CPU adaptation
+!		by Andy Polyakov.
+!
+!  January 1, 2003.
+!
+!  Assembler version: Copyright Svend Olaf Mikkelsen.
+!
+!  Original C code: Copyright Eric A. Young.
+!
+!  This code can be freely used by LibDES/SSLeay/OpenSSL users.
+!
+!  The LibDES/SSLeay/OpenSSL copyright notices must be respected.
+!
+!  This version can be redistributed.
+!
+!  To expand the m4 macros: m4 -B 8192 des_enc.m4 > des_enc.S
+!
+!  Global registers 1 to 5 are used. This is the same as done by the
+!  cc compiler. The UltraSPARC load/store little endian feature is used.
+!
+!  Instruction grouping often refers to one CPU cycle.
+!
+!  Assemble through gcc: gcc -c -mcpu=ultrasparc -o des_enc.o des_enc.S
+!
+!  Assemble through cc:  cc -c -xarch=v8plusa -o des_enc.o des_enc.S
+!
+!  Performance improvement according to './apps/openssl speed des'
+!
+!	32-bit build:
+!		23%  faster than cc-5.2 -xarch=v8plus -xO5
+!		115% faster than gcc-3.2.1 -m32 -mcpu=ultrasparc -O5
+!	64-bit build:
+!		50%  faster than cc-5.2 -xarch=v9 -xO5
+!		100% faster than gcc-3.2.1 -m64 -mcpu=ultrasparc -O5
+!
+
+.ident "des_enc.m4 2.1"
+
+#if defined(__SUNPRO_C) && defined(__sparcv9)
+# define ABI64  /* They've said -xarch=v9 at command line */
+#elif defined(__GNUC__) && defined(__arch64__)
+# define ABI64  /* They've said -m64 at command line */
+#endif
+
+#ifdef ABI64
+  .register	%g2,#scratch
+  .register	%g3,#scratch
+# define	FRAME	-192
+# define	BIAS	2047
+# define	LDPTR	ldx
+# define	STPTR	stx
+# define	ARG0	128
+# define	ARGSZ	8
+# ifndef OPENSSL_SYSNAME_ULTRASPARC
+# define OPENSSL_SYSNAME_ULTRASPARC
+# endif
+#else
+# define	FRAME	-96
+# define	BIAS	0
+# define	LDPTR	ld
+# define	STPTR	st
+# define	ARG0	68
+# define	ARGSZ	4
+#endif
+
+#define LOOPS 7
+
+#define global0 %g0
+#define global1 %g1
+#define global2 %g2
+#define global3 %g3
+#define global4 %g4
+#define global5 %g5
+
+#define local0 %l0
+#define local1 %l1
+#define local2 %l2
+#define local3 %l3
+#define local4 %l4
+#define local5 %l5
+#define local7 %l6
+#define local6 %l7
+
+#define in0 %i0
+#define in1 %i1
+#define in2 %i2
+#define in3 %i3
+#define in4 %i4
+#define in5 %i5
+#define in6 %i6
+#define in7 %i7
+
+#define out0 %o0
+#define out1 %o1
+#define out2 %o2
+#define out3 %o3
+#define out4 %o4
+#define out5 %o5
+#define out6 %o6
+#define out7 %o7
+
+#define stub stb
+
+changequote({,})
+
+
+! Macro definitions:
+
+
+! {ip_macro}
+!
+! The logic used in initial and final permutations is the same as in
+! the C code. The permutations are done with a clever shift, xor, and
+! technique.
+!
+! The macro also loads address sbox 1 to 5 to global 1 to 5, address
+! sbox 6 to local6, and addres sbox 8 to out3.
+!
+! Rotates the halfs 3 left to bring the sbox bits in convenient positions.
+!
+! Loads key first round from address in parameter 5 to out0, out1.
+!
+! After the the original LibDES initial permutation, the resulting left
+! is in the variable initially used for right and vice versa. The macro
+! implements the possibility to keep the halfs in the original registers.
+!
+! parameter 1  left
+! parameter 2  right
+! parameter 3  result left (modify in first round)
+! parameter 4  result right (use in first round)
+! parameter 5  key address
+! parameter 6  1/2 for include encryption/decryption
+! parameter 7  1 for move in1 to in3
+! parameter 8  1 for move in3 to in4, 2 for move in4 to in3
+! parameter 9  1 for load ks3 and ks2 to in4 and in3
+
+define(ip_macro, {
+
+! {ip_macro}
+! $1 $2 $4 $3 $5 $6 $7 $8 $9
+
+	ld	[out2+256], local1
+	srl	$2, 4, local4
+
+	xor	local4, $1, local4
+	ifelse($7,1,{mov in1, in3},{nop})
+
+	ld	[out2+260], local2
+	and	local4, local1, local4
+	ifelse($8,1,{mov in3, in4},{})
+	ifelse($8,2,{mov in4, in3},{})
+
+	ld	[out2+280], out4          ! loop counter
+	sll	local4, 4, local1
+	xor	$1, local4, $1
+
+	ld	[out2+264], local3
+	srl	$1, 16, local4
+	xor	$2, local1, $2
+
+	ifelse($9,1,{LDPTR	KS3, in4},{})
+	xor	local4, $2, local4
+	nop	!sethi	%hi(DES_SPtrans), global1 ! sbox addr
+
+	ifelse($9,1,{LDPTR	KS2, in3},{})
+	and	local4, local2, local4
+	nop	!or	global1, %lo(DES_SPtrans), global1   ! sbox addr
+
+	sll	local4, 16, local1
+	xor	$2, local4, $2
+
+	srl	$2, 2, local4
+	xor	$1, local1, $1
+
+	sethi	%hi(16711680), local5
+	xor	local4, $1, local4
+
+	and	local4, local3, local4
+	or	local5, 255, local5
+
+	sll	local4, 2, local2
+	xor	$1, local4, $1
+
+	srl	$1, 8, local4
+	xor	$2, local2, $2
+
+	xor	local4, $2, local4
+	add	global1, 768, global4
+
+	and	local4, local5, local4
+	add	global1, 1024, global5
+
+	ld	[out2+272], local7
+	sll	local4, 8, local1
+	xor	$2, local4, $2
+
+	srl	$2, 1, local4
+	xor	$1, local1, $1
+
+	ld	[$5], out0                ! key 7531
+	xor	local4, $1, local4
+	add	global1, 256, global2
+
+	ld	[$5+4], out1              ! key 8642
+	and	local4, local7, local4
+	add	global1, 512, global3
+
+	sll	local4, 1, local1
+	xor	$1, local4, $1
+
+	sll	$1, 3, local3
+	xor	$2, local1, $2
+
+	sll	$2, 3, local2
+	add	global1, 1280, local6     ! address sbox 8
+
+	srl	$1, 29, local4
+	add	global1, 1792, out3       ! address sbox 8
+
+	srl	$2, 29, local1
+	or	local4, local3, $4
+
+	or	local2, local1, $3
+
+	ifelse($6, 1, {
+
+		ld	[out2+284], local5     ! 0x0000FC00 used in the rounds
+		or	local2, local1, $3
+		xor	$4, out0, local1
+
+		call .des_enc.1
+		and	local1, 252, local1
+
+	},{})
+
+	ifelse($6, 2, {
+
+		ld	[out2+284], local5     ! 0x0000FC00 used in the rounds
+		or	local2, local1, $3
+		xor	$4, out0, local1
+
+		call .des_dec.1
+		and	local1, 252, local1
+
+	},{})
+})
+
+
+! {rounds_macro}
+!
+! The logic used in the DES rounds is the same as in the C code,
+! except that calculations for sbox 1 and sbox 5 begin before
+! the previous round is finished.
+!
+! In each round one half (work) is modified based on key and the
+! other half (use).
+!
+! In this version we do two rounds in a loop repeated 7 times
+! and two rounds seperately.
+!
+! One half has the bits for the sboxes in the following positions:
+!
+!	777777xx555555xx333333xx111111xx
+!
+!	88xx666666xx444444xx222222xx8888
+!
+! The bits for each sbox are xor-ed with the key bits for that box.
+! The above xx bits are cleared, and the result used for lookup in
+! the sbox table. Each sbox entry contains the 4 output bits permuted
+! into 32 bits according to the P permutation.
+!
+! In the description of DES, left and right are switched after
+! each round, except after last round. In this code the original
+! left and right are kept in the same register in all rounds, meaning
+! that after the 16 rounds the result for right is in the register
+! originally used for left.
+!
+! parameter 1  first work (left in first round)
+! parameter 2  first use (right in first round)
+! parameter 3  enc/dec  1/-1
+! parameter 4  loop label
+! parameter 5  key address register
+! parameter 6  optional address for key next encryption/decryption
+! parameter 7  not empty for include retl
+!
+! also compares in2 to 8
+
+define(rounds_macro, {
+
+! {rounds_macro}
+! $1 $2 $3 $4 $5 $6 $7 $8 $9
+
+	xor	$2, out0, local1
+
+	ld	[out2+284], local5        ! 0x0000FC00
+	ba	$4
+	and	local1, 252, local1
+
+	.align 32
+
+$4:
+	! local6 is address sbox 6
+	! out3   is address sbox 8
+	! out4   is loop counter
+
+	ld	[global1+local1], local1
+	xor	$2, out1, out1            ! 8642
+	xor	$2, out0, out0            ! 7531
+	fmovs	%f0, %f0                  ! fxor used for alignment
+
+	srl	out1, 4, local0           ! rotate 4 right
+	and	out0, local5, local3      ! 3
+	fmovs	%f0, %f0
+
+	ld	[$5+$3*8], local7         ! key 7531 next round
+	srl	local3, 8, local3         ! 3
+	and	local0, 252, local2       ! 2
+	fmovs	%f0, %f0
+
+	ld	[global3+local3],local3   ! 3
+	sll	out1, 28, out1            ! rotate
+	xor	$1, local1, $1            ! 1 finished, local1 now sbox 7
+
+	ld	[global2+local2], local2  ! 2 
+	srl	out0, 24, local1          ! 7
+	or	out1, local0, out1        ! rotate
+
+	ldub	[out2+local1], local1     ! 7 (and 0xFC)
+	srl	out1, 24, local0          ! 8
+	and	out1, local5, local4      ! 4
+
+	ldub	[out2+local0], local0     ! 8 (and 0xFC)
+	srl	local4, 8, local4         ! 4
+	xor	$1, local2, $1            ! 2 finished local2 now sbox 6
+
+	ld	[global4+local4],local4   ! 4
+	srl	out1, 16, local2          ! 6
+	xor	$1, local3, $1            ! 3 finished local3 now sbox 5
+
+	ld	[out3+local0],local0      ! 8
+	and	local2, 252, local2       ! 6
+	add	global1, 1536, local5     ! address sbox 7
+
+	ld	[local6+local2], local2   ! 6
+	srl	out0, 16, local3          ! 5
+	xor	$1, local4, $1            ! 4 finished
+
+	ld	[local5+local1],local1    ! 7
+	and	local3, 252, local3       ! 5
+	xor	$1, local0, $1            ! 8 finished
+
+	ld	[global5+local3],local3   ! 5
+	xor	$1, local2, $1            ! 6 finished
+	subcc	out4, 1, out4
+
+	ld	[$5+$3*8+4], out0         ! key 8642 next round
+	xor	$1, local7, local2        ! sbox 5 next round
+	xor	$1, local1, $1            ! 7 finished
+
+	srl	local2, 16, local2        ! sbox 5 next round
+	xor	$1, local3, $1            ! 5 finished
+
+	ld	[$5+$3*16+4], out1        ! key 8642 next round again
+	and	local2, 252, local2       ! sbox5 next round
+! next round
+	xor	$1, local7, local7        ! 7531
+
+	ld	[global5+local2], local2  ! 5
+	srl	local7, 24, local3        ! 7
+	xor	$1, out0, out0            ! 8642
+
+	ldub	[out2+local3], local3     ! 7 (and 0xFC)
+	srl	out0, 4, local0           ! rotate 4 right
+	and	local7, 252, local1       ! 1
+
+	sll	out0, 28, out0            ! rotate
+	xor	$2, local2, $2            ! 5 finished local2 used
+
+	srl	local0, 8, local4         ! 4
+	and	local0, 252, local2       ! 2
+	ld	[local5+local3], local3   ! 7
+
+	srl	local0, 16, local5        ! 6
+	or	out0, local0, out0        ! rotate
+	ld	[global2+local2], local2  ! 2
+
+	srl	out0, 24, local0
+	ld	[$5+$3*16], out0          ! key 7531 next round
+	and	local4, 252, local4	  ! 4
+
+	and	local5, 252, local5       ! 6
+	ld	[global4+local4], local4  ! 4
+	xor	$2, local3, $2            ! 7 finished local3 used
+
+	and	local0, 252, local0       ! 8
+	ld	[local6+local5], local5   ! 6
+	xor	$2, local2, $2            ! 2 finished local2 now sbox 3
+
+	srl	local7, 8, local2         ! 3 start
+	ld	[out3+local0], local0     ! 8
+	xor	$2, local4, $2            ! 4 finished
+
+	and	local2, 252, local2       ! 3
+	ld	[global1+local1], local1  ! 1
+	xor	$2, local5, $2            ! 6 finished local5 used
+
+	ld	[global3+local2], local2  ! 3
+	xor	$2, local0, $2            ! 8 finished
+	add	$5, $3*16, $5             ! enc add 8, dec add -8 to key pointer
+
+	ld	[out2+284], local5        ! 0x0000FC00
+	xor	$2, out0, local4          ! sbox 1 next round
+	xor	$2, local1, $2            ! 1 finished
+
+	xor	$2, local2, $2            ! 3 finished
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	bne,pt	%icc, $4
+#else
+	bne	$4
+#endif
+	and	local4, 252, local1       ! sbox 1 next round
+
+! two rounds more:
+
+	ld	[global1+local1], local1
+	xor	$2, out1, out1
+	xor	$2, out0, out0
+
+	srl	out1, 4, local0           ! rotate
+	and	out0, local5, local3
+
+	ld	[$5+$3*8], local7         ! key 7531
+	srl	local3, 8, local3
+	and	local0, 252, local2
+
+	ld	[global3+local3],local3
+	sll	out1, 28, out1            ! rotate
+	xor	$1, local1, $1            ! 1 finished, local1 now sbox 7
+
+	ld	[global2+local2], local2
+	srl	out0, 24, local1
+	or	out1, local0, out1        ! rotate
+
+	ldub	[out2+local1], local1
+	srl	out1, 24, local0
+	and	out1, local5, local4
+
+	ldub	[out2+local0], local0
+	srl	local4, 8, local4
+	xor	$1, local2, $1            ! 2 finished local2 now sbox 6
+
+	ld	[global4+local4],local4
+	srl	out1, 16, local2
+	xor	$1, local3, $1            ! 3 finished local3 now sbox 5
+
+	ld	[out3+local0],local0
+	and	local2, 252, local2
+	add	global1, 1536, local5     ! address sbox 7
+
+	ld	[local6+local2], local2
+	srl	out0, 16, local3
+	xor	$1, local4, $1            ! 4 finished
+
+	ld	[local5+local1],local1
+	and	local3, 252, local3
+	xor	$1, local0, $1
+
+	ld	[global5+local3],local3
+	xor	$1, local2, $1            ! 6 finished
+	cmp	in2, 8
+
+	ifelse($6,{}, {}, {ld	[out2+280], out4})  ! loop counter
+	xor	$1, local7, local2        ! sbox 5 next round
+	xor	$1, local1, $1            ! 7 finished
+
+	ld	[$5+$3*8+4], out0
+	srl	local2, 16, local2        ! sbox 5 next round
+	xor	$1, local3, $1            ! 5 finished
+
+	and	local2, 252, local2
+! next round (two rounds more)
+	xor	$1, local7, local7        ! 7531
+
+	ld	[global5+local2], local2
+	srl	local7, 24, local3
+	xor	$1, out0, out0            ! 8642
+
+	ldub	[out2+local3], local3
+	srl	out0, 4, local0           ! rotate
+	and	local7, 252, local1
+
+	sll	out0, 28, out0            ! rotate
+	xor	$2, local2, $2            ! 5 finished local2 used
+
+	srl	local0, 8, local4
+	and	local0, 252, local2
+	ld	[local5+local3], local3
+
+	srl	local0, 16, local5
+	or	out0, local0, out0        ! rotate
+	ld	[global2+local2], local2
+
+	srl	out0, 24, local0
+	ifelse($6,{}, {}, {ld	[$6], out0})   ! key next encryption/decryption
+	and	local4, 252, local4
+
+	and	local5, 252, local5
+	ld	[global4+local4], local4
+	xor	$2, local3, $2            ! 7 finished local3 used
+
+	and	local0, 252, local0
+	ld	[local6+local5], local5
+	xor	$2, local2, $2            ! 2 finished local2 now sbox 3
+
+	srl	local7, 8, local2         ! 3 start
+	ld	[out3+local0], local0
+	xor	$2, local4, $2
+
+	and	local2, 252, local2
+	ld	[global1+local1], local1
+	xor	$2, local5, $2            ! 6 finished local5 used
+
+	ld	[global3+local2], local2
+	srl	$1, 3, local3
+	xor	$2, local0, $2
+
+	ifelse($6,{}, {}, {ld	[$6+4], out1}) ! key next encryption/decryption
+	sll	$1, 29, local4
+	xor	$2, local1, $2
+
+	ifelse($7,{}, {}, {retl})
+	xor	$2, local2, $2
+})
+
+
+! {fp_macro}
+!
+!  parameter 1   right (original left)
+!  parameter 2   left (original right)
+!  parameter 3   1 for optional store to [in0]
+!  parameter 4   1 for load input/output address to local5/7
+!
+!  The final permutation logic switches the halfes, meaning that
+!  left and right ends up the the registers originally used.
+
+define(fp_macro, {
+
+! {fp_macro}
+! $1 $2 $3 $4 $5 $6 $7 $8 $9
+
+	! initially undo the rotate 3 left done after initial permutation
+	! original left is received shifted 3 right and 29 left in local3/4
+
+	sll	$2, 29, local1
+	or	local3, local4, $1
+
+	srl	$2, 3, $2
+	sethi	%hi(0x55555555), local2
+
+	or	$2, local1, $2
+	or	local2, %lo(0x55555555), local2
+
+	srl	$2, 1, local3
+	sethi	%hi(0x00ff00ff), local1
+	xor	local3, $1, local3
+	or	local1, %lo(0x00ff00ff), local1
+	and	local3, local2, local3
+	sethi	%hi(0x33333333), local4
+	sll	local3, 1, local2
+
+	xor	$1, local3, $1
+
+	srl	$1, 8, local3
+	xor	$2, local2, $2
+	xor	local3, $2, local3
+	or	local4, %lo(0x33333333), local4
+	and	local3, local1, local3
+	sethi	%hi(0x0000ffff), local1
+	sll	local3, 8, local2
+
+	xor	$2, local3, $2
+
+	srl	$2, 2, local3
+	xor	$1, local2, $1
+	xor	local3, $1, local3
+	or	local1, %lo(0x0000ffff), local1
+	and	local3, local4, local3
+	sethi	%hi(0x0f0f0f0f), local4
+	sll	local3, 2, local2
+
+	ifelse($4,1, {LDPTR INPUT, local5})
+	xor	$1, local3, $1
+
+	ifelse($4,1, {LDPTR OUTPUT, local7})
+	srl	$1, 16, local3
+	xor	$2, local2, $2
+	xor	local3, $2, local3
+	or	local4, %lo(0x0f0f0f0f), local4
+	and	local3, local1, local3
+	sll	local3, 16, local2
+
+	xor	$2, local3, local1
+
+	srl	local1, 4, local3
+	xor	$1, local2, $1
+	xor	local3, $1, local3
+	and	local3, local4, local3
+	sll	local3, 4, local2
+
+	xor	$1, local3, $1
+
+	! optional store:
+
+	ifelse($3,1, {st $1, [in0]})
+
+	xor	local1, local2, $2
+
+	ifelse($3,1, {st $2, [in0+4]})
+
+})
+
+
+! {fp_ip_macro}
+!
+! Does initial permutation for next block mixed with
+! final permutation for current block.
+!
+! parameter 1   original left
+! parameter 2   original right
+! parameter 3   left ip
+! parameter 4   right ip
+! parameter 5   1: load ks1/ks2 to in3/in4, add 120 to in4
+!                2: mov in4 to in3
+!
+! also adds -8 to length in2 and loads loop counter to out4
+
+define(fp_ip_macro, {
+
+! {fp_ip_macro}
+! $1 $2 $3 $4 $5 $6 $7 $8 $9
+
+	define({temp1},{out4})
+	define({temp2},{local3})
+
+	define({ip1},{local1})
+	define({ip2},{local2})
+	define({ip4},{local4})
+	define({ip5},{local5})
+
+	! $1 in local3, local4
+
+	ld	[out2+256], ip1
+	sll	out5, 29, temp1
+	or	local3, local4, $1
+
+	srl	out5, 3, $2
+	ifelse($5,2,{mov in4, in3})
+
+	ld	[out2+272], ip5
+	srl	$4, 4, local0
+	or	$2, temp1, $2
+
+	srl	$2, 1, temp1
+	xor	temp1, $1, temp1
+
+	and	temp1, ip5, temp1
+	xor	local0, $3, local0
+
+	sll	temp1, 1, temp2
+	xor	$1, temp1, $1
+
+	and	local0, ip1, local0
+	add	in2, -8, in2
+
+	sll	local0, 4, local7
+	xor	$3, local0, $3
+
+	ld	[out2+268], ip4
+	srl	$1, 8, temp1
+	xor	$2, temp2, $2
+	ld	[out2+260], ip2
+	srl	$3, 16, local0
+	xor	$4, local7, $4
+	xor	temp1, $2, temp1
+	xor	local0, $4, local0
+	and	temp1, ip4, temp1
+	and	local0, ip2, local0
+	sll	temp1, 8, temp2
+	xor	$2, temp1, $2
+	sll	local0, 16, local7
+	xor	$4, local0, $4
+
+	srl	$2, 2, temp1
+	xor	$1, temp2, $1
+
+	ld	[out2+264], temp2         ! ip3
+	srl	$4, 2, local0
+	xor	$3, local7, $3
+	xor	temp1, $1, temp1
+	xor	local0, $3, local0
+	and	temp1, temp2, temp1
+	and	local0, temp2, local0
+	sll	temp1, 2, temp2
+	xor	$1, temp1, $1
+	sll	local0, 2, local7
+	xor	$3, local0, $3
+
+	srl	$1, 16, temp1
+	xor	$2, temp2, $2
+	srl	$3, 8, local0
+	xor	$4, local7, $4
+	xor	temp1, $2, temp1
+	xor	local0, $4, local0
+	and	temp1, ip2, temp1
+	and	local0, ip4, local0
+	sll	temp1, 16, temp2
+	xor	$2, temp1, local4
+	sll	local0, 8, local7
+	xor	$4, local0, $4
+
+	srl	$4, 1, local0
+	xor	$3, local7, $3
+
+	srl	local4, 4, temp1
+	xor	local0, $3, local0
+
+	xor	$1, temp2, $1
+	and	local0, ip5, local0
+
+	sll	local0, 1, local7
+	xor	temp1, $1, temp1
+
+	xor	$3, local0, $3
+	xor	$4, local7, $4
+
+	sll	$3, 3, local5
+	and	temp1, ip1, temp1
+
+	sll	temp1, 4, temp2
+	xor	$1, temp1, $1
+
+	ifelse($5,1,{LDPTR	KS2, in4})
+	sll	$4, 3, local2
+	xor	local4, temp2, $2
+
+	! reload since used as temporar:
+
+	ld	[out2+280], out4          ! loop counter
+
+	srl	$3, 29, local0
+	ifelse($5,1,{add in4, 120, in4})
+
+	ifelse($5,1,{LDPTR	KS1, in3})
+	srl	$4, 29, local7
+
+	or	local0, local5, $4
+	or	local2, local7, $3
+
+})
+
+
+
+! {load_little_endian}
+!
+! parameter 1  address
+! parameter 2  destination left
+! parameter 3  destination right
+! parameter 4  temporar
+! parameter 5  label
+
+define(load_little_endian, {
+
+! {load_little_endian}
+! $1 $2 $3 $4 $5 $6 $7 $8 $9
+
+	! first in memory to rightmost in register
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	andcc	$1, 3, global0
+	bne,pn	%icc, $5
+	nop
+
+	lda	[$1] 0x88, $2
+	add	$1, 4, $4
+
+	ba,pt	%icc, $5a
+	lda	[$4] 0x88, $3
+#endif
+
+$5:
+	ldub	[$1+3], $2
+
+	ldub	[$1+2], $4
+	sll	$2, 8, $2
+	or	$2, $4, $2
+
+	ldub	[$1+1], $4
+	sll	$2, 8, $2
+	or	$2, $4, $2
+
+	ldub	[$1+0], $4
+	sll	$2, 8, $2
+	or	$2, $4, $2
+
+
+	ldub	[$1+3+4], $3
+
+	ldub	[$1+2+4], $4
+	sll	$3, 8, $3
+	or	$3, $4, $3
+
+	ldub	[$1+1+4], $4
+	sll	$3, 8, $3
+	or	$3, $4, $3
+
+	ldub	[$1+0+4], $4
+	sll	$3, 8, $3
+	or	$3, $4, $3
+$5a:
+
+})
+
+
+! {load_little_endian_inc}
+!
+! parameter 1  address
+! parameter 2  destination left
+! parameter 3  destination right
+! parameter 4  temporar
+! parameter 4  label
+!
+! adds 8 to address
+
+define(load_little_endian_inc, {
+
+! {load_little_endian_inc}
+! $1 $2 $3 $4 $5 $6 $7 $8 $9
+
+	! first in memory to rightmost in register
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	andcc	$1, 3, global0
+	bne,pn	%icc, $5
+	nop
+
+	lda	[$1] 0x88, $2
+	add	$1, 4, $1
+
+	lda	[$1] 0x88, $3
+	ba,pt	%icc, $5a
+	add	$1, 4, $1
+#endif
+
+$5:
+	ldub	[$1+3], $2
+
+	ldub	[$1+2], $4
+	sll	$2, 8, $2
+	or	$2, $4, $2
+
+	ldub	[$1+1], $4
+	sll	$2, 8, $2
+	or	$2, $4, $2
+
+	ldub	[$1+0], $4
+	sll	$2, 8, $2
+	or	$2, $4, $2
+
+	ldub	[$1+3+4], $3
+	add	$1, 8, $1
+
+	ldub	[$1+2+4-8], $4
+	sll	$3, 8, $3
+	or	$3, $4, $3
+
+	ldub	[$1+1+4-8], $4
+	sll	$3, 8, $3
+	or	$3, $4, $3
+
+	ldub	[$1+0+4-8], $4
+	sll	$3, 8, $3
+	or	$3, $4, $3
+$5a:
+
+})
+
+
+! {load_n_bytes}
+!
+! Loads 1 to 7 bytes little endian
+! Remaining bytes are zeroed.
+!
+! parameter 1  address
+! parameter 2  length
+! parameter 3  destination register left
+! parameter 4  destination register right
+! parameter 5  temp
+! parameter 6  temp2
+! parameter 7  label
+! parameter 8  return label
+
+define(load_n_bytes, {
+
+! {load_n_bytes}
+! $1 $2 $5 $6 $7 $8 $7 $8 $9
+
+$7.0:	call	.+8
+	sll	$2, 2, $6
+
+	add	%o7,$7.jmp.table-$7.0,$5
+
+	add	$5, $6, $5
+	mov	0, $4
+
+	ld	[$5], $5
+
+	jmp	%o7+$5
+	mov	0, $3
+
+$7.7:
+	ldub	[$1+6], $5
+	sll	$5, 16, $5
+	or	$3, $5, $3
+$7.6:
+	ldub	[$1+5], $5
+	sll	$5, 8, $5
+	or	$3, $5, $3
+$7.5:
+	ldub	[$1+4], $5
+	or	$3, $5, $3
+$7.4:
+	ldub	[$1+3], $5
+	sll	$5, 24, $5
+	or	$4, $5, $4
+$7.3:
+	ldub	[$1+2], $5
+	sll	$5, 16, $5
+	or	$4, $5, $4
+$7.2:
+	ldub	[$1+1], $5
+	sll	$5, 8, $5
+	or	$4, $5, $4
+$7.1:
+	ldub	[$1+0], $5
+	ba	$8
+	or	$4, $5, $4
+
+	.align 4
+
+$7.jmp.table:
+	.word	0
+	.word	$7.1-$7.0
+	.word	$7.2-$7.0
+	.word	$7.3-$7.0
+	.word	$7.4-$7.0
+	.word	$7.5-$7.0
+	.word	$7.6-$7.0
+	.word	$7.7-$7.0
+})
+
+
+! {store_little_endian}
+!
+! parameter 1  address
+! parameter 2  source left
+! parameter 3  source right
+! parameter 4  temporar
+
+define(store_little_endian, {
+
+! {store_little_endian}
+! $1 $2 $3 $4 $5 $6 $7 $8 $9
+
+	! rightmost in register to first in memory
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	andcc	$1, 3, global0
+	bne,pn	%icc, $5
+	nop
+
+	sta	$2, [$1] 0x88
+	add	$1, 4, $4
+
+	ba,pt	%icc, $5a
+	sta	$3, [$4] 0x88
+#endif
+
+$5:
+	and	$2, 255, $4
+	stub	$4, [$1+0]
+
+	srl	$2, 8, $4
+	and	$4, 255, $4
+	stub	$4, [$1+1]
+
+	srl	$2, 16, $4
+	and	$4, 255, $4
+	stub	$4, [$1+2]
+
+	srl	$2, 24, $4
+	stub	$4, [$1+3]
+
+
+	and	$3, 255, $4
+	stub	$4, [$1+0+4]
+
+	srl	$3, 8, $4
+	and	$4, 255, $4
+	stub	$4, [$1+1+4]
+
+	srl	$3, 16, $4
+	and	$4, 255, $4
+	stub	$4, [$1+2+4]
+
+	srl	$3, 24, $4
+	stub	$4, [$1+3+4]
+
+$5a:
+
+})
+
+
+! {store_n_bytes}
+!
+! Stores 1 to 7 bytes little endian
+!
+! parameter 1  address
+! parameter 2  length
+! parameter 3  source register left
+! parameter 4  source register right
+! parameter 5  temp
+! parameter 6  temp2
+! parameter 7  label
+! parameter 8  return label
+
+define(store_n_bytes, {
+
+! {store_n_bytes}
+! $1 $2 $5 $6 $7 $8 $7 $8 $9
+
+$7.0:	call	.+8
+	sll	$2, 2, $6
+
+	add	%o7,$7.jmp.table-$7.0,$5
+
+	add	$5, $6, $5
+
+	ld	[$5], $5
+
+	jmp	%o7+$5
+	nop
+
+$7.7:
+	srl	$3, 16, $5
+	and	$5, 0xff, $5
+	stub	$5, [$1+6]
+$7.6:
+	srl	$3, 8, $5
+	and	$5, 0xff, $5
+	stub	$5, [$1+5]
+$7.5:
+	and	$3, 0xff, $5
+	stub	$5, [$1+4]
+$7.4:
+	srl	$4, 24, $5
+	stub	$5, [$1+3]
+$7.3:
+	srl	$4, 16, $5
+	and	$5, 0xff, $5
+	stub	$5, [$1+2]
+$7.2:
+	srl	$4, 8, $5
+	and	$5, 0xff, $5
+	stub	$5, [$1+1]
+$7.1:
+	and	$4, 0xff, $5
+
+
+	ba	$8
+	stub	$5, [$1]
+
+	.align 4
+
+$7.jmp.table:
+
+	.word	0
+	.word	$7.1-$7.0
+	.word	$7.2-$7.0
+	.word	$7.3-$7.0
+	.word	$7.4-$7.0
+	.word	$7.5-$7.0
+	.word	$7.6-$7.0
+	.word	$7.7-$7.0
+})
+
+
+define(testvalue,{1})
+
+define(register_init, {
+
+! For test purposes:
+
+	sethi	%hi(testvalue), local0
+	or	local0, %lo(testvalue), local0
+
+	ifelse($1,{},{}, {mov	local0, $1})
+	ifelse($2,{},{}, {mov	local0, $2})
+	ifelse($3,{},{}, {mov	local0, $3})
+	ifelse($4,{},{}, {mov	local0, $4})
+	ifelse($5,{},{}, {mov	local0, $5})
+	ifelse($6,{},{}, {mov	local0, $6})
+	ifelse($7,{},{}, {mov	local0, $7})
+	ifelse($8,{},{}, {mov	local0, $8})
+
+	mov	local0, local1
+	mov	local0, local2
+	mov	local0, local3
+	mov	local0, local4
+	mov	local0, local5
+	mov	local0, local7
+	mov	local0, local6
+	mov	local0, out0
+	mov	local0, out1
+	mov	local0, out2
+	mov	local0, out3
+	mov	local0, out4
+	mov	local0, out5
+	mov	local0, global1
+	mov	local0, global2
+	mov	local0, global3
+	mov	local0, global4
+	mov	local0, global5
+
+})
+
+.section	".text"
+
+	.align 32
+
+.des_enc:
+
+	! key address in3
+	! loads key next encryption/decryption first round from [in4]
+
+	rounds_macro(in5, out5, 1, .des_enc.1, in3, in4, retl)
+
+
+	.align 32
+
+.des_dec:
+
+	! implemented with out5 as first parameter to avoid
+	! register exchange in ede modes
+
+	! key address in4
+	! loads key next encryption/decryption first round from [in3]
+
+	rounds_macro(out5, in5, -1, .des_dec.1, in4, in3, retl)
+
+
+
+! void DES_encrypt1(data, ks, enc)
+! *******************************
+
+	.align 32
+	.global DES_encrypt1
+	.type	 DES_encrypt1,#function
+
+DES_encrypt1:
+
+	save	%sp, FRAME, %sp
+
+	call	.PIC.me.up
+	mov	.PIC.me.up-(.-4),out0
+
+	ld	[in0], in5                ! left
+	cmp	in2, 0                    ! enc
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	be,pn	%icc, .encrypt.dec        ! enc/dec
+#else
+	be	.encrypt.dec
+#endif
+	ld	[in0+4], out5             ! right
+
+	! parameter 6  1/2 for include encryption/decryption
+	! parameter 7  1 for move in1 to in3
+	! parameter 8  1 for move in3 to in4, 2 for move in4 to in3
+
+	ip_macro(in5, out5, in5, out5, in3, 0, 1, 1)
+
+	rounds_macro(in5, out5, 1, .des_encrypt1.1, in3, in4) ! in4 not used
+
+	fp_macro(in5, out5, 1)            ! 1 for store to [in0]
+
+	ret
+	restore
+
+.encrypt.dec:
+
+	add	in1, 120, in3             ! use last subkey for first round
+
+	! parameter 6  1/2 for include encryption/decryption
+	! parameter 7  1 for move in1 to in3
+	! parameter 8  1 for move in3 to in4, 2 for move in4 to in3
+
+	ip_macro(in5, out5, out5, in5, in4, 2, 0, 1) ! include dec,  ks in4
+
+	fp_macro(out5, in5, 1)            ! 1 for store to [in0]
+
+	ret
+	restore
+
+.DES_encrypt1.end:
+	.size	 DES_encrypt1,.DES_encrypt1.end-DES_encrypt1
+
+
+! void DES_encrypt2(data, ks, enc)
+!*********************************
+
+	! encrypts/decrypts without initial/final permutation
+
+	.align 32
+	.global DES_encrypt2
+	.type	 DES_encrypt2,#function
+
+DES_encrypt2:
+
+	save	%sp, FRAME, %sp
+
+	call	.PIC.me.up
+	mov	.PIC.me.up-(.-4),out0
+
+	! Set sbox address 1 to 6 and rotate halfs 3 left
+	! Errors caught by destest? Yes. Still? *NO*
+
+	!sethi	%hi(DES_SPtrans), global1 ! address sbox 1
+
+	!or	global1, %lo(DES_SPtrans), global1  ! sbox 1
+
+	add	global1, 256, global2     ! sbox 2
+	add	global1, 512, global3     ! sbox 3
+
+	ld	[in0], out5               ! right
+	add	global1, 768, global4     ! sbox 4
+	add	global1, 1024, global5    ! sbox 5
+
+	ld	[in0+4], in5              ! left
+	add	global1, 1280, local6     ! sbox 6
+	add	global1, 1792, out3       ! sbox 8
+
+	! rotate
+
+	sll	in5, 3, local5
+	mov	in1, in3                  ! key address to in3
+
+	sll	out5, 3, local7
+	srl	in5, 29, in5
+
+	srl	out5, 29, out5
+	add	in5, local5, in5
+
+	add	out5, local7, out5
+	cmp	in2, 0
+
+	! we use our own stackframe
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	be,pn	%icc, .encrypt2.dec       ! decryption
+#else
+	be	.encrypt2.dec
+#endif
+	STPTR	in0, [%sp+BIAS+ARG0+0*ARGSZ]
+
+	ld	[in3], out0               ! key 7531 first round
+	mov	LOOPS, out4               ! loop counter
+
+	ld	[in3+4], out1             ! key 8642 first round
+	sethi	%hi(0x0000FC00), local5
+
+	call .des_enc
+	mov	in3, in4
+
+	! rotate
+	sll	in5, 29, in0
+	srl	in5, 3, in5
+	sll	out5, 29, in1
+	add	in5, in0, in5
+	srl	out5, 3, out5
+	LDPTR	[%sp+BIAS+ARG0+0*ARGSZ], in0
+	add	out5, in1, out5
+	st	in5, [in0]
+	st	out5, [in0+4]
+
+	ret
+	restore
+
+
+.encrypt2.dec:
+
+	add in3, 120, in4
+
+	ld	[in4], out0               ! key 7531 first round
+	mov	LOOPS, out4               ! loop counter
+
+	ld	[in4+4], out1             ! key 8642 first round
+	sethi	%hi(0x0000FC00), local5
+
+	mov	in5, local1               ! left expected in out5
+	mov	out5, in5
+
+	call .des_dec
+	mov	local1, out5
+
+.encrypt2.finish:
+
+	! rotate
+	sll	in5, 29, in0
+	srl	in5, 3, in5
+	sll	out5, 29, in1
+	add	in5, in0, in5
+	srl	out5, 3, out5
+	LDPTR	[%sp+BIAS+ARG0+0*ARGSZ], in0
+	add	out5, in1, out5
+	st	out5, [in0]
+	st	in5, [in0+4]
+
+	ret
+	restore
+
+.DES_encrypt2.end:
+	.size	 DES_encrypt2, .DES_encrypt2.end-DES_encrypt2
+
+
+! void DES_encrypt3(data, ks1, ks2, ks3)
+! **************************************
+
+	.align 32
+	.global DES_encrypt3
+	.type	 DES_encrypt3,#function
+
+DES_encrypt3:
+
+	save	%sp, FRAME, %sp
+	
+	call	.PIC.me.up
+	mov	.PIC.me.up-(.-4),out0
+
+	ld	[in0], in5                ! left
+	add	in2, 120, in4             ! ks2
+
+	ld	[in0+4], out5             ! right
+	mov	in3, in2                  ! save ks3
+
+	! parameter 6  1/2 for include encryption/decryption
+	! parameter 7  1 for mov in1 to in3
+	! parameter 8  1 for mov in3 to in4
+	! parameter 9  1 for load ks3 and ks2 to in4 and in3
+
+	ip_macro(in5, out5, in5, out5, in3, 1, 1, 0, 0)
+
+	call	.des_dec
+	mov	in2, in3                  ! preload ks3
+
+	call	.des_enc
+	nop
+
+	fp_macro(in5, out5, 1)
+
+	ret
+	restore
+
+.DES_encrypt3.end:
+	.size	 DES_encrypt3,.DES_encrypt3.end-DES_encrypt3
+
+
+! void DES_decrypt3(data, ks1, ks2, ks3)
+! **************************************
+
+	.align 32
+	.global DES_decrypt3
+	.type	 DES_decrypt3,#function
+
+DES_decrypt3:
+
+	save	%sp, FRAME, %sp
+	
+	call	.PIC.me.up
+	mov	.PIC.me.up-(.-4),out0
+
+	ld	[in0], in5                ! left
+	add	in3, 120, in4             ! ks3
+
+	ld	[in0+4], out5             ! right
+	mov	in2, in3                  ! ks2
+
+	! parameter 6  1/2 for include encryption/decryption
+	! parameter 7  1 for mov in1 to in3
+	! parameter 8  1 for mov in3 to in4
+	! parameter 9  1 for load ks3 and ks2 to in4 and in3
+
+	ip_macro(in5, out5, out5, in5, in4, 2, 0, 0, 0)
+
+	call	.des_enc
+	add	in1, 120, in4             ! preload ks1
+
+	call	.des_dec
+	nop
+
+	fp_macro(out5, in5, 1)
+
+	ret
+	restore
+
+.DES_decrypt3.end:
+	.size	 DES_decrypt3,.DES_decrypt3.end-DES_decrypt3
+
+	.align	256
+	.type	 .des_and,#object
+	.size	 .des_and,284
+
+.des_and:
+
+! This table is used for AND 0xFC when it is known that register
+! bits 8-31 are zero. Makes it possible to do three arithmetic
+! operations in one cycle.
+
+	.byte  0, 0, 0, 0, 4, 4, 4, 4
+	.byte  8, 8, 8, 8, 12, 12, 12, 12
+	.byte  16, 16, 16, 16, 20, 20, 20, 20
+	.byte  24, 24, 24, 24, 28, 28, 28, 28
+	.byte  32, 32, 32, 32, 36, 36, 36, 36
+	.byte  40, 40, 40, 40, 44, 44, 44, 44
+	.byte  48, 48, 48, 48, 52, 52, 52, 52
+	.byte  56, 56, 56, 56, 60, 60, 60, 60
+	.byte  64, 64, 64, 64, 68, 68, 68, 68
+	.byte  72, 72, 72, 72, 76, 76, 76, 76
+	.byte  80, 80, 80, 80, 84, 84, 84, 84
+	.byte  88, 88, 88, 88, 92, 92, 92, 92
+	.byte  96, 96, 96, 96, 100, 100, 100, 100
+	.byte  104, 104, 104, 104, 108, 108, 108, 108
+	.byte  112, 112, 112, 112, 116, 116, 116, 116
+	.byte  120, 120, 120, 120, 124, 124, 124, 124
+	.byte  128, 128, 128, 128, 132, 132, 132, 132
+	.byte  136, 136, 136, 136, 140, 140, 140, 140
+	.byte  144, 144, 144, 144, 148, 148, 148, 148
+	.byte  152, 152, 152, 152, 156, 156, 156, 156
+	.byte  160, 160, 160, 160, 164, 164, 164, 164
+	.byte  168, 168, 168, 168, 172, 172, 172, 172
+	.byte  176, 176, 176, 176, 180, 180, 180, 180
+	.byte  184, 184, 184, 184, 188, 188, 188, 188
+	.byte  192, 192, 192, 192, 196, 196, 196, 196
+	.byte  200, 200, 200, 200, 204, 204, 204, 204
+	.byte  208, 208, 208, 208, 212, 212, 212, 212
+	.byte  216, 216, 216, 216, 220, 220, 220, 220
+	.byte  224, 224, 224, 224, 228, 228, 228, 228
+	.byte  232, 232, 232, 232, 236, 236, 236, 236
+	.byte  240, 240, 240, 240, 244, 244, 244, 244
+	.byte  248, 248, 248, 248, 252, 252, 252, 252
+
+	! 5 numbers for initil/final permutation
+
+	.word   0x0f0f0f0f                ! offset 256
+	.word	0x0000ffff                ! 260
+	.word	0x33333333                ! 264
+	.word	0x00ff00ff                ! 268
+	.word	0x55555555                ! 272
+
+	.word	0                         ! 276
+	.word	LOOPS                     ! 280
+	.word	0x0000FC00                ! 284
+.PIC.DES_SPtrans:
+	.word	%r_disp32(DES_SPtrans)
+
+! input:	out0	offset between .PIC.me.up and caller
+! output:	out0	pointer to .PIC.me.up
+!		out2	pointer to .des_and
+!		global1	pointer to DES_SPtrans
+	.align	32
+.PIC.me.up:
+	add	out0,%o7,out0			! pointer to .PIC.me.up
+#if 1
+	ld	[out0+(.PIC.DES_SPtrans-.PIC.me.up)],global1
+	add	global1,(.PIC.DES_SPtrans-.PIC.me.up),global1
+	add	global1,out0,global1
+#else
+# ifdef OPENSSL_PIC
+	! In case anybody wonders why this code is same for both ABI.
+	! To start with it is not. Do note LDPTR below. But of course
+	! you must be wondering why the rest of it does not contain
+	! things like %hh, %hm and %lm. Well, those are needed only
+	! if OpenSSL library *itself* will become larger than 4GB,
+	! which is not going to happen any time soon. 
+	sethi	%hi(DES_SPtrans),global1
+	or	global1,%lo(DES_SPtrans),global1
+	sethi	%hi(_GLOBAL_OFFSET_TABLE_-(.PIC.me.up-.)),out2
+	add	global1,out0,global1
+	add	out2,%lo(_GLOBAL_OFFSET_TABLE_-(.PIC.me.up-.)),out2
+	LDPTR	[out2+global1],global1
+# elif 0
+	setn	DES_SPtrans,out2,global1	! synthetic instruction !
+# elif defined(ABI64)
+	sethi	%hh(DES_SPtrans),out2
+	or	out2,%hm(DES_SPtrans),out2
+	sethi	%lm(DES_SPtrans),global1
+	or	global1,%lo(DES_SPtrans),global1
+	sllx	out2,32,out2
+	or	out2,global1,global1
+# else
+	sethi	%hi(DES_SPtrans),global1
+	or	global1,%lo(DES_SPtrans),global1
+# endif
+#endif
+	retl
+	add	out0,.des_and-.PIC.me.up,out2
+
+! void DES_ncbc_encrypt(input, output, length, schedule, ivec, enc)
+! *****************************************************************
+
+
+	.align 32
+	.global DES_ncbc_encrypt
+	.type	 DES_ncbc_encrypt,#function
+
+DES_ncbc_encrypt:
+
+	save	%sp, FRAME, %sp
+	
+	define({INPUT},  { [%sp+BIAS+ARG0+0*ARGSZ] })
+	define({OUTPUT}, { [%sp+BIAS+ARG0+1*ARGSZ] })
+	define({IVEC},   { [%sp+BIAS+ARG0+4*ARGSZ] })
+
+	call	.PIC.me.up
+	mov	.PIC.me.up-(.-4),out0
+
+	cmp	in5, 0                    ! enc   
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	be,pn	%icc, .ncbc.dec
+#else
+	be	.ncbc.dec
+#endif
+	STPTR	in4, IVEC
+
+	! addr  left  right  temp  label
+	load_little_endian(in4, in5, out5, local3, .LLE1)  ! iv
+
+	addcc	in2, -8, in2              ! bytes missing when first block done
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	bl,pn	%icc, .ncbc.enc.seven.or.less
+#else
+	bl	.ncbc.enc.seven.or.less
+#endif
+	mov	in3, in4                  ! schedule
+
+.ncbc.enc.next.block:
+
+	load_little_endian(in0, out4, global4, local3, .LLE2)  ! block
+
+.ncbc.enc.next.block_1:
+
+	xor	in5, out4, in5            ! iv xor
+	xor	out5, global4, out5       ! iv xor
+
+	! parameter 8  1 for move in3 to in4, 2 for move in4 to in3
+	ip_macro(in5, out5, in5, out5, in3, 0, 0, 2)
+
+.ncbc.enc.next.block_2:
+
+!//	call .des_enc                     ! compares in2 to 8
+!	rounds inlined for alignment purposes
+
+	add	global1, 768, global4     ! address sbox 4 since register used below
+
+	rounds_macro(in5, out5, 1, .ncbc.enc.1, in3, in4) ! include encryption  ks in3
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	bl,pn	%icc, .ncbc.enc.next.block_fp
+#else
+	bl	.ncbc.enc.next.block_fp
+#endif
+	add	in0, 8, in0               ! input address
+
+	! If 8 or more bytes are to be encrypted after this block,
+	! we combine final permutation for this block with initial
+	! permutation for next block. Load next block:
+
+	load_little_endian(in0, global3, global4, local5, .LLE12)
+
+	!  parameter 1   original left
+	!  parameter 2   original right
+	!  parameter 3   left ip
+	!  parameter 4   right ip
+	!  parameter 5   1: load ks1/ks2 to in3/in4, add 120 to in4
+	!                2: mov in4 to in3
+	!
+	! also adds -8 to length in2 and loads loop counter to out4
+
+	fp_ip_macro(out0, out1, global3, global4, 2)
+
+	store_little_endian(in1, out0, out1, local3, .SLE10)  ! block
+
+	ld	[in3], out0               ! key 7531 first round next block
+	mov 	in5, local1
+	xor	global3, out5, in5        ! iv xor next block
+
+	ld	[in3+4], out1             ! key 8642
+	add	global1, 512, global3     ! address sbox 3 since register used
+	xor	global4, local1, out5     ! iv xor next block
+
+	ba	.ncbc.enc.next.block_2
+	add	in1, 8, in1               ! output adress
+
+.ncbc.enc.next.block_fp:
+
+	fp_macro(in5, out5)
+
+	store_little_endian(in1, in5, out5, local3, .SLE1)  ! block
+
+	addcc   in2, -8, in2              ! bytes missing when next block done
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	bpos,pt	%icc, .ncbc.enc.next.block  ! also jumps if 0
+#else
+	bpos	.ncbc.enc.next.block
+#endif
+	add	in1, 8, in1
+
+.ncbc.enc.seven.or.less:
+
+	cmp	in2, -8
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	ble,pt	%icc, .ncbc.enc.finish
+#else
+	ble	.ncbc.enc.finish
+#endif
+	nop
+
+	add	in2, 8, local1            ! bytes to load
+
+	! addr, length, dest left, dest right, temp, temp2, label, ret label
+	load_n_bytes(in0, local1, global4, out4, local2, local3, .LNB1, .ncbc.enc.next.block_1)
+
+	! Loads 1 to 7 bytes little endian to global4, out4
+
+
+.ncbc.enc.finish:
+
+	LDPTR	IVEC, local4
+	store_little_endian(local4, in5, out5, local5, .SLE2)  ! ivec
+
+	ret
+	restore
+
+
+.ncbc.dec:
+
+	STPTR	in0, INPUT
+	cmp	in2, 0                    ! length
+	add	in3, 120, in3
+
+	LDPTR	IVEC, local7              ! ivec
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	ble,pn	%icc, .ncbc.dec.finish
+#else
+	ble	.ncbc.dec.finish
+#endif
+	mov	in3, in4                  ! schedule
+
+	STPTR	in1, OUTPUT
+	mov	in0, local5               ! input
+
+	load_little_endian(local7, in0, in1, local3, .LLE3)   ! ivec
+
+.ncbc.dec.next.block:
+
+	load_little_endian(local5, in5, out5, local3, .LLE4)  ! block
+
+	! parameter 6  1/2 for include encryption/decryption
+	! parameter 7  1 for mov in1 to in3
+	! parameter 8  1 for mov in3 to in4
+
+	ip_macro(in5, out5, out5, in5, in4, 2, 0, 1) ! include decryprion  ks in4
+
+	fp_macro(out5, in5, 0, 1) ! 1 for input and output address to local5/7
+
+	! in2 is bytes left to be stored
+	! in2 is compared to 8 in the rounds
+
+	xor	out5, in0, out4           ! iv xor
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	bl,pn	%icc, .ncbc.dec.seven.or.less
+#else
+	bl	.ncbc.dec.seven.or.less
+#endif
+	xor	in5, in1, global4         ! iv xor
+
+	! Load ivec next block now, since input and output address might be the same.
+
+	load_little_endian_inc(local5, in0, in1, local3, .LLE5)  ! iv
+
+	store_little_endian(local7, out4, global4, local3, .SLE3)
+
+	STPTR	local5, INPUT
+	add	local7, 8, local7
+	addcc   in2, -8, in2
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	bg,pt	%icc, .ncbc.dec.next.block
+#else
+	bg	.ncbc.dec.next.block
+#endif
+	STPTR	local7, OUTPUT
+
+
+.ncbc.dec.store.iv:
+
+	LDPTR	IVEC, local4              ! ivec
+	store_little_endian(local4, in0, in1, local5, .SLE4)
+
+.ncbc.dec.finish:
+
+	ret
+	restore
+
+.ncbc.dec.seven.or.less:
+
+	load_little_endian_inc(local5, in0, in1, local3, .LLE13)     ! ivec
+
+	store_n_bytes(local7, in2, global4, out4, local3, local4, .SNB1, .ncbc.dec.store.iv)
+
+
+.DES_ncbc_encrypt.end:
+	.size	 DES_ncbc_encrypt, .DES_ncbc_encrypt.end-DES_ncbc_encrypt
+
+
+! void DES_ede3_cbc_encrypt(input, output, lenght, ks1, ks2, ks3, ivec, enc)
+! **************************************************************************
+
+
+	.align 32
+	.global DES_ede3_cbc_encrypt
+	.type	 DES_ede3_cbc_encrypt,#function
+
+DES_ede3_cbc_encrypt:
+
+	save	%sp, FRAME, %sp
+
+	define({KS1}, { [%sp+BIAS+ARG0+3*ARGSZ] })
+	define({KS2}, { [%sp+BIAS+ARG0+4*ARGSZ] })
+	define({KS3}, { [%sp+BIAS+ARG0+5*ARGSZ] })
+
+	call	.PIC.me.up
+	mov	.PIC.me.up-(.-4),out0
+
+	LDPTR	[%fp+BIAS+ARG0+7*ARGSZ], local3          ! enc
+	LDPTR	[%fp+BIAS+ARG0+6*ARGSZ], local4          ! ivec
+	cmp	local3, 0                 ! enc
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	be,pn	%icc, .ede3.dec
+#else
+	be	.ede3.dec
+#endif
+	STPTR	in4, KS2
+
+	STPTR	in5, KS3
+
+	load_little_endian(local4, in5, out5, local3, .LLE6)  ! ivec
+
+	addcc	in2, -8, in2              ! bytes missing after next block
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	bl,pn	%icc,  .ede3.enc.seven.or.less
+#else
+	bl	.ede3.enc.seven.or.less
+#endif
+	STPTR	in3, KS1
+
+.ede3.enc.next.block:
+
+	load_little_endian(in0, out4, global4, local3, .LLE7)
+
+.ede3.enc.next.block_1:
+
+	LDPTR	KS2, in4
+	xor	in5, out4, in5            ! iv xor
+	xor	out5, global4, out5       ! iv xor
+
+	LDPTR	KS1, in3
+	add	in4, 120, in4             ! for decryption we use last subkey first
+	nop
+
+	ip_macro(in5, out5, in5, out5, in3)
+
+.ede3.enc.next.block_2:
+
+	call .des_enc                     ! ks1 in3
+	nop
+
+	call .des_dec                     ! ks2 in4
+	LDPTR	KS3, in3
+
+	call .des_enc                     ! ks3 in3  compares in2 to 8
+	nop
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	bl,pn	%icc, .ede3.enc.next.block_fp
+#else
+	bl	.ede3.enc.next.block_fp
+#endif
+	add	in0, 8, in0
+
+	! If 8 or more bytes are to be encrypted after this block,
+	! we combine final permutation for this block with initial
+	! permutation for next block. Load next block:
+
+	load_little_endian(in0, global3, global4, local5, .LLE11)
+
+	!  parameter 1   original left
+	!  parameter 2   original right
+	!  parameter 3   left ip
+	!  parameter 4   right ip
+	!  parameter 5   1: load ks1/ks2 to in3/in4, add 120 to in4
+	!                2: mov in4 to in3
+	!
+	! also adds -8 to length in2 and loads loop counter to out4
+
+	fp_ip_macro(out0, out1, global3, global4, 1)
+
+	store_little_endian(in1, out0, out1, local3, .SLE9)  ! block
+
+	mov 	in5, local1
+	xor	global3, out5, in5        ! iv xor next block
+
+	ld	[in3], out0               ! key 7531
+	add	global1, 512, global3     ! address sbox 3
+	xor	global4, local1, out5     ! iv xor next block
+
+	ld	[in3+4], out1             ! key 8642
+	add	global1, 768, global4     ! address sbox 4
+	ba	.ede3.enc.next.block_2
+	add	in1, 8, in1
+
+.ede3.enc.next.block_fp:
+
+	fp_macro(in5, out5)
+
+	store_little_endian(in1, in5, out5, local3, .SLE5)  ! block
+
+	addcc   in2, -8, in2              ! bytes missing when next block done
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	bpos,pt	%icc, .ede3.enc.next.block
+#else
+	bpos	.ede3.enc.next.block
+#endif
+	add	in1, 8, in1
+
+.ede3.enc.seven.or.less:
+
+	cmp	in2, -8
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	ble,pt	%icc, .ede3.enc.finish
+#else
+	ble	.ede3.enc.finish
+#endif
+	nop
+
+	add	in2, 8, local1            ! bytes to load
+
+	! addr, length, dest left, dest right, temp, temp2, label, ret label
+	load_n_bytes(in0, local1, global4, out4, local2, local3, .LNB2, .ede3.enc.next.block_1)
+
+.ede3.enc.finish:
+
+	LDPTR	[%fp+BIAS+ARG0+6*ARGSZ], local4          ! ivec
+	store_little_endian(local4, in5, out5, local5, .SLE6)  ! ivec
+
+	ret
+	restore
+
+.ede3.dec:
+
+	STPTR	in0, INPUT
+	add	in5, 120, in5
+
+	STPTR	in1, OUTPUT
+	mov	in0, local5
+	add	in3, 120, in3
+
+	STPTR	in3, KS1
+	cmp	in2, 0
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	ble	%icc, .ede3.dec.finish
+#else
+	ble	.ede3.dec.finish
+#endif
+	STPTR	in5, KS3
+
+	LDPTR	[%fp+BIAS+ARG0+6*ARGSZ], local7          ! iv
+	load_little_endian(local7, in0, in1, local3, .LLE8)
+
+.ede3.dec.next.block:
+
+	load_little_endian(local5, in5, out5, local3, .LLE9)
+
+	! parameter 6  1/2 for include encryption/decryption
+	! parameter 7  1 for mov in1 to in3
+	! parameter 8  1 for mov in3 to in4
+	! parameter 9  1 for load ks3 and ks2 to in4 and in3
+
+	ip_macro(in5, out5, out5, in5, in4, 2, 0, 0, 1) ! inc .des_dec ks3 in4
+
+	call .des_enc                     ! ks2 in3
+	LDPTR	KS1, in4
+
+	call .des_dec                     ! ks1 in4
+	nop
+
+	fp_macro(out5, in5, 0, 1)   ! 1 for input and output address local5/7
+
+	! in2 is bytes left to be stored
+	! in2 is compared to 8 in the rounds
+
+	xor	out5, in0, out4
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	bl,pn	%icc, .ede3.dec.seven.or.less
+#else
+	bl	.ede3.dec.seven.or.less
+#endif
+	xor	in5, in1, global4
+
+	load_little_endian_inc(local5, in0, in1, local3, .LLE10)   ! iv next block
+
+	store_little_endian(local7, out4, global4, local3, .SLE7)  ! block
+
+	STPTR	local5, INPUT
+	addcc   in2, -8, in2
+	add	local7, 8, local7
+
+#ifdef OPENSSL_SYSNAME_ULTRASPARC
+	bg,pt	%icc, .ede3.dec.next.block
+#else
+	bg	.ede3.dec.next.block
+#endif
+	STPTR	local7, OUTPUT
+
+.ede3.dec.store.iv:
+
+	LDPTR	[%fp+BIAS+ARG0+6*ARGSZ], local4          ! ivec
+	store_little_endian(local4, in0, in1, local5, .SLE8)  ! ivec
+
+.ede3.dec.finish:
+
+	ret
+	restore
+
+.ede3.dec.seven.or.less:
+
+	load_little_endian_inc(local5, in0, in1, local3, .LLE14)     ! iv
+
+	store_n_bytes(local7, in2, global4, out4, local3, local4, .SNB2, .ede3.dec.store.iv)
+
+
+.DES_ede3_cbc_encrypt.end:
+	.size	 DES_ede3_cbc_encrypt,.DES_ede3_cbc_encrypt.end-DES_ede3_cbc_encrypt
diff --git a/crypto/openssl/crypto/des/cfb64ede.c b/crypto/openssl/crypto/des/cfb64ede.c
index f422fef1d6cf..de34ecceb96d 100644
--- a/crypto/openssl/crypto/des/cfb64ede.c
+++ b/crypto/openssl/crypto/des/cfb64ede.c
@@ -57,6 +57,7 @@
  */
 
 #include "des_locl.h"
+#include "e_os.h"
 
 /* The input and output encrypted as though 64bit cfb mode is being
  * used.  The extra state information to record how much of the
@@ -151,8 +152,8 @@ void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
 			  DES_cblock *ivec,int enc)
 	{
 	register DES_LONG d0,d1,v0,v1;
-	register long l=length;
-	register int num=numbits,n=(numbits+7)/8,i;
+	register unsigned long l=length,n=((unsigned int)numbits+7)/8;
+	register int num=numbits,i;
 	DES_LONG ti[2];
 	unsigned char *iv;
 	unsigned char ovec[16];
diff --git a/crypto/openssl/crypto/des/cfb_enc.c b/crypto/openssl/crypto/des/cfb_enc.c
index 03cabb223cdf..720f29a28e62 100644
--- a/crypto/openssl/crypto/des/cfb_enc.c
+++ b/crypto/openssl/crypto/des/cfb_enc.c
@@ -58,6 +58,7 @@
 
 #include "e_os.h"
 #include "des_locl.h"
+#include <assert.h>
 
 /* The input and output are loaded in multiples of 8 bits.
  * What this means is that if you hame numbits=12 and length=2
@@ -72,19 +73,29 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
 		     int enc)
 	{
 	register DES_LONG d0,d1,v0,v1;
-	register unsigned long l=length,n=(numbits+7)/8;
-	register int num=numbits,i;
+	register unsigned long l=length;
+	register int num=numbits/8,n=(numbits+7)/8,i,rem=numbits%8;
 	DES_LONG ti[2];
 	unsigned char *iv;
+#ifndef L_ENDIAN
 	unsigned char ovec[16];
+#else
+	unsigned int  sh[4];
+	unsigned char *ovec=(unsigned char *)sh;
 
-	if (num > 64) return;
+	/* I kind of count that compiler optimizes away this assertioni,*/
+	assert (sizeof(sh[0])==4);	/* as this holds true for all,	*/
+					/* but 16-bit platforms...	*/
+					
+#endif
+
+	if (numbits<=0 || numbits > 64) return;
 	iv = &(*ivec)[0];
 	c2l(iv,v0);
 	c2l(iv,v1);
 	if (enc)
 		{
-		while (l >= n)
+		while (l >= (unsigned long)n)
 			{
 			l-=n;
 			ti[0]=v0;
@@ -98,35 +109,40 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
 			out+=n;
 			/* 30-08-94 - eay - changed because l>>32 and
 			 * l<<32 are bad under gcc :-( */
-			if (num == 32)
+			if (numbits == 32)
 				{ v0=v1; v1=d0; }
-			else if (num == 64)
+			else if (numbits == 64)
 				{ v0=d0; v1=d1; }
 			else
 				{
+#ifndef L_ENDIAN
 				iv=&ovec[0];
 				l2c(v0,iv);
 				l2c(v1,iv);
 				l2c(d0,iv);
 				l2c(d1,iv);
-				/* shift ovec left most of the bits... */
-				memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
-				/* now the remaining bits */
-				if(num%8 != 0)
+#else
+				sh[0]=v0, sh[1]=v1, sh[2]=d0, sh[3]=d1;
+#endif
+				if (rem==0)
+					memmove(ovec,ovec+num,8);
+				else
 					for(i=0 ; i < 8 ; ++i)
-						{
-						ovec[i]<<=num%8;
-						ovec[i]|=ovec[i+1]>>(8-num%8);
-						}
+						ovec[i]=ovec[i+num]<<rem |
+							ovec[i+num+1]>>(8-rem);
+#ifdef L_ENDIAN
+				v0=sh[0], v1=sh[1];
+#else
 				iv=&ovec[0];
 				c2l(iv,v0);
 				c2l(iv,v1);
+#endif
 				}
 			}
 		}
 	else
 		{
-		while (l >= n)
+		while (l >= (unsigned long)n)
 			{
 			l-=n;
 			ti[0]=v0;
@@ -136,29 +152,34 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
 			in+=n;
 			/* 30-08-94 - eay - changed because l>>32 and
 			 * l<<32 are bad under gcc :-( */
-			if (num == 32)
+			if (numbits == 32)
 				{ v0=v1; v1=d0; }
-			else if (num == 64)
+			else if (numbits == 64)
 				{ v0=d0; v1=d1; }
 			else
 				{
+#ifndef L_ENDIAN
 				iv=&ovec[0];
 				l2c(v0,iv);
 				l2c(v1,iv);
 				l2c(d0,iv);
 				l2c(d1,iv);
-				/* shift ovec left most of the bits... */
-				memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
-				/* now the remaining bits */
-				if(num%8 != 0)
+#else
+				sh[0]=v0, sh[1]=v1, sh[2]=d0, sh[3]=d1;
+#endif
+				if (rem==0)
+					memmove(ovec,ovec+num,8);
+				else
 					for(i=0 ; i < 8 ; ++i)
-						{
-						ovec[i]<<=num%8;
-						ovec[i]|=ovec[i+1]>>(8-num%8);
-						}
+						ovec[i]=ovec[i+num]<<rem |
+							ovec[i+num+1]>>(8-rem);
+#ifdef L_ENDIAN
+				v0=sh[0], v1=sh[1];
+#else
 				iv=&ovec[0];
 				c2l(iv,v0);
 				c2l(iv,v1);
+#endif
 				}
 			d0^=ti[0];
 			d1^=ti[1];
diff --git a/crypto/openssl/crypto/des/des.h b/crypto/openssl/crypto/des/des.h
index c5df1c9c7b3c..3cbc2b568e91 100644
--- a/crypto/openssl/crypto/des/des.h
+++ b/crypto/openssl/crypto/des/des.h
@@ -59,13 +59,13 @@
 #ifndef HEADER_NEW_DES_H
 #define HEADER_NEW_DES_H
 
+#include <openssl/e_os2.h>	/* OPENSSL_EXTERN, OPENSSL_NO_DES,
+				   DES_LONG (via openssl/opensslconf.h */
+
 #ifdef OPENSSL_NO_DES
 #error DES is disabled.
 #endif
 
-#include <openssl/opensslconf.h> /* DES_LONG */
-#include <openssl/e_os2.h>	/* OPENSSL_EXTERN */
-
 #ifdef OPENSSL_BUILD_SHLIBCRYPTO
 # undef OPENSSL_EXTERN
 # define OPENSSL_EXTERN OPENSSL_EXPORT
@@ -128,7 +128,7 @@ OPENSSL_DECLARE_GLOBAL(int,DES_rw_mode);	/* defaults to DES_PCBC_MODE */
 #define DES_rw_mode OPENSSL_GLOBAL_REF(DES_rw_mode)
 
 const char *DES_options(void);
-void DES_ecb3_encrypt(const unsigned char *input, unsigned char *output,
+void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
 		      DES_key_schedule *ks1,DES_key_schedule *ks2,
 		      DES_key_schedule *ks3, int enc);
 DES_LONG DES_cbc_cksum(const unsigned char *input,DES_cblock *output,
diff --git a/crypto/openssl/crypto/des/des_enc.c b/crypto/openssl/crypto/des/des_enc.c
index 8dd30e2cb72a..1c37ab96d3de 100644
--- a/crypto/openssl/crypto/des/des_enc.c
+++ b/crypto/openssl/crypto/des/des_enc.c
@@ -58,8 +58,6 @@
 
 #include "des_locl.h"
 
-#ifndef OPENSSL_FIPS
-
 void DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
 	{
 	register DES_LONG l,r,t,u;
@@ -289,12 +287,8 @@ void DES_decrypt3(DES_LONG *data, DES_key_schedule *ks1,
 	data[1]=r;
 	}
 
-#endif /* ndef OPENSSL_FIPS */
-
 #ifndef DES_DEFAULT_OPTIONS
 
-#if !defined(OPENSSL_FIPS) || !defined(I386_ONLY)
-
 #undef CBC_ENC_C__DONT_UPDATE_IV
 #include "ncbc_enc.c" /* DES_ncbc_encrypt */
 
@@ -410,6 +404,4 @@ void DES_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
 	tin[0]=tin[1]=0;
 	}
 
-#endif /* !defined(OPENSSL_FIPS) || !defined(I386_ONLY) */
-
 #endif /* DES_DEFAULT_OPTIONS */
diff --git a/crypto/openssl/crypto/des/des_locl.h b/crypto/openssl/crypto/des/des_locl.h
index e44e8e98b250..4b9ecff23391 100644
--- a/crypto/openssl/crypto/des/des_locl.h
+++ b/crypto/openssl/crypto/des/des_locl.h
@@ -160,7 +160,7 @@
 				} \
 			}
 
-#if defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER)
+#if (defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER)) || defined(__ICC)
 #define	ROTATE(a,n)	(_lrotr(a,n))
 #elif defined(__GNUC__) && __GNUC__>=2 && !defined(__STRICT_ANSI__) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC)
 # if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
@@ -421,7 +421,7 @@
 	PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
 	}
 
-OPENSSL_EXTERN const DES_LONG DES_SPtrans[8][64];
+extern const DES_LONG DES_SPtrans[8][64];
 
 void fcrypt_body(DES_LONG *out,DES_key_schedule *ks,
 		 DES_LONG Eswap0, DES_LONG Eswap1);
diff --git a/crypto/openssl/crypto/des/des_old.c b/crypto/openssl/crypto/des/des_old.c
index 88e9802aad03..7e4cd7180d18 100644
--- a/crypto/openssl/crypto/des/des_old.c
+++ b/crypto/openssl/crypto/des/des_old.c
@@ -84,7 +84,7 @@ void _ossl_old_des_ecb3_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock
 	des_key_schedule ks1,des_key_schedule ks2,
 	des_key_schedule ks3, int enc)
 	{
-	DES_ecb3_encrypt((const unsigned char *)input, (unsigned char *)output,
+	DES_ecb3_encrypt((const_DES_cblock *)input, output,
 		(DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
 		(DES_key_schedule *)ks3, enc);
 	}
diff --git a/crypto/openssl/crypto/des/des_old.h b/crypto/openssl/crypto/des/des_old.h
index 1d840b474a64..1b0620c3a2e1 100644
--- a/crypto/openssl/crypto/des/des_old.h
+++ b/crypto/openssl/crypto/des/des_old.h
@@ -91,6 +91,8 @@
 #ifndef HEADER_DES_H
 #define HEADER_DES_H
 
+#include <openssl/e_os2.h>	/* OPENSSL_EXTERN, OPENSSL_NO_DES, DES_LONG */
+
 #ifdef OPENSSL_NO_DES
 #error DES is disabled.
 #endif
@@ -103,8 +105,6 @@
 #error <openssl/des_old.h> replaces <kerberos/des.h>.
 #endif
 
-#include <openssl/opensslconf.h> /* DES_LONG */
-#include <openssl/e_os2.h>	/* OPENSSL_EXTERN */
 #include <openssl/symhacks.h>
 
 #ifdef OPENSSL_BUILD_SHLIBCRYPTO
@@ -116,6 +116,10 @@
 extern "C" {
 #endif
 
+#ifdef _
+#undef _
+#endif
+
 typedef unsigned char _ossl_old_des_cblock[8];
 typedef struct _ossl_old_des_ks_struct
 	{
@@ -171,9 +175,9 @@ typedef struct _ossl_old_des_ks_struct
 	DES_enc_write((f),(b),(l),&(k),(iv))
 #define des_fcrypt(b,s,r)\
 	DES_fcrypt((b),(s),(r))
+#if 0
 #define des_crypt(b,s)\
 	DES_crypt((b),(s))
-#if 0
 #if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT) && !defined(__OpenBSD__)
 #define crypt(b,s)\
 	DES_crypt((b),(s))
diff --git a/crypto/openssl/crypto/des/des_opts.c b/crypto/openssl/crypto/des/des_opts.c
index 79278b920eb0..2df82962c5ab 100644
--- a/crypto/openssl/crypto/des/des_opts.c
+++ b/crypto/openssl/crypto/des/des_opts.c
@@ -71,7 +71,11 @@
 #include <io.h>
 extern void exit();
 #endif
+
+#ifndef OPENSSL_SYS_NETWARE
 #include <signal.h>
+#endif
+
 #ifndef _IRIX
 #include <time.h>
 #endif
diff --git a/crypto/openssl/crypto/des/destest.c b/crypto/openssl/crypto/des/destest.c
index e3e9d77f144e..64b92a34fe97 100644
--- a/crypto/openssl/crypto/des/destest.c
+++ b/crypto/openssl/crypto/des/destest.c
@@ -84,7 +84,7 @@ int main(int argc, char *argv[])
 #else
 #include <openssl/des.h>
 
-#define crypt(c,s) (des_crypt((c),(s)))
+#define crypt(c,s) (DES_crypt((c),(s)))
 
 /* tisk tisk - the test keys don't all have odd parity :-( */
 /* test data */
@@ -333,7 +333,8 @@ static int cfb64_test(unsigned char *cfb_cipher);
 static int ede_cfb64_test(unsigned char *cfb_cipher);
 int main(int argc, char *argv[])
 	{
-	int i,j,err=0;
+	int j,err=0;
+	unsigned int i;
 	des_cblock in,out,outin,iv3,iv2;
 	des_key_schedule ks,ks2,ks3;
 	unsigned char cbc_in[40];
@@ -391,7 +392,7 @@ int main(int argc, char *argv[])
 	DES_ede3_cbcm_encrypt(cbc_out,cbc_in,i,&ks,&ks2,&ks3,&iv3,&iv2,DES_DECRYPT);
 	if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)+1) != 0)
 		{
-		int n;
+		unsigned int n;
 
 		printf("des_ede3_cbcm_encrypt decrypt error\n");
 		for(n=0 ; n < i ; ++n)
@@ -439,8 +440,8 @@ int main(int argc, char *argv[])
 		memcpy(in,plain_data[i],8);
 		memset(out,0,8);
 		memset(outin,0,8);
-		des_ecb2_encrypt(in,out,ks,ks2,DES_ENCRYPT);
-		des_ecb2_encrypt(out,outin,ks,ks2,DES_DECRYPT);
+		des_ecb2_encrypt(&in,&out,ks,ks2,DES_ENCRYPT);
+		des_ecb2_encrypt(&out,&outin,ks,ks2,DES_DECRYPT);
 
 		if (memcmp(out,cipher_ecb2[i],8) != 0)
 			{
@@ -540,7 +541,7 @@ int main(int argc, char *argv[])
 	if (memcmp(cbc_out,cbc3_ok,
 		(unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
 		{
-		int n;
+		unsigned int n;
 
 		printf("des_ede3_cbc_encrypt encrypt error\n");
 		for(n=0 ; n < i ; ++n)
@@ -556,7 +557,7 @@ int main(int argc, char *argv[])
 	des_ede3_cbc_encrypt(cbc_out,cbc_in,i,ks,ks2,ks3,&iv3,DES_DECRYPT);
 	if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)+1) != 0)
 		{
-		int n;
+		unsigned int n;
 
 		printf("des_ede3_cbc_encrypt decrypt error\n");
 		for(n=0 ; n < i ; ++n)
@@ -820,6 +821,9 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
 		printf("fast crypt error, %s should be yA1Rp/1hZXIJk\n",str);
 		err=1;
 		}
+#ifdef OPENSSL_SYS_NETWARE
+    if (err) printf("ERROR: %d\n", err);
+#endif
 	printf("\n");
 	return(err);
 	}
diff --git a/crypto/openssl/crypto/des/ecb3_enc.c b/crypto/openssl/crypto/des/ecb3_enc.c
index fa0c9c4d4fc6..c3437bc60621 100644
--- a/crypto/openssl/crypto/des/ecb3_enc.c
+++ b/crypto/openssl/crypto/des/ecb3_enc.c
@@ -58,13 +58,15 @@
 
 #include "des_locl.h"
 
-void DES_ecb3_encrypt(const unsigned char *in, unsigned char *out,
+void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
 		      DES_key_schedule *ks1, DES_key_schedule *ks2,
 		      DES_key_schedule *ks3,
 	     int enc)
 	{
 	register DES_LONG l0,l1;
 	DES_LONG ll[2];
+	const unsigned char *in = &(*input)[0];
+	unsigned char *out = &(*output)[0];
 
 	c2l(in,l0);
 	c2l(in,l1);
diff --git a/crypto/openssl/crypto/des/ede_cbcm_enc.c b/crypto/openssl/crypto/des/ede_cbcm_enc.c
index fa45aa272ba5..adfcb75cf387 100644
--- a/crypto/openssl/crypto/des/ede_cbcm_enc.c
+++ b/crypto/openssl/crypto/des/ede_cbcm_enc.c
@@ -68,6 +68,8 @@ http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1998/CS/CS0928.ps.gz
 
 */
 
+#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_DESCBCM is defined */
+
 #ifndef OPENSSL_NO_DESCBCM
 #include "des_locl.h"
 
diff --git a/crypto/openssl/crypto/des/fcrypt.c b/crypto/openssl/crypto/des/fcrypt.c
index 2758c32656af..ccbdff250f70 100644
--- a/crypto/openssl/crypto/des/fcrypt.c
+++ b/crypto/openssl/crypto/des/fcrypt.c
@@ -58,9 +58,6 @@ static unsigned const char cov_2char[64]={
 0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7A
 };
 
-void fcrypt_body(DES_LONG *out,DES_key_schedule *ks,
-		 DES_LONG Eswap0, DES_LONG Eswap1);
-
 char *DES_crypt(const char *buf, const char *salt)
 	{
 	static char buff[14];
diff --git a/crypto/openssl/crypto/des/read2pwd.c b/crypto/openssl/crypto/des/read2pwd.c
index 3a63c4016ccf..ee6969f76eb5 100644
--- a/crypto/openssl/crypto/des/read2pwd.c
+++ b/crypto/openssl/crypto/des/read2pwd.c
@@ -112,6 +112,7 @@
 #include <string.h>
 #include <openssl/des.h>
 #include <openssl/ui.h>
+#include <openssl/crypto.h>
 
 int DES_read_password(DES_cblock *key, const char *prompt, int verify)
 	{
diff --git a/crypto/openssl/crypto/des/set_key.c b/crypto/openssl/crypto/des/set_key.c
index 8881d46a7ad6..55efe03f4233 100644
--- a/crypto/openssl/crypto/des/set_key.c
+++ b/crypto/openssl/crypto/des/set_key.c
@@ -65,8 +65,6 @@
  */
 #include "des_locl.h"
 
-#ifndef OPENSSL_FIPS
-
 OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key);	/* defaults to false */
 
 static const unsigned char odd_parity[256]={
@@ -89,7 +87,7 @@ static const unsigned char odd_parity[256]={
 
 void DES_set_odd_parity(DES_cblock *key)
 	{
-	int i;
+	unsigned int i;
 
 	for (i=0; i<DES_KEY_SZ; i++)
 		(*key)[i]=odd_parity[(*key)[i]];
@@ -97,7 +95,7 @@ void DES_set_odd_parity(DES_cblock *key)
 
 int DES_check_key_parity(const_DES_cblock *key)
 	{
-	int i;
+	unsigned int i;
 
 	for (i=0; i<DES_KEY_SZ; i++)
 		{
@@ -407,5 +405,3 @@ void des_fixup_key_parity(des_cblock *key)
 	des_set_odd_parity(key);
 	}
 */
-
-#endif /* ndef OPENSSL_FIPS */
diff --git a/crypto/openssl/crypto/des/speed.c b/crypto/openssl/crypto/des/speed.c
index 48fc1d49fc24..1616f4b7c959 100644
--- a/crypto/openssl/crypto/des/speed.c
+++ b/crypto/openssl/crypto/des/speed.c
@@ -69,7 +69,11 @@
 #include OPENSSL_UNISTD_IO
 OPENSSL_DECLARE_EXIT
 
+#ifndef OPENSSL_SYS_NETWARE
 #include <signal.h>
+#define crypt(c,s) (des_crypt((c),(s)))
+#endif
+
 #ifndef _IRIX
 #include <time.h>
 #endif
diff --git a/crypto/openssl/crypto/des/str2key.c b/crypto/openssl/crypto/des/str2key.c
index 0373db469c9a..9c2054bda6b9 100644
--- a/crypto/openssl/crypto/des/str2key.c
+++ b/crypto/openssl/crypto/des/str2key.c
@@ -57,6 +57,7 @@
  */
 
 #include "des_locl.h"
+#include <openssl/crypto.h>
 
 void DES_string_to_key(const char *str, DES_cblock *key)
 	{
diff --git a/crypto/openssl/crypto/dh/Makefile b/crypto/openssl/crypto/dh/Makefile
index a0e8217fa8af..d368e33b4ced 100644
--- a/crypto/openssl/crypto/dh/Makefile
+++ b/crypto/openssl/crypto/dh/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/dh/Makefile
+# OpenSSL/crypto/dh/Makefile
 #
 
 DIR=	dh
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -22,8 +17,8 @@ TEST= dhtest.c
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= dh_asn1.c dh_gen.c dh_key.c dh_lib.c dh_check.c dh_err.c
-LIBOBJ= dh_asn1.o dh_gen.o dh_key.o dh_lib.o dh_check.o dh_err.o
+LIBSRC= dh_asn1.c dh_gen.c dh_key.c dh_lib.c dh_check.c dh_err.c dh_depr.c
+LIBOBJ= dh_asn1.o dh_gen.o dh_key.o dh_lib.o dh_check.o dh_err.o dh_depr.o
 
 SRC= $(LIBSRC)
 
@@ -51,7 +46,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -66,6 +62,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -95,13 +92,21 @@ dh_check.o: ../../include/openssl/opensslconf.h
 dh_check.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 dh_check.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 dh_check.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_check.c
-dh_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-dh_err.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-dh_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-dh_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dh_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dh_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dh_err.o: ../../include/openssl/symhacks.h dh_err.c
+dh_depr.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dh_depr.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h
+dh_depr.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dh_depr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_depr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+dh_depr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dh_depr.o: ../cryptlib.h dh_depr.c
+dh_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+dh_err.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h
+dh_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dh_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+dh_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dh_err.o: dh_err.c
 dh_gen.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 dh_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dh_gen.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h
@@ -118,14 +123,11 @@ dh_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dh_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 dh_key.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_key.c
-dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-dh_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-dh_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+dh_lib.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dh_lib.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h
 dh_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
 dh_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 dh_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dh_lib.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dh_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-dh_lib.o: ../cryptlib.h dh_lib.c
+dh_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_lib.c
diff --git a/crypto/openssl/crypto/dh/dh.h b/crypto/openssl/crypto/dh/dh.h
index 05851f84294c..4d0c5653166f 100644
--- a/crypto/openssl/crypto/dh/dh.h
+++ b/crypto/openssl/crypto/dh/dh.h
@@ -59,6 +59,8 @@
 #ifndef HEADER_DH_H
 #define HEADER_DH_H
 
+#include <openssl/e_os2.h>
+
 #ifdef OPENSSL_NO_DH
 #error DH is disabled.
 #endif
@@ -66,19 +68,30 @@
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
-#include <openssl/bn.h>
-#include <openssl/crypto.h>
 #include <openssl/ossl_typ.h>
+#ifndef OPENSSL_NO_DEPRECATED
+#include <openssl/bn.h>
+#endif
 	
-#define DH_FLAG_CACHE_MONT_P	0x01
+#define DH_FLAG_CACHE_MONT_P     0x01
+#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
+                                       * implementation now uses constant time
+                                       * modular exponentiation for secret exponents
+                                       * by default. This flag causes the
+                                       * faster variable sliding window method to
+                                       * be used for all exponents.
+                                       */
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-typedef struct dh_st DH;
+/* Already defined in ossl_typ.h */
+/* typedef struct dh_st DH; */
+/* typedef struct dh_method DH_METHOD; */
 
-typedef struct dh_method {
+struct dh_method
+	{
 	const char *name;
 	/* Methods here */
 	int (*generate_key)(DH *dh);
@@ -91,7 +104,9 @@ typedef struct dh_method {
 	int (*finish)(DH *dh);
 	int flags;
 	char *app_data;
-} DH_METHOD;
+	/* If this is non-NULL, it will be used to generate parameters */
+	int (*generate_params)(DH *dh, int prime_len, int generator, BN_GENCB *cb);
+	};
 
 struct dh_st
 	{
@@ -106,7 +121,7 @@ struct dh_st
 	BIGNUM *priv_key;	/* x */
 
 	int flags;
-	char *method_mont_p;
+	BN_MONT_CTX *method_mont_p;
 	/* Place holders if we want to do X9.42 DH */
 	BIGNUM *q;
 	BIGNUM *j;
@@ -130,25 +145,21 @@ struct dh_st
 #define DH_UNABLE_TO_CHECK_GENERATOR	0x04
 #define DH_NOT_SUITABLE_GENERATOR	0x08
 
+/* DH_check_pub_key error codes */
+#define DH_CHECK_PUBKEY_TOO_SMALL	0x01
+#define DH_CHECK_PUBKEY_TOO_LARGE	0x02
+
 /* primes p where (p-1)/2 is prime too are called "safe"; we define
    this for backward compatibility: */
 #define DH_CHECK_P_NOT_STRONG_PRIME	DH_CHECK_P_NOT_SAFE_PRIME
 
-#define DHparams_dup(x) (DH *)ASN1_dup((int (*)())i2d_DHparams, \
-		(char *(*)())d2i_DHparams,(char *)(x))
+#define DHparams_dup(x) ASN1_dup_of_const(DH,i2d_DHparams,d2i_DHparams,x)
 #define d2i_DHparams_fp(fp,x) (DH *)ASN1_d2i_fp((char *(*)())DH_new, \
 		(char *(*)())d2i_DHparams,(fp),(unsigned char **)(x))
 #define i2d_DHparams_fp(fp,x) ASN1_i2d_fp(i2d_DHparams,(fp), \
 		(unsigned char *)(x))
-#define d2i_DHparams_bio(bp,x) (DH *)ASN1_d2i_bio((char *(*)())DH_new, \
-		(char *(*)())d2i_DHparams,(bp),(unsigned char **)(x))
-#ifdef  __cplusplus
-#define i2d_DHparams_bio(bp,x) ASN1_i2d_bio((int (*)())i2d_DHparams,(bp), \
-		(unsigned char *)(x))
-#else
-#define i2d_DHparams_bio(bp,x) ASN1_i2d_bio(i2d_DHparams,(bp), \
-		(unsigned char *)(x))
-#endif
+#define d2i_DHparams_bio(bp,x) ASN1_d2i_bio_of(DH,DH_new,d2i_DHparams,bp,x)
+#define i2d_DHparams_bio(bp,x) ASN1_i2d_bio_of_const(DH,i2d_DHparams,bp,x)
 
 const DH_METHOD *DH_OpenSSL(void);
 
@@ -165,9 +176,18 @@ int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int DH_set_ex_data(DH *d, int idx, void *arg);
 void *DH_get_ex_data(DH *d, int idx);
+
+/* Deprecated version */
+#ifndef OPENSSL_NO_DEPRECATED
 DH *	DH_generate_parameters(int prime_len,int generator,
 		void (*callback)(int,int,void *),void *cb_arg);
+#endif /* !defined(OPENSSL_NO_DEPRECATED) */
+
+/* New version */
+int	DH_generate_parameters_ex(DH *dh, int prime_len,int generator, BN_GENCB *cb);
+
 int	DH_check(const DH *dh,int *codes);
+int	DH_check_pub_key(const DH *dh,const BIGNUM *pub_key, int *codes);
 int	DH_generate_key(DH *dh);
 int	DH_compute_key(unsigned char *key,const BIGNUM *pub_key,DH *dh);
 DH *	d2i_DHparams(DH **a,const unsigned char **pp, long length);
@@ -190,15 +210,17 @@ void ERR_load_DH_strings(void);
 /* Error codes for the DH functions. */
 
 /* Function codes. */
+#define DH_F_COMPUTE_KEY				 102
 #define DH_F_DHPARAMS_PRINT				 100
 #define DH_F_DHPARAMS_PRINT_FP				 101
-#define DH_F_DH_COMPUTE_KEY				 102
-#define DH_F_DH_GENERATE_KEY				 103
-#define DH_F_DH_GENERATE_PARAMETERS			 104
+#define DH_F_DH_BUILTIN_GENPARAMS			 106
 #define DH_F_DH_NEW_METHOD				 105
+#define DH_F_GENERATE_KEY				 103
+#define DH_F_GENERATE_PARAMETERS			 104
 
 /* Reason codes. */
 #define DH_R_BAD_GENERATOR				 101
+#define DH_R_INVALID_PUBKEY				 102
 #define DH_R_NO_PRIVATE_VALUE				 100
 
 #ifdef  __cplusplus
diff --git a/crypto/openssl/crypto/dh/dh_check.c b/crypto/openssl/crypto/dh/dh_check.c
index a7e9920efb0f..058aec75bcd9 100644
--- a/crypto/openssl/crypto/dh/dh_check.c
+++ b/crypto/openssl/crypto/dh/dh_check.c
@@ -70,8 +70,6 @@
  * should hold.
  */
 
-#ifndef OPENSSL_FIPS
-
 int DH_check(const DH *dh, int *ret)
 	{
 	int ok=0;
@@ -106,12 +104,12 @@ int DH_check(const DH *dh, int *ret)
 	else
 		*ret|=DH_UNABLE_TO_CHECK_GENERATOR;
 
-	if (!BN_is_prime(dh->p,BN_prime_checks,NULL,ctx,NULL))
+	if (!BN_is_prime_ex(dh->p,BN_prime_checks,ctx,NULL))
 		*ret|=DH_CHECK_P_NOT_PRIME;
 	else
 		{
 		if (!BN_rshift1(q,dh->p)) goto err;
-		if (!BN_is_prime(q,BN_prime_checks,NULL,ctx,NULL))
+		if (!BN_is_prime_ex(q,BN_prime_checks,ctx,NULL))
 			*ret|=DH_CHECK_P_NOT_SAFE_PRIME;
 		}
 	ok=1;
@@ -121,4 +119,24 @@ err:
 	return(ok);
 	}
 
-#endif
+int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
+	{
+	int ok=0;
+	BIGNUM *q=NULL;
+
+	*ret=0;
+	q=BN_new();
+	if (q == NULL) goto err;
+	BN_set_word(q,1);
+	if (BN_cmp(pub_key,q) <= 0)
+		*ret|=DH_CHECK_PUBKEY_TOO_SMALL;
+	BN_copy(q,dh->p);
+	BN_sub_word(q,1);
+	if (BN_cmp(pub_key,q) >= 0)
+		*ret|=DH_CHECK_PUBKEY_TOO_LARGE;
+
+	ok = 1;
+err:
+	if (q != NULL) BN_free(q);
+	return(ok);
+	}
diff --git a/crypto/openssl/crypto/dh/dh_depr.c b/crypto/openssl/crypto/dh/dh_depr.c
new file mode 100644
index 000000000000..acc05f252c1e
--- /dev/null
+++ b/crypto/openssl/crypto/dh/dh_depr.c
@@ -0,0 +1,83 @@
+/* crypto/dh/dh_depr.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+/* This file contains deprecated functions as wrappers to the new ones */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+
+static void *dummy=&dummy;
+
+#ifndef OPENSSL_NO_DEPRECATED
+DH *DH_generate_parameters(int prime_len, int generator,
+	     void (*callback)(int,int,void *), void *cb_arg)
+	{
+	BN_GENCB cb;
+	DH *ret=NULL;
+
+	if((ret=DH_new()) == NULL)
+		return NULL;
+
+	BN_GENCB_set_old(&cb, callback, cb_arg);
+
+	if(DH_generate_parameters_ex(ret, prime_len, generator, &cb))
+		return ret;
+	DH_free(ret);
+	return NULL;
+	}
+#endif
diff --git a/crypto/openssl/crypto/dh/dh_err.c b/crypto/openssl/crypto/dh/dh_err.c
index c2715044c912..b14a94f36a43 100644
--- a/crypto/openssl/crypto/dh/dh_err.c
+++ b/crypto/openssl/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /* crypto/dh/dh_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,21 +64,27 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DH,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DH,0,reason)
+
 static ERR_STRING_DATA DH_str_functs[]=
 	{
-{ERR_PACK(0,DH_F_DHPARAMS_PRINT,0),	"DHparams_print"},
-{ERR_PACK(0,DH_F_DHPARAMS_PRINT_FP,0),	"DHparams_print_fp"},
-{ERR_PACK(0,DH_F_DH_COMPUTE_KEY,0),	"DH_compute_key"},
-{ERR_PACK(0,DH_F_DH_GENERATE_KEY,0),	"DH_generate_key"},
-{ERR_PACK(0,DH_F_DH_GENERATE_PARAMETERS,0),	"DH_generate_parameters"},
-{ERR_PACK(0,DH_F_DH_NEW_METHOD,0),	"DH_new_method"},
+{ERR_FUNC(DH_F_COMPUTE_KEY),	"COMPUTE_KEY"},
+{ERR_FUNC(DH_F_DHPARAMS_PRINT),	"DHparams_print"},
+{ERR_FUNC(DH_F_DHPARAMS_PRINT_FP),	"DHparams_print_fp"},
+{ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS),	"DH_BUILTIN_GENPARAMS"},
+{ERR_FUNC(DH_F_DH_NEW_METHOD),	"DH_new_method"},
+{ERR_FUNC(DH_F_GENERATE_KEY),	"GENERATE_KEY"},
+{ERR_FUNC(DH_F_GENERATE_PARAMETERS),	"GENERATE_PARAMETERS"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA DH_str_reasons[]=
 	{
-{DH_R_BAD_GENERATOR                      ,"bad generator"},
-{DH_R_NO_PRIVATE_VALUE                   ,"no private value"},
+{ERR_REASON(DH_R_BAD_GENERATOR)          ,"bad generator"},
+{ERR_REASON(DH_R_INVALID_PUBKEY)         ,"invalid public key"},
+{ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"},
 {0,NULL}
 	};
 
@@ -92,8 +98,8 @@ void ERR_load_DH_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_DH,DH_str_functs);
-		ERR_load_strings(ERR_LIB_DH,DH_str_reasons);
+		ERR_load_strings(0,DH_str_functs);
+		ERR_load_strings(0,DH_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/dh/dh_gen.c b/crypto/openssl/crypto/dh/dh_gen.c
index a49b6f9adb83..cfd5b118681e 100644
--- a/crypto/openssl/crypto/dh/dh_gen.c
+++ b/crypto/openssl/crypto/dh/dh_gen.c
@@ -56,11 +56,25 @@
  * [including the GNU Public Licence.]
  */
 
+/* NB: These functions have been upgraded - the previous prototypes are in
+ * dh_depr.c as wrappers to these ones.
+ *  - Geoff
+ */
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 
+static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb);
+
+int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb)
+	{
+	if(ret->meth->generate_params)
+		return ret->meth->generate_params(ret, prime_len, generator, cb);
+	return dh_builtin_genparams(ret, prime_len, generator, cb);
+	}
+
 /* We generate DH parameters as follows
  * find a prime q which is prime_len/2 bits long.
  * p=(2*q)+1 or (p-1)/2 = q
@@ -86,29 +100,26 @@
  * It's just as OK (and in some sense better) to use a generator of the
  * order-q subgroup.
  */
-
-#ifndef OPENSSL_FIPS
-
-DH *DH_generate_parameters(int prime_len, int generator,
-	     void (*callback)(int,int,void *), void *cb_arg)
+static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb)
 	{
-	BIGNUM *p=NULL,*t1,*t2;
-	DH *ret=NULL;
+	BIGNUM *t1,*t2;
 	int g,ok= -1;
 	BN_CTX *ctx=NULL;
 
-	ret=DH_new();
-	if (ret == NULL) goto err;
 	ctx=BN_CTX_new();
 	if (ctx == NULL) goto err;
 	BN_CTX_start(ctx);
 	t1 = BN_CTX_get(ctx);
 	t2 = BN_CTX_get(ctx);
 	if (t1 == NULL || t2 == NULL) goto err;
+
+	/* Make sure 'ret' has the necessary elements */
+	if(!ret->p && ((ret->p = BN_new()) == NULL)) goto err;
+	if(!ret->g && ((ret->g = BN_new()) == NULL)) goto err;
 	
 	if (generator <= 1)
 		{
-		DHerr(DH_F_DH_GENERATE_PARAMETERS, DH_R_BAD_GENERATOR);
+		DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_BAD_GENERATOR);
 		goto err;
 		}
 	if (generator == DH_GENERATOR_2)
@@ -144,17 +155,14 @@ DH *DH_generate_parameters(int prime_len, int generator,
 		g=generator;
 		}
 	
-	p=BN_generate_prime(NULL,prime_len,1,t1,t2,callback,cb_arg);
-	if (p == NULL) goto err;
-	if (callback != NULL) callback(3,0,cb_arg);
-	ret->p=p;
-	ret->g=BN_new();
+	if(!BN_generate_prime_ex(ret->p,prime_len,1,t1,t2,cb)) goto err;
+	if(!BN_GENCB_call(cb, 3, 0)) goto err;
 	if (!BN_set_word(ret->g,g)) goto err;
 	ok=1;
 err:
 	if (ok == -1)
 		{
-		DHerr(DH_F_DH_GENERATE_PARAMETERS,ERR_R_BN_LIB);
+		DHerr(DH_F_DH_BUILTIN_GENPARAMS,ERR_R_BN_LIB);
 		ok=0;
 		}
 
@@ -163,12 +171,5 @@ err:
 		BN_CTX_end(ctx);
 		BN_CTX_free(ctx);
 		}
-	if (!ok && (ret != NULL))
-		{
-		DH_free(ret);
-		ret=NULL;
-		}
-	return(ret);
+	return ok;
 	}
-
-#endif
diff --git a/crypto/openssl/crypto/dh/dh_key.c b/crypto/openssl/crypto/dh/dh_key.c
index ff125c2296fb..79984e13bc92 100644
--- a/crypto/openssl/crypto/dh/dh_key.c
+++ b/crypto/openssl/crypto/dh/dh_key.c
@@ -62,8 +62,6 @@
 #include <openssl/rand.h>
 #include <openssl/dh.h>
 
-#ifndef OPENSSL_FIPS
-
 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
@@ -91,6 +89,7 @@ dh_bn_mod_exp,
 dh_init,
 dh_finish,
 0,
+NULL,
 NULL
 };
 
@@ -105,7 +104,7 @@ static int generate_key(DH *dh)
 	int generate_new_key=0;
 	unsigned l;
 	BN_CTX *ctx;
-	BN_MONT_CTX *mont;
+	BN_MONT_CTX *mont=NULL;
 	BIGNUM *pub_key=NULL,*priv_key=NULL;
 
 	ctx = BN_CTX_new();
@@ -128,28 +127,43 @@ static int generate_key(DH *dh)
 	else
 		pub_key=dh->pub_key;
 
-	if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))
+
+	if (dh->flags & DH_FLAG_CACHE_MONT_P)
 		{
-		if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
-				dh->p,ctx)) goto err;
+		mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
+				CRYPTO_LOCK_DH, dh->p, ctx);
+		if (!mont)
+			goto err;
 		}
-	mont=(BN_MONT_CTX *)dh->method_mont_p;
 
 	if (generate_new_key)
 		{
 		l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
 		if (!BN_rand(priv_key, l, 0, 0)) goto err;
 		}
-	if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont))
-		goto err;
+
+	{
+		BIGNUM local_prk;
+		BIGNUM *prk;
+
+		if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
+			{
+			BN_init(&local_prk);
+			prk = &local_prk;
+			BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
+			}
+		else
+			prk = priv_key;
+
+		if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) goto err;
+	}
 		
 	dh->pub_key=pub_key;
 	dh->priv_key=priv_key;
 	ok=1;
 err:
 	if (ok != 1)
-		DHerr(DH_F_DH_GENERATE_KEY,ERR_R_BN_LIB);
+		DHerr(DH_F_GENERATE_KEY,ERR_R_BN_LIB);
 
 	if ((pub_key != NULL)  && (dh->pub_key == NULL))  BN_free(pub_key);
 	if ((priv_key != NULL) && (dh->priv_key == NULL)) BN_free(priv_key);
@@ -160,9 +174,10 @@ err:
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 	{
 	BN_CTX *ctx;
-	BN_MONT_CTX *mont;
+	BN_MONT_CTX *mont=NULL;
 	BIGNUM *tmp;
 	int ret= -1;
+        int check_result;
 
 	ctx = BN_CTX_new();
 	if (ctx == NULL) goto err;
@@ -171,27 +186,42 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 	
 	if (dh->priv_key == NULL)
 		{
-		DHerr(DH_F_DH_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE);
+		DHerr(DH_F_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE);
 		goto err;
 		}
-	if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))
+
+	if (dh->flags & DH_FLAG_CACHE_MONT_P)
 		{
-		if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
-				dh->p,ctx)) goto err;
+		mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
+				CRYPTO_LOCK_DH, dh->p, ctx);
+		if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
+			{
+			/* XXX */
+			BN_set_flags(dh->priv_key, BN_FLG_EXP_CONSTTIME);
+			}
+		if (!mont)
+			goto err;
+		}
+
+        if (!DH_check_pub_key(dh, pub_key, &check_result) || check_result)
+		{
+		DHerr(DH_F_COMPUTE_KEY,DH_R_INVALID_PUBKEY);
+		goto err;
 		}
 
-	mont=(BN_MONT_CTX *)dh->method_mont_p;
 	if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont))
 		{
-		DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB);
+		DHerr(DH_F_COMPUTE_KEY,ERR_R_BN_LIB);
 		goto err;
 		}
 
 	ret=BN_bn2bin(tmp,key);
 err:
-	BN_CTX_end(ctx);
-	BN_CTX_free(ctx);
+	if (ctx != NULL)
+		{
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
+		}
 	return(ret);
 	}
 
@@ -200,7 +230,10 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
 			const BIGNUM *m, BN_CTX *ctx,
 			BN_MONT_CTX *m_ctx)
 	{
-	if (a->top == 1)
+	/* If a is only one word long and constant time is false, use the faster
+	 * exponenentiation function.
+	 */
+	if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0))
 		{
 		BN_ULONG A = a->d[0];
 		return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx);
@@ -219,8 +252,6 @@ static int dh_init(DH *dh)
 static int dh_finish(DH *dh)
 	{
 	if(dh->method_mont_p)
-		BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
+		BN_MONT_CTX_free(dh->method_mont_p);
 	return(1);
 	}
-
-#endif
diff --git a/crypto/openssl/crypto/dh/dhtest.c b/crypto/openssl/crypto/dh/dhtest.c
index d75077f9fa08..882f5c310a79 100644
--- a/crypto/openssl/crypto/dh/dhtest.c
+++ b/crypto/openssl/crypto/dh/dhtest.c
@@ -56,6 +56,12 @@
  * [including the GNU Public Licence.]
  */
 
+/* Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code */
+#ifdef OPENSSL_NO_DEPRECATED
+#undef OPENSSL_NO_DEPRECATED
+#endif
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -83,12 +89,13 @@ int main(int argc, char *argv[])
 #define MS_CALLBACK
 #endif
 
-static void MS_CALLBACK cb(int p, int n, void *arg);
+static int MS_CALLBACK cb(int p, int n, BN_GENCB *arg);
 
 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
 
 int main(int argc, char *argv[])
 	{
+	BN_GENCB _cb;
 	DH *a;
 	DH *b=NULL;
 	char buf[12];
@@ -110,8 +117,10 @@ int main(int argc, char *argv[])
 	if (out == NULL) EXIT(1);
 	BIO_set_fp(out,stdout,BIO_NOCLOSE);
 
-	a=DH_generate_parameters(64,DH_GENERATOR_5,cb,out);
-	if (a == NULL) goto err;
+	BN_GENCB_set(&_cb, &cb, out);
+	if(((a = DH_new()) == NULL) || !DH_generate_parameters_ex(a, 64,
+				DH_GENERATOR_5, &_cb))
+		goto err;
 
 	if (!DH_check(a, &i)) goto err;
 	if (i & DH_CHECK_P_NOT_PRIME)
@@ -136,6 +145,10 @@ int main(int argc, char *argv[])
 	b->g=BN_dup(a->g);
 	if ((b->p == NULL) || (b->g == NULL)) goto err;
 
+	/* Set a to run with normal modexp and b to use constant time */
+	a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME;
+	b->flags |= DH_FLAG_NO_EXP_CONSTTIME;
+
 	if (!DH_generate_key(a)) goto err;
 	BIO_puts(out,"pri 1=");
 	BN_print(out,a->priv_key);
@@ -188,14 +201,14 @@ err:
 	if(b != NULL) DH_free(b);
 	if(a != NULL) DH_free(a);
 	BIO_free(out);
-	CRYPTO_cleanup_all_ex_data();
-	ERR_remove_state(0);
-	CRYPTO_mem_leaks_fp(stderr);
+#ifdef OPENSSL_SYS_NETWARE
+    if (ret) printf("ERROR: %d\n", ret);
+#endif
 	EXIT(ret);
 	return(ret);
 	}
 
-static void MS_CALLBACK cb(int p, int n, void *arg)
+static int MS_CALLBACK cb(int p, int n, BN_GENCB *arg)
 	{
 	char c='*';
 
@@ -203,10 +216,11 @@ static void MS_CALLBACK cb(int p, int n, void *arg)
 	if (p == 1) c='+';
 	if (p == 2) c='*';
 	if (p == 3) c='\n';
-	BIO_write((BIO *)arg,&c,1);
-	(void)BIO_flush((BIO *)arg);
+	BIO_write(arg->arg,&c,1);
+	(void)BIO_flush(arg->arg);
 #ifdef LINT
 	p=n;
 #endif
+	return 1;
 	}
 #endif
diff --git a/crypto/openssl/crypto/dsa/Makefile b/crypto/openssl/crypto/dsa/Makefile
index 418db981d31c..676baf7d49ce 100644
--- a/crypto/openssl/crypto/dsa/Makefile
+++ b/crypto/openssl/crypto/dsa/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/dsa/Makefile
+# OpenSSL/crypto/dsa/Makefile
 #
 
 DIR=	dsa
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -23,9 +18,9 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC= dsa_gen.c dsa_key.c dsa_lib.c dsa_asn1.c dsa_vrf.c dsa_sign.c \
-	dsa_err.c dsa_ossl.c
+	dsa_err.c dsa_ossl.c dsa_depr.c
 LIBOBJ= dsa_gen.o dsa_key.o dsa_lib.o dsa_asn1.o dsa_vrf.o dsa_sign.o \
-	dsa_err.o dsa_ossl.o
+	dsa_err.o dsa_ossl.o dsa_depr.o
 
 SRC= $(LIBSRC)
 
@@ -53,7 +48,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -68,6 +64,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -81,51 +78,50 @@ clean:
 
 dsa_asn1.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-dsa_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-dsa_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dsa_asn1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_asn1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 dsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dsa_asn1.o: ../../include/openssl/opensslconf.h
 dsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 dsa_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 dsa_asn1.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_asn1.c
-dsa_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-dsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dsa_depr.o: ../../e_os.h ../../include/openssl/asn1.h
+dsa_depr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dsa_depr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+dsa_depr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+dsa_depr.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+dsa_depr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+dsa_depr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dsa_depr.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dsa_depr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+dsa_depr.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_depr.c
+dsa_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 dsa_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 dsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dsa_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dsa_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 dsa_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dsa_err.o: dsa_err.c
-dsa_gen.o: ../../e_os.h ../../include/openssl/aes.h
-dsa_gen.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-dsa_gen.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-dsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-dsa_gen.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-dsa_gen.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+dsa_gen.o: ../../e_os.h ../../include/openssl/asn1.h
+dsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_gen.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 dsa_gen.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-dsa_gen.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-dsa_gen.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-dsa_gen.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-dsa_gen.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-dsa_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dsa_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-dsa_gen.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-dsa_gen.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-dsa_gen.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+dsa_gen.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+dsa_gen.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+dsa_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dsa_gen.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 dsa_gen.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-dsa_gen.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-dsa_gen.o: ../../include/openssl/ui_compat.h ../cryptlib.h dsa_gen.c
+dsa_gen.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_gen.c
 dsa_key.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dsa_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_key.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-dsa_key.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dsa_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_key.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
-dsa_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dsa_key.o: ../cryptlib.h dsa_key.c
+dsa_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+dsa_key.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+dsa_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_key.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_key.c
 dsa_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -133,16 +129,15 @@ dsa_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
 dsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-dsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+dsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 dsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dsa_lib.o: ../../include/openssl/ui.h ../cryptlib.h dsa_lib.c
+dsa_lib.o: ../cryptlib.h dsa_lib.c
 dsa_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dsa_ossl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-dsa_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+dsa_ossl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+dsa_ossl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_ossl.o: ../../include/openssl/opensslconf.h
 dsa_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 dsa_ossl.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 dsa_ossl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
@@ -150,24 +145,20 @@ dsa_ossl.o: ../cryptlib.h dsa_ossl.c
 dsa_sign.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dsa_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/fips.h
-dsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+dsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_sign.o: ../../include/openssl/opensslconf.h
 dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-dsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dsa_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dsa_sign.o: ../cryptlib.h dsa_sign.c
 dsa_vrf.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_vrf.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
 dsa_vrf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-dsa_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-dsa_vrf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-dsa_vrf.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dsa_vrf.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-dsa_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dsa_vrf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-dsa_vrf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+dsa_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
+dsa_vrf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_vrf.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+dsa_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dsa_vrf.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 dsa_vrf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dsa_vrf.o: ../../include/openssl/ui.h ../cryptlib.h dsa_vrf.c
+dsa_vrf.o: ../cryptlib.h dsa_vrf.c
diff --git a/crypto/openssl/crypto/dsa/dsa.h b/crypto/openssl/crypto/dsa/dsa.h
index 225ff391f9be..b12db98b1303 100644
--- a/crypto/openssl/crypto/dsa/dsa.h
+++ b/crypto/openssl/crypto/dsa/dsa.h
@@ -65,6 +65,8 @@
 #ifndef HEADER_DSA_H
 #define HEADER_DSA_H
 
+#include <openssl/e_os2.h>
+
 #ifdef OPENSSL_NO_DSA
 #error DSA is disabled.
 #endif
@@ -72,24 +74,32 @@
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
-#include <openssl/bn.h>
 #include <openssl/crypto.h>
 #include <openssl/ossl_typ.h>
+
+#ifndef OPENSSL_NO_DEPRECATED
+#include <openssl/bn.h>
 #ifndef OPENSSL_NO_DH
 # include <openssl/dh.h>
 #endif
+#endif
 
 #define DSA_FLAG_CACHE_MONT_P	0x01
-
-#if defined(OPENSSL_FIPS)
-#define FIPS_DSA_SIZE_T	int
-#endif
+#define DSA_FLAG_NO_EXP_CONSTTIME       0x02 /* new with 0.9.7h; the built-in DSA
+                                              * implementation now uses constant time
+                                              * modular exponentiation for secret exponents
+                                              * by default. This flag causes the
+                                              * faster variable sliding window method to
+                                              * be used for all exponents.
+                                              */
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-typedef struct dsa_st DSA;
+/* Already defined in ossl_typ.h */
+/* typedef struct dsa_st DSA; */
+/* typedef struct dsa_method DSA_METHOD; */
 
 typedef struct DSA_SIG_st
 	{
@@ -97,7 +107,8 @@ typedef struct DSA_SIG_st
 	BIGNUM *s;
 	} DSA_SIG;
 
-typedef struct dsa_method {
+struct dsa_method
+	{
 	const char *name;
 	DSA_SIG * (*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa);
 	int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
@@ -114,7 +125,14 @@ typedef struct dsa_method {
 	int (*finish)(DSA *dsa);
 	int flags;
 	char *app_data;
-} DSA_METHOD;
+	/* If this is non-NULL, it is used to generate DSA parameters */
+	int (*dsa_paramgen)(DSA *dsa, int bits,
+			unsigned char *seed, int seed_len,
+			int *counter_ret, unsigned long *h_ret,
+			BN_GENCB *cb);
+	/* If this is non-NULL, it is used to generate DSA keys */
+	int (*dsa_keygen)(DSA *dsa);
+	};
 
 struct dsa_st
 	{
@@ -135,7 +153,7 @@ struct dsa_st
 
 	int flags;
 	/* Normally used to cache montgomery values */
-	char *method_mont_p;
+	BN_MONT_CTX *method_mont_p;
 	int references;
 	CRYPTO_EX_DATA ex_data;
 	const DSA_METHOD *meth;
@@ -143,16 +161,13 @@ struct dsa_st
 	ENGINE *engine;
 	};
 
-#define DSAparams_dup(x) (DSA *)ASN1_dup((int (*)())i2d_DSAparams, \
-		(char *(*)())d2i_DSAparams,(char *)(x))
+#define DSAparams_dup(x) ASN1_dup_of_const(DSA,i2d_DSAparams,d2i_DSAparams,x)
 #define d2i_DSAparams_fp(fp,x) (DSA *)ASN1_d2i_fp((char *(*)())DSA_new, \
 		(char *(*)())d2i_DSAparams,(fp),(unsigned char **)(x))
 #define i2d_DSAparams_fp(fp,x) ASN1_i2d_fp(i2d_DSAparams,(fp), \
 		(unsigned char *)(x))
-#define d2i_DSAparams_bio(bp,x) (DSA *)ASN1_d2i_bio((char *(*)())DSA_new, \
-		(char *(*)())d2i_DSAparams,(bp),(unsigned char **)(x))
-#define i2d_DSAparams_bio(bp,x) ASN1_i2d_bio(i2d_DSAparams,(bp), \
-		(unsigned char *)(x))
+#define d2i_DSAparams_bio(bp,x) ASN1_d2i_bio_of(DSA,DSA_new,d2i_DSAparams,bp,x)
+#define i2d_DSAparams_bio(bp,x) ASN1_i2d_bio_of_const(DSA,i2d_DSAparams,bp,x)
 
 
 DSA_SIG * DSA_SIG_new(void);
@@ -190,10 +205,20 @@ void *DSA_get_ex_data(DSA *d, int idx);
 DSA *	d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length);
 DSA *	d2i_DSAPrivateKey(DSA **a, const unsigned char **pp, long length);
 DSA * 	d2i_DSAparams(DSA **a, const unsigned char **pp, long length);
+
+/* Deprecated version */
+#ifndef OPENSSL_NO_DEPRECATED
 DSA *	DSA_generate_parameters(int bits,
 		unsigned char *seed,int seed_len,
 		int *counter_ret, unsigned long *h_ret,void
 		(*callback)(int, int, void *),void *cb_arg);
+#endif /* !defined(OPENSSL_NO_DEPRECATED) */
+
+/* New version */
+int	DSA_generate_parameters_ex(DSA *dsa, int bits,
+		unsigned char *seed,int seed_len,
+		int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
+
 int	DSA_generate_key(DSA *a);
 int	i2d_DSAPublicKey(const DSA *a, unsigned char **pp);
 int 	i2d_DSAPrivateKey(const DSA *a, unsigned char **pp);
diff --git a/crypto/openssl/crypto/dsa/dsa_depr.c b/crypto/openssl/crypto/dsa/dsa_depr.c
new file mode 100644
index 000000000000..f2da680eb466
--- /dev/null
+++ b/crypto/openssl/crypto/dsa/dsa_depr.c
@@ -0,0 +1,106 @@
+/* crypto/dsa/dsa_depr.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* This file contains deprecated function(s) that are now wrappers to the new
+ * version(s). */
+
+#undef GENUINE_DSA
+
+#ifdef GENUINE_DSA
+/* Parameter generation follows the original release of FIPS PUB 186,
+ * Appendix 2.2 (i.e. use SHA as defined in FIPS PUB 180) */
+#define HASH    EVP_sha()
+#else
+/* Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186,
+ * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in
+ * FIPS PUB 180-1) */
+#define HASH    EVP_sha1()
+#endif 
+
+static void *dummy=&dummy;
+
+#ifndef OPENSSL_NO_SHA
+
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rand.h>
+#include <openssl/sha.h>
+
+#ifndef OPENSSL_NO_DEPRECATED
+DSA *DSA_generate_parameters(int bits,
+		unsigned char *seed_in, int seed_len,
+		int *counter_ret, unsigned long *h_ret,
+		void (*callback)(int, int, void *),
+		void *cb_arg)
+	{
+	BN_GENCB cb;
+	DSA *ret;
+
+	if ((ret=DSA_new()) == NULL) return NULL;
+
+	BN_GENCB_set_old(&cb, callback, cb_arg);
+
+	if(DSA_generate_parameters_ex(ret, bits, seed_in, seed_len,
+				counter_ret, h_ret, &cb))
+		return ret;
+	DSA_free(ret);
+	return NULL;
+	}
+#endif
+#endif
diff --git a/crypto/openssl/crypto/dsa/dsa_err.c b/crypto/openssl/crypto/dsa/dsa_err.c
index 79aa4ff526c4..fd42053572bc 100644
--- a/crypto/openssl/crypto/dsa/dsa_err.c
+++ b/crypto/openssl/crypto/dsa/dsa_err.c
@@ -1,6 +1,6 @@
 /* crypto/dsa/dsa_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,29 +64,33 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSA,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSA,0,reason)
+
 static ERR_STRING_DATA DSA_str_functs[]=
 	{
-{ERR_PACK(0,DSA_F_D2I_DSA_SIG,0),	"d2i_DSA_SIG"},
-{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT,0),	"DSAparams_print"},
-{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT_FP,0),	"DSAparams_print_fp"},
-{ERR_PACK(0,DSA_F_DSA_DO_SIGN,0),	"DSA_do_sign"},
-{ERR_PACK(0,DSA_F_DSA_DO_VERIFY,0),	"DSA_do_verify"},
-{ERR_PACK(0,DSA_F_DSA_NEW_METHOD,0),	"DSA_new_method"},
-{ERR_PACK(0,DSA_F_DSA_PRINT,0),	"DSA_print"},
-{ERR_PACK(0,DSA_F_DSA_PRINT_FP,0),	"DSA_print_fp"},
-{ERR_PACK(0,DSA_F_DSA_SIGN,0),	"DSA_sign"},
-{ERR_PACK(0,DSA_F_DSA_SIGN_SETUP,0),	"DSA_sign_setup"},
-{ERR_PACK(0,DSA_F_DSA_SIG_NEW,0),	"DSA_SIG_new"},
-{ERR_PACK(0,DSA_F_DSA_VERIFY,0),	"DSA_verify"},
-{ERR_PACK(0,DSA_F_I2D_DSA_SIG,0),	"i2d_DSA_SIG"},
-{ERR_PACK(0,DSA_F_SIG_CB,0),	"SIG_CB"},
+{ERR_FUNC(DSA_F_D2I_DSA_SIG),	"d2i_DSA_SIG"},
+{ERR_FUNC(DSA_F_DSAPARAMS_PRINT),	"DSAparams_print"},
+{ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP),	"DSAparams_print_fp"},
+{ERR_FUNC(DSA_F_DSA_DO_SIGN),	"DSA_do_sign"},
+{ERR_FUNC(DSA_F_DSA_DO_VERIFY),	"DSA_do_verify"},
+{ERR_FUNC(DSA_F_DSA_NEW_METHOD),	"DSA_new_method"},
+{ERR_FUNC(DSA_F_DSA_PRINT),	"DSA_print"},
+{ERR_FUNC(DSA_F_DSA_PRINT_FP),	"DSA_print_fp"},
+{ERR_FUNC(DSA_F_DSA_SIGN),	"DSA_sign"},
+{ERR_FUNC(DSA_F_DSA_SIGN_SETUP),	"DSA_sign_setup"},
+{ERR_FUNC(DSA_F_DSA_SIG_NEW),	"DSA_SIG_new"},
+{ERR_FUNC(DSA_F_DSA_VERIFY),	"DSA_verify"},
+{ERR_FUNC(DSA_F_I2D_DSA_SIG),	"i2d_DSA_SIG"},
+{ERR_FUNC(DSA_F_SIG_CB),	"SIG_CB"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA DSA_str_reasons[]=
 	{
-{DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE       ,"data too large for key size"},
-{DSA_R_MISSING_PARAMETERS                ,"missing parameters"},
+{ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
+{ERR_REASON(DSA_R_MISSING_PARAMETERS)    ,"missing parameters"},
 {0,NULL}
 	};
 
@@ -100,8 +104,8 @@ void ERR_load_DSA_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_DSA,DSA_str_functs);
-		ERR_load_strings(ERR_LIB_DSA,DSA_str_reasons);
+		ERR_load_strings(0,DSA_str_functs);
+		ERR_load_strings(0,DSA_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/dsa/dsa_gen.c b/crypto/openssl/crypto/dsa/dsa_gen.c
index e307beb3da75..6a6be3b57537 100644
--- a/crypto/openssl/crypto/dsa/dsa_gen.c
+++ b/crypto/openssl/crypto/dsa/dsa_gen.c
@@ -69,6 +69,8 @@
 #define HASH    EVP_sha1()
 #endif 
 
+#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_SHA is defined */
+
 #ifndef OPENSSL_NO_SHA
 
 #include <stdio.h>
@@ -80,12 +82,24 @@
 #include <openssl/rand.h>
 #include <openssl/sha.h>
 
-#ifndef OPENSSL_FIPS
-DSA *DSA_generate_parameters(int bits,
+static int dsa_builtin_paramgen(DSA *ret, int bits,
+		unsigned char *seed_in, int seed_len,
+		int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
+
+int DSA_generate_parameters_ex(DSA *ret, int bits,
+		unsigned char *seed_in, int seed_len,
+		int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
+	{
+	if(ret->meth->dsa_paramgen)
+		return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
+				counter_ret, h_ret, cb);
+	return dsa_builtin_paramgen(ret, bits, seed_in, seed_len,
+			counter_ret, h_ret, cb);
+	}
+
+static int dsa_builtin_paramgen(DSA *ret, int bits,
 		unsigned char *seed_in, int seed_len,
-		int *counter_ret, unsigned long *h_ret,
-		void (*callback)(int, int, void *),
-		void *cb_arg)
+		int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
 	{
 	int ok=0;
 	unsigned char seed[SHA_DIGEST_LENGTH];
@@ -97,9 +111,8 @@ DSA *DSA_generate_parameters(int bits,
 	int k,n=0,i,b,m=0;
 	int counter=0;
 	int r=0;
-	BN_CTX *ctx=NULL,*ctx2=NULL,*ctx3=NULL;
+	BN_CTX *ctx=NULL;
 	unsigned int h=2;
-	DSA *ret=NULL;
 
 	if (bits < 512) bits=512;
 	bits=(bits+63)/64*64;
@@ -113,23 +126,21 @@ DSA *DSA_generate_parameters(int bits,
 		memcpy(seed,seed_in,seed_len);
 
 	if ((ctx=BN_CTX_new()) == NULL) goto err;
-	if ((ctx2=BN_CTX_new()) == NULL) goto err;
-	if ((ctx3=BN_CTX_new()) == NULL) goto err;
-	if ((ret=DSA_new()) == NULL) goto err;
 
 	if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
 
-	BN_CTX_start(ctx2);
-	r0 = BN_CTX_get(ctx2);
-	g = BN_CTX_get(ctx2);
-	W = BN_CTX_get(ctx2);
-	q = BN_CTX_get(ctx2);
-	X = BN_CTX_get(ctx2);
-	c = BN_CTX_get(ctx2);
-	p = BN_CTX_get(ctx2);
-	test = BN_CTX_get(ctx2);
+	BN_CTX_start(ctx);
+	r0 = BN_CTX_get(ctx);
+	g = BN_CTX_get(ctx);
+	W = BN_CTX_get(ctx);
+	q = BN_CTX_get(ctx);
+	X = BN_CTX_get(ctx);
+	c = BN_CTX_get(ctx);
+	p = BN_CTX_get(ctx);
+	test = BN_CTX_get(ctx);
 
-	BN_lshift(test,BN_value_one(),bits-1);
+	if (!BN_lshift(test,BN_value_one(),bits-1))
+		goto err;
 
 	for (;;)
 		{
@@ -138,7 +149,8 @@ DSA *DSA_generate_parameters(int bits,
 			int seed_is_random;
 
 			/* step 1 */
-			if (callback != NULL) callback(0,m++,cb_arg);
+			if(!BN_GENCB_call(cb, 0, m++))
+				goto err;
 
 			if (!seed_len)
 				{
@@ -171,7 +183,8 @@ DSA *DSA_generate_parameters(int bits,
 			if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err;
 
 			/* step 4 */
-			r = BN_is_prime_fasttest(q, DSS_prime_checks, callback, ctx3, cb_arg, seed_is_random);
+			r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
+					seed_is_random, cb);
 			if (r > 0)
 				break;
 			if (r != 0)
@@ -181,8 +194,8 @@ DSA *DSA_generate_parameters(int bits,
 			/* step 5 */
 			}
 
-		if (callback != NULL) callback(2,0,cb_arg);
-		if (callback != NULL) callback(3,0,cb_arg);
+		if(!BN_GENCB_call(cb, 2, 0)) goto err;
+		if(!BN_GENCB_call(cb, 3, 0)) goto err;
 
 		/* step 6 */
 		counter=0;
@@ -193,8 +206,8 @@ DSA *DSA_generate_parameters(int bits,
 
 		for (;;)
 			{
-			if (callback != NULL && counter != 0)
-				callback(0,counter,cb_arg);
+			if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
+				goto err;
 
 			/* step 7 */
 			BN_zero(W);
@@ -213,26 +226,27 @@ DSA *DSA_generate_parameters(int bits,
 				/* step 8 */
 				if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
 					goto err;
-				BN_lshift(r0,r0,160*k);
-				BN_add(W,W,r0);
+				if (!BN_lshift(r0,r0,160*k)) goto err;
+				if (!BN_add(W,W,r0)) goto err;
 				}
 
 			/* more of step 8 */
-			BN_mask_bits(W,bits-1);
-			BN_copy(X,W); /* this should be ok */
-			BN_add(X,X,test); /* this should be ok */
+			if (!BN_mask_bits(W,bits-1)) goto err;
+			if (!BN_copy(X,W)) goto err;
+			if (!BN_add(X,X,test)) goto err;
 
 			/* step 9 */
-			BN_lshift1(r0,q);
-			BN_mod(c,X,r0,ctx);
-			BN_sub(r0,c,BN_value_one());
-			BN_sub(p,X,r0);
+			if (!BN_lshift1(r0,q)) goto err;
+			if (!BN_mod(c,X,r0,ctx)) goto err;
+			if (!BN_sub(r0,c,BN_value_one())) goto err;
+			if (!BN_sub(p,X,r0)) goto err;
 
 			/* step 10 */
 			if (BN_cmp(p,test) >= 0)
 				{
 				/* step 11 */
-				r = BN_is_prime_fasttest(p, DSS_prime_checks, callback, ctx3, cb_arg, 1);
+				r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
+						ctx, 1, cb);
 				if (r > 0)
 						goto end; /* found it */
 				if (r != 0)
@@ -248,52 +262,54 @@ DSA *DSA_generate_parameters(int bits,
 			}
 		}
 end:
-	if (callback != NULL) callback(2,1,cb_arg);
+	if(!BN_GENCB_call(cb, 2, 1))
+		goto err;
 
 	/* We now need to generate g */
 	/* Set r0=(p-1)/q */
-	BN_sub(test,p,BN_value_one());
-	BN_div(r0,NULL,test,q,ctx);
+	if (!BN_sub(test,p,BN_value_one())) goto err;
+	if (!BN_div(r0,NULL,test,q,ctx)) goto err;
 
-	BN_set_word(test,h);
-	BN_MONT_CTX_set(mont,p,ctx);
+	if (!BN_set_word(test,h)) goto err;
+	if (!BN_MONT_CTX_set(mont,p,ctx)) goto err;
 
 	for (;;)
 		{
 		/* g=test^r0%p */
-		BN_mod_exp_mont(g,test,r0,p,ctx,mont);
+		if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err;
 		if (!BN_is_one(g)) break;
-		BN_add(test,test,BN_value_one());
+		if (!BN_add(test,test,BN_value_one())) goto err;
 		h++;
 		}
 
-	if (callback != NULL) callback(3,1,cb_arg);
+	if(!BN_GENCB_call(cb, 3, 1))
+		goto err;
 
 	ok=1;
 err:
-	if (!ok)
-		{
-		if (ret != NULL) DSA_free(ret);
-		}
-	else
+	if (ok)
 		{
+		if(ret->p) BN_free(ret->p);
+		if(ret->q) BN_free(ret->q);
+		if(ret->g) BN_free(ret->g);
 		ret->p=BN_dup(p);
 		ret->q=BN_dup(q);
 		ret->g=BN_dup(g);
+		if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
+			{
+			ok=0;
+			goto err;
+			}
 		if ((m > 1) && (seed_in != NULL)) memcpy(seed_in,seed,20);
 		if (counter_ret != NULL) *counter_ret=counter;
 		if (h_ret != NULL) *h_ret=h;
 		}
-	if (ctx != NULL) BN_CTX_free(ctx);
-	if (ctx2 != NULL)
+	if(ctx)
 		{
-		BN_CTX_end(ctx2);
-		BN_CTX_free(ctx2);
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
 		}
-	if (ctx3 != NULL) BN_CTX_free(ctx3);
 	if (mont != NULL) BN_MONT_CTX_free(mont);
-	return(ok?ret:NULL);
+	return ok;
 	}
-#endif /* ndef OPENSSL_FIPS */
-#endif /* ndef OPENSSL_NO_SHA */
-
+#endif
diff --git a/crypto/openssl/crypto/dsa/dsa_key.c b/crypto/openssl/crypto/dsa/dsa_key.c
index 30607ca579fe..0423f2e00cd2 100644
--- a/crypto/openssl/crypto/dsa/dsa_key.c
+++ b/crypto/openssl/crypto/dsa/dsa_key.c
@@ -56,17 +56,25 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_SHA
 #include <stdio.h>
 #include <time.h>
 #include "cryptlib.h"
+#ifndef OPENSSL_NO_SHA
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 
-#ifndef OPENSSL_FIPS
+static int dsa_builtin_keygen(DSA *dsa);
+
 int DSA_generate_key(DSA *dsa)
 	{
+	if(dsa->meth->dsa_keygen)
+		return dsa->meth->dsa_keygen(dsa);
+	return dsa_builtin_keygen(dsa);
+	}
+
+static int dsa_builtin_keygen(DSA *dsa)
+	{
 	int ok=0;
 	BN_CTX *ctx=NULL;
 	BIGNUM *pub_key=NULL,*priv_key=NULL;
@@ -90,8 +98,22 @@ int DSA_generate_key(DSA *dsa)
 		}
 	else
 		pub_key=dsa->pub_key;
+	
+	{
+		BIGNUM local_prk;
+		BIGNUM *prk;
 
-	if (!BN_mod_exp(pub_key,dsa->g,priv_key,dsa->p,ctx)) goto err;
+		if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+			{
+			BN_init(&local_prk);
+			prk = &local_prk;
+			BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
+			}
+		else
+			prk = priv_key;
+
+		if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) goto err;
+	}
 
 	dsa->priv_key=priv_key;
 	dsa->pub_key=pub_key;
@@ -104,4 +126,3 @@ err:
 	return(ok);
 	}
 #endif
-#endif
diff --git a/crypto/openssl/crypto/dsa/dsa_lib.c b/crypto/openssl/crypto/dsa/dsa_lib.c
index 4171af24c6cd..b9825791bab4 100644
--- a/crypto/openssl/crypto/dsa/dsa_lib.c
+++ b/crypto/openssl/crypto/dsa/dsa_lib.c
@@ -66,6 +66,9 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
 
 const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT;
 
diff --git a/crypto/openssl/crypto/dsa/dsa_ossl.c b/crypto/openssl/crypto/dsa/dsa_ossl.c
index f1a85afcde86..3fd8a35613d3 100644
--- a/crypto/openssl/crypto/dsa/dsa_ossl.c
+++ b/crypto/openssl/crypto/dsa/dsa_ossl.c
@@ -65,33 +65,63 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
 
-#ifndef OPENSSL_FIPS
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 		  DSA *dsa);
 static int dsa_init(DSA *dsa);
 static int dsa_finish(DSA *dsa);
-static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
-		BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
-		BN_MONT_CTX *in_mont);
-static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-				const BIGNUM *m, BN_CTX *ctx,
-				BN_MONT_CTX *m_ctx);
 
 static DSA_METHOD openssl_dsa_meth = {
 "OpenSSL DSA method",
 dsa_do_sign,
 dsa_sign_setup,
 dsa_do_verify,
-dsa_mod_exp,
-dsa_bn_mod_exp,
+NULL, /* dsa_mod_exp, */
+NULL, /* dsa_bn_mod_exp, */
 dsa_init,
 dsa_finish,
 0,
+NULL,
+NULL,
 NULL
 };
 
+/* These macro wrappers replace attempts to use the dsa_mod_exp() and
+ * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
+ * having a the macro work as an expression by bundling an "err_instr". So;
+ * 
+ *     if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
+ *                 dsa->method_mont_p)) goto err;
+ *
+ * can be replaced by;
+ *
+ *     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
+ *                 dsa->method_mont_p);
+ */
+
+#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
+	do { \
+	int _tmp_res53; \
+	if((dsa)->meth->dsa_mod_exp) \
+		_tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
+				(a2), (p2), (m), (ctx), (in_mont)); \
+	else \
+		_tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
+				(m), (ctx), (in_mont)); \
+	if(!_tmp_res53) err_instr; \
+	} while(0)
+#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
+	do { \
+	int _tmp_res53; \
+	if((dsa)->meth->bn_mod_exp) \
+		_tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
+				(m), (ctx), (m_ctx)); \
+	else \
+		_tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
+	if(!_tmp_res53) err_instr; \
+	} while(0)
+
 const DSA_METHOD *DSA_OpenSSL(void)
 {
 	return &openssl_dsa_meth;
@@ -172,7 +202,7 @@ err:
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	{
 	BN_CTX *ctx;
-	BIGNUM k,*kinv=NULL,*r=NULL;
+	BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
 	int ret=0;
 
 	if (!dsa->p || !dsa->q || !dsa->g)
@@ -182,6 +212,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 		}
 
 	BN_init(&k);
+	BN_init(&kq);
 
 	if (ctx_in == NULL)
 		{
@@ -191,23 +222,50 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 		ctx=ctx_in;
 
 	if ((r=BN_new()) == NULL) goto err;
-	kinv=NULL;
 
 	/* Get random k */
 	do
 		if (!BN_rand_range(&k, dsa->q)) goto err;
 	while (BN_is_zero(&k));
+	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+		{
+		BN_set_flags(&k, BN_FLG_EXP_CONSTTIME);
+		}
 
-	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
 		{
-		if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
-				dsa->p,ctx)) goto err;
+		if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
+						CRYPTO_LOCK_DSA,
+						dsa->p, ctx))
+			goto err;
 		}
 
 	/* Compute r = (g^k mod p) mod q */
-	if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
-		(BN_MONT_CTX *)dsa->method_mont_p)) goto err;
+
+	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+		{
+		if (!BN_copy(&kq, &k)) goto err;
+
+		/* We do not want timing information to leak the length of k,
+		 * so we compute g^k using an equivalent exponent of fixed length.
+		 *
+		 * (This is a kludge that we need because the BN_mod_exp_mont()
+		 * does not let us specify the desired timing behaviour.) */
+
+		if (!BN_add(&kq, &kq, dsa->q)) goto err;
+		if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
+			{
+			if (!BN_add(&kq, &kq, dsa->q)) goto err;
+			}
+
+		K = &kq;
+		}
+	else
+		{
+		K = &k;
+		}
+	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
+			dsa->method_mont_p);
 	if (!BN_mod(r,r,dsa->q,ctx)) goto err;
 
 	/* Compute  part of 's = inv(k) (m + xr) mod q' */
@@ -229,6 +287,7 @@ err:
 	if (ctx_in == NULL) BN_CTX_free(ctx);
 	if (kinv != NULL) BN_clear_free(kinv);
 	BN_clear_free(&k);
+	BN_clear_free(&kq);
 	return(ret);
 	}
 
@@ -251,12 +310,14 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 
 	if ((ctx=BN_CTX_new()) == NULL) goto err;
 
-	if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0)
+	if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
+	    BN_ucmp(sig->r, dsa->q) >= 0)
 		{
 		ret = 0;
 		goto err;
 		}
-	if (BN_is_zero(sig->s) || sig->s->neg || BN_ucmp(sig->s, dsa->q) >= 0)
+	if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||
+	    BN_ucmp(sig->s, dsa->q) >= 0)
 		{
 		ret = 0;
 		goto err;
@@ -275,44 +336,28 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 	/* u2 = r * w mod q */
 	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
 
-	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+
+	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
 		{
-		if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
-				dsa->p,ctx)) goto err;
+		mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p,
+					CRYPTO_LOCK_DSA, dsa->p, ctx);
+		if (!mont)
+			goto err;
 		}
-	mont=(BN_MONT_CTX *)dsa->method_mont_p;
 
-#if 0
-	{
-	BIGNUM t2;
-
-	BN_init(&t2);
-	/* v = ( g^u1 * y^u2 mod p ) mod q */
-	/* let t1 = g ^ u1 mod p */
-	if (!BN_mod_exp_mont(&t1,dsa->g,&u1,dsa->p,ctx,mont)) goto err;
-	/* let t2 = y ^ u2 mod p */
-	if (!BN_mod_exp_mont(&t2,dsa->pub_key,&u2,dsa->p,ctx,mont)) goto err;
-	/* let u1 = t1 * t2 mod p */
-	if (!BN_mod_mul(&u1,&t1,&t2,dsa->p,ctx)) goto err_bn;
-	BN_free(&t2);
-	}
-	/* let u1 = u1 mod q */
-	if (!BN_mod(&u1,&u1,dsa->q,ctx)) goto err;
-#else
-	{
-	if (!dsa->meth->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2,
-						dsa->p,ctx,mont)) goto err;
+
+	DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont);
 	/* BN_copy(&u1,&t1); */
 	/* let u1 = u1 mod q */
 	if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
-	}
-#endif
+
 	/* V is now in u1.  If the signature is correct, it will be
 	 * equal to R. */
 	ret=(BN_ucmp(&u1, sig->r) == 0);
 
 	err:
+	/* XXX: surely this is wrong - if ret is 0, it just didn't verify;
+	   there is no error in BN. Test should be ret == -1 (Ben) */
 	if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
 	if (ctx != NULL) BN_CTX_free(ctx);
 	BN_free(&u1);
@@ -330,21 +375,7 @@ static int dsa_init(DSA *dsa)
 static int dsa_finish(DSA *dsa)
 {
 	if(dsa->method_mont_p)
-		BN_MONT_CTX_free((BN_MONT_CTX *)dsa->method_mont_p);
+		BN_MONT_CTX_free(dsa->method_mont_p);
 	return(1);
 }
 
-static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
-		BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
-		BN_MONT_CTX *in_mont)
-{
-	return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
-}
-	
-static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-				const BIGNUM *m, BN_CTX *ctx,
-				BN_MONT_CTX *m_ctx)
-{
-	return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
-}
-#endif
diff --git a/crypto/openssl/crypto/dsa/dsa_sign.c b/crypto/openssl/crypto/dsa/dsa_sign.c
index 3c9753bac391..89205026f01b 100644
--- a/crypto/openssl/crypto/dsa/dsa_sign.c
+++ b/crypto/openssl/crypto/dsa/dsa_sign.c
@@ -64,17 +64,9 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-#include <openssl/fips.h>
 
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 	{
-#ifdef OPENSSL_FIPS
-	if(FIPS_mode() && !FIPS_dsa_check(dsa))
-		return NULL;
-#endif
 	return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
 	}
 
@@ -95,10 +87,6 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	{
-#ifdef OPENSSL_FIPS
-	if(FIPS_mode() && !FIPS_dsa_check(dsa))
-		return 0;
-#endif
 	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
 	}
 
diff --git a/crypto/openssl/crypto/dsa/dsa_vrf.c b/crypto/openssl/crypto/dsa/dsa_vrf.c
index 8ef0c4502527..c4aeddd05604 100644
--- a/crypto/openssl/crypto/dsa/dsa_vrf.c
+++ b/crypto/openssl/crypto/dsa/dsa_vrf.c
@@ -65,18 +65,10 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1_mac.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-#include <openssl/fips.h>
 
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 		  DSA *dsa)
 	{
-#ifdef OPENSSL_FIPS
-	if(FIPS_mode() && !FIPS_dsa_check(dsa))
-		return -1;
-#endif
 	return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
 	}
 
diff --git a/crypto/openssl/crypto/dsa/dsatest.c b/crypto/openssl/crypto/dsa/dsatest.c
index 4734ce4af851..912317bb443c 100644
--- a/crypto/openssl/crypto/dsa/dsatest.c
+++ b/crypto/openssl/crypto/dsa/dsatest.c
@@ -56,6 +56,12 @@
  * [including the GNU Public Licence.]
  */
 
+/* Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code */
+#ifdef OPENSSL_NO_DEPRECATED
+#undef OPENSSL_NO_DEPRECATED
+#endif
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -68,6 +74,7 @@
 #include <openssl/rand.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
+#include <openssl/bn.h>
 
 #ifdef OPENSSL_NO_DSA
 int main(int argc, char *argv[])
@@ -84,7 +91,7 @@ int main(int argc, char *argv[])
 #define MS_CALLBACK
 #endif
 
-static void MS_CALLBACK dsa_cb(int p, int n, void *arg);
+static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *arg);
 
 /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to
  * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */
@@ -129,6 +136,7 @@ static BIO *bio_err=NULL;
 
 int main(int argc, char **argv)
 	{
+	BN_GENCB cb;
 	DSA *dsa=NULL;
 	int counter,ret=0,i,j;
 	unsigned char buf[256];
@@ -148,7 +156,10 @@ int main(int argc, char **argv)
 
 	BIO_printf(bio_err,"test generation of DSA parameters\n");
 
-	dsa=DSA_generate_parameters(512,seed,20,&counter,&h,dsa_cb,bio_err);
+	BN_GENCB_set(&cb, dsa_cb, bio_err);
+	if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
+				seed, 20, &counter, &h, &cb))
+		goto end;
 
 	BIO_printf(bio_err,"seed\n");
 	for (i=0; i<20; i+=4)
@@ -156,7 +167,7 @@ int main(int argc, char **argv)
 		BIO_printf(bio_err,"%02X%02X%02X%02X ",
 			seed[i],seed[i+1],seed[i+2],seed[i+3]);
 		}
-	BIO_printf(bio_err,"\ncounter=%d h=%d\n",counter,h);
+	BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h);
 		
 	if (dsa == NULL) goto end;
 	DSA_print(bio_err,dsa,0);
@@ -194,10 +205,19 @@ int main(int argc, char **argv)
 		BIO_printf(bio_err,"g value is wrong\n");
 		goto end;
 		}
+
+	dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME;
+	DSA_generate_key(dsa);
+	DSA_sign(0, str1, 20, sig, &siglen, dsa);
+	if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
+		ret=1;
+
+	dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME;
 	DSA_generate_key(dsa);
 	DSA_sign(0, str1, 20, sig, &siglen, dsa);
 	if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
 		ret=1;
+
 end:
 	if (!ret)
 		ERR_print_errors(bio_err);
@@ -211,17 +231,14 @@ end:
 		BIO_free(bio_err);
 		bio_err = NULL;
 		}
+#ifdef OPENSSL_SYS_NETWARE
+    if (!ret) printf("ERROR\n");
+#endif
 	EXIT(!ret);
 	return(0);
 	}
 
-static int cb_exit(int ec)
-	{
-	EXIT(ec);
-	return(0);		/* To keep some compilers quiet */
-	}
-
-static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
+static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *arg)
 	{
 	char c='*';
 	static int ok=0,num=0;
@@ -230,13 +247,14 @@ static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
 	if (p == 1) c='+';
 	if (p == 2) { c='*'; ok++; }
 	if (p == 3) c='\n';
-	BIO_write(arg,&c,1);
-	(void)BIO_flush(arg);
+	BIO_write(arg->arg,&c,1);
+	(void)BIO_flush(arg->arg);
 
 	if (!ok && (p == 0) && (num > 1))
 		{
 		BIO_printf((BIO *)arg,"error in dsatest\n");
-		cb_exit(1);
+		return 0;
 		}
+	return 1;
 	}
 #endif
diff --git a/crypto/openssl/crypto/dso/Makefile b/crypto/openssl/crypto/dso/Makefile
index dd8d24348583..07f5d8d159e6 100644
--- a/crypto/openssl/crypto/dso/Makefile
+++ b/crypto/openssl/crypto/dso/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/dso/Makefile
+# OpenSSL/crypto/dso/Makefile
 #
 
 DIR=	dso
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -53,7 +48,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -68,6 +64,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -84,43 +81,47 @@ dso_dl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dso_dl.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_dl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_dl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dso_dl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dso_dl.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_dl.c
+dso_dl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+dso_dl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dso_dl.o: ../cryptlib.h dso_dl.c
 dso_dlfcn.o: ../../e_os.h ../../include/openssl/bio.h
 dso_dlfcn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dso_dlfcn.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_dlfcn.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_dlfcn.o: ../../include/openssl/opensslconf.h
-dso_dlfcn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-dso_dlfcn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dso_dlfcn.o: ../cryptlib.h dso_dlfcn.c
+dso_dlfcn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dso_dlfcn.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dso_dlfcn.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_dlfcn.c
 dso_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 dso_err.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dso_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dso_err.o: ../../include/openssl/symhacks.h dso_err.c
+dso_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+dso_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dso_err.o: dso_err.c
 dso_lib.o: ../../e_os.h ../../include/openssl/bio.h
 dso_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dso_lib.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dso_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dso_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_lib.c
+dso_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+dso_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dso_lib.o: ../cryptlib.h dso_lib.c
 dso_null.o: ../../e_os.h ../../include/openssl/bio.h
 dso_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dso_null.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_null.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_null.o: ../../include/openssl/opensslconf.h
-dso_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-dso_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dso_null.o: ../cryptlib.h dso_null.c
+dso_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dso_null.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dso_null.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_null.c
 dso_openssl.o: ../../e_os.h ../../include/openssl/bio.h
 dso_openssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dso_openssl.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_openssl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_openssl.o: ../../include/openssl/opensslconf.h
 dso_openssl.o: ../../include/openssl/opensslv.h
+dso_openssl.o: ../../include/openssl/ossl_typ.h
 dso_openssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 dso_openssl.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_openssl.c
 dso_vms.o: ../../e_os.h ../../include/openssl/bio.h
@@ -128,13 +129,14 @@ dso_vms.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dso_vms.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_vms.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_vms.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dso_vms.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dso_vms.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_vms.c
+dso_vms.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+dso_vms.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dso_vms.o: ../cryptlib.h dso_vms.c
 dso_win32.o: ../../e_os.h ../../include/openssl/bio.h
 dso_win32.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dso_win32.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_win32.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_win32.o: ../../include/openssl/opensslconf.h
-dso_win32.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-dso_win32.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dso_win32.o: ../cryptlib.h dso_win32.c
+dso_win32.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dso_win32.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dso_win32.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_win32.c
diff --git a/crypto/openssl/crypto/dso/dso.h b/crypto/openssl/crypto/dso/dso.h
index aa721f7febb6..3e51913a725b 100644
--- a/crypto/openssl/crypto/dso/dso.h
+++ b/crypto/openssl/crypto/dso/dso.h
@@ -1,4 +1,4 @@
-/* dso.h */
+/* dso.h -*- mode:C; c-file-style: "eay" -*- */
 /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
  * project 2000.
  */
@@ -95,6 +95,13 @@ extern "C" {
  */
 #define DSO_FLAG_UPCASE_SYMBOL			0x10
 
+/* This flag loads the library with public symbols.
+ * Meaning: The exported symbols of this library are public
+ * to all libraries loaded after this library.
+ * At the moment only implemented in unix.
+ */
+#define DSO_FLAG_GLOBAL_SYMBOLS			0x20
+
 
 typedef void (*DSO_FUNC_TYPE)(void);
 
@@ -107,6 +114,22 @@ typedef struct dso_st DSO;
  * condition) or a newly allocated string containing the transformed form that
  * the caller will need to free with OPENSSL_free() when done. */
 typedef char* (*DSO_NAME_CONVERTER_FUNC)(DSO *, const char *);
+/* The function prototype used for method functions (or caller-provided
+ * callbacks) that merge two file specifications. They are passed a
+ * DSO structure pointer (or NULL if they are to be used independantly of
+ * a DSO object) and two file specifications to merge. They should
+ * either return NULL (if there is an error condition) or a newly allocated
+ * string containing the result of merging that the caller will need
+ * to free with OPENSSL_free() when done.
+ * Here, merging means that bits and pieces are taken from each of the
+ * file specifications and added together in whatever fashion that is
+ * sensible for the DSO method in question.  The only rule that really
+ * applies is that if the two specification contain pieces of the same
+ * type, the copy from the first string takes priority.  One could see
+ * it as the first specification is the one given by the user and the
+ * second being a bunch of defaults to add on if they're missing in the
+ * first. */
+typedef char* (*DSO_MERGER_FUNC)(DSO *, const char *, const char *);
 
 typedef struct dso_meth_st
 	{
@@ -140,6 +163,9 @@ typedef struct dso_meth_st
 	/* The default DSO_METHOD-specific function for converting filenames to
 	 * a canonical native form. */
 	DSO_NAME_CONVERTER_FUNC dso_name_converter;
+	/* The default DSO_METHOD-specific function for converting filenames to
+	 * a canonical native form. */
+	DSO_MERGER_FUNC dso_merger;
 
 	/* [De]Initialisation handlers. */
 	int (*init)(DSO *dso);
@@ -164,9 +190,13 @@ struct dso_st
 	 * don't touch meth_data! */
 	CRYPTO_EX_DATA ex_data;
 	/* If this callback function pointer is set to non-NULL, then it will
-	 * be used on DSO_load() in place of meth->dso_name_converter. NB: This
+	 * be used in DSO_load() in place of meth->dso_name_converter. NB: This
 	 * should normally set using DSO_set_name_converter(). */
 	DSO_NAME_CONVERTER_FUNC name_converter;
+	/* If this callback function pointer is set to non-NULL, then it will
+	 * be used in DSO_load() in place of meth->dso_merger. NB: This
+	 * should normally set using DSO_set_merger(). */
+	DSO_MERGER_FUNC merger;
 	/* This is populated with (a copy of) the platform-independant
 	 * filename used for this DSO. */
 	char *filename;
@@ -209,6 +239,11 @@ int	DSO_set_filename(DSO *dso, const char *filename);
  * caller-created DSO_METHODs can do the same thing. A non-NULL return value
  * will need to be OPENSSL_free()'d. */
 char	*DSO_convert_filename(DSO *dso, const char *filename);
+/* This function will invoke the DSO's merger callback to merge two file
+ * specifications, or if the callback isn't set it will instead use the
+ * DSO_METHOD's merger.  A non-NULL return value will need to be
+ * OPENSSL_free()'d. */
+char	*DSO_merge(DSO *dso, const char *filespec1, const char *filespec2);
 /* If the DSO is currently loaded, this returns the filename that it was loaded
  * under, otherwise it returns NULL. So it is also useful as a test as to
  * whether the DSO is currently loaded. NB: This will not necessarily return
@@ -273,11 +308,13 @@ void ERR_load_DSO_strings(void);
 #define DSO_F_DLFCN_BIND_FUNC				 100
 #define DSO_F_DLFCN_BIND_VAR				 101
 #define DSO_F_DLFCN_LOAD				 102
+#define DSO_F_DLFCN_MERGER				 130
 #define DSO_F_DLFCN_NAME_CONVERTER			 123
 #define DSO_F_DLFCN_UNLOAD				 103
 #define DSO_F_DL_BIND_FUNC				 104
 #define DSO_F_DL_BIND_VAR				 105
 #define DSO_F_DL_LOAD					 106
+#define DSO_F_DL_MERGER					 131
 #define DSO_F_DL_NAME_CONVERTER				 124
 #define DSO_F_DL_UNLOAD					 107
 #define DSO_F_DSO_BIND_FUNC				 108
@@ -288,27 +325,36 @@ void ERR_load_DSO_strings(void);
 #define DSO_F_DSO_GET_FILENAME				 127
 #define DSO_F_DSO_GET_LOADED_FILENAME			 128
 #define DSO_F_DSO_LOAD					 112
+#define DSO_F_DSO_MERGE					 132
 #define DSO_F_DSO_NEW_METHOD				 113
 #define DSO_F_DSO_SET_FILENAME				 129
 #define DSO_F_DSO_SET_NAME_CONVERTER			 122
 #define DSO_F_DSO_UP_REF				 114
-#define DSO_F_VMS_BIND_VAR				 115
+#define DSO_F_VMS_BIND_SYM				 115
 #define DSO_F_VMS_LOAD					 116
+#define DSO_F_VMS_MERGER				 133
 #define DSO_F_VMS_UNLOAD				 117
 #define DSO_F_WIN32_BIND_FUNC				 118
 #define DSO_F_WIN32_BIND_VAR				 119
+#define DSO_F_WIN32_JOINER				 135
 #define DSO_F_WIN32_LOAD				 120
+#define DSO_F_WIN32_MERGER				 134
 #define DSO_F_WIN32_NAME_CONVERTER			 125
+#define DSO_F_WIN32_SPLITTER				 136
 #define DSO_F_WIN32_UNLOAD				 121
 
 /* Reason codes. */
 #define DSO_R_CTRL_FAILED				 100
 #define DSO_R_DSO_ALREADY_LOADED			 110
+#define DSO_R_EMPTY_FILE_STRUCTURE			 113
+#define DSO_R_FAILURE					 114
 #define DSO_R_FILENAME_TOO_BIG				 101
 #define DSO_R_FINISH_FAILED				 102
+#define DSO_R_INCORRECT_FILE_SYNTAX			 115
 #define DSO_R_LOAD_FAILED				 103
 #define DSO_R_NAME_TRANSLATION_FAILED			 109
 #define DSO_R_NO_FILENAME				 111
+#define DSO_R_NO_FILE_SPECIFICATION			 116
 #define DSO_R_NULL_HANDLE				 104
 #define DSO_R_SET_FILENAME_FAILED			 112
 #define DSO_R_STACK_ERROR				 105
diff --git a/crypto/openssl/crypto/dso/dso_dl.c b/crypto/openssl/crypto/dso/dso_dl.c
index 79d2cb4d8c8d..417abb6ea95f 100644
--- a/crypto/openssl/crypto/dso/dso_dl.c
+++ b/crypto/openssl/crypto/dso/dso_dl.c
@@ -1,4 +1,4 @@
-/* dso_dl.c */
+/* dso_dl.c -*- mode:C; c-file-style: "eay" -*- */
 /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
  * project 2000.
  */
@@ -84,6 +84,7 @@ static int dl_finish(DSO *dso);
 static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg);
 #endif
 static char *dl_name_converter(DSO *dso, const char *filename);
+static char *dl_merger(DSO *dso, const char *filespec1, const char *filespec2);
 
 static DSO_METHOD dso_meth_dl = {
 	"OpenSSL 'dl' shared library method",
@@ -98,6 +99,7 @@ static DSO_METHOD dso_meth_dl = {
 #endif
 	NULL, /* ctrl */
 	dl_name_converter,
+	dl_merger,
 	NULL, /* init */
 	NULL  /* finish */
 	};
@@ -126,7 +128,8 @@ static int dl_load(DSO *dso)
 		DSOerr(DSO_F_DL_LOAD,DSO_R_NO_FILENAME);
 		goto err;
 		}
-	ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, 0L);
+	ptr = shl_load(filename, BIND_IMMEDIATE |
+		(dso->flags&DSO_FLAG_NO_NAME_TRANSLATION?0:DYNAMIC_PATH), 0L);
 	if(ptr == NULL)
 		{
 		DSOerr(DSO_F_DL_LOAD,DSO_R_LOAD_FAILED);
@@ -238,6 +241,72 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname)
 	return((DSO_FUNC_TYPE)sym);
 	}
 
+static char *dl_merger(DSO *dso, const char *filespec1, const char *filespec2)
+	{
+	char *merged;
+
+	if(!filespec1 && !filespec2)
+		{
+		DSOerr(DSO_F_DL_MERGER,
+				ERR_R_PASSED_NULL_PARAMETER);
+		return(NULL);
+		}
+	/* If the first file specification is a rooted path, it rules.
+	   same goes if the second file specification is missing. */
+	if (!filespec2 || filespec1[0] == '/')
+		{
+		merged = OPENSSL_malloc(strlen(filespec1) + 1);
+		if(!merged)
+			{
+			DSOerr(DSO_F_DL_MERGER,
+				ERR_R_MALLOC_FAILURE);
+			return(NULL);
+			}
+		strcpy(merged, filespec1);
+		}
+	/* If the first file specification is missing, the second one rules. */
+	else if (!filespec1)
+		{
+		merged = OPENSSL_malloc(strlen(filespec2) + 1);
+		if(!merged)
+			{
+			DSOerr(DSO_F_DL_MERGER,
+				ERR_R_MALLOC_FAILURE);
+			return(NULL);
+			}
+		strcpy(merged, filespec2);
+		}
+	else
+		/* This part isn't as trivial as it looks.  It assumes that
+		   the second file specification really is a directory, and
+		   makes no checks whatsoever.  Therefore, the result becomes
+		   the concatenation of filespec2 followed by a slash followed
+		   by filespec1. */
+		{
+		int spec2len, len;
+
+		spec2len = (filespec2 ? strlen(filespec2) : 0);
+		len = spec2len + (filespec1 ? strlen(filespec1) : 0);
+
+		if(filespec2 && filespec2[spec2len - 1] == '/')
+			{
+			spec2len--;
+			len--;
+			}
+		merged = OPENSSL_malloc(len + 2);
+		if(!merged)
+			{
+			DSOerr(DSO_F_DL_MERGER,
+				ERR_R_MALLOC_FAILURE);
+			return(NULL);
+			}
+		strcpy(merged, filespec2);
+		merged[spec2len] = '/';
+		strcpy(&merged[spec2len + 1], filespec1);
+		}
+	return(merged);
+	}
+
 /* This function is identical to the one in dso_dlfcn.c, but as it is highly
  * unlikely that both the "dl" *and* "dlfcn" variants are being compiled at the
  * same time, there's no great duplicating the code. Figuring out an elegant 
diff --git a/crypto/openssl/crypto/dso/dso_dlfcn.c b/crypto/openssl/crypto/dso/dso_dlfcn.c
index 9d49ebc25373..1fd10104c521 100644
--- a/crypto/openssl/crypto/dso/dso_dlfcn.c
+++ b/crypto/openssl/crypto/dso/dso_dlfcn.c
@@ -1,4 +1,4 @@
-/* dso_dlfcn.c */
+/* dso_dlfcn.c -*- mode:C; c-file-style: "eay" -*- */
 /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
  * project 2000.
  */
@@ -85,6 +85,8 @@ static int dlfcn_finish(DSO *dso);
 static long dlfcn_ctrl(DSO *dso, int cmd, long larg, void *parg);
 #endif
 static char *dlfcn_name_converter(DSO *dso, const char *filename);
+static char *dlfcn_merger(DSO *dso, const char *filespec1,
+	const char *filespec2);
 
 static DSO_METHOD dso_meth_dlfcn = {
 	"OpenSSL 'dlfcn' shared library method",
@@ -99,6 +101,7 @@ static DSO_METHOD dso_meth_dlfcn = {
 #endif
 	NULL, /* ctrl */
 	dlfcn_name_converter,
+	dlfcn_merger,
 	NULL, /* init */
 	NULL  /* finish */
 	};
@@ -141,13 +144,19 @@ static int dlfcn_load(DSO *dso)
 	void *ptr = NULL;
 	/* See applicable comments in dso_dl.c */
 	char *filename = DSO_convert_filename(dso, NULL);
+	int flags = DLOPEN_FLAG;
 
 	if(filename == NULL)
 		{
 		DSOerr(DSO_F_DLFCN_LOAD,DSO_R_NO_FILENAME);
 		goto err;
 		}
-	ptr = dlopen(filename, DLOPEN_FLAG);
+
+#ifdef RTLD_GLOBAL
+	if (dso->flags & DSO_FLAG_GLOBAL_SYMBOLS)
+		flags |= RTLD_GLOBAL;
+#endif
+	ptr = dlopen(filename, flags);
 	if(ptr == NULL)
 		{
 		DSOerr(DSO_F_DLFCN_LOAD,DSO_R_LOAD_FAILED);
@@ -228,7 +237,7 @@ static void *dlfcn_bind_var(DSO *dso, const char *symname)
 static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
 	{
 	void *ptr;
-	DSO_FUNC_TYPE sym;
+	DSO_FUNC_TYPE sym, *tsym = &sym;
 
 	if((dso == NULL) || (symname == NULL))
 		{
@@ -246,7 +255,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
 		DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
 		return(NULL);
 		}
-	sym = (DSO_FUNC_TYPE)dlsym(ptr, symname);
+	*(void **)(tsym) = dlsym(ptr, symname);
 	if(sym == NULL)
 		{
 		DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);
@@ -256,6 +265,73 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
 	return(sym);
 	}
 
+static char *dlfcn_merger(DSO *dso, const char *filespec1,
+	const char *filespec2)
+	{
+	char *merged;
+
+	if(!filespec1 && !filespec2)
+		{
+		DSOerr(DSO_F_DLFCN_MERGER,
+				ERR_R_PASSED_NULL_PARAMETER);
+		return(NULL);
+		}
+	/* If the first file specification is a rooted path, it rules.
+	   same goes if the second file specification is missing. */
+	if (!filespec2 || filespec1[0] == '/')
+		{
+		merged = OPENSSL_malloc(strlen(filespec1) + 1);
+		if(!merged)
+			{
+			DSOerr(DSO_F_DLFCN_MERGER,
+				ERR_R_MALLOC_FAILURE);
+			return(NULL);
+			}
+		strcpy(merged, filespec1);
+		}
+	/* If the first file specification is missing, the second one rules. */
+	else if (!filespec1)
+		{
+		merged = OPENSSL_malloc(strlen(filespec2) + 1);
+		if(!merged)
+			{
+			DSOerr(DSO_F_DLFCN_MERGER,
+				ERR_R_MALLOC_FAILURE);
+			return(NULL);
+			}
+		strcpy(merged, filespec2);
+		}
+	else
+		/* This part isn't as trivial as it looks.  It assumes that
+		   the second file specification really is a directory, and
+		   makes no checks whatsoever.  Therefore, the result becomes
+		   the concatenation of filespec2 followed by a slash followed
+		   by filespec1. */
+		{
+		int spec2len, len;
+
+		spec2len = (filespec2 ? strlen(filespec2) : 0);
+		len = spec2len + (filespec1 ? strlen(filespec1) : 0);
+
+		if(filespec2 && filespec2[spec2len - 1] == '/')
+			{
+			spec2len--;
+			len--;
+			}
+		merged = OPENSSL_malloc(len + 2);
+		if(!merged)
+			{
+			DSOerr(DSO_F_DLFCN_MERGER,
+				ERR_R_MALLOC_FAILURE);
+			return(NULL);
+			}
+		strcpy(merged, filespec2);
+		merged[spec2len] = '/';
+		strcpy(&merged[spec2len + 1], filespec1);
+		}
+	return(merged);
+	}
+
 static char *dlfcn_name_converter(DSO *dso, const char *filename)
 	{
 	char *translated;
diff --git a/crypto/openssl/crypto/dso/dso_err.c b/crypto/openssl/crypto/dso/dso_err.c
index cf452de1aa06..aa91170b1be9 100644
--- a/crypto/openssl/crypto/dso/dso_err.c
+++ b/crypto/openssl/crypto/dso/dso_err.c
@@ -1,6 +1,6 @@
 /* crypto/dso/dso_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,56 +64,71 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSO,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSO,0,reason)
+
 static ERR_STRING_DATA DSO_str_functs[]=
 	{
-{ERR_PACK(0,DSO_F_DLFCN_BIND_FUNC,0),	"DLFCN_BIND_FUNC"},
-{ERR_PACK(0,DSO_F_DLFCN_BIND_VAR,0),	"DLFCN_BIND_VAR"},
-{ERR_PACK(0,DSO_F_DLFCN_LOAD,0),	"DLFCN_LOAD"},
-{ERR_PACK(0,DSO_F_DLFCN_NAME_CONVERTER,0),	"DLFCN_NAME_CONVERTER"},
-{ERR_PACK(0,DSO_F_DLFCN_UNLOAD,0),	"DLFCN_UNLOAD"},
-{ERR_PACK(0,DSO_F_DL_BIND_FUNC,0),	"DL_BIND_FUNC"},
-{ERR_PACK(0,DSO_F_DL_BIND_VAR,0),	"DL_BIND_VAR"},
-{ERR_PACK(0,DSO_F_DL_LOAD,0),	"DL_LOAD"},
-{ERR_PACK(0,DSO_F_DL_NAME_CONVERTER,0),	"DL_NAME_CONVERTER"},
-{ERR_PACK(0,DSO_F_DL_UNLOAD,0),	"DL_UNLOAD"},
-{ERR_PACK(0,DSO_F_DSO_BIND_FUNC,0),	"DSO_bind_func"},
-{ERR_PACK(0,DSO_F_DSO_BIND_VAR,0),	"DSO_bind_var"},
-{ERR_PACK(0,DSO_F_DSO_CONVERT_FILENAME,0),	"DSO_convert_filename"},
-{ERR_PACK(0,DSO_F_DSO_CTRL,0),	"DSO_ctrl"},
-{ERR_PACK(0,DSO_F_DSO_FREE,0),	"DSO_free"},
-{ERR_PACK(0,DSO_F_DSO_GET_FILENAME,0),	"DSO_get_filename"},
-{ERR_PACK(0,DSO_F_DSO_GET_LOADED_FILENAME,0),	"DSO_get_loaded_filename"},
-{ERR_PACK(0,DSO_F_DSO_LOAD,0),	"DSO_load"},
-{ERR_PACK(0,DSO_F_DSO_NEW_METHOD,0),	"DSO_new_method"},
-{ERR_PACK(0,DSO_F_DSO_SET_FILENAME,0),	"DSO_set_filename"},
-{ERR_PACK(0,DSO_F_DSO_SET_NAME_CONVERTER,0),	"DSO_set_name_converter"},
-{ERR_PACK(0,DSO_F_DSO_UP_REF,0),	"DSO_up_ref"},
-{ERR_PACK(0,DSO_F_VMS_BIND_VAR,0),	"VMS_BIND_VAR"},
-{ERR_PACK(0,DSO_F_VMS_LOAD,0),	"VMS_LOAD"},
-{ERR_PACK(0,DSO_F_VMS_UNLOAD,0),	"VMS_UNLOAD"},
-{ERR_PACK(0,DSO_F_WIN32_BIND_FUNC,0),	"WIN32_BIND_FUNC"},
-{ERR_PACK(0,DSO_F_WIN32_BIND_VAR,0),	"WIN32_BIND_VAR"},
-{ERR_PACK(0,DSO_F_WIN32_LOAD,0),	"WIN32_LOAD"},
-{ERR_PACK(0,DSO_F_WIN32_NAME_CONVERTER,0),	"WIN32_NAME_CONVERTER"},
-{ERR_PACK(0,DSO_F_WIN32_UNLOAD,0),	"WIN32_UNLOAD"},
+{ERR_FUNC(DSO_F_DLFCN_BIND_FUNC),	"DLFCN_BIND_FUNC"},
+{ERR_FUNC(DSO_F_DLFCN_BIND_VAR),	"DLFCN_BIND_VAR"},
+{ERR_FUNC(DSO_F_DLFCN_LOAD),	"DLFCN_LOAD"},
+{ERR_FUNC(DSO_F_DLFCN_MERGER),	"DLFCN_MERGER"},
+{ERR_FUNC(DSO_F_DLFCN_NAME_CONVERTER),	"DLFCN_NAME_CONVERTER"},
+{ERR_FUNC(DSO_F_DLFCN_UNLOAD),	"DLFCN_UNLOAD"},
+{ERR_FUNC(DSO_F_DL_BIND_FUNC),	"DL_BIND_FUNC"},
+{ERR_FUNC(DSO_F_DL_BIND_VAR),	"DL_BIND_VAR"},
+{ERR_FUNC(DSO_F_DL_LOAD),	"DL_LOAD"},
+{ERR_FUNC(DSO_F_DL_MERGER),	"DL_MERGER"},
+{ERR_FUNC(DSO_F_DL_NAME_CONVERTER),	"DL_NAME_CONVERTER"},
+{ERR_FUNC(DSO_F_DL_UNLOAD),	"DL_UNLOAD"},
+{ERR_FUNC(DSO_F_DSO_BIND_FUNC),	"DSO_bind_func"},
+{ERR_FUNC(DSO_F_DSO_BIND_VAR),	"DSO_bind_var"},
+{ERR_FUNC(DSO_F_DSO_CONVERT_FILENAME),	"DSO_convert_filename"},
+{ERR_FUNC(DSO_F_DSO_CTRL),	"DSO_ctrl"},
+{ERR_FUNC(DSO_F_DSO_FREE),	"DSO_free"},
+{ERR_FUNC(DSO_F_DSO_GET_FILENAME),	"DSO_get_filename"},
+{ERR_FUNC(DSO_F_DSO_GET_LOADED_FILENAME),	"DSO_get_loaded_filename"},
+{ERR_FUNC(DSO_F_DSO_LOAD),	"DSO_load"},
+{ERR_FUNC(DSO_F_DSO_MERGE),	"DSO_merge"},
+{ERR_FUNC(DSO_F_DSO_NEW_METHOD),	"DSO_new_method"},
+{ERR_FUNC(DSO_F_DSO_SET_FILENAME),	"DSO_set_filename"},
+{ERR_FUNC(DSO_F_DSO_SET_NAME_CONVERTER),	"DSO_set_name_converter"},
+{ERR_FUNC(DSO_F_DSO_UP_REF),	"DSO_up_ref"},
+{ERR_FUNC(DSO_F_VMS_BIND_SYM),	"VMS_BIND_SYM"},
+{ERR_FUNC(DSO_F_VMS_LOAD),	"VMS_LOAD"},
+{ERR_FUNC(DSO_F_VMS_MERGER),	"VMS_MERGER"},
+{ERR_FUNC(DSO_F_VMS_UNLOAD),	"VMS_UNLOAD"},
+{ERR_FUNC(DSO_F_WIN32_BIND_FUNC),	"WIN32_BIND_FUNC"},
+{ERR_FUNC(DSO_F_WIN32_BIND_VAR),	"WIN32_BIND_VAR"},
+{ERR_FUNC(DSO_F_WIN32_JOINER),	"WIN32_JOINER"},
+{ERR_FUNC(DSO_F_WIN32_LOAD),	"WIN32_LOAD"},
+{ERR_FUNC(DSO_F_WIN32_MERGER),	"WIN32_MERGER"},
+{ERR_FUNC(DSO_F_WIN32_NAME_CONVERTER),	"WIN32_NAME_CONVERTER"},
+{ERR_FUNC(DSO_F_WIN32_SPLITTER),	"WIN32_SPLITTER"},
+{ERR_FUNC(DSO_F_WIN32_UNLOAD),	"WIN32_UNLOAD"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA DSO_str_reasons[]=
 	{
-{DSO_R_CTRL_FAILED                       ,"control command failed"},
-{DSO_R_DSO_ALREADY_LOADED                ,"dso already loaded"},
-{DSO_R_FILENAME_TOO_BIG                  ,"filename too big"},
-{DSO_R_FINISH_FAILED                     ,"cleanup method function failed"},
-{DSO_R_LOAD_FAILED                       ,"could not load the shared library"},
-{DSO_R_NAME_TRANSLATION_FAILED           ,"name translation failed"},
-{DSO_R_NO_FILENAME                       ,"no filename"},
-{DSO_R_NULL_HANDLE                       ,"a null shared library handle was used"},
-{DSO_R_SET_FILENAME_FAILED               ,"set filename failed"},
-{DSO_R_STACK_ERROR                       ,"the meth_data stack is corrupt"},
-{DSO_R_SYM_FAILURE                       ,"could not bind to the requested symbol name"},
-{DSO_R_UNLOAD_FAILED                     ,"could not unload the shared library"},
-{DSO_R_UNSUPPORTED                       ,"functionality not supported"},
+{ERR_REASON(DSO_R_CTRL_FAILED)           ,"control command failed"},
+{ERR_REASON(DSO_R_DSO_ALREADY_LOADED)    ,"dso already loaded"},
+{ERR_REASON(DSO_R_EMPTY_FILE_STRUCTURE)  ,"empty file structure"},
+{ERR_REASON(DSO_R_FAILURE)               ,"failure"},
+{ERR_REASON(DSO_R_FILENAME_TOO_BIG)      ,"filename too big"},
+{ERR_REASON(DSO_R_FINISH_FAILED)         ,"cleanup method function failed"},
+{ERR_REASON(DSO_R_INCORRECT_FILE_SYNTAX) ,"incorrect file syntax"},
+{ERR_REASON(DSO_R_LOAD_FAILED)           ,"could not load the shared library"},
+{ERR_REASON(DSO_R_NAME_TRANSLATION_FAILED),"name translation failed"},
+{ERR_REASON(DSO_R_NO_FILENAME)           ,"no filename"},
+{ERR_REASON(DSO_R_NO_FILE_SPECIFICATION) ,"no file specification"},
+{ERR_REASON(DSO_R_NULL_HANDLE)           ,"a null shared library handle was used"},
+{ERR_REASON(DSO_R_SET_FILENAME_FAILED)   ,"set filename failed"},
+{ERR_REASON(DSO_R_STACK_ERROR)           ,"the meth_data stack is corrupt"},
+{ERR_REASON(DSO_R_SYM_FAILURE)           ,"could not bind to the requested symbol name"},
+{ERR_REASON(DSO_R_UNLOAD_FAILED)         ,"could not unload the shared library"},
+{ERR_REASON(DSO_R_UNSUPPORTED)           ,"functionality not supported"},
 {0,NULL}
 	};
 
@@ -127,8 +142,8 @@ void ERR_load_DSO_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_DSO,DSO_str_functs);
-		ERR_load_strings(ERR_LIB_DSO,DSO_str_reasons);
+		ERR_load_strings(0,DSO_str_functs);
+		ERR_load_strings(0,DSO_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/dso/dso_lib.c b/crypto/openssl/crypto/dso/dso_lib.c
index 48d9fdb25e2b..49bdd7130976 100644
--- a/crypto/openssl/crypto/dso/dso_lib.c
+++ b/crypto/openssl/crypto/dso/dso_lib.c
@@ -1,4 +1,4 @@
-/* dso_lib.c */
+/* dso_lib.c -*- mode:C; c-file-style: "eay" -*- */
 /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
  * project 2000.
  */
@@ -390,6 +390,33 @@ int DSO_set_filename(DSO *dso, const char *filename)
 	return(1);
 	}
 
+char *DSO_merge(DSO *dso, const char *filespec1, const char *filespec2)
+	{
+	char *result = NULL;
+
+	if(dso == NULL || filespec1 == NULL)
+		{
+		DSOerr(DSO_F_DSO_MERGE,ERR_R_PASSED_NULL_PARAMETER);
+		return(NULL);
+		}
+	if(filespec1 == NULL)
+		filespec1 = dso->filename;
+	if(filespec1 == NULL)
+		{
+		DSOerr(DSO_F_DSO_MERGE,DSO_R_NO_FILE_SPECIFICATION);
+		return(NULL);
+		}
+	if((dso->flags & DSO_FLAG_NO_NAME_TRANSLATION) == 0)
+		{
+		if(dso->merger != NULL)
+			result = dso->merger(dso, filespec1, filespec2);
+		else if(dso->meth->dso_merger != NULL)
+			result = dso->meth->dso_merger(dso,
+				filespec1, filespec2);
+		}
+	return(result);
+	}
+
 char *DSO_convert_filename(DSO *dso, const char *filename)
 	{
 	char *result = NULL;
diff --git a/crypto/openssl/crypto/dso/dso_null.c b/crypto/openssl/crypto/dso/dso_null.c
index fa13a7cb0f18..497298465127 100644
--- a/crypto/openssl/crypto/dso/dso_null.c
+++ b/crypto/openssl/crypto/dso/dso_null.c
@@ -75,6 +75,8 @@ static DSO_METHOD dso_meth_null = {
 	NULL, /* unbind_func */
 #endif
 	NULL, /* ctrl */
+	NULL, /* dso_name_converter */
+	NULL, /* dso_merger */
 	NULL, /* init */
 	NULL  /* finish */
 	};
diff --git a/crypto/openssl/crypto/ebcdic.c b/crypto/openssl/crypto/ebcdic.c
index d1bece87f7d7..43e53bcaf7d9 100644
--- a/crypto/openssl/crypto/ebcdic.c
+++ b/crypto/openssl/crypto/ebcdic.c
@@ -1,6 +1,14 @@
 /* crypto/ebcdic.c */
 
-#ifdef CHARSET_EBCDIC
+#ifndef CHARSET_EBCDIC
+
+#include <openssl/e_os2.h>
+#if defined(PEDANTIC) || defined(__DECC) || defined(OPENSSL_SYS_MACOSX)
+static void *dummy=&dummy;
+#endif
+
+#else /*CHARSET_EBCDIC*/
+
 #include "ebcdic.h"
 /*      Initial Port for  Apache-1.3     by <Martin.Kraemer@Mch.SNI.De>
  *      Adapted for       OpenSSL-0.9.4  by <Martin.Kraemer@Mch.SNI.De>
@@ -210,9 +218,4 @@ ascii2ebcdic(void *dest, const void *srce, size_t count)
     return dest;
 }
 
-#else /*CHARSET_EBCDIC*/
-#include <openssl/e_os2.h>
-#if defined(PEDANTIC) || defined(__DECC) || defined(OPENSSL_SYS_MACOSX)
-static void *dummy=&dummy;
-#endif
 #endif
diff --git a/crypto/openssl/crypto/ec/Makefile b/crypto/openssl/crypto/ec/Makefile
index 92272f288155..42f7bb7fc8d4 100644
--- a/crypto/openssl/crypto/ec/Makefile
+++ b/crypto/openssl/crypto/ec/Makefile
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -22,11 +17,13 @@ TEST=ectest.c
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC=	ec_lib.c ecp_smpl.c ecp_mont.c ecp_recp.c ecp_nist.c ec_cvt.c ec_mult.c \
-	ec_err.c
+LIBSRC=	ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c\
+	ec_err.c ec_curve.c ec_check.c ec_print.c ec_asn1.c ec_key.c\
+	ec2_smpl.c ec2_smpt.c ec2_mult.c
 
-LIBOBJ=	ec_lib.o ecp_smpl.o ecp_mont.o ecp_recp.o ecp_nist.o ec_cvt.o ec_mult.o \
-	ec_err.o
+LIBOBJ=	ec_lib.o ecp_smpl.o ecp_mont.o ecp_nist.o ec_cvt.o ec_mult.o\
+	ec_err.o ec_curve.o ec_check.o ec_print.o ec_asn1.o ec_key.o\
+	ec2_smpl.o ec2_mult.o
 
 SRC= $(LIBSRC)
 
@@ -54,7 +51,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -69,6 +67,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -80,47 +79,115 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-ec_cvt.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h
-ec_cvt.o: ../../include/openssl/ec.h ../../include/openssl/opensslconf.h
+ec2_mult.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ec2_mult.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ec2_mult.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ec2_mult.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ec2_mult.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
+ec2_mult.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ec2_mult.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ec2_mult.o: ../../include/openssl/symhacks.h ec2_mult.c ec_lcl.h
+ec2_smpl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ec2_smpl.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ec2_smpl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ec2_smpl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ec2_smpl.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
+ec2_smpl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ec2_smpl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ec2_smpl.o: ../../include/openssl/symhacks.h ec2_smpl.c ec2_smpt.c ec_lcl.h
+ec2_smpt.o: ec2_smpt.c
+ec_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+ec_asn1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ec_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ec_asn1.o: ../../include/openssl/ec.h ../../include/openssl/err.h
+ec_asn1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ec_asn1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+ec_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ec_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ec_asn1.o: ../../include/openssl/symhacks.h ec_asn1.c ec_lcl.h
+ec_check.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ec_check.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ec_check.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ec_check.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ec_check.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
+ec_check.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ec_check.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ec_check.o: ../../include/openssl/symhacks.h ec_check.c ec_lcl.h
+ec_curve.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ec_curve.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ec_curve.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ec_curve.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ec_curve.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
+ec_curve.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ec_curve.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ec_curve.o: ../../include/openssl/symhacks.h ec_curve.c ec_lcl.h
+ec_cvt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ec_cvt.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ec_cvt.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ec_cvt.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ec_cvt.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
+ec_cvt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ec_cvt.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 ec_cvt.o: ../../include/openssl/symhacks.h ec_cvt.c ec_lcl.h
-ec_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ec_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 ec_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 ec_err.o: ../../include/openssl/ec.h ../../include/openssl/err.h
 ec_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-ec_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-ec_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ec_err.o: ec_err.c
-ec_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-ec_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ec_lib.o: ../../include/openssl/ec.h ../../include/openssl/err.h
-ec_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-ec_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-ec_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ec_lib.o: ec_lcl.h ec_lib.c
-ec_mult.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-ec_mult.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ec_mult.o: ../../include/openssl/ec.h ../../include/openssl/err.h
-ec_mult.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-ec_mult.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-ec_mult.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ec_mult.o: ec_lcl.h ec_mult.c
-ecp_mont.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-ecp_mont.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ecp_mont.o: ../../include/openssl/ec.h ../../include/openssl/err.h
-ecp_mont.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-ecp_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-ecp_mont.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ecp_mont.o: ec_lcl.h ecp_mont.c
-ecp_nist.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h
-ecp_nist.o: ../../include/openssl/ec.h ../../include/openssl/opensslconf.h
+ec_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ec_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ec_err.o: ../../include/openssl/symhacks.h ec_err.c
+ec_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ec_key.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ec_key.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ec_key.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ec_key.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
+ec_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ec_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ec_key.o: ../../include/openssl/symhacks.h ec_key.c ec_lcl.h
+ec_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ec_lib.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ec_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ec_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ec_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
+ec_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ec_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ec_lib.o: ../../include/openssl/symhacks.h ec_lcl.h ec_lib.c
+ec_mult.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ec_mult.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ec_mult.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ec_mult.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ec_mult.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
+ec_mult.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ec_mult.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ec_mult.o: ../../include/openssl/symhacks.h ec_lcl.h ec_mult.c
+ec_print.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ec_print.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ec_print.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ec_print.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
+ec_print.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ec_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ec_print.o: ../../include/openssl/symhacks.h ec_lcl.h ec_print.c
+ecp_mont.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ecp_mont.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ecp_mont.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecp_mont.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ecp_mont.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
+ecp_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ecp_mont.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ecp_mont.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_mont.c
+ecp_nist.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ecp_nist.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ecp_nist.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecp_nist.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ecp_nist.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
+ecp_nist.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ecp_nist.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 ecp_nist.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_nist.c
-ecp_recp.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h
-ecp_recp.o: ../../include/openssl/ec.h ../../include/openssl/opensslconf.h
-ecp_recp.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_recp.c
-ecp_smpl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-ecp_smpl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ecp_smpl.o: ../../include/openssl/ec.h ../../include/openssl/err.h
-ecp_smpl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-ecp_smpl.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-ecp_smpl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ecp_smpl.o: ec_lcl.h ecp_smpl.c
+ecp_smpl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ecp_smpl.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ecp_smpl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecp_smpl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ecp_smpl.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
+ecp_smpl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ecp_smpl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ecp_smpl.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_smpl.c
diff --git a/crypto/openssl/crypto/ec/ec.h b/crypto/openssl/crypto/ec/ec.h
index 6d6a9b712732..919c736388dc 100644
--- a/crypto/openssl/crypto/ec/ec.h
+++ b/crypto/openssl/crypto/ec/ec.h
@@ -1,6 +1,9 @@
 /* crypto/ec/ec.h */
+/*
+ * Originally written by Bodo Moeller for the OpenSSL project.
+ */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -52,19 +55,41 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * The elliptic curve binary polynomial software is originally written by 
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
 
 #ifndef HEADER_EC_H
 #define HEADER_EC_H
 
+#include <openssl/opensslconf.h>
+
 #ifdef OPENSSL_NO_EC
 #error EC is disabled.
 #endif
 
-#include <openssl/bn.h>
+#include <openssl/asn1.h>
 #include <openssl/symhacks.h>
+#ifndef OPENSSL_NO_DEPRECATED
+#include <openssl/bn.h>
+#endif
 
 #ifdef  __cplusplus
 extern "C" {
+#elif defined(__SUNPRO_C)
+# if __SUNPRO_C >= 0x520
+# pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE)
+# endif
 #endif
 
 
@@ -84,7 +109,8 @@ typedef struct ec_group_st
 	 -- field definition
 	 -- curve coefficients
 	 -- optional generator with associated information (order, cofactor)
-	 -- optional extra data (TODO: precomputed table for fast computation of multiples of generator)
+	 -- optional extra data (precomputed table for fast computation of multiples of generator)
+	 -- ASN1 stuff
 	*/
 	EC_GROUP;
 
@@ -96,40 +122,84 @@ typedef struct ec_point_st EC_POINT;
  */
 const EC_METHOD *EC_GFp_simple_method(void);
 const EC_METHOD *EC_GFp_mont_method(void);
-#if 0
-const EC_METHOD *EC_GFp_recp_method(void); /* TODO */
-const EC_METHOD *EC_GFp_nist_method(void); /* TODO */
-#endif
+const EC_METHOD *EC_GFp_nist_method(void);
+
+/* EC_METHOD for curves over GF(2^m).
+ */
+const EC_METHOD *EC_GF2m_simple_method(void);
 
 
 EC_GROUP *EC_GROUP_new(const EC_METHOD *);
 void EC_GROUP_free(EC_GROUP *);
 void EC_GROUP_clear_free(EC_GROUP *);
 int EC_GROUP_copy(EC_GROUP *, const EC_GROUP *);
+EC_GROUP *EC_GROUP_dup(const EC_GROUP *);
 
 const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *);
-	
+int EC_METHOD_get_field_type(const EC_METHOD *);
+
+int EC_GROUP_set_generator(EC_GROUP *, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor);
+const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *);
+int EC_GROUP_get_order(const EC_GROUP *, BIGNUM *order, BN_CTX *);
+int EC_GROUP_get_cofactor(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
+
+void EC_GROUP_set_curve_name(EC_GROUP *, int nid);
+int EC_GROUP_get_curve_name(const EC_GROUP *);
+
+void EC_GROUP_set_asn1_flag(EC_GROUP *, int flag);
+int EC_GROUP_get_asn1_flag(const EC_GROUP *);
+
+void EC_GROUP_set_point_conversion_form(EC_GROUP *, point_conversion_form_t);
+point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *);
+
+unsigned char *EC_GROUP_get0_seed(const EC_GROUP *);
+size_t EC_GROUP_get_seed_len(const EC_GROUP *);
+size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);
 
-/* We don't have types for field specifications and field elements in general.
- * Otherwise we could declare
- *     int EC_GROUP_set_curve(EC_GROUP *, .....);
- */
 int EC_GROUP_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
 int EC_GROUP_get_curve_GFp(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+int EC_GROUP_set_curve_GF2m(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int EC_GROUP_get_curve_GF2m(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+
+/* returns the number of bits needed to represent a field element */
+int EC_GROUP_get_degree(const EC_GROUP *);
+
+/* EC_GROUP_check() returns 1 if 'group' defines a valid group, 0 otherwise */
+int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx);
+/* EC_GROUP_check_discriminant() returns 1 if the discriminant of the
+ * elliptic curve is not zero, 0 otherwise */
+int EC_GROUP_check_discriminant(const EC_GROUP *, BN_CTX *);
+
+/* EC_GROUP_cmp() returns 0 if both groups are equal and 1 otherwise */
+int EC_GROUP_cmp(const EC_GROUP *, const EC_GROUP *, BN_CTX *);
 
-/* EC_GROUP_new_GFp() calls EC_GROUP_new() and EC_GROUP_set_GFp()
+/* EC_GROUP_new_GF*() calls EC_GROUP_new() and EC_GROUP_set_GF*()
  * after choosing an appropriate EC_METHOD */
 EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+
+/* EC_GROUP_new_by_curve_name() creates a EC_GROUP structure
+ * specified by a curve name (in form of a NID) */
+EC_GROUP *EC_GROUP_new_by_curve_name(int nid);
+/* handling of internal curves */
+typedef struct { 
+	int nid;
+	const char *comment;
+	} EC_builtin_curve;
+/* EC_builtin_curves(EC_builtin_curve *r, size_t size) returns number 
+ * of all available curves or zero if a error occurred. 
+ * In case r ist not zero nitems EC_builtin_curve structures 
+ * are filled with the data of the first nitems internal groups */
+size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems);
 
-int EC_GROUP_set_generator(EC_GROUP *, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor);
-EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *);
-int EC_GROUP_get_order(const EC_GROUP *, BIGNUM *order, BN_CTX *);
-int EC_GROUP_get_cofactor(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
+
+/* EC_POINT functions */
 
 EC_POINT *EC_POINT_new(const EC_GROUP *);
 void EC_POINT_free(EC_POINT *);
 void EC_POINT_clear_free(EC_POINT *);
 int EC_POINT_copy(EC_POINT *, const EC_POINT *);
+EC_POINT *EC_POINT_dup(const EC_POINT *, const EC_GROUP *);
  
 const EC_METHOD *EC_POINT_method_of(const EC_POINT *);
 
@@ -145,11 +215,28 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
 int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *, EC_POINT *,
 	const BIGNUM *x, int y_bit, BN_CTX *);
 
+int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *, EC_POINT *,
+	const BIGNUM *x, const BIGNUM *y, BN_CTX *);
+int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *, const EC_POINT *,
+	BIGNUM *x, BIGNUM *y, BN_CTX *);
+int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *, EC_POINT *,
+	const BIGNUM *x, int y_bit, BN_CTX *);
+
 size_t EC_POINT_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
         unsigned char *buf, size_t len, BN_CTX *);
 int EC_POINT_oct2point(const EC_GROUP *, EC_POINT *,
         const unsigned char *buf, size_t len, BN_CTX *);
 
+/* other interfaces to point2oct/oct2point: */
+BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *,
+	point_conversion_form_t form, BIGNUM *, BN_CTX *);
+EC_POINT *EC_POINT_bn2point(const EC_GROUP *, const BIGNUM *,
+	EC_POINT *, BN_CTX *);
+char *EC_POINT_point2hex(const EC_GROUP *, const EC_POINT *,
+	point_conversion_form_t form, BN_CTX *);
+EC_POINT *EC_POINT_hex2point(const EC_GROUP *, const char *,
+	EC_POINT *, BN_CTX *);
+
 int EC_POINT_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
 int EC_POINT_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
 int EC_POINT_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
@@ -164,9 +251,112 @@ int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
 
 int EC_POINTs_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, size_t num, const EC_POINT *[], const BIGNUM *[], BN_CTX *);
 int EC_POINT_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, const EC_POINT *, const BIGNUM *, BN_CTX *);
+
+/* EC_GROUP_precompute_mult() stores multiples of generator for faster point multiplication */
 int EC_GROUP_precompute_mult(EC_GROUP *, BN_CTX *);
+/* EC_GROUP_have_precompute_mult() reports whether such precomputation has been done */
+int EC_GROUP_have_precompute_mult(const EC_GROUP *);
+
+
 
+/* ASN1 stuff */
 
+/* EC_GROUP_get_basis_type() returns the NID of the basis type
+ * used to represent the field elements */
+int EC_GROUP_get_basis_type(const EC_GROUP *);
+int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k);
+int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1, 
+	unsigned int *k2, unsigned int *k3);
+
+#define OPENSSL_EC_NAMED_CURVE	0x001
+
+typedef struct ecpk_parameters_st ECPKPARAMETERS;
+
+EC_GROUP *d2i_ECPKParameters(EC_GROUP **, const unsigned char **in, long len);
+int i2d_ECPKParameters(const EC_GROUP *, unsigned char **out);
+
+#define d2i_ECPKParameters_bio(bp,x) ASN1_d2i_bio_of(EC_GROUP,NULL,d2i_ECPKParameters,bp,x)
+#define i2d_ECPKParameters_bio(bp,x) ASN1_i2d_bio_of_const(EC_GROUP,i2d_ECPKParameters,bp,x)
+#define d2i_ECPKParameters_fp(fp,x) (EC_GROUP *)ASN1_d2i_fp(NULL, \
+                (char *(*)())d2i_ECPKParameters,(fp),(unsigned char **)(x))
+#define i2d_ECPKParameters_fp(fp,x) ASN1_i2d_fp(i2d_ECPKParameters,(fp), \
+		(unsigned char *)(x))
+
+#ifndef OPENSSL_NO_BIO
+int     ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off);
+#endif
+#ifndef OPENSSL_NO_FP_API
+int     ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off);
+#endif
+
+/* the EC_KEY stuff */
+typedef struct ec_key_st EC_KEY;
+
+/* some values for the encoding_flag */
+#define EC_PKEY_NO_PARAMETERS	0x001
+#define EC_PKEY_NO_PUBKEY	0x002
+
+EC_KEY *EC_KEY_new(void);
+EC_KEY *EC_KEY_new_by_curve_name(int nid);
+void EC_KEY_free(EC_KEY *);
+EC_KEY *EC_KEY_copy(EC_KEY *, const EC_KEY *);
+EC_KEY *EC_KEY_dup(const EC_KEY *);
+
+int EC_KEY_up_ref(EC_KEY *);
+
+const EC_GROUP *EC_KEY_get0_group(const EC_KEY *);
+int EC_KEY_set_group(EC_KEY *, const EC_GROUP *);
+const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *);
+int EC_KEY_set_private_key(EC_KEY *, const BIGNUM *);
+const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *);
+int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *);
+unsigned EC_KEY_get_enc_flags(const EC_KEY *);
+void EC_KEY_set_enc_flags(EC_KEY *, unsigned int);
+point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *);
+void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t);
+/* functions to set/get method specific data  */
+void *EC_KEY_get_key_method_data(EC_KEY *, 
+	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
+void EC_KEY_insert_key_method_data(EC_KEY *, void *data,
+	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
+/* wrapper functions for the underlying EC_GROUP object */
+void EC_KEY_set_asn1_flag(EC_KEY *, int);
+int EC_KEY_precompute_mult(EC_KEY *, BN_CTX *ctx);
+
+/* EC_KEY_generate_key() creates a ec private (public) key */
+int EC_KEY_generate_key(EC_KEY *);
+/* EC_KEY_check_key() */
+int EC_KEY_check_key(const EC_KEY *);
+
+/* de- and encoding functions for SEC1 ECPrivateKey */
+EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len);
+int i2d_ECPrivateKey(EC_KEY *a, unsigned char **out);
+/* de- and encoding functions for EC parameters */
+EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len);
+int i2d_ECParameters(EC_KEY *a, unsigned char **out);
+/* de- and encoding functions for EC public key
+ * (octet string, not DER -- hence 'o2i' and 'i2o') */
+EC_KEY *o2i_ECPublicKey(EC_KEY **a, const unsigned char **in, long len);
+int i2o_ECPublicKey(EC_KEY *a, unsigned char **out);
+
+#ifndef OPENSSL_NO_BIO
+int	ECParameters_print(BIO *bp, const EC_KEY *x);
+int	EC_KEY_print(BIO *bp, const EC_KEY *x, int off);
+#endif
+#ifndef OPENSSL_NO_FP_API
+int	ECParameters_print_fp(FILE *fp, const EC_KEY *x);
+int	EC_KEY_print_fp(FILE *fp, const EC_KEY *x, int off);
+#endif
+
+#define ECParameters_dup(x) ASN1_dup_of(EC_KEY,i2d_ECParameters,d2i_ECParameters,x)
+
+#ifndef __cplusplus
+#if defined(__SUNPRO_C)
+#  if __SUNPRO_C >= 0x520
+# pragma error_messages (default,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE)
+#  endif
+# endif
+#endif
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
@@ -178,51 +368,122 @@ void ERR_load_EC_strings(void);
 
 /* Function codes. */
 #define EC_F_COMPUTE_WNAF				 143
+#define EC_F_D2I_ECPARAMETERS				 144
+#define EC_F_D2I_ECPKPARAMETERS				 145
+#define EC_F_D2I_ECPRIVATEKEY				 146
+#define EC_F_ECPARAMETERS_PRINT				 147
+#define EC_F_ECPARAMETERS_PRINT_FP			 148
+#define EC_F_ECPKPARAMETERS_PRINT			 149
+#define EC_F_ECPKPARAMETERS_PRINT_FP			 150
+#define EC_F_ECP_NIST_MOD_192				 203
+#define EC_F_ECP_NIST_MOD_224				 204
+#define EC_F_ECP_NIST_MOD_256				 205
+#define EC_F_ECP_NIST_MOD_521				 206
+#define EC_F_EC_ASN1_GROUP2CURVE			 153
+#define EC_F_EC_ASN1_GROUP2FIELDID			 154
+#define EC_F_EC_ASN1_GROUP2PARAMETERS			 155
+#define EC_F_EC_ASN1_GROUP2PKPARAMETERS			 156
+#define EC_F_EC_ASN1_PARAMETERS2GROUP			 157
+#define EC_F_EC_ASN1_PKPARAMETERS2GROUP			 158
+#define EC_F_EC_EX_DATA_SET_DATA			 211
+#define EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY		 208
+#define EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT	 159
+#define EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE		 195
+#define EC_F_EC_GF2M_SIMPLE_OCT2POINT			 160
+#define EC_F_EC_GF2M_SIMPLE_POINT2OCT			 161
+#define EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES 162
+#define EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES 163
+#define EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES	 164
 #define EC_F_EC_GFP_MONT_FIELD_DECODE			 133
 #define EC_F_EC_GFP_MONT_FIELD_ENCODE			 134
 #define EC_F_EC_GFP_MONT_FIELD_MUL			 131
+#define EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE		 209
 #define EC_F_EC_GFP_MONT_FIELD_SQR			 132
+#define EC_F_EC_GFP_MONT_GROUP_SET_CURVE		 189
+#define EC_F_EC_GFP_MONT_GROUP_SET_CURVE_GFP		 135
+#define EC_F_EC_GFP_NIST_FIELD_MUL			 200
+#define EC_F_EC_GFP_NIST_FIELD_SQR			 201
+#define EC_F_EC_GFP_NIST_GROUP_SET_CURVE		 202
+#define EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT	 165
+#define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE		 166
 #define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP		 100
 #define EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR		 101
 #define EC_F_EC_GFP_SIMPLE_MAKE_AFFINE			 102
 #define EC_F_EC_GFP_SIMPLE_OCT2POINT			 103
 #define EC_F_EC_GFP_SIMPLE_POINT2OCT			 104
 #define EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE		 137
+#define EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES	 167
 #define EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP 105
+#define EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES	 168
 #define EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP 128
+#define EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES	 169
 #define EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP 129
+#define EC_F_EC_GROUP_CHECK				 170
+#define EC_F_EC_GROUP_CHECK_DISCRIMINANT		 171
 #define EC_F_EC_GROUP_COPY				 106
 #define EC_F_EC_GROUP_GET0_GENERATOR			 139
 #define EC_F_EC_GROUP_GET_COFACTOR			 140
+#define EC_F_EC_GROUP_GET_CURVE_GF2M			 172
 #define EC_F_EC_GROUP_GET_CURVE_GFP			 130
+#define EC_F_EC_GROUP_GET_DEGREE			 173
 #define EC_F_EC_GROUP_GET_ORDER				 141
+#define EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS		 193
+#define EC_F_EC_GROUP_GET_TRINOMIAL_BASIS		 194
 #define EC_F_EC_GROUP_NEW				 108
+#define EC_F_EC_GROUP_NEW_BY_CURVE_NAME			 174
+#define EC_F_EC_GROUP_NEW_FROM_DATA			 175
 #define EC_F_EC_GROUP_PRECOMPUTE_MULT			 142
+#define EC_F_EC_GROUP_SET_CURVE_GF2M			 176
 #define EC_F_EC_GROUP_SET_CURVE_GFP			 109
 #define EC_F_EC_GROUP_SET_EXTRA_DATA			 110
 #define EC_F_EC_GROUP_SET_GENERATOR			 111
+#define EC_F_EC_KEY_CHECK_KEY				 177
+#define EC_F_EC_KEY_COPY				 178
+#define EC_F_EC_KEY_GENERATE_KEY			 179
+#define EC_F_EC_KEY_NEW					 182
+#define EC_F_EC_KEY_PRINT				 180
+#define EC_F_EC_KEY_PRINT_FP				 181
 #define EC_F_EC_POINTS_MAKE_AFFINE			 136
 #define EC_F_EC_POINTS_MUL				 138
 #define EC_F_EC_POINT_ADD				 112
 #define EC_F_EC_POINT_CMP				 113
 #define EC_F_EC_POINT_COPY				 114
 #define EC_F_EC_POINT_DBL				 115
+#define EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M	 183
 #define EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP	 116
 #define EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP	 117
+#define EC_F_EC_POINT_INVERT				 210
 #define EC_F_EC_POINT_IS_AT_INFINITY			 118
 #define EC_F_EC_POINT_IS_ON_CURVE			 119
 #define EC_F_EC_POINT_MAKE_AFFINE			 120
+#define EC_F_EC_POINT_MUL				 184
 #define EC_F_EC_POINT_NEW				 121
 #define EC_F_EC_POINT_OCT2POINT				 122
 #define EC_F_EC_POINT_POINT2OCT				 123
+#define EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M	 185
 #define EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP	 124
+#define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M	 186
 #define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP	 125
 #define EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP	 126
 #define EC_F_EC_POINT_SET_TO_INFINITY			 127
-#define EC_F_GFP_MONT_GROUP_SET_CURVE_GFP		 135
+#define EC_F_EC_PRE_COMP_DUP				 207
+#define EC_F_EC_WNAF_MUL				 187
+#define EC_F_EC_WNAF_PRECOMPUTE_MULT			 188
+#define EC_F_I2D_ECPARAMETERS				 190
+#define EC_F_I2D_ECPKPARAMETERS				 191
+#define EC_F_I2D_ECPRIVATEKEY				 192
+#define EC_F_I2O_ECPUBLICKEY				 151
+#define EC_F_O2I_ECPUBLICKEY				 152
 
 /* Reason codes. */
+#define EC_R_ASN1_ERROR					 115
+#define EC_R_ASN1_UNKNOWN_FIELD				 116
 #define EC_R_BUFFER_TOO_SMALL				 100
+#define EC_R_D2I_ECPKPARAMETERS_FAILURE			 117
+#define EC_R_DISCRIMINANT_IS_ZERO			 118
+#define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE		 119
+#define EC_R_GROUP2PKPARAMETERS_FAILURE			 120
+#define EC_R_I2D_ECPKPARAMETERS_FAILURE			 121
 #define EC_R_INCOMPATIBLE_OBJECTS			 101
 #define EC_R_INVALID_ARGUMENT				 112
 #define EC_R_INVALID_COMPRESSED_POINT			 110
@@ -230,12 +491,26 @@ void ERR_load_EC_strings(void);
 #define EC_R_INVALID_ENCODING				 102
 #define EC_R_INVALID_FIELD				 103
 #define EC_R_INVALID_FORM				 104
+#define EC_R_INVALID_GROUP_ORDER			 122
+#define EC_R_INVALID_PRIVATE_KEY			 123
+#define EC_R_MISSING_PARAMETERS				 124
+#define EC_R_MISSING_PRIVATE_KEY			 125
+#define EC_R_NOT_A_NIST_PRIME				 135
+#define EC_R_NOT_A_SUPPORTED_NIST_PRIME			 136
+#define EC_R_NOT_IMPLEMENTED				 126
 #define EC_R_NOT_INITIALIZED				 111
+#define EC_R_NO_FIELD_MOD				 133
+#define EC_R_PASSED_NULL_PARAMETER			 134
+#define EC_R_PKPARAMETERS2GROUP_FAILURE			 127
 #define EC_R_POINT_AT_INFINITY				 106
 #define EC_R_POINT_IS_NOT_ON_CURVE			 107
 #define EC_R_SLOT_FULL					 108
 #define EC_R_UNDEFINED_GENERATOR			 113
+#define EC_R_UNDEFINED_ORDER				 128
+#define EC_R_UNKNOWN_GROUP				 129
 #define EC_R_UNKNOWN_ORDER				 114
+#define EC_R_UNSUPPORTED_FIELD				 131
+#define EC_R_WRONG_ORDER				 130
 
 #ifdef  __cplusplus
 }
diff --git a/crypto/openssl/crypto/ec/ec2_mult.c b/crypto/openssl/crypto/ec/ec2_mult.c
new file mode 100644
index 000000000000..ff368fd7d7b3
--- /dev/null
+++ b/crypto/openssl/crypto/ec/ec2_mult.c
@@ -0,0 +1,380 @@
+/* crypto/ec/ec2_mult.c */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
+ * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
+ * to the OpenSSL project.
+ *
+ * The ECC Code is licensed pursuant to the OpenSSL open source
+ * license provided below.
+ *
+ * The software is originally written by Sheueling Chang Shantz and
+ * Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+
+#include "ec_lcl.h"
+
+
+/* Compute the x-coordinate x/z for the point 2*(x/z) in Montgomery projective 
+ * coordinates.
+ * Uses algorithm Mdouble in appendix of 
+ *     Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
+ *     GF(2^m) without precomputation".
+ * modified to not require precomputation of c=b^{2^{m-1}}.
+ */
+static int gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z, BN_CTX *ctx)
+	{
+	BIGNUM *t1;
+	int ret = 0;
+	
+	/* Since Mdouble is static we can guarantee that ctx != NULL. */
+	BN_CTX_start(ctx);
+	t1 = BN_CTX_get(ctx);
+	if (t1 == NULL) goto err;
+
+	if (!group->meth->field_sqr(group, x, x, ctx)) goto err;
+	if (!group->meth->field_sqr(group, t1, z, ctx)) goto err;
+	if (!group->meth->field_mul(group, z, x, t1, ctx)) goto err;
+	if (!group->meth->field_sqr(group, x, x, ctx)) goto err;
+	if (!group->meth->field_sqr(group, t1, t1, ctx)) goto err;
+	if (!group->meth->field_mul(group, t1, &group->b, t1, ctx)) goto err;
+	if (!BN_GF2m_add(x, x, t1)) goto err;
+
+	ret = 1;
+
+ err:
+	BN_CTX_end(ctx);
+	return ret;
+	}
+
+/* Compute the x-coordinate x1/z1 for the point (x1/z1)+(x2/x2) in Montgomery 
+ * projective coordinates.
+ * Uses algorithm Madd in appendix of 
+ *     Lopex, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
+ *     GF(2^m) without precomputation".
+ */
+static int gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM *z1, 
+	const BIGNUM *x2, const BIGNUM *z2, BN_CTX *ctx)
+	{
+	BIGNUM *t1, *t2;
+	int ret = 0;
+	
+	/* Since Madd is static we can guarantee that ctx != NULL. */
+	BN_CTX_start(ctx);
+	t1 = BN_CTX_get(ctx);
+	t2 = BN_CTX_get(ctx);
+	if (t2 == NULL) goto err;
+
+	if (!BN_copy(t1, x)) goto err;
+	if (!group->meth->field_mul(group, x1, x1, z2, ctx)) goto err;
+	if (!group->meth->field_mul(group, z1, z1, x2, ctx)) goto err;
+	if (!group->meth->field_mul(group, t2, x1, z1, ctx)) goto err;
+	if (!BN_GF2m_add(z1, z1, x1)) goto err;
+	if (!group->meth->field_sqr(group, z1, z1, ctx)) goto err;
+	if (!group->meth->field_mul(group, x1, z1, t1, ctx)) goto err;
+	if (!BN_GF2m_add(x1, x1, t2)) goto err;
+
+	ret = 1;
+
+ err:
+	BN_CTX_end(ctx);
+	return ret;
+	}
+
+/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2) 
+ * using Montgomery point multiplication algorithm Mxy() in appendix of 
+ *     Lopex, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
+ *     GF(2^m) without precomputation".
+ * Returns:
+ *     0 on error
+ *     1 if return value should be the point at infinity
+ *     2 otherwise
+ */
+static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIGNUM *x1, 
+	BIGNUM *z1, BIGNUM *x2, BIGNUM *z2, BN_CTX *ctx)
+	{
+	BIGNUM *t3, *t4, *t5;
+	int ret = 0;
+	
+	if (BN_is_zero(z1))
+		{
+		BN_zero(x2);
+		BN_zero(z2);
+		return 1;
+		}
+	
+	if (BN_is_zero(z2))
+		{
+		if (!BN_copy(x2, x)) return 0;
+		if (!BN_GF2m_add(z2, x, y)) return 0;
+		return 2;
+		}
+		
+	/* Since Mxy is static we can guarantee that ctx != NULL. */
+	BN_CTX_start(ctx);
+	t3 = BN_CTX_get(ctx);
+	t4 = BN_CTX_get(ctx);
+	t5 = BN_CTX_get(ctx);
+	if (t5 == NULL) goto err;
+
+	if (!BN_one(t5)) goto err;
+
+	if (!group->meth->field_mul(group, t3, z1, z2, ctx)) goto err;
+
+	if (!group->meth->field_mul(group, z1, z1, x, ctx)) goto err;
+	if (!BN_GF2m_add(z1, z1, x1)) goto err;
+	if (!group->meth->field_mul(group, z2, z2, x, ctx)) goto err;
+	if (!group->meth->field_mul(group, x1, z2, x1, ctx)) goto err;
+	if (!BN_GF2m_add(z2, z2, x2)) goto err;
+
+	if (!group->meth->field_mul(group, z2, z2, z1, ctx)) goto err;
+	if (!group->meth->field_sqr(group, t4, x, ctx)) goto err;
+	if (!BN_GF2m_add(t4, t4, y)) goto err;
+	if (!group->meth->field_mul(group, t4, t4, t3, ctx)) goto err;
+	if (!BN_GF2m_add(t4, t4, z2)) goto err;
+
+	if (!group->meth->field_mul(group, t3, t3, x, ctx)) goto err;
+	if (!group->meth->field_div(group, t3, t5, t3, ctx)) goto err;
+	if (!group->meth->field_mul(group, t4, t3, t4, ctx)) goto err;
+	if (!group->meth->field_mul(group, x2, x1, t3, ctx)) goto err;
+	if (!BN_GF2m_add(z2, x2, x)) goto err;
+
+	if (!group->meth->field_mul(group, z2, z2, t4, ctx)) goto err;
+	if (!BN_GF2m_add(z2, z2, y)) goto err;
+
+	ret = 2;
+
+ err:
+	BN_CTX_end(ctx);
+	return ret;
+	}
+
+/* Computes scalar*point and stores the result in r.
+ * point can not equal r.
+ * Uses algorithm 2P of
+ *     Lopex, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
+ *     GF(2^m) without precomputation".
+ */
+static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+	const EC_POINT *point, BN_CTX *ctx)
+	{
+	BIGNUM *x1, *x2, *z1, *z2;
+	int ret = 0, i, j;
+	BN_ULONG mask;
+
+	if (r == point)
+		{
+		ECerr(EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY, EC_R_INVALID_ARGUMENT);
+		return 0;
+		}
+	
+	/* if result should be point at infinity */
+	if ((scalar == NULL) || BN_is_zero(scalar) || (point == NULL) || 
+		EC_POINT_is_at_infinity(group, point))
+		{
+		return EC_POINT_set_to_infinity(group, r);
+		}
+
+	/* only support affine coordinates */
+	if (!point->Z_is_one) return 0;
+
+	/* Since point_multiply is static we can guarantee that ctx != NULL. */
+	BN_CTX_start(ctx);
+	x1 = BN_CTX_get(ctx);
+	z1 = BN_CTX_get(ctx);
+	if (z1 == NULL) goto err;
+
+	x2 = &r->X;
+	z2 = &r->Y;
+
+	if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
+	if (!BN_one(z1)) goto err; /* z1 = 1 */
+	if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
+	if (!group->meth->field_sqr(group, x2, z2, ctx)) goto err;
+	if (!BN_GF2m_add(x2, x2, &group->b)) goto err; /* x2 = x^4 + b */
+
+	/* find top most bit and go one past it */
+	i = scalar->top - 1; j = BN_BITS2 - 1;
+	mask = BN_TBIT;
+	while (!(scalar->d[i] & mask)) { mask >>= 1; j--; }
+	mask >>= 1; j--;
+	/* if top most bit was at word break, go to next word */
+	if (!mask) 
+		{
+		i--; j = BN_BITS2 - 1;
+		mask = BN_TBIT;
+		}
+
+	for (; i >= 0; i--)
+		{
+		for (; j >= 0; j--)
+			{
+			if (scalar->d[i] & mask)
+				{
+				if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
+				if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
+				}
+			else
+				{
+				if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
+				if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
+				}
+			mask >>= 1;
+			}
+		j = BN_BITS2 - 1;
+		mask = BN_TBIT;
+		}
+
+	/* convert out of "projective" coordinates */
+	i = gf2m_Mxy(group, &point->X, &point->Y, x1, z1, x2, z2, ctx);
+	if (i == 0) goto err;
+	else if (i == 1) 
+		{
+		if (!EC_POINT_set_to_infinity(group, r)) goto err;
+		}
+	else
+		{
+		if (!BN_one(&r->Z)) goto err;
+		r->Z_is_one = 1;
+		}
+
+	/* GF(2^m) field elements should always have BIGNUM::neg = 0 */
+	BN_set_negative(&r->X, 0);
+	BN_set_negative(&r->Y, 0);
+
+	ret = 1;
+
+ err:
+	BN_CTX_end(ctx);
+	return ret;
+	}
+
+
+/* Computes the sum
+ *     scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1]
+ * gracefully ignoring NULL scalar values.
+ */
+int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+	size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
+	{
+	BN_CTX *new_ctx = NULL;
+	int ret = 0;
+	size_t i;
+	EC_POINT *p=NULL;
+
+	if (ctx == NULL)
+		{
+		ctx = new_ctx = BN_CTX_new();
+		if (ctx == NULL)
+			return 0;
+		}
+
+	/* This implementation is more efficient than the wNAF implementation for 2
+	 * or fewer points.  Use the ec_wNAF_mul implementation for 3 or more points,
+	 * or if we can perform a fast multiplication based on precomputation.
+	 */
+	if ((scalar && (num > 1)) || (num > 2) || (num == 0 && EC_GROUP_have_precompute_mult(group)))
+		{
+		ret = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
+		goto err;
+		}
+
+	if ((p = EC_POINT_new(group)) == NULL) goto err;
+
+	if (!EC_POINT_set_to_infinity(group, r)) goto err;
+
+	if (scalar)
+		{
+		if (!ec_GF2m_montgomery_point_multiply(group, p, scalar, group->generator, ctx)) goto err;
+		if (BN_is_negative(scalar)) 
+			if (!group->meth->invert(group, p, ctx)) goto err;
+		if (!group->meth->add(group, r, r, p, ctx)) goto err;
+		}
+
+	for (i = 0; i < num; i++)
+		{
+		if (!ec_GF2m_montgomery_point_multiply(group, p, scalars[i], points[i], ctx)) goto err;
+		if (BN_is_negative(scalars[i]))
+			if (!group->meth->invert(group, p, ctx)) goto err;
+		if (!group->meth->add(group, r, r, p, ctx)) goto err;
+		}
+
+	ret = 1;
+
+  err:
+	if (p) EC_POINT_free(p);
+	if (new_ctx != NULL)
+		BN_CTX_free(new_ctx);
+	return ret;
+	}
+
+
+/* Precomputation for point multiplication: fall back to wNAF methods
+ * because ec_GF2m_simple_mul() uses ec_wNAF_mul() if appropriate */
+
+int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
+	{
+	return ec_wNAF_precompute_mult(group, ctx);
+ 	}
+
+int ec_GF2m_have_precompute_mult(const EC_GROUP *group)
+	{
+	return ec_wNAF_have_precompute_mult(group);
+ 	}
diff --git a/crypto/openssl/crypto/ec/ec2_smpl.c b/crypto/openssl/crypto/ec/ec2_smpl.c
new file mode 100644
index 000000000000..5cd1eac41fc3
--- /dev/null
+++ b/crypto/openssl/crypto/ec/ec2_smpl.c
@@ -0,0 +1,971 @@
+/* crypto/ec/ec2_smpl.c */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
+ * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
+ * to the OpenSSL project.
+ *
+ * The ECC Code is licensed pursuant to the OpenSSL open source
+ * license provided below.
+ *
+ * The software is originally written by Sheueling Chang Shantz and
+ * Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+
+#include "ec_lcl.h"
+
+
+const EC_METHOD *EC_GF2m_simple_method(void)
+	{
+	static const EC_METHOD ret = {
+		NID_X9_62_characteristic_two_field,
+		ec_GF2m_simple_group_init,
+		ec_GF2m_simple_group_finish,
+		ec_GF2m_simple_group_clear_finish,
+		ec_GF2m_simple_group_copy,
+		ec_GF2m_simple_group_set_curve,
+		ec_GF2m_simple_group_get_curve,
+		ec_GF2m_simple_group_get_degree,
+		ec_GF2m_simple_group_check_discriminant,
+		ec_GF2m_simple_point_init,
+		ec_GF2m_simple_point_finish,
+		ec_GF2m_simple_point_clear_finish,
+		ec_GF2m_simple_point_copy,
+		ec_GF2m_simple_point_set_to_infinity,
+		0 /* set_Jprojective_coordinates_GFp */,
+		0 /* get_Jprojective_coordinates_GFp */,
+		ec_GF2m_simple_point_set_affine_coordinates,
+		ec_GF2m_simple_point_get_affine_coordinates,
+		ec_GF2m_simple_set_compressed_coordinates,
+		ec_GF2m_simple_point2oct,
+		ec_GF2m_simple_oct2point,
+		ec_GF2m_simple_add,
+		ec_GF2m_simple_dbl,
+		ec_GF2m_simple_invert,
+		ec_GF2m_simple_is_at_infinity,
+		ec_GF2m_simple_is_on_curve,
+		ec_GF2m_simple_cmp,
+		ec_GF2m_simple_make_affine,
+		ec_GF2m_simple_points_make_affine,
+
+		/* the following three method functions are defined in ec2_mult.c */
+		ec_GF2m_simple_mul,
+		ec_GF2m_precompute_mult,
+		ec_GF2m_have_precompute_mult,
+
+		ec_GF2m_simple_field_mul,
+		ec_GF2m_simple_field_sqr,
+		ec_GF2m_simple_field_div,
+		0 /* field_encode */,
+		0 /* field_decode */,
+		0 /* field_set_to_one */ };
+
+	return &ret;
+	}
+
+
+/* Initialize a GF(2^m)-based EC_GROUP structure.
+ * Note that all other members are handled by EC_GROUP_new.
+ */
+int ec_GF2m_simple_group_init(EC_GROUP *group)
+	{
+	BN_init(&group->field);
+	BN_init(&group->a);
+	BN_init(&group->b);
+	return 1;
+	}
+
+
+/* Free a GF(2^m)-based EC_GROUP structure.
+ * Note that all other members are handled by EC_GROUP_free.
+ */
+void ec_GF2m_simple_group_finish(EC_GROUP *group)
+	{
+	BN_free(&group->field);
+	BN_free(&group->a);
+	BN_free(&group->b);
+	}
+
+
+/* Clear and free a GF(2^m)-based EC_GROUP structure.
+ * Note that all other members are handled by EC_GROUP_clear_free.
+ */
+void ec_GF2m_simple_group_clear_finish(EC_GROUP *group)
+	{
+	BN_clear_free(&group->field);
+	BN_clear_free(&group->a);
+	BN_clear_free(&group->b);
+	group->poly[0] = 0;
+	group->poly[1] = 0;
+	group->poly[2] = 0;
+	group->poly[3] = 0;
+	group->poly[4] = 0;
+	}
+
+
+/* Copy a GF(2^m)-based EC_GROUP structure.
+ * Note that all other members are handled by EC_GROUP_copy.
+ */
+int ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
+	{
+	int i;
+	if (!BN_copy(&dest->field, &src->field)) return 0;
+	if (!BN_copy(&dest->a, &src->a)) return 0;
+	if (!BN_copy(&dest->b, &src->b)) return 0;
+	dest->poly[0] = src->poly[0];
+	dest->poly[1] = src->poly[1];
+	dest->poly[2] = src->poly[2];
+	dest->poly[3] = src->poly[3];
+	dest->poly[4] = src->poly[4];
+	bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+	bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+	for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;
+	for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0;
+	return 1;
+	}
+
+
+/* Set the curve parameters of an EC_GROUP structure. */
+int ec_GF2m_simple_group_set_curve(EC_GROUP *group,
+	const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+	{
+	int ret = 0, i;
+
+	/* group->field */
+	if (!BN_copy(&group->field, p)) goto err;
+	i = BN_GF2m_poly2arr(&group->field, group->poly, 5);
+	if ((i != 5) && (i != 3))
+		{
+		ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
+		goto err;
+		}
+
+	/* group->a */
+	if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) goto err;
+	bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+	for (i = group->a.top; i < group->a.dmax; i++) group->a.d[i] = 0;
+	
+	/* group->b */
+	if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) goto err;
+	bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+	for (i = group->b.top; i < group->b.dmax; i++) group->b.d[i] = 0;
+		
+	ret = 1;
+  err:
+	return ret;
+	}
+
+
+/* Get the curve parameters of an EC_GROUP structure.
+ * If p, a, or b are NULL then there values will not be set but the method will return with success.
+ */
+int ec_GF2m_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
+	{
+	int ret = 0;
+	
+	if (p != NULL)
+		{
+		if (!BN_copy(p, &group->field)) return 0;
+		}
+
+	if (a != NULL)
+		{
+		if (!BN_copy(a, &group->a)) goto err;
+		}
+
+	if (b != NULL)
+		{
+		if (!BN_copy(b, &group->b)) goto err;
+		}
+	
+	ret = 1;
+	
+  err:
+	return ret;
+	}
+
+
+/* Gets the degree of the field.  For a curve over GF(2^m) this is the value m. */
+int ec_GF2m_simple_group_get_degree(const EC_GROUP *group)
+	{
+	return BN_num_bits(&group->field)-1;
+	}
+
+
+/* Checks the discriminant of the curve.
+ * y^2 + x*y = x^3 + a*x^2 + b is an elliptic curve <=> b != 0 (mod p) 
+ */
+int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
+	{
+	int ret = 0;
+	BIGNUM *b;
+	BN_CTX *new_ctx = NULL;
+
+	if (ctx == NULL)
+		{
+		ctx = new_ctx = BN_CTX_new();
+		if (ctx == NULL)
+			{
+			ECerr(EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT, ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		}
+	BN_CTX_start(ctx);
+	b = BN_CTX_get(ctx);
+	if (b == NULL) goto err;
+
+	if (!BN_GF2m_mod_arr(b, &group->b, group->poly)) goto err;
+	
+	/* check the discriminant:
+	 * y^2 + x*y = x^3 + a*x^2 + b is an elliptic curve <=> b != 0 (mod p) 
+	 */
+	if (BN_is_zero(b)) goto err;
+
+	ret = 1;
+
+err:
+	if (ctx != NULL)
+		BN_CTX_end(ctx);
+	if (new_ctx != NULL)
+		BN_CTX_free(new_ctx);
+	return ret;
+	}
+
+
+/* Initializes an EC_POINT. */
+int ec_GF2m_simple_point_init(EC_POINT *point)
+	{
+	BN_init(&point->X);
+	BN_init(&point->Y);
+	BN_init(&point->Z);
+	return 1;
+	}
+
+
+/* Frees an EC_POINT. */
+void ec_GF2m_simple_point_finish(EC_POINT *point)
+	{
+	BN_free(&point->X);
+	BN_free(&point->Y);
+	BN_free(&point->Z);
+	}
+
+
+/* Clears and frees an EC_POINT. */
+void ec_GF2m_simple_point_clear_finish(EC_POINT *point)
+	{
+	BN_clear_free(&point->X);
+	BN_clear_free(&point->Y);
+	BN_clear_free(&point->Z);
+	point->Z_is_one = 0;
+	}
+
+
+/* Copy the contents of one EC_POINT into another.  Assumes dest is initialized. */
+int ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
+	{
+	if (!BN_copy(&dest->X, &src->X)) return 0;
+	if (!BN_copy(&dest->Y, &src->Y)) return 0;
+	if (!BN_copy(&dest->Z, &src->Z)) return 0;
+	dest->Z_is_one = src->Z_is_one;
+
+	return 1;
+	}
+
+
+/* Set an EC_POINT to the point at infinity.  
+ * A point at infinity is represented by having Z=0.
+ */
+int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
+	{
+	point->Z_is_one = 0;
+	BN_zero(&point->Z);
+	return 1;
+	}
+
+
+/* Set the coordinates of an EC_POINT using affine coordinates. 
+ * Note that the simple implementation only uses affine coordinates.
+ */
+int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
+	const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
+	{
+	int ret = 0;	
+	if (x == NULL || y == NULL)
+		{
+		ECerr(EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES, ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+
+	if (!BN_copy(&point->X, x)) goto err;
+	BN_set_negative(&point->X, 0);
+	if (!BN_copy(&point->Y, y)) goto err;
+	BN_set_negative(&point->Y, 0);
+	if (!BN_copy(&point->Z, BN_value_one())) goto err;
+	BN_set_negative(&point->Z, 0);
+	point->Z_is_one = 1;
+	ret = 1;
+
+  err:
+	return ret;
+	}
+
+
+/* Gets the affine coordinates of an EC_POINT. 
+ * Note that the simple implementation only uses affine coordinates.
+ */
+int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
+	BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
+	{
+	int ret = 0;
+
+	if (EC_POINT_is_at_infinity(group, point))
+		{
+		ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY);
+		return 0;
+		}
+
+	if (BN_cmp(&point->Z, BN_value_one())) 
+		{
+		ECerr(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return 0;
+		}
+	if (x != NULL)
+		{
+		if (!BN_copy(x, &point->X)) goto err;
+		BN_set_negative(x, 0);
+		}
+	if (y != NULL)
+		{
+		if (!BN_copy(y, &point->Y)) goto err;
+		BN_set_negative(y, 0);
+		}
+	ret = 1;
+		
+ err:
+	return ret;
+	}
+
+
+/* Include patented algorithms. */
+#include "ec2_smpt.c"
+
+
+/* Converts an EC_POINT to an octet string.  
+ * If buf is NULL, the encoded length will be returned.
+ * If the length len of buf is smaller than required an error will be returned.
+ *
+ * The point compression section of this function is patented by Certicom Corp. 
+ * under US Patent 6,141,420.  Point compression is disabled by default and can 
+ * be enabled by defining the preprocessor macro OPENSSL_EC_BIN_PT_COMP at 
+ * Configure-time.
+ */
+size_t ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
+	unsigned char *buf, size_t len, BN_CTX *ctx)
+	{
+	size_t ret;
+	BN_CTX *new_ctx = NULL;
+	int used_ctx = 0;
+	BIGNUM *x, *y, *yxi;
+	size_t field_len, i, skip;
+
+#ifndef OPENSSL_EC_BIN_PT_COMP
+	if ((form == POINT_CONVERSION_COMPRESSED) || (form == POINT_CONVERSION_HYBRID)) 
+		{
+		ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_DISABLED);
+		goto err;
+		}
+#endif
+
+	if ((form != POINT_CONVERSION_COMPRESSED)
+		&& (form != POINT_CONVERSION_UNCOMPRESSED)
+		&& (form != POINT_CONVERSION_HYBRID))
+		{
+		ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
+		goto err;
+		}
+
+	if (EC_POINT_is_at_infinity(group, point))
+		{
+		/* encodes to a single 0 octet */
+		if (buf != NULL)
+			{
+			if (len < 1)
+				{
+				ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
+				return 0;
+				}
+			buf[0] = 0;
+			}
+		return 1;
+		}
+
+
+	/* ret := required output buffer length */
+	field_len = (EC_GROUP_get_degree(group) + 7) / 8;
+	ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
+
+	/* if 'buf' is NULL, just return required length */
+	if (buf != NULL)
+		{
+		if (len < ret)
+			{
+			ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
+			goto err;
+			}
+
+		if (ctx == NULL)
+			{
+			ctx = new_ctx = BN_CTX_new();
+			if (ctx == NULL)
+				return 0;
+			}
+
+		BN_CTX_start(ctx);
+		used_ctx = 1;
+		x = BN_CTX_get(ctx);
+		y = BN_CTX_get(ctx);
+		yxi = BN_CTX_get(ctx);
+		if (yxi == NULL) goto err;
+
+		if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
+
+		buf[0] = form;
+#ifdef OPENSSL_EC_BIN_PT_COMP
+		if ((form != POINT_CONVERSION_UNCOMPRESSED) && !BN_is_zero(x))
+			{
+			if (!group->meth->field_div(group, yxi, y, x, ctx)) goto err;
+			if (BN_is_odd(yxi)) buf[0]++;
+			}
+#endif
+
+		i = 1;
+		
+		skip = field_len - BN_num_bytes(x);
+		if (skip > field_len)
+			{
+			ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+			goto err;
+			}
+		while (skip > 0)
+			{
+			buf[i++] = 0;
+			skip--;
+			}
+		skip = BN_bn2bin(x, buf + i);
+		i += skip;
+		if (i != 1 + field_len)
+			{
+			ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+			goto err;
+			}
+
+		if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID)
+			{
+			skip = field_len - BN_num_bytes(y);
+			if (skip > field_len)
+				{
+				ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+				goto err;
+				}
+			while (skip > 0)
+				{
+				buf[i++] = 0;
+				skip--;
+				}
+			skip = BN_bn2bin(y, buf + i);
+			i += skip;
+			}
+
+		if (i != ret)
+			{
+			ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+			goto err;
+			}
+		}
+	
+	if (used_ctx)
+		BN_CTX_end(ctx);
+	if (new_ctx != NULL)
+		BN_CTX_free(new_ctx);
+	return ret;
+
+ err:
+	if (used_ctx)
+		BN_CTX_end(ctx);
+	if (new_ctx != NULL)
+		BN_CTX_free(new_ctx);
+	return 0;
+	}
+
+
+/* Converts an octet string representation to an EC_POINT. 
+ * Note that the simple implementation only uses affine coordinates.
+ */
+int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
+	const unsigned char *buf, size_t len, BN_CTX *ctx)
+	{
+	point_conversion_form_t form;
+	int y_bit;
+	BN_CTX *new_ctx = NULL;
+	BIGNUM *x, *y, *yxi;
+	size_t field_len, enc_len;
+	int ret = 0;
+
+	if (len == 0)
+		{
+		ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
+		return 0;
+		}
+	form = buf[0];
+	y_bit = form & 1;
+	form = form & ~1U;
+	if ((form != 0)	&& (form != POINT_CONVERSION_COMPRESSED)
+		&& (form != POINT_CONVERSION_UNCOMPRESSED)
+		&& (form != POINT_CONVERSION_HYBRID))
+		{
+		ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+		return 0;
+		}
+	if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit)
+		{
+		ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+		return 0;
+		}
+
+	if (form == 0)
+		{
+		if (len != 1)
+			{
+			ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+			return 0;
+			}
+
+		return EC_POINT_set_to_infinity(group, point);
+		}
+	
+	field_len = (EC_GROUP_get_degree(group) + 7) / 8;
+	enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
+
+	if (len != enc_len)
+		{
+		ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+		return 0;
+		}
+
+	if (ctx == NULL)
+		{
+		ctx = new_ctx = BN_CTX_new();
+		if (ctx == NULL)
+			return 0;
+		}
+
+	BN_CTX_start(ctx);
+	x = BN_CTX_get(ctx);
+	y = BN_CTX_get(ctx);
+	yxi = BN_CTX_get(ctx);
+	if (yxi == NULL) goto err;
+
+	if (!BN_bin2bn(buf + 1, field_len, x)) goto err;
+	if (BN_ucmp(x, &group->field) >= 0)
+		{
+		ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+		goto err;
+		}
+
+	if (form == POINT_CONVERSION_COMPRESSED)
+		{
+		if (!EC_POINT_set_compressed_coordinates_GF2m(group, point, x, y_bit, ctx)) goto err;
+		}
+	else
+		{
+		if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
+		if (BN_ucmp(y, &group->field) >= 0)
+			{
+			ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+			goto err;
+			}
+		if (form == POINT_CONVERSION_HYBRID)
+			{
+			if (!group->meth->field_div(group, yxi, y, x, ctx)) goto err;
+			if (y_bit != BN_is_odd(yxi))
+				{
+				ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+				goto err;
+				}
+			}
+
+		if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
+		}
+	
+	if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
+		{
+		ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
+		goto err;
+		}
+
+	ret = 1;
+	
+ err:
+	BN_CTX_end(ctx);
+	if (new_ctx != NULL)
+		BN_CTX_free(new_ctx);
+	return ret;
+	}
+
+
+/* Computes a + b and stores the result in r.  r could be a or b, a could be b.
+ * Uses algorithm A.10.2 of IEEE P1363.
+ */
+int ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+	{
+	BN_CTX *new_ctx = NULL;
+	BIGNUM *x0, *y0, *x1, *y1, *x2, *y2, *s, *t;
+	int ret = 0;
+	
+	if (EC_POINT_is_at_infinity(group, a))
+		{
+		if (!EC_POINT_copy(r, b)) return 0;
+		return 1;
+		}
+
+	if (EC_POINT_is_at_infinity(group, b))
+		{
+		if (!EC_POINT_copy(r, a)) return 0;
+		return 1;
+		}
+
+	if (ctx == NULL)
+		{
+		ctx = new_ctx = BN_CTX_new();
+		if (ctx == NULL)
+			return 0;
+		}
+
+	BN_CTX_start(ctx);
+	x0 = BN_CTX_get(ctx);
+	y0 = BN_CTX_get(ctx);
+	x1 = BN_CTX_get(ctx);
+	y1 = BN_CTX_get(ctx);
+	x2 = BN_CTX_get(ctx);
+	y2 = BN_CTX_get(ctx);
+	s = BN_CTX_get(ctx);
+	t = BN_CTX_get(ctx);
+	if (t == NULL) goto err;
+
+	if (a->Z_is_one) 
+		{
+		if (!BN_copy(x0, &a->X)) goto err;
+		if (!BN_copy(y0, &a->Y)) goto err;
+		}
+	else
+		{
+		if (!EC_POINT_get_affine_coordinates_GF2m(group, a, x0, y0, ctx)) goto err;
+		}
+	if (b->Z_is_one) 
+		{
+		if (!BN_copy(x1, &b->X)) goto err;
+		if (!BN_copy(y1, &b->Y)) goto err;
+		}
+	else
+		{
+		if (!EC_POINT_get_affine_coordinates_GF2m(group, b, x1, y1, ctx)) goto err;
+		}
+
+
+	if (BN_GF2m_cmp(x0, x1))
+		{
+		if (!BN_GF2m_add(t, x0, x1)) goto err;
+		if (!BN_GF2m_add(s, y0, y1)) goto err;
+		if (!group->meth->field_div(group, s, s, t, ctx)) goto err;
+		if (!group->meth->field_sqr(group, x2, s, ctx)) goto err;
+		if (!BN_GF2m_add(x2, x2, &group->a)) goto err;
+		if (!BN_GF2m_add(x2, x2, s)) goto err;
+		if (!BN_GF2m_add(x2, x2, t)) goto err;
+		}
+	else
+		{
+		if (BN_GF2m_cmp(y0, y1) || BN_is_zero(x1))
+			{
+			if (!EC_POINT_set_to_infinity(group, r)) goto err;
+			ret = 1;
+			goto err;
+			}
+		if (!group->meth->field_div(group, s, y1, x1, ctx)) goto err;
+		if (!BN_GF2m_add(s, s, x1)) goto err;
+		
+		if (!group->meth->field_sqr(group, x2, s, ctx)) goto err;
+		if (!BN_GF2m_add(x2, x2, s)) goto err;
+		if (!BN_GF2m_add(x2, x2, &group->a)) goto err;
+		}
+
+	if (!BN_GF2m_add(y2, x1, x2)) goto err;
+	if (!group->meth->field_mul(group, y2, y2, s, ctx)) goto err;
+	if (!BN_GF2m_add(y2, y2, x2)) goto err;
+	if (!BN_GF2m_add(y2, y2, y1)) goto err;
+
+	if (!EC_POINT_set_affine_coordinates_GF2m(group, r, x2, y2, ctx)) goto err;
+
+	ret = 1;
+
+ err:
+	BN_CTX_end(ctx);
+	if (new_ctx != NULL)
+		BN_CTX_free(new_ctx);
+	return ret;
+	}
+
+
+/* Computes 2 * a and stores the result in r.  r could be a.
+ * Uses algorithm A.10.2 of IEEE P1363.
+ */
+int ec_GF2m_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
+	{
+	return ec_GF2m_simple_add(group, r, a, a, ctx);
+	}
+
+
+int ec_GF2m_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
+	{
+	if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
+		/* point is its own inverse */
+		return 1;
+	
+	if (!EC_POINT_make_affine(group, point, ctx)) return 0;
+	return BN_GF2m_add(&point->Y, &point->X, &point->Y);
+	}
+
+
+/* Indicates whether the given point is the point at infinity. */
+int ec_GF2m_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
+	{
+	return BN_is_zero(&point->Z);
+	}
+
+
+/* Determines whether the given EC_POINT is an actual point on the curve defined
+ * in the EC_GROUP.  A point is valid if it satisfies the Weierstrass equation:
+ *      y^2 + x*y = x^3 + a*x^2 + b.
+ */
+int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
+	{
+	int ret = -1;
+	BN_CTX *new_ctx = NULL;
+	BIGNUM *lh, *y2;
+	int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+	int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+
+	if (EC_POINT_is_at_infinity(group, point))
+		return 1;
+
+	field_mul = group->meth->field_mul;
+	field_sqr = group->meth->field_sqr;	
+
+	/* only support affine coordinates */
+	if (!point->Z_is_one) goto err;
+
+	if (ctx == NULL)
+		{
+		ctx = new_ctx = BN_CTX_new();
+		if (ctx == NULL)
+			return -1;
+		}
+
+	BN_CTX_start(ctx);
+	y2 = BN_CTX_get(ctx);
+	lh = BN_CTX_get(ctx);
+	if (lh == NULL) goto err;
+
+	/* We have a curve defined by a Weierstrass equation
+	 *      y^2 + x*y = x^3 + a*x^2 + b.
+	 *  <=> x^3 + a*x^2 + x*y + b + y^2 = 0
+	 *  <=> ((x + a) * x + y ) * x + b + y^2 = 0
+	 */
+	if (!BN_GF2m_add(lh, &point->X, &group->a)) goto err;
+	if (!field_mul(group, lh, lh, &point->X, ctx)) goto err;
+	if (!BN_GF2m_add(lh, lh, &point->Y)) goto err;
+	if (!field_mul(group, lh, lh, &point->X, ctx)) goto err;
+	if (!BN_GF2m_add(lh, lh, &group->b)) goto err;
+	if (!field_sqr(group, y2, &point->Y, ctx)) goto err;
+	if (!BN_GF2m_add(lh, lh, y2)) goto err;
+	ret = BN_is_zero(lh);
+ err:
+	if (ctx) BN_CTX_end(ctx);
+	if (new_ctx) BN_CTX_free(new_ctx);
+	return ret;
+	}
+
+
+/* Indicates whether two points are equal.
+ * Return values:
+ *  -1   error
+ *   0   equal (in affine coordinates)
+ *   1   not equal
+ */
+int ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+	{
+	BIGNUM *aX, *aY, *bX, *bY;
+	BN_CTX *new_ctx = NULL;
+	int ret = -1;
+
+	if (EC_POINT_is_at_infinity(group, a))
+		{
+		return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
+		}
+	
+	if (a->Z_is_one && b->Z_is_one)
+		{
+		return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
+		}
+
+	if (ctx == NULL)
+		{
+		ctx = new_ctx = BN_CTX_new();
+		if (ctx == NULL)
+			return -1;
+		}
+
+	BN_CTX_start(ctx);
+	aX = BN_CTX_get(ctx);
+	aY = BN_CTX_get(ctx);
+	bX = BN_CTX_get(ctx);
+	bY = BN_CTX_get(ctx);
+	if (bY == NULL) goto err;
+
+	if (!EC_POINT_get_affine_coordinates_GF2m(group, a, aX, aY, ctx)) goto err;
+	if (!EC_POINT_get_affine_coordinates_GF2m(group, b, bX, bY, ctx)) goto err;
+	ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1;
+
+  err:	
+	if (ctx) BN_CTX_end(ctx);
+	if (new_ctx) BN_CTX_free(new_ctx);
+	return ret;
+	}
+
+
+/* Forces the given EC_POINT to internally use affine coordinates. */
+int ec_GF2m_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
+	{
+	BN_CTX *new_ctx = NULL;
+	BIGNUM *x, *y;
+	int ret = 0;
+
+	if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
+		return 1;
+	
+	if (ctx == NULL)
+		{
+		ctx = new_ctx = BN_CTX_new();
+		if (ctx == NULL)
+			return 0;
+		}
+
+	BN_CTX_start(ctx);
+	x = BN_CTX_get(ctx);
+	y = BN_CTX_get(ctx);
+	if (y == NULL) goto err;
+	
+	if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
+	if (!BN_copy(&point->X, x)) goto err;
+	if (!BN_copy(&point->Y, y)) goto err;
+	if (!BN_one(&point->Z)) goto err;
+	
+	ret = 1;		
+
+  err:
+	if (ctx) BN_CTX_end(ctx);
+	if (new_ctx) BN_CTX_free(new_ctx);
+	return ret;
+	}
+
+
+/* Forces each of the EC_POINTs in the given array to use affine coordinates. */
+int ec_GF2m_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
+	{
+	size_t i;
+
+	for (i = 0; i < num; i++)
+		{
+		if (!group->meth->make_affine(group, points[i], ctx)) return 0;
+		}
+
+	return 1;
+	}
+
+
+/* Wrapper to simple binary polynomial field multiplication implementation. */
+int ec_GF2m_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+	{
+	return BN_GF2m_mod_mul_arr(r, a, b, group->poly, ctx);
+	}
+
+
+/* Wrapper to simple binary polynomial field squaring implementation. */
+int ec_GF2m_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+	{
+	return BN_GF2m_mod_sqr_arr(r, a, group->poly, ctx);
+	}
+
+
+/* Wrapper to simple binary polynomial field division implementation. */
+int ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+	{
+	return BN_GF2m_mod_div(r, a, b, &group->field, ctx);
+	}
diff --git a/crypto/openssl/crypto/ec/ec2_smpt.c b/crypto/openssl/crypto/ec/ec2_smpt.c
new file mode 100644
index 000000000000..72a8d570517f
--- /dev/null
+++ b/crypto/openssl/crypto/ec/ec2_smpt.c
@@ -0,0 +1,141 @@
+/* crypto/ec/ec2_smpt.c */
+/* This code was originally written by Douglas Stebila 
+ * <dstebila@student.math.uwaterloo.ca> for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+/* Calaculates and sets the affine coordinates of an EC_POINT from the given
+ * compressed coordinates.  Uses algorithm 2.3.4 of SEC 1. 
+ * Note that the simple implementation only uses affine coordinates.
+ *
+ * This algorithm is patented by Certicom Corp. under US Patent 6,141,420
+ * (for licensing information, contact licensing@certicom.com).
+ * This function is disabled by default and can be enabled by defining the 
+ * preprocessor macro OPENSSL_EC_BIN_PT_COMP at Configure-time.
+ */
+int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
+	const BIGNUM *x_, int y_bit, BN_CTX *ctx)
+	{
+#ifndef OPENSSL_EC_BIN_PT_COMP	
+	ECerr(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_DISABLED);
+	return 0;
+#else
+	BN_CTX *new_ctx = NULL;
+	BIGNUM *tmp, *x, *y, *z;
+	int ret = 0, z0;
+
+	/* clear error queue */
+	ERR_clear_error();
+
+	if (ctx == NULL)
+		{
+		ctx = new_ctx = BN_CTX_new();
+		if (ctx == NULL)
+			return 0;
+		}
+
+	y_bit = (y_bit != 0) ? 1 : 0;
+
+	BN_CTX_start(ctx);
+	tmp = BN_CTX_get(ctx);
+	x = BN_CTX_get(ctx);
+	y = BN_CTX_get(ctx);
+	z = BN_CTX_get(ctx);
+	if (z == NULL) goto err;
+
+	if (!BN_GF2m_mod_arr(x, x_, group->poly)) goto err;
+	if (BN_is_zero(x))
+		{
+		if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx)) goto err;
+		}
+	else
+		{
+		if (!group->meth->field_sqr(group, tmp, x, ctx)) goto err;
+		if (!group->meth->field_div(group, tmp, &group->b, tmp, ctx)) goto err;
+		if (!BN_GF2m_add(tmp, &group->a, tmp)) goto err;
+		if (!BN_GF2m_add(tmp, x, tmp)) goto err;
+		if (!BN_GF2m_mod_solve_quad_arr(z, tmp, group->poly, ctx))
+			{
+			unsigned long err = ERR_peek_last_error();
+			
+			if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NO_SOLUTION)
+				{
+				ERR_clear_error();
+				ECerr(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
+				}
+			else
+				ECerr(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_BN_LIB);
+			goto err;
+			}
+		z0 = (BN_is_odd(z)) ? 1 : 0;
+		if (!group->meth->field_mul(group, y, x, z, ctx)) goto err;
+		if (z0 != y_bit)
+			{
+			if (!BN_GF2m_add(y, y, x)) goto err;
+			}
+		}
+
+	if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
+
+	ret = 1;
+
+ err:
+	BN_CTX_end(ctx);
+	if (new_ctx != NULL)
+		BN_CTX_free(new_ctx);
+	return ret;
+#endif
+	}
diff --git a/crypto/openssl/crypto/ec/ec_asn1.c b/crypto/openssl/crypto/ec/ec_asn1.c
new file mode 100644
index 000000000000..dec913b8addc
--- /dev/null
+++ b/crypto/openssl/crypto/ec/ec_asn1.c
@@ -0,0 +1,1379 @@
+/* crypto/ec/ec_asn1.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include "ec_lcl.h"
+#include <openssl/err.h>
+#include <openssl/asn1t.h>
+#include <openssl/objects.h>
+
+
+int EC_GROUP_get_basis_type(const EC_GROUP *group)
+	{
+	int i=0;
+
+	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+		NID_X9_62_characteristic_two_field)
+		/* everything else is currently not supported */
+		return 0;
+
+	while (group->poly[i] != 0)
+		i++;
+
+	if (i == 4)
+		return NID_X9_62_ppBasis;
+	else if (i == 2)
+		return NID_X9_62_tpBasis;
+	else
+		/* everything else is currently not supported */
+		return 0;
+	}
+
+int EC_GROUP_get_trinomial_basis(const EC_GROUP *group, unsigned int *k)
+	{
+	if (group == NULL)
+		return 0;
+
+	if (EC_GROUP_method_of(group)->group_set_curve != ec_GF2m_simple_group_set_curve
+	    || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] == 0)))
+		{
+		ECerr(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return 0;
+		}
+
+	if (k)
+		*k = group->poly[1];
+
+	return 1;
+	}
+
+int EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1,
+	unsigned int *k2, unsigned int *k3)
+	{
+	if (group == NULL)
+		return 0;
+
+	if (EC_GROUP_method_of(group)->group_set_curve != ec_GF2m_simple_group_set_curve
+	    || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] != 0) && (group->poly[3] != 0) && (group->poly[4] == 0)))
+		{
+		ECerr(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return 0;
+		}
+
+	if (k1)
+		*k1 = group->poly[3];
+	if (k2)
+		*k2 = group->poly[2];
+	if (k3)
+		*k3 = group->poly[1];
+
+	return 1;
+	}
+
+
+
+/* some structures needed for the asn1 encoding */
+typedef struct x9_62_pentanomial_st {
+	long k1;
+	long k2;
+	long k3;
+	} X9_62_PENTANOMIAL;
+
+typedef struct x9_62_characteristic_two_st {
+	long m;
+	ASN1_OBJECT  *type;
+	union	{
+		char *ptr;
+		/* NID_X9_62_onBasis */
+		ASN1_NULL    *onBasis;
+		/* NID_X9_62_tpBasis */
+		ASN1_INTEGER *tpBasis;
+		/* NID_X9_62_ppBasis */
+		X9_62_PENTANOMIAL *ppBasis;
+		/* anything else */
+		ASN1_TYPE *other;
+		} p;
+	} X9_62_CHARACTERISTIC_TWO;
+
+typedef struct x9_62_fieldid_st {
+        ASN1_OBJECT *fieldType;
+	union	{
+		char *ptr;
+		/* NID_X9_62_prime_field */
+		ASN1_INTEGER *prime;
+		/* NID_X9_62_characteristic_two_field */
+		X9_62_CHARACTERISTIC_TWO *char_two;
+		/* anything else */
+		ASN1_TYPE *other;
+		} p;
+	} X9_62_FIELDID;
+
+typedef struct x9_62_curve_st {
+        ASN1_OCTET_STRING *a;
+        ASN1_OCTET_STRING *b;
+        ASN1_BIT_STRING   *seed;
+        } X9_62_CURVE;
+
+typedef struct ec_parameters_st {
+        long              version;
+        X9_62_FIELDID     *fieldID;
+        X9_62_CURVE       *curve;
+        ASN1_OCTET_STRING *base;
+        ASN1_INTEGER      *order;
+        ASN1_INTEGER      *cofactor;
+        } ECPARAMETERS;
+
+struct ecpk_parameters_st {
+	int	type;
+	union {
+		ASN1_OBJECT  *named_curve;
+		ECPARAMETERS *parameters;
+		ASN1_NULL    *implicitlyCA;
+	} value;
+	}/* ECPKPARAMETERS */;
+
+/* SEC1 ECPrivateKey */
+typedef struct ec_privatekey_st {
+	long              version;
+	ASN1_OCTET_STRING *privateKey;
+        ECPKPARAMETERS    *parameters;
+	ASN1_BIT_STRING   *publicKey;
+	} EC_PRIVATEKEY;
+
+/* the OpenSSL ASN.1 definitions */
+ASN1_SEQUENCE(X9_62_PENTANOMIAL) = {
+	ASN1_SIMPLE(X9_62_PENTANOMIAL, k1, LONG),
+	ASN1_SIMPLE(X9_62_PENTANOMIAL, k2, LONG),
+	ASN1_SIMPLE(X9_62_PENTANOMIAL, k3, LONG)
+} ASN1_SEQUENCE_END(X9_62_PENTANOMIAL)
+
+DECLARE_ASN1_ALLOC_FUNCTIONS(X9_62_PENTANOMIAL)
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X9_62_PENTANOMIAL)
+
+ASN1_ADB_TEMPLATE(char_two_def) = ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, p.other, ASN1_ANY);
+
+ASN1_ADB(X9_62_CHARACTERISTIC_TWO) = {
+	ADB_ENTRY(NID_X9_62_onBasis, ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, p.onBasis, ASN1_NULL)),
+	ADB_ENTRY(NID_X9_62_tpBasis, ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, p.tpBasis, ASN1_INTEGER)),
+	ADB_ENTRY(NID_X9_62_ppBasis, ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, p.ppBasis, X9_62_PENTANOMIAL))
+} ASN1_ADB_END(X9_62_CHARACTERISTIC_TWO, 0, type, 0, &char_two_def_tt, NULL);
+
+ASN1_SEQUENCE(X9_62_CHARACTERISTIC_TWO) = {
+	ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, m, LONG),
+	ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, type, ASN1_OBJECT),
+	ASN1_ADB_OBJECT(X9_62_CHARACTERISTIC_TWO)
+} ASN1_SEQUENCE_END(X9_62_CHARACTERISTIC_TWO)
+
+DECLARE_ASN1_ALLOC_FUNCTIONS(X9_62_CHARACTERISTIC_TWO)
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X9_62_CHARACTERISTIC_TWO)
+
+ASN1_ADB_TEMPLATE(fieldID_def) = ASN1_SIMPLE(X9_62_FIELDID, p.other, ASN1_ANY);
+
+ASN1_ADB(X9_62_FIELDID) = {
+	ADB_ENTRY(NID_X9_62_prime_field, ASN1_SIMPLE(X9_62_FIELDID, p.prime, ASN1_INTEGER)),
+	ADB_ENTRY(NID_X9_62_characteristic_two_field, ASN1_SIMPLE(X9_62_FIELDID, p.char_two, X9_62_CHARACTERISTIC_TWO))
+} ASN1_ADB_END(X9_62_FIELDID, 0, fieldType, 0, &fieldID_def_tt, NULL);
+
+ASN1_SEQUENCE(X9_62_FIELDID) = {
+	ASN1_SIMPLE(X9_62_FIELDID, fieldType, ASN1_OBJECT),
+	ASN1_ADB_OBJECT(X9_62_FIELDID)
+} ASN1_SEQUENCE_END(X9_62_FIELDID)
+
+ASN1_SEQUENCE(X9_62_CURVE) = {
+	ASN1_SIMPLE(X9_62_CURVE, a, ASN1_OCTET_STRING),
+	ASN1_SIMPLE(X9_62_CURVE, b, ASN1_OCTET_STRING),
+	ASN1_OPT(X9_62_CURVE, seed, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END(X9_62_CURVE)
+
+ASN1_SEQUENCE(ECPARAMETERS) = {
+	ASN1_SIMPLE(ECPARAMETERS, version, LONG),
+	ASN1_SIMPLE(ECPARAMETERS, fieldID, X9_62_FIELDID),
+	ASN1_SIMPLE(ECPARAMETERS, curve, X9_62_CURVE),
+	ASN1_SIMPLE(ECPARAMETERS, base, ASN1_OCTET_STRING),
+	ASN1_SIMPLE(ECPARAMETERS, order, ASN1_INTEGER),
+	ASN1_OPT(ECPARAMETERS, cofactor, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(ECPARAMETERS)
+
+DECLARE_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS)
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS)
+
+ASN1_CHOICE(ECPKPARAMETERS) = {
+	ASN1_SIMPLE(ECPKPARAMETERS, value.named_curve, ASN1_OBJECT),
+	ASN1_SIMPLE(ECPKPARAMETERS, value.parameters, ECPARAMETERS),
+	ASN1_SIMPLE(ECPKPARAMETERS, value.implicitlyCA, ASN1_NULL)
+} ASN1_CHOICE_END(ECPKPARAMETERS)
+
+DECLARE_ASN1_FUNCTIONS_const(ECPKPARAMETERS)
+DECLARE_ASN1_ENCODE_FUNCTIONS_const(ECPKPARAMETERS, ECPKPARAMETERS)
+IMPLEMENT_ASN1_FUNCTIONS_const(ECPKPARAMETERS)
+
+ASN1_SEQUENCE(EC_PRIVATEKEY) = {
+	ASN1_SIMPLE(EC_PRIVATEKEY, version, LONG),
+	ASN1_SIMPLE(EC_PRIVATEKEY, privateKey, ASN1_OCTET_STRING),
+	ASN1_EXP_OPT(EC_PRIVATEKEY, parameters, ECPKPARAMETERS, 0),
+	ASN1_EXP_OPT(EC_PRIVATEKEY, publicKey, ASN1_BIT_STRING, 1)
+} ASN1_SEQUENCE_END(EC_PRIVATEKEY)
+
+DECLARE_ASN1_FUNCTIONS_const(EC_PRIVATEKEY)
+DECLARE_ASN1_ENCODE_FUNCTIONS_const(EC_PRIVATEKEY, EC_PRIVATEKEY)
+IMPLEMENT_ASN1_FUNCTIONS_const(EC_PRIVATEKEY)
+
+/* some declarations of internal function */
+
+/* ec_asn1_group2field() sets the values in a X9_62_FIELDID object */ 
+static int ec_asn1_group2fieldid(const EC_GROUP *, X9_62_FIELDID *);
+/* ec_asn1_group2curve() sets the values in a X9_62_CURVE object */ 
+static int ec_asn1_group2curve(const EC_GROUP *, X9_62_CURVE *);
+/* ec_asn1_parameters2group() creates a EC_GROUP object from a
+ * ECPARAMETERS object */
+static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *); 
+/* ec_asn1_group2parameters() creates a ECPARAMETERS object from a 
+ * EC_GROUP object */
+static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *,ECPARAMETERS *);
+/* ec_asn1_pkparameters2group() creates a EC_GROUP object from a
+ * ECPKPARAMETERS object */
+static EC_GROUP *ec_asn1_pkparameters2group(const ECPKPARAMETERS *); 
+/* ec_asn1_group2pkparameters() creates a ECPKPARAMETERS object from a 
+ * EC_GROUP object */
+static ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *, 
+	ECPKPARAMETERS *);
+
+
+/* the function definitions */
+
+static int ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field)
+	{
+	int			ok=0, nid;
+	BIGNUM			*tmp = NULL;
+	
+	if (group == NULL || field == NULL)
+		return 0;
+
+	/* clear the old values (if necessary) */
+	if (field->fieldType != NULL)
+		ASN1_OBJECT_free(field->fieldType);
+	if (field->p.other != NULL)
+		ASN1_TYPE_free(field->p.other);
+
+	nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
+	/* set OID for the field */
+	if ((field->fieldType = OBJ_nid2obj(nid)) == NULL)
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_OBJ_LIB);
+		goto err;
+		}
+
+	if (nid == NID_X9_62_prime_field)
+		{
+		if ((tmp = BN_new()) == NULL) 
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		/* the parameters are specified by the prime number p */
+		if (!EC_GROUP_get_curve_GFp(group, tmp, NULL, NULL, NULL))
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_EC_LIB);
+			goto err;
+			}
+		/* set the prime number */
+		field->p.prime = BN_to_ASN1_INTEGER(tmp,NULL);
+		if (field->p.prime == NULL)
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_ASN1_LIB);
+			goto err;
+			}
+		}
+	else	/* nid == NID_X9_62_characteristic_two_field */
+		{
+		int		field_type;
+		X9_62_CHARACTERISTIC_TWO *char_two;
+
+		field->p.char_two = X9_62_CHARACTERISTIC_TWO_new();
+		char_two = field->p.char_two;
+
+		if (char_two == NULL)
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+	
+		char_two->m = (long)EC_GROUP_get_degree(group);
+
+		field_type = EC_GROUP_get_basis_type(group);
+
+		if (field_type == 0)
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_EC_LIB);
+			goto err;
+			}
+		/* set base type OID */
+		if ((char_two->type = OBJ_nid2obj(field_type)) == NULL)
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_OBJ_LIB);
+			goto err;
+			}
+
+		if (field_type == NID_X9_62_tpBasis)
+			{
+			unsigned int k;
+
+			if (!EC_GROUP_get_trinomial_basis(group, &k))
+				goto err;
+
+			char_two->p.tpBasis = ASN1_INTEGER_new();
+			if (!char_two->p.tpBasis)
+				{
+				ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+			if (!ASN1_INTEGER_set(char_two->p.tpBasis, (long)k))
+				{
+				ECerr(EC_F_EC_ASN1_GROUP2FIELDID,
+					ERR_R_ASN1_LIB);
+				goto err;
+				}
+			}
+		else if (field_type == NID_X9_62_ppBasis)
+			{
+			unsigned int k1, k2, k3;
+
+			if (!EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3))
+				goto err;
+
+			char_two->p.ppBasis = X9_62_PENTANOMIAL_new();
+			if (!char_two->p.ppBasis)
+				{
+				ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+
+			/* set k? values */
+			char_two->p.ppBasis->k1 = (long)k1;
+			char_two->p.ppBasis->k2 = (long)k2;
+			char_two->p.ppBasis->k3 = (long)k3;
+			}
+		else /* field_type == NID_X9_62_onBasis */
+			{
+			/* for ONB the parameters are (asn1) NULL */
+			char_two->p.onBasis = ASN1_NULL_new();
+			if (!char_two->p.onBasis)
+				{
+				ECerr(EC_F_EC_ASN1_GROUP2FIELDID, ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+			}
+		}
+
+	ok = 1;
+
+err :	if (tmp)
+		BN_free(tmp);
+	return(ok);
+}
+
+static int ec_asn1_group2curve(const EC_GROUP *group, X9_62_CURVE *curve)
+	{
+	int           ok=0, nid;
+	BIGNUM        *tmp_1=NULL, *tmp_2=NULL;
+	unsigned char *buffer_1=NULL, *buffer_2=NULL,
+	              *a_buf=NULL, *b_buf=NULL;
+	size_t        len_1, len_2;
+	unsigned char char_zero = 0;
+
+	if (!group || !curve || !curve->a || !curve->b)
+		return 0;
+
+	if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL)
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
+
+	/* get a and b */
+	if (nid == NID_X9_62_prime_field)
+		{
+		if (!EC_GROUP_get_curve_GFp(group, NULL, tmp_1, tmp_2, NULL))
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_EC_LIB);
+			goto err;
+			}
+		}
+	else	/* nid == NID_X9_62_characteristic_two_field */
+		{
+		if (!EC_GROUP_get_curve_GF2m(group, NULL, tmp_1, tmp_2, NULL))
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_EC_LIB);
+			goto err;
+			}
+		}
+
+	len_1 = (size_t)BN_num_bytes(tmp_1);
+	len_2 = (size_t)BN_num_bytes(tmp_2);
+
+	if (len_1 == 0)
+		{
+		/* len_1 == 0 => a == 0 */
+		a_buf = &char_zero;
+		len_1 = 1;
+		}
+	else
+		{
+		if ((buffer_1 = OPENSSL_malloc(len_1)) == NULL)
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2CURVE,
+			      ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		if ( (len_1 = BN_bn2bin(tmp_1, buffer_1)) == 0)
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_BN_LIB);
+			goto err;
+			}
+		a_buf = buffer_1;
+		}
+
+	if (len_2 == 0)
+		{
+		/* len_2 == 0 => b == 0 */
+		b_buf = &char_zero;
+		len_2 = 1;
+		}
+	else
+		{
+		if ((buffer_2 = OPENSSL_malloc(len_2)) == NULL)
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2CURVE,
+			      ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		if ( (len_2 = BN_bn2bin(tmp_2, buffer_2)) == 0)
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_BN_LIB);
+			goto err;
+			}
+		b_buf = buffer_2;
+		}
+	
+	/* set a and b */
+	if (!M_ASN1_OCTET_STRING_set(curve->a, a_buf, len_1) ||
+	    !M_ASN1_OCTET_STRING_set(curve->b, b_buf, len_2))
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_ASN1_LIB);
+		goto err;
+		}
+	
+	/* set the seed (optional) */
+	if (group->seed)
+		{	
+		if (!curve->seed)
+			if ((curve->seed = ASN1_BIT_STRING_new()) == NULL)
+				{
+				ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+		if (!ASN1_BIT_STRING_set(curve->seed, group->seed, 
+		                         (int)group->seed_len))
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_ASN1_LIB);
+			goto err;
+			}
+		}
+	else
+		{
+		if (curve->seed)
+			{
+			ASN1_BIT_STRING_free(curve->seed);
+			curve->seed = NULL;
+			}
+		}
+
+	ok = 1;
+
+err:	if (buffer_1)
+		OPENSSL_free(buffer_1);
+	if (buffer_2)
+		OPENSSL_free(buffer_2);
+	if (tmp_1)
+		BN_free(tmp_1);
+	if (tmp_2)
+		BN_free(tmp_2);
+	return(ok);
+	}
+
+static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *group,
+                                              ECPARAMETERS *param)
+	{
+	int	ok=0;
+	size_t  len=0;
+	ECPARAMETERS   *ret=NULL;
+	BIGNUM	       *tmp=NULL;
+	unsigned char  *buffer=NULL;
+	const EC_POINT *point=NULL;
+	point_conversion_form_t form;
+
+	if ((tmp = BN_new()) == NULL)
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	if (param == NULL)
+	{
+		if ((ret = ECPARAMETERS_new()) == NULL)
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, 
+			      ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+	}
+	else
+		ret = param;
+
+	/* set the version (always one) */
+	ret->version = (long)0x1;
+
+	/* set the fieldID */
+	if (!ec_asn1_group2fieldid(group, ret->fieldID))
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
+		goto err;
+		}
+
+	/* set the curve */
+	if (!ec_asn1_group2curve(group, ret->curve))
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
+		goto err;
+		}
+
+	/* set the base point */
+	if ((point = EC_GROUP_get0_generator(group)) == NULL)
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, EC_R_UNDEFINED_GENERATOR);
+		goto err;
+		}
+
+	form = EC_GROUP_get_point_conversion_form(group);
+
+	len = EC_POINT_point2oct(group, point, form, NULL, len, NULL);
+	if (len == 0)
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
+		goto err;
+		}
+	if ((buffer = OPENSSL_malloc(len)) == NULL)
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	if (!EC_POINT_point2oct(group, point, form, buffer, len, NULL))
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
+		goto err;
+		}
+	if (ret->base == NULL && (ret->base = ASN1_OCTET_STRING_new()) == NULL)
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	if (!ASN1_OCTET_STRING_set(ret->base, buffer, len))
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB);
+		goto err;
+		}
+
+	/* set the order */
+	if (!EC_GROUP_get_order(group, tmp, NULL))
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB);
+		goto err;
+		}
+	ret->order = BN_to_ASN1_INTEGER(tmp, ret->order);
+	if (ret->order == NULL)
+		{
+		ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB);
+		goto err;
+		}
+
+	/* set the cofactor (optional) */
+	if (EC_GROUP_get_cofactor(group, tmp, NULL))
+		{
+		ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor);
+		if (ret->cofactor == NULL)
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB);
+			goto err;
+			}
+		}
+
+	ok = 1;
+
+err :	if(!ok)
+		{
+		if (ret && !param)
+			ECPARAMETERS_free(ret);
+		ret = NULL;
+		}
+	if (tmp)
+		BN_free(tmp);
+	if (buffer)
+		OPENSSL_free(buffer);
+	return(ret);
+	}
+
+ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *group, 
+                                           ECPKPARAMETERS *params)
+	{
+	int            ok = 1, tmp;
+	ECPKPARAMETERS *ret = params;
+
+	if (ret == NULL)
+		{
+		if ((ret = ECPKPARAMETERS_new()) == NULL)
+			{
+			ECerr(EC_F_EC_ASN1_GROUP2PKPARAMETERS, 
+			      ERR_R_MALLOC_FAILURE);
+			return NULL;
+			}
+		}
+	else
+		{
+		if (ret->type == 0 && ret->value.named_curve)
+			ASN1_OBJECT_free(ret->value.named_curve);
+		else if (ret->type == 1 && ret->value.parameters)
+			ECPARAMETERS_free(ret->value.parameters);
+		}
+
+	if (EC_GROUP_get_asn1_flag(group))
+		{
+		/* use the asn1 OID to describe the
+		 * the elliptic curve parameters
+		 */
+		tmp = EC_GROUP_get_curve_name(group);
+		if (tmp)
+			{
+			ret->type = 0;
+			if ((ret->value.named_curve = OBJ_nid2obj(tmp)) == NULL)
+				ok = 0;
+			}
+		else
+			/* we don't kmow the nid => ERROR */
+			ok = 0;
+		}
+	else
+		{	
+		/* use the ECPARAMETERS structure */
+		ret->type = 1;
+		if ((ret->value.parameters = ec_asn1_group2parameters(
+		     group, NULL)) == NULL)
+			ok = 0;
+		}
+
+	if (!ok)
+		{
+		ECPKPARAMETERS_free(ret);
+		return NULL;
+		}
+	return ret;
+	}
+
+static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params)
+	{
+	int			ok = 0, tmp;
+	EC_GROUP		*ret = NULL;
+	BIGNUM			*p = NULL, *a = NULL, *b = NULL;
+	EC_POINT		*point=NULL;
+
+	if (!params->fieldID || !params->fieldID->fieldType || 
+	    !params->fieldID->p.ptr)
+		{
+		ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
+		goto err;
+		}
+
+	/* now extract the curve parameters a and b */
+	if (!params->curve || !params->curve->a || 
+	    !params->curve->a->data || !params->curve->b ||
+	    !params->curve->b->data)
+		{
+		ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
+		goto err;
+		}
+	a = BN_bin2bn(params->curve->a->data, params->curve->a->length, NULL);
+	if (a == NULL)
+		{
+		ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_BN_LIB);
+		goto err;
+		}
+	b = BN_bin2bn(params->curve->b->data, params->curve->b->length, NULL);
+	if (b == NULL)
+		{
+		ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_BN_LIB);
+		goto err;
+		}
+
+	/* get the field parameters */
+	tmp = OBJ_obj2nid(params->fieldID->fieldType);
+
+	if (tmp == NID_X9_62_characteristic_two_field)
+		{
+		X9_62_CHARACTERISTIC_TWO *char_two;
+
+		char_two = params->fieldID->p.char_two;
+
+		if ((p = BN_new()) == NULL)
+			{
+			ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+
+		/* get the base type */
+		tmp = OBJ_obj2nid(char_two->type);
+
+		if (tmp ==  NID_X9_62_tpBasis)
+			{
+			long tmp_long;
+
+			if (!char_two->p.tpBasis)
+				{
+				ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
+				goto err;
+				}
+
+			tmp_long = ASN1_INTEGER_get(char_two->p.tpBasis);
+			/* create the polynomial */
+			if (!BN_set_bit(p, (int)char_two->m))
+				goto err;
+			if (!BN_set_bit(p, (int)tmp_long))
+				goto err;
+			if (!BN_set_bit(p, 0))
+				goto err;
+			}
+		else if (tmp == NID_X9_62_ppBasis)
+			{
+			X9_62_PENTANOMIAL *penta;
+
+			penta = char_two->p.ppBasis;
+			if (!penta)
+				{
+				ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
+				goto err;
+				}
+			/* create the polynomial */
+			if (!BN_set_bit(p, (int)char_two->m)) goto err;
+			if (!BN_set_bit(p, (int)penta->k1)) goto err;
+			if (!BN_set_bit(p, (int)penta->k2)) goto err;
+			if (!BN_set_bit(p, (int)penta->k3)) goto err;
+			if (!BN_set_bit(p, 0)) goto err;
+			}
+		else if (tmp == NID_X9_62_onBasis)
+			{
+			ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_NOT_IMPLEMENTED);
+			goto err;
+			}
+		else /* error */
+			{
+			ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
+			goto err;
+			}
+
+		/* create the EC_GROUP structure */
+		ret = EC_GROUP_new_curve_GF2m(p, a, b, NULL);
+		}
+	else if (tmp == NID_X9_62_prime_field)
+		{
+		/* we have a curve over a prime field */
+		/* extract the prime number */
+		if (!params->fieldID->p.prime)
+			{
+			ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
+			goto err;
+			}
+		p = ASN1_INTEGER_to_BN(params->fieldID->p.prime, NULL);
+		if (p == NULL)
+			{
+			ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB);
+			goto err;
+			}
+		/* create the EC_GROUP structure */
+		ret = EC_GROUP_new_curve_GFp(p, a, b, NULL);
+		}
+	else
+		{
+		ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_FIELD);
+		goto err;
+		}
+
+	if (ret == NULL)
+		{
+		ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB);
+		goto err;
+		}
+
+	/* extract seed (optional) */
+	if (params->curve->seed != NULL)
+		{
+		if (ret->seed != NULL)
+			OPENSSL_free(ret->seed);
+		if (!(ret->seed = OPENSSL_malloc(params->curve->seed->length)))
+			{
+			ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, 
+			      ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		memcpy(ret->seed, params->curve->seed->data, 
+		       params->curve->seed->length);
+		ret->seed_len = params->curve->seed->length;
+		}
+
+	if (!params->order || !params->base || !params->base->data)
+		{
+		ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
+		goto err;
+		}
+
+	if ((point = EC_POINT_new(ret)) == NULL) goto err;
+
+	/* set the point conversion form */
+	EC_GROUP_set_point_conversion_form(ret, (point_conversion_form_t)
+				(params->base->data[0] & ~0x01));
+
+	/* extract the ec point */
+	if (!EC_POINT_oct2point(ret, point, params->base->data, 
+		                params->base->length, NULL))
+		{
+		ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB);
+		goto err;
+		}
+
+	/* extract the order */
+	if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL)
+		{
+		ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB);
+		goto err;
+		}
+	
+	/* extract the cofactor (optional) */
+	if (params->cofactor == NULL)
+		{
+		if (b)
+			{
+			BN_free(b);
+			b = NULL;
+			}
+		}
+	else
+		if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL)
+			{
+			ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB);
+			goto err;
+			}
+	/* set the generator, order and cofactor (if present) */
+	if (!EC_GROUP_set_generator(ret, point, a, b))
+		{
+		ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB);
+		goto err;
+		}
+
+	ok = 1;
+
+err:	if (!ok)
+		{
+		if (ret) 
+			EC_GROUP_clear_free(ret);
+		ret = NULL;
+		}
+
+	if (p)	
+		BN_free(p);
+	if (a)	
+		BN_free(a);
+	if (b)	
+		BN_free(b);
+	if (point)	
+		EC_POINT_free(point);
+	return(ret);
+}
+
+EC_GROUP *ec_asn1_pkparameters2group(const ECPKPARAMETERS *params)
+	{
+	EC_GROUP *ret=NULL;
+	int      tmp=0;
+
+	if (params == NULL)
+		{
+		ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP, 
+		      EC_R_MISSING_PARAMETERS);
+		return NULL;
+		}
+
+	if (params->type == 0)
+		{ /* the curve is given by an OID */
+		tmp = OBJ_obj2nid(params->value.named_curve);
+		if ((ret = EC_GROUP_new_by_curve_name(tmp)) == NULL)
+			{
+			ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP, 
+			      EC_R_EC_GROUP_NEW_BY_NAME_FAILURE);
+			return NULL;
+			}
+		EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_NAMED_CURVE);
+		}
+	else if (params->type == 1)
+		{ /* the parameters are given by a ECPARAMETERS
+		   * structure */
+		ret = ec_asn1_parameters2group(params->value.parameters);
+		if (!ret)
+			{
+			ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP, ERR_R_EC_LIB);
+			return NULL;
+			}
+		EC_GROUP_set_asn1_flag(ret, 0x0);
+		}
+	else if (params->type == 2)
+		{ /* implicitlyCA */
+		return NULL;
+		}
+	else
+		{
+		ECerr(EC_F_EC_ASN1_PKPARAMETERS2GROUP, EC_R_ASN1_ERROR);
+		return NULL;
+		}
+
+	return ret;
+	}
+
+/* EC_GROUP <-> DER encoding of ECPKPARAMETERS */
+
+EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
+	{
+	EC_GROUP	*group  = NULL;
+	ECPKPARAMETERS	*params = NULL;
+
+	if ((params = d2i_ECPKPARAMETERS(NULL, in, len)) == NULL)
+		{
+		ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_D2I_ECPKPARAMETERS_FAILURE);
+		ECPKPARAMETERS_free(params);
+		return NULL;
+		}
+	
+	if ((group = ec_asn1_pkparameters2group(params)) == NULL)
+		{
+		ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_PKPARAMETERS2GROUP_FAILURE);
+		return NULL; 
+		}
+
+	
+	if (a && *a)
+		EC_GROUP_clear_free(*a);
+	if (a)
+		*a = group;
+
+	ECPKPARAMETERS_free(params);
+	return(group);
+	}
+
+int i2d_ECPKParameters(const EC_GROUP *a, unsigned char **out)
+	{
+	int		ret=0;
+	ECPKPARAMETERS	*tmp = ec_asn1_group2pkparameters(a, NULL);
+	if (tmp == NULL)
+		{
+		ECerr(EC_F_I2D_ECPKPARAMETERS, EC_R_GROUP2PKPARAMETERS_FAILURE);
+		return 0;
+		}
+	if ((ret = i2d_ECPKPARAMETERS(tmp, out)) == 0)
+		{
+		ECerr(EC_F_I2D_ECPKPARAMETERS, EC_R_I2D_ECPKPARAMETERS_FAILURE);
+		ECPKPARAMETERS_free(tmp);
+		return 0;
+		}	
+	ECPKPARAMETERS_free(tmp);
+	return(ret);
+	}
+
+/* some EC_KEY functions */
+
+EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
+	{
+	int             ok=0;
+	EC_KEY          *ret=NULL;
+	EC_PRIVATEKEY   *priv_key=NULL;
+
+	if ((priv_key = EC_PRIVATEKEY_new()) == NULL)
+		{
+		ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
+		return NULL;
+		}
+
+	if ((priv_key = d2i_EC_PRIVATEKEY(&priv_key, in, len)) == NULL)
+		{
+		ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
+		EC_PRIVATEKEY_free(priv_key);
+		return NULL;
+		}
+
+	if (a == NULL || *a == NULL)
+		{
+		if ((ret = EC_KEY_new()) == NULL)	
+			{
+			ECerr(EC_F_D2I_ECPRIVATEKEY,
+                                 ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		if (a)
+			*a = ret;
+		}
+	else
+		ret = *a;
+
+	if (priv_key->parameters)
+		{
+		if (ret->group)
+			EC_GROUP_clear_free(ret->group);
+		ret->group = ec_asn1_pkparameters2group(priv_key->parameters);
+		}
+
+	if (ret->group == NULL)
+		{
+		ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
+		goto err;
+		}
+
+	ret->version = priv_key->version;
+
+	if (priv_key->privateKey)
+		{
+		ret->priv_key = BN_bin2bn(
+			M_ASN1_STRING_data(priv_key->privateKey),
+			M_ASN1_STRING_length(priv_key->privateKey),
+			ret->priv_key);
+		if (ret->priv_key == NULL)
+			{
+			ECerr(EC_F_D2I_ECPRIVATEKEY,
+                              ERR_R_BN_LIB);
+			goto err;
+			}
+		}
+	else
+		{
+		ECerr(EC_F_D2I_ECPRIVATEKEY, 
+                      EC_R_MISSING_PRIVATE_KEY);
+		goto err;
+		}
+
+	if (priv_key->publicKey)
+		{
+		const unsigned char *pub_oct;
+		size_t pub_oct_len;
+
+		if (ret->pub_key)
+			EC_POINT_clear_free(ret->pub_key);
+		ret->pub_key = EC_POINT_new(ret->group);
+		if (ret->pub_key == NULL)
+			{
+			ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
+			goto err;
+			}
+		pub_oct     = M_ASN1_STRING_data(priv_key->publicKey);
+		pub_oct_len = M_ASN1_STRING_length(priv_key->publicKey);
+		/* save the point conversion form */
+		ret->conv_form = (point_conversion_form_t)(pub_oct[0] & ~0x01);
+		if (!EC_POINT_oct2point(ret->group, ret->pub_key,
+			pub_oct, pub_oct_len, NULL))
+			{
+			ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
+			goto err;
+			}
+		}
+
+	ok = 1;
+err:
+	if (!ok)
+		{
+		if (ret)
+			EC_KEY_free(ret);
+		ret = NULL;
+		}
+
+	if (priv_key)
+		EC_PRIVATEKEY_free(priv_key);
+
+	return(ret);
+	}
+
+int	i2d_ECPrivateKey(EC_KEY *a, unsigned char **out)
+	{
+	int             ret=0, ok=0;
+	unsigned char   *buffer=NULL;
+	size_t          buf_len=0, tmp_len;
+	EC_PRIVATEKEY   *priv_key=NULL;
+
+	if (a == NULL || a->group == NULL || a->priv_key == NULL)
+		{
+		ECerr(EC_F_I2D_ECPRIVATEKEY,
+                      ERR_R_PASSED_NULL_PARAMETER);
+		goto err;
+		}
+
+	if ((priv_key = EC_PRIVATEKEY_new()) == NULL)
+		{
+		ECerr(EC_F_I2D_ECPRIVATEKEY,
+                      ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	priv_key->version = a->version;
+
+	buf_len = (size_t)BN_num_bytes(a->priv_key);
+	buffer = OPENSSL_malloc(buf_len);
+	if (buffer == NULL)
+		{
+		ECerr(EC_F_I2D_ECPRIVATEKEY,
+                      ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	
+	if (!BN_bn2bin(a->priv_key, buffer))
+		{
+		ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_BN_LIB);
+		goto err;
+		}
+
+	if (!M_ASN1_OCTET_STRING_set(priv_key->privateKey, buffer, buf_len))
+		{
+		ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_ASN1_LIB);
+		goto err;
+		}	
+
+	if (!(a->enc_flag & EC_PKEY_NO_PARAMETERS))
+		{
+		if ((priv_key->parameters = ec_asn1_group2pkparameters(
+			a->group, priv_key->parameters)) == NULL)
+			{
+			ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB);
+			goto err;
+			}
+		}
+
+	if (!(a->enc_flag & EC_PKEY_NO_PUBKEY))
+		{
+		priv_key->publicKey = M_ASN1_BIT_STRING_new();
+		if (priv_key->publicKey == NULL)
+			{
+			ECerr(EC_F_I2D_ECPRIVATEKEY,
+				ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+
+		tmp_len = EC_POINT_point2oct(a->group, a->pub_key, 
+				a->conv_form, NULL, 0, NULL);
+
+		if (tmp_len > buf_len)
+			{
+			unsigned char *tmp_buffer = OPENSSL_realloc(buffer, tmp_len);
+			if (!tmp_buffer)
+				{
+				ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+			buffer = tmp_buffer;
+			buf_len = tmp_len;
+			}
+
+		if (!EC_POINT_point2oct(a->group, a->pub_key, 
+			a->conv_form, buffer, buf_len, NULL))
+			{
+			ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB);
+			goto err;
+			}
+
+		if (!M_ASN1_BIT_STRING_set(priv_key->publicKey, buffer, 
+				buf_len))
+			{
+			ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_ASN1_LIB);
+			goto err;
+			}
+		}
+
+	if ((ret = i2d_EC_PRIVATEKEY(priv_key, out)) == 0)
+		{
+		ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_EC_LIB);
+		goto err;
+		}
+	ok=1;
+err:
+	if (buffer)
+		OPENSSL_free(buffer);
+	if (priv_key)
+		EC_PRIVATEKEY_free(priv_key);
+	return(ok?ret:0);
+	}
+
+int i2d_ECParameters(EC_KEY *a, unsigned char **out)
+	{
+	if (a == NULL)
+		{
+		ECerr(EC_F_I2D_ECPARAMETERS, ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	return i2d_ECPKParameters(a->group, out);
+	}
+
+EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
+	{
+	EC_KEY   *ret;
+
+	if (in == NULL || *in == NULL)
+		{
+		ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+
+	if (a == NULL || *a == NULL)
+		{
+		if ((ret = EC_KEY_new()) == NULL)
+			{
+			ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
+			return NULL;
+			}
+		if (a)
+			*a = ret;
+		}
+	else
+		ret = *a;
+
+	if (!d2i_ECPKParameters(&ret->group, in, len))
+		{
+		ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
+		return NULL;
+		}
+
+	return ret;
+	}
+
+EC_KEY *o2i_ECPublicKey(EC_KEY **a, const unsigned char **in, long len)
+	{
+	EC_KEY *ret=NULL;
+
+	if (a == NULL || (*a) == NULL || (*a)->group == NULL)
+		{
+		/* sorry, but a EC_GROUP-structur is necessary
+                 * to set the public key */
+		ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	ret = *a;
+	if (ret->pub_key == NULL && 
+		(ret->pub_key = EC_POINT_new(ret->group)) == NULL)
+		{
+		ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	if (!EC_POINT_oct2point(ret->group, ret->pub_key, *in, len, NULL))
+		{
+		ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_EC_LIB);
+		return 0;
+		}
+	/* save the point conversion form */
+	ret->conv_form = (point_conversion_form_t)(*in[0] & ~0x01);
+	*in += len;
+	return ret;
+	}
+
+int i2o_ECPublicKey(EC_KEY *a, unsigned char **out)
+	{
+        size_t buf_len=0;
+	int new_buffer = 0;
+
+        if (a == NULL) 
+		{
+		ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+
+        buf_len = EC_POINT_point2oct(a->group, a->pub_key, 
+                              a->conv_form, NULL, 0, NULL);
+
+	if (out == NULL || buf_len == 0)
+	/* out == NULL => just return the length of the octet string */
+		return buf_len;
+
+	if (*out == NULL)
+		{
+		if ((*out = OPENSSL_malloc(buf_len)) == NULL)
+			{
+			ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_MALLOC_FAILURE);
+			return 0;
+			}
+		new_buffer = 1;
+		}
+        if (!EC_POINT_point2oct(a->group, a->pub_key, a->conv_form,
+				*out, buf_len, NULL))
+		{
+		ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_EC_LIB);
+		OPENSSL_free(*out);
+		*out = NULL;
+		return 0;
+		}
+	if (!new_buffer)
+		*out += buf_len;
+	return buf_len;
+	}
diff --git a/crypto/openssl/crypto/ec/ec_check.c b/crypto/openssl/crypto/ec/ec_check.c
new file mode 100644
index 000000000000..0e316b4b3ff0
--- /dev/null
+++ b/crypto/openssl/crypto/ec/ec_check.c
@@ -0,0 +1,123 @@
+/* crypto/ec/ec_check.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ec_lcl.h"
+#include <openssl/err.h>
+
+int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx)
+	{
+	int ret = 0;
+	BIGNUM *order;
+	BN_CTX *new_ctx = NULL;
+	EC_POINT *point = NULL;
+
+	if (ctx == NULL)
+		{
+		ctx = new_ctx = BN_CTX_new();
+		if (ctx == NULL)
+			{
+			ECerr(EC_F_EC_GROUP_CHECK, ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		}
+	BN_CTX_start(ctx);
+	if ((order = BN_CTX_get(ctx)) == NULL) goto err;
+
+	/* check the discriminant */
+	if (!EC_GROUP_check_discriminant(group, ctx))
+		{
+		ECerr(EC_F_EC_GROUP_CHECK, EC_R_DISCRIMINANT_IS_ZERO);
+		goto err;
+		}
+
+	/* check the generator */
+	if (group->generator == NULL)
+		{
+		ECerr(EC_F_EC_GROUP_CHECK, EC_R_UNDEFINED_GENERATOR);
+		goto err;
+		}
+	if (!EC_POINT_is_on_curve(group, group->generator, ctx))
+		{
+		ECerr(EC_F_EC_GROUP_CHECK, EC_R_POINT_IS_NOT_ON_CURVE);
+		goto err;
+		}
+
+	/* check the order of the generator */
+	if ((point = EC_POINT_new(group)) == NULL) goto err;
+	if (!EC_GROUP_get_order(group, order, ctx)) goto err; 
+	if (BN_is_zero(order))
+		{
+		ECerr(EC_F_EC_GROUP_CHECK, EC_R_UNDEFINED_ORDER);
+		goto err;
+		}
+	
+	if (!EC_POINT_mul(group, point, order, NULL, NULL, ctx)) goto err;
+	if (!EC_POINT_is_at_infinity(group, point))
+		{
+		ECerr(EC_F_EC_GROUP_CHECK, EC_R_INVALID_GROUP_ORDER);
+		goto err;
+		}
+
+	ret = 1;
+
+err:
+	if (ctx != NULL)
+		BN_CTX_end(ctx);
+	if (new_ctx != NULL)
+		BN_CTX_free(new_ctx);
+	if (point)
+		EC_POINT_free(point);
+	return ret;
+	}
diff --git a/crypto/openssl/crypto/ec/ec_curve.c b/crypto/openssl/crypto/ec/ec_curve.c
new file mode 100644
index 000000000000..beac20969b75
--- /dev/null
+++ b/crypto/openssl/crypto/ec/ec_curve.c
@@ -0,0 +1,1270 @@
+/* crypto/ec/ec_curve.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * The elliptic curve binary polynomial software is originally written by 
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+
+#include "ec_lcl.h"
+#include <openssl/err.h>
+#include <openssl/obj_mac.h>
+
+typedef struct ec_curve_data_st {
+	int	field_type;	/* either NID_X9_62_prime_field or
+				 * NID_X9_62_characteristic_two_field */
+	const char *p;		/* either a prime number or a polynomial */
+	const char *a;
+	const char *b;
+	const char *x;		/* the x coordinate of the generator */
+	const char *y;		/* the y coordinate of the generator */
+	const char *order;	/* the order of the group generated by the
+				 * generator */
+	const BN_ULONG cofactor;/* the cofactor */
+	const unsigned char *seed;/* the seed (optional) */
+	size_t	seed_len;
+	const char *comment;	/* a short description of the curve */
+} EC_CURVE_DATA;
+
+/* the nist prime curves */
+static const unsigned char _EC_NIST_PRIME_192_SEED[] = {
+	0x30,0x45,0xAE,0x6F,0xC8,0x42,0x2F,0x64,0xED,0x57,
+	0x95,0x28,0xD3,0x81,0x20,0xEA,0xE1,0x21,0x96,0xD5};
+static const EC_CURVE_DATA _EC_NIST_PRIME_192 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
+	"64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1",
+	"188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012",
+	"07192b95ffc8da78631011ed6b24cdd573f977a11e794811",
+	"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831",1,
+	_EC_NIST_PRIME_192_SEED, 20,
+	"NIST/X9.62/SECG curve over a 192 bit prime field"
+	};
+
+static const unsigned char _EC_NIST_PRIME_224_SEED[] = {
+	0xBD,0x71,0x34,0x47,0x99,0xD5,0xC7,0xFC,0xDC,0x45,
+	0xB5,0x9F,0xA3,0xB9,0xAB,0x8F,0x6A,0x94,0x8B,0xC5};
+static const EC_CURVE_DATA _EC_NIST_PRIME_224 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
+	"B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
+	"B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
+	"bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",1,
+	_EC_NIST_PRIME_224_SEED, 20,
+	"NIST/SECG curve over a 224 bit prime field"
+	};
+
+static const unsigned char _EC_NIST_PRIME_384_SEED[] = {
+	0xA3,0x35,0x92,0x6A,0xA3,0x19,0xA2,0x7A,0x1D,0x00,
+	0x89,0x6A,0x67,0x73,0xA4,0x82,0x7A,0xCD,0xAC,0x73};
+static const EC_CURVE_DATA _EC_NIST_PRIME_384 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFF"
+	"FFF0000000000000000FFFFFFFF",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFF"
+	"FFF0000000000000000FFFFFFFC",
+	"B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC6563"
+	"98D8A2ED19D2A85C8EDD3EC2AEF",
+	"AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F"
+	"25DBF55296C3A545E3872760AB7",
+	"3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b"
+	"1ce1d7e819d7a431d7c90ea0e5f",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0"
+	"DB248B0A77AECEC196ACCC52973",1,
+	_EC_NIST_PRIME_384_SEED, 20,
+	"NIST/SECG curve over a 384 bit prime field"
+	};
+
+static const unsigned char _EC_NIST_PRIME_521_SEED[] = {
+	0xD0,0x9E,0x88,0x00,0x29,0x1C,0xB8,0x53,0x96,0xCC,
+	0x67,0x17,0x39,0x32,0x84,0xAA,0xA0,0xDA,0x64,0xBA};
+static const EC_CURVE_DATA _EC_NIST_PRIME_521 = {
+	NID_X9_62_prime_field,
+	"1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+	"1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC",
+	"051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156"
+	"193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
+	"C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14"
+	"B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
+	"011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c9"
+	"7ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
+	"1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51"
+	"868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",1,
+	_EC_NIST_PRIME_521_SEED, 20,
+	"NIST/SECG curve over a 521 bit prime field"
+	};
+/* the x9.62 prime curves (minus the nist prime curves) */
+static const unsigned char _EC_X9_62_PRIME_192V2_SEED[] = {
+	0x31,0xA9,0x2E,0xE2,0x02,0x9F,0xD1,0x0D,0x90,0x1B,
+	0x11,0x3E,0x99,0x07,0x10,0xF0,0xD2,0x1A,0xC6,0xB6};
+static const EC_CURVE_DATA _EC_X9_62_PRIME_192V2 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
+	"CC22D6DFB95C6B25E49C0D6364A4E5980C393AA21668D953",
+	"EEA2BAE7E1497842F2DE7769CFE9C989C072AD696F48034A",
+	"6574d11d69b6ec7a672bb82a083df2f2b0847de970b2de15",
+	"FFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31",1,
+	_EC_X9_62_PRIME_192V2_SEED, 20,
+	"X9.62 curve over a 192 bit prime field"
+	};
+
+static const unsigned char _EC_X9_62_PRIME_192V3_SEED[] = {
+	0xC4,0x69,0x68,0x44,0x35,0xDE,0xB3,0x78,0xC4,0xB6,
+	0x5C,0xA9,0x59,0x1E,0x2A,0x57,0x63,0x05,0x9A,0x2E};
+static const EC_CURVE_DATA _EC_X9_62_PRIME_192V3 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
+	"22123DC2395A05CAA7423DAECCC94760A7D462256BD56916",
+	"7D29778100C65A1DA1783716588DCE2B8B4AEE8E228F1896",
+	"38a90f22637337334b49dcb66a6dc8f9978aca7648a943b0",
+	"FFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13",1,
+	_EC_X9_62_PRIME_192V3_SEED, 20,
+	"X9.62 curve over a 192 bit prime field"
+	};
+
+static const unsigned char _EC_X9_62_PRIME_239V1_SEED[] = {
+	0xE4,0x3B,0xB4,0x60,0xF0,0xB8,0x0C,0xC0,0xC0,0xB0,
+	0x75,0x79,0x8E,0x94,0x80,0x60,0xF8,0x32,0x1B,0x7D};
+static const EC_CURVE_DATA _EC_X9_62_PRIME_239V1 = {
+	NID_X9_62_prime_field,
+	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
+	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
+	"6B016C3BDCF18941D0D654921475CA71A9DB2FB27D1D37796185C2942C0A",
+	"0FFA963CDCA8816CCC33B8642BEDF905C3D358573D3F27FBBD3B3CB9AAAF",
+	"7debe8e4e90a5dae6e4054ca530ba04654b36818ce226b39fccb7b02f1ae",
+	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B",1,
+	_EC_X9_62_PRIME_239V1_SEED, 20,
+	"X9.62 curve over a 239 bit prime field"
+	};
+
+static const unsigned char _EC_X9_62_PRIME_239V2_SEED[] = {
+	0xE8,0xB4,0x01,0x16,0x04,0x09,0x53,0x03,0xCA,0x3B,
+	0x80,0x99,0x98,0x2B,0xE0,0x9F,0xCB,0x9A,0xE6,0x16};
+static const EC_CURVE_DATA _EC_X9_62_PRIME_239V2 = {
+	NID_X9_62_prime_field,
+	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
+	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
+	"617FAB6832576CBBFED50D99F0249C3FEE58B94BA0038C7AE84C8C832F2C",
+	"38AF09D98727705120C921BB5E9E26296A3CDCF2F35757A0EAFD87B830E7",
+	"5b0125e4dbea0ec7206da0fc01d9b081329fb555de6ef460237dff8be4ba",
+	"7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063",1,
+	_EC_X9_62_PRIME_239V2_SEED, 20,
+	"X9.62 curve over a 239 bit prime field"
+	};
+
+static const unsigned char _EC_X9_62_PRIME_239V3_SEED[] = {
+	0x7D,0x73,0x74,0x16,0x8F,0xFE,0x34,0x71,0xB6,0x0A,
+	0x85,0x76,0x86,0xA1,0x94,0x75,0xD3,0xBF,0xA2,0xFF};
+static const EC_CURVE_DATA _EC_X9_62_PRIME_239V3 = {
+	NID_X9_62_prime_field,
+	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
+	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
+	"255705FA2A306654B1F4CB03D6A750A30C250102D4988717D9BA15AB6D3E",
+	"6768AE8E18BB92CFCF005C949AA2C6D94853D0E660BBF854B1C9505FE95A",
+	"1607e6898f390c06bc1d552bad226f3b6fcfe48b6e818499af18e3ed6cf3",
+	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551",1,
+	_EC_X9_62_PRIME_239V3_SEED, 20,
+	"X9.62 curve over a 239 bit prime field"
+	};
+
+static const unsigned char _EC_X9_62_PRIME_256V1_SEED[] = {
+	0xC4,0x9D,0x36,0x08,0x86,0xE7,0x04,0x93,0x6A,0x66,
+	0x78,0xE1,0x13,0x9D,0x26,0xB7,0x81,0x9F,0x7E,0x90};
+static const EC_CURVE_DATA _EC_X9_62_PRIME_256V1 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
+	"FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
+	"5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
+	"6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
+	"4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
+	"FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",1,
+	_EC_X9_62_PRIME_256V1_SEED, 20,
+	"X9.62/SECG curve over a 256 bit prime field"
+	};
+/* the secg prime curves (minus the nist and x9.62 prime curves) */
+static const unsigned char _EC_SECG_PRIME_112R1_SEED[] = {
+	0x00,0xF5,0x0B,0x02,0x8E,0x4D,0x69,0x6E,0x67,0x68,
+	0x75,0x61,0x51,0x75,0x29,0x04,0x72,0x78,0x3F,0xB1};
+static const EC_CURVE_DATA _EC_SECG_PRIME_112R1 = {
+	NID_X9_62_prime_field,
+	"DB7C2ABF62E35E668076BEAD208B",
+	"DB7C2ABF62E35E668076BEAD2088",
+	"659EF8BA043916EEDE8911702B22",
+	"09487239995A5EE76B55F9C2F098",
+	"a89ce5af8724c0a23e0e0ff77500",
+	"DB7C2ABF62E35E7628DFAC6561C5",1,
+	_EC_SECG_PRIME_112R1_SEED, 20,
+	"SECG/WTLS curve over a 112 bit prime field"
+	};
+
+static const unsigned char _EC_SECG_PRIME_112R2_SEED[] = {
+	0x00,0x27,0x57,0xA1,0x11,0x4D,0x69,0x6E,0x67,0x68,
+	0x75,0x61,0x51,0x75,0x53,0x16,0xC0,0x5E,0x0B,0xD4};
+static const EC_CURVE_DATA _EC_SECG_PRIME_112R2 = {
+	NID_X9_62_prime_field,
+	"DB7C2ABF62E35E668076BEAD208B",
+	"6127C24C05F38A0AAAF65C0EF02C",
+	"51DEF1815DB5ED74FCC34C85D709",
+	"4BA30AB5E892B4E1649DD0928643",
+	"adcd46f5882e3747def36e956e97",
+	"36DF0AAFD8B8D7597CA10520D04B",4, 
+	_EC_SECG_PRIME_112R2_SEED, 20,
+	"SECG curve over a 112 bit prime field"
+	};
+
+static const unsigned char _EC_SECG_PRIME_128R1_SEED[] = {
+	0x00,0x0E,0x0D,0x4D,0x69,0x6E,0x67,0x68,0x75,0x61,
+	0x51,0x75,0x0C,0xC0,0x3A,0x44,0x73,0xD0,0x36,0x79};
+static const EC_CURVE_DATA _EC_SECG_PRIME_128R1 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF",
+	"FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFC",
+	"E87579C11079F43DD824993C2CEE5ED3",
+	"161FF7528B899B2D0C28607CA52C5B86",
+	"cf5ac8395bafeb13c02da292dded7a83",
+	"FFFFFFFE0000000075A30D1B9038A115",1,
+	_EC_SECG_PRIME_128R1_SEED, 20,
+	"SECG curve over a 128 bit prime field"
+	};
+
+static const unsigned char _EC_SECG_PRIME_128R2_SEED[] = {
+	0x00,0x4D,0x69,0x6E,0x67,0x68,0x75,0x61,0x51,0x75,
+	0x12,0xD8,0xF0,0x34,0x31,0xFC,0xE6,0x3B,0x88,0xF4};
+static const EC_CURVE_DATA _EC_SECG_PRIME_128R2 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF",
+	"D6031998D1B3BBFEBF59CC9BBFF9AEE1",
+	"5EEEFCA380D02919DC2C6558BB6D8A5D",
+	"7B6AA5D85E572983E6FB32A7CDEBC140",
+	"27b6916a894d3aee7106fe805fc34b44",
+	"3FFFFFFF7FFFFFFFBE0024720613B5A3",4,
+	_EC_SECG_PRIME_128R2_SEED, 20,
+	"SECG curve over a 128 bit prime field"
+	};
+
+static const EC_CURVE_DATA _EC_SECG_PRIME_160K1 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73",
+	"0",
+	"7",
+	"3B4C382CE37AA192A4019E763036F4F5DD4D7EBB",
+	"938cf935318fdced6bc28286531733c3f03c4fee",
+	"0100000000000000000001B8FA16DFAB9ACA16B6B3",1,
+	NULL, 0,
+	"SECG curve over a 160 bit prime field"
+	};
+
+static const unsigned char _EC_SECG_PRIME_160R1_SEED[] = {
+	0x10,0x53,0xCD,0xE4,0x2C,0x14,0xD6,0x96,0xE6,0x76,
+	0x87,0x56,0x15,0x17,0x53,0x3B,0xF3,0xF8,0x33,0x45};
+static const EC_CURVE_DATA _EC_SECG_PRIME_160R1 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC",
+	"1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45",
+	"4A96B5688EF573284664698968C38BB913CBFC82",
+	"23a628553168947d59dcc912042351377ac5fb32",
+	"0100000000000000000001F4C8F927AED3CA752257",1,
+	_EC_SECG_PRIME_160R1_SEED, 20,
+	"SECG curve over a 160 bit prime field"
+	};
+
+static const unsigned char _EC_SECG_PRIME_160R2_SEED[] = {
+	0xB9,0x9B,0x99,0xB0,0x99,0xB3,0x23,0xE0,0x27,0x09,
+	0xA4,0xD6,0x96,0xE6,0x76,0x87,0x56,0x15,0x17,0x51};
+static const EC_CURVE_DATA _EC_SECG_PRIME_160R2 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC70",
+	"B4E134D3FB59EB8BAB57274904664D5AF50388BA",
+	"52DCB034293A117E1F4FF11B30F7199D3144CE6D",
+	"feaffef2e331f296e071fa0df9982cfea7d43f2e",
+	"0100000000000000000000351EE786A818F3A1A16B",1,
+	_EC_SECG_PRIME_160R2_SEED, 20,
+	"SECG/WTLS curve over a 160 bit prime field"
+	};
+
+static const EC_CURVE_DATA _EC_SECG_PRIME_192K1 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37",
+	"0",
+	"3",
+	"DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D",
+	"9b2f2f6d9c5628a7844163d015be86344082aa88d95e2f9d",
+	"FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D",1,
+	NULL, 20,
+	"SECG curve over a 192 bit prime field"
+	};
+
+static const EC_CURVE_DATA _EC_SECG_PRIME_224K1 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D",
+	"0",
+	"5",
+	"A1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C",
+	"7e089fed7fba344282cafbd6f7e319f7c0b0bd59e2ca4bdb556d61a5",
+	"010000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7",1,
+	NULL, 20,
+	"SECG curve over a 224 bit prime field"
+	};
+
+static const EC_CURVE_DATA _EC_SECG_PRIME_256K1 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F",
+	"0",
+	"7",
+	"79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798",
+	"483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141",1,
+	NULL, 20,
+	"SECG curve over a 256 bit prime field"
+	};
+
+/* some wap/wtls curves */
+static const EC_CURVE_DATA _EC_WTLS_8 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFDE7",
+	"0",
+	"3",
+	"1",
+	"2",
+	"0100000000000001ECEA551AD837E9",1,
+	NULL, 20,
+	"WTLS curve over a 112 bit prime field"
+	};
+
+static const EC_CURVE_DATA _EC_WTLS_9 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC808F",
+	"0",
+	"3",
+	"1",
+	"2",
+	"0100000000000000000001CDC98AE0E2DE574ABF33",1,
+	NULL, 20,
+	"WTLS curve over a 160 bit prime field"
+	};
+
+static const EC_CURVE_DATA _EC_WTLS_12 = {
+	NID_X9_62_prime_field,
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
+	"B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
+	"B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
+	"bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34",
+	"FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", 1,
+	NULL, 0,
+	"WTLS curvs over a 224 bit prime field"
+	};
+
+/* characteristic two curves */
+static const unsigned char _EC_SECG_CHAR2_113R1_SEED[] = {
+	0x10,0xE7,0x23,0xAB,0x14,0xD6,0x96,0xE6,0x76,0x87,
+	0x56,0x15,0x17,0x56,0xFE,0xBF,0x8F,0xCB,0x49,0xA9};
+static const EC_CURVE_DATA _EC_SECG_CHAR2_113R1 = {
+	NID_X9_62_characteristic_two_field,
+	"020000000000000000000000000201",
+	"003088250CA6E7C7FE649CE85820F7",
+	"00E8BEE4D3E2260744188BE0E9C723",
+	"009D73616F35F4AB1407D73562C10F",
+	"00A52830277958EE84D1315ED31886",
+	"0100000000000000D9CCEC8A39E56F", 2,
+	_EC_SECG_CHAR2_113R1_SEED, 20,
+	"SECG curve over a 113 bit binary field"
+	};
+
+static const unsigned char _EC_SECG_CHAR2_113R2_SEED[] = {
+	0x10,0xC0,0xFB,0x15,0x76,0x08,0x60,0xDE,0xF1,0xEE,
+	0xF4,0xD6,0x96,0xE6,0x76,0x87,0x56,0x15,0x17,0x5D};
+static const EC_CURVE_DATA _EC_SECG_CHAR2_113R2 = {
+	NID_X9_62_characteristic_two_field,
+	"020000000000000000000000000201",
+	"00689918DBEC7E5A0DD6DFC0AA55C7",
+	"0095E9A9EC9B297BD4BF36E059184F",
+	"01A57A6A7B26CA5EF52FCDB8164797",
+	"00B3ADC94ED1FE674C06E695BABA1D",
+	"010000000000000108789B2496AF93", 2,
+	_EC_SECG_CHAR2_113R2_SEED, 20,
+	"SECG curve over a 113 bit binary field"
+	};
+
+static const unsigned char _EC_SECG_CHAR2_131R1_SEED[] = {
+	0x4D,0x69,0x6E,0x67,0x68,0x75,0x61,0x51,0x75,0x98,
+	0x5B,0xD3,0xAD,0xBA,0xDA,0x21,0xB4,0x3A,0x97,0xE2};
+static const EC_CURVE_DATA _EC_SECG_CHAR2_131R1 = {
+	NID_X9_62_characteristic_two_field,
+	"080000000000000000000000000000010D",
+	"07A11B09A76B562144418FF3FF8C2570B8",
+	"0217C05610884B63B9C6C7291678F9D341",
+	"0081BAF91FDF9833C40F9C181343638399",
+	"078C6E7EA38C001F73C8134B1B4EF9E150",
+	"0400000000000000023123953A9464B54D", 2,
+	_EC_SECG_CHAR2_131R1_SEED, 20,
+	"SECG/WTLS curve over a 131 bit binary field"
+	};
+
+static const unsigned char _EC_SECG_CHAR2_131R2_SEED[] = {
+	0x98,0x5B,0xD3,0xAD,0xBA,0xD4,0xD6,0x96,0xE6,0x76,
+	0x87,0x56,0x15,0x17,0x5A,0x21,0xB4,0x3A,0x97,0xE3};
+static const EC_CURVE_DATA _EC_SECG_CHAR2_131R2 = {
+	NID_X9_62_characteristic_two_field,
+	"080000000000000000000000000000010D",
+	"03E5A88919D7CAFCBF415F07C2176573B2",
+	"04B8266A46C55657AC734CE38F018F2192",
+	"0356DCD8F2F95031AD652D23951BB366A8",
+	"0648F06D867940A5366D9E265DE9EB240F",
+	"0400000000000000016954A233049BA98F", 2,
+	_EC_SECG_CHAR2_131R2_SEED, 20,
+	"SECG curve over a 131 bit binary field"
+	};
+
+static const EC_CURVE_DATA _EC_NIST_CHAR2_163K = {
+	NID_X9_62_characteristic_two_field,
+	"0800000000000000000000000000000000000000C9",
+	"1",
+	"1",
+	"02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8",
+	"0289070FB05D38FF58321F2E800536D538CCDAA3D9",
+	"04000000000000000000020108A2E0CC0D99F8A5EF", 2,
+	NULL, 0,
+	"NIST/SECG/WTLS curve over a 163 bit binary field"
+	};
+
+static const unsigned char _EC_SECG_CHAR2_163R1_SEED[] = {
+	0x24,0xB7,0xB1,0x37,0xC8,0xA1,0x4D,0x69,0x6E,0x67,
+	0x68,0x75,0x61,0x51,0x75,0x6F,0xD0,0xDA,0x2E,0x5C};
+static const EC_CURVE_DATA _EC_SECG_CHAR2_163R1 = {
+	NID_X9_62_characteristic_two_field,
+	"0800000000000000000000000000000000000000C9",
+	"07B6882CAAEFA84F9554FF8428BD88E246D2782AE2",
+	"0713612DCDDCB40AAB946BDA29CA91F73AF958AFD9",
+	"0369979697AB43897789566789567F787A7876A654",
+	"00435EDB42EFAFB2989D51FEFCE3C80988F41FF883",
+	"03FFFFFFFFFFFFFFFFFFFF48AAB689C29CA710279B", 2,
+/* The algorithm used to derive the curve parameters from
+ * the seed used here is slightly different than the
+ * algorithm described in X9.62 .
+ */
+#if 0
+	_EC_SECG_CHAR2_163R1_SEED, 20,
+#else
+	NULL, 0,
+#endif
+	"SECG curve over a 163 bit binary field"
+	};
+
+static const unsigned char _EC_NIST_CHAR2_163B_SEED[] = {
+	0x85,0xE2,0x5B,0xFE,0x5C,0x86,0x22,0x6C,0xDB,0x12,
+	0x01,0x6F,0x75,0x53,0xF9,0xD0,0xE6,0x93,0xA2,0x68};
+static const EC_CURVE_DATA _EC_NIST_CHAR2_163B ={
+	NID_X9_62_characteristic_two_field,
+	"0800000000000000000000000000000000000000C9",
+	"1",
+	"020A601907B8C953CA1481EB10512F78744A3205FD",
+	"03F0EBA16286A2D57EA0991168D4994637E8343E36",
+	"00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1",
+	"040000000000000000000292FE77E70C12A4234C33", 2,
+/* The seed here was used to created the curve parameters in normal
+ * basis representation (and not the polynomial representation used here) 
+ */
+#if 0
+	_EC_NIST_CHAR2_163B_SEED, 20,
+#else
+	NULL, 0,
+#endif
+	"NIST/SECG curve over a 163 bit binary field"
+	};
+
+static const unsigned char _EC_SECG_CHAR2_193R1_SEED[] = {
+	0x10,0x3F,0xAE,0xC7,0x4D,0x69,0x6E,0x67,0x68,0x75,
+	0x61,0x51,0x75,0x77,0x7F,0xC5,0xB1,0x91,0xEF,0x30};
+static const EC_CURVE_DATA _EC_SECG_CHAR2_193R1 = {
+	NID_X9_62_characteristic_two_field,
+	"02000000000000000000000000000000000000000000008001",
+	"0017858FEB7A98975169E171F77B4087DE098AC8A911DF7B01",
+	"00FDFB49BFE6C3A89FACADAA7A1E5BBC7CC1C2E5D831478814",
+	"01F481BC5F0FF84A74AD6CDF6FDEF4BF6179625372D8C0C5E1",
+	"0025E399F2903712CCF3EA9E3A1AD17FB0B3201B6AF7CE1B05",
+	"01000000000000000000000000C7F34A778F443ACC920EBA49", 2,
+	_EC_SECG_CHAR2_193R1_SEED, 20,
+	"SECG curve over a 193 bit binary field"
+	};
+
+static const unsigned char _EC_SECG_CHAR2_193R2_SEED[] = {
+	0x10,0xB7,0xB4,0xD6,0x96,0xE6,0x76,0x87,0x56,0x15,
+	0x17,0x51,0x37,0xC8,0xA1,0x6F,0xD0,0xDA,0x22,0x11};
+static const EC_CURVE_DATA _EC_SECG_CHAR2_193R2 = {
+	NID_X9_62_characteristic_two_field,
+	"02000000000000000000000000000000000000000000008001",
+	"0163F35A5137C2CE3EA6ED8667190B0BC43ECD69977702709B",
+	"00C9BB9E8927D4D64C377E2AB2856A5B16E3EFB7F61D4316AE",
+	"00D9B67D192E0367C803F39E1A7E82CA14A651350AAE617E8F",
+	"01CE94335607C304AC29E7DEFBD9CA01F596F927224CDECF6C",
+	"010000000000000000000000015AAB561B005413CCD4EE99D5", 2,
+	_EC_SECG_CHAR2_193R2_SEED, 20,
+	"SECG curve over a 193 bit binary field"
+	};
+
+static const EC_CURVE_DATA _EC_NIST_CHAR2_233K = {
+	NID_X9_62_characteristic_two_field,
+	"020000000000000000000000000000000000000004000000000000000001",
+	"0",
+	"1",
+	"017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126",
+	"01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3",
+	"008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF", 4,
+	NULL, 0,
+	"NIST/SECG/WTLS curve over a 233 bit binary field"
+	};
+
+static const unsigned char _EC_NIST_CHAR2_233B_SEED[] = {
+	0x74,0xD5,0x9F,0xF0,0x7F,0x6B,0x41,0x3D,0x0E,0xA1,
+	0x4B,0x34,0x4B,0x20,0xA2,0xDB,0x04,0x9B,0x50,0xC3};
+static const EC_CURVE_DATA _EC_NIST_CHAR2_233B = {
+	NID_X9_62_characteristic_two_field,
+	"020000000000000000000000000000000000000004000000000000000001",
+	"000000000000000000000000000000000000000000000000000000000001",
+	"0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90AD",
+	"00FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B",
+	"01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052",
+	"01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7", 2,
+	_EC_NIST_CHAR2_233B_SEED, 20,
+	"NIST/SECG/WTLS curve over a 233 bit binary field"
+	};
+
+static const EC_CURVE_DATA _EC_SECG_CHAR2_239K1 = {
+	NID_X9_62_characteristic_two_field,
+	"800000000000000000004000000000000000000000000000000000000001",
+	"0",
+	"1",
+	"29A0B6A887A983E9730988A68727A8B2D126C44CC2CC7B2A6555193035DC",
+	"76310804F12E549BDB011C103089E73510ACB275FC312A5DC6B76553F0CA",
+	"2000000000000000000000000000005A79FEC67CB6E91F1C1DA800E478A5", 4,
+	NULL, 0,
+	"SECG curve over a 239 bit binary field"
+	};
+
+static const EC_CURVE_DATA _EC_NIST_CHAR2_283K = {
+	NID_X9_62_characteristic_two_field,
+	"080000000000000000000000000000000000000000000000000000000000000000001"
+	"0A1",
+	"0",
+	"1",
+	"0503213F78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492"
+	"836",
+	"01CCDA380F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2"
+	"259",
+	"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163"
+	"C61", 4,
+	NULL, 20,
+	"NIST/SECG curve over a 283 bit binary field"
+	};
+
+static const unsigned char _EC_NIST_CHAR2_283B_SEED[] = {
+	0x77,0xE2,0xB0,0x73,0x70,0xEB,0x0F,0x83,0x2A,0x6D,
+	0xD5,0xB6,0x2D,0xFC,0x88,0xCD,0x06,0xBB,0x84,0xBE};
+static const EC_CURVE_DATA _EC_NIST_CHAR2_283B = {
+	NID_X9_62_characteristic_two_field,
+	"080000000000000000000000000000000000000000000000000000000000000000001"
+	"0A1",
+	"000000000000000000000000000000000000000000000000000000000000000000000"
+	"001",
+	"027B680AC8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A"
+	"2F5",
+	"05F939258DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12"
+	"053",
+	"03676854FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE811"
+	"2F4",
+	"03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB"
+	"307", 2,
+	_EC_NIST_CHAR2_283B_SEED, 20,
+	"NIST/SECG curve over a 283 bit binary field"
+	};
+
+static const EC_CURVE_DATA _EC_NIST_CHAR2_409K = {
+	NID_X9_62_characteristic_two_field,
+	"020000000000000000000000000000000000000000000000000000000000000000000"
+	"00000000000008000000000000000000001",
+	"0",
+	"1",
+	"0060F05F658F49C1AD3AB1890F7184210EFD0987E307C84C27ACCFB8F9F67CC2C4601"
+	"89EB5AAAA62EE222EB1B35540CFE9023746",
+	"01E369050B7C4E42ACBA1DACBF04299C3460782F918EA427E6325165E9EA10E3DA5F6"
+	"C42E9C55215AA9CA27A5863EC48D8E0286B",
+	"007FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F83B2D4EA20400"
+	"EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF", 4,
+	NULL, 0,
+	"NIST/SECG curve over a 409 bit binary field"
+	};
+
+static const unsigned char _EC_NIST_CHAR2_409B_SEED[] = {
+	0x40,0x99,0xB5,0xA4,0x57,0xF9,0xD6,0x9F,0x79,0x21,
+	0x3D,0x09,0x4C,0x4B,0xCD,0x4D,0x42,0x62,0x21,0x0B};
+static const EC_CURVE_DATA _EC_NIST_CHAR2_409B = {
+	NID_X9_62_characteristic_two_field,
+	"020000000000000000000000000000000000000000000000000000000000000000000"
+	"00000000000008000000000000000000001",
+	"000000000000000000000000000000000000000000000000000000000000000000000"
+	"00000000000000000000000000000000001",
+	"0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422EF1F3DD674761FA99D6AC27C8A9A19"
+	"7B272822F6CD57A55AA4F50AE317B13545F",
+	"015D4860D088DDB3496B0C6064756260441CDE4AF1771D4DB01FFE5B34E59703DC255"
+	"A868A1180515603AEAB60794E54BB7996A7",
+	"0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5A7BD198D0158AA4F5488D08F38514"
+	"F1FDF4B4F40D2181B3681C364BA0273C706",
+	"010000000000000000000000000000000000000000000000000001E2AAD6A612F3330"
+	"7BE5FA47C3C9E052F838164CD37D9A21173", 2,
+	_EC_NIST_CHAR2_409B_SEED, 20,
+	"NIST/SECG curve over a 409 bit binary field"
+	};
+
+static const EC_CURVE_DATA _EC_NIST_CHAR2_571K = {
+	NID_X9_62_characteristic_two_field,
+	"800000000000000000000000000000000000000000000000000000000000000000000"
+	"000000000000000000000000000000000000000000000000000000000000000000000"
+	"00425",
+	"0",
+	"1",
+	"026EB7A859923FBC82189631F8103FE4AC9CA2970012D5D46024804801841CA443709"
+	"58493B205E647DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A0"
+	"1C8972",
+	"0349DC807F4FBF374F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D497"
+	"9C0AC44AEA74FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143E"
+	"F1C7A3",
+	"020000000000000000000000000000000000000000000000000000000000000000000"
+	"000131850E1F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F63"
+	"7C1001", 4,
+	NULL, 0,
+	"NIST/SECG curve over a 571 bit binary field"
+	};
+
+static const unsigned char _EC_NIST_CHAR2_571B_SEED[] = {
+	0x2A,0xA0,0x58,0xF7,0x3A,0x0E,0x33,0xAB,0x48,0x6B,
+	0x0F,0x61,0x04,0x10,0xC5,0x3A,0x7F,0x13,0x23,0x10};
+static const EC_CURVE_DATA _EC_NIST_CHAR2_571B = {
+	NID_X9_62_characteristic_two_field,
+	"800000000000000000000000000000000000000000000000000000000000000000000"
+	"000000000000000000000000000000000000000000000000000000000000000000000"
+	"00425",
+	"000000000000000000000000000000000000000000000000000000000000000000000"
+	"000000000000000000000000000000000000000000000000000000000000000000000"
+	"000001",
+	"02F40E7E2221F295DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFA"
+	"BBD8EFA59332BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F29"
+	"55727A",
+	"0303001D34B856296C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53"
+	"950F4C0D293CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8E"
+	"EC2D19",
+	"037BF27342DA639B6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423"
+	"E43BAB08A576291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B"
+	"8AC15B",
+	"03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+	"FFFE661CE18FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2F"
+	"E84E47", 2,
+	_EC_NIST_CHAR2_571B_SEED, 20,
+	"NIST/SECG curve over a 571 bit binary field"
+	};
+
+static const unsigned char _EC_X9_62_CHAR2_163V1_SEED[] = {
+	0xD2,0xC0,0xFB,0x15,0x76,0x08,0x60,0xDE,0xF1,0xEE,
+	0xF4,0xD6,0x96,0xE6,0x76,0x87,0x56,0x15,0x17,0x54};
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_163V1 = {
+	NID_X9_62_characteristic_two_field,
+	"080000000000000000000000000000000000000107",
+	"072546B5435234A422E0789675F432C89435DE5242",
+	"00C9517D06D5240D3CFF38C74B20B6CD4D6F9DD4D9",
+	"07AF69989546103D79329FCC3D74880F33BBE803CB",
+	"01EC23211B5966ADEA1D3F87F7EA5848AEF0B7CA9F",
+	"0400000000000000000001E60FC8821CC74DAEAFC1", 2,
+	_EC_X9_62_CHAR2_163V1_SEED, 20,
+	"X9.62 curve over a 163 bit binary field"
+	};
+
+static const unsigned char _EC_X9_62_CHAR2_163V2_SEED[] = {
+	0x53,0x81,0x4C,0x05,0x0D,0x44,0xD6,0x96,0xE6,0x76,
+	0x87,0x56,0x15,0x17,0x58,0x0C,0xA4,0xE2,0x9F,0xFD};
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_163V2 = {
+	NID_X9_62_characteristic_two_field,
+ 	"080000000000000000000000000000000000000107",
+	"0108B39E77C4B108BED981ED0E890E117C511CF072",
+	"0667ACEB38AF4E488C407433FFAE4F1C811638DF20",
+	"0024266E4EB5106D0A964D92C4860E2671DB9B6CC5",
+	"079F684DDF6684C5CD258B3890021B2386DFD19FC5",
+	"03FFFFFFFFFFFFFFFFFFFDF64DE1151ADBB78F10A7", 2,
+	_EC_X9_62_CHAR2_163V2_SEED, 20,
+	"X9.62 curve over a 163 bit binary field"
+	};
+
+static const unsigned char _EC_X9_62_CHAR2_163V3_SEED[] = {
+	0x50,0xCB,0xF1,0xD9,0x5C,0xA9,0x4D,0x69,0x6E,0x67,
+	0x68,0x75,0x61,0x51,0x75,0xF1,0x6A,0x36,0xA3,0xB8};
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_163V3 = {
+	NID_X9_62_characteristic_two_field,
+	"080000000000000000000000000000000000000107",
+	"07A526C63D3E25A256A007699F5447E32AE456B50E",
+	"03F7061798EB99E238FD6F1BF95B48FEEB4854252B",
+	"02F9F87B7C574D0BDECF8A22E6524775F98CDEBDCB",
+	"05B935590C155E17EA48EB3FF3718B893DF59A05D0",
+	"03FFFFFFFFFFFFFFFFFFFE1AEE140F110AFF961309", 2,
+	_EC_X9_62_CHAR2_163V3_SEED, 20,
+	"X9.62 curve over a 163 bit binary field"
+	};
+
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_176V1 = {
+	NID_X9_62_characteristic_two_field,
+	"0100000000000000000000000000000000080000000007",
+	"E4E6DB2995065C407D9D39B8D0967B96704BA8E9C90B",
+	"5DDA470ABE6414DE8EC133AE28E9BBD7FCEC0AE0FFF2",
+	"8D16C2866798B600F9F08BB4A8E860F3298CE04A5798",
+	"6FA4539C2DADDDD6BAB5167D61B436E1D92BB16A562C",
+	"00010092537397ECA4F6145799D62B0A19CE06FE26AD", 0xFF6E,
+	NULL, 0,
+	"X9.62 curve over a 176 bit binary field"
+	};
+
+static const unsigned char _EC_X9_62_CHAR2_191V1_SEED[] = {
+	0x4E,0x13,0xCA,0x54,0x27,0x44,0xD6,0x96,0xE6,0x76,
+	0x87,0x56,0x15,0x17,0x55,0x2F,0x27,0x9A,0x8C,0x84};
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_191V1 = {
+	NID_X9_62_characteristic_two_field,
+	"800000000000000000000000000000000000000000000201",
+	"2866537B676752636A68F56554E12640276B649EF7526267",
+	"2E45EF571F00786F67B0081B9495A3D95462F5DE0AA185EC",
+	"36B3DAF8A23206F9C4F299D7B21A9C369137F2C84AE1AA0D",
+	"765BE73433B3F95E332932E70EA245CA2418EA0EF98018FB",
+	"40000000000000000000000004A20E90C39067C893BBB9A5", 2,
+	_EC_X9_62_CHAR2_191V1_SEED, 20,
+	"X9.62 curve over a 191 bit binary field"
+	};
+
+static const unsigned char _EC_X9_62_CHAR2_191V2_SEED[] = {
+	0x08,0x71,0xEF,0x2F,0xEF,0x24,0xD6,0x96,0xE6,0x76,
+	0x87,0x56,0x15,0x17,0x58,0xBE,0xE0,0xD9,0x5C,0x15};
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_191V2 = {
+	NID_X9_62_characteristic_two_field,
+	"800000000000000000000000000000000000000000000201",
+	"401028774D7777C7B7666D1366EA432071274F89FF01E718",
+	"0620048D28BCBD03B6249C99182B7C8CD19700C362C46A01",
+	"3809B2B7CC1B28CC5A87926AAD83FD28789E81E2C9E3BF10",
+	"17434386626D14F3DBF01760D9213A3E1CF37AEC437D668A",
+	"20000000000000000000000050508CB89F652824E06B8173", 4,
+	_EC_X9_62_CHAR2_191V2_SEED, 20,
+	"X9.62 curve over a 191 bit binary field"
+	};
+
+static const unsigned char _EC_X9_62_CHAR2_191V3_SEED[] = {
+	0xE0,0x53,0x51,0x2D,0xC6,0x84,0xD6,0x96,0xE6,0x76,
+	0x87,0x56,0x15,0x17,0x50,0x67,0xAE,0x78,0x6D,0x1F};
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_191V3 = {
+	NID_X9_62_characteristic_two_field,
+	"800000000000000000000000000000000000000000000201",
+	"6C01074756099122221056911C77D77E77A777E7E7E77FCB",
+	"71FE1AF926CF847989EFEF8DB459F66394D90F32AD3F15E8",
+	"375D4CE24FDE434489DE8746E71786015009E66E38A926DD",
+	"545A39176196575D985999366E6AD34CE0A77CD7127B06BE",
+	"155555555555555555555555610C0B196812BFB6288A3EA3", 6,
+	_EC_X9_62_CHAR2_191V3_SEED, 20,
+	"X9.62 curve over a 191 bit binary field"
+	};
+
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_208W1 = {
+	NID_X9_62_characteristic_two_field,
+	"010000000000000000000000000000000800000000000000000007",
+	"0000000000000000000000000000000000000000000000000000",
+	"C8619ED45A62E6212E1160349E2BFA844439FAFC2A3FD1638F9E",
+	"89FDFBE4ABE193DF9559ECF07AC0CE78554E2784EB8C1ED1A57A",
+	"0F55B51A06E78E9AC38A035FF520D8B01781BEB1A6BB08617DE3",
+	"000101BAF95C9723C57B6C21DA2EFF2D5ED588BDD5717E212F9D", 0xFE48,
+	NULL, 0,
+	"X9.62 curve over a 208 bit binary field"
+	};
+
+static const unsigned char _EC_X9_62_CHAR2_239V1_SEED[] = {
+	0xD3,0x4B,0x9A,0x4D,0x69,0x6E,0x67,0x68,0x75,0x61,
+	0x51,0x75,0xCA,0x71,0xB9,0x20,0xBF,0xEF,0xB0,0x5D};
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_239V1 = {
+	NID_X9_62_characteristic_two_field,
+	"800000000000000000000000000000000000000000000000001000000001",
+	"32010857077C5431123A46B808906756F543423E8D27877578125778AC76",
+	"790408F2EEDAF392B012EDEFB3392F30F4327C0CA3F31FC383C422AA8C16",
+	"57927098FA932E7C0A96D3FD5B706EF7E5F5C156E16B7E7C86038552E91D",
+	"61D8EE5077C33FECF6F1A16B268DE469C3C7744EA9A971649FC7A9616305",
+	"2000000000000000000000000000000F4D42FFE1492A4993F1CAD666E447", 4,
+	_EC_X9_62_CHAR2_239V1_SEED, 20,
+	"X9.62 curve over a 239 bit binary field"
+	};
+
+static const unsigned char _EC_X9_62_CHAR2_239V2_SEED[] = {
+	0x2A,0xA6,0x98,0x2F,0xDF,0xA4,0xD6,0x96,0xE6,0x76,
+	0x87,0x56,0x15,0x17,0x5D,0x26,0x67,0x27,0x27,0x7D};
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_239V2 = {
+	NID_X9_62_characteristic_two_field,
+	"800000000000000000000000000000000000000000000000001000000001",
+	"4230017757A767FAE42398569B746325D45313AF0766266479B75654E65F",
+	"5037EA654196CFF0CD82B2C14A2FCF2E3FF8775285B545722F03EACDB74B",
+	"28F9D04E900069C8DC47A08534FE76D2B900B7D7EF31F5709F200C4CA205",
+	"5667334C45AFF3B5A03BAD9DD75E2C71A99362567D5453F7FA6E227EC833",
+	"1555555555555555555555555555553C6F2885259C31E3FCDF154624522D", 6,
+	_EC_X9_62_CHAR2_239V2_SEED, 20,
+	"X9.62 curve over a 239 bit binary field"
+	};
+
+static const unsigned char _EC_X9_62_CHAR2_239V3_SEED[] = {
+	0x9E,0x07,0x6F,0x4D,0x69,0x6E,0x67,0x68,0x75,0x61,
+	0x51,0x75,0xE1,0x1E,0x9F,0xDD,0x77,0xF9,0x20,0x41};
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_239V3 = {
+	NID_X9_62_characteristic_two_field,
+	"800000000000000000000000000000000000000000000000001000000001",
+	"01238774666A67766D6676F778E676B66999176666E687666D8766C66A9F",
+	"6A941977BA9F6A435199ACFC51067ED587F519C5ECB541B8E44111DE1D40",
+	"70F6E9D04D289C4E89913CE3530BFDE903977D42B146D539BF1BDE4E9C92",
+	"2E5A0EAF6E5E1305B9004DCE5C0ED7FE59A35608F33837C816D80B79F461",
+	"0CCCCCCCCCCCCCCCCCCCCCCCCCCCCCAC4912D2D9DF903EF9888B8A0E4CFF", 0xA,
+	_EC_X9_62_CHAR2_239V3_SEED, 20,
+	"X9.62 curve over a 239 bit binary field"
+	};
+
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_272W1 = {
+	NID_X9_62_characteristic_two_field,
+	"010000000000000000000000000000000000000000000000000000010000000000000"
+	"B",
+	"91A091F03B5FBA4AB2CCF49C4EDD220FB028712D42BE752B2C40094DBACDB586FB20",
+	"7167EFC92BB2E3CE7C8AAAFF34E12A9C557003D7C73A6FAF003F99F6CC8482E540F7",
+	"6108BABB2CEEBCF787058A056CBE0CFE622D7723A289E08A07AE13EF0D10D171DD8D",
+	"10C7695716851EEF6BA7F6872E6142FBD241B830FF5EFCACECCAB05E02005DDE9D23",
+	"000100FAF51354E0E39E4892DF6E319C72C8161603FA45AA7B998A167B8F1E629521",
+	0xFF06,
+	NULL, 0,
+	"X9.62 curve over a 272 bit binary field"
+	};
+
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_304W1 = {
+	NID_X9_62_characteristic_two_field,
+	"010000000000000000000000000000000000000000000000000000000000000000000"
+	"000000807",
+	"FD0D693149A118F651E6DCE6802085377E5F882D1B510B44160074C1288078365A039"
+	"6C8E681",
+	"BDDB97E555A50A908E43B01C798EA5DAA6788F1EA2794EFCF57166B8C14039601E558"
+	"27340BE",
+	"197B07845E9BE2D96ADB0F5F3C7F2CFFBD7A3EB8B6FEC35C7FD67F26DDF6285A644F7"
+	"40A2614",
+	"E19FBEB76E0DA171517ECF401B50289BF014103288527A9B416A105E80260B549FDC1"
+	"B92C03B",
+	"000101D556572AABAC800101D556572AABAC8001022D5C91DD173F8FB561DA6899164"
+	"443051D", 0xFE2E,
+	NULL, 0,
+	"X9.62 curve over a 304 bit binary field"
+	};
+
+static const unsigned char _EC_X9_62_CHAR2_359V1_SEED[] = {
+	0x2B,0x35,0x49,0x20,0xB7,0x24,0xD6,0x96,0xE6,0x76,
+	0x87,0x56,0x15,0x17,0x58,0x5B,0xA1,0x33,0x2D,0xC6};
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_359V1 = {
+	NID_X9_62_characteristic_two_field,
+	"800000000000000000000000000000000000000000000000000000000000000000000"
+	"000100000000000000001",
+	"5667676A654B20754F356EA92017D946567C46675556F19556A04616B567D223A5E05"
+	"656FB549016A96656A557",
+	"2472E2D0197C49363F1FE7F5B6DB075D52B6947D135D8CA445805D39BC34562608968"
+	"7742B6329E70680231988",
+	"3C258EF3047767E7EDE0F1FDAA79DAEE3841366A132E163ACED4ED2401DF9C6BDCDE9"
+	"8E8E707C07A2239B1B097",
+	"53D7E08529547048121E9C95F3791DD804963948F34FAE7BF44EA82365DC7868FE57E"
+	"4AE2DE211305A407104BD",
+	"01AF286BCA1AF286BCA1AF286BCA1AF286BCA1AF286BC9FB8F6B85C556892C20A7EB9"
+	"64FE7719E74F490758D3B", 0x4C,
+	_EC_X9_62_CHAR2_359V1_SEED, 20,
+	"X9.62 curve over a 359 bit binary field"
+	};
+
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_368W1 = {
+	NID_X9_62_characteristic_two_field,
+	"010000000000000000000000000000000000000000000000000000000000000000000"
+	"0002000000000000000000007",
+	"E0D2EE25095206F5E2A4F9ED229F1F256E79A0E2B455970D8D0D865BD94778C576D62"
+	"F0AB7519CCD2A1A906AE30D",
+	"FC1217D4320A90452C760A58EDCD30C8DD069B3C34453837A34ED50CB54917E1C2112"
+	"D84D164F444F8F74786046A",
+	"1085E2755381DCCCE3C1557AFA10C2F0C0C2825646C5B34A394CBCFA8BC16B22E7E78"
+	"9E927BE216F02E1FB136A5F",
+	"7B3EB1BDDCBA62D5D8B2059B525797FC73822C59059C623A45FF3843CEE8F87CD1855"
+	"ADAA81E2A0750B80FDA2310",
+	"00010090512DA9AF72B08349D98A5DD4C7B0532ECA51CE03E2D10F3B7AC579BD87E90"
+	"9AE40A6F131E9CFCE5BD967", 0xFF70,
+	NULL, 0,
+	"X9.62 curve over a 368 bit binary field"
+	};
+
+static const EC_CURVE_DATA _EC_X9_62_CHAR2_431R1 = {
+	NID_X9_62_characteristic_two_field,
+	"800000000000000000000000000000000000000000000000000000000000000000000"
+	"000000001000000000000000000000000000001",
+	"1A827EF00DD6FC0E234CAF046C6A5D8A85395B236CC4AD2CF32A0CADBDC9DDF620B0E"
+	"B9906D0957F6C6FEACD615468DF104DE296CD8F",
+	"10D9B4A3D9047D8B154359ABFB1B7F5485B04CEB868237DDC9DEDA982A679A5A919B6"
+	"26D4E50A8DD731B107A9962381FB5D807BF2618",
+	"120FC05D3C67A99DE161D2F4092622FECA701BE4F50F4758714E8A87BBF2A658EF8C2"
+	"1E7C5EFE965361F6C2999C0C247B0DBD70CE6B7",
+	"20D0AF8903A96F8D5FA2C255745D3C451B302C9346D9B7E485E7BCE41F6B591F3E8F6"
+	"ADDCBB0BC4C2F947A7DE1A89B625D6A598B3760",
+	"0340340340340340340340340340340340340340340340340340340323C313FAB5058"
+	"9703B5EC68D3587FEC60D161CC149C1AD4A91", 0x2760,
+	NULL, 0,
+	"X9.62 curve over a 431 bit binary field"
+	};
+
+static const EC_CURVE_DATA _EC_WTLS_1 = {
+	NID_X9_62_characteristic_two_field,
+	"020000000000000000000000000201",
+	"1",
+	"1",
+	"01667979A40BA497E5D5C270780617",
+	"00F44B4AF1ECC2630E08785CEBCC15",
+	"00FFFFFFFFFFFFFFFDBF91AF6DEA73", 2,
+	NULL, 0,
+	"WTLS curve over a 113 bit binary field"
+	};
+
+/* IPSec curves */
+/* NOTE: The of curves over a extension field of non prime degree
+ * is not recommended (Weil-descent).
+ * As the group order is not a prime this curve is not suitable
+ * for ECDSA.
+ */
+static const EC_CURVE_DATA _EC_IPSEC_155_ID3 = {
+	NID_X9_62_characteristic_two_field,
+	"0800000000000000000000004000000000000001",
+	"0",
+	"07338f",
+	"7b",
+	"1c8",
+	"2AAAAAAAAAAAAAAAAAAC7F3C7881BD0868FA86C",3,
+	NULL, 0,
+	"\n\tIPSec/IKE/Oakley curve #3 over a 155 bit binary field.\n"
+	"\tNot suitable for ECDSA.\n\tQuestionable extension field!"
+	};
+
+/* NOTE: The of curves over a extension field of non prime degree
+ * is not recommended (Weil-descent).
+ * As the group order is not a prime this curve is not suitable
+ * for ECDSA.
+ */
+static const EC_CURVE_DATA _EC_IPSEC_185_ID4 = {
+	NID_X9_62_characteristic_two_field,
+	"020000000000000000000000000000200000000000000001",
+	"0",
+	"1ee9",
+	"18",
+	"0d",
+	"FFFFFFFFFFFFFFFFFFFFFFEDF97C44DB9F2420BAFCA75E",2,
+	NULL, 0,
+	"\n\tIPSec/IKE/Oakley curve #4 over a 185 bit binary field.\n"
+	"\tNot suitable for ECDSA.\n\tQuestionable extension field!"
+	};
+
+typedef struct _ec_list_element_st {
+	int	nid;
+	const EC_CURVE_DATA *data;
+	} ec_list_element;
+
+static const ec_list_element curve_list[] = {
+	/* prime field curves */	
+	/* secg curves */
+	{ NID_secp112r1, &_EC_SECG_PRIME_112R1},
+	{ NID_secp112r2, &_EC_SECG_PRIME_112R2},
+	{ NID_secp128r1, &_EC_SECG_PRIME_128R1},
+	{ NID_secp128r2, &_EC_SECG_PRIME_128R2},
+	{ NID_secp160k1, &_EC_SECG_PRIME_160K1},
+	{ NID_secp160r1, &_EC_SECG_PRIME_160R1},
+	{ NID_secp160r2, &_EC_SECG_PRIME_160R2},
+	/* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */
+	{ NID_secp192k1, &_EC_SECG_PRIME_192K1},
+	{ NID_secp224k1, &_EC_SECG_PRIME_224K1},
+	{ NID_secp224r1, &_EC_NIST_PRIME_224},
+	{ NID_secp256k1, &_EC_SECG_PRIME_256K1},
+	/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+	{ NID_secp384r1, &_EC_NIST_PRIME_384},
+	{ NID_secp521r1, &_EC_NIST_PRIME_521},
+	/* X9.62 curves */
+	{ NID_X9_62_prime192v1, &_EC_NIST_PRIME_192},
+	{ NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2},
+	{ NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3},
+	{ NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1},
+	{ NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2},
+	{ NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3},
+	{ NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1},
+	/* characteristic two field curves */
+	/* NIST/SECG curves */
+	{ NID_sect113r1, &_EC_SECG_CHAR2_113R1},
+	{ NID_sect113r2, &_EC_SECG_CHAR2_113R2},
+	{ NID_sect131r1, &_EC_SECG_CHAR2_131R1},
+	{ NID_sect131r2, &_EC_SECG_CHAR2_131R2},
+	{ NID_sect163k1, &_EC_NIST_CHAR2_163K },
+	{ NID_sect163r1, &_EC_SECG_CHAR2_163R1},
+	{ NID_sect163r2, &_EC_NIST_CHAR2_163B },
+	{ NID_sect193r1, &_EC_SECG_CHAR2_193R1},
+	{ NID_sect193r2, &_EC_SECG_CHAR2_193R2},
+	{ NID_sect233k1, &_EC_NIST_CHAR2_233K },
+	{ NID_sect233r1, &_EC_NIST_CHAR2_233B },
+	{ NID_sect239k1, &_EC_SECG_CHAR2_239K1},
+	{ NID_sect283k1, &_EC_NIST_CHAR2_283K },
+	{ NID_sect283r1, &_EC_NIST_CHAR2_283B },
+	{ NID_sect409k1, &_EC_NIST_CHAR2_409K },
+	{ NID_sect409r1, &_EC_NIST_CHAR2_409B },
+	{ NID_sect571k1, &_EC_NIST_CHAR2_571K },
+	{ NID_sect571r1, &_EC_NIST_CHAR2_571B },
+	/* X9.62 curves */
+	{ NID_X9_62_c2pnb163v1, &_EC_X9_62_CHAR2_163V1},
+	{ NID_X9_62_c2pnb163v2, &_EC_X9_62_CHAR2_163V2},
+	{ NID_X9_62_c2pnb163v3, &_EC_X9_62_CHAR2_163V3},
+	{ NID_X9_62_c2pnb176v1, &_EC_X9_62_CHAR2_176V1},
+	{ NID_X9_62_c2tnb191v1, &_EC_X9_62_CHAR2_191V1},
+	{ NID_X9_62_c2tnb191v2, &_EC_X9_62_CHAR2_191V2},
+	{ NID_X9_62_c2tnb191v3, &_EC_X9_62_CHAR2_191V3},
+	{ NID_X9_62_c2pnb208w1, &_EC_X9_62_CHAR2_208W1},
+	{ NID_X9_62_c2tnb239v1, &_EC_X9_62_CHAR2_239V1},
+	{ NID_X9_62_c2tnb239v2, &_EC_X9_62_CHAR2_239V2},
+	{ NID_X9_62_c2tnb239v3, &_EC_X9_62_CHAR2_239V3},
+	{ NID_X9_62_c2pnb272w1, &_EC_X9_62_CHAR2_272W1},
+	{ NID_X9_62_c2pnb304w1, &_EC_X9_62_CHAR2_304W1},
+	{ NID_X9_62_c2tnb359v1, &_EC_X9_62_CHAR2_359V1},
+	{ NID_X9_62_c2pnb368w1, &_EC_X9_62_CHAR2_368W1},
+	{ NID_X9_62_c2tnb431r1, &_EC_X9_62_CHAR2_431R1},
+	/* the WAP/WTLS curves
+	 * [unlike SECG, spec has its own OIDs for curves from X9.62] */
+	{ NID_wap_wsg_idm_ecid_wtls1, &_EC_WTLS_1},
+	{ NID_wap_wsg_idm_ecid_wtls3, &_EC_NIST_CHAR2_163K},
+	{ NID_wap_wsg_idm_ecid_wtls4, &_EC_SECG_CHAR2_113R1},
+	{ NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1},
+	{ NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1},
+	{ NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2},
+	{ NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8},
+	{ NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9 },
+	{ NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K},
+	{ NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B},
+	{ NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12},
+	/* IPSec curves */
+	{ NID_ipsec3, &_EC_IPSEC_155_ID3},
+	{ NID_ipsec4, &_EC_IPSEC_185_ID4},
+};
+
+static size_t curve_list_length = sizeof(curve_list)/sizeof(ec_list_element);
+
+static EC_GROUP *ec_group_new_from_data(const EC_CURVE_DATA *data)
+	{
+	EC_GROUP *group=NULL;
+	EC_POINT *P=NULL;
+	BN_CTX	 *ctx=NULL;
+	BIGNUM 	 *p=NULL, *a=NULL, *b=NULL, *x=NULL, *y=NULL, *order=NULL;
+	int	 ok=0;
+
+	if ((ctx = BN_CTX_new()) == NULL)
+		{
+		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	if ((p = BN_new()) == NULL || (a = BN_new()) == NULL || 
+		(b = BN_new()) == NULL || (x = BN_new()) == NULL ||
+		(y = BN_new()) == NULL || (order = BN_new()) == NULL)
+		{
+		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	
+	if (!BN_hex2bn(&p, data->p) || !BN_hex2bn(&a, data->a)
+		|| !BN_hex2bn(&b, data->b))
+		{
+		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
+		goto err;
+		}
+
+	if (data->field_type == NID_X9_62_prime_field)
+		{
+		if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL)
+			{
+			ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+			goto err;
+			}
+		}
+		else
+		{ /* field_type == NID_X9_62_characteristic_two_field */
+		if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL)
+			{
+			ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+			goto err;
+			}
+		}
+
+	if ((P = EC_POINT_new(group)) == NULL)
+		{
+		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+		goto err;
+		}
+	
+	if (!BN_hex2bn(&x, data->x) || !BN_hex2bn(&y, data->y))
+		{
+		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
+		goto err;
+		}
+	if (!EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx))
+		{
+		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+		goto err;
+		}
+	if (!BN_hex2bn(&order, data->order) || !BN_set_word(x, data->cofactor))
+		{
+		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
+		goto err;
+		}
+	if (!EC_GROUP_set_generator(group, P, order, x))
+		{
+		ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+		goto err;
+		}
+	if (data->seed)
+		{
+		if (!EC_GROUP_set_seed(group, data->seed, data->seed_len))
+			{
+			ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+			goto err;
+			}
+		}
+	ok=1;
+err:
+	if (!ok)
+		{
+		EC_GROUP_free(group);
+		group = NULL;
+		}
+	if (P)
+		EC_POINT_free(P);
+	if (ctx)
+		BN_CTX_free(ctx);
+	if (p)
+		BN_free(p);
+	if (a)
+		BN_free(a);
+	if (b)
+		BN_free(b);
+	if (order)
+		BN_free(order);
+	if (x)
+		BN_free(x);
+	if (y)
+		BN_free(y);
+	return group;
+	}
+
+EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
+	{
+	size_t i;
+	EC_GROUP *ret = NULL;
+
+	if (nid <= 0)
+		return NULL;
+
+	for (i=0; i<curve_list_length; i++)
+		if (curve_list[i].nid == nid)
+			{
+			ret = ec_group_new_from_data(curve_list[i].data);
+			break;
+			}
+
+	if (ret == NULL)
+		{
+		ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
+		return NULL;
+		}
+
+	EC_GROUP_set_curve_name(ret, nid);
+
+	return ret;
+	}
+
+size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
+	{
+	size_t	i, min;
+
+	if (r == NULL || nitems == 0)
+		return curve_list_length;
+
+	min = nitems < curve_list_length ? nitems : curve_list_length;
+
+	for (i = 0; i < min; i++)
+		{
+		r[i].nid = curve_list[i].nid;
+		r[i].comment = curve_list[i].data->comment;
+		}
+
+	return curve_list_length;
+	}
diff --git a/crypto/openssl/crypto/ec/ec_cvt.c b/crypto/openssl/crypto/ec/ec_cvt.c
index 45b0ec33a0ba..d45640bab902 100644
--- a/crypto/openssl/crypto/ec/ec_cvt.c
+++ b/crypto/openssl/crypto/ec/ec_cvt.c
@@ -1,6 +1,9 @@
 /* crypto/ec/ec_cvt.c */
+/*
+ * Originally written by Bodo Moeller for the OpenSSL project.
+ */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -52,7 +55,21 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * The elliptic curve binary polynomial software is originally written by
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
 
+#include <openssl/err.h>
 #include "ec_lcl.h"
 
 
@@ -60,11 +77,8 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM
 	{
 	const EC_METHOD *meth;
 	EC_GROUP *ret;
-	
-	/* Finally, this will use EC_GFp_nist_method if 'p' is a special
-	 * prime with optimized modular arithmetics (for NIST curves)
-	 */
-	meth = EC_GFp_mont_method();
+
+	meth = EC_GFp_nist_method();
 	
 	ret = EC_GROUP_new(meth);
 	if (ret == NULL)
@@ -72,6 +86,56 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM
 
 	if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx))
 		{
+		unsigned long err;
+		  
+		err = ERR_peek_last_error();
+
+		if (!(ERR_GET_LIB(err) == ERR_LIB_EC &&
+			((ERR_GET_REASON(err) == EC_R_NOT_A_NIST_PRIME) ||
+			 (ERR_GET_REASON(err) == EC_R_NOT_A_SUPPORTED_NIST_PRIME))))
+			{
+			/* real error */
+			
+			EC_GROUP_clear_free(ret);
+			return NULL;
+			}
+			
+		
+		/* not an actual error, we just cannot use EC_GFp_nist_method */
+
+		ERR_clear_error();
+
+		EC_GROUP_clear_free(ret);
+		meth = EC_GFp_mont_method();
+
+		ret = EC_GROUP_new(meth);
+		if (ret == NULL)
+			return NULL;
+
+		if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx))
+			{
+			EC_GROUP_clear_free(ret);
+			return NULL;
+			}
+		}
+
+	return ret;
+	}
+
+
+EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+	{
+	const EC_METHOD *meth;
+	EC_GROUP *ret;
+	
+	meth = EC_GF2m_simple_method();
+	
+	ret = EC_GROUP_new(meth);
+	if (ret == NULL)
+		return NULL;
+
+	if (!EC_GROUP_set_curve_GF2m(ret, p, a, b, ctx))
+		{
 		EC_GROUP_clear_free(ret);
 		return NULL;
 		}
diff --git a/crypto/openssl/crypto/ec/ec_err.c b/crypto/openssl/crypto/ec/ec_err.c
index d37b6aba87fd..38302b9b549d 100644
--- a/crypto/openssl/crypto/ec/ec_err.c
+++ b/crypto/openssl/crypto/ec/ec_err.c
@@ -1,6 +1,6 @@
 /* crypto/ec/ec_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,70 +64,159 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_EC,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_EC,0,reason)
+
 static ERR_STRING_DATA EC_str_functs[]=
 	{
-{ERR_PACK(0,EC_F_COMPUTE_WNAF,0),	"COMPUTE_WNAF"},
-{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_DECODE,0),	"ec_GFp_mont_field_decode"},
-{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_ENCODE,0),	"ec_GFp_mont_field_encode"},
-{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_MUL,0),	"ec_GFp_mont_field_mul"},
-{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_SQR,0),	"ec_GFp_mont_field_sqr"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP,0),	"ec_GFp_simple_group_set_curve_GFp"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR,0),	"ec_GFp_simple_group_set_generator"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_MAKE_AFFINE,0),	"ec_GFp_simple_make_affine"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_OCT2POINT,0),	"ec_GFp_simple_oct2point"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT2OCT,0),	"ec_GFp_simple_point2oct"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE,0),	"ec_GFp_simple_points_make_affine"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP,0),	"ec_GFp_simple_point_get_affine_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP,0),	"ec_GFp_simple_point_set_affine_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP,0),	"ec_GFp_simple_set_compressed_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_GROUP_COPY,0),	"EC_GROUP_copy"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET0_GENERATOR,0),	"EC_GROUP_get0_generator"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET_COFACTOR,0),	"EC_GROUP_get_cofactor"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET_CURVE_GFP,0),	"EC_GROUP_get_curve_GFp"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET_ORDER,0),	"EC_GROUP_get_order"},
-{ERR_PACK(0,EC_F_EC_GROUP_NEW,0),	"EC_GROUP_new"},
-{ERR_PACK(0,EC_F_EC_GROUP_PRECOMPUTE_MULT,0),	"EC_GROUP_precompute_mult"},
-{ERR_PACK(0,EC_F_EC_GROUP_SET_CURVE_GFP,0),	"EC_GROUP_set_curve_GFp"},
-{ERR_PACK(0,EC_F_EC_GROUP_SET_EXTRA_DATA,0),	"EC_GROUP_set_extra_data"},
-{ERR_PACK(0,EC_F_EC_GROUP_SET_GENERATOR,0),	"EC_GROUP_set_generator"},
-{ERR_PACK(0,EC_F_EC_POINTS_MAKE_AFFINE,0),	"EC_POINTs_make_affine"},
-{ERR_PACK(0,EC_F_EC_POINTS_MUL,0),	"EC_POINTs_mul"},
-{ERR_PACK(0,EC_F_EC_POINT_ADD,0),	"EC_POINT_add"},
-{ERR_PACK(0,EC_F_EC_POINT_CMP,0),	"EC_POINT_cmp"},
-{ERR_PACK(0,EC_F_EC_POINT_COPY,0),	"EC_POINT_copy"},
-{ERR_PACK(0,EC_F_EC_POINT_DBL,0),	"EC_POINT_dbl"},
-{ERR_PACK(0,EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP,0),	"EC_POINT_get_affine_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP,0),	"EC_POINT_get_Jprojective_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_IS_AT_INFINITY,0),	"EC_POINT_is_at_infinity"},
-{ERR_PACK(0,EC_F_EC_POINT_IS_ON_CURVE,0),	"EC_POINT_is_on_curve"},
-{ERR_PACK(0,EC_F_EC_POINT_MAKE_AFFINE,0),	"EC_POINT_make_affine"},
-{ERR_PACK(0,EC_F_EC_POINT_NEW,0),	"EC_POINT_new"},
-{ERR_PACK(0,EC_F_EC_POINT_OCT2POINT,0),	"EC_POINT_oct2point"},
-{ERR_PACK(0,EC_F_EC_POINT_POINT2OCT,0),	"EC_POINT_point2oct"},
-{ERR_PACK(0,EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP,0),	"EC_POINT_set_affine_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP,0),	"EC_POINT_set_compressed_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP,0),	"EC_POINT_set_Jprojective_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_SET_TO_INFINITY,0),	"EC_POINT_set_to_infinity"},
-{ERR_PACK(0,EC_F_GFP_MONT_GROUP_SET_CURVE_GFP,0),	"GFP_MONT_GROUP_SET_CURVE_GFP"},
+{ERR_FUNC(EC_F_COMPUTE_WNAF),	"COMPUTE_WNAF"},
+{ERR_FUNC(EC_F_D2I_ECPARAMETERS),	"d2i_ECParameters"},
+{ERR_FUNC(EC_F_D2I_ECPKPARAMETERS),	"d2i_ECPKParameters"},
+{ERR_FUNC(EC_F_D2I_ECPRIVATEKEY),	"d2i_ECPrivateKey"},
+{ERR_FUNC(EC_F_ECPARAMETERS_PRINT),	"ECParameters_print"},
+{ERR_FUNC(EC_F_ECPARAMETERS_PRINT_FP),	"ECParameters_print_fp"},
+{ERR_FUNC(EC_F_ECPKPARAMETERS_PRINT),	"ECPKParameters_print"},
+{ERR_FUNC(EC_F_ECPKPARAMETERS_PRINT_FP),	"ECPKParameters_print_fp"},
+{ERR_FUNC(EC_F_ECP_NIST_MOD_192),	"ECP_NIST_MOD_192"},
+{ERR_FUNC(EC_F_ECP_NIST_MOD_224),	"ECP_NIST_MOD_224"},
+{ERR_FUNC(EC_F_ECP_NIST_MOD_256),	"ECP_NIST_MOD_256"},
+{ERR_FUNC(EC_F_ECP_NIST_MOD_521),	"ECP_NIST_MOD_521"},
+{ERR_FUNC(EC_F_EC_ASN1_GROUP2CURVE),	"EC_ASN1_GROUP2CURVE"},
+{ERR_FUNC(EC_F_EC_ASN1_GROUP2FIELDID),	"EC_ASN1_GROUP2FIELDID"},
+{ERR_FUNC(EC_F_EC_ASN1_GROUP2PARAMETERS),	"EC_ASN1_GROUP2PARAMETERS"},
+{ERR_FUNC(EC_F_EC_ASN1_GROUP2PKPARAMETERS),	"EC_ASN1_GROUP2PKPARAMETERS"},
+{ERR_FUNC(EC_F_EC_ASN1_PARAMETERS2GROUP),	"EC_ASN1_PARAMETERS2GROUP"},
+{ERR_FUNC(EC_F_EC_ASN1_PKPARAMETERS2GROUP),	"EC_ASN1_PKPARAMETERS2GROUP"},
+{ERR_FUNC(EC_F_EC_EX_DATA_SET_DATA),	"EC_EX_DATA_set_data"},
+{ERR_FUNC(EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY),	"EC_GF2M_MONTGOMERY_POINT_MULTIPLY"},
+{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT),	"ec_GF2m_simple_group_check_discriminant"},
+{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE),	"ec_GF2m_simple_group_set_curve"},
+{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_OCT2POINT),	"ec_GF2m_simple_oct2point"},
+{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_POINT2OCT),	"ec_GF2m_simple_point2oct"},
+{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_POINT_GET_AFFINE_COORDINATES),	"ec_GF2m_simple_point_get_affine_coordinates"},
+{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_POINT_SET_AFFINE_COORDINATES),	"ec_GF2m_simple_point_set_affine_coordinates"},
+{ERR_FUNC(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES),	"ec_GF2m_simple_set_compressed_coordinates"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_DECODE),	"ec_GFp_mont_field_decode"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_ENCODE),	"ec_GFp_mont_field_encode"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_MUL),	"ec_GFp_mont_field_mul"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE),	"ec_GFp_mont_field_set_to_one"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SQR),	"ec_GFp_mont_field_sqr"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_GROUP_SET_CURVE),	"ec_GFp_mont_group_set_curve"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_GROUP_SET_CURVE_GFP),	"EC_GFP_MONT_GROUP_SET_CURVE_GFP"},
+{ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_MUL),	"ec_GFp_nist_field_mul"},
+{ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_SQR),	"ec_GFp_nist_field_sqr"},
+{ERR_FUNC(EC_F_EC_GFP_NIST_GROUP_SET_CURVE),	"ec_GFp_nist_group_set_curve"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT),	"ec_GFp_simple_group_check_discriminant"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE),	"ec_GFp_simple_group_set_curve"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP),	"EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR),	"EC_GFP_SIMPLE_GROUP_SET_GENERATOR"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE),	"ec_GFp_simple_make_affine"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_OCT2POINT),	"ec_GFp_simple_oct2point"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT2OCT),	"ec_GFp_simple_point2oct"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE),	"ec_GFp_simple_points_make_affine"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES),	"ec_GFp_simple_point_get_affine_coordinates"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP),	"EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES),	"ec_GFp_simple_point_set_affine_coordinates"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP),	"EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES),	"ec_GFp_simple_set_compressed_coordinates"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP),	"EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP"},
+{ERR_FUNC(EC_F_EC_GROUP_CHECK),	"EC_GROUP_check"},
+{ERR_FUNC(EC_F_EC_GROUP_CHECK_DISCRIMINANT),	"EC_GROUP_check_discriminant"},
+{ERR_FUNC(EC_F_EC_GROUP_COPY),	"EC_GROUP_copy"},
+{ERR_FUNC(EC_F_EC_GROUP_GET0_GENERATOR),	"EC_GROUP_get0_generator"},
+{ERR_FUNC(EC_F_EC_GROUP_GET_COFACTOR),	"EC_GROUP_get_cofactor"},
+{ERR_FUNC(EC_F_EC_GROUP_GET_CURVE_GF2M),	"EC_GROUP_get_curve_GF2m"},
+{ERR_FUNC(EC_F_EC_GROUP_GET_CURVE_GFP),	"EC_GROUP_get_curve_GFp"},
+{ERR_FUNC(EC_F_EC_GROUP_GET_DEGREE),	"EC_GROUP_get_degree"},
+{ERR_FUNC(EC_F_EC_GROUP_GET_ORDER),	"EC_GROUP_get_order"},
+{ERR_FUNC(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS),	"EC_GROUP_get_pentanomial_basis"},
+{ERR_FUNC(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS),	"EC_GROUP_get_trinomial_basis"},
+{ERR_FUNC(EC_F_EC_GROUP_NEW),	"EC_GROUP_new"},
+{ERR_FUNC(EC_F_EC_GROUP_NEW_BY_CURVE_NAME),	"EC_GROUP_new_by_curve_name"},
+{ERR_FUNC(EC_F_EC_GROUP_NEW_FROM_DATA),	"EC_GROUP_NEW_FROM_DATA"},
+{ERR_FUNC(EC_F_EC_GROUP_PRECOMPUTE_MULT),	"EC_GROUP_precompute_mult"},
+{ERR_FUNC(EC_F_EC_GROUP_SET_CURVE_GF2M),	"EC_GROUP_set_curve_GF2m"},
+{ERR_FUNC(EC_F_EC_GROUP_SET_CURVE_GFP),	"EC_GROUP_set_curve_GFp"},
+{ERR_FUNC(EC_F_EC_GROUP_SET_EXTRA_DATA),	"EC_GROUP_SET_EXTRA_DATA"},
+{ERR_FUNC(EC_F_EC_GROUP_SET_GENERATOR),	"EC_GROUP_set_generator"},
+{ERR_FUNC(EC_F_EC_KEY_CHECK_KEY),	"EC_KEY_check_key"},
+{ERR_FUNC(EC_F_EC_KEY_COPY),	"EC_KEY_copy"},
+{ERR_FUNC(EC_F_EC_KEY_GENERATE_KEY),	"EC_KEY_generate_key"},
+{ERR_FUNC(EC_F_EC_KEY_NEW),	"EC_KEY_new"},
+{ERR_FUNC(EC_F_EC_KEY_PRINT),	"EC_KEY_print"},
+{ERR_FUNC(EC_F_EC_KEY_PRINT_FP),	"EC_KEY_print_fp"},
+{ERR_FUNC(EC_F_EC_POINTS_MAKE_AFFINE),	"EC_POINTs_make_affine"},
+{ERR_FUNC(EC_F_EC_POINTS_MUL),	"EC_POINTs_mul"},
+{ERR_FUNC(EC_F_EC_POINT_ADD),	"EC_POINT_add"},
+{ERR_FUNC(EC_F_EC_POINT_CMP),	"EC_POINT_cmp"},
+{ERR_FUNC(EC_F_EC_POINT_COPY),	"EC_POINT_copy"},
+{ERR_FUNC(EC_F_EC_POINT_DBL),	"EC_POINT_dbl"},
+{ERR_FUNC(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M),	"EC_POINT_get_affine_coordinates_GF2m"},
+{ERR_FUNC(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP),	"EC_POINT_get_affine_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP),	"EC_POINT_get_Jprojective_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_INVERT),	"EC_POINT_invert"},
+{ERR_FUNC(EC_F_EC_POINT_IS_AT_INFINITY),	"EC_POINT_is_at_infinity"},
+{ERR_FUNC(EC_F_EC_POINT_IS_ON_CURVE),	"EC_POINT_is_on_curve"},
+{ERR_FUNC(EC_F_EC_POINT_MAKE_AFFINE),	"EC_POINT_make_affine"},
+{ERR_FUNC(EC_F_EC_POINT_MUL),	"EC_POINT_mul"},
+{ERR_FUNC(EC_F_EC_POINT_NEW),	"EC_POINT_new"},
+{ERR_FUNC(EC_F_EC_POINT_OCT2POINT),	"EC_POINT_oct2point"},
+{ERR_FUNC(EC_F_EC_POINT_POINT2OCT),	"EC_POINT_point2oct"},
+{ERR_FUNC(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M),	"EC_POINT_set_affine_coordinates_GF2m"},
+{ERR_FUNC(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP),	"EC_POINT_set_affine_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M),	"EC_POINT_set_compressed_coordinates_GF2m"},
+{ERR_FUNC(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP),	"EC_POINT_set_compressed_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP),	"EC_POINT_set_Jprojective_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_SET_TO_INFINITY),	"EC_POINT_set_to_infinity"},
+{ERR_FUNC(EC_F_EC_PRE_COMP_DUP),	"EC_PRE_COMP_DUP"},
+{ERR_FUNC(EC_F_EC_WNAF_MUL),	"ec_wNAF_mul"},
+{ERR_FUNC(EC_F_EC_WNAF_PRECOMPUTE_MULT),	"ec_wNAF_precompute_mult"},
+{ERR_FUNC(EC_F_I2D_ECPARAMETERS),	"i2d_ECParameters"},
+{ERR_FUNC(EC_F_I2D_ECPKPARAMETERS),	"i2d_ECPKParameters"},
+{ERR_FUNC(EC_F_I2D_ECPRIVATEKEY),	"i2d_ECPrivateKey"},
+{ERR_FUNC(EC_F_I2O_ECPUBLICKEY),	"i2o_ECPublicKey"},
+{ERR_FUNC(EC_F_O2I_ECPUBLICKEY),	"o2i_ECPublicKey"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA EC_str_reasons[]=
 	{
-{EC_R_BUFFER_TOO_SMALL                   ,"buffer too small"},
-{EC_R_INCOMPATIBLE_OBJECTS               ,"incompatible objects"},
-{EC_R_INVALID_ARGUMENT                   ,"invalid argument"},
-{EC_R_INVALID_COMPRESSED_POINT           ,"invalid compressed point"},
-{EC_R_INVALID_COMPRESSION_BIT            ,"invalid compression bit"},
-{EC_R_INVALID_ENCODING                   ,"invalid encoding"},
-{EC_R_INVALID_FIELD                      ,"invalid field"},
-{EC_R_INVALID_FORM                       ,"invalid form"},
-{EC_R_NOT_INITIALIZED                    ,"not initialized"},
-{EC_R_POINT_AT_INFINITY                  ,"point at infinity"},
-{EC_R_POINT_IS_NOT_ON_CURVE              ,"point is not on curve"},
-{EC_R_SLOT_FULL                          ,"slot full"},
-{EC_R_UNDEFINED_GENERATOR                ,"undefined generator"},
-{EC_R_UNKNOWN_ORDER                      ,"unknown order"},
+{ERR_REASON(EC_R_ASN1_ERROR)             ,"asn1 error"},
+{ERR_REASON(EC_R_ASN1_UNKNOWN_FIELD)     ,"asn1 unknown field"},
+{ERR_REASON(EC_R_BUFFER_TOO_SMALL)       ,"buffer too small"},
+{ERR_REASON(EC_R_D2I_ECPKPARAMETERS_FAILURE),"d2i ecpkparameters failure"},
+{ERR_REASON(EC_R_DISCRIMINANT_IS_ZERO)   ,"discriminant is zero"},
+{ERR_REASON(EC_R_EC_GROUP_NEW_BY_NAME_FAILURE),"ec group new by name failure"},
+{ERR_REASON(EC_R_GROUP2PKPARAMETERS_FAILURE),"group2pkparameters failure"},
+{ERR_REASON(EC_R_I2D_ECPKPARAMETERS_FAILURE),"i2d ecpkparameters failure"},
+{ERR_REASON(EC_R_INCOMPATIBLE_OBJECTS)   ,"incompatible objects"},
+{ERR_REASON(EC_R_INVALID_ARGUMENT)       ,"invalid argument"},
+{ERR_REASON(EC_R_INVALID_COMPRESSED_POINT),"invalid compressed point"},
+{ERR_REASON(EC_R_INVALID_COMPRESSION_BIT),"invalid compression bit"},
+{ERR_REASON(EC_R_INVALID_ENCODING)       ,"invalid encoding"},
+{ERR_REASON(EC_R_INVALID_FIELD)          ,"invalid field"},
+{ERR_REASON(EC_R_INVALID_FORM)           ,"invalid form"},
+{ERR_REASON(EC_R_INVALID_GROUP_ORDER)    ,"invalid group order"},
+{ERR_REASON(EC_R_INVALID_PRIVATE_KEY)    ,"invalid private key"},
+{ERR_REASON(EC_R_MISSING_PARAMETERS)     ,"missing parameters"},
+{ERR_REASON(EC_R_MISSING_PRIVATE_KEY)    ,"missing private key"},
+{ERR_REASON(EC_R_NOT_A_NIST_PRIME)       ,"not a NIST prime"},
+{ERR_REASON(EC_R_NOT_A_SUPPORTED_NIST_PRIME),"not a supported NIST prime"},
+{ERR_REASON(EC_R_NOT_IMPLEMENTED)        ,"not implemented"},
+{ERR_REASON(EC_R_NOT_INITIALIZED)        ,"not initialized"},
+{ERR_REASON(EC_R_NO_FIELD_MOD)           ,"no field mod"},
+{ERR_REASON(EC_R_PASSED_NULL_PARAMETER)  ,"passed null parameter"},
+{ERR_REASON(EC_R_PKPARAMETERS2GROUP_FAILURE),"pkparameters2group failure"},
+{ERR_REASON(EC_R_POINT_AT_INFINITY)      ,"point at infinity"},
+{ERR_REASON(EC_R_POINT_IS_NOT_ON_CURVE)  ,"point is not on curve"},
+{ERR_REASON(EC_R_SLOT_FULL)              ,"slot full"},
+{ERR_REASON(EC_R_UNDEFINED_GENERATOR)    ,"undefined generator"},
+{ERR_REASON(EC_R_UNDEFINED_ORDER)        ,"undefined order"},
+{ERR_REASON(EC_R_UNKNOWN_GROUP)          ,"unknown group"},
+{ERR_REASON(EC_R_UNKNOWN_ORDER)          ,"unknown order"},
+{ERR_REASON(EC_R_UNSUPPORTED_FIELD)      ,"unsupported field"},
+{ERR_REASON(EC_R_WRONG_ORDER)            ,"wrong order"},
 {0,NULL}
 	};
 
@@ -141,8 +230,8 @@ void ERR_load_EC_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_EC,EC_str_functs);
-		ERR_load_strings(ERR_LIB_EC,EC_str_reasons);
+		ERR_load_strings(0,EC_str_functs);
+		ERR_load_strings(0,EC_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/ec/ec_key.c b/crypto/openssl/crypto/ec/ec_key.c
new file mode 100644
index 000000000000..3d6c900b95a7
--- /dev/null
+++ b/crypto/openssl/crypto/ec/ec_key.c
@@ -0,0 +1,465 @@
+/* crypto/ec/ec_key.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * Portions originally developed by SUN MICROSYSTEMS, INC., and 
+ * contributed to the OpenSSL project.
+ */
+
+#include <string.h>
+#include "ec_lcl.h"
+#include <openssl/err.h>
+#include <string.h>
+
+EC_KEY *EC_KEY_new(void)
+	{
+	EC_KEY *ret;
+
+	ret=(EC_KEY *)OPENSSL_malloc(sizeof(EC_KEY));
+	if (ret == NULL)
+		{
+		ECerr(EC_F_EC_KEY_NEW, ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+
+	ret->version = 1;	
+	ret->group   = NULL;
+	ret->pub_key = NULL;
+	ret->priv_key= NULL;
+	ret->enc_flag= 0; 
+	ret->conv_form = POINT_CONVERSION_UNCOMPRESSED;
+	ret->references= 1;
+	ret->method_data = NULL;
+	return(ret);
+	}
+
+EC_KEY *EC_KEY_new_by_curve_name(int nid)
+	{
+	EC_KEY *ret = EC_KEY_new();
+	if (ret == NULL)
+		return NULL;
+	ret->group = EC_GROUP_new_by_curve_name(nid);
+	if (ret->group == NULL)
+		{
+		EC_KEY_free(ret);
+		return NULL;
+		}
+	return ret;
+	}
+
+void EC_KEY_free(EC_KEY *r)
+	{
+	int i;
+
+	if (r == NULL) return;
+
+	i=CRYPTO_add(&r->references,-1,CRYPTO_LOCK_EC);
+#ifdef REF_PRINT
+	REF_PRINT("EC_KEY",r);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"EC_KEY_free, bad reference count\n");
+		abort();
+		}
+#endif
+
+	if (r->group    != NULL) 
+		EC_GROUP_free(r->group);
+	if (r->pub_key  != NULL)
+		EC_POINT_free(r->pub_key);
+	if (r->priv_key != NULL)
+		BN_clear_free(r->priv_key);
+
+	EC_EX_DATA_free_all_data(&r->method_data);
+
+	OPENSSL_cleanse((void *)r, sizeof(EC_KEY));
+
+	OPENSSL_free(r);
+	}
+
+EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
+	{
+	EC_EXTRA_DATA *d;
+
+	if (dest == NULL || src == NULL)
+		{
+		ECerr(EC_F_EC_KEY_COPY, ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	/* copy the parameters */
+	if (src->group)
+		{
+		const EC_METHOD *meth = EC_GROUP_method_of(src->group);
+		/* clear the old group */
+		if (dest->group)
+			EC_GROUP_free(dest->group);
+		dest->group = EC_GROUP_new(meth);
+		if (dest->group == NULL)
+			return NULL;
+		if (!EC_GROUP_copy(dest->group, src->group))
+			return NULL;
+		}
+	/*  copy the public key */
+	if (src->pub_key && src->group)
+		{
+		if (dest->pub_key)
+			EC_POINT_free(dest->pub_key);
+		dest->pub_key = EC_POINT_new(src->group);
+		if (dest->pub_key == NULL)
+			return NULL;
+		if (!EC_POINT_copy(dest->pub_key, src->pub_key))
+			return NULL;
+		}
+	/* copy the private key */
+	if (src->priv_key)
+		{
+		if (dest->priv_key == NULL)
+			{
+			dest->priv_key = BN_new();
+			if (dest->priv_key == NULL)
+				return NULL;
+			}
+		if (!BN_copy(dest->priv_key, src->priv_key))
+			return NULL;
+		}
+	/* copy method/extra data */
+	EC_EX_DATA_free_all_data(&dest->method_data);
+
+	for (d = src->method_data; d != NULL; d = d->next)
+		{
+		void *t = d->dup_func(d->data);
+		
+		if (t == NULL)
+			return 0;
+		if (!EC_EX_DATA_set_data(&dest->method_data, t, d->dup_func, d->free_func, d->clear_free_func))
+			return 0;
+		}
+
+	/* copy the rest */
+	dest->enc_flag  = src->enc_flag;
+	dest->conv_form = src->conv_form;
+	dest->version   = src->version;
+
+	return dest;
+	}
+
+EC_KEY *EC_KEY_dup(const EC_KEY *ec_key)
+	{
+	EC_KEY *ret = EC_KEY_new();
+	if (ret == NULL)
+		return NULL;
+	if (EC_KEY_copy(ret, ec_key) == NULL)
+		{
+		EC_KEY_free(ret);
+		return NULL;
+		}
+	return ret;
+	}
+
+int EC_KEY_up_ref(EC_KEY *r)
+	{
+	int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_EC);
+#ifdef REF_PRINT
+	REF_PRINT("EC_KEY",r);
+#endif
+#ifdef REF_CHECK
+	if (i < 2)
+		{
+		fprintf(stderr, "EC_KEY_up, bad reference count\n");
+		abort();
+		}
+#endif
+	return ((i > 1) ? 1 : 0);
+	}
+
+int EC_KEY_generate_key(EC_KEY *eckey)
+	{	
+	int	ok = 0;
+	BN_CTX	*ctx = NULL;
+	BIGNUM	*priv_key = NULL, *order = NULL;
+	EC_POINT *pub_key = NULL;
+
+	if (!eckey || !eckey->group)
+		{
+		ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+
+	if ((order = BN_new()) == NULL) goto err;
+	if ((ctx = BN_CTX_new()) == NULL) goto err;
+
+	if (eckey->priv_key == NULL)
+		{
+		priv_key = BN_new();
+		if (priv_key == NULL)
+			goto err;
+		}
+	else
+		priv_key = eckey->priv_key;
+
+	if (!EC_GROUP_get_order(eckey->group, order, ctx))
+		goto err;
+
+	do
+		if (!BN_rand_range(priv_key, order))
+			goto err;
+	while (BN_is_zero(priv_key));
+
+	if (eckey->pub_key == NULL)
+		{
+		pub_key = EC_POINT_new(eckey->group);
+		if (pub_key == NULL)
+			goto err;
+		}
+	else
+		pub_key = eckey->pub_key;
+
+	if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
+		goto err;
+
+	eckey->priv_key = priv_key;
+	eckey->pub_key  = pub_key;
+
+	ok=1;
+
+err:	
+	if (order)
+		BN_free(order);
+	if (pub_key  != NULL && eckey->pub_key  == NULL)
+		EC_POINT_free(pub_key);
+	if (priv_key != NULL && eckey->priv_key == NULL)
+		BN_free(priv_key);
+	if (ctx != NULL)
+		BN_CTX_free(ctx);
+	return(ok);
+	}
+
+int EC_KEY_check_key(const EC_KEY *eckey)
+	{
+	int	ok   = 0;
+	BN_CTX	*ctx = NULL;
+	BIGNUM	*order  = NULL;
+	EC_POINT *point = NULL;
+
+	if (!eckey || !eckey->group || !eckey->pub_key)
+		{
+		ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	
+	if ((ctx = BN_CTX_new()) == NULL)
+		goto err;
+	if ((order = BN_new()) == NULL)
+		goto err;
+	if ((point = EC_POINT_new(eckey->group)) == NULL)
+		goto err;
+
+	/* testing whether the pub_key is on the elliptic curve */
+	if (!EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx))
+		{
+		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE);
+		goto err;
+		}
+	/* testing whether pub_key * order is the point at infinity */
+	if (!EC_GROUP_get_order(eckey->group, order, ctx))
+		{
+		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_GROUP_ORDER);
+		goto err;
+		}
+	if (!EC_POINT_copy(point, eckey->pub_key))
+		{
+		ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);
+		goto err;
+		}
+	if (!EC_POINT_mul(eckey->group, point, order, NULL, NULL, ctx))
+		{
+		ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);
+		goto err;
+		}
+	if (!EC_POINT_is_at_infinity(eckey->group, point))
+		{
+		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER);
+		goto err;
+		}
+	/* in case the priv_key is present : 
+	 * check if generator * priv_key == pub_key 
+	 */
+	if (eckey->priv_key)
+		{
+		if (BN_cmp(eckey->priv_key, order) >= 0)
+			{
+			ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_WRONG_ORDER);
+			goto err;
+			}
+		if (!EC_POINT_mul(eckey->group, point, eckey->priv_key,
+			NULL, NULL, ctx))
+			{
+			ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_EC_LIB);
+			goto err;
+			}
+		if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, 
+			ctx) != 0)
+			{
+			ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY);
+			goto err;
+			}
+		}
+	ok = 1;
+err:
+	if (ctx   != NULL)
+		BN_CTX_free(ctx);
+	if (order != NULL)
+		BN_free(order);
+	if (point != NULL)
+		EC_POINT_free(point);
+	return(ok);
+	}
+
+const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key)
+	{
+	return key->group;
+	}
+
+int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group)
+	{
+	if (key->group != NULL)
+		EC_GROUP_free(key->group);
+	key->group = EC_GROUP_dup(group);
+	return (key->group == NULL) ? 0 : 1;
+	}
+
+const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key)
+	{
+	return key->priv_key;
+	}
+
+int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
+	{
+	if (key->priv_key)
+		BN_clear_free(key->priv_key);
+	key->priv_key = BN_dup(priv_key);
+	return (key->priv_key == NULL) ? 0 : 1;
+	}
+
+const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key)
+	{
+	return key->pub_key;
+	}
+
+int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub_key)
+	{
+	if (key->pub_key != NULL)
+		EC_POINT_free(key->pub_key);
+	key->pub_key = EC_POINT_dup(pub_key, key->group);
+	return (key->pub_key == NULL) ? 0 : 1;
+	}
+
+unsigned int EC_KEY_get_enc_flags(const EC_KEY *key)
+	{
+	return key->enc_flag;
+	}
+
+void EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags)
+	{
+	key->enc_flag = flags;
+	}
+
+point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key)
+	{
+	return key->conv_form;
+	}
+
+void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform)
+	{
+	key->conv_form = cform;
+	if (key->group != NULL)
+		EC_GROUP_set_point_conversion_form(key->group, cform);
+	}
+
+void *EC_KEY_get_key_method_data(EC_KEY *key,
+	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
+	{
+	return EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
+	}
+
+void EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
+	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
+	{
+	EC_EXTRA_DATA *ex_data;
+	CRYPTO_w_lock(CRYPTO_LOCK_EC);
+	ex_data = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
+	if (ex_data == NULL)
+		EC_EX_DATA_set_data(&key->method_data, data, dup_func, free_func, clear_free_func);
+	CRYPTO_w_unlock(CRYPTO_LOCK_EC);
+	}
+
+void EC_KEY_set_asn1_flag(EC_KEY *key, int flag)
+	{
+	if (key->group != NULL)
+		EC_GROUP_set_asn1_flag(key->group, flag);
+	}
+
+int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx)
+	{
+	if (key->group == NULL)
+		return 0;
+	return EC_GROUP_precompute_mult(key->group, ctx);
+	}
diff --git a/crypto/openssl/crypto/ec/ec_lcl.h b/crypto/openssl/crypto/ec/ec_lcl.h
index cc4cf277550d..fdd7aa275563 100644
--- a/crypto/openssl/crypto/ec/ec_lcl.h
+++ b/crypto/openssl/crypto/ec/ec_lcl.h
@@ -1,6 +1,9 @@
 /* crypto/ec/ec_lcl.h */
+/*
+ * Originally written by Bodo Moeller for the OpenSSL project.
+ */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -52,35 +55,56 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * The elliptic curve binary polynomial software is originally written by 
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
 
 
 #include <stdlib.h>
 
+#include <openssl/obj_mac.h>
 #include <openssl/ec.h>
+#include <openssl/bn.h>
 
+#if defined(__SUNPRO_C)
+# if __SUNPRO_C >= 0x520
+# pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE)
+# endif
+#endif
 
 /* Structure details are not part of the exported interface,
  * so all this may change in future versions. */
 
 struct ec_method_st {
+	/* used by EC_METHOD_get_field_type: */
+	int field_type; /* a NID */
+
 	/* used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, EC_GROUP_copy: */
 	int (*group_init)(EC_GROUP *);
 	void (*group_finish)(EC_GROUP *);
 	void (*group_clear_finish)(EC_GROUP *);
 	int (*group_copy)(EC_GROUP *, const EC_GROUP *);
 
-	/* used by EC_GROUP_set_curve_GFp and EC_GROUP_get_curve_GFp: */
-	int (*group_set_curve_GFp)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
-	int (*group_get_curve_GFp)(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+	/* used by EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, */
+	/* EC_GROUP_set_curve_GF2m, and EC_GROUP_get_curve_GF2m: */
+	int (*group_set_curve)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+	int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
 
-	/* used by EC_GROUP_set_generator, EC_GROUP_get0_generator,
-	 * EC_GROUP_get_order, EC_GROUP_get_cofactor:
-	 */
-	int (*group_set_generator)(EC_GROUP *, const EC_POINT *generator,
-	        const BIGNUM *order, const BIGNUM *cofactor);
-	EC_POINT *(*group_get0_generator)(const EC_GROUP *);
-	int (*group_get_order)(const EC_GROUP *, BIGNUM *order, BN_CTX *);
-	int (*group_get_cofactor)(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
+	/* used by EC_GROUP_get_degree: */
+	int (*group_get_degree)(const EC_GROUP *);
+
+	/* used by EC_GROUP_check: */
+	int (*group_check_discriminant)(const EC_GROUP *, BN_CTX *);
 
 	/* used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, EC_POINT_copy: */
 	int (*point_init)(EC_POINT *);
@@ -89,20 +113,22 @@ struct ec_method_st {
 	int (*point_copy)(EC_POINT *, const EC_POINT *);
 
 	/* used by EC_POINT_set_to_infinity,
-	 * EC_POINT_set_Jprojective_coordinates_GFp, EC_POINT_get_Jprojective_coordinates_GFp,
-	 * EC_POINT_set_affine_coordinates_GFp, EC_POINT_get_affine_coordinates_GFp,
-	 * EC_POINT_set_compressed_coordinates_GFp:
+	 * EC_POINT_set_Jprojective_coordinates_GFp,
+	 * EC_POINT_get_Jprojective_coordinates_GFp,
+	 * EC_POINT_set_affine_coordinates_GFp,     ..._GF2m,
+	 * EC_POINT_get_affine_coordinates_GFp,     ..._GF2m,
+	 * EC_POINT_set_compressed_coordinates_GFp, ..._GF2m:
 	 */
 	int (*point_set_to_infinity)(const EC_GROUP *, EC_POINT *);
 	int (*point_set_Jprojective_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
 		const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
 	int (*point_get_Jprojective_coordinates_GFp)(const EC_GROUP *, const EC_POINT *,
 		BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
-	int (*point_set_affine_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
+	int (*point_set_affine_coordinates)(const EC_GROUP *, EC_POINT *,
 		const BIGNUM *x, const BIGNUM *y, BN_CTX *);
-	int (*point_get_affine_coordinates_GFp)(const EC_GROUP *, const EC_POINT *,
+	int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_POINT *,
 		BIGNUM *x, BIGNUM *y, BN_CTX *);
-	int (*point_set_compressed_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
+	int (*point_set_compressed_coordinates)(const EC_GROUP *, EC_POINT *,
 		const BIGNUM *x, int y_bit, BN_CTX *);
 
 	/* used by EC_POINT_point2oct, EC_POINT_oct2point: */
@@ -125,34 +151,65 @@ struct ec_method_st {
 	int (*make_affine)(const EC_GROUP *, EC_POINT *, BN_CTX *);
 	int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
 
+	/* used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, EC_POINT_have_precompute_mult
+	 * (default implementations are used if the 'mul' pointer is 0): */
+	int (*mul)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+		size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
+	int (*precompute_mult)(EC_GROUP *group, BN_CTX *);
+	int (*have_precompute_mult)(const EC_GROUP *group);
+
 
 	/* internal functions */
 
-	/* 'field_mul' and 'field_sqr' can be used by 'add' and 'dbl' so that
+	/* 'field_mul', 'field_sqr', and 'field_div' can be used by 'add' and 'dbl' so that
 	 * the same implementations of point operations can be used with different
 	 * optimized implementations of expensive field operations: */
 	int (*field_mul)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
 	int (*field_sqr)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+	int (*field_div)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
 
 	int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. to Montgomery */
 	int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. from Montgomery */
 	int (*field_set_to_one)(const EC_GROUP *, BIGNUM *r, BN_CTX *);
 } /* EC_METHOD */;
 
+typedef struct ec_extra_data_st {
+	struct ec_extra_data_st *next;
+	void *data;
+	void *(*dup_func)(void *);
+	void (*free_func)(void *);
+	void (*clear_free_func)(void *);
+} EC_EXTRA_DATA; /* used in EC_GROUP */
 
 struct ec_group_st {
 	const EC_METHOD *meth;
 
-	void *extra_data;
-	void *(*extra_data_dup_func)(void *);
-	void (*extra_data_free_func)(void *);
-	void (*extra_data_clear_free_func)(void *);
+	EC_POINT *generator; /* optional */
+	BIGNUM order, cofactor;
+
+	int curve_name;/* optional NID for named curve */
+	int asn1_flag; /* flag to control the asn1 encoding */
+	point_conversion_form_t asn1_form;
+
+	unsigned char *seed; /* optional seed for parameters (appears in ASN1) */
+	size_t seed_len;
 
-	/* All members except 'meth' and 'extra_data...' are handled by
-	 * the method functions, even if they appear generic */
+	EC_EXTRA_DATA *extra_data; /* linked list */
+
+	/* The following members are handled by the method functions,
+	 * even if they appear generic */
 	
 	BIGNUM field; /* Field specification.
-	               * For curves over GF(p), this is the modulus. */
+	               * For curves over GF(p), this is the modulus;
+	               * for curves over GF(2^m), this is the 
+	               * irreducible polynomial defining the field.
+	               */
+
+	unsigned int poly[5]; /* Field specification for curves over GF(2^m).
+	                       * The irreducible f(t) is then of the form:
+	                       *     t^poly[0] + t^poly[1] + ... + t^poly[k]
+	                       * where m = poly[0] > poly[1] > ... > poly[k] = 0.
+	                       */
 
 	BIGNUM a, b; /* Curve coefficients.
 	              * (Here the assumption is that BIGNUMs can be used
@@ -160,29 +217,49 @@ struct ec_group_st {
 	              * For characteristic  > 3,  the curve is defined
 	              * by a Weierstrass equation of the form
 	              *     y^2 = x^3 + a*x + b.
+	              * For characteristic  2,  the curve is defined by
+	              * an equation of the form
+	              *     y^2 + x*y = x^3 + a*x^2 + b.
 	              */
-	int a_is_minus3; /* enable optimized point arithmetics for special case */
 
-	EC_POINT *generator; /* optional */
-	BIGNUM order, cofactor;
+	int a_is_minus3; /* enable optimized point arithmetics for special case */
 
 	void *field_data1; /* method-specific (e.g., Montgomery structure) */
 	void *field_data2; /* method-specific */
+	int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *,	BN_CTX *); /* method-specific */
 } /* EC_GROUP */;
 
+struct ec_key_st {
+	int version;
+
+	EC_GROUP *group;
+
+	EC_POINT *pub_key;
+	BIGNUM	 *priv_key;
+
+	unsigned int enc_flag;
+	point_conversion_form_t conv_form;
 
-/* Basically a 'mixin' for extra data, but available for EC_GROUPs only
+	int 	references;
+
+	EC_EXTRA_DATA *method_data;
+} /* EC_KEY */;
+
+/* Basically a 'mixin' for extra data, but available for EC_GROUPs/EC_KEYs only
  * (with visibility limited to 'package' level for now).
  * We use the function pointers as index for retrieval; this obviates
  * global ex_data-style index tables.
- * (Currently, we have one slot only, but is is possible to extend this
- * if necessary.) */
-int EC_GROUP_set_extra_data(EC_GROUP *, void *extra_data, void *(*extra_data_dup_func)(void *),
-	void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *));
-void *EC_GROUP_get_extra_data(const EC_GROUP *, void *(*extra_data_dup_func)(void *),
-	void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *));
-void EC_GROUP_free_extra_data(EC_GROUP *);
-void EC_GROUP_clear_free_extra_data(EC_GROUP *);
+ */
+int EC_EX_DATA_set_data(EC_EXTRA_DATA **, void *data,
+	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
+void *EC_EX_DATA_get_data(const EC_EXTRA_DATA *,
+	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
+void EC_EX_DATA_free_data(EC_EXTRA_DATA **,
+	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
+void EC_EX_DATA_clear_free_data(EC_EXTRA_DATA **,
+	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
+void EC_EX_DATA_free_all_data(EC_EXTRA_DATA **);
+void EC_EX_DATA_clear_free_all_data(EC_EXTRA_DATA **);
 
 
 
@@ -201,18 +278,23 @@ struct ec_point_st {
 
 
 
+/* method functions in ec_mult.c
+ * (ec_lib.c uses these as defaults if group->method->mul is 0) */
+int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+	size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
+int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *);
+int ec_wNAF_have_precompute_mult(const EC_GROUP *group);
+
+
 /* method functions in ecp_smpl.c */
 int ec_GFp_simple_group_init(EC_GROUP *);
 void ec_GFp_simple_group_finish(EC_GROUP *);
 void ec_GFp_simple_group_clear_finish(EC_GROUP *);
 int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *);
-int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
-int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
-int ec_GFp_simple_group_set_generator(EC_GROUP *, const EC_POINT *generator,
-	const BIGNUM *order, const BIGNUM *cofactor);
-EC_POINT *ec_GFp_simple_group_get0_generator(const EC_GROUP *);
-int ec_GFp_simple_group_get_order(const EC_GROUP *, BIGNUM *order, BN_CTX *);
-int ec_GFp_simple_group_get_cofactor(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
+int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_group_get_degree(const EC_GROUP *);
+int ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *);
 int ec_GFp_simple_point_init(EC_POINT *);
 void ec_GFp_simple_point_finish(EC_POINT *);
 void ec_GFp_simple_point_clear_finish(EC_POINT *);
@@ -222,11 +304,11 @@ int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *, EC_POINT *,
 	const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
 int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
 	BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
-int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,
 	const BIGNUM *x, const BIGNUM *y, BN_CTX *);
-int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *, const EC_POINT *,
 	BIGNUM *x, BIGNUM *y, BN_CTX *);
-int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *,
 	const BIGNUM *x, int y_bit, BN_CTX *);
 size_t ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
 	unsigned char *buf, size_t len, BN_CTX *);
@@ -246,7 +328,7 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX
 
 /* method functions in ecp_mont.c */
 int ec_GFp_mont_group_init(EC_GROUP *);
-int ec_GFp_mont_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
 void ec_GFp_mont_group_finish(EC_GROUP *);
 void ec_GFp_mont_group_clear_finish(EC_GROUP *);
 int ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *);
@@ -257,21 +339,52 @@ int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CT
 int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *);
 
 
-/* method functions in ecp_recp.c */
-int ec_GFp_recp_group_init(EC_GROUP *);
-int ec_GFp_recp_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
-void ec_GFp_recp_group_finish(EC_GROUP *);
-void ec_GFp_recp_group_clear_finish(EC_GROUP *);
-int ec_GFp_recp_group_copy(EC_GROUP *, const EC_GROUP *);
-int ec_GFp_recp_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
-int ec_GFp_recp_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
-
-
 /* method functions in ecp_nist.c */
-int ec_GFp_nist_group_init(EC_GROUP *);
-int ec_GFp_nist_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
-void ec_GFp_nist_group_finish(EC_GROUP *);
-void ec_GFp_nist_group_clear_finish(EC_GROUP *);
-int ec_GFp_nist_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src);
+int ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
 int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
 int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+
+
+/* method functions in ec2_smpl.c */
+int ec_GF2m_simple_group_init(EC_GROUP *);
+void ec_GF2m_simple_group_finish(EC_GROUP *);
+void ec_GF2m_simple_group_clear_finish(EC_GROUP *);
+int ec_GF2m_simple_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GF2m_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GF2m_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+int ec_GF2m_simple_group_get_degree(const EC_GROUP *);
+int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *);
+int ec_GF2m_simple_point_init(EC_POINT *);
+void ec_GF2m_simple_point_finish(EC_POINT *);
+void ec_GF2m_simple_point_clear_finish(EC_POINT *);
+int ec_GF2m_simple_point_copy(EC_POINT *, const EC_POINT *);
+int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
+int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,
+	const BIGNUM *x, const BIGNUM *y, BN_CTX *);
+int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *, const EC_POINT *,
+	BIGNUM *x, BIGNUM *y, BN_CTX *);
+int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *,
+	const BIGNUM *x, int y_bit, BN_CTX *);
+size_t ec_GF2m_simple_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
+	unsigned char *buf, size_t len, BN_CTX *);
+int ec_GF2m_simple_oct2point(const EC_GROUP *, EC_POINT *,
+	const unsigned char *buf, size_t len, BN_CTX *);
+int ec_GF2m_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+int ec_GF2m_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
+int ec_GF2m_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int ec_GF2m_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);
+int ec_GF2m_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
+int ec_GF2m_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+int ec_GF2m_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int ec_GF2m_simple_points_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+int ec_GF2m_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GF2m_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+int ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+
+
+/* method functions in ec2_mult.c */
+int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+	size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
+int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
+int ec_GF2m_have_precompute_mult(const EC_GROUP *group);
diff --git a/crypto/openssl/crypto/ec/ec_lib.c b/crypto/openssl/crypto/ec/ec_lib.c
index deb522060f2a..5af84376c602 100644
--- a/crypto/openssl/crypto/ec/ec_lib.c
+++ b/crypto/openssl/crypto/ec/ec_lib.c
@@ -1,6 +1,9 @@
 /* crypto/ec/ec_lib.c */
+/*
+ * Originally written by Bodo Moeller for the OpenSSL project.
+ */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -52,6 +55,11 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * Binary polynomial ECC support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #include <string.h>
 
@@ -90,10 +98,18 @@ EC_GROUP *EC_GROUP_new(const EC_METHOD *meth)
 	ret->meth = meth;
 
 	ret->extra_data = NULL;
-	ret->extra_data_dup_func = 0;
-	ret->extra_data_free_func = 0;
-	ret->extra_data_clear_free_func = 0;
-	
+
+	ret->generator = NULL;
+	BN_init(&ret->order);
+	BN_init(&ret->cofactor);
+
+	ret->curve_name = 0;	
+	ret->asn1_flag  = 0;
+	ret->asn1_form  = POINT_CONVERSION_UNCOMPRESSED;
+
+	ret->seed = NULL;
+	ret->seed_len = 0;
+
 	if (!meth->group_init(ret))
 		{
 		OPENSSL_free(ret);
@@ -111,7 +127,15 @@ void EC_GROUP_free(EC_GROUP *group)
 	if (group->meth->group_finish != 0)
 		group->meth->group_finish(group);
 
-	EC_GROUP_free_extra_data(group);
+	EC_EX_DATA_free_all_data(&group->extra_data);
+
+	if (group->generator != NULL)
+		EC_POINT_free(group->generator);
+	BN_free(&group->order);
+	BN_free(&group->cofactor);
+
+	if (group->seed)
+		OPENSSL_free(group->seed);
 
 	OPENSSL_free(group);
 	}
@@ -123,10 +147,21 @@ void EC_GROUP_clear_free(EC_GROUP *group)
 
 	if (group->meth->group_clear_finish != 0)
 		group->meth->group_clear_finish(group);
-	else if (group->meth != NULL && group->meth->group_finish != 0)
+	else if (group->meth->group_finish != 0)
 		group->meth->group_finish(group);
 
-	EC_GROUP_clear_free_extra_data(group);
+	EC_EX_DATA_clear_free_all_data(&group->extra_data);
+
+	if (group->generator != NULL)
+		EC_POINT_clear_free(group->generator);
+	BN_clear_free(&group->order);
+	BN_clear_free(&group->cofactor);
+
+	if (group->seed)
+		{
+		OPENSSL_cleanse(group->seed, group->seed_len);
+		OPENSSL_free(group->seed);
+		}
 
 	OPENSSL_cleanse(group, sizeof *group);
 	OPENSSL_free(group);
@@ -135,6 +170,8 @@ void EC_GROUP_clear_free(EC_GROUP *group)
 
 int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
 	{
+	EC_EXTRA_DATA *d;
+
 	if (dest->meth->group_copy == 0)
 		{
 		ECerr(EC_F_EC_GROUP_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -148,161 +185,507 @@ int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
 	if (dest == src)
 		return 1;
 	
-	EC_GROUP_clear_free_extra_data(dest);
-	if (src->extra_data_dup_func)
+	EC_EX_DATA_free_all_data(&dest->extra_data);
+
+	for (d = src->extra_data; d != NULL; d = d->next)
 		{
-		if (src->extra_data != NULL)
+		void *t = d->dup_func(d->data);
+		
+		if (t == NULL)
+			return 0;
+		if (!EC_EX_DATA_set_data(&dest->extra_data, t, d->dup_func, d->free_func, d->clear_free_func))
+			return 0;
+		}
+
+	if (src->generator != NULL)
+		{
+		if (dest->generator == NULL)
+			{
+			dest->generator = EC_POINT_new(dest);
+			if (dest->generator == NULL) return 0;
+			}
+		if (!EC_POINT_copy(dest->generator, src->generator)) return 0;
+		}
+	else
+		{
+		/* src->generator == NULL */
+		if (dest->generator != NULL)
 			{
-			dest->extra_data = src->extra_data_dup_func(src->extra_data);
-			if (dest->extra_data == NULL)
-				return 0;
+			EC_POINT_clear_free(dest->generator);
+			dest->generator = NULL;
 			}
+		}
+
+	if (!BN_copy(&dest->order, &src->order)) return 0;
+	if (!BN_copy(&dest->cofactor, &src->cofactor)) return 0;
 
-		dest->extra_data_dup_func = src->extra_data_dup_func;
-		dest->extra_data_free_func = src->extra_data_free_func;
-		dest->extra_data_clear_free_func = src->extra_data_clear_free_func;
+	dest->curve_name = src->curve_name;
+	dest->asn1_flag  = src->asn1_flag;
+	dest->asn1_form  = src->asn1_form;
+
+	if (src->seed)
+		{
+		if (dest->seed)
+			OPENSSL_free(dest->seed);
+		dest->seed = OPENSSL_malloc(src->seed_len);
+		if (dest->seed == NULL)
+			return 0;
+		if (!memcpy(dest->seed, src->seed, src->seed_len))
+			return 0;
+		dest->seed_len = src->seed_len;
+		}
+	else
+		{
+		if (dest->seed)
+			OPENSSL_free(dest->seed);
+		dest->seed = NULL;
+		dest->seed_len = 0;
 		}
+	
 
 	return dest->meth->group_copy(dest, src);
 	}
 
 
+EC_GROUP *EC_GROUP_dup(const EC_GROUP *a)
+	{
+	EC_GROUP *t = NULL;
+	int ok = 0;
+
+	if (a == NULL) return NULL;
+
+	if ((t = EC_GROUP_new(a->meth)) == NULL) return(NULL);
+	if (!EC_GROUP_copy(t, a)) goto err;
+
+	ok = 1;
+
+  err:	
+	if (!ok)
+		{
+		if (t) EC_GROUP_free(t);
+		return NULL;
+		}
+	else return t;
+	}
+
+
 const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group)
 	{
 	return group->meth;
 	}
 
 
+int EC_METHOD_get_field_type(const EC_METHOD *meth)
+        {
+        return meth->field_type;
+        }
+
+
+int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor)
+	{
+	if (generator == NULL)
+		{
+		ECerr(EC_F_EC_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER);
+		return 0   ;
+		}
+
+	if (group->generator == NULL)
+		{
+		group->generator = EC_POINT_new(group);
+		if (group->generator == NULL) return 0;
+		}
+	if (!EC_POINT_copy(group->generator, generator)) return 0;
+
+	if (order != NULL)
+		{ if (!BN_copy(&group->order, order)) return 0; }	
+	else
+		BN_zero(&group->order);
+
+	if (cofactor != NULL)
+		{ if (!BN_copy(&group->cofactor, cofactor)) return 0; }	
+	else
+		BN_zero(&group->cofactor);
+
+	return 1;
+	}
+
+
+const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group)
+	{
+	return group->generator;
+	}
+
+
+int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
+	{
+	if (!BN_copy(order, &group->order))
+		return 0;
+
+	return !BN_is_zero(order);
+	}
+
+
+int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
+	{
+	if (!BN_copy(cofactor, &group->cofactor))
+		return 0;
+
+	return !BN_is_zero(&group->cofactor);
+	}
+
+
+void EC_GROUP_set_curve_name(EC_GROUP *group, int nid)
+	{
+	group->curve_name = nid;
+	}
+
+
+int EC_GROUP_get_curve_name(const EC_GROUP *group)
+	{
+	return group->curve_name;
+	}
+
+
+void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag)
+	{
+	group->asn1_flag = flag;
+	}
+
+
+int EC_GROUP_get_asn1_flag(const EC_GROUP *group)
+	{
+	return group->asn1_flag;
+	}
+
+
+void EC_GROUP_set_point_conversion_form(EC_GROUP *group, 
+                                        point_conversion_form_t form)
+	{
+	group->asn1_form = form;
+	}
+
+
+point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *group)
+	{
+	return group->asn1_form;
+	}
+
+
+size_t EC_GROUP_set_seed(EC_GROUP *group, const unsigned char *p, size_t len)
+	{
+	if (group->seed)
+		{
+		OPENSSL_free(group->seed);
+		group->seed = NULL;
+		group->seed_len = 0;
+		}
+
+	if (!len || !p)
+		return 1;
+
+	if ((group->seed = OPENSSL_malloc(len)) == NULL)
+		return 0;
+	memcpy(group->seed, p, len);
+	group->seed_len = len;
+
+	return len;
+	}
+
+
+unsigned char *EC_GROUP_get0_seed(const EC_GROUP *group)
+	{
+	return group->seed;
+	}
+
+
+size_t EC_GROUP_get_seed_len(const EC_GROUP *group)
+	{
+	return group->seed_len;
+	}
+
+
 int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 	{
-	if (group->meth->group_set_curve_GFp == 0)
+	if (group->meth->group_set_curve == 0)
 		{
 		ECerr(EC_F_EC_GROUP_SET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 		}
-	return group->meth->group_set_curve_GFp(group, p, a, b, ctx);
+	return group->meth->group_set_curve(group, p, a, b, ctx);
 	}
 
 
 int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
 	{
-	if (group->meth->group_get_curve_GFp == 0)
+	if (group->meth->group_get_curve == 0)
 		{
 		ECerr(EC_F_EC_GROUP_GET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 		}
-	return group->meth->group_get_curve_GFp(group, p, a, b, ctx);
+	return group->meth->group_get_curve(group, p, a, b, ctx);
 	}
 
 
-int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor)
+int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 	{
-	if (group->meth->group_set_generator == 0)
+	if (group->meth->group_set_curve == 0)
 		{
-		ECerr(EC_F_EC_GROUP_SET_GENERATOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		ECerr(EC_F_EC_GROUP_SET_CURVE_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 		}
-	return group->meth->group_set_generator(group, generator, order, cofactor);
+	return group->meth->group_set_curve(group, p, a, b, ctx);
 	}
 
 
-EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group)
+int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
 	{
-	if (group->meth->group_get0_generator == 0)
+	if (group->meth->group_get_curve == 0)
 		{
-		ECerr(EC_F_EC_GROUP_GET0_GENERATOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		ECerr(EC_F_EC_GROUP_GET_CURVE_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 		}
-	return group->meth->group_get0_generator(group);
+	return group->meth->group_get_curve(group, p, a, b, ctx);
 	}
 
 
-int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
+int EC_GROUP_get_degree(const EC_GROUP *group)
 	{
-	if (group->meth->group_get_order == 0)
+	if (group->meth->group_get_degree == 0)
 		{
-		ECerr(EC_F_EC_GROUP_GET_ORDER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		ECerr(EC_F_EC_GROUP_GET_DEGREE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 		}
-	return group->meth->group_get_order(group, order, ctx);
+	return group->meth->group_get_degree(group);
 	}
 
 
-int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
+int EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
 	{
-	if (group->meth->group_get_cofactor == 0)
+	if (group->meth->group_check_discriminant == 0)
 		{
-		ECerr(EC_F_EC_GROUP_GET_COFACTOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		ECerr(EC_F_EC_GROUP_CHECK_DISCRIMINANT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 		}
-	return group->meth->group_get_cofactor(group, cofactor, ctx);
+	return group->meth->group_check_discriminant(group, ctx);
 	}
 
 
-/* this has 'package' visibility */
-int EC_GROUP_set_extra_data(EC_GROUP *group, void *extra_data, void *(*extra_data_dup_func)(void *),
-	void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *))
+int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx)
 	{
-	if ((group->extra_data != NULL)
-		|| (group->extra_data_dup_func != 0)
-		|| (group->extra_data_free_func != 0)
-		|| (group->extra_data_clear_free_func != 0))
-		{
-		ECerr(EC_F_EC_GROUP_SET_EXTRA_DATA, EC_R_SLOT_FULL);
+	int    r = 0;
+	BIGNUM *a1, *a2, *a3, *b1, *b2, *b3;
+	BN_CTX *ctx_new = NULL;
+
+	/* compare the field types*/
+	if (EC_METHOD_get_field_type(EC_GROUP_method_of(a)) !=
+	    EC_METHOD_get_field_type(EC_GROUP_method_of(b)))
+		return 1;
+	/* compare the curve name (if present) */
+	if (EC_GROUP_get_curve_name(a) && EC_GROUP_get_curve_name(b) &&
+	    EC_GROUP_get_curve_name(a) == EC_GROUP_get_curve_name(b))
 		return 0;
+
+	if (!ctx)
+		ctx_new = ctx = BN_CTX_new();
+	if (!ctx)
+		return -1;
+	
+	BN_CTX_start(ctx);
+	a1 = BN_CTX_get(ctx);
+	a2 = BN_CTX_get(ctx);
+	a3 = BN_CTX_get(ctx);
+	b1 = BN_CTX_get(ctx);
+	b2 = BN_CTX_get(ctx);
+	b3 = BN_CTX_get(ctx);
+	if (!b3)
+		{
+		BN_CTX_end(ctx);
+		if (ctx_new)
+			BN_CTX_free(ctx);
+		return -1;
 		}
 
-	group->extra_data = extra_data;
-	group->extra_data_dup_func = extra_data_dup_func;
-	group->extra_data_free_func = extra_data_free_func;
-	group->extra_data_clear_free_func = extra_data_clear_free_func;
-	return 1;
+	/* XXX This approach assumes that the external representation
+	 * of curves over the same field type is the same.
+	 */
+	if (!a->meth->group_get_curve(a, a1, a2, a3, ctx) ||
+	    !b->meth->group_get_curve(b, b1, b2, b3, ctx))
+		r = 1;
+
+	if (r || BN_cmp(a1, b1) || BN_cmp(a2, b2) || BN_cmp(a3, b3))
+		r = 1;
+
+	/* XXX EC_POINT_cmp() assumes that the methods are equal */
+	if (r || EC_POINT_cmp(a, EC_GROUP_get0_generator(a),
+	    EC_GROUP_get0_generator(b), ctx))
+		r = 1;
+
+	if (!r)
+		{
+		/* compare the order and cofactor */
+		if (!EC_GROUP_get_order(a, a1, ctx) ||
+		    !EC_GROUP_get_order(b, b1, ctx) ||
+		    !EC_GROUP_get_cofactor(a, a2, ctx) ||
+		    !EC_GROUP_get_cofactor(b, b2, ctx))
+			{
+			BN_CTX_end(ctx);
+			if (ctx_new)
+				BN_CTX_free(ctx);
+			return -1;
+			}
+		if (BN_cmp(a1, b1) || BN_cmp(a2, b2))
+			r = 1;
+		}
+
+	BN_CTX_end(ctx);
+	if (ctx_new)
+		BN_CTX_free(ctx);
+
+	return r;
 	}
 
 
 /* this has 'package' visibility */
-void *EC_GROUP_get_extra_data(const EC_GROUP *group, void *(*extra_data_dup_func)(void *),
-	void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *))
+int EC_EX_DATA_set_data(EC_EXTRA_DATA **ex_data, void *data,
+	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
 	{
-	if ((group->extra_data_dup_func != extra_data_dup_func)
-		|| (group->extra_data_free_func != extra_data_free_func)
-		|| (group->extra_data_clear_free_func != extra_data_clear_free_func))
+	EC_EXTRA_DATA *d;
+
+	if (ex_data == NULL)
+		return 0;
+
+	for (d = *ex_data; d != NULL; d = d->next)
 		{
-#if 0 /* this was an error in 0.9.7, but that does not make a lot of sense */
-		ECerr(..._F_EC_GROUP_GET_EXTRA_DATA, ..._R_NO_SUCH_EXTRA_DATA);
-#endif
-		return NULL;
+		if (d->dup_func == dup_func && d->free_func == free_func && d->clear_free_func == clear_free_func)
+			{
+			ECerr(EC_F_EC_EX_DATA_SET_DATA, EC_R_SLOT_FULL);
+			return 0;
+			}
 		}
 
-	return group->extra_data;
+	if (data == NULL)
+		/* no explicit entry needed */
+		return 1;
+
+	d = OPENSSL_malloc(sizeof *d);
+	if (d == NULL)
+		return 0;
+
+	d->data = data;
+	d->dup_func = dup_func;
+	d->free_func = free_func;
+	d->clear_free_func = clear_free_func;
+
+	d->next = *ex_data;
+	*ex_data = d;
+
+	return 1;
 	}
 
+/* this has 'package' visibility */
+void *EC_EX_DATA_get_data(const EC_EXTRA_DATA *ex_data,
+	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
+	{
+	const EC_EXTRA_DATA *d;
+
+	for (d = ex_data; d != NULL; d = d->next)
+		{
+		if (d->dup_func == dup_func && d->free_func == free_func && d->clear_free_func == clear_free_func)
+			return d->data;
+		}
+	
+	return NULL;
+	}
 
 /* this has 'package' visibility */
-void EC_GROUP_free_extra_data(EC_GROUP *group)
+void EC_EX_DATA_free_data(EC_EXTRA_DATA **ex_data,
+	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
 	{
-	if (group->extra_data_free_func)
-		group->extra_data_free_func(group->extra_data);
-	group->extra_data = NULL;
-	group->extra_data_dup_func = 0;
-	group->extra_data_free_func = 0;
-	group->extra_data_clear_free_func = 0;
+	EC_EXTRA_DATA **p;
+
+	if (ex_data == NULL)
+		return;
+
+	for (p = ex_data; *p != NULL; p = &((*p)->next))
+		{
+		if ((*p)->dup_func == dup_func && (*p)->free_func == free_func && (*p)->clear_free_func == clear_free_func)
+			{
+			EC_EXTRA_DATA *next = (*p)->next;
+
+			(*p)->free_func((*p)->data);
+			OPENSSL_free(*p);
+			
+			*p = next;
+			return;
+			}
+		}
 	}
 
+/* this has 'package' visibility */
+void EC_EX_DATA_clear_free_data(EC_EXTRA_DATA **ex_data,
+	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
+	{
+	EC_EXTRA_DATA **p;
+
+	if (ex_data == NULL)
+		return;
+
+	for (p = ex_data; *p != NULL; p = &((*p)->next))
+		{
+		if ((*p)->dup_func == dup_func && (*p)->free_func == free_func && (*p)->clear_free_func == clear_free_func)
+			{
+			EC_EXTRA_DATA *next = (*p)->next;
+
+			(*p)->clear_free_func((*p)->data);
+			OPENSSL_free(*p);
+			
+			*p = next;
+			return;
+			}
+		}
+	}
 
 /* this has 'package' visibility */
-void EC_GROUP_clear_free_extra_data(EC_GROUP *group)
+void EC_EX_DATA_free_all_data(EC_EXTRA_DATA **ex_data)
 	{
-	if (group->extra_data_clear_free_func)
-		group->extra_data_clear_free_func(group->extra_data);
-	else if (group->extra_data_free_func)
-		group->extra_data_free_func(group->extra_data);
-	group->extra_data = NULL;
-	group->extra_data_dup_func = 0;
-	group->extra_data_free_func = 0;
-	group->extra_data_clear_free_func = 0;
+	EC_EXTRA_DATA *d;
+
+	if (ex_data == NULL)
+		return;
+
+	d = *ex_data;
+	while (d)
+		{
+		EC_EXTRA_DATA *next = d->next;
+		
+		d->free_func(d->data);
+		OPENSSL_free(d);
+		
+		d = next;
+		}
+	*ex_data = NULL;
 	}
 
+/* this has 'package' visibility */
+void EC_EX_DATA_clear_free_all_data(EC_EXTRA_DATA **ex_data)
+	{
+	EC_EXTRA_DATA *d;
+
+	if (ex_data == NULL)
+		return;
+
+	d = *ex_data;
+	while (d)
+		{
+		EC_EXTRA_DATA *next = d->next;
+		
+		d->clear_free_func(d->data);
+		OPENSSL_free(d);
+		
+		d = next;
+		}
+	*ex_data = NULL;
+	}
 
 
 /* functions for EC_POINT objects */
@@ -382,6 +765,25 @@ int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src)
 	}
 
 
+EC_POINT *EC_POINT_dup(const EC_POINT *a, const EC_GROUP *group)
+	{
+	EC_POINT *t;
+	int r;
+
+	if (a == NULL) return NULL;
+
+	t = EC_POINT_new(group);
+	if (t == NULL) return(NULL);
+	r = EC_POINT_copy(t, a);
+	if (!r)
+		{
+		EC_POINT_free(t);
+		return NULL;
+		}
+	else return t;
+	}
+
+
 const EC_METHOD *EC_POINT_method_of(const EC_POINT *point)
 	{
 	return point->meth;
@@ -441,7 +843,7 @@ int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POI
 int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
 	const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
 	{
-	if (group->meth->point_set_affine_coordinates_GFp == 0)
+	if (group->meth->point_set_affine_coordinates == 0)
 		{
 		ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
@@ -451,14 +853,31 @@ int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
 		ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
 		return 0;
 		}
-	return group->meth->point_set_affine_coordinates_GFp(group, point, x, y, ctx);
+	return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
+	}
+
+
+int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
+	const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
+	{
+	if (group->meth->point_set_affine_coordinates == 0)
+		{
+		ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return 0;
+		}
+	if (group->meth != point->meth)
+		{
+		ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS);
+		return 0;
+		}
+	return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
 	}
 
 
 int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
 	BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
 	{
-	if (group->meth->point_get_affine_coordinates_GFp == 0)
+	if (group->meth->point_get_affine_coordinates == 0)
 		{
 		ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
@@ -468,14 +887,31 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *p
 		ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
 		return 0;
 		}
-	return group->meth->point_get_affine_coordinates_GFp(group, point, x, y, ctx);
+	return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
+	}
+
+
+int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, const EC_POINT *point,
+	BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
+	{
+	if (group->meth->point_get_affine_coordinates == 0)
+		{
+		ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return 0;
+		}
+	if (group->meth != point->meth)
+		{
+		ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS);
+		return 0;
+		}
+	return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
 	}
 
 
 int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
 	const BIGNUM *x, int y_bit, BN_CTX *ctx)
 	{
-	if (group->meth->point_set_compressed_coordinates_GFp == 0)
+	if (group->meth->point_set_compressed_coordinates == 0)
 		{
 		ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
@@ -485,7 +921,24 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *poi
 		ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
 		return 0;
 		}
-	return group->meth->point_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx);
+	return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx);
+	}
+
+
+int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
+	const BIGNUM *x, int y_bit, BN_CTX *ctx)
+	{
+	if (group->meth->point_set_compressed_coordinates == 0)
+		{
+		ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return 0;
+		}
+	if (group->meth != point->meth)
+		{
+		ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS);
+		return 0;
+		}
+	return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx);
 	}
 
 
@@ -559,12 +1012,12 @@ int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx)
 	{
 	if (group->meth->dbl == 0)
 		{
-		ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		ECerr(EC_F_EC_POINT_INVERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 		}
 	if (group->meth != a->meth)
 		{
-		ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS);
+		ECerr(EC_F_EC_POINT_INVERT, EC_R_INCOMPATIBLE_OBJECTS);
 		return 0;
 		}
 	return group->meth->invert(group, a, ctx);
@@ -654,3 +1107,58 @@ int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
 		}
 	return group->meth->points_make_affine(group, num, points, ctx);
 	}
+
+
+/* Functions for point multiplication.
+ *
+ * If group->meth->mul is 0, we use the wNAF-based implementations in ec_mult.c;
+ * otherwise we dispatch through methods.
+ */
+
+int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+	size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
+	{
+	if (group->meth->mul == 0)
+		/* use default */
+		return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
+
+	return group->meth->mul(group, r, scalar, num, points, scalars, ctx);
+	}
+
+int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
+	const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx)
+	{
+	/* just a convenient interface to EC_POINTs_mul() */
+
+	const EC_POINT *points[1];
+	const BIGNUM *scalars[1];
+
+	points[0] = point;
+	scalars[0] = p_scalar;
+
+	return EC_POINTs_mul(group, r, g_scalar, (point != NULL && p_scalar != NULL), points, scalars, ctx);
+	}
+
+int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
+	{
+	if (group->meth->mul == 0)
+		/* use default */
+		return ec_wNAF_precompute_mult(group, ctx);
+
+	if (group->meth->precompute_mult != 0)
+		return group->meth->precompute_mult(group, ctx);
+	else
+		return 1; /* nothing to do, so report success */
+	}
+
+int EC_GROUP_have_precompute_mult(const EC_GROUP *group)
+	{
+	if (group->meth->mul == 0)
+		/* use default */
+		return ec_wNAF_have_precompute_mult(group);
+
+	if (group->meth->have_precompute_mult != 0)
+		return group->meth->have_precompute_mult(group);
+	else
+		return 0; /* cannot tell whether precomputation has been performed */
+	}
diff --git a/crypto/openssl/crypto/ec/ec_mult.c b/crypto/openssl/crypto/ec/ec_mult.c
index 16822a73cf51..a045139a0015 100644
--- a/crypto/openssl/crypto/ec/ec_mult.c
+++ b/crypto/openssl/crypto/ec/ec_mult.c
@@ -1,6 +1,9 @@
 /* crypto/ec/ec_mult.c */
+/*
+ * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
+ */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -52,41 +55,145 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * Portions of this software developed by SUN MICROSYSTEMS, INC.,
+ * and contributed to the OpenSSL project.
+ */
+
+#include <string.h>
 
 #include <openssl/err.h>
 
 #include "ec_lcl.h"
 
 
-/* TODO: optional precomputation of multiples of the generator */
+/*
+ * This file implements the wNAF-based interleaving multi-exponentation method
+ * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp>);
+ * for multiplication with precomputation, we use wNAF splitting
+ * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#fastexp>).
+ */
 
 
 
-/*
- * wNAF-based interleaving multi-exponentation method
- * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp>)
- */
 
+/* structure for precomputed multiples of the generator */
+typedef struct ec_pre_comp_st {
+	const EC_GROUP *group; /* parent EC_GROUP object */
+	size_t blocksize;      /* block size for wNAF splitting */
+	size_t numblocks;      /* max. number of blocks for which we have precomputation */
+	size_t w;              /* window size */
+	EC_POINT **points;     /* array with pre-calculated multiples of generator:
+	                        * 'num' pointers to EC_POINT objects followed by a NULL */
+	size_t num;            /* numblocks * 2^(w-1) */
+	int references;
+} EC_PRE_COMP;
+ 
+/* functions to manage EC_PRE_COMP within the EC_GROUP extra_data framework */
+static void *ec_pre_comp_dup(void *);
+static void ec_pre_comp_free(void *);
+static void ec_pre_comp_clear_free(void *);
+
+static EC_PRE_COMP *ec_pre_comp_new(const EC_GROUP *group)
+	{
+	EC_PRE_COMP *ret = NULL;
+
+	if (!group)
+		return NULL;
+
+	ret = (EC_PRE_COMP *)OPENSSL_malloc(sizeof(EC_PRE_COMP));
+	if (!ret)
+		return ret;
+	ret->group = group;
+	ret->blocksize = 8; /* default */
+	ret->numblocks = 0;
+	ret->w = 4; /* default */
+	ret->points = NULL;
+	ret->num = 0;
+	ret->references = 1;
+	return ret;
+	}
+
+static void *ec_pre_comp_dup(void *src_)
+	{
+	EC_PRE_COMP *src = src_;
+
+	/* no need to actually copy, these objects never change! */
+
+	CRYPTO_add(&src->references, 1, CRYPTO_LOCK_EC_PRE_COMP);
+
+	return src_;
+	}
+
+static void ec_pre_comp_free(void *pre_)
+	{
+	int i;
+	EC_PRE_COMP *pre = pre_;
+
+	if (!pre)
+		return;
+
+	i = CRYPTO_add(&pre->references, -1, CRYPTO_LOCK_EC_PRE_COMP);
+	if (i > 0)
+		return;
+
+	if (pre->points)
+		{
+		EC_POINT **p;
+
+		for (p = pre->points; *p != NULL; p++)
+			EC_POINT_free(*p);
+		OPENSSL_free(pre->points);
+		}
+	OPENSSL_free(pre);
+	}
+
+static void ec_pre_comp_clear_free(void *pre_)
+	{
+	int i;
+	EC_PRE_COMP *pre = pre_;
 
-/* Determine the width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
+	if (!pre)
+		return;
+
+	i = CRYPTO_add(&pre->references, -1, CRYPTO_LOCK_EC_PRE_COMP);
+	if (i > 0)
+		return;
+
+	if (pre->points)
+		{
+		EC_POINT **p;
+
+		for (p = pre->points; *p != NULL; p++)
+			EC_POINT_clear_free(*p);
+		OPENSSL_cleanse(pre->points, sizeof pre->points);
+		OPENSSL_free(pre->points);
+		}
+	OPENSSL_cleanse(pre, sizeof pre);
+	OPENSSL_free(pre);
+	}
+
+
+
+
+/* Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
  * This is an array  r[]  of values that are either zero or odd with an
  * absolute value less than  2^w  satisfying
  *     scalar = \sum_j r[j]*2^j
- * where at most one of any  w+1  consecutive digits is non-zero.
+ * where at most one of any  w+1  consecutive digits is non-zero
+ * with the exception that the most significant digit may be only
+ * w-1 zeros away from that next non-zero digit.
  */
-static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, BN_CTX *ctx)
+static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len)
 	{
-	BIGNUM *c;
+	int window_val;
 	int ok = 0;
 	signed char *r = NULL;
 	int sign = 1;
 	int bit, next_bit, mask;
 	size_t len = 0, j;
 	
-	BN_CTX_start(ctx);
-	c = BN_CTX_get(ctx);
-	if (c == NULL) goto err;
-	
 	if (w <= 0 || w > 7) /* 'signed char' can represent integers with absolute values less than 2^7 */
 		{
 		ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
@@ -96,60 +203,86 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, B
 	next_bit = bit << 1; /* at most 256 */
 	mask = next_bit - 1; /* at most 255 */
 
-	if (!BN_copy(c, scalar)) goto err;
-	if (c->neg)
+	if (BN_is_negative(scalar))
 		{
 		sign = -1;
-		c->neg = 0;
 		}
 
-	len = BN_num_bits(c) + 1; /* wNAF may be one digit longer than binary representation */
-	r = OPENSSL_malloc(len);
+	len = BN_num_bits(scalar);
+	r = OPENSSL_malloc(len + 1); /* modified wNAF may be one digit longer than binary representation
+	                              * (*ret_len will be set to the actual length, i.e. at most
+	                              * BN_num_bits(scalar) + 1) */
 	if (r == NULL) goto err;
 
+	if (scalar->d == NULL || scalar->top == 0)
+		{
+		ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+		goto err;
+		}
+	window_val = scalar->d[0] & mask;
 	j = 0;
-	while (!BN_is_zero(c))
+	while ((window_val != 0) || (j + w + 1 < len)) /* if j+w+1 >= len, window_val will not increase */
 		{
-		int u = 0;
+		int digit = 0;
+
+		/* 0 <= window_val <= 2^(w+1) */
 
-		if (BN_is_odd(c)) 
+		if (window_val & 1)
 			{
-			if (c->d == NULL || c->top == 0)
+			/* 0 < window_val < 2^(w+1) */
+
+			if (window_val & bit)
 				{
-				ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
-				goto err;
+				digit = window_val - next_bit; /* -2^w < digit < 0 */
+
+#if 1 /* modified wNAF */
+				if (j + w + 1 >= len)
+					{
+					/* special case for generating modified wNAFs:
+					 * no new bits will be added into window_val,
+					 * so using a positive digit here will decrease
+					 * the total length of the representation */
+					
+					digit = window_val & (mask >> 1); /* 0 < digit < 2^w */
+					}
+#endif
 				}
-			u = c->d[0] & mask;
-			if (u & bit)
+			else
 				{
-				u -= next_bit;
-				/* u < 0 */
-				if (!BN_add_word(c, -u)) goto err;
+				digit = window_val; /* 0 < digit < 2^w */
 				}
-			else
+			
+			if (digit <= -bit || digit >= bit || !(digit & 1))
 				{
-				/* u > 0 */
-				if (!BN_sub_word(c, u)) goto err;
+				ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+				goto err;
 				}
 
-			if (u <= -bit || u >= bit || !(u & 1) || c->neg)
+			window_val -= digit;
+
+			/* now window_val is 0 or 2^(w+1) in standard wNAF generation;
+			 * for modified window NAFs, it may also be 2^w
+			 */
+			if (window_val != 0 && window_val != next_bit && window_val != bit)
 				{
 				ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
 				goto err;
 				}
 			}
 
-		r[j++] = sign * u;
-		
-		if (BN_is_odd(c))
+		r[j++] = sign * digit;
+
+		window_val >>= 1;
+		window_val += bit * BN_is_bit_set(scalar, j + w);
+
+		if (window_val > next_bit)
 			{
 			ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
 			goto err;
 			}
-		if (!BN_rshift1(c, c)) goto err;
 		}
 
-	if (j > len)
+	if (j > len + 1)
 		{
 		ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
 		goto err;
@@ -158,7 +291,6 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, B
 	ok = 1;
 
  err:
-	BN_CTX_end(ctx);
 	if (!ok)
 		{
 		OPENSSL_free(r);
@@ -181,7 +313,7 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, B
 		  (b) >=  300 ? 4 : \
 		  (b) >=   70 ? 3 : \
 		  (b) >=   20 ? 2 : \
-		   1))
+		  1))
 
 /* Compute
  *      \sum scalars[i]*points[i],
@@ -189,13 +321,15 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, B
  *      scalar*generator
  * in the addition if scalar != NULL
  */
-int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
 	{
 	BN_CTX *new_ctx = NULL;
-	EC_POINT *generator = NULL;
+	const EC_POINT *generator = NULL;
 	EC_POINT *tmp = NULL;
 	size_t totalnum;
+	size_t blocksize = 0, numblocks = 0; /* for wNAF splitting */
+	size_t pre_points_per_block = 0;
 	size_t i, j;
 	int k;
 	int r_is_inverted = 0;
@@ -207,12 +341,15 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	size_t num_val;
 	EC_POINT **val = NULL; /* precomputation */
 	EC_POINT **v;
-	EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' */
+	EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' or 'pre_comp->points' */
+	const EC_PRE_COMP *pre_comp = NULL;
+	int num_scalar = 0; /* flag: will be set to 1 if 'scalar' must be treated like other scalars,
+	                     * i.e. precomputation is not available */
 	int ret = 0;
 	
 	if (group->meth != r->meth)
 		{
-		ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
+		ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
 		return 0;
 		}
 
@@ -221,59 +358,218 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 		return EC_POINT_set_to_infinity(group, r);
 		}
 
-	if (scalar != NULL)
-		{
-		generator = EC_GROUP_get0_generator(group);
-		if (generator == NULL)
-			{
-			ECerr(EC_F_EC_POINTS_MUL, EC_R_UNDEFINED_GENERATOR);
-			return 0;
-			}
-		}
-	
 	for (i = 0; i < num; i++)
 		{
 		if (group->meth != points[i]->meth)
 			{
-			ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
+			ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
 			return 0;
 			}
 		}
 
-	totalnum = num + (scalar != NULL);
+	if (ctx == NULL)
+		{
+		ctx = new_ctx = BN_CTX_new();
+		if (ctx == NULL)
+			goto err;
+		}
 
-	wsize = OPENSSL_malloc(totalnum * sizeof wsize[0]);
-	wNAF_len = OPENSSL_malloc(totalnum * sizeof wNAF_len[0]);
-	wNAF = OPENSSL_malloc((totalnum + 1) * sizeof wNAF[0]);
-	if (wNAF != NULL)
+	if (scalar != NULL)
 		{
-		wNAF[0] = NULL; /* preliminary pivot */
+		generator = EC_GROUP_get0_generator(group);
+		if (generator == NULL)
+			{
+			ECerr(EC_F_EC_WNAF_MUL, EC_R_UNDEFINED_GENERATOR);
+			goto err;
+			}
+		
+		/* look if we can use precomputed multiples of generator */
+
+		pre_comp = EC_EX_DATA_get_data(group->extra_data, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free);
+
+		if (pre_comp && pre_comp->numblocks && (EC_POINT_cmp(group, generator, pre_comp->points[0], ctx) == 0))
+			{
+			blocksize = pre_comp->blocksize;
+
+			/* determine maximum number of blocks that wNAF splitting may yield
+			 * (NB: maximum wNAF length is bit length plus one) */
+			numblocks = (BN_num_bits(scalar) / blocksize) + 1;
+
+			/* we cannot use more blocks than we have precomputation for */
+			if (numblocks > pre_comp->numblocks)
+				numblocks = pre_comp->numblocks;
+
+			pre_points_per_block = 1u << (pre_comp->w - 1);
+
+			/* check that pre_comp looks sane */
+			if (pre_comp->num != (pre_comp->numblocks * pre_points_per_block))
+				{
+				ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
+				goto err;
+				}
+			}
+		else
+			{
+			/* can't use precomputation */
+			pre_comp = NULL;
+			numblocks = 1;
+			num_scalar = 1; /* treat 'scalar' like 'num'-th element of 'scalars' */
+			}
 		}
-	if (wsize == NULL || wNAF_len == NULL || wNAF == NULL) goto err;
+	
+	totalnum = num + numblocks;
 
-	/* num_val := total number of points to precompute */
+	wsize    = OPENSSL_malloc(totalnum * sizeof wsize[0]);
+	wNAF_len = OPENSSL_malloc(totalnum * sizeof wNAF_len[0]);
+	wNAF     = OPENSSL_malloc((totalnum + 1) * sizeof wNAF[0]); /* includes space for pivot */
+	val_sub  = OPENSSL_malloc(totalnum * sizeof val_sub[0]);
+		 
+	if (!wsize || !wNAF_len || !wNAF || !val_sub)
+		goto err;
+
+	wNAF[0] = NULL;	/* preliminary pivot */
+
+	/* num_val will be the total number of temporarily precomputed points */
 	num_val = 0;
-	for (i = 0; i < totalnum; i++)
+
+	for (i = 0; i < num + num_scalar; i++)
 		{
 		size_t bits;
 
 		bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
 		wsize[i] = EC_window_bits_for_scalar_size(bits);
 		num_val += 1u << (wsize[i] - 1);
+		wNAF[i + 1] = NULL; /* make sure we always have a pivot */
+		wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]);
+		if (wNAF[i] == NULL)
+			goto err;
+		if (wNAF_len[i] > max_len)
+			max_len = wNAF_len[i];
+		}
+
+	if (numblocks)
+		{
+		/* we go here iff scalar != NULL */
+		
+		if (pre_comp == NULL)
+			{
+			if (num_scalar != 1)
+				{
+				ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
+				goto err;
+				}
+			/* we have already generated a wNAF for 'scalar' */
+			}
+		else
+			{
+			signed char *tmp_wNAF = NULL;
+			size_t tmp_len = 0;
+			
+			if (num_scalar != 0)
+				{
+				ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
+				goto err;
+				}
+
+			/* use the window size for which we have precomputation */
+			wsize[num] = pre_comp->w;
+			tmp_wNAF = compute_wNAF(scalar, wsize[num], &tmp_len);
+			if (!tmp_wNAF)
+				goto err;
+
+			if (tmp_len <= max_len)
+				{
+				/* One of the other wNAFs is at least as long
+				 * as the wNAF belonging to the generator,
+				 * so wNAF splitting will not buy us anything. */
+
+				numblocks = 1;
+				totalnum = num + 1; /* don't use wNAF splitting */
+				wNAF[num] = tmp_wNAF;
+				wNAF[num + 1] = NULL;
+				wNAF_len[num] = tmp_len;
+				if (tmp_len > max_len)
+					max_len = tmp_len;
+				/* pre_comp->points starts with the points that we need here: */
+				val_sub[num] = pre_comp->points;
+				}
+			else
+				{
+				/* don't include tmp_wNAF directly into wNAF array
+				 * - use wNAF splitting and include the blocks */
+
+				signed char *pp;
+				EC_POINT **tmp_points;
+				
+				if (tmp_len < numblocks * blocksize)
+					{
+					/* possibly we can do with fewer blocks than estimated */
+					numblocks = (tmp_len + blocksize - 1) / blocksize;
+					if (numblocks > pre_comp->numblocks)
+						{
+						ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
+						goto err;
+						}
+					totalnum = num + numblocks;
+					}
+				
+				/* split wNAF in 'numblocks' parts */
+				pp = tmp_wNAF;
+				tmp_points = pre_comp->points;
+
+				for (i = num; i < totalnum; i++)
+					{
+					if (i < totalnum - 1)
+						{
+						wNAF_len[i] = blocksize;
+						if (tmp_len < blocksize)
+							{
+							ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
+							goto err;
+							}
+						tmp_len -= blocksize;
+						}
+					else
+						/* last block gets whatever is left
+						 * (this could be more or less than 'blocksize'!) */
+						wNAF_len[i] = tmp_len;
+					
+					wNAF[i + 1] = NULL;
+					wNAF[i] = OPENSSL_malloc(wNAF_len[i]);
+					if (wNAF[i] == NULL)
+						{
+						OPENSSL_free(tmp_wNAF);
+						goto err;
+						}
+					memcpy(wNAF[i], pp, wNAF_len[i]);
+					if (wNAF_len[i] > max_len)
+						max_len = wNAF_len[i];
+
+					if (*tmp_points == NULL)
+						{
+						ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
+						OPENSSL_free(tmp_wNAF);
+						goto err;
+						}
+					val_sub[i] = tmp_points;
+					tmp_points += pre_points_per_block;
+					pp += blocksize;
+					}
+				OPENSSL_free(tmp_wNAF);
+				}
+			}
 		}
 
-	/* all precomputed points go into a single array 'val',
-	 * 'val_sub[i]' is a pointer to the subarray for the i-th point */
+	/* All points we precompute now go into a single array 'val'.
+	 * 'val_sub[i]' is a pointer to the subarray for the i-th point,
+	 * or to a subarray of 'pre_comp->points' if we already have precomputation. */
 	val = OPENSSL_malloc((num_val + 1) * sizeof val[0]);
 	if (val == NULL) goto err;
 	val[num_val] = NULL; /* pivot element */
 
-	val_sub = OPENSSL_malloc(totalnum * sizeof val_sub[0]);
-	if (val_sub == NULL) goto err;
-
 	/* allocate points for precomputation */
 	v = val;
-	for (i = 0; i < totalnum; i++)
+	for (i = 0; i < num + num_scalar; i++)
 		{
 		val_sub[i] = v;
 		for (j = 0; j < (1u << (wsize[i] - 1)); j++)
@@ -285,19 +581,12 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 		}
 	if (!(v == val + num_val))
 		{
-		ECerr(EC_F_EC_POINTS_MUL, ERR_R_INTERNAL_ERROR);
+		ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
 		goto err;
 		}
 
-	if (ctx == NULL)
-		{
-		ctx = new_ctx = BN_CTX_new();
-		if (ctx == NULL)
-			goto err;
-		}
-	
-	tmp = EC_POINT_new(group);
-	if (tmp == NULL) goto err;
+	if (!(tmp = EC_POINT_new(group)))
+		goto err;
 
 	/* prepare precomputed values:
 	 *    val_sub[i][0] :=     points[i]
@@ -305,7 +594,7 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	 *    val_sub[i][2] := 5 * points[i]
 	 *    ...
 	 */
-	for (i = 0; i < totalnum; i++)
+	for (i = 0; i < num + num_scalar; i++)
 		{
 		if (i < num)
 			{
@@ -324,16 +613,11 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 				if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) goto err;
 				}
 			}
-
-		wNAF[i + 1] = NULL; /* make sure we always have a pivot */
-		wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i], ctx);
-		if (wNAF[i] == NULL) goto err;
-		if (wNAF_len[i] > max_len)
-			max_len = wNAF_len[i];
 		}
 
 #if 1 /* optional; EC_window_bits_for_scalar_size assumes we do this step */
-	if (!EC_POINTs_make_affine(group, num_val, val, ctx)) goto err;
+	if (!EC_POINTs_make_affine(group, num_val, val, ctx))
+		goto err;
 #endif
 
 	r_is_at_infinity = 1;
@@ -429,57 +713,198 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	}
 
 
-int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx)
-	{
-	const EC_POINT *points[1];
-	const BIGNUM *scalars[1];
-
-	points[0] = point;
-	scalars[0] = p_scalar;
-
-	return EC_POINTs_mul(group, r, g_scalar, (point != NULL && p_scalar != NULL), points, scalars, ctx);
-	}
-
-
-int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
+/* ec_wNAF_precompute_mult()
+ * creates an EC_PRE_COMP object with preprecomputed multiples of the generator
+ * for use with wNAF splitting as implemented in ec_wNAF_mul().
+ * 
+ * 'pre_comp->points' is an array of multiples of the generator
+ * of the following form:
+ * points[0] =     generator;
+ * points[1] = 3 * generator;
+ * ...
+ * points[2^(w-1)-1] =     (2^(w-1)-1) * generator;
+ * points[2^(w-1)]   =     2^blocksize * generator;
+ * points[2^(w-1)+1] = 3 * 2^blocksize * generator;
+ * ...
+ * points[2^(w-1)*(numblocks-1)-1] = (2^(w-1)) *  2^(blocksize*(numblocks-2)) * generator
+ * points[2^(w-1)*(numblocks-1)]   =              2^(blocksize*(numblocks-1)) * generator
+ * ...
+ * points[2^(w-1)*numblocks-1]     = (2^(w-1)) *  2^(blocksize*(numblocks-1)) * generator
+ * points[2^(w-1)*numblocks]       = NULL
+ */
+int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
 	{
 	const EC_POINT *generator;
+	EC_POINT *tmp_point = NULL, *base = NULL, **var;
 	BN_CTX *new_ctx = NULL;
 	BIGNUM *order;
+	size_t i, bits, w, pre_points_per_block, blocksize, numblocks, num;
+	EC_POINT **points = NULL;
+	EC_PRE_COMP *pre_comp;
 	int ret = 0;
 
+	/* if there is an old EC_PRE_COMP object, throw it away */
+	EC_EX_DATA_free_data(&group->extra_data, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free);
+
+	if ((pre_comp = ec_pre_comp_new(group)) == NULL)
+		return 0;
+
 	generator = EC_GROUP_get0_generator(group);
 	if (generator == NULL)
 		{
-		ECerr(EC_F_EC_GROUP_PRECOMPUTE_MULT, EC_R_UNDEFINED_GENERATOR);
-		return 0;
+		ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNDEFINED_GENERATOR);
+		goto err;
 		}
 
 	if (ctx == NULL)
 		{
 		ctx = new_ctx = BN_CTX_new();
 		if (ctx == NULL)
-			return 0;
+			goto err;
 		}
 	
 	BN_CTX_start(ctx);
 	order = BN_CTX_get(ctx);
 	if (order == NULL) goto err;
 	
-	if (!EC_GROUP_get_order(group, order, ctx)) return 0;
+	if (!EC_GROUP_get_order(group, order, ctx)) goto err;		
 	if (BN_is_zero(order))
 		{
-		ECerr(EC_F_EC_GROUP_PRECOMPUTE_MULT, EC_R_UNKNOWN_ORDER);
+		ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNKNOWN_ORDER);
 		goto err;
 		}
 
-	/* TODO */
+	bits = BN_num_bits(order);
+	/* The following parameters mean we precompute (approximately)
+	 * one point per bit.
+	 *
+	 * TBD: The combination  8, 4  is perfect for 160 bits; for other
+	 * bit lengths, other parameter combinations might provide better
+	 * efficiency.
+	 */
+	blocksize = 8;
+	w = 4;
+	if (EC_window_bits_for_scalar_size(bits) > w)
+		{
+		/* let's not make the window too small ... */
+		w = EC_window_bits_for_scalar_size(bits);
+		}
 
-	ret = 1;
+	numblocks = (bits + blocksize - 1) / blocksize; /* max. number of blocks to use for wNAF splitting */
+	
+	pre_points_per_block = 1u << (w - 1);
+	num = pre_points_per_block * numblocks; /* number of points to compute and store */
+
+	points = OPENSSL_malloc(sizeof (EC_POINT*)*(num + 1));
+	if (!points)
+		{
+		ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	var = points;
+	var[num] = NULL; /* pivot */
+	for (i = 0; i < num; i++)
+		{
+		if ((var[i] = EC_POINT_new(group)) == NULL)
+			{
+			ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		}
+
+	if (!(tmp_point = EC_POINT_new(group)) || !(base = EC_POINT_new(group)))
+		{
+		ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE);
+		goto err;
+		}	
+	
+	if (!EC_POINT_copy(base, generator))
+		goto err;
+	
+	/* do the precomputation */
+	for (i = 0; i < numblocks; i++)
+		{
+		size_t j;
+
+		if (!EC_POINT_dbl(group, tmp_point, base, ctx))
+			goto err;
+
+		if (!EC_POINT_copy(*var++, base))
+			goto err;
+
+		for (j = 1; j < pre_points_per_block; j++, var++)
+			{
+			/* calculate odd multiples of the current base point */
+			if (!EC_POINT_add(group, *var, tmp_point, *(var - 1), ctx))
+				goto err;
+			}
+
+		if (i < numblocks - 1)
+			{
+			/* get the next base (multiply current one by 2^blocksize) */
+			size_t k;
+
+			if (blocksize <= 2)
+				{
+				ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_INTERNAL_ERROR);
+				goto err;
+				}				
+
+			if (!EC_POINT_dbl(group, base, tmp_point, ctx))
+				goto err;
+			for (k = 2; k < blocksize; k++)
+				{
+				if (!EC_POINT_dbl(group,base,base,ctx))
+					goto err;
+				}
+			}
+ 		}
+
+	if (!EC_POINTs_make_affine(group, num, points, ctx))
+		goto err;
 	
+	pre_comp->group = group;
+	pre_comp->blocksize = blocksize;
+	pre_comp->numblocks = numblocks;
+	pre_comp->w = w;
+	pre_comp->points = points;
+	points = NULL;
+	pre_comp->num = num;
+
+	if (!EC_EX_DATA_set_data(&group->extra_data, pre_comp,
+		ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free))
+		goto err;
+	pre_comp = NULL;
+
+	ret = 1;
  err:
-	BN_CTX_end(ctx);
+	if (ctx != NULL)
+		BN_CTX_end(ctx);
 	if (new_ctx != NULL)
 		BN_CTX_free(new_ctx);
+	if (pre_comp)
+		ec_pre_comp_free(pre_comp);
+	if (points)
+		{
+		EC_POINT **p;
+
+		for (p = points; *p != NULL; p++)
+			EC_POINT_free(*p);
+		OPENSSL_free(points);
+		}
+	if (tmp_point)
+		EC_POINT_free(tmp_point);
+	if (base)
+		EC_POINT_free(base);
 	return ret;
 	}
+
+
+int ec_wNAF_have_precompute_mult(const EC_GROUP *group)
+	{
+	if (EC_EX_DATA_get_data(group->extra_data, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free) != NULL)
+		return 1;
+	else
+		return 0;
+	}
diff --git a/crypto/openssl/crypto/ec/ec_print.c b/crypto/openssl/crypto/ec/ec_print.c
new file mode 100644
index 000000000000..f7c8a303acaf
--- /dev/null
+++ b/crypto/openssl/crypto/ec/ec_print.c
@@ -0,0 +1,195 @@
+/* crypto/ec/ec_print.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "ec_lcl.h"
+
+BIGNUM *EC_POINT_point2bn(const EC_GROUP *group, 
+                          const EC_POINT *point, 
+                          point_conversion_form_t form,
+                          BIGNUM *ret,
+                          BN_CTX *ctx)
+	{
+	size_t        buf_len=0;
+	unsigned char *buf;
+
+	buf_len = EC_POINT_point2oct(group, point, form,
+                                     NULL, 0, ctx);
+	if (buf_len == 0)
+		return NULL;
+
+	if ((buf = OPENSSL_malloc(buf_len)) == NULL)
+		return NULL;
+
+	if (!EC_POINT_point2oct(group, point, form, buf, buf_len, ctx))
+		{
+		OPENSSL_free(buf);
+		return NULL;
+		}
+
+	ret = BN_bin2bn(buf, buf_len, ret);
+
+	OPENSSL_free(buf);
+
+	return ret;
+}
+
+EC_POINT *EC_POINT_bn2point(const EC_GROUP *group,
+                            const BIGNUM *bn,
+                            EC_POINT *point, 
+                            BN_CTX *ctx)
+	{
+	size_t        buf_len=0;
+	unsigned char *buf;
+	EC_POINT      *ret;
+
+	if ((buf_len = BN_num_bytes(bn)) == 0) return NULL;
+	buf = OPENSSL_malloc(buf_len);
+	if (buf == NULL)
+		return NULL;
+
+	if (!BN_bn2bin(bn, buf)) 
+		{
+		OPENSSL_free(buf);
+		return NULL;
+		}
+
+	if (point == NULL)
+		{
+		if ((ret = EC_POINT_new(group)) == NULL)
+			{
+			OPENSSL_free(buf);
+			return NULL;
+			}
+		}
+	else
+		ret = point;
+
+	if (!EC_POINT_oct2point(group, ret, buf, buf_len, ctx))
+		{
+		if (point == NULL)
+			EC_POINT_clear_free(ret);
+		OPENSSL_free(buf);
+		return NULL;
+		}
+
+	OPENSSL_free(buf);
+	return ret;
+	}
+
+static const char *HEX_DIGITS = "0123456789ABCDEF";
+
+/* the return value must be freed (using OPENSSL_free()) */
+char *EC_POINT_point2hex(const EC_GROUP *group,
+                         const EC_POINT *point,
+                         point_conversion_form_t form,
+                         BN_CTX *ctx)
+	{
+	char          *ret, *p;
+	size_t        buf_len=0,i;
+	unsigned char *buf, *pbuf;
+
+	buf_len = EC_POINT_point2oct(group, point, form,
+                                     NULL, 0, ctx);
+	if (buf_len == 0)
+		return NULL;
+
+	if ((buf = OPENSSL_malloc(buf_len)) == NULL)
+		return NULL;
+
+	if (!EC_POINT_point2oct(group, point, form, buf, buf_len, ctx))
+		{
+		OPENSSL_free(buf);
+		return NULL;
+		}
+
+	ret = (char *)OPENSSL_malloc(buf_len*2+2);
+	if (ret == NULL)
+		{
+		OPENSSL_free(buf);
+		return NULL;
+		}
+	p = ret;
+	pbuf = buf;
+	for (i=buf_len; i > 0; i--)
+		{
+			int v = (int) *(pbuf++);
+			*(p++)=HEX_DIGITS[v>>4];
+			*(p++)=HEX_DIGITS[v&0x0F];
+		}
+	*p='\0';
+
+	OPENSSL_free(buf);
+
+	return ret;
+	}
+
+EC_POINT *EC_POINT_hex2point(const EC_GROUP *group,
+                             const char *buf,
+                             EC_POINT *point,
+                             BN_CTX *ctx)
+	{
+	EC_POINT *ret=NULL;
+	BIGNUM   *tmp_bn=NULL;
+
+	if (!BN_hex2bn(&tmp_bn, buf))
+		return NULL;
+
+	ret = EC_POINT_bn2point(group, tmp_bn, point, ctx);
+
+	BN_clear_free(tmp_bn);
+
+	return ret;
+	}
diff --git a/crypto/openssl/crypto/ec/ecp_mont.c b/crypto/openssl/crypto/ec/ecp_mont.c
index 7b30d4c38a7a..9fc4a466a59f 100644
--- a/crypto/openssl/crypto/ec/ecp_mont.c
+++ b/crypto/openssl/crypto/ec/ecp_mont.c
@@ -1,4 +1,7 @@
 /* crypto/ec/ecp_mont.c */
+/*
+ * Originally written by Bodo Moeller for the OpenSSL project.
+ */
 /* ====================================================================
  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
@@ -52,6 +55,11 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * Portions of this software developed by SUN MICROSYSTEMS, INC.,
+ * and contributed to the OpenSSL project.
+ */
 
 #include <openssl/err.h>
 
@@ -61,16 +69,15 @@
 const EC_METHOD *EC_GFp_mont_method(void)
 	{
 	static const EC_METHOD ret = {
+		NID_X9_62_prime_field,
 		ec_GFp_mont_group_init,
 		ec_GFp_mont_group_finish,
 		ec_GFp_mont_group_clear_finish,
 		ec_GFp_mont_group_copy,
-		ec_GFp_mont_group_set_curve_GFp,
-		ec_GFp_simple_group_get_curve_GFp,
-		ec_GFp_simple_group_set_generator,
-		ec_GFp_simple_group_get0_generator,
-		ec_GFp_simple_group_get_order,
-		ec_GFp_simple_group_get_cofactor,
+		ec_GFp_mont_group_set_curve,
+		ec_GFp_simple_group_get_curve,
+		ec_GFp_simple_group_get_degree,
+		ec_GFp_simple_group_check_discriminant,
 		ec_GFp_simple_point_init,
 		ec_GFp_simple_point_finish,
 		ec_GFp_simple_point_clear_finish,
@@ -78,9 +85,9 @@ const EC_METHOD *EC_GFp_mont_method(void)
 		ec_GFp_simple_point_set_to_infinity,
 		ec_GFp_simple_set_Jprojective_coordinates_GFp,
 		ec_GFp_simple_get_Jprojective_coordinates_GFp,
-		ec_GFp_simple_point_set_affine_coordinates_GFp,
-		ec_GFp_simple_point_get_affine_coordinates_GFp,
-		ec_GFp_simple_set_compressed_coordinates_GFp,
+		ec_GFp_simple_point_set_affine_coordinates,
+		ec_GFp_simple_point_get_affine_coordinates,
+		ec_GFp_simple_set_compressed_coordinates,
 		ec_GFp_simple_point2oct,
 		ec_GFp_simple_oct2point,
 		ec_GFp_simple_add,
@@ -91,8 +98,12 @@ const EC_METHOD *EC_GFp_mont_method(void)
 		ec_GFp_simple_cmp,
 		ec_GFp_simple_make_affine,
 		ec_GFp_simple_points_make_affine,
+		0 /* mul */,
+		0 /* precompute_mult */,
+		0 /* have_precompute_mult */,	
 		ec_GFp_mont_field_mul,
 		ec_GFp_mont_field_sqr,
+		0 /* field_div */,
 		ec_GFp_mont_field_encode,
 		ec_GFp_mont_field_decode,
 		ec_GFp_mont_field_set_to_one };
@@ -112,66 +123,6 @@ int ec_GFp_mont_group_init(EC_GROUP *group)
 	}
 
 
-int ec_GFp_mont_group_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
-	{
-	BN_CTX *new_ctx = NULL;
-	BN_MONT_CTX *mont = NULL;
-	BIGNUM *one = NULL;
-	int ret = 0;
-
-	if (group->field_data1 != NULL)
-		{
-		BN_MONT_CTX_free(group->field_data1);
-		group->field_data1 = NULL;
-		}
-	if (group->field_data2 != NULL)
-		{
-		BN_free(group->field_data2);
-		group->field_data2 = NULL;
-		}
-	
-	if (ctx == NULL)
-		{
-		ctx = new_ctx = BN_CTX_new();
-		if (ctx == NULL)
-			return 0;
-		}
-
-	mont = BN_MONT_CTX_new();
-	if (mont == NULL) goto err;
-	if (!BN_MONT_CTX_set(mont, p, ctx))
-		{
-		ECerr(EC_F_GFP_MONT_GROUP_SET_CURVE_GFP, ERR_R_BN_LIB);
-		goto err;
-		}
-	one = BN_new();
-	if (one == NULL) goto err;
-	if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) goto err;
-
-	group->field_data1 = mont;
-	mont = NULL;
-	group->field_data2 = one;
-	one = NULL;
-
-	ret = ec_GFp_simple_group_set_curve_GFp(group, p, a, b, ctx);
-
-	if (!ret)
-		{
-		BN_MONT_CTX_free(group->field_data1);
-		group->field_data1 = NULL;
-		BN_free(group->field_data2);
-		group->field_data2 = NULL;
-		}
-
- err:
-	if (new_ctx != NULL)
-		BN_CTX_free(new_ctx);
-	if (mont != NULL)
-		BN_MONT_CTX_free(mont);
-	return ret;
-	}
-
-
 void ec_GFp_mont_group_finish(EC_GROUP *group)
 	{
 	if (group->field_data1 != NULL)
@@ -243,6 +194,66 @@ int ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src)
 	}
 
 
+int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+	{
+	BN_CTX *new_ctx = NULL;
+	BN_MONT_CTX *mont = NULL;
+	BIGNUM *one = NULL;
+	int ret = 0;
+
+	if (group->field_data1 != NULL)
+		{
+		BN_MONT_CTX_free(group->field_data1);
+		group->field_data1 = NULL;
+		}
+	if (group->field_data2 != NULL)
+		{
+		BN_free(group->field_data2);
+		group->field_data2 = NULL;
+		}
+	
+	if (ctx == NULL)
+		{
+		ctx = new_ctx = BN_CTX_new();
+		if (ctx == NULL)
+			return 0;
+		}
+
+	mont = BN_MONT_CTX_new();
+	if (mont == NULL) goto err;
+	if (!BN_MONT_CTX_set(mont, p, ctx))
+		{
+		ECerr(EC_F_EC_GFP_MONT_GROUP_SET_CURVE, ERR_R_BN_LIB);
+		goto err;
+		}
+	one = BN_new();
+	if (one == NULL) goto err;
+	if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) goto err;
+
+	group->field_data1 = mont;
+	mont = NULL;
+	group->field_data2 = one;
+	one = NULL;
+
+	ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
+
+	if (!ret)
+		{
+		BN_MONT_CTX_free(group->field_data1);
+		group->field_data1 = NULL;
+		BN_free(group->field_data2);
+		group->field_data2 = NULL;
+		}
+
+ err:
+	if (new_ctx != NULL)
+		BN_CTX_free(new_ctx);
+	if (mont != NULL)
+		BN_MONT_CTX_free(mont);
+	return ret;
+	}
+
+
 int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 	{
 	if (group->field_data1 == NULL)
@@ -295,7 +306,7 @@ int ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, BN_CTX *ctx)
 	{
 	if (group->field_data2 == NULL)
 		{
-		ECerr(EC_F_EC_GFP_MONT_FIELD_DECODE, EC_R_NOT_INITIALIZED);
+		ECerr(EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE, EC_R_NOT_INITIALIZED);
 		return 0;
 		}
 
diff --git a/crypto/openssl/crypto/ec/ecp_nist.c b/crypto/openssl/crypto/ec/ecp_nist.c
index ed0774867545..71893d5eaba1 100644
--- a/crypto/openssl/crypto/ec/ecp_nist.c
+++ b/crypto/openssl/crypto/ec/ecp_nist.c
@@ -1,6 +1,9 @@
 /* crypto/ec/ecp_nist.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project.
+ */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -52,23 +55,30 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * Portions of this software developed by SUN MICROSYSTEMS, INC.,
+ * and contributed to the OpenSSL project.
+ */
 
+#include <limits.h>
+
+#include <openssl/err.h>
+#include <openssl/obj_mac.h>
 #include "ec_lcl.h"
 
-#if 0
 const EC_METHOD *EC_GFp_nist_method(void)
 	{
 	static const EC_METHOD ret = {
-		ec_GFp_nist_group_init,
-		ec_GFp_nist_group_finish,
-		ec_GFp_nist_group_clear_finish,
+		NID_X9_62_prime_field,
+		ec_GFp_simple_group_init,
+		ec_GFp_simple_group_finish,
+		ec_GFp_simple_group_clear_finish,
 		ec_GFp_nist_group_copy,
-		ec_GFp_nist_group_set_curve_GFp,
-		ec_GFp_simple_group_get_curve_GFp,
-		ec_GFp_simple_group_set_generator,
-		ec_GFp_simple_group_get0_generator,
-		ec_GFp_simple_group_get_order,
-		ec_GFp_simple_group_get_cofactor,
+		ec_GFp_nist_group_set_curve,
+		ec_GFp_simple_group_get_curve,
+		ec_GFp_simple_group_get_degree,
+		ec_GFp_simple_group_check_discriminant,
 		ec_GFp_simple_point_init,
 		ec_GFp_simple_point_finish,
 		ec_GFp_simple_point_clear_finish,
@@ -76,9 +86,9 @@ const EC_METHOD *EC_GFp_nist_method(void)
 		ec_GFp_simple_point_set_to_infinity,
 		ec_GFp_simple_set_Jprojective_coordinates_GFp,
 		ec_GFp_simple_get_Jprojective_coordinates_GFp,
-		ec_GFp_simple_point_set_affine_coordinates_GFp,
-		ec_GFp_simple_point_get_affine_coordinates_GFp,
-		ec_GFp_simple_set_compressed_coordinates_GFp,
+		ec_GFp_simple_point_set_affine_coordinates,
+		ec_GFp_simple_point_get_affine_coordinates,
+		ec_GFp_simple_set_compressed_coordinates,
 		ec_GFp_simple_point2oct,
 		ec_GFp_simple_oct2point,
 		ec_GFp_simple_add,
@@ -89,46 +99,138 @@ const EC_METHOD *EC_GFp_nist_method(void)
 		ec_GFp_simple_cmp,
 		ec_GFp_simple_make_affine,
 		ec_GFp_simple_points_make_affine,
+		0 /* mul */,
+		0 /* precompute_mult */,
+		0 /* have_precompute_mult */,	
 		ec_GFp_nist_field_mul,
 		ec_GFp_nist_field_sqr,
+		0 /* field_div */,
 		0 /* field_encode */,
 		0 /* field_decode */,
 		0 /* field_set_to_one */ };
 
 	return &ret;
 	}
-#endif
 
+#if BN_BITS2 == 64
+#define	NO_32_BIT_TYPE
+#endif
 
-int ec_GFp_nist_group_init(EC_GROUP *group)
+int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src)
 	{
-	int ok;
+	dest->field_mod_func = src->field_mod_func;
 
-	ok = ec_GFp_simple_group_init(group);
-	group->field_data1 = NULL;
-	return ok;
+	return ec_GFp_simple_group_copy(dest, src);
 	}
 
-
-int ec_GFp_nist_group_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
-/* TODO */
-
-
-void ec_GFp_nist_group_finish(EC_GROUP *group);
-/* TODO */
-
-
-void ec_GFp_nist_group_clear_finish(EC_GROUP *group);
-/* TODO */
-
-
-int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src);
-/* TODO */
+int ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p,
+	const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+	{
+	int ret = 0;
+	BN_CTX *new_ctx = NULL;
+	BIGNUM *tmp_bn;
+	
+	if (ctx == NULL)
+		if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0;
+
+	BN_CTX_start(ctx);
+	if ((tmp_bn = BN_CTX_get(ctx)) == NULL) goto err;
+
+	if (BN_ucmp(BN_get0_nist_prime_192(), p) == 0)
+		group->field_mod_func = BN_nist_mod_192;
+	else if (BN_ucmp(BN_get0_nist_prime_224(), p) == 0)
+		{
+#ifndef NO_32_BIT_TYPE
+		group->field_mod_func = BN_nist_mod_224;
+#else
+		ECerr(EC_F_EC_GFP_NIST_GROUP_SET_CURVE, EC_R_NOT_A_SUPPORTED_NIST_PRIME);
+		goto err;
+#endif
+		}
+	else if (BN_ucmp(BN_get0_nist_prime_256(), p) == 0)
+		{
+#ifndef NO_32_BIT_TYPE
+		group->field_mod_func = BN_nist_mod_256;
+#else
+		ECerr(EC_F_EC_GFP_NIST_GROUP_SET_CURVE, EC_R_NOT_A_SUPPORTED_NIST_PRIME);
+		goto err;
+#endif
+		}
+	else if (BN_ucmp(BN_get0_nist_prime_384(), p) == 0)
+		{
+#ifndef NO_32_BIT_TYPE
+		group->field_mod_func = BN_nist_mod_384;
+#else
+		ECerr(EC_F_EC_GFP_NIST_GROUP_SET_CURVE, EC_R_NOT_A_SUPPORTED_NIST_PRIME);
+		goto err;
+#endif
+		}
+	else if (BN_ucmp(BN_get0_nist_prime_521(), p) == 0)
+		/* this one works in the NO_32_BIT_TYPE case */
+		group->field_mod_func = BN_nist_mod_521;
+	else
+		{
+		ECerr(EC_F_EC_GFP_NIST_GROUP_SET_CURVE, EC_R_NOT_A_NIST_PRIME);
+		goto err;
+		}
+
+	ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
+
+ err:
+	BN_CTX_end(ctx);
+	if (new_ctx != NULL)
+		BN_CTX_free(new_ctx);
+	return ret;
+	}
 
 
-int ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
-/* TODO */
+int ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+	const BIGNUM *b, BN_CTX *ctx)
+	{
+	int	ret=0;
+	BN_CTX	*ctx_new=NULL;
+
+	if (!group || !r || !a || !b)
+		{
+		ECerr(EC_F_EC_GFP_NIST_FIELD_MUL, ERR_R_PASSED_NULL_PARAMETER);
+		goto err;
+		}
+	if (!ctx)
+		if ((ctx_new = ctx = BN_CTX_new()) == NULL) goto err;
+
+	if (!BN_mul(r, a, b, ctx)) goto err;
+	if (!group->field_mod_func(r, r, &group->field, ctx))
+		goto err;
+
+	ret=1;
+err:
+	if (ctx_new)
+		BN_CTX_free(ctx_new);
+	return ret;
+	}
 
 
-int ec_GFp_nist_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
-/* TODO */
+int ec_GFp_nist_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+	BN_CTX *ctx)
+	{
+	int	ret=0;
+	BN_CTX	*ctx_new=NULL;
+
+	if (!group || !r || !a)
+		{
+		ECerr(EC_F_EC_GFP_NIST_FIELD_SQR, EC_R_PASSED_NULL_PARAMETER);
+		goto err;
+		}
+	if (!ctx)
+		if ((ctx_new = ctx = BN_CTX_new()) == NULL) goto err;
+
+	if (!BN_sqr(r, a, ctx)) goto err;
+	if (!group->field_mod_func(r, r, &group->field, ctx))
+		goto err;
+
+	ret=1;
+err:
+	if (ctx_new)
+		BN_CTX_free(ctx_new);
+	return ret;
+	}
diff --git a/crypto/openssl/crypto/ec/ecp_smpl.c b/crypto/openssl/crypto/ec/ecp_smpl.c
index e9a51fb87a1c..4d26f8bdf692 100644
--- a/crypto/openssl/crypto/ec/ecp_smpl.c
+++ b/crypto/openssl/crypto/ec/ecp_smpl.c
@@ -1,8 +1,10 @@
 /* crypto/ec/ecp_smpl.c */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
- * for the OpenSSL project. */
+ * for the OpenSSL project. 
+ * Includes code written by Bodo Moeller for the OpenSSL project.
+*/
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -54,25 +56,29 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * Portions of this software developed by SUN MICROSYSTEMS, INC.,
+ * and contributed to the OpenSSL project.
+ */
 
 #include <openssl/err.h>
+#include <openssl/symhacks.h>
 
 #include "ec_lcl.h"
 
-
 const EC_METHOD *EC_GFp_simple_method(void)
 	{
 	static const EC_METHOD ret = {
+		NID_X9_62_prime_field,
 		ec_GFp_simple_group_init,
 		ec_GFp_simple_group_finish,
 		ec_GFp_simple_group_clear_finish,
 		ec_GFp_simple_group_copy,
-		ec_GFp_simple_group_set_curve_GFp,
-		ec_GFp_simple_group_get_curve_GFp,
-		ec_GFp_simple_group_set_generator,
-		ec_GFp_simple_group_get0_generator,
-		ec_GFp_simple_group_get_order,
-		ec_GFp_simple_group_get_cofactor,
+		ec_GFp_simple_group_set_curve,
+		ec_GFp_simple_group_get_curve,
+		ec_GFp_simple_group_get_degree,
+		ec_GFp_simple_group_check_discriminant,
 		ec_GFp_simple_point_init,
 		ec_GFp_simple_point_finish,
 		ec_GFp_simple_point_clear_finish,
@@ -80,9 +86,9 @@ const EC_METHOD *EC_GFp_simple_method(void)
 		ec_GFp_simple_point_set_to_infinity,
 		ec_GFp_simple_set_Jprojective_coordinates_GFp,
 		ec_GFp_simple_get_Jprojective_coordinates_GFp,
-		ec_GFp_simple_point_set_affine_coordinates_GFp,
-		ec_GFp_simple_point_get_affine_coordinates_GFp,
-		ec_GFp_simple_set_compressed_coordinates_GFp,
+		ec_GFp_simple_point_set_affine_coordinates,
+		ec_GFp_simple_point_get_affine_coordinates,
+		ec_GFp_simple_set_compressed_coordinates,
 		ec_GFp_simple_point2oct,
 		ec_GFp_simple_oct2point,
 		ec_GFp_simple_add,
@@ -93,8 +99,12 @@ const EC_METHOD *EC_GFp_simple_method(void)
 		ec_GFp_simple_cmp,
 		ec_GFp_simple_make_affine,
 		ec_GFp_simple_points_make_affine,
+		0 /* mul */,
+		0 /* precompute_mult */,
+		0 /* have_precompute_mult */,	
 		ec_GFp_simple_field_mul,
 		ec_GFp_simple_field_sqr,
+		0 /* field_div */,
 		0 /* field_encode */,
 		0 /* field_decode */,
 		0 /* field_set_to_one */ };
@@ -103,15 +113,26 @@ const EC_METHOD *EC_GFp_simple_method(void)
 	}
 
 
+/* Most method functions in this file are designed to work with
+ * non-trivial representations of field elements if necessary
+ * (see ecp_mont.c): while standard modular addition and subtraction
+ * are used, the field_mul and field_sqr methods will be used for
+ * multiplication, and field_encode and field_decode (if defined)
+ * will be used for converting between representations.
+
+ * Functions ec_GFp_simple_points_make_affine() and
+ * ec_GFp_simple_point_get_affine_coordinates() specifically assume
+ * that if a non-trivial representation is used, it is a Montgomery
+ * representation (i.e. 'encoding' means multiplying by some factor R).
+ */
+
+
 int ec_GFp_simple_group_init(EC_GROUP *group)
 	{
 	BN_init(&group->field);
 	BN_init(&group->a);
 	BN_init(&group->b);
 	group->a_is_minus3 = 0;
-	group->generator = NULL;
-	BN_init(&group->order);
-	BN_init(&group->cofactor);
 	return 1;
 	}
 
@@ -121,10 +142,6 @@ void ec_GFp_simple_group_finish(EC_GROUP *group)
 	BN_free(&group->field);
 	BN_free(&group->a);
 	BN_free(&group->b);
-	if (group->generator != NULL)
-		EC_POINT_free(group->generator);
-	BN_free(&group->order);
-	BN_free(&group->cofactor);
 	}
 
 
@@ -133,13 +150,6 @@ void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
 	BN_clear_free(&group->field);
 	BN_clear_free(&group->a);
 	BN_clear_free(&group->b);
-	if (group->generator != NULL)
-		{
-		EC_POINT_clear_free(group->generator);
-		group->generator = NULL;
-		}
-	BN_clear_free(&group->order);
-	BN_clear_free(&group->cofactor);
 	}
 
 
@@ -151,33 +161,11 @@ int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
 
 	dest->a_is_minus3 = src->a_is_minus3;
 
-	if (src->generator != NULL)
-		{
-		if (dest->generator == NULL)
-			{
-			dest->generator = EC_POINT_new(dest);
-			if (dest->generator == NULL) return 0;
-			}
-		if (!EC_POINT_copy(dest->generator, src->generator)) return 0;
-		}
-	else
-		{
-		/* src->generator == NULL */
-		if (dest->generator != NULL)
-			{
-			EC_POINT_clear_free(dest->generator);
-			dest->generator = NULL;
-			}
-		}
-
-	if (!BN_copy(&dest->order, &src->order)) return 0;
-	if (!BN_copy(&dest->cofactor, &src->cofactor)) return 0;
-
 	return 1;
 	}
 
 
-int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group,
+int ec_GFp_simple_group_set_curve(EC_GROUP *group,
 	const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 	{
 	int ret = 0;
@@ -187,7 +175,7 @@ int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group,
 	/* p must be a prime > 3 */
 	if (BN_num_bits(p) <= 2 || !BN_is_odd(p))
 		{
-		ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP, EC_R_INVALID_FIELD);
+		ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_INVALID_FIELD);
 		return 0;
 		}
 
@@ -204,7 +192,7 @@ int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group,
 
 	/* group->field */
 	if (!BN_copy(&group->field, p)) goto err;
-	group->field.neg = 0;
+	BN_set_negative(&group->field, 0);
 
 	/* group->a */
 	if (!BN_nnmod(tmp_a, a, p, ctx)) goto err;
@@ -232,7 +220,7 @@ int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group,
 	}
 
 
-int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
+int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
 	{
 	int ret = 0;
 	BN_CTX *new_ctx = NULL;
@@ -283,58 +271,76 @@ int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *
 	}
 
 
+int ec_GFp_simple_group_get_degree(const EC_GROUP *group)
+	{
+	return BN_num_bits(&group->field);
+	}
+
 
-int ec_GFp_simple_group_set_generator(EC_GROUP *group, const EC_POINT *generator,
-	const BIGNUM *order, const BIGNUM *cofactor)
+int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
 	{
-	if (generator == NULL)
+	int ret = 0;
+	BIGNUM *a,*b,*order,*tmp_1,*tmp_2;
+	const BIGNUM *p = &group->field;
+	BN_CTX *new_ctx = NULL;
+
+	if (ctx == NULL)
 		{
-		ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER);
-		return 0   ;
+		ctx = new_ctx = BN_CTX_new();
+		if (ctx == NULL)
+			{
+			ECerr(EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT, ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
 		}
+	BN_CTX_start(ctx);
+	a = BN_CTX_get(ctx);
+	b = BN_CTX_get(ctx);
+	tmp_1 = BN_CTX_get(ctx);
+	tmp_2 = BN_CTX_get(ctx);
+	order = BN_CTX_get(ctx);
+	if (order == NULL) goto err;
 
-	if (group->generator == NULL)
+	if (group->meth->field_decode)
 		{
-		group->generator = EC_POINT_new(group);
-		if (group->generator == NULL) return 0;
+		if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
+		if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
 		}
-	if (!EC_POINT_copy(group->generator, generator)) return 0;
-
-	if (order != NULL)
-		{ if (!BN_copy(&group->order, order)) return 0; }	
-	else
-		{ if (!BN_zero(&group->order)) return 0; }	
-
-	if (cofactor != NULL)
-		{ if (!BN_copy(&group->cofactor, cofactor)) return 0; }	
 	else
-		{ if (!BN_zero(&group->cofactor)) return 0; }	
-
-	return 1;
-	}
-
-
-EC_POINT *ec_GFp_simple_group_get0_generator(const EC_GROUP *group)
-	{
-	return group->generator;
-	}
-
-
-int ec_GFp_simple_group_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
-	{
-	if (!BN_copy(order, &group->order))
-		return 0;
-
-	return !BN_is_zero(&group->order);
-	}
+		{
+		if (!BN_copy(a, &group->a)) goto err;
+		if (!BN_copy(b, &group->b)) goto err;
+		}
+	
+	/* check the discriminant:
+	 * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p) 
+         * 0 =< a, b < p */
+	if (BN_is_zero(a))
+		{
+		if (BN_is_zero(b)) goto err;
+		}
+	else if (!BN_is_zero(b))
+		{
+		if (!BN_mod_sqr(tmp_1, a, p, ctx)) goto err;
+		if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx)) goto err;
+		if (!BN_lshift(tmp_1, tmp_2, 2)) goto err;
+		/* tmp_1 = 4*a^3 */
 
+		if (!BN_mod_sqr(tmp_2, b, p, ctx)) goto err;
+		if (!BN_mul_word(tmp_2, 27)) goto err;
+		/* tmp_2 = 27*b^2 */
 
-int ec_GFp_simple_group_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
-	{
-	if (!BN_copy(cofactor, &group->cofactor))
-		return 0;
+		if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx)) goto err;
+		if (BN_is_zero(a)) goto err;
+		}
+	ret = 1;
 
-	return !BN_is_zero(&group->cofactor);
+err:
+	if (ctx != NULL)
+		BN_CTX_end(ctx);
+	if (new_ctx != NULL)
+		BN_CTX_free(new_ctx);
+	return ret;
 	}
 
 
@@ -380,7 +386,8 @@ int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
 	{
 	point->Z_is_one = 0;
-	return (BN_zero(&point->Z));
+	BN_zero(&point->Z);
+	return 1;
 	}
 
 
@@ -497,13 +504,13 @@ int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const E
 	}
 
 
-int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
 	const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
 	{
 	if (x == NULL || y == NULL)
 		{
 		/* unlike for projective coordinates, we do not tolerate this */
-		ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_PASSED_NULL_PARAMETER);
+		ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES, ERR_R_PASSED_NULL_PARAMETER);
 		return 0;
 		}
 
@@ -511,17 +518,17 @@ int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POI
 	}
 
 
-int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
 	BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
 	{
 	BN_CTX *new_ctx = NULL;
-	BIGNUM *X, *Y, *Z, *Z_1, *Z_2, *Z_3;
-	const BIGNUM *X_, *Y_, *Z_;
+	BIGNUM *Z, *Z_1, *Z_2, *Z_3;
+	const BIGNUM *Z_;
 	int ret = 0;
 
 	if (EC_POINT_is_at_infinity(group, point))
 		{
-		ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_POINT_AT_INFINITY);
+		ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY);
 		return 0;
 		}
 
@@ -533,8 +540,6 @@ int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const
 		}
 
 	BN_CTX_start(ctx);
-	X = BN_CTX_get(ctx);
-	Y = BN_CTX_get(ctx);
 	Z = BN_CTX_get(ctx);
 	Z_1 = BN_CTX_get(ctx);
 	Z_2 = BN_CTX_get(ctx);
@@ -545,34 +550,44 @@ int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const
 	
 	if (group->meth->field_decode)
 		{
-		if (!group->meth->field_decode(group, X, &point->X, ctx)) goto err;
-		if (!group->meth->field_decode(group, Y, &point->Y, ctx)) goto err;
 		if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err;
-		X_ = X; Y_ = Y;	Z_ = Z;
+		Z_ = Z;
 		}
 	else
 		{
-		X_ = &point->X;
-		Y_ = &point->Y;
 		Z_ = &point->Z;
 		}
 	
 	if (BN_is_one(Z_))
 		{
-		if (x != NULL)
+		if (group->meth->field_decode)
 			{
-			if (!BN_copy(x, X_)) goto err;
+			if (x != NULL)
+				{
+				if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
+				}
+			if (y != NULL)
+				{
+				if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
+				}
 			}
-		if (y != NULL)
+		else
 			{
-			if (!BN_copy(y, Y_)) goto err;
+			if (x != NULL)
+				{
+				if (!BN_copy(x, &point->X)) goto err;
+				}
+			if (y != NULL)
+				{
+				if (!BN_copy(y, &point->Y)) goto err;
+				}
 			}
 		}
 	else
 		{
 		if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx))
 			{
-			ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_BN_LIB);
+			ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB);
 			goto err;
 			}
 		
@@ -588,15 +603,8 @@ int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const
 	
 		if (x != NULL)
 			{
-			if (group->meth->field_encode == 0)
-				{
-				/* field_mul works on standard representation */
-				if (!group->meth->field_mul(group, x, X_, Z_2, ctx)) goto err;
-				}
-			else
-				{
-				if (!BN_mod_mul(x, X_, Z_2, &group->field, ctx)) goto err;
-				}
+			/* in the Montgomery case, field_mul will cancel out Montgomery factor in X: */
+			if (!group->meth->field_mul(group, x, &point->X, Z_2, ctx)) goto err;
 			}
 
 		if (y != NULL)
@@ -605,14 +613,14 @@ int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const
 				{
 				/* field_mul works on standard representation */
 				if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) goto err;
-				if (!group->meth->field_mul(group, y, Y_, Z_3, ctx)) goto err;
-				
 				}
 			else
 				{
 				if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err;
-				if (!BN_mod_mul(y, Y_, Z_3, &group->field, ctx)) goto err;
 				}
+
+			/* in the Montgomery case, field_mul will cancel out Montgomery factor in Y: */
+			if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx)) goto err;
 			}
 		}
 
@@ -626,13 +634,16 @@ int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const
 	}
 
 
-int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
 	const BIGNUM *x_, int y_bit, BN_CTX *ctx)
 	{
 	BN_CTX *new_ctx = NULL;
 	BIGNUM *tmp1, *tmp2, *x, *y;
 	int ret = 0;
 
+	/* clear error queue*/
+	ERR_clear_error();
+
 	if (ctx == NULL)
 		{
 		ctx = new_ctx = BN_CTX_new();
@@ -704,19 +715,17 @@ int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT
 	
 	if (!BN_mod_sqrt(y, tmp1, &group->field, ctx))
 		{
-		unsigned long err = ERR_peek_error();
+		unsigned long err = ERR_peek_last_error();
 		
 		if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE)
 			{
-			(void)ERR_get_error();
-			ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT);
+			ERR_clear_error();
+			ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
 			}
 		else
-			ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_BN_LIB);
+			ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_BN_LIB);
 		goto err;
 		}
-	/* If tmp1 is not a square (i.e. there is no point on the curve with
-	 * our x), then y now is a nonsense value too */
 
 	if (y_bit != BN_is_odd(y))
 		{
@@ -728,16 +737,17 @@ int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT
 			if (kron == -2) goto err;
 
 			if (kron == 1)
-				ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSION_BIT);
+				ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSION_BIT);
 			else
-				ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT);
+				/* BN_mod_sqrt() should have cought this error (not a square) */
+				ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
 			goto err;
 			}
 		if (!BN_usub(y, &group->field, y)) goto err;
 		}
 	if (y_bit != BN_is_odd(y))
 		{
-		ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_INTERNAL_ERROR);
+		ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_INTERNAL_ERROR);
 		goto err;
 		}
 
@@ -1088,7 +1098,7 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, con
 		else
 			{
 			/* a is the inverse of b */
-			if (!BN_zero(&r->Z)) goto end;
+			BN_zero(&r->Z);
 			r->Z_is_one = 0;
 			ret = 1;
 			goto end;
@@ -1164,7 +1174,7 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_
 	
 	if (EC_POINT_is_at_infinity(group, a))
 		{
-		if (!BN_zero(&r->Z)) return 0;
+		BN_zero(&r->Z);
 		r->Z_is_one = 0;
 		return 1;
 		}
@@ -1292,7 +1302,7 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_C
 	int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
 	const BIGNUM *p;
 	BN_CTX *new_ctx = NULL;
-	BIGNUM *rh, *tmp1, *tmp2, *Z4, *Z6;
+	BIGNUM *rh, *tmp, *Z4, *Z6;
 	int ret = -1;
 
 	if (EC_POINT_is_at_infinity(group, point))
@@ -1311,8 +1321,7 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_C
 
 	BN_CTX_start(ctx);
 	rh = BN_CTX_get(ctx);
-	tmp1 = BN_CTX_get(ctx);
-	tmp2 = BN_CTX_get(ctx);
+	tmp = BN_CTX_get(ctx);
 	Z4 = BN_CTX_get(ctx);
 	Z6 = BN_CTX_get(ctx);
 	if (Z6 == NULL) goto err;
@@ -1326,59 +1335,49 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_C
 	 * To test this, we add up the right-hand side in 'rh'.
 	 */
 
-	/* rh := X^3 */
+	/* rh := X^2 */
 	if (!field_sqr(group, rh, &point->X, ctx)) goto err;
-	if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
 
 	if (!point->Z_is_one)
 		{
-		if (!field_sqr(group, tmp1, &point->Z, ctx)) goto err;
-		if (!field_sqr(group, Z4, tmp1, ctx)) goto err;
-		if (!field_mul(group, Z6, Z4, tmp1, ctx)) goto err;
+		if (!field_sqr(group, tmp, &point->Z, ctx)) goto err;
+		if (!field_sqr(group, Z4, tmp, ctx)) goto err;
+		if (!field_mul(group, Z6, Z4, tmp, ctx)) goto err;
 
-		/* rh := rh + a*X*Z^4 */
-		if (!field_mul(group, tmp1, &point->X, Z4, ctx)) goto err;
+		/* rh := (rh + a*Z^4)*X */
 		if (group->a_is_minus3)
 			{
-			if (!BN_mod_lshift1_quick(tmp2, tmp1, p)) goto err;
-			if (!BN_mod_add_quick(tmp2, tmp2, tmp1, p)) goto err;
-			if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
+			if (!BN_mod_lshift1_quick(tmp, Z4, p)) goto err;
+			if (!BN_mod_add_quick(tmp, tmp, Z4, p)) goto err;
+			if (!BN_mod_sub_quick(rh, rh, tmp, p)) goto err;
+			if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
 			}
 		else
 			{
-			if (!field_mul(group, tmp2, tmp1, &group->a, ctx)) goto err;
-			if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
+			if (!field_mul(group, tmp, Z4, &group->a, ctx)) goto err;
+			if (!BN_mod_add_quick(rh, rh, tmp, p)) goto err;
+			if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
 			}
 
 		/* rh := rh + b*Z^6 */
-		if (!field_mul(group, tmp1, &group->b, Z6, ctx)) goto err;
-		if (!BN_mod_add_quick(rh, rh, tmp1, p)) goto err;
+		if (!field_mul(group, tmp, &group->b, Z6, ctx)) goto err;
+		if (!BN_mod_add_quick(rh, rh, tmp, p)) goto err;
 		}
 	else
 		{
 		/* point->Z_is_one */
 
-		/* rh := rh + a*X */
-		if (group->a_is_minus3)
-			{
-			if (!BN_mod_lshift1_quick(tmp2, &point->X, p)) goto err;
-			if (!BN_mod_add_quick(tmp2, tmp2, &point->X, p)) goto err;
-			if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
-			}
-		else
-			{
-			if (!field_mul(group, tmp2, &point->X, &group->a, ctx)) goto err;
-			if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
-			}
-
+		/* rh := (rh + a)*X */
+		if (!BN_mod_add_quick(rh, rh, &group->a, p)) goto err;
+		if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
 		/* rh := rh + b */
 		if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err;
 		}
 
 	/* 'lh' := Y^2 */
-	if (!field_sqr(group, tmp1, &point->Y, ctx)) goto err;
+	if (!field_sqr(group, tmp, &point->Y, ctx)) goto err;
 
-	ret = (0 == BN_cmp(tmp1, rh));
+	ret = (0 == BN_ucmp(tmp, rh));
 
  err:
 	BN_CTX_end(ctx);
diff --git a/crypto/openssl/crypto/ec/ectest.c b/crypto/openssl/crypto/ec/ectest.c
index 345d3e428925..9d469f1cfab4 100644
--- a/crypto/openssl/crypto/ec/ectest.c
+++ b/crypto/openssl/crypto/ec/ectest.c
@@ -1,4 +1,7 @@
 /* crypto/ec/ectest.c */
+/*
+ * Originally written by Bodo Moeller for the OpenSSL project.
+ */
 /* ====================================================================
  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
@@ -52,6 +55,19 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * The elliptic curve binary polynomial software is originally written by 
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -74,6 +90,15 @@ int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); retur
 #include <openssl/engine.h>
 #endif
 #include <openssl/err.h>
+#include <openssl/obj_mac.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/bn.h>
+
+#if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12)
+/* suppress "too big too optimize" warning */
+#pragma warning(disable:4959)
+#endif
 
 #define ABORT do { \
 	fflush(stdout); \
@@ -82,47 +107,59 @@ int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); retur
 	EXIT(1); \
 } while (0)
 
+void prime_field_tests(void);
+void char2_field_tests(void);
+void internal_curve_test(void);
+
+#define TIMING_BASE_PT 0
+#define TIMING_RAND_PT 1
+#define TIMING_SIMUL 2
+
 #if 0
-static void timings(EC_GROUP *group, int multi, BN_CTX *ctx)
+static void timings(EC_GROUP *group, int type, BN_CTX *ctx)
 	{
 	clock_t clck;
 	int i, j;
-	BIGNUM *s, *s0;
+	BIGNUM *s;
+	BIGNUM *r[10], *r0[10];
 	EC_POINT *P;
 		
 	s = BN_new();
-	s0 = BN_new();
-	if (s == NULL || s0 == NULL) ABORT;
+	if (s == NULL) ABORT;
 
-	if (!EC_GROUP_get_curve_GFp(group, s, NULL, NULL, ctx)) ABORT;
-	fprintf(stdout, "Timings for %d bit prime, ", (int)BN_num_bits(s));
+	fprintf(stdout, "Timings for %d-bit field, ", EC_GROUP_get_degree(group));
 	if (!EC_GROUP_get_order(group, s, ctx)) ABORT;
-	fprintf(stdout, "%d bit scalars ", (int)BN_num_bits(s));
+	fprintf(stdout, "%d-bit scalars ", (int)BN_num_bits(s));
 	fflush(stdout);
 
 	P = EC_POINT_new(group);
 	if (P == NULL) ABORT;
 	EC_POINT_copy(P, EC_GROUP_get0_generator(group));
 
-	clck = clock();
 	for (i = 0; i < 10; i++)
 		{
-		if (!BN_pseudo_rand(s, BN_num_bits(s), 0, 0)) ABORT;
-		if (multi)
+		if ((r[i] = BN_new()) == NULL) ABORT;
+		if (!BN_pseudo_rand(r[i], BN_num_bits(s), 0, 0)) ABORT;
+		if (type != TIMING_BASE_PT)
 			{
-			if (!BN_pseudo_rand(s0, BN_num_bits(s), 0, 0)) ABORT;
+			if ((r0[i] = BN_new()) == NULL) ABORT;
+			if (!BN_pseudo_rand(r0[i], BN_num_bits(s), 0, 0)) ABORT;
 			}
+		}
+
+	clck = clock();
+	for (i = 0; i < 10; i++)
+		{
 		for (j = 0; j < 10; j++)
 			{
-			if (!EC_POINT_mul(group, P, s, multi ? P : NULL, multi ? s0 : NULL, ctx)) ABORT;
+			if (!EC_POINT_mul(group, P, (type != TIMING_RAND_PT) ? r[i] : NULL, 
+				(type != TIMING_BASE_PT) ? P : NULL, (type != TIMING_BASE_PT) ? r0[i] : NULL, ctx)) ABORT;
 			}
-		fprintf(stdout, ".");
-		fflush(stdout);
 		}
-	fprintf(stdout, "\n");
-	
 	clck = clock() - clck;
 
+	fprintf(stdout, "\n");
+
 #ifdef CLOCKS_PER_SEC
 	/* "To determine the time in seconds, the value returned
 	 * by the clock function should be divided by the value
@@ -136,43 +173,40 @@ static void timings(EC_GROUP *group, int multi, BN_CTX *ctx)
 #	define CLOCKS_PER_SEC 1
 #endif
 
-	fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
-		multi ? "s*P+t*Q operations" : "point multiplications",
-		(double)clck/CLOCKS_PER_SEC);
+	if (type == TIMING_BASE_PT) {
+		fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
+			"base point multiplications", (double)clck/CLOCKS_PER_SEC);
+	} else if (type == TIMING_RAND_PT) {
+		fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
+			"random point multiplications", (double)clck/CLOCKS_PER_SEC);
+	} else if (type == TIMING_SIMUL) {
+		fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
+			"s*P+t*Q operations", (double)clck/CLOCKS_PER_SEC);
+	}
 	fprintf(stdout, "average: %.4f " UNIT "\n", (double)clck/(CLOCKS_PER_SEC*i*j));
 
 	EC_POINT_free(P);
 	BN_free(s);
-	BN_free(s0);
+	for (i = 0; i < 10; i++)
+		{
+		BN_free(r[i]);
+		if (type != TIMING_BASE_PT) BN_free(r0[i]);
+		}
 	}
 #endif
 
-int main(int argc, char *argv[])
+void prime_field_tests()
 	{	
 	BN_CTX *ctx = NULL;
 	BIGNUM *p, *a, *b;
 	EC_GROUP *group;
-	EC_GROUP *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
+	EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
 	EC_POINT *P, *Q, *R;
 	BIGNUM *x, *y, *z;
 	unsigned char buf[100];
 	size_t i, len;
 	int k;
 	
-	/* enable memory leak checking unless explicitly disabled */
-	if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
-		{
-		CRYPTO_malloc_debug_init();
-		CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
-		}
-	else
-		{
-		/* OPENSSL_DEBUG_MEMORY=off */
-		CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
-		}
-	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-	ERR_load_crypto_strings();
-
 #if 1 /* optional */
 	ctx = BN_CTX_new();
 	if (!ctx) ABORT;
@@ -197,7 +231,7 @@ int main(int argc, char *argv[])
 		EC_GROUP *tmp;
 		tmp = EC_GROUP_new(EC_GROUP_method_of(group));
 		if (!tmp) ABORT;
-		if (!EC_GROUP_copy(tmp, group));
+		if (!EC_GROUP_copy(tmp, group)) ABORT;
 		EC_GROUP_free(group);
 		group = tmp;
 	}
@@ -317,10 +351,56 @@ int main(int argc, char *argv[])
 	if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
 
 
+	/* Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2, 2000)
+	 * -- not a NIST curve, but commonly used */
+	
+	if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF")) ABORT;
+	if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
+	if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC")) ABORT;
+	if (!BN_hex2bn(&b, "1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45")) ABORT;
+	if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+	if (!BN_hex2bn(&x, "4A96B5688EF573284664698968C38BB913CBFC82")) ABORT;
+	if (!BN_hex2bn(&y, "23a628553168947d59dcc912042351377ac5fb32")) ABORT;
+	if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+	if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+	if (!BN_hex2bn(&z, "0100000000000000000001F4C8F927AED3CA752257")) ABORT;
+	if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
+
+	if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+	fprintf(stdout, "\nSEC2 curve secp160r1 -- Generator:\n     x = 0x");
+	BN_print_fp(stdout, x);
+	fprintf(stdout, "\n     y = 0x");
+	BN_print_fp(stdout, y);
+	fprintf(stdout, "\n");
+	/* G_y value taken from the standard: */
+	if (!BN_hex2bn(&z, "23a628553168947d59dcc912042351377ac5fb32")) ABORT;
+	if (0 != BN_cmp(y, z)) ABORT;
+
+	fprintf(stdout, "verify degree ...");
+	if (EC_GROUP_get_degree(group) != 160) ABORT;
+	fprintf(stdout, " ok\n");
+	
+	fprintf(stdout, "verify group order ...");
+	fflush(stdout);
+	if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
+	if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+	fprintf(stdout, ".");
+	fflush(stdout);
+	if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+	if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+	fprintf(stdout, " ok\n");
+
+	if (!(P_160 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
+	if (!EC_GROUP_copy(P_160, group)) ABORT;
+
+
 	/* Curve P-192 (FIPS PUB 186-2, App. 6) */
 	
 	if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) ABORT;
-	if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+	if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
 	if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) ABORT;
 	if (!BN_hex2bn(&b, "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1")) ABORT;
 	if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
@@ -340,6 +420,10 @@ int main(int argc, char *argv[])
 	/* G_y value taken from the standard: */
 	if (!BN_hex2bn(&z, "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811")) ABORT;
 	if (0 != BN_cmp(y, z)) ABORT;
+
+	fprintf(stdout, "verify degree ...");
+	if (EC_GROUP_get_degree(group) != 192) ABORT;
+	fprintf(stdout, " ok\n");
 	
 	fprintf(stdout, "verify group order ...");
 	fflush(stdout);
@@ -348,7 +432,9 @@ int main(int argc, char *argv[])
 	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
 	fprintf(stdout, ".");
 	fflush(stdout);
+#if 0
 	if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+#endif
 	if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
 	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
 	fprintf(stdout, " ok\n");
@@ -360,7 +446,7 @@ int main(int argc, char *argv[])
 	/* Curve P-224 (FIPS PUB 186-2, App. 6) */
 	
 	if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001")) ABORT;
-	if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+	if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
 	if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) ABORT;
 	if (!BN_hex2bn(&b, "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4")) ABORT;
 	if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
@@ -381,6 +467,10 @@ int main(int argc, char *argv[])
 	if (!BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")) ABORT;
 	if (0 != BN_cmp(y, z)) ABORT;
 	
+	fprintf(stdout, "verify degree ...");
+	if (EC_GROUP_get_degree(group) != 224) ABORT;
+	fprintf(stdout, " ok\n");
+	
 	fprintf(stdout, "verify group order ...");
 	fflush(stdout);
 	if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
@@ -388,7 +478,9 @@ int main(int argc, char *argv[])
 	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
 	fprintf(stdout, ".");
 	fflush(stdout);
+#if 0
 	if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+#endif
 	if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
 	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
 	fprintf(stdout, " ok\n");
@@ -400,7 +492,7 @@ int main(int argc, char *argv[])
 	/* Curve P-256 (FIPS PUB 186-2, App. 6) */
 	
 	if (!BN_hex2bn(&p, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
-	if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+	if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
 	if (!BN_hex2bn(&a, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
 	if (!BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B")) ABORT;
 	if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
@@ -422,6 +514,10 @@ int main(int argc, char *argv[])
 	if (!BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) ABORT;
 	if (0 != BN_cmp(y, z)) ABORT;
 	
+	fprintf(stdout, "verify degree ...");
+	if (EC_GROUP_get_degree(group) != 256) ABORT;
+	fprintf(stdout, " ok\n");
+	
 	fprintf(stdout, "verify group order ...");
 	fflush(stdout);
 	if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
@@ -429,7 +525,9 @@ int main(int argc, char *argv[])
 	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
 	fprintf(stdout, ".");
 	fflush(stdout);
+#if 0
 	if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+#endif
 	if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
 	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
 	fprintf(stdout, " ok\n");
@@ -442,7 +540,7 @@ int main(int argc, char *argv[])
 	
 	if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
 		"FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF")) ABORT;
-	if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+	if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
 	if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
 		"FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC")) ABORT;
 	if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141"
@@ -468,6 +566,10 @@ int main(int argc, char *argv[])
 		"7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) ABORT;
 	if (0 != BN_cmp(y, z)) ABORT;
 	
+	fprintf(stdout, "verify degree ...");
+	if (EC_GROUP_get_degree(group) != 384) ABORT;
+	fprintf(stdout, " ok\n");
+	
 	fprintf(stdout, "verify group order ...");
 	fflush(stdout);
 	if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
@@ -475,7 +577,9 @@ int main(int argc, char *argv[])
 	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
 	fprintf(stdout, ".");
 	fflush(stdout);
+#if 0
 	if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+#endif
 	if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
 	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
 	fprintf(stdout, " ok\n");
@@ -489,7 +593,7 @@ int main(int argc, char *argv[])
 	if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
 		"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
 		"FFFFFFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
-	if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+	if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
 	if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
 		"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
 		"FFFFFFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
@@ -520,6 +624,10 @@ int main(int argc, char *argv[])
 		"7086A272C24088BE94769FD16650")) ABORT;
 	if (0 != BN_cmp(y, z)) ABORT;
 	
+	fprintf(stdout, "verify degree ...");
+	if (EC_GROUP_get_degree(group) != 521) ABORT;
+	fprintf(stdout, " ok\n");
+	
 	fprintf(stdout, "verify group order ...");
 	fflush(stdout);
 	if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
@@ -527,7 +635,9 @@ int main(int argc, char *argv[])
 	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
 	fprintf(stdout, ".");
 	fflush(stdout);
+#if 0
 	if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+#endif
 	if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
 	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
 	fprintf(stdout, " ok\n");
@@ -577,7 +687,7 @@ int main(int argc, char *argv[])
 
 		if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT;
 		if (!BN_add(z, z, y)) ABORT;
-		z->neg = 1;
+		BN_set_negative(z, 1);
 		scalars[0] = y;
 		scalars[1] = z; /* z = -(order + y) */
 
@@ -589,7 +699,7 @@ int main(int argc, char *argv[])
 
 		if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) ABORT;
 		if (!BN_add(z, x, y)) ABORT;
-		z->neg = 1;
+		BN_set_negative(z, 1);
 		scalars[0] = x;
 		scalars[1] = y;
 		scalars[2] = z; /* z = -(x+y) */
@@ -602,16 +712,24 @@ int main(int argc, char *argv[])
 
 
 #if 0
-	timings(P_192, 0, ctx);
-	timings(P_192, 1, ctx);
-	timings(P_224, 0, ctx);
-	timings(P_224, 1, ctx);
-	timings(P_256, 0, ctx);
-	timings(P_256, 1, ctx);
-	timings(P_384, 0, ctx);
-	timings(P_384, 1, ctx);
-	timings(P_521, 0, ctx);
-	timings(P_521, 1, ctx);
+	timings(P_160, TIMING_BASE_PT, ctx);
+	timings(P_160, TIMING_RAND_PT, ctx);
+	timings(P_160, TIMING_SIMUL, ctx);
+	timings(P_192, TIMING_BASE_PT, ctx);
+	timings(P_192, TIMING_RAND_PT, ctx);
+	timings(P_192, TIMING_SIMUL, ctx);
+	timings(P_224, TIMING_BASE_PT, ctx);
+	timings(P_224, TIMING_RAND_PT, ctx);
+	timings(P_224, TIMING_SIMUL, ctx);
+	timings(P_256, TIMING_BASE_PT, ctx);
+	timings(P_256, TIMING_RAND_PT, ctx);
+	timings(P_256, TIMING_SIMUL, ctx);
+	timings(P_384, TIMING_BASE_PT, ctx);
+	timings(P_384, TIMING_RAND_PT, ctx);
+	timings(P_384, TIMING_SIMUL, ctx);
+	timings(P_521, TIMING_BASE_PT, ctx);
+	timings(P_521, TIMING_RAND_PT, ctx);
+	timings(P_521, TIMING_SIMUL, ctx);
 #endif
 
 
@@ -624,12 +742,587 @@ int main(int argc, char *argv[])
 	EC_POINT_free(R);
 	BN_free(x); BN_free(y); BN_free(z);
 
+	if (P_160) EC_GROUP_free(P_160);
 	if (P_192) EC_GROUP_free(P_192);
 	if (P_224) EC_GROUP_free(P_224);
 	if (P_256) EC_GROUP_free(P_256);
 	if (P_384) EC_GROUP_free(P_384);
 	if (P_521) EC_GROUP_free(P_521);
 
+	}
+
+/* Change test based on whether binary point compression is enabled or not. */
+#ifdef OPENSSL_EC_BIN_PT_COMP
+#define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \
+	if (!BN_hex2bn(&x, _x)) ABORT; \
+	if (!EC_POINT_set_compressed_coordinates_GF2m(group, P, x, _y_bit, ctx)) ABORT; \
+	if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; \
+	if (!BN_hex2bn(&z, _order)) ABORT; \
+	if (!BN_hex2bn(&cof, _cof)) ABORT; \
+	if (!EC_GROUP_set_generator(group, P, z, cof)) ABORT; \
+	if (!EC_POINT_get_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT; \
+	fprintf(stdout, "\n%s -- Generator:\n     x = 0x", _name); \
+	BN_print_fp(stdout, x); \
+	fprintf(stdout, "\n     y = 0x"); \
+	BN_print_fp(stdout, y); \
+	fprintf(stdout, "\n"); \
+	/* G_y value taken from the standard: */ \
+	if (!BN_hex2bn(&z, _y)) ABORT; \
+	if (0 != BN_cmp(y, z)) ABORT;
+#else 
+#define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \
+	if (!BN_hex2bn(&x, _x)) ABORT; \
+	if (!BN_hex2bn(&y, _y)) ABORT; \
+	if (!EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT; \
+	if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; \
+	if (!BN_hex2bn(&z, _order)) ABORT; \
+	if (!BN_hex2bn(&cof, _cof)) ABORT; \
+	if (!EC_GROUP_set_generator(group, P, z, cof)) ABORT; \
+	fprintf(stdout, "\n%s -- Generator:\n     x = 0x", _name); \
+	BN_print_fp(stdout, x); \
+	fprintf(stdout, "\n     y = 0x"); \
+	BN_print_fp(stdout, y); \
+	fprintf(stdout, "\n");
+#endif
+
+#define CHAR2_CURVE_TEST(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \
+	if (!BN_hex2bn(&p, _p)) ABORT; \
+	if (!BN_hex2bn(&a, _a)) ABORT; \
+	if (!BN_hex2bn(&b, _b)) ABORT; \
+	if (!EC_GROUP_set_curve_GF2m(group, p, a, b, ctx)) ABORT; \
+	CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \
+	fprintf(stdout, "verify degree ..."); \
+	if (EC_GROUP_get_degree(group) != _degree) ABORT; \
+	fprintf(stdout, " ok\n"); \
+	fprintf(stdout, "verify group order ..."); \
+	fflush(stdout); \
+	if (!EC_GROUP_get_order(group, z, ctx)) ABORT; \
+	if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; \
+	if (!EC_POINT_is_at_infinity(group, Q)) ABORT; \
+	fprintf(stdout, "."); \
+	fflush(stdout); \
+	/* if (!EC_GROUP_precompute_mult(group, ctx)) ABORT; */ \
+	if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; \
+	if (!EC_POINT_is_at_infinity(group, Q)) ABORT; \
+	fprintf(stdout, " ok\n"); \
+	if (!(_variable = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; \
+	if (!EC_GROUP_copy(_variable, group)) ABORT;
+
+void char2_field_tests()
+	{	
+	BN_CTX *ctx = NULL;
+	BIGNUM *p, *a, *b;
+	EC_GROUP *group;
+	EC_GROUP *C2_K163 = NULL, *C2_K233 = NULL, *C2_K283 = NULL, *C2_K409 = NULL, *C2_K571 = NULL;
+	EC_GROUP *C2_B163 = NULL, *C2_B233 = NULL, *C2_B283 = NULL, *C2_B409 = NULL, *C2_B571 = NULL;
+	EC_POINT *P, *Q, *R;
+	BIGNUM *x, *y, *z, *cof;
+	unsigned char buf[100];
+	size_t i, len;
+	int k;
+	
+#if 1 /* optional */
+	ctx = BN_CTX_new();
+	if (!ctx) ABORT;
+#endif
+
+	p = BN_new();
+	a = BN_new();
+	b = BN_new();
+	if (!p || !a || !b) ABORT;
+
+	if (!BN_hex2bn(&p, "13")) ABORT;
+	if (!BN_hex2bn(&a, "3")) ABORT;
+	if (!BN_hex2bn(&b, "1")) ABORT;
+	
+	group = EC_GROUP_new(EC_GF2m_simple_method()); /* applications should use EC_GROUP_new_curve_GF2m
+	                                                * so that the library gets to choose the EC_METHOD */
+	if (!group) ABORT;
+	if (!EC_GROUP_set_curve_GF2m(group, p, a, b, ctx)) ABORT;
+
+	{
+		EC_GROUP *tmp;
+		tmp = EC_GROUP_new(EC_GROUP_method_of(group));
+		if (!tmp) ABORT;
+		if (!EC_GROUP_copy(tmp, group)) ABORT;
+		EC_GROUP_free(group);
+		group = tmp;
+	}
+	
+	if (!EC_GROUP_get_curve_GF2m(group, p, a, b, ctx)) ABORT;
+
+	fprintf(stdout, "Curve defined by Weierstrass equation\n     y^2 + x*y = x^3 + a*x^2 + b  (mod 0x");
+	BN_print_fp(stdout, p);
+	fprintf(stdout, ")\n     a = 0x");
+	BN_print_fp(stdout, a);
+	fprintf(stdout, "\n     b = 0x");
+	BN_print_fp(stdout, b);
+	fprintf(stdout, "\n(0x... means binary polynomial)\n");
+
+	P = EC_POINT_new(group);
+	Q = EC_POINT_new(group);
+	R = EC_POINT_new(group);
+	if (!P || !Q || !R) ABORT;
+	
+	if (!EC_POINT_set_to_infinity(group, P)) ABORT;
+	if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+	buf[0] = 0;
+	if (!EC_POINT_oct2point(group, Q, buf, 1, ctx)) ABORT;
+
+	if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
+	if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+	x = BN_new();
+	y = BN_new();
+	z = BN_new();
+	cof = BN_new();
+	if (!x || !y || !z || !cof) ABORT;
+
+	if (!BN_hex2bn(&x, "6")) ABORT;
+/* Change test based on whether binary point compression is enabled or not. */
+#ifdef OPENSSL_EC_BIN_PT_COMP
+	if (!EC_POINT_set_compressed_coordinates_GF2m(group, Q, x, 1, ctx)) ABORT;
+#else
+	if (!BN_hex2bn(&y, "8")) ABORT;
+	if (!EC_POINT_set_affine_coordinates_GF2m(group, Q, x, y, ctx)) ABORT;
+#endif
+	if (!EC_POINT_is_on_curve(group, Q, ctx))
+		{
+/* Change test based on whether binary point compression is enabled or not. */
+#ifdef OPENSSL_EC_BIN_PT_COMP
+		if (!EC_POINT_get_affine_coordinates_GF2m(group, Q, x, y, ctx)) ABORT;
+#endif
+		fprintf(stderr, "Point is not on curve: x = 0x");
+		BN_print_fp(stderr, x);
+		fprintf(stderr, ", y = 0x");
+		BN_print_fp(stderr, y);
+		fprintf(stderr, "\n");
+		ABORT;
+		}
+
+	fprintf(stdout, "A cyclic subgroup:\n");
+	k = 100;
+	do
+		{
+		if (k-- == 0) ABORT;
+
+		if (EC_POINT_is_at_infinity(group, P))
+			fprintf(stdout, "     point at infinity\n");
+		else
+			{
+			if (!EC_POINT_get_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT;
+
+			fprintf(stdout, "     x = 0x");
+			BN_print_fp(stdout, x);
+			fprintf(stdout, ", y = 0x");
+			BN_print_fp(stdout, y);
+			fprintf(stdout, "\n");
+			}
+		
+		if (!EC_POINT_copy(R, P)) ABORT;
+		if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
+		}
+	while (!EC_POINT_is_at_infinity(group, P));
+
+	if (!EC_POINT_add(group, P, Q, R, ctx)) ABORT;
+	if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+/* Change test based on whether binary point compression is enabled or not. */
+#ifdef OPENSSL_EC_BIN_PT_COMP
+	len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, sizeof buf, ctx);
+	if (len == 0) ABORT;
+	if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
+	if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
+	fprintf(stdout, "Generator as octet string, compressed form:\n     ");
+	for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
+#endif
+	
+	len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof buf, ctx);
+	if (len == 0) ABORT;
+	if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
+	if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
+	fprintf(stdout, "\nGenerator as octet string, uncompressed form:\n     ");
+	for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
+	
+/* Change test based on whether binary point compression is enabled or not. */
+#ifdef OPENSSL_EC_BIN_PT_COMP
+	len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof buf, ctx);
+	if (len == 0) ABORT;
+	if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
+	if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
+	fprintf(stdout, "\nGenerator as octet string, hybrid form:\n     ");
+	for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
+#endif
+
+	fprintf(stdout, "\n");
+	
+	if (!EC_POINT_invert(group, P, ctx)) ABORT;
+	if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
+
+
+	/* Curve K-163 (FIPS PUB 186-2, App. 6) */
+	CHAR2_CURVE_TEST
+		(
+		"NIST curve K-163",
+		"0800000000000000000000000000000000000000C9",
+		"1",
+		"1",
+		"02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8",
+		"0289070FB05D38FF58321F2E800536D538CCDAA3D9",
+		1,
+		"04000000000000000000020108A2E0CC0D99F8A5EF",
+		"2",
+		163,
+		C2_K163
+		);
+
+	/* Curve B-163 (FIPS PUB 186-2, App. 6) */
+	CHAR2_CURVE_TEST
+		(
+		"NIST curve B-163",
+		"0800000000000000000000000000000000000000C9",
+		"1",
+		"020A601907B8C953CA1481EB10512F78744A3205FD",
+		"03F0EBA16286A2D57EA0991168D4994637E8343E36",
+		"00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1",
+		1,
+		"040000000000000000000292FE77E70C12A4234C33",
+		"2",
+		163,
+		C2_B163
+		);
+
+	/* Curve K-233 (FIPS PUB 186-2, App. 6) */
+	CHAR2_CURVE_TEST
+		(
+		"NIST curve K-233",
+		"020000000000000000000000000000000000000004000000000000000001",
+		"0",
+		"1",
+		"017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126",
+		"01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3",
+		0,
+		"008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF",
+		"4",
+		233,
+		C2_K233
+		);
+
+	/* Curve B-233 (FIPS PUB 186-2, App. 6) */
+	CHAR2_CURVE_TEST
+		(
+		"NIST curve B-233",
+		"020000000000000000000000000000000000000004000000000000000001",
+		"000000000000000000000000000000000000000000000000000000000001",
+		"0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90AD",
+		"00FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B",
+		"01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052",
+		1,
+		"01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7",
+		"2",
+		233,
+		C2_B233
+		);
+
+	/* Curve K-283 (FIPS PUB 186-2, App. 6) */
+	CHAR2_CURVE_TEST
+		(
+		"NIST curve K-283",
+		"0800000000000000000000000000000000000000000000000000000000000000000010A1",
+		"0",
+		"1",
+		"0503213F78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836",
+		"01CCDA380F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259",
+		0,
+		"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61",
+		"4",
+		283,
+		C2_K283
+		);
+
+	/* Curve B-283 (FIPS PUB 186-2, App. 6) */
+	CHAR2_CURVE_TEST
+		(
+		"NIST curve B-283",
+		"0800000000000000000000000000000000000000000000000000000000000000000010A1",
+		"000000000000000000000000000000000000000000000000000000000000000000000001",
+		"027B680AC8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5",
+		"05F939258DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053",
+		"03676854FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4",
+		1,
+		"03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307",
+		"2",
+		283,
+		C2_B283
+		);
+
+	/* Curve K-409 (FIPS PUB 186-2, App. 6) */
+	CHAR2_CURVE_TEST
+		(
+		"NIST curve K-409",
+		"02000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000001",
+		"0",
+		"1",
+		"0060F05F658F49C1AD3AB1890F7184210EFD0987E307C84C27ACCFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746",
+		"01E369050B7C4E42ACBA1DACBF04299C3460782F918EA427E6325165E9EA10E3DA5F6C42E9C55215AA9CA27A5863EC48D8E0286B",
+		1,
+		"007FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F83B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF",
+		"4",
+		409,
+		C2_K409
+		);
+
+	/* Curve B-409 (FIPS PUB 186-2, App. 6) */
+	CHAR2_CURVE_TEST
+		(
+		"NIST curve B-409",
+		"02000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000001",
+		"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
+		"0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422EF1F3DD674761FA99D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545F",
+		"015D4860D088DDB3496B0C6064756260441CDE4AF1771D4DB01FFE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7",
+		"0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5A7BD198D0158AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706",
+		1,
+		"010000000000000000000000000000000000000000000000000001E2AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173",
+		"2",
+		409,
+		C2_B409
+		);
+
+	/* Curve K-571 (FIPS PUB 186-2, App. 6) */
+	CHAR2_CURVE_TEST
+		(
+		"NIST curve K-571",
+		"80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000425",
+		"0",
+		"1",
+		"026EB7A859923FBC82189631F8103FE4AC9CA2970012D5D46024804801841CA44370958493B205E647DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972",
+		"0349DC807F4FBF374F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D4979C0AC44AEA74FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143EF1C7A3",
+		0,
+		"020000000000000000000000000000000000000000000000000000000000000000000000131850E1F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001",
+		"4",
+		571,
+		C2_K571
+		);
+
+	/* Curve B-571 (FIPS PUB 186-2, App. 6) */
+	CHAR2_CURVE_TEST
+		(
+		"NIST curve B-571",
+		"80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000425",
+		"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
+		"02F40E7E2221F295DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD8EFA59332BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727A",
+		"0303001D34B856296C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950F4C0D293CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19",
+		"037BF27342DA639B6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43BAB08A576291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15B",
+		1,
+		"03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE661CE18FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47",
+		"2",
+		571,
+		C2_B571
+		);
+
+	/* more tests using the last curve */
+
+	if (!EC_POINT_copy(Q, P)) ABORT;
+	if (EC_POINT_is_at_infinity(group, Q)) ABORT;
+	if (!EC_POINT_dbl(group, P, P, ctx)) ABORT;
+	if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+	if (!EC_POINT_invert(group, Q, ctx)) ABORT; /* P = -2Q */
+
+	if (!EC_POINT_add(group, R, P, Q, ctx)) ABORT;
+	if (!EC_POINT_add(group, R, R, Q, ctx)) ABORT;
+	if (!EC_POINT_is_at_infinity(group, R)) ABORT; /* R = P + 2Q */
+
+	{
+		const EC_POINT *points[3];
+		const BIGNUM *scalars[3];
+	
+		if (EC_POINT_is_at_infinity(group, Q)) ABORT;
+		points[0] = Q;
+		points[1] = Q;
+		points[2] = Q;
+
+		if (!BN_add(y, z, BN_value_one())) ABORT;
+		if (BN_is_odd(y)) ABORT;
+		if (!BN_rshift1(y, y)) ABORT;
+		scalars[0] = y; /* (group order + 1)/2,  so  y*Q + y*Q = Q */
+		scalars[1] = y;
+
+		fprintf(stdout, "combined multiplication ...");
+		fflush(stdout);
+
+		/* z is still the group order */
+		if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
+		if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) ABORT;
+		if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
+		if (0 != EC_POINT_cmp(group, R, Q, ctx)) ABORT;
+
+		fprintf(stdout, ".");
+		fflush(stdout);
+
+		if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT;
+		if (!BN_add(z, z, y)) ABORT;
+		BN_set_negative(z, 1);
+		scalars[0] = y;
+		scalars[1] = z; /* z = -(order + y) */
+
+		if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
+		if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+		fprintf(stdout, ".");
+		fflush(stdout);
+
+		if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) ABORT;
+		if (!BN_add(z, x, y)) ABORT;
+		BN_set_negative(z, 1);
+		scalars[0] = x;
+		scalars[1] = y;
+		scalars[2] = z; /* z = -(x+y) */
+
+		if (!EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx)) ABORT;
+		if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+		fprintf(stdout, " ok\n\n");
+	}
+
+
+#if 0
+	timings(C2_K163, TIMING_BASE_PT, ctx);
+	timings(C2_K163, TIMING_RAND_PT, ctx);
+	timings(C2_K163, TIMING_SIMUL, ctx);
+	timings(C2_B163, TIMING_BASE_PT, ctx);
+	timings(C2_B163, TIMING_RAND_PT, ctx);
+	timings(C2_B163, TIMING_SIMUL, ctx);
+	timings(C2_K233, TIMING_BASE_PT, ctx);
+	timings(C2_K233, TIMING_RAND_PT, ctx);
+	timings(C2_K233, TIMING_SIMUL, ctx);
+	timings(C2_B233, TIMING_BASE_PT, ctx);
+	timings(C2_B233, TIMING_RAND_PT, ctx);
+	timings(C2_B233, TIMING_SIMUL, ctx);
+	timings(C2_K283, TIMING_BASE_PT, ctx);
+	timings(C2_K283, TIMING_RAND_PT, ctx);
+	timings(C2_K283, TIMING_SIMUL, ctx);
+	timings(C2_B283, TIMING_BASE_PT, ctx);
+	timings(C2_B283, TIMING_RAND_PT, ctx);
+	timings(C2_B283, TIMING_SIMUL, ctx);
+	timings(C2_K409, TIMING_BASE_PT, ctx);
+	timings(C2_K409, TIMING_RAND_PT, ctx);
+	timings(C2_K409, TIMING_SIMUL, ctx);
+	timings(C2_B409, TIMING_BASE_PT, ctx);
+	timings(C2_B409, TIMING_RAND_PT, ctx);
+	timings(C2_B409, TIMING_SIMUL, ctx);
+	timings(C2_K571, TIMING_BASE_PT, ctx);
+	timings(C2_K571, TIMING_RAND_PT, ctx);
+	timings(C2_K571, TIMING_SIMUL, ctx);
+	timings(C2_B571, TIMING_BASE_PT, ctx);
+	timings(C2_B571, TIMING_RAND_PT, ctx);
+	timings(C2_B571, TIMING_SIMUL, ctx);
+#endif
+
+
+	if (ctx)
+		BN_CTX_free(ctx);
+	BN_free(p); BN_free(a);	BN_free(b);
+	EC_GROUP_free(group);
+	EC_POINT_free(P);
+	EC_POINT_free(Q);
+	EC_POINT_free(R);
+	BN_free(x); BN_free(y); BN_free(z); BN_free(cof);
+
+	if (C2_K163) EC_GROUP_free(C2_K163);
+	if (C2_B163) EC_GROUP_free(C2_B163);
+	if (C2_K233) EC_GROUP_free(C2_K233);
+	if (C2_B233) EC_GROUP_free(C2_B233);
+	if (C2_K283) EC_GROUP_free(C2_K283);
+	if (C2_B283) EC_GROUP_free(C2_B283);
+	if (C2_K409) EC_GROUP_free(C2_K409);
+	if (C2_B409) EC_GROUP_free(C2_B409);
+	if (C2_K571) EC_GROUP_free(C2_K571);
+	if (C2_B571) EC_GROUP_free(C2_B571);
+
+	}
+
+void internal_curve_test(void)
+	{
+	EC_builtin_curve *curves = NULL;
+	size_t crv_len = 0, n = 0;
+	int    ok = 1;
+
+	crv_len = EC_get_builtin_curves(NULL, 0);
+
+	curves = OPENSSL_malloc(sizeof(EC_builtin_curve) * crv_len);
+
+	if (curves == NULL)
+		return;
+
+	if (!EC_get_builtin_curves(curves, crv_len))
+		{
+		OPENSSL_free(curves);
+		return;
+		}
+
+	fprintf(stdout, "testing internal curves: ");
+		
+	for (n = 0; n < crv_len; n++)
+		{
+		EC_GROUP *group = NULL;
+		int nid = curves[n].nid;
+		if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL)
+			{
+			ok = 0;
+			fprintf(stdout, "\nEC_GROUP_new_curve_name() failed with"
+				" curve %s\n", OBJ_nid2sn(nid));
+			/* try next curve */
+			continue;
+			}
+		if (!EC_GROUP_check(group, NULL))
+			{
+			ok = 0;
+			fprintf(stdout, "\nEC_GROUP_check() failed with"
+				" curve %s\n", OBJ_nid2sn(nid));
+			EC_GROUP_free(group);
+			/* try the next curve */
+			continue;
+			}
+		fprintf(stdout, ".");
+		fflush(stdout);
+		EC_GROUP_free(group);
+		}
+	if (ok)
+		fprintf(stdout, " ok\n");
+	else
+		fprintf(stdout, " failed\n");
+	OPENSSL_free(curves);
+	return;
+	}
+
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
+int main(int argc, char *argv[])
+	{	
+	
+	/* enable memory leak checking unless explicitly disabled */
+	if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
+		{
+		CRYPTO_malloc_debug_init();
+		CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+		}
+	else
+		{
+		/* OPENSSL_DEBUG_MEMORY=off */
+		CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
+		}
+	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+	ERR_load_crypto_strings();
+
+	RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
+
+	prime_field_tests();
+	puts("");
+	char2_field_tests();
+	/* test the internal curves */
+	internal_curve_test();
+
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE_cleanup();
 #endif
diff --git a/crypto/openssl/crypto/ecdh/Makefile b/crypto/openssl/crypto/ecdh/Makefile
new file mode 100644
index 000000000000..95aa69fea58f
--- /dev/null
+++ b/crypto/openssl/crypto/ecdh/Makefile
@@ -0,0 +1,111 @@
+#
+# crypto/ecdh/Makefile
+#
+
+DIR=	ecdh
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g -Wall
+MAKEFILE=	Makefile
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=ecdhtest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	ech_lib.c ech_ossl.c ech_key.c ech_err.c
+
+LIBOBJ=	ech_lib.o ech_ossl.o ech_key.o ech_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= ecdh.h
+HEADER=	ech_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB) || echo Never mind.
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+links:
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+ech_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ech_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ech_err.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+ech_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ech_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ech_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+ech_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ech_err.o: ech_err.c
+ech_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ech_key.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ech_key.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+ech_key.o: ../../include/openssl/engine.h ../../include/openssl/opensslconf.h
+ech_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ech_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ech_key.o: ../../include/openssl/symhacks.h ech_key.c ech_locl.h
+ech_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ech_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ech_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+ech_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+ech_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+ech_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ech_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ech_lib.o: ../../include/openssl/symhacks.h ech_lib.c ech_locl.h
+ech_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
+ech_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ech_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ech_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ech_ossl.o: ../../include/openssl/ecdh.h ../../include/openssl/err.h
+ech_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ech_ossl.o: ../../include/openssl/opensslconf.h
+ech_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ech_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ech_ossl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ech_ossl.o: ../cryptlib.h ech_locl.h ech_ossl.c
diff --git a/crypto/openssl/crypto/ecdh/ecdh.h b/crypto/openssl/crypto/ecdh/ecdh.h
new file mode 100644
index 000000000000..b4b58ee65ba2
--- /dev/null
+++ b/crypto/openssl/crypto/ecdh/ecdh.h
@@ -0,0 +1,123 @@
+/* crypto/ecdh/ecdh.h */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
+ * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
+ * to the OpenSSL project.
+ *
+ * The ECC Code is licensed pursuant to the OpenSSL open source
+ * license provided below.
+ *
+ * The ECDH software is originally written by Douglas Stebila of
+ * Sun Microsystems Laboratories.
+ *
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#ifndef HEADER_ECDH_H
+#define HEADER_ECDH_H
+
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_NO_ECDH
+#error ECDH is disabled.
+#endif
+
+#include <openssl/ec.h>
+#include <openssl/ossl_typ.h>
+#ifndef OPENSSL_NO_DEPRECATED
+#include <openssl/bn.h>
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+const ECDH_METHOD *ECDH_OpenSSL(void);
+
+void	  ECDH_set_default_method(const ECDH_METHOD *);
+const ECDH_METHOD *ECDH_get_default_method(void);
+int 	  ECDH_set_method(EC_KEY *, const ECDH_METHOD *);
+
+int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh,
+                     void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen));
+
+int 	  ECDH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new 
+		*new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int 	  ECDH_set_ex_data(EC_KEY *d, int idx, void *arg);
+void 	  *ECDH_get_ex_data(EC_KEY *d, int idx);
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_ECDH_strings(void);
+
+/* Error codes for the ECDH functions. */
+
+/* Function codes. */
+#define ECDH_F_ECDH_COMPUTE_KEY				 100
+#define ECDH_F_ECDH_DATA_NEW_METHOD			 101
+
+/* Reason codes. */
+#define ECDH_R_KDF_FAILED				 102
+#define ECDH_R_NO_PRIVATE_VALUE				 100
+#define ECDH_R_POINT_ARITHMETIC_FAILURE			 101
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/crypto/openssl/crypto/ecdh/ecdhtest.c b/crypto/openssl/crypto/ecdh/ecdhtest.c
new file mode 100644
index 000000000000..01baa5f4942f
--- /dev/null
+++ b/crypto/openssl/crypto/ecdh/ecdhtest.c
@@ -0,0 +1,368 @@
+/* crypto/ecdh/ecdhtest.c */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
+ * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
+ * to the OpenSSL project.
+ *
+ * The ECC Code is licensed pursuant to the OpenSSL open source
+ * license provided below.
+ *
+ * The ECDH software is originally written by Douglas Stebila of
+ * Sun Microsystems Laboratories.
+ *
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "../e_os.h"
+
+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_ECDH */
+#include <openssl/crypto.h>
+#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/sha.h>
+#include <openssl/err.h>
+
+#ifdef OPENSSL_NO_ECDH
+int main(int argc, char *argv[])
+{
+    printf("No ECDH support\n");
+    return(0);
+}
+#else
+#include <openssl/ec.h>
+#include <openssl/ecdh.h>
+
+#ifdef OPENSSL_SYS_WIN16
+#define MS_CALLBACK	_far _loadds
+#else
+#define MS_CALLBACK
+#endif
+
+#if 0
+static void MS_CALLBACK cb(int p, int n, void *arg);
+#endif
+
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
+
+static const int KDF1_SHA1_len = 20;
+static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
+	{
+#ifndef OPENSSL_NO_SHA
+	if (*outlen < SHA_DIGEST_LENGTH)
+		return NULL;
+	else
+		*outlen = SHA_DIGEST_LENGTH;
+	return SHA1(in, inlen, out);
+#else
+	return NULL;
+#endif
+	}
+
+
+static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out)
+	{
+	EC_KEY *a=NULL;
+	EC_KEY *b=NULL;
+	BIGNUM *x_a=NULL, *y_a=NULL,
+	       *x_b=NULL, *y_b=NULL;
+	char buf[12];
+	unsigned char *abuf=NULL,*bbuf=NULL;
+	int i,alen,blen,aout,bout,ret=0;
+	const EC_GROUP *group;
+
+	a = EC_KEY_new_by_curve_name(nid);
+	b = EC_KEY_new_by_curve_name(nid);
+	if (a == NULL || b == NULL)
+		goto err;
+
+	group = EC_KEY_get0_group(a);
+
+	if ((x_a=BN_new()) == NULL) goto err;
+	if ((y_a=BN_new()) == NULL) goto err;
+	if ((x_b=BN_new()) == NULL) goto err;
+	if ((y_b=BN_new()) == NULL) goto err;
+
+	BIO_puts(out,"Testing key generation with ");
+	BIO_puts(out,text);
+#ifdef NOISY
+	BIO_puts(out,"\n");
+#else
+	BIO_flush(out);
+#endif
+
+	if (!EC_KEY_generate_key(a)) goto err;
+	
+	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) 
+		{
+		if (!EC_POINT_get_affine_coordinates_GFp(group,
+			EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err;
+		}
+	else
+		{
+		if (!EC_POINT_get_affine_coordinates_GF2m(group,
+			EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err;
+		}
+#ifdef NOISY
+	BIO_puts(out,"  pri 1=");
+	BN_print(out,a->priv_key);
+	BIO_puts(out,"\n  pub 1=");
+	BN_print(out,x_a);
+	BIO_puts(out,",");
+	BN_print(out,y_a);
+	BIO_puts(out,"\n");
+#else
+	BIO_printf(out," .");
+	BIO_flush(out);
+#endif
+
+	if (!EC_KEY_generate_key(b)) goto err;
+
+	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) 
+		{
+		if (!EC_POINT_get_affine_coordinates_GFp(group, 
+			EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err;
+		}
+	else
+		{
+		if (!EC_POINT_get_affine_coordinates_GF2m(group, 
+			EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err;
+		}
+
+#ifdef NOISY
+	BIO_puts(out,"  pri 2=");
+	BN_print(out,b->priv_key);
+	BIO_puts(out,"\n  pub 2=");
+	BN_print(out,x_b);
+	BIO_puts(out,",");
+	BN_print(out,y_b);
+	BIO_puts(out,"\n");
+#else
+	BIO_printf(out,".");
+	BIO_flush(out);
+#endif
+
+	alen=KDF1_SHA1_len;
+	abuf=(unsigned char *)OPENSSL_malloc(alen);
+	aout=ECDH_compute_key(abuf,alen,EC_KEY_get0_public_key(b),a,KDF1_SHA1);
+
+#ifdef NOISY
+	BIO_puts(out,"  key1 =");
+	for (i=0; i<aout; i++)
+		{
+		sprintf(buf,"%02X",abuf[i]);
+		BIO_puts(out,buf);
+		}
+	BIO_puts(out,"\n");
+#else
+	BIO_printf(out,".");
+	BIO_flush(out);
+#endif
+
+	blen=KDF1_SHA1_len;
+	bbuf=(unsigned char *)OPENSSL_malloc(blen);
+	bout=ECDH_compute_key(bbuf,blen,EC_KEY_get0_public_key(a),b,KDF1_SHA1);
+
+#ifdef NOISY
+	BIO_puts(out,"  key2 =");
+	for (i=0; i<bout; i++)
+		{
+		sprintf(buf,"%02X",bbuf[i]);
+		BIO_puts(out,buf);
+		}
+	BIO_puts(out,"\n");
+#else
+	BIO_printf(out,".");
+	BIO_flush(out);
+#endif
+
+	if ((aout < 4) || (bout != aout) || (memcmp(abuf,bbuf,aout) != 0))
+		{
+#ifndef NOISY
+		BIO_printf(out, " failed\n\n");
+		BIO_printf(out, "key a:\n");
+		BIO_printf(out, "private key: ");
+		BN_print(out, EC_KEY_get0_private_key(a));
+		BIO_printf(out, "\n");
+		BIO_printf(out, "public key (x,y): ");
+		BN_print(out, x_a);
+		BIO_printf(out, ",");
+		BN_print(out, y_a);
+		BIO_printf(out, "\nkey b:\n");
+		BIO_printf(out, "private key: ");
+		BN_print(out, EC_KEY_get0_private_key(b));
+		BIO_printf(out, "\n");
+		BIO_printf(out, "public key (x,y): ");
+		BN_print(out, x_b);
+		BIO_printf(out, ",");
+		BN_print(out, y_b);
+		BIO_printf(out, "\n");
+		BIO_printf(out, "generated key a: ");
+		for (i=0; i<bout; i++)
+			{
+			sprintf(buf, "%02X", bbuf[i]);
+			BIO_puts(out, buf);
+			}
+		BIO_printf(out, "\n");
+		BIO_printf(out, "generated key b: ");
+		for (i=0; i<aout; i++)
+			{
+			sprintf(buf, "%02X", abuf[i]);
+			BIO_puts(out,buf);
+			}
+		BIO_printf(out, "\n");
+#endif
+		fprintf(stderr,"Error in ECDH routines\n");
+		ret=0;
+		}
+	else
+		{
+#ifndef NOISY
+		BIO_printf(out, " ok\n");
+#endif
+		ret=1;
+		}
+err:
+	ERR_print_errors_fp(stderr);
+
+	if (abuf != NULL) OPENSSL_free(abuf);
+	if (bbuf != NULL) OPENSSL_free(bbuf);
+	if (x_a) BN_free(x_a);
+	if (y_a) BN_free(y_a);
+	if (x_b) BN_free(x_b);
+	if (y_b) BN_free(y_b);
+	if (b) EC_KEY_free(b);
+	if (a) EC_KEY_free(a);
+	return(ret);
+	}
+
+int main(int argc, char *argv[])
+	{
+	BN_CTX *ctx=NULL;
+	int ret=1;
+	BIO *out;
+
+	CRYPTO_malloc_debug_init();
+	CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
+	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+#ifdef OPENSSL_SYS_WIN32
+	CRYPTO_malloc_init();
+#endif
+
+	RAND_seed(rnd_seed, sizeof rnd_seed);
+
+	out=BIO_new(BIO_s_file());
+	if (out == NULL) EXIT(1);
+	BIO_set_fp(out,stdout,BIO_NOCLOSE);
+
+	if ((ctx=BN_CTX_new()) == NULL) goto err;
+
+	/* NIST PRIME CURVES TESTS */
+	if (!test_ecdh_curve(NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out)) goto err;
+	if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out)) goto err;
+	if (!test_ecdh_curve(NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) goto err;
+	if (!test_ecdh_curve(NID_secp384r1, "NIST Prime-Curve P-384", ctx, out)) goto err;
+	if (!test_ecdh_curve(NID_secp521r1, "NIST Prime-Curve P-521", ctx, out)) goto err;
+	/* NIST BINARY CURVES TESTS */
+	if (!test_ecdh_curve(NID_sect163k1, "NIST Binary-Curve K-163", ctx, out)) goto err;
+	if (!test_ecdh_curve(NID_sect163r2, "NIST Binary-Curve B-163", ctx, out)) goto err;
+	if (!test_ecdh_curve(NID_sect233k1, "NIST Binary-Curve K-233", ctx, out)) goto err;
+	if (!test_ecdh_curve(NID_sect233r1, "NIST Binary-Curve B-233", ctx, out)) goto err;
+	if (!test_ecdh_curve(NID_sect283k1, "NIST Binary-Curve K-283", ctx, out)) goto err;
+	if (!test_ecdh_curve(NID_sect283r1, "NIST Binary-Curve B-283", ctx, out)) goto err;
+	if (!test_ecdh_curve(NID_sect409k1, "NIST Binary-Curve K-409", ctx, out)) goto err;
+	if (!test_ecdh_curve(NID_sect409r1, "NIST Binary-Curve B-409", ctx, out)) goto err;
+	if (!test_ecdh_curve(NID_sect571k1, "NIST Binary-Curve K-571", ctx, out)) goto err;
+	if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out)) goto err;
+
+	ret = 0;
+
+err:
+	ERR_print_errors_fp(stderr);
+	if (ctx) BN_CTX_free(ctx);
+	BIO_free(out);
+	CRYPTO_cleanup_all_ex_data();
+	ERR_remove_state(0);
+	CRYPTO_mem_leaks_fp(stderr);
+	EXIT(ret);
+	return(ret);
+	}
+
+#if 0
+static void MS_CALLBACK cb(int p, int n, void *arg)
+	{
+	char c='*';
+
+	if (p == 0) c='.';
+	if (p == 1) c='+';
+	if (p == 2) c='*';
+	if (p == 3) c='\n';
+	BIO_write((BIO *)arg,&c,1);
+	(void)BIO_flush((BIO *)arg);
+#ifdef LINT
+	p=n;
+#endif
+	}
+#endif
+#endif
diff --git a/crypto/openssl/crypto/ecdh/ech_err.c b/crypto/openssl/crypto/ecdh/ech_err.c
new file mode 100644
index 000000000000..626f49ba330b
--- /dev/null
+++ b/crypto/openssl/crypto/ecdh/ech_err.c
@@ -0,0 +1,101 @@
+/* crypto/ecdh/ech_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ecdh.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_ECDH,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_ECDH,0,reason)
+
+static ERR_STRING_DATA ECDH_str_functs[]=
+	{
+{ERR_FUNC(ECDH_F_ECDH_COMPUTE_KEY),	"ECDH_compute_key"},
+{ERR_FUNC(ECDH_F_ECDH_DATA_NEW_METHOD),	"ECDH_DATA_new_method"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA ECDH_str_reasons[]=
+	{
+{ERR_REASON(ECDH_R_KDF_FAILED)           ,"KDF failed"},
+{ERR_REASON(ECDH_R_NO_PRIVATE_VALUE)     ,"no private value"},
+{ERR_REASON(ECDH_R_POINT_ARITHMETIC_FAILURE),"point arithmetic failure"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_ECDH_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef OPENSSL_NO_ERR
+		ERR_load_strings(0,ECDH_str_functs);
+		ERR_load_strings(0,ECDH_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/ecdh/ech_key.c b/crypto/openssl/crypto/ecdh/ech_key.c
new file mode 100644
index 000000000000..f44da9298b5e
--- /dev/null
+++ b/crypto/openssl/crypto/ecdh/ech_key.c
@@ -0,0 +1,83 @@
+/* crypto/ecdh/ecdh_key.c */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
+ * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
+ * to the OpenSSL project.
+ *
+ * The ECC Code is licensed pursuant to the OpenSSL open source
+ * license provided below.
+ *
+ * The ECDH software is originally written by Douglas Stebila of
+ * Sun Microsystems Laboratories.
+ *
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ech_locl.h"
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+
+int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
+	EC_KEY *eckey,
+	void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen))
+{
+	ECDH_DATA *ecdh = ecdh_check(eckey);
+	if (ecdh == NULL)
+		return 0;
+	return ecdh->meth->compute_key(out, outlen, pub_key, eckey, KDF);
+}
diff --git a/crypto/openssl/crypto/ecdh/ech_lib.c b/crypto/openssl/crypto/ecdh/ech_lib.c
new file mode 100644
index 000000000000..01e75e2a5c0c
--- /dev/null
+++ b/crypto/openssl/crypto/ecdh/ech_lib.c
@@ -0,0 +1,247 @@
+/* crypto/ecdh/ech_lib.c */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
+ * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
+ * to the OpenSSL project.
+ *
+ * The ECC Code is licensed pursuant to the OpenSSL open source
+ * license provided below.
+ *
+ * The ECDH software is originally written by Douglas Stebila of
+ * Sun Microsystems Laboratories.
+ *
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ech_locl.h"
+#include <string.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#include <openssl/err.h>
+
+const char *ECDH_version="ECDH" OPENSSL_VERSION_PTEXT;
+
+static const ECDH_METHOD *default_ECDH_method = NULL;
+
+static void *ecdh_data_new(void);
+static void *ecdh_data_dup(void *);
+static void  ecdh_data_free(void *);
+
+void ECDH_set_default_method(const ECDH_METHOD *meth)
+	{
+	default_ECDH_method = meth;
+	}
+
+const ECDH_METHOD *ECDH_get_default_method(void)
+	{
+	if(!default_ECDH_method) 
+		default_ECDH_method = ECDH_OpenSSL();
+	return default_ECDH_method;
+	}
+
+int ECDH_set_method(EC_KEY *eckey, const ECDH_METHOD *meth)
+	{
+	const ECDH_METHOD *mtmp;
+	ECDH_DATA *ecdh;
+
+	ecdh = ecdh_check(eckey);
+
+	if (ecdh == NULL)
+		return 0;
+
+        mtmp = ecdh->meth;
+#if 0
+        if (mtmp->finish)
+		mtmp->finish(eckey);
+#endif
+#ifndef OPENSSL_NO_ENGINE
+	if (ecdh->engine)
+		{
+		ENGINE_finish(ecdh->engine);
+		ecdh->engine = NULL;
+		}
+#endif
+        ecdh->meth = meth;
+#if 0
+        if (meth->init) 
+		meth->init(eckey);
+#endif
+        return 1;
+	}
+
+static ECDH_DATA *ECDH_DATA_new_method(ENGINE *engine)
+	{
+	ECDH_DATA *ret;
+
+	ret=(ECDH_DATA *)OPENSSL_malloc(sizeof(ECDH_DATA));
+	if (ret == NULL)
+		{
+		ECDHerr(ECDH_F_ECDH_DATA_NEW_METHOD, ERR_R_MALLOC_FAILURE);
+		return(NULL);
+		}
+
+	ret->init = NULL;
+
+	ret->meth = ECDH_get_default_method();
+	ret->engine = engine;
+#ifndef OPENSSL_NO_ENGINE
+	if (!ret->engine)
+		ret->engine = ENGINE_get_default_ECDH();
+	if (ret->engine)
+		{
+		ret->meth = ENGINE_get_ECDH(ret->engine);
+		if (!ret->meth)
+			{
+			ECDHerr(ECDH_F_ECDH_DATA_NEW_METHOD, ERR_R_ENGINE_LIB);
+			ENGINE_finish(ret->engine);
+			OPENSSL_free(ret);
+			return NULL;
+			}
+		}
+#endif
+
+	ret->flags = ret->meth->flags;
+	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_ECDH, ret, &ret->ex_data);
+#if 0
+	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
+		{
+		CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDH, ret, &ret->ex_data);
+		OPENSSL_free(ret);
+		ret=NULL;
+		}
+#endif	
+	return(ret);
+	}
+
+static void *ecdh_data_new(void)
+	{
+	return (void *)ECDH_DATA_new_method(NULL);
+	}
+
+static void *ecdh_data_dup(void *data)
+{
+	ECDH_DATA *r = (ECDH_DATA *)data;
+
+	/* XXX: dummy operation */
+	if (r == NULL)
+		return NULL;
+
+	return (void *)ecdh_data_new();
+}
+
+void ecdh_data_free(void *data)
+	{
+	ECDH_DATA *r = (ECDH_DATA *)data;
+
+#ifndef OPENSSL_NO_ENGINE
+	if (r->engine)
+		ENGINE_finish(r->engine);
+#endif
+
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDH, r, &r->ex_data);
+
+	OPENSSL_cleanse((void *)r, sizeof(ECDH_DATA));
+
+	OPENSSL_free(r);
+	}
+
+ECDH_DATA *ecdh_check(EC_KEY *key)
+	{
+	ECDH_DATA *ecdh_data;
+ 
+	void *data = EC_KEY_get_key_method_data(key, ecdh_data_dup,
+					ecdh_data_free, ecdh_data_free);
+	if (data == NULL)
+	{
+		ecdh_data = (ECDH_DATA *)ecdh_data_new();
+		if (ecdh_data == NULL)
+			return NULL;
+		EC_KEY_insert_key_method_data(key, (void *)ecdh_data,
+			ecdh_data_dup, ecdh_data_free, ecdh_data_free);
+	}
+	else
+		ecdh_data = (ECDH_DATA *)data;
+	
+
+	return ecdh_data;
+	}
+
+int ECDH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+	{
+	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_ECDH, argl, argp,
+				new_func, dup_func, free_func);
+	}
+
+int ECDH_set_ex_data(EC_KEY *d, int idx, void *arg)
+	{
+	ECDH_DATA *ecdh;
+	ecdh = ecdh_check(d);
+	if (ecdh == NULL)
+		return 0;
+	return(CRYPTO_set_ex_data(&ecdh->ex_data,idx,arg));
+	}
+
+void *ECDH_get_ex_data(EC_KEY *d, int idx)
+	{
+	ECDH_DATA *ecdh;
+	ecdh = ecdh_check(d);
+	if (ecdh == NULL)
+		return NULL;
+	return(CRYPTO_get_ex_data(&ecdh->ex_data,idx));
+	}
diff --git a/crypto/openssl/crypto/ecdh/ech_locl.h b/crypto/openssl/crypto/ecdh/ech_locl.h
new file mode 100644
index 000000000000..f658526a7e3a
--- /dev/null
+++ b/crypto/openssl/crypto/ecdh/ech_locl.h
@@ -0,0 +1,94 @@
+/* crypto/ecdh/ech_locl.h */
+/* ====================================================================
+ * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_ECH_LOCL_H
+#define HEADER_ECH_LOCL_H
+
+#include <openssl/ecdh.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+struct ecdh_method 
+	{
+	const char *name;
+	int (*compute_key)(void *key, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh,
+	                   void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen));
+#if 0
+	int (*init)(EC_KEY *eckey);
+	int (*finish)(EC_KEY *eckey);
+#endif
+	int flags;
+	char *app_data;
+	};
+
+typedef struct ecdh_data_st {
+	/* EC_KEY_METH_DATA part */
+	int (*init)(EC_KEY *);
+	/* method specific part */
+	ENGINE	*engine;
+	int	flags;
+	const ECDH_METHOD *meth;
+	CRYPTO_EX_DATA ex_data;
+} ECDH_DATA;
+
+ECDH_DATA *ecdh_check(EC_KEY *);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif /* HEADER_ECH_LOCL_H */
diff --git a/crypto/openssl/crypto/ecdh/ech_ossl.c b/crypto/openssl/crypto/ecdh/ech_ossl.c
new file mode 100644
index 000000000000..2a40ff12dfa8
--- /dev/null
+++ b/crypto/openssl/crypto/ecdh/ech_ossl.c
@@ -0,0 +1,213 @@
+/* crypto/ecdh/ech_ossl.c */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
+ * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
+ * to the OpenSSL project.
+ *
+ * The ECC Code is licensed pursuant to the OpenSSL open source
+ * license provided below.
+ *
+ * The ECDH software is originally written by Douglas Stebila of
+ * Sun Microsystems Laboratories.
+ *
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <string.h>
+#include <limits.h>
+
+#include "cryptlib.h"
+
+#include "ech_locl.h"
+#include <openssl/err.h>
+#include <openssl/sha.h>
+#include <openssl/obj_mac.h>
+#include <openssl/bn.h>
+
+static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key,
+	EC_KEY *ecdh, 
+	void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen));
+
+static ECDH_METHOD openssl_ecdh_meth = {
+	"OpenSSL ECDH method",
+	ecdh_compute_key,
+#if 0
+	NULL, /* init     */
+	NULL, /* finish   */
+#endif
+	0,    /* flags    */
+	NULL  /* app_data */
+};
+
+const ECDH_METHOD *ECDH_OpenSSL(void)
+	{
+	return &openssl_ecdh_meth;
+	}
+
+
+/* This implementation is based on the following primitives in the IEEE 1363 standard:
+ *  - ECKAS-DH1
+ *  - ECSVDP-DH
+ * Finally an optional KDF is applied.
+ */
+static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
+	EC_KEY *ecdh,
+	void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen))
+	{
+	BN_CTX *ctx;
+	EC_POINT *tmp=NULL;
+	BIGNUM *x=NULL, *y=NULL;
+	const BIGNUM *priv_key;
+	const EC_GROUP* group;
+	int ret= -1;
+	size_t buflen, len;
+	unsigned char *buf=NULL;
+
+	if (outlen > INT_MAX)
+		{
+		ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE); /* sort of, anyway */
+		return -1;
+		}
+
+	if ((ctx = BN_CTX_new()) == NULL) goto err;
+	BN_CTX_start(ctx);
+	x = BN_CTX_get(ctx);
+	y = BN_CTX_get(ctx);
+	
+	priv_key = EC_KEY_get0_private_key(ecdh);
+	if (priv_key == NULL)
+		{
+		ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_NO_PRIVATE_VALUE);
+		goto err;
+		}
+
+	group = EC_KEY_get0_group(ecdh);
+	if ((tmp=EC_POINT_new(group)) == NULL)
+		{
+		ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	if (!EC_POINT_mul(group, tmp, NULL, pub_key, priv_key, ctx)) 
+		{
+		ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_POINT_ARITHMETIC_FAILURE);
+		goto err;
+		}
+		
+	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) 
+		{
+		if (!EC_POINT_get_affine_coordinates_GFp(group, tmp, x, y, ctx)) 
+			{
+			ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_POINT_ARITHMETIC_FAILURE);
+			goto err;
+			}
+		}
+	else
+		{
+		if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp, x, y, ctx)) 
+			{
+			ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_POINT_ARITHMETIC_FAILURE);
+			goto err;
+			}
+		}
+
+	buflen = (EC_GROUP_get_degree(group) + 7)/8;
+	len = BN_num_bytes(x);
+	if (len > buflen)
+		{
+		ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_INTERNAL_ERROR);
+		goto err;
+		}
+	if ((buf = OPENSSL_malloc(buflen)) == NULL)
+		{
+		ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	
+	memset(buf, 0, buflen - len);
+	if (len != (size_t)BN_bn2bin(x, buf + buflen - len))
+		{
+		ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_BN_LIB);
+		goto err;
+		}
+
+	if (KDF != 0)
+		{
+		if (KDF(buf, buflen, out, &outlen) == NULL)
+			{
+			ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_KDF_FAILED);
+			goto err;
+			}
+		ret = outlen;
+		}
+	else
+		{
+		/* no KDF, just copy as much as we can */
+		if (outlen > buflen)
+			outlen = buflen;
+		memcpy(out, buf, outlen);
+		ret = outlen;
+		}
+	
+err:
+	if (tmp) EC_POINT_free(tmp);
+	if (ctx) BN_CTX_end(ctx);
+	if (ctx) BN_CTX_free(ctx);
+	if (buf) OPENSSL_free(buf);
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/ecdsa/Makefile b/crypto/openssl/crypto/ecdsa/Makefile
new file mode 100644
index 000000000000..16a93cd3ae83
--- /dev/null
+++ b/crypto/openssl/crypto/ecdsa/Makefile
@@ -0,0 +1,125 @@
+#
+# crypto/ecdsa/Makefile
+#
+
+DIR=	ecdsa
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g -Wall
+MAKEFILE=	Makefile
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=ecdsatest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	ecs_lib.c ecs_asn1.c ecs_ossl.c ecs_sign.c ecs_vrf.c ecs_err.c
+
+LIBOBJ=	ecs_lib.o ecs_asn1.o ecs_ossl.o ecs_sign.o ecs_vrf.o ecs_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= ecdsa.h
+HEADER=	ecs_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB) || echo Never mind.
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+links:
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+ecs_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+ecs_asn1.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+ecs_asn1.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecs_asn1.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+ecs_asn1.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+ecs_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ecs_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ecs_asn1.o: ../../include/openssl/symhacks.h ecs_asn1.c ecs_locl.h
+ecs_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ecs_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ecs_err.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
+ecs_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ecs_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ecs_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+ecs_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ecs_err.o: ecs_err.c
+ecs_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ecs_lib.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ecs_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecs_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+ecs_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ecs_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ecs_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+ecs_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ecs_lib.o: ecs_lib.c ecs_locl.h
+ecs_ossl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ecs_ossl.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+ecs_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecs_ossl.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+ecs_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ecs_ossl.o: ../../include/openssl/opensslconf.h
+ecs_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ecs_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ecs_ossl.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_ossl.c
+ecs_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ecs_sign.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ecs_sign.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
+ecs_sign.o: ../../include/openssl/engine.h ../../include/openssl/opensslconf.h
+ecs_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ecs_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ecs_sign.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_sign.c
+ecs_vrf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ecs_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ecs_vrf.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
+ecs_vrf.o: ../../include/openssl/engine.h ../../include/openssl/opensslconf.h
+ecs_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ecs_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ecs_vrf.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_vrf.c
diff --git a/crypto/openssl/crypto/ecdsa/ecdsa.h b/crypto/openssl/crypto/ecdsa/ecdsa.h
new file mode 100644
index 000000000000..76c5a4aa2ae0
--- /dev/null
+++ b/crypto/openssl/crypto/ecdsa/ecdsa.h
@@ -0,0 +1,270 @@
+/* crypto/ecdsa/ecdsa.h */
+/**
+ * \file   crypto/ecdsa/ecdsa.h Include file for the OpenSSL ECDSA functions
+ * \author Written by Nils Larsch for the OpenSSL project
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#ifndef HEADER_ECDSA_H
+#define HEADER_ECDSA_H
+
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_NO_ECDSA
+#error ECDSA is disabled.
+#endif
+
+#include <openssl/ec.h>
+#include <openssl/ossl_typ.h>
+#ifndef OPENSSL_NO_DEPRECATED
+#include <openssl/bn.h>
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct ECDSA_SIG_st
+	{
+	BIGNUM *r;
+	BIGNUM *s;
+	} ECDSA_SIG;
+
+/** ECDSA_SIG *ECDSA_SIG_new(void)
+ * allocates and initialize a ECDSA_SIG structure
+ * \return pointer to a ECDSA_SIG structure or NULL if an error occurred
+ */
+ECDSA_SIG *ECDSA_SIG_new(void);
+
+/** ECDSA_SIG_free
+ * frees a ECDSA_SIG structure
+ * \param a pointer to the ECDSA_SIG structure
+ */
+void	  ECDSA_SIG_free(ECDSA_SIG *a);
+
+/** i2d_ECDSA_SIG
+ * DER encode content of ECDSA_SIG object (note: this function modifies *pp
+ * (*pp += length of the DER encoded signature)).
+ * \param a  pointer to the ECDSA_SIG object
+ * \param pp pointer to a unsigned char pointer for the output or NULL
+ * \return the length of the DER encoded ECDSA_SIG object or 0 
+ */
+int	  i2d_ECDSA_SIG(const ECDSA_SIG *a, unsigned char **pp);
+
+/** d2i_ECDSA_SIG
+ * decodes a DER encoded ECDSA signature (note: this function changes *pp
+ * (*pp += len)). 
+ * \param v pointer to ECDSA_SIG pointer (may be NULL)
+ * \param pp buffer with the DER encoded signature
+ * \param len bufferlength
+ * \return pointer to the decoded ECDSA_SIG structure (or NULL)
+ */
+ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **v, const unsigned char **pp, long len);
+
+/** ECDSA_do_sign
+ * computes the ECDSA signature of the given hash value using
+ * the supplied private key and returns the created signature.
+ * \param dgst pointer to the hash value
+ * \param dgst_len length of the hash value
+ * \param eckey pointer to the EC_KEY object containing a private EC key
+ * \return pointer to a ECDSA_SIG structure or NULL
+ */
+ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst,int dgst_len,EC_KEY *eckey);
+
+/** ECDSA_do_sign_ex
+ * computes ECDSA signature of a given hash value using the supplied
+ * private key (note: sig must point to ECDSA_size(eckey) bytes of memory).
+ * \param dgst pointer to the hash value to sign
+ * \param dgstlen length of the hash value
+ * \param kinv optional pointer to a pre-computed inverse k
+ * \param rp optional pointer to the pre-computed rp value (see 
+ *        ECDSA_sign_setup
+ * \param eckey pointer to the EC_KEY object containing a private EC key
+ * \return pointer to a ECDSA_SIG structure or NULL
+ */
+ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen, 
+		const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey);
+
+/** ECDSA_do_verify
+ * verifies that the supplied signature is a valid ECDSA
+ * signature of the supplied hash value using the supplied public key.
+ * \param dgst pointer to the hash value
+ * \param dgst_len length of the hash value
+ * \param sig  pointer to the ECDSA_SIG structure
+ * \param eckey pointer to the EC_KEY object containing a public EC key
+ * \return 1 if the signature is valid, 0 if the signature is invalid and -1 on error
+ */
+int	  ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
+		const ECDSA_SIG *sig, EC_KEY* eckey);
+
+const ECDSA_METHOD *ECDSA_OpenSSL(void);
+
+/** ECDSA_set_default_method
+ * sets the default ECDSA method
+ * \param meth the new default ECDSA_METHOD
+ */
+void	  ECDSA_set_default_method(const ECDSA_METHOD *meth);
+
+/** ECDSA_get_default_method
+ * returns the default ECDSA method
+ * \return pointer to ECDSA_METHOD structure containing the default method
+ */
+const ECDSA_METHOD *ECDSA_get_default_method(void);
+
+/** ECDSA_set_method
+ * sets method to be used for the ECDSA operations
+ * \param eckey pointer to the EC_KEY object
+ * \param meth  pointer to the new method
+ * \return 1 on success and 0 otherwise 
+ */
+int 	  ECDSA_set_method(EC_KEY *eckey, const ECDSA_METHOD *meth);
+
+/** ECDSA_size
+ * returns the maximum length of the DER encoded signature
+ * \param  eckey pointer to a EC_KEY object
+ * \return numbers of bytes required for the DER encoded signature
+ */
+int	  ECDSA_size(const EC_KEY *eckey);
+
+/** ECDSA_sign_setup
+ * precompute parts of the signing operation. 
+ * \param eckey pointer to the EC_KEY object containing a private EC key
+ * \param ctx  pointer to a BN_CTX object (may be NULL)
+ * \param kinv pointer to a BIGNUM pointer for the inverse of k
+ * \param rp   pointer to a BIGNUM pointer for x coordinate of k * generator
+ * \return 1 on success and 0 otherwise
+ */
+int 	  ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, 
+		BIGNUM **rp);
+
+/** ECDSA_sign
+ * computes ECDSA signature of a given hash value using the supplied
+ * private key (note: sig must point to ECDSA_size(eckey) bytes of memory).
+ * \param type this parameter is ignored
+ * \param dgst pointer to the hash value to sign
+ * \param dgstlen length of the hash value
+ * \param sig buffer to hold the DER encoded signature
+ * \param siglen pointer to the length of the returned signature
+ * \param eckey pointer to the EC_KEY object containing a private EC key
+ * \return 1 on success and 0 otherwise
+ */
+int	  ECDSA_sign(int type, const unsigned char *dgst, int dgstlen, 
+		unsigned char *sig, unsigned int *siglen, EC_KEY *eckey);
+
+
+/** ECDSA_sign_ex
+ * computes ECDSA signature of a given hash value using the supplied
+ * private key (note: sig must point to ECDSA_size(eckey) bytes of memory).
+ * \param type this parameter is ignored
+ * \param dgst pointer to the hash value to sign
+ * \param dgstlen length of the hash value
+ * \param sig buffer to hold the DER encoded signature
+ * \param siglen pointer to the length of the returned signature
+ * \param kinv optional pointer to a pre-computed inverse k
+ * \param rp optional pointer to the pre-computed rp value (see 
+ *        ECDSA_sign_setup
+ * \param eckey pointer to the EC_KEY object containing a private EC key
+ * \return 1 on success and 0 otherwise
+ */
+int	  ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen, 
+		unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv,
+		const BIGNUM *rp, EC_KEY *eckey);
+
+/** ECDSA_verify
+ * verifies that the given signature is valid ECDSA signature
+ * of the supplied hash value using the specified public key.
+ * \param type this parameter is ignored
+ * \param dgst pointer to the hash value 
+ * \param dgstlen length of the hash value
+ * \param sig  pointer to the DER encoded signature
+ * \param siglen length of the DER encoded signature
+ * \param eckey pointer to the EC_KEY object containing a public EC key
+ * \return 1 if the signature is valid, 0 if the signature is invalid and -1 on error
+ */
+int 	  ECDSA_verify(int type, const unsigned char *dgst, int dgstlen, 
+		const unsigned char *sig, int siglen, EC_KEY *eckey);
+
+/* the standard ex_data functions */
+int 	  ECDSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new 
+		*new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int 	  ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg);
+void 	  *ECDSA_get_ex_data(EC_KEY *d, int idx);
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_ECDSA_strings(void);
+
+/* Error codes for the ECDSA functions. */
+
+/* Function codes. */
+#define ECDSA_F_ECDSA_DATA_NEW_METHOD			 100
+#define ECDSA_F_ECDSA_DO_SIGN				 101
+#define ECDSA_F_ECDSA_DO_VERIFY				 102
+#define ECDSA_F_ECDSA_SIGN_SETUP			 103
+
+/* Reason codes. */
+#define ECDSA_R_BAD_SIGNATURE				 100
+#define ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE		 101
+#define ECDSA_R_ERR_EC_LIB				 102
+#define ECDSA_R_MISSING_PARAMETERS			 103
+#define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED		 104
+#define ECDSA_R_SIGNATURE_MALLOC_FAILED			 105
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/crypto/openssl/crypto/ecdsa/ecdsatest.c b/crypto/openssl/crypto/ecdsa/ecdsatest.c
new file mode 100644
index 000000000000..59be39bb41c0
--- /dev/null
+++ b/crypto/openssl/crypto/ecdsa/ecdsatest.c
@@ -0,0 +1,500 @@
+/* crypto/ecdsa/ecdsatest.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * The elliptic curve binary polynomial software is originally written by 
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_ECDSA is defined */
+
+#ifdef OPENSSL_NO_ECDSA
+int main(int argc, char * argv[])
+	{
+	puts("Elliptic curves are disabled.");
+	return 0;
+	}
+#else
+
+#include <openssl/crypto.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/ecdsa.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+static const char rnd_seed[] = "string to make the random number generator "
+	"think it has entropy";
+
+/* declaration of the test functions */
+int x9_62_tests(BIO *);
+int x9_62_test_internal(BIO *out, int nid, const char *r, const char *s);
+int test_builtin(BIO *);
+
+/* functions to change the RAND_METHOD */
+int change_rand(void);
+int restore_rand(void);
+int fbytes(unsigned char *buf, int num);
+
+RAND_METHOD	fake_rand;
+const RAND_METHOD *old_rand;
+
+int change_rand(void)
+	{
+	/* save old rand method */
+	if ((old_rand = RAND_get_rand_method()) == NULL)
+		return 0;
+
+	fake_rand.seed    = old_rand->seed;
+	fake_rand.cleanup = old_rand->cleanup;
+	fake_rand.add     = old_rand->add;
+	fake_rand.status  = old_rand->status;
+	/* use own random function */
+	fake_rand.bytes      = fbytes;
+	fake_rand.pseudorand = old_rand->bytes;
+	/* set new RAND_METHOD */
+	if (!RAND_set_rand_method(&fake_rand))
+		return 0;
+	return 1;
+	}
+
+int restore_rand(void)
+	{
+	if (!RAND_set_rand_method(old_rand))
+		return 0;
+	else
+		return 1;
+	}
+
+static int fbytes_counter = 0;
+static const char *numbers[8] = {
+	"651056770906015076056810763456358567190100156695615665659",
+	"6140507067065001063065065565667405560006161556565665656654",
+	"8763001015071075675010661307616710783570106710677817767166"
+	"71676178726717",
+	"7000000175690566466555057817571571075705015757757057795755"
+	"55657156756655",
+	"1275552191113212300012030439187146164646146646466749494799",
+	"1542725565216523985789236956265265265235675811949404040041",
+	"1456427555219115346513212300075341203043918714616464614664"
+	"64667494947990",
+	"1712787255652165239672857892369562652652652356758119494040"
+	"40041670216363"};
+
+int fbytes(unsigned char *buf, int num)
+	{
+	int	ret;
+	BIGNUM	*tmp = NULL;
+
+	if (fbytes_counter >= 8)
+		return 0;
+	tmp = BN_new();
+	if (!tmp)
+		return 0;
+	if (!BN_dec2bn(&tmp, numbers[fbytes_counter]))
+		{
+		BN_free(tmp);
+		return 0;
+		}
+	fbytes_counter ++;
+	ret = BN_bn2bin(tmp, buf);	
+	if (ret == 0 || ret != num)
+		ret = 0;
+	else
+		ret = 1;
+	if (tmp)
+		BN_free(tmp);
+	return ret;
+	}
+
+/* some tests from the X9.62 draft */
+int x9_62_test_internal(BIO *out, int nid, const char *r_in, const char *s_in)
+	{
+	int	ret = 0;
+	const char message[] = "abc";
+	unsigned char digest[20];
+	unsigned int  dgst_len = 0;
+	EVP_MD_CTX md_ctx;
+	EC_KEY    *key = NULL;
+	ECDSA_SIG *signature = NULL;
+	BIGNUM    *r = NULL, *s = NULL;
+
+	EVP_MD_CTX_init(&md_ctx);
+	/* get the message digest */
+	EVP_DigestInit(&md_ctx, EVP_ecdsa());
+	EVP_DigestUpdate(&md_ctx, (const void*)message, 3);
+	EVP_DigestFinal(&md_ctx, digest, &dgst_len);
+
+	BIO_printf(out, "testing %s: ", OBJ_nid2sn(nid));
+	/* create the key */
+	if ((key = EC_KEY_new_by_curve_name(nid)) == NULL)
+		goto x962_int_err;
+	if (!EC_KEY_generate_key(key))
+		goto x962_int_err;
+	BIO_printf(out, ".");
+	BIO_flush(out);
+	/* create the signature */
+	signature = ECDSA_do_sign(digest, 20, key);
+	if (signature == NULL)
+		goto x962_int_err;
+	BIO_printf(out, ".");
+	BIO_flush(out);
+	/* compare the created signature with the expected signature */
+	if ((r = BN_new()) == NULL || (s = BN_new()) == NULL)
+		goto x962_int_err;
+	if (!BN_dec2bn(&r, r_in) ||
+	    !BN_dec2bn(&s, s_in))
+		goto x962_int_err;
+	if (BN_cmp(signature->r ,r) || BN_cmp(signature->s, s))
+		goto x962_int_err;
+	BIO_printf(out, ".");
+	BIO_flush(out);
+	/* verify the signature */
+	if (ECDSA_do_verify(digest, 20, signature, key) != 1)
+		goto x962_int_err;
+	BIO_printf(out, ".");
+	BIO_flush(out);
+
+	BIO_printf(out, " ok\n");
+	ret = 1;
+x962_int_err:
+	if (!ret)
+		BIO_printf(out, " failed\n");
+	if (key)
+		EC_KEY_free(key);
+	if (signature)
+		ECDSA_SIG_free(signature);
+	if (r)
+		BN_free(r);
+	if (s)
+		BN_free(s);
+	EVP_MD_CTX_cleanup(&md_ctx);
+	return ret;
+	}
+
+int x9_62_tests(BIO *out)
+	{
+	int ret = 0;
+
+	BIO_printf(out, "some tests from X9.62:\n");
+
+	/* set own rand method */
+	if (!change_rand())
+		goto x962_err;
+
+	if (!x9_62_test_internal(out, NID_X9_62_prime192v1,
+		"3342403536405981729393488334694600415596881826869351677613",
+		"5735822328888155254683894997897571951568553642892029982342"))
+		goto x962_err;
+	if (!x9_62_test_internal(out, NID_X9_62_prime239v1,
+		"3086361431751678114926225473006680188549593787585317781474"
+		"62058306432176",
+		"3238135532097973577080787768312505059318910517550078427819"
+		"78505179448783"))
+		goto x962_err;
+	if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1,
+		"87194383164871543355722284926904419997237591535066528048",
+		"308992691965804947361541664549085895292153777025772063598"))
+		goto x962_err;
+	if (!x9_62_test_internal(out, NID_X9_62_c2tnb239v1,
+		"2159633321041961198501834003903461262881815148684178964245"
+		"5876922391552",
+		"1970303740007316867383349976549972270528498040721988191026"
+		"49413465737174"))
+		goto x962_err;
+
+	ret = 1;
+x962_err:
+	if (!restore_rand())
+		ret = 0;
+	return ret;
+	}
+
+int test_builtin(BIO *out)
+	{
+	EC_builtin_curve *curves = NULL;
+	size_t		crv_len = 0, n = 0;
+	EC_KEY		*eckey = NULL, *wrong_eckey = NULL;
+	EC_GROUP	*group;
+	unsigned char	digest[20], wrong_digest[20];
+	unsigned char	*signature = NULL; 
+	unsigned int	sig_len;
+	int		nid, ret =  0;
+	
+	/* fill digest values with some random data */
+	if (!RAND_pseudo_bytes(digest, 20) ||
+	    !RAND_pseudo_bytes(wrong_digest, 20))
+		{
+		BIO_printf(out, "ERROR: unable to get random data\n");
+		goto builtin_err;
+		}
+
+	/* create and verify a ecdsa signature with every availble curve
+	 * (with ) */
+	BIO_printf(out, "\ntesting ECDSA_sign() and ECDSA_verify() "
+		"with some internal curves:\n");
+
+	/* get a list of all internal curves */
+	crv_len = EC_get_builtin_curves(NULL, 0);
+
+	curves = OPENSSL_malloc(sizeof(EC_builtin_curve) * crv_len);
+
+	if (curves == NULL)
+		{
+		BIO_printf(out, "malloc error\n");
+		goto builtin_err;
+		}
+	
+	if (!EC_get_builtin_curves(curves, crv_len))
+		{
+		BIO_printf(out, "unable to get internal curves\n");
+		goto builtin_err;
+		}
+
+	/* now create and verify a signature for every curve */
+	for (n = 0; n < crv_len; n++)
+		{
+		unsigned char dirt, offset;
+
+		nid = curves[n].nid;
+		if (nid == NID_ipsec4)
+			continue;
+		/* create new ecdsa key (== EC_KEY) */
+		if ((eckey = EC_KEY_new()) == NULL)
+			goto builtin_err;
+		group = EC_GROUP_new_by_curve_name(nid);
+		if (group == NULL)
+			goto builtin_err;
+		if (EC_KEY_set_group(eckey, group) == 0)
+			goto builtin_err;
+		EC_GROUP_free(group);
+		if (EC_GROUP_get_degree(EC_KEY_get0_group(eckey)) < 160)
+			/* drop the curve */ 
+			{
+			EC_KEY_free(eckey);
+			eckey = NULL;
+			continue;
+			}
+		BIO_printf(out, "%s: ", OBJ_nid2sn(nid));
+		/* create key */
+		if (!EC_KEY_generate_key(eckey))
+			{
+			BIO_printf(out, " failed\n");
+			goto builtin_err;
+			}
+		/* create second key */
+		if ((wrong_eckey = EC_KEY_new()) == NULL)
+			goto builtin_err;
+		group = EC_GROUP_new_by_curve_name(nid);
+		if (group == NULL)
+			goto builtin_err;
+		if (EC_KEY_set_group(wrong_eckey, group) == 0)
+			goto builtin_err;
+		EC_GROUP_free(group);
+		if (!EC_KEY_generate_key(wrong_eckey))
+			{
+			BIO_printf(out, " failed\n");
+			goto builtin_err;
+			}
+
+		BIO_printf(out, ".");
+		BIO_flush(out);
+		/* check key */
+		if (!EC_KEY_check_key(eckey))
+			{
+			BIO_printf(out, " failed\n");
+			goto builtin_err;
+			}
+		BIO_printf(out, ".");
+		BIO_flush(out);
+		/* create signature */
+		sig_len = ECDSA_size(eckey);
+		if ((signature = OPENSSL_malloc(sig_len)) == NULL)
+			goto builtin_err;
+                if (!ECDSA_sign(0, digest, 20, signature, &sig_len, eckey))
+			{
+			BIO_printf(out, " failed\n");
+			goto builtin_err;
+			}
+		BIO_printf(out, ".");
+		BIO_flush(out);
+		/* verify signature */
+		if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1)
+			{
+			BIO_printf(out, " failed\n");
+			goto builtin_err;
+			}
+		BIO_printf(out, ".");
+		BIO_flush(out);
+		/* verify signature with the wrong key */
+		if (ECDSA_verify(0, digest, 20, signature, sig_len, 
+			wrong_eckey) == 1)
+			{
+			BIO_printf(out, " failed\n");
+			goto builtin_err;
+			}
+		BIO_printf(out, ".");
+		BIO_flush(out);
+		/* wrong digest */
+		if (ECDSA_verify(0, wrong_digest, 20, signature, sig_len,
+			eckey) == 1)
+			{
+			BIO_printf(out, " failed\n");
+			goto builtin_err;
+			}
+		BIO_printf(out, ".");
+		BIO_flush(out);
+		/* modify a single byte of the signature */
+		offset = signature[10] % sig_len;
+		dirt   = signature[11];
+		signature[offset] ^= dirt ? dirt : 1; 
+		if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1)
+			{
+			BIO_printf(out, " failed\n");
+			goto builtin_err;
+			}
+		BIO_printf(out, ".");
+		BIO_flush(out);
+		
+		BIO_printf(out, " ok\n");
+		/* cleanup */
+		OPENSSL_free(signature);
+		signature = NULL;
+		EC_KEY_free(eckey);
+		eckey = NULL;
+		EC_KEY_free(wrong_eckey);
+		wrong_eckey = NULL;
+		}
+
+	ret = 1;	
+builtin_err:
+	if (eckey)
+		EC_KEY_free(eckey);
+	if (wrong_eckey)
+		EC_KEY_free(wrong_eckey);
+	if (signature)
+		OPENSSL_free(signature);
+	if (curves)
+		OPENSSL_free(curves);
+
+	return ret;
+	}
+
+int main(void)
+	{
+	int 	ret = 1;
+	BIO	*out;
+
+	out = BIO_new_fp(stdout, BIO_NOCLOSE);
+	
+	/* enable memory leak checking unless explicitly disabled */
+	if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && 
+		(0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
+		{
+		CRYPTO_malloc_debug_init();
+		CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+		}
+	else
+		{
+		/* OPENSSL_DEBUG_MEMORY=off */
+		CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
+		}
+	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+	ERR_load_crypto_strings();
+
+	/* initialize the prng */
+	RAND_seed(rnd_seed, sizeof(rnd_seed));
+
+	/* the tests */
+	if (!x9_62_tests(out))  goto err;
+	if (!test_builtin(out)) goto err;
+	
+	ret = 0;
+err:	
+	if (ret) 	
+		BIO_printf(out, "\nECDSA test failed\n");
+	else 
+		BIO_printf(out, "\nECDSA test passed\n");
+	if (ret)
+		ERR_print_errors(out);
+	CRYPTO_cleanup_all_ex_data();
+	ERR_remove_state(0);
+	ERR_free_strings();
+	CRYPTO_mem_leaks(out);
+	if (out != NULL)
+		BIO_free(out);
+	return ret;
+	}	
+#endif
diff --git a/crypto/openssl/crypto/ecdsa/ecs_asn1.c b/crypto/openssl/crypto/ecdsa/ecs_asn1.c
new file mode 100644
index 000000000000..b295489400e7
--- /dev/null
+++ b/crypto/openssl/crypto/ecdsa/ecs_asn1.c
@@ -0,0 +1,67 @@
+/* crypto/ecdsa/ecs_asn1.c */
+/* ====================================================================
+ * Copyright (c) 2000-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ecs_locl.h"
+#include <openssl/err.h>
+#include <openssl/asn1t.h>
+
+ASN1_SEQUENCE(ECDSA_SIG) = {
+	ASN1_SIMPLE(ECDSA_SIG, r, CBIGNUM),
+	ASN1_SIMPLE(ECDSA_SIG, s, CBIGNUM)
+} ASN1_SEQUENCE_END(ECDSA_SIG)
+
+DECLARE_ASN1_FUNCTIONS_const(ECDSA_SIG)
+DECLARE_ASN1_ENCODE_FUNCTIONS_const(ECDSA_SIG, ECDSA_SIG)
+IMPLEMENT_ASN1_FUNCTIONS_const(ECDSA_SIG)
diff --git a/crypto/openssl/crypto/ecdsa/ecs_err.c b/crypto/openssl/crypto/ecdsa/ecs_err.c
new file mode 100644
index 000000000000..90f1942e79fd
--- /dev/null
+++ b/crypto/openssl/crypto/ecdsa/ecs_err.c
@@ -0,0 +1,106 @@
+/* crypto/ecdsa/ecs_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ecdsa.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_ECDSA,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_ECDSA,0,reason)
+
+static ERR_STRING_DATA ECDSA_str_functs[]=
+	{
+{ERR_FUNC(ECDSA_F_ECDSA_DATA_NEW_METHOD),	"ECDSA_DATA_new_method"},
+{ERR_FUNC(ECDSA_F_ECDSA_DO_SIGN),	"ECDSA_do_sign"},
+{ERR_FUNC(ECDSA_F_ECDSA_DO_VERIFY),	"ECDSA_do_verify"},
+{ERR_FUNC(ECDSA_F_ECDSA_SIGN_SETUP),	"ECDSA_sign_setup"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA ECDSA_str_reasons[]=
+	{
+{ERR_REASON(ECDSA_R_BAD_SIGNATURE)       ,"bad signature"},
+{ERR_REASON(ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
+{ERR_REASON(ECDSA_R_ERR_EC_LIB)          ,"err ec lib"},
+{ERR_REASON(ECDSA_R_MISSING_PARAMETERS)  ,"missing parameters"},
+{ERR_REASON(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED),"random number generation failed"},
+{ERR_REASON(ECDSA_R_SIGNATURE_MALLOC_FAILED),"signature malloc failed"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_ECDSA_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef OPENSSL_NO_ERR
+		ERR_load_strings(0,ECDSA_str_functs);
+		ERR_load_strings(0,ECDSA_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/ecdsa/ecs_lib.c b/crypto/openssl/crypto/ecdsa/ecs_lib.c
new file mode 100644
index 000000000000..1fb9bc9600c8
--- /dev/null
+++ b/crypto/openssl/crypto/ecdsa/ecs_lib.c
@@ -0,0 +1,261 @@
+/* crypto/ecdsa/ecs_lib.c */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include "ecs_locl.h"
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#include <openssl/err.h>
+#include <openssl/bn.h>
+
+const char *ECDSA_version="ECDSA" OPENSSL_VERSION_PTEXT;
+
+static const ECDSA_METHOD *default_ECDSA_method = NULL;
+
+static void *ecdsa_data_new(void);
+static void *ecdsa_data_dup(void *);
+static void  ecdsa_data_free(void *);
+
+void ECDSA_set_default_method(const ECDSA_METHOD *meth)
+{
+	default_ECDSA_method = meth;
+}
+
+const ECDSA_METHOD *ECDSA_get_default_method(void)
+{
+	if(!default_ECDSA_method) 
+		default_ECDSA_method = ECDSA_OpenSSL();
+	return default_ECDSA_method;
+}
+
+int ECDSA_set_method(EC_KEY *eckey, const ECDSA_METHOD *meth)
+{
+        const ECDSA_METHOD *mtmp;
+	ECDSA_DATA *ecdsa;
+
+	ecdsa = ecdsa_check(eckey);
+
+	if (ecdsa == NULL)
+		return 0;
+
+        mtmp = ecdsa->meth;
+#ifndef OPENSSL_NO_ENGINE
+	if (ecdsa->engine)
+	{
+		ENGINE_finish(ecdsa->engine);
+		ecdsa->engine = NULL;
+	}
+#endif
+        ecdsa->meth = meth;
+
+        return 1;
+}
+
+static ECDSA_DATA *ECDSA_DATA_new_method(ENGINE *engine)
+{
+	ECDSA_DATA *ret;
+
+	ret=(ECDSA_DATA *)OPENSSL_malloc(sizeof(ECDSA_DATA));
+	if (ret == NULL)
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DATA_NEW_METHOD, ERR_R_MALLOC_FAILURE);
+		return(NULL);
+	}
+
+	ret->init = NULL;
+
+	ret->meth = ECDSA_get_default_method();
+	ret->engine = engine;
+#ifndef OPENSSL_NO_ENGINE
+	if (!ret->engine)
+		ret->engine = ENGINE_get_default_ECDSA();
+	if (ret->engine)
+	{
+		ret->meth = ENGINE_get_ECDSA(ret->engine);
+		if (!ret->meth)
+		{
+			ECDSAerr(ECDSA_F_ECDSA_DATA_NEW_METHOD, ERR_R_ENGINE_LIB);
+			ENGINE_finish(ret->engine);
+			OPENSSL_free(ret);
+			return NULL;
+		}
+	}
+#endif
+
+	ret->flags = ret->meth->flags;
+	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_ECDSA, ret, &ret->ex_data);
+#if 0
+	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
+	{
+		CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDSA, ret, &ret->ex_data);
+		OPENSSL_free(ret);
+		ret=NULL;
+	}
+#endif	
+	return(ret);
+}
+
+static void *ecdsa_data_new(void)
+{
+	return (void *)ECDSA_DATA_new_method(NULL);
+}
+
+static void *ecdsa_data_dup(void *data)
+{
+	ECDSA_DATA *r = (ECDSA_DATA *)data;
+
+	/* XXX: dummy operation */
+	if (r == NULL)
+		return NULL;
+
+	return ecdsa_data_new();
+}
+
+static void ecdsa_data_free(void *data)
+{
+	ECDSA_DATA *r = (ECDSA_DATA *)data;
+
+#ifndef OPENSSL_NO_ENGINE
+	if (r->engine)
+		ENGINE_finish(r->engine);
+#endif
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDSA, r, &r->ex_data);
+
+	OPENSSL_cleanse((void *)r, sizeof(ECDSA_DATA));
+
+	OPENSSL_free(r);
+}
+
+ECDSA_DATA *ecdsa_check(EC_KEY *key)
+{
+	ECDSA_DATA *ecdsa_data;
+ 
+	void *data = EC_KEY_get_key_method_data(key, ecdsa_data_dup,
+					ecdsa_data_free, ecdsa_data_free);
+	if (data == NULL)
+	{
+		ecdsa_data = (ECDSA_DATA *)ecdsa_data_new();
+		if (ecdsa_data == NULL)
+			return NULL;
+		EC_KEY_insert_key_method_data(key, (void *)ecdsa_data,
+			ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free);
+	}
+	else
+		ecdsa_data = (ECDSA_DATA *)data;
+	
+
+	return ecdsa_data;
+}
+
+int ECDSA_size(const EC_KEY *r)
+{
+	int ret,i;
+	ASN1_INTEGER bs;
+	BIGNUM	*order=NULL;
+	unsigned char buf[4];
+	const EC_GROUP *group;
+
+	if (r == NULL)
+		return 0;
+	group = EC_KEY_get0_group(r);
+	if (group == NULL)
+		return 0;
+
+	if ((order = BN_new()) == NULL) return 0;
+	if (!EC_GROUP_get_order(group,order,NULL))
+	{
+		BN_clear_free(order);
+		return 0;
+	} 
+	i=BN_num_bits(order);
+	bs.length=(i+7)/8;
+	bs.data=buf;
+	bs.type=V_ASN1_INTEGER;
+	/* If the top bit is set the asn1 encoding is 1 larger. */
+	buf[0]=0xff;	
+
+	i=i2d_ASN1_INTEGER(&bs,NULL);
+	i+=i; /* r and s */
+	ret=ASN1_object_size(1,i,V_ASN1_SEQUENCE);
+	BN_clear_free(order);
+	return(ret);
+}
+
+
+int ECDSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+{
+	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_ECDSA, argl, argp,
+				new_func, dup_func, free_func);
+}
+
+int ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg)
+{
+	ECDSA_DATA *ecdsa;
+	ecdsa = ecdsa_check(d);
+	if (ecdsa == NULL)
+		return 0;
+	return(CRYPTO_set_ex_data(&ecdsa->ex_data,idx,arg));
+}
+
+void *ECDSA_get_ex_data(EC_KEY *d, int idx)
+{
+	ECDSA_DATA *ecdsa;
+	ecdsa = ecdsa_check(d);
+	if (ecdsa == NULL)
+		return NULL;
+	return(CRYPTO_get_ex_data(&ecdsa->ex_data,idx));
+}
diff --git a/crypto/openssl/crypto/ecdsa/ecs_locl.h b/crypto/openssl/crypto/ecdsa/ecs_locl.h
new file mode 100644
index 000000000000..3a69a840e211
--- /dev/null
+++ b/crypto/openssl/crypto/ecdsa/ecs_locl.h
@@ -0,0 +1,107 @@
+/* crypto/ecdsa/ecs_locl.h */
+/*
+ * Written by Nils Larsch for the OpenSSL project
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_ECS_LOCL_H
+#define HEADER_ECS_LOCL_H
+
+#include <openssl/ecdsa.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+struct ecdsa_method 
+	{
+	const char *name;
+	ECDSA_SIG *(*ecdsa_do_sign)(const unsigned char *dgst, int dgst_len, 
+			const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey);
+	int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, 
+			BIGNUM **r);
+	int (*ecdsa_do_verify)(const unsigned char *dgst, int dgst_len, 
+			const ECDSA_SIG *sig, EC_KEY *eckey);
+#if 0
+	int (*init)(EC_KEY *eckey);
+	int (*finish)(EC_KEY *eckey);
+#endif
+	int flags;
+	char *app_data;
+	};
+
+typedef struct ecdsa_data_st {
+	/* EC_KEY_METH_DATA part */
+	int (*init)(EC_KEY *);
+	/* method (ECDSA) specific part */
+	ENGINE	*engine;
+	int	flags;
+	const ECDSA_METHOD *meth;
+	CRYPTO_EX_DATA ex_data;
+} ECDSA_DATA;
+
+/** ecdsa_check
+ * checks whether ECKEY->meth_data is a pointer to a ECDSA_DATA structure
+ * and if not it removes the old meth_data and creates a ECDSA_DATA structure.
+ * \param  eckey pointer to a EC_KEY object
+ * \return pointer to a ECDSA_DATA structure
+ */
+ECDSA_DATA *ecdsa_check(EC_KEY *eckey);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif /* HEADER_ECS_LOCL_H */
diff --git a/crypto/openssl/crypto/ecdsa/ecs_ossl.c b/crypto/openssl/crypto/ecdsa/ecs_ossl.c
new file mode 100644
index 000000000000..8be45ddc9369
--- /dev/null
+++ b/crypto/openssl/crypto/ecdsa/ecs_ossl.c
@@ -0,0 +1,442 @@
+/* crypto/ecdsa/ecs_ossl.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ecs_locl.h"
+#include <openssl/err.h>
+#include <openssl/obj_mac.h>
+#include <openssl/bn.h>
+
+static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, 
+		const BIGNUM *, const BIGNUM *, EC_KEY *eckey);
+static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 
+		BIGNUM **rp);
+static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, 
+		const ECDSA_SIG *sig, EC_KEY *eckey);
+
+static ECDSA_METHOD openssl_ecdsa_meth = {
+	"OpenSSL ECDSA method",
+	ecdsa_do_sign,
+	ecdsa_sign_setup,
+	ecdsa_do_verify,
+#if 0
+	NULL, /* init     */
+	NULL, /* finish   */
+#endif
+	0,    /* flags    */
+	NULL  /* app_data */
+};
+
+const ECDSA_METHOD *ECDSA_OpenSSL(void)
+{
+	return &openssl_ecdsa_meth;
+}
+
+static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+		BIGNUM **rp)
+{
+	BN_CTX   *ctx = NULL;
+	BIGNUM	 *k = NULL, *r = NULL, *order = NULL, *X = NULL;
+	EC_POINT *tmp_point=NULL;
+	const EC_GROUP *group;
+	int 	 ret = 0;
+
+	if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL)
+	{
+		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+	}
+
+	if (ctx_in == NULL) 
+	{
+		if ((ctx = BN_CTX_new()) == NULL)
+		{
+			ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+	}
+	else
+		ctx = ctx_in;
+
+	k     = BN_new();	/* this value is later returned in *kinvp */
+	r     = BN_new();	/* this value is later returned in *rp    */
+	order = BN_new();
+	X     = BN_new();
+	if (!k || !r || !order || !X)
+	{
+		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+	if ((tmp_point = EC_POINT_new(group)) == NULL)
+	{
+		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
+		goto err;
+	}
+	if (!EC_GROUP_get_order(group, order, ctx))
+	{
+		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
+		goto err;
+	}
+	
+	do
+	{
+		/* get random k */	
+		do
+			if (!BN_rand_range(k, order))
+			{
+				ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,
+				 ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);	
+				goto err;
+			}
+		while (BN_is_zero(k));
+
+		/* compute r the x-coordinate of generator * k */
+		if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
+		{
+			ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
+			goto err;
+		}
+		if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
+		{
+			if (!EC_POINT_get_affine_coordinates_GFp(group,
+				tmp_point, X, NULL, ctx))
+			{
+				ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
+				goto err;
+			}
+		}
+		else /* NID_X9_62_characteristic_two_field */
+		{
+			if (!EC_POINT_get_affine_coordinates_GF2m(group,
+				tmp_point, X, NULL, ctx))
+			{
+				ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB);
+				goto err;
+			}
+		}
+		if (!BN_nnmod(r, X, order, ctx))
+		{
+			ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
+			goto err;
+		}
+	}
+	while (BN_is_zero(r));
+
+	/* compute the inverse of k */
+	if (!BN_mod_inverse(k, k, order, ctx))
+	{
+		ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB);
+		goto err;	
+	}
+	/* clear old values if necessary */
+	if (*rp != NULL)
+		BN_clear_free(*rp);
+	if (*kinvp != NULL) 
+		BN_clear_free(*kinvp);
+	/* save the pre-computed values  */
+	*rp    = r;
+	*kinvp = k;
+	ret = 1;
+err:
+	if (!ret)
+	{
+		if (k != NULL) BN_clear_free(k);
+		if (r != NULL) BN_clear_free(r);
+	}
+	if (ctx_in == NULL) 
+		BN_CTX_free(ctx);
+	if (order != NULL)
+		BN_free(order);
+	if (tmp_point != NULL) 
+		EC_POINT_free(tmp_point);
+	if (X)
+		BN_clear_free(X);
+	return(ret);
+}
+
+
+static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, 
+		const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey)
+{
+	int     ok = 0;
+	BIGNUM *kinv=NULL, *s, *m=NULL,*tmp=NULL,*order=NULL;
+	const BIGNUM *ckinv;
+	BN_CTX     *ctx = NULL;
+	const EC_GROUP   *group;
+	ECDSA_SIG  *ret;
+	ECDSA_DATA *ecdsa;
+	const BIGNUM *priv_key;
+
+	ecdsa    = ecdsa_check(eckey);
+	group    = EC_KEY_get0_group(eckey);
+	priv_key = EC_KEY_get0_private_key(eckey);
+	
+	if (group == NULL || priv_key == NULL || ecdsa == NULL)
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+	}
+
+	ret = ECDSA_SIG_new();
+	if (!ret)
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	s = ret->s;
+
+	if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
+		(tmp = BN_new()) == NULL || (m = BN_new()) == NULL)
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+
+	if (!EC_GROUP_get_order(group, order, ctx))
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
+		goto err;
+	}
+	if (dgst_len > BN_num_bytes(order))
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
+			ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+		goto err;
+	}
+
+	if (!BN_bin2bn(dgst, dgst_len, m))
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+		goto err;
+	}
+	do
+	{
+		if (in_kinv == NULL || in_r == NULL)
+		{
+			if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r))
+			{
+				ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB);
+				goto err;
+			}
+			ckinv = kinv;
+		}
+		else
+		{
+			ckinv  = in_kinv;
+			if (BN_copy(ret->r, in_r) == NULL)
+			{
+				ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
+				goto err;
+			}
+		}
+
+		if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx))
+		{
+			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+			goto err;
+		}
+		if (!BN_mod_add_quick(s, tmp, m, order))
+		{
+			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+			goto err;
+		}
+		if (!BN_mod_mul(s, s, ckinv, order, ctx))
+		{
+			ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+			goto err;
+		}
+	}
+	while (BN_is_zero(s));
+
+	ok = 1;
+err:
+	if (!ok)
+	{
+		ECDSA_SIG_free(ret);
+		ret = NULL;
+	}
+	if (ctx)
+		BN_CTX_free(ctx);
+	if (m)
+		BN_clear_free(m);
+	if (tmp)
+		BN_clear_free(tmp);
+	if (order)
+		BN_free(order);
+	if (kinv)
+		BN_clear_free(kinv);
+	return ret;
+}
+
+static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
+		const ECDSA_SIG *sig, EC_KEY *eckey)
+{
+	int ret = -1;
+	BN_CTX   *ctx;
+	BIGNUM   *order, *u1, *u2, *m, *X;
+	EC_POINT *point = NULL;
+	const EC_GROUP *group;
+	const EC_POINT *pub_key;
+
+	/* check input values */
+	if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
+	    (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);
+		return -1;
+	}
+
+	ctx = BN_CTX_new();
+	if (!ctx)
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
+		return -1;
+	}
+	BN_CTX_start(ctx);
+	order = BN_CTX_get(ctx);	
+	u1    = BN_CTX_get(ctx);
+	u2    = BN_CTX_get(ctx);
+	m     = BN_CTX_get(ctx);
+	X     = BN_CTX_get(ctx);
+	if (!X)
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
+		goto err;
+	}
+	
+	if (!EC_GROUP_get_order(group, order, ctx))
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
+		goto err;
+	}
+
+	if (BN_is_zero(sig->r)          || BN_is_negative(sig->r) || 
+	    BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s)  ||
+	    BN_is_negative(sig->s)      || BN_ucmp(sig->s, order) >= 0)
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
+		ret = 0;	/* signature is invalid */
+		goto err;
+	}
+	/* calculate tmp1 = inv(S) mod order */
+	if (!BN_mod_inverse(u2, sig->s, order, ctx))
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
+		goto err;
+	}
+	/* digest -> m */
+	if (!BN_bin2bn(dgst, dgst_len, m))
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
+		goto err;
+	}
+	/* u1 = m * tmp mod order */
+	if (!BN_mod_mul(u1, m, u2, order, ctx))
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
+		goto err;
+	}
+	/* u2 = r * w mod q */
+	if (!BN_mod_mul(u2, sig->r, u2, order, ctx))
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
+		goto err;
+	}
+
+	if ((point = EC_POINT_new(group)) == NULL)
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+	if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx))
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
+		goto err;
+	}
+	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
+	{
+		if (!EC_POINT_get_affine_coordinates_GFp(group,
+			point, X, NULL, ctx))
+		{
+			ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
+			goto err;
+		}
+	}
+	else /* NID_X9_62_characteristic_two_field */
+	{
+		if (!EC_POINT_get_affine_coordinates_GF2m(group,
+			point, X, NULL, ctx))
+		{
+			ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
+			goto err;
+		}
+	}
+	
+	if (!BN_nnmod(u1, X, order, ctx))
+	{
+		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
+		goto err;
+	}
+	/*  if the signature is correct u1 is equal to sig->r */
+	ret = (BN_ucmp(u1, sig->r) == 0);
+err:
+	BN_CTX_end(ctx);
+	BN_CTX_free(ctx);
+	if (point)
+		EC_POINT_free(point);
+	return ret;
+}
diff --git a/crypto/openssl/crypto/ecdsa/ecs_sign.c b/crypto/openssl/crypto/ecdsa/ecs_sign.c
new file mode 100644
index 000000000000..74b1fe8caff4
--- /dev/null
+++ b/crypto/openssl/crypto/ecdsa/ecs_sign.c
@@ -0,0 +1,104 @@
+/* crypto/ecdsa/ecdsa_sign.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ecs_locl.h"
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+
+ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey)
+{
+	return ECDSA_do_sign_ex(dgst, dlen, NULL, NULL, eckey);
+}
+
+ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst, int dlen,
+	const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey)
+{
+	ECDSA_DATA *ecdsa = ecdsa_check(eckey);
+	if (ecdsa == NULL)
+		return NULL;
+	return ecdsa->meth->ecdsa_do_sign(dgst, dlen, kinv, rp, eckey);
+}
+
+int ECDSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char 
+		*sig, unsigned int *siglen, EC_KEY *eckey)
+{
+	return ECDSA_sign_ex(type, dgst, dlen, sig, siglen, NULL, NULL, eckey);
+}
+
+int ECDSA_sign_ex(int type, const unsigned char *dgst, int dlen, unsigned char 
+	*sig, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, 
+	EC_KEY *eckey)
+{
+	ECDSA_SIG *s;
+	s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey);
+	if (s == NULL)
+	{
+		*siglen=0;
+		return 0;
+	}
+	*siglen = i2d_ECDSA_SIG(s, &sig);
+	ECDSA_SIG_free(s);
+	return 1;
+}
+
+int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 
+		BIGNUM **rp)
+{
+	ECDSA_DATA *ecdsa = ecdsa_check(eckey);
+	if (ecdsa == NULL)
+		return 0;
+	return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp); 
+}
diff --git a/crypto/openssl/crypto/ecdsa/ecs_vrf.c b/crypto/openssl/crypto/ecdsa/ecs_vrf.c
new file mode 100644
index 000000000000..ef9acf7b6102
--- /dev/null
+++ b/crypto/openssl/crypto/ecdsa/ecs_vrf.c
@@ -0,0 +1,96 @@
+/* crypto/ecdsa/ecdsa_vrf.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ecs_locl.h"
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+
+/* returns
+ *      1: correct signature
+ *      0: incorrect signature
+ *     -1: error
+ */
+int ECDSA_do_verify(const unsigned char *dgst, int dgst_len, 
+		const ECDSA_SIG *sig, EC_KEY *eckey)
+	{
+	ECDSA_DATA *ecdsa = ecdsa_check(eckey);
+	if (ecdsa == NULL)
+		return 0;
+	return ecdsa->meth->ecdsa_do_verify(dgst, dgst_len, sig, eckey);
+	}
+
+/* returns
+ *      1: correct signature
+ *      0: incorrect signature
+ *     -1: error
+ */
+int ECDSA_verify(int type, const unsigned char *dgst, int dgst_len,
+		const unsigned char *sigbuf, int sig_len, EC_KEY *eckey)
+ 	{
+	ECDSA_SIG *s;
+	int ret=-1;
+
+	s = ECDSA_SIG_new();
+	if (s == NULL) return(ret);
+	if (d2i_ECDSA_SIG(&s, &sigbuf, sig_len) == NULL) goto err;
+	ret=ECDSA_do_verify(dgst, dgst_len, s, eckey);
+err:
+	ECDSA_SIG_free(s);
+	return(ret);
+	}
diff --git a/crypto/openssl/crypto/engine/Makefile b/crypto/openssl/crypto/engine/Makefile
index 61942acf6d55..13f211a0aef8 100644
--- a/crypto/openssl/crypto/engine/Makefile
+++ b/crypto/openssl/crypto/engine/Makefile
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -24,16 +19,14 @@ APPS=
 LIB=$(TOP)/libcrypto.a
 LIBSRC= eng_err.c eng_lib.c eng_list.c eng_init.c eng_ctrl.c \
 	eng_table.c eng_pkey.c eng_fat.c eng_all.c \
-	tb_rsa.c tb_dsa.c tb_dh.c tb_rand.c tb_cipher.c tb_digest.c \
-	eng_openssl.c eng_dyn.c eng_cnf.c \
-	hw_atalla.c hw_cswift.c hw_ncipher.c hw_nuron.c hw_ubsec.c \
-	hw_cryptodev.c hw_aep.c hw_sureware.c hw_4758_cca.c
+	tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
+	tb_cipher.c tb_digest.c \
+	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c
 LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
 	eng_table.o eng_pkey.o eng_fat.o eng_all.o \
-	tb_rsa.o tb_dsa.o tb_dh.o tb_rand.o tb_cipher.o tb_digest.o \
-	eng_openssl.o eng_dyn.o eng_cnf.o \
-	hw_atalla.o hw_cswift.o hw_ncipher.o hw_nuron.o hw_ubsec.o \
-	hw_cryptodev.o hw_aep.o hw_sureware.o hw_4758_cca.o
+	tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
+	tb_cipher.o tb_digest.o \
+	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o
 
 SRC= $(LIBSRC)
 
@@ -61,7 +54,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -70,16 +64,13 @@ install:
 tags:
 	ctags $(SRC)
 
-errors:
-	$(PERL) $(TOP)/util/mkerr.pl -conf hw.ec \
-		-nostatic -staticloader -write hw_*.c
-
 tests:
 
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -91,446 +82,207 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-eng_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-eng_all.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-eng_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+eng_all.o: ../../e_os.h ../../include/openssl/bio.h
+eng_all.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 eng_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
 eng_all.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 eng_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-eng_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+eng_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 eng_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-eng_all.o: ../../include/openssl/ui.h eng_all.c eng_int.h
-eng_cnf.o: ../../e_os.h ../../include/openssl/asn1.h
-eng_cnf.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_all.o: ../cryptlib.h eng_all.c eng_int.h
+eng_cnf.o: ../../e_os.h ../../include/openssl/bio.h
 eng_cnf.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-eng_cnf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-eng_cnf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+eng_cnf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 eng_cnf.o: ../../include/openssl/engine.h ../../include/openssl/err.h
 eng_cnf.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 eng_cnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_cnf.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 eng_cnf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_cnf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-eng_cnf.o: ../cryptlib.h eng_cnf.c
-eng_ctrl.o: ../../e_os.h ../../include/openssl/asn1.h
-eng_ctrl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_cnf.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_cnf.c eng_int.h
+eng_cryptodev.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+eng_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+eng_cryptodev.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+eng_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/obj_mac.h
+eng_cryptodev.o: ../../include/openssl/objects.h
+eng_cryptodev.o: ../../include/openssl/opensslconf.h
+eng_cryptodev.o: ../../include/openssl/opensslv.h
+eng_cryptodev.o: ../../include/openssl/ossl_typ.h
+eng_cryptodev.o: ../../include/openssl/safestack.h
+eng_cryptodev.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_cryptodev.o: eng_cryptodev.c
+eng_ctrl.o: ../../e_os.h ../../include/openssl/bio.h
 eng_ctrl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_ctrl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 eng_ctrl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
 eng_ctrl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 eng_ctrl.o: ../../include/openssl/opensslconf.h
 eng_ctrl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_ctrl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 eng_ctrl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_ctrl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-eng_ctrl.o: ../cryptlib.h eng_ctrl.c eng_int.h
-eng_dyn.o: ../../e_os.h ../../include/openssl/asn1.h
-eng_dyn.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_ctrl.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_ctrl.c eng_int.h
+eng_dyn.o: ../../e_os.h ../../include/openssl/bio.h
 eng_dyn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_dyn.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 eng_dyn.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 eng_dyn.o: ../../include/openssl/engine.h ../../include/openssl/err.h
 eng_dyn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 eng_dyn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_dyn.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 eng_dyn.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_dyn.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-eng_dyn.o: ../cryptlib.h eng_dyn.c eng_int.h
-eng_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-eng_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-eng_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+eng_dyn.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_dyn.c eng_int.h
+eng_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 eng_err.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
 eng_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 eng_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-eng_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+eng_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 eng_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-eng_err.o: ../../include/openssl/ui.h eng_err.c
-eng_fat.o: ../../e_os.h ../../include/openssl/asn1.h
-eng_fat.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_err.o: eng_err.c
+eng_fat.o: ../../e_os.h ../../include/openssl/bio.h
 eng_fat.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-eng_fat.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-eng_fat.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+eng_fat.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 eng_fat.o: ../../include/openssl/engine.h ../../include/openssl/err.h
 eng_fat.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 eng_fat.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_fat.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 eng_fat.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_fat.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-eng_fat.o: ../cryptlib.h eng_fat.c eng_int.h
-eng_init.o: ../../e_os.h ../../include/openssl/asn1.h
-eng_init.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_fat.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_fat.c eng_int.h
+eng_init.o: ../../e_os.h ../../include/openssl/bio.h
 eng_init.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_init.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 eng_init.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
 eng_init.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 eng_init.o: ../../include/openssl/opensslconf.h
 eng_init.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_init.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 eng_init.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_init.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-eng_init.o: ../cryptlib.h eng_init.c eng_int.h
-eng_lib.o: ../../e_os.h ../../include/openssl/asn1.h
-eng_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_init.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_init.c eng_int.h
+eng_lib.o: ../../e_os.h ../../include/openssl/bio.h
 eng_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 eng_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
 eng_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 eng_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 eng_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-eng_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-eng_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-eng_lib.o: ../../include/openssl/ui.h ../cryptlib.h eng_int.h eng_lib.c
-eng_list.o: ../../e_os.h ../../include/openssl/asn1.h
-eng_list.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+eng_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h eng_lib.c
+eng_list.o: ../../e_os.h ../../include/openssl/bio.h
 eng_list.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_list.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 eng_list.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
 eng_list.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 eng_list.o: ../../include/openssl/opensslconf.h
 eng_list.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_list.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 eng_list.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_list.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-eng_list.o: ../cryptlib.h eng_int.h eng_list.c
-eng_openssl.o: ../../e_os.h ../../include/openssl/aes.h
-eng_openssl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-eng_openssl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-eng_openssl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-eng_openssl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-eng_openssl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+eng_list.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h eng_list.c
+eng_openssl.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_openssl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_openssl.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
 eng_openssl.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
-eng_openssl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_openssl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-eng_openssl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-eng_openssl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-eng_openssl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+eng_openssl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_openssl.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+eng_openssl.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+eng_openssl.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 eng_openssl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 eng_openssl.o: ../../include/openssl/opensslconf.h
 eng_openssl.o: ../../include/openssl/opensslv.h
 eng_openssl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
 eng_openssl.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-eng_openssl.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-eng_openssl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-eng_openssl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-eng_openssl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-eng_openssl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-eng_openssl.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-eng_openssl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-eng_openssl.o: ../cryptlib.h eng_openssl.c
-eng_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
-eng_pkey.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_openssl.o: ../../include/openssl/rand.h ../../include/openssl/rc4.h
+eng_openssl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+eng_openssl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_openssl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_openssl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_openssl.c
+eng_padlock.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+eng_padlock.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+eng_padlock.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+eng_padlock.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+eng_padlock.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_padlock.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_padlock.o: ../../include/openssl/opensslconf.h
+eng_padlock.o: ../../include/openssl/opensslv.h
+eng_padlock.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+eng_padlock.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+eng_padlock.o: ../../include/openssl/symhacks.h eng_padlock.c
+eng_pkey.o: ../../e_os.h ../../include/openssl/bio.h
 eng_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 eng_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
 eng_pkey.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 eng_pkey.o: ../../include/openssl/opensslconf.h
 eng_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_pkey.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 eng_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-eng_pkey.o: ../cryptlib.h eng_int.h eng_pkey.c
-eng_table.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-eng_table.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-eng_table.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-eng_table.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-eng_table.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-eng_table.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+eng_pkey.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h eng_pkey.c
+eng_table.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_table.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_table.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 eng_table.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_table.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-eng_table.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-eng_table.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-eng_table.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-eng_table.o: ../../include/openssl/objects.h
+eng_table.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_table.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 eng_table.o: ../../include/openssl/opensslconf.h
 eng_table.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_table.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-eng_table.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-eng_table.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-eng_table.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-eng_table.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-eng_table.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-eng_table.o: eng_int.h eng_table.c
-hw_4758_cca.o: ../../e_os.h ../../include/openssl/aes.h
-hw_4758_cca.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-hw_4758_cca.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-hw_4758_cca.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-hw_4758_cca.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-hw_4758_cca.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-hw_4758_cca.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
-hw_4758_cca.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-hw_4758_cca.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-hw_4758_cca.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-hw_4758_cca.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-hw_4758_cca.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-hw_4758_cca.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-hw_4758_cca.o: ../../include/openssl/opensslconf.h
-hw_4758_cca.o: ../../include/openssl/opensslv.h
-hw_4758_cca.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-hw_4758_cca.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-hw_4758_cca.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-hw_4758_cca.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-hw_4758_cca.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-hw_4758_cca.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-hw_4758_cca.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-hw_4758_cca.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-hw_4758_cca.o: ../cryptlib.h hw_4758_cca.c hw_4758_cca_err.c hw_4758_cca_err.h
-hw_4758_cca.o: vendor_defns/hw_4758_cca.h
-hw_aep.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-hw_aep.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-hw_aep.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-hw_aep.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
-hw_aep.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-hw_aep.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-hw_aep.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-hw_aep.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-hw_aep.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-hw_aep.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-hw_aep.o: ../../include/openssl/ui.h hw_aep.c hw_aep_err.c hw_aep_err.h
-hw_aep.o: vendor_defns/aep.h
-hw_atalla.o: ../../e_os.h ../../include/openssl/asn1.h
-hw_atalla.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-hw_atalla.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-hw_atalla.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-hw_atalla.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-hw_atalla.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-hw_atalla.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-hw_atalla.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-hw_atalla.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-hw_atalla.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-hw_atalla.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-hw_atalla.o: ../cryptlib.h hw_atalla.c hw_atalla_err.c hw_atalla_err.h
-hw_atalla.o: vendor_defns/atalla.h
-hw_cryptodev.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-hw_cryptodev.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-hw_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-hw_cryptodev.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-hw_cryptodev.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-hw_cryptodev.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-hw_cryptodev.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-hw_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-hw_cryptodev.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-hw_cryptodev.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-hw_cryptodev.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-hw_cryptodev.o: ../../include/openssl/objects.h
-hw_cryptodev.o: ../../include/openssl/opensslconf.h
-hw_cryptodev.o: ../../include/openssl/opensslv.h
-hw_cryptodev.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-hw_cryptodev.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-hw_cryptodev.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-hw_cryptodev.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-hw_cryptodev.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-hw_cryptodev.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-hw_cryptodev.o: ../../include/openssl/ui_compat.h hw_cryptodev.c
-hw_cswift.o: ../../e_os.h ../../include/openssl/asn1.h
-hw_cswift.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-hw_cswift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-hw_cswift.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-hw_cswift.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-hw_cswift.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-hw_cswift.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-hw_cswift.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-hw_cswift.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-hw_cswift.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-hw_cswift.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-hw_cswift.o: ../cryptlib.h hw_cswift.c hw_cswift_err.c hw_cswift_err.h
-hw_cswift.o: vendor_defns/cswift.h
-hw_ncipher.o: ../../e_os.h ../../include/openssl/aes.h
-hw_ncipher.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-hw_ncipher.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-hw_ncipher.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-hw_ncipher.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-hw_ncipher.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-hw_ncipher.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
-hw_ncipher.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-hw_ncipher.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-hw_ncipher.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-hw_ncipher.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-hw_ncipher.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-hw_ncipher.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-hw_ncipher.o: ../../include/openssl/opensslconf.h
-hw_ncipher.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-hw_ncipher.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-hw_ncipher.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-hw_ncipher.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-hw_ncipher.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-hw_ncipher.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-hw_ncipher.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-hw_ncipher.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-hw_ncipher.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-hw_ncipher.o: ../../include/openssl/x509_vfy.h ../cryptlib.h hw_ncipher.c
-hw_ncipher.o: hw_ncipher_err.c hw_ncipher_err.h vendor_defns/hwcryptohook.h
-hw_nuron.o: ../../e_os.h ../../include/openssl/asn1.h
-hw_nuron.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-hw_nuron.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-hw_nuron.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-hw_nuron.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-hw_nuron.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-hw_nuron.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-hw_nuron.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-hw_nuron.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-hw_nuron.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-hw_nuron.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-hw_nuron.o: ../cryptlib.h hw_nuron.c hw_nuron_err.c hw_nuron_err.h
-hw_sureware.o: ../../e_os.h ../../include/openssl/aes.h
-hw_sureware.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-hw_sureware.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-hw_sureware.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-hw_sureware.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-hw_sureware.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-hw_sureware.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
-hw_sureware.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-hw_sureware.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-hw_sureware.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-hw_sureware.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-hw_sureware.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-hw_sureware.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-hw_sureware.o: ../../include/openssl/opensslconf.h
-hw_sureware.o: ../../include/openssl/opensslv.h
-hw_sureware.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
-hw_sureware.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-hw_sureware.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-hw_sureware.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-hw_sureware.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-hw_sureware.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-hw_sureware.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-hw_sureware.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-hw_sureware.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-hw_sureware.o: ../cryptlib.h eng_int.h engine.h hw_sureware.c hw_sureware_err.c
-hw_sureware.o: hw_sureware_err.h vendor_defns/sureware.h
-hw_ubsec.o: ../../e_os.h ../../include/openssl/asn1.h
-hw_ubsec.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-hw_ubsec.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-hw_ubsec.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-hw_ubsec.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-hw_ubsec.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-hw_ubsec.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-hw_ubsec.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-hw_ubsec.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-hw_ubsec.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-hw_ubsec.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-hw_ubsec.o: ../cryptlib.h hw_ubsec.c hw_ubsec_err.c hw_ubsec_err.h
-hw_ubsec.o: vendor_defns/hw_ubsec.h
-tb_cipher.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-tb_cipher.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-tb_cipher.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-tb_cipher.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-tb_cipher.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-tb_cipher.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-tb_cipher.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-tb_cipher.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-tb_cipher.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-tb_cipher.o: ../../include/openssl/objects.h
+eng_table.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+eng_table.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h
+eng_table.o: eng_table.c
+tb_cipher.o: ../../e_os.h ../../include/openssl/bio.h
+tb_cipher.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+tb_cipher.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_cipher.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 tb_cipher.o: ../../include/openssl/opensslconf.h
 tb_cipher.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_cipher.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-tb_cipher.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-tb_cipher.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-tb_cipher.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-tb_cipher.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_cipher.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-tb_cipher.o: eng_int.h tb_cipher.c
-tb_dh.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-tb_dh.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-tb_dh.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-tb_dh.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-tb_dh.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-tb_dh.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-tb_dh.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-tb_dh.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-tb_dh.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-tb_dh.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-tb_dh.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-tb_dh.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-tb_dh.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_dh.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-tb_dh.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-tb_dh.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-tb_dh.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+tb_cipher.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tb_cipher.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h
+tb_cipher.o: tb_cipher.c
+tb_dh.o: ../../e_os.h ../../include/openssl/bio.h
+tb_dh.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+tb_dh.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_dh.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_dh.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+tb_dh.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 tb_dh.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_dh.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h eng_int.h
-tb_dh.o: tb_dh.c
-tb_digest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-tb_digest.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-tb_digest.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-tb_digest.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-tb_digest.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-tb_digest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-tb_digest.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-tb_digest.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-tb_digest.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-tb_digest.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-tb_digest.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-tb_digest.o: ../../include/openssl/objects.h
+tb_dh.o: ../cryptlib.h eng_int.h tb_dh.c
+tb_digest.o: ../../e_os.h ../../include/openssl/bio.h
+tb_digest.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+tb_digest.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_digest.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 tb_digest.o: ../../include/openssl/opensslconf.h
 tb_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_digest.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-tb_digest.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-tb_digest.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-tb_digest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-tb_digest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_digest.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-tb_digest.o: eng_int.h tb_digest.c
-tb_dsa.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-tb_dsa.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-tb_dsa.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-tb_dsa.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-tb_dsa.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-tb_dsa.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-tb_dsa.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-tb_dsa.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-tb_dsa.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-tb_dsa.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-tb_dsa.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-tb_dsa.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-tb_dsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_dsa.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-tb_dsa.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-tb_dsa.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-tb_dsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+tb_digest.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tb_digest.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h
+tb_digest.o: tb_digest.c
+tb_dsa.o: ../../e_os.h ../../include/openssl/bio.h
+tb_dsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+tb_dsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_dsa.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_dsa.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+tb_dsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 tb_dsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_dsa.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-tb_dsa.o: eng_int.h tb_dsa.c
-tb_rand.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-tb_rand.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-tb_rand.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-tb_rand.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-tb_rand.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-tb_rand.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-tb_rand.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-tb_rand.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-tb_rand.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-tb_rand.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-tb_rand.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-tb_rand.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-tb_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_rand.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-tb_rand.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-tb_rand.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-tb_rand.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+tb_dsa.o: ../cryptlib.h eng_int.h tb_dsa.c
+tb_ecdh.o: ../../e_os.h ../../include/openssl/bio.h
+tb_ecdh.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+tb_ecdh.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_ecdh.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_ecdh.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+tb_ecdh.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+tb_ecdh.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+tb_ecdh.o: ../cryptlib.h eng_int.h tb_ecdh.c
+tb_ecdsa.o: ../../e_os.h ../../include/openssl/bio.h
+tb_ecdsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+tb_ecdsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_ecdsa.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_ecdsa.o: ../../include/openssl/opensslconf.h
+tb_ecdsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_ecdsa.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tb_ecdsa.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h tb_ecdsa.c
+tb_rand.o: ../../e_os.h ../../include/openssl/bio.h
+tb_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+tb_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_rand.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+tb_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 tb_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_rand.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-tb_rand.o: eng_int.h tb_rand.c
-tb_rsa.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-tb_rsa.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-tb_rsa.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-tb_rsa.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-tb_rsa.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-tb_rsa.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-tb_rsa.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-tb_rsa.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-tb_rsa.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-tb_rsa.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-tb_rsa.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-tb_rsa.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-tb_rsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_rsa.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-tb_rsa.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-tb_rsa.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-tb_rsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+tb_rand.o: ../cryptlib.h eng_int.h tb_rand.c
+tb_rsa.o: ../../e_os.h ../../include/openssl/bio.h
+tb_rsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+tb_rsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_rsa.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_rsa.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+tb_rsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 tb_rsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_rsa.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-tb_rsa.o: eng_int.h tb_rsa.c
+tb_rsa.o: ../cryptlib.h eng_int.h tb_rsa.c
+tb_store.o: ../../e_os.h ../../include/openssl/bio.h
+tb_store.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+tb_store.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_store.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_store.o: ../../include/openssl/opensslconf.h
+tb_store.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_store.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tb_store.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h tb_store.c
diff --git a/crypto/openssl/crypto/engine/eng_all.c b/crypto/openssl/crypto/engine/eng_all.c
index 0f6992a40dbf..86b2f9a1c33b 100644
--- a/crypto/openssl/crypto/engine/eng_all.c
+++ b/crypto/openssl/crypto/engine/eng_all.c
@@ -56,8 +56,7 @@
  *
  */
 
-#include <openssl/err.h>
-#include <openssl/engine.h>
+#include "cryptlib.h"
 #include "eng_int.h"
 
 void ENGINE_load_builtin_engines(void)
@@ -70,34 +69,42 @@ void ENGINE_load_builtin_engines(void)
 	ENGINE_load_openssl();
 #endif
 	ENGINE_load_dynamic();
+#ifndef OPENSSL_NO_STATIC_ENGINE
 #ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_4758_CCA
+	ENGINE_load_4758cca();
+#endif
+#ifndef OPENSSL_NO_HW_AEP
+	ENGINE_load_aep();
+#endif
+#ifndef OPENSSL_NO_HW_ATALLA
+	ENGINE_load_atalla();
+#endif
 #ifndef OPENSSL_NO_HW_CSWIFT
 	ENGINE_load_cswift();
 #endif
 #ifndef OPENSSL_NO_HW_NCIPHER
 	ENGINE_load_chil();
 #endif
-#ifndef OPENSSL_NO_HW_ATALLA
-	ENGINE_load_atalla();
-#endif
 #ifndef OPENSSL_NO_HW_NURON
 	ENGINE_load_nuron();
 #endif
+#ifndef OPENSSL_NO_HW_SUREWARE
+	ENGINE_load_sureware();
+#endif
 #ifndef OPENSSL_NO_HW_UBSEC
 	ENGINE_load_ubsec();
 #endif
-#ifndef OPENSSL_NO_HW_AEP
-	ENGINE_load_aep();
+#ifndef OPENSSL_NO_HW_PADLOCK
+	ENGINE_load_padlock();
 #endif
-#ifndef OPENSSL_NO_HW_SUREWARE
-	ENGINE_load_sureware();
-#endif
-#ifndef OPENSSL_NO_HW_4758_CCA
-	ENGINE_load_4758cca();
 #endif
 #if defined(__OpenBSD__) || defined(__FreeBSD__)
 	ENGINE_load_cryptodev();
 #endif
+#if !defined(OPENSSL_NO_GMP) && !defined(OPENSSL_NO_HW_GMP)
+	ENGINE_load_gmp();
+#endif
 #endif
 	}
 
diff --git a/crypto/openssl/crypto/engine/eng_cnf.c b/crypto/openssl/crypto/engine/eng_cnf.c
index cdf670901adc..a97e01e619ff 100644
--- a/crypto/openssl/crypto/engine/eng_cnf.c
+++ b/crypto/openssl/crypto/engine/eng_cnf.c
@@ -56,11 +56,8 @@
  *
  */
 
-#include <stdio.h>
-#include <openssl/crypto.h>
-#include "cryptlib.h"
+#include "eng_int.h"
 #include <openssl/conf.h>
-#include <openssl/engine.h>
 
 /* #define ENGINE_CONF_DEBUG */
 
@@ -158,7 +155,7 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
 		 	 */
 			if (!strcmp(ctrlvalue, "EMPTY"))
 				ctrlvalue = NULL;
-			else if (!strcmp(ctrlname, "init"))
+			if (!strcmp(ctrlname, "init"))
 				{
 				if (!NCONF_get_number_e(cnf, value, "init", &do_init))
 					goto err;
@@ -210,7 +207,7 @@ static int int_engine_module_init(CONF_IMODULE *md, const CONF *cnf)
 
 	if (!elist)
 		{
-		ENGINEerr(ENGINE_F_ENGINE_MODULE_INIT, ENGINE_R_ENGINES_SECTION_ERROR);
+		ENGINEerr(ENGINE_F_INT_ENGINE_MODULE_INIT, ENGINE_R_ENGINES_SECTION_ERROR);
 		return 0;
 		}
 
diff --git a/crypto/openssl/crypto/engine/eng_cryptodev.c b/crypto/openssl/crypto/engine/eng_cryptodev.c
new file mode 100644
index 000000000000..ab38cd52f097
--- /dev/null
+++ b/crypto/openssl/crypto/engine/eng_cryptodev.c
@@ -0,0 +1,1133 @@
+/*
+ * Copyright (c) 2002 Bob Beck <beck@openbsd.org>
+ * Copyright (c) 2002 Theo de Raadt
+ * Copyright (c) 2002 Markus Friedl
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <openssl/objects.h>
+#include <openssl/engine.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+
+#if (defined(__unix__) || defined(unix)) && !defined(USG) && \
+	(defined(OpenBSD) || defined(__FreeBSD_version))
+#include <sys/param.h>
+# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041)
+#  define HAVE_CRYPTODEV
+# endif
+# if (OpenBSD >= 200110)
+#  define HAVE_SYSLOG_R
+# endif
+#endif
+
+#ifndef HAVE_CRYPTODEV
+
+void
+ENGINE_load_cryptodev(void)
+{
+	/* This is a NOP on platforms without /dev/crypto */
+	return;
+}
+
+#else 
+ 
+#include <sys/types.h>
+#include <crypto/cryptodev.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <syslog.h>
+#include <errno.h>
+#include <string.h>
+
+struct dev_crypto_state {
+	struct session_op d_sess;
+	int d_fd;
+};
+
+static u_int32_t cryptodev_asymfeat = 0;
+
+static int get_asym_dev_crypto(void);
+static int open_dev_crypto(void);
+static int get_dev_crypto(void);
+static int cryptodev_max_iv(int cipher);
+static int cryptodev_key_length_valid(int cipher, int len);
+static int cipher_nid_to_cryptodev(int nid);
+static int get_cryptodev_ciphers(const int **cnids);
+static int get_cryptodev_digests(const int **cnids);
+static int cryptodev_usable_ciphers(const int **nids);
+static int cryptodev_usable_digests(const int **nids);
+static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+    const unsigned char *in, unsigned int inl);
+static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+    const unsigned char *iv, int enc);
+static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx);
+static int cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+    const int **nids, int nid);
+static int cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
+    const int **nids, int nid);
+static int bn2crparam(const BIGNUM *a, struct crparam *crp);
+static int crparam2bn(struct crparam *crp, BIGNUM *a);
+static void zapparams(struct crypt_kop *kop);
+static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r,
+    int slen, BIGNUM *s);
+
+static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a,
+    const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I,
+    RSA *rsa);
+static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
+static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a,
+    const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g,
+    BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p,
+    BN_CTX *ctx, BN_MONT_CTX *mont);
+static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst,
+    int dlen, DSA *dsa);
+static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len,
+    DSA_SIG *sig, DSA *dsa);
+static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+    const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+    BN_MONT_CTX *m_ctx);
+static int cryptodev_dh_compute_key(unsigned char *key,
+    const BIGNUM *pub_key, DH *dh);
+static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
+    void (*f)());
+void ENGINE_load_cryptodev(void);
+
+static const ENGINE_CMD_DEFN cryptodev_defns[] = {
+	{ 0, NULL, NULL, 0 }
+};
+
+static struct {
+	int	id;
+	int	nid;
+	int	ivmax;
+	int	keylen;
+} ciphers[] = {
+	{ CRYPTO_DES_CBC,		NID_des_cbc,		8,	 8, },
+	{ CRYPTO_3DES_CBC,		NID_des_ede3_cbc,	8,	24, },
+	{ CRYPTO_AES_CBC,		NID_aes_128_cbc,	16,	16, },
+	{ CRYPTO_BLF_CBC,		NID_bf_cbc,		8,	16, },
+	{ CRYPTO_CAST_CBC,		NID_cast5_cbc,		8,	16, },
+	{ CRYPTO_SKIPJACK_CBC,		NID_undef,		0,	 0, },
+	{ 0,				NID_undef,		0,	 0, },
+};
+
+static struct {
+	int	id;
+	int	nid;
+} digests[] = {
+	{ CRYPTO_SHA1_HMAC,		NID_hmacWithSHA1,	},
+	{ CRYPTO_RIPEMD160_HMAC,	NID_ripemd160,		},
+	{ CRYPTO_MD5_KPDK,		NID_undef,		},
+	{ CRYPTO_SHA1_KPDK,		NID_undef,		},
+	{ CRYPTO_MD5,			NID_md5,		},
+	{ CRYPTO_SHA1,			NID_undef,		},
+	{ 0,				NID_undef,		},
+};
+
+/*
+ * Return a fd if /dev/crypto seems usable, 0 otherwise.
+ */
+static int
+open_dev_crypto(void)
+{
+	static int fd = -1;
+
+	if (fd == -1) {
+		if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1)
+			return (-1);
+		/* close on exec */
+		if (fcntl(fd, F_SETFD, 1) == -1) {
+			close(fd);
+			fd = -1;
+			return (-1);
+		}
+	}
+	return (fd);
+}
+
+static int
+get_dev_crypto(void)
+{
+	int fd, retfd;
+
+	if ((fd = open_dev_crypto()) == -1)
+		return (-1);
+	if (ioctl(fd, CRIOGET, &retfd) == -1)
+		return (-1);
+
+	/* close on exec */
+	if (fcntl(retfd, F_SETFD, 1) == -1) {
+		close(retfd);
+		return (-1);
+	}
+	return (retfd);
+}
+
+/* Caching version for asym operations */
+static int
+get_asym_dev_crypto(void)
+{
+	static int fd = -1;
+
+	if (fd == -1)
+		fd = get_dev_crypto();
+	return fd;
+}
+
+/*
+ * XXXX this needs to be set for each alg - and determined from
+ * a running card.
+ */
+static int
+cryptodev_max_iv(int cipher)
+{
+	int i;
+
+	for (i = 0; ciphers[i].id; i++)
+		if (ciphers[i].id == cipher)
+			return (ciphers[i].ivmax);
+	return (0);
+}
+
+/*
+ * XXXX this needs to be set for each alg - and determined from
+ * a running card. For now, fake it out - but most of these
+ * for real devices should return 1 for the supported key
+ * sizes the device can handle.
+ */
+static int
+cryptodev_key_length_valid(int cipher, int len)
+{
+	int i;
+
+	for (i = 0; ciphers[i].id; i++)
+		if (ciphers[i].id == cipher)
+			return (ciphers[i].keylen == len);
+	return (0);
+}
+
+/* convert libcrypto nids to cryptodev */
+static int
+cipher_nid_to_cryptodev(int nid)
+{
+	int i;
+
+	for (i = 0; ciphers[i].id; i++)
+		if (ciphers[i].nid == nid)
+			return (ciphers[i].id);
+	return (0);
+}
+
+/*
+ * Find out what ciphers /dev/crypto will let us have a session for.
+ * XXX note, that some of these openssl doesn't deal with yet!
+ * returning them here is harmless, as long as we return NULL
+ * when asked for a handler in the cryptodev_engine_ciphers routine
+ */
+static int
+get_cryptodev_ciphers(const int **cnids)
+{
+	static int nids[CRYPTO_ALGORITHM_MAX];
+	struct session_op sess;
+	int fd, i, count = 0;
+
+	if ((fd = get_dev_crypto()) < 0) {
+		*cnids = NULL;
+		return (0);
+	}
+	memset(&sess, 0, sizeof(sess));
+	sess.key = (caddr_t)"123456781234567812345678";
+
+	for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
+		if (ciphers[i].nid == NID_undef)
+			continue;
+		sess.cipher = ciphers[i].id;
+		sess.keylen = ciphers[i].keylen;
+		sess.mac = 0;
+		if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
+		    ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
+			nids[count++] = ciphers[i].nid;
+	}
+	close(fd);
+
+	if (count > 0)
+		*cnids = nids;
+	else
+		*cnids = NULL;
+	return (count);
+}
+
+/*
+ * Find out what digests /dev/crypto will let us have a session for.
+ * XXX note, that some of these openssl doesn't deal with yet!
+ * returning them here is harmless, as long as we return NULL
+ * when asked for a handler in the cryptodev_engine_digests routine
+ */
+static int
+get_cryptodev_digests(const int **cnids)
+{
+	static int nids[CRYPTO_ALGORITHM_MAX];
+	struct session_op sess;
+	int fd, i, count = 0;
+
+	if ((fd = get_dev_crypto()) < 0) {
+		*cnids = NULL;
+		return (0);
+	}
+	memset(&sess, 0, sizeof(sess));
+	for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
+		if (digests[i].nid == NID_undef)
+			continue;
+		sess.mac = digests[i].id;
+		sess.cipher = 0;
+		if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
+		    ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
+			nids[count++] = digests[i].nid;
+	}
+	close(fd);
+
+	if (count > 0)
+		*cnids = nids;
+	else
+		*cnids = NULL;
+	return (count);
+}
+
+/*
+ * Find the useable ciphers|digests from dev/crypto - this is the first
+ * thing called by the engine init crud which determines what it
+ * can use for ciphers from this engine. We want to return
+ * only what we can do, anythine else is handled by software.
+ *
+ * If we can't initialize the device to do anything useful for
+ * any reason, we want to return a NULL array, and 0 length,
+ * which forces everything to be done is software. By putting
+ * the initalization of the device in here, we ensure we can
+ * use this engine as the default, and if for whatever reason
+ * /dev/crypto won't do what we want it will just be done in
+ * software
+ *
+ * This can (should) be greatly expanded to perhaps take into
+ * account speed of the device, and what we want to do.
+ * (although the disabling of particular alg's could be controlled
+ * by the device driver with sysctl's.) - this is where we
+ * want most of the decisions made about what we actually want
+ * to use from /dev/crypto.
+ */
+static int
+cryptodev_usable_ciphers(const int **nids)
+{
+	return (get_cryptodev_ciphers(nids));
+}
+
+static int
+cryptodev_usable_digests(const int **nids)
+{
+	/*
+	 * XXXX just disable all digests for now, because it sucks.
+	 * we need a better way to decide this - i.e. I may not
+	 * want digests on slow cards like hifn on fast machines,
+	 * but might want them on slow or loaded machines, etc.
+	 * will also want them when using crypto cards that don't
+	 * suck moose gonads - would be nice to be able to decide something
+	 * as reasonable default without having hackery that's card dependent.
+	 * of course, the default should probably be just do everything,
+	 * with perhaps a sysctl to turn algoritms off (or have them off
+	 * by default) on cards that generally suck like the hifn.
+	 */
+	*nids = NULL;
+	return (0);
+}
+
+static int
+cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+    const unsigned char *in, unsigned int inl)
+{
+	struct crypt_op cryp;
+	struct dev_crypto_state *state = ctx->cipher_data;
+	struct session_op *sess = &state->d_sess;
+	void *iiv;
+	unsigned char save_iv[EVP_MAX_IV_LENGTH];
+
+	if (state->d_fd < 0)
+		return (0);
+	if (!inl)
+		return (1);
+	if ((inl % ctx->cipher->block_size) != 0)
+		return (0);
+
+	memset(&cryp, 0, sizeof(cryp));
+
+	cryp.ses = sess->ses;
+	cryp.flags = 0;
+	cryp.len = inl;
+	cryp.src = (caddr_t) in;
+	cryp.dst = (caddr_t) out;
+	cryp.mac = 0;
+
+	cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
+
+	if (ctx->cipher->iv_len) {
+		cryp.iv = (caddr_t) ctx->iv;
+		if (!ctx->encrypt) {
+			iiv = (void *) in + inl - ctx->cipher->iv_len;
+			memcpy(save_iv, iiv, ctx->cipher->iv_len);
+		}
+	} else
+		cryp.iv = NULL;
+
+	if (ioctl(state->d_fd, CIOCCRYPT, &cryp) == -1) {
+		/* XXX need better errror handling
+		 * this can fail for a number of different reasons.
+		 */
+		return (0);
+	}
+
+	if (ctx->cipher->iv_len) {
+		if (ctx->encrypt)
+			iiv = (void *) out + inl - ctx->cipher->iv_len;
+		else
+			iiv = save_iv;
+		memcpy(ctx->iv, iiv, ctx->cipher->iv_len);
+	}
+	return (1);
+}
+
+static int
+cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+    const unsigned char *iv, int enc)
+{
+	struct dev_crypto_state *state = ctx->cipher_data;
+	struct session_op *sess = &state->d_sess;
+	int cipher;
+
+	if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef)
+		return (0);
+
+	if (ctx->cipher->iv_len > cryptodev_max_iv(cipher))
+		return (0);
+
+	if (!cryptodev_key_length_valid(cipher, ctx->key_len))
+		return (0);
+
+	memset(sess, 0, sizeof(struct session_op));
+
+	if ((state->d_fd = get_dev_crypto()) < 0)
+		return (0);
+
+	sess->key = (unsigned char *)key;
+	sess->keylen = ctx->key_len;
+	sess->cipher = cipher;
+
+	if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) {
+		close(state->d_fd);
+		state->d_fd = -1;
+		return (0);
+	}
+	return (1);
+}
+
+/*
+ * free anything we allocated earlier when initting a
+ * session, and close the session.
+ */
+static int
+cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
+{
+	int ret = 0;
+	struct dev_crypto_state *state = ctx->cipher_data;
+	struct session_op *sess = &state->d_sess;
+
+	if (state->d_fd < 0)
+		return (0);
+
+	/* XXX if this ioctl fails, someting's wrong. the invoker
+	 * may have called us with a bogus ctx, or we could
+	 * have a device that for whatever reason just doesn't
+	 * want to play ball - it's not clear what's right
+	 * here - should this be an error? should it just
+	 * increase a counter, hmm. For right now, we return
+	 * 0 - I don't believe that to be "right". we could
+	 * call the gorpy openssl lib error handlers that
+	 * print messages to users of the library. hmm..
+	 */
+
+	if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) == -1) {
+		ret = 0;
+	} else {
+		ret = 1;
+	}
+	close(state->d_fd);
+	state->d_fd = -1;
+
+	return (ret);
+}
+
+/*
+ * libcrypto EVP stuff - this is how we get wired to EVP so the engine
+ * gets called when libcrypto requests a cipher NID.
+ */
+
+/* DES CBC EVP */
+const EVP_CIPHER cryptodev_des_cbc = {
+	NID_des_cbc,
+	8, 8, 8,
+	EVP_CIPH_CBC_MODE,
+	cryptodev_init_key,
+	cryptodev_cipher,
+	cryptodev_cleanup,
+	sizeof(struct dev_crypto_state),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+};
+
+/* 3DES CBC EVP */
+const EVP_CIPHER cryptodev_3des_cbc = {
+	NID_des_ede3_cbc,
+	8, 24, 8,
+	EVP_CIPH_CBC_MODE,
+	cryptodev_init_key,
+	cryptodev_cipher,
+	cryptodev_cleanup,
+	sizeof(struct dev_crypto_state),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+};
+
+const EVP_CIPHER cryptodev_bf_cbc = {
+	NID_bf_cbc,
+	8, 16, 8,
+	EVP_CIPH_CBC_MODE,
+	cryptodev_init_key,
+	cryptodev_cipher,
+	cryptodev_cleanup,
+	sizeof(struct dev_crypto_state),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+};
+
+const EVP_CIPHER cryptodev_cast_cbc = {
+	NID_cast5_cbc,
+	8, 16, 8,
+	EVP_CIPH_CBC_MODE,
+	cryptodev_init_key,
+	cryptodev_cipher,
+	cryptodev_cleanup,
+	sizeof(struct dev_crypto_state),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+};
+
+const EVP_CIPHER cryptodev_aes_cbc = {
+	NID_aes_128_cbc,
+	16, 16, 16,
+	EVP_CIPH_CBC_MODE,
+	cryptodev_init_key,
+	cryptodev_cipher,
+	cryptodev_cleanup,
+	sizeof(struct dev_crypto_state),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+};
+
+/*
+ * Registered by the ENGINE when used to find out how to deal with
+ * a particular NID in the ENGINE. this says what we'll do at the
+ * top level - note, that list is restricted by what we answer with
+ */
+static int
+cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+    const int **nids, int nid)
+{
+	if (!cipher)
+		return (cryptodev_usable_ciphers(nids));
+
+	switch (nid) {
+	case NID_des_ede3_cbc:
+		*cipher = &cryptodev_3des_cbc;
+		break;
+	case NID_des_cbc:
+		*cipher = &cryptodev_des_cbc;
+		break;
+	case NID_bf_cbc:
+		*cipher = &cryptodev_bf_cbc;
+		break;
+	case NID_cast5_cbc:
+		*cipher = &cryptodev_cast_cbc;
+		break;
+	case NID_aes_128_cbc:
+		*cipher = &cryptodev_aes_cbc;
+		break;
+	default:
+		*cipher = NULL;
+		break;
+	}
+	return (*cipher != NULL);
+}
+
+static int
+cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
+    const int **nids, int nid)
+{
+	if (!digest)
+		return (cryptodev_usable_digests(nids));
+
+	switch (nid) {
+	case NID_md5:
+		*digest = NULL; /* need to make a clean md5 critter */
+		break;
+	default:
+		*digest = NULL;
+		break;
+	}
+	return (*digest != NULL);
+}
+
+/*
+ * Convert a BIGNUM to the representation that /dev/crypto needs.
+ * Upon completion of use, the caller is responsible for freeing
+ * crp->crp_p.
+ */
+static int
+bn2crparam(const BIGNUM *a, struct crparam *crp)
+{
+	int i, j, k;
+	ssize_t words, bytes, bits;
+	u_char *b;
+
+	crp->crp_p = NULL;
+	crp->crp_nbits = 0;
+
+	bits = BN_num_bits(a);
+	bytes = (bits + 7) / 8;
+
+	b = malloc(bytes);
+	if (b == NULL)
+		return (1);
+
+	crp->crp_p = b;
+	crp->crp_nbits = bits;
+
+	for (i = 0, j = 0; i < a->top; i++) {
+		for (k = 0; k < BN_BITS2 / 8; k++) {
+			if ((j + k) >= bytes)
+				return (0);
+			b[j + k] = a->d[i] >> (k * 8);
+		}
+		j += BN_BITS2 / 8;
+	}
+	return (0);
+}
+
+/* Convert a /dev/crypto parameter to a BIGNUM */
+static int
+crparam2bn(struct crparam *crp, BIGNUM *a)
+{
+	u_int8_t *pd;
+	int i, bytes;
+
+	bytes = (crp->crp_nbits + 7) / 8;
+
+	if (bytes == 0)
+		return (-1);
+
+	if ((pd = (u_int8_t *) malloc(bytes)) == NULL)
+		return (-1);
+
+	for (i = 0; i < bytes; i++)
+		pd[i] = crp->crp_p[bytes - i - 1];
+
+	BN_bin2bn(pd, bytes, a);
+	free(pd);
+
+	return (0);
+}
+
+static void
+zapparams(struct crypt_kop *kop)
+{
+	int i;
+
+	for (i = 0; i <= kop->crk_iparams + kop->crk_oparams; i++) {
+		if (kop->crk_param[i].crp_p)
+			free(kop->crk_param[i].crp_p);
+		kop->crk_param[i].crp_p = NULL;
+		kop->crk_param[i].crp_nbits = 0;
+	}
+}
+
+static int
+cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, BIGNUM *s)
+{
+	int fd, ret = -1;
+
+	if ((fd = get_asym_dev_crypto()) < 0)
+		return (ret);
+
+	if (r) {
+		kop->crk_param[kop->crk_iparams].crp_p = calloc(rlen, sizeof(char));
+		kop->crk_param[kop->crk_iparams].crp_nbits = rlen * 8;
+		kop->crk_oparams++;
+	}
+	if (s) {
+		kop->crk_param[kop->crk_iparams+1].crp_p = calloc(slen, sizeof(char));
+		kop->crk_param[kop->crk_iparams+1].crp_nbits = slen * 8;
+		kop->crk_oparams++;
+	}
+
+	if (ioctl(fd, CIOCKEY, kop) == 0) {
+		if (r)
+			crparam2bn(&kop->crk_param[kop->crk_iparams], r);
+		if (s)
+			crparam2bn(&kop->crk_param[kop->crk_iparams+1], s);
+		ret = 0;
+	}
+
+	return (ret);
+}
+
+static int
+cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+	struct crypt_kop kop;
+	int ret = 1;
+
+	/* Currently, we know we can do mod exp iff we can do any
+	 * asymmetric operations at all.
+	 */
+	if (cryptodev_asymfeat == 0) {
+		ret = BN_mod_exp(r, a, p, m, ctx);
+		return (ret);
+	}
+
+	memset(&kop, 0, sizeof kop);
+	kop.crk_op = CRK_MOD_EXP;
+
+	/* inputs: a^p % m */
+	if (bn2crparam(a, &kop.crk_param[0]))
+		goto err;
+	if (bn2crparam(p, &kop.crk_param[1]))
+		goto err;
+	if (bn2crparam(m, &kop.crk_param[2]))
+		goto err;
+	kop.crk_iparams = 3;
+
+	if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) {
+		const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+		ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
+	}
+err:
+	zapparams(&kop);
+	return (ret);
+}
+
+static int
+cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+{
+	int r;
+	BN_CTX *ctx;
+
+	ctx = BN_CTX_new();
+	r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL);
+	BN_CTX_free(ctx);
+	return (r);
+}
+
+static int
+cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+{
+	struct crypt_kop kop;
+	int ret = 1;
+
+	if (!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) {
+		/* XXX 0 means failure?? */
+		return (0);
+	}
+
+	memset(&kop, 0, sizeof kop);
+	kop.crk_op = CRK_MOD_EXP_CRT;
+	/* inputs: rsa->p rsa->q I rsa->dmp1 rsa->dmq1 rsa->iqmp */
+	if (bn2crparam(rsa->p, &kop.crk_param[0]))
+		goto err;
+	if (bn2crparam(rsa->q, &kop.crk_param[1]))
+		goto err;
+	if (bn2crparam(I, &kop.crk_param[2]))
+		goto err;
+	if (bn2crparam(rsa->dmp1, &kop.crk_param[3]))
+		goto err;
+	if (bn2crparam(rsa->dmq1, &kop.crk_param[4]))
+		goto err;
+	if (bn2crparam(rsa->iqmp, &kop.crk_param[5]))
+		goto err;
+	kop.crk_iparams = 6;
+
+	if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) {
+		const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+		ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
+	}
+err:
+	zapparams(&kop);
+	return (ret);
+}
+
+static RSA_METHOD cryptodev_rsa = {
+	"cryptodev RSA method",
+	NULL,				/* rsa_pub_enc */
+	NULL,				/* rsa_pub_dec */
+	NULL,				/* rsa_priv_enc */
+	NULL,				/* rsa_priv_dec */
+	NULL,
+	NULL,
+	NULL,				/* init */
+	NULL,				/* finish */
+	0,				/* flags */
+	NULL,				/* app_data */
+	NULL,				/* rsa_sign */
+	NULL				/* rsa_verify */
+};
+
+static int
+cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+{
+	return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx));
+}
+
+static int
+cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g,
+    BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p,
+    BN_CTX *ctx, BN_MONT_CTX *mont)
+{
+	BIGNUM t2;
+	int ret = 0;
+
+	BN_init(&t2);
+
+	/* v = ( g^u1 * y^u2 mod p ) mod q */
+	/* let t1 = g ^ u1 mod p */
+	ret = 0;
+
+	if (!dsa->meth->bn_mod_exp(dsa,t1,dsa->g,u1,dsa->p,ctx,mont))
+		goto err;
+
+	/* let t2 = y ^ u2 mod p */
+	if (!dsa->meth->bn_mod_exp(dsa,&t2,dsa->pub_key,u2,dsa->p,ctx,mont))
+		goto err;
+	/* let u1 = t1 * t2 mod p */
+	if (!BN_mod_mul(u1,t1,&t2,dsa->p,ctx))
+		goto err;
+
+	BN_copy(t1,u1);
+
+	ret = 1;
+err:
+	BN_free(&t2);
+	return(ret);
+}
+
+static DSA_SIG *
+cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+{
+	struct crypt_kop kop;
+	BIGNUM *r = NULL, *s = NULL;
+	DSA_SIG *dsaret = NULL;
+
+	if ((r = BN_new()) == NULL)
+		goto err;
+	if ((s = BN_new()) == NULL) {
+		BN_free(r);
+		goto err;
+	}
+
+	memset(&kop, 0, sizeof kop);
+	kop.crk_op = CRK_DSA_SIGN;
+
+	/* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */
+	kop.crk_param[0].crp_p = (caddr_t)dgst;
+	kop.crk_param[0].crp_nbits = dlen * 8;
+	if (bn2crparam(dsa->p, &kop.crk_param[1]))
+		goto err;
+	if (bn2crparam(dsa->q, &kop.crk_param[2]))
+		goto err;
+	if (bn2crparam(dsa->g, &kop.crk_param[3]))
+		goto err;
+	if (bn2crparam(dsa->priv_key, &kop.crk_param[4]))
+		goto err;
+	kop.crk_iparams = 5;
+
+	if (cryptodev_asym(&kop, BN_num_bytes(dsa->q), r,
+	    BN_num_bytes(dsa->q), s) == 0) {
+		dsaret = DSA_SIG_new();
+		dsaret->r = r;
+		dsaret->s = s;
+	} else {
+		const DSA_METHOD *meth = DSA_OpenSSL();
+		BN_free(r);
+		BN_free(s);
+		dsaret = (meth->dsa_do_sign)(dgst, dlen, dsa);
+	}
+err:
+	kop.crk_param[0].crp_p = NULL;
+	zapparams(&kop);
+	return (dsaret);
+}
+
+static int
+cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
+    DSA_SIG *sig, DSA *dsa)
+{
+	struct crypt_kop kop;
+	int dsaret = 1;
+
+	memset(&kop, 0, sizeof kop);
+	kop.crk_op = CRK_DSA_VERIFY;
+
+	/* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */
+	kop.crk_param[0].crp_p = (caddr_t)dgst;
+	kop.crk_param[0].crp_nbits = dlen * 8;
+	if (bn2crparam(dsa->p, &kop.crk_param[1]))
+		goto err;
+	if (bn2crparam(dsa->q, &kop.crk_param[2]))
+		goto err;
+	if (bn2crparam(dsa->g, &kop.crk_param[3]))
+		goto err;
+	if (bn2crparam(dsa->pub_key, &kop.crk_param[4]))
+		goto err;
+	if (bn2crparam(sig->r, &kop.crk_param[5]))
+		goto err;
+	if (bn2crparam(sig->s, &kop.crk_param[6]))
+		goto err;
+	kop.crk_iparams = 7;
+
+	if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) {
+		dsaret = kop.crk_status;
+	} else {
+		const DSA_METHOD *meth = DSA_OpenSSL();
+
+		dsaret = (meth->dsa_do_verify)(dgst, dlen, sig, dsa);
+	}
+err:
+	kop.crk_param[0].crp_p = NULL;
+	zapparams(&kop);
+	return (dsaret);
+}
+
+static DSA_METHOD cryptodev_dsa = {
+	"cryptodev DSA method",
+	NULL,
+	NULL,				/* dsa_sign_setup */
+	NULL,
+	NULL,				/* dsa_mod_exp */
+	NULL,
+	NULL,				/* init */
+	NULL,				/* finish */
+	0,	/* flags */
+	NULL	/* app_data */
+};
+
+static int
+cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+    const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+    BN_MONT_CTX *m_ctx)
+{
+	return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx));
+}
+
+static int
+cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+{
+	struct crypt_kop kop;
+	int dhret = 1;
+	int fd, keylen;
+
+	if ((fd = get_asym_dev_crypto()) < 0) {
+		const DH_METHOD *meth = DH_OpenSSL();
+
+		return ((meth->compute_key)(key, pub_key, dh));
+	}
+
+	keylen = BN_num_bits(dh->p);
+
+	memset(&kop, 0, sizeof kop);
+	kop.crk_op = CRK_DH_COMPUTE_KEY;
+
+	/* inputs: dh->priv_key pub_key dh->p key */
+	if (bn2crparam(dh->priv_key, &kop.crk_param[0]))
+		goto err;
+	if (bn2crparam(pub_key, &kop.crk_param[1]))
+		goto err;
+	if (bn2crparam(dh->p, &kop.crk_param[2]))
+		goto err;
+	kop.crk_iparams = 3;
+
+	kop.crk_param[3].crp_p = key;
+	kop.crk_param[3].crp_nbits = keylen * 8;
+	kop.crk_oparams = 1;
+
+	if (ioctl(fd, CIOCKEY, &kop) == -1) {
+		const DH_METHOD *meth = DH_OpenSSL();
+
+		dhret = (meth->compute_key)(key, pub_key, dh);
+	}
+err:
+	kop.crk_param[3].crp_p = NULL;
+	zapparams(&kop);
+	return (dhret);
+}
+
+static DH_METHOD cryptodev_dh = {
+	"cryptodev DH method",
+	NULL,				/* cryptodev_dh_generate_key */
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	0,	/* flags */
+	NULL	/* app_data */
+};
+
+/*
+ * ctrl right now is just a wrapper that doesn't do much
+ * but I expect we'll want some options soon.
+ */
+static int
+cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+{
+#ifdef HAVE_SYSLOG_R
+	struct syslog_data sd = SYSLOG_DATA_INIT;
+#endif
+
+	switch (cmd) {
+	default:
+#ifdef HAVE_SYSLOG_R
+		syslog_r(LOG_ERR, &sd,
+		    "cryptodev_ctrl: unknown command %d", cmd);
+#else
+		syslog(LOG_ERR, "cryptodev_ctrl: unknown command %d", cmd);
+#endif
+		break;
+	}
+	return (1);
+}
+
+void
+ENGINE_load_cryptodev(void)
+{
+	ENGINE *engine = ENGINE_new();
+	int fd;
+
+	if (engine == NULL)
+		return;
+	if ((fd = get_dev_crypto()) < 0) {
+		ENGINE_free(engine);
+		return;
+	}
+
+	/*
+	 * find out what asymmetric crypto algorithms we support
+	 */
+	if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) {
+		close(fd);
+		ENGINE_free(engine);
+		return;
+	}
+	close(fd);
+
+	if (!ENGINE_set_id(engine, "cryptodev") ||
+	    !ENGINE_set_name(engine, "BSD cryptodev engine") ||
+	    !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
+	    !ENGINE_set_digests(engine, cryptodev_engine_digests) ||
+	    !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) ||
+	    !ENGINE_set_cmd_defns(engine, cryptodev_defns)) {
+		ENGINE_free(engine);
+		return;
+	}
+
+	if (ENGINE_set_RSA(engine, &cryptodev_rsa)) {
+		const RSA_METHOD *rsa_meth = RSA_PKCS1_SSLeay();
+
+		cryptodev_rsa.bn_mod_exp = rsa_meth->bn_mod_exp;
+		cryptodev_rsa.rsa_mod_exp = rsa_meth->rsa_mod_exp;
+		cryptodev_rsa.rsa_pub_enc = rsa_meth->rsa_pub_enc;
+		cryptodev_rsa.rsa_pub_dec = rsa_meth->rsa_pub_dec;
+		cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_enc;
+		cryptodev_rsa.rsa_priv_dec = rsa_meth->rsa_priv_dec;
+		if (cryptodev_asymfeat & CRF_MOD_EXP) {
+			cryptodev_rsa.bn_mod_exp = cryptodev_bn_mod_exp;
+			if (cryptodev_asymfeat & CRF_MOD_EXP_CRT)
+				cryptodev_rsa.rsa_mod_exp =
+				    cryptodev_rsa_mod_exp;
+			else
+				cryptodev_rsa.rsa_mod_exp =
+				    cryptodev_rsa_nocrt_mod_exp;
+		}
+	}
+
+	if (ENGINE_set_DSA(engine, &cryptodev_dsa)) {
+		const DSA_METHOD *meth = DSA_OpenSSL();
+
+		memcpy(&cryptodev_dsa, meth, sizeof(DSA_METHOD));
+		if (cryptodev_asymfeat & CRF_DSA_SIGN)
+			cryptodev_dsa.dsa_do_sign = cryptodev_dsa_do_sign;
+		if (cryptodev_asymfeat & CRF_MOD_EXP) {
+			cryptodev_dsa.bn_mod_exp = cryptodev_dsa_bn_mod_exp;
+			cryptodev_dsa.dsa_mod_exp = cryptodev_dsa_dsa_mod_exp;
+		}
+		if (cryptodev_asymfeat & CRF_DSA_VERIFY)
+			cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify;
+	}
+
+	if (ENGINE_set_DH(engine, &cryptodev_dh)){
+		const DH_METHOD *dh_meth = DH_OpenSSL();
+
+		cryptodev_dh.generate_key = dh_meth->generate_key;
+		cryptodev_dh.compute_key = dh_meth->compute_key;
+		cryptodev_dh.bn_mod_exp = dh_meth->bn_mod_exp;
+		if (cryptodev_asymfeat & CRF_MOD_EXP) {
+			cryptodev_dh.bn_mod_exp = cryptodev_mod_exp_dh;
+			if (cryptodev_asymfeat & CRF_DH_COMPUTE_KEY)
+				cryptodev_dh.compute_key =
+				    cryptodev_dh_compute_key;
+		}
+	}
+
+	ENGINE_add(engine);
+	ENGINE_free(engine);
+	ERR_clear_error();
+}
+
+#endif /* HAVE_CRYPTODEV */
diff --git a/crypto/openssl/crypto/engine/eng_ctrl.c b/crypto/openssl/crypto/engine/eng_ctrl.c
index 412c73fb0fd3..95b6b455aaf4 100644
--- a/crypto/openssl/crypto/engine/eng_ctrl.c
+++ b/crypto/openssl/crypto/engine/eng_ctrl.c
@@ -53,10 +53,7 @@
  *
  */
 
-#include <openssl/crypto.h>
-#include "cryptlib.h"
 #include "eng_int.h"
-#include <openssl/engine.h>
 
 /* When querying a ENGINE-specific control command's 'description', this string
  * is used if the ENGINE_CMD_DEFN has cmd_desc set to NULL. */
@@ -103,7 +100,8 @@ static int int_ctrl_cmd_by_num(const ENGINE_CMD_DEFN *defn, unsigned int num)
 	return -1;
 	}
 
-static int int_ctrl_helper(ENGINE *e, int cmd, long i, void *p, void (*f)())
+static int int_ctrl_helper(ENGINE *e, int cmd, long i, void *p,
+			   void (*f)(void))
 	{
 	int idx;
 	char *s = (char *)p;
@@ -181,7 +179,7 @@ static int int_ctrl_helper(ENGINE *e, int cmd, long i, void *p, void (*f)())
 	return -1;
 	}
 
-int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
 	{
 	int ctrl_exists, ref_exists;
 	if(e == NULL)
@@ -251,13 +249,13 @@ int ENGINE_cmd_is_executable(ENGINE *e, int cmd)
 	}
 
 int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
-        long i, void *p, void (*f)(), int cmd_optional)
+        long i, void *p, void (*f)(void), int cmd_optional)
         {
 	int num;
 
 	if((e == NULL) || (cmd_name == NULL))
 		{
-		ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+		ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD,
 			ERR_R_PASSED_NULL_PARAMETER);
 		return 0;
 		}
diff --git a/crypto/openssl/crypto/engine/eng_dyn.c b/crypto/openssl/crypto/engine/eng_dyn.c
index 4139a16e76dc..acb30c34d899 100644
--- a/crypto/openssl/crypto/engine/eng_dyn.c
+++ b/crypto/openssl/crypto/engine/eng_dyn.c
@@ -57,11 +57,7 @@
  */
 
 
-#include <stdio.h>
-#include <openssl/crypto.h>
-#include "cryptlib.h"
 #include "eng_int.h"
-#include <openssl/engine.h>
 #include <openssl/dso.h>
 
 /* Shared libraries implementing ENGINEs for use by the "dynamic" ENGINE loader
@@ -70,7 +66,7 @@
 /* Our ENGINE handlers */
 static int dynamic_init(ENGINE *e);
 static int dynamic_finish(ENGINE *e);
-static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
 /* Predeclare our context type */
 typedef struct st_dynamic_data_ctx dynamic_data_ctx;
 /* The implementation for the important control command */
@@ -80,7 +76,9 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx);
 #define DYNAMIC_CMD_NO_VCHECK		(ENGINE_CMD_BASE + 1)
 #define DYNAMIC_CMD_ID			(ENGINE_CMD_BASE + 2)
 #define DYNAMIC_CMD_LIST_ADD		(ENGINE_CMD_BASE + 3)
-#define DYNAMIC_CMD_LOAD		(ENGINE_CMD_BASE + 4)
+#define DYNAMIC_CMD_DIR_LOAD		(ENGINE_CMD_BASE + 4)
+#define DYNAMIC_CMD_DIR_ADD		(ENGINE_CMD_BASE + 5)
+#define DYNAMIC_CMD_LOAD		(ENGINE_CMD_BASE + 6)
 
 /* The constants used when creating the ENGINE */
 static const char *engine_dynamic_id = "dynamic";
@@ -102,6 +100,14 @@ static const ENGINE_CMD_DEFN dynamic_cmd_defns[] = {
 		"LIST_ADD",
 		"Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)",
 		ENGINE_CMD_FLAG_NUMERIC},
+	{DYNAMIC_CMD_DIR_LOAD,
+		"DIR_LOAD",
+		"Specifies whether to load from 'DIR_ADD' directories (0=no,1=yes,2=mandatory)",
+		ENGINE_CMD_FLAG_NUMERIC},
+	{DYNAMIC_CMD_DIR_ADD,
+		"DIR_ADD",
+		"Adds a directory from which ENGINEs can be loaded",
+		ENGINE_CMD_FLAG_STRING},
 	{DYNAMIC_CMD_LOAD,
 		"LOAD",
 		"Load up the ENGINE specified by other settings",
@@ -136,12 +142,18 @@ struct st_dynamic_data_ctx
 	const char *DYNAMIC_F1;
 	/* The symbol name for the "initialise ENGINE structure" function */
 	const char *DYNAMIC_F2;
+	/* Whether to never use 'dirs', use 'dirs' as a fallback, or only use
+	 * 'dirs' for loading. Default is to use 'dirs' as a fallback. */
+	int dir_load;
+	/* A stack of directories from which ENGINEs could be loaded */
+	STACK *dirs;
 	};
 
 /* This is the "ex_data" index we obtain and reserve for use with our context
  * structure. */
 static int dynamic_ex_data_idx = -1;
 
+static void int_free_str(void *s) { OPENSSL_free(s); }
 /* Because our ex_data element may or may not get allocated depending on whether
  * a "first-use" occurs before the ENGINE is freed, we have a memory leak
  * problem to solve. We can't declare a "new" handler for the ex_data as we
@@ -161,6 +173,8 @@ static void dynamic_data_ctx_free_func(void *parent, void *ptr,
 			OPENSSL_free((void*)ctx->DYNAMIC_LIBNAME);
 		if(ctx->engine_id)
 			OPENSSL_free((void*)ctx->engine_id);
+		if(ctx->dirs)
+			sk_pop_free(ctx->dirs, int_free_str);
 		OPENSSL_free(ctx);
 		}
 	}
@@ -175,7 +189,7 @@ static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx)
 	c = OPENSSL_malloc(sizeof(dynamic_data_ctx));
 	if(!c)
 		{
-		ENGINEerr(ENGINE_F_SET_DATA_CTX,ERR_R_MALLOC_FAILURE);
+		ENGINEerr(ENGINE_F_DYNAMIC_SET_DATA_CTX,ERR_R_MALLOC_FAILURE);
 		return 0;
 		}
 	memset(c, 0, sizeof(dynamic_data_ctx));
@@ -188,6 +202,14 @@ static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx)
 	c->list_add_value = 0;
 	c->DYNAMIC_F1 = "v_check";
 	c->DYNAMIC_F2 = "bind_engine";
+	c->dir_load = 1;
+	c->dirs = sk_new_null();
+	if(!c->dirs)
+		{
+		ENGINEerr(ENGINE_F_DYNAMIC_SET_DATA_CTX,ERR_R_MALLOC_FAILURE);
+		OPENSSL_free(c);
+		return 0;
+		}
 	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
 	if((*ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e,
 				dynamic_ex_data_idx)) == NULL)
@@ -290,7 +312,7 @@ static int dynamic_finish(ENGINE *e)
 	return 0;
 	}
 
-static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
 	{
 	dynamic_data_ctx *ctx = dynamic_get_data_ctx(e);
 	int initialised;
@@ -346,6 +368,34 @@ static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
 		return 1;
 	case DYNAMIC_CMD_LOAD:
 		return dynamic_load(e, ctx);
+	case DYNAMIC_CMD_DIR_LOAD:
+		if((i < 0) || (i > 2))
+			{
+			ENGINEerr(ENGINE_F_DYNAMIC_CTRL,
+				ENGINE_R_INVALID_ARGUMENT);
+			return 0;
+			}
+		ctx->dir_load = (int)i;
+		return 1;
+	case DYNAMIC_CMD_DIR_ADD:
+		/* a NULL 'p' or a string of zero-length is the same thing */
+		if(!p || (strlen((const char *)p) < 1))
+			{
+			ENGINEerr(ENGINE_F_DYNAMIC_CTRL,
+				ENGINE_R_INVALID_ARGUMENT);
+			return 0;
+			}
+		{
+		char *tmp_str = BUF_strdup(p);
+		if(!tmp_str)
+			{
+			ENGINEerr(ENGINE_F_DYNAMIC_CTRL,
+				ERR_R_MALLOC_FAILURE);
+			return 0;
+			}
+		sk_insert(ctx->dirs, tmp_str, -1);
+		}
+		return 1;
 	default:
 		break;
 		}
@@ -353,16 +403,53 @@ static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
 	return 0;
 	}
 
+static int int_load(dynamic_data_ctx *ctx)
+	{
+	int num, loop;
+	/* Unless told not to, try a direct load */
+	if((ctx->dir_load != 2) && (DSO_load(ctx->dynamic_dso,
+				ctx->DYNAMIC_LIBNAME, NULL, 0)) != NULL)
+		return 1;
+	/* If we're not allowed to use 'dirs' or we have none, fail */
+	if(!ctx->dir_load || ((num = sk_num(ctx->dirs)) < 1))
+		return 0;
+	for(loop = 0; loop < num; loop++)
+		{
+		const char *s = sk_value(ctx->dirs, loop);
+		char *merge = DSO_merge(ctx->dynamic_dso, ctx->DYNAMIC_LIBNAME, s);
+		if(!merge)
+			return 0;
+		if(DSO_load(ctx->dynamic_dso, merge, NULL, 0))
+			{
+			/* Found what we're looking for */
+			OPENSSL_free(merge);
+			return 1;
+			}
+		OPENSSL_free(merge);
+		}
+	return 0;
+	}
+
 static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
 	{
 	ENGINE cpy;
 	dynamic_fns fns;
 
-	if(!ctx->DYNAMIC_LIBNAME || ((ctx->dynamic_dso = DSO_load(NULL,
-				ctx->DYNAMIC_LIBNAME, NULL, 0)) == NULL))
+	if(!ctx->dynamic_dso)
+		ctx->dynamic_dso = DSO_new();
+	if(!ctx->DYNAMIC_LIBNAME)
+		{
+		if(!ctx->engine_id)
+			return 0;
+		ctx->DYNAMIC_LIBNAME =
+			DSO_convert_filename(ctx->dynamic_dso, ctx->engine_id);
+		}
+	if(!int_load(ctx))
 		{
 		ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
 			ENGINE_R_DSO_NOT_FOUND);
+		DSO_free(ctx->dynamic_dso);
+		ctx->dynamic_dso = NULL;
 		return 0;
 		}
 	/* We have to find a bind function otherwise it'll always end badly */
@@ -409,6 +496,7 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
 	 * engine.h, much of this would be simplified if each area of code
 	 * provided its own "summary" structure of all related callbacks. It
 	 * would also increase opaqueness. */
+	fns.static_state = ENGINE_get_static_state();
 	fns.err_fns = ERR_get_implementation();
 	fns.ex_data_fns = CRYPTO_get_ex_data_implementation();
 	CRYPTO_get_mem_functions(&fns.mem_fns.malloc_cb,
diff --git a/crypto/openssl/crypto/engine/eng_err.c b/crypto/openssl/crypto/engine/eng_err.c
index 814d95ee3283..62db507ce29d 100644
--- a/crypto/openssl/crypto/engine/eng_err.c
+++ b/crypto/openssl/crypto/engine/eng_err.c
@@ -1,6 +1,6 @@
 /* crypto/engine/eng_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,87 +64,92 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_ENGINE,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_ENGINE,0,reason)
+
 static ERR_STRING_DATA ENGINE_str_functs[]=
 	{
-{ERR_PACK(0,ENGINE_F_DYNAMIC_CTRL,0),	"DYNAMIC_CTRL"},
-{ERR_PACK(0,ENGINE_F_DYNAMIC_GET_DATA_CTX,0),	"DYNAMIC_GET_DATA_CTX"},
-{ERR_PACK(0,ENGINE_F_DYNAMIC_LOAD,0),	"DYNAMIC_LOAD"},
-{ERR_PACK(0,ENGINE_F_ENGINE_ADD,0),	"ENGINE_add"},
-{ERR_PACK(0,ENGINE_F_ENGINE_BY_ID,0),	"ENGINE_by_id"},
-{ERR_PACK(0,ENGINE_F_ENGINE_CMD_IS_EXECUTABLE,0),	"ENGINE_cmd_is_executable"},
-{ERR_PACK(0,ENGINE_F_ENGINE_CTRL,0),	"ENGINE_ctrl"},
-{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD,0),	"ENGINE_ctrl_cmd"},
-{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD_STRING,0),	"ENGINE_ctrl_cmd_string"},
-{ERR_PACK(0,ENGINE_F_ENGINE_FINISH,0),	"ENGINE_finish"},
-{ERR_PACK(0,ENGINE_F_ENGINE_FREE,0),	"ENGINE_free"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_CIPHER,0),	"ENGINE_get_cipher"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_DEFAULT_TYPE,0),	"ENGINE_GET_DEFAULT_TYPE"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_DIGEST,0),	"ENGINE_get_digest"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_NEXT,0),	"ENGINE_get_next"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_PREV,0),	"ENGINE_get_prev"},
-{ERR_PACK(0,ENGINE_F_ENGINE_INIT,0),	"ENGINE_init"},
-{ERR_PACK(0,ENGINE_F_ENGINE_LIST_ADD,0),	"ENGINE_LIST_ADD"},
-{ERR_PACK(0,ENGINE_F_ENGINE_LIST_REMOVE,0),	"ENGINE_LIST_REMOVE"},
-{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,0),	"ENGINE_load_private_key"},
-{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,0),	"ENGINE_load_public_key"},
-{ERR_PACK(0,ENGINE_F_ENGINE_MODULE_INIT,0),	"ENGINE_MODULE_INIT"},
-{ERR_PACK(0,ENGINE_F_ENGINE_NEW,0),	"ENGINE_new"},
-{ERR_PACK(0,ENGINE_F_ENGINE_REMOVE,0),	"ENGINE_remove"},
-{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_STRING,0),	"ENGINE_set_default_string"},
-{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_TYPE,0),	"ENGINE_SET_DEFAULT_TYPE"},
-{ERR_PACK(0,ENGINE_F_ENGINE_SET_ID,0),	"ENGINE_set_id"},
-{ERR_PACK(0,ENGINE_F_ENGINE_SET_NAME,0),	"ENGINE_set_name"},
-{ERR_PACK(0,ENGINE_F_ENGINE_TABLE_REGISTER,0),	"ENGINE_TABLE_REGISTER"},
-{ERR_PACK(0,ENGINE_F_ENGINE_UNLOAD_KEY,0),	"ENGINE_UNLOAD_KEY"},
-{ERR_PACK(0,ENGINE_F_ENGINE_UP_REF,0),	"ENGINE_up_ref"},
-{ERR_PACK(0,ENGINE_F_INT_CTRL_HELPER,0),	"INT_CTRL_HELPER"},
-{ERR_PACK(0,ENGINE_F_INT_ENGINE_CONFIGURE,0),	"INT_ENGINE_CONFIGURE"},
-{ERR_PACK(0,ENGINE_F_LOG_MESSAGE,0),	"LOG_MESSAGE"},
-{ERR_PACK(0,ENGINE_F_SET_DATA_CTX,0),	"SET_DATA_CTX"},
+{ERR_FUNC(ENGINE_F_DYNAMIC_CTRL),	"DYNAMIC_CTRL"},
+{ERR_FUNC(ENGINE_F_DYNAMIC_GET_DATA_CTX),	"DYNAMIC_GET_DATA_CTX"},
+{ERR_FUNC(ENGINE_F_DYNAMIC_LOAD),	"DYNAMIC_LOAD"},
+{ERR_FUNC(ENGINE_F_DYNAMIC_SET_DATA_CTX),	"DYNAMIC_SET_DATA_CTX"},
+{ERR_FUNC(ENGINE_F_ENGINE_ADD),	"ENGINE_add"},
+{ERR_FUNC(ENGINE_F_ENGINE_BY_ID),	"ENGINE_by_id"},
+{ERR_FUNC(ENGINE_F_ENGINE_CMD_IS_EXECUTABLE),	"ENGINE_cmd_is_executable"},
+{ERR_FUNC(ENGINE_F_ENGINE_CTRL),	"ENGINE_ctrl"},
+{ERR_FUNC(ENGINE_F_ENGINE_CTRL_CMD),	"ENGINE_ctrl_cmd"},
+{ERR_FUNC(ENGINE_F_ENGINE_CTRL_CMD_STRING),	"ENGINE_ctrl_cmd_string"},
+{ERR_FUNC(ENGINE_F_ENGINE_FINISH),	"ENGINE_finish"},
+{ERR_FUNC(ENGINE_F_ENGINE_FREE_UTIL),	"ENGINE_FREE_UTIL"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_CIPHER),	"ENGINE_get_cipher"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_DEFAULT_TYPE),	"ENGINE_GET_DEFAULT_TYPE"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_DIGEST),	"ENGINE_get_digest"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_NEXT),	"ENGINE_get_next"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_PREV),	"ENGINE_get_prev"},
+{ERR_FUNC(ENGINE_F_ENGINE_INIT),	"ENGINE_init"},
+{ERR_FUNC(ENGINE_F_ENGINE_LIST_ADD),	"ENGINE_LIST_ADD"},
+{ERR_FUNC(ENGINE_F_ENGINE_LIST_REMOVE),	"ENGINE_LIST_REMOVE"},
+{ERR_FUNC(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY),	"ENGINE_load_private_key"},
+{ERR_FUNC(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY),	"ENGINE_load_public_key"},
+{ERR_FUNC(ENGINE_F_ENGINE_NEW),	"ENGINE_new"},
+{ERR_FUNC(ENGINE_F_ENGINE_REMOVE),	"ENGINE_remove"},
+{ERR_FUNC(ENGINE_F_ENGINE_SET_DEFAULT_STRING),	"ENGINE_set_default_string"},
+{ERR_FUNC(ENGINE_F_ENGINE_SET_DEFAULT_TYPE),	"ENGINE_SET_DEFAULT_TYPE"},
+{ERR_FUNC(ENGINE_F_ENGINE_SET_ID),	"ENGINE_set_id"},
+{ERR_FUNC(ENGINE_F_ENGINE_SET_NAME),	"ENGINE_set_name"},
+{ERR_FUNC(ENGINE_F_ENGINE_TABLE_REGISTER),	"ENGINE_TABLE_REGISTER"},
+{ERR_FUNC(ENGINE_F_ENGINE_UNLOAD_KEY),	"ENGINE_UNLOAD_KEY"},
+{ERR_FUNC(ENGINE_F_ENGINE_UNLOCKED_FINISH),	"ENGINE_UNLOCKED_FINISH"},
+{ERR_FUNC(ENGINE_F_ENGINE_UP_REF),	"ENGINE_up_ref"},
+{ERR_FUNC(ENGINE_F_INT_CTRL_HELPER),	"INT_CTRL_HELPER"},
+{ERR_FUNC(ENGINE_F_INT_ENGINE_CONFIGURE),	"INT_ENGINE_CONFIGURE"},
+{ERR_FUNC(ENGINE_F_INT_ENGINE_MODULE_INIT),	"INT_ENGINE_MODULE_INIT"},
+{ERR_FUNC(ENGINE_F_LOG_MESSAGE),	"LOG_MESSAGE"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA ENGINE_str_reasons[]=
 	{
-{ENGINE_R_ALREADY_LOADED                 ,"already loaded"},
-{ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER       ,"argument is not a number"},
-{ENGINE_R_CMD_NOT_EXECUTABLE             ,"cmd not executable"},
-{ENGINE_R_COMMAND_TAKES_INPUT            ,"command takes input"},
-{ENGINE_R_COMMAND_TAKES_NO_INPUT         ,"command takes no input"},
-{ENGINE_R_CONFLICTING_ENGINE_ID          ,"conflicting engine id"},
-{ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
-{ENGINE_R_DH_NOT_IMPLEMENTED             ,"dh not implemented"},
-{ENGINE_R_DSA_NOT_IMPLEMENTED            ,"dsa not implemented"},
-{ENGINE_R_DSO_FAILURE                    ,"DSO failure"},
-{ENGINE_R_DSO_NOT_FOUND                  ,"dso not found"},
-{ENGINE_R_ENGINES_SECTION_ERROR          ,"engines section error"},
-{ENGINE_R_ENGINE_IS_NOT_IN_LIST          ,"engine is not in the list"},
-{ENGINE_R_ENGINE_SECTION_ERROR           ,"engine section error"},
-{ENGINE_R_FAILED_LOADING_PRIVATE_KEY     ,"failed loading private key"},
-{ENGINE_R_FAILED_LOADING_PUBLIC_KEY      ,"failed loading public key"},
-{ENGINE_R_FINISH_FAILED                  ,"finish failed"},
-{ENGINE_R_GET_HANDLE_FAILED              ,"could not obtain hardware handle"},
-{ENGINE_R_ID_OR_NAME_MISSING             ,"'id' or 'name' missing"},
-{ENGINE_R_INIT_FAILED                    ,"init failed"},
-{ENGINE_R_INTERNAL_LIST_ERROR            ,"internal list error"},
-{ENGINE_R_INVALID_ARGUMENT               ,"invalid argument"},
-{ENGINE_R_INVALID_CMD_NAME               ,"invalid cmd name"},
-{ENGINE_R_INVALID_CMD_NUMBER             ,"invalid cmd number"},
-{ENGINE_R_INVALID_INIT_VALUE             ,"invalid init value"},
-{ENGINE_R_INVALID_STRING                 ,"invalid string"},
-{ENGINE_R_NOT_INITIALISED                ,"not initialised"},
-{ENGINE_R_NOT_LOADED                     ,"not loaded"},
-{ENGINE_R_NO_CONTROL_FUNCTION            ,"no control function"},
-{ENGINE_R_NO_INDEX                       ,"no index"},
-{ENGINE_R_NO_LOAD_FUNCTION               ,"no load function"},
-{ENGINE_R_NO_REFERENCE                   ,"no reference"},
-{ENGINE_R_NO_SUCH_ENGINE                 ,"no such engine"},
-{ENGINE_R_NO_UNLOAD_FUNCTION             ,"no unload function"},
-{ENGINE_R_PROVIDE_PARAMETERS             ,"provide parameters"},
-{ENGINE_R_RSA_NOT_IMPLEMENTED            ,"rsa not implemented"},
-{ENGINE_R_UNIMPLEMENTED_CIPHER           ,"unimplemented cipher"},
-{ENGINE_R_UNIMPLEMENTED_DIGEST           ,"unimplemented digest"},
-{ENGINE_R_VERSION_INCOMPATIBILITY        ,"version incompatibility"},
+{ERR_REASON(ENGINE_R_ALREADY_LOADED)     ,"already loaded"},
+{ERR_REASON(ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER),"argument is not a number"},
+{ERR_REASON(ENGINE_R_CMD_NOT_EXECUTABLE) ,"cmd not executable"},
+{ERR_REASON(ENGINE_R_COMMAND_TAKES_INPUT),"command takes input"},
+{ERR_REASON(ENGINE_R_COMMAND_TAKES_NO_INPUT),"command takes no input"},
+{ERR_REASON(ENGINE_R_CONFLICTING_ENGINE_ID),"conflicting engine id"},
+{ERR_REASON(ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED),"ctrl command not implemented"},
+{ERR_REASON(ENGINE_R_DH_NOT_IMPLEMENTED) ,"dh not implemented"},
+{ERR_REASON(ENGINE_R_DSA_NOT_IMPLEMENTED),"dsa not implemented"},
+{ERR_REASON(ENGINE_R_DSO_FAILURE)        ,"DSO failure"},
+{ERR_REASON(ENGINE_R_DSO_NOT_FOUND)      ,"dso not found"},
+{ERR_REASON(ENGINE_R_ENGINES_SECTION_ERROR),"engines section error"},
+{ERR_REASON(ENGINE_R_ENGINE_IS_NOT_IN_LIST),"engine is not in the list"},
+{ERR_REASON(ENGINE_R_ENGINE_SECTION_ERROR),"engine section error"},
+{ERR_REASON(ENGINE_R_FAILED_LOADING_PRIVATE_KEY),"failed loading private key"},
+{ERR_REASON(ENGINE_R_FAILED_LOADING_PUBLIC_KEY),"failed loading public key"},
+{ERR_REASON(ENGINE_R_FINISH_FAILED)      ,"finish failed"},
+{ERR_REASON(ENGINE_R_GET_HANDLE_FAILED)  ,"could not obtain hardware handle"},
+{ERR_REASON(ENGINE_R_ID_OR_NAME_MISSING) ,"'id' or 'name' missing"},
+{ERR_REASON(ENGINE_R_INIT_FAILED)        ,"init failed"},
+{ERR_REASON(ENGINE_R_INTERNAL_LIST_ERROR),"internal list error"},
+{ERR_REASON(ENGINE_R_INVALID_ARGUMENT)   ,"invalid argument"},
+{ERR_REASON(ENGINE_R_INVALID_CMD_NAME)   ,"invalid cmd name"},
+{ERR_REASON(ENGINE_R_INVALID_CMD_NUMBER) ,"invalid cmd number"},
+{ERR_REASON(ENGINE_R_INVALID_INIT_VALUE) ,"invalid init value"},
+{ERR_REASON(ENGINE_R_INVALID_STRING)     ,"invalid string"},
+{ERR_REASON(ENGINE_R_NOT_INITIALISED)    ,"not initialised"},
+{ERR_REASON(ENGINE_R_NOT_LOADED)         ,"not loaded"},
+{ERR_REASON(ENGINE_R_NO_CONTROL_FUNCTION),"no control function"},
+{ERR_REASON(ENGINE_R_NO_INDEX)           ,"no index"},
+{ERR_REASON(ENGINE_R_NO_LOAD_FUNCTION)   ,"no load function"},
+{ERR_REASON(ENGINE_R_NO_REFERENCE)       ,"no reference"},
+{ERR_REASON(ENGINE_R_NO_SUCH_ENGINE)     ,"no such engine"},
+{ERR_REASON(ENGINE_R_NO_UNLOAD_FUNCTION) ,"no unload function"},
+{ERR_REASON(ENGINE_R_PROVIDE_PARAMETERS) ,"provide parameters"},
+{ERR_REASON(ENGINE_R_RSA_NOT_IMPLEMENTED),"rsa not implemented"},
+{ERR_REASON(ENGINE_R_UNIMPLEMENTED_CIPHER),"unimplemented cipher"},
+{ERR_REASON(ENGINE_R_UNIMPLEMENTED_DIGEST),"unimplemented digest"},
+{ERR_REASON(ENGINE_R_VERSION_INCOMPATIBILITY),"version incompatibility"},
 {0,NULL}
 	};
 
@@ -158,8 +163,8 @@ void ERR_load_ENGINE_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_functs);
-		ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_reasons);
+		ERR_load_strings(0,ENGINE_str_functs);
+		ERR_load_strings(0,ENGINE_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/engine/eng_fat.c b/crypto/openssl/crypto/engine/eng_fat.c
index 7ccf7022ee38..27c1662f6254 100644
--- a/crypto/openssl/crypto/engine/eng_fat.c
+++ b/crypto/openssl/crypto/engine/eng_fat.c
@@ -52,11 +52,13 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECDH support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
-#include <openssl/crypto.h>
-#include "cryptlib.h"
 #include "eng_int.h"
-#include <openssl/engine.h>
 #include <openssl/conf.h>
 
 int ENGINE_set_default(ENGINE *e, unsigned int flags)
@@ -77,6 +79,14 @@ int ENGINE_set_default(ENGINE *e, unsigned int flags)
 	if((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e))
 		return 0;
 #endif
+#ifndef OPENSSL_NO_ECDH
+	if((flags & ENGINE_METHOD_ECDH) && !ENGINE_set_default_ECDH(e))
+		return 0;
+#endif
+#ifndef OPENSSL_NO_ECDSA
+	if((flags & ENGINE_METHOD_ECDSA) && !ENGINE_set_default_ECDSA(e))
+		return 0;
+#endif
 	if((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e))
 		return 0;
 	return 1;
@@ -93,6 +103,10 @@ static int int_def_cb(const char *alg, int len, void *arg)
 		*pflags |= ENGINE_METHOD_RSA;
 	else if (!strncmp(alg, "DSA", len))
 		*pflags |= ENGINE_METHOD_DSA;
+	else if (!strncmp(alg, "ECDH", len))
+		*pflags |= ENGINE_METHOD_ECDH;
+	else if (!strncmp(alg, "ECDSA", len))
+		*pflags |= ENGINE_METHOD_ECDSA;
 	else if (!strncmp(alg, "DH", len))
 		*pflags |= ENGINE_METHOD_DH;
 	else if (!strncmp(alg, "RAND", len))
@@ -133,6 +147,12 @@ int ENGINE_register_complete(ENGINE *e)
 #ifndef OPENSSL_NO_DH
 	ENGINE_register_DH(e);
 #endif
+#ifndef OPENSSL_NO_ECDH
+	ENGINE_register_ECDH(e);
+#endif
+#ifndef OPENSSL_NO_ECDSA
+	ENGINE_register_ECDSA(e);
+#endif
 	ENGINE_register_RAND(e);
 	return 1;
 	}
diff --git a/crypto/openssl/crypto/engine/eng_init.c b/crypto/openssl/crypto/engine/eng_init.c
index 170c1791b305..7633cf5f1d09 100644
--- a/crypto/openssl/crypto/engine/eng_init.c
+++ b/crypto/openssl/crypto/engine/eng_init.c
@@ -53,10 +53,7 @@
  *
  */
 
-#include <openssl/crypto.h>
-#include "cryptlib.h"
 #include "eng_int.h"
-#include <openssl/engine.h>
 
 /* Initialise a engine type for use (or up its functional reference count
  * if it's already in use). This version is only used internally. */
@@ -114,7 +111,7 @@ int engine_unlocked_finish(ENGINE *e, int unlock_for_handlers)
 	/* Release the structural reference too */
 	if(!engine_free_util(e, 0))
 		{
-		ENGINEerr(ENGINE_F_ENGINE_FINISH,ENGINE_R_FINISH_FAILED);
+		ENGINEerr(ENGINE_F_ENGINE_UNLOCKED_FINISH,ENGINE_R_FINISH_FAILED);
 		return 0;
 		}
 	return to_return;
diff --git a/crypto/openssl/crypto/engine/eng_int.h b/crypto/openssl/crypto/engine/eng_int.h
index 38335f99cdaa..a5b1edebf4b9 100644
--- a/crypto/openssl/crypto/engine/eng_int.h
+++ b/crypto/openssl/crypto/engine/eng_int.h
@@ -55,10 +55,16 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECDH support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #ifndef HEADER_ENGINE_INT_H
 #define HEADER_ENGINE_INT_H
 
+#include "cryptlib.h"
 /* Take public definitions from engine.h */
 #include <openssl/engine.h>
 
@@ -146,7 +152,10 @@ struct engine_st
 	const RSA_METHOD *rsa_meth;
 	const DSA_METHOD *dsa_meth;
 	const DH_METHOD *dh_meth;
+	const ECDH_METHOD *ecdh_meth;
+	const ECDSA_METHOD *ecdsa_meth;
 	const RAND_METHOD *rand_meth;
+	const STORE_METHOD *store_meth;
 	/* Cipher handling is via this callback */
 	ENGINE_CIPHERS_PTR ciphers;
 	/* Digest handling is via this callback */
diff --git a/crypto/openssl/crypto/engine/eng_lib.c b/crypto/openssl/crypto/engine/eng_lib.c
index a66d0f08af26..5815b867f493 100644
--- a/crypto/openssl/crypto/engine/eng_lib.c
+++ b/crypto/openssl/crypto/engine/eng_lib.c
@@ -56,11 +56,8 @@
  *
  */
 
-#include <openssl/crypto.h>
-#include "cryptlib.h"
 #include "eng_int.h"
-#include <openssl/rand.h> /* FIXME: This shouldn't be needed */
-#include <openssl/engine.h>
+#include <openssl/rand.h>
 
 /* The "new"/"free" stuff first */
 
@@ -92,6 +89,7 @@ void engine_set_all_null(ENGINE *e)
 	e->dsa_meth = NULL;
 	e->dh_meth = NULL;
 	e->rand_meth = NULL;
+	e->store_meth = NULL;
 	e->ciphers = NULL;
 	e->digests = NULL;
 	e->destroy = NULL;
@@ -110,7 +108,7 @@ int engine_free_util(ENGINE *e, int locked)
 
 	if(e == NULL)
 		{
-		ENGINEerr(ENGINE_F_ENGINE_FREE,
+		ENGINEerr(ENGINE_F_ENGINE_FREE_UTIL,
 			ERR_R_PASSED_NULL_PARAMETER);
 		return 0;
 		}
@@ -319,3 +317,13 @@ const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *e)
 	{
 	return e->cmd_defns;
 	}
+
+/* eng_lib.o is pretty much linked into anything that touches ENGINE already, so
+ * put the "static_state" hack here. */
+
+static int internal_static_hack = 0;
+
+void *ENGINE_get_static_state(void)
+	{
+	return &internal_static_hack;
+	}
diff --git a/crypto/openssl/crypto/engine/eng_list.c b/crypto/openssl/crypto/engine/eng_list.c
index 1cc3217f4cc1..bd511944bafd 100644
--- a/crypto/openssl/crypto/engine/eng_list.c
+++ b/crypto/openssl/crypto/engine/eng_list.c
@@ -55,11 +55,13 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECDH support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
-#include <openssl/crypto.h>
-#include "cryptlib.h"
 #include "eng_int.h"
-#include <openssl/engine.h>
 
 /* The linked-list of pointers to engine types. engine_list_head
  * incorporates an implicit structural reference but engine_list_tail
@@ -324,7 +326,14 @@ static void engine_cpy(ENGINE *dest, const ENGINE *src)
 #ifndef OPENSSL_NO_DH
 	dest->dh_meth = src->dh_meth;
 #endif
+#ifndef OPENSSL_NO_ECDH
+	dest->ecdh_meth = src->ecdh_meth;
+#endif
+#ifndef OPENSSL_NO_ECDSA
+	dest->ecdsa_meth = src->ecdsa_meth;
+#endif
 	dest->rand_meth = src->rand_meth;
+	dest->store_meth = src->store_meth;
 	dest->ciphers = src->ciphers;
 	dest->digests = src->digests;
 	dest->destroy = src->destroy;
@@ -340,6 +349,7 @@ static void engine_cpy(ENGINE *dest, const ENGINE *src)
 ENGINE *ENGINE_by_id(const char *id)
 	{
 	ENGINE *iterator;
+	char *load_dir = NULL;
 	if(id == NULL)
 		{
 		ENGINEerr(ENGINE_F_ENGINE_BY_ID,
@@ -373,6 +383,7 @@ ENGINE *ENGINE_by_id(const char *id)
 			}
 		}
 	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+#if 0
 	if(iterator == NULL)
 		{
 		ENGINEerr(ENGINE_F_ENGINE_BY_ID,
@@ -380,6 +391,32 @@ ENGINE *ENGINE_by_id(const char *id)
 		ERR_add_error_data(2, "id=", id);
 		}
 	return iterator;
+#else
+	/* EEK! Experimental code starts */
+	if(iterator) return iterator;
+	/* Prevent infinite recusrion if we're looking for the dynamic engine. */
+	if (strcmp(id, "dynamic"))
+		{
+#ifdef OPENSSL_SYS_VMS
+		if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
+#else
+		if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
+#endif
+		iterator = ENGINE_by_id("dynamic");
+		if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
+				!ENGINE_ctrl_cmd_string(iterator, "DIR_LOAD", "2", 0) ||
+				!ENGINE_ctrl_cmd_string(iterator, "DIR_ADD",
+					load_dir, 0) ||
+				!ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0))
+				goto notfound;
+		return iterator;
+		}
+notfound:
+	ENGINEerr(ENGINE_F_ENGINE_BY_ID,ENGINE_R_NO_SUCH_ENGINE);
+	ERR_add_error_data(2, "id=", id);
+	return NULL;
+	/* EEK! Experimental code ends */
+#endif
 	}
 
 int ENGINE_up_ref(ENGINE *e)
diff --git a/crypto/openssl/crypto/engine/eng_openssl.c b/crypto/openssl/crypto/engine/eng_openssl.c
index 54579eea2e67..7c139ae2efcb 100644
--- a/crypto/openssl/crypto/engine/eng_openssl.c
+++ b/crypto/openssl/crypto/engine/eng_openssl.c
@@ -55,6 +55,11 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECDH support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 
 #include <stdio.h>
@@ -64,6 +69,16 @@
 #include <openssl/dso.h>
 #include <openssl/pem.h>
 #include <openssl/evp.h>
+#include <openssl/rand.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
 
 /* This testing gunk is implemented (and explained) lower down. It also assumes
  * the application explicitly calls "ENGINE_load_openssl()" because this is no
@@ -125,6 +140,12 @@ static int bind_helper(ENGINE *e)
 #ifndef OPENSSL_NO_DSA
 			|| !ENGINE_set_DSA(e, DSA_get_default_method())
 #endif
+#ifndef OPENSSL_NO_ECDH
+			|| !ENGINE_set_ECDH(e, ECDH_OpenSSL())
+#endif
+#ifndef OPENSSL_NO_ECDSA
+			|| !ENGINE_set_ECDSA(e, ECDSA_OpenSSL())
+#endif
 #ifndef OPENSSL_NO_DH
 			|| !ENGINE_set_DH(e, DH_get_default_method())
 #endif
@@ -236,6 +257,7 @@ static const EVP_CIPHER test_r4_cipher=
 	sizeof(TEST_RC4_KEY),
 	NULL,
 	NULL,
+	NULL,
 	NULL
 	};
 static const EVP_CIPHER test_r4_40_cipher=
@@ -249,6 +271,7 @@ static const EVP_CIPHER test_r4_40_cipher=
 	sizeof(TEST_RC4_KEY),
 	NULL, 
 	NULL,
+	NULL,
 	NULL
 	};
 static int openssl_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
@@ -290,7 +313,7 @@ static int test_sha1_init(EVP_MD_CTX *ctx)
 #endif
 	return SHA1_Init(ctx->md_data);
 	}
-static int test_sha1_update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+static int test_sha1_update(EVP_MD_CTX *ctx,const void *data,size_t count)
 	{
 #ifdef TEST_ENG_OPENSSL_SHA_P_UPDATE
 	fprintf(stderr, "(TEST_ENG_OPENSSL_SHA) test_sha1_update() called\n");
diff --git a/crypto/openssl/crypto/engine/eng_padlock.c b/crypto/openssl/crypto/engine/eng_padlock.c
index db9c52bfb566..8d92af6f8bd2 100644
--- a/crypto/openssl/crypto/engine/eng_padlock.c
+++ b/crypto/openssl/crypto/engine/eng_padlock.c
@@ -65,17 +65,17 @@
 
 #include <stdio.h>
 #include <string.h>
-#include <malloc.h>
-#ifdef _MSC_VER
-# define alloca   _alloca
-# define snprintf _snprintf
-#endif
 
+#include <openssl/opensslconf.h>
 #include <openssl/crypto.h>
 #include <openssl/dso.h>
 #include <openssl/engine.h>
 #include <openssl/evp.h>
+#ifndef OPENSSL_NO_AES
 #include <openssl/aes.h>
+#endif
+#include <openssl/rand.h>
+#include <openssl/err.h>
 
 #ifndef OPENSSL_NO_HW
 #ifndef OPENSSL_NO_HW_PADLOCK
@@ -101,13 +101,13 @@
    compiler choice is limited to GCC and Microsoft C. */
 #undef COMPILE_HW_PADLOCK
 #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
-# if defined(__i386__) || defined(__i386) || defined(_M_IX86)
+# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
+     (defined(_MSC_VER) && defined(_M_IX86))
 #  define COMPILE_HW_PADLOCK
+static ENGINE *ENGINE_padlock (void);
 # endif
 #endif
 
-static ENGINE *ENGINE_padlock (void);
-
 void ENGINE_load_padlock (void)
 {
 /* On non-x86 CPUs it just returns. */
@@ -121,6 +121,15 @@ void ENGINE_load_padlock (void)
 }
 
 #ifdef COMPILE_HW_PADLOCK
+/* We do these includes here to avoid header problems on platforms that
+   do not have the VIA padlock anyway... */
+#ifdef _MSC_VER
+# include <malloc.h>
+# define alloca _alloca
+#else
+# include <stdlib.h>
+#endif
+
 /* Function for ENGINE detection and control */
 static int padlock_available(void);
 static int padlock_init(ENGINE *e);
@@ -129,7 +138,9 @@ static int padlock_init(ENGINE *e);
 static RAND_METHOD padlock_rand;
 
 /* Cipher Stuff */
+#ifndef OPENSSL_NO_AES
 static int padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
+#endif
 
 /* Engine names */
 static const char *padlock_id = "padlock";
@@ -138,7 +149,9 @@ static char padlock_name[100];
 /* Available features */
 static int padlock_use_ace = 0;	/* Advanced Cryptography Engine */
 static int padlock_use_rng = 0;	/* Random Number Generator */
+#ifndef OPENSSL_NO_AES
 static int padlock_aes_align_required = 1;
+#endif
 
 /* ===== Engine "management" functions ===== */
 
@@ -154,7 +167,8 @@ padlock_bind_helper(ENGINE *e)
 #endif
 
 	/* Generate a nice engine name with available features */
-	snprintf(padlock_name, sizeof(padlock_name), "VIA PadLock (%s, %s)", 
+	BIO_snprintf(padlock_name, sizeof(padlock_name),
+		"VIA PadLock (%s, %s)", 
 		 padlock_use_rng ? "RNG" : "no-RNG",
 		 padlock_use_ace ? "ACE" : "no-ACE");
 
@@ -163,8 +177,9 @@ padlock_bind_helper(ENGINE *e)
 	    !ENGINE_set_name(e, padlock_name) ||
 
 	    !ENGINE_set_init_function(e, padlock_init) ||
-
+#ifndef OPENSSL_NO_AES
 	    (padlock_use_ace && !ENGINE_set_ciphers (e, padlock_ciphers)) ||
+#endif
 	    (padlock_use_rng && !ENGINE_set_RAND (e, &padlock_rand))) {
 		return 0;
 	}
@@ -222,6 +237,7 @@ IMPLEMENT_DYNAMIC_BIND_FN (padlock_bind_fn);
 
 /* ===== Here comes the "real" engine ===== */
 
+#ifndef OPENSSL_NO_AES
 /* Some AES-related constants */
 #define AES_BLOCK_SIZE		16
 #define AES_KEY_SIZE_128	16
@@ -241,10 +257,12 @@ struct padlock_cipher_data
 	union {	unsigned int pad[4];
 		struct {
 			int rounds:4;
-			int algo:3;
-			int keygen:1;
+			int dgst:1;	/* n/a in C3 */
+			int align:1;	/* n/a in C3 */
+			int ciphr:1;	/* n/a in C3 */
+			unsigned int keygen:1;
 			int interm:1;
-			int encdec:1;
+			unsigned int encdec:1;
 			int ksize:2;
 		} b;
 	} cword;		/* Control word */
@@ -258,6 +276,7 @@ struct padlock_cipher_data
  * so we accept the penatly...
  */
 static volatile struct padlock_cipher_data *padlock_saved_context;
+#endif
 
 /*
  * =======================================================
@@ -349,18 +368,20 @@ padlock_available(void)
 	return padlock_use_ace + padlock_use_rng;
 }
 
+#ifndef OPENSSL_NO_AES
 /* Our own htonl()/ntohl() */
 static inline void
 padlock_bswapl(AES_KEY *ks)
 {
 	size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
-	unsigned long *key = ks->rd_key;
+	unsigned int *key = ks->rd_key;
 
 	while (i--) {
 		asm volatile ("bswapl %0" : "+r"(*key));
 		key++;
 	}
 }
+#endif
 
 /* Force key reload from memory to the CPU microcode.
    Loading EFLAGS from the stack clears EFLAGS[30] 
@@ -371,6 +392,7 @@ padlock_reload_key(void)
 	asm volatile ("pushfl; popfl");
 }
 
+#ifndef OPENSSL_NO_AES
 /*
  * This is heuristic key context tracing. At first one
  * believes that one should use atomic swap instructions,
@@ -385,14 +407,14 @@ padlock_verify_context(struct padlock_cipher_data *cdata)
 {
 	asm volatile (
 	"pushfl\n"
-"	bt	$30,(%%esp)\n"
+"	btl	$30,(%%esp)\n"
 "	jnc	1f\n"
-"	cmp	%2,%1\n"
+"	cmpl	%2,%1\n"
 "	je	1f\n"
-"	mov	%2,%0\n"
 "	popfl\n"
-"	sub	$4,%%esp\n"
-"1:	add	$4,%%esp"
+"	subl	$4,%%esp\n"
+"1:	addl	$4,%%esp\n"
+"	movl	%2,%0"
 	:"+m"(padlock_saved_context)
 	: "r"(padlock_saved_context), "r"(cdata) : "cc");
 }
@@ -420,10 +442,11 @@ static inline void *name(size_t cnt,		\
 }
 
 /* Generate all functions with appropriate opcodes */
-PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8");	/* rep xcryptecb */
-PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0");	/* rep xcryptcbc */
-PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0");	/* rep xcryptcfb */
-PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8");	/* rep xcryptofb */
+PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8")	/* rep xcryptecb */
+PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0")	/* rep xcryptcbc */
+PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")	/* rep xcryptcfb */
+PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")	/* rep xcryptofb */
+#endif
 
 /* The RNG call itself */
 static inline unsigned int
@@ -439,6 +462,29 @@ padlock_xstore(void *addr, unsigned int edx_in)
 	return eax_out;
 }
 
+/* Why not inline 'rep movsd'? I failed to find information on what
+ * value in Direction Flag one can expect and consequently have to
+ * apply "better-safe-than-sorry" approach and assume "undefined."
+ * I could explicitly clear it and restore the original value upon
+ * return from padlock_aes_cipher, but it's presumably too much
+ * trouble for too little gain...
+ *
+ * In case you wonder 'rep xcrypt*' instructions above are *not*
+ * affected by the Direction Flag and pointers advance toward
+ * larger addresses unconditionally.
+ */ 
+static inline unsigned char *
+padlock_memcpy(void *dst,const void *src,size_t n)
+{
+	long       *d=dst;
+	const long *s=src;
+
+	n /= sizeof(*d);
+	do { *d++ = *s++; } while (--n);
+
+	return dst;
+}
+
 #elif defined(_MSC_VER)
 /*
  * Unlike GCC these are real functions. In order to minimize impact
@@ -492,10 +538,10 @@ padlock_verify_context(void *cdata)
 		jnc	skip
 		cmp	ecx,padlock_saved_context
 		je	skip
-		mov	padlock_saved_context,ecx
 		popfd
 		sub	esp,4
 	skip:	add	esp,4
+		mov	padlock_saved_context,ecx
 		}
 }
 
@@ -563,9 +609,15 @@ padlock_bswapl(void *key)
 		popfd
 		}
 }
+
+/* MS actually specifies status of Direction Flag and compiler even
+ * manages to compile following as 'rep movsd' all by itself...
+ */
+#define padlock_memcpy(o,i,n) ((unsigned char *)memcpy((o),(i),(n)&~3U))
 #endif
 
 /* ===== AES encryption/decryption ===== */
+#ifndef OPENSSL_NO_AES
 
 #if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb)
 #define NID_aes_128_cfb	NID_aes_128_cfb128
@@ -600,13 +652,13 @@ static int padlock_cipher_nids[] = {
 
 	NID_aes_192_ecb,
 	NID_aes_192_cbc,
-//	NID_aes_192_cfb,	/* FIXME: AES192/256 CFB/OFB don't work. */
-//	NID_aes_192_ofb,
+	NID_aes_192_cfb,
+	NID_aes_192_ofb,
 
 	NID_aes_256_ecb,
 	NID_aes_256_cbc,
-//	NID_aes_256_cfb,
-//	NID_aes_256_ofb,
+	NID_aes_256_cfb,
+	NID_aes_256_ofb,
 };
 static int padlock_cipher_nids_num = (sizeof(padlock_cipher_nids)/
 				      sizeof(padlock_cipher_nids[0]));
@@ -615,19 +667,24 @@ static int padlock_cipher_nids_num = (sizeof(padlock_cipher_nids)/
 static int padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 				const unsigned char *iv, int enc);
 static int padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-			      const unsigned char *in, unsigned int nbytes);
+			      const unsigned char *in, size_t nbytes);
 
-#define NEAREST_ALIGNED(ptr) ( (char *)(ptr) +		\
+#define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) +		\
 	( (0x10 - ((size_t)(ptr) & 0x0F)) & 0x0F )	)
 #define ALIGNED_CIPHER_DATA(ctx) ((struct padlock_cipher_data *)\
 	NEAREST_ALIGNED(ctx->cipher_data))
 
+#define EVP_CIPHER_block_size_ECB	AES_BLOCK_SIZE
+#define EVP_CIPHER_block_size_CBC	AES_BLOCK_SIZE
+#define EVP_CIPHER_block_size_OFB	1
+#define EVP_CIPHER_block_size_CFB	1
+
 /* Declaring so many ciphers by hand would be a pain.
    Instead introduce a bit of preprocessor magic :-) */
 #define	DECLARE_AES_EVP(ksize,lmode,umode)	\
 static const EVP_CIPHER padlock_aes_##ksize##_##lmode = {	\
 	NID_aes_##ksize##_##lmode,		\
-	AES_BLOCK_SIZE,			\
+	EVP_CIPHER_block_size_##umode,	\
 	AES_KEY_SIZE_##ksize,		\
 	AES_BLOCK_SIZE,			\
 	0 | EVP_CIPH_##umode##_MODE,	\
@@ -729,7 +786,10 @@ padlock_aes_init_key (EVP_CIPHER_CTX *ctx, const unsigned char *key,
 	memset(cdata, 0, sizeof(struct padlock_cipher_data));
 
 	/* Prepare Control word. */
-	cdata->cword.b.encdec = (ctx->encrypt == 0);
+	if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE)
+		cdata->cword.b.encdec = 0;
+	else
+		cdata->cword.b.encdec = (ctx->encrypt == 0);
 	cdata->cword.b.rounds = 10 + (key_len - 128) / 32;
 	cdata->cword.b.ksize = (key_len - 128) / 64;
 
@@ -749,14 +809,16 @@ padlock_aes_init_key (EVP_CIPHER_CTX *ctx, const unsigned char *key,
 			   and is listed as hardware errata. They most
 			   likely will fix it at some point and then
 			   a check for stepping would be due here. */
-			if (enc)
+			if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CFB_MODE ||
+			    EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE ||
+			    enc)
 				AES_set_encrypt_key(key, key_len, &cdata->ks);
 			else
 				AES_set_decrypt_key(key, key_len, &cdata->ks);
-
-			/* OpenSSL internal functions use byte-swapped extended key. */
+#ifndef AES_ASM
+			/* OpenSSL C functions use byte-swapped extended key. */
 			padlock_bswapl(&cdata->ks);
-
+#endif
 			cdata->cword.b.keygen = 1;
 			break;
 
@@ -824,7 +886,7 @@ padlock_aes_cipher_omnivorous(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
 }
 
 #ifndef  PADLOCK_CHUNK
-# define PADLOCK_CHUNK	4096	/* Must be a power of 2 larger than 16 */
+# define PADLOCK_CHUNK	512	/* Must be a power of 2 larger than 16 */
 #endif
 #if PADLOCK_CHUNK<16 || PADLOCK_CHUNK&(PADLOCK_CHUNK-1)
 # error "insane PADLOCK_CHUNK..."
@@ -838,20 +900,68 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
 {
 	struct padlock_cipher_data *cdata;
 	const  void *inp;
-	char  *out;
+	unsigned char  *out;
 	void  *iv;
 	int    inp_misaligned, out_misaligned, realign_in_loop;
 	size_t chunk, allocated=0;
 
+	/* ctx->num is maintained in byte-oriented modes,
+	   such as CFB and OFB... */
+	if ((chunk = ctx->num)) { /* borrow chunk variable */
+		unsigned char *ivp=ctx->iv;
+
+		switch (EVP_CIPHER_CTX_mode(ctx)) {
+		case EVP_CIPH_CFB_MODE:
+			if (chunk >= AES_BLOCK_SIZE)
+				return 0; /* bogus value */
+
+			if (ctx->encrypt)
+				while (chunk<AES_BLOCK_SIZE && nbytes!=0) {
+					ivp[chunk] = *(out_arg++) = *(in_arg++) ^ ivp[chunk];
+					chunk++, nbytes--;
+				}
+			else	while (chunk<AES_BLOCK_SIZE && nbytes!=0) {
+					unsigned char c = *(in_arg++);
+					*(out_arg++) = c ^ ivp[chunk];
+					ivp[chunk++] = c, nbytes--;
+				}
+
+			ctx->num = chunk%AES_BLOCK_SIZE;
+			break;
+		case EVP_CIPH_OFB_MODE:
+			if (chunk >= AES_BLOCK_SIZE)
+				return 0; /* bogus value */
+
+			while (chunk<AES_BLOCK_SIZE && nbytes!=0) {
+				*(out_arg++) = *(in_arg++) ^ ivp[chunk];
+				chunk++, nbytes--;
+			}
+
+			ctx->num = chunk%AES_BLOCK_SIZE;
+			break;
+		}
+	}
+
 	if (nbytes == 0)
 		return 1;
+#if 0
 	if (nbytes % AES_BLOCK_SIZE)
 		return 0; /* are we expected to do tail processing? */
+#else
+	/* nbytes is always multiple of AES_BLOCK_SIZE in ECB and CBC
+	   modes and arbitrary value in byte-oriented modes, such as
+	   CFB and OFB... */
+#endif
 
 	/* VIA promises CPUs that won't require alignment in the future.
 	   For now padlock_aes_align_required is initialized to 1 and
 	   the condition is never met... */
-	if (!padlock_aes_align_required)
+	/* C7 core is capable to manage unaligned input in non-ECB[!]
+	   mode, but performance penalties appear to be approximately
+	   same as for software alignment below or ~3x. They promise to
+	   improve it in the future, but for now we can just as well
+	   pretend that it can only handle aligned input... */
+	if (!padlock_aes_align_required && (nbytes%AES_BLOCK_SIZE)==0)
 		return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
 
 	inp_misaligned = (((size_t)in_arg) & 0x0F);
@@ -863,7 +973,7 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
 	 * in order to improve L1 cache utilization... */
 	realign_in_loop = out_misaligned|inp_misaligned;
 
-	if (!realign_in_loop)
+	if (!realign_in_loop && (nbytes%AES_BLOCK_SIZE)==0)
 		return padlock_aes_cipher_omnivorous(ctx, out_arg, in_arg, nbytes);
 
 	/* this takes one "if" out of the loops */
@@ -887,7 +997,7 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
 	case EVP_CIPH_ECB_MODE:
 		do	{
 			if (inp_misaligned)
-				inp = memcpy(out, in_arg, chunk&~3);
+				inp = padlock_memcpy(out, in_arg, chunk);
 			else
 				inp = in_arg;
 			in_arg += chunk;
@@ -895,7 +1005,7 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
 			padlock_xcrypt_ecb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
 
 			if (out_misaligned)
-				out_arg = (char *)memcpy(out_arg, out, chunk&~3) + chunk;
+				out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
 			else
 				out     = out_arg+=chunk;
 
@@ -913,7 +1023,7 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
 			chunk = PADLOCK_CHUNK;
 		cbc_shortcut: /* optimize for small input */
 			if (inp_misaligned)
-				inp = memcpy(out, in_arg, chunk&~3);
+				inp = padlock_memcpy(out, in_arg, chunk);
 			else
 				inp = in_arg;
 			in_arg += chunk;
@@ -921,7 +1031,7 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
 			iv = padlock_xcrypt_cbc(chunk/AES_BLOCK_SIZE, cdata, out, inp);
 
 			if (out_misaligned)
-				out_arg = (char *)memcpy(out_arg, out, chunk&~3) + chunk;
+				out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
 			else
 				out     = out_arg+=chunk;
 
@@ -930,15 +1040,17 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
 		break;
 
 	case EVP_CIPH_CFB_MODE:
-		memcpy (cdata->iv, ctx->iv, AES_BLOCK_SIZE);
-		goto cfb_shortcut;
+		memcpy (iv = cdata->iv, ctx->iv, AES_BLOCK_SIZE);
+		chunk &= ~(AES_BLOCK_SIZE-1);
+		if (chunk)	goto cfb_shortcut;
+		else		goto cfb_skiploop;
 		do	{
 			if (iv != cdata->iv)
 				memcpy(cdata->iv, iv, AES_BLOCK_SIZE);
 			chunk = PADLOCK_CHUNK;
 		cfb_shortcut: /* optimize for small input */
 			if (inp_misaligned)
-				inp = memcpy(out, in_arg, chunk&~3);
+				inp = padlock_memcpy(out, in_arg, chunk);
 			else
 				inp = in_arg;
 			in_arg += chunk;
@@ -946,19 +1058,53 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
 			iv = padlock_xcrypt_cfb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
 
 			if (out_misaligned)
-				out_arg = (char *)memcpy(out_arg, out, chunk&~3) + chunk;
+				out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
 			else
 				out     = out_arg+=chunk;
 
-		} while (nbytes -= chunk);
+			nbytes -= chunk;
+		} while (nbytes >= AES_BLOCK_SIZE);
+
+		cfb_skiploop:
+		if (nbytes) {
+			unsigned char *ivp = cdata->iv;
+
+			if (iv != ivp) {
+				memcpy(ivp, iv, AES_BLOCK_SIZE);
+				iv = ivp;
+			}
+			ctx->num = nbytes;
+			if (cdata->cword.b.encdec) {
+				cdata->cword.b.encdec=0;
+				padlock_reload_key();
+				padlock_xcrypt_ecb(1,cdata,ivp,ivp);
+				cdata->cword.b.encdec=1;
+				padlock_reload_key();
+				while(nbytes) {
+					unsigned char c = *(in_arg++);
+					*(out_arg++) = c ^ *ivp;
+					*(ivp++) = c, nbytes--;
+				}
+			}
+			else {	padlock_reload_key();
+				padlock_xcrypt_ecb(1,cdata,ivp,ivp);
+				padlock_reload_key();
+				while (nbytes) {
+					*ivp = *(out_arg++) = *(in_arg++) ^ *ivp;
+					ivp++, nbytes--;
+				}
+			}
+		}
+
 		memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
 		break;
 
 	case EVP_CIPH_OFB_MODE:
 		memcpy(cdata->iv, ctx->iv, AES_BLOCK_SIZE);
-		do	{
+		chunk &= ~(AES_BLOCK_SIZE-1);
+		if (chunk) do	{
 			if (inp_misaligned)
-				inp = memcpy(out, in_arg, chunk&~3);
+				inp = padlock_memcpy(out, in_arg, chunk);
 			else
 				inp = in_arg;
 			in_arg += chunk;
@@ -966,13 +1112,27 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
 			padlock_xcrypt_ofb(chunk/AES_BLOCK_SIZE, cdata, out, inp);
 
 			if (out_misaligned)
-				out_arg = (char *)memcpy(out_arg, out, chunk&~3) + chunk;
+				out_arg = padlock_memcpy(out_arg, out, chunk) + chunk;
 			else
 				out     = out_arg+=chunk;
 
 			nbytes -= chunk;
 			chunk   = PADLOCK_CHUNK;
-		} while (nbytes);
+		} while (nbytes >= AES_BLOCK_SIZE);
+
+		if (nbytes) {
+			unsigned char *ivp = cdata->iv;
+
+			ctx->num = nbytes;
+			padlock_reload_key();	/* empirically found */
+			padlock_xcrypt_ecb(1,cdata,ivp,ivp);
+			padlock_reload_key();	/* empirically found */
+			while (nbytes) {
+				*(out_arg++) = *(in_arg++) ^ *ivp;
+				ivp++, nbytes--;
+			}
+		}
+
 		memcpy(ctx->iv, cdata->iv, AES_BLOCK_SIZE);
 		break;
 
@@ -992,6 +1152,8 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
 	return 1;
 }
 
+#endif /* OPENSSL_NO_AES */
+
 /* ===== Random Number Generator ===== */
 /*
  * This code is not engaged. The reason is that it does not comply
diff --git a/crypto/openssl/crypto/engine/eng_pkey.c b/crypto/openssl/crypto/engine/eng_pkey.c
index 8c69171511ec..bc8b21abec5a 100644
--- a/crypto/openssl/crypto/engine/eng_pkey.c
+++ b/crypto/openssl/crypto/engine/eng_pkey.c
@@ -53,10 +53,7 @@
  *
  */
 
-#include <openssl/crypto.h>
-#include "cryptlib.h"
 #include "eng_int.h"
-#include <openssl/engine.h>
 
 /* Basic get/set stuff */
 
diff --git a/crypto/openssl/crypto/engine/eng_table.c b/crypto/openssl/crypto/engine/eng_table.c
index c69a84a8bf4c..a83c3899ee11 100644
--- a/crypto/openssl/crypto/engine/eng_table.c
+++ b/crypto/openssl/crypto/engine/eng_table.c
@@ -52,49 +52,31 @@
  *
  */
 
+#include "cryptlib.h"
 #include <openssl/evp.h>
-#include <openssl/engine.h>
+#include <openssl/lhash.h>
 #include "eng_int.h"
 
-/* This is the type of item in the 'implementation' table. Each 'nid' hashes to
- * a (potentially NULL) ENGINE_PILE structure which contains a stack of ENGINE*
- * pointers. These pointers aren't references, because they're inserted and
- * removed during ENGINE creation and ENGINE destruction. They point to ENGINEs
- * that *exist* (ie. have a structural reference count greater than zero) rather
- * than ENGINEs that are *functional*. Each pointer in those stacks are to
- * ENGINEs that implements the algorithm corresponding to each 'nid'. */
-
 /* The type of the items in the table */
 typedef struct st_engine_pile
 	{
-	/* The 'nid' of the algorithm/mode this ENGINE_PILE structure represents
-	 * */
+	/* The 'nid' of this algorithm/mode */
 	int nid;
-	/* A stack of ENGINE pointers for ENGINEs that support this
-	 * algorithm/mode. In the event that 'funct' is NULL, the first entry in
-	 * this stack that initialises will be set as 'funct' and assumed as the
-	 * default for operations of this type. */
+	/* ENGINEs that implement this algorithm/mode. */
 	STACK_OF(ENGINE) *sk;
 	/* The default ENGINE to perform this algorithm/mode. */
 	ENGINE *funct;
-	/* This value optimises engine_table_select(). If it is called it sets
-	 * this value to 1. Any changes to this ENGINE_PILE resets it to zero.
-	 * As such, no ENGINE_init() thrashing is done unless ENGINEs
-	 * continually register (and/or unregister). */
+	/* Zero if 'sk' is newer than the cached 'funct', non-zero otherwise */
 	int uptodate;
 	} ENGINE_PILE;
 
-/* The type of the hash table of ENGINE_PILE structures such that each are
- * unique and keyed by the 'nid' value. */
+/* The type exposed in eng_int.h */
 struct st_engine_table
 	{
 	LHASH piles;
 	}; /* ENGINE_TABLE */
 
-/* This value stores global options controlling behaviour of (mostly) the
- * engine_table_select() function. It's a bitmask of flag values of the form
- * ENGINE_TABLE_FLAG_*** (as defined in engine.h) and is controlled by the
- * ENGINE_[get|set]_table_flags() function. */
+/* Global flags (ENGINE_TABLE_FLAG_***). */
 static unsigned int table_flags = 0;
 
 /* API function manipulating 'table_flags' */
@@ -121,10 +103,8 @@ static IMPLEMENT_LHASH_COMP_FN(engine_pile_cmp, const ENGINE_PILE *)
 static int int_table_check(ENGINE_TABLE **t, int create)
 	{
 	LHASH *lh;
-	if(*t)
-		return 1;
-	if(!create)
-		return 0;
+	if(*t) return 1;
+	if(!create) return 0;
 	if((lh = lh_new(LHASH_HASH_FN(engine_pile_hash),
 			LHASH_COMP_FN(engine_pile_cmp))) == NULL)
 		return 0;
@@ -154,9 +134,8 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
 		if(!fnd)
 			{
 			fnd = OPENSSL_malloc(sizeof(ENGINE_PILE));
-			if(!fnd)
-				goto end;
-			fnd->uptodate = 1;
+			if(!fnd) goto end;
+			fnd->uptodate = 0;
 			fnd->nid = *nids;
 			fnd->sk = sk_ENGINE_new_null();
 			if(!fnd->sk)
@@ -164,7 +143,7 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
 				OPENSSL_free(fnd);
 				goto end;
 				}
-			fnd->funct= NULL;
+			fnd->funct = NULL;
 			lh_insert(&(*table)->piles, fnd);
 			}
 		/* A registration shouldn't add duplciate entries */
@@ -173,7 +152,7 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
 		if(!sk_ENGINE_push(fnd->sk, e))
 			goto end;
 		/* "touch" this ENGINE_PILE */
-		fnd->uptodate = 0;
+		fnd->uptodate = 1;
 		if(setdefault)
 			{
 			if(!engine_unlocked_init(e))
@@ -201,7 +180,7 @@ static void int_unregister_cb(ENGINE_PILE *pile, ENGINE *e)
 		{
 		sk_ENGINE_delete(pile->sk, n);
 		/* "touch" this ENGINE_CIPHER */
-		pile->uptodate = 0;
+		pile->uptodate = 1;
 		}
 	if(pile->funct == e)
 		{
@@ -239,9 +218,7 @@ void engine_table_cleanup(ENGINE_TABLE **table)
 	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
 	}
 
-/* Exposed API function to get a functional reference from the implementation
- * table (ie. try to get a functional reference from the tabled structural
- * references) for a given cipher 'nid' */
+/* return a functional reference for a given 'nid' */
 #ifndef ENGINE_TABLE_DEBUG
 ENGINE *engine_table_select(ENGINE_TABLE **table, int nid)
 #else
@@ -252,25 +229,21 @@ ENGINE *engine_table_select_tmp(ENGINE_TABLE **table, int nid, const char *f, in
 	ENGINE_PILE tmplate, *fnd=NULL;
 	int initres, loop = 0;
 
-	/* If 'engine_ciphers' is NULL, then it's absolutely *sure* that no
-	 * ENGINEs have registered any implementations! */
 	if(!(*table))
 		{
 #ifdef ENGINE_TABLE_DEBUG
-		fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, no "
-			"registered for anything!\n", f, l, nid);
+		fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, nothing "
+			"registered!\n", f, l, nid);
 #endif
 		return NULL;
 		}
 	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
 	/* Check again inside the lock otherwise we could race against cleanup
 	 * operations. But don't worry about a fprintf(stderr). */
-	if(!int_table_check(table, 0))
-		goto end;
+	if(!int_table_check(table, 0)) goto end;
 	tmplate.nid = nid;
 	fnd = lh_retrieve(&(*table)->piles, &tmplate);
-	if(!fnd)
-		goto end;
+	if(!fnd) goto end;
 	if(fnd->funct && engine_unlocked_init(fnd->funct))
 		{
 #ifdef ENGINE_TABLE_DEBUG
@@ -296,34 +269,19 @@ trynext:
 #endif
 		goto end;
 		}
-#if 0
-	/* Don't need to get a reference if we hold the lock. If the locking has
-	 * to change in future, that would be different ... */
-	ret->struct_ref++; engine_ref_debug(ret, 0, 1)
-#endif
-	/* Try and initialise the ENGINE if it's already functional *or* if the
-	 * ENGINE_TABLE_FLAG_NOINIT flag is not set. */
+	/* Try to initialise the ENGINE? */
 	if((ret->funct_ref > 0) || !(table_flags & ENGINE_TABLE_FLAG_NOINIT))
 		initres = engine_unlocked_init(ret);
 	else
 		initres = 0;
-#if 0
-	/* Release the structural reference */
-	ret->struct_ref--; engine_ref_debug(ret, 0, -1);
-#endif
 	if(initres)
 		{
-		/* If we didn't have a default (functional reference) for this
-		 * 'nid' (or we had one but for whatever reason we're now
-		 * initialising a different one), use this opportunity to set
-		 * 'funct'. */
+		/* Update 'funct' */
 		if((fnd->funct != ret) && engine_unlocked_init(ret))
 			{
 			/* If there was a previous default we release it. */
 			if(fnd->funct)
 				engine_unlocked_finish(fnd->funct, 0);
-			/* We got an extra functional reference for the
-			 * per-'nid' default */
 			fnd->funct = ret;
 #ifdef ENGINE_TABLE_DEBUG
 			fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, "
@@ -338,13 +296,9 @@ trynext:
 		}
 	goto trynext;
 end:
-	/* Whatever happened - we should "untouch" our uptodate file seeing as
-	 * we have tried our best to find a functional reference for 'nid'. If
-	 * it failed, it is unlikely to succeed again until some future
-	 * registrations (or unregistrations) have taken place that affect that
-	 * 'nid'. */
-	if(fnd)
-		fnd->uptodate = 1;
+	/* If it failed, it is unlikely to succeed again until some future
+	 * registrations have taken place. In all cases, we cache. */
+	if(fnd) fnd->uptodate = 1;
 #ifdef ENGINE_TABLE_DEBUG
 	if(ret)
 		fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, caching "
diff --git a/crypto/openssl/crypto/engine/engine.h b/crypto/openssl/crypto/engine/engine.h
index 900f75ce8d6d..3ec59338ffd1 100644
--- a/crypto/openssl/crypto/engine/engine.h
+++ b/crypto/openssl/crypto/engine/engine.h
@@ -3,7 +3,7 @@
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -55,6 +55,11 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECDH support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #ifndef HEADER_ENGINE_H
 #define HEADER_ENGINE_H
@@ -65,7 +70,7 @@
 #error ENGINE is disabled.
 #endif
 
-#include <openssl/ossl_typ.h>
+#ifndef OPENSSL_NO_DEPRECATED
 #include <openssl/bn.h>
 #ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
@@ -76,34 +81,36 @@
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
+#ifndef OPENSSL_NO_ECDH
+#include <openssl/ecdh.h>
+#endif
+#ifndef OPENSSL_NO_ECDSA
+#include <openssl/ecdsa.h>
+#endif
 #include <openssl/rand.h>
+#include <openssl/store.h>
 #include <openssl/ui.h>
-#include <openssl/symhacks.h>
 #include <openssl/err.h>
+#endif
+
+#include <openssl/ossl_typ.h>
+#include <openssl/symhacks.h>
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-/* Fixups for missing algorithms */
-#ifdef OPENSSL_NO_RSA
-typedef void RSA_METHOD;
-#endif
-#ifdef OPENSSL_NO_DSA
-typedef void DSA_METHOD;
-#endif
-#ifdef OPENSSL_NO_DH
-typedef void DH_METHOD;
-#endif
-
 /* These flags are used to control combinations of algorithm (methods)
  * by bitwise "OR"ing. */
 #define ENGINE_METHOD_RSA		(unsigned int)0x0001
 #define ENGINE_METHOD_DSA		(unsigned int)0x0002
 #define ENGINE_METHOD_DH		(unsigned int)0x0004
 #define ENGINE_METHOD_RAND		(unsigned int)0x0008
+#define ENGINE_METHOD_ECDH		(unsigned int)0x0010
+#define ENGINE_METHOD_ECDSA		(unsigned int)0x0020
 #define ENGINE_METHOD_CIPHERS		(unsigned int)0x0040
 #define ENGINE_METHOD_DIGESTS		(unsigned int)0x0080
+#define ENGINE_METHOD_STORE		(unsigned int)0x0100
 /* Obvious all-or-nothing cases. */
 #define ENGINE_METHOD_ALL		(unsigned int)0xFFFF
 #define ENGINE_METHOD_NONE		(unsigned int)0x0000
@@ -173,9 +180,15 @@ typedef void DH_METHOD;
 						     handles/connections etc. */
 #define ENGINE_CTRL_SET_USER_INTERFACE          4 /* Alternative to callback */
 #define ENGINE_CTRL_SET_CALLBACK_DATA           5 /* User-specific data, used
-                                                     when calling the password
-                                                     callback and the user
-                                                     interface */
+						     when calling the password
+						     callback and the user
+						     interface */
+#define ENGINE_CTRL_LOAD_CONFIGURATION		6 /* Load a configuration, given
+						     a string that represents a
+						     file name or so */
+#define ENGINE_CTRL_LOAD_SECTION		7 /* Load data from a given
+						     section in the already loaded
+						     configuration */
 
 /* These control commands allow an application to deal with an arbitrary engine
  * in a dynamic way. Warn: Negative return values indicate errors FOR THESE
@@ -222,7 +235,7 @@ typedef void DH_METHOD;
 
 /* ENGINE implementations should start the numbering of their own control
  * commands from this value. (ie. ENGINE_CMD_BASE, ENGINE_CMD_BASE + 1, etc). */
-#define ENGINE_CMD_BASE		200
+#define ENGINE_CMD_BASE				200
 
 /* NB: These 2 nCipher "chil" control commands are deprecated, and their
  * functionality is now available through ENGINE-specific control commands
@@ -257,11 +270,11 @@ typedef struct ENGINE_CMD_DEFN_st
 	} ENGINE_CMD_DEFN;
 
 /* Generic function pointer */
-typedef int (*ENGINE_GEN_FUNC_PTR)();
+typedef int (*ENGINE_GEN_FUNC_PTR)(void);
 /* Generic function pointer taking no arguments */
 typedef int (*ENGINE_GEN_INT_FUNC_PTR)(ENGINE *);
 /* Specific control function pointer */
-typedef int (*ENGINE_CTRL_FUNC_PTR)(ENGINE *, int, long, void *, void (*f)());
+typedef int (*ENGINE_CTRL_FUNC_PTR)(ENGINE *, int, long, void *, void (*f)(void));
 /* Generic load_key function pointer */
 typedef EVP_PKEY * (*ENGINE_LOAD_KEY_PTR)(ENGINE *, const char *,
 	UI_METHOD *ui_method, void *callback_data);
@@ -305,15 +318,21 @@ ENGINE *ENGINE_by_id(const char *id);
 /* Add all the built-in engines. */
 void ENGINE_load_openssl(void);
 void ENGINE_load_dynamic(void);
-void ENGINE_load_cswift(void);
-void ENGINE_load_chil(void);
+#ifndef OPENSSL_NO_STATIC_ENGINE
+void ENGINE_load_4758cca(void);
+void ENGINE_load_aep(void);
 void ENGINE_load_atalla(void);
+void ENGINE_load_chil(void);
+void ENGINE_load_cswift(void);
+#ifndef OPENSSL_NO_GMP
+void ENGINE_load_gmp(void);
+#endif
 void ENGINE_load_nuron(void);
-void ENGINE_load_ubsec(void);
-void ENGINE_load_aep(void);
 void ENGINE_load_sureware(void);
-void ENGINE_load_4758cca(void);
+void ENGINE_load_ubsec(void);
+#endif
 void ENGINE_load_cryptodev(void);
+void ENGINE_load_padlock(void);
 void ENGINE_load_builtin_engines(void);
 
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
@@ -337,6 +356,14 @@ int ENGINE_register_DSA(ENGINE *e);
 void ENGINE_unregister_DSA(ENGINE *e);
 void ENGINE_register_all_DSA(void);
 
+int ENGINE_register_ECDH(ENGINE *e);
+void ENGINE_unregister_ECDH(ENGINE *e);
+void ENGINE_register_all_ECDH(void);
+
+int ENGINE_register_ECDSA(ENGINE *e);
+void ENGINE_unregister_ECDSA(ENGINE *e);
+void ENGINE_register_all_ECDSA(void);
+
 int ENGINE_register_DH(ENGINE *e);
 void ENGINE_unregister_DH(ENGINE *e);
 void ENGINE_register_all_DH(void);
@@ -345,6 +372,10 @@ int ENGINE_register_RAND(ENGINE *e);
 void ENGINE_unregister_RAND(ENGINE *e);
 void ENGINE_register_all_RAND(void);
 
+int ENGINE_register_STORE(ENGINE *e);
+void ENGINE_unregister_STORE(ENGINE *e);
+void ENGINE_register_all_STORE(void);
+
 int ENGINE_register_ciphers(ENGINE *e);
 void ENGINE_unregister_ciphers(ENGINE *e);
 void ENGINE_register_all_ciphers(void);
@@ -367,7 +398,7 @@ int ENGINE_register_all_complete(void);
  * reference to an engine, but many control commands may require the engine be
  * functional. The caller should be aware of trying commands that require an
  * operational ENGINE, and only use functional references in such situations. */
-int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
 
 /* This function tests if an ENGINE-specific command is usable as a "setting".
  * Eg. in an application's config file that gets processed through
@@ -380,7 +411,7 @@ int ENGINE_cmd_is_executable(ENGINE *e, int cmd);
  * See the comment on ENGINE_ctrl_cmd_string() for an explanation on how to
  * use the cmd_name and cmd_optional. */
 int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
-        long i, void *p, void (*f)(), int cmd_optional);
+        long i, void *p, void (*f)(void), int cmd_optional);
 
 /* This function passes a command-name and argument to an ENGINE. The cmd_name
  * is converted to a command number and the control command is called using
@@ -417,8 +448,11 @@ int ENGINE_set_id(ENGINE *e, const char *id);
 int ENGINE_set_name(ENGINE *e, const char *name);
 int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth);
 int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth);
+int ENGINE_set_ECDH(ENGINE *e, const ECDH_METHOD *ecdh_meth);
+int ENGINE_set_ECDSA(ENGINE *e, const ECDSA_METHOD *ecdsa_meth);
 int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth);
 int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth);
+int ENGINE_set_STORE(ENGINE *e, const STORE_METHOD *store_meth);
 int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f);
 int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f);
 int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
@@ -429,11 +463,11 @@ int ENGINE_set_ciphers(ENGINE *e, ENGINE_CIPHERS_PTR f);
 int ENGINE_set_digests(ENGINE *e, ENGINE_DIGESTS_PTR f);
 int ENGINE_set_flags(ENGINE *e, int flags);
 int ENGINE_set_cmd_defns(ENGINE *e, const ENGINE_CMD_DEFN *defns);
-/* These functions (and the "get" function lower down) allow control over any
- * per-structure ENGINE data. */
+/* These functions allow control over any per-structure ENGINE data. */
 int ENGINE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 		CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int ENGINE_set_ex_data(ENGINE *e, int idx, void *arg);
+void *ENGINE_get_ex_data(const ENGINE *e, int idx);
 
 /* This function cleans up anything that needs it. Eg. the ENGINE_add() function
  * automatically ensures the list cleanup function is registered to be called
@@ -449,8 +483,11 @@ const char *ENGINE_get_id(const ENGINE *e);
 const char *ENGINE_get_name(const ENGINE *e);
 const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e);
 const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e);
+const ECDH_METHOD *ENGINE_get_ECDH(const ENGINE *e);
+const ECDSA_METHOD *ENGINE_get_ECDSA(const ENGINE *e);
 const DH_METHOD *ENGINE_get_DH(const ENGINE *e);
 const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e);
+const STORE_METHOD *ENGINE_get_STORE(const ENGINE *e);
 ENGINE_GEN_INT_FUNC_PTR ENGINE_get_destroy_function(const ENGINE *e);
 ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(const ENGINE *e);
 ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e);
@@ -463,7 +500,6 @@ const EVP_CIPHER *ENGINE_get_cipher(ENGINE *e, int nid);
 const EVP_MD *ENGINE_get_digest(ENGINE *e, int nid);
 const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *e);
 int ENGINE_get_flags(const ENGINE *e);
-void *ENGINE_get_ex_data(const ENGINE *e, int idx);
 
 /* FUNCTIONAL functions. These functions deal with ENGINE structures
  * that have (or will) be initialised for use. Broadly speaking, the
@@ -501,6 +537,8 @@ EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
 ENGINE *ENGINE_get_default_RSA(void);
 /* Same for the other "methods" */
 ENGINE *ENGINE_get_default_DSA(void);
+ENGINE *ENGINE_get_default_ECDH(void);
+ENGINE *ENGINE_get_default_ECDSA(void);
 ENGINE *ENGINE_get_default_DH(void);
 ENGINE *ENGINE_get_default_RAND(void);
 /* These functions can be used to get a functional reference to perform
@@ -516,6 +554,8 @@ int ENGINE_set_default_RSA(ENGINE *e);
 int ENGINE_set_default_string(ENGINE *e, const char *def_list);
 /* Same for the other "methods" */
 int ENGINE_set_default_DSA(ENGINE *e);
+int ENGINE_set_default_ECDH(ENGINE *e);
+int ENGINE_set_default_ECDSA(ENGINE *e);
 int ENGINE_set_default_DH(ENGINE *e);
 int ENGINE_set_default_RAND(ENGINE *e);
 int ENGINE_set_default_ciphers(ENGINE *e);
@@ -538,17 +578,20 @@ void ENGINE_add_conf_module(void);
 /**************************/
 
 /* Binary/behaviour compatibility levels */
-#define OSSL_DYNAMIC_VERSION		(unsigned long)0x00010200
+#define OSSL_DYNAMIC_VERSION		(unsigned long)0x00020000
 /* Binary versions older than this are too old for us (whether we're a loader or
  * a loadee) */
-#define OSSL_DYNAMIC_OLDEST		(unsigned long)0x00010200
+#define OSSL_DYNAMIC_OLDEST		(unsigned long)0x00020000
 
 /* When compiling an ENGINE entirely as an external shared library, loadable by
  * the "dynamic" ENGINE, these types are needed. The 'dynamic_fns' structure
  * type provides the calling application's (or library's) error functionality
  * and memory management function pointers to the loaded library. These should
  * be used/set in the loaded library code so that the loading application's
- * 'state' will be used/changed in all operations. */
+ * 'state' will be used/changed in all operations. The 'static_state' pointer
+ * allows the loaded library to know if it shares the same static data as the
+ * calling application (or library), and thus whether these callbacks need to be
+ * set or not. */
 typedef void *(*dyn_MEM_malloc_cb)(size_t);
 typedef void *(*dyn_MEM_realloc_cb)(void *, size_t);
 typedef void (*dyn_MEM_free_cb)(void *);
@@ -576,6 +619,7 @@ typedef struct st_dynamic_LOCK_fns {
 	} dynamic_LOCK_fns;
 /* The top-level structure */
 typedef struct st_dynamic_fns {
+	void 					*static_state;
 	const ERR_FNS				*err_fns;
 	const CRYPTO_EX_DATA_IMPL		*ex_data_fns;
 	dynamic_MEM_fns				mem_fns;
@@ -593,7 +637,7 @@ typedef struct st_dynamic_fns {
  * can be fully instantiated with IMPLEMENT_DYNAMIC_CHECK_FN(). */
 typedef unsigned long (*dynamic_v_check_fn)(unsigned long ossl_version);
 #define IMPLEMENT_DYNAMIC_CHECK_FN() \
-	unsigned long v_check(unsigned long v) { \
+	OPENSSL_EXPORT unsigned long v_check(unsigned long v) { \
 		if(v >= OSSL_DYNAMIC_OLDEST) return OSSL_DYNAMIC_VERSION; \
 		return 0; }
 
@@ -615,24 +659,35 @@ typedef unsigned long (*dynamic_v_check_fn)(unsigned long ossl_version);
 typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id,
 				const dynamic_fns *fns);
 #define IMPLEMENT_DYNAMIC_BIND_FN(fn) \
+	OPENSSL_EXPORT \
 	int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { \
-		if (ERR_get_implementation() != fns->err_fns) \
-			{ \
-			if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \
-				fns->mem_fns.realloc_cb, fns->mem_fns.free_cb)) \
-				return 0; \
-			CRYPTO_set_locking_callback(fns->lock_fns.lock_locking_cb); \
-			CRYPTO_set_add_lock_callback(fns->lock_fns.lock_add_lock_cb); \
-			CRYPTO_set_dynlock_create_callback(fns->lock_fns.dynlock_create_cb); \
-			CRYPTO_set_dynlock_lock_callback(fns->lock_fns.dynlock_lock_cb); \
-			CRYPTO_set_dynlock_destroy_callback(fns->lock_fns.dynlock_destroy_cb); \
-			if(!CRYPTO_set_ex_data_implementation(fns->ex_data_fns)) \
-				return 0; \
-			if(!ERR_set_implementation(fns->err_fns)) return 0; \
-			} \
+		if(ENGINE_get_static_state() == fns->static_state) goto skip_cbs; \
+		if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \
+			fns->mem_fns.realloc_cb, fns->mem_fns.free_cb)) \
+			return 0; \
+		CRYPTO_set_locking_callback(fns->lock_fns.lock_locking_cb); \
+		CRYPTO_set_add_lock_callback(fns->lock_fns.lock_add_lock_cb); \
+		CRYPTO_set_dynlock_create_callback(fns->lock_fns.dynlock_create_cb); \
+		CRYPTO_set_dynlock_lock_callback(fns->lock_fns.dynlock_lock_cb); \
+		CRYPTO_set_dynlock_destroy_callback(fns->lock_fns.dynlock_destroy_cb); \
+		if(!CRYPTO_set_ex_data_implementation(fns->ex_data_fns)) \
+			return 0; \
+		if(!ERR_set_implementation(fns->err_fns)) return 0; \
+	skip_cbs: \
 		if(!fn(e,id)) return 0; \
 		return 1; }
 
+/* If the loading application (or library) and the loaded ENGINE library share
+ * the same static data (eg. they're both dynamically linked to the same
+ * libcrypto.so) we need a way to avoid trying to set system callbacks - this
+ * would fail, and for the same reason that it's unnecessary to try. If the
+ * loaded ENGINE has (or gets from through the loader) its own copy of the
+ * libcrypto static data, we will need to set the callbacks. The easiest way to
+ * detect this is to have a function that returns a pointer to some static data
+ * and let the loading application and loaded ENGINE compare their respective
+ * values. */
+void *ENGINE_get_static_state(void);
+
 #if defined(__OpenBSD__) || defined(__FreeBSD__)
 void ENGINE_setup_bsd_cryptodev(void);
 #endif
@@ -649,6 +704,7 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_F_DYNAMIC_CTRL				 180
 #define ENGINE_F_DYNAMIC_GET_DATA_CTX			 181
 #define ENGINE_F_DYNAMIC_LOAD				 182
+#define ENGINE_F_DYNAMIC_SET_DATA_CTX			 183
 #define ENGINE_F_ENGINE_ADD				 105
 #define ENGINE_F_ENGINE_BY_ID				 106
 #define ENGINE_F_ENGINE_CMD_IS_EXECUTABLE		 170
@@ -656,7 +712,7 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_F_ENGINE_CTRL_CMD			 178
 #define ENGINE_F_ENGINE_CTRL_CMD_STRING			 171
 #define ENGINE_F_ENGINE_FINISH				 107
-#define ENGINE_F_ENGINE_FREE				 108
+#define ENGINE_F_ENGINE_FREE_UTIL			 108
 #define ENGINE_F_ENGINE_GET_CIPHER			 185
 #define ENGINE_F_ENGINE_GET_DEFAULT_TYPE		 177
 #define ENGINE_F_ENGINE_GET_DIGEST			 186
@@ -667,7 +723,6 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_F_ENGINE_LIST_REMOVE			 121
 #define ENGINE_F_ENGINE_LOAD_PRIVATE_KEY		 150
 #define ENGINE_F_ENGINE_LOAD_PUBLIC_KEY			 151
-#define ENGINE_F_ENGINE_MODULE_INIT			 187
 #define ENGINE_F_ENGINE_NEW				 122
 #define ENGINE_F_ENGINE_REMOVE				 123
 #define ENGINE_F_ENGINE_SET_DEFAULT_STRING		 189
@@ -676,11 +731,12 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_F_ENGINE_SET_NAME			 130
 #define ENGINE_F_ENGINE_TABLE_REGISTER			 184
 #define ENGINE_F_ENGINE_UNLOAD_KEY			 152
+#define ENGINE_F_ENGINE_UNLOCKED_FINISH			 191
 #define ENGINE_F_ENGINE_UP_REF				 190
 #define ENGINE_F_INT_CTRL_HELPER			 172
 #define ENGINE_F_INT_ENGINE_CONFIGURE			 188
+#define ENGINE_F_INT_ENGINE_MODULE_INIT			 187
 #define ENGINE_F_LOG_MESSAGE				 141
-#define ENGINE_F_SET_DATA_CTX				 183
 
 /* Reason codes. */
 #define ENGINE_R_ALREADY_LOADED				 100
diff --git a/crypto/openssl/crypto/engine/enginetest.c b/crypto/openssl/crypto/engine/enginetest.c
index c2d0297392f1..cf82f490dbb5 100644
--- a/crypto/openssl/crypto/engine/enginetest.c
+++ b/crypto/openssl/crypto/engine/enginetest.c
@@ -72,7 +72,7 @@ int main(int argc, char *argv[])
 #include <openssl/engine.h>
 #include <openssl/err.h>
 
-static void display_engine_list()
+static void display_engine_list(void)
 	{
 	ENGINE *h;
 	int loop;
diff --git a/crypto/openssl/crypto/engine/tb_cipher.c b/crypto/openssl/crypto/engine/tb_cipher.c
index 50b3cec1fa59..177fc1fb739a 100644
--- a/crypto/openssl/crypto/engine/tb_cipher.c
+++ b/crypto/openssl/crypto/engine/tb_cipher.c
@@ -52,8 +52,6 @@
  *
  */
 
-#include <openssl/evp.h>
-#include <openssl/engine.h>
 #include "eng_int.h"
 
 /* If this symbol is defined then ENGINE_get_cipher_engine(), the function that
diff --git a/crypto/openssl/crypto/engine/tb_dh.c b/crypto/openssl/crypto/engine/tb_dh.c
index e290e1702b27..6e9d42876104 100644
--- a/crypto/openssl/crypto/engine/tb_dh.c
+++ b/crypto/openssl/crypto/engine/tb_dh.c
@@ -52,8 +52,6 @@
  *
  */
 
-#include <openssl/evp.h>
-#include <openssl/engine.h>
 #include "eng_int.h"
 
 /* If this symbol is defined then ENGINE_get_default_DH(), the function that is
diff --git a/crypto/openssl/crypto/engine/tb_digest.c b/crypto/openssl/crypto/engine/tb_digest.c
index e82d2a17c9c3..d3f4bb274753 100644
--- a/crypto/openssl/crypto/engine/tb_digest.c
+++ b/crypto/openssl/crypto/engine/tb_digest.c
@@ -52,8 +52,6 @@
  *
  */
 
-#include <openssl/evp.h>
-#include <openssl/engine.h>
 #include "eng_int.h"
 
 /* If this symbol is defined then ENGINE_get_digest_engine(), the function that
diff --git a/crypto/openssl/crypto/engine/tb_dsa.c b/crypto/openssl/crypto/engine/tb_dsa.c
index 80170591f201..e4674f5f0714 100644
--- a/crypto/openssl/crypto/engine/tb_dsa.c
+++ b/crypto/openssl/crypto/engine/tb_dsa.c
@@ -52,8 +52,6 @@
  *
  */
 
-#include <openssl/evp.h>
-#include <openssl/engine.h>
 #include "eng_int.h"
 
 /* If this symbol is defined then ENGINE_get_default_DSA(), the function that is
@@ -94,7 +92,7 @@ int ENGINE_set_default_DSA(ENGINE *e)
 	{
 	if(e->dsa_meth)
 		return engine_table_register(&dsa_table,
-				engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+				engine_unregister_all_DSA, e, &dummy_nid, 1, 1);
 	return 1;
 	}
 
diff --git a/crypto/openssl/crypto/engine/tb_ecdh.c b/crypto/openssl/crypto/engine/tb_ecdh.c
new file mode 100644
index 000000000000..59977f7dd0a6
--- /dev/null
+++ b/crypto/openssl/crypto/engine/tb_ecdh.c
@@ -0,0 +1,133 @@
+/* crypto/engine/tb_ecdh.c */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * The Elliptic Curve Public-Key Crypto Library (ECC Code) included
+ * herein is developed by SUN MICROSYSTEMS, INC., and is contributed
+ * to the OpenSSL project.
+ *
+ * The ECC Code is licensed pursuant to the OpenSSL open source
+ * license provided below.
+ *
+ * The ECDH engine software is originally written by Nils Gura and
+ * Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_ECDH(), the function that is
+ * used by ECDH to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_ECDH_DEBUG */
+
+static ENGINE_TABLE *ecdh_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_ECDH(ENGINE *e)
+	{
+	engine_table_unregister(&ecdh_table, e);
+	}
+
+static void engine_unregister_all_ECDH(void)
+	{
+	engine_table_cleanup(&ecdh_table);
+	}
+
+int ENGINE_register_ECDH(ENGINE *e)
+	{
+	if(e->ecdh_meth)
+		return engine_table_register(&ecdh_table,
+				engine_unregister_all_ECDH, e, &dummy_nid, 1, 0);
+	return 1;
+	}
+
+void ENGINE_register_all_ECDH()
+	{
+	ENGINE *e;
+
+	for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+		ENGINE_register_ECDH(e);
+	}
+
+int ENGINE_set_default_ECDH(ENGINE *e)
+	{
+	if(e->ecdh_meth)
+		return engine_table_register(&ecdh_table,
+				engine_unregister_all_ECDH, e, &dummy_nid, 1, 0);
+	return 1;
+	}
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_ECDH(void)
+	{
+	return engine_table_select(&ecdh_table, dummy_nid);
+	}
+
+/* Obtains an ECDH implementation from an ENGINE functional reference */
+const ECDH_METHOD *ENGINE_get_ECDH(const ENGINE *e)
+	{
+	return e->ecdh_meth;
+	}
+
+/* Sets an ECDH implementation in an ENGINE structure */
+int ENGINE_set_ECDH(ENGINE *e, const ECDH_METHOD *ecdh_meth)
+	{
+	e->ecdh_meth = ecdh_meth;
+	return 1;
+	}
diff --git a/crypto/openssl/crypto/engine/tb_ecdsa.c b/crypto/openssl/crypto/engine/tb_ecdsa.c
new file mode 100644
index 000000000000..e30b02e8c59b
--- /dev/null
+++ b/crypto/openssl/crypto/engine/tb_ecdsa.c
@@ -0,0 +1,118 @@
+/* ====================================================================
+ * Copyright (c) 2000-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_ECDSA(), the function that is
+ * used by ECDSA to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_ECDSA_DEBUG */
+
+static ENGINE_TABLE *ecdsa_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_ECDSA(ENGINE *e)
+	{
+	engine_table_unregister(&ecdsa_table, e);
+	}
+
+static void engine_unregister_all_ECDSA(void)
+	{
+	engine_table_cleanup(&ecdsa_table);
+	}
+
+int ENGINE_register_ECDSA(ENGINE *e)
+	{
+	if(e->ecdsa_meth)
+		return engine_table_register(&ecdsa_table,
+				engine_unregister_all_ECDSA, e, &dummy_nid, 1, 0);
+	return 1;
+	}
+
+void ENGINE_register_all_ECDSA()
+	{
+	ENGINE *e;
+
+	for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+		ENGINE_register_ECDSA(e);
+	}
+
+int ENGINE_set_default_ECDSA(ENGINE *e)
+	{
+	if(e->ecdsa_meth)
+		return engine_table_register(&ecdsa_table,
+				engine_unregister_all_ECDSA, e, &dummy_nid, 1, 0);
+	return 1;
+	}
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_ECDSA(void)
+	{
+	return engine_table_select(&ecdsa_table, dummy_nid);
+	}
+
+/* Obtains an ECDSA implementation from an ENGINE functional reference */
+const ECDSA_METHOD *ENGINE_get_ECDSA(const ENGINE *e)
+	{
+	return e->ecdsa_meth;
+	}
+
+/* Sets an ECDSA implementation in an ENGINE structure */
+int ENGINE_set_ECDSA(ENGINE *e, const ECDSA_METHOD *ecdsa_meth)
+	{
+	e->ecdsa_meth = ecdsa_meth;
+	return 1;
+	}
diff --git a/crypto/openssl/crypto/engine/tb_rand.c b/crypto/openssl/crypto/engine/tb_rand.c
index 69b67111bc64..f36f67c0f6f4 100644
--- a/crypto/openssl/crypto/engine/tb_rand.c
+++ b/crypto/openssl/crypto/engine/tb_rand.c
@@ -52,8 +52,6 @@
  *
  */
 
-#include <openssl/evp.h>
-#include <openssl/engine.h>
 #include "eng_int.h"
 
 /* If this symbol is defined then ENGINE_get_default_RAND(), the function that is
diff --git a/crypto/openssl/crypto/engine/tb_rsa.c b/crypto/openssl/crypto/engine/tb_rsa.c
index fee4867f5209..fbc707fd26c9 100644
--- a/crypto/openssl/crypto/engine/tb_rsa.c
+++ b/crypto/openssl/crypto/engine/tb_rsa.c
@@ -52,8 +52,6 @@
  *
  */
 
-#include <openssl/evp.h>
-#include <openssl/engine.h>
 #include "eng_int.h"
 
 /* If this symbol is defined then ENGINE_get_default_RSA(), the function that is
diff --git a/crypto/openssl/crypto/engine/tb_store.c b/crypto/openssl/crypto/engine/tb_store.c
new file mode 100644
index 000000000000..8cc435c935f2
--- /dev/null
+++ b/crypto/openssl/crypto/engine/tb_store.c
@@ -0,0 +1,123 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_STORE(), the function that is
+ * used by STORE to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_STORE_DEBUG */
+
+static ENGINE_TABLE *store_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_STORE(ENGINE *e)
+	{
+	engine_table_unregister(&store_table, e);
+	}
+
+static void engine_unregister_all_STORE(void)
+	{
+	engine_table_cleanup(&store_table);
+	}
+
+int ENGINE_register_STORE(ENGINE *e)
+	{
+	if(e->store_meth)
+		return engine_table_register(&store_table,
+				engine_unregister_all_STORE, e, &dummy_nid, 1, 0);
+	return 1;
+	}
+
+void ENGINE_register_all_STORE()
+	{
+	ENGINE *e;
+
+	for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+		ENGINE_register_STORE(e);
+	}
+
+/* The following two functions are removed because they're useless. */
+#if 0
+int ENGINE_set_default_STORE(ENGINE *e)
+	{
+	if(e->store_meth)
+		return engine_table_register(&store_table,
+				engine_unregister_all_STORE, e, &dummy_nid, 1, 1);
+	return 1;
+	}
+#endif
+
+#if 0
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_STORE(void)
+	{
+	return engine_table_select(&store_table, dummy_nid);
+	}
+#endif
+
+/* Obtains an STORE implementation from an ENGINE functional reference */
+const STORE_METHOD *ENGINE_get_STORE(const ENGINE *e)
+	{
+	return e->store_meth;
+	}
+
+/* Sets an STORE implementation in an ENGINE structure */
+int ENGINE_set_STORE(ENGINE *e, const STORE_METHOD *store_meth)
+	{
+	e->store_meth = store_meth;
+	return 1;
+	}
diff --git a/crypto/openssl/crypto/err/Makefile b/crypto/openssl/crypto/err/Makefile
index 10a69fcbe829..23e38409c8af 100644
--- a/crypto/openssl/crypto/err/Makefile
+++ b/crypto/openssl/crypto/err/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/err/Makefile
+# OpenSSL/crypto/err/Makefile
 #
 
 DIR=	err
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -51,7 +46,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -66,6 +62,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -81,38 +78,32 @@ err.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/buffer.h
 err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-err.o: ../../include/openssl/symhacks.h ../cryptlib.h err.c
-err_all.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-err_all.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+err.o: ../cryptlib.h err.c
+err_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 err_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-err_all.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-err_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-err_all.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-err_all.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
-err_all.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-err_all.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-err_all.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-err_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-err_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-err_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-err_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-err_all.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
-err_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-err_all.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
-err_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-err_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-err_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-err_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-err_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-err_all.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-err_all.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+err_all.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+err_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+err_all.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+err_all.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+err_all.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+err_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+err_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+err_all.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
+err_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+err_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem2.h
+err_all.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+err_all.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+err_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+err_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+err_all.o: ../../include/openssl/ui.h ../../include/openssl/x509.h
 err_all.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
 err_all.o: err_all.c
 err_prn.o: ../../e_os.h ../../include/openssl/bio.h
 err_prn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 err_prn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 err_prn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-err_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-err_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-err_prn.o: ../cryptlib.h err_prn.c
+err_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+err_prn.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+err_prn.o: ../../include/openssl/symhacks.h ../cryptlib.h err_prn.c
diff --git a/crypto/openssl/crypto/err/err.c b/crypto/openssl/crypto/err/err.c
index 0f518f495a3d..72e3f3a26c7c 100644
--- a/crypto/openssl/crypto/err/err.c
+++ b/crypto/openssl/crypto/err/err.c
@@ -112,9 +112,9 @@
 #include <stdio.h>
 #include <stdarg.h>
 #include <string.h>
+#include "cryptlib.h"
 #include <openssl/lhash.h>
 #include <openssl/crypto.h>
-#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
@@ -149,7 +149,6 @@ static ERR_STRING_DATA ERR_str_libraries[]=
 {ERR_PACK(ERR_LIB_DSO,0,0)		,"DSO support routines"},
 {ERR_PACK(ERR_LIB_ENGINE,0,0)		,"engine routines"},
 {ERR_PACK(ERR_LIB_OCSP,0,0)		,"OCSP routines"},
-{ERR_PACK(ERR_LIB_FIPS,0,0)		,"FIPS routines"},
 {0,NULL},
 	};
 
@@ -209,6 +208,7 @@ static ERR_STRING_DATA ERR_str_reasons[]=
 {ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED	,"called a function you should not call"},
 {ERR_R_PASSED_NULL_PARAMETER		,"passed a null parameter"},
 {ERR_R_INTERNAL_ERROR			,"internal error"},
+{ERR_R_DISABLED				,"called a function that was disabled at compile-time"},
 
 {0,NULL},
 	};
@@ -541,7 +541,7 @@ static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
  * will be returned for SYSerr(), which always gets an errno
  * value and never one of those 'standard' reason codes. */
 
-static void build_SYS_str_reasons()
+static void build_SYS_str_reasons(void)
 	{
 	/* OPENSSL_malloc cannot be used here, use static storage instead */
 	static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
@@ -582,13 +582,24 @@ static void build_SYS_str_reasons()
 #endif
 
 #define err_clear_data(p,i) \
+	do { \
 	if (((p)->err_data[i] != NULL) && \
 		(p)->err_data_flags[i] & ERR_TXT_MALLOCED) \
 		{  \
 		OPENSSL_free((p)->err_data[i]); \
 		(p)->err_data[i]=NULL; \
 		} \
-	(p)->err_data_flags[i]=0;
+	(p)->err_data_flags[i]=0; \
+	} while(0)
+
+#define err_clear(p,i) \
+	do { \
+	(p)->err_flags[i]=0; \
+	(p)->err_buffer[i]=0; \
+	err_clear_data(p,i); \
+	(p)->err_file[i]=NULL; \
+	(p)->err_line[i]= -1; \
+	} while(0)
 
 static void ERR_STATE_free(ERR_STATE *s)
 	{
@@ -620,7 +631,8 @@ static void err_load_strings(int lib, ERR_STRING_DATA *str)
 	{
 	while (str->error)
 		{
-		str->error|=ERR_PACK(lib,0,0);
+		if (lib)
+			str->error|=ERR_PACK(lib,0,0);
 		ERRFN(err_set_item)(str);
 		str++;
 		}
@@ -636,7 +648,8 @@ void ERR_unload_strings(int lib, ERR_STRING_DATA *str)
 	{
 	while (str->error)
 		{
-		str->error|=ERR_PACK(lib,0,0);
+		if (lib)
+			str->error|=ERR_PACK(lib,0,0);
 		ERRFN(err_del_item)(str);
 		str++;
 		}
@@ -679,6 +692,7 @@ void ERR_put_error(int lib, int func, int reason, const char *file,
 	es->top=(es->top+1)%ERR_NUM_ERRORS;
 	if (es->top == es->bottom)
 		es->bottom=(es->bottom+1)%ERR_NUM_ERRORS;
+	es->err_flags[es->top]=0;
 	es->err_buffer[es->top]=ERR_PACK(lib,func,reason);
 	es->err_file[es->top]=file;
 	es->err_line[es->top]=line;
@@ -694,10 +708,7 @@ void ERR_clear_error(void)
 
 	for (i=0; i<ERR_NUM_ERRORS; i++)
 		{
-		es->err_buffer[i]=0;
-		err_clear_data(es,i);
-		es->err_file[i]=NULL;
-		es->err_line[i]= -1;
+		err_clear(es,i);
 		}
 	es->top=es->bottom=0;
 	}
@@ -934,7 +945,7 @@ static unsigned long err_hash(const void *a_void)
 	{
 	unsigned long ret,l;
 
-	l=((ERR_STRING_DATA *)a_void)->error;
+	l=((const ERR_STRING_DATA *)a_void)->error;
 	ret=l^ERR_GET_LIB(l)^ERR_GET_FUNC(l);
 	return(ret^ret%19*13);
 	}
@@ -942,21 +953,21 @@ static unsigned long err_hash(const void *a_void)
 /* static int err_cmp(ERR_STRING_DATA *a, ERR_STRING_DATA *b) */
 static int err_cmp(const void *a_void, const void *b_void)
 	{
-	return((int)(((ERR_STRING_DATA *)a_void)->error -
-			((ERR_STRING_DATA *)b_void)->error));
+	return((int)(((const ERR_STRING_DATA *)a_void)->error -
+			((const ERR_STRING_DATA *)b_void)->error));
 	}
 
 /* static unsigned long pid_hash(ERR_STATE *a) */
 static unsigned long pid_hash(const void *a_void)
 	{
-	return(((ERR_STATE *)a_void)->pid*13);
+	return(((const ERR_STATE *)a_void)->pid*13);
 	}
 
 /* static int pid_cmp(ERR_STATE *a, ERR_STATE *b) */
 static int pid_cmp(const void *a_void, const void *b_void)
 	{
-	return((int)((long)((ERR_STATE *)a_void)->pid -
-			(long)((ERR_STATE *)b_void)->pid));
+	return((int)((long)((const ERR_STATE *)a_void)->pid -
+			(long)((const ERR_STATE *)b_void)->pid));
 	}
 
 void ERR_remove_state(unsigned long pid)
@@ -1066,7 +1077,7 @@ void ERR_add_error_data(int num, ...)
 				else
 					str=p;
 				}
-			BUF_strlcat(str,a,s+1);
+			BUF_strlcat(str,a,(size_t)s+1);
 			}
 		}
 	ERR_set_error_data(str,ERR_TXT_MALLOCED|ERR_TXT_STRING);
@@ -1074,3 +1085,33 @@ void ERR_add_error_data(int num, ...)
 err:
 	va_end(args);
 	}
+
+int ERR_set_mark(void)
+	{
+	ERR_STATE *es;
+
+	es=ERR_get_state();
+
+	if (es->bottom == es->top) return 0;
+	es->err_flags[es->top]|=ERR_FLAG_MARK;
+	return 1;
+	}
+
+int ERR_pop_to_mark(void)
+	{
+	ERR_STATE *es;
+
+	es=ERR_get_state();
+
+	while(es->bottom != es->top
+		&& (es->err_flags[es->top] & ERR_FLAG_MARK) == 0)
+		{
+		err_clear(es,es->top);
+		es->top-=1;
+		if (es->top == -1) es->top=ERR_NUM_ERRORS-1;
+		}
+		
+	if (es->bottom == es->top) return 0;
+	es->err_flags[es->top]&=~ERR_FLAG_MARK;
+	return 1;
+	}
diff --git a/crypto/openssl/crypto/err/err.h b/crypto/openssl/crypto/err/err.h
index 723c1f5314fb..b723cd977a44 100644
--- a/crypto/openssl/crypto/err/err.h
+++ b/crypto/openssl/crypto/err/err.h
@@ -59,11 +59,14 @@
 #ifndef HEADER_ERR_H
 #define HEADER_ERR_H
 
+#include <openssl/e_os2.h>
+
 #ifndef OPENSSL_NO_FP_API
 #include <stdio.h>
 #include <stdlib.h>
 #endif
 
+#include <openssl/ossl_typ.h>
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
@@ -86,10 +89,13 @@ extern "C" {
 #define ERR_TXT_MALLOCED	0x01
 #define ERR_TXT_STRING		0x02
 
+#define ERR_FLAG_MARK		0x01
+
 #define ERR_NUM_ERRORS	16
 typedef struct err_state_st
 	{
 	unsigned long pid;
+	int err_flags[ERR_NUM_ERRORS];
 	unsigned long err_buffer[ERR_NUM_ERRORS];
 	char *err_data[ERR_NUM_ERRORS];
 	int err_data_flags[ERR_NUM_ERRORS];
@@ -131,7 +137,9 @@ typedef struct err_state_st
 #define ERR_LIB_OCSP            39
 #define ERR_LIB_UI              40
 #define ERR_LIB_COMP            41
-#define ERR_LIB_FIPS		42
+#define ERR_LIB_ECDSA		42
+#define ERR_LIB_ECDH		43
+#define ERR_LIB_STORE           44
 
 #define ERR_LIB_USER		128
 
@@ -160,7 +168,9 @@ typedef struct err_state_st
 #define OCSPerr(f,r) ERR_PUT_error(ERR_LIB_OCSP,(f),(r),__FILE__,__LINE__)
 #define UIerr(f,r) ERR_PUT_error(ERR_LIB_UI,(f),(r),__FILE__,__LINE__)
 #define COMPerr(f,r) ERR_PUT_error(ERR_LIB_COMP,(f),(r),__FILE__,__LINE__)
-#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__)
+#define ECDSAerr(f,r)  ERR_PUT_error(ERR_LIB_ECDSA,(f),(r),__FILE__,__LINE__)
+#define ECDHerr(f,r)  ERR_PUT_error(ERR_LIB_ECDH,(f),(r),__FILE__,__LINE__)
+#define STOREerr(f,r) ERR_PUT_error(ERR_LIB_STORE,(f),(r),__FILE__,__LINE__)
 
 /* Borland C seems too stupid to be able to shift and do longs in
  * the pre-processor :-( */
@@ -213,6 +223,9 @@ typedef struct err_state_st
 #define ERR_R_OCSP_LIB  ERR_LIB_OCSP     /* 39 */
 #define ERR_R_UI_LIB    ERR_LIB_UI       /* 40 */
 #define ERR_R_COMP_LIB	ERR_LIB_COMP     /* 41 */
+#define ERR_R_ECDSA_LIB ERR_LIB_ECDSA	 /* 42 */
+#define ERR_R_ECDH_LIB  ERR_LIB_ECDH	 /* 43 */
+#define ERR_R_STORE_LIB ERR_LIB_STORE    /* 44 */
 
 #define ERR_R_NESTED_ASN1_ERROR			58
 #define ERR_R_BAD_ASN1_OBJECT_HEADER		59
@@ -227,6 +240,7 @@ typedef struct err_state_st
 #define	ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED	(2|ERR_R_FATAL)
 #define	ERR_R_PASSED_NULL_PARAMETER		(3|ERR_R_FATAL)
 #define	ERR_R_INTERNAL_ERROR			(4|ERR_R_FATAL)
+#define	ERR_R_DISABLED				(5|ERR_R_FATAL)
 
 /* 99 is the maximum possible ERR_R_... code, higher values
  * are reserved for the individual libraries */
@@ -285,8 +299,11 @@ void ERR_release_err_state_table(LHASH **hash);
 
 int ERR_get_next_error_library(void);
 
-/* This opaque type encapsulates the low-level error-state functions */
-typedef struct st_ERR_FNS ERR_FNS;
+int ERR_set_mark(void);
+int ERR_pop_to_mark(void);
+
+/* Already defined in ossl_typ.h */
+/* typedef struct st_ERR_FNS ERR_FNS; */
 /* An application can use this function and provide the return value to loaded
  * modules that should use the application's ERR state/functionality */
 const ERR_FNS *ERR_get_implementation(void);
diff --git a/crypto/openssl/crypto/err/err_all.c b/crypto/openssl/crypto/err/err_all.c
index 4dc93008929e..bfb4c1ab12ba 100644
--- a/crypto/openssl/crypto/err/err_all.c
+++ b/crypto/openssl/crypto/err/err_all.c
@@ -73,6 +73,12 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
+#ifndef OPENSSL_NO_ECDSA
+#include <openssl/ecdsa.h>
+#endif
+#ifndef OPENSSL_NO_ECDH
+#include <openssl/ecdh.h>
+#endif
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem2.h>
@@ -85,9 +91,9 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
+#include <openssl/ui.h>
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
-#include <openssl/fips.h>
 
 void ERR_load_crypto_strings(void)
 	{
@@ -118,6 +124,12 @@ void ERR_load_crypto_strings(void)
 #ifndef OPENSSL_NO_EC
 	ERR_load_EC_strings();
 #endif
+#ifndef OPENSSL_NO_ECDSA
+	ERR_load_ECDSA_strings();
+#endif
+#ifndef OPENSSL_NO_ECDH
+	ERR_load_ECDH_strings();
+#endif
 	/* skip ERR_load_SSL_strings() because it is not in this library */
 	ERR_load_BIO_strings();
 	ERR_load_PKCS7_strings();	
@@ -131,7 +143,4 @@ void ERR_load_crypto_strings(void)
 	ERR_load_OCSP_strings();
 	ERR_load_UI_strings();
 #endif
-#ifdef OPENSSL_FIPS
-	ERR_load_FIPS_strings();
-#endif
 	}
diff --git a/crypto/openssl/crypto/err/err_prn.c b/crypto/openssl/crypto/err/err_prn.c
index 81e34bd6ce7a..2224a901e5ea 100644
--- a/crypto/openssl/crypto/err/err_prn.c
+++ b/crypto/openssl/crypto/err/err_prn.c
@@ -57,9 +57,9 @@
  */
 
 #include <stdio.h>
+#include "cryptlib.h"
 #include <openssl/lhash.h>
 #include <openssl/crypto.h>
-#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
 
@@ -86,7 +86,12 @@ void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u),
 #ifndef OPENSSL_NO_FP_API
 static int print_fp(const char *str, size_t len, void *fp)
 	{
-	return fprintf((FILE *)fp, "%s", str);
+	BIO bio;
+
+	BIO_set(&bio,BIO_s_file());
+	BIO_set_fp(&bio,fp,BIO_NOCLOSE);
+
+	return BIO_printf(&bio, "%s", str);
 	}
 void ERR_print_errors_fp(FILE *fp)
 	{
diff --git a/crypto/openssl/crypto/err/openssl.ec b/crypto/openssl/crypto/err/openssl.ec
index 447a7f87ed83..64200fcebaa3 100644
--- a/crypto/openssl/crypto/err/openssl.ec
+++ b/crypto/openssl/crypto/err/openssl.ec
@@ -27,7 +27,10 @@ L DSO		crypto/dso/dso.h		crypto/dso/dso_err.c
 L ENGINE	crypto/engine/engine.h		crypto/engine/eng_err.c
 L OCSP		crypto/ocsp/ocsp.h		crypto/ocsp/ocsp_err.c
 L UI		crypto/ui/ui.h			crypto/ui/ui_err.c
-L FIPS		fips/fips.h			fips/fips_err.h
+L COMP		crypto/comp/comp.h		crypto/comp/comp_err.c
+L ECDSA		crypto/ecdsa/ecdsa.h		crypto/ecdsa/ecs_err.c
+L ECDH		crypto/ecdh/ecdh.h		crypto/ecdh/ech_err.c
+L STORE		crypto/store/store.h		crypto/store/str_err.c
 
 # additional header files to be scanned for function names
 L NONE		crypto/x509/x509_vfy.h		NONE
diff --git a/crypto/openssl/crypto/evp/Makefile b/crypto/openssl/crypto/evp/Makefile
index afe41fcd98f6..b4f4487b1f84 100644
--- a/crypto/openssl/crypto/evp/Makefile
+++ b/crypto/openssl/crypto/evp/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/evp/Makefile
+# OpenSSL/crypto/evp/Makefile
 #
 
 DIR=	evp
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -28,7 +23,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \
 	e_rc4.c e_aes.c names.c \
 	e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c \
 	m_null.c m_md2.c m_md4.c m_md5.c m_sha.c m_sha1.c \
-	m_dss.c m_dss1.c m_mdc2.c m_ripemd.c \
+	m_dss.c m_dss1.c m_mdc2.c m_ripemd.c m_ecdsa.c\
 	p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
 	bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
 	c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
@@ -40,7 +35,7 @@ LIBOBJ=	encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
 	e_rc4.o e_aes.o names.o \
 	e_xcbc_d.o e_rc2.o e_cast.o e_rc5.o \
 	m_null.o m_md2.o m_md4.o m_md5.o m_sha.o m_sha1.o \
-	m_dss.o m_dss1.o m_mdc2.o m_ripemd.o \
+	m_dss.o m_dss1.o m_mdc2.o m_ripemd.o m_ecdsa.o\
 	p_open.o p_seal.o p_sign.o p_verify.o p_lib.o p_enc.o p_dec.o \
 	bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
 	c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
@@ -74,7 +69,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -89,6 +85,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
@@ -100,977 +97,541 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-bio_b64.o: ../../e_os.h ../../include/openssl/aes.h
-bio_b64.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-bio_b64.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-bio_b64.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-bio_b64.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-bio_b64.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-bio_b64.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+bio_b64.o: ../../e_os.h ../../include/openssl/asn1.h
+bio_b64.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bio_b64.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 bio_b64.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-bio_b64.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-bio_b64.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-bio_b64.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-bio_b64.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-bio_b64.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bio_b64.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
-bio_b64.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-bio_b64.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-bio_b64.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-bio_b64.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bio_b64.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-bio_b64.o: ../cryptlib.h bio_b64.c
-bio_enc.o: ../../e_os.h ../../include/openssl/aes.h
-bio_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-bio_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-bio_enc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-bio_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-bio_enc.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-bio_enc.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+bio_b64.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+bio_b64.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_b64.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bio_b64.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_b64.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_b64.c
+bio_enc.o: ../../e_os.h ../../include/openssl/asn1.h
+bio_enc.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bio_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 bio_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-bio_enc.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-bio_enc.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-bio_enc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-bio_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-bio_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bio_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
-bio_enc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-bio_enc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-bio_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-bio_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bio_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-bio_enc.o: ../cryptlib.h bio_enc.c
-bio_md.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-bio_md.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-bio_md.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-bio_md.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-bio_md.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-bio_md.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bio_enc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+bio_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bio_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_enc.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_enc.c
+bio_md.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bio_md.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bio_md.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bio_md.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-bio_md.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-bio_md.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-bio_md.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-bio_md.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-bio_md.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-bio_md.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-bio_md.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-bio_md.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-bio_md.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-bio_md.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-bio_md.o: ../../include/openssl/ui_compat.h ../cryptlib.h bio_md.c
-bio_ok.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-bio_ok.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-bio_ok.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-bio_ok.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-bio_ok.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-bio_ok.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bio_md.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+bio_md.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+bio_md.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bio_md.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+bio_md.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bio_md.o: ../cryptlib.h bio_md.c
+bio_ok.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bio_ok.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bio_ok.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bio_ok.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-bio_ok.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-bio_ok.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-bio_ok.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-bio_ok.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-bio_ok.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-bio_ok.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-bio_ok.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-bio_ok.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-bio_ok.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-bio_ok.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bio_ok.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-bio_ok.o: ../cryptlib.h bio_ok.c
-c_all.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-c_all.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-c_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-c_all.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-c_all.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-c_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bio_ok.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+bio_ok.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+bio_ok.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bio_ok.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+bio_ok.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_ok.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_ok.c
+c_all.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_all.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
 c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-c_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-c_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-c_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-c_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-c_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-c_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-c_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-c_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-c_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-c_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-c_all.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-c_all.o: ../../include/openssl/ui_compat.h ../cryptlib.h c_all.c
-c_allc.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-c_allc.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-c_allc.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-c_allc.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-c_allc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-c_allc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-c_allc.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-c_allc.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-c_allc.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-c_allc.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-c_allc.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+c_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+c_all.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+c_all.o: ../../include/openssl/symhacks.h ../cryptlib.h c_all.c
+c_allc.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_allc.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+c_allc.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+c_allc.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+c_allc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+c_allc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 c_allc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 c_allc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 c_allc.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-c_allc.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-c_allc.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-c_allc.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-c_allc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-c_allc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-c_allc.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-c_allc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h c_allc.c
-c_alld.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-c_alld.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-c_alld.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-c_alld.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-c_alld.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-c_alld.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-c_alld.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-c_alld.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-c_alld.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-c_alld.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-c_alld.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+c_allc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+c_allc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+c_allc.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+c_allc.o: ../cryptlib.h c_allc.c
+c_alld.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_alld.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+c_alld.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+c_alld.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+c_alld.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+c_alld.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 c_alld.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 c_alld.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 c_alld.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-c_alld.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-c_alld.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-c_alld.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-c_alld.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-c_alld.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-c_alld.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-c_alld.o: ../../include/openssl/x509_vfy.h ../cryptlib.h c_alld.c
-digest.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-digest.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-digest.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-digest.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-digest.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-digest.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+c_alld.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+c_alld.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+c_alld.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+c_alld.o: ../cryptlib.h c_alld.c
+digest.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+digest.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 digest.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
 digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-digest.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-digest.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-digest.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-digest.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-digest.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-digest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-digest.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-digest.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-digest.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-digest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-digest.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-digest.o: ../../include/openssl/ui_compat.h ../cryptlib.h digest.c
+digest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+digest.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+digest.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+digest.o: ../../include/openssl/symhacks.h ../cryptlib.h digest.c
 e_aes.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_aes.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-e_aes.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-e_aes.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-e_aes.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-e_aes.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-e_aes.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_aes.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-e_aes.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-e_aes.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_aes.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+e_aes.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+e_aes.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 e_aes.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 e_aes.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_aes.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
-e_aes.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-e_aes.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-e_aes.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-e_aes.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-e_aes.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h e_aes.c
+e_aes.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+e_aes.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h e_aes.c
 e_aes.o: evp_locl.h
-e_bf.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_bf.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-e_bf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-e_bf.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-e_bf.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-e_bf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-e_bf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_bf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-e_bf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-e_bf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-e_bf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+e_bf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/buffer.h
+e_bf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+e_bf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_bf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 e_bf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 e_bf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_bf.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_bf.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_bf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_bf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_bf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-e_bf.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_bf.c evp_locl.h
-e_cast.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_cast.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-e_cast.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-e_cast.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-e_cast.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-e_cast.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-e_cast.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_cast.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-e_cast.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-e_cast.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-e_cast.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+e_bf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+e_bf.o: ../../include/openssl/symhacks.h ../cryptlib.h e_bf.c evp_locl.h
+e_cast.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cast.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cast.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+e_cast.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_cast.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 e_cast.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 e_cast.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_cast.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_cast.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_cast.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_cast.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_cast.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-e_cast.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_cast.c evp_locl.h
-e_des.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_des.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-e_des.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-e_des.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+e_cast.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+e_cast.o: ../../include/openssl/symhacks.h ../cryptlib.h e_cast.c evp_locl.h
+e_des.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_des.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_des.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-e_des.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 e_des.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_des.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-e_des.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-e_des.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-e_des.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-e_des.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-e_des.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_des.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_des.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_des.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_des.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+e_des.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+e_des.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+e_des.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+e_des.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+e_des.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 e_des.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 e_des.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_des.c evp_locl.h
-e_des3.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_des3.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-e_des3.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-e_des3.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+e_des3.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_des3.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_des3.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-e_des3.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 e_des3.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_des3.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-e_des3.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-e_des3.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-e_des3.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-e_des3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-e_des3.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_des3.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_des3.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_des3.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_des3.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+e_des3.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+e_des3.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+e_des3.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+e_des3.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+e_des3.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 e_des3.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 e_des3.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_des3.c evp_locl.h
-e_idea.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_idea.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-e_idea.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-e_idea.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-e_idea.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-e_idea.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_idea.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_idea.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_idea.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 e_idea.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-e_idea.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-e_idea.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-e_idea.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+e_idea.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 e_idea.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 e_idea.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_idea.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_idea.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_idea.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_idea.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_idea.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-e_idea.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_idea.c evp_locl.h
-e_null.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_null.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-e_null.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-e_null.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-e_null.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-e_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_idea.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+e_idea.o: ../../include/openssl/symhacks.h ../cryptlib.h e_idea.c evp_locl.h
+e_null.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_null.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-e_null.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-e_null.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-e_null.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-e_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-e_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_null.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_null.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_null.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_null.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_null.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-e_null.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_null.c
-e_old.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_old.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-e_old.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-e_old.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-e_old.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-e_old.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-e_old.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-e_old.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-e_old.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-e_old.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_old.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_old.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
-e_old.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-e_old.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-e_old.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-e_old.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-e_old.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h e_old.c
-e_rc2.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_rc2.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-e_rc2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-e_rc2.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-e_rc2.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-e_rc2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_null.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+e_null.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+e_null.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+e_null.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+e_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_null.o: ../cryptlib.h e_null.c
+e_old.o: e_old.c
+e_rc2.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_rc2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_rc2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_rc2.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-e_rc2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-e_rc2.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-e_rc2.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-e_rc2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-e_rc2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_rc2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_rc2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_rc2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_rc2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_rc2.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-e_rc2.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_rc2.c evp_locl.h
-e_rc4.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_rc4.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-e_rc4.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-e_rc4.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-e_rc4.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-e_rc4.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_rc2.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+e_rc2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+e_rc2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+e_rc2.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
+e_rc2.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+e_rc2.o: ../../include/openssl/symhacks.h ../cryptlib.h e_rc2.c evp_locl.h
+e_rc4.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_rc4.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_rc4.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_rc4.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-e_rc4.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-e_rc4.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-e_rc4.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-e_rc4.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-e_rc4.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_rc4.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_rc4.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_rc4.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_rc4.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_rc4.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-e_rc4.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_rc4.c
-e_rc5.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_rc5.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-e_rc5.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-e_rc5.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-e_rc5.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-e_rc5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+e_rc4.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+e_rc4.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+e_rc4.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+e_rc4.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc4.h
+e_rc4.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+e_rc4.o: ../../include/openssl/symhacks.h ../cryptlib.h e_rc4.c
+e_rc5.o: ../../e_os.h ../../include/openssl/bio.h
+e_rc5.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_rc5.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_rc5.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-e_rc5.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-e_rc5.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-e_rc5.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-e_rc5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_rc5.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 e_rc5.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_rc5.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_rc5.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_rc5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_rc5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_rc5.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-e_rc5.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_rc5.c evp_locl.h
-e_xcbc_d.o: ../../e_os.h ../../include/openssl/aes.h
-e_xcbc_d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-e_xcbc_d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-e_xcbc_d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_rc5.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+e_rc5.o: ../../include/openssl/symhacks.h ../cryptlib.h e_rc5.c
+e_xcbc_d.o: ../../e_os.h ../../include/openssl/asn1.h
+e_xcbc_d.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 e_xcbc_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-e_xcbc_d.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-e_xcbc_d.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+e_xcbc_d.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 e_xcbc_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_xcbc_d.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-e_xcbc_d.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-e_xcbc_d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-e_xcbc_d.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_xcbc_d.o: ../../include/openssl/opensslconf.h
+e_xcbc_d.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_xcbc_d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 e_xcbc_d.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_xcbc_d.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_xcbc_d.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_xcbc_d.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_xcbc_d.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+e_xcbc_d.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 e_xcbc_d.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 e_xcbc_d.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_xcbc_d.c
-encode.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-encode.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-encode.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-encode.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-encode.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-encode.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+encode.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+encode.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 encode.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-encode.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-encode.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-encode.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-encode.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-encode.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-encode.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-encode.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-encode.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-encode.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-encode.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-encode.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-encode.o: ../../include/openssl/ui_compat.h ../cryptlib.h encode.c
-evp_acnf.o: ../../e_os.h ../../include/openssl/aes.h
-evp_acnf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-evp_acnf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-evp_acnf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+encode.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+encode.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+encode.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+encode.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+encode.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+encode.o: ../cryptlib.h encode.c
+evp_acnf.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_acnf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 evp_acnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-evp_acnf.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-evp_acnf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 evp_acnf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-evp_acnf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-evp_acnf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-evp_acnf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-evp_acnf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-evp_acnf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_acnf.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+evp_acnf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+evp_acnf.o: ../../include/openssl/opensslconf.h
 evp_acnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-evp_acnf.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-evp_acnf.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-evp_acnf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-evp_acnf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-evp_acnf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-evp_acnf.o: ../../include/openssl/ui_compat.h ../cryptlib.h evp_acnf.c
-evp_enc.o: ../../e_os.h ../../include/openssl/aes.h
-evp_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-evp_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-evp_enc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-evp_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-evp_enc.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-evp_enc.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+evp_acnf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+evp_acnf.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_acnf.c
+evp_enc.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_enc.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+evp_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_enc.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-evp_enc.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-evp_enc.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-evp_enc.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-evp_enc.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-evp_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-evp_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-evp_enc.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-evp_enc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-evp_enc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-evp_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-evp_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
-evp_err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-evp_err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-evp_err.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-evp_err.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-evp_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+evp_enc.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+evp_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+evp_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+evp_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+evp_enc.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_enc.c evp_locl.h
+evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_err.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_err.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-evp_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-evp_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-evp_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
-evp_err.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-evp_err.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-evp_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-evp_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-evp_err.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-evp_err.o: evp_err.c
-evp_key.o: ../../e_os.h ../../include/openssl/aes.h
-evp_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-evp_key.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-evp_key.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-evp_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-evp_key.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-evp_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-evp_key.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_key.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_key.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_key.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+evp_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+evp_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+evp_err.o: ../../include/openssl/symhacks.h evp_err.c
+evp_key.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_key.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+evp_key.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+evp_key.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+evp_key.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+evp_key.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 evp_key.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 evp_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 evp_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-evp_key.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-evp_key.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-evp_key.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-evp_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-evp_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-evp_key.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+evp_key.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+evp_key.o: ../../include/openssl/ui.h ../../include/openssl/x509.h
 evp_key.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_key.c
-evp_lib.o: ../../e_os.h ../../include/openssl/aes.h
-evp_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-evp_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-evp_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-evp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-evp_lib.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-evp_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+evp_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+evp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-evp_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-evp_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-evp_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
-evp_lib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-evp_lib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-evp_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-evp_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-evp_lib.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-evp_lib.o: ../cryptlib.h evp_lib.c
-evp_pbe.o: ../../e_os.h ../../include/openssl/aes.h
-evp_pbe.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-evp_pbe.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-evp_pbe.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-evp_pbe.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-evp_pbe.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-evp_pbe.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-evp_pbe.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_pbe.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_pbe.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_pbe.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+evp_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+evp_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+evp_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_lib.c
+evp_pbe.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_pbe.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+evp_pbe.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+evp_pbe.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+evp_pbe.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+evp_pbe.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 evp_pbe.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 evp_pbe.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 evp_pbe.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-evp_pbe.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-evp_pbe.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-evp_pbe.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-evp_pbe.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-evp_pbe.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-evp_pbe.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-evp_pbe.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_pbe.c
-evp_pkey.o: ../../e_os.h ../../include/openssl/aes.h
-evp_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-evp_pkey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-evp_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-evp_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-evp_pkey.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+evp_pbe.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_pbe.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+evp_pbe.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+evp_pbe.o: ../cryptlib.h evp_pbe.c
+evp_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_pkey.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+evp_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 evp_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-evp_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_pkey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_pkey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_pkey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+evp_pkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+evp_pkey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 evp_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 evp_pkey.o: ../../include/openssl/opensslconf.h
 evp_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 evp_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-evp_pkey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-evp_pkey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 evp_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 evp_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-evp_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-evp_pkey.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+evp_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 evp_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_pkey.c
-m_dss.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-m_dss.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-m_dss.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-m_dss.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-m_dss.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-m_dss.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_dss.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-m_dss.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-m_dss.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-m_dss.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-m_dss.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-m_dss.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-m_dss.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_dss.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_dss.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_dss.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+m_dss.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_dss.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+m_dss.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+m_dss.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+m_dss.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+m_dss.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+m_dss.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+m_dss.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+m_dss.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 m_dss.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 m_dss.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_dss.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 m_dss.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 m_dss.o: ../cryptlib.h m_dss.c
-m_dss1.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-m_dss1.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-m_dss1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-m_dss1.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-m_dss1.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-m_dss1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_dss1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-m_dss1.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-m_dss1.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-m_dss1.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-m_dss1.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-m_dss1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-m_dss1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_dss1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_dss1.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_dss1.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+m_dss1.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_dss1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+m_dss1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+m_dss1.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+m_dss1.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+m_dss1.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+m_dss1.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+m_dss1.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+m_dss1.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 m_dss1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 m_dss1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_dss1.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 m_dss1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 m_dss1.o: ../cryptlib.h m_dss1.c
-m_md2.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-m_md2.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-m_md2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-m_md2.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-m_md2.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-m_md2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_md2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-m_md2.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+m_ecdsa.o: ../../e_os.h ../../include/openssl/asn1.h
+m_ecdsa.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+m_ecdsa.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+m_ecdsa.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+m_ecdsa.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+m_ecdsa.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+m_ecdsa.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+m_ecdsa.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+m_ecdsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+m_ecdsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+m_ecdsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+m_ecdsa.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_ecdsa.o: ../cryptlib.h m_ecdsa.c
+m_md2.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_md2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+m_md2.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+m_md2.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+m_md2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 m_md2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-m_md2.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-m_md2.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-m_md2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-m_md2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_md2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_md2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_md2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-m_md2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_md2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_md2.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-m_md2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_md2.o: ../cryptlib.h m_md2.c
-m_md4.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-m_md4.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-m_md4.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-m_md4.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-m_md4.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-m_md4.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_md4.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-m_md4.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-m_md4.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-m_md4.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-m_md4.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-m_md4.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-m_md4.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_md4.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_md4.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_md4.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-m_md4.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_md4.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_md4.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-m_md4.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_md4.o: ../cryptlib.h m_md4.c
-m_md5.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-m_md5.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-m_md5.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-m_md5.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-m_md5.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-m_md5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_md5.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-m_md5.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-m_md5.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-m_md5.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-m_md5.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-m_md5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-m_md5.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_md5.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_md5.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_md5.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-m_md5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_md5.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_md5.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-m_md5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_md5.o: ../cryptlib.h m_md5.c
-m_mdc2.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-m_mdc2.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-m_mdc2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-m_mdc2.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-m_mdc2.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-m_mdc2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+m_md2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+m_md2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+m_md2.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+m_md2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_md2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_md2.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+m_md2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_md2.c
+m_md4.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_md4.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+m_md4.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+m_md4.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+m_md4.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_md4.o: ../../include/openssl/lhash.h ../../include/openssl/md4.h
+m_md4.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+m_md4.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+m_md4.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+m_md4.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_md4.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_md4.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+m_md4.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_md4.c
+m_md5.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_md5.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+m_md5.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+m_md5.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+m_md5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_md5.o: ../../include/openssl/lhash.h ../../include/openssl/md5.h
+m_md5.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+m_md5.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+m_md5.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+m_md5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_md5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_md5.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+m_md5.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_md5.c
+m_mdc2.o: ../../e_os.h ../../include/openssl/bio.h
+m_mdc2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_mdc2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-m_mdc2.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-m_mdc2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-m_mdc2.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-m_mdc2.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-m_mdc2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_mdc2.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 m_mdc2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_mdc2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_mdc2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_mdc2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-m_mdc2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_mdc2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_mdc2.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-m_mdc2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_mdc2.o: ../cryptlib.h m_mdc2.c
-m_null.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-m_null.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-m_null.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-m_null.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-m_null.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-m_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-m_null.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-m_null.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-m_null.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-m_null.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+m_mdc2.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+m_mdc2.o: ../../include/openssl/symhacks.h ../cryptlib.h m_mdc2.c
+m_null.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+m_null.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+m_null.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+m_null.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_null.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 m_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 m_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_null.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_null.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_null.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-m_null.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_null.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-m_null.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_null.o: ../cryptlib.h m_null.c
-m_ripemd.o: ../../e_os.h ../../include/openssl/aes.h
-m_ripemd.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-m_ripemd.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-m_ripemd.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-m_ripemd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-m_ripemd.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-m_ripemd.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-m_ripemd.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_ripemd.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-m_ripemd.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-m_ripemd.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_null.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+m_null.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_null.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+m_null.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_null.c
+m_ripemd.o: ../../e_os.h ../../include/openssl/asn1.h
+m_ripemd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+m_ripemd.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+m_ripemd.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+m_ripemd.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+m_ripemd.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 m_ripemd.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 m_ripemd.o: ../../include/openssl/opensslconf.h
 m_ripemd.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_ripemd.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_ripemd.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_ripemd.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-m_ripemd.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_ripemd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_ripemd.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-m_ripemd.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_ripemd.o: ../cryptlib.h m_ripemd.c
-m_sha.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-m_sha.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-m_sha.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-m_sha.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-m_sha.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-m_sha.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_sha.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-m_sha.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-m_sha.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-m_sha.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-m_sha.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+m_ripemd.o: ../../include/openssl/pkcs7.h ../../include/openssl/ripemd.h
+m_ripemd.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_ripemd.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_ripemd.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+m_ripemd.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_ripemd.c
+m_sha.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_sha.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+m_sha.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+m_sha.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+m_sha.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_sha.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 m_sha.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 m_sha.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_sha.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_sha.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_sha.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+m_sha.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 m_sha.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 m_sha.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_sha.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 m_sha.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 m_sha.o: ../cryptlib.h m_sha.c
-m_sha1.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-m_sha1.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-m_sha1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-m_sha1.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-m_sha1.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-m_sha1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_sha1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-m_sha1.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-m_sha1.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-m_sha1.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-m_sha1.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+m_sha1.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_sha1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+m_sha1.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+m_sha1.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+m_sha1.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_sha1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 m_sha1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 m_sha1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_sha1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_sha1.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_sha1.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+m_sha1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 m_sha1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 m_sha1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_sha1.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 m_sha1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 m_sha1.o: ../cryptlib.h m_sha1.c
-names.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-names.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-names.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-names.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-names.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-names.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-names.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-names.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-names.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-names.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-names.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+names.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+names.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+names.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+names.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+names.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+names.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 names.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 names.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-names.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-names.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-names.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-names.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-names.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-names.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-names.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-names.o: ../cryptlib.h names.c
-p5_crpt.o: ../../e_os.h ../../include/openssl/aes.h
-p5_crpt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p5_crpt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p5_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p5_crpt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p5_crpt.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p5_crpt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p5_crpt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p5_crpt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p5_crpt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p5_crpt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+names.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+names.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+names.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+names.o: ../../include/openssl/x509_vfy.h ../cryptlib.h names.c
+p5_crpt.o: ../../e_os.h ../../include/openssl/asn1.h
+p5_crpt.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p5_crpt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p5_crpt.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p5_crpt.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p5_crpt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p5_crpt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p5_crpt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 p5_crpt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-p5_crpt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p5_crpt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p5_crpt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p5_crpt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p5_crpt.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-p5_crpt.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-p5_crpt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p5_crpt.c
-p5_crpt2.o: ../../e_os.h ../../include/openssl/aes.h
-p5_crpt2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p5_crpt2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p5_crpt2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p5_crpt2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p5_crpt2.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p5_crpt2.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p5_crpt2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p5_crpt2.o: ../../include/openssl/hmac.h ../../include/openssl/idea.h
-p5_crpt2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p5_crpt2.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p5_crpt2.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p5_crpt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p5_crpt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p5_crpt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p5_crpt.o: ../cryptlib.h p5_crpt.c
+p5_crpt2.o: ../../e_os.h ../../include/openssl/asn1.h
+p5_crpt2.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p5_crpt2.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p5_crpt2.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p5_crpt2.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p5_crpt2.o: ../../include/openssl/evp.h ../../include/openssl/hmac.h
+p5_crpt2.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p5_crpt2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 p5_crpt2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-p5_crpt2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p5_crpt2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p5_crpt2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p5_crpt2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p5_crpt2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p5_crpt2.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-p5_crpt2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p5_crpt2.o: ../cryptlib.h p5_crpt2.c
-p_dec.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-p_dec.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p_dec.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p_dec.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p_dec.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-p_dec.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p_dec.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p_dec.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p_dec.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p_dec.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p_dec.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p5_crpt2.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+p5_crpt2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p5_crpt2.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p5_crpt2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p5_crpt2.c
+p_dec.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_dec.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+p_dec.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+p_dec.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+p_dec.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_dec.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p_dec.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 p_dec.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p_dec.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-p_dec.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p_dec.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 p_dec.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 p_dec.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p_dec.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-p_dec.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+p_dec.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 p_dec.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_dec.c
-p_enc.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-p_enc.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p_enc.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p_enc.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-p_enc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p_enc.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p_enc.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p_enc.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p_enc.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p_enc.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_enc.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+p_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+p_enc.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+p_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_enc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 p_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-p_enc.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p_enc.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 p_enc.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 p_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-p_enc.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+p_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 p_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_enc.c
-p_lib.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+p_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 p_lib.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
-p_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p_lib.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+p_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
 p_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 p_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-p_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 p_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 p_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-p_lib.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+p_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 p_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_lib.c
-p_open.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-p_open.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p_open.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p_open.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p_open.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-p_open.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p_open.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p_open.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p_open.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p_open.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p_open.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p_open.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_open.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+p_open.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+p_open.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+p_open.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_open.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p_open.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 p_open.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-p_open.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p_open.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p_open.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p_open.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 p_open.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 p_open.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p_open.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 p_open.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 p_open.o: ../cryptlib.h p_open.c
-p_seal.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-p_seal.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p_seal.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p_seal.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p_seal.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-p_seal.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p_seal.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p_seal.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p_seal.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p_seal.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p_seal.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p_seal.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_seal.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+p_seal.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+p_seal.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+p_seal.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_seal.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p_seal.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 p_seal.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p_seal.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-p_seal.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p_seal.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 p_seal.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 p_seal.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p_seal.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-p_seal.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+p_seal.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 p_seal.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_seal.c
-p_sign.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-p_sign.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p_sign.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p_sign.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p_sign.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-p_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p_sign.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p_sign.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p_sign.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p_sign.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p_sign.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+p_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+p_sign.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+p_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 p_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-p_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-p_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p_sign.o: ../cryptlib.h p_sign.c
-p_verify.o: ../../e_os.h ../../include/openssl/aes.h
-p_verify.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p_verify.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p_verify.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p_verify.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p_verify.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p_verify.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p_verify.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p_verify.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p_verify.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p_verify.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+p_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p_sign.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_sign.c
+p_verify.o: ../../e_os.h ../../include/openssl/asn1.h
+p_verify.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p_verify.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p_verify.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p_verify.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p_verify.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p_verify.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p_verify.o: ../../include/openssl/opensslconf.h
 p_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-p_verify.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p_verify.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p_verify.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p_verify.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p_verify.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p_verify.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-p_verify.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p_verify.o: ../cryptlib.h p_verify.c
+p_verify.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+p_verify.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p_verify.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p_verify.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_verify.c
diff --git a/crypto/openssl/crypto/evp/bio_b64.c b/crypto/openssl/crypto/evp/bio_b64.c
index 33349c2f9892..fa5cbc7eb1ff 100644
--- a/crypto/openssl/crypto/evp/bio_b64.c
+++ b/crypto/openssl/crypto/evp/bio_b64.c
@@ -165,7 +165,7 @@ static int b64_read(BIO *b, char *out, int outl)
 		{
 		i=ctx->buf_len-ctx->buf_off;
 		if (i > outl) i=outl;
-		OPENSSL_assert(ctx->buf_off+i < sizeof ctx->buf);
+		OPENSSL_assert(ctx->buf_off+i < (int)sizeof(ctx->buf));
 		memcpy(out,&(ctx->buf[ctx->buf_off]),i);
 		ret=i;
 		out+=i;
diff --git a/crypto/openssl/crypto/evp/bio_enc.c b/crypto/openssl/crypto/evp/bio_enc.c
index ab8185150344..f6ac94c6e1bb 100644
--- a/crypto/openssl/crypto/evp/bio_enc.c
+++ b/crypto/openssl/crypto/evp/bio_enc.c
@@ -71,7 +71,7 @@ static int enc_new(BIO *h);
 static int enc_free(BIO *data);
 static long enc_callback_ctrl(BIO *h, int cmd, bio_info_cb *fps);
 #define ENC_BLOCK_SIZE	(1024*4)
-#define BUF_OFFSET	EVP_MAX_BLOCK_LENGTH
+#define BUF_OFFSET	(EVP_MAX_BLOCK_LENGTH*2)
 
 typedef struct enc_struct
 	{
@@ -405,8 +405,8 @@ EVP_CIPHER_ctx *c;
 	}
 */
 
-void BIO_set_cipher(BIO *b, const EVP_CIPHER *c, unsigned char *k,
-	     unsigned char *i, int e)
+void BIO_set_cipher(BIO *b, const EVP_CIPHER *c, const unsigned char *k,
+	     const unsigned char *i, int e)
 	{
 	BIO_ENC_CTX *ctx;
 
diff --git a/crypto/openssl/crypto/evp/bio_md.c b/crypto/openssl/crypto/evp/bio_md.c
index e4a4d663cb2e..76ff9fe815a0 100644
--- a/crypto/openssl/crypto/evp/bio_md.c
+++ b/crypto/openssl/crypto/evp/bio_md.c
@@ -153,7 +153,7 @@ static int md_write(BIO *b, const char *in, int inl)
 		{
 		if (ret > 0)
 			{
-			EVP_DigestUpdate(ctx,(unsigned char *)in,
+			EVP_DigestUpdate(ctx,(const unsigned char *)in,
 				(unsigned int)ret);
 			}
 		}
@@ -200,12 +200,6 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
 		else
 			ret=0;
 		break;
-	case BIO_C_SET_MD_CTX:
-		if (b->init)
-			b->ptr=ptr;
-		else
-			ret=0;
-		break;
 	case BIO_C_DO_STATE_MACHINE:
 		BIO_clear_retry_flags(b);
 		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
diff --git a/crypto/openssl/crypto/evp/bio_ok.c b/crypto/openssl/crypto/evp/bio_ok.c
index 4e3f10141bf3..98bc1ab40963 100644
--- a/crypto/openssl/crypto/evp/bio_ok.c
+++ b/crypto/openssl/crypto/evp/bio_ok.c
@@ -119,6 +119,7 @@
 
 #include <stdio.h>
 #include <errno.h>
+#include <assert.h>
 #include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/bio.h>
@@ -141,22 +142,12 @@ static void block_in(BIO* b);
 #define IOBS		(OK_BLOCK_SIZE+ OK_BLOCK_BLOCK+ 3*EVP_MAX_MD_SIZE)
 #define WELLKNOWN "The quick brown fox jumped over the lazy dog's back."
 
-#ifndef L_ENDIAN
-#define swapem(x) \
-	((unsigned long int)((((unsigned long int)(x) & 0x000000ffU) << 24) | \
-			     (((unsigned long int)(x) & 0x0000ff00U) <<  8) | \
-			     (((unsigned long int)(x) & 0x00ff0000U) >>  8) | \
-			     (((unsigned long int)(x) & 0xff000000U) >> 24)))
-#else
-#define swapem(x) (x)
-#endif
-
 typedef struct ok_struct
 	{
-	int buf_len;
-	int buf_off;
-	int buf_len_save;
-	int buf_off_save;
+	size_t buf_len;
+	size_t buf_off;
+	size_t buf_len_save;
+	size_t buf_off_save;
 	int cont;		/* <= 0 when finished */
 	int finished;
 	EVP_MD_CTX md;
@@ -295,6 +286,8 @@ static int ok_write(BIO *b, const char *in, int inl)
 	int ret=0,n,i;
 	BIO_OK_CTX *ctx;
 
+	if (inl <= 0) return inl;
+
 	ctx=(BIO_OK_CTX *)b->ptr;
 	ret=inl;
 
@@ -330,7 +323,7 @@ static int ok_write(BIO *b, const char *in, int inl)
 		if ((in == NULL) || (inl <= 0)) return(0);
 
 		n= (inl+ ctx->buf_len > OK_BLOCK_SIZE+ OK_BLOCK_BLOCK) ? 
-				OK_BLOCK_SIZE+ OK_BLOCK_BLOCK- ctx->buf_len : inl;
+			(int)(OK_BLOCK_SIZE+OK_BLOCK_BLOCK-ctx->buf_len) : inl;
 
 		memcpy((unsigned char *)(&(ctx->buf[ctx->buf_len])),(unsigned char *)in,n);
 		ctx->buf_len+= n;
@@ -448,16 +441,18 @@ static long ok_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 	return(ret);
 	}
 
-static void longswap(void *_ptr, int len)
-{
-#ifndef L_ENDIAN
-	int i;
-	char *ptr=_ptr;
+static void longswap(void *_ptr, size_t len)
+{	const union { long one; char little; } is_endian = {1};
 
-	for(i= 0;i < len;i+= 4){
-		*((unsigned long *)&(ptr[i]))= swapem(*((unsigned long *)&(ptr[i])));
+	if (is_endian.little) {
+		size_t i;
+		unsigned char *p=_ptr,c;
+
+		for(i= 0;i < len;i+= 4) {
+			c=p[0],p[0]=p[3],p[3]=c;
+			c=p[1],p[1]=p[2],p[2]=c;
+		}
 	}
-#endif
 }
 
 static void sig_out(BIO* b)
@@ -496,7 +491,7 @@ static void sig_in(BIO* b)
 	ctx=b->ptr;
 	md=&ctx->md;
 
-	if(ctx->buf_len- ctx->buf_off < 2* md->digest->md_size) return;
+	if((int)(ctx->buf_len-ctx->buf_off) < 2*md->digest->md_size) return;
 
 	EVP_DigestInit_ex(md, md->digest, NULL);
 	memcpy(md->md_data, &(ctx->buf[ctx->buf_off]), md->digest->md_size);
@@ -533,9 +528,10 @@ static void block_out(BIO* b)
 	md=&ctx->md;
 
 	tl= ctx->buf_len- OK_BLOCK_BLOCK;
-	tl= swapem(tl);
-	memcpy(ctx->buf, &tl, OK_BLOCK_BLOCK);
-	tl= swapem(tl);
+	ctx->buf[0]=(unsigned char)(tl>>24);
+	ctx->buf[1]=(unsigned char)(tl>>16);
+	ctx->buf[2]=(unsigned char)(tl>>8);
+	ctx->buf[3]=(unsigned char)(tl);
 	EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl);
 	EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL);
 	ctx->buf_len+= md->digest->md_size;
@@ -546,14 +542,18 @@ static void block_in(BIO* b)
 	{
 	BIO_OK_CTX *ctx;
 	EVP_MD_CTX *md;
-	long tl= 0;
+	unsigned long tl= 0;
 	unsigned char tmp[EVP_MAX_MD_SIZE];
 
 	ctx=b->ptr;
 	md=&ctx->md;
 
-	memcpy(&tl, ctx->buf, OK_BLOCK_BLOCK);
-	tl= swapem(tl);
+	assert(sizeof(tl)>=OK_BLOCK_BLOCK);	/* always true */
+	tl =ctx->buf[0]; tl<<=8;
+	tl|=ctx->buf[1]; tl<<=8;
+	tl|=ctx->buf[2]; tl<<=8;
+	tl|=ctx->buf[3];
+
 	if (ctx->buf_len < tl+ OK_BLOCK_BLOCK+ md->digest->md_size) return;
  
 	EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl);
diff --git a/crypto/openssl/crypto/evp/c_all.c b/crypto/openssl/crypto/evp/c_all.c
index fa60a73ead13..a5da52e62d8b 100644
--- a/crypto/openssl/crypto/evp/c_all.c
+++ b/crypto/openssl/crypto/evp/c_all.c
@@ -74,6 +74,12 @@ void OpenSSL_add_all_algorithms(void)
 
 void OPENSSL_add_all_algorithms_noconf(void)
 	{
+	/*
+	 * For the moment OPENSSL_cpuid_setup does something
+	 * only on IA-32, but we reserve the option for all
+	 * platforms...
+	 */
+	OPENSSL_cpuid_setup();
 	OpenSSL_add_all_ciphers();
 	OpenSSL_add_all_digests();
 #ifndef OPENSSL_NO_ENGINE
diff --git a/crypto/openssl/crypto/evp/c_alld.c b/crypto/openssl/crypto/evp/c_alld.c
index be91cdb03731..d270b0ee0331 100644
--- a/crypto/openssl/crypto/evp/c_alld.c
+++ b/crypto/openssl/crypto/evp/c_alld.c
@@ -75,7 +75,7 @@ void OpenSSL_add_all_digests(void)
 	EVP_add_digest_alias(SN_md5,"ssl2-md5");
 	EVP_add_digest_alias(SN_md5,"ssl3-md5");
 #endif
-#ifndef OPENSSL_NO_SHA
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
 	EVP_add_digest(EVP_sha());
 #ifndef OPENSSL_NO_DSA
 	EVP_add_digest(EVP_dss());
@@ -91,6 +91,9 @@ void OpenSSL_add_all_digests(void)
 	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
 	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
 #endif
+#ifndef OPENSSL_NO_ECDSA
+	EVP_add_digest(EVP_ecdsa());
+#endif
 #endif
 #if !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DES)
 	EVP_add_digest(EVP_mdc2());
@@ -100,4 +103,12 @@ void OpenSSL_add_all_digests(void)
 	EVP_add_digest_alias(SN_ripemd160,"ripemd");
 	EVP_add_digest_alias(SN_ripemd160,"rmd160");
 #endif
+#ifndef OPENSSL_NO_SHA256
+	EVP_add_digest(EVP_sha224());
+	EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+	EVP_add_digest(EVP_sha384());
+	EVP_add_digest(EVP_sha512());
+#endif
 	}
diff --git a/crypto/openssl/crypto/evp/digest.c b/crypto/openssl/crypto/evp/digest.c
index 0623ddf1f05f..762e6d3450d3 100644
--- a/crypto/openssl/crypto/evp/digest.c
+++ b/crypto/openssl/crypto/evp/digest.c
@@ -159,7 +159,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 			{
 			if (!ENGINE_init(impl))
 				{
-				EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_INITIALIZATION_ERROR);
+				EVPerr(EVP_F_EVP_DIGESTINIT_EX,EVP_R_INITIALIZATION_ERROR);
 				return 0;
 				}
 			}
@@ -173,7 +173,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 			if(!d)
 				{
 				/* Same comment from evp_enc.c */
-				EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_INITIALIZATION_ERROR);
+				EVPerr(EVP_F_EVP_DIGESTINIT_EX,EVP_R_INITIALIZATION_ERROR);
 				return 0;
 				}
 			/* We'll use the ENGINE's private digest definition */
@@ -189,7 +189,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 	else
 	if(!ctx->digest)
 		{
-		EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_NO_DIGEST_SET);
+		EVPerr(EVP_F_EVP_DIGESTINIT_EX,EVP_R_NO_DIGEST_SET);
 		return 0;
 		}
 #endif
@@ -208,9 +208,9 @@ skip_to_init:
 	}
 
 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data,
-	     unsigned int count)
+	     size_t count)
 	{
-	return ctx->digest->update(ctx,data,(unsigned long)count);
+	return ctx->digest->update(ctx,data,count);
 	}
 
 /* The caller can assume that this removes any secret data from the context */
@@ -251,14 +251,14 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
 	unsigned char *tmp_buf;
 	if ((in == NULL) || (in->digest == NULL))
 		{
-		EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED);
+		EVPerr(EVP_F_EVP_MD_CTX_COPY_EX,EVP_R_INPUT_NOT_INITIALIZED);
 		return 0;
 		}
 #ifndef OPENSSL_NO_ENGINE
 	/* Make sure it's safe to copy a digest context using an ENGINE */
 	if (in->engine && !ENGINE_init(in->engine))
 		{
-		EVPerr(EVP_F_EVP_MD_CTX_COPY,ERR_R_ENGINE_LIB);
+		EVPerr(EVP_F_EVP_MD_CTX_COPY_EX,ERR_R_ENGINE_LIB);
 		return 0;
 		}
 #endif
@@ -285,7 +285,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
 	return 1;
 	}
 
-int EVP_Digest(void *data, unsigned int count,
+int EVP_Digest(const void *data, size_t count,
 		unsigned char *md, unsigned int *size, const EVP_MD *type, ENGINE *impl)
 	{
 	EVP_MD_CTX ctx;
diff --git a/crypto/openssl/crypto/evp/e_aes.c b/crypto/openssl/crypto/evp/e_aes.c
index 9844d7f9bcc6..bd6c0a3a62a3 100644
--- a/crypto/openssl/crypto/evp/e_aes.c
+++ b/crypto/openssl/crypto/evp/e_aes.c
@@ -48,10 +48,12 @@
  *
  */
 
+#include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_AES
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #include <string.h>
+#include <assert.h>
 #include <openssl/aes.h>
 #include "evp_locl.h"
 
diff --git a/crypto/openssl/crypto/evp/e_bf.c b/crypto/openssl/crypto/evp/e_bf.c
index e74337567b51..cc224e536394 100644
--- a/crypto/openssl/crypto/evp/e_bf.c
+++ b/crypto/openssl/crypto/evp/e_bf.c
@@ -56,9 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_BF
 #include <stdio.h>
 #include "cryptlib.h"
+#ifndef OPENSSL_NO_BF
 #include <openssl/evp.h>
 #include "evp_locl.h"
 #include <openssl/objects.h>
diff --git a/crypto/openssl/crypto/evp/e_cast.c b/crypto/openssl/crypto/evp/e_cast.c
index 3400fef187fb..d77bcd9298f5 100644
--- a/crypto/openssl/crypto/evp/e_cast.c
+++ b/crypto/openssl/crypto/evp/e_cast.c
@@ -56,10 +56,10 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_CAST
-
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_CAST
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
diff --git a/crypto/openssl/crypto/evp/e_des.c b/crypto/openssl/crypto/evp/e_des.c
index f2554ecc6a2e..856323648cd4 100644
--- a/crypto/openssl/crypto/evp/e_des.c
+++ b/crypto/openssl/crypto/evp/e_des.c
@@ -63,9 +63,11 @@
 #include <openssl/objects.h>
 #include "evp_locl.h"
 #include <openssl/des.h>
+#include <openssl/rand.h>
 
 static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 			const unsigned char *iv, int enc);
+static int des_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr);
 
 /* Because of various casts and different names can't use IMPLEMENT_BLOCK_CIPHER */
 
@@ -127,26 +129,48 @@ static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     }
 
 BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64,
-			0, des_init_key, NULL,
+			EVP_CIPH_RAND_KEY, des_init_key, NULL,
 			EVP_CIPHER_set_asn1_iv,
 			EVP_CIPHER_get_asn1_iv,
-			NULL)
+			des_ctrl)
 
-BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,0,des_init_key,NULL,
+BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,
+		     EVP_CIPH_RAND_KEY, des_init_key,NULL,
 		     EVP_CIPHER_set_asn1_iv,
-		     EVP_CIPHER_get_asn1_iv,NULL)
+		     EVP_CIPHER_get_asn1_iv,des_ctrl)
 
-BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,0,des_init_key,NULL,
+BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,
+		     EVP_CIPH_RAND_KEY,des_init_key,NULL,
 		     EVP_CIPHER_set_asn1_iv,
-		     EVP_CIPHER_get_asn1_iv,NULL)
+		     EVP_CIPHER_get_asn1_iv,des_ctrl)
 
 static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 			const unsigned char *iv, int enc)
 	{
 	DES_cblock *deskey = (DES_cblock *)key;
-
+#ifdef EVP_CHECK_DES_KEY
+	if(DES_set_key_checked(deskey,ctx->cipher_data) != 0)
+		return 0;
+#else
 	DES_set_key_unchecked(deskey,ctx->cipher_data);
+#endif
 	return 1;
 	}
 
+static int des_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
+	{
+	
+	switch(type)
+		{
+	case EVP_CTRL_RAND_KEY:
+		if (RAND_bytes(ptr, 8) <= 0)
+			return 0;
+		DES_set_odd_parity((DES_cblock *)ptr);
+		return 1;
+
+	default:
+		return -1;
+		}
+	}
+
 #endif
diff --git a/crypto/openssl/crypto/evp/e_des3.c b/crypto/openssl/crypto/evp/e_des3.c
index b462d7c6af9d..ac148efab237 100644
--- a/crypto/openssl/crypto/evp/e_des3.c
+++ b/crypto/openssl/crypto/evp/e_des3.c
@@ -63,6 +63,7 @@
 #include <openssl/objects.h>
 #include "evp_locl.h"
 #include <openssl/des.h>
+#include <openssl/rand.h>
 
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 			    const unsigned char *iv,int enc);
@@ -70,6 +71,8 @@ static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 			     const unsigned char *iv,int enc);
 
+static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr);
+
 typedef struct
     {
     DES_key_schedule ks1;/* key schedule */
@@ -85,7 +88,8 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 			      const unsigned char *in, unsigned int inl)
 {
 	BLOCK_CIPHER_ecb_loop()
-		DES_ecb3_encrypt(in + i,out + i, 
+		DES_ecb3_encrypt((const_DES_cblock *)(in + i),
+				 (DES_cblock *)(out + i),
 				 &data(ctx)->ks1, &data(ctx)->ks2,
 				 &data(ctx)->ks3,
 				 ctx->encrypt);
@@ -160,10 +164,10 @@ static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     }
 
 BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
-			0, des_ede_init_key, NULL, 
+			EVP_CIPH_RAND_KEY, des_ede_init_key, NULL, 
 			EVP_CIPHER_set_asn1_iv,
 			EVP_CIPHER_get_asn1_iv,
-			NULL)
+			des3_ctrl)
 
 #define des_ede3_cfb64_cipher des_ede_cfb64_cipher
 #define des_ede3_ofb_cipher des_ede_ofb_cipher
@@ -171,28 +175,35 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
 #define des_ede3_ecb_cipher des_ede_ecb_cipher
 
 BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
-			0, des_ede3_init_key, NULL, 
+			EVP_CIPH_RAND_KEY, des_ede3_init_key, NULL, 
 			EVP_CIPHER_set_asn1_iv,
 			EVP_CIPHER_get_asn1_iv,
-			NULL)
+			des3_ctrl)
 
-BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,0,
-		     des_ede3_init_key,NULL,
+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
+		     EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
 		     EVP_CIPHER_set_asn1_iv,
-		     EVP_CIPHER_get_asn1_iv,NULL)
+		     EVP_CIPHER_get_asn1_iv,
+		     des3_ctrl)
 
-BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,0,
-		     des_ede3_init_key,NULL,
+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
+		     EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
 		     EVP_CIPHER_set_asn1_iv,
-		     EVP_CIPHER_get_asn1_iv,NULL)
+		     EVP_CIPHER_get_asn1_iv,
+		     des3_ctrl)
 
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 			    const unsigned char *iv, int enc)
 	{
 	DES_cblock *deskey = (DES_cblock *)key;
-
+#ifdef EVP_CHECK_DES_KEY
+	if (DES_set_key_checked(&deskey[0],&data(ctx)->ks1)
+		!! DES_set_key_checked(&deskey[1],&data(ctx)->ks2))
+		return 0;
+#else
 	DES_set_key_unchecked(&deskey[0],&data(ctx)->ks1);
 	DES_set_key_unchecked(&deskey[1],&data(ctx)->ks2);
+#endif
 	memcpy(&data(ctx)->ks3,&data(ctx)->ks1,
 	       sizeof(data(ctx)->ks1));
 	return 1;
@@ -213,13 +224,41 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 	}
 #endif	/* KSSL_DEBUG */
 
+#ifdef EVP_CHECK_DES_KEY
+	if (DES_set_key_checked(&deskey[0],&data(ctx)->ks1)
+		|| DES_set_key_checked(&deskey[1],&data(ctx)->ks2)
+		|| DES_set_key_checked(&deskey[2],&data(ctx)->ks3))
+		return 0;
+#else
 	DES_set_key_unchecked(&deskey[0],&data(ctx)->ks1);
 	DES_set_key_unchecked(&deskey[1],&data(ctx)->ks2);
 	DES_set_key_unchecked(&deskey[2],&data(ctx)->ks3);
-
+#endif
 	return 1;
 	}
 
+static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
+	{
+
+	DES_cblock *deskey = ptr;
+
+	switch(type)
+		{
+	case EVP_CTRL_RAND_KEY:
+		if (RAND_bytes(ptr, c->key_len) <= 0)
+			return 0;
+		DES_set_odd_parity(deskey);
+		if (c->key_len >= 16)
+			DES_set_odd_parity(deskey + 1);
+		if (c->key_len >= 24)
+			DES_set_odd_parity(deskey + 2);
+		return 1;
+
+	default:
+		return -1;
+		}
+	}
+
 const EVP_CIPHER *EVP_des_ede(void)
 {
 	return &des_ede_ecb;
diff --git a/crypto/openssl/crypto/evp/e_idea.c b/crypto/openssl/crypto/evp/e_idea.c
index b9efa75ae7c8..48c33a774a5b 100644
--- a/crypto/openssl/crypto/evp/e_idea.c
+++ b/crypto/openssl/crypto/evp/e_idea.c
@@ -56,10 +56,10 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_IDEA
-
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_IDEA
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
diff --git a/crypto/openssl/crypto/evp/e_null.c b/crypto/openssl/crypto/evp/e_null.c
index 2420d7e5af80..5205259f18ca 100644
--- a/crypto/openssl/crypto/evp/e_null.c
+++ b/crypto/openssl/crypto/evp/e_null.c
@@ -76,6 +76,7 @@ static const EVP_CIPHER n_cipher=
 	0,
 	NULL,
 	NULL,
+	NULL,
 	NULL
 	};
 
@@ -95,7 +96,7 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 	     const unsigned char *in, unsigned int inl)
 	{
 	if (in != out)
-		memcpy((char *)out,(char *)in,(int)inl);
+		memcpy((char *)out,(const char *)in,(size_t)inl);
 	return 1;
 	}
 
diff --git a/crypto/openssl/crypto/evp/e_old.c b/crypto/openssl/crypto/evp/e_old.c
index 4f217368bdce..1642af4869d0 100644
--- a/crypto/openssl/crypto/evp/e_old.c
+++ b/crypto/openssl/crypto/evp/e_old.c
@@ -56,6 +56,10 @@
  *
  */
 
+#ifdef OPENSSL_NO_DEPRECATED
+static void *dummy = &dummy;
+#else
+
 #include <openssl/evp.h>
 
 /* Define some deprecated functions, so older programs
@@ -66,43 +70,56 @@
 
 #ifndef OPENSSL_NO_BF
 #undef EVP_bf_cfb
+const EVP_CIPHER *EVP_bf_cfb(void);
 const EVP_CIPHER *EVP_bf_cfb(void) { return EVP_bf_cfb64(); }
 #endif
 
 #ifndef OPENSSL_NO_DES
 #undef EVP_des_cfb
+const EVP_CIPHER *EVP_des_cfb(void);
 const EVP_CIPHER *EVP_des_cfb(void) { return EVP_des_cfb64(); }
 #undef EVP_des_ede3_cfb
+const EVP_CIPHER *EVP_des_ede3_cfb(void);
 const EVP_CIPHER *EVP_des_ede3_cfb(void) { return EVP_des_ede3_cfb64(); }
 #undef EVP_des_ede_cfb
+const EVP_CIPHER *EVP_des_ede_cfb(void);
 const EVP_CIPHER *EVP_des_ede_cfb(void) { return EVP_des_ede_cfb64(); }
 #endif
 
 #ifndef OPENSSL_NO_IDEA
 #undef EVP_idea_cfb
+const EVP_CIPHER *EVP_idea_cfb(void);
 const EVP_CIPHER *EVP_idea_cfb(void) { return EVP_idea_cfb64(); }
 #endif
 
 #ifndef OPENSSL_NO_RC2
 #undef EVP_rc2_cfb
+const EVP_CIPHER *EVP_rc2_cfb(void);
 const EVP_CIPHER *EVP_rc2_cfb(void) { return EVP_rc2_cfb64(); }
 #endif
 
-#ifndef OPENSSL_NO_CAST5
+#ifndef OPENSSL_NO_CAST
 #undef EVP_cast5_cfb
+const EVP_CIPHER *EVP_cast5_cfb(void);
 const EVP_CIPHER *EVP_cast5_cfb(void) { return EVP_cast5_cfb64(); }
 #endif
 
 #ifndef OPENSSL_NO_RC5
 #undef EVP_rc5_32_12_16_cfb
+const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void);
 const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void) { return EVP_rc5_32_12_16_cfb64(); }
 #endif
 
 #ifndef OPENSSL_NO_AES
 #undef EVP_aes_128_cfb
+const EVP_CIPHER *EVP_aes_128_cfb(void);
 const EVP_CIPHER *EVP_aes_128_cfb(void) { return EVP_aes_128_cfb128(); }
 #undef EVP_aes_192_cfb
+const EVP_CIPHER *EVP_aes_192_cfb(void);
 const EVP_CIPHER *EVP_aes_192_cfb(void) { return EVP_aes_192_cfb128(); }
 #undef EVP_aes_256_cfb
+const EVP_CIPHER *EVP_aes_256_cfb(void);
 const EVP_CIPHER *EVP_aes_256_cfb(void) { return EVP_aes_256_cfb128(); }
 #endif
+
+#endif
diff --git a/crypto/openssl/crypto/evp/e_rc2.c b/crypto/openssl/crypto/evp/e_rc2.c
index d42cbfd17ec7..d37726ffae4b 100644
--- a/crypto/openssl/crypto/evp/e_rc2.c
+++ b/crypto/openssl/crypto/evp/e_rc2.c
@@ -56,10 +56,11 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_RC2
-
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_RC2
+
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
@@ -167,16 +168,17 @@ static int rc2_magic_to_meth(int i)
 static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 	{
 	long num=0;
-	int i=0,l;
+	int i=0;
 	int key_bits;
+	unsigned int l;
 	unsigned char iv[EVP_MAX_IV_LENGTH];
 
 	if (type != NULL)
 		{
 		l=EVP_CIPHER_CTX_iv_length(c);
-		OPENSSL_assert(l <= sizeof iv);
+		OPENSSL_assert(l <= sizeof(iv));
 		i=ASN1_TYPE_get_int_octetstring(type,&num,iv,l);
-		if (i != l)
+		if (i != (int)l)
 			return(-1);
 		key_bits =rc2_magic_to_meth((int)num);
 		if (!key_bits)
diff --git a/crypto/openssl/crypto/evp/e_rc4.c b/crypto/openssl/crypto/evp/e_rc4.c
index d58f507837bd..67af850bea1a 100644
--- a/crypto/openssl/crypto/evp/e_rc4.c
+++ b/crypto/openssl/crypto/evp/e_rc4.c
@@ -56,10 +56,11 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_RC4
-
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_RC4
+
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/rc4.h>
@@ -89,6 +90,7 @@ static const EVP_CIPHER r4_cipher=
 	sizeof(EVP_RC4_KEY),
 	NULL,
 	NULL,
+	NULL,
 	NULL
 	};
 
@@ -103,6 +105,7 @@ static const EVP_CIPHER r4_40_cipher=
 	sizeof(EVP_RC4_KEY),
 	NULL, 
 	NULL,
+	NULL,
 	NULL
 	};
 
diff --git a/crypto/openssl/crypto/evp/e_rc5.c b/crypto/openssl/crypto/evp/e_rc5.c
index 3c7713b18163..19a10c640245 100644
--- a/crypto/openssl/crypto/evp/e_rc5.c
+++ b/crypto/openssl/crypto/evp/e_rc5.c
@@ -56,10 +56,11 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_RC5
-
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_RC5
+
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
diff --git a/crypto/openssl/crypto/evp/e_xcbc_d.c b/crypto/openssl/crypto/evp/e_xcbc_d.c
index a6f849e93d01..8832da24333c 100644
--- a/crypto/openssl/crypto/evp/e_xcbc_d.c
+++ b/crypto/openssl/crypto/evp/e_xcbc_d.c
@@ -56,9 +56,11 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_DES
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_DES
+
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/des.h>
@@ -89,6 +91,7 @@ static const EVP_CIPHER d_xcbc_cipher=
 	sizeof(DESX_CBC_KEY),
 	EVP_CIPHER_set_asn1_iv,
 	EVP_CIPHER_get_asn1_iv,
+	NULL,
 	NULL
 	};
 
diff --git a/crypto/openssl/crypto/evp/encode.c b/crypto/openssl/crypto/evp/encode.c
index 08209357ce0a..5921f0d710d8 100644
--- a/crypto/openssl/crypto/evp/encode.c
+++ b/crypto/openssl/crypto/evp/encode.c
@@ -129,14 +129,14 @@ void EVP_EncodeInit(EVP_ENCODE_CTX *ctx)
 	}
 
 void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
-	     unsigned char *in, int inl)
+	     const unsigned char *in, int inl)
 	{
 	int i,j;
 	unsigned int total=0;
 
 	*outl=0;
 	if (inl == 0) return;
-	OPENSSL_assert(ctx->length <= sizeof ctx->enc_data);
+	OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
 	if ((ctx->num+inl) < ctx->length)
 		{
 		memcpy(&(ctx->enc_data[ctx->num]),in,inl);
@@ -233,7 +233,7 @@ void EVP_DecodeInit(EVP_ENCODE_CTX *ctx)
  *  1 for full line
  */
 int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
-	     unsigned char *in, int inl)
+	     const unsigned char *in, int inl)
 	{
 	int seof= -1,eof=0,rv= -1,ret=0,i,v,tmp,n,ln,tmp2,exp_nl;
 	unsigned char *d;
@@ -259,7 +259,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 		/* only save the good data :-) */
 		if (!B64_NOT_BASE64(v))
 			{
-			OPENSSL_assert(n < sizeof ctx->enc_data);
+			OPENSSL_assert(n < (int)sizeof(ctx->enc_data));
 			d[n++]=tmp;
 			ln++;
 			}
@@ -313,7 +313,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 			/* There will never be more than two '=' */
 			}
 
-		if ((v == B64_EOF) || (n >= 64))
+		if ((v == B64_EOF && (n&3) == 0) || (n >= 64))
 			{
 			/* This is needed to work correctly on 64 byte input
 			 * lines.  We process the line and then need to
@@ -323,8 +323,8 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 			if (n > 0)
 				{
 				v=EVP_DecodeBlock(out,d,n);
-				if (v < 0) { rv=0; goto end; }
 				n=0;
+				if (v < 0) { rv=0; goto end; }
 				ret+=(v-eof);
 				}
 			else
diff --git a/crypto/openssl/crypto/evp/evp.h b/crypto/openssl/crypto/evp/evp.h
index 115878ff1799..116a12ff9489 100644
--- a/crypto/openssl/crypto/evp/evp.h
+++ b/crypto/openssl/crypto/evp/evp.h
@@ -74,48 +74,6 @@
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
-#ifndef OPENSSL_NO_MD2
-#include <openssl/md2.h>
-#endif
-#ifndef OPENSSL_NO_MD4
-#include <openssl/md4.h>
-#endif
-#ifndef OPENSSL_NO_MD5
-#include <openssl/md5.h>
-#endif
-#ifndef OPENSSL_NO_SHA
-#include <openssl/sha.h>
-#endif
-#ifndef OPENSSL_NO_RIPEMD
-#include <openssl/ripemd.h>
-#endif
-#ifndef OPENSSL_NO_DES
-#include <openssl/des.h>
-#endif
-#ifndef OPENSSL_NO_RC4
-#include <openssl/rc4.h>
-#endif
-#ifndef OPENSSL_NO_RC2
-#include <openssl/rc2.h>
-#endif
-#ifndef OPENSSL_NO_RC5
-#include <openssl/rc5.h>
-#endif
-#ifndef OPENSSL_NO_BF
-#include <openssl/blowfish.h>
-#endif
-#ifndef OPENSSL_NO_CAST
-#include <openssl/cast.h>
-#endif
-#ifndef OPENSSL_NO_IDEA
-#include <openssl/idea.h>
-#endif
-#ifndef OPENSSL_NO_MDC2
-#include <openssl/mdc2.h>
-#endif
-#ifndef OPENSSL_NO_AES
-#include <openssl/aes.h>
-#endif
 
 /*
 #define EVP_RC2_KEY_SIZE		16
@@ -124,7 +82,7 @@
 #define EVP_CAST5_KEY_SIZE		16
 #define EVP_RC5_32_12_16_KEY_SIZE	16
 */
-#define EVP_MAX_MD_SIZE			(16+20) /* The SSLv3 md5+sha1 type */
+#define EVP_MAX_MD_SIZE			64	/* longest known is SHA512 */
 #define EVP_MAX_KEY_LENGTH		32
 #define EVP_MAX_IV_LENGTH		16
 #define EVP_MAX_BLOCK_LENGTH		32
@@ -133,28 +91,18 @@
 /* Default PKCS#5 iteration count */
 #define PKCS5_DEFAULT_ITER		2048
 
-#ifndef OPENSSL_NO_RSA
-#include <openssl/rsa.h>
-#endif
-
-#ifndef OPENSSL_NO_DSA
-#include <openssl/dsa.h>
-#endif
-
-#ifndef OPENSSL_NO_DH
-#include <openssl/dh.h>
-#endif
-
 #include <openssl/objects.h>
 
 #define EVP_PK_RSA	0x0001
 #define EVP_PK_DSA	0x0002
 #define EVP_PK_DH	0x0004
+#define EVP_PK_EC	0x0008
 #define EVP_PKT_SIGN	0x0010
 #define EVP_PKT_ENC	0x0020
 #define EVP_PKT_EXCH	0x0040
 #define EVP_PKS_RSA	0x0100
 #define EVP_PKS_DSA	0x0200
+#define EVP_PKS_EC	0x0400
 #define EVP_PKT_EXP	0x1000 /* <= 512 bit key */
 
 #define EVP_PKEY_NONE	NID_undef
@@ -166,6 +114,7 @@
 #define EVP_PKEY_DSA3	NID_dsaWithSHA1
 #define EVP_PKEY_DSA4	NID_dsaWithSHA1_2
 #define EVP_PKEY_DH	NID_dhKeyAgreement
+#define EVP_PKEY_EC	NID_X9_62_id_ecPublicKey
 
 #ifdef	__cplusplus
 extern "C" {
@@ -190,6 +139,9 @@ struct evp_pkey_st
 #ifndef OPENSSL_NO_DH
 		struct dh_st *dh;	/* DH */
 #endif
+#ifndef OPENSSL_NO_EC
+		struct ec_key_st *ec;	/* ECC */
+#endif
 		} pkey;
 	int save_parameters;
 	STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
@@ -275,38 +227,58 @@ struct env_md_st
 	int md_size;
 	unsigned long flags;
 	int (*init)(EVP_MD_CTX *ctx);
-	int (*update)(EVP_MD_CTX *ctx,const void *data,unsigned long count);
+	int (*update)(EVP_MD_CTX *ctx,const void *data,size_t count);
 	int (*final)(EVP_MD_CTX *ctx,unsigned char *md);
 	int (*copy)(EVP_MD_CTX *to,const EVP_MD_CTX *from);
 	int (*cleanup)(EVP_MD_CTX *ctx);
 
 	/* FIXME: prototype these some day */
-	int (*sign)();
-	int (*verify)();
+	int (*sign)(int type, const unsigned char *m, unsigned int m_length,
+		    unsigned char *sigret, unsigned int *siglen, void *key);
+	int (*verify)(int type, const unsigned char *m, unsigned int m_length,
+		      const unsigned char *sigbuf, unsigned int siglen,
+		      void *key);
 	int required_pkey_type[5]; /*EVP_PKEY_xxx */
 	int block_size;
 	int ctx_size; /* how big does the ctx->md_data need to be */
 	} /* EVP_MD */;
 
+typedef int evp_sign_method(int type,const unsigned char *m,
+			    unsigned int m_length,unsigned char *sigret,
+			    unsigned int *siglen, void *key);
+typedef int evp_verify_method(int type,const unsigned char *m,
+			    unsigned int m_length,const unsigned char *sigbuf,
+			    unsigned int siglen, void *key);
+
 #define EVP_MD_FLAG_ONESHOT	0x0001 /* digest can only handle a single
 					* block */
 
 #define EVP_PKEY_NULL_method	NULL,NULL,{0,0,0,0}
 
 #ifndef OPENSSL_NO_DSA
-#define EVP_PKEY_DSA_method	DSA_sign,DSA_verify, \
+#define EVP_PKEY_DSA_method	(evp_sign_method *)DSA_sign, \
+				(evp_verify_method *)DSA_verify, \
 				{EVP_PKEY_DSA,EVP_PKEY_DSA2,EVP_PKEY_DSA3, \
 					EVP_PKEY_DSA4,0}
 #else
 #define EVP_PKEY_DSA_method	EVP_PKEY_NULL_method
 #endif
 
+#ifndef OPENSSL_NO_ECDSA
+#define EVP_PKEY_ECDSA_method   (evp_sign_method *)ECDSA_sign, \
+				(evp_verify_method *)ECDSA_verify, \
+                                 {EVP_PKEY_EC,0,0,0}
+#else   
+#define EVP_PKEY_ECDSA_method   EVP_PKEY_NULL_method
+#endif
+
 #ifndef OPENSSL_NO_RSA
-#define EVP_PKEY_RSA_method	RSA_sign,RSA_verify, \
+#define EVP_PKEY_RSA_method	(evp_sign_method *)RSA_sign, \
+				(evp_verify_method *)RSA_verify, \
 				{EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0}
 #define EVP_PKEY_RSA_ASN1_OCTET_STRING_method \
-				RSA_sign_ASN1_OCTET_STRING, \
-				RSA_verify_ASN1_OCTET_STRING, \
+				(evp_sign_method *)RSA_sign_ASN1_OCTET_STRING, \
+				(evp_verify_method *)RSA_verify_ASN1_OCTET_STRING, \
 				{EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0}
 #else
 #define EVP_PKEY_RSA_method	EVP_PKEY_NULL_method
@@ -373,6 +345,8 @@ struct evp_cipher_st
 #define 	EVP_CIPH_CUSTOM_KEY_LENGTH	0x80
 /* Don't use standard block padding */
 #define 	EVP_CIPH_NO_PADDING		0x100
+/* cipher handles random key generation */
+#define 	EVP_CIPH_RAND_KEY		0x200
 
 /* ctrl() values */
 
@@ -382,6 +356,7 @@ struct evp_cipher_st
 #define 	EVP_CTRL_SET_RC2_KEY_BITS	0x3
 #define 	EVP_CTRL_GET_RC5_ROUNDS		0x4
 #define 	EVP_CTRL_SET_RC5_ROUNDS		0x5
+#define 	EVP_CTRL_RAND_KEY		0x6
 
 typedef struct evp_cipher_info_st
 	{
@@ -443,6 +418,11 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 					(char *)(dh))
 #endif
 
+#ifndef OPENSSL_NO_EC
+#define EVP_PKEY_assign_EC_KEY(pkey,eckey) EVP_PKEY_assign((pkey),EVP_PKEY_EC,\
+                                        (char *)(eckey))
+#endif
+
 /* Add some extra combinations */
 #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a))
 #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a))
@@ -499,7 +479,6 @@ void BIO_set_md(BIO *,const EVP_MD *md);
 #endif
 #define BIO_get_md(b,mdp)		BIO_ctrl(b,BIO_C_GET_MD,0,(char *)mdp)
 #define BIO_get_md_ctx(b,mdcp)     BIO_ctrl(b,BIO_C_GET_MD_CTX,0,(char *)mdcp)
-#define BIO_set_md_ctx(b,mdcp)     BIO_ctrl(b,BIO_C_SET_MD_CTX,0,(char *)mdcp)
 #define BIO_get_cipher_status(b)	BIO_ctrl(b,BIO_C_GET_CIPHER_STATUS,0,NULL)
 #define BIO_get_cipher_ctx(b,c_pp)	BIO_ctrl(b,BIO_C_GET_CIPHER_CTX,0,(char *)c_pp)
 
@@ -524,9 +503,9 @@ int     EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in);
 #define EVP_MD_CTX_test_flags(ctx,flgs) ((ctx)->flags&(flgs))
 int	EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
 int	EVP_DigestUpdate(EVP_MD_CTX *ctx,const void *d,
-			 unsigned int cnt);
+			 size_t cnt);
 int	EVP_DigestFinal_ex(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s);
-int	EVP_Digest(void *data, unsigned int count,
+int	EVP_Digest(const void *data, size_t count,
 		unsigned char *md, unsigned int *size, const EVP_MD *type, ENGINE *impl);
 
 int     EVP_MD_CTX_copy(EVP_MD_CTX *out,const EVP_MD_CTX *in);  
@@ -534,7 +513,7 @@ int	EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
 int	EVP_DigestFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s);
 
 int	EVP_read_pw_string(char *buf,int length,const char *prompt,int verify);
-void	EVP_set_pw_prompt(char *prompt);
+void	EVP_set_pw_prompt(const char *prompt);
 char *	EVP_get_pw_prompt(void);
 
 int	EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md,
@@ -573,43 +552,48 @@ int	EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
 int	EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s,
 		EVP_PKEY *pkey);
 
-int	EVP_VerifyFinal(EVP_MD_CTX *ctx,unsigned char *sigbuf,
+int	EVP_VerifyFinal(EVP_MD_CTX *ctx,const unsigned char *sigbuf,
 		unsigned int siglen,EVP_PKEY *pkey);
 
-int	EVP_OpenInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,unsigned char *ek,
-		int ekl,unsigned char *iv,EVP_PKEY *priv);
+int	EVP_OpenInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,
+		const unsigned char *ek, int ekl, const unsigned char *iv,
+		EVP_PKEY *priv);
 int	EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
 
-int	EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek,
-		int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
+int	EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+		 unsigned char **ek, int *ekl, unsigned char *iv,
+		EVP_PKEY **pubk, int npubk);
 int	EVP_SealFinal(EVP_CIPHER_CTX *ctx,unsigned char *out,int *outl);
 
 void	EVP_EncodeInit(EVP_ENCODE_CTX *ctx);
-void	EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,
-		int *outl,unsigned char *in,int inl);
+void	EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl,
+		const unsigned char *in,int inl);
 void	EVP_EncodeFinal(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl);
 int	EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int n);
 
 void	EVP_DecodeInit(EVP_ENCODE_CTX *ctx);
 int	EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl,
-		unsigned char *in, int inl);
+		const unsigned char *in, int inl);
 int	EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned
 		char *out, int *outl);
 int	EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n);
 
 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
 int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
+EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
+void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *a);
 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *c, int pad);
 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
+int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key);
 
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_md(void);
 BIO_METHOD *BIO_f_base64(void);
 BIO_METHOD *BIO_f_cipher(void);
 BIO_METHOD *BIO_f_reliable(void);
-void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,unsigned char *k,
-	unsigned char *i, int enc);
+void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,const unsigned char *k,
+		const unsigned char *i, int enc);
 #endif
 
 const EVP_MD *EVP_md_null(void);
@@ -627,6 +611,15 @@ const EVP_MD *EVP_sha(void);
 const EVP_MD *EVP_sha1(void);
 const EVP_MD *EVP_dss(void);
 const EVP_MD *EVP_dss1(void);
+const EVP_MD *EVP_ecdsa(void);
+#endif
+#ifndef OPENSSL_NO_SHA256
+const EVP_MD *EVP_sha224(void);
+const EVP_MD *EVP_sha256(void);
+#endif
+#ifndef OPENSSL_NO_SHA512
+const EVP_MD *EVP_sha384(void);
+const EVP_MD *EVP_sha512(void);
 #endif
 #ifndef OPENSSL_NO_MDC2
 const EVP_MD *EVP_mdc2(void);
@@ -770,10 +763,12 @@ const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
 const EVP_MD *EVP_get_digestbyname(const char *name);
 void EVP_cleanup(void);
 
-int		EVP_PKEY_decrypt(unsigned char *dec_key,unsigned char *enc_key,
-			int enc_key_len,EVP_PKEY *private_key);
+int		EVP_PKEY_decrypt(unsigned char *dec_key,
+			const unsigned char *enc_key,int enc_key_len,
+			EVP_PKEY *private_key);
 int		EVP_PKEY_encrypt(unsigned char *enc_key,
-			unsigned char *key,int key_len,EVP_PKEY *pub_key);
+			const unsigned char *key,int key_len,
+			EVP_PKEY *pub_key);
 int		EVP_PKEY_type(int type);
 int		EVP_PKEY_bits(EVP_PKEY *pkey);
 int		EVP_PKEY_size(EVP_PKEY *pkey);
@@ -794,24 +789,31 @@ struct dh_st;
 int EVP_PKEY_set1_DH(EVP_PKEY *pkey,struct dh_st *key);
 struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
 #endif
-
+#ifndef OPENSSL_NO_EC
+struct ec_key_st;
+int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey,struct ec_key_st *key);
+struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
+#endif
 
 EVP_PKEY *	EVP_PKEY_new(void);
 void		EVP_PKEY_free(EVP_PKEY *pkey);
-EVP_PKEY *	d2i_PublicKey(int type,EVP_PKEY **a, unsigned char **pp,
+
+EVP_PKEY *	d2i_PublicKey(int type,EVP_PKEY **a, const unsigned char **pp,
 			long length);
 int		i2d_PublicKey(EVP_PKEY *a, unsigned char **pp);
 
-EVP_PKEY *	d2i_PrivateKey(int type,EVP_PKEY **a, unsigned char **pp,
+EVP_PKEY *	d2i_PrivateKey(int type,EVP_PKEY **a, const unsigned char **pp,
 			long length);
-EVP_PKEY *	d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp,
+EVP_PKEY *	d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp,
 			long length);
 int		i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp);
 
-int EVP_PKEY_copy_parameters(EVP_PKEY *to,EVP_PKEY *from);
-int EVP_PKEY_missing_parameters(EVP_PKEY *pkey);
+int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from);
+int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey);
 int EVP_PKEY_save_parameters(EVP_PKEY *pkey,int mode);
-int EVP_PKEY_cmp_parameters(EVP_PKEY *a,EVP_PKEY *b);
+int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b);
+
+int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b);
 
 int EVP_CIPHER_type(const EVP_CIPHER *ctx);
 
@@ -828,7 +830,7 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 			 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md,
 			 int en_de);
 int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
-			   unsigned char *salt, int saltlen, int iter,
+			   const unsigned char *salt, int saltlen, int iter,
 			   int keylen, unsigned char *out);
 int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 			 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md,
@@ -851,26 +853,31 @@ void ERR_load_EVP_strings(void);
 /* Error codes for the EVP functions. */
 
 /* Function codes. */
-#define EVP_F_AES_INIT_KEY				 129
+#define EVP_F_AES_INIT_KEY				 133
 #define EVP_F_D2I_PKEY					 100
-#define EVP_F_EVP_CIPHERINIT				 123
+#define EVP_F_DSAPKEY2PKCS8				 134
+#define EVP_F_DSA_PKEY2PKCS8				 135
+#define EVP_F_ECDSA_PKEY2PKCS8				 129
+#define EVP_F_ECKEY_PKEY2PKCS8				 132
+#define EVP_F_EVP_CIPHERINIT_EX				 123
 #define EVP_F_EVP_CIPHER_CTX_CTRL			 124
 #define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH		 122
-#define EVP_F_EVP_DECRYPTFINAL				 101
-#define EVP_F_EVP_DIGESTINIT				 128
-#define EVP_F_EVP_ENCRYPTFINAL				 127
-#define EVP_F_EVP_MD_CTX_COPY				 110
+#define EVP_F_EVP_DECRYPTFINAL_EX			 101
+#define EVP_F_EVP_DIGESTINIT_EX				 128
+#define EVP_F_EVP_ENCRYPTFINAL_EX			 127
+#define EVP_F_EVP_MD_CTX_COPY_EX			 110
 #define EVP_F_EVP_OPENINIT				 102
 #define EVP_F_EVP_PBE_ALG_ADD				 115
 #define EVP_F_EVP_PBE_CIPHERINIT			 116
 #define EVP_F_EVP_PKCS82PKEY				 111
-#define EVP_F_EVP_PKCS8_SET_BROKEN			 112
-#define EVP_F_EVP_PKEY2PKCS8				 113
+#define EVP_F_EVP_PKEY2PKCS8_BROKEN			 113
 #define EVP_F_EVP_PKEY_COPY_PARAMETERS			 103
 #define EVP_F_EVP_PKEY_DECRYPT				 104
 #define EVP_F_EVP_PKEY_ENCRYPT				 105
 #define EVP_F_EVP_PKEY_GET1_DH				 119
 #define EVP_F_EVP_PKEY_GET1_DSA				 120
+#define EVP_F_EVP_PKEY_GET1_ECDSA			 130
+#define EVP_F_EVP_PKEY_GET1_EC_KEY			 131
 #define EVP_F_EVP_PKEY_GET1_RSA				 121
 #define EVP_F_EVP_PKEY_NEW				 106
 #define EVP_F_EVP_RIJNDAEL				 126
@@ -878,11 +885,13 @@ void ERR_load_EVP_strings(void);
 #define EVP_F_EVP_VERIFYFINAL				 108
 #define EVP_F_PKCS5_PBE_KEYIVGEN			 117
 #define EVP_F_PKCS5_V2_PBE_KEYIVGEN			 118
+#define EVP_F_PKCS8_SET_BROKEN				 112
 #define EVP_F_RC2_MAGIC_TO_METH				 109
 #define EVP_F_RC5_CTRL					 125
 
 /* Reason codes. */
-#define EVP_R_AES_KEY_SETUP_FAILED			 140
+#define EVP_R_AES_KEY_SETUP_FAILED			 143
+#define EVP_R_ASN1_LIB					 140
 #define EVP_R_BAD_BLOCK_LENGTH				 136
 #define EVP_R_BAD_DECRYPT				 100
 #define EVP_R_BAD_KEY_LENGTH				 137
@@ -899,6 +908,8 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_EXPECTING_AN_RSA_KEY			 127
 #define EVP_R_EXPECTING_A_DH_KEY			 128
 #define EVP_R_EXPECTING_A_DSA_KEY			 129
+#define EVP_R_EXPECTING_A_ECDSA_KEY			 141
+#define EVP_R_EXPECTING_A_EC_KEY			 142
 #define EVP_R_INITIALIZATION_ERROR			 134
 #define EVP_R_INPUT_NOT_INITIALIZED			 111
 #define EVP_R_INVALID_KEY_LENGTH			 130
diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c
index 8ea5aa935dda..f0b725def6df 100644
--- a/crypto/openssl/crypto/evp/evp_enc.c
+++ b/crypto/openssl/crypto/evp/evp_enc.c
@@ -60,6 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/err.h>
+#include <openssl/rand.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
@@ -73,6 +74,13 @@ void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
 	/* ctx->cipher=NULL; */
 	}
 
+EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
+	{
+	EVP_CIPHER_CTX *ctx=OPENSSL_malloc(sizeof *ctx);
+	if (ctx)
+		EVP_CIPHER_CTX_init(ctx);
+	return ctx;
+	}
 
 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
 	     const unsigned char *key, const unsigned char *iv, int enc)
@@ -116,7 +124,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 			{
 			if (!ENGINE_init(impl))
 				{
-				EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_INITIALIZATION_ERROR);
+				EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
 				return 0;
 				}
 			}
@@ -133,7 +141,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 				 * control history, is that we should at least
 				 * be able to avoid using US mispellings of
 				 * "initialisation"? */
-				EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_INITIALIZATION_ERROR);
+				EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
 				return 0;
 				}
 			/* We'll use the ENGINE's private cipher definition */
@@ -153,7 +161,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 			ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size);
 			if (!ctx->cipher_data)
 				{
-				EVPerr(EVP_F_EVP_CIPHERINIT, ERR_R_MALLOC_FAILURE);
+				EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE);
 				return 0;
 				}
 			}
@@ -167,14 +175,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 			{
 			if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL))
 				{
-				EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_INITIALIZATION_ERROR);
+				EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
 				return 0;
 				}
 			}
 		}
 	else if(!ctx->cipher)
 		{
-		EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_NO_CIPHER_SET);
+		EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_NO_CIPHER_SET);
 		return 0;
 		}
 #ifndef OPENSSL_NO_ENGINE
@@ -199,7 +207,8 @@ skip_to_init:
 
 			case EVP_CIPH_CBC_MODE:
 
-			OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) <= sizeof ctx->iv);
+			OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) <=
+					(int)sizeof(ctx->iv));
 			if(iv) memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx));
 			memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));
 			break;
@@ -286,7 +295,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
 		}
 	i=ctx->buf_len;
 	bl=ctx->cipher->block_size;
-	OPENSSL_assert(bl <= sizeof ctx->buf);
+	OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
 	if (i != 0)
 		{
 		if (i+inl < bl)
@@ -332,7 +341,8 @@ int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 
 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 	{
-	int i,n,b,bl,ret;
+	int n,ret;
+	unsigned int i, b, bl;
 
 	b=ctx->cipher->block_size;
 	OPENSSL_assert(b <= sizeof ctx->buf);
@@ -346,7 +356,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 		{
 		if(bl)
 			{
-			EVPerr(EVP_F_EVP_ENCRYPTFINAL,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
+			EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
 			return 0;
 			}
 		*outl = 0;
@@ -368,7 +378,8 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
 	     const unsigned char *in, int inl)
 	{
-	int b, fix_len;
+	int fix_len;
+	unsigned int b;
 
 	if (inl == 0)
 		{
@@ -421,8 +432,8 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 	{
-	int i,b;
-	int n;
+	int i,n;
+	unsigned int b;
 
 	*outl=0;
 	b=ctx->cipher->block_size;
@@ -430,7 +441,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 		{
 		if(ctx->buf_len)
 			{
-			EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
+			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
 			return 0;
 			}
 		*outl = 0;
@@ -440,21 +451,21 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 		{
 		if (ctx->buf_len || !ctx->final_used)
 			{
-			EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
+			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
 			return(0);
 			}
 		OPENSSL_assert(b <= sizeof ctx->final);
 		n=ctx->final[b-1];
-		if (n > b)
+		if (n == 0 || n > (int)b)
 			{
-			EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT);
+			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
 			return(0);
 			}
 		for (i=0; i<n; i++)
 			{
 			if (ctx->final[--b] != n)
 				{
-				EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT);
+				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
 				return(0);
 				}
 			}
@@ -468,6 +479,15 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 	return(1);
 	}
 
+void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
+	{
+	if (ctx)
+		{
+		EVP_CIPHER_CTX_cleanup(ctx);
+		OPENSSL_free(ctx);
+		}
+	}
+
 int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
 	{
 	if (c->cipher != NULL)
@@ -531,3 +551,13 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
 	}
 	return ret;
 }
+
+int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
+	{
+	if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
+		return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key);
+	if (RAND_bytes(key, ctx->key_len) <= 0)
+		return 0;
+	return 1;
+	}
+
diff --git a/crypto/openssl/crypto/evp/evp_err.c b/crypto/openssl/crypto/evp/evp_err.c
index be6d442521c8..e854aadfa28a 100644
--- a/crypto/openssl/crypto/evp/evp_err.c
+++ b/crypto/openssl/crypto/evp/evp_err.c
@@ -1,6 +1,6 @@
 /* crypto/evp/evp_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,83 +64,96 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_EVP,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_EVP,0,reason)
+
 static ERR_STRING_DATA EVP_str_functs[]=
 	{
-{ERR_PACK(0,EVP_F_AES_INIT_KEY,0),	"AES_INIT_KEY"},
-{ERR_PACK(0,EVP_F_D2I_PKEY,0),	"D2I_PKEY"},
-{ERR_PACK(0,EVP_F_EVP_CIPHERINIT,0),	"EVP_CipherInit"},
-{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0),	"EVP_CIPHER_CTX_ctrl"},
-{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,0),	"EVP_CIPHER_CTX_set_key_length"},
-{ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0),	"EVP_DecryptFinal"},
-{ERR_PACK(0,EVP_F_EVP_DIGESTINIT,0),	"EVP_DigestInit"},
-{ERR_PACK(0,EVP_F_EVP_ENCRYPTFINAL,0),	"EVP_EncryptFinal"},
-{ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0),	"EVP_MD_CTX_copy"},
-{ERR_PACK(0,EVP_F_EVP_OPENINIT,0),	"EVP_OpenInit"},
-{ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0),	"EVP_PBE_alg_add"},
-{ERR_PACK(0,EVP_F_EVP_PBE_CIPHERINIT,0),	"EVP_PBE_CipherInit"},
-{ERR_PACK(0,EVP_F_EVP_PKCS82PKEY,0),	"EVP_PKCS82PKEY"},
-{ERR_PACK(0,EVP_F_EVP_PKCS8_SET_BROKEN,0),	"EVP_PKCS8_SET_BROKEN"},
-{ERR_PACK(0,EVP_F_EVP_PKEY2PKCS8,0),	"EVP_PKEY2PKCS8"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_COPY_PARAMETERS,0),	"EVP_PKEY_copy_parameters"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_DECRYPT,0),	"EVP_PKEY_decrypt"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_ENCRYPT,0),	"EVP_PKEY_encrypt"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_DH,0),	"EVP_PKEY_get1_DH"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_DSA,0),	"EVP_PKEY_get1_DSA"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_RSA,0),	"EVP_PKEY_get1_RSA"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_NEW,0),	"EVP_PKEY_new"},
-{ERR_PACK(0,EVP_F_EVP_RIJNDAEL,0),	"EVP_RIJNDAEL"},
-{ERR_PACK(0,EVP_F_EVP_SIGNFINAL,0),	"EVP_SignFinal"},
-{ERR_PACK(0,EVP_F_EVP_VERIFYFINAL,0),	"EVP_VerifyFinal"},
-{ERR_PACK(0,EVP_F_PKCS5_PBE_KEYIVGEN,0),	"PKCS5_PBE_keyivgen"},
-{ERR_PACK(0,EVP_F_PKCS5_V2_PBE_KEYIVGEN,0),	"PKCS5_v2_PBE_keyivgen"},
-{ERR_PACK(0,EVP_F_RC2_MAGIC_TO_METH,0),	"RC2_MAGIC_TO_METH"},
-{ERR_PACK(0,EVP_F_RC5_CTRL,0),	"RC5_CTRL"},
+{ERR_FUNC(EVP_F_AES_INIT_KEY),	"AES_INIT_KEY"},
+{ERR_FUNC(EVP_F_D2I_PKEY),	"D2I_PKEY"},
+{ERR_FUNC(EVP_F_DSAPKEY2PKCS8),	"DSAPKEY2PKCS8"},
+{ERR_FUNC(EVP_F_DSA_PKEY2PKCS8),	"DSA_PKEY2PKCS8"},
+{ERR_FUNC(EVP_F_ECDSA_PKEY2PKCS8),	"ECDSA_PKEY2PKCS8"},
+{ERR_FUNC(EVP_F_ECKEY_PKEY2PKCS8),	"ECKEY_PKEY2PKCS8"},
+{ERR_FUNC(EVP_F_EVP_CIPHERINIT_EX),	"EVP_CipherInit_ex"},
+{ERR_FUNC(EVP_F_EVP_CIPHER_CTX_CTRL),	"EVP_CIPHER_CTX_ctrl"},
+{ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH),	"EVP_CIPHER_CTX_set_key_length"},
+{ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX),	"EVP_DecryptFinal_ex"},
+{ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX),	"EVP_DigestInit_ex"},
+{ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX),	"EVP_EncryptFinal_ex"},
+{ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX),	"EVP_MD_CTX_copy_ex"},
+{ERR_FUNC(EVP_F_EVP_OPENINIT),	"EVP_OpenInit"},
+{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD),	"EVP_PBE_alg_add"},
+{ERR_FUNC(EVP_F_EVP_PBE_CIPHERINIT),	"EVP_PBE_CipherInit"},
+{ERR_FUNC(EVP_F_EVP_PKCS82PKEY),	"EVP_PKCS82PKEY"},
+{ERR_FUNC(EVP_F_EVP_PKEY2PKCS8_BROKEN),	"EVP_PKEY2PKCS8_broken"},
+{ERR_FUNC(EVP_F_EVP_PKEY_COPY_PARAMETERS),	"EVP_PKEY_copy_parameters"},
+{ERR_FUNC(EVP_F_EVP_PKEY_DECRYPT),	"EVP_PKEY_decrypt"},
+{ERR_FUNC(EVP_F_EVP_PKEY_ENCRYPT),	"EVP_PKEY_encrypt"},
+{ERR_FUNC(EVP_F_EVP_PKEY_GET1_DH),	"EVP_PKEY_get1_DH"},
+{ERR_FUNC(EVP_F_EVP_PKEY_GET1_DSA),	"EVP_PKEY_get1_DSA"},
+{ERR_FUNC(EVP_F_EVP_PKEY_GET1_ECDSA),	"EVP_PKEY_GET1_ECDSA"},
+{ERR_FUNC(EVP_F_EVP_PKEY_GET1_EC_KEY),	"EVP_PKEY_get1_EC_KEY"},
+{ERR_FUNC(EVP_F_EVP_PKEY_GET1_RSA),	"EVP_PKEY_get1_RSA"},
+{ERR_FUNC(EVP_F_EVP_PKEY_NEW),	"EVP_PKEY_new"},
+{ERR_FUNC(EVP_F_EVP_RIJNDAEL),	"EVP_RIJNDAEL"},
+{ERR_FUNC(EVP_F_EVP_SIGNFINAL),	"EVP_SignFinal"},
+{ERR_FUNC(EVP_F_EVP_VERIFYFINAL),	"EVP_VerifyFinal"},
+{ERR_FUNC(EVP_F_PKCS5_PBE_KEYIVGEN),	"PKCS5_PBE_keyivgen"},
+{ERR_FUNC(EVP_F_PKCS5_V2_PBE_KEYIVGEN),	"PKCS5_v2_PBE_keyivgen"},
+{ERR_FUNC(EVP_F_PKCS8_SET_BROKEN),	"PKCS8_set_broken"},
+{ERR_FUNC(EVP_F_RC2_MAGIC_TO_METH),	"RC2_MAGIC_TO_METH"},
+{ERR_FUNC(EVP_F_RC5_CTRL),	"RC5_CTRL"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA EVP_str_reasons[]=
 	{
-{EVP_R_AES_KEY_SETUP_FAILED              ,"aes key setup failed"},
-{EVP_R_BAD_BLOCK_LENGTH                  ,"bad block length"},
-{EVP_R_BAD_DECRYPT                       ,"bad decrypt"},
-{EVP_R_BAD_KEY_LENGTH                    ,"bad key length"},
-{EVP_R_BN_DECODE_ERROR                   ,"bn decode error"},
-{EVP_R_BN_PUBKEY_ERROR                   ,"bn pubkey error"},
-{EVP_R_CIPHER_PARAMETER_ERROR            ,"cipher parameter error"},
-{EVP_R_CTRL_NOT_IMPLEMENTED              ,"ctrl not implemented"},
-{EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED    ,"ctrl operation not implemented"},
-{EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH ,"data not multiple of block length"},
-{EVP_R_DECODE_ERROR                      ,"decode error"},
-{EVP_R_DIFFERENT_KEY_TYPES               ,"different key types"},
-{EVP_R_ENCODE_ERROR                      ,"encode error"},
-{EVP_R_EVP_PBE_CIPHERINIT_ERROR          ,"evp pbe cipherinit error"},
-{EVP_R_EXPECTING_AN_RSA_KEY              ,"expecting an rsa key"},
-{EVP_R_EXPECTING_A_DH_KEY                ,"expecting a dh key"},
-{EVP_R_EXPECTING_A_DSA_KEY               ,"expecting a dsa key"},
-{EVP_R_INITIALIZATION_ERROR              ,"initialization error"},
-{EVP_R_INPUT_NOT_INITIALIZED             ,"input not initialized"},
-{EVP_R_INVALID_KEY_LENGTH                ,"invalid key length"},
-{EVP_R_IV_TOO_LARGE                      ,"iv too large"},
-{EVP_R_KEYGEN_FAILURE                    ,"keygen failure"},
-{EVP_R_MISSING_PARAMETERS                ,"missing parameters"},
-{EVP_R_NO_CIPHER_SET                     ,"no cipher set"},
-{EVP_R_NO_DIGEST_SET                     ,"no digest set"},
-{EVP_R_NO_DSA_PARAMETERS                 ,"no dsa parameters"},
-{EVP_R_NO_SIGN_FUNCTION_CONFIGURED       ,"no sign function configured"},
-{EVP_R_NO_VERIFY_FUNCTION_CONFIGURED     ,"no verify function configured"},
-{EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE         ,"pkcs8 unknown broken type"},
-{EVP_R_PUBLIC_KEY_NOT_RSA                ,"public key not rsa"},
-{EVP_R_UNKNOWN_PBE_ALGORITHM             ,"unknown pbe algorithm"},
-{EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS       ,"unsuported number of rounds"},
-{EVP_R_UNSUPPORTED_CIPHER                ,"unsupported cipher"},
-{EVP_R_UNSUPPORTED_KEYLENGTH             ,"unsupported keylength"},
-{EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION,"unsupported key derivation function"},
-{EVP_R_UNSUPPORTED_KEY_SIZE              ,"unsupported key size"},
-{EVP_R_UNSUPPORTED_PRF                   ,"unsupported prf"},
-{EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM ,"unsupported private key algorithm"},
-{EVP_R_UNSUPPORTED_SALT_TYPE             ,"unsupported salt type"},
-{EVP_R_WRONG_FINAL_BLOCK_LENGTH          ,"wrong final block length"},
-{EVP_R_WRONG_PUBLIC_KEY_TYPE             ,"wrong public key type"},
+{ERR_REASON(EVP_R_AES_KEY_SETUP_FAILED)  ,"aes key setup failed"},
+{ERR_REASON(EVP_R_ASN1_LIB)              ,"asn1 lib"},
+{ERR_REASON(EVP_R_BAD_BLOCK_LENGTH)      ,"bad block length"},
+{ERR_REASON(EVP_R_BAD_DECRYPT)           ,"bad decrypt"},
+{ERR_REASON(EVP_R_BAD_KEY_LENGTH)        ,"bad key length"},
+{ERR_REASON(EVP_R_BN_DECODE_ERROR)       ,"bn decode error"},
+{ERR_REASON(EVP_R_BN_PUBKEY_ERROR)       ,"bn pubkey error"},
+{ERR_REASON(EVP_R_CIPHER_PARAMETER_ERROR),"cipher parameter error"},
+{ERR_REASON(EVP_R_CTRL_NOT_IMPLEMENTED)  ,"ctrl not implemented"},
+{ERR_REASON(EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED),"ctrl operation not implemented"},
+{ERR_REASON(EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH),"data not multiple of block length"},
+{ERR_REASON(EVP_R_DECODE_ERROR)          ,"decode error"},
+{ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES)   ,"different key types"},
+{ERR_REASON(EVP_R_ENCODE_ERROR)          ,"encode error"},
+{ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"},
+{ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY)  ,"expecting an rsa key"},
+{ERR_REASON(EVP_R_EXPECTING_A_DH_KEY)    ,"expecting a dh key"},
+{ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY)   ,"expecting a dsa key"},
+{ERR_REASON(EVP_R_EXPECTING_A_ECDSA_KEY) ,"expecting a ecdsa key"},
+{ERR_REASON(EVP_R_EXPECTING_A_EC_KEY)    ,"expecting a ec key"},
+{ERR_REASON(EVP_R_INITIALIZATION_ERROR)  ,"initialization error"},
+{ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) ,"input not initialized"},
+{ERR_REASON(EVP_R_INVALID_KEY_LENGTH)    ,"invalid key length"},
+{ERR_REASON(EVP_R_IV_TOO_LARGE)          ,"iv too large"},
+{ERR_REASON(EVP_R_KEYGEN_FAILURE)        ,"keygen failure"},
+{ERR_REASON(EVP_R_MISSING_PARAMETERS)    ,"missing parameters"},
+{ERR_REASON(EVP_R_NO_CIPHER_SET)         ,"no cipher set"},
+{ERR_REASON(EVP_R_NO_DIGEST_SET)         ,"no digest set"},
+{ERR_REASON(EVP_R_NO_DSA_PARAMETERS)     ,"no dsa parameters"},
+{ERR_REASON(EVP_R_NO_SIGN_FUNCTION_CONFIGURED),"no sign function configured"},
+{ERR_REASON(EVP_R_NO_VERIFY_FUNCTION_CONFIGURED),"no verify function configured"},
+{ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),"pkcs8 unknown broken type"},
+{ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA)    ,"public key not rsa"},
+{ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"},
+{ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"},
+{ERR_REASON(EVP_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
+{ERR_REASON(EVP_R_UNSUPPORTED_KEYLENGTH) ,"unsupported keylength"},
+{ERR_REASON(EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION),"unsupported key derivation function"},
+{ERR_REASON(EVP_R_UNSUPPORTED_KEY_SIZE)  ,"unsupported key size"},
+{ERR_REASON(EVP_R_UNSUPPORTED_PRF)       ,"unsupported prf"},
+{ERR_REASON(EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM),"unsupported private key algorithm"},
+{ERR_REASON(EVP_R_UNSUPPORTED_SALT_TYPE) ,"unsupported salt type"},
+{ERR_REASON(EVP_R_WRONG_FINAL_BLOCK_LENGTH),"wrong final block length"},
+{ERR_REASON(EVP_R_WRONG_PUBLIC_KEY_TYPE) ,"wrong public key type"},
 {0,NULL}
 	};
 
@@ -154,8 +167,8 @@ void ERR_load_EVP_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_EVP,EVP_str_functs);
-		ERR_load_strings(ERR_LIB_EVP,EVP_str_reasons);
+		ERR_load_strings(0,EVP_str_functs);
+		ERR_load_strings(0,EVP_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/evp/evp_key.c b/crypto/openssl/crypto/evp/evp_key.c
index 5f387a94d321..361ea69ab6d5 100644
--- a/crypto/openssl/crypto/evp/evp_key.c
+++ b/crypto/openssl/crypto/evp/evp_key.c
@@ -66,7 +66,7 @@
 /* should be init to zeros. */
 static char prompt_string[80];
 
-void EVP_set_pw_prompt(char *prompt)
+void EVP_set_pw_prompt(const char *prompt)
 	{
 	if (prompt == NULL)
 		prompt_string[0]='\0';
@@ -126,7 +126,8 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
 	EVP_MD_CTX_init(&c);
 	for (;;)
 		{
-		EVP_DigestInit_ex(&c,md, NULL);
+		if (!EVP_DigestInit_ex(&c,md, NULL))
+			return 0;
 		if (addmd++)
 			EVP_DigestUpdate(&c,&(md_buf[0]),mds);
 		EVP_DigestUpdate(&c,data,datal);
diff --git a/crypto/openssl/crypto/evp/evp_lib.c b/crypto/openssl/crypto/evp/evp_lib.c
index a63ba19317c8..36213964dd83 100644
--- a/crypto/openssl/crypto/evp/evp_lib.c
+++ b/crypto/openssl/crypto/evp/evp_lib.c
@@ -68,7 +68,7 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 	if (c->cipher->set_asn1_parameters != NULL)
 		ret=c->cipher->set_asn1_parameters(c,type);
 	else
-		return -1;
+		ret=-1;
 	return(ret);
 	}
 
@@ -79,20 +79,21 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 	if (c->cipher->get_asn1_parameters != NULL)
 		ret=c->cipher->get_asn1_parameters(c,type);
 	else
-		return -1;
+		ret=-1;
 	return(ret);
 	}
 
 int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 	{
-	int i=0,l;
+	int i=0;
+	unsigned int l;
 
 	if (type != NULL) 
 		{
 		l=EVP_CIPHER_CTX_iv_length(c);
-		OPENSSL_assert(l <= sizeof c->iv);
+		OPENSSL_assert(l <= sizeof(c->iv));
 		i=ASN1_TYPE_get_octetstring(type,c->oiv,l);
-		if (i != l)
+		if (i != (int)l)
 			return(-1);
 		else if (i > 0)
 			memcpy(c->iv,c->oiv,l);
@@ -102,12 +103,13 @@ int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 
 int EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 	{
-	int i=0,j;
+	int i=0;
+	unsigned int j;
 
 	if (type != NULL)
 		{
 		j=EVP_CIPHER_CTX_iv_length(c);
-		OPENSSL_assert(j <= sizeof c->iv);
+		OPENSSL_assert(j <= sizeof(c->iv));
 		i=ASN1_TYPE_set_octetstring(type,c->oiv,j);
 		}
 	return(i);
diff --git a/crypto/openssl/crypto/evp/evp_pbe.c b/crypto/openssl/crypto/evp/evp_pbe.c
index 91e545a1416d..c26d2de0f388 100644
--- a/crypto/openssl/crypto/evp/evp_pbe.c
+++ b/crypto/openssl/crypto/evp/evp_pbe.c
@@ -74,7 +74,7 @@ const EVP_MD *md;
 EVP_PBE_KEYGEN *keygen;
 } EVP_PBE_CTL;
 
-int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
+int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
 	     ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de)
 {
 
@@ -106,7 +106,8 @@ int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
 
 static int pbe_cmp(const char * const *a, const char * const *b)
 {
-	EVP_PBE_CTL **pbe1 = (EVP_PBE_CTL **) a,  **pbe2 = (EVP_PBE_CTL **)b;
+	const EVP_PBE_CTL * const *pbe1 = (const EVP_PBE_CTL * const *) a,
+			* const *pbe2 = (const EVP_PBE_CTL * const *)b;
 	return ((*pbe1)->pbe_nid - (*pbe2)->pbe_nid);
 }
 
diff --git a/crypto/openssl/crypto/evp/evp_pkey.c b/crypto/openssl/crypto/evp/evp_pkey.c
index eb481ec661da..0147f3e02a68 100644
--- a/crypto/openssl/crypto/evp/evp_pkey.c
+++ b/crypto/openssl/crypto/evp/evp_pkey.c
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -61,14 +61,24 @@
 #include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/rand.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#include <openssl/bn.h>
 
 #ifndef OPENSSL_NO_DSA
 static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8inf, EVP_PKEY *pkey);
 #endif
+#ifndef OPENSSL_NO_EC
+static int eckey_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8inf, EVP_PKEY *pkey);
+#endif
 
 /* Extract a private key from a PKCS8 structure */
 
-EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
+EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8)
 {
 	EVP_PKEY *pkey = NULL;
 #ifndef OPENSSL_NO_RSA
@@ -76,16 +86,24 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
 #endif
 #ifndef OPENSSL_NO_DSA
 	DSA *dsa = NULL;
+	ASN1_TYPE *t1, *t2;
 	ASN1_INTEGER *privkey;
-	ASN1_TYPE *t1, *t2, *param = NULL;
 	STACK_OF(ASN1_TYPE) *ndsa = NULL;
+#endif
+#ifndef OPENSSL_NO_EC
+	EC_KEY *eckey = NULL;
+	const unsigned char *p_tmp;
+#endif
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC)
+	ASN1_TYPE    *param = NULL;	
 	BN_CTX *ctx = NULL;
 	int plen;
 #endif
 	X509_ALGOR *a;
-	unsigned char *p;
+	const unsigned char *p;
 	const unsigned char *cp;
 	int pkeylen;
+	int  nid;
 	char obj_tmp[80];
 
 	if(p8->pkey->type == V_ASN1_OCTET_STRING) {
@@ -102,7 +120,8 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
 		return NULL;
 	}
 	a = p8->pkeyalg;
-	switch (OBJ_obj2nid(a->algorithm))
+	nid = OBJ_obj2nid(a->algorithm);
+	switch(nid)
 	{
 #ifndef OPENSSL_NO_RSA
 		case NID_rsaEncryption:
@@ -208,6 +227,112 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
 		return NULL;
 		break;
 #endif
+#ifndef OPENSSL_NO_EC
+		case NID_X9_62_id_ecPublicKey:
+		p_tmp = p;
+		/* extract the ec parameters */
+		param = p8->pkeyalg->parameter;
+
+		if (!param || ((param->type != V_ASN1_SEQUENCE) &&
+		    (param->type != V_ASN1_OBJECT)))
+		{
+			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+			goto ecerr;
+		}
+
+		if (param->type == V_ASN1_SEQUENCE)
+		{
+			cp = p = param->value.sequence->data;
+			plen = param->value.sequence->length;
+
+			if (!(eckey = d2i_ECParameters(NULL, &cp, plen)))
+			{
+				EVPerr(EVP_F_EVP_PKCS82PKEY,
+					EVP_R_DECODE_ERROR);
+				goto ecerr;
+			}
+		}
+		else
+		{
+			EC_GROUP *group;
+			cp = p = param->value.object->data;
+			plen = param->value.object->length;
+
+			/* type == V_ASN1_OBJECT => the parameters are given
+			 * by an asn1 OID
+			 */
+			if ((eckey = EC_KEY_new()) == NULL)
+			{
+				EVPerr(EVP_F_EVP_PKCS82PKEY,
+					ERR_R_MALLOC_FAILURE);
+				goto ecerr;
+			}
+			group = EC_GROUP_new_by_curve_name(OBJ_obj2nid(a->parameter->value.object));
+			if (group == NULL)
+				goto ecerr;
+			EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
+			if (EC_KEY_set_group(eckey, group) == 0)
+				goto ecerr;
+			EC_GROUP_free(group);
+		}
+
+		/* We have parameters now set private key */
+		if (!d2i_ECPrivateKey(&eckey, &p_tmp, pkeylen))
+		{
+			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+			goto ecerr;
+		}
+
+		/* calculate public key (if necessary) */
+		if (EC_KEY_get0_public_key(eckey) == NULL)
+		{
+			const BIGNUM *priv_key;
+			const EC_GROUP *group;
+			EC_POINT *pub_key;
+			/* the public key was not included in the SEC1 private
+			 * key => calculate the public key */
+			group   = EC_KEY_get0_group(eckey);
+			pub_key = EC_POINT_new(group);
+			if (pub_key == NULL)
+			{
+				EVPerr(EVP_F_EVP_PKCS82PKEY, ERR_R_EC_LIB);
+				goto ecerr;
+			}
+			if (!EC_POINT_copy(pub_key, EC_GROUP_get0_generator(group)))
+			{
+				EC_POINT_free(pub_key);
+				EVPerr(EVP_F_EVP_PKCS82PKEY, ERR_R_EC_LIB);
+				goto ecerr;
+			}
+			priv_key = EC_KEY_get0_private_key(eckey);
+			if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx))
+			{
+				EC_POINT_free(pub_key);
+				EVPerr(EVP_F_EVP_PKCS82PKEY, ERR_R_EC_LIB);
+				goto ecerr;
+			}
+			if (EC_KEY_set_public_key(eckey, pub_key) == 0)
+			{
+				EC_POINT_free(pub_key);
+				EVPerr(EVP_F_EVP_PKCS82PKEY, ERR_R_EC_LIB);
+				goto ecerr;
+			}
+			EC_POINT_free(pub_key);
+		}
+
+		EVP_PKEY_assign_EC_KEY(pkey, eckey);
+		if (ctx)
+			BN_CTX_free(ctx);
+		break;
+ecerr:
+		if (ctx)
+			BN_CTX_free(ctx);
+		if (eckey)
+			EC_KEY_free(eckey);
+		if (pkey)
+			EVP_PKEY_free(pkey);
+		return NULL;
+#endif
 		default:
 		EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
 		if (!a->algorithm) BUF_strlcpy (obj_tmp, "NULL", sizeof obj_tmp);
@@ -231,13 +356,17 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken)
 	PKCS8_PRIV_KEY_INFO *p8;
 
 	if (!(p8 = PKCS8_PRIV_KEY_INFO_new())) {	
-		EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+		EVPerr(EVP_F_EVP_PKEY2PKCS8_BROKEN,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	p8->broken = broken;
-	ASN1_INTEGER_set (p8->version, 0);
+	if (!ASN1_INTEGER_set(p8->version, 0)) {
+		EVPerr(EVP_F_EVP_PKEY2PKCS8_BROKEN,ERR_R_MALLOC_FAILURE);
+		PKCS8_PRIV_KEY_INFO_free (p8);
+		return NULL;
+	}
 	if (!(p8->pkeyalg->parameter = ASN1_TYPE_new ())) {
-		EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+		EVPerr(EVP_F_EVP_PKEY2PKCS8_BROKEN,ERR_R_MALLOC_FAILURE);
 		PKCS8_PRIV_KEY_INFO_free (p8);
 		return NULL;
 	}
@@ -250,9 +379,9 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken)
 
 		p8->pkeyalg->algorithm = OBJ_nid2obj(NID_rsaEncryption);
 		p8->pkeyalg->parameter->type = V_ASN1_NULL;
-		if (!ASN1_pack_string ((char *)pkey, i2d_PrivateKey,
+		if (!ASN1_pack_string_of (EVP_PKEY,pkey, i2d_PrivateKey,
 					 &p8->pkey->value.octet_string)) {
-			EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			EVPerr(EVP_F_EVP_PKEY2PKCS8_BROKEN,ERR_R_MALLOC_FAILURE);
 			PKCS8_PRIV_KEY_INFO_free (p8);
 			return NULL;
 		}
@@ -267,13 +396,22 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken)
 
 		break;
 #endif
+#ifndef OPENSSL_NO_EC
+		case EVP_PKEY_EC:
+		if (!eckey_pkey2pkcs8(p8, pkey))
+		{
+			PKCS8_PRIV_KEY_INFO_free(p8);
+			return(NULL);
+		}
+		break;
+#endif
 		default:
-		EVPerr(EVP_F_EVP_PKEY2PKCS8, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
+		EVPerr(EVP_F_EVP_PKEY2PKCS8_BROKEN, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
 		PKCS8_PRIV_KEY_INFO_free (p8);
 		return NULL;
 	}
 	RAND_add(p8->pkey->value.octet_string->data,
-		 p8->pkey->value.octet_string->length, 0);
+		 p8->pkey->value.octet_string->length, 0.0);
 	return p8;
 }
 
@@ -293,39 +431,43 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken)
 		break;
 
 		default:
-		EVPerr(EVP_F_EVP_PKCS8_SET_BROKEN,EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE);
+		EVPerr(EVP_F_PKCS8_SET_BROKEN,EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE);
 		return NULL;
-		break;
-		
 	}
 }
 
 #ifndef OPENSSL_NO_DSA
 static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
 {
-	ASN1_STRING *params;
-	ASN1_INTEGER *prkey;
-	ASN1_TYPE *ttmp;
-	STACK_OF(ASN1_TYPE) *ndsa;
-	unsigned char *p, *q;
+	ASN1_STRING *params = NULL;
+	ASN1_INTEGER *prkey = NULL;
+	ASN1_TYPE *ttmp = NULL;
+	STACK_OF(ASN1_TYPE) *ndsa = NULL;
+	unsigned char *p = NULL, *q;
 	int len;
 
 	p8->pkeyalg->algorithm = OBJ_nid2obj(NID_dsa);
 	len = i2d_DSAparams (pkey->pkey.dsa, NULL);
 	if (!(p = OPENSSL_malloc(len))) {
-		EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-		PKCS8_PRIV_KEY_INFO_free (p8);
-		return 0;
+		EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+		goto err;
 	}
 	q = p;
 	i2d_DSAparams (pkey->pkey.dsa, &q);
-	params = ASN1_STRING_new();
-	ASN1_STRING_set(params, p, len);
+	if (!(params = ASN1_STRING_new())) {
+		EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+	if (!ASN1_STRING_set(params, p, len)) {
+		EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
 	OPENSSL_free(p);
+	p = NULL;
 	/* Get private key into integer */
 	if (!(prkey = BN_to_ASN1_INTEGER (pkey->pkey.dsa->priv_key, NULL))) {
-		EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
-		return 0;
+		EVPerr(EVP_F_DSA_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
+		goto err;
 	}
 
 	switch(p8->broken) {
@@ -333,15 +475,16 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
 		case PKCS8_OK:
 		case PKCS8_NO_OCTET:
 
-		if (!ASN1_pack_string((char *)prkey, i2d_ASN1_INTEGER,
+		if (!ASN1_pack_string_of(ASN1_INTEGER,prkey, i2d_ASN1_INTEGER,
 					 &p8->pkey->value.octet_string)) {
-			EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-			M_ASN1_INTEGER_free (prkey);
-			return 0;
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
 		}
 
 		M_ASN1_INTEGER_free (prkey);
+		prkey = NULL;
 		p8->pkeyalg->parameter->value.sequence = params;
+		params = NULL;
 		p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
 
 		break;
@@ -349,32 +492,51 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
 		case PKCS8_NS_DB:
 
 		p8->pkeyalg->parameter->value.sequence = params;
+		params = NULL;
 		p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
-		ndsa = sk_ASN1_TYPE_new_null();
-		ttmp = ASN1_TYPE_new();
-		if (!(ttmp->value.integer = BN_to_ASN1_INTEGER (pkey->pkey.dsa->pub_key, NULL))) {
-			EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
-			PKCS8_PRIV_KEY_INFO_free(p8);
-			return 0;
+		if (!(ndsa = sk_ASN1_TYPE_new_null())) {
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		if (!(ttmp = ASN1_TYPE_new())) {
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		if (!(ttmp->value.integer =
+			BN_to_ASN1_INTEGER(pkey->pkey.dsa->pub_key, NULL))) {
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
+			goto err;
 		}
 		ttmp->type = V_ASN1_INTEGER;
-		sk_ASN1_TYPE_push(ndsa, ttmp);
+		if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
 
-		ttmp = ASN1_TYPE_new();
+		if (!(ttmp = ASN1_TYPE_new())) {
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
 		ttmp->value.integer = prkey;
+		prkey = NULL;
 		ttmp->type = V_ASN1_INTEGER;
-		sk_ASN1_TYPE_push(ndsa, ttmp);
+		if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		ttmp = NULL;
 
-		p8->pkey->value.octet_string = ASN1_OCTET_STRING_new();
+		if (!(p8->pkey->value.octet_string = ASN1_OCTET_STRING_new())) {
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
 
 		if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE,
 					 &p8->pkey->value.octet_string->data,
 					 &p8->pkey->value.octet_string->length)) {
 
-			EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-			sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
-			M_ASN1_INTEGER_free(prkey);
-			return 0;
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
 		}
 		sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
 		break;
@@ -382,31 +544,251 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
 		case PKCS8_EMBEDDED_PARAM:
 
 		p8->pkeyalg->parameter->type = V_ASN1_NULL;
-		ndsa = sk_ASN1_TYPE_new_null();
-		ttmp = ASN1_TYPE_new();
+		if (!(ndsa = sk_ASN1_TYPE_new_null())) {
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		if (!(ttmp = ASN1_TYPE_new())) {
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
 		ttmp->value.sequence = params;
+		params = NULL;
 		ttmp->type = V_ASN1_SEQUENCE;
-		sk_ASN1_TYPE_push(ndsa, ttmp);
+		if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
 
-		ttmp = ASN1_TYPE_new();
+		if (!(ttmp = ASN1_TYPE_new())) {
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
 		ttmp->value.integer = prkey;
+		prkey = NULL;
 		ttmp->type = V_ASN1_INTEGER;
-		sk_ASN1_TYPE_push(ndsa, ttmp);
+		if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		ttmp = NULL;
 
-		p8->pkey->value.octet_string = ASN1_OCTET_STRING_new();
+		if (!(p8->pkey->value.octet_string = ASN1_OCTET_STRING_new())) {
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
 
 		if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE,
 					 &p8->pkey->value.octet_string->data,
 					 &p8->pkey->value.octet_string->length)) {
 
-			EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-			sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
-			M_ASN1_INTEGER_free (prkey);
-			return 0;
+			EVPerr(EVP_F_DSA_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			goto err;
 		}
 		sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
 		break;
 	}
 	return 1;
+err:
+	if (p != NULL) OPENSSL_free(p);
+	if (params != NULL) ASN1_STRING_free(params);
+	if (prkey != NULL) M_ASN1_INTEGER_free(prkey);
+	if (ttmp != NULL) ASN1_TYPE_free(ttmp);
+	if (ndsa != NULL) sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+	return 0;
+}
+#endif
+
+#ifndef OPENSSL_NO_EC
+static int eckey_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
+{
+	EC_KEY		*ec_key;
+	const EC_GROUP  *group;
+	unsigned char	*p, *pp;
+	int 		nid, i, ret = 0;
+	unsigned int    tmp_flags, old_flags;
+
+	ec_key = pkey->pkey.ec;
+	if (ec_key == NULL || (group = EC_KEY_get0_group(ec_key)) == NULL) 
+	{
+		EVPerr(EVP_F_ECKEY_PKEY2PKCS8, EVP_R_MISSING_PARAMETERS);
+		return 0;
+	}
+
+	/* set the ec parameters OID */
+	if (p8->pkeyalg->algorithm)
+		ASN1_OBJECT_free(p8->pkeyalg->algorithm);
+
+	p8->pkeyalg->algorithm = OBJ_nid2obj(NID_X9_62_id_ecPublicKey);
+
+	/* set the ec parameters */
+
+	if (p8->pkeyalg->parameter)
+	{
+		ASN1_TYPE_free(p8->pkeyalg->parameter);
+		p8->pkeyalg->parameter = NULL;
+	}
+
+	if ((p8->pkeyalg->parameter = ASN1_TYPE_new()) == NULL)
+	{
+		EVPerr(EVP_F_ECKEY_PKEY2PKCS8, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	
+	if (EC_GROUP_get_asn1_flag(group)
+                     && (nid = EC_GROUP_get_curve_name(group)))
+	{
+		/* we have a 'named curve' => just set the OID */
+		p8->pkeyalg->parameter->type = V_ASN1_OBJECT;
+		p8->pkeyalg->parameter->value.object = OBJ_nid2obj(nid);
+	}
+	else	/* explicit parameters */
+	{
+		if ((i = i2d_ECParameters(ec_key, NULL)) == 0)
+		{
+			EVPerr(EVP_F_ECKEY_PKEY2PKCS8, ERR_R_EC_LIB);
+			return 0;
+		}
+		if ((p = (unsigned char *) OPENSSL_malloc(i)) == NULL)
+		{
+			EVPerr(EVP_F_ECKEY_PKEY2PKCS8, ERR_R_MALLOC_FAILURE);
+			return 0;
+		}	
+		pp = p;
+		if (!i2d_ECParameters(ec_key, &pp))
+		{
+			EVPerr(EVP_F_ECKEY_PKEY2PKCS8, ERR_R_EC_LIB);
+			OPENSSL_free(p);
+			return 0;
+		}
+		p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
+		if ((p8->pkeyalg->parameter->value.sequence 
+			= ASN1_STRING_new()) == NULL)
+		{
+			EVPerr(EVP_F_ECKEY_PKEY2PKCS8, ERR_R_ASN1_LIB);
+			OPENSSL_free(p);
+			return 0;
+		}
+		ASN1_STRING_set(p8->pkeyalg->parameter->value.sequence, p, i);
+		OPENSSL_free(p);
+	}
+
+	/* set the private key */
+
+	/* do not include the parameters in the SEC1 private key
+	 * see PKCS#11 12.11 */
+	old_flags = EC_KEY_get_enc_flags(pkey->pkey.ec);
+	tmp_flags = old_flags | EC_PKEY_NO_PARAMETERS;
+	EC_KEY_set_enc_flags(pkey->pkey.ec, tmp_flags);
+	i = i2d_ECPrivateKey(pkey->pkey.ec, NULL);
+	if (!i)
+	{
+		EC_KEY_set_enc_flags(pkey->pkey.ec, old_flags);
+		EVPerr(EVP_F_ECKEY_PKEY2PKCS8, ERR_R_EC_LIB);
+		return 0;
+	}
+	p = (unsigned char *) OPENSSL_malloc(i);
+	if (!p)
+	{
+		EC_KEY_set_enc_flags(pkey->pkey.ec, old_flags);
+		EVPerr(EVP_F_ECKEY_PKEY2PKCS8, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	pp = p;
+	if (!i2d_ECPrivateKey(pkey->pkey.ec, &pp))
+	{
+		EC_KEY_set_enc_flags(pkey->pkey.ec, old_flags);
+		EVPerr(EVP_F_ECKEY_PKEY2PKCS8, ERR_R_EC_LIB);
+		OPENSSL_free(p);
+		return 0;
+	}
+	/* restore old encoding flags */
+	EC_KEY_set_enc_flags(pkey->pkey.ec, old_flags);
+
+	switch(p8->broken) {
+
+		case PKCS8_OK:
+		p8->pkey->value.octet_string = ASN1_OCTET_STRING_new();
+		if (!p8->pkey->value.octet_string ||
+		    !M_ASN1_OCTET_STRING_set(p8->pkey->value.octet_string,
+		    (const void *)p, i))
+
+		{
+			EVPerr(EVP_F_ECKEY_PKEY2PKCS8, ERR_R_MALLOC_FAILURE);
+		}
+		else
+			ret = 1;
+		break;
+		case PKCS8_NO_OCTET:		/* RSA specific */
+		case PKCS8_NS_DB:		/* DSA specific */
+		case PKCS8_EMBEDDED_PARAM:	/* DSA specific */
+		default:
+			EVPerr(EVP_F_ECKEY_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
+	}
+	OPENSSL_cleanse(p, (size_t)i);
+	OPENSSL_free(p);
+	return ret;
 }
 #endif
+
+/* EVP_PKEY attribute functions */
+
+int EVP_PKEY_get_attr_count(const EVP_PKEY *key)
+{
+	return X509at_get_attr_count(key->attributes);
+}
+
+int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid,
+			  int lastpos)
+{
+	return X509at_get_attr_by_NID(key->attributes, nid, lastpos);
+}
+
+int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, ASN1_OBJECT *obj,
+			  int lastpos)
+{
+	return X509at_get_attr_by_OBJ(key->attributes, obj, lastpos);
+}
+
+X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc)
+{
+	return X509at_get_attr(key->attributes, loc);
+}
+
+X509_ATTRIBUTE *EVP_PKEY_delete_attr(EVP_PKEY *key, int loc)
+{
+	return X509at_delete_attr(key->attributes, loc);
+}
+
+int EVP_PKEY_add1_attr(EVP_PKEY *key, X509_ATTRIBUTE *attr)
+{
+	if(X509at_add1_attr(&key->attributes, attr)) return 1;
+	return 0;
+}
+
+int EVP_PKEY_add1_attr_by_OBJ(EVP_PKEY *key,
+			const ASN1_OBJECT *obj, int type,
+			const unsigned char *bytes, int len)
+{
+	if(X509at_add1_attr_by_OBJ(&key->attributes, obj,
+				type, bytes, len)) return 1;
+	return 0;
+}
+
+int EVP_PKEY_add1_attr_by_NID(EVP_PKEY *key,
+			int nid, int type,
+			const unsigned char *bytes, int len)
+{
+	if(X509at_add1_attr_by_NID(&key->attributes, nid,
+				type, bytes, len)) return 1;
+	return 0;
+}
+
+int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
+			const char *attrname, int type,
+			const unsigned char *bytes, int len)
+{
+	if(X509at_add1_attr_by_txt(&key->attributes, attrname,
+				type, bytes, len)) return 1;
+	return 0;
+}
diff --git a/crypto/openssl/crypto/evp/evp_test.c b/crypto/openssl/crypto/evp/evp_test.c
index a624cfd248a0..3bf8e9ab2709 100644
--- a/crypto/openssl/crypto/evp/evp_test.c
+++ b/crypto/openssl/crypto/evp/evp_test.c
@@ -52,6 +52,7 @@
 
 #include "../e_os.h"
 
+#include <openssl/opensslconf.h>
 #include <openssl/evp.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -136,7 +137,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
 		  const unsigned char *iv,int in,
 		  const unsigned char *plaintext,int pn,
 		  const unsigned char *ciphertext,int cn,
-		  int encdec,int multiplier)
+		  int encdec)
     {
     EVP_CIPHER_CTX ctx;
     unsigned char out[4096];
@@ -167,7 +168,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
 	    }
 	EVP_CIPHER_CTX_set_padding(&ctx,0);
 
-	if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn*multiplier))
+	if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn))
 	    {
 	    fprintf(stderr,"Encrypt failed\n");
 	    ERR_print_errors_fp(stderr);
@@ -180,7 +181,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
 	    test1_exit(7);
 	    }
 
-	if(outl+outl2 != cn*multiplier)
+	if(outl+outl2 != cn)
 	    {
 	    fprintf(stderr,"Ciphertext length mismatch got %d expected %d\n",
 		    outl+outl2,cn);
@@ -206,7 +207,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
 	    }
 	EVP_CIPHER_CTX_set_padding(&ctx,0);
 
-	if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn*multiplier))
+	if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn))
 	    {
 	    fprintf(stderr,"Decrypt failed\n");
 	    ERR_print_errors_fp(stderr);
@@ -219,7 +220,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
 	    test1_exit(7);
 	    }
 
-	if(outl+outl2 != cn*multiplier)
+	if(outl+outl2 != cn)
 	    {
 	    fprintf(stderr,"Plaintext length mismatch got %d expected %d\n",
 		    outl+outl2,cn);
@@ -244,7 +245,7 @@ static int test_cipher(const char *cipher,const unsigned char *key,int kn,
 		       const unsigned char *iv,int in,
 		       const unsigned char *plaintext,int pn,
 		       const unsigned char *ciphertext,int cn,
-		       int encdec,int multiplier)
+		       int encdec)
     {
     const EVP_CIPHER *c;
 
@@ -252,7 +253,7 @@ static int test_cipher(const char *cipher,const unsigned char *key,int kn,
     if(!c)
 	return 0;
 
-    test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec,multiplier);
+    test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec);
 
     return 1;
     }
@@ -368,7 +369,6 @@ int main(int argc,char **argv)
 	unsigned char *iv,*key,*plaintext,*ciphertext;
 	int encdec;
 	int kn,in,pn,cn;
-	int multiplier=1;
 
 	if(!fgets((char *)line,sizeof line,f))
 	    break;
@@ -393,17 +393,30 @@ int main(int argc,char **argv)
 	pn=convert(plaintext);
 	cn=convert(ciphertext);
 
-	if(strchr(cipher,'*'))
-	    {
-	    p=cipher;
-	    sstrsep(&p,"*");
-	    multiplier=atoi(sstrsep(&p,"*"));
-	    }
-
-	if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec,
-			multiplier)
+	if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec)
 	   && !test_digest(cipher,plaintext,pn,ciphertext,cn))
 	    {
+#ifdef OPENSSL_NO_AES
+	    if (strstr(cipher, "AES") == cipher)
+		{
+		fprintf(stdout, "Cipher disabled, skipping %s\n", cipher); 
+		continue;
+		}
+#endif
+#ifdef OPENSSL_NO_DES
+	    if (strstr(cipher, "DES") == cipher)
+		{
+		fprintf(stdout, "Cipher disabled, skipping %s\n", cipher); 
+		continue;
+		}
+#endif
+#ifdef OPENSSL_NO_RC4
+	    if (strstr(cipher, "RC4") == cipher)
+		{
+		fprintf(stdout, "Cipher disabled, skipping %s\n", cipher); 
+		continue;
+		}
+#endif
 	    fprintf(stderr,"Can't find %s\n",cipher);
 	    EXIT(3);
 	    }
diff --git a/crypto/openssl/crypto/evp/evptests.txt b/crypto/openssl/crypto/evp/evptests.txt
index dfe91a5bc0e4..80bd9c7765cb 100644
--- a/crypto/openssl/crypto/evp/evptests.txt
+++ b/crypto/openssl/crypto/evp/evptests.txt
@@ -92,102 +92,7 @@ AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:F58C4C04D6E5F1BA779EABFB5F7BFBD6:AE2D8A571E03AC9C9EB76FAC45AF8E51:9CFC4E967EDB808D679F777BC6702C7D
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:9CFC4E967EDB808D679F777BC6702C7D:30C81C46A35CE411E5FBC1191A0A52EF:39F23369A9D9BACFA530E26304231461
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39F23369A9D9BACFA530E26304231461:F69F2445DF4F9B17AD2B417BE66C3710:B2EB05E2C39BE9FCDA6C19078C6A9D1B
-
-# CFB1-AES128.Encrypt
-
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:00:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00020406080a0c0e10121416181a1c1e:80:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0004080c1014181c2024282c3034383d:80:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0008101820283038404850586068707b:00:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00102030405060708090a0b0c0d0e0f6:80:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0020406080a0c0e10121416181a1c1ed:00:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:004080c1014181c2024282c3034383da:80:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:008101820283038404850586068707b4:80:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f68:80:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:020406080a0c0e10121416181a1c1ed1:80:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:04080c1014181c2024282c3034383da2:00:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:08101820283038404850586068707b45:00:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:102030405060708090a0b0c0d0e0f68b:00:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:20406080a0c0e10121416181a1c1ed16:00:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:4080c1014181c2024282c3034383da2c:00:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:8101820283038404850586068707b459:80:80:1
-# all of the above packed into one...
-# in: 0110 1011 1100 0001 = 6bc1
-# out: 0110 1000 1011 0011 = 68b3
-AES-128-CFB1*8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1:68b3:1
-
-# CFB1-AES128.Decrypt
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:00:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00020406080a0c0e10121416181a1c1e:80:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0004080c1014181c2024282c3034383d:80:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0008101820283038404850586068707b:00:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00102030405060708090a0b0c0d0e0f6:80:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0020406080a0c0e10121416181a1c1ed:00:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:004080c1014181c2024282c3034383da:80:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:008101820283038404850586068707b4:80:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f68:80:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:020406080a0c0e10121416181a1c1ed1:80:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:04080c1014181c2024282c3034383da2:00:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:08101820283038404850586068707b45:00:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:102030405060708090a0b0c0d0e0f68b:00:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:20406080a0c0e10121416181a1c1ed16:00:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:4080c1014181c2024282c3034383da2c:00:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:8101820283038404850586068707b459:80:80:0
-# all of the above packed into one...
-# in: 0110 1000 1011 0011 = 68b3
-# out: 0110 1011 1100 0001 = 6bc1
-AES-128-CFB1*8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1:68b3:0
-
-# TODO: CFB1-AES192 and 256
-
-# CFB8-AES128.Encrypt
-
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6b:3b:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f3b:c1:79:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:02030405060708090a0b0c0d0e0f3b79:be:42:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:030405060708090a0b0c0d0e0f3b7942:e2:4c:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0405060708090a0b0c0d0e0f3b79424c:2e:9c:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:05060708090a0b0c0d0e0f3b79424c9c:40:0d:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:060708090a0b0c0d0e0f3b79424c9c0d:9f:d4:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0708090a0b0c0d0e0f3b79424c9c0dd4:96:36:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:08090a0b0c0d0e0f3b79424c9c0dd436:e9:ba:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:090a0b0c0d0e0f3b79424c9c0dd436ba:3d:ce:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0a0b0c0d0e0f3b79424c9c0dd436bace:7e:9e:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0b0c0d0e0f3b79424c9c0dd436bace9e:11:0e:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0c0d0e0f3b79424c9c0dd436bace9e0e:73:d4:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0d0e0f3b79424c9c0dd436bace9e0ed4:93:58:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0e0f3b79424c9c0dd436bace9e0ed458:17:6a:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0f3b79424c9c0dd436bace9e0ed4586a:2a:4f:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:3b79424c9c0dd436bace9e0ed4586a4f:ae:32:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:79424c9c0dd436bace9e0ed4586a4f32:2d:b9:1
-# all of the above packed into one
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1bee22e409f96e93d7e117393172aae2d:3b79424c9c0dd436bace9e0ed4586a4f32b9:1
-
-# CFB8-AES128.Decrypt
-
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6b:3b:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f3b:c1:79:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:02030405060708090a0b0c0d0e0f3b79:be:42:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:030405060708090a0b0c0d0e0f3b7942:e2:4c:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0405060708090a0b0c0d0e0f3b79424c:2e:9c:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:05060708090a0b0c0d0e0f3b79424c9c:40:0d:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:060708090a0b0c0d0e0f3b79424c9c0d:9f:d4:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0708090a0b0c0d0e0f3b79424c9c0dd4:96:36:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:08090a0b0c0d0e0f3b79424c9c0dd436:e9:ba:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:090a0b0c0d0e0f3b79424c9c0dd436ba:3d:ce:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0a0b0c0d0e0f3b79424c9c0dd436bace:7e:9e:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0b0c0d0e0f3b79424c9c0dd436bace9e:11:0e:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0c0d0e0f3b79424c9c0dd436bace9e0e:73:d4:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0d0e0f3b79424c9c0dd436bace9e0ed4:93:58:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0e0f3b79424c9c0dd436bace9e0ed458:17:6a:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0f3b79424c9c0dd436bace9e0ed4586a:2a:4f:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:3b79424c9c0dd436bace9e0ed4586a4f:ae:32:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:79424c9c0dd436bace9e0ed4586a4f32:2d:b9:0
-# all of the above packed into one
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1bee22e409f96e93d7e117393172aae2d:3b79424c9c0dd436bace9e0ed4586a4f32b9:0
-
-# TODO: 192 and 256 bit keys
-
+# We don't support CFB{1,8}-AESxxx.{En,De}crypt
 # For all CFB128 encrypts and decrypts, the transformed sequence is
 #   AES-bits-CFB:key:IV/ciphertext':plaintext:ciphertext:encdec
 # CFB128-AES128.Encrypt 
@@ -269,16 +174,6 @@ DESX-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363
 # DES EDE3 CBC tests (from destest)
 DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
 
-# DES CFB1 from FIPS 81
-# plaintext: 0100 1110 0110 1111 0111 0111 = 4e6f77
-# ciphertext: 1100 1101 0001 1110 1100 1001 = cd1ec9
-
-DES-CFB1*8:0123456789abcdef:1234567890abcdef:4e6f77:cd1ec9
-
-# DES CFB8 from FIPS 81
-
-DES-CFB8:0123456789abcdef:1234567890abcdef:4e6f7720697320746865:f31fda07011462ee187f
-
 # RC4 tests (from rc4test)
 RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596
 RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879
diff --git a/crypto/openssl/crypto/evp/m_dss.c b/crypto/openssl/crypto/evp/m_dss.c
index beb8d7fc5c93..a948c77fa497 100644
--- a/crypto/openssl/crypto/evp/m_dss.c
+++ b/crypto/openssl/crypto/evp/m_dss.c
@@ -61,12 +61,16 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 
 #ifndef OPENSSL_NO_SHA
+
 static int init(EVP_MD_CTX *ctx)
 	{ return SHA1_Init(ctx->md_data); }
 
-static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+static int update(EVP_MD_CTX *ctx,const void *data,size_t count)
 	{ return SHA1_Update(ctx->md_data,data,count); }
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
diff --git a/crypto/openssl/crypto/evp/m_dss1.c b/crypto/openssl/crypto/evp/m_dss1.c
index f5668ebda0a0..c12e13972b50 100644
--- a/crypto/openssl/crypto/evp/m_dss1.c
+++ b/crypto/openssl/crypto/evp/m_dss1.c
@@ -56,17 +56,22 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_SHA
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_SHA
+
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 
 static int init(EVP_MD_CTX *ctx)
 	{ return SHA1_Init(ctx->md_data); }
 
-static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+static int update(EVP_MD_CTX *ctx,const void *data,size_t count)
 	{ return SHA1_Update(ctx->md_data,data,count); }
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
diff --git a/crypto/openssl/crypto/evp/m_ecdsa.c b/crypto/openssl/crypto/evp/m_ecdsa.c
new file mode 100644
index 000000000000..fad270faca2b
--- /dev/null
+++ b/crypto/openssl/crypto/evp/m_ecdsa.c
@@ -0,0 +1,148 @@
+/* crypto/evp/m_ecdsa.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+#ifndef OPENSSL_NO_SHA
+static int init(EVP_MD_CTX *ctx)
+	{ return SHA1_Init(ctx->md_data); }
+
+static int update(EVP_MD_CTX *ctx,const void *data,size_t count)
+	{ return SHA1_Update(ctx->md_data,data,count); }
+
+static int final(EVP_MD_CTX *ctx,unsigned char *md)
+	{ return SHA1_Final(md,ctx->md_data); }
+
+static const EVP_MD ecdsa_md=
+	{
+	NID_ecdsa_with_SHA1,
+	NID_ecdsa_with_SHA1,
+	SHA_DIGEST_LENGTH,
+	0,
+	init,
+	update,
+	final,
+	NULL,
+	NULL,
+	EVP_PKEY_ECDSA_method,
+	SHA_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(SHA_CTX),
+	};
+
+const EVP_MD *EVP_ecdsa(void)
+	{
+	return(&ecdsa_md);
+	}
+#endif
diff --git a/crypto/openssl/crypto/evp/m_md2.c b/crypto/openssl/crypto/evp/m_md2.c
index 50914c83b3af..5ce849f161dd 100644
--- a/crypto/openssl/crypto/evp/m_md2.c
+++ b/crypto/openssl/crypto/evp/m_md2.c
@@ -56,18 +56,23 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_MD2
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_MD2
+
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/md2.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
 
 static int init(EVP_MD_CTX *ctx)
 	{ return MD2_Init(ctx->md_data); }
 
-static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+static int update(EVP_MD_CTX *ctx,const void *data,size_t count)
 	{ return MD2_Update(ctx->md_data,data,count); }
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
diff --git a/crypto/openssl/crypto/evp/m_md4.c b/crypto/openssl/crypto/evp/m_md4.c
index e19b6637546c..1e0b7c5b424e 100644
--- a/crypto/openssl/crypto/evp/m_md4.c
+++ b/crypto/openssl/crypto/evp/m_md4.c
@@ -56,18 +56,23 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_MD4
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_MD4
+
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/md4.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
 
 static int init(EVP_MD_CTX *ctx)
 	{ return MD4_Init(ctx->md_data); }
 
-static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+static int update(EVP_MD_CTX *ctx,const void *data,size_t count)
 	{ return MD4_Update(ctx->md_data,data,count); }
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
diff --git a/crypto/openssl/crypto/evp/m_md5.c b/crypto/openssl/crypto/evp/m_md5.c
index b00a03e048b6..63c142119ebd 100644
--- a/crypto/openssl/crypto/evp/m_md5.c
+++ b/crypto/openssl/crypto/evp/m_md5.c
@@ -56,18 +56,23 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_MD5
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_MD5
+
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/md5.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
 
 static int init(EVP_MD_CTX *ctx)
 	{ return MD5_Init(ctx->md_data); }
 
-static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+static int update(EVP_MD_CTX *ctx,const void *data,size_t count)
 	{ return MD5_Update(ctx->md_data,data,count); }
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
diff --git a/crypto/openssl/crypto/evp/m_mdc2.c b/crypto/openssl/crypto/evp/m_mdc2.c
index 9f6467c93143..36c4e9b13436 100644
--- a/crypto/openssl/crypto/evp/m_mdc2.c
+++ b/crypto/openssl/crypto/evp/m_mdc2.c
@@ -56,18 +56,21 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_MDC2
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_MDC2
+
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/mdc2.h>
+#include <openssl/rsa.h>
 
 static int init(EVP_MD_CTX *ctx)
 	{ return MDC2_Init(ctx->md_data); }
 
-static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+static int update(EVP_MD_CTX *ctx,const void *data,size_t count)
 	{ return MDC2_Update(ctx->md_data,data,count); }
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
diff --git a/crypto/openssl/crypto/evp/m_null.c b/crypto/openssl/crypto/evp/m_null.c
index f6f0a1d2c05f..cb0721699dba 100644
--- a/crypto/openssl/crypto/evp/m_null.c
+++ b/crypto/openssl/crypto/evp/m_null.c
@@ -65,7 +65,7 @@
 static int init(EVP_MD_CTX *ctx)
 	{ return 1; }
 
-static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+static int update(EVP_MD_CTX *ctx,const void *data,size_t count)
 	{ return 1; }
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
diff --git a/crypto/openssl/crypto/evp/m_ripemd.c b/crypto/openssl/crypto/evp/m_ripemd.c
index 64725528dcc0..a1d60ee78d28 100644
--- a/crypto/openssl/crypto/evp/m_ripemd.c
+++ b/crypto/openssl/crypto/evp/m_ripemd.c
@@ -56,18 +56,23 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_RIPEMD
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_RIPEMD
+
 #include <openssl/ripemd.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
 
 static int init(EVP_MD_CTX *ctx)
 	{ return RIPEMD160_Init(ctx->md_data); }
 
-static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+static int update(EVP_MD_CTX *ctx,const void *data,size_t count)
 	{ return RIPEMD160_Update(ctx->md_data,data,count); }
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
diff --git a/crypto/openssl/crypto/evp/m_sha.c b/crypto/openssl/crypto/evp/m_sha.c
index 10697c7ed382..acccc8f92d8e 100644
--- a/crypto/openssl/crypto/evp/m_sha.c
+++ b/crypto/openssl/crypto/evp/m_sha.c
@@ -56,17 +56,22 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_SHA
 #include <stdio.h>
 #include "cryptlib.h"
+
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
+
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
 
 static int init(EVP_MD_CTX *ctx)
 	{ return SHA_Init(ctx->md_data); }
 
-static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+static int update(EVP_MD_CTX *ctx,const void *data,size_t count)
 	{ return SHA_Update(ctx->md_data,data,count); }
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
diff --git a/crypto/openssl/crypto/evp/m_sha1.c b/crypto/openssl/crypto/evp/m_sha1.c
index d6be3502f0a2..4679b1c4638c 100644
--- a/crypto/openssl/crypto/evp/m_sha1.c
+++ b/crypto/openssl/crypto/evp/m_sha1.c
@@ -56,17 +56,22 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_SHA
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_SHA
+
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
 
 static int init(EVP_MD_CTX *ctx)
 	{ return SHA1_Init(ctx->md_data); }
 
-static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+static int update(EVP_MD_CTX *ctx,const void *data,size_t count)
 	{ return SHA1_Update(ctx->md_data,data,count); }
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
@@ -93,3 +98,107 @@ const EVP_MD *EVP_sha1(void)
 	return(&sha1_md);
 	}
 #endif
+
+#ifndef OPENSSL_NO_SHA256
+static int init224(EVP_MD_CTX *ctx)
+	{ return SHA224_Init(ctx->md_data); }
+static int init256(EVP_MD_CTX *ctx)
+	{ return SHA256_Init(ctx->md_data); }
+/*
+ * Even though there're separate SHA224_[Update|Final], we call
+ * SHA256 functions even in SHA224 context. This is what happens
+ * there anyway, so we can spare few CPU cycles:-)
+ */
+static int update256(EVP_MD_CTX *ctx,const void *data,size_t count)
+	{ return SHA256_Update(ctx->md_data,data,count); }
+static int final256(EVP_MD_CTX *ctx,unsigned char *md)
+	{ return SHA256_Final(md,ctx->md_data); }
+
+static const EVP_MD sha224_md=
+	{
+	NID_sha224,
+	NID_sha224WithRSAEncryption,
+	SHA224_DIGEST_LENGTH,
+	0,
+	init224,
+	update256,
+	final256,
+	NULL,
+	NULL,
+	EVP_PKEY_RSA_method,
+	SHA256_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(SHA256_CTX),
+	};
+
+const EVP_MD *EVP_sha224(void)
+	{ return(&sha224_md); }
+
+static const EVP_MD sha256_md=
+	{
+	NID_sha256,
+	NID_sha256WithRSAEncryption,
+	SHA256_DIGEST_LENGTH,
+	0,
+	init256,
+	update256,
+	final256,
+	NULL,
+	NULL,
+	EVP_PKEY_RSA_method,
+	SHA256_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(SHA256_CTX),
+	};
+
+const EVP_MD *EVP_sha256(void)
+	{ return(&sha256_md); }
+#endif	/* ifndef OPENSSL_NO_SHA256 */
+
+#ifndef OPENSSL_NO_SHA512
+static int init384(EVP_MD_CTX *ctx)
+	{ return SHA384_Init(ctx->md_data); }
+static int init512(EVP_MD_CTX *ctx)
+	{ return SHA512_Init(ctx->md_data); }
+/* See comment in SHA224/256 section */
+static int update512(EVP_MD_CTX *ctx,const void *data,size_t count)
+	{ return SHA512_Update(ctx->md_data,data,count); }
+static int final512(EVP_MD_CTX *ctx,unsigned char *md)
+	{ return SHA512_Final(md,ctx->md_data); }
+
+static const EVP_MD sha384_md=
+	{
+	NID_sha384,
+	NID_sha384WithRSAEncryption,
+	SHA384_DIGEST_LENGTH,
+	0,
+	init384,
+	update512,
+	final512,
+	NULL,
+	NULL,
+	EVP_PKEY_RSA_method,
+	SHA512_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(SHA512_CTX),
+	};
+
+const EVP_MD *EVP_sha384(void)
+	{ return(&sha384_md); }
+
+static const EVP_MD sha512_md=
+	{
+	NID_sha512,
+	NID_sha512WithRSAEncryption,
+	SHA512_DIGEST_LENGTH,
+	0,
+	init512,
+	update512,
+	final512,
+	NULL,
+	NULL,
+	EVP_PKEY_RSA_method,
+	SHA512_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(SHA512_CTX),
+	};
+
+const EVP_MD *EVP_sha512(void)
+	{ return(&sha512_md); }
+#endif	/* ifndef OPENSSL_NO_SHA512 */
diff --git a/crypto/openssl/crypto/evp/names.c b/crypto/openssl/crypto/evp/names.c
index eb9f4329cd4d..88c1e780dd76 100644
--- a/crypto/openssl/crypto/evp/names.c
+++ b/crypto/openssl/crypto/evp/names.c
@@ -66,9 +66,9 @@ int EVP_add_cipher(const EVP_CIPHER *c)
 	{
 	int r;
 
-	r=OBJ_NAME_add(OBJ_nid2sn(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(char *)c);
+	r=OBJ_NAME_add(OBJ_nid2sn(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(const char *)c);
 	if (r == 0) return(0);
-	r=OBJ_NAME_add(OBJ_nid2ln(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(char *)c);
+	r=OBJ_NAME_add(OBJ_nid2ln(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(const char *)c);
 	return(r);
 	}
 
@@ -78,9 +78,9 @@ int EVP_add_digest(const EVP_MD *md)
 	const char *name;
 
 	name=OBJ_nid2sn(md->type);
-	r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(char *)md);
+	r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md);
 	if (r == 0) return(0);
-	r=OBJ_NAME_add(OBJ_nid2ln(md->type),OBJ_NAME_TYPE_MD_METH,(char *)md);
+	r=OBJ_NAME_add(OBJ_nid2ln(md->type),OBJ_NAME_TYPE_MD_METH,(const char *)md);
 	if (r == 0) return(0);
 
 	if (md->type != md->pkey_type)
diff --git a/crypto/openssl/crypto/evp/p5_crpt.c b/crypto/openssl/crypto/evp/p5_crpt.c
index a1874e83b252..48d50014a041 100644
--- a/crypto/openssl/crypto/evp/p5_crpt.c
+++ b/crypto/openssl/crypto/evp/p5_crpt.c
@@ -110,12 +110,18 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
 	int i;
 	PBEPARAM *pbe;
 	int saltlen, iter;
-	unsigned char *salt, *pbuf;
+	unsigned char *salt;
+	const unsigned char *pbuf;
 
 	/* Extract useful info from parameter */
+	if (param == NULL || param->type != V_ASN1_SEQUENCE ||
+	    param->value.sequence == NULL) {
+		EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+		return 0;
+	}
+
 	pbuf = param->value.sequence->data;
-	if (!param || (param->type != V_ASN1_SEQUENCE) ||
-	   !(pbe = d2i_PBEPARAM (NULL, &pbuf, param->value.sequence->length))) {
+	if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
 		EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
 		return 0;
 	}
@@ -140,7 +146,7 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
 		EVP_DigestFinal_ex (&ctx, md_tmp, NULL);
 	}
 	EVP_MD_CTX_cleanup(&ctx);
-	OPENSSL_assert(EVP_CIPHER_key_length(cipher) <= sizeof md_tmp);
+	OPENSSL_assert(EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp));
 	memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher));
 	OPENSSL_assert(EVP_CIPHER_iv_length(cipher) <= 16);
 	memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
diff --git a/crypto/openssl/crypto/evp/p5_crpt2.c b/crypto/openssl/crypto/evp/p5_crpt2.c
index 1f94e1ef88b2..c969d5a2062a 100644
--- a/crypto/openssl/crypto/evp/p5_crpt2.c
+++ b/crypto/openssl/crypto/evp/p5_crpt2.c
@@ -55,10 +55,10 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
-#if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA)
 #include <stdio.h>
 #include <stdlib.h>
 #include "cryptlib.h"
+#if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA)
 #include <openssl/x509.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
@@ -77,7 +77,7 @@
  */
 
 int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
-			   unsigned char *salt, int saltlen, int iter,
+			   const unsigned char *salt, int saltlen, int iter,
 			   int keylen, unsigned char *out)
 {
 	unsigned char digtmp[SHA_DIGEST_LENGTH], *p, itmp[4];
@@ -148,16 +148,23 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                          ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md,
                          int en_de)
 {
-	unsigned char *pbuf, *salt, key[EVP_MAX_KEY_LENGTH];
-	int saltlen, keylen, iter, plen;
+	unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
+	const unsigned char *pbuf;
+	int saltlen, iter, plen;
+	unsigned int keylen;
 	PBE2PARAM *pbe2 = NULL;
 	const EVP_CIPHER *cipher;
 	PBKDF2PARAM *kdf = NULL;
 
+	if (param == NULL || param->type != V_ASN1_SEQUENCE ||
+	    param->value.sequence == NULL) {
+		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+		return 0;
+	}
+
 	pbuf = param->value.sequence->data;
 	plen = param->value.sequence->length;
-	if(!param || (param->type != V_ASN1_SEQUENCE) ||
-				   !(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
+	if(!(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
 		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
 		return 0;
 	}
@@ -194,11 +201,16 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 
 	/* Now decode key derivation function */
 
+	if(!pbe2->keyfunc->parameter ||
+		 (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE))
+		{
+		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+		goto err;
+		}
+
 	pbuf = pbe2->keyfunc->parameter->value.sequence->data;
 	plen = pbe2->keyfunc->parameter->value.sequence->length;
-	if(!pbe2->keyfunc->parameter ||
-		 (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE) ||
-				!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
+	if(!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
 		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
 		goto err;
 	}
@@ -208,7 +220,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 
 	/* Now check the parameters of the kdf */
 
-	if(kdf->keylength && (ASN1_INTEGER_get(kdf->keylength) != keylen)){
+	if(kdf->keylength && (ASN1_INTEGER_get(kdf->keylength) != (int)keylen)){
 		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
 						EVP_R_UNSUPPORTED_KEYLENGTH);
 		goto err;
diff --git a/crypto/openssl/crypto/evp/p_dec.c b/crypto/openssl/crypto/evp/p_dec.c
index 8af620400e28..f64901f65349 100644
--- a/crypto/openssl/crypto/evp/p_dec.c
+++ b/crypto/openssl/crypto/evp/p_dec.c
@@ -66,7 +66,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-int EVP_PKEY_decrypt(unsigned char *key, unsigned char *ek, int ekl,
+int EVP_PKEY_decrypt(unsigned char *key, const unsigned char *ek, int ekl,
 	     EVP_PKEY *priv)
 	{
 	int ret= -1;
diff --git a/crypto/openssl/crypto/evp/p_enc.c b/crypto/openssl/crypto/evp/p_enc.c
index 656883b9968c..c2dfdc52adc9 100644
--- a/crypto/openssl/crypto/evp/p_enc.c
+++ b/crypto/openssl/crypto/evp/p_enc.c
@@ -66,7 +66,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-int EVP_PKEY_encrypt(unsigned char *ek, unsigned char *key, int key_len,
+int EVP_PKEY_encrypt(unsigned char *ek, const unsigned char *key, int key_len,
 	     EVP_PKEY *pubk)
 	{
 	int ret=0;
diff --git a/crypto/openssl/crypto/evp/p_lib.c b/crypto/openssl/crypto/evp/p_lib.c
index 215b94292aae..22155ecf62c4 100644
--- a/crypto/openssl/crypto/evp/p_lib.c
+++ b/crypto/openssl/crypto/evp/p_lib.c
@@ -58,24 +58,60 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/asn1_mac.h>
 #include <openssl/x509.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
 
 static void EVP_PKEY_free_it(EVP_PKEY *x);
 
 int EVP_PKEY_bits(EVP_PKEY *pkey)
 	{
+	if (0)
+		return 0;
 #ifndef OPENSSL_NO_RSA
-	if (pkey->type == EVP_PKEY_RSA)
+	else if (pkey->type == EVP_PKEY_RSA)
 		return(BN_num_bits(pkey->pkey.rsa->n));
-	else
 #endif
 #ifndef OPENSSL_NO_DSA
-		if (pkey->type == EVP_PKEY_DSA)
+	else if (pkey->type == EVP_PKEY_DSA)
 		return(BN_num_bits(pkey->pkey.dsa->p));
 #endif
+#ifndef OPENSSL_NO_EC
+	else if (pkey->type == EVP_PKEY_EC)
+		{
+		BIGNUM *order = BN_new();
+		const EC_GROUP *group;
+		int ret;
+
+		if (!order)
+			{
+			ERR_clear_error();
+			return 0;
+			}
+		group = EC_KEY_get0_group(pkey->pkey.ec);
+		if (!EC_GROUP_get_order(group, order, NULL))
+			{
+			ERR_clear_error();
+			return 0;
+			}
+
+		ret = BN_num_bits(order);
+		BN_free(order);
+		return ret;
+		}
+#endif
 	return(0);
 	}
 
@@ -92,6 +128,11 @@ int EVP_PKEY_size(EVP_PKEY *pkey)
 		if (pkey->type == EVP_PKEY_DSA)
 		return(DSA_size(pkey->pkey.dsa));
 #endif
+#ifndef OPENSSL_NO_ECDSA
+		if (pkey->type == EVP_PKEY_EC)
+		return(ECDSA_size(pkey->pkey.ec));
+#endif
+
 	return(0);
 	}
 
@@ -107,10 +148,20 @@ int EVP_PKEY_save_parameters(EVP_PKEY *pkey, int mode)
 		return(ret);
 		}
 #endif
+#ifndef OPENSSL_NO_EC
+	if (pkey->type == EVP_PKEY_EC)
+		{
+		int ret = pkey->save_parameters;
+
+		if (mode >= 0)
+			pkey->save_parameters = mode;
+		return(ret);
+		}
+#endif
 	return(0);
 	}
 
-int EVP_PKEY_copy_parameters(EVP_PKEY *to, EVP_PKEY *from)
+int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
 	{
 	if (to->type != from->type)
 		{
@@ -141,12 +192,23 @@ int EVP_PKEY_copy_parameters(EVP_PKEY *to, EVP_PKEY *from)
 		to->pkey.dsa->g=a;
 		}
 #endif
+#ifndef OPENSSL_NO_EC
+	if (to->type == EVP_PKEY_EC)
+		{
+		EC_GROUP *group = EC_GROUP_dup(EC_KEY_get0_group(from->pkey.ec));
+		if (group == NULL)
+			goto err;
+		if (EC_KEY_set_group(to->pkey.ec, group) == 0)
+			goto err;
+		EC_GROUP_free(group);
+		}
+#endif
 	return(1);
 err:
 	return(0);
 	}
 
-int EVP_PKEY_missing_parameters(EVP_PKEY *pkey)
+int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey)
 	{
 #ifndef OPENSSL_NO_DSA
 	if (pkey->type == EVP_PKEY_DSA)
@@ -158,10 +220,18 @@ int EVP_PKEY_missing_parameters(EVP_PKEY *pkey)
 			return(1);
 		}
 #endif
+#ifndef OPENSSL_NO_EC
+	if (pkey->type == EVP_PKEY_EC)
+		{
+		if (EC_KEY_get0_group(pkey->pkey.ec) == NULL)
+			return(1);
+		}
+#endif
+
 	return(0);
 	}
 
-int EVP_PKEY_cmp_parameters(EVP_PKEY *a, EVP_PKEY *b)
+int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
 	{
 #ifndef OPENSSL_NO_DSA
 	if ((a->type == EVP_PKEY_DSA) && (b->type == EVP_PKEY_DSA))
@@ -174,9 +244,72 @@ int EVP_PKEY_cmp_parameters(EVP_PKEY *a, EVP_PKEY *b)
 			return(1);
 		}
 #endif
+#ifndef OPENSSL_NO_EC
+	if (a->type == EVP_PKEY_EC && b->type == EVP_PKEY_EC)
+		{
+		const EC_GROUP *group_a = EC_KEY_get0_group(a->pkey.ec),
+		               *group_b = EC_KEY_get0_group(b->pkey.ec);
+		if (EC_GROUP_cmp(group_a, group_b, NULL))
+			return 0;
+		else
+			return 1;
+		}
+#endif
 	return(-1);
 	}
 
+int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
+	{
+	if (a->type != b->type)
+		return -1;
+
+	if (EVP_PKEY_cmp_parameters(a, b) == 0)
+		return 0;
+
+	switch (a->type)
+		{
+#ifndef OPENSSL_NO_RSA
+	case EVP_PKEY_RSA:
+		if (BN_cmp(b->pkey.rsa->n,a->pkey.rsa->n) != 0
+			|| BN_cmp(b->pkey.rsa->e,a->pkey.rsa->e) != 0)
+			return 0;
+		break;
+#endif
+#ifndef OPENSSL_NO_DSA
+	case EVP_PKEY_DSA:
+		if (BN_cmp(b->pkey.dsa->pub_key,a->pkey.dsa->pub_key) != 0)
+			return 0;
+		break;
+#endif
+#ifndef OPENSSL_NO_EC
+	case EVP_PKEY_EC:
+		{
+		int  r;
+		const EC_GROUP *group = EC_KEY_get0_group(b->pkey.ec);
+		const EC_POINT *pa = EC_KEY_get0_public_key(a->pkey.ec),
+		               *pb = EC_KEY_get0_public_key(b->pkey.ec);
+		r = EC_POINT_cmp(group, pa, pb, NULL);
+		if (r != 0)
+			{
+			if (r == 1)
+				return 0;
+			else
+				return -2;
+			}
+		}
+ 		break;
+#endif
+#ifndef OPENSSL_NO_DH
+	case EVP_PKEY_DH:
+		return -2;
+#endif
+	default:
+		return -2;
+		}
+
+	return 1;
+	}
+
 EVP_PKEY *EVP_PKEY_new(void)
 	{
 	EVP_PKEY *ret;
@@ -246,6 +379,29 @@ DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
 }
 #endif
 
+#ifndef OPENSSL_NO_EC
+
+int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key)
+{
+	int ret = EVP_PKEY_assign_EC_KEY(pkey,key);
+	if (ret)
+		EC_KEY_up_ref(key);
+	return ret;
+}
+
+EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey)
+{
+	if (pkey->type != EVP_PKEY_EC)
+	{
+		EVPerr(EVP_F_EVP_PKEY_GET1_EC_KEY, EVP_R_EXPECTING_A_EC_KEY);
+		return NULL;
+	}
+	EC_KEY_up_ref(pkey->pkey.ec);
+	return pkey->pkey.ec;
+}
+#endif
+
+
 #ifndef OPENSSL_NO_DH
 
 int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key)
@@ -282,6 +438,8 @@ int EVP_PKEY_type(int type)
 		return(EVP_PKEY_DSA);
 	case EVP_PKEY_DH:
 		return(EVP_PKEY_DH);
+	case EVP_PKEY_EC:
+		return(EVP_PKEY_EC);
 	default:
 		return(NID_undef);
 		}
@@ -306,6 +464,8 @@ void EVP_PKEY_free(EVP_PKEY *x)
 		}
 #endif
 	EVP_PKEY_free_it(x);
+	if (x->attributes)
+		sk_X509_ATTRIBUTE_pop_free(x->attributes, X509_ATTRIBUTE_free);
 	OPENSSL_free(x);
 	}
 
@@ -327,6 +487,11 @@ static void EVP_PKEY_free_it(EVP_PKEY *x)
 		DSA_free(x->pkey.dsa);
 		break;
 #endif
+#ifndef OPENSSL_NO_EC
+	case EVP_PKEY_EC:
+		EC_KEY_free(x->pkey.ec);
+		break;
+#endif
 #ifndef OPENSSL_NO_DH
 	case EVP_PKEY_DH:
 		DH_free(x->pkey.dh);
diff --git a/crypto/openssl/crypto/evp/p_open.c b/crypto/openssl/crypto/evp/p_open.c
index 5a933d1cda38..9935206d0f3d 100644
--- a/crypto/openssl/crypto/evp/p_open.c
+++ b/crypto/openssl/crypto/evp/p_open.c
@@ -56,15 +56,19 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_RSA
 #include <stdio.h>
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_RSA
+
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include <openssl/rsa.h>
 
-int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char *ek,
-	     int ekl, unsigned char *iv, EVP_PKEY *priv)
+int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+	const unsigned char *ek, int ekl, const unsigned char *iv,
+	EVP_PKEY *priv)
 	{
 	unsigned char *key=NULL;
 	int i,size=0,ret=0;
diff --git a/crypto/openssl/crypto/evp/p_seal.c b/crypto/openssl/crypto/evp/p_seal.c
index 37e547fe7276..8cc8fcb0bd05 100644
--- a/crypto/openssl/crypto/evp/p_seal.c
+++ b/crypto/openssl/crypto/evp/p_seal.c
@@ -78,7 +78,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek
 	}
 	if ((npubk <= 0) || !pubk)
 		return 1;
-	if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) <= 0)
+	if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
 		return 0;
 	if (EVP_CIPHER_CTX_iv_length(ctx))
 		RAND_pseudo_bytes(iv,EVP_CIPHER_CTX_iv_length(ctx));
diff --git a/crypto/openssl/crypto/evp/p_verify.c b/crypto/openssl/crypto/evp/p_verify.c
index d854d743a5e7..21a40a375e1b 100644
--- a/crypto/openssl/crypto/evp/p_verify.c
+++ b/crypto/openssl/crypto/evp/p_verify.c
@@ -62,7 +62,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-int EVP_VerifyFinal(EVP_MD_CTX *ctx, unsigned char *sigbuf,
+int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
 	     unsigned int siglen, EVP_PKEY *pkey)
 	{
 	unsigned char m[EVP_MAX_MD_SIZE];
diff --git a/crypto/openssl/crypto/ex_data.c b/crypto/openssl/crypto/ex_data.c
index 5b2e345c27b7..8914218fe8f9 100644
--- a/crypto/openssl/crypto/ex_data.c
+++ b/crypto/openssl/crypto/ex_data.c
@@ -138,12 +138,8 @@
  *
  */
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/buffer.h>
-#include <openssl/bio.h>
-#include <openssl/lhash.h>
 #include "cryptlib.h"
+#include <openssl/lhash.h>
 
 /* What an "implementation of ex_data functionality" looks like */
 struct st_CRYPTO_EX_DATA_IMPL
@@ -287,7 +283,7 @@ static void def_cleanup_util_cb(CRYPTO_EX_DATA_FUNCS *funcs)
 /* This callback is used in lh_doall to destroy all EX_CLASS_ITEM values from
  * "ex_data" prior to the ex_data hash table being itself destroyed. Doesn't do
  * any locking. */
-static void def_cleanup_cb(const void *a_void)
+static void def_cleanup_cb(void *a_void)
 	{
 	EX_CLASS_ITEM *item = (EX_CLASS_ITEM *)a_void;
 	sk_CRYPTO_EX_DATA_FUNCS_pop_free(item->meth, def_cleanup_util_cb);
diff --git a/crypto/openssl/crypto/hmac/Makefile b/crypto/openssl/crypto/hmac/Makefile
index 6033f0ae1858..01f10c396ff5 100644
--- a/crypto/openssl/crypto/hmac/Makefile
+++ b/crypto/openssl/crypto/hmac/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md/Makefile
+# OpenSSL/crypto/md/Makefile
 #
 
 DIR=	hmac
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -51,7 +46,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -66,6 +62,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -77,23 +74,12 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-hmac.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-hmac.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-hmac.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-hmac.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-hmac.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-hmac.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hmac.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hmac.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 hmac.o: ../../include/openssl/evp.h ../../include/openssl/hmac.h
-hmac.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-hmac.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-hmac.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-hmac.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-hmac.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-hmac.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
-hmac.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-hmac.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-hmac.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-hmac.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-hmac.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-hmac.o: ../cryptlib.h hmac.c
+hmac.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+hmac.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+hmac.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+hmac.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+hmac.o: ../../include/openssl/symhacks.h ../cryptlib.h hmac.c
diff --git a/crypto/openssl/crypto/hmac/hmac.c b/crypto/openssl/crypto/hmac/hmac.c
index 4c91f919d56d..c45e00149275 100644
--- a/crypto/openssl/crypto/hmac/hmac.c
+++ b/crypto/openssl/crypto/hmac/hmac.c
@@ -58,8 +58,8 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/hmac.h>
 #include "cryptlib.h"
+#include <openssl/hmac.h>
 
 void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
 		  const EVP_MD *md, ENGINE *impl)
@@ -79,7 +79,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
 		{
 		reset=1;
 		j=EVP_MD_block_size(md);
-		OPENSSL_assert(j <= sizeof ctx->key);
+		OPENSSL_assert(j <= (int)sizeof(ctx->key));
 		if (j < len)
 			{
 			EVP_DigestInit_ex(&ctx->md_ctx,md, impl);
@@ -89,7 +89,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
 			}
 		else
 			{
-			OPENSSL_assert(len <= sizeof ctx->key);
+			OPENSSL_assert(len>=0 && len<=(int)sizeof(ctx->key));
 			memcpy(ctx->key,key,len);
 			ctx->key_length=len;
 			}
@@ -121,7 +121,7 @@ void HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
 	HMAC_Init_ex(ctx,key,len,md, NULL);
 	}
 
-void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len)
+void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
 	{
 	EVP_DigestUpdate(&ctx->md_ctx,data,len);
 	}
@@ -156,7 +156,7 @@ void HMAC_CTX_cleanup(HMAC_CTX *ctx)
 	}
 
 unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
-		    const unsigned char *d, int n, unsigned char *md,
+		    const unsigned char *d, size_t n, unsigned char *md,
 		    unsigned int *md_len)
 	{
 	HMAC_CTX c;
diff --git a/crypto/openssl/crypto/hmac/hmac.h b/crypto/openssl/crypto/hmac/hmac.h
index 0364a1fcbd93..719fc408ace4 100644
--- a/crypto/openssl/crypto/hmac/hmac.h
+++ b/crypto/openssl/crypto/hmac/hmac.h
@@ -58,13 +58,15 @@
 #ifndef HEADER_HMAC_H
 #define HEADER_HMAC_H
 
+#include <openssl/opensslconf.h>
+
 #ifdef OPENSSL_NO_HMAC
 #error HMAC is disabled.
 #endif
 
 #include <openssl/evp.h>
 
-#define HMAC_MAX_MD_CBLOCK	64
+#define HMAC_MAX_MD_CBLOCK	128	/* largest known is SHA512 */
 
 #ifdef  __cplusplus
 extern "C" {
@@ -92,10 +94,10 @@ void HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
 	       const EVP_MD *md); /* deprecated */
 void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
 		  const EVP_MD *md, ENGINE *impl);
-void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
+void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len);
 void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
 unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
-		    const unsigned char *d, int n, unsigned char *md,
+		    const unsigned char *d, size_t n, unsigned char *md,
 		    unsigned int *md_len);
 
 
diff --git a/crypto/openssl/crypto/ia64cpuid.S b/crypto/openssl/crypto/ia64cpuid.S
new file mode 100644
index 000000000000..04fbb3439eb7
--- /dev/null
+++ b/crypto/openssl/crypto/ia64cpuid.S
@@ -0,0 +1,121 @@
+// Works on all IA-64 platforms: Linux, HP-UX, Win64i...
+// On Win64i compile with ias.exe.
+.text
+.global	OPENSSL_rdtsc#
+.proc	OPENSSL_rdtsc#
+OPENSSL_rdtsc:
+{ .mib;	mov			r8=ar.itc
+	br.ret.sptk.many	b0		};;
+.endp   OPENSSL_rdtsc#
+
+.global	OPENSSL_atomic_add#
+.proc	OPENSSL_atomic_add#
+.align	32
+OPENSSL_atomic_add:
+{ .mii;	ld4		r2=[r32]
+	nop.i		0
+	nop.i		0		};;
+.Lspin:
+{ .mii;	mov		ar.ccv=r2
+	add		r8=r2,r33
+	mov		r3=r2		};;
+{ .mmi;	mf
+	cmpxchg4.acq	r2=[r32],r8,ar.ccv
+	nop.i		0		};;
+{ .mib;	cmp.ne		p6,p0=r2,r3
+	nop.i		0
+(p6)	br.dpnt		.Lspin		};;
+{ .mib;	nop.m		0
+	sxt4		r8=r8
+	br.ret.sptk.many	b0	};;
+.endp	OPENSSL_atomic_add#
+
+// Returns a structure comprising pointer to the top of stack of
+// the caller and pointer beyond backing storage for the current
+// register frame. The latter is required, because it might be
+// insufficient to wipe backing storage for the current frame
+// (as this procedure does), one might have to go further, toward
+// higher addresses to reach for whole "retroactively" saved
+// context...
+.global	OPENSSL_wipe_cpu#
+.proc	OPENSSL_wipe_cpu#
+.align	32
+OPENSSL_wipe_cpu:
+	.prologue
+	.fframe	0
+	.save	ar.pfs,r2
+	.save	ar.lc,r3
+{ .mib;	alloc		r2=ar.pfs,0,96,0,96
+	mov		r3=ar.lc
+	brp.loop.imp	.L_wipe_top,.L_wipe_end-16
+					};;
+{ .mii;	mov		r9=ar.bsp
+	mov		r8=pr
+	mov		ar.lc=96	};;
+	.body
+{ .mii;	add		r9=96*8-8,r9
+	mov		ar.ec=1		};;
+
+// One can sweep double as fast, but then we can't quarantee
+// that backing storage is wiped...
+.L_wipe_top:
+{ .mfi;	st8		[r9]=r0,-8
+	mov		f127=f0
+	mov		r127=r0		}
+{ .mfb;	nop.m		0
+	nop.f		0
+	br.ctop.sptk	.L_wipe_top	};;
+.L_wipe_end:
+
+{ .mfi;	mov		r11=r0
+	mov		f6=f0
+	mov		r14=r0		}
+{ .mfi;	mov		r15=r0
+	mov		f7=f0
+	mov		r16=r0		}
+{ .mfi;	mov		r17=r0
+	mov		f8=f0
+	mov		r18=r0		}
+{ .mfi;	mov		r19=r0
+	mov		f9=f0
+	mov		r20=r0		}
+{ .mfi;	mov		r21=r0
+	mov		f10=f0
+	mov		r22=r0		}
+{ .mfi;	mov		r23=r0
+	mov		f11=f0
+	mov		r24=r0		}
+{ .mfi;	mov		r25=r0
+	mov		f12=f0
+	mov		r26=r0		}
+{ .mfi;	mov		r27=r0
+	mov		f13=f0
+	mov		r28=r0		}
+{ .mfi;	mov		r29=r0
+	mov		f14=f0
+	mov		r30=r0		}
+{ .mfi;	mov		r31=r0
+	mov		f15=f0
+	nop.i		0		}
+{ .mfi;	mov		f16=f0		}
+{ .mfi;	mov		f17=f0		}
+{ .mfi;	mov		f18=f0		}
+{ .mfi;	mov		f19=f0		}
+{ .mfi;	mov		f20=f0		}
+{ .mfi;	mov		f21=f0		}
+{ .mfi;	mov		f22=f0		}
+{ .mfi;	mov		f23=f0		}
+{ .mfi;	mov		f24=f0		}
+{ .mfi;	mov		f25=f0		}
+{ .mfi;	mov		f26=f0		}
+{ .mfi;	mov		f27=f0		}
+{ .mfi;	mov		f28=f0		}
+{ .mfi;	mov		f29=f0		}
+{ .mfi;	mov		f30=f0		}
+{ .mfi;	add		r9=96*8+8,r9
+	mov		f31=f0
+	mov		pr=r8,0x1ffff	}
+{ .mib;	mov		r8=sp
+	mov		ar.lc=r3
+	br.ret.sptk	b0		};;
+.endp	OPENSSL_wipe_cpu#
diff --git a/crypto/openssl/crypto/idea/Makefile b/crypto/openssl/crypto/idea/Makefile
index fbf8a162e8e4..b2e7add666af 100644
--- a/crypto/openssl/crypto/idea/Makefile
+++ b/crypto/openssl/crypto/idea/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/idea/Makefile
+# OpenSSL/crypto/idea/Makefile
 #
 
 DIR=	idea
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -51,7 +46,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -66,6 +62,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
diff --git a/crypto/openssl/crypto/idea/i_skey.c b/crypto/openssl/crypto/idea/i_skey.c
index 1c95bc9c7b88..3b1bbd8a45d8 100644
--- a/crypto/openssl/crypto/idea/i_skey.c
+++ b/crypto/openssl/crypto/idea/i_skey.c
@@ -94,10 +94,11 @@ void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
 		}
 	}
 
-void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk)
+void idea_set_decrypt_key(const IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk)
 	{
 	int r;
-	register IDEA_INT *fp,*tp,t;
+	register IDEA_INT *tp,t;
+	const IDEA_INT *fp;
 
 	tp= &(dk->data[0][0]);
 	fp= &(ek->data[8][0]);
diff --git a/crypto/openssl/crypto/idea/idea.h b/crypto/openssl/crypto/idea/idea.h
index 67132414ee7b..bf97a37e39ba 100644
--- a/crypto/openssl/crypto/idea/idea.h
+++ b/crypto/openssl/crypto/idea/idea.h
@@ -59,6 +59,8 @@
 #ifndef HEADER_IDEA_H
 #define HEADER_IDEA_H
 
+#include <openssl/opensslconf.h> /* IDEA_INT, OPENSSL_NO_IDEA */
+
 #ifdef OPENSSL_NO_IDEA
 #error IDEA is disabled.
 #endif
@@ -66,7 +68,6 @@
 #define IDEA_ENCRYPT	1
 #define IDEA_DECRYPT	0
 
-#include <openssl/opensslconf.h> /* IDEA_INT */
 #define IDEA_BLOCK	8
 #define IDEA_KEY_LENGTH	16
 
@@ -83,7 +84,7 @@ const char *idea_options(void);
 void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
 	IDEA_KEY_SCHEDULE *ks);
 void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
-void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
+void idea_set_decrypt_key(const IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
 void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,
 	long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv,int enc);
 void idea_cfb64_encrypt(const unsigned char *in, unsigned char *out,
diff --git a/crypto/openssl/crypto/idea/idea_spd.c b/crypto/openssl/crypto/idea/idea_spd.c
index 48ffaff5209c..699353e8719e 100644
--- a/crypto/openssl/crypto/idea/idea_spd.c
+++ b/crypto/openssl/crypto/idea/idea_spd.c
@@ -69,7 +69,10 @@
 #include OPENSSL_UNISTD_IO
 OPENSSL_DECLARE_EXIT
 
+#ifndef OPENSSL_SYS_NETWARE
 #include <signal.h>
+#endif
+
 #ifndef _IRIX
 #include <time.h>
 #endif
diff --git a/crypto/openssl/crypto/idea/ideatest.c b/crypto/openssl/crypto/idea/ideatest.c
index 98f805d72a59..e6ffc7025e75 100644
--- a/crypto/openssl/crypto/idea/ideatest.c
+++ b/crypto/openssl/crypto/idea/ideatest.c
@@ -169,6 +169,9 @@ int main(int argc, char *argv[])
 	else
 		printf("ok\n");
 
+#ifdef OPENSSL_SYS_NETWARE
+    if (err) printf("ERROR: %d\n", err);
+#endif
 	EXIT(err);
 	return(err);
 	}
diff --git a/crypto/openssl/crypto/krb5/Makefile b/crypto/openssl/crypto/krb5/Makefile
index b931505abed1..14077390d692 100644
--- a/crypto/openssl/crypto/krb5/Makefile
+++ b/crypto/openssl/crypto/krb5/Makefile
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -52,7 +47,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -67,6 +63,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
@@ -79,9 +76,8 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 krb5_asn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-krb5_asn.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-krb5_asn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-krb5_asn.o: ../../include/openssl/krb5_asn.h
+krb5_asn.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+krb5_asn.o: ../../include/openssl/e_os2.h ../../include/openssl/krb5_asn.h
 krb5_asn.o: ../../include/openssl/opensslconf.h
 krb5_asn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 krb5_asn.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
diff --git a/crypto/openssl/crypto/krb5/krb5_asn.h b/crypto/openssl/crypto/krb5/krb5_asn.h
index 3329477b0717..41725d0dc44e 100644
--- a/crypto/openssl/crypto/krb5/krb5_asn.h
+++ b/crypto/openssl/crypto/krb5/krb5_asn.h
@@ -225,7 +225,7 @@ DECLARE_STACK_OF(KRB5_AUTHENTBODY)
 **	void name##_free(type *a);
 **	DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name) =
 **	 DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) =
-**	  type *d2i_##name(type **a, unsigned char **in, long len);
+**	  type *d2i_##name(type **a, const unsigned char **in, long len);
 **	  int i2d_##name(type *a, unsigned char **out);
 **	  DECLARE_ASN1_ITEM(itname) = OPENSSL_EXTERN const ASN1_ITEM itname##_it
 */
diff --git a/crypto/openssl/crypto/lhash/Makefile b/crypto/openssl/crypto/lhash/Makefile
index a38423a5402a..82bddac47450 100644
--- a/crypto/openssl/crypto/lhash/Makefile
+++ b/crypto/openssl/crypto/lhash/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/lhash/Makefile
+# OpenSSL/crypto/lhash/Makefile
 #
 
 DIR=	lhash
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -51,7 +46,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -66,6 +62,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -81,11 +78,11 @@ lh_stats.o: ../../e_os.h ../../include/openssl/bio.h
 lh_stats.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 lh_stats.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 lh_stats.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-lh_stats.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-lh_stats.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-lh_stats.o: ../cryptlib.h lh_stats.c
+lh_stats.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+lh_stats.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+lh_stats.o: ../../include/openssl/symhacks.h ../cryptlib.h lh_stats.c
 lhash.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 lhash.o: ../../include/openssl/e_os2.h ../../include/openssl/lhash.h
 lhash.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-lhash.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-lhash.o: ../../include/openssl/symhacks.h lhash.c
+lhash.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+lhash.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h lhash.c
diff --git a/crypto/openssl/crypto/lhash/lhash.c b/crypto/openssl/crypto/lhash/lhash.c
index 0a16fcf27d58..55cb05579bc7 100644
--- a/crypto/openssl/crypto/lhash/lhash.c
+++ b/crypto/openssl/crypto/lhash/lhash.c
@@ -176,11 +176,11 @@ void lh_free(LHASH *lh)
 	OPENSSL_free(lh);
 	}
 
-void *lh_insert(LHASH *lh, const void *data)
+void *lh_insert(LHASH *lh, void *data)
 	{
 	unsigned long hash;
 	LHASH_NODE *nn,**rn;
-	const void *ret;
+	void *ret;
 
 	lh->error=0;
 	if (lh->up_load <= (lh->num_items*LH_LOAD_MULT/lh->num_nodes))
@@ -211,14 +211,14 @@ void *lh_insert(LHASH *lh, const void *data)
 		(*rn)->data=data;
 		lh->num_replace++;
 		}
-	return((void *)ret);
+	return(ret);
 	}
 
 void *lh_delete(LHASH *lh, const void *data)
 	{
 	unsigned long hash;
 	LHASH_NODE *nn,**rn;
-	const void *ret;
+	void *ret;
 
 	lh->error=0;
 	rn=getrn(lh,data,&hash);
@@ -242,14 +242,14 @@ void *lh_delete(LHASH *lh, const void *data)
 		(lh->down_load >= (lh->num_items*LH_LOAD_MULT/lh->num_nodes)))
 		contract(lh);
 
-	return((void *)ret);
+	return(ret);
 	}
 
 void *lh_retrieve(LHASH *lh, const void *data)
 	{
 	unsigned long hash;
 	LHASH_NODE **rn;
-	const void *ret;
+	void *ret;
 
 	lh->error=0;
 	rn=getrn(lh,data,&hash);
@@ -264,7 +264,7 @@ void *lh_retrieve(LHASH *lh, const void *data)
 		ret= (*rn)->data;
 		lh->num_retrieve++;
 		}
-	return((void *)ret);
+	return(ret);
 	}
 
 static void doall_util_fn(LHASH *lh, int use_arg, LHASH_DOALL_FN_TYPE func,
@@ -339,7 +339,7 @@ static void expand(LHASH *lh)
 		{
 		j=(int)lh->num_alloc_nodes*2;
 		n=(LHASH_NODE **)OPENSSL_realloc(lh->b,
-			(unsigned int)sizeof(LHASH_NODE *)*j);
+			(int)(sizeof(LHASH_NODE *)*j));
 		if (n == NULL)
 			{
 /*			fputs("realloc error in lhash",stderr); */
@@ -401,7 +401,7 @@ static LHASH_NODE **getrn(LHASH *lh, const void *data, unsigned long *rhash)
 	{
 	LHASH_NODE **ret,*n1;
 	unsigned long hash,nn;
-	int (*cf)();
+	LHASH_COMP_FN_TYPE cf;
 
 	hash=(*(lh->hash))(data);
 	lh->num_hash_calls++;
diff --git a/crypto/openssl/crypto/lhash/lhash.h b/crypto/openssl/crypto/lhash/lhash.h
index dee8207333bc..d392d0cd80d7 100644
--- a/crypto/openssl/crypto/lhash/lhash.h
+++ b/crypto/openssl/crypto/lhash/lhash.h
@@ -63,6 +63,7 @@
 #ifndef HEADER_LHASH_H
 #define HEADER_LHASH_H
 
+#include <openssl/e_os2.h>
 #ifndef OPENSSL_NO_FP_API
 #include <stdio.h>
 #endif
@@ -77,7 +78,7 @@ extern "C" {
 
 typedef struct lhash_node_st
 	{
-	const void *data;
+	void *data;
 	struct lhash_node_st *next;
 #ifndef OPENSSL_NO_HASH_COMP
 	unsigned long hash;
@@ -86,8 +87,8 @@ typedef struct lhash_node_st
 
 typedef int (*LHASH_COMP_FN_TYPE)(const void *, const void *);
 typedef unsigned long (*LHASH_HASH_FN_TYPE)(const void *);
-typedef void (*LHASH_DOALL_FN_TYPE)(const void *);
-typedef void (*LHASH_DOALL_ARG_FN_TYPE)(const void *, void *);
+typedef void (*LHASH_DOALL_FN_TYPE)(void *);
+typedef void (*LHASH_DOALL_ARG_FN_TYPE)(void *, void *);
 
 /* Macros for declaring and implementing type-safe wrappers for LHASH callbacks.
  * This way, callbacks can be provided to LHASH structures without function
@@ -117,18 +118,18 @@ typedef void (*LHASH_DOALL_ARG_FN_TYPE)(const void *, void *);
 
 /* Third: "doall" functions */
 #define DECLARE_LHASH_DOALL_FN(f_name,o_type) \
-	void f_name##_LHASH_DOALL(const void *);
+	void f_name##_LHASH_DOALL(void *);
 #define IMPLEMENT_LHASH_DOALL_FN(f_name,o_type) \
-	void f_name##_LHASH_DOALL(const void *arg) { \
+	void f_name##_LHASH_DOALL(void *arg) { \
 		o_type a = (o_type)arg; \
 		f_name(a); }
 #define LHASH_DOALL_FN(f_name) f_name##_LHASH_DOALL
 
 /* Fourth: "doall_arg" functions */
 #define DECLARE_LHASH_DOALL_ARG_FN(f_name,o_type,a_type) \
-	void f_name##_LHASH_DOALL_ARG(const void *, void *);
+	void f_name##_LHASH_DOALL_ARG(void *, void *);
 #define IMPLEMENT_LHASH_DOALL_ARG_FN(f_name,o_type,a_type) \
-	void f_name##_LHASH_DOALL_ARG(const void *arg1, void *arg2) { \
+	void f_name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \
 		o_type a = (o_type)arg1; \
 		a_type b = (a_type)arg2; \
 		f_name(a,b); }
@@ -172,7 +173,7 @@ typedef struct lhash_st
 
 LHASH *lh_new(LHASH_HASH_FN_TYPE h, LHASH_COMP_FN_TYPE c);
 void lh_free(LHASH *lh);
-void *lh_insert(LHASH *lh, const void *data);
+void *lh_insert(LHASH *lh, void *data);
 void *lh_delete(LHASH *lh, const void *data);
 void *lh_retrieve(LHASH *lh, const void *data);
 void lh_doall(LHASH *lh, LHASH_DOALL_FN_TYPE func);
diff --git a/crypto/openssl/crypto/md2/Makefile b/crypto/openssl/crypto/md2/Makefile
index 975eda236718..17f878aeb7d4 100644
--- a/crypto/openssl/crypto/md2/Makefile
+++ b/crypto/openssl/crypto/md2/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md/Makefile
+# OpenSSL/crypto/md/Makefile
 #
 
 DIR=	md2
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -51,7 +46,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -66,6 +62,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -79,13 +76,14 @@ clean:
 
 md2_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 md2_dgst.o: ../../include/openssl/md2.h ../../include/openssl/opensslconf.h
-md2_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-md2_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-md2_dgst.o: md2_dgst.c
+md2_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+md2_dgst.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+md2_dgst.o: ../../include/openssl/symhacks.h md2_dgst.c
 md2_one.o: ../../e_os.h ../../include/openssl/bio.h
 md2_one.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 md2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 md2_one.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 md2_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-md2_one.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-md2_one.o: ../../include/openssl/symhacks.h ../cryptlib.h md2_one.c
+md2_one.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+md2_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+md2_one.o: ../cryptlib.h md2_one.c
diff --git a/crypto/openssl/crypto/md2/md2.h b/crypto/openssl/crypto/md2/md2.h
index ad9241455caf..5b71855cb2e4 100644
--- a/crypto/openssl/crypto/md2/md2.h
+++ b/crypto/openssl/crypto/md2/md2.h
@@ -59,13 +59,13 @@
 #ifndef HEADER_MD2_H
 #define HEADER_MD2_H
 
+#include <openssl/opensslconf.h> /* OPENSSL_NO_MD2, MD2_INT */
 #ifdef OPENSSL_NO_MD2
 #error MD2 is disabled.
 #endif
 
 #define MD2_DIGEST_LENGTH	16
 #define MD2_BLOCK       	16
-#include <openssl/opensslconf.h> /* MD2_INT */
 
 #ifdef  __cplusplus
 extern "C" {
@@ -73,7 +73,7 @@ extern "C" {
 
 typedef struct MD2state_st
 	{
-	int num;
+	unsigned int num;
 	unsigned char data[MD2_BLOCK];
 	MD2_INT cksm[MD2_BLOCK];
 	MD2_INT state[MD2_BLOCK];
@@ -81,9 +81,9 @@ typedef struct MD2state_st
 
 const char *MD2_options(void);
 int MD2_Init(MD2_CTX *c);
-int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len);
+int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len);
 int MD2_Final(unsigned char *md, MD2_CTX *c);
-unsigned char *MD2(const unsigned char *d, unsigned long n,unsigned char *md);
+unsigned char *MD2(const unsigned char *d, size_t n,unsigned char *md);
 #ifdef  __cplusplus
 }
 #endif
diff --git a/crypto/openssl/crypto/md2/md2_dgst.c b/crypto/openssl/crypto/md2/md2_dgst.c
index ecb64f0ec40d..15e77d60be17 100644
--- a/crypto/openssl/crypto/md2/md2_dgst.c
+++ b/crypto/openssl/crypto/md2/md2_dgst.c
@@ -125,7 +125,7 @@ int MD2_Init(MD2_CTX *c)
 	return 1;
 	}
 
-int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len)
+int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len)
 	{
 	register UCHAR *p;
 
@@ -145,7 +145,7 @@ int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len)
 			}
 		else
 			{
-			memcpy(&(p[c->num]),data,(int)len);
+			memcpy(&(p[c->num]),data,len);
 			/* data+=len; */
 			c->num+=(int)len;
 			return 1;
@@ -159,7 +159,7 @@ int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len)
 		data+=MD2_BLOCK;
 		len-=MD2_BLOCK;
 		}
-	memcpy(p,data,(int)len);
+	memcpy(p,data,len);
 	c->num=(int)len;
 	return 1;
 	}
diff --git a/crypto/openssl/crypto/md2/md2_one.c b/crypto/openssl/crypto/md2/md2_one.c
index 835160ef56d1..f7fef5cc0a73 100644
--- a/crypto/openssl/crypto/md2/md2_one.c
+++ b/crypto/openssl/crypto/md2/md2_one.c
@@ -63,13 +63,14 @@
 /* This is a separate file so that #defines in cryptlib.h can
  * map my MD functions to different names */
 
-unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md)
+unsigned char *MD2(const unsigned char *d, size_t n, unsigned char *md)
 	{
 	MD2_CTX c;
 	static unsigned char m[MD2_DIGEST_LENGTH];
 
 	if (md == NULL) md=m;
-	MD2_Init(&c);
+	if (!MD2_Init(&c))
+		return NULL;
 #ifndef CHARSET_EBCDIC
 	MD2_Update(&c,d,n);
 #else
diff --git a/crypto/openssl/crypto/md2/md2test.c b/crypto/openssl/crypto/md2/md2test.c
index 9c1e28b6ce80..db5f5bc6d20e 100644
--- a/crypto/openssl/crypto/md2/md2test.c
+++ b/crypto/openssl/crypto/md2/md2test.c
@@ -110,7 +110,7 @@ int main(int argc, char *argv[])
 	i=1;
 	while (*P != NULL)
 		{
-		EVP_Digest((unsigned char *)*P,(unsigned long)strlen(*P),md,NULL,EVP_md2(), NULL);
+		EVP_Digest((unsigned char *)*P,strlen(*P),md,NULL,EVP_md2(), NULL);
 		p=pt(md);
 		if (strcmp(p,*R) != 0)
 			{
@@ -124,7 +124,11 @@ int main(int argc, char *argv[])
 		R++;
 		P++;
 		}
+#ifdef OPENSSL_SYS_NETWARE
+    if (err) printf("ERROR: %d\n", err);
+#endif
 	EXIT(err);
+	return err;
 	}
 
 static char *pt(unsigned char *md)
diff --git a/crypto/openssl/crypto/md32_common.h b/crypto/openssl/crypto/md32_common.h
index 8137c57b1c55..0e625a8e55c0 100644
--- a/crypto/openssl/crypto/md32_common.h
+++ b/crypto/openssl/crypto/md32_common.h
@@ -77,7 +77,7 @@
  *			...
  *			HASH_LONG	Nl,Nh;
  *			HASH_LONG	data[HASH_LBLOCK];
- *			int		num;
+ *			unsigned int	num;
  *			...
  *			} HASH_CTX;
  * HASH_UPDATE
@@ -128,10 +128,6 @@
  *					<appro@fy.chalmers.se>
  */
 
-#include <openssl/crypto.h>
-#include <openssl/fips.h>
-#include <openssl/err.h>
-
 #if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
 #error "DATA_ORDER must be defined!"
 #endif
@@ -183,7 +179,7 @@
  */
 #undef ROTATE
 #ifndef PEDANTIC
-# if 0 /* defined(_MSC_VER) */
+# if defined(_MSC_VER) || defined(__ICC)
 #  define ROTATE(a,n)	_lrotl(a,n)
 # elif defined(__MWERKS__)
 #  if defined(__POWERPC__)
@@ -199,7 +195,6 @@
    * Some GNU C inline assembler templates. Note that these are
    * rotates by *constant* number of bits! But that's exactly
    * what we need here...
-   *
    * 					<appro@fy.chalmers.se>
    */
 #  if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
@@ -211,7 +206,7 @@
 				: "cc");		\
 			   ret;				\
 			})
-#  elif defined(__powerpc) || defined(__ppc)
+#  elif defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__)
 #   define ROTATE(a,n)	({ register unsigned int ret;	\
 				asm (			\
 				"rlwinm %0,%1,%2,0,31"	\
@@ -221,39 +216,6 @@
 			})
 #  endif
 # endif
-
-/*
- * Engage compiler specific "fetch in reverse byte order"
- * intrinsic function if available.
- */
-# if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
-  /* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
-#  if (defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)) && !defined(I386_ONLY)
-#   define BE_FETCH32(a)	({ register unsigned int l=(a);\
-				asm (			\
-				"bswapl %0"		\
-				: "=r"(l) : "0"(l));	\
-			  l;				\
-			})
-#  elif defined(__powerpc)
-#   define LE_FETCH32(a)	({ register unsigned int l;	\
-				asm (			\
-				"lwbrx %0,0,%1"		\
-				: "=r"(l)		\
-				: "r"(a));		\
-			   l;				\
-			})
-
-#  elif defined(__sparc) && defined(OPENSSL_SYS_ULTRASPARC)
-#  define LE_FETCH32(a)	({ register unsigned int l;		\
-				asm (				\
-				"lda [%1]#ASI_PRIMARY_LITTLE,%0"\
-				: "=r"(l)			\
-				: "r"(a));			\
-			   l;					\
-			})
-#  endif
-# endif
 #endif /* PEDANTIC */
 
 #if HASH_LONG_LOG2==2	/* Engage only if sizeof(HASH_LONG)== 4 */
@@ -305,28 +267,12 @@
 #    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
 #      define HASH_BLOCK_DATA_ORDER_ALIGNED	HASH_BLOCK_HOST_ORDER
 #    endif
-#  elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
-#    ifndef HOST_FETCH32
-#      ifdef LE_FETCH32
-#        define HOST_FETCH32(p,l)	LE_FETCH32(p)
-#      elif defined(REVERSE_FETCH32)
-#        define HOST_FETCH32(p,l)	REVERSE_FETCH32(p,l)
-#      endif
-#    endif
 #  endif
 #elif defined(L_ENDIAN)
 #  if defined(DATA_ORDER_IS_LITTLE_ENDIAN)
 #    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
 #      define HASH_BLOCK_DATA_ORDER_ALIGNED	HASH_BLOCK_HOST_ORDER
 #    endif
-#  elif defined(DATA_ORDER_IS_BIG_ENDIAN)
-#    ifndef HOST_FETCH32
-#      ifdef BE_FETCH32
-#        define HOST_FETCH32(p,l)	BE_FETCH32(p)
-#      elif defined(REVERSE_FETCH32)
-#        define HOST_FETCH32(p,l)	REVERSE_FETCH32(p,l)
-#      endif
-#    endif
 #  endif
 #endif
 
@@ -338,11 +284,33 @@
 
 #if defined(DATA_ORDER_IS_BIG_ENDIAN)
 
+#ifndef PEDANTIC
+# if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
+#  if ((defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)) || \
+      (defined(__x86_64) || defined(__x86_64__))
+    /*
+     * This gives ~30-40% performance improvement in SHA-256 compiled
+     * with gcc [on P4]. Well, first macro to be frank. We can pull
+     * this trick on x86* platforms only, because these CPUs can fetch
+     * unaligned data without raising an exception.
+     */
+#   define HOST_c2l(c,l)	({ unsigned int r=*((const unsigned int *)(c));	\
+				   asm ("bswapl %0":"=r"(r):"0"(r));	\
+				   (c)+=4; (l)=r;			})
+#   define HOST_l2c(l,c)	({ unsigned int r=(l);			\
+				   asm ("bswapl %0":"=r"(r):"0"(r));	\
+				   *((unsigned int *)(c))=r; (c)+=4; r;	})
+#  endif
+# endif
+#endif
+
+#ifndef HOST_c2l
 #define HOST_c2l(c,l)	(l =(((unsigned long)(*((c)++)))<<24),		\
 			 l|=(((unsigned long)(*((c)++)))<<16),		\
 			 l|=(((unsigned long)(*((c)++)))<< 8),		\
 			 l|=(((unsigned long)(*((c)++)))    ),		\
 			 l)
+#endif
 #define HOST_p_c2l(c,l,n)	{					\
 			switch (n) {					\
 			case 0: l =((unsigned long)(*((c)++)))<<24;	\
@@ -366,19 +334,31 @@
 			case 2: l|=((unsigned long)(*(--(c))))<<16;	\
 			case 1: l|=((unsigned long)(*(--(c))))<<24;	\
 				} }
+#ifndef HOST_l2c
 #define HOST_l2c(l,c)	(*((c)++)=(unsigned char)(((l)>>24)&0xff),	\
 			 *((c)++)=(unsigned char)(((l)>>16)&0xff),	\
 			 *((c)++)=(unsigned char)(((l)>> 8)&0xff),	\
 			 *((c)++)=(unsigned char)(((l)    )&0xff),	\
 			 l)
+#endif
 
 #elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
 
+#if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
+# ifndef B_ENDIAN
+   /* See comment in DATA_ORDER_IS_BIG_ENDIAN section. */
+#  define HOST_c2l(c,l)	((l)=*((const unsigned int *)(c)), (c)+=4, l)
+#  define HOST_l2c(l,c)	(*((unsigned int *)(c))=(l), (c)+=4, l)
+# endif
+#endif
+
+#ifndef HOST_c2l
 #define HOST_c2l(c,l)	(l =(((unsigned long)(*((c)++)))    ),		\
 			 l|=(((unsigned long)(*((c)++)))<< 8),		\
 			 l|=(((unsigned long)(*((c)++)))<<16),		\
 			 l|=(((unsigned long)(*((c)++)))<<24),		\
 			 l)
+#endif
 #define HOST_p_c2l(c,l,n)	{					\
 			switch (n) {					\
 			case 0: l =((unsigned long)(*((c)++)));		\
@@ -402,11 +382,13 @@
 			case 2: l|=((unsigned long)(*(--(c))))<< 8;	\
 			case 1: l|=((unsigned long)(*(--(c))));		\
 				} }
+#ifndef HOST_l2c
 #define HOST_l2c(l,c)	(*((c)++)=(unsigned char)(((l)    )&0xff),	\
 			 *((c)++)=(unsigned char)(((l)>> 8)&0xff),	\
 			 *((c)++)=(unsigned char)(((l)>>16)&0xff),	\
 			 *((c)++)=(unsigned char)(((l)>>24)&0xff),	\
 			 l)
+#endif
 
 #endif
 
@@ -414,21 +396,21 @@
  * Time for some action:-)
  */
 
-int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
+int HASH_UPDATE (HASH_CTX *c, const void *data_, size_t len)
 	{
 	const unsigned char *data=data_;
 	register HASH_LONG * p;
-	register unsigned long l;
-	int sw,sc,ew,ec;
+	register HASH_LONG l;
+	size_t sw,sc,ew,ec;
 
 	if (len==0) return 1;
 
-	l=(c->Nl+(len<<3))&0xffffffffL;
+	l=(c->Nl+(((HASH_LONG)len)<<3))&0xffffffffUL;
 	/* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
 	 * Wei Dai <weidai@eskimo.com> for pointing it out. */
 	if (l < c->Nl) /* overflow */
 		c->Nh++;
-	c->Nh+=(len>>29);
+	c->Nh+=(len>>29);	/* might cause compiler warning on 16-bit */
 	c->Nl=l;
 
 	if (c->num != 0)
@@ -451,7 +433,7 @@ int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
 			}
 		else
 			{
-			c->num+=len;
+			c->num+=(unsigned int)len;
 			if ((sc+len) < 4) /* ugly, add char's to a word */
 				{
 				l=p[sw]; HOST_p_c2l_p(data,l,sc,len); p[sw]=l;
@@ -485,10 +467,10 @@ int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
 		 * Note that HASH_BLOCK_DATA_ORDER_ALIGNED gets defined
 		 * only if sizeof(HASH_LONG)==4.
 		 */
-		if ((((unsigned long)data)%4) == 0)
+		if ((((size_t)data)%4) == 0)
 			{
 			/* data is properly aligned so that we can cast it: */
-			HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,sw);
+			HASH_BLOCK_DATA_ORDER_ALIGNED (c,(const HASH_LONG *)data,sw);
 			sw*=HASH_CBLOCK;
 			data+=sw;
 			len-=sw;
@@ -534,9 +516,9 @@ int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
 void HASH_TRANSFORM (HASH_CTX *c, const unsigned char *data)
 	{
 #if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
-	if ((((unsigned long)data)%4) == 0)
+	if ((((size_t)data)%4) == 0)
 		/* data is properly aligned so that we can cast it: */
-		HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,1);
+		HASH_BLOCK_DATA_ORDER_ALIGNED (c,(const HASH_LONG *)data,1);
 	else
 #if !defined(HASH_BLOCK_DATA_ORDER)
 		{
@@ -559,14 +541,6 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
 	static const unsigned char end[4]={0x80,0x00,0x00,0x00};
 	const unsigned char *cp=end;
 
-#ifdef OPENSSL_FIPS
-	if(FIPS_mode() && !FIPS_md5_allowed())
-	    {
-	    FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
-	    return 0;
-	    }
-#endif
-
 	/* c->num should definitly have room for at least one more byte. */
 	p=c->data;
 	i=c->num>>2;
diff --git a/crypto/openssl/crypto/md4/Makefile b/crypto/openssl/crypto/md4/Makefile
index f4b386940f70..ef97bb0cbef0 100644
--- a/crypto/openssl/crypto/md4/Makefile
+++ b/crypto/openssl/crypto/md4/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md4/Makefile
+# OpenSSL/crypto/md4/Makefile
 #
 
 DIR=    md4
@@ -8,11 +8,6 @@ CC=     cc
 CPP=    $(CC) -E
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile
 AR=             ar r
 
@@ -52,7 +47,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -67,6 +63,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -78,15 +75,12 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-md4_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-md4_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-md4_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-md4_dgst.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h
-md4_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-md4_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-md4_dgst.o: ../md32_common.h md4_dgst.c md4_locl.h
+md4_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/md4.h
+md4_dgst.o: ../../include/openssl/opensslconf.h
+md4_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md4_dgst.c
+md4_dgst.o: md4_locl.h
 md4_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 md4_one.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h
-md4_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-md4_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-md4_one.o: md4_one.c
+md4_one.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+md4_one.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+md4_one.o: ../../include/openssl/symhacks.h md4_one.c
diff --git a/crypto/openssl/crypto/md4/md4.h b/crypto/openssl/crypto/md4/md4.h
index 7a7b23682f8d..b080cbdc2140 100644
--- a/crypto/openssl/crypto/md4/md4.h
+++ b/crypto/openssl/crypto/md4/md4.h
@@ -101,13 +101,13 @@ typedef struct MD4state_st
 	MD4_LONG A,B,C,D;
 	MD4_LONG Nl,Nh;
 	MD4_LONG data[MD4_LBLOCK];
-	int num;
+	unsigned int num;
 	} MD4_CTX;
 
 int MD4_Init(MD4_CTX *c);
-int MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
+int MD4_Update(MD4_CTX *c, const void *data, size_t len);
 int MD4_Final(unsigned char *md, MD4_CTX *c);
-unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md);
+unsigned char *MD4(const unsigned char *d, size_t n, unsigned char *md);
 void MD4_Transform(MD4_CTX *c, const unsigned char *b);
 #ifdef  __cplusplus
 }
diff --git a/crypto/openssl/crypto/md4/md4_dgst.c b/crypto/openssl/crypto/md4/md4_dgst.c
index 7afb7185b68a..d4c7057f13b5 100644
--- a/crypto/openssl/crypto/md4/md4_dgst.c
+++ b/crypto/openssl/crypto/md4/md4_dgst.c
@@ -83,7 +83,7 @@ int MD4_Init(MD4_CTX *c)
 	}
 
 #ifndef md4_block_host_order
-void md4_block_host_order (MD4_CTX *c, const void *data, int num)
+void md4_block_host_order (MD4_CTX *c, const void *data, size_t num)
 	{
 	const MD4_LONG *X=data;
 	register unsigned MD32_REG_T A,B,C,D;
@@ -159,7 +159,7 @@ void md4_block_host_order (MD4_CTX *c, const void *data, int num)
 #ifdef X
 #undef X
 #endif
-void md4_block_data_order (MD4_CTX *c, const void *data_, int num)
+void md4_block_data_order (MD4_CTX *c, const void *data_, size_t num)
 	{
 	const unsigned char *data=data_;
 	register unsigned MD32_REG_T A,B,C,D,l;
diff --git a/crypto/openssl/crypto/md4/md4_locl.h b/crypto/openssl/crypto/md4/md4_locl.h
index a8d31d7a73f5..abc7b9bb84bd 100644
--- a/crypto/openssl/crypto/md4/md4_locl.h
+++ b/crypto/openssl/crypto/md4/md4_locl.h
@@ -65,10 +65,11 @@
 #define MD4_LONG_LOG2 2 /* default to 32 bits */
 #endif
 
-void md4_block_host_order (MD4_CTX *c, const void *p,int num);
-void md4_block_data_order (MD4_CTX *c, const void *p,int num);
+void md4_block_host_order (MD4_CTX *c, const void *p,size_t num);
+void md4_block_data_order (MD4_CTX *c, const void *p,size_t num);
 
 #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
+# if !defined(B_ENDIAN)
 /*
  * *_block_host_order is expected to handle aligned data while
  * *_block_data_order - unaligned. As algorithm and host (x86)
@@ -90,7 +91,8 @@ void md4_block_data_order (MD4_CTX *c, const void *p,int num);
  *
  *				<appro@fy.chalmers.se>
  */
-#define md4_block_data_order md4_block_host_order
+# define md4_block_data_order md4_block_host_order
+# endif
 #endif
 
 #define DATA_ORDER_IS_LITTLE_ENDIAN
diff --git a/crypto/openssl/crypto/md4/md4_one.c b/crypto/openssl/crypto/md4/md4_one.c
index 00565507e4bb..bb6436263818 100644
--- a/crypto/openssl/crypto/md4/md4_one.c
+++ b/crypto/openssl/crypto/md4/md4_one.c
@@ -65,13 +65,14 @@
 #include <openssl/ebcdic.h>
 #endif
 
-unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md)
+unsigned char *MD4(const unsigned char *d, size_t n, unsigned char *md)
 	{
 	MD4_CTX c;
 	static unsigned char m[MD4_DIGEST_LENGTH];
 
 	if (md == NULL) md=m;
-	MD4_Init(&c);
+	if (!MD4_Init(&c))
+		return NULL;
 #ifndef CHARSET_EBCDIC
 	MD4_Update(&c,d,n);
 #else
diff --git a/crypto/openssl/crypto/md4/md4test.c b/crypto/openssl/crypto/md4/md4test.c
index 21a77d96f711..5da53382c9f8 100644
--- a/crypto/openssl/crypto/md4/md4test.c
+++ b/crypto/openssl/crypto/md4/md4test.c
@@ -106,7 +106,7 @@ int main(int argc, char *argv[])
 	i=1;
 	while (*P != NULL)
 		{
-		EVP_Digest(&(P[0][0]),(unsigned long)strlen((char *)*P),md,NULL,EVP_md4(), NULL);
+		EVP_Digest(&(P[0][0]),strlen((char *)*P),md,NULL,EVP_md4(), NULL);
 		p=pt(md);
 		if (strcmp(p,(char *)*R) != 0)
 			{
diff --git a/crypto/openssl/crypto/md5/Makefile b/crypto/openssl/crypto/md5/Makefile
index 2d5d81813d85..849a0a5bacd5 100644
--- a/crypto/openssl/crypto/md5/Makefile
+++ b/crypto/openssl/crypto/md5/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md5/Makefile
+# OpenSSL/crypto/md5/Makefile
 #
 
 DIR=    md5
@@ -8,11 +8,6 @@ CC=     cc
 CPP=    $(CC) -E
 INCLUDES=-I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile
 AR=             ar r
 
@@ -20,6 +15,7 @@ MD5_ASM_OBJ=
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 ASFLAGS= $(INCLUDES) $(ASFLAG)
+AFLAGS= $(ASFLAGS)
 
 GENERAL=Makefile
 TEST=md5test.c
@@ -46,24 +42,19 @@ lib:    $(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
 
-# elf
-asm/mx86-elf.s: asm/md5-586.pl ../perlasm/x86asm.pl
-	(cd asm; $(PERL) md5-586.pl elf $(CFLAGS) > mx86-elf.s)
-
+# ELF
+mx86-elf.s: asm/md5-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) md5-586.pl elf $(CFLAGS) > ../$@)
+# COFF
+mx86-cof.s: asm/md5-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) md5-586.pl coff $(CFLAGS) > ../$@)
 # a.out
-asm/mx86-out.o: asm/mx86unix.cpp
-	$(CPP) -DOUT asm/mx86unix.cpp | as -o asm/mx86-out.o
-
-# bsdi
-asm/mx86bsdi.o: asm/mx86unix.cpp
-	$(CPP) -DBSDI asm/mx86unix.cpp | sed 's/ :/:/' | as -o asm/mx86bsdi.o
+mx86-out.s: asm/md5-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) md5-586.pl a.out $(CFLAGS) > ../$@)
 
-asm/mx86unix.cpp: asm/md5-586.pl ../perlasm/x86asm.pl
-	(cd asm; $(PERL) md5-586.pl cpp >mx86unix.cpp)
-
-asm/md5-sparcv8plus.o: asm/md5-sparcv9.S
+md5-sparcv8plus.o: asm/md5-sparcv9.S
 	$(CC) $(ASFLAGS) -DMD5_BLOCK_DATA_ORDER -c \
-		-o asm/md5-sparcv8plus.o asm/md5-sparcv9.S
+		-o md5-sparcv8plus.o asm/md5-sparcv9.S
 
 # Old GNU assembler doesn't understand V9 instructions, so we
 # hire /usr/ccs/bin/as to do the job. Note that option is called
@@ -71,13 +62,15 @@ asm/md5-sparcv8plus.o: asm/md5-sparcv9.S
 # if they didn't bother to upgrade GNU assembler. Such users should
 # not choose this option, but be adviced to *remove* GNU assembler
 # or upgrade it.
-asm/md5-sparcv8plus-gcc27.o: asm/md5-sparcv9.S
+md5-sparcv8plus-gcc27.o: asm/md5-sparcv9.S
 	$(CC) $(ASFLAGS) -DMD5_BLOCK_DATA_ORDER -E asm/md5-sparcv9.S | \
-		/usr/ccs/bin/as -xarch=v8plus - -o asm/md5-sparcv8plus-gcc27.o
+		/usr/ccs/bin/as -xarch=v8plus - -o md5-sparcv8plus-gcc27.o
 
-asm/md5-sparcv9.o: asm/md5-sparcv9.S
+md5-sparcv9.o: asm/md5-sparcv9.S
 	$(CC) $(ASFLAGS) -DMD5_BLOCK_DATA_ORDER -c \
-		-o asm/md5-sparcv9.o asm/md5-sparcv9.S
+		-o md5-sparcv9.o asm/md5-sparcv9.S
+
+md5-x86_64.s:	asm/md5-x86_64.pl;	$(PERL) asm/md5-x86_64.pl $@
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -88,7 +81,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -103,6 +97,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -110,19 +105,16 @@ dclean:
 	mv -f Makefile.new $(MAKEFILE)
 
 clean:
-	rm -f asm/mx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-md5_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-md5_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-md5_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-md5_dgst.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h
-md5_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-md5_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-md5_dgst.o: ../md32_common.h md5_dgst.c md5_locl.h
+md5_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/md5.h
+md5_dgst.o: ../../include/openssl/opensslconf.h
+md5_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md5_dgst.c
+md5_dgst.o: md5_locl.h
 md5_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 md5_one.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h
-md5_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-md5_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-md5_one.o: md5_one.c
+md5_one.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+md5_one.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+md5_one.o: ../../include/openssl/symhacks.h md5_one.c
diff --git a/crypto/openssl/crypto/md5/asm/md5-x86_64.pl b/crypto/openssl/crypto/md5/asm/md5-x86_64.pl
new file mode 100755
index 000000000000..c36a7febf7f6
--- /dev/null
+++ b/crypto/openssl/crypto/md5/asm/md5-x86_64.pl
@@ -0,0 +1,245 @@
+#!/usr/bin/perl -w
+#
+# MD5 optimized for AMD64.
+#
+# Author: Marc Bevand <bevand_m (at) epita.fr>
+# Licence: I hereby disclaim the copyright on this code and place it
+# in the public domain.
+#
+
+use strict;
+
+my $code;
+
+# round1_step() does:
+#   dst = x + ((dst + F(x,y,z) + X[k] + T_i) <<< s)
+#   %r10d = X[k_next]
+#   %r11d = z' (copy of z for the next step)
+# Each round1_step() takes about 5.71 clocks (9 instructions, 1.58 IPC)
+sub round1_step
+{
+    my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
+    $code .= " mov	0*4(%rsi),	%r10d		/* (NEXT STEP) X[0] */\n" if ($pos == -1);
+    $code .= " mov	%edx,		%r11d		/* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
+    $code .= <<EOF;
+	xor	$y,		%r11d		/* y ^ ... */
+	lea	$T_i($dst,%r10d),$dst		/* Const + dst + ... */
+	and	$x,		%r11d		/* x & ... */
+	xor	$z,		%r11d		/* z ^ ... */
+	mov	$k_next*4(%rsi),%r10d		/* (NEXT STEP) X[$k_next] */
+	add	%r11d,		$dst		/* dst += ... */
+	rol	\$$s,		$dst		/* dst <<< s */
+	mov	$y,		%r11d		/* (NEXT STEP) z' = $y */
+	add	$x,		$dst		/* dst += x */
+EOF
+}
+
+# round2_step() does:
+#   dst = x + ((dst + G(x,y,z) + X[k] + T_i) <<< s)
+#   %r10d = X[k_next]
+#   %r11d = y' (copy of y for the next step)
+# Each round2_step() takes about 6.22 clocks (9 instructions, 1.45 IPC)
+sub round2_step
+{
+    my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
+    $code .= " mov	1*4(%rsi),	%r10d		/* (NEXT STEP) X[1] */\n" if ($pos == -1);
+    $code .= " mov	%ecx,		%r11d		/* (NEXT STEP) y' = %ecx */\n" if ($pos == -1);
+    $code .= <<EOF;
+	xor	$x,		%r11d		/* x ^ ... */
+	lea	$T_i($dst,%r10d),$dst		/* Const + dst + ... */
+	and	$z,		%r11d		/* z & ... */
+	xor	$y,		%r11d		/* y ^ ... */
+	mov	$k_next*4(%rsi),%r10d		/* (NEXT STEP) X[$k_next] */
+	add	%r11d,		$dst		/* dst += ... */
+	rol	\$$s,		$dst		/* dst <<< s */
+	mov	$x,		%r11d		/* (NEXT STEP) y' = $x */
+	add	$x,		$dst		/* dst += x */
+EOF
+}
+
+# round3_step() does:
+#   dst = x + ((dst + H(x,y,z) + X[k] + T_i) <<< s)
+#   %r10d = X[k_next]
+#   %r11d = y' (copy of y for the next step)
+# Each round3_step() takes about 4.26 clocks (8 instructions, 1.88 IPC)
+sub round3_step
+{
+    my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
+    $code .= " mov	5*4(%rsi),	%r10d		/* (NEXT STEP) X[5] */\n" if ($pos == -1);
+    $code .= " mov	%ecx,		%r11d		/* (NEXT STEP) y' = %ecx */\n" if ($pos == -1);
+    $code .= <<EOF;
+	lea	$T_i($dst,%r10d),$dst		/* Const + dst + ... */
+	mov	$k_next*4(%rsi),%r10d		/* (NEXT STEP) X[$k_next] */
+	xor	$z,		%r11d		/* z ^ ... */
+	xor	$x,		%r11d		/* x ^ ... */
+	add	%r11d,		$dst		/* dst += ... */
+	rol	\$$s,		$dst		/* dst <<< s */
+	mov	$x,		%r11d		/* (NEXT STEP) y' = $x */
+	add	$x,		$dst		/* dst += x */
+EOF
+}
+
+# round4_step() does:
+#   dst = x + ((dst + I(x,y,z) + X[k] + T_i) <<< s)
+#   %r10d = X[k_next]
+#   %r11d = not z' (copy of not z for the next step)
+# Each round4_step() takes about 5.27 clocks (9 instructions, 1.71 IPC)
+sub round4_step
+{
+    my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
+    $code .= " mov	0*4(%rsi),	%r10d		/* (NEXT STEP) X[0] */\n" if ($pos == -1);
+    $code .= " mov	\$0xffffffff,	%r11d\n" if ($pos == -1);
+    $code .= " xor	%edx,		%r11d		/* (NEXT STEP) not z' = not %edx*/\n"
+    if ($pos == -1);
+    $code .= <<EOF;
+	lea	$T_i($dst,%r10d),$dst		/* Const + dst + ... */
+	or	$x,		%r11d		/* x | ... */
+	xor	$y,		%r11d		/* y ^ ... */
+	add	%r11d,		$dst		/* dst += ... */
+	mov	$k_next*4(%rsi),%r10d		/* (NEXT STEP) X[$k_next] */
+	mov	\$0xffffffff,	%r11d
+	rol	\$$s,		$dst		/* dst <<< s */
+	xor	$y,		%r11d		/* (NEXT STEP) not z' = not $y */
+	add	$x,		$dst		/* dst += x */
+EOF
+}
+
+my $output = shift;
+open STDOUT,"| $^X ../perlasm/x86_64-xlate.pl $output";
+
+$code .= <<EOF;
+.text
+.align 16
+
+.globl md5_block_asm_host_order
+.type md5_block_asm_host_order,\@function,3
+md5_block_asm_host_order:
+	push	%rbp
+	push	%rbx
+	push	%r14
+	push	%r15
+
+	# rdi = arg #1 (ctx, MD5_CTX pointer)
+	# rsi = arg #2 (ptr, data pointer)
+	# rdx = arg #3 (nbr, number of 16-word blocks to process)
+	mov	%rdi,		%rbp	# rbp = ctx
+	shl	\$6,		%rdx	# rdx = nbr in bytes
+	lea	(%rsi,%rdx),	%rdi	# rdi = end
+	mov	0*4(%rbp),	%eax	# eax = ctx->A
+	mov	1*4(%rbp),	%ebx	# ebx = ctx->B
+	mov	2*4(%rbp),	%ecx	# ecx = ctx->C
+	mov	3*4(%rbp),	%edx	# edx = ctx->D
+	# end is 'rdi'
+	# ptr is 'rsi'
+	# A is 'eax'
+	# B is 'ebx'
+	# C is 'ecx'
+	# D is 'edx'
+
+	cmp	%rdi,		%rsi		# cmp end with ptr
+	je	.Lend				# jmp if ptr == end
+
+	# BEGIN of loop over 16-word blocks
+.Lloop:	# save old values of A, B, C, D
+	mov	%eax,		%r8d
+	mov	%ebx,		%r9d
+	mov	%ecx,		%r14d
+	mov	%edx,		%r15d
+EOF
+round1_step(-1,'%eax','%ebx','%ecx','%edx', '1','0xd76aa478', '7');
+round1_step( 0,'%edx','%eax','%ebx','%ecx', '2','0xe8c7b756','12');
+round1_step( 0,'%ecx','%edx','%eax','%ebx', '3','0x242070db','17');
+round1_step( 0,'%ebx','%ecx','%edx','%eax', '4','0xc1bdceee','22');
+round1_step( 0,'%eax','%ebx','%ecx','%edx', '5','0xf57c0faf', '7');
+round1_step( 0,'%edx','%eax','%ebx','%ecx', '6','0x4787c62a','12');
+round1_step( 0,'%ecx','%edx','%eax','%ebx', '7','0xa8304613','17');
+round1_step( 0,'%ebx','%ecx','%edx','%eax', '8','0xfd469501','22');
+round1_step( 0,'%eax','%ebx','%ecx','%edx', '9','0x698098d8', '7');
+round1_step( 0,'%edx','%eax','%ebx','%ecx','10','0x8b44f7af','12');
+round1_step( 0,'%ecx','%edx','%eax','%ebx','11','0xffff5bb1','17');
+round1_step( 0,'%ebx','%ecx','%edx','%eax','12','0x895cd7be','22');
+round1_step( 0,'%eax','%ebx','%ecx','%edx','13','0x6b901122', '7');
+round1_step( 0,'%edx','%eax','%ebx','%ecx','14','0xfd987193','12');
+round1_step( 0,'%ecx','%edx','%eax','%ebx','15','0xa679438e','17');
+round1_step( 1,'%ebx','%ecx','%edx','%eax', '0','0x49b40821','22');
+
+round2_step(-1,'%eax','%ebx','%ecx','%edx', '6','0xf61e2562', '5');
+round2_step( 0,'%edx','%eax','%ebx','%ecx','11','0xc040b340', '9');
+round2_step( 0,'%ecx','%edx','%eax','%ebx', '0','0x265e5a51','14');
+round2_step( 0,'%ebx','%ecx','%edx','%eax', '5','0xe9b6c7aa','20');
+round2_step( 0,'%eax','%ebx','%ecx','%edx','10','0xd62f105d', '5');
+round2_step( 0,'%edx','%eax','%ebx','%ecx','15', '0x2441453', '9');
+round2_step( 0,'%ecx','%edx','%eax','%ebx', '4','0xd8a1e681','14');
+round2_step( 0,'%ebx','%ecx','%edx','%eax', '9','0xe7d3fbc8','20');
+round2_step( 0,'%eax','%ebx','%ecx','%edx','14','0x21e1cde6', '5');
+round2_step( 0,'%edx','%eax','%ebx','%ecx', '3','0xc33707d6', '9');
+round2_step( 0,'%ecx','%edx','%eax','%ebx', '8','0xf4d50d87','14');
+round2_step( 0,'%ebx','%ecx','%edx','%eax','13','0x455a14ed','20');
+round2_step( 0,'%eax','%ebx','%ecx','%edx', '2','0xa9e3e905', '5');
+round2_step( 0,'%edx','%eax','%ebx','%ecx', '7','0xfcefa3f8', '9');
+round2_step( 0,'%ecx','%edx','%eax','%ebx','12','0x676f02d9','14');
+round2_step( 1,'%ebx','%ecx','%edx','%eax', '0','0x8d2a4c8a','20');
+
+round3_step(-1,'%eax','%ebx','%ecx','%edx', '8','0xfffa3942', '4');
+round3_step( 0,'%edx','%eax','%ebx','%ecx','11','0x8771f681','11');
+round3_step( 0,'%ecx','%edx','%eax','%ebx','14','0x6d9d6122','16');
+round3_step( 0,'%ebx','%ecx','%edx','%eax', '1','0xfde5380c','23');
+round3_step( 0,'%eax','%ebx','%ecx','%edx', '4','0xa4beea44', '4');
+round3_step( 0,'%edx','%eax','%ebx','%ecx', '7','0x4bdecfa9','11');
+round3_step( 0,'%ecx','%edx','%eax','%ebx','10','0xf6bb4b60','16');
+round3_step( 0,'%ebx','%ecx','%edx','%eax','13','0xbebfbc70','23');
+round3_step( 0,'%eax','%ebx','%ecx','%edx', '0','0x289b7ec6', '4');
+round3_step( 0,'%edx','%eax','%ebx','%ecx', '3','0xeaa127fa','11');
+round3_step( 0,'%ecx','%edx','%eax','%ebx', '6','0xd4ef3085','16');
+round3_step( 0,'%ebx','%ecx','%edx','%eax', '9', '0x4881d05','23');
+round3_step( 0,'%eax','%ebx','%ecx','%edx','12','0xd9d4d039', '4');
+round3_step( 0,'%edx','%eax','%ebx','%ecx','15','0xe6db99e5','11');
+round3_step( 0,'%ecx','%edx','%eax','%ebx', '2','0x1fa27cf8','16');
+round3_step( 1,'%ebx','%ecx','%edx','%eax', '0','0xc4ac5665','23');
+
+round4_step(-1,'%eax','%ebx','%ecx','%edx', '7','0xf4292244', '6');
+round4_step( 0,'%edx','%eax','%ebx','%ecx','14','0x432aff97','10');
+round4_step( 0,'%ecx','%edx','%eax','%ebx', '5','0xab9423a7','15');
+round4_step( 0,'%ebx','%ecx','%edx','%eax','12','0xfc93a039','21');
+round4_step( 0,'%eax','%ebx','%ecx','%edx', '3','0x655b59c3', '6');
+round4_step( 0,'%edx','%eax','%ebx','%ecx','10','0x8f0ccc92','10');
+round4_step( 0,'%ecx','%edx','%eax','%ebx', '1','0xffeff47d','15');
+round4_step( 0,'%ebx','%ecx','%edx','%eax', '8','0x85845dd1','21');
+round4_step( 0,'%eax','%ebx','%ecx','%edx','15','0x6fa87e4f', '6');
+round4_step( 0,'%edx','%eax','%ebx','%ecx', '6','0xfe2ce6e0','10');
+round4_step( 0,'%ecx','%edx','%eax','%ebx','13','0xa3014314','15');
+round4_step( 0,'%ebx','%ecx','%edx','%eax', '4','0x4e0811a1','21');
+round4_step( 0,'%eax','%ebx','%ecx','%edx','11','0xf7537e82', '6');
+round4_step( 0,'%edx','%eax','%ebx','%ecx', '2','0xbd3af235','10');
+round4_step( 0,'%ecx','%edx','%eax','%ebx', '9','0x2ad7d2bb','15');
+round4_step( 1,'%ebx','%ecx','%edx','%eax', '0','0xeb86d391','21');
+$code .= <<EOF;
+	# add old values of A, B, C, D
+	add	%r8d,	%eax
+	add	%r9d,	%ebx
+	add	%r14d,	%ecx
+	add	%r15d,	%edx
+
+	# loop control
+	add	\$64,		%rsi		# ptr += 64
+	cmp	%rdi,		%rsi		# cmp end with ptr
+	jb	.Lloop				# jmp if ptr < end
+	# END of loop over 16-word blocks
+
+.Lend:
+	mov	%eax,		0*4(%rbp)	# ctx->A = A
+	mov	%ebx,		1*4(%rbp)	# ctx->B = B
+	mov	%ecx,		2*4(%rbp)	# ctx->C = C
+	mov	%edx,		3*4(%rbp)	# ctx->D = D
+
+	pop	%r15
+	pop	%r14
+	pop	%rbx
+	pop	%rbp
+	ret
+.size md5_block_asm_host_order,.-md5_block_asm_host_order
+EOF
+
+print $code;
+
+close STDOUT;
diff --git a/crypto/openssl/crypto/md5/md5.h b/crypto/openssl/crypto/md5/md5.h
index a252e0211543..6d283fe9dac8 100644
--- a/crypto/openssl/crypto/md5/md5.h
+++ b/crypto/openssl/crypto/md5/md5.h
@@ -101,13 +101,13 @@ typedef struct MD5state_st
 	MD5_LONG A,B,C,D;
 	MD5_LONG Nl,Nh;
 	MD5_LONG data[MD5_LBLOCK];
-	int num;
+	unsigned int num;
 	} MD5_CTX;
 
 int MD5_Init(MD5_CTX *c);
-int MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
+int MD5_Update(MD5_CTX *c, const void *data, size_t len);
 int MD5_Final(unsigned char *md, MD5_CTX *c);
-unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md);
+unsigned char *MD5(const unsigned char *d, size_t n, unsigned char *md);
 void MD5_Transform(MD5_CTX *c, const unsigned char *b);
 #ifdef  __cplusplus
 }
diff --git a/crypto/openssl/crypto/md5/md5_dgst.c b/crypto/openssl/crypto/md5/md5_dgst.c
index 9c7abc36972e..f97f48e55bb8 100644
--- a/crypto/openssl/crypto/md5/md5_dgst.c
+++ b/crypto/openssl/crypto/md5/md5_dgst.c
@@ -83,7 +83,7 @@ int MD5_Init(MD5_CTX *c)
 	}
 
 #ifndef md5_block_host_order
-void md5_block_host_order (MD5_CTX *c, const void *data, int num)
+void md5_block_host_order (MD5_CTX *c, const void *data, size_t num)
 	{
 	const MD5_LONG *X=data;
 	register unsigned MD32_REG_T A,B,C,D;
@@ -176,7 +176,7 @@ void md5_block_host_order (MD5_CTX *c, const void *data, int num)
 #ifdef X
 #undef X
 #endif
-void md5_block_data_order (MD5_CTX *c, const void *data_, int num)
+void md5_block_data_order (MD5_CTX *c, const void *data_, size_t num)
 	{
 	const unsigned char *data=data_;
 	register unsigned MD32_REG_T A,B,C,D,l;
diff --git a/crypto/openssl/crypto/md5/md5_locl.h b/crypto/openssl/crypto/md5/md5_locl.h
index 9e360da732ab..94f395f27a24 100644
--- a/crypto/openssl/crypto/md5/md5_locl.h
+++ b/crypto/openssl/crypto/md5/md5_locl.h
@@ -66,18 +66,21 @@
 #endif
 
 #ifdef MD5_ASM
-# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
-#  define md5_block_host_order md5_block_asm_host_order
+# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__) || defined(__x86_64) || defined(__x86_64__)
+#  if !defined(B_ENDIAN)
+#   define md5_block_host_order md5_block_asm_host_order
+#  endif
 # elif defined(__sparc) && defined(OPENSSL_SYS_ULTRASPARC)
-   void md5_block_asm_data_order_aligned (MD5_CTX *c, const MD5_LONG *p,int num);
+   void md5_block_asm_data_order_aligned (MD5_CTX *c, const MD5_LONG *p,size_t num);
 #  define HASH_BLOCK_DATA_ORDER_ALIGNED md5_block_asm_data_order_aligned
 # endif
 #endif
 
-void md5_block_host_order (MD5_CTX *c, const void *p,int num);
-void md5_block_data_order (MD5_CTX *c, const void *p,int num);
+void md5_block_host_order (MD5_CTX *c, const void *p,size_t num);
+void md5_block_data_order (MD5_CTX *c, const void *p,size_t num);
 
-#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
+#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__) || defined(__x86_64) || defined(__x86_64__)
+# if !defined(B_ENDIAN)
 /*
  * *_block_host_order is expected to handle aligned data while
  * *_block_data_order - unaligned. As algorithm and host (x86)
@@ -99,7 +102,8 @@ void md5_block_data_order (MD5_CTX *c, const void *p,int num);
  *
  *				<appro@fy.chalmers.se>
  */
-#define md5_block_data_order md5_block_host_order
+# define md5_block_data_order md5_block_host_order
+# endif
 #endif
 
 #define DATA_ORDER_IS_LITTLE_ENDIAN
diff --git a/crypto/openssl/crypto/md5/md5_one.c b/crypto/openssl/crypto/md5/md5_one.c
index c5dd2d81db49..43fee8937963 100644
--- a/crypto/openssl/crypto/md5/md5_one.c
+++ b/crypto/openssl/crypto/md5/md5_one.c
@@ -65,13 +65,14 @@
 #include <openssl/ebcdic.h>
 #endif
 
-unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md)
+unsigned char *MD5(const unsigned char *d, size_t n, unsigned char *md)
 	{
 	MD5_CTX c;
 	static unsigned char m[MD5_DIGEST_LENGTH];
 
 	if (md == NULL) md=m;
-	MD5_Init(&c);
+	if (!MD5_Init(&c))
+		return NULL;
 #ifndef CHARSET_EBCDIC
 	MD5_Update(&c,d,n);
 #else
diff --git a/crypto/openssl/crypto/md5/md5test.c b/crypto/openssl/crypto/md5/md5test.c
index bfd62629ed28..0628053fa7ce 100644
--- a/crypto/openssl/crypto/md5/md5test.c
+++ b/crypto/openssl/crypto/md5/md5test.c
@@ -106,7 +106,7 @@ int main(int argc, char *argv[])
 	i=1;
 	while (*P != NULL)
 		{
-		EVP_Digest(&(P[0][0]),(unsigned long)strlen((char *)*P),md,NULL,EVP_md5(), NULL);
+		EVP_Digest(&(P[0][0]),strlen((char *)*P),md,NULL,EVP_md5(), NULL);
 		p=pt(md);
 		if (strcmp(p,(char *)*R) != 0)
 			{
@@ -120,6 +120,10 @@ int main(int argc, char *argv[])
 		R++;
 		P++;
 		}
+
+#ifdef OPENSSL_SYS_NETWARE
+    if (err) printf("ERROR: %d\n", err);
+#endif
 	EXIT(err);
 	return(0);
 	}
diff --git a/crypto/openssl/crypto/mdc2/Makefile b/crypto/openssl/crypto/mdc2/Makefile
index 7b701644230a..1d064f17a627 100644
--- a/crypto/openssl/crypto/mdc2/Makefile
+++ b/crypto/openssl/crypto/mdc2/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/mdc2/Makefile
+# OpenSSL/crypto/mdc2/Makefile
 #
 
 DIR=	mdc2
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -51,7 +46,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -66,6 +62,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -83,14 +80,14 @@ mdc2_one.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 mdc2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 mdc2_one.o: ../../include/openssl/lhash.h ../../include/openssl/mdc2.h
 mdc2_one.o: ../../include/openssl/opensslconf.h
-mdc2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-mdc2_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-mdc2_one.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-mdc2_one.o: ../cryptlib.h mdc2_one.c
-mdc2dgst.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-mdc2dgst.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
-mdc2dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/opensslconf.h
-mdc2dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+mdc2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+mdc2_one.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+mdc2_one.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+mdc2_one.o: ../../include/openssl/ui_compat.h ../cryptlib.h mdc2_one.c
+mdc2dgst.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+mdc2dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/mdc2.h
+mdc2dgst.o: ../../include/openssl/opensslconf.h
+mdc2dgst.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 mdc2dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 mdc2dgst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 mdc2dgst.o: mdc2dgst.c
diff --git a/crypto/openssl/crypto/mdc2/mdc2.h b/crypto/openssl/crypto/mdc2/mdc2.h
index 793a8a0f13fb..72778a521236 100644
--- a/crypto/openssl/crypto/mdc2/mdc2.h
+++ b/crypto/openssl/crypto/mdc2/mdc2.h
@@ -74,7 +74,7 @@ extern "C" {
  
 typedef struct mdc2_ctx_st
 	{
-	int num;
+	unsigned int num;
 	unsigned char data[MDC2_BLOCK];
 	DES_cblock h,hh;
 	int pad_type; /* either 1 or 2, default 1 */
@@ -82,9 +82,9 @@ typedef struct mdc2_ctx_st
 
 
 int MDC2_Init(MDC2_CTX *c);
-int MDC2_Update(MDC2_CTX *c, const unsigned char *data, unsigned long len);
+int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len);
 int MDC2_Final(unsigned char *md, MDC2_CTX *c);
-unsigned char *MDC2(const unsigned char *d, unsigned long n,
+unsigned char *MDC2(const unsigned char *d, size_t n,
 	unsigned char *md);
 
 #ifdef  __cplusplus
diff --git a/crypto/openssl/crypto/mdc2/mdc2_one.c b/crypto/openssl/crypto/mdc2/mdc2_one.c
index 37f06c8d77cf..72647f67ede4 100644
--- a/crypto/openssl/crypto/mdc2/mdc2_one.c
+++ b/crypto/openssl/crypto/mdc2/mdc2_one.c
@@ -60,13 +60,14 @@
 #include "cryptlib.h"
 #include <openssl/mdc2.h>
 
-unsigned char *MDC2(const unsigned char *d, unsigned long n, unsigned char *md)
+unsigned char *MDC2(const unsigned char *d, size_t n, unsigned char *md)
 	{
 	MDC2_CTX c;
 	static unsigned char m[MDC2_DIGEST_LENGTH];
 
 	if (md == NULL) md=m;
-	MDC2_Init(&c);
+	if (!MDC2_Init(&c))
+		return NULL;
 	MDC2_Update(&c,d,n);
         MDC2_Final(md,&c);
 	OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
diff --git a/crypto/openssl/crypto/mdc2/mdc2dgst.c b/crypto/openssl/crypto/mdc2/mdc2dgst.c
index 32daa9b0da35..4aa406edc3ba 100644
--- a/crypto/openssl/crypto/mdc2/mdc2dgst.c
+++ b/crypto/openssl/crypto/mdc2/mdc2dgst.c
@@ -74,7 +74,7 @@
 			*((c)++)=(unsigned char)(((l)>>16L)&0xff), \
 			*((c)++)=(unsigned char)(((l)>>24L)&0xff))
 
-static void mdc2_body(MDC2_CTX *c, const unsigned char *in, unsigned int len);
+static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
 int MDC2_Init(MDC2_CTX *c)
 	{
 	c->num=0;
@@ -84,9 +84,9 @@ int MDC2_Init(MDC2_CTX *c)
 	return 1;
 	}
 
-int MDC2_Update(MDC2_CTX *c, const unsigned char *in, unsigned long len)
+int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t len)
 	{
-	int i,j;
+	size_t i,j;
 
 	i=c->num;
 	if (i != 0)
@@ -94,7 +94,7 @@ int MDC2_Update(MDC2_CTX *c, const unsigned char *in, unsigned long len)
 		if (i+len < MDC2_BLOCK)
 			{
 			/* partial block */
-			memcpy(&(c->data[i]),in,(int)len);
+			memcpy(&(c->data[i]),in,len);
 			c->num+=(int)len;
 			return 1;
 			}
@@ -109,25 +109,25 @@ int MDC2_Update(MDC2_CTX *c, const unsigned char *in, unsigned long len)
 			mdc2_body(c,&(c->data[0]),MDC2_BLOCK);
 			}
 		}
-	i=(int)(len&(unsigned long)~(MDC2_BLOCK-1));
+	i=len&~((size_t)MDC2_BLOCK-1);
 	if (i > 0) mdc2_body(c,in,i);
-	j=(int)len-i;
+	j=len-i;
 	if (j > 0)
 		{
 		memcpy(&(c->data[0]),&(in[i]),j);
-		c->num=j;
+		c->num=(int)j;
 		}
 	return 1;
 	}
 
-static void mdc2_body(MDC2_CTX *c, const unsigned char *in, unsigned int len)
+static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len)
 	{
 	register DES_LONG tin0,tin1;
 	register DES_LONG ttin0,ttin1;
 	DES_LONG d[2],dd[2];
 	DES_key_schedule k;
 	unsigned char *p;
-	unsigned int i;
+	size_t i;
 
 	for (i=0; i<len; i+=8)
 		{
@@ -160,7 +160,8 @@ static void mdc2_body(MDC2_CTX *c, const unsigned char *in, unsigned int len)
 
 int MDC2_Final(unsigned char *md, MDC2_CTX *c)
 	{
-	int i,j;
+	unsigned int i;
+	int j;
 
 	i=c->num;
 	j=c->pad_type;
diff --git a/crypto/openssl/crypto/mdc2/mdc2test.c b/crypto/openssl/crypto/mdc2/mdc2test.c
index c9abe99d9280..017b31add2ea 100644
--- a/crypto/openssl/crypto/mdc2/mdc2test.c
+++ b/crypto/openssl/crypto/mdc2/mdc2test.c
@@ -140,6 +140,9 @@ int main(int argc, char *argv[])
 		printf("pad2 - ok\n");
 
 	EVP_MD_CTX_cleanup(&c);
+#ifdef OPENSSL_SYS_NETWARE
+    if (ret) printf("ERROR: %d\n", ret);
+#endif
 	EXIT(ret);
 	return(ret);
 	}
diff --git a/crypto/openssl/crypto/mem.c b/crypto/openssl/crypto/mem.c
index dd86733b7705..6635167228da 100644
--- a/crypto/openssl/crypto/mem.c
+++ b/crypto/openssl/crypto/mem.c
@@ -324,8 +324,8 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line)
 	if (str == NULL)
 		return CRYPTO_malloc(num, file, line);
 
- 	if (num <= 0) return NULL;
- 
+	if (num <= 0) return NULL;
+
 	if (realloc_debug_func != NULL)
 		realloc_debug_func(str, NULL, num, file, line, 0);
 	ret = realloc_ex_func(str,num,file,line);
@@ -345,9 +345,9 @@ void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file,
 
 	if (str == NULL)
 		return CRYPTO_malloc(num, file, line);
- 
- 	if (num <= 0) return NULL;
- 
+
+	if (num <= 0) return NULL;
+
 	if (realloc_debug_func != NULL)
 		realloc_debug_func(str, NULL, num, file, line, 0);
 	ret=malloc_ex_func(num,file,line);
diff --git a/crypto/openssl/crypto/mem_clr.c b/crypto/openssl/crypto/mem_clr.c
index e4b7f540b0bd..75cbfb374e3b 100644
--- a/crypto/openssl/crypto/mem_clr.c
+++ b/crypto/openssl/crypto/mem_clr.c
@@ -68,7 +68,7 @@ void OPENSSL_cleanse(void *ptr, size_t len)
 	while(loop--)
 		{
 		*(p++) = cleanse_ctr;
-		cleanse_ctr += (17 + (unsigned char)((int)p & 0xF));
+		cleanse_ctr += (17 + (unsigned char)((unsigned long)p & 0xF));
 		}
 	if(memchr(ptr, cleanse_ctr, len))
 		cleanse_ctr += 63;
diff --git a/crypto/openssl/crypto/mem_dbg.c b/crypto/openssl/crypto/mem_dbg.c
index e212de27e488..8316485217ac 100644
--- a/crypto/openssl/crypto/mem_dbg.c
+++ b/crypto/openssl/crypto/mem_dbg.c
@@ -59,11 +59,11 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>	
+#include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/buffer.h>
 #include <openssl/bio.h>
 #include <openssl/lhash.h>
-#include "cryptlib.h"
 
 static int mh_mode=CRYPTO_MEM_CHECK_OFF;
 /* The state changes to CRYPTO_MEM_CHECK_ON | CRYPTO_MEM_CHECK_ENABLE
@@ -252,8 +252,16 @@ long CRYPTO_dbg_get_options(void)
 /* static int mem_cmp(MEM *a, MEM *b) */
 static int mem_cmp(const void *a_void, const void *b_void)
 	{
+#ifdef _WIN64
+	const char *a=(const char *)((const MEM *)a_void)->addr,
+		   *b=(const char *)((const MEM *)b_void)->addr;
+	if (a==b)	return 0;
+	else if (a>b)	return 1;
+	else		return -1;
+#else
 	return((const char *)((const MEM *)a_void)->addr
 		- (const char *)((const MEM *)b_void)->addr);
+#endif
 	}
 
 /* static unsigned long mem_hash(MEM *a) */
diff --git a/crypto/openssl/crypto/o_dir.c b/crypto/openssl/crypto/o_dir.c
new file mode 100644
index 000000000000..42891ea45928
--- /dev/null
+++ b/crypto/openssl/crypto/o_dir.c
@@ -0,0 +1,83 @@
+/* crypto/o_dir.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <errno.h>
+#include <e_os.h>
+
+/* The routines really come from the Levitte Programming, so to make
+   life simple, let's just use the raw files and hack the symbols to
+   fit our namespace.  */
+#define LP_DIR_CTX OPENSSL_DIR_CTX
+#define LP_dir_context_st OPENSSL_dir_context_st
+#define LP_find_file OPENSSL_DIR_read
+#define LP_find_file_end OPENSSL_DIR_end
+
+#include "o_dir.h"
+
+#define LPDIR_H
+#if defined OPENSSL_SYS_UNIX || defined DJGPP
+#include "LPdir_unix.c"
+#elif defined OPENSSL_SYS_VMS
+#include "LPdir_vms.c"
+#elif defined OPENSSL_SYS_WIN32
+#include "LPdir_win32.c"
+#elif defined OPENSSL_SYS_WINCE
+#include "LPdir_wince.c"
+#else
+#include "LPdir_nyi.c"
+#endif
diff --git a/crypto/openssl/crypto/o_dir.h b/crypto/openssl/crypto/o_dir.h
new file mode 100644
index 000000000000..4b725c031247
--- /dev/null
+++ b/crypto/openssl/crypto/o_dir.h
@@ -0,0 +1,53 @@
+/* crypto/o_dir.h -*- mode:C; c-file-style: "eay" -*- */
+/* Copied from Richard Levitte's (richard@levitte.org) LP library.  All
+ * symbol names have been changed, with permission from the author.
+ */
+
+/* $LP: LPlib/source/LPdir.h,v 1.1 2004/06/14 08:56:04 _cvs_levitte Exp $ */
+/*
+ * Copyright (c) 2004, Richard Levitte <richard@levitte.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+
+#ifndef O_DIR_H
+#define O_DIR_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+  typedef struct OPENSSL_dir_context_st OPENSSL_DIR_CTX;
+
+  /* returns NULL on error or end-of-directory.
+     If it is end-of-directory, errno will be zero */
+  const char *OPENSSL_DIR_read(OPENSSL_DIR_CTX **ctx, const char *directory);
+  /* returns 1 on success, 0 on error */
+  int OPENSSL_DIR_end(OPENSSL_DIR_CTX **ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* LPDIR_H */
diff --git a/crypto/openssl/crypto/o_dir_test.c b/crypto/openssl/crypto/o_dir_test.c
new file mode 100644
index 000000000000..3d75ecb0050c
--- /dev/null
+++ b/crypto/openssl/crypto/o_dir_test.c
@@ -0,0 +1,70 @@
+/* crypto/o_dir.h -*- mode:C; c-file-style: "eay" -*- */
+/* Copied from Richard Levitte's (richard@levitte.org) LP library.  All
+ * symbol names have been changed, with permission from the author.
+ */
+
+/* $LP: LPlib/test/test_dir.c,v 1.1 2004/06/16 22:59:47 _cvs_levitte Exp $ */
+/*
+ * Copyright (c) 2004, Richard Levitte <richard@levitte.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <stddef.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include "e_os2.h"
+#include "o_dir.h"
+
+#if defined OPENSSL_SYS_UNIX || defined OPENSSL_SYS_WIN32 || defined OPENSSL_SYS_WINCE
+#define CURRDIR "."
+#elif defined OPENSSL_SYS_VMS
+#define CURRDIR "SYS$DISK:[]"
+#else
+#error "No supported platform defined!"
+#endif
+
+int main()
+{
+  OPENSSL_DIR_CTX *ctx = NULL;
+  const char *result;
+
+  while((result = OPENSSL_DIR_read(&ctx, CURRDIR)) != NULL)
+    {
+      printf("%s\n", result);
+    }
+
+  if (errno)
+    {
+      perror("test_dir");
+      exit(1);
+    }
+
+  if (!OPENSSL_DIR_end(&ctx))
+    {
+      perror("test_dir");
+      exit(2);
+    }
+  exit(0);
+}
diff --git a/crypto/openssl/crypto/o_str.c b/crypto/openssl/crypto/o_str.c
index 7189d13352ee..2db099333a7f 100644
--- a/crypto/openssl/crypto/o_str.c
+++ b/crypto/openssl/crypto/o_str.c
@@ -57,20 +57,12 @@
  */
 
 #include <ctype.h>
-#include <openssl/e_os2.h>
-#ifdef OPENSSL_SYS_WINDOWS
-# include <string.h>
-#else
-# include <strings.h>
-#endif
+#include <e_os.h>
 #include "o_str.h"
 
-#undef strncasecmp
-#undef strcasecmp
-
 int OPENSSL_strncasecmp(const char *str1, const char *str2, size_t n)
 	{
-#if defined(OPENSSL_SYS_VMS)
+#if defined(OPENSSL_IMPLEMENTS_strncasecmp)
 	while (*str1 && *str2 && n)
 		{
 		int res = toupper(*str1) - toupper(*str2);
@@ -86,20 +78,28 @@ int OPENSSL_strncasecmp(const char *str1, const char *str2, size_t n)
 	if (*str2)
 		return -1;
 	return 0;
-#elif defined(OPENSSL_SYS_WINDOWS)
-	return _strnicmp(str1, str2, n);
 #else
+	/* Recursion hazard warning! Whenever strncasecmp is #defined as
+	 * OPENSSL_strncasecmp, OPENSSL_IMPLEMENTS_strncasecmp must be
+	 * defined as well. */
 	return strncasecmp(str1, str2, n);
 #endif
 	}
 int OPENSSL_strcasecmp(const char *str1, const char *str2)
 	{
-#if defined(OPENSSL_SYS_VMS)
+#if defined(OPENSSL_IMPLEMENTS_strncasecmp)
 	return OPENSSL_strncasecmp(str1, str2, (size_t)-1);
-#elif defined(OPENSSL_SYS_WINDOWS)
-	return _stricmp(str1, str2);
 #else
 	return strcasecmp(str1, str2);
 #endif
 	}
 
+int OPENSSL_memcmp(const void *v1,const void *v2,size_t n)
+	{
+	const unsigned char *c1=v1,*c2=v2;
+	int ret=0;
+
+	while(n && (ret=*c1-*c2)==0) n--,c1++,c2++;
+
+	return ret;
+	}
diff --git a/crypto/openssl/crypto/o_str.h b/crypto/openssl/crypto/o_str.h
index 4a70a9e00bad..dfc98494c6c5 100644
--- a/crypto/openssl/crypto/o_str.h
+++ b/crypto/openssl/crypto/o_str.h
@@ -63,5 +63,6 @@
 
 int OPENSSL_strcasecmp(const char *str1, const char *str2);
 int OPENSSL_strncasecmp(const char *str1, const char *str2, size_t n);
+int OPENSSL_memcmp(const void *p1,const void *p2,size_t n);
 
 #endif
diff --git a/crypto/openssl/crypto/objects/Makefile b/crypto/openssl/crypto/objects/Makefile
index 48a912846f26..08af092914d9 100644
--- a/crypto/openssl/crypto/objects/Makefile
+++ b/crypto/openssl/crypto/objects/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/objects/Makefile
+# OpenSSL/crypto/objects/Makefile
 #
 
 DIR=	objects
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 PERL=		perl
@@ -49,6 +44,7 @@ obj_dat.h: obj_dat.pl obj_mac.h
 # objects.pl both reads and writes obj_mac.num
 obj_mac.h: objects.pl objects.txt obj_mac.num
 	$(PERL) objects.pl objects.txt obj_mac.num obj_mac.h
+	@sleep 1; touch obj_mac.h; sleep 1
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -59,7 +55,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -74,6 +71,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -86,36 +84,36 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 o_names.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-o_names.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-o_names.o: ../../include/openssl/e_os2.h ../../include/openssl/lhash.h
+o_names.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+o_names.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 o_names.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 o_names.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 o_names.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 o_names.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 o_names.o: o_names.c
 obj_dat.o: ../../e_os.h ../../include/openssl/asn1.h
-obj_dat.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-obj_dat.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-obj_dat.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-obj_dat.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-obj_dat.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-obj_dat.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-obj_dat.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-obj_dat.o: ../../include/openssl/symhacks.h ../cryptlib.h obj_dat.c obj_dat.h
+obj_dat.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+obj_dat.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+obj_dat.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+obj_dat.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+obj_dat.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+obj_dat.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+obj_dat.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+obj_dat.o: ../cryptlib.h obj_dat.c obj_dat.h
 obj_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-obj_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-obj_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-obj_err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-obj_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-obj_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-obj_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-obj_err.o: ../../include/openssl/symhacks.h obj_err.c
+obj_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+obj_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+obj_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+obj_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+obj_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+obj_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+obj_err.o: obj_err.c
 obj_lib.o: ../../e_os.h ../../include/openssl/asn1.h
-obj_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-obj_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-obj_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-obj_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-obj_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-obj_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-obj_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-obj_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h obj_lib.c
+obj_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+obj_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+obj_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+obj_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+obj_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+obj_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+obj_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+obj_lib.o: ../cryptlib.h obj_lib.c
diff --git a/crypto/openssl/crypto/objects/o_names.c b/crypto/openssl/crypto/objects/o_names.c
index b4453b4a9875..adb5731f7659 100644
--- a/crypto/openssl/crypto/objects/o_names.c
+++ b/crypto/openssl/crypto/objects/o_names.c
@@ -2,6 +2,7 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
 #include <openssl/safestack.h>
@@ -80,7 +81,11 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),
 		MemCheck_off();
 		name_funcs = OPENSSL_malloc(sizeof(NAME_FUNCS));
 		MemCheck_on();
-		if (!name_funcs) return(0);
+		if (!name_funcs)
+			{
+			OBJerr(OBJ_F_OBJ_NAME_NEW_INDEX,ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
 		name_funcs->hash_func = lh_strhash;
 		name_funcs->cmp_func = OPENSSL_strcmp;
 		name_funcs->free_func = 0; /* NULL is often declared to
@@ -106,8 +111,8 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),
 static int obj_name_cmp(const void *a_void, const void *b_void)
 	{
 	int ret;
-	OBJ_NAME *a = (OBJ_NAME *)a_void;
-	OBJ_NAME *b = (OBJ_NAME *)b_void;
+	const OBJ_NAME *a = (const OBJ_NAME *)a_void;
+	const OBJ_NAME *b = (const OBJ_NAME *)b_void;
 
 	ret=a->type-b->type;
 	if (ret == 0)
@@ -128,7 +133,7 @@ static int obj_name_cmp(const void *a_void, const void *b_void)
 static unsigned long obj_name_hash(const void *a_void)
 	{
 	unsigned long ret;
-	OBJ_NAME *a = (OBJ_NAME *)a_void;
+	const OBJ_NAME *a = (const OBJ_NAME *)a_void;
 
 	if ((name_funcs_stack != NULL) && (sk_NAME_FUNCS_num(name_funcs_stack) > a->type))
 		{
diff --git a/crypto/openssl/crypto/objects/obj_dat.c b/crypto/openssl/crypto/objects/obj_dat.c
index 4534dc09856e..7a95c7795a93 100644
--- a/crypto/openssl/crypto/objects/obj_dat.c
+++ b/crypto/openssl/crypto/objects/obj_dat.c
@@ -58,6 +58,7 @@
 
 #include <stdio.h>
 #include <ctype.h>
+#include <limits.h>
 #include "cryptlib.h"
 #include <openssl/lhash.h>
 #include <openssl/asn1.h>
@@ -115,7 +116,7 @@ static unsigned long add_hash(const void *ca_void)
 	int i;
 	unsigned long ret=0;
 	unsigned char *p;
-	ADDED_OBJ *ca = (ADDED_OBJ *)ca_void;
+	const ADDED_OBJ *ca = (const ADDED_OBJ *)ca_void;
 
 	a=ca->obj;
 	switch (ca->type)
@@ -149,8 +150,8 @@ static int add_cmp(const void *ca_void, const void *cb_void)
 	{
 	ASN1_OBJECT *a,*b;
 	int i;
-	ADDED_OBJ *ca = (ADDED_OBJ *)ca_void;
-	ADDED_OBJ *cb = (ADDED_OBJ *)cb_void;
+	const ADDED_OBJ *ca = (const ADDED_OBJ *)ca_void;
+	const ADDED_OBJ *cb = (const ADDED_OBJ *)cb_void;
 
 	i=ca->type-cb->type;
 	if (i) return(i);
@@ -161,7 +162,7 @@ static int add_cmp(const void *ca_void, const void *cb_void)
 	case ADDED_DATA:
 		i=(a->length - b->length);
 		if (i) return(i);
-		return(memcmp(a->data,b->data,a->length));
+		return(memcmp(a->data,b->data,(size_t)a->length));
 	case ADDED_SNAME:
 		if (a->sn == NULL) return(-1);
 		else if (b->sn == NULL) return(1);
@@ -236,13 +237,13 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
 	if (added == NULL)
 		if (!init_added()) return(0);
 	if ((o=OBJ_dup(obj)) == NULL) goto err;
-	if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err;
+	if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
 	if ((o->length != 0) && (obj->data != NULL))
-		ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ));
+		if (!(ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
 	if (o->sn != NULL)
-		ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ));
+		if (!(ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
 	if (o->ln != NULL)
-		ao[ADDED_LNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ));
+		if (!(ao[ADDED_LNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
 
 	for (i=ADDED_DATA; i<=ADDED_NID; i++)
 		{
@@ -260,6 +261,8 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
 			ASN1_OBJECT_FLAG_DYNAMIC_DATA);
 
 	return(o->nid);
+err2:
+	OBJerr(OBJ_F_OBJ_ADD_OBJECT,ERR_R_MALLOC_FAILURE);
 err:
 	for (i=ADDED_DATA; i<=ADDED_NID; i++)
 		if (ao[i] != NULL) OPENSSL_free(ao[i]);
@@ -380,8 +383,8 @@ int OBJ_obj2nid(const ASN1_OBJECT *a)
 		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
 		if (adp != NULL) return (adp->obj->nid);
 		}
-	op=(ASN1_OBJECT **)OBJ_bsearch((char *)&a,(char *)obj_objs,NUM_OBJ,
-		sizeof(ASN1_OBJECT *),obj_cmp);
+	op=(ASN1_OBJECT **)OBJ_bsearch((const char *)&a,(const char *)obj_objs,
+		NUM_OBJ, sizeof(ASN1_OBJECT *),obj_cmp);
 	if (op == NULL)
 		return(NID_undef);
 	return((*op)->nid);
@@ -397,7 +400,9 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
 	{
 	int nid = NID_undef;
 	ASN1_OBJECT *op=NULL;
-	unsigned char *buf,*p;
+	unsigned char *buf;
+	unsigned char *p;
+	const unsigned char *cp;
 	int i, j;
 
 	if(!no_name) {
@@ -409,8 +414,8 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
 	/* Work out size of content octets */
 	i=a2d_ASN1_OBJECT(NULL,0,s,-1);
 	if (i <= 0) {
-		/* Clear the error */
-		ERR_get_error();
+		/* Don't clear the error */
+		/*ERR_clear_error();*/
 		return NULL;
 	}
 	/* Work out total size */
@@ -423,75 +428,170 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
 	ASN1_put_object(&p,0,i,V_ASN1_OBJECT,V_ASN1_UNIVERSAL);
 	/* Write out contents */
 	a2d_ASN1_OBJECT(p,i,s,-1);
-	
-	p=buf;
-	op=d2i_ASN1_OBJECT(NULL,&p,j);
+
+	cp=buf;
+	op=d2i_ASN1_OBJECT(NULL,&cp,j);
 	OPENSSL_free(buf);
 	return op;
 	}
 
 int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
 {
-	int i,idx=0,n=0,len,nid;
+	int i,n=0,len,nid, first, use_bn;
+	BIGNUM *bl;
 	unsigned long l;
 	unsigned char *p;
-	const char *s;
 	char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
 
-	if (buf_len <= 0) return(0);
-
 	if ((a == NULL) || (a->data == NULL)) {
 		buf[0]='\0';
 		return(0);
 	}
 
-	if (no_name || (nid=OBJ_obj2nid(a)) == NID_undef) {
-		len=a->length;
-		p=a->data;
 
-		idx=0;
-		l=0;
-		while (idx < a->length) {
-			l|=(p[idx]&0x7f);
-			if (!(p[idx] & 0x80)) break;
-			l<<=7L;
-			idx++;
+	if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef)
+		{
+		const char *s;
+		s=OBJ_nid2ln(nid);
+		if (s == NULL)
+			s=OBJ_nid2sn(nid);
+		if (buf)
+			BUF_strlcpy(buf,s,buf_len);
+		n=strlen(s);
+		return n;
 		}
-		idx++;
-		i=(int)(l/40);
-		if (i > 2) i=2;
-		l-=(long)(i*40);
-
-		BIO_snprintf(tbuf,sizeof tbuf,"%d.%lu",i,l);
-		i=strlen(tbuf);
-		BUF_strlcpy(buf,tbuf,buf_len);
-		buf_len-=i;
-		buf+=i;
-		n+=i;
 
+
+	len=a->length;
+	p=a->data;
+
+	first = 1;
+	bl = NULL;
+
+	while (len > 0)
+		{
 		l=0;
-		for (; idx<len; idx++) {
-			l|=p[idx]&0x7f;
-			if (!(p[idx] & 0x80)) {
-				BIO_snprintf(tbuf,sizeof tbuf,".%lu",l);
-				i=strlen(tbuf);
+		use_bn = 0;
+		for (;;)
+			{
+			unsigned char c = *p++;
+			len--;
+			if ((len == 0) && (c & 0x80))
+				goto err;
+			if (use_bn)
+				{
+				if (!BN_add_word(bl, c & 0x7f))
+					goto err;
+				}
+			else
+				l |= c  & 0x7f;
+			if (!(c & 0x80))
+				break;
+			if (!use_bn && (l > (ULONG_MAX >> 7L)))
+				{
+				if (!bl && !(bl = BN_new()))
+					goto err;
+				if (!BN_set_word(bl, l))
+					goto err;
+				use_bn = 1;
+				}
+			if (use_bn)
+				{
+				if (!BN_lshift(bl, bl, 7))
+					goto err;
+				}
+			else
+				l<<=7L;
+			}
+
+		if (first)
+			{
+			first = 0;
+			if (l >= 80)
+				{
+				i = 2;
+				if (use_bn)
+					{
+					if (!BN_sub_word(bl, 80))
+						goto err;
+					}
+				else
+					l -= 80;
+				}
+			else
+				{
+				i=(int)(l/40);
+				l-=(long)(i*40);
+				}
+			if (buf && (buf_len > 0))
+				{
+				*buf++ = i + '0';
+				buf_len--;
+				}
+			n++;
+			}
+
+		if (use_bn)
+			{
+			char *bndec;
+			bndec = BN_bn2dec(bl);
+			if (!bndec)
+				goto err;
+			i = strlen(bndec);
+			if (buf)
+				{
 				if (buf_len > 0)
-					BUF_strlcpy(buf,tbuf,buf_len);
-				buf_len-=i;
-				buf+=i;
-				n+=i;
-				l=0;
+					{
+					*buf++ = '.';
+					buf_len--;
+					}
+				BUF_strlcpy(buf,bndec,buf_len);
+				if (i > buf_len)
+					{
+					buf += buf_len;
+					buf_len = 0;
+					}
+				else
+					{
+					buf+=i;
+					buf_len-=i;
+					}
+				}
+			n++;
+			n += i;
+			OPENSSL_free(bndec);
+			}
+		else
+			{
+			BIO_snprintf(tbuf,sizeof tbuf,".%lu",l);
+			i=strlen(tbuf);
+			if (buf && (buf_len > 0))
+				{
+				BUF_strlcpy(buf,tbuf,buf_len);
+				if (i > buf_len)
+					{
+					buf += buf_len;
+					buf_len = 0;
+					}
+				else
+					{
+					buf+=i;
+					buf_len-=i;
+					}
+				}
+			n+=i;
+			l=0;
 			}
-			l<<=7L;
 		}
-	} else {
-		s=OBJ_nid2ln(nid);
-		if (s == NULL)
-			s=OBJ_nid2sn(nid);
-		BUF_strlcpy(buf,s,buf_len);
-		n=strlen(s);
-	}
-	return(n);
+
+	if (bl)
+		BN_free(bl);
+	return n;
+
+	err:
+	if (bl)
+		BN_free(bl);
+	return -1;
 }
 
 int OBJ_txt2nid(const char *s)
@@ -517,7 +617,7 @@ int OBJ_ln2nid(const char *s)
 		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
 		if (adp != NULL) return (adp->obj->nid);
 		}
-	op=(ASN1_OBJECT **)OBJ_bsearch((char *)&oo,(char *)ln_objs,NUM_LN,
+	op=(ASN1_OBJECT **)OBJ_bsearch((char *)&oo,(char *)ln_objs, NUM_LN,
 		sizeof(ASN1_OBJECT *),ln_cmp);
 	if (op == NULL) return(NID_undef);
 	return((*op)->nid);
@@ -545,8 +645,8 @@ int OBJ_sn2nid(const char *s)
 static int obj_cmp(const void *ap, const void *bp)
 	{
 	int j;
-	ASN1_OBJECT *a= *(ASN1_OBJECT **)ap;
-	ASN1_OBJECT *b= *(ASN1_OBJECT **)bp;
+	const ASN1_OBJECT *a= *(ASN1_OBJECT * const *)ap;
+	const ASN1_OBJECT *b= *(ASN1_OBJECT * const *)bp;
 
 	j=(a->length - b->length);
         if (j) return(j);
@@ -556,8 +656,14 @@ static int obj_cmp(const void *ap, const void *bp)
 const char *OBJ_bsearch(const char *key, const char *base, int num, int size,
 	int (*cmp)(const void *, const void *))
 	{
-	int l,h,i,c;
-	const char *p;
+	return OBJ_bsearch_ex(key, base, num, size, cmp, 0);
+	}
+
+const char *OBJ_bsearch_ex(const char *key, const char *base, int num,
+	int size, int (*cmp)(const void *, const void *), int flags)
+	{
+	int l,h,i=0,c=0;
+	const char *p = NULL;
 
 	if (num == 0) return(NULL);
 	l=0;
@@ -572,20 +678,33 @@ const char *OBJ_bsearch(const char *key, const char *base, int num, int size,
 		else if (c > 0)
 			l=i+1;
 		else
-			return(p);
+			break;
 		}
 #ifdef CHARSET_EBCDIC
 /* THIS IS A KLUDGE - Because the *_obj is sorted in ASCII order, and
  * I don't have perl (yet), we revert to a *LINEAR* search
  * when the object wasn't found in the binary search.
  */
-	for (i=0; i<num; ++i) {
-		p= &(base[i*size]);
-		if ((*cmp)(key,p) == 0)
-			return p;
-	}
+	if (c != 0)
+		{
+		for (i=0; i<num; ++i)
+			{
+			p= &(base[i*size]);
+			c = (*cmp)(key,p);
+			if (c == 0 || (c < 0 && (flags & OBJ_BSEARCH_VALUE_ON_NOMATCH)))
+				return p;
+			}
+		}
 #endif
-	return(NULL);
+	if (c != 0 && !(flags & OBJ_BSEARCH_VALUE_ON_NOMATCH))
+		p = NULL;
+	else if (c == 0 && (flags & OBJ_BSEARCH_FIRST_VALUE_ON_MATCH))
+		{
+		while(i > 0 && (*cmp)(key,&(base[(i-1)*size])) == 0)
+			i--;
+		p = &(base[i*size]);
+		}
+	return(p);
 	}
 
 int OBJ_create_objects(BIO *in)
@@ -648,7 +767,7 @@ int OBJ_create(const char *oid, const char *sn, const char *ln)
 
 	if ((buf=(unsigned char *)OPENSSL_malloc(i)) == NULL)
 		{
-		OBJerr(OBJ_F_OBJ_CREATE,OBJ_R_MALLOC_FAILURE);
+		OBJerr(OBJ_F_OBJ_CREATE,ERR_R_MALLOC_FAILURE);
 		return(0);
 		}
 	i=a2d_ASN1_OBJECT(buf,i,oid,-1);
diff --git a/crypto/openssl/crypto/objects/obj_dat.h b/crypto/openssl/crypto/objects/obj_dat.h
index 9de7b1217efa..db4400c28586 100644
--- a/crypto/openssl/crypto/objects/obj_dat.h
+++ b/crypto/openssl/crypto/objects/obj_dat.h
@@ -62,12 +62,12 @@
  * [including the GNU Public Licence.]
  */
 
-#define NUM_NID 660
-#define NUM_SN 653
-#define NUM_LN 653
-#define NUM_OBJ 617
+#define NUM_NID 751
+#define NUM_SN 747
+#define NUM_LN 747
+#define NUM_OBJ 709
 
-static unsigned char lvalues[4455]={
+static unsigned char lvalues[5002]={
 0x00,                                        /* [  0] OBJ_undef */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
@@ -330,9 +330,9 @@ static unsigned char lvalues[4455]={
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x04,     /* [2092] OBJ_ac_auditEntity */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x05,     /* [2100] OBJ_ac_targeting */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x06,     /* [2108] OBJ_aaControls */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07,     /* [2116] OBJ_sbqp_ipAddrBlock */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,     /* [2124] OBJ_sbqp_autonomousSysNum */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,     /* [2132] OBJ_sbqp_routerIdentifier */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07,     /* [2116] OBJ_sbgp_ipAddrBlock */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,     /* [2124] OBJ_sbgp_autonomousSysNum */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,     /* [2132] OBJ_sbgp_routerIdentifier */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x03,     /* [2140] OBJ_textNotice */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x05,     /* [2148] OBJ_ipsecEndSystem */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x06,     /* [2156] OBJ_ipsecTunnel */
@@ -432,7 +432,7 @@ static unsigned char lvalues[4455]={
 0x2B,0x06,0x01,0x04,0x01,0x8B,0x3A,0x82,0x58,/* [2865] OBJ_dcObject */
 0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x19,/* [2874] OBJ_domainComponent */
 0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0D,/* [2884] OBJ_Domain */
-0x50,                                        /* [2894] OBJ_joint_iso_ccitt */
+0x00,                                        /* [2894] OBJ_joint_iso_ccitt */
 0x55,0x01,0x05,                              /* [2895] OBJ_selected_attribute_types */
 0x55,0x01,0x05,0x37,                         /* [2898] OBJ_clearance */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x03,/* [2902] OBJ_md4WithRSAEncryption */
@@ -683,8 +683,100 @@ static unsigned char lvalues[4455]={
 0x67,0x2A,0x08,0xAE,0x7B,                    /* [4412] OBJ_set_brand_Novus */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x0A,     /* [4417] OBJ_des_cdmf */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x06,/* [4425] OBJ_rsaOAEPEncryptionSET */
-0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x02,/* [4434] OBJ_ms_smartcard_login */
-0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,/* [4444] OBJ_ms_upn */
+0x00,                                        /* [4434] OBJ_itu_t */
+0x50,                                        /* [4435] OBJ_joint_iso_itu_t */
+0x67,                                        /* [4436] OBJ_international_organizations */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x02,/* [4437] OBJ_ms_smartcard_login */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,/* [4447] OBJ_ms_upn */
+0x55,0x04,0x09,                              /* [4457] OBJ_streetAddress */
+0x55,0x04,0x11,                              /* [4460] OBJ_postalCode */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,          /* [4463] OBJ_id_ppl */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E,     /* [4470] OBJ_proxyCertInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00,     /* [4478] OBJ_id_ppl_anyLanguage */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01,     /* [4486] OBJ_id_ppl_inheritAll */
+0x55,0x1D,0x1E,                              /* [4494] OBJ_name_constraints */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02,     /* [4497] OBJ_Independent */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,/* [4505] OBJ_sha256WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0C,/* [4514] OBJ_sha384WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0D,/* [4523] OBJ_sha512WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0E,/* [4532] OBJ_sha224WithRSAEncryption */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,/* [4541] OBJ_sha256 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,/* [4550] OBJ_sha384 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,/* [4559] OBJ_sha512 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,/* [4568] OBJ_sha224 */
+0x2B,                                        /* [4577] OBJ_identified_organization */
+0x2B,0x81,0x04,                              /* [4578] OBJ_certicom_arc */
+0x67,0x2B,                                   /* [4581] OBJ_wap */
+0x67,0x2B,0x0D,                              /* [4583] OBJ_wap_wsg */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,     /* [4586] OBJ_X9_62_id_characteristic_two_basis */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x01,/* [4594] OBJ_X9_62_onBasis */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x02,/* [4603] OBJ_X9_62_tpBasis */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x03,/* [4612] OBJ_X9_62_ppBasis */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x01,     /* [4621] OBJ_X9_62_c2pnb163v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x02,     /* [4629] OBJ_X9_62_c2pnb163v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x03,     /* [4637] OBJ_X9_62_c2pnb163v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x04,     /* [4645] OBJ_X9_62_c2pnb176v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x05,     /* [4653] OBJ_X9_62_c2tnb191v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x06,     /* [4661] OBJ_X9_62_c2tnb191v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x07,     /* [4669] OBJ_X9_62_c2tnb191v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x08,     /* [4677] OBJ_X9_62_c2onb191v4 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x09,     /* [4685] OBJ_X9_62_c2onb191v5 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0A,     /* [4693] OBJ_X9_62_c2pnb208w1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0B,     /* [4701] OBJ_X9_62_c2tnb239v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0C,     /* [4709] OBJ_X9_62_c2tnb239v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0D,     /* [4717] OBJ_X9_62_c2tnb239v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0E,     /* [4725] OBJ_X9_62_c2onb239v4 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0F,     /* [4733] OBJ_X9_62_c2onb239v5 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x10,     /* [4741] OBJ_X9_62_c2pnb272w1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x11,     /* [4749] OBJ_X9_62_c2pnb304w1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x12,     /* [4757] OBJ_X9_62_c2tnb359v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x13,     /* [4765] OBJ_X9_62_c2pnb368w1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x14,     /* [4773] OBJ_X9_62_c2tnb431r1 */
+0x2B,0x81,0x04,0x00,0x06,                    /* [4781] OBJ_secp112r1 */
+0x2B,0x81,0x04,0x00,0x07,                    /* [4786] OBJ_secp112r2 */
+0x2B,0x81,0x04,0x00,0x1C,                    /* [4791] OBJ_secp128r1 */
+0x2B,0x81,0x04,0x00,0x1D,                    /* [4796] OBJ_secp128r2 */
+0x2B,0x81,0x04,0x00,0x09,                    /* [4801] OBJ_secp160k1 */
+0x2B,0x81,0x04,0x00,0x08,                    /* [4806] OBJ_secp160r1 */
+0x2B,0x81,0x04,0x00,0x1E,                    /* [4811] OBJ_secp160r2 */
+0x2B,0x81,0x04,0x00,0x1F,                    /* [4816] OBJ_secp192k1 */
+0x2B,0x81,0x04,0x00,0x20,                    /* [4821] OBJ_secp224k1 */
+0x2B,0x81,0x04,0x00,0x21,                    /* [4826] OBJ_secp224r1 */
+0x2B,0x81,0x04,0x00,0x0A,                    /* [4831] OBJ_secp256k1 */
+0x2B,0x81,0x04,0x00,0x22,                    /* [4836] OBJ_secp384r1 */
+0x2B,0x81,0x04,0x00,0x23,                    /* [4841] OBJ_secp521r1 */
+0x2B,0x81,0x04,0x00,0x04,                    /* [4846] OBJ_sect113r1 */
+0x2B,0x81,0x04,0x00,0x05,                    /* [4851] OBJ_sect113r2 */
+0x2B,0x81,0x04,0x00,0x16,                    /* [4856] OBJ_sect131r1 */
+0x2B,0x81,0x04,0x00,0x17,                    /* [4861] OBJ_sect131r2 */
+0x2B,0x81,0x04,0x00,0x01,                    /* [4866] OBJ_sect163k1 */
+0x2B,0x81,0x04,0x00,0x02,                    /* [4871] OBJ_sect163r1 */
+0x2B,0x81,0x04,0x00,0x0F,                    /* [4876] OBJ_sect163r2 */
+0x2B,0x81,0x04,0x00,0x18,                    /* [4881] OBJ_sect193r1 */
+0x2B,0x81,0x04,0x00,0x19,                    /* [4886] OBJ_sect193r2 */
+0x2B,0x81,0x04,0x00,0x1A,                    /* [4891] OBJ_sect233k1 */
+0x2B,0x81,0x04,0x00,0x1B,                    /* [4896] OBJ_sect233r1 */
+0x2B,0x81,0x04,0x00,0x03,                    /* [4901] OBJ_sect239k1 */
+0x2B,0x81,0x04,0x00,0x10,                    /* [4906] OBJ_sect283k1 */
+0x2B,0x81,0x04,0x00,0x11,                    /* [4911] OBJ_sect283r1 */
+0x2B,0x81,0x04,0x00,0x24,                    /* [4916] OBJ_sect409k1 */
+0x2B,0x81,0x04,0x00,0x25,                    /* [4921] OBJ_sect409r1 */
+0x2B,0x81,0x04,0x00,0x26,                    /* [4926] OBJ_sect571k1 */
+0x2B,0x81,0x04,0x00,0x27,                    /* [4931] OBJ_sect571r1 */
+0x67,0x2B,0x0D,0x04,0x01,                    /* [4936] OBJ_wap_wsg_idm_ecid_wtls1 */
+0x67,0x2B,0x0D,0x04,0x03,                    /* [4941] OBJ_wap_wsg_idm_ecid_wtls3 */
+0x67,0x2B,0x0D,0x04,0x04,                    /* [4946] OBJ_wap_wsg_idm_ecid_wtls4 */
+0x67,0x2B,0x0D,0x04,0x05,                    /* [4951] OBJ_wap_wsg_idm_ecid_wtls5 */
+0x67,0x2B,0x0D,0x04,0x06,                    /* [4956] OBJ_wap_wsg_idm_ecid_wtls6 */
+0x67,0x2B,0x0D,0x04,0x07,                    /* [4961] OBJ_wap_wsg_idm_ecid_wtls7 */
+0x67,0x2B,0x0D,0x04,0x08,                    /* [4966] OBJ_wap_wsg_idm_ecid_wtls8 */
+0x67,0x2B,0x0D,0x04,0x09,                    /* [4971] OBJ_wap_wsg_idm_ecid_wtls9 */
+0x67,0x2B,0x0D,0x04,0x0A,                    /* [4976] OBJ_wap_wsg_idm_ecid_wtls10 */
+0x67,0x2B,0x0D,0x04,0x0B,                    /* [4981] OBJ_wap_wsg_idm_ecid_wtls11 */
+0x67,0x2B,0x0D,0x04,0x0C,                    /* [4986] OBJ_wap_wsg_idm_ecid_wtls12 */
+0x55,0x1D,0x20,0x00,                         /* [4991] OBJ_any_policy */
+0x55,0x1D,0x21,                              /* [4995] OBJ_policy_mappings */
+0x55,0x1D,0x36,                              /* [4998] OBJ_inhibit_any_policy */
 };
 
 static ASN1_OBJECT nid_objs[NUM_NID]={
@@ -732,21 +824,21 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"DES-CFB","des-cfb",NID_des_cfb64,5,&(lvalues[192]),0},
 {"DES-CBC","des-cbc",NID_des_cbc,5,&(lvalues[197]),0},
 {"DES-EDE","des-ede",NID_des_ede_ecb,5,&(lvalues[202]),0},
-{"DES-EDE3","des-ede3",NID_des_ede3_ecb,0,NULL},
+{"DES-EDE3","des-ede3",NID_des_ede3_ecb,0,NULL,0},
 {"IDEA-CBC","idea-cbc",NID_idea_cbc,11,&(lvalues[207]),0},
-{"IDEA-CFB","idea-cfb",NID_idea_cfb64,0,NULL},
-{"IDEA-ECB","idea-ecb",NID_idea_ecb,0,NULL},
+{"IDEA-CFB","idea-cfb",NID_idea_cfb64,0,NULL,0},
+{"IDEA-ECB","idea-ecb",NID_idea_ecb,0,NULL,0},
 {"RC2-CBC","rc2-cbc",NID_rc2_cbc,8,&(lvalues[218]),0},
-{"RC2-ECB","rc2-ecb",NID_rc2_ecb,0,NULL},
-{"RC2-CFB","rc2-cfb",NID_rc2_cfb64,0,NULL},
-{"RC2-OFB","rc2-ofb",NID_rc2_ofb64,0,NULL},
+{"RC2-ECB","rc2-ecb",NID_rc2_ecb,0,NULL,0},
+{"RC2-CFB","rc2-cfb",NID_rc2_cfb64,0,NULL,0},
+{"RC2-OFB","rc2-ofb",NID_rc2_ofb64,0,NULL,0},
 {"SHA","sha",NID_sha,5,&(lvalues[226]),0},
 {"RSA-SHA","shaWithRSAEncryption",NID_shaWithRSAEncryption,5,
 	&(lvalues[231]),0},
-{"DES-EDE-CBC","des-ede-cbc",NID_des_ede_cbc,0,NULL},
+{"DES-EDE-CBC","des-ede-cbc",NID_des_ede_cbc,0,NULL,0},
 {"DES-EDE3-CBC","des-ede3-cbc",NID_des_ede3_cbc,8,&(lvalues[236]),0},
 {"DES-OFB","des-ofb",NID_des_ofb64,5,&(lvalues[244]),0},
-{"IDEA-OFB","idea-ofb",NID_idea_ofb64,0,NULL},
+{"IDEA-OFB","idea-ofb",NID_idea_ofb64,0,NULL,0},
 {"pkcs9","pkcs9",NID_pkcs9,8,&(lvalues[249]),0},
 {"emailAddress","emailAddress",NID_pkcs9_emailAddress,9,
 	&(lvalues[257]),0},
@@ -770,10 +862,10 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 	NID_netscape_cert_extension,8,&(lvalues[345]),0},
 {"nsDataType","Netscape Data Type",NID_netscape_data_type,8,
 	&(lvalues[353]),0},
-{"DES-EDE-CFB","des-ede-cfb",NID_des_ede_cfb64,0,NULL},
-{"DES-EDE3-CFB","des-ede3-cfb",NID_des_ede3_cfb64,0,NULL},
-{"DES-EDE-OFB","des-ede-ofb",NID_des_ede_ofb64,0,NULL},
-{"DES-EDE3-OFB","des-ede3-ofb",NID_des_ede3_ofb64,0,NULL},
+{"DES-EDE-CFB","des-ede-cfb",NID_des_ede_cfb64,0,NULL,0},
+{"DES-EDE3-CFB","des-ede3-cfb",NID_des_ede3_cfb64,0,NULL,0},
+{"DES-EDE-OFB","des-ede-ofb",NID_des_ede_ofb64,0,NULL,0},
+{"DES-EDE3-OFB","des-ede3-ofb",NID_des_ede3_ofb64,0,NULL,0},
 {"SHA1","sha1",NID_sha1,5,&(lvalues[361]),0},
 {"RSA-SHA1","sha1WithRSAEncryption",NID_sha1WithRSAEncryption,9,
 	&(lvalues[366]),0},
@@ -800,7 +892,7 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"nsComment","Netscape Comment",NID_netscape_comment,9,&(lvalues[471]),0},
 {"nsCertSequence","Netscape Certificate Sequence",
 	NID_netscape_cert_sequence,9,&(lvalues[480]),0},
-{"DESX-CBC","desx-cbc",NID_desx_cbc,0,NULL},
+{"DESX-CBC","desx-cbc",NID_desx_cbc,0,NULL,0},
 {"id-ce","id-ce",NID_id_ce,2,&(lvalues[489]),0},
 {"subjectKeyIdentifier","X509v3 Subject Key Identifier",
 	NID_subject_key_identifier,3,&(lvalues[491]),0},
@@ -819,17 +911,17 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"authorityKeyIdentifier","X509v3 Authority Key Identifier",
 	NID_authority_key_identifier,3,&(lvalues[515]),0},
 {"BF-CBC","bf-cbc",NID_bf_cbc,9,&(lvalues[518]),0},
-{"BF-ECB","bf-ecb",NID_bf_ecb,0,NULL},
-{"BF-CFB","bf-cfb",NID_bf_cfb64,0,NULL},
-{"BF-OFB","bf-ofb",NID_bf_ofb64,0,NULL},
+{"BF-ECB","bf-ecb",NID_bf_ecb,0,NULL,0},
+{"BF-CFB","bf-cfb",NID_bf_cfb64,0,NULL,0},
+{"BF-OFB","bf-ofb",NID_bf_ofb64,0,NULL,0},
 {"MDC2","mdc2",NID_mdc2,4,&(lvalues[527]),0},
 {"RSA-MDC2","mdc2WithRSA",NID_mdc2WithRSA,4,&(lvalues[531]),0},
-{"RC4-40","rc4-40",NID_rc4_40,0,NULL},
-{"RC2-40-CBC","rc2-40-cbc",NID_rc2_40_cbc,0,NULL},
+{"RC4-40","rc4-40",NID_rc4_40,0,NULL,0},
+{"RC2-40-CBC","rc2-40-cbc",NID_rc2_40_cbc,0,NULL,0},
 {"GN","givenName",NID_givenName,3,&(lvalues[535]),0},
 {"SN","surname",NID_surname,3,&(lvalues[538]),0},
 {"initials","initials",NID_initials,3,&(lvalues[541]),0},
-{NULL,NULL,NID_undef,0,NULL},
+{NULL,NULL,NID_undef,0,NULL,0},
 {"crlDistributionPoints","X509v3 CRL Distribution Points",
 	NID_crl_distribution_points,3,&(lvalues[544]),0},
 {"RSA-NP-MD5","md5WithRSA",NID_md5WithRSA,5,&(lvalues[547]),0},
@@ -837,23 +929,23 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"title","title",NID_title,3,&(lvalues[555]),0},
 {"description","description",NID_description,3,&(lvalues[558]),0},
 {"CAST5-CBC","cast5-cbc",NID_cast5_cbc,9,&(lvalues[561]),0},
-{"CAST5-ECB","cast5-ecb",NID_cast5_ecb,0,NULL},
-{"CAST5-CFB","cast5-cfb",NID_cast5_cfb64,0,NULL},
-{"CAST5-OFB","cast5-ofb",NID_cast5_ofb64,0,NULL},
+{"CAST5-ECB","cast5-ecb",NID_cast5_ecb,0,NULL,0},
+{"CAST5-CFB","cast5-cfb",NID_cast5_cfb64,0,NULL,0},
+{"CAST5-OFB","cast5-ofb",NID_cast5_ofb64,0,NULL,0},
 {"pbeWithMD5AndCast5CBC","pbeWithMD5AndCast5CBC",
 	NID_pbeWithMD5AndCast5_CBC,9,&(lvalues[570]),0},
 {"DSA-SHA1","dsaWithSHA1",NID_dsaWithSHA1,7,&(lvalues[579]),0},
-{"MD5-SHA1","md5-sha1",NID_md5_sha1,0,NULL},
+{"MD5-SHA1","md5-sha1",NID_md5_sha1,0,NULL,0},
 {"RSA-SHA1-2","sha1WithRSA",NID_sha1WithRSA,5,&(lvalues[586]),0},
 {"DSA","dsaEncryption",NID_dsa,7,&(lvalues[591]),0},
 {"RIPEMD160","ripemd160",NID_ripemd160,5,&(lvalues[598]),0},
-{NULL,NULL,NID_undef,0,NULL},
+{NULL,NULL,NID_undef,0,NULL,0},
 {"RSA-RIPEMD160","ripemd160WithRSA",NID_ripemd160WithRSA,6,
 	&(lvalues[603]),0},
 {"RC5-CBC","rc5-cbc",NID_rc5_cbc,8,&(lvalues[609]),0},
-{"RC5-ECB","rc5-ecb",NID_rc5_ecb,0,NULL},
-{"RC5-CFB","rc5-cfb",NID_rc5_cfb64,0,NULL},
-{"RC5-OFB","rc5-ofb",NID_rc5_ofb64,0,NULL},
+{"RC5-ECB","rc5-ecb",NID_rc5_ecb,0,NULL,0},
+{"RC5-CFB","rc5-cfb",NID_rc5_cfb64,0,NULL,0},
+{"RC5-OFB","rc5-ofb",NID_rc5_ofb64,0,NULL,0},
 {"RLE","run length compression",NID_rle_compression,6,&(lvalues[617]),0},
 {"ZLIB","zlib compression",NID_zlib_compression,6,&(lvalues[623]),0},
 {"extendedKeyUsage","X509v3 Extended Key Usage",NID_ext_key_usage,3,
@@ -917,7 +1009,7 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"id-qt-cps","Policy Qualifier CPS",NID_id_qt_cps,8,&(lvalues[958]),0},
 {"id-qt-unotice","Policy Qualifier User Notice",NID_id_qt_unotice,8,
 	&(lvalues[966]),0},
-{"RC2-64-CBC","rc2-64-cbc",NID_rc2_64_cbc,0,NULL},
+{"RC2-64-CBC","rc2-64-cbc",NID_rc2_64_cbc,0,NULL,0},
 {"SMIME-CAPS","S/MIME Capabilities",NID_SMIMECapabilities,9,
 	&(lvalues[974]),0},
 {"PBE-MD2-RC2-64","pbeWithMD2AndRC2-CBC",NID_pbeWithMD2AndRC2_CBC,9,
@@ -1127,12 +1219,12 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 	&(lvalues[2092]),0},
 {"ac-targeting","ac-targeting",NID_ac_targeting,8,&(lvalues[2100]),0},
 {"aaControls","aaControls",NID_aaControls,8,&(lvalues[2108]),0},
-{"sbqp-ipAddrBlock","sbqp-ipAddrBlock",NID_sbqp_ipAddrBlock,8,
+{"sbgp-ipAddrBlock","sbgp-ipAddrBlock",NID_sbgp_ipAddrBlock,8,
 	&(lvalues[2116]),0},
-{"sbqp-autonomousSysNum","sbqp-autonomousSysNum",
-	NID_sbqp_autonomousSysNum,8,&(lvalues[2124]),0},
-{"sbqp-routerIdentifier","sbqp-routerIdentifier",
-	NID_sbqp_routerIdentifier,8,&(lvalues[2132]),0},
+{"sbgp-autonomousSysNum","sbgp-autonomousSysNum",
+	NID_sbgp_autonomousSysNum,8,&(lvalues[2124]),0},
+{"sbgp-routerIdentifier","sbgp-routerIdentifier",
+	NID_sbgp_routerIdentifier,8,&(lvalues[2132]),0},
 {"textNotice","textNotice",NID_textNotice,8,&(lvalues[2140]),0},
 {"ipsecEndSystem","IPSec End System",NID_ipsecEndSystem,8,
 	&(lvalues[2148]),0},
@@ -1238,7 +1330,7 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 	&(lvalues[2588]),0},
 {"id-pda-placeOfBirth","id-pda-placeOfBirth",NID_id_pda_placeOfBirth,
 	8,&(lvalues[2596]),0},
-{NULL,NULL,NID_undef,0,NULL},
+{NULL,NULL,NID_undef,0,NULL,0},
 {"id-pda-gender","id-pda-gender",NID_id_pda_gender,8,&(lvalues[2604]),0},
 {"id-pda-countryOfCitizenship","id-pda-countryOfCitizenship",
 	NID_id_pda_countryOfCitizenship,8,&(lvalues[2612]),0},
@@ -1297,8 +1389,7 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"dcobject","dcObject",NID_dcObject,9,&(lvalues[2865]),0},
 {"DC","domainComponent",NID_domainComponent,10,&(lvalues[2874]),0},
 {"domain","Domain",NID_Domain,10,&(lvalues[2884]),0},
-{"JOINT-ISO-CCITT","joint-iso-ccitt",NID_joint_iso_ccitt,1,
-	&(lvalues[2894]),0},
+{"NULL","NULL",NID_joint_iso_ccitt,1,&(lvalues[2894]),0},
 {"selected-attribute-types","Selected Attribute Types",
 	NID_selected_attribute_types,3,&(lvalues[2895]),0},
 {"clearance","clearance",NID_clearance,4,&(lvalues[2898]),0},
@@ -1316,7 +1407,7 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 	&(lvalues[2941]),0},
 {"noRevAvail","X509v3 No Revocation Available",NID_no_rev_avail,3,
 	&(lvalues[2944]),0},
-{"CCITT","ccitt",NID_ccitt,1,&(lvalues[2947]),0},
+{"NULL","NULL",NID_ccitt,1,&(lvalues[2947]),0},
 {"ansi-X9-62","ANSI X9.62",NID_ansi_X9_62,5,&(lvalues[2948]),0},
 {"prime-field","prime-field",NID_X9_62_prime_field,7,&(lvalues[2953]),0},
 {"characteristic-two-field","characteristic-two-field",
@@ -1471,7 +1562,7 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"generationQualifier","generationQualifier",NID_generationQualifier,
 	3,&(lvalues[3877]),0},
 {"pseudonym","pseudonym",NID_pseudonym,3,&(lvalues[3880]),0},
-{NULL,NULL,NID_undef,0,NULL},
+{NULL,NULL,NID_undef,0,NULL,0},
 {"id-set","Secure Electronic Transactions",NID_id_set,2,
 	&(lvalues[3883]),0},
 {"set-ctype","content types",NID_set_ctype,3,&(lvalues[3885]),0},
@@ -1721,23 +1812,139 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"DES-CDMF","des-cdmf",NID_des_cdmf,8,&(lvalues[4417]),0},
 {"rsaOAEPEncryptionSET","rsaOAEPEncryptionSET",
 	NID_rsaOAEPEncryptionSET,9,&(lvalues[4425]),0},
-{NULL,NULL,NID_undef,0,NULL},
-{NULL,NULL,NID_undef,0,NULL},
-{NULL,NULL,NID_undef,0,NULL},
+{"ITU-T","itu-t",NID_itu_t,1,&(lvalues[4434]),0},
+{"JOINT-ISO-ITU-T","joint-iso-itu-t",NID_joint_iso_itu_t,1,
+	&(lvalues[4435]),0},
+{"international-organizations","International Organizations",
+	NID_international_organizations,1,&(lvalues[4436]),0},
 {"msSmartcardLogin","Microsoft Smartcardlogin",NID_ms_smartcard_login,
-	10,&(lvalues[4434]),0},
+	10,&(lvalues[4437]),0},
 {"msUPN","Microsoft Universal Principal Name",NID_ms_upn,10,
-	&(lvalues[4444]),0},
-{"AES-128-CFB1","aes-128-cfb1",NID_aes_128_cfb1,0,NULL},
-{"AES-192-CFB1","aes-192-cfb1",NID_aes_192_cfb1,0,NULL},
-{"AES-256-CFB1","aes-256-cfb1",NID_aes_256_cfb1,0,NULL},
-{"AES-128-CFB8","aes-128-cfb8",NID_aes_128_cfb8,0,NULL},
-{"AES-192-CFB8","aes-192-cfb8",NID_aes_192_cfb8,0,NULL},
-{"AES-256-CFB8","aes-256-cfb8",NID_aes_256_cfb8,0,NULL},
-{"DES-CFB1","des-cfb1",NID_des_cfb1,0,NULL},
-{"DES-CFB8","des-cfb8",NID_des_cfb8,0,NULL},
-{"DES-EDE3-CFB1","des-ede3-cfb1",NID_des_ede3_cfb1,0,NULL},
-{"DES-EDE3-CFB8","des-ede3-cfb8",NID_des_ede3_cfb8,0,NULL},
+	&(lvalues[4447]),0},
+{"AES-128-CFB1","aes-128-cfb1",NID_aes_128_cfb1,0,NULL,0},
+{"AES-192-CFB1","aes-192-cfb1",NID_aes_192_cfb1,0,NULL,0},
+{"AES-256-CFB1","aes-256-cfb1",NID_aes_256_cfb1,0,NULL,0},
+{"AES-128-CFB8","aes-128-cfb8",NID_aes_128_cfb8,0,NULL,0},
+{"AES-192-CFB8","aes-192-cfb8",NID_aes_192_cfb8,0,NULL,0},
+{"AES-256-CFB8","aes-256-cfb8",NID_aes_256_cfb8,0,NULL,0},
+{"DES-CFB1","des-cfb1",NID_des_cfb1,0,NULL,0},
+{"DES-CFB8","des-cfb8",NID_des_cfb8,0,NULL,0},
+{"DES-EDE3-CFB1","des-ede3-cfb1",NID_des_ede3_cfb1,0,NULL,0},
+{"DES-EDE3-CFB8","des-ede3-cfb8",NID_des_ede3_cfb8,0,NULL,0},
+{"streetAddress","streetAddress",NID_streetAddress,3,&(lvalues[4457]),0},
+{"postalCode","postalCode",NID_postalCode,3,&(lvalues[4460]),0},
+{"id-ppl","id-ppl",NID_id_ppl,7,&(lvalues[4463]),0},
+{"proxyCertInfo","Proxy Certificate Information",NID_proxyCertInfo,8,
+	&(lvalues[4470]),0},
+{"id-ppl-anyLanguage","Any language",NID_id_ppl_anyLanguage,8,
+	&(lvalues[4478]),0},
+{"id-ppl-inheritAll","Inherit all",NID_id_ppl_inheritAll,8,
+	&(lvalues[4486]),0},
+{"nameConstraints","X509v3 Name Constraints",NID_name_constraints,3,
+	&(lvalues[4494]),0},
+{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4497]),0},
+{"RSA-SHA256","sha256WithRSAEncryption",NID_sha256WithRSAEncryption,9,
+	&(lvalues[4505]),0},
+{"RSA-SHA384","sha384WithRSAEncryption",NID_sha384WithRSAEncryption,9,
+	&(lvalues[4514]),0},
+{"RSA-SHA512","sha512WithRSAEncryption",NID_sha512WithRSAEncryption,9,
+	&(lvalues[4523]),0},
+{"RSA-SHA224","sha224WithRSAEncryption",NID_sha224WithRSAEncryption,9,
+	&(lvalues[4532]),0},
+{"SHA256","sha256",NID_sha256,9,&(lvalues[4541]),0},
+{"SHA384","sha384",NID_sha384,9,&(lvalues[4550]),0},
+{"SHA512","sha512",NID_sha512,9,&(lvalues[4559]),0},
+{"SHA224","sha224",NID_sha224,9,&(lvalues[4568]),0},
+{"identified-organization","identified-organization",
+	NID_identified_organization,1,&(lvalues[4577]),0},
+{"certicom-arc","certicom-arc",NID_certicom_arc,3,&(lvalues[4578]),0},
+{"wap","wap",NID_wap,2,&(lvalues[4581]),0},
+{"wap-wsg","wap-wsg",NID_wap_wsg,3,&(lvalues[4583]),0},
+{"id-characteristic-two-basis","id-characteristic-two-basis",
+	NID_X9_62_id_characteristic_two_basis,8,&(lvalues[4586]),0},
+{"onBasis","onBasis",NID_X9_62_onBasis,9,&(lvalues[4594]),0},
+{"tpBasis","tpBasis",NID_X9_62_tpBasis,9,&(lvalues[4603]),0},
+{"ppBasis","ppBasis",NID_X9_62_ppBasis,9,&(lvalues[4612]),0},
+{"c2pnb163v1","c2pnb163v1",NID_X9_62_c2pnb163v1,8,&(lvalues[4621]),0},
+{"c2pnb163v2","c2pnb163v2",NID_X9_62_c2pnb163v2,8,&(lvalues[4629]),0},
+{"c2pnb163v3","c2pnb163v3",NID_X9_62_c2pnb163v3,8,&(lvalues[4637]),0},
+{"c2pnb176v1","c2pnb176v1",NID_X9_62_c2pnb176v1,8,&(lvalues[4645]),0},
+{"c2tnb191v1","c2tnb191v1",NID_X9_62_c2tnb191v1,8,&(lvalues[4653]),0},
+{"c2tnb191v2","c2tnb191v2",NID_X9_62_c2tnb191v2,8,&(lvalues[4661]),0},
+{"c2tnb191v3","c2tnb191v3",NID_X9_62_c2tnb191v3,8,&(lvalues[4669]),0},
+{"c2onb191v4","c2onb191v4",NID_X9_62_c2onb191v4,8,&(lvalues[4677]),0},
+{"c2onb191v5","c2onb191v5",NID_X9_62_c2onb191v5,8,&(lvalues[4685]),0},
+{"c2pnb208w1","c2pnb208w1",NID_X9_62_c2pnb208w1,8,&(lvalues[4693]),0},
+{"c2tnb239v1","c2tnb239v1",NID_X9_62_c2tnb239v1,8,&(lvalues[4701]),0},
+{"c2tnb239v2","c2tnb239v2",NID_X9_62_c2tnb239v2,8,&(lvalues[4709]),0},
+{"c2tnb239v3","c2tnb239v3",NID_X9_62_c2tnb239v3,8,&(lvalues[4717]),0},
+{"c2onb239v4","c2onb239v4",NID_X9_62_c2onb239v4,8,&(lvalues[4725]),0},
+{"c2onb239v5","c2onb239v5",NID_X9_62_c2onb239v5,8,&(lvalues[4733]),0},
+{"c2pnb272w1","c2pnb272w1",NID_X9_62_c2pnb272w1,8,&(lvalues[4741]),0},
+{"c2pnb304w1","c2pnb304w1",NID_X9_62_c2pnb304w1,8,&(lvalues[4749]),0},
+{"c2tnb359v1","c2tnb359v1",NID_X9_62_c2tnb359v1,8,&(lvalues[4757]),0},
+{"c2pnb368w1","c2pnb368w1",NID_X9_62_c2pnb368w1,8,&(lvalues[4765]),0},
+{"c2tnb431r1","c2tnb431r1",NID_X9_62_c2tnb431r1,8,&(lvalues[4773]),0},
+{"secp112r1","secp112r1",NID_secp112r1,5,&(lvalues[4781]),0},
+{"secp112r2","secp112r2",NID_secp112r2,5,&(lvalues[4786]),0},
+{"secp128r1","secp128r1",NID_secp128r1,5,&(lvalues[4791]),0},
+{"secp128r2","secp128r2",NID_secp128r2,5,&(lvalues[4796]),0},
+{"secp160k1","secp160k1",NID_secp160k1,5,&(lvalues[4801]),0},
+{"secp160r1","secp160r1",NID_secp160r1,5,&(lvalues[4806]),0},
+{"secp160r2","secp160r2",NID_secp160r2,5,&(lvalues[4811]),0},
+{"secp192k1","secp192k1",NID_secp192k1,5,&(lvalues[4816]),0},
+{"secp224k1","secp224k1",NID_secp224k1,5,&(lvalues[4821]),0},
+{"secp224r1","secp224r1",NID_secp224r1,5,&(lvalues[4826]),0},
+{"secp256k1","secp256k1",NID_secp256k1,5,&(lvalues[4831]),0},
+{"secp384r1","secp384r1",NID_secp384r1,5,&(lvalues[4836]),0},
+{"secp521r1","secp521r1",NID_secp521r1,5,&(lvalues[4841]),0},
+{"sect113r1","sect113r1",NID_sect113r1,5,&(lvalues[4846]),0},
+{"sect113r2","sect113r2",NID_sect113r2,5,&(lvalues[4851]),0},
+{"sect131r1","sect131r1",NID_sect131r1,5,&(lvalues[4856]),0},
+{"sect131r2","sect131r2",NID_sect131r2,5,&(lvalues[4861]),0},
+{"sect163k1","sect163k1",NID_sect163k1,5,&(lvalues[4866]),0},
+{"sect163r1","sect163r1",NID_sect163r1,5,&(lvalues[4871]),0},
+{"sect163r2","sect163r2",NID_sect163r2,5,&(lvalues[4876]),0},
+{"sect193r1","sect193r1",NID_sect193r1,5,&(lvalues[4881]),0},
+{"sect193r2","sect193r2",NID_sect193r2,5,&(lvalues[4886]),0},
+{"sect233k1","sect233k1",NID_sect233k1,5,&(lvalues[4891]),0},
+{"sect233r1","sect233r1",NID_sect233r1,5,&(lvalues[4896]),0},
+{"sect239k1","sect239k1",NID_sect239k1,5,&(lvalues[4901]),0},
+{"sect283k1","sect283k1",NID_sect283k1,5,&(lvalues[4906]),0},
+{"sect283r1","sect283r1",NID_sect283r1,5,&(lvalues[4911]),0},
+{"sect409k1","sect409k1",NID_sect409k1,5,&(lvalues[4916]),0},
+{"sect409r1","sect409r1",NID_sect409r1,5,&(lvalues[4921]),0},
+{"sect571k1","sect571k1",NID_sect571k1,5,&(lvalues[4926]),0},
+{"sect571r1","sect571r1",NID_sect571r1,5,&(lvalues[4931]),0},
+{"wap-wsg-idm-ecid-wtls1","wap-wsg-idm-ecid-wtls1",
+	NID_wap_wsg_idm_ecid_wtls1,5,&(lvalues[4936]),0},
+{"wap-wsg-idm-ecid-wtls3","wap-wsg-idm-ecid-wtls3",
+	NID_wap_wsg_idm_ecid_wtls3,5,&(lvalues[4941]),0},
+{"wap-wsg-idm-ecid-wtls4","wap-wsg-idm-ecid-wtls4",
+	NID_wap_wsg_idm_ecid_wtls4,5,&(lvalues[4946]),0},
+{"wap-wsg-idm-ecid-wtls5","wap-wsg-idm-ecid-wtls5",
+	NID_wap_wsg_idm_ecid_wtls5,5,&(lvalues[4951]),0},
+{"wap-wsg-idm-ecid-wtls6","wap-wsg-idm-ecid-wtls6",
+	NID_wap_wsg_idm_ecid_wtls6,5,&(lvalues[4956]),0},
+{"wap-wsg-idm-ecid-wtls7","wap-wsg-idm-ecid-wtls7",
+	NID_wap_wsg_idm_ecid_wtls7,5,&(lvalues[4961]),0},
+{"wap-wsg-idm-ecid-wtls8","wap-wsg-idm-ecid-wtls8",
+	NID_wap_wsg_idm_ecid_wtls8,5,&(lvalues[4966]),0},
+{"wap-wsg-idm-ecid-wtls9","wap-wsg-idm-ecid-wtls9",
+	NID_wap_wsg_idm_ecid_wtls9,5,&(lvalues[4971]),0},
+{"wap-wsg-idm-ecid-wtls10","wap-wsg-idm-ecid-wtls10",
+	NID_wap_wsg_idm_ecid_wtls10,5,&(lvalues[4976]),0},
+{"wap-wsg-idm-ecid-wtls11","wap-wsg-idm-ecid-wtls11",
+	NID_wap_wsg_idm_ecid_wtls11,5,&(lvalues[4981]),0},
+{"wap-wsg-idm-ecid-wtls12","wap-wsg-idm-ecid-wtls12",
+	NID_wap_wsg_idm_ecid_wtls12,5,&(lvalues[4986]),0},
+{"anyPolicy","X509v3 Any Policy",NID_any_policy,4,&(lvalues[4991]),0},
+{"policyMappings","X509v3 Policy Mappings",NID_policy_mappings,3,
+	&(lvalues[4995]),0},
+{"inhibitAnyPolicy","X509v3 Inhibit Any Policy",
+	NID_inhibit_any_policy,3,&(lvalues[4998]),0},
+{"Oakley-EC2N-3","ipsec3",NID_ipsec3,0,NULL,0},
+{"Oakley-EC2N-4","ipsec4",NID_ipsec4,0,NULL,0},
 };
 
 static ASN1_OBJECT *sn_objs[NUM_SN]={
@@ -1769,7 +1976,6 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[110]),/* "CAST5-CFB" */
 &(nid_objs[109]),/* "CAST5-ECB" */
 &(nid_objs[111]),/* "CAST5-OFB" */
-&(nid_objs[404]),/* "CCITT" */
 &(nid_objs[13]),/* "CN" */
 &(nid_objs[141]),/* "CRLReason" */
 &(nid_objs[417]),/* "CSPName" */
@@ -1808,7 +2014,8 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[46]),/* "IDEA-OFB" */
 &(nid_objs[181]),/* "ISO" */
 &(nid_objs[183]),/* "ISO-US" */
-&(nid_objs[393]),/* "JOINT-ISO-CCITT" */
+&(nid_objs[645]),/* "ITU-T" */
+&(nid_objs[646]),/* "JOINT-ISO-ITU-T" */
 &(nid_objs[15]),/* "L" */
 &(nid_objs[ 3]),/* "MD2" */
 &(nid_objs[257]),/* "MD4" */
@@ -1816,6 +2023,8 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[114]),/* "MD5-SHA1" */
 &(nid_objs[95]),/* "MDC2" */
 &(nid_objs[388]),/* "Mail" */
+&(nid_objs[393]),/* "NULL" */
+&(nid_objs[404]),/* "NULL" */
 &(nid_objs[57]),/* "Netscape" */
 &(nid_objs[366]),/* "Nonce" */
 &(nid_objs[17]),/* "O" */
@@ -1823,6 +2032,8 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[180]),/* "OCSPSigning" */
 &(nid_objs[379]),/* "ORG" */
 &(nid_objs[18]),/* "OU" */
+&(nid_objs[749]),/* "Oakley-EC2N-3" */
+&(nid_objs[750]),/* "Oakley-EC2N-4" */
 &(nid_objs[ 9]),/* "PBE-MD2-DES" */
 &(nid_objs[168]),/* "PBE-MD2-RC2-64" */
 &(nid_objs[10]),/* "PBE-MD5-DES" */
@@ -1863,8 +2074,16 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[42]),/* "RSA-SHA" */
 &(nid_objs[65]),/* "RSA-SHA1" */
 &(nid_objs[115]),/* "RSA-SHA1-2" */
+&(nid_objs[671]),/* "RSA-SHA224" */
+&(nid_objs[668]),/* "RSA-SHA256" */
+&(nid_objs[669]),/* "RSA-SHA384" */
+&(nid_objs[670]),/* "RSA-SHA512" */
 &(nid_objs[41]),/* "SHA" */
 &(nid_objs[64]),/* "SHA1" */
+&(nid_objs[675]),/* "SHA224" */
+&(nid_objs[672]),/* "SHA256" */
+&(nid_objs[673]),/* "SHA384" */
+&(nid_objs[674]),/* "SHA512" */
 &(nid_objs[188]),/* "SMIME" */
 &(nid_objs[167]),/* "SMIME-CAPS" */
 &(nid_objs[100]),/* "SN" */
@@ -1888,6 +2107,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[363]),/* "ad_timestamping" */
 &(nid_objs[376]),/* "algorithm" */
 &(nid_objs[405]),/* "ansi-X9-62" */
+&(nid_objs[746]),/* "anyPolicy" */
 &(nid_objs[370]),/* "archiveCutoff" */
 &(nid_objs[484]),/* "associatedDomain" */
 &(nid_objs[485]),/* "associatedName" */
@@ -1898,10 +2118,31 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[365]),/* "basicOCSPResponse" */
 &(nid_objs[285]),/* "biometricInfo" */
 &(nid_objs[494]),/* "buildingName" */
+&(nid_objs[691]),/* "c2onb191v4" */
+&(nid_objs[692]),/* "c2onb191v5" */
+&(nid_objs[697]),/* "c2onb239v4" */
+&(nid_objs[698]),/* "c2onb239v5" */
+&(nid_objs[684]),/* "c2pnb163v1" */
+&(nid_objs[685]),/* "c2pnb163v2" */
+&(nid_objs[686]),/* "c2pnb163v3" */
+&(nid_objs[687]),/* "c2pnb176v1" */
+&(nid_objs[693]),/* "c2pnb208w1" */
+&(nid_objs[699]),/* "c2pnb272w1" */
+&(nid_objs[700]),/* "c2pnb304w1" */
+&(nid_objs[702]),/* "c2pnb368w1" */
+&(nid_objs[688]),/* "c2tnb191v1" */
+&(nid_objs[689]),/* "c2tnb191v2" */
+&(nid_objs[690]),/* "c2tnb191v3" */
+&(nid_objs[694]),/* "c2tnb239v1" */
+&(nid_objs[695]),/* "c2tnb239v2" */
+&(nid_objs[696]),/* "c2tnb239v3" */
+&(nid_objs[701]),/* "c2tnb359v1" */
+&(nid_objs[703]),/* "c2tnb431r1" */
 &(nid_objs[483]),/* "cNAMERecord" */
 &(nid_objs[179]),/* "caIssuers" */
 &(nid_objs[443]),/* "caseIgnoreIA5StringSyntax" */
 &(nid_objs[152]),/* "certBag" */
+&(nid_objs[677]),/* "certicom-arc" */
 &(nid_objs[89]),/* "certificatePolicies" */
 &(nid_objs[54]),/* "challengePassword" */
 &(nid_objs[407]),/* "characteristic-two-field" */
@@ -1974,6 +2215,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[362]),/* "id-cct-PKIResponse" */
 &(nid_objs[360]),/* "id-cct-crs" */
 &(nid_objs[81]),/* "id-ce" */
+&(nid_objs[680]),/* "id-characteristic-two-basis" */
 &(nid_objs[263]),/* "id-cmc" */
 &(nid_objs[334]),/* "id-cmc-addExtensions" */
 &(nid_objs[346]),/* "id-cmc-confirmCertAcceptance" */
@@ -2042,6 +2284,10 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[271]),/* "id-pkix1-explicit-93" */
 &(nid_objs[270]),/* "id-pkix1-implicit-88" */
 &(nid_objs[272]),/* "id-pkix1-implicit-93" */
+&(nid_objs[662]),/* "id-ppl" */
+&(nid_objs[664]),/* "id-ppl-anyLanguage" */
+&(nid_objs[667]),/* "id-ppl-independent" */
+&(nid_objs[665]),/* "id-ppl-inheritAll" */
 &(nid_objs[267]),/* "id-qcs" */
 &(nid_objs[359]),/* "id-qcs-pkixQCSyntax-v1" */
 &(nid_objs[259]),/* "id-qt" */
@@ -2126,8 +2372,11 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[194]),/* "id-smime-spq" */
 &(nid_objs[250]),/* "id-smime-spq-ets-sqt-unotice" */
 &(nid_objs[249]),/* "id-smime-spq-ets-sqt-uri" */
+&(nid_objs[676]),/* "identified-organization" */
 &(nid_objs[461]),/* "info" */
+&(nid_objs[748]),/* "inhibitAnyPolicy" */
 &(nid_objs[101]),/* "initials" */
+&(nid_objs[647]),/* "international-organizations" */
 &(nid_objs[142]),/* "invalidityDate" */
 &(nid_objs[294]),/* "ipsecEndSystem" */
 &(nid_objs[295]),/* "ipsecTunnel" */
@@ -2160,6 +2409,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[649]),/* "msUPN" */
 &(nid_objs[481]),/* "nSRecord" */
 &(nid_objs[173]),/* "name" */
+&(nid_objs[666]),/* "nameConstraints" */
 &(nid_objs[369]),/* "noCheck" */
 &(nid_objs[403]),/* "noRevAvail" */
 &(nid_objs[72]),/* "nsBaseUrl" */
@@ -2174,6 +2424,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[73]),/* "nsRevocationUrl" */
 &(nid_objs[139]),/* "nsSGC" */
 &(nid_objs[77]),/* "nsSslServerName" */
+&(nid_objs[681]),/* "onBasis" */
 &(nid_objs[491]),/* "organizationalStatus" */
 &(nid_objs[475]),/* "otherMailbox" */
 &(nid_objs[489]),/* "pagerTelephoneNumber" */
@@ -2206,6 +2457,9 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[151]),/* "pkcs8ShroudedKeyBag" */
 &(nid_objs[47]),/* "pkcs9" */
 &(nid_objs[401]),/* "policyConstraints" */
+&(nid_objs[747]),/* "policyMappings" */
+&(nid_objs[661]),/* "postalCode" */
+&(nid_objs[683]),/* "ppBasis" */
 &(nid_objs[406]),/* "prime-field" */
 &(nid_objs[409]),/* "prime192v1" */
 &(nid_objs[410]),/* "prime192v2" */
@@ -2216,6 +2470,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[415]),/* "prime256v1" */
 &(nid_objs[385]),/* "private" */
 &(nid_objs[84]),/* "privateKeyUsagePeriod" */
+&(nid_objs[663]),/* "proxyCertInfo" */
 &(nid_objs[510]),/* "pseudonym" */
 &(nid_objs[435]),/* "pss" */
 &(nid_objs[286]),/* "qcStatements" */
@@ -2230,12 +2485,43 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[ 1]),/* "rsadsi" */
 &(nid_objs[482]),/* "sOARecord" */
 &(nid_objs[155]),/* "safeContentsBag" */
-&(nid_objs[291]),/* "sbqp-autonomousSysNum" */
-&(nid_objs[290]),/* "sbqp-ipAddrBlock" */
-&(nid_objs[292]),/* "sbqp-routerIdentifier" */
+&(nid_objs[291]),/* "sbgp-autonomousSysNum" */
+&(nid_objs[290]),/* "sbgp-ipAddrBlock" */
+&(nid_objs[292]),/* "sbgp-routerIdentifier" */
 &(nid_objs[159]),/* "sdsiCertificate" */
+&(nid_objs[704]),/* "secp112r1" */
+&(nid_objs[705]),/* "secp112r2" */
+&(nid_objs[706]),/* "secp128r1" */
+&(nid_objs[707]),/* "secp128r2" */
+&(nid_objs[708]),/* "secp160k1" */
+&(nid_objs[709]),/* "secp160r1" */
+&(nid_objs[710]),/* "secp160r2" */
+&(nid_objs[711]),/* "secp192k1" */
+&(nid_objs[712]),/* "secp224k1" */
+&(nid_objs[713]),/* "secp224r1" */
+&(nid_objs[714]),/* "secp256k1" */
+&(nid_objs[715]),/* "secp384r1" */
+&(nid_objs[716]),/* "secp521r1" */
 &(nid_objs[154]),/* "secretBag" */
 &(nid_objs[474]),/* "secretary" */
+&(nid_objs[717]),/* "sect113r1" */
+&(nid_objs[718]),/* "sect113r2" */
+&(nid_objs[719]),/* "sect131r1" */
+&(nid_objs[720]),/* "sect131r2" */
+&(nid_objs[721]),/* "sect163k1" */
+&(nid_objs[722]),/* "sect163r1" */
+&(nid_objs[723]),/* "sect163r2" */
+&(nid_objs[724]),/* "sect193r1" */
+&(nid_objs[725]),/* "sect193r2" */
+&(nid_objs[726]),/* "sect233k1" */
+&(nid_objs[727]),/* "sect233r1" */
+&(nid_objs[728]),/* "sect239k1" */
+&(nid_objs[729]),/* "sect283k1" */
+&(nid_objs[730]),/* "sect283r1" */
+&(nid_objs[731]),/* "sect409k1" */
+&(nid_objs[732]),/* "sect409r1" */
+&(nid_objs[733]),/* "sect571k1" */
+&(nid_objs[734]),/* "sect571r1" */
 &(nid_objs[386]),/* "security" */
 &(nid_objs[394]),/* "selected-attribute-types" */
 &(nid_objs[105]),/* "serialNumber" */
@@ -2375,6 +2661,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[454]),/* "simpleSecurityObject" */
 &(nid_objs[496]),/* "singleLevelQuality" */
 &(nid_objs[387]),/* "snmpv2" */
+&(nid_objs[660]),/* "streetAddress" */
 &(nid_objs[85]),/* "subjectAltName" */
 &(nid_objs[398]),/* "subjectInfoAccess" */
 &(nid_objs[82]),/* "subjectKeyIdentifier" */
@@ -2385,12 +2672,26 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[293]),/* "textNotice" */
 &(nid_objs[133]),/* "timeStamping" */
 &(nid_objs[106]),/* "title" */
+&(nid_objs[682]),/* "tpBasis" */
 &(nid_objs[375]),/* "trustRoot" */
 &(nid_objs[436]),/* "ucl" */
 &(nid_objs[55]),/* "unstructuredAddress" */
 &(nid_objs[49]),/* "unstructuredName" */
 &(nid_objs[465]),/* "userClass" */
 &(nid_objs[373]),/* "valid" */
+&(nid_objs[678]),/* "wap" */
+&(nid_objs[679]),/* "wap-wsg" */
+&(nid_objs[735]),/* "wap-wsg-idm-ecid-wtls1" */
+&(nid_objs[743]),/* "wap-wsg-idm-ecid-wtls10" */
+&(nid_objs[744]),/* "wap-wsg-idm-ecid-wtls11" */
+&(nid_objs[745]),/* "wap-wsg-idm-ecid-wtls12" */
+&(nid_objs[736]),/* "wap-wsg-idm-ecid-wtls3" */
+&(nid_objs[737]),/* "wap-wsg-idm-ecid-wtls4" */
+&(nid_objs[738]),/* "wap-wsg-idm-ecid-wtls5" */
+&(nid_objs[739]),/* "wap-wsg-idm-ecid-wtls6" */
+&(nid_objs[740]),/* "wap-wsg-idm-ecid-wtls7" */
+&(nid_objs[741]),/* "wap-wsg-idm-ecid-wtls8" */
+&(nid_objs[742]),/* "wap-wsg-idm-ecid-wtls9" */
 &(nid_objs[503]),/* "x500UniqueIdentifier" */
 &(nid_objs[158]),/* "x509Certificate" */
 &(nid_objs[160]),/* "x509Crl" */
@@ -2400,6 +2701,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[363]),/* "AD Time Stamping" */
 &(nid_objs[405]),/* "ANSI X9.62" */
 &(nid_objs[368]),/* "Acceptable OCSP Responses" */
+&(nid_objs[664]),/* "Any language" */
 &(nid_objs[177]),/* "Authority Information Access" */
 &(nid_objs[365]),/* "Basic OCSP Response" */
 &(nid_objs[285]),/* "Biometric Info" */
@@ -2422,6 +2724,9 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[296]),/* "IPSec User" */
 &(nid_objs[182]),/* "ISO Member Body" */
 &(nid_objs[183]),/* "ISO US Member Body" */
+&(nid_objs[667]),/* "Independent" */
+&(nid_objs[665]),/* "Inherit all" */
+&(nid_objs[647]),/* "International Organizations" */
 &(nid_objs[142]),/* "Invalidity Date" */
 &(nid_objs[504]),/* "MIME MHS" */
 &(nid_objs[388]),/* "Mail" */
@@ -2435,6 +2740,8 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[648]),/* "Microsoft Smartcardlogin" */
 &(nid_objs[136]),/* "Microsoft Trust List Signing" */
 &(nid_objs[649]),/* "Microsoft Universal Principal Name" */
+&(nid_objs[393]),/* "NULL" */
+&(nid_objs[404]),/* "NULL" */
 &(nid_objs[72]),/* "Netscape Base Url" */
 &(nid_objs[76]),/* "Netscape CA Policy Url" */
 &(nid_objs[74]),/* "Netscape CA Revocation Url" */
@@ -2462,6 +2769,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[164]),/* "Policy Qualifier CPS" */
 &(nid_objs[165]),/* "Policy Qualifier User Notice" */
 &(nid_objs[385]),/* "Private" */
+&(nid_objs[663]),/* "Proxy Certificate Information" */
 &(nid_objs[ 1]),/* "RSA Data Security, Inc." */
 &(nid_objs[ 2]),/* "RSA Data Security, Inc. PKCS" */
 &(nid_objs[188]),/* "S/MIME" */
@@ -2478,6 +2786,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[375]),/* "Trust Root" */
 &(nid_objs[12]),/* "X509" */
 &(nid_objs[402]),/* "X509v3 AC Targeting" */
+&(nid_objs[746]),/* "X509v3 Any Policy" */
 &(nid_objs[90]),/* "X509v3 Authority Key Identifier" */
 &(nid_objs[87]),/* "X509v3 Basic Constraints" */
 &(nid_objs[103]),/* "X509v3 CRL Distribution Points" */
@@ -2486,10 +2795,13 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[89]),/* "X509v3 Certificate Policies" */
 &(nid_objs[140]),/* "X509v3 Delta CRL Indicator" */
 &(nid_objs[126]),/* "X509v3 Extended Key Usage" */
+&(nid_objs[748]),/* "X509v3 Inhibit Any Policy" */
 &(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */
 &(nid_objs[83]),/* "X509v3 Key Usage" */
+&(nid_objs[666]),/* "X509v3 Name Constraints" */
 &(nid_objs[403]),/* "X509v3 No Revocation Available" */
 &(nid_objs[401]),/* "X509v3 Policy Constraints" */
+&(nid_objs[747]),/* "X509v3 Policy Mappings" */
 &(nid_objs[84]),/* "X509v3 Private Key Usage Period" */
 &(nid_objs[85]),/* "X509v3 Subject Alternative Name" */
 &(nid_objs[82]),/* "X509v3 Subject Key Identifier" */
@@ -2530,14 +2842,34 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[92]),/* "bf-ecb" */
 &(nid_objs[94]),/* "bf-ofb" */
 &(nid_objs[494]),/* "buildingName" */
+&(nid_objs[691]),/* "c2onb191v4" */
+&(nid_objs[692]),/* "c2onb191v5" */
+&(nid_objs[697]),/* "c2onb239v4" */
+&(nid_objs[698]),/* "c2onb239v5" */
+&(nid_objs[684]),/* "c2pnb163v1" */
+&(nid_objs[685]),/* "c2pnb163v2" */
+&(nid_objs[686]),/* "c2pnb163v3" */
+&(nid_objs[687]),/* "c2pnb176v1" */
+&(nid_objs[693]),/* "c2pnb208w1" */
+&(nid_objs[699]),/* "c2pnb272w1" */
+&(nid_objs[700]),/* "c2pnb304w1" */
+&(nid_objs[702]),/* "c2pnb368w1" */
+&(nid_objs[688]),/* "c2tnb191v1" */
+&(nid_objs[689]),/* "c2tnb191v2" */
+&(nid_objs[690]),/* "c2tnb191v3" */
+&(nid_objs[694]),/* "c2tnb239v1" */
+&(nid_objs[695]),/* "c2tnb239v2" */
+&(nid_objs[696]),/* "c2tnb239v3" */
+&(nid_objs[701]),/* "c2tnb359v1" */
+&(nid_objs[703]),/* "c2tnb431r1" */
 &(nid_objs[483]),/* "cNAMERecord" */
 &(nid_objs[443]),/* "caseIgnoreIA5StringSyntax" */
 &(nid_objs[108]),/* "cast5-cbc" */
 &(nid_objs[110]),/* "cast5-cfb" */
 &(nid_objs[109]),/* "cast5-ecb" */
 &(nid_objs[111]),/* "cast5-ofb" */
-&(nid_objs[404]),/* "ccitt" */
 &(nid_objs[152]),/* "certBag" */
+&(nid_objs[677]),/* "certicom-arc" */
 &(nid_objs[517]),/* "certificate extensions" */
 &(nid_objs[54]),/* "challengePassword" */
 &(nid_objs[407]),/* "characteristic-two-field" */
@@ -2630,6 +2962,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[362]),/* "id-cct-PKIResponse" */
 &(nid_objs[360]),/* "id-cct-crs" */
 &(nid_objs[81]),/* "id-ce" */
+&(nid_objs[680]),/* "id-characteristic-two-basis" */
 &(nid_objs[263]),/* "id-cmc" */
 &(nid_objs[334]),/* "id-cmc-addExtensions" */
 &(nid_objs[346]),/* "id-cmc-confirmCertAcceptance" */
@@ -2698,6 +3031,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[271]),/* "id-pkix1-explicit-93" */
 &(nid_objs[270]),/* "id-pkix1-implicit-88" */
 &(nid_objs[272]),/* "id-pkix1-implicit-93" */
+&(nid_objs[662]),/* "id-ppl" */
 &(nid_objs[267]),/* "id-qcs" */
 &(nid_objs[359]),/* "id-qcs-pkixQCSyntax-v1" */
 &(nid_objs[259]),/* "id-qt" */
@@ -2783,12 +3117,16 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[35]),/* "idea-cfb" */
 &(nid_objs[36]),/* "idea-ecb" */
 &(nid_objs[46]),/* "idea-ofb" */
+&(nid_objs[676]),/* "identified-organization" */
 &(nid_objs[461]),/* "info" */
 &(nid_objs[101]),/* "initials" */
+&(nid_objs[749]),/* "ipsec3" */
+&(nid_objs[750]),/* "ipsec4" */
 &(nid_objs[181]),/* "iso" */
 &(nid_objs[623]),/* "issuer capabilities" */
+&(nid_objs[645]),/* "itu-t" */
 &(nid_objs[492]),/* "janetMailbox" */
-&(nid_objs[393]),/* "joint-iso-ccitt" */
+&(nid_objs[646]),/* "joint-iso-itu-t" */
 &(nid_objs[150]),/* "keyBag" */
 &(nid_objs[477]),/* "lastModifiedBy" */
 &(nid_objs[476]),/* "lastModifiedTime" */
@@ -2815,6 +3153,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[488]),/* "mobileTelephoneNumber" */
 &(nid_objs[481]),/* "nSRecord" */
 &(nid_objs[173]),/* "name" */
+&(nid_objs[681]),/* "onBasis" */
 &(nid_objs[379]),/* "org" */
 &(nid_objs[17]),/* "organizationName" */
 &(nid_objs[491]),/* "organizationalStatus" */
@@ -2861,6 +3200,8 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[22]),/* "pkcs7-signedData" */
 &(nid_objs[151]),/* "pkcs8ShroudedKeyBag" */
 &(nid_objs[47]),/* "pkcs9" */
+&(nid_objs[661]),/* "postalCode" */
+&(nid_objs[683]),/* "ppBasis" */
 &(nid_objs[406]),/* "prime-field" */
 &(nid_objs[409]),/* "prime192v1" */
 &(nid_objs[410]),/* "prime192v2" */
@@ -2899,12 +3240,43 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[124]),/* "run length compression" */
 &(nid_objs[482]),/* "sOARecord" */
 &(nid_objs[155]),/* "safeContentsBag" */
-&(nid_objs[291]),/* "sbqp-autonomousSysNum" */
-&(nid_objs[290]),/* "sbqp-ipAddrBlock" */
-&(nid_objs[292]),/* "sbqp-routerIdentifier" */
+&(nid_objs[291]),/* "sbgp-autonomousSysNum" */
+&(nid_objs[290]),/* "sbgp-ipAddrBlock" */
+&(nid_objs[292]),/* "sbgp-routerIdentifier" */
 &(nid_objs[159]),/* "sdsiCertificate" */
+&(nid_objs[704]),/* "secp112r1" */
+&(nid_objs[705]),/* "secp112r2" */
+&(nid_objs[706]),/* "secp128r1" */
+&(nid_objs[707]),/* "secp128r2" */
+&(nid_objs[708]),/* "secp160k1" */
+&(nid_objs[709]),/* "secp160r1" */
+&(nid_objs[710]),/* "secp160r2" */
+&(nid_objs[711]),/* "secp192k1" */
+&(nid_objs[712]),/* "secp224k1" */
+&(nid_objs[713]),/* "secp224r1" */
+&(nid_objs[714]),/* "secp256k1" */
+&(nid_objs[715]),/* "secp384r1" */
+&(nid_objs[716]),/* "secp521r1" */
 &(nid_objs[154]),/* "secretBag" */
 &(nid_objs[474]),/* "secretary" */
+&(nid_objs[717]),/* "sect113r1" */
+&(nid_objs[718]),/* "sect113r2" */
+&(nid_objs[719]),/* "sect131r1" */
+&(nid_objs[720]),/* "sect131r2" */
+&(nid_objs[721]),/* "sect163k1" */
+&(nid_objs[722]),/* "sect163r1" */
+&(nid_objs[723]),/* "sect163r2" */
+&(nid_objs[724]),/* "sect193r1" */
+&(nid_objs[725]),/* "sect193r2" */
+&(nid_objs[726]),/* "sect233k1" */
+&(nid_objs[727]),/* "sect233r1" */
+&(nid_objs[728]),/* "sect239k1" */
+&(nid_objs[729]),/* "sect283k1" */
+&(nid_objs[730]),/* "sect283r1" */
+&(nid_objs[731]),/* "sect409k1" */
+&(nid_objs[732]),/* "sect409r1" */
+&(nid_objs[733]),/* "sect571k1" */
+&(nid_objs[734]),/* "sect571r1" */
 &(nid_objs[635]),/* "secure device signature" */
 &(nid_objs[105]),/* "serialNumber" */
 &(nid_objs[625]),/* "set-addPolicy" */
@@ -3028,17 +3400,27 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[64]),/* "sha1" */
 &(nid_objs[115]),/* "sha1WithRSA" */
 &(nid_objs[65]),/* "sha1WithRSAEncryption" */
+&(nid_objs[675]),/* "sha224" */
+&(nid_objs[671]),/* "sha224WithRSAEncryption" */
+&(nid_objs[672]),/* "sha256" */
+&(nid_objs[668]),/* "sha256WithRSAEncryption" */
+&(nid_objs[673]),/* "sha384" */
+&(nid_objs[669]),/* "sha384WithRSAEncryption" */
+&(nid_objs[674]),/* "sha512" */
+&(nid_objs[670]),/* "sha512WithRSAEncryption" */
 &(nid_objs[42]),/* "shaWithRSAEncryption" */
 &(nid_objs[52]),/* "signingTime" */
 &(nid_objs[454]),/* "simpleSecurityObject" */
 &(nid_objs[496]),/* "singleLevelQuality" */
 &(nid_objs[16]),/* "stateOrProvinceName" */
+&(nid_objs[660]),/* "streetAddress" */
 &(nid_objs[498]),/* "subtreeMaximumQuality" */
 &(nid_objs[497]),/* "subtreeMinimumQuality" */
 &(nid_objs[100]),/* "surname" */
 &(nid_objs[459]),/* "textEncodedORAddress" */
 &(nid_objs[293]),/* "textNotice" */
 &(nid_objs[106]),/* "title" */
+&(nid_objs[682]),/* "tpBasis" */
 &(nid_objs[436]),/* "ucl" */
 &(nid_objs[ 0]),/* "undefined" */
 &(nid_objs[55]),/* "unstructuredAddress" */
@@ -3046,6 +3428,19 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[465]),/* "userClass" */
 &(nid_objs[458]),/* "userId" */
 &(nid_objs[373]),/* "valid" */
+&(nid_objs[678]),/* "wap" */
+&(nid_objs[679]),/* "wap-wsg" */
+&(nid_objs[735]),/* "wap-wsg-idm-ecid-wtls1" */
+&(nid_objs[743]),/* "wap-wsg-idm-ecid-wtls10" */
+&(nid_objs[744]),/* "wap-wsg-idm-ecid-wtls11" */
+&(nid_objs[745]),/* "wap-wsg-idm-ecid-wtls12" */
+&(nid_objs[736]),/* "wap-wsg-idm-ecid-wtls3" */
+&(nid_objs[737]),/* "wap-wsg-idm-ecid-wtls4" */
+&(nid_objs[738]),/* "wap-wsg-idm-ecid-wtls5" */
+&(nid_objs[739]),/* "wap-wsg-idm-ecid-wtls6" */
+&(nid_objs[740]),/* "wap-wsg-idm-ecid-wtls7" */
+&(nid_objs[741]),/* "wap-wsg-idm-ecid-wtls8" */
+&(nid_objs[742]),/* "wap-wsg-idm-ecid-wtls9" */
 &(nid_objs[503]),/* "x500UniqueIdentifier" */
 &(nid_objs[158]),/* "x509Certificate" */
 &(nid_objs[160]),/* "x509Crl" */
@@ -3054,21 +3449,27 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 
 static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[ 0]),/* OBJ_undef                        0 */
-&(nid_objs[404]),/* OBJ_ccitt                        0 */
+&(nid_objs[393]),/* OBJ_joint_iso_ccitt              OBJ_joint_iso_itu_t */
+&(nid_objs[404]),/* OBJ_ccitt                        OBJ_itu_t */
+&(nid_objs[645]),/* OBJ_itu_t                        0 */
 &(nid_objs[434]),/* OBJ_data                         0 9 */
 &(nid_objs[181]),/* OBJ_iso                          1 */
 &(nid_objs[182]),/* OBJ_member_body                  1 2 */
 &(nid_objs[379]),/* OBJ_org                          1 3 */
-&(nid_objs[393]),/* OBJ_joint_iso_ccitt              2 */
+&(nid_objs[676]),/* OBJ_identified_organization      1 3 */
+&(nid_objs[646]),/* OBJ_joint_iso_itu_t              2 */
 &(nid_objs[11]),/* OBJ_X500                         2 5 */
+&(nid_objs[647]),/* OBJ_international_organizations  2 23 */
 &(nid_objs[380]),/* OBJ_dod                          1 3 6 */
 &(nid_objs[12]),/* OBJ_X509                         2 5 4 */
 &(nid_objs[378]),/* OBJ_X500algorithms               2 5 8 */
 &(nid_objs[81]),/* OBJ_id_ce                        2 5 29 */
 &(nid_objs[512]),/* OBJ_id_set                       2 23 42 */
+&(nid_objs[678]),/* OBJ_wap                          2 23 43 */
 &(nid_objs[435]),/* OBJ_pss                          0 9 2342 */
 &(nid_objs[183]),/* OBJ_ISO_US                       1 2 840 */
 &(nid_objs[381]),/* OBJ_iana                         1 3 6 1 */
+&(nid_objs[677]),/* OBJ_certicom_arc                 1 3 132 */
 &(nid_objs[394]),/* OBJ_selected_attribute_types     2 5 1 5 */
 &(nid_objs[13]),/* OBJ_commonName                   2 5 4 3 */
 &(nid_objs[100]),/* OBJ_surname                      2 5 4 4 */
@@ -3076,10 +3477,12 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[14]),/* OBJ_countryName                  2 5 4 6 */
 &(nid_objs[15]),/* OBJ_localityName                 2 5 4 7 */
 &(nid_objs[16]),/* OBJ_stateOrProvinceName          2 5 4 8 */
+&(nid_objs[660]),/* OBJ_streetAddress                2 5 4 9 */
 &(nid_objs[17]),/* OBJ_organizationName             2 5 4 10 */
 &(nid_objs[18]),/* OBJ_organizationalUnitName       2 5 4 11 */
 &(nid_objs[106]),/* OBJ_title                        2 5 4 12 */
 &(nid_objs[107]),/* OBJ_description                  2 5 4 13 */
+&(nid_objs[661]),/* OBJ_postalCode                   2 5 4 17 */
 &(nid_objs[173]),/* OBJ_name                         2 5 4 41 */
 &(nid_objs[99]),/* OBJ_givenName                    2 5 4 42 */
 &(nid_objs[101]),/* OBJ_initials                     2 5 4 43 */
@@ -3099,11 +3502,14 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[430]),/* OBJ_hold_instruction_code        2 5 29 23 */
 &(nid_objs[142]),/* OBJ_invalidity_date              2 5 29 24 */
 &(nid_objs[140]),/* OBJ_delta_crl                    2 5 29 27 */
+&(nid_objs[666]),/* OBJ_name_constraints             2 5 29 30 */
 &(nid_objs[103]),/* OBJ_crl_distribution_points      2 5 29 31 */
 &(nid_objs[89]),/* OBJ_certificate_policies         2 5 29 32 */
+&(nid_objs[747]),/* OBJ_policy_mappings              2 5 29 33 */
 &(nid_objs[90]),/* OBJ_authority_key_identifier     2 5 29 35 */
 &(nid_objs[401]),/* OBJ_policy_constraints           2 5 29 36 */
 &(nid_objs[126]),/* OBJ_ext_key_usage                2 5 29 37 */
+&(nid_objs[748]),/* OBJ_inhibit_any_policy           2 5 29 54 */
 &(nid_objs[402]),/* OBJ_target_information           2 5 29 55 */
 &(nid_objs[403]),/* OBJ_no_rev_avail                 2 5 29 56 */
 &(nid_objs[513]),/* OBJ_set_ctype                    2 23 42 0 */
@@ -3112,6 +3518,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[516]),/* OBJ_set_policy                   2 23 42 5 */
 &(nid_objs[517]),/* OBJ_set_certExt                  2 23 42 7 */
 &(nid_objs[518]),/* OBJ_set_brand                    2 23 42 8 */
+&(nid_objs[679]),/* OBJ_wap_wsg                      2 23 43 13 */
 &(nid_objs[382]),/* OBJ_Directory                    1 3 6 1 1 */
 &(nid_objs[383]),/* OBJ_Management                   1 3 6 1 2 */
 &(nid_objs[384]),/* OBJ_Experimental                 1 3 6 1 3 */
@@ -3124,6 +3531,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[19]),/* OBJ_rsa                          2 5 8 1 1 */
 &(nid_objs[96]),/* OBJ_mdc2WithRSA                  2 5 8 3 100 */
 &(nid_objs[95]),/* OBJ_mdc2                         2 5 8 3 101 */
+&(nid_objs[746]),/* OBJ_any_policy                   2 5 29 32 0 */
 &(nid_objs[519]),/* OBJ_setct_PANData                2 23 42 0 0 */
 &(nid_objs[520]),/* OBJ_setct_PANToken               2 23 42 0 1 */
 &(nid_objs[521]),/* OBJ_setct_PANOnly                2 23 42 0 2 */
@@ -3255,6 +3663,37 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[115]),/* OBJ_sha1WithRSA                  1 3 14 3 2 29 */
 &(nid_objs[117]),/* OBJ_ripemd160                    1 3 36 3 2 1 */
 &(nid_objs[143]),/* OBJ_sxnet                        1 3 101 1 4 1 */
+&(nid_objs[721]),/* OBJ_sect163k1                    1 3 132 0 1 */
+&(nid_objs[722]),/* OBJ_sect163r1                    1 3 132 0 2 */
+&(nid_objs[728]),/* OBJ_sect239k1                    1 3 132 0 3 */
+&(nid_objs[717]),/* OBJ_sect113r1                    1 3 132 0 4 */
+&(nid_objs[718]),/* OBJ_sect113r2                    1 3 132 0 5 */
+&(nid_objs[704]),/* OBJ_secp112r1                    1 3 132 0 6 */
+&(nid_objs[705]),/* OBJ_secp112r2                    1 3 132 0 7 */
+&(nid_objs[709]),/* OBJ_secp160r1                    1 3 132 0 8 */
+&(nid_objs[708]),/* OBJ_secp160k1                    1 3 132 0 9 */
+&(nid_objs[714]),/* OBJ_secp256k1                    1 3 132 0 10 */
+&(nid_objs[723]),/* OBJ_sect163r2                    1 3 132 0 15 */
+&(nid_objs[729]),/* OBJ_sect283k1                    1 3 132 0 16 */
+&(nid_objs[730]),/* OBJ_sect283r1                    1 3 132 0 17 */
+&(nid_objs[719]),/* OBJ_sect131r1                    1 3 132 0 22 */
+&(nid_objs[720]),/* OBJ_sect131r2                    1 3 132 0 23 */
+&(nid_objs[724]),/* OBJ_sect193r1                    1 3 132 0 24 */
+&(nid_objs[725]),/* OBJ_sect193r2                    1 3 132 0 25 */
+&(nid_objs[726]),/* OBJ_sect233k1                    1 3 132 0 26 */
+&(nid_objs[727]),/* OBJ_sect233r1                    1 3 132 0 27 */
+&(nid_objs[706]),/* OBJ_secp128r1                    1 3 132 0 28 */
+&(nid_objs[707]),/* OBJ_secp128r2                    1 3 132 0 29 */
+&(nid_objs[710]),/* OBJ_secp160r2                    1 3 132 0 30 */
+&(nid_objs[711]),/* OBJ_secp192k1                    1 3 132 0 31 */
+&(nid_objs[712]),/* OBJ_secp224k1                    1 3 132 0 32 */
+&(nid_objs[713]),/* OBJ_secp224r1                    1 3 132 0 33 */
+&(nid_objs[715]),/* OBJ_secp384r1                    1 3 132 0 34 */
+&(nid_objs[716]),/* OBJ_secp521r1                    1 3 132 0 35 */
+&(nid_objs[731]),/* OBJ_sect409k1                    1 3 132 0 36 */
+&(nid_objs[732]),/* OBJ_sect409r1                    1 3 132 0 37 */
+&(nid_objs[733]),/* OBJ_sect571k1                    1 3 132 0 38 */
+&(nid_objs[734]),/* OBJ_sect571r1                    1 3 132 0 39 */
 &(nid_objs[624]),/* OBJ_set_rootKeyThumb             2 23 42 3 0 0 */
 &(nid_objs[625]),/* OBJ_set_addPolicy                2 23 42 3 0 1 */
 &(nid_objs[626]),/* OBJ_setAttr_Token_EMV            2 23 42 3 2 1 */
@@ -3263,6 +3702,17 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[629]),/* OBJ_setAttr_IssCap_T2            2 23 42 3 3 4 */
 &(nid_objs[630]),/* OBJ_setAttr_IssCap_Sig           2 23 42 3 3 5 */
 &(nid_objs[642]),/* OBJ_set_brand_Novus              2 23 42 8 6011 */
+&(nid_objs[735]),/* OBJ_wap_wsg_idm_ecid_wtls1       2 23 43 13 4 1 */
+&(nid_objs[736]),/* OBJ_wap_wsg_idm_ecid_wtls3       2 23 43 13 4 3 */
+&(nid_objs[737]),/* OBJ_wap_wsg_idm_ecid_wtls4       2 23 43 13 4 4 */
+&(nid_objs[738]),/* OBJ_wap_wsg_idm_ecid_wtls5       2 23 43 13 4 5 */
+&(nid_objs[739]),/* OBJ_wap_wsg_idm_ecid_wtls6       2 23 43 13 4 6 */
+&(nid_objs[740]),/* OBJ_wap_wsg_idm_ecid_wtls7       2 23 43 13 4 7 */
+&(nid_objs[741]),/* OBJ_wap_wsg_idm_ecid_wtls8       2 23 43 13 4 8 */
+&(nid_objs[742]),/* OBJ_wap_wsg_idm_ecid_wtls9       2 23 43 13 4 9 */
+&(nid_objs[743]),/* OBJ_wap_wsg_idm_ecid_wtls10      2 23 43 13 4 10 */
+&(nid_objs[744]),/* OBJ_wap_wsg_idm_ecid_wtls11      2 23 43 13 4 11 */
+&(nid_objs[745]),/* OBJ_wap_wsg_idm_ecid_wtls12      2 23 43 13 4 12 */
 &(nid_objs[124]),/* OBJ_rle_compression              1 1 1 1 666 1 */
 &(nid_objs[125]),/* OBJ_zlib_compression             1 1 1 1 666 2 */
 &(nid_objs[ 1]),/* OBJ_rsadsi                       1 2 840 113549 */
@@ -3300,6 +3750,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[266]),/* OBJ_id_aca                       1 3 6 1 5 5 7 10 */
 &(nid_objs[267]),/* OBJ_id_qcs                       1 3 6 1 5 5 7 11 */
 &(nid_objs[268]),/* OBJ_id_cct                       1 3 6 1 5 5 7 12 */
+&(nid_objs[662]),/* OBJ_id_ppl                       1 3 6 1 5 5 7 21 */
 &(nid_objs[176]),/* OBJ_id_ad                        1 3 6 1 5 5 7 48 */
 &(nid_objs[507]),/* OBJ_id_hex_partial_message       1 3 6 1 7 1 1 1 */
 &(nid_objs[508]),/* OBJ_id_hex_multipart_message     1 3 6 1 7 1 1 2 */
@@ -3319,6 +3770,27 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[44]),/* OBJ_des_ede3_cbc                 1 2 840 113549 3 7 */
 &(nid_objs[120]),/* OBJ_rc5_cbc                      1 2 840 113549 3 8 */
 &(nid_objs[643]),/* OBJ_des_cdmf                     1 2 840 113549 3 10 */
+&(nid_objs[680]),/* OBJ_X9_62_id_characteristic_two_basis 1 2 840 10045 1 2 3 */
+&(nid_objs[684]),/* OBJ_X9_62_c2pnb163v1             1 2 840 10045 3 0 1 */
+&(nid_objs[685]),/* OBJ_X9_62_c2pnb163v2             1 2 840 10045 3 0 2 */
+&(nid_objs[686]),/* OBJ_X9_62_c2pnb163v3             1 2 840 10045 3 0 3 */
+&(nid_objs[687]),/* OBJ_X9_62_c2pnb176v1             1 2 840 10045 3 0 4 */
+&(nid_objs[688]),/* OBJ_X9_62_c2tnb191v1             1 2 840 10045 3 0 5 */
+&(nid_objs[689]),/* OBJ_X9_62_c2tnb191v2             1 2 840 10045 3 0 6 */
+&(nid_objs[690]),/* OBJ_X9_62_c2tnb191v3             1 2 840 10045 3 0 7 */
+&(nid_objs[691]),/* OBJ_X9_62_c2onb191v4             1 2 840 10045 3 0 8 */
+&(nid_objs[692]),/* OBJ_X9_62_c2onb191v5             1 2 840 10045 3 0 9 */
+&(nid_objs[693]),/* OBJ_X9_62_c2pnb208w1             1 2 840 10045 3 0 10 */
+&(nid_objs[694]),/* OBJ_X9_62_c2tnb239v1             1 2 840 10045 3 0 11 */
+&(nid_objs[695]),/* OBJ_X9_62_c2tnb239v2             1 2 840 10045 3 0 12 */
+&(nid_objs[696]),/* OBJ_X9_62_c2tnb239v3             1 2 840 10045 3 0 13 */
+&(nid_objs[697]),/* OBJ_X9_62_c2onb239v4             1 2 840 10045 3 0 14 */
+&(nid_objs[698]),/* OBJ_X9_62_c2onb239v5             1 2 840 10045 3 0 15 */
+&(nid_objs[699]),/* OBJ_X9_62_c2pnb272w1             1 2 840 10045 3 0 16 */
+&(nid_objs[700]),/* OBJ_X9_62_c2pnb304w1             1 2 840 10045 3 0 17 */
+&(nid_objs[701]),/* OBJ_X9_62_c2tnb359v1             1 2 840 10045 3 0 18 */
+&(nid_objs[702]),/* OBJ_X9_62_c2pnb368w1             1 2 840 10045 3 0 19 */
+&(nid_objs[703]),/* OBJ_X9_62_c2tnb431r1             1 2 840 10045 3 0 20 */
 &(nid_objs[409]),/* OBJ_X9_62_prime192v1             1 2 840 10045 3 1 1 */
 &(nid_objs[410]),/* OBJ_X9_62_prime192v2             1 2 840 10045 3 1 2 */
 &(nid_objs[411]),/* OBJ_X9_62_prime192v3             1 2 840 10045 3 1 3 */
@@ -3348,11 +3820,12 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[287]),/* OBJ_ac_auditEntity               1 3 6 1 5 5 7 1 4 */
 &(nid_objs[288]),/* OBJ_ac_targeting                 1 3 6 1 5 5 7 1 5 */
 &(nid_objs[289]),/* OBJ_aaControls                   1 3 6 1 5 5 7 1 6 */
-&(nid_objs[290]),/* OBJ_sbqp_ipAddrBlock             1 3 6 1 5 5 7 1 7 */
-&(nid_objs[291]),/* OBJ_sbqp_autonomousSysNum        1 3 6 1 5 5 7 1 8 */
-&(nid_objs[292]),/* OBJ_sbqp_routerIdentifier        1 3 6 1 5 5 7 1 9 */
+&(nid_objs[290]),/* OBJ_sbgp_ipAddrBlock             1 3 6 1 5 5 7 1 7 */
+&(nid_objs[291]),/* OBJ_sbgp_autonomousSysNum        1 3 6 1 5 5 7 1 8 */
+&(nid_objs[292]),/* OBJ_sbgp_routerIdentifier        1 3 6 1 5 5 7 1 9 */
 &(nid_objs[397]),/* OBJ_ac_proxying                  1 3 6 1 5 5 7 1 10 */
 &(nid_objs[398]),/* OBJ_sinfo_access                 1 3 6 1 5 5 7 1 11 */
+&(nid_objs[663]),/* OBJ_proxyCertInfo                1 3 6 1 5 5 7 1 14 */
 &(nid_objs[164]),/* OBJ_id_qt_cps                    1 3 6 1 5 5 7 2 1 */
 &(nid_objs[165]),/* OBJ_id_qt_unotice                1 3 6 1 5 5 7 2 2 */
 &(nid_objs[293]),/* OBJ_textNotice                   1 3 6 1 5 5 7 2 3 */
@@ -3423,6 +3896,9 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[360]),/* OBJ_id_cct_crs                   1 3 6 1 5 5 7 12 1 */
 &(nid_objs[361]),/* OBJ_id_cct_PKIData               1 3 6 1 5 5 7 12 2 */
 &(nid_objs[362]),/* OBJ_id_cct_PKIResponse           1 3 6 1 5 5 7 12 3 */
+&(nid_objs[664]),/* OBJ_id_ppl_anyLanguage           1 3 6 1 5 5 7 21 0 */
+&(nid_objs[665]),/* OBJ_id_ppl_inheritAll            1 3 6 1 5 5 7 21 1 */
+&(nid_objs[667]),/* OBJ_Independent                  1 3 6 1 5 5 7 21 2 */
 &(nid_objs[178]),/* OBJ_ad_OCSP                      1 3 6 1 5 5 7 48 1 */
 &(nid_objs[179]),/* OBJ_ad_ca_issuers                1 3 6 1 5 5 7 48 2 */
 &(nid_objs[363]),/* OBJ_ad_timeStamping              1 3 6 1 5 5 7 48 3 */
@@ -3441,6 +3917,10 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[ 8]),/* OBJ_md5WithRSAEncryption         1 2 840 113549 1 1 4 */
 &(nid_objs[65]),/* OBJ_sha1WithRSAEncryption        1 2 840 113549 1 1 5 */
 &(nid_objs[644]),/* OBJ_rsaOAEPEncryptionSET         1 2 840 113549 1 1 6 */
+&(nid_objs[668]),/* OBJ_sha256WithRSAEncryption      1 2 840 113549 1 1 11 */
+&(nid_objs[669]),/* OBJ_sha384WithRSAEncryption      1 2 840 113549 1 1 12 */
+&(nid_objs[670]),/* OBJ_sha512WithRSAEncryption      1 2 840 113549 1 1 13 */
+&(nid_objs[671]),/* OBJ_sha224WithRSAEncryption      1 2 840 113549 1 1 14 */
 &(nid_objs[28]),/* OBJ_dhKeyAgreement               1 2 840 113549 1 3 1 */
 &(nid_objs[ 9]),/* OBJ_pbeWithMD2AndDES_CBC         1 2 840 113549 1 5 1 */
 &(nid_objs[10]),/* OBJ_pbeWithMD5AndDES_CBC         1 2 840 113549 1 5 3 */
@@ -3471,6 +3951,9 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[188]),/* OBJ_SMIME                        1 2 840 113549 1 9 16 */
 &(nid_objs[156]),/* OBJ_friendlyName                 1 2 840 113549 1 9 20 */
 &(nid_objs[157]),/* OBJ_localKeyID                   1 2 840 113549 1 9 21 */
+&(nid_objs[681]),/* OBJ_X9_62_onBasis                1 2 840 10045 1 2 3 1 */
+&(nid_objs[682]),/* OBJ_X9_62_tpBasis                1 2 840 10045 1 2 3 2 */
+&(nid_objs[683]),/* OBJ_X9_62_ppBasis                1 2 840 10045 1 2 3 3 */
 &(nid_objs[417]),/* OBJ_ms_csp_name                  1 3 6 1 4 1 311 17 1 */
 &(nid_objs[390]),/* OBJ_dcObject                     1 3 6 1 4 1 1466 344 */
 &(nid_objs[91]),/* OBJ_bf_cbc                       1 3 6 1 4 1 3029 1 2 */
@@ -3505,6 +3988,10 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[427]),/* OBJ_aes_256_cbc                  2 16 840 1 101 3 4 1 42 */
 &(nid_objs[428]),/* OBJ_aes_256_ofb128               2 16 840 1 101 3 4 1 43 */
 &(nid_objs[429]),/* OBJ_aes_256_cfb128               2 16 840 1 101 3 4 1 44 */
+&(nid_objs[672]),/* OBJ_sha256                       2 16 840 1 101 3 4 2 1 */
+&(nid_objs[673]),/* OBJ_sha384                       2 16 840 1 101 3 4 2 2 */
+&(nid_objs[674]),/* OBJ_sha512                       2 16 840 1 101 3 4 2 3 */
+&(nid_objs[675]),/* OBJ_sha224                       2 16 840 1 101 3 4 2 4 */
 &(nid_objs[71]),/* OBJ_netscape_cert_type           2 16 840 1 113730 1 1 */
 &(nid_objs[72]),/* OBJ_netscape_base_url            2 16 840 1 113730 1 2 */
 &(nid_objs[73]),/* OBJ_netscape_revocation_url      2 16 840 1 113730 1 3 */
diff --git a/crypto/openssl/crypto/objects/obj_dat.pl b/crypto/openssl/crypto/objects/obj_dat.pl
index d0371661f973..8a09a46ee659 100644
--- a/crypto/openssl/crypto/objects/obj_dat.pl
+++ b/crypto/openssl/crypto/objects/obj_dat.pl
@@ -94,7 +94,7 @@ for ($i=0; $i<$n; $i++)
 	{
 	if (!defined($nid{$i}))
 		{
-		push(@out,"{NULL,NULL,NID_undef,0,NULL},\n");
+		push(@out,"{NULL,NULL,NID_undef,0,NULL,0},\n");
 		}
 	else
 		{
@@ -138,7 +138,7 @@ for ($i=0; $i<$n; $i++)
 			}
 		else
 			{
-			$out.="0,NULL";
+			$out.="0,NULL,0";
 			}
 		$out.="},\n";
 		push(@out,$out);
diff --git a/crypto/openssl/crypto/objects/obj_err.c b/crypto/openssl/crypto/objects/obj_err.c
index 80ab6855af34..0682979b3815 100644
--- a/crypto/openssl/crypto/objects/obj_err.c
+++ b/crypto/openssl/crypto/objects/obj_err.c
@@ -1,6 +1,6 @@
 /* crypto/objects/obj_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,20 +64,26 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OBJ,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OBJ,0,reason)
+
 static ERR_STRING_DATA OBJ_str_functs[]=
 	{
-{ERR_PACK(0,OBJ_F_OBJ_CREATE,0),	"OBJ_create"},
-{ERR_PACK(0,OBJ_F_OBJ_DUP,0),	"OBJ_dup"},
-{ERR_PACK(0,OBJ_F_OBJ_NID2LN,0),	"OBJ_nid2ln"},
-{ERR_PACK(0,OBJ_F_OBJ_NID2OBJ,0),	"OBJ_nid2obj"},
-{ERR_PACK(0,OBJ_F_OBJ_NID2SN,0),	"OBJ_nid2sn"},
+{ERR_FUNC(OBJ_F_OBJ_ADD_OBJECT),	"OBJ_add_object"},
+{ERR_FUNC(OBJ_F_OBJ_CREATE),	"OBJ_create"},
+{ERR_FUNC(OBJ_F_OBJ_DUP),	"OBJ_dup"},
+{ERR_FUNC(OBJ_F_OBJ_NAME_NEW_INDEX),	"OBJ_NAME_new_index"},
+{ERR_FUNC(OBJ_F_OBJ_NID2LN),	"OBJ_nid2ln"},
+{ERR_FUNC(OBJ_F_OBJ_NID2OBJ),	"OBJ_nid2obj"},
+{ERR_FUNC(OBJ_F_OBJ_NID2SN),	"OBJ_nid2sn"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA OBJ_str_reasons[]=
 	{
-{OBJ_R_MALLOC_FAILURE                    ,"malloc failure"},
-{OBJ_R_UNKNOWN_NID                       ,"unknown nid"},
+{ERR_REASON(OBJ_R_MALLOC_FAILURE)        ,"malloc failure"},
+{ERR_REASON(OBJ_R_UNKNOWN_NID)           ,"unknown nid"},
 {0,NULL}
 	};
 
@@ -91,8 +97,8 @@ void ERR_load_OBJ_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_OBJ,OBJ_str_functs);
-		ERR_load_strings(ERR_LIB_OBJ,OBJ_str_reasons);
+		ERR_load_strings(0,OBJ_str_functs);
+		ERR_load_strings(0,OBJ_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/objects/obj_lib.c b/crypto/openssl/crypto/objects/obj_lib.c
index b0b0f2ff24b2..706fa0b0e78c 100644
--- a/crypto/openssl/crypto/objects/obj_lib.c
+++ b/crypto/openssl/crypto/objects/obj_lib.c
@@ -82,7 +82,8 @@ ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o)
 	r->data=OPENSSL_malloc(o->length);
 	if (r->data == NULL)
 		goto err;
-	memcpy(r->data,o->data,o->length);
+	if (o->data != NULL)
+		memcpy(r->data,o->data,o->length);
 	r->length=o->length;
 	r->nid=o->nid;
 	r->ln=r->sn=NULL;
diff --git a/crypto/openssl/crypto/objects/obj_mac.h b/crypto/openssl/crypto/objects/obj_mac.h
index ceeaaa391db4..e4d63e5e3f9f 100644
--- a/crypto/openssl/crypto/objects/obj_mac.h
+++ b/crypto/openssl/crypto/objects/obj_mac.h
@@ -67,30 +67,57 @@
 #define NID_undef			0
 #define OBJ_undef			0L
 
-#define SN_ccitt		"CCITT"
-#define LN_ccitt		"ccitt"
+#define SN_itu_t		"ITU-T"
+#define LN_itu_t		"itu-t"
+#define NID_itu_t		645
+#define OBJ_itu_t		0L
+
 #define NID_ccitt		404
-#define OBJ_ccitt		0L
+#define OBJ_ccitt		OBJ_itu_t
 
 #define SN_iso		"ISO"
 #define LN_iso		"iso"
 #define NID_iso		181
 #define OBJ_iso		1L
 
-#define SN_joint_iso_ccitt		"JOINT-ISO-CCITT"
-#define LN_joint_iso_ccitt		"joint-iso-ccitt"
+#define SN_joint_iso_itu_t		"JOINT-ISO-ITU-T"
+#define LN_joint_iso_itu_t		"joint-iso-itu-t"
+#define NID_joint_iso_itu_t		646
+#define OBJ_joint_iso_itu_t		2L
+
 #define NID_joint_iso_ccitt		393
-#define OBJ_joint_iso_ccitt		2L
+#define OBJ_joint_iso_ccitt		OBJ_joint_iso_itu_t
 
 #define SN_member_body		"member-body"
 #define LN_member_body		"ISO Member Body"
 #define NID_member_body		182
 #define OBJ_member_body		OBJ_iso,2L
 
+#define SN_identified_organization		"identified-organization"
+#define NID_identified_organization		676
+#define OBJ_identified_organization		OBJ_iso,3L
+
+#define SN_certicom_arc		"certicom-arc"
+#define NID_certicom_arc		677
+#define OBJ_certicom_arc		OBJ_identified_organization,132L
+
+#define SN_international_organizations		"international-organizations"
+#define LN_international_organizations		"International Organizations"
+#define NID_international_organizations		647
+#define OBJ_international_organizations		OBJ_joint_iso_itu_t,23L
+
+#define SN_wap		"wap"
+#define NID_wap		678
+#define OBJ_wap		OBJ_international_organizations,43L
+
+#define SN_wap_wsg		"wap-wsg"
+#define NID_wap_wsg		679
+#define OBJ_wap_wsg		OBJ_wap,13L
+
 #define SN_selected_attribute_types		"selected-attribute-types"
 #define LN_selected_attribute_types		"Selected Attribute Types"
 #define NID_selected_attribute_types		394
-#define OBJ_selected_attribute_types		OBJ_joint_iso_ccitt,5L,1L,5L
+#define OBJ_selected_attribute_types		OBJ_joint_iso_itu_t,5L,1L,5L
 
 #define SN_clearance		"clearance"
 #define NID_clearance		395
@@ -136,6 +163,22 @@
 #define NID_X9_62_characteristic_two_field		407
 #define OBJ_X9_62_characteristic_two_field		OBJ_X9_62_id_fieldType,2L
 
+#define SN_X9_62_id_characteristic_two_basis		"id-characteristic-two-basis"
+#define NID_X9_62_id_characteristic_two_basis		680
+#define OBJ_X9_62_id_characteristic_two_basis		OBJ_X9_62_characteristic_two_field,3L
+
+#define SN_X9_62_onBasis		"onBasis"
+#define NID_X9_62_onBasis		681
+#define OBJ_X9_62_onBasis		OBJ_X9_62_id_characteristic_two_basis,1L
+
+#define SN_X9_62_tpBasis		"tpBasis"
+#define NID_X9_62_tpBasis		682
+#define OBJ_X9_62_tpBasis		OBJ_X9_62_id_characteristic_two_basis,2L
+
+#define SN_X9_62_ppBasis		"ppBasis"
+#define NID_X9_62_ppBasis		683
+#define OBJ_X9_62_ppBasis		OBJ_X9_62_id_characteristic_two_basis,3L
+
 #define OBJ_X9_62_id_publicKeyType		OBJ_ansi_X9_62,2L
 
 #define SN_X9_62_id_ecPublicKey		"id-ecPublicKey"
@@ -146,6 +189,86 @@
 
 #define OBJ_X9_62_c_TwoCurve		OBJ_X9_62_ellipticCurve,0L
 
+#define SN_X9_62_c2pnb163v1		"c2pnb163v1"
+#define NID_X9_62_c2pnb163v1		684
+#define OBJ_X9_62_c2pnb163v1		OBJ_X9_62_c_TwoCurve,1L
+
+#define SN_X9_62_c2pnb163v2		"c2pnb163v2"
+#define NID_X9_62_c2pnb163v2		685
+#define OBJ_X9_62_c2pnb163v2		OBJ_X9_62_c_TwoCurve,2L
+
+#define SN_X9_62_c2pnb163v3		"c2pnb163v3"
+#define NID_X9_62_c2pnb163v3		686
+#define OBJ_X9_62_c2pnb163v3		OBJ_X9_62_c_TwoCurve,3L
+
+#define SN_X9_62_c2pnb176v1		"c2pnb176v1"
+#define NID_X9_62_c2pnb176v1		687
+#define OBJ_X9_62_c2pnb176v1		OBJ_X9_62_c_TwoCurve,4L
+
+#define SN_X9_62_c2tnb191v1		"c2tnb191v1"
+#define NID_X9_62_c2tnb191v1		688
+#define OBJ_X9_62_c2tnb191v1		OBJ_X9_62_c_TwoCurve,5L
+
+#define SN_X9_62_c2tnb191v2		"c2tnb191v2"
+#define NID_X9_62_c2tnb191v2		689
+#define OBJ_X9_62_c2tnb191v2		OBJ_X9_62_c_TwoCurve,6L
+
+#define SN_X9_62_c2tnb191v3		"c2tnb191v3"
+#define NID_X9_62_c2tnb191v3		690
+#define OBJ_X9_62_c2tnb191v3		OBJ_X9_62_c_TwoCurve,7L
+
+#define SN_X9_62_c2onb191v4		"c2onb191v4"
+#define NID_X9_62_c2onb191v4		691
+#define OBJ_X9_62_c2onb191v4		OBJ_X9_62_c_TwoCurve,8L
+
+#define SN_X9_62_c2onb191v5		"c2onb191v5"
+#define NID_X9_62_c2onb191v5		692
+#define OBJ_X9_62_c2onb191v5		OBJ_X9_62_c_TwoCurve,9L
+
+#define SN_X9_62_c2pnb208w1		"c2pnb208w1"
+#define NID_X9_62_c2pnb208w1		693
+#define OBJ_X9_62_c2pnb208w1		OBJ_X9_62_c_TwoCurve,10L
+
+#define SN_X9_62_c2tnb239v1		"c2tnb239v1"
+#define NID_X9_62_c2tnb239v1		694
+#define OBJ_X9_62_c2tnb239v1		OBJ_X9_62_c_TwoCurve,11L
+
+#define SN_X9_62_c2tnb239v2		"c2tnb239v2"
+#define NID_X9_62_c2tnb239v2		695
+#define OBJ_X9_62_c2tnb239v2		OBJ_X9_62_c_TwoCurve,12L
+
+#define SN_X9_62_c2tnb239v3		"c2tnb239v3"
+#define NID_X9_62_c2tnb239v3		696
+#define OBJ_X9_62_c2tnb239v3		OBJ_X9_62_c_TwoCurve,13L
+
+#define SN_X9_62_c2onb239v4		"c2onb239v4"
+#define NID_X9_62_c2onb239v4		697
+#define OBJ_X9_62_c2onb239v4		OBJ_X9_62_c_TwoCurve,14L
+
+#define SN_X9_62_c2onb239v5		"c2onb239v5"
+#define NID_X9_62_c2onb239v5		698
+#define OBJ_X9_62_c2onb239v5		OBJ_X9_62_c_TwoCurve,15L
+
+#define SN_X9_62_c2pnb272w1		"c2pnb272w1"
+#define NID_X9_62_c2pnb272w1		699
+#define OBJ_X9_62_c2pnb272w1		OBJ_X9_62_c_TwoCurve,16L
+
+#define SN_X9_62_c2pnb304w1		"c2pnb304w1"
+#define NID_X9_62_c2pnb304w1		700
+#define OBJ_X9_62_c2pnb304w1		OBJ_X9_62_c_TwoCurve,17L
+
+#define SN_X9_62_c2tnb359v1		"c2tnb359v1"
+#define NID_X9_62_c2tnb359v1		701
+#define OBJ_X9_62_c2tnb359v1		OBJ_X9_62_c_TwoCurve,18L
+
+#define SN_X9_62_c2pnb368w1		"c2pnb368w1"
+#define NID_X9_62_c2pnb368w1		702
+#define OBJ_X9_62_c2pnb368w1		OBJ_X9_62_c_TwoCurve,19L
+
+#define SN_X9_62_c2tnb431r1		"c2tnb431r1"
+#define NID_X9_62_c2tnb431r1		703
+#define OBJ_X9_62_c2tnb431r1		OBJ_X9_62_c_TwoCurve,20L
+
 #define OBJ_X9_62_primeCurve		OBJ_X9_62_ellipticCurve,1L
 
 #define SN_X9_62_prime192v1		"prime192v1"
@@ -182,6 +305,178 @@
 #define NID_ecdsa_with_SHA1		416
 #define OBJ_ecdsa_with_SHA1		OBJ_X9_62_id_ecSigType,1L
 
+#define OBJ_secg_ellipticCurve		OBJ_certicom_arc,0L
+
+#define SN_secp112r1		"secp112r1"
+#define NID_secp112r1		704
+#define OBJ_secp112r1		OBJ_secg_ellipticCurve,6L
+
+#define SN_secp112r2		"secp112r2"
+#define NID_secp112r2		705
+#define OBJ_secp112r2		OBJ_secg_ellipticCurve,7L
+
+#define SN_secp128r1		"secp128r1"
+#define NID_secp128r1		706
+#define OBJ_secp128r1		OBJ_secg_ellipticCurve,28L
+
+#define SN_secp128r2		"secp128r2"
+#define NID_secp128r2		707
+#define OBJ_secp128r2		OBJ_secg_ellipticCurve,29L
+
+#define SN_secp160k1		"secp160k1"
+#define NID_secp160k1		708
+#define OBJ_secp160k1		OBJ_secg_ellipticCurve,9L
+
+#define SN_secp160r1		"secp160r1"
+#define NID_secp160r1		709
+#define OBJ_secp160r1		OBJ_secg_ellipticCurve,8L
+
+#define SN_secp160r2		"secp160r2"
+#define NID_secp160r2		710
+#define OBJ_secp160r2		OBJ_secg_ellipticCurve,30L
+
+#define SN_secp192k1		"secp192k1"
+#define NID_secp192k1		711
+#define OBJ_secp192k1		OBJ_secg_ellipticCurve,31L
+
+#define SN_secp224k1		"secp224k1"
+#define NID_secp224k1		712
+#define OBJ_secp224k1		OBJ_secg_ellipticCurve,32L
+
+#define SN_secp224r1		"secp224r1"
+#define NID_secp224r1		713
+#define OBJ_secp224r1		OBJ_secg_ellipticCurve,33L
+
+#define SN_secp256k1		"secp256k1"
+#define NID_secp256k1		714
+#define OBJ_secp256k1		OBJ_secg_ellipticCurve,10L
+
+#define SN_secp384r1		"secp384r1"
+#define NID_secp384r1		715
+#define OBJ_secp384r1		OBJ_secg_ellipticCurve,34L
+
+#define SN_secp521r1		"secp521r1"
+#define NID_secp521r1		716
+#define OBJ_secp521r1		OBJ_secg_ellipticCurve,35L
+
+#define SN_sect113r1		"sect113r1"
+#define NID_sect113r1		717
+#define OBJ_sect113r1		OBJ_secg_ellipticCurve,4L
+
+#define SN_sect113r2		"sect113r2"
+#define NID_sect113r2		718
+#define OBJ_sect113r2		OBJ_secg_ellipticCurve,5L
+
+#define SN_sect131r1		"sect131r1"
+#define NID_sect131r1		719
+#define OBJ_sect131r1		OBJ_secg_ellipticCurve,22L
+
+#define SN_sect131r2		"sect131r2"
+#define NID_sect131r2		720
+#define OBJ_sect131r2		OBJ_secg_ellipticCurve,23L
+
+#define SN_sect163k1		"sect163k1"
+#define NID_sect163k1		721
+#define OBJ_sect163k1		OBJ_secg_ellipticCurve,1L
+
+#define SN_sect163r1		"sect163r1"
+#define NID_sect163r1		722
+#define OBJ_sect163r1		OBJ_secg_ellipticCurve,2L
+
+#define SN_sect163r2		"sect163r2"
+#define NID_sect163r2		723
+#define OBJ_sect163r2		OBJ_secg_ellipticCurve,15L
+
+#define SN_sect193r1		"sect193r1"
+#define NID_sect193r1		724
+#define OBJ_sect193r1		OBJ_secg_ellipticCurve,24L
+
+#define SN_sect193r2		"sect193r2"
+#define NID_sect193r2		725
+#define OBJ_sect193r2		OBJ_secg_ellipticCurve,25L
+
+#define SN_sect233k1		"sect233k1"
+#define NID_sect233k1		726
+#define OBJ_sect233k1		OBJ_secg_ellipticCurve,26L
+
+#define SN_sect233r1		"sect233r1"
+#define NID_sect233r1		727
+#define OBJ_sect233r1		OBJ_secg_ellipticCurve,27L
+
+#define SN_sect239k1		"sect239k1"
+#define NID_sect239k1		728
+#define OBJ_sect239k1		OBJ_secg_ellipticCurve,3L
+
+#define SN_sect283k1		"sect283k1"
+#define NID_sect283k1		729
+#define OBJ_sect283k1		OBJ_secg_ellipticCurve,16L
+
+#define SN_sect283r1		"sect283r1"
+#define NID_sect283r1		730
+#define OBJ_sect283r1		OBJ_secg_ellipticCurve,17L
+
+#define SN_sect409k1		"sect409k1"
+#define NID_sect409k1		731
+#define OBJ_sect409k1		OBJ_secg_ellipticCurve,36L
+
+#define SN_sect409r1		"sect409r1"
+#define NID_sect409r1		732
+#define OBJ_sect409r1		OBJ_secg_ellipticCurve,37L
+
+#define SN_sect571k1		"sect571k1"
+#define NID_sect571k1		733
+#define OBJ_sect571k1		OBJ_secg_ellipticCurve,38L
+
+#define SN_sect571r1		"sect571r1"
+#define NID_sect571r1		734
+#define OBJ_sect571r1		OBJ_secg_ellipticCurve,39L
+
+#define OBJ_wap_wsg_idm_ecid		OBJ_wap_wsg,4L
+
+#define SN_wap_wsg_idm_ecid_wtls1		"wap-wsg-idm-ecid-wtls1"
+#define NID_wap_wsg_idm_ecid_wtls1		735
+#define OBJ_wap_wsg_idm_ecid_wtls1		OBJ_wap_wsg_idm_ecid,1L
+
+#define SN_wap_wsg_idm_ecid_wtls3		"wap-wsg-idm-ecid-wtls3"
+#define NID_wap_wsg_idm_ecid_wtls3		736
+#define OBJ_wap_wsg_idm_ecid_wtls3		OBJ_wap_wsg_idm_ecid,3L
+
+#define SN_wap_wsg_idm_ecid_wtls4		"wap-wsg-idm-ecid-wtls4"
+#define NID_wap_wsg_idm_ecid_wtls4		737
+#define OBJ_wap_wsg_idm_ecid_wtls4		OBJ_wap_wsg_idm_ecid,4L
+
+#define SN_wap_wsg_idm_ecid_wtls5		"wap-wsg-idm-ecid-wtls5"
+#define NID_wap_wsg_idm_ecid_wtls5		738
+#define OBJ_wap_wsg_idm_ecid_wtls5		OBJ_wap_wsg_idm_ecid,5L
+
+#define SN_wap_wsg_idm_ecid_wtls6		"wap-wsg-idm-ecid-wtls6"
+#define NID_wap_wsg_idm_ecid_wtls6		739
+#define OBJ_wap_wsg_idm_ecid_wtls6		OBJ_wap_wsg_idm_ecid,6L
+
+#define SN_wap_wsg_idm_ecid_wtls7		"wap-wsg-idm-ecid-wtls7"
+#define NID_wap_wsg_idm_ecid_wtls7		740
+#define OBJ_wap_wsg_idm_ecid_wtls7		OBJ_wap_wsg_idm_ecid,7L
+
+#define SN_wap_wsg_idm_ecid_wtls8		"wap-wsg-idm-ecid-wtls8"
+#define NID_wap_wsg_idm_ecid_wtls8		741
+#define OBJ_wap_wsg_idm_ecid_wtls8		OBJ_wap_wsg_idm_ecid,8L
+
+#define SN_wap_wsg_idm_ecid_wtls9		"wap-wsg-idm-ecid-wtls9"
+#define NID_wap_wsg_idm_ecid_wtls9		742
+#define OBJ_wap_wsg_idm_ecid_wtls9		OBJ_wap_wsg_idm_ecid,9L
+
+#define SN_wap_wsg_idm_ecid_wtls10		"wap-wsg-idm-ecid-wtls10"
+#define NID_wap_wsg_idm_ecid_wtls10		743
+#define OBJ_wap_wsg_idm_ecid_wtls10		OBJ_wap_wsg_idm_ecid,10L
+
+#define SN_wap_wsg_idm_ecid_wtls11		"wap-wsg-idm-ecid-wtls11"
+#define NID_wap_wsg_idm_ecid_wtls11		744
+#define OBJ_wap_wsg_idm_ecid_wtls11		OBJ_wap_wsg_idm_ecid,11L
+
+#define SN_wap_wsg_idm_ecid_wtls12		"wap-wsg-idm-ecid-wtls12"
+#define NID_wap_wsg_idm_ecid_wtls12		745
+#define OBJ_wap_wsg_idm_ecid_wtls12		OBJ_wap_wsg_idm_ecid,12L
+
 #define SN_cast5_cbc		"CAST5-CBC"
 #define LN_cast5_cbc		"cast5-cbc"
 #define NID_cast5_cbc		108
@@ -241,6 +536,26 @@
 #define NID_sha1WithRSAEncryption		65
 #define OBJ_sha1WithRSAEncryption		OBJ_pkcs1,5L
 
+#define SN_sha256WithRSAEncryption		"RSA-SHA256"
+#define LN_sha256WithRSAEncryption		"sha256WithRSAEncryption"
+#define NID_sha256WithRSAEncryption		668
+#define OBJ_sha256WithRSAEncryption		OBJ_pkcs1,11L
+
+#define SN_sha384WithRSAEncryption		"RSA-SHA384"
+#define LN_sha384WithRSAEncryption		"sha384WithRSAEncryption"
+#define NID_sha384WithRSAEncryption		669
+#define OBJ_sha384WithRSAEncryption		OBJ_pkcs1,12L
+
+#define SN_sha512WithRSAEncryption		"RSA-SHA512"
+#define LN_sha512WithRSAEncryption		"sha512WithRSAEncryption"
+#define NID_sha512WithRSAEncryption		670
+#define OBJ_sha512WithRSAEncryption		OBJ_pkcs1,13L
+
+#define SN_sha224WithRSAEncryption		"RSA-SHA224"
+#define LN_sha224WithRSAEncryption		"sha224WithRSAEncryption"
+#define NID_sha224WithRSAEncryption		671
+#define OBJ_sha224WithRSAEncryption		OBJ_pkcs1,14L
+
 #define SN_pkcs3		"pkcs3"
 #define NID_pkcs3		27
 #define OBJ_pkcs3		OBJ_pkcs,3L
@@ -950,6 +1265,10 @@
 #define NID_id_cct		268
 #define OBJ_id_cct		OBJ_id_pkix,12L
 
+#define SN_id_ppl		"id-ppl"
+#define NID_id_ppl		662
+#define OBJ_id_ppl		OBJ_id_pkix,21L
+
 #define SN_id_ad		"id-ad"
 #define NID_id_ad		176
 #define OBJ_id_ad		OBJ_id_pkix,48L
@@ -1044,17 +1363,17 @@
 #define NID_aaControls		289
 #define OBJ_aaControls		OBJ_id_pe,6L
 
-#define SN_sbqp_ipAddrBlock		"sbqp-ipAddrBlock"
-#define NID_sbqp_ipAddrBlock		290
-#define OBJ_sbqp_ipAddrBlock		OBJ_id_pe,7L
+#define SN_sbgp_ipAddrBlock		"sbgp-ipAddrBlock"
+#define NID_sbgp_ipAddrBlock		290
+#define OBJ_sbgp_ipAddrBlock		OBJ_id_pe,7L
 
-#define SN_sbqp_autonomousSysNum		"sbqp-autonomousSysNum"
-#define NID_sbqp_autonomousSysNum		291
-#define OBJ_sbqp_autonomousSysNum		OBJ_id_pe,8L
+#define SN_sbgp_autonomousSysNum		"sbgp-autonomousSysNum"
+#define NID_sbgp_autonomousSysNum		291
+#define OBJ_sbgp_autonomousSysNum		OBJ_id_pe,8L
 
-#define SN_sbqp_routerIdentifier		"sbqp-routerIdentifier"
-#define NID_sbqp_routerIdentifier		292
-#define OBJ_sbqp_routerIdentifier		OBJ_id_pe,9L
+#define SN_sbgp_routerIdentifier		"sbgp-routerIdentifier"
+#define NID_sbgp_routerIdentifier		292
+#define OBJ_sbgp_routerIdentifier		OBJ_id_pe,9L
 
 #define SN_ac_proxying		"ac-proxying"
 #define NID_ac_proxying		397
@@ -1065,6 +1384,11 @@
 #define NID_sinfo_access		398
 #define OBJ_sinfo_access		OBJ_id_pe,11L
 
+#define SN_proxyCertInfo		"proxyCertInfo"
+#define LN_proxyCertInfo		"Proxy Certificate Information"
+#define NID_proxyCertInfo		663
+#define OBJ_proxyCertInfo		OBJ_id_pe,14L
+
 #define SN_id_qt_cps		"id-qt-cps"
 #define LN_id_qt_cps		"Policy Qualifier CPS"
 #define NID_id_qt_cps		164
@@ -1389,6 +1713,21 @@
 #define NID_id_cct_PKIResponse		362
 #define OBJ_id_cct_PKIResponse		OBJ_id_cct,3L
 
+#define SN_id_ppl_anyLanguage		"id-ppl-anyLanguage"
+#define LN_id_ppl_anyLanguage		"Any language"
+#define NID_id_ppl_anyLanguage		664
+#define OBJ_id_ppl_anyLanguage		OBJ_id_ppl,0L
+
+#define SN_id_ppl_inheritAll		"id-ppl-inheritAll"
+#define LN_id_ppl_inheritAll		"Inherit all"
+#define NID_id_ppl_inheritAll		665
+#define OBJ_id_ppl_inheritAll		OBJ_id_ppl,1L
+
+#define SN_Independent		"id-ppl-independent"
+#define LN_Independent		"Independent"
+#define NID_Independent		667
+#define OBJ_Independent		OBJ_id_ppl,2L
+
 #define SN_ad_OCSP		"OCSP"
 #define LN_ad_OCSP		"OCSP"
 #define NID_ad_OCSP		178
@@ -1619,6 +1958,10 @@
 #define NID_stateOrProvinceName		16
 #define OBJ_stateOrProvinceName		OBJ_X509,8L
 
+#define LN_streetAddress		"streetAddress"
+#define NID_streetAddress		660
+#define OBJ_streetAddress		OBJ_X509,9L
+
 #define SN_organizationName		"O"
 #define LN_organizationName		"organizationName"
 #define NID_organizationName		17
@@ -1637,6 +1980,10 @@
 #define NID_description		107
 #define OBJ_description		OBJ_X509,13L
 
+#define LN_postalCode		"postalCode"
+#define NID_postalCode		661
+#define OBJ_postalCode		OBJ_X509,17L
+
 #define SN_name		"name"
 #define LN_name		"name"
 #define NID_name		173
@@ -1747,6 +2094,11 @@
 #define NID_delta_crl		140
 #define OBJ_delta_crl		OBJ_id_ce,27L
 
+#define SN_name_constraints		"nameConstraints"
+#define LN_name_constraints		"X509v3 Name Constraints"
+#define NID_name_constraints		666
+#define OBJ_name_constraints		OBJ_id_ce,30L
+
 #define SN_crl_distribution_points		"crlDistributionPoints"
 #define LN_crl_distribution_points		"X509v3 CRL Distribution Points"
 #define NID_crl_distribution_points		103
@@ -1757,6 +2109,16 @@
 #define NID_certificate_policies		89
 #define OBJ_certificate_policies		OBJ_id_ce,32L
 
+#define SN_any_policy		"anyPolicy"
+#define LN_any_policy		"X509v3 Any Policy"
+#define NID_any_policy		746
+#define OBJ_any_policy		OBJ_certificate_policies,0L
+
+#define SN_policy_mappings		"policyMappings"
+#define LN_policy_mappings		"X509v3 Policy Mappings"
+#define NID_policy_mappings		747
+#define OBJ_policy_mappings		OBJ_id_ce,33L
+
 #define SN_authority_key_identifier		"authorityKeyIdentifier"
 #define LN_authority_key_identifier		"X509v3 Authority Key Identifier"
 #define NID_authority_key_identifier		90
@@ -1772,6 +2134,11 @@
 #define NID_ext_key_usage		126
 #define OBJ_ext_key_usage		OBJ_id_ce,37L
 
+#define SN_inhibit_any_policy		"inhibitAnyPolicy"
+#define LN_inhibit_any_policy		"X509v3 Inhibit Any Policy"
+#define NID_inhibit_any_policy		748
+#define OBJ_inhibit_any_policy		OBJ_id_ce,54L
+
 #define SN_target_information		"targetInformation"
 #define LN_target_information		"X509v3 AC Targeting"
 #define NID_target_information		402
@@ -2049,6 +2416,28 @@
 #define LN_des_ede3_cfb8		"des-ede3-cfb8"
 #define NID_des_ede3_cfb8		659
 
+#define OBJ_nist_hashalgs		OBJ_nistAlgorithms,2L
+
+#define SN_sha256		"SHA256"
+#define LN_sha256		"sha256"
+#define NID_sha256		672
+#define OBJ_sha256		OBJ_nist_hashalgs,1L
+
+#define SN_sha384		"SHA384"
+#define LN_sha384		"sha384"
+#define NID_sha384		673
+#define OBJ_sha384		OBJ_nist_hashalgs,2L
+
+#define SN_sha512		"SHA512"
+#define LN_sha512		"sha512"
+#define NID_sha512		674
+#define OBJ_sha512		OBJ_nist_hashalgs,3L
+
+#define SN_sha224		"SHA224"
+#define LN_sha224		"sha224"
+#define NID_sha224		675
+#define OBJ_sha224		OBJ_nist_hashalgs,4L
+
 #define SN_hold_instruction_code		"holdInstructionCode"
 #define LN_hold_instruction_code		"Hold Instruction Code"
 #define NID_hold_instruction_code		430
@@ -2073,7 +2462,7 @@
 
 #define SN_data		"data"
 #define NID_data		434
-#define OBJ_data		OBJ_ccitt,9L
+#define OBJ_data		OBJ_itu_t,9L
 
 #define SN_pss		"pss"
 #define NID_pss		435
@@ -2362,7 +2751,7 @@
 #define SN_id_set		"id-set"
 #define LN_id_set		"Secure Electronic Transactions"
 #define NID_id_set		512
-#define OBJ_id_set		2L,23L,42L
+#define OBJ_id_set		OBJ_international_organizations,42L
 
 #define SN_set_ctype		"set-ctype"
 #define LN_set_ctype		"content types"
@@ -2906,3 +3295,11 @@
 #define NID_rsaOAEPEncryptionSET		644
 #define OBJ_rsaOAEPEncryptionSET		OBJ_rsadsi,1L,1L,6L
 
+#define SN_ipsec3		"Oakley-EC2N-3"
+#define LN_ipsec3		"ipsec3"
+#define NID_ipsec3		749
+
+#define SN_ipsec4		"Oakley-EC2N-4"
+#define LN_ipsec4		"ipsec4"
+#define NID_ipsec4		750
+
diff --git a/crypto/openssl/crypto/objects/obj_mac.num b/crypto/openssl/crypto/objects/obj_mac.num
index 4dffeaed2285..56a2bf7f55f2 100644
--- a/crypto/openssl/crypto/objects/obj_mac.num
+++ b/crypto/openssl/crypto/objects/obj_mac.num
@@ -287,9 +287,9 @@ qcStatements		286
 ac_auditEntity		287
 ac_targeting		288
 aaControls		289
-sbqp_ipAddrBlock		290
-sbqp_autonomousSysNum		291
-sbqp_routerIdentifier		292
+sbgp_ipAddrBlock		290
+sbgp_autonomousSysNum		291
+sbgp_routerIdentifier		292
 textNotice		293
 ipsecEndSystem		294
 ipsecTunnel		295
@@ -657,3 +657,94 @@ des_cfb1		656
 des_cfb8		657
 des_ede3_cfb1		658
 des_ede3_cfb8		659
+streetAddress		660
+postalCode		661
+id_ppl		662
+proxyCertInfo		663
+id_ppl_anyLanguage		664
+id_ppl_inheritAll		665
+name_constraints		666
+Independent		667
+sha256WithRSAEncryption		668
+sha384WithRSAEncryption		669
+sha512WithRSAEncryption		670
+sha224WithRSAEncryption		671
+sha256		672
+sha384		673
+sha512		674
+sha224		675
+identified_organization		676
+certicom_arc		677
+wap		678
+wap_wsg		679
+X9_62_id_characteristic_two_basis		680
+X9_62_onBasis		681
+X9_62_tpBasis		682
+X9_62_ppBasis		683
+X9_62_c2pnb163v1		684
+X9_62_c2pnb163v2		685
+X9_62_c2pnb163v3		686
+X9_62_c2pnb176v1		687
+X9_62_c2tnb191v1		688
+X9_62_c2tnb191v2		689
+X9_62_c2tnb191v3		690
+X9_62_c2onb191v4		691
+X9_62_c2onb191v5		692
+X9_62_c2pnb208w1		693
+X9_62_c2tnb239v1		694
+X9_62_c2tnb239v2		695
+X9_62_c2tnb239v3		696
+X9_62_c2onb239v4		697
+X9_62_c2onb239v5		698
+X9_62_c2pnb272w1		699
+X9_62_c2pnb304w1		700
+X9_62_c2tnb359v1		701
+X9_62_c2pnb368w1		702
+X9_62_c2tnb431r1		703
+secp112r1		704
+secp112r2		705
+secp128r1		706
+secp128r2		707
+secp160k1		708
+secp160r1		709
+secp160r2		710
+secp192k1		711
+secp224k1		712
+secp224r1		713
+secp256k1		714
+secp384r1		715
+secp521r1		716
+sect113r1		717
+sect113r2		718
+sect131r1		719
+sect131r2		720
+sect163k1		721
+sect163r1		722
+sect163r2		723
+sect193r1		724
+sect193r2		725
+sect233k1		726
+sect233r1		727
+sect239k1		728
+sect283k1		729
+sect283r1		730
+sect409k1		731
+sect409r1		732
+sect571k1		733
+sect571r1		734
+wap_wsg_idm_ecid_wtls1		735
+wap_wsg_idm_ecid_wtls3		736
+wap_wsg_idm_ecid_wtls4		737
+wap_wsg_idm_ecid_wtls5		738
+wap_wsg_idm_ecid_wtls6		739
+wap_wsg_idm_ecid_wtls7		740
+wap_wsg_idm_ecid_wtls8		741
+wap_wsg_idm_ecid_wtls9		742
+wap_wsg_idm_ecid_wtls10		743
+wap_wsg_idm_ecid_wtls11		744
+wap_wsg_idm_ecid_wtls12		745
+any_policy		746
+policy_mappings		747
+inhibit_any_policy		748
+ipsec3		749
+ipsec4		750
diff --git a/crypto/openssl/crypto/objects/objects.h b/crypto/openssl/crypto/objects/objects.h
index de1053281365..7242f76fb0f1 100644
--- a/crypto/openssl/crypto/objects/objects.h
+++ b/crypto/openssl/crypto/objects/objects.h
@@ -966,7 +966,10 @@
 #define	OBJ_NAME_TYPE_COMP_METH		0x04
 #define	OBJ_NAME_TYPE_NUM		0x05
 
-#define	OBJ_NAME_ALIAS		0x8000
+#define	OBJ_NAME_ALIAS			0x8000
+
+#define OBJ_BSEARCH_VALUE_ON_NOMATCH		0x01
+#define OBJ_BSEARCH_FIRST_VALUE_ON_MATCH	0x02
 
 
 #ifdef  __cplusplus
@@ -1010,6 +1013,8 @@ int		OBJ_sn2nid(const char *s);
 int		OBJ_cmp(const ASN1_OBJECT *a,const ASN1_OBJECT *b);
 const char *	OBJ_bsearch(const char *key,const char *base,int num,int size,
 	int (*cmp)(const void *, const void *));
+const char *	OBJ_bsearch_ex(const char *key,const char *base,int num,
+	int size, int (*cmp)(const void *, const void *), int flags);
 
 int		OBJ_new_nid(int num);
 int		OBJ_add_object(const ASN1_OBJECT *obj);
@@ -1026,8 +1031,10 @@ void ERR_load_OBJ_strings(void);
 /* Error codes for the OBJ functions. */
 
 /* Function codes. */
+#define OBJ_F_OBJ_ADD_OBJECT				 105
 #define OBJ_F_OBJ_CREATE				 100
 #define OBJ_F_OBJ_DUP					 101
+#define OBJ_F_OBJ_NAME_NEW_INDEX			 106
 #define OBJ_F_OBJ_NID2LN				 102
 #define OBJ_F_OBJ_NID2OBJ				 103
 #define OBJ_F_OBJ_NID2SN				 104
diff --git a/crypto/openssl/crypto/objects/objects.txt b/crypto/openssl/crypto/objects/objects.txt
index cd315d0cc0b8..0aec79b899cf 100644
--- a/crypto/openssl/crypto/objects/objects.txt
+++ b/crypto/openssl/crypto/objects/objects.txt
@@ -1,12 +1,24 @@
-0			: CCITT			: ccitt
+# CCITT was renamed to ITU-T quite some time ago
+0			: ITU-T			: itu-t
+!Alias ccitt itu-t
 
 1			: ISO			: iso
 
-2			: JOINT-ISO-CCITT	: joint-iso-ccitt
+2			: JOINT-ISO-ITU-T	: joint-iso-itu-t
+!Alias joint-iso-ccitt joint-iso-itu-t
 
 iso 2			: member-body		: ISO Member Body
 
-joint-iso-ccitt 5 1 5	: selected-attribute-types	: Selected Attribute Types
+iso 3			: identified-organization
+
+identified-organization 132	: certicom-arc
+
+joint-iso-itu-t 23	: international-organizations	: International Organizations
+
+international-organizations 43	: wap
+wap 13			: wap-wsg
+
+joint-iso-itu-t 5 1 5	: selected-attribute-types	: Selected Attribute Types
 
 selected-attribute-types 55	: clearance
 
@@ -24,12 +36,34 @@ ISO-US 10045		: ansi-X9-62		: ANSI X9.62
 !Alias id-fieldType ansi-X9-62 1
 X9-62_id-fieldType 1		: prime-field
 X9-62_id-fieldType 2		: characteristic-two-field
-# ... characteristic-two-field OID subtree
+X9-62_characteristic-two-field 3 : id-characteristic-two-basis
+X9-62_id-characteristic-two-basis 1 : onBasis
+X9-62_id-characteristic-two-basis 2 : tpBasis
+X9-62_id-characteristic-two-basis 3 : ppBasis
 !Alias id-publicKeyType ansi-X9-62 2
 X9-62_id-publicKeyType 1	: id-ecPublicKey
 !Alias ellipticCurve ansi-X9-62 3
 !Alias c-TwoCurve X9-62_ellipticCurve 0
-# ... characteristic 2 curve OIDs
+X9-62_c-TwoCurve 1		: c2pnb163v1
+X9-62_c-TwoCurve 2		: c2pnb163v2
+X9-62_c-TwoCurve 3		: c2pnb163v3
+X9-62_c-TwoCurve 4		: c2pnb176v1
+X9-62_c-TwoCurve 5		: c2tnb191v1
+X9-62_c-TwoCurve 6		: c2tnb191v2
+X9-62_c-TwoCurve 7		: c2tnb191v3
+X9-62_c-TwoCurve 8		: c2onb191v4
+X9-62_c-TwoCurve 9		: c2onb191v5
+X9-62_c-TwoCurve 10		: c2pnb208w1
+X9-62_c-TwoCurve 11		: c2tnb239v1
+X9-62_c-TwoCurve 12		: c2tnb239v2
+X9-62_c-TwoCurve 13		: c2tnb239v3
+X9-62_c-TwoCurve 14		: c2onb239v4
+X9-62_c-TwoCurve 15		: c2onb239v5
+X9-62_c-TwoCurve 16		: c2pnb272w1
+X9-62_c-TwoCurve 17		: c2pnb304w1
+X9-62_c-TwoCurve 18		: c2tnb359v1
+X9-62_c-TwoCurve 19		: c2pnb368w1
+X9-62_c-TwoCurve 20		: c2tnb431r1
 !Alias primeCurve X9-62_ellipticCurve 1
 X9-62_primeCurve 1	 	: prime192v1
 X9-62_primeCurve 2	 	: prime192v2
@@ -42,6 +76,60 @@ X9-62_primeCurve 7	 	: prime256v1
 !global
 X9-62_id-ecSigType 1		: ecdsa-with-SHA1
 
+# SECG curve OIDs from "SEC 2: Recommended Elliptic Curve Domain Parameters"
+# (http://www.secg.org/)
+!Alias secg_ellipticCurve certicom-arc 0
+# SECG prime curves OIDs
+secg-ellipticCurve 6		: secp112r1
+secg-ellipticCurve 7		: secp112r2
+secg-ellipticCurve 28		: secp128r1
+secg-ellipticCurve 29		: secp128r2
+secg-ellipticCurve 9		: secp160k1
+secg-ellipticCurve 8		: secp160r1
+secg-ellipticCurve 30		: secp160r2
+secg-ellipticCurve 31		: secp192k1
+# NOTE: the curve secp192r1 is the same as prime192v1 defined above
+#       and is therefore omitted
+secg-ellipticCurve 32		: secp224k1
+secg-ellipticCurve 33		: secp224r1
+secg-ellipticCurve 10		: secp256k1
+# NOTE: the curve secp256r1 is the same as prime256v1 defined above
+#       and is therefore omitted
+secg-ellipticCurve 34		: secp384r1
+secg-ellipticCurve 35		: secp521r1
+# SECG characteristic two curves OIDs
+secg-ellipticCurve 4		: sect113r1
+secg-ellipticCurve 5		: sect113r2
+secg-ellipticCurve 22		: sect131r1
+secg-ellipticCurve 23		: sect131r2
+secg-ellipticCurve 1		: sect163k1
+secg-ellipticCurve 2		: sect163r1
+secg-ellipticCurve 15		: sect163r2
+secg-ellipticCurve 24		: sect193r1
+secg-ellipticCurve 25		: sect193r2
+secg-ellipticCurve 26		: sect233k1
+secg-ellipticCurve 27		: sect233r1
+secg-ellipticCurve 3		: sect239k1
+secg-ellipticCurve 16		: sect283k1
+secg-ellipticCurve 17		: sect283r1
+secg-ellipticCurve 36		: sect409k1
+secg-ellipticCurve 37		: sect409r1
+secg-ellipticCurve 38		: sect571k1
+secg-ellipticCurve 39		: sect571r1
+
+# WAP/TLS curve OIDs (http://www.wapforum.org/)
+!Alias wap-wsg-idm-ecid wap-wsg 4
+wap-wsg-idm-ecid 1	: wap-wsg-idm-ecid-wtls1
+wap-wsg-idm-ecid 3	: wap-wsg-idm-ecid-wtls3
+wap-wsg-idm-ecid 4	: wap-wsg-idm-ecid-wtls4
+wap-wsg-idm-ecid 5	: wap-wsg-idm-ecid-wtls5
+wap-wsg-idm-ecid 6	: wap-wsg-idm-ecid-wtls6
+wap-wsg-idm-ecid 7	: wap-wsg-idm-ecid-wtls7
+wap-wsg-idm-ecid 8	: wap-wsg-idm-ecid-wtls8
+wap-wsg-idm-ecid 9	: wap-wsg-idm-ecid-wtls9
+wap-wsg-idm-ecid 10	: wap-wsg-idm-ecid-wtls10
+wap-wsg-idm-ecid 11	: wap-wsg-idm-ecid-wtls11
+wap-wsg-idm-ecid 12	: wap-wsg-idm-ecid-wtls12
 
 
 ISO-US 113533 7 66 10	: CAST5-CBC		: cast5-cbc
@@ -63,6 +151,11 @@ pkcs1 2			: RSA-MD2		: md2WithRSAEncryption
 pkcs1 3			: RSA-MD4		: md4WithRSAEncryption
 pkcs1 4			: RSA-MD5		: md5WithRSAEncryption
 pkcs1 5			: RSA-SHA1		: sha1WithRSAEncryption
+# According to PKCS #1 version 2.1
+pkcs1 11		: RSA-SHA256		: sha256WithRSAEncryption
+pkcs1 12		: RSA-SHA384		: sha384WithRSAEncryption
+pkcs1 13		: RSA-SHA512		: sha512WithRSAEncryption
+pkcs1 14		: RSA-SHA224		: sha224WithRSAEncryption
 
 pkcs 3			: pkcs3
 pkcs3 1			:			: dhKeyAgreement
@@ -312,6 +405,7 @@ id-pkix 9		: id-pda
 id-pkix 10		: id-aca
 id-pkix 11		: id-qcs
 id-pkix 12		: id-cct
+id-pkix 21		: id-ppl
 id-pkix 48		: id-ad
 
 # PKIX Modules
@@ -340,12 +434,13 @@ id-pe 3			: qcStatements
 id-pe 4			: ac-auditEntity
 id-pe 5			: ac-targeting
 id-pe 6			: aaControls
-id-pe 7			: sbqp-ipAddrBlock
-id-pe 8			: sbqp-autonomousSysNum
-id-pe 9			: sbqp-routerIdentifier
+id-pe 7			: sbgp-ipAddrBlock
+id-pe 8			: sbgp-autonomousSysNum
+id-pe 9			: sbgp-routerIdentifier
 id-pe 10		: ac-proxying
 !Cname sinfo-access
 id-pe 11		: subjectInfoAccess	: Subject Information Access
+id-pe 14		: proxyCertInfo		: Proxy Certificate Information
 
 # PKIX policyQualifiers for Internet policy qualifiers
 id-qt 1			: id-qt-cps		: Policy Qualifier CPS
@@ -461,6 +556,11 @@ id-cct 1		: id-cct-crs
 id-cct 2		: id-cct-PKIData
 id-cct 3		: id-cct-PKIResponse
 
+# Predefined Proxy Certificate policy languages
+id-ppl 0		: id-ppl-anyLanguage	: Any language
+id-ppl 1		: id-ppl-inheritAll	: Inherit all
+id-ppl 2		: id-ppl-independent	: Independent
+
 # access descriptors for authority info access extension
 !Cname ad-OCSP
 id-ad 1			: OCSP			: OCSP
@@ -536,10 +636,12 @@ X509 5			: 			: serialNumber
 X509 6			: C			: countryName
 X509 7			: L			: localityName
 X509 8			: ST			: stateOrProvinceName
+X509 9			:			: streetAddress
 X509 10			: O			: organizationName
 X509 11			: OU			: organizationalUnitName
 X509 12			: 			: title
 X509 13			: 			: description
+X509 17			:			: postalCode
 X509 41			: name			: name
 X509 42			: GN			: givenName
 X509 43			: 			: initials
@@ -575,16 +677,24 @@ id-ce 21		: CRLReason		: X509v3 CRL Reason Code
 id-ce 24		: invalidityDate	: Invalidity Date
 !Cname delta-crl
 id-ce 27		: deltaCRL		: X509v3 Delta CRL Indicator
+!Cname name-constraints
+id-ce 30		: nameConstraints	: X509v3 Name Constraints
 !Cname crl-distribution-points
 id-ce 31		: crlDistributionPoints	: X509v3 CRL Distribution Points
 !Cname certificate-policies
 id-ce 32		: certificatePolicies	: X509v3 Certificate Policies
+!Cname any-policy
+certificate-policies 0	: anyPolicy		: X509v3 Any Policy
+!Cname policy-mappings
+id-ce 33		: policyMappings	: X509v3 Policy Mappings
 !Cname authority-key-identifier
 id-ce 35		: authorityKeyIdentifier : X509v3 Authority Key Identifier
 !Cname policy-constraints
 id-ce 36		: policyConstraints	: X509v3 Policy Constraints
 !Cname ext-key-usage
 id-ce 37		: extendedKeyUsage	: X509v3 Extended Key Usage
+!Cname inhibit-any-policy
+id-ce 54		: inhibitAnyPolicy	: X509v3 Inhibit Any Policy
 !Cname target-information
 id-ce 55		: targetInformation	: X509v3 AC Targeting
 !Cname no-rev-avail
@@ -694,6 +804,13 @@ aes 44			: AES-256-CFB		: aes-256-cfb
 			: DES-EDE3-CFB1		: des-ede3-cfb1
 			: DES-EDE3-CFB8		: des-ede3-cfb8
 
+# OIDs for SHA224, SHA256, SHA385 and SHA512, according to x9.84.
+!Alias nist_hashalgs nistAlgorithms 2
+nist_hashalgs 1		: SHA256		: sha256
+nist_hashalgs 2		: SHA384		: sha384
+nist_hashalgs 3		: SHA512		: sha512
+nist_hashalgs 4		: SHA224		: sha224
+
 # Hold instruction CRL entry extension
 !Cname hold-instruction-code
 id-ce 23		: holdInstructionCode	: Hold Instruction Code
@@ -705,9 +822,9 @@ holdInstruction 2	: holdInstructionCallIssuer : Hold Instruction Call Issuer
 !Cname hold-instruction-reject
 holdInstruction 3	: holdInstructionReject	: Hold Instruction Reject
 
-# OID's from CCITT.  Most of this is defined in RFC 1274.  A couple of
+# OID's from ITU-T.  Most of this is defined in RFC 1274.  A couple of
 # them are also mentioned in RFC 2247
-ccitt 9			: data
+itu-t 9			: data
 data 2342		: pss
 pss 19200300		: ucl
 ucl 100			: pilot
@@ -781,7 +898,7 @@ pilotAttributeType 54	:			: dITRedirect
 pilotAttributeType 55	: audio
 pilotAttributeType 56	:			: documentPublisher
 
-2 23 42			: id-set		: Secure Electronic Transactions
+international-organizations 42	: id-set	: Secure Electronic Transactions
 
 id-set 0		: set-ctype		: content types
 id-set 1		: set-msgExt		: message extensions
@@ -927,3 +1044,6 @@ set-brand 6011		: set-brand-Novus
 
 rsadsi 3 10		: DES-CDMF		: des-cdmf
 rsadsi 1 1 6		: rsaOAEPEncryptionSET
+
+			: Oakley-EC2N-3		: ipsec3
+			: Oakley-EC2N-4		: ipsec4
diff --git a/crypto/openssl/crypto/ocsp/Makefile b/crypto/openssl/crypto/ocsp/Makefile
index 7135ba6b9404..0fe028960e25 100644
--- a/crypto/openssl/crypto/ocsp/Makefile
+++ b/crypto/openssl/crypto/ocsp/Makefile
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -54,7 +49,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -69,6 +65,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
@@ -80,212 +77,137 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-ocsp_asn.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-ocsp_asn.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-ocsp_asn.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-ocsp_asn.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+ocsp_asn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+ocsp_asn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 ocsp_asn.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-ocsp_asn.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-ocsp_asn.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-ocsp_asn.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-ocsp_asn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-ocsp_asn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-ocsp_asn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+ocsp_asn.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ocsp_asn.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ocsp_asn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 ocsp_asn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 ocsp_asn.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
 ocsp_asn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ocsp_asn.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-ocsp_asn.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-ocsp_asn.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-ocsp_asn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-ocsp_asn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ocsp_asn.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-ocsp_asn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-ocsp_asn.o: ../../include/openssl/x509v3.h ocsp_asn.c
-ocsp_cl.o: ../../e_os.h ../../include/openssl/aes.h
-ocsp_cl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ocsp_cl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-ocsp_cl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+ocsp_asn.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ocsp_asn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ocsp_asn.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ocsp_asn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+ocsp_asn.o: ocsp_asn.c
+ocsp_cl.o: ../../e_os.h ../../include/openssl/asn1.h
+ocsp_cl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 ocsp_cl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-ocsp_cl.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-ocsp_cl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-ocsp_cl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-ocsp_cl.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-ocsp_cl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-ocsp_cl.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-ocsp_cl.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+ocsp_cl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ocsp_cl.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ocsp_cl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ocsp_cl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 ocsp_cl.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
 ocsp_cl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 ocsp_cl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
 ocsp_cl.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-ocsp_cl.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-ocsp_cl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-ocsp_cl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-ocsp_cl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-ocsp_cl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ocsp_cl.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-ocsp_cl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-ocsp_cl.o: ../../include/openssl/x509v3.h ../cryptlib.h ocsp_cl.c
-ocsp_err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-ocsp_err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-ocsp_err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-ocsp_err.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-ocsp_err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-ocsp_err.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-ocsp_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-ocsp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-ocsp_err.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-ocsp_err.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-ocsp_err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+ocsp_cl.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+ocsp_cl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ocsp_cl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ocsp_cl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+ocsp_cl.o: ../cryptlib.h ocsp_cl.c
+ocsp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ocsp_err.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+ocsp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ocsp_err.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+ocsp_err.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+ocsp_err.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 ocsp_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 ocsp_err.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
 ocsp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ocsp_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-ocsp_err.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-ocsp_err.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-ocsp_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-ocsp_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ocsp_err.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-ocsp_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-ocsp_err.o: ../../include/openssl/x509v3.h ocsp_err.c
-ocsp_ext.o: ../../e_os.h ../../include/openssl/aes.h
-ocsp_ext.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ocsp_ext.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-ocsp_ext.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+ocsp_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ocsp_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ocsp_err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ocsp_err.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+ocsp_err.o: ocsp_err.c
+ocsp_ext.o: ../../e_os.h ../../include/openssl/asn1.h
+ocsp_ext.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 ocsp_ext.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-ocsp_ext.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-ocsp_ext.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-ocsp_ext.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-ocsp_ext.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-ocsp_ext.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-ocsp_ext.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-ocsp_ext.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+ocsp_ext.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ocsp_ext.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ocsp_ext.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ocsp_ext.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 ocsp_ext.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
 ocsp_ext.o: ../../include/openssl/opensslconf.h
 ocsp_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ocsp_ext.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-ocsp_ext.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-ocsp_ext.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-ocsp_ext.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-ocsp_ext.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-ocsp_ext.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-ocsp_ext.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-ocsp_ext.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-ocsp_ext.o: ../cryptlib.h ocsp_ext.c
-ocsp_ht.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-ocsp_ht.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-ocsp_ht.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-ocsp_ht.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-ocsp_ht.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-ocsp_ht.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-ocsp_ht.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-ocsp_ht.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-ocsp_ht.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-ocsp_ht.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-ocsp_ht.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+ocsp_ext.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ocsp_ext.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ocsp_ext.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ocsp_ext.o: ../../include/openssl/x509v3.h ../cryptlib.h ocsp_ext.c
+ocsp_ht.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ocsp_ht.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+ocsp_ht.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ocsp_ht.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+ocsp_ht.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+ocsp_ht.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 ocsp_ht.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 ocsp_ht.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
 ocsp_ht.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ocsp_ht.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-ocsp_ht.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-ocsp_ht.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-ocsp_ht.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-ocsp_ht.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ocsp_ht.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-ocsp_ht.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-ocsp_ht.o: ../../include/openssl/x509v3.h ocsp_ht.c
-ocsp_lib.o: ../../e_os.h ../../include/openssl/aes.h
-ocsp_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ocsp_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-ocsp_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+ocsp_ht.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ocsp_ht.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ocsp_ht.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ocsp_ht.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+ocsp_ht.o: ocsp_ht.c
+ocsp_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+ocsp_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 ocsp_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-ocsp_lib.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-ocsp_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-ocsp_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-ocsp_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-ocsp_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-ocsp_lib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-ocsp_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+ocsp_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ocsp_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ocsp_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ocsp_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 ocsp_lib.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
 ocsp_lib.o: ../../include/openssl/opensslconf.h
 ocsp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ocsp_lib.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
 ocsp_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-ocsp_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-ocsp_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-ocsp_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-ocsp_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-ocsp_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-ocsp_lib.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-ocsp_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-ocsp_lib.o: ../cryptlib.h ocsp_lib.c
-ocsp_prn.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-ocsp_prn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-ocsp_prn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-ocsp_prn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-ocsp_prn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-ocsp_prn.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-ocsp_prn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-ocsp_prn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-ocsp_prn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-ocsp_prn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-ocsp_prn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+ocsp_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ocsp_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ocsp_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ocsp_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ocsp_lib.c
+ocsp_prn.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ocsp_prn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+ocsp_prn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ocsp_prn.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+ocsp_prn.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+ocsp_prn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 ocsp_prn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 ocsp_prn.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
 ocsp_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ocsp_prn.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-ocsp_prn.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-ocsp_prn.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-ocsp_prn.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-ocsp_prn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-ocsp_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ocsp_prn.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-ocsp_prn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-ocsp_prn.o: ../../include/openssl/x509v3.h ocsp_prn.c
-ocsp_srv.o: ../../e_os.h ../../include/openssl/aes.h
-ocsp_srv.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ocsp_srv.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-ocsp_srv.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+ocsp_prn.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ocsp_prn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ocsp_prn.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ocsp_prn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+ocsp_prn.o: ocsp_prn.c
+ocsp_srv.o: ../../e_os.h ../../include/openssl/asn1.h
+ocsp_srv.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 ocsp_srv.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-ocsp_srv.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-ocsp_srv.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-ocsp_srv.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-ocsp_srv.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-ocsp_srv.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-ocsp_srv.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-ocsp_srv.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+ocsp_srv.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ocsp_srv.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ocsp_srv.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ocsp_srv.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 ocsp_srv.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
 ocsp_srv.o: ../../include/openssl/opensslconf.h
 ocsp_srv.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ocsp_srv.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
 ocsp_srv.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-ocsp_srv.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-ocsp_srv.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-ocsp_srv.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-ocsp_srv.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-ocsp_srv.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-ocsp_srv.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-ocsp_srv.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-ocsp_srv.o: ../cryptlib.h ocsp_srv.c
-ocsp_vfy.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-ocsp_vfy.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-ocsp_vfy.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-ocsp_vfy.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-ocsp_vfy.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-ocsp_vfy.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-ocsp_vfy.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-ocsp_vfy.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-ocsp_vfy.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-ocsp_vfy.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-ocsp_vfy.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+ocsp_srv.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ocsp_srv.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ocsp_srv.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ocsp_srv.o: ../../include/openssl/x509v3.h ../cryptlib.h ocsp_srv.c
+ocsp_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ocsp_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+ocsp_vfy.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ocsp_vfy.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+ocsp_vfy.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+ocsp_vfy.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 ocsp_vfy.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 ocsp_vfy.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
 ocsp_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ocsp_vfy.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-ocsp_vfy.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-ocsp_vfy.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-ocsp_vfy.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-ocsp_vfy.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ocsp_vfy.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-ocsp_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-ocsp_vfy.o: ../../include/openssl/x509v3.h ocsp_vfy.c
+ocsp_vfy.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ocsp_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ocsp_vfy.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ocsp_vfy.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+ocsp_vfy.o: ocsp_vfy.c
diff --git a/crypto/openssl/crypto/ocsp/ocsp.h b/crypto/openssl/crypto/ocsp/ocsp.h
index fab3c0318215..53f3364af0c4 100644
--- a/crypto/openssl/crypto/ocsp/ocsp.h
+++ b/crypto/openssl/crypto/ocsp/ocsp.h
@@ -349,13 +349,9 @@ typedef struct ocsp_service_locator_st
 #define PEM_STRING_OCSP_REQUEST	"OCSP REQUEST"
 #define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
 
-#define d2i_OCSP_REQUEST_bio(bp,p) (OCSP_REQUEST*)ASN1_d2i_bio((char*(*)()) \
-		OCSP_REQUEST_new,(char *(*)())d2i_OCSP_REQUEST, (bp),\
-		(unsigned char **)(p))
+#define d2i_OCSP_REQUEST_bio(bp,p) ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)
 
-#define d2i_OCSP_RESPONSE_bio(bp,p) (OCSP_RESPONSE*)ASN1_d2i_bio((char*(*)())\
-		OCSP_REQUEST_new,(char *(*)())d2i_OCSP_RESPONSE, (bp),\
-		(unsigned char **)(p))
+#define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
 
 #define	PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \
      (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
@@ -371,11 +367,9 @@ typedef struct ocsp_service_locator_st
     PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
 			bp,(char *)o, NULL,NULL,0,NULL,NULL)
 
-#define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio(i2d_OCSP_RESPONSE,bp,\
-		(unsigned char *)o)
+#define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)
 
-#define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio(i2d_OCSP_REQUEST,bp,\
-		(unsigned char *)o)
+#define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
 
 #define OCSP_REQUEST_sign(o,pkey,md) \
 	ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
@@ -396,8 +390,7 @@ typedef struct ocsp_service_locator_st
 #define ASN1_BIT_STRING_digest(data,type,md,len) \
 	ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
 
-#define OCSP_CERTID_dup(cid) (OCSP_CERTID*)ASN1_dup((int(*)())i2d_OCSP_CERTID,\
-		(char *(*)())d2i_OCSP_CERTID,(char *)(cid))
+#define OCSP_CERTID_dup(cid) ASN1_dup_of(OCSP_CERTID,i2d_OCSP_CERTID,d2i_OCSP_CERTID,cid)
 
 #define OCSP_CERTSTATUS_dup(cs)\
                 (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
@@ -473,8 +466,10 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
 			X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
 			STACK_OF(X509) *certs, unsigned long flags);
 
-ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(), 
-				char *data, STACK_OF(ASN1_OBJECT) *sk);
+ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d,
+				void *data, STACK_OF(ASN1_OBJECT) *sk);
+#define ASN1_STRING_encode_of(type,s,i2d,data,sk) \
+((ASN1_STRING *(*)(ASN1_STRING *,I2D_OF(type),type *,STACK_OF(ASN1_OBJECT) *))openssl_fcast(ASN1_STRING_encode))(s,i2d,data,sk)
 
 X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
 
@@ -564,11 +559,11 @@ void ERR_load_OCSP_strings(void);
 
 /* Function codes. */
 #define OCSP_F_ASN1_STRING_ENCODE			 100
-#define OCSP_F_CERT_ID_NEW				 101
 #define OCSP_F_D2I_OCSP_NONCE				 102
 #define OCSP_F_OCSP_BASIC_ADD1_STATUS			 103
 #define OCSP_F_OCSP_BASIC_SIGN				 104
 #define OCSP_F_OCSP_BASIC_VERIFY			 105
+#define OCSP_F_OCSP_CERT_ID_NEW				 101
 #define OCSP_F_OCSP_CHECK_DELEGATED			 106
 #define OCSP_F_OCSP_CHECK_IDS				 107
 #define OCSP_F_OCSP_CHECK_ISSUER			 108
diff --git a/crypto/openssl/crypto/ocsp/ocsp_cl.c b/crypto/openssl/crypto/ocsp/ocsp_cl.c
index 9b3e6dd8ca22..17bab5fc59c7 100755
--- a/crypto/openssl/crypto/ocsp/ocsp_cl.c
+++ b/crypto/openssl/crypto/ocsp/ocsp_cl.c
@@ -101,6 +101,8 @@ int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
 	{
 	GENERAL_NAME *gen;
 	gen = GENERAL_NAME_new();
+	if (gen == NULL)
+		return 0;
 	if (!X509_NAME_set(&gen->d.directoryName, nm))
 		{
 		GENERAL_NAME_free(gen);
diff --git a/crypto/openssl/crypto/ocsp/ocsp_err.c b/crypto/openssl/crypto/ocsp/ocsp_err.c
index 4c4d8306f8ab..2c8ed7288486 100644
--- a/crypto/openssl/crypto/ocsp/ocsp_err.c
+++ b/crypto/openssl/crypto/ocsp/ocsp_err.c
@@ -1,6 +1,6 @@
 /* crypto/ocsp/ocsp_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,60 +64,64 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OCSP,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason)
+
 static ERR_STRING_DATA OCSP_str_functs[]=
 	{
-{ERR_PACK(0,OCSP_F_ASN1_STRING_ENCODE,0),	"ASN1_STRING_encode"},
-{ERR_PACK(0,OCSP_F_CERT_ID_NEW,0),	"CERT_ID_NEW"},
-{ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0),	"D2I_OCSP_NONCE"},
-{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0),	"OCSP_basic_add1_status"},
-{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0),	"OCSP_basic_sign"},
-{ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0),	"OCSP_basic_verify"},
-{ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0),	"OCSP_CHECK_DELEGATED"},
-{ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0),	"OCSP_CHECK_IDS"},
-{ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0),	"OCSP_CHECK_ISSUER"},
-{ERR_PACK(0,OCSP_F_OCSP_CHECK_VALIDITY,0),	"OCSP_check_validity"},
-{ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0),	"OCSP_MATCH_ISSUERID"},
-{ERR_PACK(0,OCSP_F_OCSP_PARSE_URL,0),	"OCSP_parse_url"},
-{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0),	"OCSP_request_sign"},
-{ERR_PACK(0,OCSP_F_OCSP_REQUEST_VERIFY,0),	"OCSP_request_verify"},
-{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0),	"OCSP_response_get1_basic"},
-{ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0),	"OCSP_sendreq_bio"},
-{ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0),	"REQUEST_VERIFY"},
+{ERR_FUNC(OCSP_F_ASN1_STRING_ENCODE),	"ASN1_STRING_encode"},
+{ERR_FUNC(OCSP_F_D2I_OCSP_NONCE),	"D2I_OCSP_NONCE"},
+{ERR_FUNC(OCSP_F_OCSP_BASIC_ADD1_STATUS),	"OCSP_basic_add1_status"},
+{ERR_FUNC(OCSP_F_OCSP_BASIC_SIGN),	"OCSP_basic_sign"},
+{ERR_FUNC(OCSP_F_OCSP_BASIC_VERIFY),	"OCSP_basic_verify"},
+{ERR_FUNC(OCSP_F_OCSP_CERT_ID_NEW),	"OCSP_cert_id_new"},
+{ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED),	"OCSP_CHECK_DELEGATED"},
+{ERR_FUNC(OCSP_F_OCSP_CHECK_IDS),	"OCSP_CHECK_IDS"},
+{ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER),	"OCSP_CHECK_ISSUER"},
+{ERR_FUNC(OCSP_F_OCSP_CHECK_VALIDITY),	"OCSP_check_validity"},
+{ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID),	"OCSP_MATCH_ISSUERID"},
+{ERR_FUNC(OCSP_F_OCSP_PARSE_URL),	"OCSP_parse_url"},
+{ERR_FUNC(OCSP_F_OCSP_REQUEST_SIGN),	"OCSP_request_sign"},
+{ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY),	"OCSP_request_verify"},
+{ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC),	"OCSP_response_get1_basic"},
+{ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO),	"OCSP_sendreq_bio"},
+{ERR_FUNC(OCSP_F_REQUEST_VERIFY),	"REQUEST_VERIFY"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA OCSP_str_reasons[]=
 	{
-{OCSP_R_BAD_DATA                         ,"bad data"},
-{OCSP_R_CERTIFICATE_VERIFY_ERROR         ,"certificate verify error"},
-{OCSP_R_DIGEST_ERR                       ,"digest err"},
-{OCSP_R_ERROR_IN_NEXTUPDATE_FIELD        ,"error in nextupdate field"},
-{OCSP_R_ERROR_IN_THISUPDATE_FIELD        ,"error in thisupdate field"},
-{OCSP_R_ERROR_PARSING_URL                ,"error parsing url"},
-{OCSP_R_MISSING_OCSPSIGNING_USAGE        ,"missing ocspsigning usage"},
-{OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE     ,"nextupdate before thisupdate"},
-{OCSP_R_NOT_BASIC_RESPONSE               ,"not basic response"},
-{OCSP_R_NO_CERTIFICATES_IN_CHAIN         ,"no certificates in chain"},
-{OCSP_R_NO_CONTENT                       ,"no content"},
-{OCSP_R_NO_PUBLIC_KEY                    ,"no public key"},
-{OCSP_R_NO_RESPONSE_DATA                 ,"no response data"},
-{OCSP_R_NO_REVOKED_TIME                  ,"no revoked time"},
-{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
-{OCSP_R_REQUEST_NOT_SIGNED               ,"request not signed"},
-{OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
-{OCSP_R_ROOT_CA_NOT_TRUSTED              ,"root ca not trusted"},
-{OCSP_R_SERVER_READ_ERROR                ,"server read error"},
-{OCSP_R_SERVER_RESPONSE_ERROR            ,"server response error"},
-{OCSP_R_SERVER_RESPONSE_PARSE_ERROR      ,"server response parse error"},
-{OCSP_R_SERVER_WRITE_ERROR               ,"server write error"},
-{OCSP_R_SIGNATURE_FAILURE                ,"signature failure"},
-{OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND     ,"signer certificate not found"},
-{OCSP_R_STATUS_EXPIRED                   ,"status expired"},
-{OCSP_R_STATUS_NOT_YET_VALID             ,"status not yet valid"},
-{OCSP_R_STATUS_TOO_OLD                   ,"status too old"},
-{OCSP_R_UNKNOWN_MESSAGE_DIGEST           ,"unknown message digest"},
-{OCSP_R_UNKNOWN_NID                      ,"unknown nid"},
-{OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE   ,"unsupported requestorname type"},
+{ERR_REASON(OCSP_R_BAD_DATA)             ,"bad data"},
+{ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR),"certificate verify error"},
+{ERR_REASON(OCSP_R_DIGEST_ERR)           ,"digest err"},
+{ERR_REASON(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD),"error in nextupdate field"},
+{ERR_REASON(OCSP_R_ERROR_IN_THISUPDATE_FIELD),"error in thisupdate field"},
+{ERR_REASON(OCSP_R_ERROR_PARSING_URL)    ,"error parsing url"},
+{ERR_REASON(OCSP_R_MISSING_OCSPSIGNING_USAGE),"missing ocspsigning usage"},
+{ERR_REASON(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE),"nextupdate before thisupdate"},
+{ERR_REASON(OCSP_R_NOT_BASIC_RESPONSE)   ,"not basic response"},
+{ERR_REASON(OCSP_R_NO_CERTIFICATES_IN_CHAIN),"no certificates in chain"},
+{ERR_REASON(OCSP_R_NO_CONTENT)           ,"no content"},
+{ERR_REASON(OCSP_R_NO_PUBLIC_KEY)        ,"no public key"},
+{ERR_REASON(OCSP_R_NO_RESPONSE_DATA)     ,"no response data"},
+{ERR_REASON(OCSP_R_NO_REVOKED_TIME)      ,"no revoked time"},
+{ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"},
+{ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED)   ,"request not signed"},
+{ERR_REASON(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA),"response contains no revocation data"},
+{ERR_REASON(OCSP_R_ROOT_CA_NOT_TRUSTED)  ,"root ca not trusted"},
+{ERR_REASON(OCSP_R_SERVER_READ_ERROR)    ,"server read error"},
+{ERR_REASON(OCSP_R_SERVER_RESPONSE_ERROR),"server response error"},
+{ERR_REASON(OCSP_R_SERVER_RESPONSE_PARSE_ERROR),"server response parse error"},
+{ERR_REASON(OCSP_R_SERVER_WRITE_ERROR)   ,"server write error"},
+{ERR_REASON(OCSP_R_SIGNATURE_FAILURE)    ,"signature failure"},
+{ERR_REASON(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND),"signer certificate not found"},
+{ERR_REASON(OCSP_R_STATUS_EXPIRED)       ,"status expired"},
+{ERR_REASON(OCSP_R_STATUS_NOT_YET_VALID) ,"status not yet valid"},
+{ERR_REASON(OCSP_R_STATUS_TOO_OLD)       ,"status too old"},
+{ERR_REASON(OCSP_R_UNKNOWN_MESSAGE_DIGEST),"unknown message digest"},
+{ERR_REASON(OCSP_R_UNKNOWN_NID)          ,"unknown nid"},
+{ERR_REASON(OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE),"unsupported requestorname type"},
 {0,NULL}
 	};
 
@@ -131,8 +135,8 @@ void ERR_load_OCSP_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_OCSP,OCSP_str_functs);
-		ERR_load_strings(ERR_LIB_OCSP,OCSP_str_reasons);
+		ERR_load_strings(0,OCSP_str_functs);
+		ERR_load_strings(0,OCSP_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/ocsp/ocsp_ext.c b/crypto/openssl/crypto/ocsp/ocsp_ext.c
index 57399433fc42..815cc29d58fe 100755
--- a/crypto/openssl/crypto/ocsp/ocsp_ext.c
+++ b/crypto/openssl/crypto/ocsp/ocsp_ext.c
@@ -265,8 +265,8 @@ int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
 
 /* also CRL Entry Extensions */
 
-ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(), 
-				char *data, STACK_OF(ASN1_OBJECT) *sk)
+ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d,
+				void *data, STACK_OF(ASN1_OBJECT) *sk)
         {
 	int i;
 	unsigned char *p, *b = NULL;
@@ -274,18 +274,23 @@ ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(),
 	if (data)
 	        {
 		if ((i=i2d(data,NULL)) <= 0) goto err;
-		if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i)))
+		if (!(b=p=OPENSSL_malloc((unsigned int)i)))
 			goto err;
 	        if (i2d(data, &p) <= 0) goto err;
 		}
 	else if (sk)
 	        {
-		if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,i2d,V_ASN1_SEQUENCE,
-				   V_ASN1_UNIVERSAL,IS_SEQUENCE))<=0) goto err;
-		if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i)))
+		if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,
+						   (I2D_OF(ASN1_OBJECT))i2d,
+						   V_ASN1_SEQUENCE,
+						   V_ASN1_UNIVERSAL,
+						   IS_SEQUENCE))<=0) goto err;
+		if (!(b=p=OPENSSL_malloc((unsigned int)i)))
 			goto err;
-		if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,i2d,V_ASN1_SEQUENCE,
-				 V_ASN1_UNIVERSAL,IS_SEQUENCE)<=0) goto err;
+		if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,(I2D_OF(ASN1_OBJECT))i2d,
+						V_ASN1_SEQUENCE,
+						V_ASN1_UNIVERSAL,
+						IS_SEQUENCE)<=0) goto err;
 		}
 	else
 		{
@@ -439,7 +444,8 @@ X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
 		}
 	if (!(x = X509_EXTENSION_new())) goto err;
 	if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_CrlID))) goto err;
-	if (!(ASN1_STRING_encode(x->value,i2d_OCSP_CRLID,(char*)cid,NULL)))
+	if (!(ASN1_STRING_encode_of(OCSP_CRLID,x->value,i2d_OCSP_CRLID,cid,
+				    NULL)))
 	        goto err;
 	OCSP_CRLID_free(cid);
 	return x;
@@ -467,7 +473,8 @@ X509_EXTENSION *OCSP_accept_responses_new(char **oids)
 	if (!(x = X509_EXTENSION_new())) goto err;
 	if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_acceptableResponses)))
 		goto err;
-	if (!(ASN1_STRING_encode(x->value,i2d_ASN1_OBJECT,NULL,sk)))
+	if (!(ASN1_STRING_encode_of(ASN1_OBJECT,x->value,i2d_ASN1_OBJECT,NULL,
+				    sk)))
 	        goto err;
 	sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
 	return x;
@@ -487,8 +494,8 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char* tim)
 	if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err;
 	if (!(x = X509_EXTENSION_new())) goto err;
 	if (!(x->object=OBJ_nid2obj(NID_id_pkix_OCSP_archiveCutoff)))goto err;
-	if (!(ASN1_STRING_encode(x->value,i2d_ASN1_GENERALIZEDTIME,
-				 (char*)gt,NULL))) goto err;
+	if (!(ASN1_STRING_encode_of(ASN1_GENERALIZEDTIME,x->value,
+				    i2d_ASN1_GENERALIZEDTIME,gt,NULL))) goto err;
 	ASN1_GENERALIZEDTIME_free(gt);
 	return x;
 err:
@@ -526,8 +533,8 @@ X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
 	if (!(x = X509_EXTENSION_new())) goto err;
 	if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_serviceLocator))) 
 	        goto err;
-	if (!(ASN1_STRING_encode(x->value, i2d_OCSP_SERVICELOC,
-				 (char*)sloc, NULL))) goto err;
+	if (!(ASN1_STRING_encode_of(OCSP_SERVICELOC,x->value,
+				    i2d_OCSP_SERVICELOC,sloc,NULL))) goto err;
 	OCSP_SERVICELOC_free(sloc);
 	return x;
 err:
diff --git a/crypto/openssl/crypto/ocsp/ocsp_lib.c b/crypto/openssl/crypto/ocsp/ocsp_lib.c
index 9e87fc78957e..27450811d720 100755
--- a/crypto/openssl/crypto/ocsp/ocsp_lib.c
+++ b/crypto/openssl/crypto/ocsp/ocsp_lib.c
@@ -112,7 +112,7 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
 	if (alg->algorithm != NULL) ASN1_OBJECT_free(alg->algorithm);
 	if ((nid = EVP_MD_type(dgst)) == NID_undef)
 	        {
-		OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_UNKNOWN_NID);
+		OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_UNKNOWN_NID);
 		goto err;
 		}
 	if (!(alg->algorithm=OBJ_nid2obj(nid))) goto err;
@@ -134,7 +134,7 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
 		}
 	return cid;
 digerr:
-	OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_DIGEST_ERR);
+	OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_DIGEST_ERR);
 err:
 	if (cid) OCSP_CERTID_free(cid);
 	return NULL;
diff --git a/crypto/openssl/crypto/ocsp/ocsp_prn.c b/crypto/openssl/crypto/ocsp/ocsp_prn.c
index 4b7bc2876958..3dfb51c1e41c 100644
--- a/crypto/openssl/crypto/ocsp/ocsp_prn.c
+++ b/crypto/openssl/crypto/ocsp/ocsp_prn.c
@@ -194,7 +194,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
 
 	if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err;
 	l=ASN1_ENUMERATED_get(o->responseStatus);
-	if (BIO_printf(bp,"    OCSP Response Status: %s (0x%x)\n",
+	if (BIO_printf(bp,"    OCSP Response Status: %s (0x%lx)\n",
 		       OCSP_response_status_str(l), l) <= 0) goto err;
 	if (rb == NULL) return 1;
         if (BIO_puts(bp,"    Response Type: ") <= 0)
@@ -252,7 +252,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
 			        {
 				l=ASN1_ENUMERATED_get(rev->revocationReason);
 				if (BIO_printf(bp, 
-					 "\n    Revocation Reason: %s (0x%x)",
+					 "\n    Revocation Reason: %s (0x%lx)",
 					       OCSP_crl_reason_str(l), l) <= 0)
 				        goto err;
 				}
diff --git a/crypto/openssl/crypto/opensslconf.h b/crypto/openssl/crypto/opensslconf.h
index 492041bc7cb5..3cf32b3f5ce7 100644
--- a/crypto/openssl/crypto/opensslconf.h
+++ b/crypto/openssl/crypto/opensslconf.h
@@ -4,20 +4,41 @@
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND
 
+#ifndef OPENSSL_NO_GMP
+# define OPENSSL_NO_GMP
+#endif
 #ifndef OPENSSL_NO_KRB5
 # define OPENSSL_NO_KRB5
 #endif
+#ifndef OPENSSL_NO_MDC2
+# define OPENSSL_NO_MDC2
+#endif
+#ifndef OPENSSL_NO_RC5
+# define OPENSSL_NO_RC5
+#endif
 
 #endif /* OPENSSL_DOING_MAKEDEPEND */
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+# define OPENSSL_NO_DYNAMIC_ENGINE
+#endif
 
 /* The OPENSSL_NO_* macros are also defined as NO_* if the application
    asks for it.  This is a transient feature that is provided for those
    who haven't had the time to do the appropriate changes in their
    applications.  */
 #ifdef OPENSSL_ALGORITHM_DEFINES
+# if defined(OPENSSL_NO_GMP) && !defined(NO_GMP)
+#  define NO_GMP
+# endif
 # if defined(OPENSSL_NO_KRB5) && !defined(NO_KRB5)
 #  define NO_KRB5
 # endif
+# if defined(OPENSSL_NO_MDC2) && !defined(NO_MDC2)
+#  define NO_MDC2
+# endif
+# if defined(OPENSSL_NO_RC5) && !defined(NO_RC5)
+#  define NO_RC5
+# endif
 #endif
 
 /* crypto/opensslconf.h.in */
@@ -27,6 +48,7 @@
 
 #if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
 #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define ENGINESDIR "/usr/local/ssl/lib/engines"
 #define OPENSSLDIR "/usr/local/ssl"
 #endif
 #endif
diff --git a/crypto/openssl/crypto/opensslconf.h.in b/crypto/openssl/crypto/opensslconf.h.in
index 685e83b7a33f..cee83acf9898 100644
--- a/crypto/openssl/crypto/opensslconf.h.in
+++ b/crypto/openssl/crypto/opensslconf.h.in
@@ -5,6 +5,7 @@
 
 #if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
 #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define ENGINESDIR "/usr/local/lib/engines"
 #define OPENSSLDIR "/usr/local/ssl"
 #endif
 #endif
diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h
index acb4584869bc..c303b06bc500 100644
--- a/crypto/openssl/crypto/opensslv.h
+++ b/crypto/openssl/crypto/opensslv.h
@@ -12,7 +12,7 @@
  * 0.9.3-beta2    0x00903002 (same as ...beta2-dev)
  * 0.9.3	  0x0090300f
  * 0.9.3a	  0x0090301f
- * 0.9.4 	  0x0090400f
+ * 0.9.4	  0x0090400f
  * 1.2.3z	  0x102031af
  *
  * For continuity reasons (because 0.9.5 is already out, and is coded
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x0090705FL
+#define OPENSSL_VERSION_NUMBER	0x0090802fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7e-fips 25 Oct 2004"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8b-fips 04 May 2006"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7e 25 Oct 2004"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8b 04 May 2006"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
@@ -83,7 +83,7 @@
  * should only keep the versions that are binary compatible with the current.
  */
 #define SHLIB_VERSION_HISTORY ""
-#define SHLIB_VERSION_NUMBER "0.9.7"
+#define SHLIB_VERSION_NUMBER "0.9.8"
 
 
 #endif /* HEADER_OPENSSLV_H */
diff --git a/crypto/openssl/crypto/ossl_typ.h b/crypto/openssl/crypto/ossl_typ.h
index 285fd0b1d977..9c335a181909 100644
--- a/crypto/openssl/crypto/ossl_typ.h
+++ b/crypto/openssl/crypto/ossl_typ.h
@@ -97,15 +97,42 @@ typedef int ASN1_NULL;
 
 #ifdef OPENSSL_SYS_WIN32
 #undef X509_NAME
+#undef X509_CERT_PAIR
 #undef PKCS7_ISSUER_AND_SERIAL
 #endif
 
+#ifdef BIGNUM
+#undef BIGNUM
+#endif
+typedef struct bignum_st BIGNUM;
+typedef struct bignum_ctx BN_CTX;
+typedef struct bn_blinding_st BN_BLINDING;
+typedef struct bn_mont_ctx_st BN_MONT_CTX;
+typedef struct bn_recp_ctx_st BN_RECP_CTX;
+typedef struct bn_gencb_st BN_GENCB;
+
+typedef struct buf_mem_st BUF_MEM;
+
 typedef struct evp_cipher_st EVP_CIPHER;
 typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
 typedef struct env_md_st EVP_MD;
 typedef struct env_md_ctx_st EVP_MD_CTX;
 typedef struct evp_pkey_st EVP_PKEY;
 
+typedef struct dh_st DH;
+typedef struct dh_method DH_METHOD;
+
+typedef struct dsa_st DSA;
+typedef struct dsa_method DSA_METHOD;
+
+typedef struct rsa_st RSA;
+typedef struct rsa_meth_st RSA_METHOD;
+
+typedef struct rand_meth_st RAND_METHOD;
+
+typedef struct ecdh_method ECDH_METHOD;
+typedef struct ecdsa_method ECDSA_METHOD;
+
 typedef struct x509_st X509;
 typedef struct X509_algor_st X509_ALGOR;
 typedef struct X509_crl_st X509_CRL;
@@ -113,10 +140,35 @@ typedef struct X509_name_st X509_NAME;
 typedef struct x509_store_st X509_STORE;
 typedef struct x509_store_ctx_st X509_STORE_CTX;
 
+typedef struct v3_ext_ctx X509V3_CTX;
+typedef struct conf_st CONF;
+
+typedef struct store_st STORE;
+typedef struct store_method_st STORE_METHOD;
+
+typedef struct ui_st UI;
+typedef struct ui_method_st UI_METHOD;
+
+typedef struct st_ERR_FNS ERR_FNS;
+
 typedef struct engine_st ENGINE;
 
+typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
+typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
+typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
+typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
+
   /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
 #define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
 #define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */
 
+typedef struct crypto_ex_data_st CRYPTO_EX_DATA;
+/* Callback types for crypto.h */
+typedef int CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+					int idx, long argl, void *argp);
+typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+					int idx, long argl, void *argp);
+typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, 
+					int idx, long argl, void *argp);
+
 #endif /* def HEADER_OPENSSL_TYPES_H */
diff --git a/crypto/openssl/crypto/pem/Makefile b/crypto/openssl/crypto/pem/Makefile
index c4e29f47edac..742194fd24cc 100644
--- a/crypto/openssl/crypto/pem/Makefile
+++ b/crypto/openssl/crypto/pem/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/pem/Makefile
+# OpenSSL/crypto/pem/Makefile
 #
 
 DIR=	pem
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -54,7 +49,8 @@ links: $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -69,6 +65,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
@@ -80,256 +77,165 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-pem_all.o: ../../e_os.h ../../include/openssl/aes.h
-pem_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pem_all.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+pem_all.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_all.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pem_all.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
 pem_all.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-pem_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_all.o: ../../include/openssl/fips.h ../../include/openssl/idea.h
-pem_all.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-pem_all.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-pem_all.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-pem_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-pem_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-pem_all.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-pem_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-pem_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pem_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pem_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pem_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pem_all.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-pem_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pem_all.o: ../cryptlib.h pem_all.c
-pem_err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-pem_err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-pem_err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-pem_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-pem_err.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-pem_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pem_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-pem_err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-pem_err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-pem_err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-pem_err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+pem_all.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+pem_all.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+pem_all.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+pem_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+pem_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+pem_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+pem_all.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pem_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_all.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pem_all.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_all.c
+pem_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pem_err.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+pem_err.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pem_err.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pem_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 pem_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 pem_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 pem_err.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-pem_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-pem_err.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pem_err.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pem_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pem_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pem_err.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-pem_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pem_err.o: pem_err.c
-pem_info.o: ../../e_os.h ../../include/openssl/aes.h
-pem_info.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_info.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_info.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pem_info.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-pem_info.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pem_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pem_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pem_err.o: ../../include/openssl/x509_vfy.h pem_err.c
+pem_info.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_info.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pem_info.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
+pem_info.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pem_info.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 pem_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_info.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_info.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_info.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-pem_info.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-pem_info.o: ../../include/openssl/opensslconf.h
+pem_info.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pem_info.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 pem_info.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 pem_info.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-pem_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-pem_info.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pem_info.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pem_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 pem_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 pem_info.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pem_info.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 pem_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 pem_info.o: ../cryptlib.h pem_info.c
-pem_lib.o: ../../e_os.h ../../include/openssl/aes.h
-pem_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pem_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 pem_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pem_lib.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-pem_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-pem_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_lib.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+pem_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+pem_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+pem_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pem_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pem_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 pem_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
 pem_lib.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
 pem_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-pem_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pem_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-pem_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-pem_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pem_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-pem_lib.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-pem_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_lib.c
-pem_oth.o: ../../e_os.h ../../include/openssl/aes.h
-pem_oth.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_oth.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_oth.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_oth.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pem_oth.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-pem_oth.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-pem_oth.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_oth.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_oth.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_oth.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pem_lib.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+pem_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_lib.o: ../cryptlib.h pem_lib.c
+pem_oth.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_oth.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pem_oth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+pem_oth.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+pem_oth.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+pem_oth.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pem_oth.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pem_oth.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 pem_oth.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
 pem_oth.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-pem_oth.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-pem_oth.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pem_oth.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pem_oth.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pem_oth.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pem_oth.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-pem_oth.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pem_oth.o: ../cryptlib.h pem_oth.c
-pem_pk8.o: ../../e_os.h ../../include/openssl/aes.h
-pem_pk8.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_pk8.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_pk8.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_pk8.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pem_pk8.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-pem_pk8.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-pem_pk8.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_pk8.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_pk8.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_pk8.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_oth.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+pem_oth.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_oth.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pem_oth.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_oth.c
+pem_pk8.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_pk8.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pem_pk8.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+pem_pk8.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+pem_pk8.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+pem_pk8.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pem_pk8.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pem_pk8.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 pem_pk8.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
 pem_pk8.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
 pem_pk8.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-pem_pk8.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pem_pk8.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-pem_pk8.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-pem_pk8.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pem_pk8.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-pem_pk8.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-pem_pk8.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_pk8.c
-pem_pkey.o: ../../e_os.h ../../include/openssl/aes.h
-pem_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_pkey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pem_pkey.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-pem_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-pem_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_pkey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_pkey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_pk8.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_pk8.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pem_pk8.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_pk8.o: ../cryptlib.h pem_pk8.c
+pem_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_pkey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pem_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+pem_pkey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+pem_pkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+pem_pkey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pem_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pem_pkey.o: ../../include/openssl/opensslconf.h
 pem_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 pem_pkey.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
 pem_pkey.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-pem_pkey.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-pem_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pem_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pem_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pem_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pem_pkey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-pem_pkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pem_pkey.o: ../cryptlib.h pem_pkey.c
-pem_seal.o: ../../e_os.h ../../include/openssl/aes.h
-pem_seal.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_seal.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_seal.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_seal.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pem_seal.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-pem_seal.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-pem_seal.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_seal.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_seal.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_seal.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_pkey.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+pem_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pem_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_pkey.c
+pem_seal.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_seal.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pem_seal.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+pem_seal.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+pem_seal.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+pem_seal.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pem_seal.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pem_seal.o: ../../include/openssl/opensslconf.h
 pem_seal.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 pem_seal.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
 pem_seal.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-pem_seal.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pem_seal.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 pem_seal.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 pem_seal.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pem_seal.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-pem_seal.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+pem_seal.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 pem_seal.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_seal.c
-pem_sign.o: ../../e_os.h ../../include/openssl/aes.h
-pem_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pem_sign.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-pem_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-pem_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_sign.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_sign.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pem_sign.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+pem_sign.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+pem_sign.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+pem_sign.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pem_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pem_sign.o: ../../include/openssl/opensslconf.h
 pem_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 pem_sign.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
 pem_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-pem_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pem_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-pem_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-pem_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pem_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-pem_sign.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-pem_sign.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_sign.c
-pem_x509.o: ../../e_os.h ../../include/openssl/aes.h
-pem_x509.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_x509.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_x509.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_x509.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pem_x509.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-pem_x509.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-pem_x509.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_x509.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_x509.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_x509.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pem_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_sign.o: ../cryptlib.h pem_sign.c
+pem_x509.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_x509.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pem_x509.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+pem_x509.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+pem_x509.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+pem_x509.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pem_x509.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pem_x509.o: ../../include/openssl/opensslconf.h
 pem_x509.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 pem_x509.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-pem_x509.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-pem_x509.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pem_x509.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pem_x509.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pem_x509.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pem_x509.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-pem_x509.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pem_x509.o: ../cryptlib.h pem_x509.c
-pem_xaux.o: ../../e_os.h ../../include/openssl/aes.h
-pem_xaux.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_xaux.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_xaux.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_xaux.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pem_xaux.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-pem_xaux.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-pem_xaux.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_xaux.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_xaux.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_xaux.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_x509.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pem_x509.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_x509.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pem_x509.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_x509.c
+pem_xaux.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_xaux.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pem_xaux.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+pem_xaux.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+pem_xaux.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+pem_xaux.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pem_xaux.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pem_xaux.o: ../../include/openssl/opensslconf.h
 pem_xaux.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 pem_xaux.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-pem_xaux.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-pem_xaux.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pem_xaux.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pem_xaux.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pem_xaux.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pem_xaux.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-pem_xaux.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pem_xaux.o: ../cryptlib.h pem_xaux.c
+pem_xaux.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pem_xaux.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_xaux.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pem_xaux.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_xaux.c
diff --git a/crypto/openssl/crypto/pem/pem.h b/crypto/openssl/crypto/pem/pem.h
index d330cbf9a328..7db6b423d06b 100644
--- a/crypto/openssl/crypto/pem/pem.h
+++ b/crypto/openssl/crypto/pem/pem.h
@@ -59,6 +59,7 @@
 #ifndef HEADER_PEM_H
 #define HEADER_PEM_H
 
+#include <openssl/e_os2.h>
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
@@ -68,7 +69,6 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem2.h>
-#include <openssl/e_os2.h>
 
 #ifdef  __cplusplus
 extern "C" {
@@ -91,6 +91,9 @@ extern "C" {
 #define PEM_OBJ_DHPARAMS	17
 #define PEM_OBJ_DSAPARAMS	18
 #define PEM_OBJ_PRIV_RSA_PUBLIC	19
+#define PEM_OBJ_PRIV_ECDSA	20
+#define PEM_OBJ_PUB_ECDSA	21
+#define PEM_OBJ_ECPARAMETERS	22
 
 #define PEM_ERROR		30
 #define PEM_DEK_DES_CBC         40
@@ -110,6 +113,7 @@ extern "C" {
 
 #define PEM_STRING_X509_OLD	"X509 CERTIFICATE"
 #define PEM_STRING_X509		"CERTIFICATE"
+#define PEM_STRING_X509_PAIR	"CERTIFICATE PAIR"
 #define PEM_STRING_X509_TRUSTED	"TRUSTED CERTIFICATE"
 #define PEM_STRING_X509_REQ_OLD	"NEW CERTIFICATE REQUEST"
 #define PEM_STRING_X509_REQ	"CERTIFICATE REQUEST"
@@ -126,6 +130,9 @@ extern "C" {
 #define PEM_STRING_DHPARAMS	"DH PARAMETERS"
 #define PEM_STRING_SSL_SESSION	"SSL SESSION PARAMETERS"
 #define PEM_STRING_DSAPARAMS	"DSA PARAMETERS"
+#define PEM_STRING_ECDSA_PUBLIC "ECDSA PUBLIC KEY"
+#define PEM_STRING_ECPARAMETERS "EC PARAMETERS"
+#define PEM_STRING_ECPRIVATEKEY	"EC PRIVATE KEY"
 
   /* Note that this structure is initialised by PEM_SealInit and cleaned up
      by PEM_SealFinal (at least for now) */
@@ -213,24 +220,35 @@ typedef struct pem_ctx_st
 #define IMPLEMENT_PEM_read_fp(name, type, str, asn1) \
 type *PEM_read_##name(FILE *fp, type **x, pem_password_cb *cb, void *u)\
 { \
-return((type *)PEM_ASN1_read((char *(*)())d2i_##asn1, str,fp,(char **)x,\
-	cb,u)); \
+return(((type *(*)(D2I_OF(type),char *,FILE *,type **,pem_password_cb *,void *))openssl_fcast(PEM_ASN1_read))(d2i_##asn1, str,fp,x,cb,u)); \
 } \
 
 #define IMPLEMENT_PEM_write_fp(name, type, str, asn1) \
 int PEM_write_##name(FILE *fp, type *x) \
 { \
-return(PEM_ASN1_write((int (*)())i2d_##asn1,str,fp, (char *)x, \
-							 NULL,NULL,0,NULL,NULL)); \
-} 
+return(((int (*)(I2D_OF(type),const char *,FILE *,type *, const EVP_CIPHER *,unsigned char *,int, pem_password_cb *,void *))openssl_fcast(PEM_ASN1_write))(i2d_##asn1,str,fp,x,NULL,NULL,0,NULL,NULL)); \
+}
+
+#define IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) \
+int PEM_write_##name(FILE *fp, const type *x) \
+{ \
+return(((int (*)(I2D_OF_const(type),const char *,FILE *, const type *, const EVP_CIPHER *,unsigned char *,int, pem_password_cb *,void *))openssl_fcast(PEM_ASN1_write))(i2d_##asn1,str,fp,x,NULL,NULL,0,NULL,NULL)); \
+}
 
 #define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) \
 int PEM_write_##name(FILE *fp, type *x, const EVP_CIPHER *enc, \
 	     unsigned char *kstr, int klen, pem_password_cb *cb, \
 		  void *u) \
 	{ \
-	return(PEM_ASN1_write((int (*)())i2d_##asn1,str,fp, \
-		(char *)x,enc,kstr,klen,cb,u)); \
+	return(((int (*)(I2D_OF(type),const char *,FILE *,type *, const EVP_CIPHER *,unsigned char *,int, pem_password_cb *,void *))openssl_fcast(PEM_ASN1_write))(i2d_##asn1,str,fp,x,enc,kstr,klen,cb,u)); \
+	}
+
+#define IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) \
+int PEM_write_##name(FILE *fp, type *x, const EVP_CIPHER *enc, \
+	     unsigned char *kstr, int klen, pem_password_cb *cb, \
+		  void *u) \
+	{ \
+	return(((int (*)(I2D_OF_const(type),const char *,FILE *,type *, const EVP_CIPHER *,unsigned char *,int, pem_password_cb *,void *))openssl_fcast(PEM_ASN1_write))(i2d_##asn1,str,fp,x,enc,kstr,klen,cb,u)); \
 	}
 
 #endif
@@ -238,33 +256,51 @@ int PEM_write_##name(FILE *fp, type *x, const EVP_CIPHER *enc, \
 #define IMPLEMENT_PEM_read_bio(name, type, str, asn1) \
 type *PEM_read_bio_##name(BIO *bp, type **x, pem_password_cb *cb, void *u)\
 { \
-return((type *)PEM_ASN1_read_bio((char *(*)())d2i_##asn1, str,bp,\
-							(char **)x,cb,u)); \
+return(((type *(*)(D2I_OF(type),const char *,BIO *,type **,pem_password_cb *,void *))openssl_fcast(PEM_ASN1_read_bio))(d2i_##asn1, str,bp,x,cb,u)); \
 }
 
 #define IMPLEMENT_PEM_write_bio(name, type, str, asn1) \
 int PEM_write_bio_##name(BIO *bp, type *x) \
 { \
-return(PEM_ASN1_write_bio((int (*)())i2d_##asn1,str,bp, (char *)x, \
-							 NULL,NULL,0,NULL,NULL)); \
+return(((int (*)(I2D_OF(type),const char *,BIO *,type *, const EVP_CIPHER *,unsigned char *,int, pem_password_cb *,void *))openssl_fcast(PEM_ASN1_write_bio))(i2d_##asn1,str,bp,x,NULL,NULL,0,NULL,NULL)); \
+}
+
+#define IMPLEMENT_PEM_write_bio_const(name, type, str, asn1) \
+int PEM_write_bio_##name(BIO *bp, const type *x) \
+{ \
+return(((int (*)(I2D_OF_const(type),const char *,BIO *,const type *, const EVP_CIPHER *,unsigned char *,int, pem_password_cb *,void *))openssl_fcast(PEM_ASN1_write_bio))(i2d_##asn1,str,bp,x,NULL,NULL,0,NULL,NULL)); \
 }
 
 #define IMPLEMENT_PEM_write_cb_bio(name, type, str, asn1) \
 int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 	     unsigned char *kstr, int klen, pem_password_cb *cb, void *u) \
 	{ \
-	return(PEM_ASN1_write_bio((int (*)())i2d_##asn1,str,bp, \
-		(char *)x,enc,kstr,klen,cb,u)); \
+	return(((int (*)(I2D_OF(type),const char *,BIO *,type *,const EVP_CIPHER *,unsigned char *,int,pem_password_cb *,void *))openssl_fcast(PEM_ASN1_write_bio))(i2d_##asn1,str,bp,x,enc,kstr,klen,cb,u)); \
+	}
+
+#define IMPLEMENT_PEM_write_cb_bio_const(name, type, str, asn1) \
+int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
+	     unsigned char *kstr, int klen, pem_password_cb *cb, void *u) \
+	{ \
+	return(((int (*)(I2D_OF_const(type),const char *,BIO *,type *,const EVP_CIPHER *,unsigned char *,int,pem_password_cb *,void *))openssl_fcast(PEM_ASN1_write_bio))(i2d_##asn1,str,bp,x,enc,kstr,klen,cb,u)); \
 	}
 
 #define IMPLEMENT_PEM_write(name, type, str, asn1) \
 	IMPLEMENT_PEM_write_bio(name, type, str, asn1) \
 	IMPLEMENT_PEM_write_fp(name, type, str, asn1) 
 
+#define IMPLEMENT_PEM_write_const(name, type, str, asn1) \
+	IMPLEMENT_PEM_write_bio_const(name, type, str, asn1) \
+	IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) 
+
 #define IMPLEMENT_PEM_write_cb(name, type, str, asn1) \
 	IMPLEMENT_PEM_write_cb_bio(name, type, str, asn1) \
 	IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) 
 
+#define IMPLEMENT_PEM_write_cb_const(name, type, str, asn1) \
+	IMPLEMENT_PEM_write_cb_bio_const(name, type, str, asn1) \
+	IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) 
+
 #define IMPLEMENT_PEM_read(name, type, str, asn1) \
 	IMPLEMENT_PEM_read_bio(name, type, str, asn1) \
 	IMPLEMENT_PEM_read_fp(name, type, str, asn1) 
@@ -273,6 +309,10 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 	IMPLEMENT_PEM_read(name, type, str, asn1) \
 	IMPLEMENT_PEM_write(name, type, str, asn1)
 
+#define IMPLEMENT_PEM_rw_const(name, type, str, asn1) \
+	IMPLEMENT_PEM_read(name, type, str, asn1) \
+	IMPLEMENT_PEM_write_const(name, type, str, asn1)
+
 #define IMPLEMENT_PEM_rw_cb(name, type, str, asn1) \
 	IMPLEMENT_PEM_read(name, type, str, asn1) \
 	IMPLEMENT_PEM_write_cb(name, type, str, asn1)
@@ -293,6 +333,9 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 #define DECLARE_PEM_write_fp(name, type) \
 	int PEM_write_##name(FILE *fp, type *x);
 
+#define DECLARE_PEM_write_fp_const(name, type) \
+	int PEM_write_##name(FILE *fp, const type *x);
+
 #define DECLARE_PEM_write_cb_fp(name, type) \
 	int PEM_write_##name(FILE *fp, type *x, const EVP_CIPHER *enc, \
 	     unsigned char *kstr, int klen, pem_password_cb *cb, void *u);
@@ -306,6 +349,9 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 #define DECLARE_PEM_write_bio(name, type) \
 	int PEM_write_bio_##name(BIO *bp, type *x);
 
+#define DECLARE_PEM_write_bio_const(name, type) \
+	int PEM_write_bio_##name(BIO *bp, const type *x);
+
 #define DECLARE_PEM_write_cb_bio(name, type) \
 	int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 	     unsigned char *kstr, int klen, pem_password_cb *cb, void *u);
@@ -322,6 +368,10 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 	DECLARE_PEM_write_bio(name, type) \
 	DECLARE_PEM_write_fp(name, type) 
 
+#define DECLARE_PEM_write_const(name, type) \
+	DECLARE_PEM_write_bio_const(name, type) \
+	DECLARE_PEM_write_fp_const(name, type)
+
 #define DECLARE_PEM_write_cb(name, type) \
 	DECLARE_PEM_write_cb_bio(name, type) \
 	DECLARE_PEM_write_cb_fp(name, type) 
@@ -334,6 +384,10 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 	DECLARE_PEM_read(name, type) \
 	DECLARE_PEM_write(name, type)
 
+#define DECLARE_PEM_rw_const(name, type) \
+	DECLARE_PEM_read(name, type) \
+	DECLARE_PEM_write_const(name, type)
+
 #define DECLARE_PEM_rw_cb(name, type) \
 	DECLARE_PEM_read(name, type) \
 	DECLARE_PEM_write_cb(name, type)
@@ -403,9 +457,6 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
         (char *(*)())d2i_NETSCAPE_CERT_SEQUENCE,PEM_STRING_X509,fp,\
 							(char **)x,cb,u)
 
-#define PEM_write_bio_SSL_SESSION(bp,x) \
-		PEM_ASN1_write_bio((int (*)())i2d_SSL_SESSION, \
-			PEM_STRING_SSL_SESSION,bp, (char *)x, NULL,NULL,0,NULL,NULL)
 #define PEM_write_bio_X509(bp,x) \
 		PEM_ASN1_write_bio((int (*)())i2d_X509,PEM_STRING_X509,bp, \
 			(char *)x, NULL,NULL,0,NULL,NULL)
@@ -444,8 +495,6 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 			PEM_STRING_X509,bp, \
                         (char *)x, NULL,NULL,0,NULL,NULL)
 
-#define	PEM_read_bio_SSL_SESSION(bp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read_bio( \
-	(char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,(char **)x,cb,u)
 #define	PEM_read_bio_X509(bp,x,cb,u) (X509 *)PEM_ASN1_read_bio( \
 	(char *(*)())d2i_X509,PEM_STRING_X509,bp,(char **)x,cb,u)
 #define	PEM_read_bio_X509_REQ(bp,x,cb,u) (X509_REQ *)PEM_ASN1_read_bio( \
@@ -494,11 +543,16 @@ int	PEM_write_bio(BIO *bp,const char *name,char *hdr,unsigned char *data,
 		long len);
 int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm, const char *name, BIO *bp,
 	     pem_password_cb *cb, void *u);
-char *	PEM_ASN1_read_bio(char *(*d2i)(),const char *name,BIO *bp,char **x,
-		pem_password_cb *cb, void *u);
-int	PEM_ASN1_write_bio(int (*i2d)(),const char *name,BIO *bp,char *x,
+void *	PEM_ASN1_read_bio(d2i_of_void *d2i, const char *name, BIO *bp,
+			  void **x, pem_password_cb *cb, void *u);
+#define PEM_ASN1_read_bio_of(type,d2i,name,bp,x,cb,u) \
+((type *(*)(D2I_OF(type),const char *,BIO *,type **,pem_password_cb *,void *))openssl_fcast(PEM_ASN1_read_bio))(d2i,name,bp,x,cb,u)
+int	PEM_ASN1_write_bio(i2d_of_void *i2d,const char *name,BIO *bp,char *x,
 			   const EVP_CIPHER *enc,unsigned char *kstr,int klen,
 			   pem_password_cb *cb, void *u);
+#define PEM_ASN1_write_bio_of(type,i2d,name,bp,x,enc,kstr,klen,cb,u) \
+	((int (*)(I2D_OF(type),const char *,BIO *,type *, const EVP_CIPHER *,unsigned char *,int, pem_password_cb *,void *))openssl_fcast(PEM_ASN1_write_bio))(i2d,name,bp,x,enc,kstr,klen,cb,u)
+
 STACK_OF(X509_INFO) *	PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u);
 int	PEM_X509_INFO_write_bio(BIO *bp,X509_INFO *xi, EVP_CIPHER *enc,
 		unsigned char *kstr, int klen, pem_password_cb *cd, void *u);
@@ -508,11 +562,11 @@ int	PEM_X509_INFO_write_bio(BIO *bp,X509_INFO *xi, EVP_CIPHER *enc,
 int	PEM_read(FILE *fp, char **name, char **header,
 		unsigned char **data,long *len);
 int	PEM_write(FILE *fp,char *name,char *hdr,unsigned char *data,long len);
-char *	PEM_ASN1_read(char *(*d2i)(),const char *name,FILE *fp,char **x,
-	pem_password_cb *cb, void *u);
-int	PEM_ASN1_write(int (*i2d)(),const char *name,FILE *fp,char *x,
-		       const EVP_CIPHER *enc,unsigned char *kstr,int klen,
-		       pem_password_cb *callback, void *u);
+void *  PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x,
+		      pem_password_cb *cb, void *u);
+int	PEM_ASN1_write(i2d_of_void *i2d,const char *name,FILE *fp,
+		       char *x,const EVP_CIPHER *enc,unsigned char *kstr,
+		       int klen,pem_password_cb *callback, void *u);
 STACK_OF(X509_INFO) *	PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
 	pem_password_cb *cb, void *u);
 #endif
@@ -542,6 +596,8 @@ DECLARE_PEM_rw(X509, X509)
 
 DECLARE_PEM_rw(X509_AUX, X509)
 
+DECLARE_PEM_rw(X509_CERT_PAIR, X509_CERT_PAIR)
+
 DECLARE_PEM_rw(X509_REQ, X509_REQ)
 DECLARE_PEM_write(X509_REQ_NEW, X509_REQ)
 
@@ -559,7 +615,7 @@ DECLARE_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)
 
 DECLARE_PEM_rw_cb(RSAPrivateKey, RSA)
 
-DECLARE_PEM_rw(RSAPublicKey, RSA)
+DECLARE_PEM_rw_const(RSAPublicKey, RSA)
 DECLARE_PEM_rw(RSA_PUBKEY, RSA)
 
 #endif
@@ -570,13 +626,19 @@ DECLARE_PEM_rw_cb(DSAPrivateKey, DSA)
 
 DECLARE_PEM_rw(DSA_PUBKEY, DSA)
 
-DECLARE_PEM_rw(DSAparams, DSA)
+DECLARE_PEM_rw_const(DSAparams, DSA)
+
+#endif
 
+#ifndef OPENSSL_NO_EC
+DECLARE_PEM_rw_const(ECPKParameters, EC_GROUP)
+DECLARE_PEM_rw_cb(ECPrivateKey, EC_KEY)
+DECLARE_PEM_rw(EC_PUBKEY, EC_KEY)
 #endif
 
 #ifndef OPENSSL_NO_DH
 
-DECLARE_PEM_rw(DHparams, DH)
+DECLARE_PEM_rw_const(DHparams, DH)
 
 #endif
 
@@ -626,24 +688,27 @@ void ERR_load_PEM_strings(void);
 /* Function codes. */
 #define PEM_F_D2I_PKCS8PRIVATEKEY_BIO			 120
 #define PEM_F_D2I_PKCS8PRIVATEKEY_FP			 121
-#define PEM_F_DEF_CALLBACK				 100
+#define PEM_F_DO_PK8PKEY				 126
+#define PEM_F_DO_PK8PKEY_FP				 125
 #define PEM_F_LOAD_IV					 101
 #define PEM_F_PEM_ASN1_READ				 102
 #define PEM_F_PEM_ASN1_READ_BIO				 103
 #define PEM_F_PEM_ASN1_WRITE				 104
 #define PEM_F_PEM_ASN1_WRITE_BIO			 105
+#define PEM_F_PEM_DEF_CALLBACK				 100
 #define PEM_F_PEM_DO_HEADER				 106
-#define PEM_F_PEM_F_DO_PK8KEY_FP			 122
 #define PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY		 118
 #define PEM_F_PEM_GET_EVP_CIPHER_INFO			 107
+#define PEM_F_PEM_PK8PKEY				 119
 #define PEM_F_PEM_READ					 108
 #define PEM_F_PEM_READ_BIO				 109
+#define PEM_F_PEM_READ_BIO_PRIVATEKEY			 123
+#define PEM_F_PEM_READ_PRIVATEKEY			 124
 #define PEM_F_PEM_SEALFINAL				 110
 #define PEM_F_PEM_SEALINIT				 111
 #define PEM_F_PEM_SIGNFINAL				 112
 #define PEM_F_PEM_WRITE					 113
 #define PEM_F_PEM_WRITE_BIO				 114
-#define PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY		 119
 #define PEM_F_PEM_X509_INFO_READ			 115
 #define PEM_F_PEM_X509_INFO_READ_BIO			 116
 #define PEM_F_PEM_X509_INFO_WRITE_BIO			 117
diff --git a/crypto/openssl/crypto/pem/pem_all.c b/crypto/openssl/crypto/pem/pem_all.c
index 07963314c951..66cbc7eb82cf 100644
--- a/crypto/openssl/crypto/pem/pem_all.c
+++ b/crypto/openssl/crypto/pem/pem_all.c
@@ -55,6 +55,59 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #undef SSLEAY_MACROS
@@ -64,7 +117,15 @@
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
-#include <openssl/fips.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
 
 #ifndef OPENSSL_NO_RSA
 static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa);
@@ -73,6 +134,10 @@ static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa);
 static DSA *pkey_get_dsa(EVP_PKEY *key, DSA **dsa);
 #endif
 
+#ifndef OPENSSL_NO_EC
+static EC_KEY *pkey_get_eckey(EVP_PKEY *key, EC_KEY **eckey);
+#endif
+
 IMPLEMENT_PEM_rw(X509_REQ, X509_REQ, PEM_STRING_X509_REQ, X509_REQ)
 
 IMPLEMENT_PEM_write(X509_REQ_NEW, X509_REQ, PEM_STRING_X509_REQ_OLD, X509_REQ)
@@ -129,50 +194,8 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
 
 #endif
 
-#ifdef OPENSSL_FIPS
-
-int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
-                                               unsigned char *kstr, int klen,
-                                               pem_password_cb *cb, void *u)
-{
-	EVP_PKEY *k;
-	int ret;
-	k = EVP_PKEY_new();
-	if (!k)
-		return 0;
-	EVP_PKEY_set1_RSA(k, x);
-
-	ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
-	EVP_PKEY_free(k);
-	return ret;
-}
-
-#ifndef OPENSSL_NO_FP_API
-int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
-                                               unsigned char *kstr, int klen,
-                                               pem_password_cb *cb, void *u)
-{
-	EVP_PKEY *k;
-	int ret;
-	k = EVP_PKEY_new();
-	if (!k)
-		return 0;
-
-	EVP_PKEY_set1_RSA(k, x);
-
-	ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
-	EVP_PKEY_free(k);
-	return ret;
-}
-#endif
-
-#else
-
-IMPLEMENT_PEM_write_cb(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
-
-#endif
-
-IMPLEMENT_PEM_rw(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
+IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
+IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
 IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
 
 #endif
@@ -201,69 +224,73 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
 	return pkey_get_dsa(pktmp, dsa);
 }
 
+IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
 
-#ifdef OPENSSL_FIPS
+#ifndef OPENSSL_NO_FP_API
 
-int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
-                                               unsigned char *kstr, int klen,
-                                               pem_password_cb *cb, void *u)
+DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb,
+								void *u)
 {
-	EVP_PKEY *k;
-	int ret;
-	k = EVP_PKEY_new();
-	if (!k)
-		return 0;
-	EVP_PKEY_set1_DSA(k, x);
-
-	ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
-	EVP_PKEY_free(k);
-	return ret;
+	EVP_PKEY *pktmp;
+	pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);
+	return pkey_get_dsa(pktmp, dsa);
 }
 
-#ifndef OPENSSL_NO_FP_API
-int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
-                                               unsigned char *kstr, int klen,
-                                               pem_password_cb *cb, void *u)
+#endif
+
+IMPLEMENT_PEM_rw_const(DSAparams, DSA, PEM_STRING_DSAPARAMS, DSAparams)
+
+#endif
+
+
+#ifndef OPENSSL_NO_EC
+static EC_KEY *pkey_get_eckey(EVP_PKEY *key, EC_KEY **eckey)
 {
-	EVP_PKEY *k;
-	int ret;
-	k = EVP_PKEY_new();
-	if (!k)
-		return 0;
-	EVP_PKEY_set1_DSA(k, x);
-	ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
-	EVP_PKEY_free(k);
-	return ret;
+	EC_KEY *dtmp;
+	if(!key) return NULL;
+	dtmp = EVP_PKEY_get1_EC_KEY(key);
+	EVP_PKEY_free(key);
+	if(!dtmp) return NULL;
+	if(eckey) 
+	{
+ 		EC_KEY_free(*eckey);
+		*eckey = dtmp;
+	}
+	return dtmp;
 }
-#endif
 
-#else
+EC_KEY *PEM_read_bio_ECPrivateKey(BIO *bp, EC_KEY **key, pem_password_cb *cb,
+							void *u)
+{
+	EVP_PKEY *pktmp;
+	pktmp = PEM_read_bio_PrivateKey(bp, NULL, cb, u);
+	return pkey_get_eckey(pktmp, key);
+}
 
-IMPLEMENT_PEM_write_cb(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters)
 
-#endif
+IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey)
 
-IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
+IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
 
 #ifndef OPENSSL_NO_FP_API
-
-DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb,
-								void *u)
+ 
+EC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb,
+ 								void *u)
 {
 	EVP_PKEY *pktmp;
 	pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);
-	return pkey_get_dsa(pktmp, dsa);
+	return pkey_get_eckey(pktmp, eckey);
 }
 
 #endif
 
-IMPLEMENT_PEM_rw(DSAparams, DSA, PEM_STRING_DSAPARAMS, DSAparams)
-
 #endif
 
 #ifndef OPENSSL_NO_DH
 
-IMPLEMENT_PEM_rw(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
+IMPLEMENT_PEM_rw_const(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
 
 #endif
 
@@ -274,42 +301,8 @@ IMPLEMENT_PEM_rw(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
  * (When reading, parameter PEM_STRING_EVP_PKEY is a wildcard for anything
  * appropriate.)
  */
-
-#ifdef OPENSSL_FIPS
-
-int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
-                                               unsigned char *kstr, int klen,
-                                               pem_password_cb *cb, void *u)
-	{
-		if (FIPS_mode())
-			return PEM_write_bio_PKCS8PrivateKey(bp, x, enc,
-						(char *)kstr, klen, cb, u);
-		else
-                	return PEM_ASN1_write_bio((int (*)())i2d_PrivateKey,
-                (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
-                        bp,(char *)x,enc,kstr,klen,cb,u);
-	}
-
-#ifndef OPENSSL_NO_FP_API
-int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
-                                               unsigned char *kstr, int klen,
-                                               pem_password_cb *cb, void *u)
-	{
-		if (FIPS_mode())
-			return PEM_write_PKCS8PrivateKey(fp, x, enc,
-						(char *)kstr, klen, cb, u);
-		else
-                	return PEM_ASN1_write((int (*)())i2d_PrivateKey,
-                (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
-                        fp,(char *)x,enc,kstr,klen,cb,u);
-	}
-#endif
-
-#else
-
-IMPLEMENT_PEM_write_cb(PrivateKey, EVP_PKEY, ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA), PrivateKey)
-
-#endif
+IMPLEMENT_PEM_write_cb(PrivateKey, EVP_PKEY, ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:\
+			(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY), PrivateKey)
 
 IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY)
 
diff --git a/crypto/openssl/crypto/pem/pem_err.c b/crypto/openssl/crypto/pem/pem_err.c
index 3b39b84d66e1..7837cde1537f 100644
--- a/crypto/openssl/crypto/pem/pem_err.c
+++ b/crypto/openssl/crypto/pem/pem_err.c
@@ -1,6 +1,6 @@
 /* crypto/pem/pem_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,52 +64,59 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PEM,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PEM,0,reason)
+
 static ERR_STRING_DATA PEM_str_functs[]=
 	{
-{ERR_PACK(0,PEM_F_D2I_PKCS8PRIVATEKEY_BIO,0),	"d2i_PKCS8PrivateKey_bio"},
-{ERR_PACK(0,PEM_F_D2I_PKCS8PRIVATEKEY_FP,0),	"d2i_PKCS8PrivateKey_fp"},
-{ERR_PACK(0,PEM_F_DEF_CALLBACK,0),	"DEF_CALLBACK"},
-{ERR_PACK(0,PEM_F_LOAD_IV,0),	"LOAD_IV"},
-{ERR_PACK(0,PEM_F_PEM_ASN1_READ,0),	"PEM_ASN1_read"},
-{ERR_PACK(0,PEM_F_PEM_ASN1_READ_BIO,0),	"PEM_ASN1_read_bio"},
-{ERR_PACK(0,PEM_F_PEM_ASN1_WRITE,0),	"PEM_ASN1_write"},
-{ERR_PACK(0,PEM_F_PEM_ASN1_WRITE_BIO,0),	"PEM_ASN1_write_bio"},
-{ERR_PACK(0,PEM_F_PEM_DO_HEADER,0),	"PEM_do_header"},
-{ERR_PACK(0,PEM_F_PEM_F_DO_PK8KEY_FP,0),	"PEM_F_DO_PK8KEY_FP"},
-{ERR_PACK(0,PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY,0),	"PEM_F_PEM_WRITE_PKCS8PRIVATEKEY"},
-{ERR_PACK(0,PEM_F_PEM_GET_EVP_CIPHER_INFO,0),	"PEM_get_EVP_CIPHER_INFO"},
-{ERR_PACK(0,PEM_F_PEM_READ,0),	"PEM_read"},
-{ERR_PACK(0,PEM_F_PEM_READ_BIO,0),	"PEM_read_bio"},
-{ERR_PACK(0,PEM_F_PEM_SEALFINAL,0),	"PEM_SealFinal"},
-{ERR_PACK(0,PEM_F_PEM_SEALINIT,0),	"PEM_SealInit"},
-{ERR_PACK(0,PEM_F_PEM_SIGNFINAL,0),	"PEM_SignFinal"},
-{ERR_PACK(0,PEM_F_PEM_WRITE,0),	"PEM_write"},
-{ERR_PACK(0,PEM_F_PEM_WRITE_BIO,0),	"PEM_write_bio"},
-{ERR_PACK(0,PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,0),	"PEM_write_bio_PKCS8PrivateKey"},
-{ERR_PACK(0,PEM_F_PEM_X509_INFO_READ,0),	"PEM_X509_INFO_read"},
-{ERR_PACK(0,PEM_F_PEM_X509_INFO_READ_BIO,0),	"PEM_X509_INFO_read_bio"},
-{ERR_PACK(0,PEM_F_PEM_X509_INFO_WRITE_BIO,0),	"PEM_X509_INFO_write_bio"},
+{ERR_FUNC(PEM_F_D2I_PKCS8PRIVATEKEY_BIO),	"d2i_PKCS8PrivateKey_bio"},
+{ERR_FUNC(PEM_F_D2I_PKCS8PRIVATEKEY_FP),	"d2i_PKCS8PrivateKey_fp"},
+{ERR_FUNC(PEM_F_DO_PK8PKEY),	"DO_PK8PKEY"},
+{ERR_FUNC(PEM_F_DO_PK8PKEY_FP),	"DO_PK8PKEY_FP"},
+{ERR_FUNC(PEM_F_LOAD_IV),	"LOAD_IV"},
+{ERR_FUNC(PEM_F_PEM_ASN1_READ),	"PEM_ASN1_read"},
+{ERR_FUNC(PEM_F_PEM_ASN1_READ_BIO),	"PEM_ASN1_read_bio"},
+{ERR_FUNC(PEM_F_PEM_ASN1_WRITE),	"PEM_ASN1_write"},
+{ERR_FUNC(PEM_F_PEM_ASN1_WRITE_BIO),	"PEM_ASN1_write_bio"},
+{ERR_FUNC(PEM_F_PEM_DEF_CALLBACK),	"PEM_def_callback"},
+{ERR_FUNC(PEM_F_PEM_DO_HEADER),	"PEM_do_header"},
+{ERR_FUNC(PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY),	"PEM_F_PEM_WRITE_PKCS8PRIVATEKEY"},
+{ERR_FUNC(PEM_F_PEM_GET_EVP_CIPHER_INFO),	"PEM_get_EVP_CIPHER_INFO"},
+{ERR_FUNC(PEM_F_PEM_PK8PKEY),	"PEM_PK8PKEY"},
+{ERR_FUNC(PEM_F_PEM_READ),	"PEM_read"},
+{ERR_FUNC(PEM_F_PEM_READ_BIO),	"PEM_read_bio"},
+{ERR_FUNC(PEM_F_PEM_READ_BIO_PRIVATEKEY),	"PEM_READ_BIO_PRIVATEKEY"},
+{ERR_FUNC(PEM_F_PEM_READ_PRIVATEKEY),	"PEM_READ_PRIVATEKEY"},
+{ERR_FUNC(PEM_F_PEM_SEALFINAL),	"PEM_SealFinal"},
+{ERR_FUNC(PEM_F_PEM_SEALINIT),	"PEM_SealInit"},
+{ERR_FUNC(PEM_F_PEM_SIGNFINAL),	"PEM_SignFinal"},
+{ERR_FUNC(PEM_F_PEM_WRITE),	"PEM_write"},
+{ERR_FUNC(PEM_F_PEM_WRITE_BIO),	"PEM_write_bio"},
+{ERR_FUNC(PEM_F_PEM_X509_INFO_READ),	"PEM_X509_INFO_read"},
+{ERR_FUNC(PEM_F_PEM_X509_INFO_READ_BIO),	"PEM_X509_INFO_read_bio"},
+{ERR_FUNC(PEM_F_PEM_X509_INFO_WRITE_BIO),	"PEM_X509_INFO_write_bio"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA PEM_str_reasons[]=
 	{
-{PEM_R_BAD_BASE64_DECODE                 ,"bad base64 decode"},
-{PEM_R_BAD_DECRYPT                       ,"bad decrypt"},
-{PEM_R_BAD_END_LINE                      ,"bad end line"},
-{PEM_R_BAD_IV_CHARS                      ,"bad iv chars"},
-{PEM_R_BAD_PASSWORD_READ                 ,"bad password read"},
-{PEM_R_ERROR_CONVERTING_PRIVATE_KEY      ,"error converting private key"},
-{PEM_R_NOT_DEK_INFO                      ,"not dek info"},
-{PEM_R_NOT_ENCRYPTED                     ,"not encrypted"},
-{PEM_R_NOT_PROC_TYPE                     ,"not proc type"},
-{PEM_R_NO_START_LINE                     ,"no start line"},
-{PEM_R_PROBLEMS_GETTING_PASSWORD         ,"problems getting password"},
-{PEM_R_PUBLIC_KEY_NO_RSA                 ,"public key no rsa"},
-{PEM_R_READ_KEY                          ,"read key"},
-{PEM_R_SHORT_HEADER                      ,"short header"},
-{PEM_R_UNSUPPORTED_CIPHER                ,"unsupported cipher"},
-{PEM_R_UNSUPPORTED_ENCRYPTION            ,"unsupported encryption"},
+{ERR_REASON(PEM_R_BAD_BASE64_DECODE)     ,"bad base64 decode"},
+{ERR_REASON(PEM_R_BAD_DECRYPT)           ,"bad decrypt"},
+{ERR_REASON(PEM_R_BAD_END_LINE)          ,"bad end line"},
+{ERR_REASON(PEM_R_BAD_IV_CHARS)          ,"bad iv chars"},
+{ERR_REASON(PEM_R_BAD_PASSWORD_READ)     ,"bad password read"},
+{ERR_REASON(PEM_R_ERROR_CONVERTING_PRIVATE_KEY),"error converting private key"},
+{ERR_REASON(PEM_R_NOT_DEK_INFO)          ,"not dek info"},
+{ERR_REASON(PEM_R_NOT_ENCRYPTED)         ,"not encrypted"},
+{ERR_REASON(PEM_R_NOT_PROC_TYPE)         ,"not proc type"},
+{ERR_REASON(PEM_R_NO_START_LINE)         ,"no start line"},
+{ERR_REASON(PEM_R_PROBLEMS_GETTING_PASSWORD),"problems getting password"},
+{ERR_REASON(PEM_R_PUBLIC_KEY_NO_RSA)     ,"public key no rsa"},
+{ERR_REASON(PEM_R_READ_KEY)              ,"read key"},
+{ERR_REASON(PEM_R_SHORT_HEADER)          ,"short header"},
+{ERR_REASON(PEM_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
+{ERR_REASON(PEM_R_UNSUPPORTED_ENCRYPTION),"unsupported encryption"},
 {0,NULL}
 	};
 
@@ -123,8 +130,8 @@ void ERR_load_PEM_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_PEM,PEM_str_functs);
-		ERR_load_strings(ERR_LIB_PEM,PEM_str_reasons);
+		ERR_load_strings(0,PEM_str_functs);
+		ERR_load_strings(0,PEM_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/pem/pem_info.c b/crypto/openssl/crypto/pem/pem_info.c
index 9e4af29c9544..1644dfcaac73 100644
--- a/crypto/openssl/crypto/pem/pem_info.c
+++ b/crypto/openssl/crypto/pem/pem_info.c
@@ -63,6 +63,12 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 
 #ifndef OPENSSL_NO_FP_API
 STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u)
@@ -85,13 +91,15 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_p
 STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u)
 	{
 	X509_INFO *xi=NULL;
-	char *name=NULL,*header=NULL,**pp;
-	unsigned char *data=NULL,*p;
+	char *name=NULL,*header=NULL;
+	void *pp;
+	unsigned char *data=NULL;
+	const unsigned char *p;
 	long len,error=0;
 	int ok=0;
 	STACK_OF(X509_INFO) *ret=NULL;
 	unsigned int i,raw;
-	char *(*d2i)();
+	d2i_of_void *d2i;
 
 	if (sk == NULL)
 		{
@@ -123,42 +131,42 @@ start:
 		if (	(strcmp(name,PEM_STRING_X509) == 0) ||
 			(strcmp(name,PEM_STRING_X509_OLD) == 0))
 			{
-			d2i=(char *(*)())d2i_X509;
+			d2i=(D2I_OF(void))d2i_X509;
 			if (xi->x509 != NULL)
 				{
 				if (!sk_X509_INFO_push(ret,xi)) goto err;
 				if ((xi=X509_INFO_new()) == NULL) goto err;
 				goto start;
 				}
-			pp=(char **)&(xi->x509);
+			pp=&(xi->x509);
 			}
 		else if ((strcmp(name,PEM_STRING_X509_TRUSTED) == 0))
 			{
-			d2i=(char *(*)())d2i_X509_AUX;
+			d2i=(D2I_OF(void))d2i_X509_AUX;
 			if (xi->x509 != NULL)
 				{
 				if (!sk_X509_INFO_push(ret,xi)) goto err;
 				if ((xi=X509_INFO_new()) == NULL) goto err;
 				goto start;
 				}
-			pp=(char **)&(xi->x509);
+			pp=&(xi->x509);
 			}
 		else if (strcmp(name,PEM_STRING_X509_CRL) == 0)
 			{
-			d2i=(char *(*)())d2i_X509_CRL;
+			d2i=(D2I_OF(void))d2i_X509_CRL;
 			if (xi->crl != NULL)
 				{
 				if (!sk_X509_INFO_push(ret,xi)) goto err;
 				if ((xi=X509_INFO_new()) == NULL) goto err;
 				goto start;
 				}
-			pp=(char **)&(xi->crl);
+			pp=&(xi->crl);
 			}
 		else
 #ifndef OPENSSL_NO_RSA
 			if (strcmp(name,PEM_STRING_RSA) == 0)
 			{
-			d2i=(char *(*)())d2i_RSAPrivateKey;
+			d2i=(D2I_OF(void))d2i_RSAPrivateKey;
 			if (xi->x_pkey != NULL) 
 				{
 				if (!sk_X509_INFO_push(ret,xi)) goto err;
@@ -173,7 +181,7 @@ start:
 			if ((xi->x_pkey->dec_pkey=EVP_PKEY_new()) == NULL)
 				goto err;
 			xi->x_pkey->dec_pkey->type=EVP_PKEY_RSA;
-			pp=(char **)&(xi->x_pkey->dec_pkey->pkey.rsa);
+			pp=&(xi->x_pkey->dec_pkey->pkey.rsa);
 			if ((int)strlen(header) > 10) /* assume encrypted */
 				raw=1;
 			}
@@ -182,7 +190,7 @@ start:
 #ifndef OPENSSL_NO_DSA
 			if (strcmp(name,PEM_STRING_DSA) == 0)
 			{
-			d2i=(char *(*)())d2i_DSAPrivateKey;
+			d2i=(D2I_OF(void))d2i_DSAPrivateKey;
 			if (xi->x_pkey != NULL) 
 				{
 				if (!sk_X509_INFO_push(ret,xi)) goto err;
@@ -203,6 +211,30 @@ start:
 			}
 		else
 #endif
+#ifndef OPENSSL_NO_EC
+ 			if (strcmp(name,PEM_STRING_ECPRIVATEKEY) == 0)
+ 			{
+ 				d2i=(D2I_OF(void))d2i_ECPrivateKey;
+ 				if (xi->x_pkey != NULL) 
+ 				{
+ 					if (!sk_X509_INFO_push(ret,xi)) goto err;
+ 					if ((xi=X509_INFO_new()) == NULL) goto err;
+ 						goto start;
+ 				}
+ 
+ 			xi->enc_data=NULL;
+ 			xi->enc_len=0;
+ 
+ 			xi->x_pkey=X509_PKEY_new();
+ 			if ((xi->x_pkey->dec_pkey=EVP_PKEY_new()) == NULL)
+ 				goto err;
+ 			xi->x_pkey->dec_pkey->type=EVP_PKEY_EC;
+ 			pp=&(xi->x_pkey->dec_pkey->pkey.ec);
+ 			if ((int)strlen(header) > 10) /* assume encrypted */
+ 				raw=1;
+			}
+		else
+#endif
 			{
 			d2i=NULL;
 			pp=NULL;
diff --git a/crypto/openssl/crypto/pem/pem_lib.c b/crypto/openssl/crypto/pem/pem_lib.c
index 7785039b993c..7cfc2f3e0a85 100644
--- a/crypto/openssl/crypto/pem/pem_lib.c
+++ b/crypto/openssl/crypto/pem/pem_lib.c
@@ -73,7 +73,7 @@ const char *PEM_version="PEM" OPENSSL_VERSION_PTEXT;
 
 #define MIN_LENGTH	4
 
-static int load_iv(unsigned char **fromp,unsigned char *to, int num);
+static int load_iv(char **fromp,unsigned char *to, int num);
 static int check_pem(const char *nm, const char *name);
 
 int PEM_def_callback(char *buf, int num, int w, void *key)
@@ -81,7 +81,7 @@ int PEM_def_callback(char *buf, int num, int w, void *key)
 #ifdef OPENSSL_NO_FP_API
 	/* We should not ever call the default callback routine from
 	 * windows. */
-	PEMerr(PEM_F_DEF_CALLBACK,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+	PEMerr(PEM_F_PEM_DEF_CALLBACK,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 	return(-1);
 #else
 	int i,j;
@@ -102,7 +102,7 @@ int PEM_def_callback(char *buf, int num, int w, void *key)
 		i=EVP_read_pw_string(buf,num,prompt,w);
 		if (i != 0)
 			{
-			PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
+			PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
 			memset(buf,0,(unsigned int)num);
 			return(-1);
 			}
@@ -158,11 +158,11 @@ void PEM_dek_info(char *buf, const char *type, int len, char *str)
 	}
 
 #ifndef OPENSSL_NO_FP_API
-char *PEM_ASN1_read(char *(*d2i)(), const char *name, FILE *fp, char **x,
-	     pem_password_cb *cb, void *u)
+void *PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x,
+		    pem_password_cb *cb, void *u)
 	{
         BIO *b;
-        char *ret;
+        void *ret;
 
         if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
@@ -195,6 +195,8 @@ static int check_pem(const char *nm, const char *name)
 	if(!strcmp(nm,PEM_STRING_DSA) &&
 		 !strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
 
+ 	if(!strcmp(nm,PEM_STRING_ECPRIVATEKEY) &&
+ 		 !strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
 	/* Permit older strings */
 
 	if(!strcmp(nm,PEM_STRING_X509_OLD) &&
@@ -258,9 +260,9 @@ err:
 	}
 
 #ifndef OPENSSL_NO_FP_API
-int PEM_ASN1_write(int (*i2d)(), const char *name, FILE *fp, char *x,
-	     const EVP_CIPHER *enc, unsigned char *kstr, int klen,
-	     pem_password_cb *callback, void *u)
+int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp,
+		   char *x, const EVP_CIPHER *enc, unsigned char *kstr,
+		   int klen, pem_password_cb *callback, void *u)
         {
         BIO *b;
         int ret;
@@ -277,9 +279,9 @@ int PEM_ASN1_write(int (*i2d)(), const char *name, FILE *fp, char *x,
         }
 #endif
 
-int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
-	     const EVP_CIPHER *enc, unsigned char *kstr, int klen,
-	     pem_password_cb *callback, void *u)
+int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
+		       char *x, const EVP_CIPHER *enc, unsigned char *kstr,
+		       int klen, pem_password_cb *callback, void *u)
 	{
 	EVP_CIPHER_CTX ctx;
 	int dsize=0,i,j,ret=0;
@@ -301,7 +303,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
 
 	if ((dsize=i2d(x,NULL)) < 0)
 		{
-		PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_MALLOC_FAILURE);
+		PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_ASN1_LIB);
 		dsize=0;
 		goto err;
 		}
@@ -336,7 +338,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
 			kstr=(unsigned char *)buf;
 			}
 		RAND_add(data,i,0);/* put in the RSA key. */
-		OPENSSL_assert(enc->iv_len <= sizeof iv);
+		OPENSSL_assert(enc->iv_len <= (int)sizeof(iv));
 		if (RAND_pseudo_bytes(iv,enc->iv_len) < 0) /* Generate a salt */
 			goto err;
 		/* The 'iv' is used as the iv and as a salt.  It is
@@ -432,6 +434,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
 	int o;
 	const EVP_CIPHER *enc=NULL;
 	char *p,c;
+	char **header_pp = &header;
 
 	cipher->cipher=NULL;
 	if ((header == NULL) || (*header == '\0') || (*header == '\n'))
@@ -478,15 +481,16 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
 		PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_UNSUPPORTED_ENCRYPTION);
 		return(0);
 		}
-	if (!load_iv((unsigned char **)&header,&(cipher->iv[0]),enc->iv_len)) return(0);
+	if (!load_iv(header_pp,&(cipher->iv[0]),enc->iv_len))
+		return(0);
 
 	return(1);
 	}
 
-static int load_iv(unsigned char **fromp, unsigned char *to, int num)
+static int load_iv(char **fromp, unsigned char *to, int num)
 	{
 	int v,i;
-	unsigned char *from;
+	char *from;
 
 	from= *fromp;
 	for (i=0; i<num; i++) to[i]=0;
@@ -623,6 +627,9 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
 	dataB=BUF_MEM_new();
 	if ((nameB == NULL) || (headerB == NULL) || (dataB == NULL))
 		{
+		BUF_MEM_free(nameB);
+		BUF_MEM_free(headerB);
+		BUF_MEM_free(dataB);
 		PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE);
 		return(0);
 		}
diff --git a/crypto/openssl/crypto/pem/pem_oth.c b/crypto/openssl/crypto/pem/pem_oth.c
index 8d9064ea7c83..b33868d25ac1 100644
--- a/crypto/openssl/crypto/pem/pem_oth.c
+++ b/crypto/openssl/crypto/pem/pem_oth.c
@@ -67,10 +67,11 @@
 
 /* Handle 'other' PEMs: not private keys */
 
-char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x,
-	     pem_password_cb *cb, void *u)
+void *PEM_ASN1_read_bio(d2i_of_void *d2i, const char *name, BIO *bp, void **x,
+			pem_password_cb *cb, void *u)
 	{
-	unsigned char *p=NULL,*data=NULL;
+	const unsigned char *p=NULL;
+	unsigned char *data=NULL;
 	long len;
 	char *ret=NULL;
 
diff --git a/crypto/openssl/crypto/pem/pem_pk8.c b/crypto/openssl/crypto/pem/pem_pk8.c
index db38a2a79de2..6deab8c33810 100644
--- a/crypto/openssl/crypto/pem/pem_pk8.c
+++ b/crypto/openssl/crypto/pem/pem_pk8.c
@@ -118,7 +118,7 @@ static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER
 	char buf[PEM_BUFSIZE];
 	int ret;
 	if(!(p8inf = EVP_PKEY2PKCS8(x))) {
-		PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
+		PEMerr(PEM_F_DO_PK8PKEY,
 					PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
 		return 0;
 	}
@@ -127,8 +127,7 @@ static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER
 			if(!cb) klen = PEM_def_callback(buf, PEM_BUFSIZE, 1, u);
 			else klen = cb(buf, PEM_BUFSIZE, 1, u);
 			if(klen <= 0) {
-				PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
-								PEM_R_READ_KEY);
+				PEMerr(PEM_F_DO_PK8PKEY,PEM_R_READ_KEY);
 				PKCS8_PRIV_KEY_INFO_free(p8inf);
 				return 0;
 			}
@@ -215,7 +214,7 @@ static int do_pk8pkey_fp(FILE *fp, EVP_PKEY *x, int isder, int nid, const EVP_CI
 	BIO *bp;
 	int ret;
 	if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
-		PEMerr(PEM_F_PEM_F_DO_PK8KEY_FP,ERR_R_BUF_LIB);
+		PEMerr(PEM_F_DO_PK8PKEY_FP,ERR_R_BUF_LIB);
                 return(0);
 	}
 	ret = do_pk8pkey(bp, x, isder, nid, enc, kstr, klen, cb, u);
diff --git a/crypto/openssl/crypto/pem/pem_pkey.c b/crypto/openssl/crypto/pem/pem_pkey.c
index 9ecdbd5419ee..2162a45323e5 100644
--- a/crypto/openssl/crypto/pem/pem_pkey.c
+++ b/crypto/openssl/crypto/pem/pem_pkey.c
@@ -70,7 +70,8 @@
 EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u)
 	{
 	char *nm=NULL;
-	unsigned char *p=NULL,*data=NULL;
+	const unsigned char *p=NULL;
+	unsigned char *data=NULL;
 	long len;
 	EVP_PKEY *ret=NULL;
 
@@ -82,6 +83,8 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo
 		ret=d2i_PrivateKey(EVP_PKEY_RSA,x,&p,len);
 	else if (strcmp(nm,PEM_STRING_DSA) == 0)
 		ret=d2i_PrivateKey(EVP_PKEY_DSA,x,&p,len);
+	else if (strcmp(nm,PEM_STRING_ECPRIVATEKEY) == 0)
+		ret=d2i_PrivateKey(EVP_PKEY_EC,x,&p,len);
 	else if (strcmp(nm,PEM_STRING_PKCS8INF) == 0) {
 		PKCS8_PRIV_KEY_INFO *p8inf;
 		p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len);
@@ -102,7 +105,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo
 		if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
 		else klen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u);
 		if (klen <= 0) {
-			PEMerr(PEM_F_PEM_ASN1_READ_BIO,
+			PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY,
 					PEM_R_BAD_PASSWORD_READ);
 			X509_SIG_free(p8);
 			goto err;
@@ -119,7 +122,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo
 	}
 p8err:
 	if (ret == NULL)
-		PEMerr(PEM_F_PEM_ASN1_READ_BIO,ERR_R_ASN1_LIB);
+		PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY,ERR_R_ASN1_LIB);
 err:
 	OPENSSL_free(nm);
 	OPENSSL_free(data);
@@ -134,7 +137,7 @@ EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void
 
         if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
-		PEMerr(PEM_F_PEM_ASN1_READ,ERR_R_BUF_LIB);
+		PEMerr(PEM_F_PEM_READ_PRIVATEKEY,ERR_R_BUF_LIB);
                 return(0);
 		}
         BIO_set_fp(b,fp,BIO_NOCLOSE);
diff --git a/crypto/openssl/crypto/pem/pem_seal.c b/crypto/openssl/crypto/pem/pem_seal.c
index 56e08abd7053..4e554e5481e0 100644
--- a/crypto/openssl/crypto/pem/pem_seal.c
+++ b/crypto/openssl/crypto/pem/pem_seal.c
@@ -56,6 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_RSA */
 #ifndef OPENSSL_NO_RSA
 #include <stdio.h>
 #include "cryptlib.h"
@@ -64,6 +65,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/rsa.h>
 
 int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
 	     unsigned char **ek, int *ekl, unsigned char *iv, EVP_PKEY **pubk,
diff --git a/crypto/openssl/crypto/pem/pem_xaux.c b/crypto/openssl/crypto/pem/pem_xaux.c
index 2f579b542130..63ce660cf1a2 100644
--- a/crypto/openssl/crypto/pem/pem_xaux.c
+++ b/crypto/openssl/crypto/pem/pem_xaux.c
@@ -66,3 +66,4 @@
 #include <openssl/pem.h>
 
 IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)
+IMPLEMENT_PEM_rw(X509_CERT_PAIR, X509_CERT_PAIR, PEM_STRING_X509_PAIR, X509_CERT_PAIR)
diff --git a/crypto/openssl/crypto/perlasm/cbc.pl b/crypto/openssl/crypto/perlasm/cbc.pl
index 22149c680ec3..e43dc9ae15ed 100644
--- a/crypto/openssl/crypto/perlasm/cbc.pl
+++ b/crypto/openssl/crypto/perlasm/cbc.pl
@@ -322,7 +322,8 @@ sub cbc
 
 	&function_end_A($name);
 
-	&set_label("cbc_enc_jmp_table",1);
+	&align(64);
+	&set_label("cbc_enc_jmp_table");
 	&data_word("0");
 	&data_word(&label("ej1")."-".&label("PIC_point"));
 	&data_word(&label("ej2")."-".&label("PIC_point"));
@@ -341,6 +342,7 @@ sub cbc
 	#&data_word(&label("dj5")."-".&label("PIC_point"));
 	#&data_word(&label("dj6")."-".&label("PIC_point"));
 	#&data_word(&label("dj7")."-".&label("PIC_point"));
+	&align(64);
 
 	&function_end_B($name);
 	
diff --git a/crypto/openssl/crypto/perlasm/x86_64-xlate.pl b/crypto/openssl/crypto/perlasm/x86_64-xlate.pl
new file mode 100755
index 000000000000..ef1a4ce65685
--- /dev/null
+++ b/crypto/openssl/crypto/perlasm/x86_64-xlate.pl
@@ -0,0 +1,506 @@
+#!/usr/bin/env perl
+
+# Ascetic x86_64 AT&T to MASM assembler translator by <appro>.
+#
+# Why AT&T to MASM and not vice versa? Several reasons. Because AT&T
+# format is way easier to parse. Because it's simpler to "gear" from
+# Unix ABI to Windows one [see cross-reference "card" at the end of
+# file]. Because Linux targets were available first...
+#
+# In addition the script also "distills" code suitable for GNU
+# assembler, so that it can be compiled with more rigid assemblers,
+# such as Solaris /usr/ccs/bin/as.
+#
+# This translator is not designed to convert *arbitrary* assembler
+# code from AT&T format to MASM one. It's designed to convert just
+# enough to provide for dual-ABI OpenSSL modules development...
+# There *are* limitations and you might have to modify your assembler
+# code or this script to achieve the desired result...
+#
+# Currently recognized limitations:
+#
+# - can't use multiple ops per line;
+# - indirect calls and jumps are not supported;
+#
+# Dual-ABI styling rules.
+#
+# 1. Adhere to Unix register and stack layout [see the end for
+#    explanation].
+# 2. Forget about "red zone," stick to more traditional blended
+#    stack frame allocation. If volatile storage is actually required
+#    that is. If not, just leave the stack as is.
+# 3. Functions tagged with ".type name,@function" get crafted with
+#    unified Win64 prologue and epilogue automatically. If you want
+#    to take care of ABI differences yourself, tag functions as
+#    ".type name,@abi-omnipotent" instead.
+# 4. To optimize the Win64 prologue you can specify number of input
+#    arguments as ".type name,@function,N." Keep in mind that if N is
+#    larger than 6, then you *have to* write "abi-omnipotent" code,
+#    because >6 cases can't be addressed with unified prologue.
+# 5. Name local labels as .L*, do *not* use dynamic labels such as 1:
+#    (sorry about latter).
+# 6. Don't use [or hand-code with .byte] "rep ret." "ret" mnemonic is
+#    required to identify the spots, where to inject Win64 epilogue!
+#    But on the pros, it's then prefixed with rep automatically:-)
+# 7. Due to MASM limitations [and certain general counter-intuitivity
+#    of ip-relative addressing] generation of position-independent
+#    code is assisted by synthetic directive, .picmeup, which puts
+#    address of the *next* instruction into target register.
+#
+#    Example 1:
+#		.picmeup	%rax
+#		lea		.Label-.(%rax),%rax
+#    Example 2:
+#		.picmeup	%rcx
+#	.Lpic_point:
+#		...
+#		lea		.Label-.Lpic_point(%rcx),%rbp
+
+my $output = shift;
+open STDOUT,">$output" || die "can't open $output: $!";
+
+my $masm=1 if ($output =~ /\.asm/);
+
+my $current_segment;
+my $current_function;
+
+{ package opcode;	# pick up opcodes
+    sub re {
+	my	$self = shift;	# single instance in enough...
+	local	*line = shift;
+	undef	$ret;
+
+	if ($line =~ /^([a-z]+)/i) {
+	    $self->{op} = $1;
+	    $ret = $self;
+	    $line = substr($line,@+[0]); $line =~ s/^\s+//;
+
+	    undef $self->{sz};
+	    if ($self->{op} =~ /(movz)b.*/) {	# movz is pain...
+		$self->{op} = $1;
+		$self->{sz} = "b";
+	    } elsif ($self->{op} =~ /([a-z]{3,})([qlwb])/) {
+		$self->{op} = $1;
+		$self->{sz} = $2;
+	    }
+	}
+	$ret;
+    }
+    sub size {
+	my $self = shift;
+	my $sz   = shift;
+	$self->{sz} = $sz if (defined($sz) && !defined($self->{sz}));
+	$self->{sz};
+    }
+    sub out {
+	my $self = shift;
+	if (!$masm) {
+	    if ($self->{op} eq "movz") {	# movz in pain...
+		sprintf "%s%s%s",$self->{op},$self->{sz},shift;
+	    } elsif ($self->{op} eq "ret") {
+	    	".byte	0xf3,0xc3";
+	    } else {
+		"$self->{op}$self->{sz}";
+	    }
+	} else {
+	    $self->{op} =~ s/movz/movzx/;
+	    if ($self->{op} eq "ret") {
+		$self->{op} = "";
+		if ($current_function->{abi} eq "svr4") {
+		    $self->{op} = "mov	rdi,QWORD PTR 8[rsp]\t;WIN64 epilogue\n\t".
+				  "mov	rsi,QWORD PTR 16[rsp]\n\t";
+	    	}
+		$self->{op} .= "DB\t0F3h,0C3h\t\t;repret";
+	    }
+	    $self->{op};
+	}
+    }
+}
+{ package const;	# pick up constants, which start with $
+    sub re {
+	my	$self = shift;	# single instance in enough...
+	local	*line = shift;
+	undef	$ret;
+
+	if ($line =~ /^\$([^,]+)/) {
+	    $self->{value} = $1;
+	    $ret = $self;
+	    $line = substr($line,@+[0]); $line =~ s/^\s+//;
+	}
+	$ret;
+    }
+    sub out {
+    	my $self = shift;
+
+	if (!$masm) {
+	    sprintf "\$%s",$self->{value};
+	} else {
+	    $self->{value} =~ s/0x([0-9a-f]+)/0$1h/ig;
+	    sprintf "%s",$self->{value};
+	}
+    }
+}
+{ package ea;		# pick up effective addresses: expr(%reg,%reg,scale)
+    sub re {
+	my	$self = shift;	# single instance in enough...
+	local	*line = shift;
+	undef	$ret;
+
+	if ($line =~ /^([^\(,]*)\(([%\w,]+)\)/) {
+	    $self->{label} = $1;
+	    ($self->{base},$self->{index},$self->{scale})=split(/,/,$2);
+	    $self->{scale} = 1 if (!defined($self->{scale}));
+	    $ret = $self;
+	    $line = substr($line,@+[0]); $line =~ s/^\s+//;
+
+	    $self->{base}  =~ s/^%//;
+	    $self->{index} =~ s/^%// if (defined($self->{index}));
+	}
+	$ret;
+    }
+    sub size {}
+    sub out {
+    	my $self = shift;
+	my $sz = shift;
+
+	if (!$masm) {
+	    # elder GNU assembler insists on 64-bit EAs:-(
+	    # on pros side, this results in more compact code:-)
+	    $self->{index} =~ s/^[er](.?[0-9xp])[d]?$/r\1/;
+	    $self->{base}  =~ s/^[er](.?[0-9xp])[d]?$/r\1/;
+	    # Solaris /usr/ccs/bin/as can't handle multiplications
+	    # in $self->{label}
+	    $self->{label} =~ s/(?<![0-9a-f])(0[x0-9a-f]+)/oct($1)/eg;
+	    $self->{label} =~ s/([0-9]+\s*[\*\/\%]\s*[0-9]+)/eval($1)/eg;
+
+	    if (defined($self->{index})) {
+		sprintf "%s(%%%s,%%%s,%d)",
+					$self->{label},$self->{base},
+					$self->{index},$self->{scale};
+	    } else {
+		sprintf "%s(%%%s)",	$self->{label},$self->{base};
+	    }
+	} else {
+	    %szmap = ( b=>"BYTE", w=>"WORD", l=>"DWORD", q=>"QWORD" );
+
+	    $self->{label} =~ s/\./\$/g;
+	    $self->{label} =~ s/0x([0-9a-f]+)/0$1h/ig;
+	    $self->{label} = "($self->{label})" if ($self->{label} =~ /[\*\+\-\/]/);
+
+	    if (defined($self->{index})) {
+		sprintf "%s PTR %s[%s*%d+%s]",$szmap{$sz},
+					$self->{label},
+					$self->{index},$self->{scale},
+					$self->{base};
+	    } else {
+		sprintf "%s PTR %s[%s]",$szmap{$sz},
+					$self->{label},$self->{base};
+	    }
+	}
+    }
+}
+{ package register;	# pick up registers, which start with %.
+    sub re {
+	my	$class = shift;	# muliple instances...
+	my	$self = {};
+	local	*line = shift;
+	undef	$ret;
+
+	if ($line =~ /^%(\w+)/) {
+	    bless $self,$class;
+	    $self->{value} = $1;
+	    $ret = $self;
+	    $line = substr($line,@+[0]); $line =~ s/^\s+//;
+	}
+	$ret;
+    }
+    sub size {
+	my	$self = shift;
+	undef	$ret;
+
+	if    ($self->{value} =~ /^r[\d]+b$/i)	{ $ret="b"; }
+	elsif ($self->{value} =~ /^r[\d]+w$/i)	{ $ret="w"; }
+	elsif ($self->{value} =~ /^r[\d]+d$/i)	{ $ret="l"; }
+	elsif ($self->{value} =~ /^r[\w]+$/i)	{ $ret="q"; }
+	elsif ($self->{value} =~ /^[a-d][hl]$/i){ $ret="b"; }
+	elsif ($self->{value} =~ /^[\w]{2}l$/i)	{ $ret="b"; }
+	elsif ($self->{value} =~ /^[\w]{2}$/i)	{ $ret="w"; }
+	elsif ($self->{value} =~ /^e[a-z]{2}$/i){ $ret="l"; }
+
+	$ret;
+    }
+    sub out {
+    	my $self = shift;
+	sprintf $masm?"%s":"%%%s",$self->{value};
+    }
+}
+{ package label;	# pick up labels, which end with :
+    sub re {
+	my	$self = shift;	# single instance is enough...
+	local	*line = shift;
+	undef	$ret;
+
+	if ($line =~ /(^[\.\w]+\:)/) {
+	    $self->{value} = $1;
+	    $ret = $self;
+	    $line = substr($line,@+[0]); $line =~ s/^\s+//;
+
+	    $self->{value} =~ s/\.L/\$L/ if ($masm);
+	}
+	$ret;
+    }
+    sub out {
+	my $self = shift;
+
+	if (!$masm) {
+	    $self->{value};
+	} elsif ($self->{value} ne "$current_function->{name}:") {
+	    $self->{value};
+	} elsif ($current_function->{abi} eq "svr4") {
+	    my $func =	"$current_function->{name}	PROC\n".
+			"	mov	QWORD PTR 8[rsp],rdi\t;WIN64 prologue\n".
+			"	mov	QWORD PTR 16[rsp],rsi\n";
+	    my $narg = $current_function->{narg};
+	    $narg=6 if (!defined($narg));
+	    $func .= "	mov	rdi,rcx\n" if ($narg>0);
+	    $func .= "	mov	rsi,rdx\n" if ($narg>1);
+	    $func .= "	mov	rdx,r8\n"  if ($narg>2);
+	    $func .= "	mov	rcx,r9\n"  if ($narg>3);
+	    $func .= "	mov	r8,QWORD PTR 40[rsp]\n" if ($narg>4);
+	    $func .= "	mov	r9,QWORD PTR 48[rsp]\n" if ($narg>5);
+	    $func .= "\n";
+	} else {
+	   "$current_function->{name}	PROC";
+	}
+    }
+}
+{ package expr;		# pick up expressioins
+    sub re {
+	my	$self = shift;	# single instance is enough...
+	local	*line = shift;
+	undef	$ret;
+
+	if ($line =~ /(^[^,]+)/) {
+	    $self->{value} = $1;
+	    $ret = $self;
+	    $line = substr($line,@+[0]); $line =~ s/^\s+//;
+
+	    $self->{value} =~ s/\.L/\$L/g if ($masm);
+	}
+	$ret;
+    }
+    sub out {
+	my $self = shift;
+	$self->{value};
+    }
+}
+{ package directive;	# pick up directives, which start with .
+    sub re {
+	my	$self = shift;	# single instance is enough...
+	local	*line = shift;
+	undef	$ret;
+	my	$dir;
+	my	%opcode =	# lea 2f-1f(%rip),%dst; 1: nop; 2:
+		(	"%rax"=>0x01058d48,	"%rcx"=>0x010d8d48,
+			"%rdx"=>0x01158d48,	"%rbx"=>0x011d8d48,
+			"%rsp"=>0x01258d48,	"%rbp"=>0x012d8d48,
+			"%rsi"=>0x01358d48,	"%rdi"=>0x013d8d48,
+			"%r8" =>0x01058d4c,	"%r9" =>0x010d8d4c,
+			"%r10"=>0x01158d4c,	"%r11"=>0x011d8d4c,
+			"%r12"=>0x01258d4c,	"%r13"=>0x012d8d4c,
+			"%r14"=>0x01358d4c,	"%r15"=>0x013d8d4c	);
+
+	if ($line =~ /^\s*(\.\w+)/) {
+	    if (!$masm) {
+		$self->{value} = $1;
+		$line =~ s/\@abi\-omnipotent/\@function/;
+		$line =~ s/\@function.*/\@function/;
+		if ($line =~ /\.picmeup\s+(%r[\w]+)/i) {
+		    $self->{value} = sprintf "\t.long\t0x%x,0x90000000",$opcode{$1};
+		} else {
+		    $self->{value} = $line;
+		}
+		$line = "";
+		return $self;
+	    }
+
+	    $dir = $1;
+	    $ret = $self;
+	    undef $self->{value};
+	    $line = substr($line,@+[0]); $line =~ s/^\s+//;
+	    SWITCH: for ($dir) {
+		/\.(text)/
+			    && do { my $v=undef;
+				    $v="$current_segment\tENDS\n" if ($current_segment);
+				    $current_segment = "_$1\$";
+				    $current_segment =~ tr/[a-z]/[A-Z]/;
+				    $v.="$current_segment\tSEGMENT ALIGN(64) 'CODE'";
+				    $self->{value} = $v;
+				    last;
+				  };
+		/\.globl/   && do { $self->{value} = "PUBLIC\t".$line; last; };
+		/\.type/    && do { ($sym,$type,$narg) = split(',',$line);
+				    if ($type eq "\@function") {
+					undef $current_function;
+					$current_function->{name} = $sym;
+					$current_function->{abi}  = "svr4";
+					$current_function->{narg} = $narg;
+				    } elsif ($type eq "\@abi-omnipotent") {
+					undef $current_function;
+					$current_function->{name} = $sym;
+				    }
+				    last;
+				  };
+		/\.size/    && do { if (defined($current_function)) {
+					$self->{value}="$current_function->{name}\tENDP";
+					undef $current_function;
+				    }
+				    last;
+				  };
+		/\.align/   && do { $self->{value} = "ALIGN\t".$line; last; };
+		/\.(byte|value|long|quad)/
+			    && do { my @arr = split(',',$line);
+				    my $sz  = substr($1,0,1);
+				    my $last = pop(@arr);
+
+				    $sz =~ tr/bvlq/BWDQ/;
+				    $self->{value} = "\tD$sz\t";
+				    for (@arr) { $self->{value} .= sprintf"0%Xh,",oct; }
+				    $self->{value} .= sprintf"0%Xh",oct($last);
+				    last;
+				  };
+		/\.picmeup/ && do { $self->{value} = sprintf"\tDD\t 0%Xh,090000000h",$opcode{$line};
+				    last;
+				  };
+	    }
+	    $line = "";
+	}
+
+	$ret;
+    }
+    sub out {
+	my $self = shift;
+	$self->{value};
+    }
+}
+
+while($line=<>) {
+
+    chomp($line);
+
+    $line =~ s|[#!].*$||;	# get rid of asm-style comments...
+    $line =~ s|/\*.*\*/||;	# ... and C-style comments...
+    $line =~ s|^\s+||;		# ... and skip white spaces in beginning
+
+    undef $label;
+    undef $opcode;
+    undef $dst;
+    undef $src;
+    undef $sz;
+
+    if ($label=label->re(\$line))	{ print $label->out(); }
+
+    if (directive->re(\$line)) {
+	printf "%s",directive->out();
+    } elsif ($opcode=opcode->re(\$line)) { ARGUMENT: {
+
+	if ($src=register->re(\$line))	{ opcode->size($src->size()); }
+	elsif ($src=const->re(\$line))	{ }
+	elsif ($src=ea->re(\$line))	{ }
+	elsif ($src=expr->re(\$line))	{ }
+
+	last ARGUMENT if ($line !~ /^,/);
+
+	$line = substr($line,1); $line =~ s/^\s+//;
+
+	if ($dst=register->re(\$line))	{ opcode->size($dst->size()); }
+	elsif ($dst=const->re(\$line))	{ }
+	elsif ($dst=ea->re(\$line))	{ }
+
+	} # ARGUMENT:
+
+	$sz=opcode->size();
+
+	if (defined($dst)) {
+	    if (!$masm) {
+		printf "\t%s\t%s,%s",	$opcode->out($dst->size()),
+					$src->out($sz),$dst->out($sz);
+	    } else {
+		printf "\t%s\t%s,%s",	$opcode->out(),
+					$dst->out($sz),$src->out($sz);
+	    }
+	} elsif (defined($src)) {
+	    printf "\t%s\t%s",$opcode->out(),$src->out($sz);
+	} else {
+	    printf "\t%s",$opcode->out();
+	}
+    }
+
+    print $line,"\n";
+}
+
+print "\n$current_segment\tENDS\nEND\n" if ($masm);
+
+close STDOUT;
+
+#################################################
+# Cross-reference x86_64 ABI "card"
+#
+# 		Unix		Win64
+# %rax		*		*
+# %rbx		-		-
+# %rcx		#4		#1
+# %rdx		#3		#2
+# %rsi		#2		-
+# %rdi		#1		-
+# %rbp		-		-
+# %rsp		-		-
+# %r8		#5		#3
+# %r9		#6		#4
+# %r10		*		*
+# %r11		*		*
+# %r12		-		-
+# %r13		-		-
+# %r14		-		-
+# %r15		-		-
+# 
+# (*)	volatile register
+# (-)	preserved by callee
+# (#)	Nth argument, volatile
+#
+# In Unix terms top of stack is argument transfer area for arguments
+# which could not be accomodated in registers. Or in other words 7th
+# [integer] argument resides at 8(%rsp) upon function entry point.
+# 128 bytes above %rsp constitute a "red zone" which is not touched
+# by signal handlers and can be used as temporal storage without
+# allocating a frame.
+#
+# In Win64 terms N*8 bytes on top of stack is argument transfer area,
+# which belongs to/can be overwritten by callee. N is the number of
+# arguments passed to callee, *but* not less than 4! This means that
+# upon function entry point 5th argument resides at 40(%rsp), as well
+# as that 32 bytes from 8(%rsp) can always be used as temporal
+# storage [without allocating a frame].
+#
+# All the above means that if assembler programmer adheres to Unix
+# register and stack layout, but disregards the "red zone" existense,
+# it's possible to use following prologue and epilogue to "gear" from
+# Unix to Win64 ABI in leaf functions with not more than 6 arguments.
+#
+# omnipotent_function:
+# ifdef WIN64
+#	movq	%rdi,8(%rsp)
+#	movq	%rsi,16(%rsp)
+#	movq	%rcx,%rdi	; if 1st argument is actually present
+#	movq	%rdx,%rsi	; if 2nd argument is actually ...
+#	movq	%r8,%rdx	; if 3rd argument is ...
+#	movq	%r9,%rcx	; if 4th argument ...
+#	movq	40(%rsp),%r8	; if 5th ...
+#	movq	48(%rsp),%r9	; if 6th ...
+# endif
+#	...
+# ifdef WIN64
+#	movq	8(%rsp),%rdi
+#	movq	16(%rsp),%rsi
+# endif
+#	ret
diff --git a/crypto/openssl/crypto/perlasm/x86asm.pl b/crypto/openssl/crypto/perlasm/x86asm.pl
index 1cb96e914ab6..5979122158fd 100644
--- a/crypto/openssl/crypto/perlasm/x86asm.pl
+++ b/crypto/openssl/crypto/perlasm/x86asm.pl
@@ -18,31 +18,34 @@ sub main'asm_init
 	($type,$fn,$i386)=@_;
 	$filename=$fn;
 
-	$elf=$cpp=$sol=$aout=$win32=$gaswin=0;
+	$elf=$cpp=$coff=$aout=$win32=$netware=$mwerks=0;
 	if (	($type eq "elf"))
 		{ $elf=1; require "x86unix.pl"; }
 	elsif (	($type eq "a.out"))
 		{ $aout=1; require "x86unix.pl"; }
-	elsif (	($type eq "gaswin"))
-		{ $gaswin=1; $aout=1; require "x86unix.pl"; }
-	elsif (	($type eq "sol"))
-		{ $sol=1; require "x86unix.pl"; }
+	elsif (	($type eq "coff" or $type eq "gaswin"))
+		{ $coff=1; require "x86unix.pl"; }
 	elsif (	($type eq "cpp"))
 		{ $cpp=1; require "x86unix.pl"; }
 	elsif (	($type eq "win32"))
 		{ $win32=1; require "x86ms.pl"; }
 	elsif (	($type eq "win32n"))
 		{ $win32=1; require "x86nasm.pl"; }
+	elsif (	($type eq "nw-nasm"))
+		{ $netware=1; require "x86nasm.pl"; }
+	elsif (	($type eq "nw-mwasm"))
+		{ $netware=1; $mwerks=1; require "x86nasm.pl"; }
 	else
 		{
 		print STDERR <<"EOF";
 Pick one target type from
-	elf	- linux, FreeBSD etc
-	a.out	- old linux
-	sol	- x86 solaris
-	cpp	- format so x86unix.cpp can be used
+	elf	- Linux, FreeBSD, Solaris x86, etc.
+	a.out	- OpenBSD, DJGPP, etc.
+	coff	- GAS/COFF such as Win32 targets
 	win32	- Windows 95/Windows NT
 	win32n	- Windows 95/Windows NT NASM format
+	nw-nasm - NetWare NASM format
+	nw-mwasm- NetWare Metrowerks Assembler
 EOF
 		exit(1);
 		}
@@ -55,7 +58,7 @@ EOF
 &comment("Don't even think of reading this code");
 &comment("It was automatically generated by $filename");
 &comment("Which is a perl program used to generate the x86 assember for");
-&comment("any of elf, a.out, BSDI, Win32, gaswin (for GNU as on Win32) or Solaris");
+&comment("any of ELF, a.out, COFF, Win32, ...");
 &comment("eric <eay\@cryptsoft.com>");
 &comment("");
 
@@ -90,7 +93,7 @@ $tmp
 #ifdef OUT
 #define OK	1
 #define ALIGN	4
-#if defined(__CYGWIN__) || defined(__DJGPP__)
+#if defined(__CYGWIN__) || defined(__DJGPP__) || (__MINGW32__)
 #undef SIZE
 #undef TYPE
 #define SIZE(a,b)
diff --git a/crypto/openssl/crypto/perlasm/x86ms.pl b/crypto/openssl/crypto/perlasm/x86ms.pl
index fbb4afb9bda4..82538a9a9af8 100644
--- a/crypto/openssl/crypto/perlasm/x86ms.pl
+++ b/crypto/openssl/crypto/perlasm/x86ms.pl
@@ -27,7 +27,13 @@ $label="L000";
 sub main'asm_init_output { @out=(); }
 sub main'asm_get_output { return(@out); }
 sub main'get_labels { return(@labels); }
-sub main'external_label { push(@labels,@_); }
+sub main'external_label
+{
+	push(@labels,@_);
+	foreach (@_) {
+		push(@out, "EXTRN\t_$_:DWORD\n");
+	}
+}
 
 sub main'LB
 	{
@@ -51,6 +57,11 @@ sub main'DWP
 	&get_mem("DWORD",@_);
 	}
 
+sub main'QWP
+	{
+	&get_mem("QWORD",@_);
+	}
+
 sub main'BC
 	{
 	return @_;
@@ -87,7 +98,7 @@ sub get_mem
 		$reg2=&conv($1);
 		$addr="_$2";
 		}
-	elsif ($addr =~ /^[_a-zA-Z]/)
+	elsif ($addr =~ /^[_a-z][_a-z0-9]*$/i)
 		{
 		$addr="_$addr";
 		}
@@ -128,6 +139,7 @@ sub main'xorb	{ &out2("xor",@_); }
 sub main'add	{ &out2("add",@_); }
 sub main'adc	{ &out2("adc",@_); }
 sub main'sub	{ &out2("sub",@_); }
+sub main'sbb	{ &out2("sbb",@_); }
 sub main'rotl	{ &out2("rol",@_); }
 sub main'rotr	{ &out2("ror",@_); }
 sub main'exch	{ &out2("xchg",@_); }
@@ -155,11 +167,39 @@ sub main'jne	{ &out1("jne",@_); }
 sub main'jno	{ &out1("jno",@_); }
 sub main'push	{ &out1("push",@_); $stack+=4; }
 sub main'pop	{ &out1("pop",@_); $stack-=4; }
+sub main'pushf	{ &out0("pushfd"); $stack+=4; }
+sub main'popf	{ &out0("popfd"); $stack-=4; }
 sub main'bswap	{ &out1("bswap",@_); &using486(); }
 sub main'not	{ &out1("not",@_); }
 sub main'call	{ &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
+sub main'call_ptr { &out1p("call",@_); }
 sub main'ret	{ &out0("ret"); }
 sub main'nop	{ &out0("nop"); }
+sub main'test	{ &out2("test",@_); }
+sub main'bt	{ &out2("bt",@_); }
+sub main'leave	{ &out0("leave"); }
+sub main'cpuid  { &out0("DW\t0A20Fh"); }
+sub main'rdtsc  { &out0("DW\t0310Fh"); }
+sub main'halt	{ &out0("hlt"); }
+sub main'movz	{ &out2("movzx",@_); }
+sub main'neg	{ &out1("neg",@_); }
+sub main'cld	{ &out0("cld"); }
+
+# SSE2
+sub main'emms	{ &out0("emms"); }
+sub main'movd	{ &out2("movd",@_); }
+sub main'movq	{ &out2("movq",@_); }
+sub main'movdqu	{ &out2("movdqu",@_); }
+sub main'movdqa	{ &out2("movdqa",@_); }
+sub main'movdq2q{ &out2("movdq2q",@_); }
+sub main'movq2dq{ &out2("movq2dq",@_); }
+sub main'paddq	{ &out2("paddq",@_); }
+sub main'pmuludq{ &out2("pmuludq",@_); }
+sub main'psrlq	{ &out2("psrlq",@_); }
+sub main'psllq	{ &out2("psllq",@_); }
+sub main'pxor	{ &out2("pxor",@_); }
+sub main'por	{ &out2("por",@_); }
+sub main'pand	{ &out2("pand",@_); }
 
 sub out2
 	{
@@ -213,7 +253,9 @@ sub main'file
 	local($tmp)=<<"EOF";
 	TITLE	$file.asm
         .386
-.model FLAT
+.model	FLAT
+_TEXT\$	SEGMENT PAGE 'CODE'
+
 EOF
 	push(@out,$tmp);
 	}
@@ -225,7 +267,6 @@ sub main'function_begin
 	push(@labels,$func);
 
 	local($tmp)=<<"EOF";
-_TEXT	SEGMENT
 PUBLIC	_$func
 $extra
 _$func PROC NEAR
@@ -243,7 +284,6 @@ sub main'function_begin_B
 	local($func,$extra)=@_;
 
 	local($tmp)=<<"EOF";
-_TEXT	SEGMENT
 PUBLIC	_$func
 $extra
 _$func PROC NEAR
@@ -263,7 +303,6 @@ sub main'function_end
 	pop	ebp
 	ret
 _$func ENDP
-_TEXT	ENDS
 EOF
 	push(@out,$tmp);
 	$stack=0;
@@ -276,7 +315,6 @@ sub main'function_end_B
 
 	local($tmp)=<<"EOF";
 _$func ENDP
-_TEXT	ENDS
 EOF
 	push(@out,$tmp);
 	$stack=0;
@@ -299,6 +337,14 @@ EOF
 
 sub main'file_end
 	{
+	# try to detect if SSE2 or MMX extensions were used...
+	if (grep {/xmm[0-7]\s*,/i} @out) {
+		grep {s/\.[3-7]86/\.686\n\t\.XMM/} @out;
+		}
+	elsif (grep {/mm[0-7]\s*,/i} @out) {
+		grep {s/\.[3-7]86/\.686\n\t\.MMX/} @out;
+		}
+	push(@out,"_TEXT\$	ENDS\n");
 	push(@out,"END\n");
 	}
 
@@ -330,6 +376,12 @@ sub main'comment
 		}
 	}
 
+sub main'public_label
+	{
+	$label{$_[0]}="_$_[0]"	if (!defined($label{$_[0]}));
+	push(@out,"PUBLIC\t$label{$_[0]}\n");
+	}
+
 sub main'label
 	{
 	if (!defined($label{$_[0]}))
@@ -347,19 +399,37 @@ sub main'set_label
 		$label{$_[0]}="\$${label}${_[0]}";
 		$label++;
 		}
+	if ($_[1]!=0 && $_[1]>1)
+		{
+		main'align($_[1]);
+		}
 	if((defined $_[2]) && ($_[2] == 1))
 		{
 		push(@out,"$label{$_[0]}::\n");
 		}
+	elsif ($label{$_[0]} !~ /^\$/)
+		{
+		push(@out,"$label{$_[0]}\tLABEL PTR\n");
+		}
 	else
 		{
 		push(@out,"$label{$_[0]}:\n");
 		}
 	}
 
+sub main'data_byte
+	{
+	push(@out,"\tDB\t".join(',',@_)."\n");
+	}
+
 sub main'data_word
 	{
-	push(@out,"\tDD\t$_[0]\n");
+	push(@out,"\tDD\t".join(',',@_)."\n");
+	}
+
+sub main'align
+	{
+	push(@out,"\tALIGN\t$_[0]\n");
 	}
 
 sub out1p
@@ -367,7 +437,7 @@ sub out1p
 	local($name,$p1)=@_;
 	local($l,$t);
 
-	push(@out,"\t$name\t ".&conv($p1)."\n");
+	push(@out,"\t$name\t".&conv($p1)."\n");
 	}
 
 sub main'picmeup
@@ -377,3 +447,18 @@ sub main'picmeup
 	}
 
 sub main'blindpop { &out1("pop",@_); }
+
+sub main'initseg 
+	{
+	local($f)=@_;
+	local($tmp)=<<___;
+OPTION	DOTNAME
+.CRT\$XCU	SEGMENT DWORD PUBLIC 'DATA'
+EXTRN	_$f:NEAR
+DD	_$f
+.CRT\$XCU	ENDS
+___
+	push(@out,$tmp);
+	}
+
+1;
diff --git a/crypto/openssl/crypto/perlasm/x86nasm.pl b/crypto/openssl/crypto/perlasm/x86nasm.pl
index 30346af4eac7..b6dfcbdf02c6 100644
--- a/crypto/openssl/crypto/perlasm/x86nasm.pl
+++ b/crypto/openssl/crypto/perlasm/x86nasm.pl
@@ -3,6 +3,7 @@
 package x86nasm;
 
 $label="L000";
+$under=($main'netware)?'':'_';
 
 %lb=(	'eax',	'al',
 	'ebx',	'bl',
@@ -32,7 +33,8 @@ sub main'external_label
 {
 	push(@labels,@_);
 	foreach (@_) {
-		push(@out, "extern\t_$_\n");
+		push(@out,".") if ($main'mwerks);
+		push(@out, "extern\t${under}$_\n");
 	}
 }
 
@@ -58,14 +60,19 @@ sub main'DWP
 	&get_mem("DWORD",@_);
 	}
 
+sub main'QWP
+	{
+	&get_mem("",@_);
+	}
+
 sub main'BC
 	{
-	return "BYTE @_";
+	return (($main'mwerks)?"":"BYTE ")."@_";
 	}
 
 sub main'DWC
 	{
-	return "DWORD @_";
+	return (($main'mwerks)?"":"DWORD ")."@_";
 	}
 
 sub main'stack_push
@@ -86,16 +93,22 @@ sub get_mem
 	{
 	my($size,$addr,$reg1,$reg2,$idx)=@_;
 	my($t,$post);
-	my($ret)="[";
+	my($ret)=$size;
+	if ($ret ne "")
+		{
+		$ret .= " PTR" if ($main'mwerks);
+		$ret .= " ";
+		}
+	$ret .= "[";
 	$addr =~ s/^\s+//;
 	if ($addr =~ /^(.+)\+(.+)$/)
 		{
 		$reg2=&conv($1);
-		$addr="_$2";
+		$addr="$under$2";
 		}
-	elsif ($addr =~ /^[_a-zA-Z]/)
+	elsif ($addr =~ /^[_a-z][_a-z0-9]*$/i)
 		{
-		$addr="_$addr";
+		$addr="$under$addr";
 		}
 
 	if ($addr =~ /^.+\-.+$/) { $addr="($addr)"; }
@@ -134,6 +147,7 @@ sub main'xorb	{ &out2("xor",@_); }
 sub main'add	{ &out2("add",@_); }
 sub main'adc	{ &out2("adc",@_); }
 sub main'sub	{ &out2("sub",@_); }
+sub main'sbb	{ &out2("sbb",@_); }
 sub main'rotl	{ &out2("rol",@_); }
 sub main'rotr	{ &out2("ror",@_); }
 sub main'exch	{ &out2("xchg",@_); }
@@ -147,28 +161,57 @@ sub main'jmp	{ &out1("jmp",@_); }
 sub main'jmp_ptr { &out1p("jmp",@_); }
 
 # This is a bit of a kludge: declare all branches as NEAR.
-sub main'je	{ &out1("je NEAR",@_); }
-sub main'jle	{ &out1("jle NEAR",@_); }
-sub main'jz	{ &out1("jz NEAR",@_); }
-sub main'jge	{ &out1("jge NEAR",@_); }
-sub main'jl	{ &out1("jl NEAR",@_); }
-sub main'ja	{ &out1("ja NEAR",@_); }
-sub main'jae	{ &out1("jae NEAR",@_); }
-sub main'jb	{ &out1("jb NEAR",@_); }
-sub main'jbe	{ &out1("jbe NEAR",@_); }
-sub main'jc	{ &out1("jc NEAR",@_); }
-sub main'jnc	{ &out1("jnc NEAR",@_); }
-sub main'jnz	{ &out1("jnz NEAR",@_); }
-sub main'jne	{ &out1("jne NEAR",@_); }
-sub main'jno	{ &out1("jno NEAR",@_); }
+$near=($main'mwerks)?'':'NEAR';
+sub main'je	{ &out1("je $near",@_); }
+sub main'jle	{ &out1("jle $near",@_); }
+sub main'jz	{ &out1("jz $near",@_); }
+sub main'jge	{ &out1("jge $near",@_); }
+sub main'jl	{ &out1("jl $near",@_); }
+sub main'ja	{ &out1("ja $near",@_); }
+sub main'jae	{ &out1("jae $near",@_); }
+sub main'jb	{ &out1("jb $near",@_); }
+sub main'jbe	{ &out1("jbe $near",@_); }
+sub main'jc	{ &out1("jc $near",@_); }
+sub main'jnc	{ &out1("jnc $near",@_); }
+sub main'jnz	{ &out1("jnz $near",@_); }
+sub main'jne	{ &out1("jne $near",@_); }
+sub main'jno	{ &out1("jno $near",@_); }
 
 sub main'push	{ &out1("push",@_); $stack+=4; }
 sub main'pop	{ &out1("pop",@_); $stack-=4; }
+sub main'pushf	{ &out0("pushfd"); $stack+=4; }
+sub main'popf	{ &out0("popfd"); $stack-=4; }
 sub main'bswap	{ &out1("bswap",@_); &using486(); }
 sub main'not	{ &out1("not",@_); }
-sub main'call	{ &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
+sub main'call	{ &out1("call",($_[0]=~/^\@L/?'':$under).$_[0]); }
+sub main'call_ptr { &out1p("call",@_); }
 sub main'ret	{ &out0("ret"); }
 sub main'nop	{ &out0("nop"); }
+sub main'test	{ &out2("test",@_); }
+sub main'bt	{ &out2("bt",@_); }
+sub main'leave	{ &out0("leave"); }
+sub main'cpuid	{ &out0("cpuid"); }
+sub main'rdtsc	{ &out0("rdtsc"); }
+sub main'halt	{ &out0("hlt"); }
+sub main'movz	{ &out2("movzx",@_); }
+sub main'neg	{ &out1("neg",@_); }
+sub main'cld	{ &out0("cld"); }
+
+# SSE2
+sub main'emms	{ &out0("emms"); }
+sub main'movd	{ &out2("movd",@_); }
+sub main'movq	{ &out2("movq",@_); }
+sub main'movdqu	{ &out2("movdqu",@_); }
+sub main'movdqa	{ &out2("movdqa",@_); }
+sub main'movdq2q{ &out2("movdq2q",@_); }
+sub main'movq2dq{ &out2("movq2dq",@_); }
+sub main'paddq	{ &out2("paddq",@_); }
+sub main'pmuludq{ &out2("pmuludq",@_); }
+sub main'psrlq	{ &out2("psrlq",@_); }
+sub main'psllq	{ &out2("psllq",@_); }
+sub main'pxor	{ &out2("pxor",@_); }
+sub main'por	{ &out2("por",@_); }
+sub main'pand	{ &out2("pand",@_); }
 
 sub out2
 	{
@@ -176,6 +219,11 @@ sub out2
 	my($l,$t);
 
 	push(@out,"\t$name\t");
+	if (!$main'mwerks and $name eq "lea")
+		{
+		$p1 =~ s/^[^\[]*\[/\[/;
+		$p2 =~ s/^[^\[]*\[/\[/;
+		}
 	$t=&conv($p1).",";
 	$l=length($t);
 	push(@out,$t);
@@ -215,7 +263,17 @@ sub using486
 
 sub main'file
 	{
-	push(@out, "segment .text use32\n");
+	if ($main'mwerks)	{ push(@out,".section\t.text\n"); }
+	else	{
+		local $tmp=<<___;
+%ifdef __omf__
+section	code	use32 class=code
+%else
+section	.text
+%endif
+___
+		push(@out,$tmp);
+		}
 	}
 
 sub main'function_begin
@@ -224,8 +282,8 @@ sub main'function_begin
 
 	push(@labels,$func);
 	my($tmp)=<<"EOF";
-global	_$func
-_$func:
+global	$under$func
+$under$func:
 	push	ebp
 	push	ebx
 	push	esi
@@ -239,8 +297,8 @@ sub main'function_begin_B
 	{
 	my($func,$extra)=@_;
 	my($tmp)=<<"EOF";
-global	_$func
-_$func:
+global	$under$func
+$under$func:
 EOF
 	push(@out,$tmp);
 	$stack=4;
@@ -314,11 +372,17 @@ sub main'comment
 		}
 	}
 
+sub main'public_label
+	{
+	$label{$_[0]}="${under}${_[0]}"	if (!defined($label{$_[0]}));
+	push(@out,"global\t$label{$_[0]}\n");
+	}
+
 sub main'label
 	{
 	if (!defined($label{$_[0]}))
 		{
-		$label{$_[0]}="\$${label}${_[0]}";
+		$label{$_[0]}="\@${label}${_[0]}";
 		$label++;
 		}
 	return($label{$_[0]});
@@ -328,15 +392,30 @@ sub main'set_label
 	{
 	if (!defined($label{$_[0]}))
 		{
-		$label{$_[0]}="\$${label}${_[0]}";
+		$label{$_[0]}="\@${label}${_[0]}";
 		$label++;
 		}
+	if ($_[1]!=0 && $_[1]>1)
+		{
+		main'align($_[1]);
+		}
 	push(@out,"$label{$_[0]}:\n");
 	}
 
+sub main'data_byte
+	{
+	push(@out,(($main'mwerks)?".byte\t":"DB\t").join(',',@_)."\n");
+	}
+
 sub main'data_word
 	{
-	push(@out,"\tDD\t$_[0]\n");
+	push(@out,(($main'mwerks)?".long\t":"DD\t").join(',',@_)."\n");
+	}
+
+sub main'align
+	{
+	push(@out,".") if ($main'mwerks);
+	push(@out,"align\t$_[0]\n");
 	}
 
 sub out1p
@@ -344,7 +423,7 @@ sub out1p
 	my($name,$p1)=@_;
 	my($l,$t);
 
-	push(@out,"\t$name\t ".&conv($p1)."\n");
+	push(@out,"\t$name\t".&conv($p1)."\n");
 	}
 
 sub main'picmeup
@@ -354,3 +433,19 @@ sub main'picmeup
 	}
 
 sub main'blindpop { &out1("pop",@_); }
+
+sub main'initseg
+	{
+	local($f)=@_;
+	if ($main'win32)
+		{
+		local($tmp)=<<___;
+segment	.CRT\$XCU data
+extern	$under$f
+DD	$under$f
+___
+		push(@out,$tmp);
+		}
+	}
+
+1;
diff --git a/crypto/openssl/crypto/perlasm/x86unix.pl b/crypto/openssl/crypto/perlasm/x86unix.pl
index 10b669bf049e..e71050b6bcb5 100644
--- a/crypto/openssl/crypto/perlasm/x86unix.pl
+++ b/crypto/openssl/crypto/perlasm/x86unix.pl
@@ -1,14 +1,15 @@
 #!/usr/local/bin/perl
 
-package x86unix;
+package x86unix;	# GAS actually...
 
 $label="L000";
 $const="";
 $constl=0;
 
 $align=($main'aout)?"4":"16";
-$under=($main'aout)?"_":"";
-$com_start=($main'sol)?"/":"#";
+$under=($main'aout or $main'coff)?"_":"";
+$dot=($main'aout)?"":".";
+$com_start="#" if ($main'aout or $main'coff);
 
 sub main'asm_init_output { @out=(); }
 sub main'asm_get_output { return(@out); }
@@ -51,6 +52,24 @@ if ($main'cpp)
 	'edi',	'%edi',
 	'ebp',	'%ebp',
 	'esp',	'%esp',
+
+	'mm0',	'%mm0',
+	'mm1',	'%mm1',
+	'mm2',	'%mm2',
+	'mm3',	'%mm3',
+	'mm4',	'%mm4',
+	'mm5',	'%mm5',
+	'mm6',	'%mm6',
+	'mm7',	'%mm7',
+
+	'xmm0',	'%xmm0',
+	'xmm1',	'%xmm1',
+	'xmm2',	'%xmm2',
+	'xmm3',	'%xmm3',
+	'xmm4',	'%xmm4',
+	'xmm5',	'%xmm5',
+	'xmm6',	'%xmm6',
+	'xmm7',	'%xmm7',
 	);
 
 %reg_val=(
@@ -97,6 +116,11 @@ sub main'DWP
 	return($ret);
 	}
 
+sub main'QWP
+	{
+	return(&main'DWP(@_));
+	}
+
 sub main'BP
 	{
 	return(&main'DWP(@_));
@@ -137,12 +161,13 @@ sub main'shl	{ &out2("sall",@_); }
 sub main'shr	{ &out2("shrl",@_); }
 sub main'xor	{ &out2("xorl",@_); }
 sub main'xorb	{ &out2("xorb",@_); }
-sub main'add	{ &out2("addl",@_); }
+sub main'add	{ &out2($_[0]=~/%[a-d][lh]/?"addb":"addl",@_); }
 sub main'adc	{ &out2("adcl",@_); }
 sub main'sub	{ &out2("subl",@_); }
+sub main'sbb	{ &out2("sbbl",@_); }
 sub main'rotl	{ &out2("roll",@_); }
 sub main'rotr	{ &out2("rorl",@_); }
-sub main'exch	{ &out2("xchg",@_); }
+sub main'exch	{ &out2($_[0]=~/%[a-d][lh]/?"xchgb":"xchgl",@_); }
 sub main'cmp	{ &out2("cmpl",@_); }
 sub main'lea	{ &out2("leal",@_); }
 sub main'mul	{ &out1("mull",@_); }
@@ -164,15 +189,51 @@ sub main'jc	{ &out1("jc",@_); }
 sub main'jnc	{ &out1("jnc",@_); }
 sub main'jno	{ &out1("jno",@_); }
 sub main'dec	{ &out1("decl",@_); }
-sub main'inc	{ &out1("incl",@_); }
+sub main'inc	{ &out1($_[0]=~/%[a-d][hl]/?"incb":"incl",@_); }
 sub main'push	{ &out1("pushl",@_); $stack+=4; }
 sub main'pop	{ &out1("popl",@_); $stack-=4; }
-sub main'pushf	{ &out0("pushf"); $stack+=4; }
-sub main'popf	{ &out0("popf"); $stack-=4; }
+sub main'pushf	{ &out0("pushfl"); $stack+=4; }
+sub main'popf	{ &out0("popfl"); $stack-=4; }
 sub main'not	{ &out1("notl",@_); }
-sub main'call	{ &out1("call",($_[0]=~/^\.L/?'':$under).$_[0]); }
+sub main'call	{	my $pre=$under;
+			foreach $i (%label)
+			{ if ($label{$i} eq $_[0]) { $pre=''; last; } }
+			&out1("call",$pre.$_[0]);
+		}
+sub main'call_ptr { &out1p("call",@_); }
 sub main'ret	{ &out0("ret"); }
 sub main'nop	{ &out0("nop"); }
+sub main'test	{ &out2("testl",@_); }
+sub main'bt	{ &out2("btl",@_); }
+sub main'leave	{ &out0("leave"); }
+sub main'cpuid	{ &out0(".byte\t0x0f,0xa2"); }
+sub main'rdtsc	{ &out0(".byte\t0x0f,0x31"); }
+sub main'halt	{ &out0("hlt"); }
+sub main'movz	{ &out2("movzbl",@_); }
+sub main'neg	{ &out1("negl",@_); }
+sub main'cld	{ &out0("cld"); }
+
+# SSE2
+sub main'emms	{ &out0("emms"); }
+sub main'movd	{ &out2("movd",@_); }
+sub main'movdqu	{ &out2("movdqu",@_); }
+sub main'movdqa	{ &out2("movdqa",@_); }
+sub main'movdq2q{ &out2("movdq2q",@_); }
+sub main'movq2dq{ &out2("movq2dq",@_); }
+sub main'paddq	{ &out2("paddq",@_); }
+sub main'pmuludq{ &out2("pmuludq",@_); }
+sub main'psrlq	{ &out2("psrlq",@_); }
+sub main'psllq	{ &out2("psllq",@_); }
+sub main'pxor	{ &out2("pxor",@_); }
+sub main'por	{ &out2("por",@_); }
+sub main'pand	{ &out2("pand",@_); }
+sub main'movq	{
+	local($p1,$p2,$optimize)=@_;
+	if ($optimize && $p1=~/^mm[0-7]$/ && $p2=~/^mm[0-7]$/)
+		# movq between mmx registers can sink Intel CPUs
+		{	push(@out,"\tpshufw\t\$0xe4,%$p2,%$p1\n");	}
+	else	{	&out2("movq",@_);				}
+	}
 
 # The bswapl instruction is new for the 486. Emulate if i386.
 sub main'bswap
@@ -278,8 +339,6 @@ sub main'file
 
 	local($tmp)=<<"EOF";
 	.file	"$file.s"
-	.version	"01.01"
-gcc2_compiled.:
 EOF
 	push(@out,$tmp);
 	}
@@ -293,15 +352,17 @@ sub main'function_begin
 
 	local($tmp)=<<"EOF";
 .text
-	.align $align
-.globl $func
+.globl	$func
 EOF
 	push(@out,$tmp);
 	if ($main'cpp)
-		{ $tmp=push(@out,"\tTYPE($func,\@function)\n"); }
-	elsif ($main'gaswin)
-		{ $tmp=push(@out,"\t.def\t$func;\t.scl\t2;\t.type\t32;\t.endef\n"); }
-	else	{ $tmp=push(@out,"\t.type\t$func,\@function\n"); }
+		{ $tmp=push(@out,"TYPE($func,\@function)\n"); }
+	elsif ($main'coff)
+		{ $tmp=push(@out,".def\t$func;\t.scl\t2;\t.type\t32;\t.endef\n"); }
+	elsif ($main'aout and !$main'pic)
+		{ }
+	else	{ $tmp=push(@out,".type\t$func,\@function\n"); }
+	push(@out,".align\t$align\n");
 	push(@out,"$func:\n");
 	$tmp=<<"EOF";
 	pushl	%ebp
@@ -323,15 +384,17 @@ sub main'function_begin_B
 
 	local($tmp)=<<"EOF";
 .text
-	.align $align
-.globl $func
+.globl	$func
 EOF
 	push(@out,$tmp);
 	if ($main'cpp)
-		{ push(@out,"\tTYPE($func,\@function)\n"); }
-	elsif ($main'gaswin)
-		{ $tmp=push(@out,"\t.def\t$func;\t.scl\t2;\t.type\t32;\t.endef\n"); }
-	else	{ push(@out,"\t.type	$func,\@function\n"); }
+		{ push(@out,"TYPE($func,\@function)\n"); }
+	elsif ($main'coff)
+		{ $tmp=push(@out,".def\t$func;\t.scl\t2;\t.type\t32;\t.endef\n"); }
+	elsif ($main'aout and !$main'pic)
+		{ }
+	else	{ push(@out,".type	$func,\@function\n"); }
+	push(@out,".align\t$align\n");
 	push(@out,"$func:\n");
 	$stack=4;
 	}
@@ -348,15 +411,15 @@ sub main'function_end
 	popl	%ebx
 	popl	%ebp
 	ret
-.L_${func}_end:
+${dot}L_${func}_end:
 EOF
 	push(@out,$tmp);
 
 	if ($main'cpp)
-		{ push(@out,"\tSIZE($func,.L_${func}_end-$func)\n"); }
-	elsif ($main'gaswin)
-                { $tmp=push(@out,"\t.align 4\n"); }
-	else	{ push(@out,"\t.size\t$func,.L_${func}_end-$func\n"); }
+		{ push(@out,"SIZE($func,${dot}L_${func}_end-$func)\n"); }
+	elsif ($main'coff or $main'aout)
+                { }
+	else	{ push(@out,".size\t$func,${dot}L_${func}_end-$func\n"); }
 	push(@out,".ident	\"$func\"\n");
 	$stack=0;
 	%label=();
@@ -382,13 +445,13 @@ sub main'function_end_B
 
 	$func=$under.$func;
 
-	push(@out,".L_${func}_end:\n");
+	push(@out,"${dot}L_${func}_end:\n");
 	if ($main'cpp)
-		{ push(@out,"\tSIZE($func,.L_${func}_end-$func)\n"); }
-        elsif ($main'gaswin)
-                { push(@out,"\t.align 4\n"); }
-	else	{ push(@out,"\t.size\t$func,.L_${func}_end-$func\n"); }
-	push(@out,".ident	\"desasm.pl\"\n");
+		{ push(@out,"SIZE($func,${dot}L_${func}_end-$func)\n"); }
+        elsif ($main'coff or $main'aout)
+                { }
+	else	{ push(@out,".size\t$func,${dot}L_${func}_end-$func\n"); }
+	push(@out,".ident	\"$func\"\n");
 	$stack=0;
 	%label=();
 	}
@@ -429,9 +492,10 @@ sub main'swtmp
 
 sub main'comment
 	{
-	if ($main'elf)	# GNU and SVR4 as'es use different comment delimiters,
-		{	# so we just skip comments...
-		push(@out,"\n");
+	if (!defined($com_start) or $main'elf)
+		{	# Regarding $main'elf above...
+			# GNU and SVR4 as'es use different comment delimiters,
+		push(@out,"\n");	# so we just skip ELF comments...
 		return;
 		}
 	foreach (@_)
@@ -443,11 +507,17 @@ sub main'comment
 		}
 	}
 
+sub main'public_label
+	{
+	$label{$_[0]}="${under}${_[0]}"	if (!defined($label{$_[0]}));
+	push(@out,".globl\t$label{$_[0]}\n");
+	}
+
 sub main'label
 	{
 	if (!defined($label{$_[0]}))
 		{
-		$label{$_[0]}=".${label}${_[0]}";
+		$label{$_[0]}="${dot}${label}${_[0]}";
 		$label++;
 		}
 	return($label{$_[0]});
@@ -457,15 +527,66 @@ sub main'set_label
 	{
 	if (!defined($label{$_[0]}))
 		{
-		$label{$_[0]}=".${label}${_[0]}";
+		$label{$_[0]}="${dot}${label}${_[0]}";
 		$label++;
 		}
-	push(@out,".align $align\n") if ($_[1] != 0);
+	if ($_[1]!=0)
+		{
+		if ($_[1]>1)	{ main'align($_[1]);		}
+		else		{ push(@out,".align $align\n");	}
+		}
 	push(@out,"$label{$_[0]}:\n");
 	}
 
 sub main'file_end
 	{
+	# try to detect if SSE2 or MMX extensions were used on ELF platform...
+	if ($main'elf && grep {/%[x]*mm[0-7]/i} @out) {
+		local($tmp);
+
+		push (@out,"\n.section\t.bss\n");
+		push (@out,".comm\t${under}OPENSSL_ia32cap_P,4,4\n");
+
+		push (@out,".section\t.init\n");
+		# One can argue that it's wasteful to craft every
+		# SSE/MMX module with this snippet... Well, it's 72
+		# bytes long and for the moment we have two modules.
+		# Let's argue when we have 7 modules or so...
+		#
+		# $1<<10 sets a reserved bit to signal that variable
+		# was initialized already...
+		&main'picmeup("edx","OPENSSL_ia32cap_P");
+		$tmp=<<___;
+		cmpl	\$0,(%edx)
+		jne	1f
+		movl	\$1<<10,(%edx)
+		pushf
+		popl	%eax
+		movl	%eax,%ecx
+		xorl	\$1<<21,%eax
+		pushl	%eax
+		popf
+		pushf
+		popl	%eax
+		xorl	%ecx,%eax
+		btl	\$21,%eax
+		jnc	1f
+		pushl	%edi
+		pushl	%ebx
+		movl	%edx,%edi
+		movl	\$1,%eax
+		.byte	0x0f,0xa2
+		orl	\$1<<10,%edx
+		movl	%edx,0(%edi)
+		popl	%ebx
+		popl	%edi
+		jmp	1f
+	.align	$align
+	1:
+___
+		push (@out,$tmp);
+	}
+
 	if ($const ne "")
 		{
 		push(@out,".section .rodata\n");
@@ -474,9 +595,25 @@ sub main'file_end
 		}
 	}
 
+sub main'data_byte
+	{
+	push(@out,"\t.byte\t".join(',',@_)."\n");
+	}
+
 sub main'data_word
 	{
-	push(@out,"\t.long $_[0]\n");
+	push(@out,"\t.long\t".join(',',@_)."\n");
+	}
+
+sub main'align
+	{
+	my $val=$_[0],$p2,$i;
+	if ($main'aout) {
+		for ($p2=0;$val!=0;$val>>=1) { $p2++; }
+		$val=$p2-1;
+		$val.=",0x90";
+	}
+	push(@out,".align\t$val\n");
 	}
 
 # debug output functions: puts, putx, printf
@@ -558,7 +695,6 @@ sub main'picmeup
 		{
 		local($tmp)=<<___;
 #if (defined(ELF) || defined(SOL)) && defined(PIC)
-	.align	8
 	call	1f
 1:	popl	$regs{$dst}
 	addl	\$_GLOBAL_OFFSET_TABLE_+[.-1b],$regs{$dst}
@@ -571,13 +707,12 @@ ___
 		}
 	elsif ($main'pic && ($main'elf || $main'aout))
 		{
-		push(@out,"\t.align\t8\n");
 		&main'call(&main'label("PIC_me_up"));
 		&main'set_label("PIC_me_up");
 		&main'blindpop($dst);
-		&main'add($dst,"\$$under"."_GLOBAL_OFFSET_TABLE_+[.-".
+		&main'add($dst,"\$${under}_GLOBAL_OFFSET_TABLE_+[.-".
 				&main'label("PIC_me_up") . "]");
-		&main'mov($dst,&main'DWP($sym."\@GOT",$dst));
+		&main'mov($dst,&main'DWP($under.$sym."\@GOT",$dst));
 		}
 	else
 		{
@@ -586,3 +721,41 @@ ___
 	}
 
 sub main'blindpop { &out1("popl",@_); }
+
+sub main'initseg
+	{
+	local($f)=@_;
+	local($tmp);
+	if ($main'elf)
+		{
+		$tmp=<<___;
+.section	.init
+	call	$under$f
+	jmp	.Linitalign
+.align	$align
+.Linitalign:
+___
+		}
+	elsif ($main'coff)
+		{
+		$tmp=<<___;	# applies to both Cygwin and Mingw
+.section	.ctors
+.long	$under$f
+___
+		}
+	elsif ($main'aout)
+		{
+		local($ctor)="${under}_GLOBAL_\$I\$$f";
+		$tmp=".text\n";
+		$tmp.=".type	$ctor,\@function\n" if ($main'pic);
+		$tmp.=<<___;	# OpenBSD way...
+.globl	$ctor
+.align	2
+$ctor:
+	jmp	$under$f
+___
+		}
+	push(@out,$tmp) if ($tmp);
+	}
+
+1;
diff --git a/crypto/openssl/crypto/pkcs12/Makefile b/crypto/openssl/crypto/pkcs12/Makefile
index 0bd0b7a97794..3a7498fe7ad9 100644
--- a/crypto/openssl/crypto/pkcs12/Makefile
+++ b/crypto/openssl/crypto/pkcs12/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/pkcs12/Makefile
+# OpenSSL/crypto/pkcs12/Makefile
 #
 
 DIR=	pkcs12
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -57,7 +52,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -72,6 +68,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -83,333 +80,207 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-p12_add.o: ../../e_os.h ../../include/openssl/aes.h
-p12_add.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_add.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_add.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_add.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p12_add.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p12_add.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p12_add.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_add.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_add.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_add.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_add.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_add.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p12_add.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p12_add.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p12_add.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p12_add.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_add.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_add.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 p12_add.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
-p12_add.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_add.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_add.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_add.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_add.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_add.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-p12_add.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_add.o: ../cryptlib.h p12_add.c
-p12_asn.o: ../../e_os.h ../../include/openssl/aes.h
-p12_asn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-p12_asn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p12_asn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p12_asn.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p12_asn.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-p12_asn.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p12_asn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p12_asn.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p12_asn.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p12_asn.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p12_asn.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p12_add.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+p12_add.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_add.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p12_add.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_add.c
+p12_asn.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_asn.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+p12_asn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+p12_asn.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+p12_asn.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+p12_asn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_asn.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p12_asn.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 p12_asn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p12_asn.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-p12_asn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p12_asn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p12_asn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p12_asn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p12_asn.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-p12_asn.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-p12_asn.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_asn.c
-p12_attr.o: ../../e_os.h ../../include/openssl/aes.h
-p12_attr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_attr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_attr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_attr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p12_attr.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p12_attr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p12_attr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_attr.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_attr.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_attr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_asn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_asn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_asn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_asn.o: ../cryptlib.h p12_asn.c
+p12_attr.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_attr.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p12_attr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p12_attr.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p12_attr.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p12_attr.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_attr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_attr.o: ../../include/openssl/opensslconf.h
 p12_attr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p12_attr.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-p12_attr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p12_attr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p12_attr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p12_attr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p12_attr.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-p12_attr.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-p12_attr.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_attr.c
-p12_crpt.o: ../../e_os.h ../../include/openssl/aes.h
-p12_crpt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_crpt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_crpt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p12_crpt.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p12_crpt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p12_crpt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_crpt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_crpt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_crpt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_attr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_attr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_attr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_attr.o: ../cryptlib.h p12_attr.c
+p12_crpt.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_crpt.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p12_crpt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p12_crpt.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p12_crpt.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p12_crpt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_crpt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_crpt.o: ../../include/openssl/opensslconf.h
 p12_crpt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p12_crpt.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-p12_crpt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p12_crpt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p12_crpt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p12_crpt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p12_crpt.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-p12_crpt.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-p12_crpt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_crpt.c
-p12_crt.o: ../../e_os.h ../../include/openssl/aes.h
-p12_crt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_crt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_crt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_crt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p12_crt.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p12_crt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p12_crt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_crt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_crt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_crt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_crpt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_crpt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_crpt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_crpt.o: ../cryptlib.h p12_crpt.c
+p12_crt.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_crt.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p12_crt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p12_crt.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p12_crt.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p12_crt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_crt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_crt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 p12_crt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
-p12_crt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_crt.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_crt.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_crt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_crt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_crt.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-p12_crt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_crt.o: ../cryptlib.h p12_crt.c
-p12_decr.o: ../../e_os.h ../../include/openssl/aes.h
-p12_decr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_decr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_decr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_decr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p12_decr.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p12_decr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p12_decr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_decr.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_decr.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_decr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_crt.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+p12_crt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_crt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p12_crt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_crt.c
+p12_decr.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_decr.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p12_decr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p12_decr.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p12_decr.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p12_decr.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_decr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_decr.o: ../../include/openssl/opensslconf.h
 p12_decr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p12_decr.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-p12_decr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p12_decr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p12_decr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p12_decr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p12_decr.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-p12_decr.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-p12_decr.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_decr.c
-p12_init.o: ../../e_os.h ../../include/openssl/aes.h
-p12_init.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_init.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_init.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_init.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p12_init.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p12_init.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p12_init.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_init.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_init.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_init.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_decr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_decr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_decr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_decr.o: ../cryptlib.h p12_decr.c
+p12_init.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_init.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p12_init.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p12_init.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p12_init.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p12_init.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_init.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_init.o: ../../include/openssl/opensslconf.h
 p12_init.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p12_init.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-p12_init.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p12_init.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p12_init.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p12_init.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p12_init.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-p12_init.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-p12_init.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_init.c
-p12_key.o: ../../e_os.h ../../include/openssl/aes.h
-p12_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_key.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_key.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p12_key.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p12_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+p12_init.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_init.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_init.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_init.o: ../cryptlib.h p12_init.c
+p12_key.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_key.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p12_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+p12_key.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+p12_key.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 p12_key.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_key.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_key.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_key.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-p12_key.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-p12_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-p12_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
-p12_key.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_key.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_key.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_key.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+p12_key.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p12_key.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
 p12_key.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 p12_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_key.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 p12_key.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 p12_key.o: ../cryptlib.h p12_key.c
-p12_kiss.o: ../../e_os.h ../../include/openssl/aes.h
-p12_kiss.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_kiss.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_kiss.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_kiss.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p12_kiss.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p12_kiss.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p12_kiss.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_kiss.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_kiss.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_kiss.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_kiss.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_kiss.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p12_kiss.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p12_kiss.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p12_kiss.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p12_kiss.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_kiss.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_kiss.o: ../../include/openssl/opensslconf.h
 p12_kiss.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p12_kiss.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-p12_kiss.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p12_kiss.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p12_kiss.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p12_kiss.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p12_kiss.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-p12_kiss.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-p12_kiss.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_kiss.c
-p12_mutl.o: ../../e_os.h ../../include/openssl/aes.h
-p12_mutl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_mutl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_mutl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_mutl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p12_mutl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p12_mutl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p12_mutl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_mutl.o: ../../include/openssl/hmac.h ../../include/openssl/idea.h
-p12_mutl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p12_mutl.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p12_mutl.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p12_kiss.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_kiss.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_kiss.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_kiss.o: ../cryptlib.h p12_kiss.c
+p12_mutl.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_mutl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p12_mutl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p12_mutl.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p12_mutl.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p12_mutl.o: ../../include/openssl/evp.h ../../include/openssl/hmac.h
+p12_mutl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p12_mutl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 p12_mutl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p12_mutl.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-p12_mutl.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-p12_mutl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_mutl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_mutl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_mutl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_mutl.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-p12_mutl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_mutl.o: ../cryptlib.h p12_mutl.c
-p12_npas.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-p12_npas.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p12_npas.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p12_npas.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p12_npas.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-p12_npas.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p12_npas.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p12_npas.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p12_npas.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p12_npas.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p12_npas.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p12_mutl.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+p12_mutl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_mutl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p12_mutl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_mutl.c
+p12_npas.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_npas.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+p12_npas.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+p12_npas.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+p12_npas.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_npas.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p12_npas.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 p12_npas.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p12_npas.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
 p12_npas.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-p12_npas.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p12_npas.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p12_npas.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p12_npas.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p12_npas.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-p12_npas.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-p12_npas.o: ../../include/openssl/x509_vfy.h p12_npas.c
-p12_p8d.o: ../../e_os.h ../../include/openssl/aes.h
-p12_p8d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_p8d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_p8d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_p8d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p12_p8d.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p12_p8d.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p12_p8d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_p8d.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_p8d.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_p8d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_npas.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_npas.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_npas.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_npas.o: p12_npas.c
+p12_p8d.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_p8d.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p12_p8d.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p12_p8d.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p12_p8d.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p12_p8d.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_p8d.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_p8d.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 p12_p8d.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
-p12_p8d.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_p8d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_p8d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_p8d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_p8d.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_p8d.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-p12_p8d.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_p8d.o: ../cryptlib.h p12_p8d.c
-p12_p8e.o: ../../e_os.h ../../include/openssl/aes.h
-p12_p8e.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_p8e.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_p8e.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_p8e.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p12_p8e.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p12_p8e.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p12_p8e.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_p8e.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_p8e.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_p8e.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_p8d.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+p12_p8d.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_p8d.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p12_p8d.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_p8d.c
+p12_p8e.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_p8e.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p12_p8e.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p12_p8e.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p12_p8e.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p12_p8e.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_p8e.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_p8e.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 p12_p8e.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
-p12_p8e.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_p8e.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_p8e.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_p8e.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_p8e.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_p8e.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-p12_p8e.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_p8e.o: ../cryptlib.h p12_p8e.c
-p12_utl.o: ../../e_os.h ../../include/openssl/aes.h
-p12_utl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_utl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_utl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_utl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p12_utl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-p12_utl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-p12_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_utl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_utl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_utl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_p8e.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+p12_p8e.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_p8e.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p12_p8e.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_p8e.c
+p12_utl.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_utl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+p12_utl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+p12_utl.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+p12_utl.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+p12_utl.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_utl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_utl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 p12_utl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
-p12_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_utl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_utl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_utl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_utl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_utl.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-p12_utl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_utl.o: ../cryptlib.h p12_utl.c
-pk12err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-pk12err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-pk12err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-pk12err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-pk12err.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-pk12err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pk12err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-pk12err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-pk12err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-pk12err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-pk12err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p12_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+p12_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_utl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p12_utl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_utl.c
+pk12err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk12err.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+pk12err.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pk12err.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pk12err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk12err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 pk12err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 pk12err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 pk12err.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-pk12err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pk12err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-pk12err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-pk12err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pk12err.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-pk12err.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-pk12err.o: ../../include/openssl/x509_vfy.h pk12err.c
+pk12err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk12err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pk12err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk12err.o: pk12err.c
diff --git a/crypto/openssl/crypto/pkcs12/p12_add.c b/crypto/openssl/crypto/pkcs12/p12_add.c
index 1909f285065d..41bdc0055104 100644
--- a/crypto/openssl/crypto/pkcs12/p12_add.c
+++ b/crypto/openssl/crypto/pkcs12/p12_add.c
@@ -68,16 +68,16 @@ PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid
 	PKCS12_BAGS *bag;
 	PKCS12_SAFEBAG *safebag;
 	if (!(bag = PKCS12_BAGS_new())) {
-		PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	bag->type = OBJ_nid2obj(nid1);
 	if (!ASN1_item_pack(obj, it, &bag->value.octet)) {
-		PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	if (!(safebag = PKCS12_SAFEBAG_new())) {
-		PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	safebag->value.bag = bag;
@@ -148,7 +148,11 @@ PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk)
 /* Unpack SAFEBAGS from PKCS#7 data ContentInfo */
 STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
 {
-	if(!PKCS7_type_is_data(p7)) return NULL;
+	if(!PKCS7_type_is_data(p7))
+		{
+		PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,PKCS12_R_CONTENT_TYPE_NOT_DATA);
+		return NULL;
+		}
 	return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
 }
 
@@ -211,5 +215,10 @@ int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes)
 
 STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12)
 {
+	if (!PKCS7_type_is_data(p12->authsafes))
+		{
+		PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,PKCS12_R_CONTENT_TYPE_NOT_DATA);
+		return NULL;
+		}
 	return ASN1_item_unpack(p12->authsafes->d.data, ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
 }
diff --git a/crypto/openssl/crypto/pkcs12/p12_crpt.c b/crypto/openssl/crypto/pkcs12/p12_crpt.c
index 5e8958612b49..3ad33c49d82d 100644
--- a/crypto/openssl/crypto/pkcs12/p12_crpt.c
+++ b/crypto/openssl/crypto/pkcs12/p12_crpt.c
@@ -84,19 +84,25 @@ EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc(),
 #endif
 }
 
-int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 		ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
 {
 	PBEPARAM *pbe;
-	int saltlen, iter;
-	unsigned char *salt, *pbuf;
+	int saltlen, iter, ret;
+	unsigned char *salt;
+	const unsigned char *pbuf;
 	unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
 
 	/* Extract useful info from parameter */
+	if (param == NULL || param->type != V_ASN1_SEQUENCE ||
+	    param->value.sequence == NULL) {
+		PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_DECODE_ERROR);
+		return 0;
+	}
+
 	pbuf = param->value.sequence->data;
-	if (!param || (param->type != V_ASN1_SEQUENCE) ||
-	   !(pbe = d2i_PBEPARAM (NULL, &pbuf, param->value.sequence->length))) {
-		EVPerr(PKCS12_F_PKCS12_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+	if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
+		PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_DECODE_ERROR);
 		return 0;
 	}
 
@@ -117,8 +123,8 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 		return 0;
 	}
 	PBEPARAM_free(pbe);
-	EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
+	ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
 	OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
 	OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
-	return 1;
+	return ret;
 }
diff --git a/crypto/openssl/crypto/pkcs12/p12_crt.c b/crypto/openssl/crypto/pkcs12/p12_crt.c
index 4c36c643ce68..dbafda17b681 100644
--- a/crypto/openssl/crypto/pkcs12/p12_crt.c
+++ b/crypto/openssl/crypto/pkcs12/p12_crt.c
@@ -1,9 +1,9 @@
 /* p12_crt.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -60,105 +60,289 @@
 #include "cryptlib.h"
 #include <openssl/pkcs12.h>
 
+
+static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
+
 PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 	     STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter,
 	     int keytype)
 {
-	PKCS12 *p12;
-	STACK_OF(PKCS12_SAFEBAG) *bags;
-	STACK_OF(PKCS7) *safes;
-	PKCS12_SAFEBAG *bag;
-	PKCS8_PRIV_KEY_INFO *p8;
-	PKCS7 *authsafe;
-	X509 *tcert;
+	PKCS12 *p12 = NULL;
+	STACK_OF(PKCS7) *safes = NULL;
+	STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
+	PKCS12_SAFEBAG *bag = NULL;
 	int i;
 	unsigned char keyid[EVP_MAX_MD_SIZE];
-	unsigned int keyidlen;
+	unsigned int keyidlen = 0;
 
 	/* Set defaults */
-	if(!nid_cert) nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
-	if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-	if(!iter) iter = PKCS12_DEFAULT_ITER;
-	if(!mac_iter) mac_iter = 1;
+	if (!nid_cert)
+		nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+	if (!nid_key)
+		nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+	if (!iter)
+		iter = PKCS12_DEFAULT_ITER;
+	if (!mac_iter)
+		mac_iter = 1;
 
-	if(!pkey || !cert) {
+	if(!pkey && !cert && !ca)
+		{
 		PKCS12err(PKCS12_F_PKCS12_CREATE,PKCS12_R_INVALID_NULL_ARGUMENT);
 		return NULL;
-	}
-
-	if(!X509_check_private_key(cert, pkey)) return NULL;
+		}
 
-	if(!(bags = sk_PKCS12_SAFEBAG_new_null ())) {
-		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
+	if (pkey && cert)
+		{
+		if(!X509_check_private_key(cert, pkey))
+			return NULL;
+		X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
+		}
 
-	/* Add user certificate */
-	if(!(bag = PKCS12_x5092certbag(cert))) return NULL;
-	if(name && !PKCS12_add_friendlyname(bag, name, -1)) return NULL;
-	X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
-	if(!PKCS12_add_localkeyid(bag, keyid, keyidlen)) return NULL;
+	if (cert)
+		{
+		bag = PKCS12_add_cert(&bags, cert);
+		if(name && !PKCS12_add_friendlyname(bag, name, -1))
+			goto err;
+		if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
+			goto err;
+		}
 
-	if(!sk_PKCS12_SAFEBAG_push(bags, bag)) {
-		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	
 	/* Add all other certificates */
-	if(ca) {
-		for(i = 0; i < sk_X509_num(ca); i++) {
-			tcert = sk_X509_value(ca, i);
-			if(!(bag = PKCS12_x5092certbag(tcert))) return NULL;
-			if(!sk_PKCS12_SAFEBAG_push(bags, bag)) {
-				PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-				return NULL;
+	for(i = 0; i < sk_X509_num(ca); i++)
+		{
+		if (!PKCS12_add_cert(&bags, sk_X509_value(ca, i)))
+			goto err;
+		}
+
+	if (bags && !PKCS12_add_safe(&safes, bags, nid_cert, iter, pass))
+			goto err;
+
+	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+	bags = NULL;
+
+	if (pkey)
+		{
+		int cspidx;
+		bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass);
+
+		if (!bag)
+			goto err;
+
+		cspidx = EVP_PKEY_get_attr_by_NID(pkey, NID_ms_csp_name, -1);
+		if (cspidx >= 0)
+			{
+			X509_ATTRIBUTE *cspattr;
+			cspattr = EVP_PKEY_get_attr(pkey, cspidx);
+			if (!X509at_add1_attr(&bag->attrib, cspattr))
+				goto err;
 			}
+
+		if(name && !PKCS12_add_friendlyname(bag, name, -1))
+			goto err;
+		if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
+			goto err;
 		}
-	}
 
-	/* Turn certbags into encrypted authsafe */
-	authsafe = PKCS12_pack_p7encdata (nid_cert, pass, -1, NULL, 0,
-					  iter, bags);
+	if (bags && !PKCS12_add_safe(&safes, bags, -1, 0, NULL))
+			goto err;
+
 	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+	bags = NULL;
 
-	if (!authsafe) return NULL;
+	p12 = PKCS12_add_safes(safes, 0);
+
+	sk_PKCS7_pop_free(safes, PKCS7_free);
+
+	safes = NULL;
+
+	if ((mac_iter != -1) &&
+		!PKCS12_set_mac(p12, pass, -1, NULL, 0, mac_iter, NULL))
+	    goto err;
+
+	return p12;
+
+	err:
+
+	if (p12)
+		PKCS12_free(p12);
+	if (safes)
+		sk_PKCS7_pop_free(safes, PKCS7_free);
+	if (bags)
+		sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+	return NULL;
+
+}
+
+PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
+	{
+	PKCS12_SAFEBAG *bag = NULL;
+	char *name;
+	int namelen = -1;
+	unsigned char *keyid;
+	int keyidlen = -1;
+
+	/* Add user certificate */
+	if(!(bag = PKCS12_x5092certbag(cert)))
+		goto err;
+
+	/* Use friendlyName and localKeyID in certificate.
+	 * (if present)
+	 */
+
+	name = (char *)X509_alias_get0(cert, &namelen);
+
+	if(name && !PKCS12_add_friendlyname(bag, name, namelen))
+		goto err;
+
+	keyid = X509_keyid_get0(cert, &keyidlen);
+
+	if(keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
+		goto err;
+
+	if (!pkcs12_add_bag(pbags, bag))
+		goto err;
+
+	return bag;
+
+	err:
+
+	if (bag)
+		PKCS12_SAFEBAG_free(bag);
+
+	return NULL;
 
-	if(!(safes = sk_PKCS7_new_null ())
-	   || !sk_PKCS7_push(safes, authsafe)) {
-		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-		return NULL;
 	}
 
-	/* Make a shrouded key bag */
-	if(!(p8 = EVP_PKEY2PKCS8 (pkey))) return NULL;
-	if(keytype && !PKCS8_add_keyusage(p8, keytype)) return NULL;
-	bag = PKCS12_MAKE_SHKEYBAG (nid_key, pass, -1, NULL, 0, iter, p8);
-	if(!bag) return NULL;
-	PKCS8_PRIV_KEY_INFO_free(p8);
-        if (name && !PKCS12_add_friendlyname (bag, name, -1)) return NULL;
-	if(!PKCS12_add_localkeyid (bag, keyid, keyidlen)) return NULL;
-	if(!(bags = sk_PKCS12_SAFEBAG_new_null())
-	   || !sk_PKCS12_SAFEBAG_push (bags, bag)) {
-		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-		return NULL;
+PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key,
+						int key_usage, int iter,
+						int nid_key, char *pass)
+	{
+
+	PKCS12_SAFEBAG *bag = NULL;
+	PKCS8_PRIV_KEY_INFO *p8 = NULL;
+
+	/* Make a PKCS#8 structure */
+	if(!(p8 = EVP_PKEY2PKCS8(key)))
+		goto err;
+	if(key_usage && !PKCS8_add_keyusage(p8, key_usage))
+		goto err;
+	if (nid_key != -1)
+		{
+		bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0, iter, p8);
+		PKCS8_PRIV_KEY_INFO_free(p8);
+		}
+	else
+		bag = PKCS12_MAKE_KEYBAG(p8);
+
+	if(!bag)
+		goto err;
+
+	if (!pkcs12_add_bag(pbags, bag))
+		goto err;
+
+	return bag;
+
+	err:
+
+	if (bag)
+		PKCS12_SAFEBAG_free(bag);
+
+	return NULL;
+
 	}
-	/* Turn it into unencrypted safe bag */
-	if(!(authsafe = PKCS12_pack_p7data (bags))) return NULL;
-	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-	if(!sk_PKCS7_push(safes, authsafe)) {
-		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
-		return NULL;
+
+int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
+						int nid_safe, int iter, char *pass)
+	{
+	PKCS7 *p7 = NULL;
+	int free_safes = 0;
+
+	if (!*psafes)
+		{
+		*psafes = sk_PKCS7_new_null();
+		if (!*psafes)
+			return 0;
+		free_safes = 1;
+		}
+	else
+		free_safes = 0;
+
+	if (nid_safe == 0)
+		nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC;
+
+	if (nid_safe == -1)
+		p7 = PKCS12_pack_p7data(bags);
+	else
+		p7 = PKCS12_pack_p7encdata(nid_safe, pass, -1, NULL, 0,
+					  iter, bags);
+	if (!p7)
+		goto err;
+
+	if (!sk_PKCS7_push(*psafes, p7))
+		goto err;
+
+	return 1;
+
+	err:
+	if (free_safes)
+		{
+		sk_PKCS7_free(*psafes);
+		*psafes = NULL;
+		}
+
+	if (p7)
+		PKCS7_free(p7);
+
+	return 0;
+
 	}
 
-	if(!(p12 = PKCS12_init (NID_pkcs7_data))) return NULL;
+static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag)
+	{
+	int free_bags;
+	if (!pbags)
+		return 1;
+	if (!*pbags)
+		{
+		*pbags = sk_PKCS12_SAFEBAG_new_null();
+		if (!*pbags)
+			return 0;
+		free_bags = 1;
+		}
+	else 
+		free_bags = 0;
+
+	if (!sk_PKCS12_SAFEBAG_push(*pbags, bag))
+		{
+		if (free_bags)
+			{
+			sk_PKCS12_SAFEBAG_free(*pbags);
+			*pbags = NULL;
+			}
+		return 0;
+		}
+
+	return 1;
 
-	if(!PKCS12_pack_authsafes (p12, safes)) return NULL;
+	}
+		
 
-	sk_PKCS7_pop_free(safes, PKCS7_free);
+PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7)
+	{
+	PKCS12 *p12;
+	if (nid_p7 <= 0)
+		nid_p7 = NID_pkcs7_data;
+	p12 = PKCS12_init(nid_p7);
 
-	if(!PKCS12_set_mac (p12, pass, -1, NULL, 0, mac_iter, NULL))
-	    return NULL;
+	if (!p12)
+		return NULL;
+
+	if(!PKCS12_pack_authsafes(p12, safes))
+		{
+		PKCS12_free(p12);
+		return NULL;
+		}
 
 	return p12;
 
-}
+	}
diff --git a/crypto/openssl/crypto/pkcs12/p12_decr.c b/crypto/openssl/crypto/pkcs12/p12_decr.c
index b5684a83ba34..74c961a92b89 100644
--- a/crypto/openssl/crypto/pkcs12/p12_decr.c
+++ b/crypto/openssl/crypto/pkcs12/p12_decr.c
@@ -113,13 +113,14 @@ unsigned char * PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
 void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
 	     const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf)
 {
-	unsigned char *out, *p;
+	unsigned char *out;
+	const unsigned char *p;
 	void *ret;
 	int outlen;
 
 	if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
 			       &out, &outlen, 0)) {
-		PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
 		return NULL;
 	}
 	p = out;
@@ -137,7 +138,7 @@ void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
 #endif
 	ret = ASN1_item_d2i(NULL, &p, outlen, it);
 	if (zbuf) OPENSSL_cleanse(out, outlen);
-	if(!ret) PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_DECODE_ERROR);
+	if(!ret) PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,PKCS12_R_DECODE_ERROR);
 	OPENSSL_free(out);
 	return ret;
 }
@@ -154,17 +155,17 @@ ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *i
 	unsigned char *in = NULL;
 	int inlen;
 	if (!(oct = M_ASN1_OCTET_STRING_new ())) {
-		PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	inlen = ASN1_item_i2d(obj, &in, it);
 	if (!in) {
-		PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,PKCS12_R_ENCODE_ERROR);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,PKCS12_R_ENCODE_ERROR);
 		return NULL;
 	}
 	if (!PKCS12_pbe_crypt(algor, pass, passlen, in, inlen, &oct->data,
 				 &oct->length, 1)) {
-		PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,PKCS12_R_ENCRYPT_ERROR);
+		PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,PKCS12_R_ENCRYPT_ERROR);
 		OPENSSL_free(in);
 		return NULL;
 	}
diff --git a/crypto/openssl/crypto/pkcs12/p12_init.c b/crypto/openssl/crypto/pkcs12/p12_init.c
index eb837a78cf7d..6bdc1326317c 100644
--- a/crypto/openssl/crypto/pkcs12/p12_init.c
+++ b/crypto/openssl/crypto/pkcs12/p12_init.c
@@ -62,7 +62,7 @@
 
 /* Initialise a PKCS12 structure to take data */
 
-PKCS12 *PKCS12_init (int mode)
+PKCS12 *PKCS12_init(int mode)
 {
 	PKCS12 *pkcs12;
 	if (!(pkcs12 = PKCS12_new())) {
@@ -76,15 +76,17 @@ PKCS12 *PKCS12_init (int mode)
 			if (!(pkcs12->authsafes->d.data =
 				 M_ASN1_OCTET_STRING_new())) {
 			PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
-			return NULL;
+			goto err;
 		}
 		break;
 		default:
-			PKCS12err(PKCS12_F_PKCS12_INIT,PKCS12_R_UNSUPPORTED_PKCS12_MODE);
-			PKCS12_free(pkcs12);
-			return NULL;
-		break;
+			PKCS12err(PKCS12_F_PKCS12_INIT,
+				PKCS12_R_UNSUPPORTED_PKCS12_MODE);
+			goto err;
 	}
 		
 	return pkcs12;
+err:
+	if (pkcs12 != NULL) PKCS12_free(pkcs12);
+	return NULL;
 }
diff --git a/crypto/openssl/crypto/pkcs12/p12_key.c b/crypto/openssl/crypto/pkcs12/p12_key.c
index 9196a34b4a90..18e72d0a1b81 100644
--- a/crypto/openssl/crypto/pkcs12/p12_key.c
+++ b/crypto/openssl/crypto/pkcs12/p12_key.c
@@ -59,7 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/pkcs12.h>
-
+#include <openssl/bn.h>
 
 /* Uncomment out this line to get debugging info about key generation */
 /*#define DEBUG_KEYGEN*/
diff --git a/crypto/openssl/crypto/pkcs12/p12_kiss.c b/crypto/openssl/crypto/pkcs12/p12_kiss.c
index 885087ad00fd..c2ee2cc6f3a7 100644
--- a/crypto/openssl/crypto/pkcs12/p12_kiss.c
+++ b/crypto/openssl/crypto/pkcs12/p12_kiss.c
@@ -80,7 +80,7 @@ static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
  * passed unitialised.
  */
 
-int PKCS12_parse (PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
+int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 	     STACK_OF(X509) **ca)
 {
 
@@ -141,7 +141,7 @@ int PKCS12_parse (PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 
 /* Parse the outer PKCS#12 structure */
 
-static int parse_pk12 (PKCS12 *p12, const char *pass, int passlen,
+static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
 	     EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
 {
 	STACK_OF(PKCS7) *asafes;
@@ -178,10 +178,10 @@ static int parse_pk12 (PKCS12 *p12, const char *pass, int passlen,
 }
 
 
-static int parse_bags (STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
-		       int passlen, EVP_PKEY **pkey, X509 **cert,
-		       STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
-		       char *keymatch)
+static int parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
+		      int passlen, EVP_PKEY **pkey, X509 **cert,
+		      STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
+		      char *keymatch)
 {
 	int i;
 	for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
@@ -197,9 +197,9 @@ static int parse_bags (STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
 #define MATCH_ALL  0x3
 
 static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
-		      EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
-		      ASN1_OCTET_STRING **keyid,
-	     char *keymatch)
+		     EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
+		     ASN1_OCTET_STRING **keyid,
+		     char *keymatch)
 {
 	PKCS8_PRIV_KEY_INFO *p8;
 	X509 *x509;
@@ -221,7 +221,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
 			if (M_ASN1_OCTET_STRING_cmp(*keyid, lkey)) lkey = NULL;
 		} else {
 			if (!(*keyid = M_ASN1_OCTET_STRING_dup(lkey))) {
-				PKCS12err(PKCS12_F_PARSE_BAGS,ERR_R_MALLOC_FAILURE);
+				PKCS12err(PKCS12_F_PARSE_BAG,ERR_R_MALLOC_FAILURE);
 				return 0;
 		    }
 		}
@@ -249,14 +249,26 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
 		if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
 								 return 1;
 		if (!(x509 = PKCS12_certbag2x509(bag))) return 0;
-		if(ckid) X509_keyid_set1(x509, ckid->data, ckid->length);
+		if(ckid)
+			{
+			if (!X509_keyid_set1(x509, ckid->data, ckid->length))
+				{
+				X509_free(x509);
+				return 0;
+				}
+			}
 		if(fname) {
-			int len;
+			int len, r;
 			unsigned char *data;
 			len = ASN1_STRING_to_UTF8(&data, fname);
 			if(len > 0) {
-				X509_alias_set1(x509, data, len);
+				r = X509_alias_set1(x509, data, len);
 				OPENSSL_free(data);
+				if (!r)
+					{
+					X509_free(x509);
+					return 0;
+					}
 			}
 		}
 
diff --git a/crypto/openssl/crypto/pkcs12/p12_mutl.c b/crypto/openssl/crypto/pkcs12/p12_mutl.c
index 0fb67f74b8b2..7bff04889c35 100644
--- a/crypto/openssl/crypto/pkcs12/p12_mutl.c
+++ b/crypto/openssl/crypto/pkcs12/p12_mutl.c
@@ -64,14 +64,20 @@
 #include <openssl/pkcs12.h>
 
 /* Generate a MAC */
-int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen,
-		    unsigned char *mac, unsigned int *maclen)
+int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
+		   unsigned char *mac, unsigned int *maclen)
 {
 	const EVP_MD *md_type;
 	HMAC_CTX hmac;
 	unsigned char key[PKCS12_MAC_KEY_LENGTH], *salt;
 	int saltlen, iter;
 
+	if (!PKCS7_type_is_data(p12->authsafes))
+		{
+		PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_CONTENT_TYPE_NOT_DATA);
+		return 0;
+		}
+
 	salt = p12->mac->salt->data;
 	saltlen = p12->mac->salt->length;
 	if (!p12->mac->iter) iter = 1;
@@ -96,16 +102,16 @@ int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen,
 }
 
 /* Verify the mac */
-int PKCS12_verify_mac (PKCS12 *p12, const char *pass, int passlen)
+int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
 {
 	unsigned char mac[EVP_MAX_MD_SIZE];
 	unsigned int maclen;
 	if(p12->mac == NULL) {
-		PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_ABSENT);
+		PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC,PKCS12_R_MAC_ABSENT);
 		return 0;
 	}
 	if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) {
-		PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_GENERATION_ERROR);
+		PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC,PKCS12_R_MAC_GENERATION_ERROR);
 		return 0;
 	}
 	if ((maclen != (unsigned int)p12->mac->dinfo->digest->length)
@@ -115,7 +121,7 @@ int PKCS12_verify_mac (PKCS12 *p12, const char *pass, int passlen)
 
 /* Set a mac */
 
-int PKCS12_set_mac (PKCS12 *p12, const char *pass, int passlen,
+int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
 	     unsigned char *salt, int saltlen, int iter, const EVP_MD *md_type)
 {
 	unsigned char mac[EVP_MAX_MD_SIZE];
@@ -139,7 +145,7 @@ int PKCS12_set_mac (PKCS12 *p12, const char *pass, int passlen,
 }
 
 /* Set up a mac structure */
-int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
+int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
 	     const EVP_MD *md_type)
 {
 	if (!(p12->mac = PKCS12_MAC_DATA_new())) return PKCS12_ERROR;
@@ -148,7 +154,10 @@ int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
 			PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
 			return 0;
 		}
-		ASN1_INTEGER_set(p12->mac->iter, iter);
+		if (!ASN1_INTEGER_set(p12->mac->iter, iter)) {
+			PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
 	}
 	if (!saltlen) saltlen = PKCS12_SALT_LEN;
 	p12->mac->salt->length = saltlen;
diff --git a/crypto/openssl/crypto/pkcs12/p12_npas.c b/crypto/openssl/crypto/pkcs12/p12_npas.c
index af708a27436e..48eacc5c49c4 100644
--- a/crypto/openssl/crypto/pkcs12/p12_npas.c
+++ b/crypto/openssl/crypto/pkcs12/p12_npas.c
@@ -77,28 +77,26 @@ static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen);
 
 int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass)
 {
+	/* Check for NULL PKCS12 structure */
 
-/* Check for NULL PKCS12 structure */
-
-if(!p12) {
-	PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
-	return 0;
-}
-
-/* Check the mac */
-
-if (!PKCS12_verify_mac(p12, oldpass, -1)) {
-	PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_MAC_VERIFY_FAILURE);
-	return 0;
-}
+	if(!p12) {
+		PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
+		return 0;
+	}
 
-if (!newpass_p12(p12, oldpass, newpass)) {
-	PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_PARSE_ERROR);
-	return 0;
-}
+	/* Check the mac */
+	
+	if (!PKCS12_verify_mac(p12, oldpass, -1)) {
+		PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_MAC_VERIFY_FAILURE);
+		return 0;
+	}
 
-return 1;
+	if (!newpass_p12(p12, oldpass, newpass)) {
+		PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_PARSE_ERROR);
+		return 0;
+	}
 
+	return 1;
 }
 
 /* Parse the outer PKCS#12 structure */
@@ -206,7 +204,8 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass)
 static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen)
 {
         PBEPARAM *pbe;
-        unsigned char *p;
+        const unsigned char *p;
+
         p = alg->parameter->value.sequence->data;
         pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
         *pnid = OBJ_obj2nid(alg->algorithm);
diff --git a/crypto/openssl/crypto/pkcs12/pk12err.c b/crypto/openssl/crypto/pkcs12/pk12err.c
index 10ab80502c1b..5c92cb08e0c7 100644
--- a/crypto/openssl/crypto/pkcs12/pk12err.c
+++ b/crypto/openssl/crypto/pkcs12/pk12err.c
@@ -1,6 +1,6 @@
 /* crypto/pkcs12/pk12err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,60 +64,68 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS12,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS12,0,reason)
+
 static ERR_STRING_DATA PKCS12_str_functs[]=
 	{
-{ERR_PACK(0,PKCS12_F_PARSE_BAGS,0),	"PARSE_BAGS"},
-{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME,0),	"PKCS12_ADD_FRIENDLYNAME"},
-{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,0),	"PKCS12_add_friendlyname_asc"},
-{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,0),	"PKCS12_add_friendlyname_uni"},
-{ERR_PACK(0,PKCS12_F_PKCS12_ADD_LOCALKEYID,0),	"PKCS12_add_localkeyid"},
-{ERR_PACK(0,PKCS12_F_PKCS12_CREATE,0),	"PKCS12_create"},
-{ERR_PACK(0,PKCS12_F_PKCS12_DECRYPT_D2I,0),	"PKCS12_decrypt_d2i"},
-{ERR_PACK(0,PKCS12_F_PKCS12_GEN_MAC,0),	"PKCS12_gen_mac"},
-{ERR_PACK(0,PKCS12_F_PKCS12_I2D_ENCRYPT,0),	"PKCS12_i2d_encrypt"},
-{ERR_PACK(0,PKCS12_F_PKCS12_INIT,0),	"PKCS12_init"},
-{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_ASC,0),	"PKCS12_key_gen_asc"},
-{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_UNI,0),	"PKCS12_key_gen_uni"},
-{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_KEYBAG,0),	"PKCS12_MAKE_KEYBAG"},
-{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_SHKEYBAG,0),	"PKCS12_MAKE_SHKEYBAG"},
-{ERR_PACK(0,PKCS12_F_PKCS12_NEWPASS,0),	"PKCS12_newpass"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7DATA,0),	"PKCS12_pack_p7data"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7ENCDATA,0),	"PKCS12_pack_p7encdata"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PACK_SAFEBAG,0),	"PKCS12_pack_safebag"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PARSE,0),	"PKCS12_parse"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PBE_CRYPT,0),	"PKCS12_pbe_crypt"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PBE_KEYIVGEN,0),	"PKCS12_PBE_keyivgen"},
-{ERR_PACK(0,PKCS12_F_PKCS12_SETUP_MAC,0),	"PKCS12_setup_mac"},
-{ERR_PACK(0,PKCS12_F_PKCS12_SET_MAC,0),	"PKCS12_set_mac"},
-{ERR_PACK(0,PKCS12_F_PKCS8_ADD_KEYUSAGE,0),	"PKCS8_add_keyusage"},
-{ERR_PACK(0,PKCS12_F_PKCS8_ENCRYPT,0),	"PKCS8_encrypt"},
-{ERR_PACK(0,PKCS12_F_VERIFY_MAC,0),	"VERIFY_MAC"},
+{ERR_FUNC(PKCS12_F_PARSE_BAG),	"PARSE_BAG"},
+{ERR_FUNC(PKCS12_F_PARSE_BAGS),	"PARSE_BAGS"},
+{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME),	"PKCS12_ADD_FRIENDLYNAME"},
+{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC),	"PKCS12_add_friendlyname_asc"},
+{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI),	"PKCS12_add_friendlyname_uni"},
+{ERR_FUNC(PKCS12_F_PKCS12_ADD_LOCALKEYID),	"PKCS12_add_localkeyid"},
+{ERR_FUNC(PKCS12_F_PKCS12_CREATE),	"PKCS12_create"},
+{ERR_FUNC(PKCS12_F_PKCS12_GEN_MAC),	"PKCS12_gen_mac"},
+{ERR_FUNC(PKCS12_F_PKCS12_INIT),	"PKCS12_init"},
+{ERR_FUNC(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I),	"PKCS12_item_decrypt_d2i"},
+{ERR_FUNC(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT),	"PKCS12_item_i2d_encrypt"},
+{ERR_FUNC(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG),	"PKCS12_item_pack_safebag"},
+{ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_ASC),	"PKCS12_key_gen_asc"},
+{ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_UNI),	"PKCS12_key_gen_uni"},
+{ERR_FUNC(PKCS12_F_PKCS12_MAKE_KEYBAG),	"PKCS12_MAKE_KEYBAG"},
+{ERR_FUNC(PKCS12_F_PKCS12_MAKE_SHKEYBAG),	"PKCS12_MAKE_SHKEYBAG"},
+{ERR_FUNC(PKCS12_F_PKCS12_NEWPASS),	"PKCS12_newpass"},
+{ERR_FUNC(PKCS12_F_PKCS12_PACK_P7DATA),	"PKCS12_pack_p7data"},
+{ERR_FUNC(PKCS12_F_PKCS12_PACK_P7ENCDATA),	"PKCS12_pack_p7encdata"},
+{ERR_FUNC(PKCS12_F_PKCS12_PARSE),	"PKCS12_parse"},
+{ERR_FUNC(PKCS12_F_PKCS12_PBE_CRYPT),	"PKCS12_pbe_crypt"},
+{ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN),	"PKCS12_PBE_keyivgen"},
+{ERR_FUNC(PKCS12_F_PKCS12_SETUP_MAC),	"PKCS12_setup_mac"},
+{ERR_FUNC(PKCS12_F_PKCS12_SET_MAC),	"PKCS12_set_mac"},
+{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_AUTHSAFES),	"PKCS12_unpack_authsafes"},
+{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_P7DATA),	"PKCS12_unpack_p7data"},
+{ERR_FUNC(PKCS12_F_PKCS12_VERIFY_MAC),	"PKCS12_verify_mac"},
+{ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE),	"PKCS8_add_keyusage"},
+{ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT),	"PKCS8_encrypt"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA PKCS12_str_reasons[]=
 	{
-{PKCS12_R_CANT_PACK_STRUCTURE            ,"cant pack structure"},
-{PKCS12_R_DECODE_ERROR                   ,"decode error"},
-{PKCS12_R_ENCODE_ERROR                   ,"encode error"},
-{PKCS12_R_ENCRYPT_ERROR                  ,"encrypt error"},
-{PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE,"error setting encrypted data type"},
-{PKCS12_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
-{PKCS12_R_INVALID_NULL_PKCS12_POINTER    ,"invalid null pkcs12 pointer"},
-{PKCS12_R_IV_GEN_ERROR                   ,"iv gen error"},
-{PKCS12_R_KEY_GEN_ERROR                  ,"key gen error"},
-{PKCS12_R_MAC_ABSENT                     ,"mac absent"},
-{PKCS12_R_MAC_GENERATION_ERROR           ,"mac generation error"},
-{PKCS12_R_MAC_SETUP_ERROR                ,"mac setup error"},
-{PKCS12_R_MAC_STRING_SET_ERROR           ,"mac string set error"},
-{PKCS12_R_MAC_VERIFY_ERROR               ,"mac verify error"},
-{PKCS12_R_MAC_VERIFY_FAILURE             ,"mac verify failure"},
-{PKCS12_R_PARSE_ERROR                    ,"parse error"},
-{PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR  ,"pkcs12 algor cipherinit error"},
-{PKCS12_R_PKCS12_CIPHERFINAL_ERROR       ,"pkcs12 cipherfinal error"},
-{PKCS12_R_PKCS12_PBE_CRYPT_ERROR         ,"pkcs12 pbe crypt error"},
-{PKCS12_R_UNKNOWN_DIGEST_ALGORITHM       ,"unknown digest algorithm"},
-{PKCS12_R_UNSUPPORTED_PKCS12_MODE        ,"unsupported pkcs12 mode"},
+{ERR_REASON(PKCS12_R_CANT_PACK_STRUCTURE),"cant pack structure"},
+{ERR_REASON(PKCS12_R_CONTENT_TYPE_NOT_DATA),"content type not data"},
+{ERR_REASON(PKCS12_R_DECODE_ERROR)       ,"decode error"},
+{ERR_REASON(PKCS12_R_ENCODE_ERROR)       ,"encode error"},
+{ERR_REASON(PKCS12_R_ENCRYPT_ERROR)      ,"encrypt error"},
+{ERR_REASON(PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE),"error setting encrypted data type"},
+{ERR_REASON(PKCS12_R_INVALID_NULL_ARGUMENT),"invalid null argument"},
+{ERR_REASON(PKCS12_R_INVALID_NULL_PKCS12_POINTER),"invalid null pkcs12 pointer"},
+{ERR_REASON(PKCS12_R_IV_GEN_ERROR)       ,"iv gen error"},
+{ERR_REASON(PKCS12_R_KEY_GEN_ERROR)      ,"key gen error"},
+{ERR_REASON(PKCS12_R_MAC_ABSENT)         ,"mac absent"},
+{ERR_REASON(PKCS12_R_MAC_GENERATION_ERROR),"mac generation error"},
+{ERR_REASON(PKCS12_R_MAC_SETUP_ERROR)    ,"mac setup error"},
+{ERR_REASON(PKCS12_R_MAC_STRING_SET_ERROR),"mac string set error"},
+{ERR_REASON(PKCS12_R_MAC_VERIFY_ERROR)   ,"mac verify error"},
+{ERR_REASON(PKCS12_R_MAC_VERIFY_FAILURE) ,"mac verify failure"},
+{ERR_REASON(PKCS12_R_PARSE_ERROR)        ,"parse error"},
+{ERR_REASON(PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR),"pkcs12 algor cipherinit error"},
+{ERR_REASON(PKCS12_R_PKCS12_CIPHERFINAL_ERROR),"pkcs12 cipherfinal error"},
+{ERR_REASON(PKCS12_R_PKCS12_PBE_CRYPT_ERROR),"pkcs12 pbe crypt error"},
+{ERR_REASON(PKCS12_R_UNKNOWN_DIGEST_ALGORITHM),"unknown digest algorithm"},
+{ERR_REASON(PKCS12_R_UNSUPPORTED_PKCS12_MODE),"unsupported pkcs12 mode"},
 {0,NULL}
 	};
 
@@ -131,8 +139,8 @@ void ERR_load_PKCS12_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_functs);
-		ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_reasons);
+		ERR_load_strings(0,PKCS12_str_functs);
+		ERR_load_strings(0,PKCS12_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/pkcs12/pkcs12.h b/crypto/openssl/crypto/pkcs12/pkcs12.h
index dd338f266cc4..a2d7e359a0fd 100644
--- a/crypto/openssl/crypto/pkcs12/pkcs12.h
+++ b/crypto/openssl/crypto/pkcs12/pkcs12.h
@@ -249,6 +249,15 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 			 STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter,
 						 int mac_iter, int keytype);
+
+PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert);
+PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key,
+						int key_usage, int iter,
+						int key_nid, char *pass);
+int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
+					int safe_nid, int iter, char *pass);
+PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int p7_nid);
+
 int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12);
 int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12);
 PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12);
@@ -264,16 +273,18 @@ void ERR_load_PKCS12_strings(void);
 /* Error codes for the PKCS12 functions. */
 
 /* Function codes. */
+#define PKCS12_F_PARSE_BAG				 129
 #define PKCS12_F_PARSE_BAGS				 103
 #define PKCS12_F_PKCS12_ADD_FRIENDLYNAME		 100
 #define PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC		 127
 #define PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI		 102
 #define PKCS12_F_PKCS12_ADD_LOCALKEYID			 104
 #define PKCS12_F_PKCS12_CREATE				 105
-#define PKCS12_F_PKCS12_DECRYPT_D2I			 106
 #define PKCS12_F_PKCS12_GEN_MAC				 107
-#define PKCS12_F_PKCS12_I2D_ENCRYPT			 108
 #define PKCS12_F_PKCS12_INIT				 109
+#define PKCS12_F_PKCS12_ITEM_DECRYPT_D2I		 106
+#define PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT		 108
+#define PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG		 117
 #define PKCS12_F_PKCS12_KEY_GEN_ASC			 110
 #define PKCS12_F_PKCS12_KEY_GEN_UNI			 111
 #define PKCS12_F_PKCS12_MAKE_KEYBAG			 112
@@ -281,18 +292,20 @@ void ERR_load_PKCS12_strings(void);
 #define PKCS12_F_PKCS12_NEWPASS				 128
 #define PKCS12_F_PKCS12_PACK_P7DATA			 114
 #define PKCS12_F_PKCS12_PACK_P7ENCDATA			 115
-#define PKCS12_F_PKCS12_PACK_SAFEBAG			 117
 #define PKCS12_F_PKCS12_PARSE				 118
 #define PKCS12_F_PKCS12_PBE_CRYPT			 119
 #define PKCS12_F_PKCS12_PBE_KEYIVGEN			 120
 #define PKCS12_F_PKCS12_SETUP_MAC			 122
 #define PKCS12_F_PKCS12_SET_MAC				 123
+#define PKCS12_F_PKCS12_UNPACK_AUTHSAFES		 130
+#define PKCS12_F_PKCS12_UNPACK_P7DATA			 131
+#define PKCS12_F_PKCS12_VERIFY_MAC			 126
 #define PKCS12_F_PKCS8_ADD_KEYUSAGE			 124
 #define PKCS12_F_PKCS8_ENCRYPT				 125
-#define PKCS12_F_VERIFY_MAC				 126
 
 /* Reason codes. */
 #define PKCS12_R_CANT_PACK_STRUCTURE			 100
+#define PKCS12_R_CONTENT_TYPE_NOT_DATA			 121
 #define PKCS12_R_DECODE_ERROR				 101
 #define PKCS12_R_ENCODE_ERROR				 102
 #define PKCS12_R_ENCRYPT_ERROR				 103
diff --git a/crypto/openssl/crypto/pkcs7/Makefile b/crypto/openssl/crypto/pkcs7/Makefile
index 7eda4e8a6ac2..3f7e88b40faa 100644
--- a/crypto/openssl/crypto/pkcs7/Makefile
+++ b/crypto/openssl/crypto/pkcs7/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/pkcs7/Makefile
+# OpenSSL/crypto/pkcs7/Makefile
 #
 
 DIR=	pkcs7
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -72,7 +67,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -87,6 +83,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -98,143 +95,92 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-pk7_asn1.o: ../../e_os.h ../../include/openssl/aes.h
-pk7_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-pk7_asn1.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-pk7_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-pk7_asn1.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-pk7_asn1.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-pk7_asn1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pk7_asn1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-pk7_asn1.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-pk7_asn1.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-pk7_asn1.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-pk7_asn1.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+pk7_asn1.o: ../../e_os.h ../../include/openssl/asn1.h
+pk7_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+pk7_asn1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+pk7_asn1.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pk7_asn1.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pk7_asn1.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_asn1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 pk7_asn1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 pk7_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-pk7_asn1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-pk7_asn1.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pk7_asn1.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pk7_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pk7_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pk7_asn1.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-pk7_asn1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pk7_asn1.o: ../cryptlib.h pk7_asn1.c
-pk7_attr.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-pk7_attr.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-pk7_attr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-pk7_attr.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-pk7_attr.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-pk7_attr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pk7_attr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-pk7_attr.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-pk7_attr.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-pk7_attr.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-pk7_attr.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+pk7_asn1.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pk7_asn1.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_asn1.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pk7_asn1.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pk7_asn1.c
+pk7_attr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_attr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+pk7_attr.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pk7_attr.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pk7_attr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_attr.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 pk7_attr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 pk7_attr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 pk7_attr.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-pk7_attr.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-pk7_attr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pk7_attr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pk7_attr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pk7_attr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pk7_attr.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-pk7_attr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pk7_attr.o: pk7_attr.c
-pk7_doit.o: ../../e_os.h ../../include/openssl/aes.h
-pk7_doit.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pk7_doit.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pk7_doit.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_attr.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pk7_attr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_attr.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pk7_attr.o: ../../include/openssl/x509_vfy.h pk7_attr.c
+pk7_doit.o: ../../e_os.h ../../include/openssl/asn1.h
+pk7_doit.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 pk7_doit.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-pk7_doit.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-pk7_doit.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pk7_doit.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-pk7_doit.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-pk7_doit.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-pk7_doit.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-pk7_doit.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+pk7_doit.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pk7_doit.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pk7_doit.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_doit.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 pk7_doit.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 pk7_doit.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 pk7_doit.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-pk7_doit.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pk7_doit.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-pk7_doit.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-pk7_doit.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pk7_doit.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-pk7_doit.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-pk7_doit.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-pk7_doit.o: ../cryptlib.h pk7_doit.c
-pk7_lib.o: ../../e_os.h ../../include/openssl/aes.h
-pk7_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pk7_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pk7_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pk7_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pk7_lib.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-pk7_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-pk7_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pk7_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pk7_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pk7_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_doit.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk7_doit.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pk7_doit.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_doit.o: ../../include/openssl/x509v3.h ../cryptlib.h pk7_doit.c
+pk7_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+pk7_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pk7_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+pk7_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+pk7_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+pk7_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pk7_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pk7_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 pk7_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-pk7_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pk7_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-pk7_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-pk7_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pk7_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-pk7_lib.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-pk7_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pk7_lib.c
-pk7_mime.o: ../../e_os.h ../../include/openssl/aes.h
-pk7_mime.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pk7_mime.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pk7_mime.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pk7_mime.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pk7_mime.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-pk7_mime.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-pk7_mime.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pk7_mime.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pk7_mime.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pk7_mime.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk7_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pk7_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_lib.o: ../cryptlib.h pk7_lib.c
+pk7_mime.o: ../../e_os.h ../../include/openssl/asn1.h
+pk7_mime.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pk7_mime.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+pk7_mime.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+pk7_mime.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+pk7_mime.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pk7_mime.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pk7_mime.o: ../../include/openssl/opensslconf.h
 pk7_mime.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 pk7_mime.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-pk7_mime.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pk7_mime.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-pk7_mime.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-pk7_mime.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pk7_mime.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-pk7_mime.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-pk7_mime.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pk7_mime.c
-pk7_smime.o: ../../e_os.h ../../include/openssl/aes.h
-pk7_smime.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pk7_smime.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pk7_smime.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_mime.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk7_mime.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pk7_mime.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_mime.o: ../cryptlib.h pk7_mime.c
+pk7_smime.o: ../../e_os.h ../../include/openssl/asn1.h
+pk7_smime.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 pk7_smime.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-pk7_smime.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-pk7_smime.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pk7_smime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-pk7_smime.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-pk7_smime.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-pk7_smime.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-pk7_smime.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+pk7_smime.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pk7_smime.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pk7_smime.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_smime.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 pk7_smime.o: ../../include/openssl/objects.h
 pk7_smime.o: ../../include/openssl/opensslconf.h
 pk7_smime.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-pk7_smime.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-pk7_smime.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pk7_smime.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pk7_smime.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pk7_smime.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pk7_smime.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-pk7_smime.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pk7_smime.o: ../../include/openssl/x509v3.h ../cryptlib.h pk7_smime.c
+pk7_smime.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pk7_smime.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_smime.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pk7_smime.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pk7_smime.o: ../cryptlib.h pk7_smime.c
 pkcs7err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pkcs7err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-pkcs7err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-pkcs7err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+pkcs7err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+pkcs7err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+pkcs7err.o: ../../include/openssl/opensslconf.h
 pkcs7err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 pkcs7err.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 pkcs7err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
diff --git a/crypto/openssl/crypto/pkcs7/bio_ber.c b/crypto/openssl/crypto/pkcs7/bio_ber.c
index 895a91177be8..31973fcd1fc5 100644
--- a/crypto/openssl/crypto/pkcs7/bio_ber.c
+++ b/crypto/openssl/crypto/pkcs7/bio_ber.c
@@ -204,7 +204,7 @@ int bio_ber_get_header(BIO *bio, BIO_BER_CTX *ctx)
 		if ((ctx->buf_len < BER_BUF_SIZE) &&
 			(ERR_GET_REASON(ERR_peek_error()) == ASN1_R_TOO_LONG))
 			{
-			ERR_get_error(); /* clear the error */
+			ERR_clear_error(); /* clear the error */
 			BIO_set_retry_read(b);
 			}
 		return(-1);
diff --git a/crypto/openssl/crypto/pkcs7/example.c b/crypto/openssl/crypto/pkcs7/example.c
index c993947cc378..2953d04b5c90 100644
--- a/crypto/openssl/crypto/pkcs7/example.c
+++ b/crypto/openssl/crypto/pkcs7/example.c
@@ -123,7 +123,7 @@ int get_signed_seq2string(PKCS7_SIGNER_INFO *si, char **str1, char **str2)
 	so=PKCS7_get_signed_attribute(si,signed_seq2string_nid);
 	if (so && (so->type == V_ASN1_SEQUENCE))
 		{
-		ASN1_CTX c;
+		ASN1_const_CTX c;
 		ASN1_STRING *s;
 		long length;
 		ASN1_OCTET_STRING *os1,*os2;
@@ -144,7 +144,7 @@ int get_signed_seq2string(PKCS7_SIGNER_INFO *si, char **str1, char **str2)
 			goto err;
 		c.slen-=(c.p-c.q);
 
-		if (!asn1_Finish(&c)) goto err;
+		if (!asn1_const_Finish(&c)) goto err;
 		*str1=malloc(os1->length+1);
 		*str2=malloc(os2->length+1);
 		memcpy(*str1,os1->data,os1->length);
@@ -290,7 +290,7 @@ int sk_get_seq2string(STACK_OF(X509_ATTRIBUTE) *sk, char **str1, char **str2)
 	so=PKCS7_get_signed_attribute(&si,signed_seq2string_nid);
 	if (so->type == V_ASN1_SEQUENCE)
 		{
-		ASN1_CTX c;
+		ASN1_const_CTX c;
 		ASN1_STRING *s;
 		long length;
 		ASN1_OCTET_STRING *os1,*os2;
@@ -311,7 +311,7 @@ int sk_get_seq2string(STACK_OF(X509_ATTRIBUTE) *sk, char **str1, char **str2)
 			goto err;
 		c.slen-=(c.p-c.q);
 
-		if (!asn1_Finish(&c)) goto err;
+		if (!asn1_const_Finish(&c)) goto err;
 		*str1=malloc(os1->length+1);
 		*str2=malloc(os2->length+1);
 		memcpy(*str1,os1->data,os1->length);
diff --git a/crypto/openssl/crypto/pkcs7/pk7_asn1.c b/crypto/openssl/crypto/pkcs7/pk7_asn1.c
index 46f0fc9375ba..77931feeb417 100644
--- a/crypto/openssl/crypto/pkcs7/pk7_asn1.c
+++ b/crypto/openssl/crypto/pkcs7/pk7_asn1.c
@@ -69,30 +69,31 @@
 ASN1_ADB_TEMPLATE(p7default) = ASN1_EXP_OPT(PKCS7, d.other, ASN1_ANY, 0);
 
 ASN1_ADB(PKCS7) = {
-	ADB_ENTRY(NID_pkcs7_data, ASN1_EXP_OPT(PKCS7, d.data, ASN1_OCTET_STRING, 0)),
-	ADB_ENTRY(NID_pkcs7_signed, ASN1_EXP_OPT(PKCS7, d.sign, PKCS7_SIGNED, 0)),
-	ADB_ENTRY(NID_pkcs7_enveloped, ASN1_EXP_OPT(PKCS7, d.enveloped, PKCS7_ENVELOPE, 0)),
-	ADB_ENTRY(NID_pkcs7_signedAndEnveloped, ASN1_EXP_OPT(PKCS7, d.signed_and_enveloped, PKCS7_SIGN_ENVELOPE, 0)),
-	ADB_ENTRY(NID_pkcs7_digest, ASN1_EXP_OPT(PKCS7, d.digest, PKCS7_DIGEST, 0)),
-	ADB_ENTRY(NID_pkcs7_encrypted, ASN1_EXP_OPT(PKCS7, d.encrypted, PKCS7_ENCRYPT, 0))
+	ADB_ENTRY(NID_pkcs7_data, ASN1_NDEF_EXP_OPT(PKCS7, d.data, ASN1_OCTET_STRING_NDEF, 0)),
+	ADB_ENTRY(NID_pkcs7_signed, ASN1_NDEF_EXP_OPT(PKCS7, d.sign, PKCS7_SIGNED, 0)),
+	ADB_ENTRY(NID_pkcs7_enveloped, ASN1_NDEF_EXP_OPT(PKCS7, d.enveloped, PKCS7_ENVELOPE, 0)),
+	ADB_ENTRY(NID_pkcs7_signedAndEnveloped, ASN1_NDEF_EXP_OPT(PKCS7, d.signed_and_enveloped, PKCS7_SIGN_ENVELOPE, 0)),
+	ADB_ENTRY(NID_pkcs7_digest, ASN1_NDEF_EXP_OPT(PKCS7, d.digest, PKCS7_DIGEST, 0)),
+	ADB_ENTRY(NID_pkcs7_encrypted, ASN1_NDEF_EXP_OPT(PKCS7, d.encrypted, PKCS7_ENCRYPT, 0))
 } ASN1_ADB_END(PKCS7, 0, type, 0, &p7default_tt, NULL);
 
-ASN1_SEQUENCE(PKCS7) = {
+ASN1_NDEF_SEQUENCE(PKCS7) = {
 	ASN1_SIMPLE(PKCS7, type, ASN1_OBJECT),
 	ASN1_ADB_OBJECT(PKCS7)
-}ASN1_SEQUENCE_END(PKCS7)
+}ASN1_NDEF_SEQUENCE_END(PKCS7)
 
 IMPLEMENT_ASN1_FUNCTIONS(PKCS7)
+IMPLEMENT_ASN1_NDEF_FUNCTION(PKCS7)
 IMPLEMENT_ASN1_DUP_FUNCTION(PKCS7)
 
-ASN1_SEQUENCE(PKCS7_SIGNED) = {
+ASN1_NDEF_SEQUENCE(PKCS7_SIGNED) = {
 	ASN1_SIMPLE(PKCS7_SIGNED, version, ASN1_INTEGER),
 	ASN1_SET_OF(PKCS7_SIGNED, md_algs, X509_ALGOR),
 	ASN1_SIMPLE(PKCS7_SIGNED, contents, PKCS7),
 	ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNED, cert, X509, 0),
 	ASN1_IMP_SET_OF_OPT(PKCS7_SIGNED, crl, X509_CRL, 1),
 	ASN1_SET_OF(PKCS7_SIGNED, signer_info, PKCS7_SIGNER_INFO)
-} ASN1_SEQUENCE_END(PKCS7_SIGNED)
+} ASN1_NDEF_SEQUENCE_END(PKCS7_SIGNED)
 
 IMPLEMENT_ASN1_FUNCTIONS(PKCS7_SIGNED)
 
@@ -130,11 +131,11 @@ ASN1_SEQUENCE(PKCS7_ISSUER_AND_SERIAL) = {
 
 IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SERIAL)
 
-ASN1_SEQUENCE(PKCS7_ENVELOPE) = {
+ASN1_NDEF_SEQUENCE(PKCS7_ENVELOPE) = {
 	ASN1_SIMPLE(PKCS7_ENVELOPE, version, ASN1_INTEGER),
 	ASN1_SET_OF(PKCS7_ENVELOPE, recipientinfo, PKCS7_RECIP_INFO),
 	ASN1_SIMPLE(PKCS7_ENVELOPE, enc_data, PKCS7_ENC_CONTENT)
-} ASN1_SEQUENCE_END(PKCS7_ENVELOPE)
+} ASN1_NDEF_SEQUENCE_END(PKCS7_ENVELOPE)
 
 IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENVELOPE)
 
@@ -157,15 +158,15 @@ ASN1_SEQUENCE_cb(PKCS7_RECIP_INFO, ri_cb) = {
 
 IMPLEMENT_ASN1_FUNCTIONS(PKCS7_RECIP_INFO)
 
-ASN1_SEQUENCE(PKCS7_ENC_CONTENT) = {
+ASN1_NDEF_SEQUENCE(PKCS7_ENC_CONTENT) = {
 	ASN1_SIMPLE(PKCS7_ENC_CONTENT, content_type, ASN1_OBJECT),
 	ASN1_SIMPLE(PKCS7_ENC_CONTENT, algorithm, X509_ALGOR),
 	ASN1_IMP_OPT(PKCS7_ENC_CONTENT, enc_data, ASN1_OCTET_STRING, 0)
-} ASN1_SEQUENCE_END(PKCS7_ENC_CONTENT)
+} ASN1_NDEF_SEQUENCE_END(PKCS7_ENC_CONTENT)
 
 IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENC_CONTENT)
 
-ASN1_SEQUENCE(PKCS7_SIGN_ENVELOPE) = {
+ASN1_NDEF_SEQUENCE(PKCS7_SIGN_ENVELOPE) = {
 	ASN1_SIMPLE(PKCS7_SIGN_ENVELOPE, version, ASN1_INTEGER),
 	ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, recipientinfo, PKCS7_RECIP_INFO),
 	ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, md_algs, X509_ALGOR),
@@ -173,23 +174,23 @@ ASN1_SEQUENCE(PKCS7_SIGN_ENVELOPE) = {
 	ASN1_IMP_SET_OF_OPT(PKCS7_SIGN_ENVELOPE, cert, X509, 0),
 	ASN1_IMP_SET_OF_OPT(PKCS7_SIGN_ENVELOPE, crl, X509_CRL, 1),
 	ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, signer_info, PKCS7_SIGNER_INFO)
-} ASN1_SEQUENCE_END(PKCS7_SIGN_ENVELOPE)
+} ASN1_NDEF_SEQUENCE_END(PKCS7_SIGN_ENVELOPE)
 
 IMPLEMENT_ASN1_FUNCTIONS(PKCS7_SIGN_ENVELOPE)
 
-ASN1_SEQUENCE(PKCS7_ENCRYPT) = {
+ASN1_NDEF_SEQUENCE(PKCS7_ENCRYPT) = {
 	ASN1_SIMPLE(PKCS7_ENCRYPT, version, ASN1_INTEGER),
 	ASN1_SIMPLE(PKCS7_ENCRYPT, enc_data, PKCS7_ENC_CONTENT)
-} ASN1_SEQUENCE_END(PKCS7_ENCRYPT)
+} ASN1_NDEF_SEQUENCE_END(PKCS7_ENCRYPT)
 
 IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENCRYPT)
 
-ASN1_SEQUENCE(PKCS7_DIGEST) = {
+ASN1_NDEF_SEQUENCE(PKCS7_DIGEST) = {
 	ASN1_SIMPLE(PKCS7_DIGEST, version, ASN1_INTEGER),
 	ASN1_SIMPLE(PKCS7_DIGEST, md, X509_ALGOR),
 	ASN1_SIMPLE(PKCS7_DIGEST, contents, PKCS7),
 	ASN1_SIMPLE(PKCS7_DIGEST, digest, ASN1_OCTET_STRING)
-} ASN1_SEQUENCE_END(PKCS7_DIGEST)
+} ASN1_NDEF_SEQUENCE_END(PKCS7_DIGEST)
 
 IMPLEMENT_ASN1_FUNCTIONS(PKCS7_DIGEST)
 
diff --git a/crypto/openssl/crypto/pkcs7/pk7_attr.c b/crypto/openssl/crypto/pkcs7/pk7_attr.c
index 039141027a6f..735c8800e102 100644
--- a/crypto/openssl/crypto/pkcs7/pk7_attr.c
+++ b/crypto/openssl/crypto/pkcs7/pk7_attr.c
@@ -96,7 +96,8 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap)
 STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
 	{
 	ASN1_TYPE *cap;
-	unsigned char *p;
+	const unsigned char *p;
+
 	cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
 	if (!cap || (cap->type != V_ASN1_SEQUENCE))
 		return NULL;
diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c
index b78e22819cd8..a4bbba0556c6 100644
--- a/crypto/openssl/crypto/pkcs7/pk7_doit.c
+++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c
@@ -62,6 +62,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include <openssl/err.h>
 
 static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
 			 void *value);
@@ -101,18 +102,54 @@ static ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7)
 	return NULL;
 	}
 
+static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg)
+	{
+	BIO *btmp;
+	const EVP_MD *md;
+	if ((btmp=BIO_new(BIO_f_md())) == NULL)
+		{
+		PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST,ERR_R_BIO_LIB);
+		goto err;
+		}
+
+	md=EVP_get_digestbyobj(alg->algorithm);
+	if (md == NULL)
+		{
+		PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST,PKCS7_R_UNKNOWN_DIGEST_TYPE);
+		goto err;
+		}
+
+	BIO_set_md(btmp,md);
+	if (*pbio == NULL)
+		*pbio=btmp;
+	else if (!BIO_push(*pbio,btmp))
+		{
+		PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST,ERR_R_BIO_LIB);
+		goto err;
+		}
+	btmp=NULL;
+
+	return 1;
+
+	err:
+	if (btmp)
+		BIO_free(btmp);
+	return 0;
+
+	}
+
 BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
 	{
 	int i;
 	BIO *out=NULL,*btmp=NULL;
-	X509_ALGOR *xa;
-	const EVP_MD *evp_md;
+	X509_ALGOR *xa = NULL;
 	const EVP_CIPHER *evp_cipher=NULL;
 	STACK_OF(X509_ALGOR) *md_sk=NULL;
 	STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
 	X509_ALGOR *xalg=NULL;
 	PKCS7_RECIP_INFO *ri=NULL;
 	EVP_PKEY *pkey;
+	ASN1_OCTET_STRING *os=NULL;
 
 	i=OBJ_obj2nid(p7->type);
 	p7->state=PKCS7_S_HEADER;
@@ -121,6 +158,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
 		{
 	case NID_pkcs7_signed:
 		md_sk=p7->d.sign->md_algs;
+		os = PKCS7_get_octet_string(p7->d.sign->contents);
 		break;
 	case NID_pkcs7_signedAndEnveloped:
 		rsk=p7->d.signed_and_enveloped->recipientinfo;
@@ -145,37 +183,21 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
 			goto err;
 			}
 		break;
+	case NID_pkcs7_digest:
+		xa = p7->d.digest->md;
+		os = PKCS7_get_octet_string(p7->d.digest->contents);
+		break;
 	default:
 		PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
 	        goto err;
 		}
 
-	if (md_sk != NULL)
-		{
-		for (i=0; i<sk_X509_ALGOR_num(md_sk); i++)
-			{
-			xa=sk_X509_ALGOR_value(md_sk,i);
-			if ((btmp=BIO_new(BIO_f_md())) == NULL)
-				{
-				PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB);
-				goto err;
-				}
-
-			evp_md=EVP_get_digestbyobj(xa->algorithm);
-			if (evp_md == NULL)
-				{
-				PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNKNOWN_DIGEST_TYPE);
-				goto err;
-				}
+	for (i=0; i<sk_X509_ALGOR_num(md_sk); i++)
+		if (!PKCS7_bio_add_digest(&out, sk_X509_ALGOR_value(md_sk, i)))
+			goto err;
 
-			BIO_set_md(btmp,evp_md);
-			if (out == NULL)
-				out=btmp;
-			else
-				BIO_push(out,btmp);
-			btmp=NULL;
-			}
-		}
+	if (xa && !PKCS7_bio_add_digest(&out, xa))
+			goto err;
 
 	if (evp_cipher != NULL)
 		{
@@ -194,11 +216,14 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
 		BIO_get_cipher_ctx(btmp, &ctx);
 		keylen=EVP_CIPHER_key_length(evp_cipher);
 		ivlen=EVP_CIPHER_iv_length(evp_cipher);
-		if (RAND_bytes(key,keylen) <= 0)
-			goto err;
 		xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
 		if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen);
-		EVP_CipherInit_ex(ctx, evp_cipher, NULL, key, iv, 1);
+		if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1)<=0)
+			goto err;
+		if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
+			goto err;
+		if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1) <= 0)
+			goto err;
 
 		if (ivlen > 0) {
 			if (xalg->parameter == NULL) 
@@ -239,7 +264,13 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
 				OPENSSL_free(tmp);
 				goto err;
 				}
-			M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
+			if (!M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj))
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATAINIT,
+					ERR_R_MALLOC_FAILURE);
+				OPENSSL_free(tmp);
+				goto err;
+				}
 			}
 		OPENSSL_free(tmp);
 		OPENSSL_cleanse(key, keylen);
@@ -255,24 +286,14 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
 		{
 		if (PKCS7_is_detached(p7))
 			bio=BIO_new(BIO_s_null());
-		else
+		else if (os && os->length > 0)
+			bio = BIO_new_mem_buf(os->data, os->length);
+		if(bio == NULL)
 			{
-			if (PKCS7_type_is_signed(p7))
-				{
-				ASN1_OCTET_STRING *os;
-				os = PKCS7_get_octet_string(
-							p7->d.sign->contents);
-				if (os && os->length > 0)
-					bio = BIO_new_mem_buf(os->data,
-								os->length);
-				}
-			if(bio == NULL)
-				{
-				bio=BIO_new(BIO_s_mem());
-				BIO_set_mem_eof_return(bio,0);
-				}
+			bio=BIO_new(BIO_s_mem());
+			BIO_set_mem_eof_return(bio,0);
 			}
-	}
+		}
 	BIO_push(out,bio);
 	bio=NULL;
 	if (0)
@@ -287,6 +308,17 @@ err:
 	return(out);
 	}
 
+static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert)
+	{
+	int ret;
+	ret = X509_NAME_cmp(ri->issuer_and_serial->issuer,
+				pcert->cert_info->issuer);
+	if (ret)
+		return ret;
+	return M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber,
+					ri->issuer_and_serial->serial);
+	}
+
 /* int */
 BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 	{
@@ -397,18 +429,18 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 		 * (if any)
 		 */
 
-		for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) {
-			ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
-			if(!X509_NAME_cmp(ri->issuer_and_serial->issuer,
-					pcert->cert_info->issuer) &&
-			     !M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber,
-					ri->issuer_and_serial->serial)) break;
-			ri=NULL;
-		}
-		if (ri == NULL) {
-			PKCS7err(PKCS7_F_PKCS7_DATADECODE,
-				 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE);
-			goto err;
+		if (pcert) {
+			for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) {
+				ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
+				if (!pkcs7_cmp_ri(ri, pcert))
+					break;
+				ri=NULL;
+			}
+			if (ri == NULL) {
+				PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+				      PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE);
+				goto err;
+			}
 		}
 
 		jj=EVP_PKEY_size(pkey);
@@ -419,17 +451,46 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 			goto err;
 			}
 
-		jj=EVP_PKEY_decrypt(tmp, M_ASN1_STRING_data(ri->enc_key),
-			M_ASN1_STRING_length(ri->enc_key), pkey);
-		if (jj <= 0)
+		/* If we haven't got a certificate try each ri in turn */
+
+		if (pcert == NULL)
 			{
-			PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_EVP_LIB);
-			goto err;
+			for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
+				{
+				ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
+				jj=EVP_PKEY_decrypt(tmp,
+					M_ASN1_STRING_data(ri->enc_key),
+					M_ASN1_STRING_length(ri->enc_key),
+						pkey);
+				if (jj > 0)
+					break;
+				ERR_clear_error();
+				ri = NULL;
+				}
+			if (ri == NULL)
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+				      PKCS7_R_NO_RECIPIENT_MATCHES_KEY);
+				goto err;
+				}
+			}
+		else
+			{
+			jj=EVP_PKEY_decrypt(tmp,
+				M_ASN1_STRING_data(ri->enc_key),
+				M_ASN1_STRING_length(ri->enc_key), pkey);
+			if (jj <= 0)
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+								ERR_R_EVP_LIB);
+				goto err;
+				}
 			}
 
 		evp_ctx=NULL;
 		BIO_get_cipher_ctx(etmp,&evp_ctx);
-		EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0);
+		if (EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0) <= 0)
+			goto err;
 		if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)
 			goto err;
 
@@ -445,7 +506,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 				goto err;
 				}
 		} 
-		EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0);
+		if (EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0) <= 0)
+			goto err;
 
 		OPENSSL_cleanse(tmp,jj);
 
@@ -498,6 +560,29 @@ err:
 	return(out);
 	}
 
+static BIO *PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid)
+	{
+	for (;;)
+		{
+		bio=BIO_find_type(bio,BIO_TYPE_MD);
+		if (bio == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
+			return NULL;	
+			}
+		BIO_get_md_ctx(bio,pmd);
+		if (*pmd == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,ERR_R_INTERNAL_ERROR);
+			return NULL;
+			}	
+		if (EVP_MD_CTX_type(*pmd) == nid)
+			return bio;
+		bio=BIO_next(bio);
+		}
+	return NULL;
+	}
+
 int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 	{
 	int ret=0;
@@ -520,12 +605,20 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 	case NID_pkcs7_signedAndEnveloped:
 		/* XXXXXXXXXXXXXXXX */
 		si_sk=p7->d.signed_and_enveloped->signer_info;
-		os=M_ASN1_OCTET_STRING_new();
+		if (!(os=M_ASN1_OCTET_STRING_new()))
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
 		p7->d.signed_and_enveloped->enc_data->enc_data=os;
 		break;
 	case NID_pkcs7_enveloped:
 		/* XXXXXXXXXXXXXXXX */
-		os=M_ASN1_OCTET_STRING_new();
+		if (!(os=M_ASN1_OCTET_STRING_new()))
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
 		p7->d.enveloped->enc_data->enc_data=os;
 		break;
 	case NID_pkcs7_signed:
@@ -537,13 +630,24 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 			p7->d.sign->contents->d.data = NULL;
 		}
 		break;
+
+	case NID_pkcs7_digest:
+		os=PKCS7_get_octet_string(p7->d.digest->contents);
+		/* If detached data then the content is excluded */
+		if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
+			{
+			M_ASN1_OCTET_STRING_free(os);
+			p7->d.digest->contents->d.data = NULL;
+			}
+		break;
+
 		}
 
 	if (si_sk != NULL)
 		{
 		if ((buf=BUF_MEM_new()) == NULL)
 			{
-			PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB);
+			PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_BIO_LIB);
 			goto err;
 			}
 		for (i=0; i<sk_PKCS7_SIGNER_INFO_num(si_sk); i++)
@@ -554,32 +658,18 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 			j=OBJ_obj2nid(si->digest_alg->algorithm);
 
 			btmp=bio;
-			for (;;)
-				{
-				if ((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) 
-					== NULL)
-					{
-					PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
-					goto err;
-					}
-				BIO_get_md_ctx(btmp,&mdc);
-				if (mdc == NULL)
-					{
-					PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_INTERNAL_ERROR);
-					goto err;
-					}
-				if (EVP_MD_CTX_type(mdc) == j)
-					break;
-				else
-					btmp=BIO_next(btmp);
-				}
-			
+
+			btmp = PKCS7_find_digest(&mdc, btmp, j);
+
+			if (btmp == NULL)
+				goto err;
+
 			/* We now have the EVP_MD_CTX, lets do the
 			 * signing. */
 			EVP_MD_CTX_copy_ex(&ctx_tmp,mdc);
 			if (!BUF_MEM_grow_clean(buf,EVP_PKEY_size(si->pkey)))
 				{
-				PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB);
+				PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_BIO_LIB);
 				goto err;
 				}
 
@@ -599,7 +689,12 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 				if (!PKCS7_get_signed_attribute(si,
 							NID_pkcs9_signingTime))
 					{
-					sign_time=X509_gmtime_adj(NULL,0);
+					if (!(sign_time=X509_gmtime_adj(NULL,0)))
+						{
+						PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
+							ERR_R_MALLOC_FAILURE);
+						goto err;
+						}
 					PKCS7_add_signed_attribute(si,
 						NID_pkcs9_signingTime,
 						V_ASN1_UTCTIME,sign_time);
@@ -608,8 +703,19 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 				/* Add digest */
 				md_tmp=EVP_MD_CTX_md(&ctx_tmp);
 				EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len);
-				digest=M_ASN1_OCTET_STRING_new();
-				M_ASN1_OCTET_STRING_set(digest,md_data,md_len);
+				if (!(digest=M_ASN1_OCTET_STRING_new()))
+					{
+					PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
+						ERR_R_MALLOC_FAILURE);
+					goto err;
+					}
+				if (!M_ASN1_OCTET_STRING_set(digest,md_data,
+								md_len))
+					{
+					PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
+						ERR_R_MALLOC_FAILURE);
+					goto err;
+					}
 				PKCS7_add_signed_attribute(si,
 					NID_pkcs9_messageDigest,
 					V_ASN1_OCTET_STRING,digest);
@@ -627,28 +733,42 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 			if (si->pkey->type == EVP_PKEY_DSA)
 				ctx_tmp.digest=EVP_dss1();
 #endif
+#ifndef OPENSSL_NO_ECDSA
+ 			if (si->pkey->type == EVP_PKEY_EC)
+ 				ctx_tmp.digest=EVP_ecdsa();
+#endif
 
 			if (!EVP_SignFinal(&ctx_tmp,(unsigned char *)buf->data,
 				(unsigned int *)&buf->length,si->pkey))
 				{
-				PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_EVP_LIB);
+				PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_EVP_LIB);
 				goto err;
 				}
 			if (!ASN1_STRING_set(si->enc_digest,
 				(unsigned char *)buf->data,buf->length))
 				{
-				PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_ASN1_LIB);
+				PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_ASN1_LIB);
 				goto err;
 				}
 			}
 		}
+	else if (i == NID_pkcs7_digest)
+		{
+		unsigned char md_data[EVP_MAX_MD_SIZE];
+		unsigned int md_len;
+		if (!PKCS7_find_digest(&mdc, bio,
+				OBJ_obj2nid(p7->d.digest->md->algorithm)))
+			goto err;
+		EVP_DigestFinal_ex(mdc,md_data,&md_len);
+		M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
+		}
 
 	if (!PKCS7_is_detached(p7))
 		{
 		btmp=BIO_find_type(bio,BIO_TYPE_MEM);
 		if (btmp == NULL)
 			{
-			PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
+			PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
 			goto err;
 			}
 		BIO_get_mem_ptr(btmp,&buf_mem);
@@ -829,6 +949,9 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
 #ifndef OPENSSL_NO_DSA
 	if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1();
 #endif
+#ifndef OPENSSL_NO_ECDSA
+	if (pkey->type == EVP_PKEY_EC) mdc_tmp.digest=EVP_ecdsa();
+#endif
 
 	i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey);
 	EVP_PKEY_free(pkey);
diff --git a/crypto/openssl/crypto/pkcs7/pk7_lib.c b/crypto/openssl/crypto/pkcs7/pk7_lib.c
index 985b07245cc7..58ce6791c9ac 100644
--- a/crypto/openssl/crypto/pkcs7/pk7_lib.c
+++ b/crypto/openssl/crypto/pkcs7/pk7_lib.c
@@ -138,6 +138,10 @@ int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data)
 		p7->d.sign->contents=p7_data;
 		break;
 	case NID_pkcs7_digest:
+		if (p7->d.digest->contents != NULL)
+			PKCS7_free(p7->d.digest->contents);
+		p7->d.digest->contents=p7_data;
+		break;
 	case NID_pkcs7_data:
 	case NID_pkcs7_enveloped:
 	case NID_pkcs7_signedAndEnveloped:
@@ -164,7 +168,12 @@ int PKCS7_set_type(PKCS7 *p7, int type)
 		p7->type=obj;
 		if ((p7->d.sign=PKCS7_SIGNED_new()) == NULL)
 			goto err;
-		ASN1_INTEGER_set(p7->d.sign->version,1);
+		if (!ASN1_INTEGER_set(p7->d.sign->version,1))
+			{
+			PKCS7_SIGNED_free(p7->d.sign);
+			p7->d.sign=NULL;
+			goto err;
+			}
 		break;
 	case NID_pkcs7_data:
 		p7->type=obj;
@@ -176,6 +185,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
 		if ((p7->d.signed_and_enveloped=PKCS7_SIGN_ENVELOPE_new())
 			== NULL) goto err;
 		ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1);
+		if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1))
+			goto err;
 		p7->d.signed_and_enveloped->enc_data->content_type
 						= OBJ_nid2obj(NID_pkcs7_data);
 		break;
@@ -183,7 +194,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
 		p7->type=obj;
 		if ((p7->d.enveloped=PKCS7_ENVELOPE_new())
 			== NULL) goto err;
-		ASN1_INTEGER_set(p7->d.enveloped->version,0);
+		if (!ASN1_INTEGER_set(p7->d.enveloped->version,0))
+			goto err;
 		p7->d.enveloped->enc_data->content_type
 						= OBJ_nid2obj(NID_pkcs7_data);
 		break;
@@ -191,12 +203,19 @@ int PKCS7_set_type(PKCS7 *p7, int type)
 		p7->type=obj;
 		if ((p7->d.encrypted=PKCS7_ENCRYPT_new())
 			== NULL) goto err;
-		ASN1_INTEGER_set(p7->d.encrypted->version,0);
+		if (!ASN1_INTEGER_set(p7->d.encrypted->version,0))
+			goto err;
 		p7->d.encrypted->enc_data->content_type
 						= OBJ_nid2obj(NID_pkcs7_data);
 		break;
 
 	case NID_pkcs7_digest:
+		p7->type=obj;
+		if ((p7->d.digest=PKCS7_DIGEST_new())
+			== NULL) goto err;
+		if (!ASN1_INTEGER_set(p7->d.digest->version,0))
+			goto err;
+		break;
 	default:
 		PKCS7err(PKCS7_F_PKCS7_SET_TYPE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
 		goto err;
@@ -206,6 +225,13 @@ err:
 	return(0);
 	}
 
+int PKCS7_set0_type_other(PKCS7 *p7, int type, ASN1_TYPE *other)
+	{
+	p7->type = OBJ_nid2obj(type);
+	p7->d.other = other;
+	return 1;
+	}
+
 int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi)
 	{
 	int i,j,nid;
@@ -314,19 +340,26 @@ int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
 int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
 	     const EVP_MD *dgst)
 	{
+	int nid;
 	char is_dsa;
-	if (pkey->type == EVP_PKEY_DSA) is_dsa = 1;
-	else is_dsa = 0;
+
+	if (pkey->type == EVP_PKEY_DSA || pkey->type == EVP_PKEY_EC)
+		is_dsa = 1;
+	else
+		is_dsa = 0;
 	/* We now need to add another PKCS7_SIGNER_INFO entry */
-	ASN1_INTEGER_set(p7i->version,1);
-	X509_NAME_set(&p7i->issuer_and_serial->issuer,
-		X509_get_issuer_name(x509));
+	if (!ASN1_INTEGER_set(p7i->version,1))
+		goto err;
+	if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
+			X509_get_issuer_name(x509)))
+		goto err;
 
 	/* because ASN1_INTEGER_set is used to set a 'long' we will do
 	 * things the ugly way. */
 	M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
-	p7i->issuer_and_serial->serial=
-		M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+	if (!(p7i->issuer_and_serial->serial=
+			M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
+		goto err;
 
 	/* lets keep the pkey around for a while */
 	CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
@@ -343,16 +376,38 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
 		goto err;
 	p7i->digest_alg->parameter->type=V_ASN1_NULL;
 
-	p7i->digest_enc_alg->algorithm=OBJ_nid2obj(EVP_PKEY_type(pkey->type));
-
 	if (p7i->digest_enc_alg->parameter != NULL)
 		ASN1_TYPE_free(p7i->digest_enc_alg->parameter);
-	if(is_dsa) p7i->digest_enc_alg->parameter = NULL;
-	else {
+	nid = EVP_PKEY_type(pkey->type);
+	if (nid == EVP_PKEY_RSA)
+		{
+		p7i->digest_enc_alg->algorithm=OBJ_nid2obj(NID_rsaEncryption);
 		if (!(p7i->digest_enc_alg->parameter=ASN1_TYPE_new()))
 			goto err;
 		p7i->digest_enc_alg->parameter->type=V_ASN1_NULL;
-	}
+		}
+	else if (nid == EVP_PKEY_DSA)
+		{
+#if 1
+		/* use 'dsaEncryption' OID for compatibility with other software
+		 * (PKCS #7 v1.5 does specify how to handle DSA) ... */
+		p7i->digest_enc_alg->algorithm=OBJ_nid2obj(NID_dsa);
+#else
+		/* ... although the 'dsaWithSHA1' OID (as required by RFC 2630 for CMS)
+		 * would make more sense. */
+		p7i->digest_enc_alg->algorithm=OBJ_nid2obj(NID_dsaWithSHA1);
+#endif
+		p7i->digest_enc_alg->parameter = NULL; /* special case for DSA: omit 'parameter'! */
+		}
+	else if (nid == EVP_PKEY_EC)
+		{
+		p7i->digest_enc_alg->algorithm=OBJ_nid2obj(NID_ecdsa_with_SHA1);
+		if (!(p7i->digest_enc_alg->parameter=ASN1_TYPE_new()))
+			goto err;
+		p7i->digest_enc_alg->parameter->type=V_ASN1_NULL;
+		}
+	else
+		return(0);
 
 	return(1);
 err:
@@ -372,6 +427,24 @@ err:
 	return(NULL);
 	}
 
+int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md)
+	{
+	if (PKCS7_type_is_digest(p7))
+		{
+		if(!(p7->d.digest->md->parameter = ASN1_TYPE_new()))
+			{
+			PKCS7err(PKCS7_F_PKCS7_SET_DIGEST,ERR_R_MALLOC_FAILURE);
+			return 0;
+			}
+		p7->d.digest->md->parameter->type = V_ASN1_NULL;
+		p7->d.digest->md->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
+		return 1;
+		}
+		
+	PKCS7err(PKCS7_F_PKCS7_SET_DIGEST,PKCS7_R_WRONG_CONTENT_TYPE);
+	return 1;
+	}
+
 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
 	{
 	if (PKCS7_type_is_signed(p7))
@@ -423,16 +496,20 @@ int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
 
 int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
 	{
-	ASN1_INTEGER_set(p7i->version,0);
-	X509_NAME_set(&p7i->issuer_and_serial->issuer,
-		X509_get_issuer_name(x509));
+	if (!ASN1_INTEGER_set(p7i->version,0))
+		return 0;
+	if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
+		X509_get_issuer_name(x509)))
+		return 0;
 
 	M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
-	p7i->issuer_and_serial->serial=
-		M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+	if (!(p7i->issuer_and_serial->serial=
+		M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
+		return 0;
 
 	X509_ALGOR_free(p7i->key_enc_algor);
-	p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor);
+	if (!(p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor)))
+		return 0;
 
 	CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
 	p7i->cert=x509;
diff --git a/crypto/openssl/crypto/pkcs7/pk7_mime.c b/crypto/openssl/crypto/pkcs7/pk7_mime.c
index 5d2a97839d2b..134746c1864f 100644
--- a/crypto/openssl/crypto/pkcs7/pk7_mime.c
+++ b/crypto/openssl/crypto/pkcs7/pk7_mime.c
@@ -1,9 +1,9 @@
 /* pk7_mime.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project.
  */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -86,6 +86,7 @@ STACK_OF(MIME_PARAM) *params;		/* Zero or more parameters */
 DECLARE_STACK_OF(MIME_HEADER)
 IMPLEMENT_STACK_OF(MIME_HEADER)
 
+static int pkcs7_output_data(BIO *bio, BIO *data, PKCS7 *p7, int flags);
 static int B64_write_PKCS7(BIO *bio, PKCS7 *p7);
 static PKCS7 *B64_read_PKCS7(BIO *bio);
 static char * strip_ends(char *name);
@@ -109,9 +110,6 @@ static void mime_hdr_free(MIME_HEADER *hdr);
 #define MAX_SMLEN 1024
 #define mime_debug(x) /* x */
 
-
-typedef void (*stkfree)();
-
 /* Base 64 read and write of PKCS#7 structure */
 
 static int B64_write_PKCS7(BIO *bio, PKCS7 *p7)
@@ -152,11 +150,12 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
 {
 	char bound[33], c;
 	int i;
-	char *mime_prefix, *mime_eol;
+	char *mime_prefix, *mime_eol, *msg_type=NULL;
 	if (flags & PKCS7_NOOLDMIMETYPE)
 		mime_prefix = "application/pkcs7-";
 	else
 		mime_prefix = "application/x-pkcs7-";
+
 	if (flags & PKCS7_CRLFEOL)
 		mime_eol = "\r\n";
 	else
@@ -181,7 +180,7 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
 						mime_eol, mime_eol);
 		/* Now write out the first part */
 		BIO_printf(bio, "------%s%s", bound, mime_eol);
-		SMIME_crlf_copy(data, bio, flags);
+		pkcs7_output_data(bio, data, p7, flags);
 		BIO_printf(bio, "%s------%s%s", mime_eol, bound, mime_eol);
 
 		/* Headers for signature */
@@ -195,14 +194,33 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
 							mime_eol, mime_eol);
 		B64_write_PKCS7(bio, p7);
 		BIO_printf(bio,"%s------%s--%s%s", mime_eol, bound,
-						mime_eol, mime_eol);
+							mime_eol, mime_eol);
 		return 1;
 	}
+
+	/* Determine smime-type header */
+
+	if (PKCS7_type_is_enveloped(p7))
+		msg_type = "enveloped-data";
+	else if (PKCS7_type_is_signed(p7))
+		{
+		/* If we have any signers it is signed-data othewise 
+		 * certs-only.
+		 */
+		STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+		sinfos = PKCS7_get_signer_info(p7);
+		if (sk_PKCS7_SIGNER_INFO_num(sinfos) > 0)
+			msg_type = "signed-data";
+		else
+			msg_type = "certs-only";
+		}
 	/* MIME headers */
 	BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol);
 	BIO_printf(bio, "Content-Disposition: attachment;");
 	BIO_printf(bio, " filename=\"smime.p7m\"%s", mime_eol);
 	BIO_printf(bio, "Content-Type: %smime;", mime_prefix);
+	if (msg_type)
+		BIO_printf(bio, " smime-type=%s;", msg_type);
 	BIO_printf(bio, " name=\"smime.p7m\"%s", mime_eol);
 	BIO_printf(bio, "Content-Transfer-Encoding: base64%s%s",
 						mime_eol, mime_eol);
@@ -211,6 +229,46 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
 	return 1;
 }
 
+/* Handle output of PKCS#7 data */
+
+
+static int pkcs7_output_data(BIO *out, BIO *data, PKCS7 *p7, int flags)
+	{
+	BIO *tmpbio, *p7bio;
+
+	if (!(flags & PKCS7_STREAM))
+		{
+		SMIME_crlf_copy(data, out, flags);
+		return 1;
+		}
+
+	/* Partial sign operation */
+
+	/* Initialize sign operation */
+	p7bio = PKCS7_dataInit(p7, out);
+
+	/* Copy data across, computing digests etc */
+	SMIME_crlf_copy(data, p7bio, flags);
+
+	/* Must be detached */
+	PKCS7_set_detached(p7, 1);
+
+	/* Finalize signatures */
+	PKCS7_dataFinal(p7, p7bio);
+
+	/* Now remove any digests prepended to the BIO */
+
+	while (p7bio != out)
+		{
+		tmpbio = BIO_pop(p7bio);
+		BIO_free(p7bio);
+		p7bio = tmpbio;
+		}
+
+	return 1;
+
+	}
+
 /* SMIME reader: handle multipart/signed and opaque signing.
  * in multipart case the content is placed in a memory BIO
  * pointed to by "bcont". In opaque this is set to NULL
@@ -330,7 +388,8 @@ int SMIME_crlf_copy(BIO *in, BIO *out, int flags)
 						BIO_write(out, linebuf, len);
 		return 1;
 	}
-	if(flags & PKCS7_TEXT) BIO_printf(out, "Content-Type: text/plain\r\n\r\n");
+	if(flags & PKCS7_TEXT)
+		BIO_printf(out, "Content-Type: text/plain\r\n\r\n");
 	while ((len = BIO_gets(in, linebuf, MAX_SMLEN)) > 0) {
 		eol = strip_eol(linebuf, &len);
 		if (len)
diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c
index 6e5735de1187..1f4a0a17952f 100644
--- a/crypto/openssl/crypto/pkcs7/pk7_smime.c
+++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c
@@ -1,9 +1,9 @@
 /* pk7_smime.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project.
  */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -88,6 +88,7 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
 
     	if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) {
 		PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR);
+		PKCS7_free(p7);
 		return NULL;
 	}
 
@@ -97,14 +98,6 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
 			PKCS7_add_certificate(p7, sk_X509_value(certs, i));
 	}
 
-	if(!(p7bio = PKCS7_dataInit(p7, NULL))) {
-		PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-
-
-	SMIME_crlf_copy(data, p7bio, flags);
-
 	if(!(flags & PKCS7_NOATTR)) {
 		PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
 				V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data));
@@ -113,6 +106,7 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
 		{
 		if(!(smcap = sk_X509_ALGOR_new_null())) {
 			PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
+			PKCS7_free(p7);
 			return NULL;
 		}
 #ifndef OPENSSL_NO_DES
@@ -133,14 +127,27 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
 		}
 	}
 
+	if (flags & PKCS7_STREAM)
+		return p7;
+
+	if (!(p7bio = PKCS7_dataInit(p7, NULL))) {
+		PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
+		PKCS7_free(p7);
+		return NULL;
+	}
+
+	SMIME_crlf_copy(data, p7bio, flags);
+
 	if(flags & PKCS7_DETACHED)PKCS7_set_detached(p7, 1);
 
         if (!PKCS7_dataFinal(p7,p7bio)) {
 		PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_DATASIGN);
+		PKCS7_free(p7);
+		BIO_free_all(p7bio);
 		return NULL;
 	}
 
-        BIO_free_all(p7bio);
+	BIO_free_all(p7bio);
 	return p7;
 }
 
@@ -155,7 +162,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 	char buf[4096];
 	int i, j=0, k, ret = 0;
 	BIO *p7bio;
-	BIO *tmpout;
+	BIO *tmpin, *tmpout;
 
 	if(!p7) {
 		PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_INVALID_NULL_POINTER);
@@ -215,6 +222,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 			sk_X509_free(signers);
 			return 0;
 		}
+		if (!(flags & PKCS7_NOCRL))
+			X509_STORE_CTX_set0_crls(&cert_ctx, p7->d.sign->crl);
 		i = X509_verify_cert(&cert_ctx);
 		if (i <= 0) j = X509_STORE_CTX_get_error(&cert_ctx);
 		X509_STORE_CTX_cleanup(&cert_ctx);
@@ -228,7 +237,30 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 		/* Check for revocation status here */
 	}
 
-	p7bio=PKCS7_dataInit(p7,indata);
+	/* Performance optimization: if the content is a memory BIO then
+	 * store its contents in a temporary read only memory BIO. This
+	 * avoids potentially large numbers of slow copies of data which will
+	 * occur when reading from a read write memory BIO when signatures
+	 * are calculated.
+	 */
+
+	if (indata && (BIO_method_type(indata) == BIO_TYPE_MEM))
+		{
+		char *ptr;
+		long len;
+		len = BIO_get_mem_data(indata, &ptr);
+		tmpin = BIO_new_mem_buf(ptr, len);
+		if (tmpin == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE);
+			return 0;
+			}
+		}
+	else
+		tmpin = indata;
+		
+
+	p7bio=PKCS7_dataInit(p7,tmpin);
 
 	if(flags & PKCS7_TEXT) {
 		if(!(tmpout = BIO_new(BIO_s_mem()))) {
@@ -270,9 +302,13 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 	ret = 1;
 
 	err:
-
-	if(indata) BIO_pop(p7bio);
+	
+	if (tmpin == indata)
+		{
+		if (indata) BIO_pop(p7bio);
+		}
 	BIO_free_all(p7bio);
+
 	sk_X509_free(signers);
 
 	return ret;
@@ -296,10 +332,6 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
 		PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_WRONG_CONTENT_TYPE);
 		return NULL;
 	}
-	if(!(signers = sk_X509_new_null())) {
-		PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
 
 	/* Collect all the signers together */
 
@@ -310,6 +342,11 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
 		return 0;
 	}
 
+	if(!(signers = sk_X509_new_null())) {
+		PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
 	for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
 	{
 	    si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
@@ -404,7 +441,7 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
 		return 0;
 	}
 
-	if(!X509_check_private_key(cert, pkey)) {
+	if(cert && !X509_check_private_key(cert, pkey)) {
 		PKCS7err(PKCS7_F_PKCS7_DECRYPT,
 				PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
 		return 0;
diff --git a/crypto/openssl/crypto/pkcs7/pkcs7.h b/crypto/openssl/crypto/pkcs7/pkcs7.h
index 15372e18f8c0..cc092d262dc3 100644
--- a/crypto/openssl/crypto/pkcs7/pkcs7.h
+++ b/crypto/openssl/crypto/pkcs7/pkcs7.h
@@ -233,6 +233,8 @@ DECLARE_PKCS12_STACK_OF(PKCS7)
 		(OBJ_obj2nid((a)->type) == NID_pkcs7_signedAndEnveloped)
 #define PKCS7_type_is_data(a)   (OBJ_obj2nid((a)->type) == NID_pkcs7_data)
 
+#define PKCS7_type_is_digest(a)   (OBJ_obj2nid((a)->type) == NID_pkcs7_digest)
+
 #define PKCS7_set_detached(p,v) \
 		PKCS7_ctrl(p,PKCS7_OP_SET_DETACHED_SIGNATURE,v,NULL)
 #define PKCS7_get_detached(p) \
@@ -262,6 +264,8 @@ DECLARE_PKCS12_STACK_OF(PKCS7)
 #define	PKCS7_NOSMIMECAP	0x200
 #define PKCS7_NOOLDMIMETYPE	0x400
 #define PKCS7_CRLFEOL		0x800
+#define PKCS7_STREAM		0x1000
+#define PKCS7_NOCRL		0x2000
 
 /* Flags: for compatibility with older code */
 
@@ -302,10 +306,12 @@ DECLARE_ASN1_FUNCTIONS(PKCS7)
 DECLARE_ASN1_ITEM(PKCS7_ATTR_SIGN)
 DECLARE_ASN1_ITEM(PKCS7_ATTR_VERIFY)
 
+DECLARE_ASN1_NDEF_FUNCTION(PKCS7)
 
 long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg);
 
 int PKCS7_set_type(PKCS7 *p7, int type);
+int PKCS7_set0_type_other(PKCS7 *p7, int type, ASN1_TYPE *other);
 int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data);
 int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
 	const EVP_MD *dgst);
@@ -326,6 +332,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert);
 PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509,
 	EVP_PKEY *pkey, const EVP_MD *dgst);
 X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
+int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md);
 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7);
 
 PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509);
@@ -381,16 +388,20 @@ void ERR_load_PKCS7_strings(void);
 #define PKCS7_F_PKCS7_ADD_CRL				 101
 #define PKCS7_F_PKCS7_ADD_RECIPIENT_INFO		 102
 #define PKCS7_F_PKCS7_ADD_SIGNER			 103
+#define PKCS7_F_PKCS7_BIO_ADD_DIGEST			 125
 #define PKCS7_F_PKCS7_CTRL				 104
 #define PKCS7_F_PKCS7_DATADECODE			 112
+#define PKCS7_F_PKCS7_DATAFINAL				 128
 #define PKCS7_F_PKCS7_DATAINIT				 105
 #define PKCS7_F_PKCS7_DATASIGN				 106
 #define PKCS7_F_PKCS7_DATAVERIFY			 107
 #define PKCS7_F_PKCS7_DECRYPT				 114
 #define PKCS7_F_PKCS7_ENCRYPT				 115
+#define PKCS7_F_PKCS7_FIND_DIGEST			 127
 #define PKCS7_F_PKCS7_GET0_SIGNERS			 124
 #define PKCS7_F_PKCS7_SET_CIPHER			 108
 #define PKCS7_F_PKCS7_SET_CONTENT			 109
+#define PKCS7_F_PKCS7_SET_DIGEST			 126
 #define PKCS7_F_PKCS7_SET_TYPE				 110
 #define PKCS7_F_PKCS7_SIGN				 116
 #define PKCS7_F_PKCS7_SIGNATUREVERIFY			 113
@@ -421,13 +432,15 @@ void ERR_load_PKCS7_strings(void);
 #define PKCS7_R_NO_MULTIPART_BODY_FAILURE		 136
 #define PKCS7_R_NO_MULTIPART_BOUNDARY			 137
 #define PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE	 115
+#define PKCS7_R_NO_RECIPIENT_MATCHES_KEY		 146
 #define PKCS7_R_NO_SIGNATURES_ON_DATA			 123
 #define PKCS7_R_NO_SIGNERS				 142
 #define PKCS7_R_NO_SIG_CONTENT_TYPE			 138
 #define PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE	 104
 #define PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR		 124
+#define PKCS7_R_PKCS7_DATAFINAL				 126
 #define PKCS7_R_PKCS7_DATAFINAL_ERROR			 125
-#define PKCS7_R_PKCS7_DATASIGN				 126
+#define PKCS7_R_PKCS7_DATASIGN				 145
 #define PKCS7_R_PKCS7_PARSE_ERROR			 139
 #define PKCS7_R_PKCS7_SIG_PARSE_ERROR			 140
 #define PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE	 127
diff --git a/crypto/openssl/crypto/pkcs7/pkcs7err.c b/crypto/openssl/crypto/pkcs7/pkcs7err.c
index 5e51527a4075..4cd293472ff2 100644
--- a/crypto/openssl/crypto/pkcs7/pkcs7err.c
+++ b/crypto/openssl/crypto/pkcs7/pkcs7err.c
@@ -1,6 +1,6 @@
 /* crypto/pkcs7/pkcs7err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,81 +64,91 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS7,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS7,0,reason)
+
 static ERR_STRING_DATA PKCS7_str_functs[]=
 	{
-{ERR_PACK(0,PKCS7_F_B64_READ_PKCS7,0),	"B64_READ_PKCS7"},
-{ERR_PACK(0,PKCS7_F_B64_WRITE_PKCS7,0),	"B64_WRITE_PKCS7"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,0),	"PKCS7_add_attrib_smimecap"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_CERTIFICATE,0),	"PKCS7_add_certificate"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_CRL,0),	"PKCS7_add_crl"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_RECIPIENT_INFO,0),	"PKCS7_add_recipient_info"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_SIGNER,0),	"PKCS7_add_signer"},
-{ERR_PACK(0,PKCS7_F_PKCS7_CTRL,0),	"PKCS7_ctrl"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DATADECODE,0),	"PKCS7_dataDecode"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DATAINIT,0),	"PKCS7_dataInit"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DATASIGN,0),	"PKCS7_DATASIGN"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DATAVERIFY,0),	"PKCS7_dataVerify"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DECRYPT,0),	"PKCS7_decrypt"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ENCRYPT,0),	"PKCS7_encrypt"},
-{ERR_PACK(0,PKCS7_F_PKCS7_GET0_SIGNERS,0),	"PKCS7_get0_signers"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SET_CIPHER,0),	"PKCS7_set_cipher"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SET_CONTENT,0),	"PKCS7_set_content"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SET_TYPE,0),	"PKCS7_set_type"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SIGN,0),	"PKCS7_sign"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SIGNATUREVERIFY,0),	"PKCS7_signatureVerify"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SIMPLE_SMIMECAP,0),	"PKCS7_simple_smimecap"},
-{ERR_PACK(0,PKCS7_F_PKCS7_VERIFY,0),	"PKCS7_verify"},
-{ERR_PACK(0,PKCS7_F_SMIME_READ_PKCS7,0),	"SMIME_read_PKCS7"},
-{ERR_PACK(0,PKCS7_F_SMIME_TEXT,0),	"SMIME_text"},
+{ERR_FUNC(PKCS7_F_B64_READ_PKCS7),	"B64_READ_PKCS7"},
+{ERR_FUNC(PKCS7_F_B64_WRITE_PKCS7),	"B64_WRITE_PKCS7"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP),	"PKCS7_add_attrib_smimecap"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_CERTIFICATE),	"PKCS7_add_certificate"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_CRL),	"PKCS7_add_crl"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_RECIPIENT_INFO),	"PKCS7_add_recipient_info"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_SIGNER),	"PKCS7_add_signer"},
+{ERR_FUNC(PKCS7_F_PKCS7_BIO_ADD_DIGEST),	"PKCS7_BIO_ADD_DIGEST"},
+{ERR_FUNC(PKCS7_F_PKCS7_CTRL),	"PKCS7_ctrl"},
+{ERR_FUNC(PKCS7_F_PKCS7_DATADECODE),	"PKCS7_dataDecode"},
+{ERR_FUNC(PKCS7_F_PKCS7_DATAFINAL),	"PKCS7_dataFinal"},
+{ERR_FUNC(PKCS7_F_PKCS7_DATAINIT),	"PKCS7_dataInit"},
+{ERR_FUNC(PKCS7_F_PKCS7_DATASIGN),	"PKCS7_DATASIGN"},
+{ERR_FUNC(PKCS7_F_PKCS7_DATAVERIFY),	"PKCS7_dataVerify"},
+{ERR_FUNC(PKCS7_F_PKCS7_DECRYPT),	"PKCS7_decrypt"},
+{ERR_FUNC(PKCS7_F_PKCS7_ENCRYPT),	"PKCS7_encrypt"},
+{ERR_FUNC(PKCS7_F_PKCS7_FIND_DIGEST),	"PKCS7_FIND_DIGEST"},
+{ERR_FUNC(PKCS7_F_PKCS7_GET0_SIGNERS),	"PKCS7_get0_signers"},
+{ERR_FUNC(PKCS7_F_PKCS7_SET_CIPHER),	"PKCS7_set_cipher"},
+{ERR_FUNC(PKCS7_F_PKCS7_SET_CONTENT),	"PKCS7_set_content"},
+{ERR_FUNC(PKCS7_F_PKCS7_SET_DIGEST),	"PKCS7_set_digest"},
+{ERR_FUNC(PKCS7_F_PKCS7_SET_TYPE),	"PKCS7_set_type"},
+{ERR_FUNC(PKCS7_F_PKCS7_SIGN),	"PKCS7_sign"},
+{ERR_FUNC(PKCS7_F_PKCS7_SIGNATUREVERIFY),	"PKCS7_signatureVerify"},
+{ERR_FUNC(PKCS7_F_PKCS7_SIMPLE_SMIMECAP),	"PKCS7_simple_smimecap"},
+{ERR_FUNC(PKCS7_F_PKCS7_VERIFY),	"PKCS7_verify"},
+{ERR_FUNC(PKCS7_F_SMIME_READ_PKCS7),	"SMIME_read_PKCS7"},
+{ERR_FUNC(PKCS7_F_SMIME_TEXT),	"SMIME_text"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA PKCS7_str_reasons[]=
 	{
-{PKCS7_R_CERTIFICATE_VERIFY_ERROR        ,"certificate verify error"},
-{PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER ,"cipher has no object identifier"},
-{PKCS7_R_CIPHER_NOT_INITIALIZED          ,"cipher not initialized"},
-{PKCS7_R_CONTENT_AND_DATA_PRESENT        ,"content and data present"},
-{PKCS7_R_DECODE_ERROR                    ,"decode error"},
-{PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH   ,"decrypted key is wrong length"},
-{PKCS7_R_DECRYPT_ERROR                   ,"decrypt error"},
-{PKCS7_R_DIGEST_FAILURE                  ,"digest failure"},
-{PKCS7_R_ERROR_ADDING_RECIPIENT          ,"error adding recipient"},
-{PKCS7_R_ERROR_SETTING_CIPHER            ,"error setting cipher"},
-{PKCS7_R_INVALID_MIME_TYPE               ,"invalid mime type"},
-{PKCS7_R_INVALID_NULL_POINTER            ,"invalid null pointer"},
-{PKCS7_R_MIME_NO_CONTENT_TYPE            ,"mime no content type"},
-{PKCS7_R_MIME_PARSE_ERROR                ,"mime parse error"},
-{PKCS7_R_MIME_SIG_PARSE_ERROR            ,"mime sig parse error"},
-{PKCS7_R_MISSING_CERIPEND_INFO           ,"missing ceripend info"},
-{PKCS7_R_NO_CONTENT                      ,"no content"},
-{PKCS7_R_NO_CONTENT_TYPE                 ,"no content type"},
-{PKCS7_R_NO_MULTIPART_BODY_FAILURE       ,"no multipart body failure"},
-{PKCS7_R_NO_MULTIPART_BOUNDARY           ,"no multipart boundary"},
-{PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE,"no recipient matches certificate"},
-{PKCS7_R_NO_SIGNATURES_ON_DATA           ,"no signatures on data"},
-{PKCS7_R_NO_SIGNERS                      ,"no signers"},
-{PKCS7_R_NO_SIG_CONTENT_TYPE             ,"no sig content type"},
-{PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE,"operation not supported on this type"},
-{PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR       ,"pkcs7 add signature error"},
-{PKCS7_R_PKCS7_DATAFINAL_ERROR           ,"pkcs7 datafinal error"},
-{PKCS7_R_PKCS7_DATASIGN                  ,"pkcs7 datasign"},
-{PKCS7_R_PKCS7_PARSE_ERROR               ,"pkcs7 parse error"},
-{PKCS7_R_PKCS7_SIG_PARSE_ERROR           ,"pkcs7 sig parse error"},
-{PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
-{PKCS7_R_SIGNATURE_FAILURE               ,"signature failure"},
-{PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND    ,"signer certificate not found"},
-{PKCS7_R_SIG_INVALID_MIME_TYPE           ,"sig invalid mime type"},
-{PKCS7_R_SMIME_TEXT_ERROR                ,"smime text error"},
-{PKCS7_R_UNABLE_TO_FIND_CERTIFICATE      ,"unable to find certificate"},
-{PKCS7_R_UNABLE_TO_FIND_MEM_BIO          ,"unable to find mem bio"},
-{PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST   ,"unable to find message digest"},
-{PKCS7_R_UNKNOWN_DIGEST_TYPE             ,"unknown digest type"},
-{PKCS7_R_UNKNOWN_OPERATION               ,"unknown operation"},
-{PKCS7_R_UNSUPPORTED_CIPHER_TYPE         ,"unsupported cipher type"},
-{PKCS7_R_UNSUPPORTED_CONTENT_TYPE        ,"unsupported content type"},
-{PKCS7_R_WRONG_CONTENT_TYPE              ,"wrong content type"},
-{PKCS7_R_WRONG_PKCS7_TYPE                ,"wrong pkcs7 type"},
+{ERR_REASON(PKCS7_R_CERTIFICATE_VERIFY_ERROR),"certificate verify error"},
+{ERR_REASON(PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER),"cipher has no object identifier"},
+{ERR_REASON(PKCS7_R_CIPHER_NOT_INITIALIZED),"cipher not initialized"},
+{ERR_REASON(PKCS7_R_CONTENT_AND_DATA_PRESENT),"content and data present"},
+{ERR_REASON(PKCS7_R_DECODE_ERROR)        ,"decode error"},
+{ERR_REASON(PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH),"decrypted key is wrong length"},
+{ERR_REASON(PKCS7_R_DECRYPT_ERROR)       ,"decrypt error"},
+{ERR_REASON(PKCS7_R_DIGEST_FAILURE)      ,"digest failure"},
+{ERR_REASON(PKCS7_R_ERROR_ADDING_RECIPIENT),"error adding recipient"},
+{ERR_REASON(PKCS7_R_ERROR_SETTING_CIPHER),"error setting cipher"},
+{ERR_REASON(PKCS7_R_INVALID_MIME_TYPE)   ,"invalid mime type"},
+{ERR_REASON(PKCS7_R_INVALID_NULL_POINTER),"invalid null pointer"},
+{ERR_REASON(PKCS7_R_MIME_NO_CONTENT_TYPE),"mime no content type"},
+{ERR_REASON(PKCS7_R_MIME_PARSE_ERROR)    ,"mime parse error"},
+{ERR_REASON(PKCS7_R_MIME_SIG_PARSE_ERROR),"mime sig parse error"},
+{ERR_REASON(PKCS7_R_MISSING_CERIPEND_INFO),"missing ceripend info"},
+{ERR_REASON(PKCS7_R_NO_CONTENT)          ,"no content"},
+{ERR_REASON(PKCS7_R_NO_CONTENT_TYPE)     ,"no content type"},
+{ERR_REASON(PKCS7_R_NO_MULTIPART_BODY_FAILURE),"no multipart body failure"},
+{ERR_REASON(PKCS7_R_NO_MULTIPART_BOUNDARY),"no multipart boundary"},
+{ERR_REASON(PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE),"no recipient matches certificate"},
+{ERR_REASON(PKCS7_R_NO_RECIPIENT_MATCHES_KEY),"no recipient matches key"},
+{ERR_REASON(PKCS7_R_NO_SIGNATURES_ON_DATA),"no signatures on data"},
+{ERR_REASON(PKCS7_R_NO_SIGNERS)          ,"no signers"},
+{ERR_REASON(PKCS7_R_NO_SIG_CONTENT_TYPE) ,"no sig content type"},
+{ERR_REASON(PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE),"operation not supported on this type"},
+{ERR_REASON(PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR),"pkcs7 add signature error"},
+{ERR_REASON(PKCS7_R_PKCS7_DATAFINAL)     ,"pkcs7 datafinal"},
+{ERR_REASON(PKCS7_R_PKCS7_DATAFINAL_ERROR),"pkcs7 datafinal error"},
+{ERR_REASON(PKCS7_R_PKCS7_DATASIGN)      ,"pkcs7 datasign"},
+{ERR_REASON(PKCS7_R_PKCS7_PARSE_ERROR)   ,"pkcs7 parse error"},
+{ERR_REASON(PKCS7_R_PKCS7_SIG_PARSE_ERROR),"pkcs7 sig parse error"},
+{ERR_REASON(PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"},
+{ERR_REASON(PKCS7_R_SIGNATURE_FAILURE)   ,"signature failure"},
+{ERR_REASON(PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND),"signer certificate not found"},
+{ERR_REASON(PKCS7_R_SIG_INVALID_MIME_TYPE),"sig invalid mime type"},
+{ERR_REASON(PKCS7_R_SMIME_TEXT_ERROR)    ,"smime text error"},
+{ERR_REASON(PKCS7_R_UNABLE_TO_FIND_CERTIFICATE),"unable to find certificate"},
+{ERR_REASON(PKCS7_R_UNABLE_TO_FIND_MEM_BIO),"unable to find mem bio"},
+{ERR_REASON(PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST),"unable to find message digest"},
+{ERR_REASON(PKCS7_R_UNKNOWN_DIGEST_TYPE) ,"unknown digest type"},
+{ERR_REASON(PKCS7_R_UNKNOWN_OPERATION)   ,"unknown operation"},
+{ERR_REASON(PKCS7_R_UNSUPPORTED_CIPHER_TYPE),"unsupported cipher type"},
+{ERR_REASON(PKCS7_R_UNSUPPORTED_CONTENT_TYPE),"unsupported content type"},
+{ERR_REASON(PKCS7_R_WRONG_CONTENT_TYPE)  ,"wrong content type"},
+{ERR_REASON(PKCS7_R_WRONG_PKCS7_TYPE)    ,"wrong pkcs7 type"},
 {0,NULL}
 	};
 
@@ -152,8 +162,8 @@ void ERR_load_PKCS7_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_PKCS7,PKCS7_str_functs);
-		ERR_load_strings(ERR_LIB_PKCS7,PKCS7_str_reasons);
+		ERR_load_strings(0,PKCS7_str_functs);
+		ERR_load_strings(0,PKCS7_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/pqueue/Makefile b/crypto/openssl/crypto/pqueue/Makefile
new file mode 100644
index 000000000000..d0c39d25cef8
--- /dev/null
+++ b/crypto/openssl/crypto/pqueue/Makefile
@@ -0,0 +1,84 @@
+#
+# OpenSSL/crypto/pqueue/Makefile
+#
+
+DIR=	pqueue
+TOP=	../..
+CC=	cc
+INCLUDES=
+CFLAG=-g
+MAKEFILE=	Makefile
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=pqueue.c
+LIBOBJ=pqueue.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= pqueue.h pq_compat.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB) || echo Never mind.
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+links:
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+pqueue.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
+pqueue.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+pqueue.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pqueue.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+pqueue.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pqueue.o: ../../include/openssl/pq_compat.h ../../include/openssl/safestack.h
+pqueue.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pqueue.o: ../cryptlib.h pqueue.c pqueue.h
diff --git a/crypto/openssl/crypto/pqueue/pq_compat.h b/crypto/openssl/crypto/pqueue/pq_compat.h
new file mode 100644
index 000000000000..28c58a0261d9
--- /dev/null
+++ b/crypto/openssl/crypto/pqueue/pq_compat.h
@@ -0,0 +1,147 @@
+/* crypto/pqueue/pqueue_compat.h */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "opensslconf.h"
+#include <openssl/bn.h>
+
+/* 
+ * The purpose of this header file is for supporting 64-bit integer
+ * manipulation on 32-bit (and lower) machines.  Currently the only
+ * such environment is VMS, Utrix and those with smaller default integer
+ * sizes than 32 bits.  For all such environment, we fall back to using
+ * BIGNUM.  We may need to fine tune the conditions for systems that
+ * are incorrectly configured.
+ *
+ * The only clients of this code are (1) pqueue for priority, and
+ * (2) DTLS, for sequence number manipulation.
+ */
+
+#if (defined(THIRTY_TWO_BIT) && !defined(BN_LLONG)) || defined(SIXTEEN_BIT) || defined(EIGHT_BIT)
+
+#define PQ_64BIT_IS_INTEGER 0
+#define PQ_64BIT_IS_BIGNUM 1
+
+#define PQ_64BIT     BIGNUM
+#define PQ_64BIT_CTX BN_CTX
+
+#define pq_64bit_init(x)           BN_init(x)
+#define pq_64bit_free(x)           BN_free(x)
+
+#define pq_64bit_ctx_new(ctx)      BN_CTX_new()
+#define pq_64bit_ctx_free(x)       BN_CTX_free(x)
+
+#define pq_64bit_assign(x, y)      BN_copy(x, y)
+#define pq_64bit_assign_word(x, y) BN_set_word(x, y)
+#define pq_64bit_gt(x, y)          BN_ucmp(x, y) >= 1 ? 1 : 0
+#define pq_64bit_eq(x, y)          BN_ucmp(x, y) == 0 ? 1 : 0
+#define pq_64bit_add_word(x, w)    BN_add_word(x, w)
+#define pq_64bit_sub(r, x, y)      BN_sub(r, x, y)
+#define pq_64bit_sub_word(x, w)    BN_sub_word(x, w)
+#define pq_64bit_mod(r, x, n, ctx) BN_mod(r, x, n, ctx)
+
+#define pq_64bit_bin2num(bn, bytes, len)   BN_bin2bn(bytes, len, bn)
+#define pq_64bit_num2bin(bn, bytes)        BN_bn2bin(bn, bytes)
+#define pq_64bit_get_word(x)               BN_get_word(x)
+#define pq_64bit_is_bit_set(x, offset)     BN_is_bit_set(x, offset)
+#define pq_64bit_lshift(r, x, shift)       BN_lshift(r, x, shift)
+#define pq_64bit_set_bit(x, num)           BN_set_bit(x, num)
+#define pq_64bit_get_length(x)             BN_num_bits((x))
+
+#else
+
+#define PQ_64BIT_IS_INTEGER 1
+#define PQ_64BIT_IS_BIGNUM 0
+
+#if defined(SIXTY_FOUR_BIT)
+#define PQ_64BIT BN_ULONG
+#define PQ_64BIT_PRINT "%lld"
+#elif defined(SIXTY_FOUR_BIT_LONG)
+#define PQ_64BIT BN_ULONG
+#define PQ_64BIT_PRINT "%ld"
+#elif defined(THIRTY_TWO_BIT)
+#define PQ_64BIT BN_ULLONG
+#define PQ_64BIT_PRINT "%lld"
+#endif
+
+#define PQ_64BIT_CTX      void
+
+#define pq_64bit_init(x)
+#define pq_64bit_free(x)
+#define pq_64bit_ctx_new(ctx)        (ctx)
+#define pq_64bit_ctx_free(x)
+
+#define pq_64bit_assign(x, y)        (*(x) = *(y))
+#define pq_64bit_assign_word(x, y)   (*(x) = y)
+#define pq_64bit_gt(x, y)	         (*(x) > *(y))
+#define pq_64bit_eq(x, y)            (*(x) == *(y))
+#define pq_64bit_add_word(x, w)      (*(x) = (*(x) + (w)))
+#define pq_64bit_sub(r, x, y)        (*(r) = (*(x) - *(y)))
+#define pq_64bit_sub_word(x, w)      (*(x) = (*(x) - (w)))
+#define pq_64bit_mod(r, x, n, ctx)
+
+#define pq_64bit_bin2num(num, bytes, len) bytes_to_long_long(bytes, num)
+#define pq_64bit_num2bin(num, bytes)      long_long_to_bytes(num, bytes)
+#define pq_64bit_get_word(x)              *(x)
+#define pq_64bit_lshift(r, x, shift)      (*(r) = (*(x) << (shift)))
+#define pq_64bit_set_bit(x, num)          do { \
+                                              PQ_64BIT mask = 1; \
+                                              mask = mask << (num); \
+                                              *(x) |= mask; \
+                                          } while(0)
+#endif /* OPENSSL_SYS_VMS */
diff --git a/crypto/openssl/crypto/pqueue/pq_test.c b/crypto/openssl/crypto/pqueue/pq_test.c
new file mode 100644
index 000000000000..8d496dfc655b
--- /dev/null
+++ b/crypto/openssl/crypto/pqueue/pq_test.c
@@ -0,0 +1,95 @@
+/* crypto/pqueue/pq_test.c */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "pqueue.h"
+
+int
+main(void)
+	{
+	pitem *item;
+	pqueue pq;
+
+	pq = pqueue_new();
+
+	item = pitem_new(3, NULL);
+	pqueue_insert(pq, item);
+
+	item = pitem_new(1, NULL);
+	pqueue_insert(pq, item);
+
+	item = pitem_new(2, NULL);
+	pqueue_insert(pq, item);
+
+	item = pqueue_find(pq, 1);
+	fprintf(stderr, "found %ld\n", item->priority);
+
+	item = pqueue_find(pq, 2);
+	fprintf(stderr, "found %ld\n", item->priority);
+
+	item = pqueue_find(pq, 3);
+	fprintf(stderr, "found %ld\n", item ? item->priority: 0);
+
+	pqueue_print(pq);
+
+	for(item = pqueue_pop(pq); item != NULL; item = pqueue_pop(pq))
+		pitem_free(item);
+
+	pqueue_free(pq);
+	return 0;
+	}
diff --git a/crypto/openssl/crypto/pqueue/pqueue.c b/crypto/openssl/crypto/pqueue/pqueue.c
new file mode 100644
index 000000000000..5cc18527f8da
--- /dev/null
+++ b/crypto/openssl/crypto/pqueue/pqueue.c
@@ -0,0 +1,236 @@
+/* crypto/pqueue/pqueue.c */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include "pqueue.h"
+
+typedef struct _pqueue
+	{
+	pitem *items;
+	int count;
+	} pqueue_s;
+
+pitem *
+pitem_new(PQ_64BIT priority, void *data)
+	{
+	pitem *item = (pitem *) OPENSSL_malloc(sizeof(pitem));
+	if (item == NULL) return NULL;
+
+	pq_64bit_init(&(item->priority));
+	pq_64bit_assign(&item->priority, &priority);
+
+	item->data = data;
+	item->next = NULL;
+
+	return item;
+	}
+
+void
+pitem_free(pitem *item)
+	{
+	if (item == NULL) return;
+
+	pq_64bit_free(&(item->priority));
+	OPENSSL_free(item);
+	}
+
+pqueue_s *
+pqueue_new()
+	{
+	pqueue_s *pq = (pqueue_s *) OPENSSL_malloc(sizeof(pqueue_s));
+	if (pq == NULL) return NULL;
+
+	memset(pq, 0x00, sizeof(pqueue_s));
+	return pq;
+	}
+
+void
+pqueue_free(pqueue_s *pq)
+	{
+	if (pq == NULL) return;
+
+	OPENSSL_free(pq);
+	}
+
+pitem *
+pqueue_insert(pqueue_s *pq, pitem *item)
+	{
+	pitem *curr, *next;
+
+	if (pq->items == NULL)
+		{
+		pq->items = item;
+		return item;
+		}
+
+	for(curr = NULL, next = pq->items; 
+		next != NULL;
+		curr = next, next = next->next)
+		{
+		if (pq_64bit_gt(&(next->priority), &(item->priority)))
+			{
+			item->next = next;
+
+			if (curr == NULL) 
+				pq->items = item;
+			else  
+				curr->next = item;
+
+			return item;
+			}
+		/* duplicates not allowed */
+		if (pq_64bit_eq(&(item->priority), &(next->priority)))
+			return NULL;
+		}
+
+	item->next = NULL;
+	curr->next = item;
+
+	return item;
+	}
+
+pitem *
+pqueue_peek(pqueue_s *pq)
+	{
+	return pq->items;
+	}
+
+pitem *
+pqueue_pop(pqueue_s *pq)
+	{
+	pitem *item = pq->items;
+
+	if (pq->items != NULL)
+		pq->items = pq->items->next;
+
+	return item;
+	}
+
+pitem *
+pqueue_find(pqueue_s *pq, PQ_64BIT priority)
+	{
+	pitem *next, *prev = NULL;
+	pitem *found = NULL;
+
+	if ( pq->items == NULL)
+		return NULL;
+
+	for ( next = pq->items; next->next != NULL; 
+		  prev = next, next = next->next)
+		{
+		if ( pq_64bit_eq(&(next->priority), &priority))
+			{
+			found = next;
+			break;
+			}
+		}
+	
+	/* check the one last node */
+	if ( pq_64bit_eq(&(next->priority), &priority))
+		found = next;
+
+	if ( ! found)
+		return NULL;
+
+#if 0 /* find works in peek mode */
+	if ( prev == NULL)
+		pq->items = next->next;
+	else
+		prev->next = next->next;
+#endif
+
+	return found;
+	}
+
+#if PQ_64BIT_IS_INTEGER
+void
+pqueue_print(pqueue_s *pq)
+	{
+	pitem *item = pq->items;
+
+	while(item != NULL)
+		{
+		printf("item\t" PQ_64BIT_PRINT "\n", item->priority);
+		item = item->next;
+		}
+	}
+#endif
+
+pitem *
+pqueue_iterator(pqueue_s *pq)
+	{
+	return pqueue_peek(pq);
+	}
+
+pitem *
+pqueue_next(pitem **item)
+	{
+	pitem *ret;
+
+	if ( item == NULL || *item == NULL)
+		return NULL;
+
+
+	/* *item != NULL */
+	ret = *item;
+	*item = (*item)->next;
+
+	return ret;
+	}
diff --git a/crypto/openssl/crypto/pqueue/pqueue.h b/crypto/openssl/crypto/pqueue/pqueue.h
new file mode 100644
index 000000000000..02386d130e9a
--- /dev/null
+++ b/crypto/openssl/crypto/pqueue/pqueue.h
@@ -0,0 +1,95 @@
+/* crypto/pqueue/pqueue.h */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_PQUEUE_H
+#define HEADER_PQUEUE_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/pq_compat.h>
+
+typedef struct _pqueue *pqueue;
+
+typedef struct _pitem
+	{
+	PQ_64BIT priority;
+	void *data;
+	struct _pitem *next;
+	} pitem;
+
+typedef struct _pitem *piterator;
+
+pitem *pitem_new(PQ_64BIT priority, void *data);
+void   pitem_free(pitem *item);
+
+pqueue pqueue_new(void);
+void   pqueue_free(pqueue pq);
+
+pitem *pqueue_insert(pqueue pq, pitem *item);
+pitem *pqueue_peek(pqueue pq);
+pitem *pqueue_pop(pqueue pq);
+pitem *pqueue_find(pqueue pq, PQ_64BIT priority);
+pitem *pqueue_iterator(pqueue pq);
+pitem *pqueue_next(piterator *iter);
+
+void   pqueue_print(pqueue pq);
+
+#endif /* ! HEADER_PQUEUE_H */
diff --git a/crypto/openssl/crypto/rand/Makefile b/crypto/openssl/crypto/rand/Makefile
index 4ab4b9c7b00f..3c1ab5bbaef3 100644
--- a/crypto/openssl/crypto/rand/Makefile
+++ b/crypto/openssl/crypto/rand/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rand/Makefile
+# OpenSSL/crypto/rand/Makefile
 #
 
 DIR=	rand
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -23,9 +18,9 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC=md_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c \
-	rand_win.c rand_unix.c rand_os2.c
+	rand_win.c rand_unix.c rand_os2.c rand_nw.c
 LIBOBJ=md_rand.o randfile.o rand_lib.o rand_err.o rand_egd.o \
-	rand_win.o rand_unix.o rand_os2.o
+	rand_win.o rand_unix.o rand_os2.o rand_nw.o
 
 SRC= $(LIBSRC)
 
@@ -53,7 +48,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -68,6 +64,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -79,26 +76,16 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-md_rand.o: ../../e_os.h ../../include/openssl/aes.h
-md_rand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-md_rand.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-md_rand.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-md_rand.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-md_rand.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+md_rand.o: ../../e_os.h ../../include/openssl/asn1.h
+md_rand.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 md_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-md_rand.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-md_rand.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-md_rand.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-md_rand.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+md_rand.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 md_rand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 md_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 md_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-md_rand.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-md_rand.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-md_rand.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-md_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-md_rand.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-md_rand.o: ../../include/openssl/ui_compat.h md_rand.c rand_lcl.h
+md_rand.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+md_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+md_rand.o: md_rand.c rand_lcl.h
 rand_egd.o: ../../include/openssl/buffer.h ../../include/openssl/e_os2.h
 rand_egd.o: ../../include/openssl/opensslconf.h
 rand_egd.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
@@ -110,83 +97,59 @@ rand_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rand_err.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 rand_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 rand_err.o: rand_err.c
-rand_lib.o: ../../e_os.h ../../include/openssl/asn1.h
-rand_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rand_lib.o: ../../e_os.h ../../include/openssl/bio.h
 rand_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rand_lib.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-rand_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 rand_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-rand_lib.o: ../../include/openssl/err.h ../../include/openssl/fips.h
-rand_lib.o: ../../include/openssl/fips_rand.h ../../include/openssl/lhash.h
+rand_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 rand_lib.o: ../../include/openssl/opensslconf.h
 rand_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rand_lib.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-rand_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rand_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-rand_lib.o: ../../include/openssl/ui_compat.h ../cryptlib.h rand_lib.c
-rand_os2.o: ../../e_os.h ../../include/openssl/aes.h
-rand_os2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-rand_os2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-rand_os2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-rand_os2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-rand_os2.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-rand_os2.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+rand_lib.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rand_lib.o: ../cryptlib.h rand_lib.c
+rand_nw.o: ../../e_os.h ../../include/openssl/asn1.h
+rand_nw.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+rand_nw.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+rand_nw.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rand_nw.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rand_nw.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rand_nw.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rand_nw.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+rand_nw.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rand_nw.o: ../../include/openssl/symhacks.h ../cryptlib.h rand_lcl.h rand_nw.c
+rand_os2.o: ../../e_os.h ../../include/openssl/asn1.h
+rand_os2.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+rand_os2.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 rand_os2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-rand_os2.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-rand_os2.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-rand_os2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-rand_os2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-rand_os2.o: ../../include/openssl/opensslconf.h
+rand_os2.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rand_os2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 rand_os2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rand_os2.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-rand_os2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-rand_os2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-rand_os2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-rand_os2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rand_os2.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-rand_os2.o: ../cryptlib.h rand_lcl.h rand_os2.c
-rand_unix.o: ../../e_os.h ../../include/openssl/aes.h
-rand_unix.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-rand_unix.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-rand_unix.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-rand_unix.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-rand_unix.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-rand_unix.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+rand_os2.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+rand_os2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rand_os2.o: ../../include/openssl/symhacks.h ../cryptlib.h rand_lcl.h
+rand_os2.o: rand_os2.c
+rand_unix.o: ../../e_os.h ../../include/openssl/asn1.h
+rand_unix.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+rand_unix.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 rand_unix.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-rand_unix.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-rand_unix.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-rand_unix.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-rand_unix.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rand_unix.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rand_unix.o: ../../include/openssl/objects.h
 rand_unix.o: ../../include/openssl/opensslconf.h
 rand_unix.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rand_unix.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-rand_unix.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-rand_unix.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-rand_unix.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-rand_unix.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rand_unix.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-rand_unix.o: ../cryptlib.h rand_lcl.h rand_unix.c
-rand_win.o: ../../e_os.h ../../include/openssl/aes.h
-rand_win.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-rand_win.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-rand_win.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-rand_win.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-rand_win.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-rand_win.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+rand_unix.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+rand_unix.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rand_unix.o: ../../include/openssl/symhacks.h ../cryptlib.h rand_lcl.h
+rand_unix.o: rand_unix.c
+rand_win.o: ../../e_os.h ../../include/openssl/asn1.h
+rand_win.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+rand_win.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 rand_win.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-rand_win.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-rand_win.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-rand_win.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-rand_win.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-rand_win.o: ../../include/openssl/opensslconf.h
+rand_win.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rand_win.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 rand_win.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rand_win.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-rand_win.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-rand_win.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-rand_win.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-rand_win.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rand_win.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-rand_win.o: ../cryptlib.h rand_lcl.h rand_win.c
+rand_win.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+rand_win.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rand_win.o: ../../include/openssl/symhacks.h ../cryptlib.h rand_lcl.h
+rand_win.o: rand_win.c
 randfile.o: ../../e_os.h ../../include/openssl/buffer.h
 randfile.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 randfile.o: ../../include/openssl/opensslconf.h
diff --git a/crypto/openssl/crypto/rand/md_rand.c b/crypto/openssl/crypto/rand/md_rand.c
index c84968df88fe..6e10f6ef6761 100644
--- a/crypto/openssl/crypto/rand/md_rand.c
+++ b/crypto/openssl/crypto/rand/md_rand.c
@@ -126,7 +126,6 @@
 
 #include <openssl/crypto.h>
 #include <openssl/err.h>
-#include <openssl/fips.h>
 
 #ifdef BN_DEBUG
 # define PREDICT
@@ -301,7 +300,7 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 	 * other thread's seeding remains without effect (except for
 	 * the incremented counter).  By XORing it we keep at least as
 	 * much entropy as fits into md. */
-	for (k = 0; k < sizeof md; k++)
+	for (k = 0; k < (int)sizeof(md); k++)
 		{
 		md[k] ^= local_md[k];
 		}
@@ -316,7 +315,7 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 
 static void ssleay_rand_seed(const void *buf, int num)
 	{
-	ssleay_rand_add(buf, num, num);
+	ssleay_rand_add(buf, num, (double)num);
 	}
 
 static int ssleay_rand_bytes(unsigned char *buf, int num)
@@ -333,14 +332,6 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 #endif
 	int do_stir_pool = 0;
 
-#ifdef OPENSSL_FIPS
-	if(FIPS_mode())
-	    {
-	    FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD);
-	    return 0;
-	    }
-#endif
-
 #ifdef PREDICT
 	if (rand_predictable)
 		{
@@ -529,7 +520,7 @@ static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num)
 		err = ERR_peek_error();
 		if (ERR_GET_LIB(err) == ERR_LIB_RAND &&
 		    ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED)
-			(void)ERR_get_error();
+			ERR_clear_error();
 		}
 	return (ret);
 	}
diff --git a/crypto/openssl/crypto/rand/rand.h b/crypto/openssl/crypto/rand/rand.h
index 604df9be6c38..ac6c0217636f 100644
--- a/crypto/openssl/crypto/rand/rand.h
+++ b/crypto/openssl/crypto/rand/rand.h
@@ -72,10 +72,13 @@ extern "C" {
 #endif
 
 #if defined(OPENSSL_FIPS)
-#define FIPS_RAND_SIZE_T int
+#define FIPS_RAND_SIZE_T size_t
 #endif
 
-typedef struct rand_meth_st
+/* Already defined in ossl_typ.h */
+/* typedef struct rand_meth_st RAND_METHOD; */
+
+struct rand_meth_st
 	{
 	void (*seed)(const void *buf, int num);
 	int (*bytes)(unsigned char *buf, int num);
@@ -83,7 +86,7 @@ typedef struct rand_meth_st
 	void (*add)(const void *buf, int num, double entropy);
 	int (*pseudorand)(unsigned char *buf, int num);
 	int (*status)(void);
-	} RAND_METHOD;
+	};
 
 #ifdef BN_DEBUG
 extern int rand_predictable;
@@ -125,17 +128,11 @@ void ERR_load_RAND_strings(void);
 /* Error codes for the RAND functions. */
 
 /* Function codes. */
-#define RAND_F_FIPS_RAND_BYTES				 102
 #define RAND_F_RAND_GET_RAND_METHOD			 101
 #define RAND_F_SSLEAY_RAND_BYTES			 100
 
 /* Reason codes. */
-#define RAND_R_NON_FIPS_METHOD				 101
-#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH			 105
-#define RAND_R_PRNG_NOT_REKEYED				 103
-#define RAND_R_PRNG_NOT_RESEEDED			 104
 #define RAND_R_PRNG_NOT_SEEDED				 100
-#define RAND_R_PRNG_STUCK				 102
 
 #ifdef  __cplusplus
 }
diff --git a/crypto/openssl/crypto/rand/rand_egd.c b/crypto/openssl/crypto/rand/rand_egd.c
index 3ec2eabc2bab..50bce6cabae8 100644
--- a/crypto/openssl/crypto/rand/rand_egd.c
+++ b/crypto/openssl/crypto/rand/rand_egd.c
@@ -95,7 +95,7 @@
  *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
  */
 
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_VOS)
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS)
 int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
 	{
 	return(-1);
@@ -216,7 +216,9 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
 	    while (numbytes != 1)
 		{
 	        num = read(fd, egdbuf, 1);
-	        if (num >= 0)
+	        if (num == 0)
+			goto err;	/* descriptor closed */
+		else if (num > 0)
 		    numbytes += num;
 	    	else
 		    {
@@ -246,7 +248,9 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
 	    while (numbytes != egdbuf[0])
 		{
 	        num = read(fd, retrievebuf + numbytes, egdbuf[0] - numbytes);
-	        if (num >= 0)
+		if (num == 0)
+			goto err;	/* descriptor closed */
+	        else if (num > 0)
 		    numbytes += num;
 	    	else
 		    {
diff --git a/crypto/openssl/crypto/rand/rand_err.c b/crypto/openssl/crypto/rand/rand_err.c
index 95574659acee..b2f2448b667c 100644
--- a/crypto/openssl/crypto/rand/rand_err.c
+++ b/crypto/openssl/crypto/rand/rand_err.c
@@ -1,6 +1,6 @@
 /* crypto/rand/rand_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,22 +64,20 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RAND,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RAND,0,reason)
+
 static ERR_STRING_DATA RAND_str_functs[]=
 	{
-{ERR_PACK(0,RAND_F_FIPS_RAND_BYTES,0),	"FIPS_RAND_BYTES"},
-{ERR_PACK(0,RAND_F_RAND_GET_RAND_METHOD,0),	"RAND_get_rand_method"},
-{ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0),	"SSLEAY_RAND_BYTES"},
+{ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD),	"RAND_get_rand_method"},
+{ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES),	"SSLEAY_RAND_BYTES"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA RAND_str_reasons[]=
 	{
-{RAND_R_NON_FIPS_METHOD                  ,"non fips method"},
-{RAND_R_PRNG_ASKING_FOR_TOO_MUCH         ,"prng asking for too much"},
-{RAND_R_PRNG_NOT_REKEYED                 ,"prng not rekeyed"},
-{RAND_R_PRNG_NOT_RESEEDED                ,"prng not reseeded"},
-{RAND_R_PRNG_NOT_SEEDED                  ,"PRNG not seeded"},
-{RAND_R_PRNG_STUCK                       ,"prng stuck"},
+{ERR_REASON(RAND_R_PRNG_NOT_SEEDED)      ,"PRNG not seeded"},
 {0,NULL}
 	};
 
@@ -93,8 +91,8 @@ void ERR_load_RAND_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_RAND,RAND_str_functs);
-		ERR_load_strings(ERR_LIB_RAND,RAND_str_reasons);
+		ERR_load_strings(0,RAND_str_functs);
+		ERR_load_strings(0,RAND_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/rand/rand_lib.c b/crypto/openssl/crypto/rand/rand_lib.c
index 88f1b56d91e2..513e3389859e 100644
--- a/crypto/openssl/crypto/rand/rand_lib.c
+++ b/crypto/openssl/crypto/rand/rand_lib.c
@@ -63,8 +63,6 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
-#include <openssl/fips.h>
-#include <openssl/fips_rand.h>
 
 #ifndef OPENSSL_NO_ENGINE
 /* non-NULL if default_RAND_meth is ENGINE-provided */
@@ -87,16 +85,6 @@ int RAND_set_rand_method(const RAND_METHOD *meth)
 
 const RAND_METHOD *RAND_get_rand_method(void)
 	{
-#ifdef OPENSSL_FIPS
-	if(FIPS_mode()
-		&& default_RAND_meth != FIPS_rand_check())
-	    {
-	    RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
-	    return 0;
-	    }
-#endif
-
-
 	if (!default_RAND_meth)
 		{
 #ifndef OPENSSL_NO_ENGINE
diff --git a/crypto/openssl/crypto/rand/rand_nw.c b/crypto/openssl/crypto/rand/rand_nw.c
new file mode 100644
index 000000000000..ba5781278875
--- /dev/null
+++ b/crypto/openssl/crypto/rand/rand_nw.c
@@ -0,0 +1,176 @@
+/* crypto/rand/rand_nw.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#include "rand_lcl.h"
+
+#if defined (OPENSSL_SYS_NETWARE)
+
+#if defined(NETWARE_LIBC)
+#include <nks/thread.h>
+#endif
+
+extern long RunningProcess;
+
+   /* the FAQ indicates we need to provide at least 20 bytes (160 bits) of seed
+   */
+int RAND_poll(void)
+{
+   unsigned long l;
+   unsigned long tsc;
+   int i; 
+
+      /* There are several options to gather miscellaneous data
+       * but for now we will loop checking the time stamp counter (rdtsc) and
+       * the SuperHighResolutionTimer.  Each iteration will collect 8 bytes
+       * of data but it is treated as only 1 byte of entropy.  The call to
+       * ThreadSwitchWithDelay() will introduce additional variability into
+       * the data returned by rdtsc.
+       *
+       * Applications can agument the seed material by adding additional
+       * stuff with RAND_add() and should probably do so.
+      */
+   l = GetProcessSwitchCount();
+   RAND_add(&l,sizeof(l),1);
+   
+   l=RunningProcess;
+   RAND_add(&l,sizeof(l),1);
+
+   for( i=2; i<ENTROPY_NEEDED; i++)
+   {
+#ifdef __MWERKS__
+      asm 
+      {
+         rdtsc
+         mov tsc, eax        
+      }
+#else
+      asm volatile("rdtsc":"=A" (tsc));
+#endif
+
+      RAND_add(&tsc, sizeof(tsc), 1);
+
+      l = GetSuperHighResolutionTimer();
+      RAND_add(&l, sizeof(l), 0);
+
+# if defined(NETWARE_LIBC)
+      NXThreadYield();
+# else /* NETWARE_CLIB */
+      ThreadSwitchWithDelay();
+# endif
+   }
+
+   return 1;
+}
+
+#endif 
+
diff --git a/crypto/openssl/crypto/rand/rand_unix.c b/crypto/openssl/crypto/rand/rand_unix.c
index 0599719dd1d0..5d031d93af9e 100644
--- a/crypto/openssl/crypto/rand/rand_unix.c
+++ b/crypto/openssl/crypto/rand/rand_unix.c
@@ -108,6 +108,7 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+#include <stdio.h>
 
 #define USE_SOCKETS
 #include "e_os.h"
@@ -115,11 +116,12 @@
 #include <openssl/rand.h>
 #include "rand_lcl.h"
 
-#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS))
+#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)) 
 
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/times.h>
+#include <sys/stat.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <time.h>
@@ -151,9 +153,10 @@ int RAND_poll(void)
 	int n = 0;
 #endif
 #ifdef DEVRANDOM
-	static const char *randomfiles[] = { DEVRANDOM, NULL };
-	const char **randomfile = NULL;
+	static const char *randomfiles[] = { DEVRANDOM };
+	struct stat randomstats[sizeof(randomfiles)/sizeof(randomfiles[0])];
 	int fd;
+	size_t i;
 #endif
 #ifdef DEVRANDOM_EGD
 	static const char *egdsockets[] = { DEVRANDOM_EGD, NULL };
@@ -161,26 +164,43 @@ int RAND_poll(void)
 #endif
 
 #ifdef DEVRANDOM
+	memset(randomstats,0,sizeof(randomstats));
 	/* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
 	 * have this. Use /dev/urandom if you can as /dev/random may block
 	 * if it runs out of random entries.  */
 
-	for (randomfile = randomfiles; *randomfile && n < ENTROPY_NEEDED; randomfile++)
+	for (i=0; i<sizeof(randomfiles)/sizeof(randomfiles[0]) && n < ENTROPY_NEEDED; i++)
 		{
-		if ((fd = open(*randomfile, O_RDONLY|O_NONBLOCK
+		if ((fd = open(randomfiles[i], O_RDONLY
+#ifdef O_NONBLOCK
+			|O_NONBLOCK
+#endif
+#ifdef O_BINARY
+			|O_BINARY
+#endif
 #ifdef O_NOCTTY /* If it happens to be a TTY (god forbid), do not make it
 		   our controlling tty */
 			|O_NOCTTY
 #endif
-#ifdef O_NOFOLLOW /* Fail if the file is a symbolic link */
-			|O_NOFOLLOW
-#endif
 			)) >= 0)
 			{
 			struct timeval t = { 0, 10*1000 }; /* Spend 10ms on
 							      each file. */
 			int r;
+			size_t j;
 			fd_set fset;
+			struct stat *st=&randomstats[i];
+
+			/* Avoid using same input... Used to be O_NOFOLLOW
+			 * above, but it's not universally appropriate... */
+			if (fstat(fd,st) != 0)	{ close(fd); continue; }
+			for (j=0;j<i;j++)
+				{
+				if (randomstats[j].st_ino==st->st_ino &&
+				    randomstats[j].st_dev==st->st_dev)
+					break;
+				}
+			if (j<i)		{ close(fd); continue; }
 
 			do
 				{
@@ -232,19 +252,19 @@ int RAND_poll(void)
 #if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
 	if (n > 0)
 		{
-		RAND_add(tmpbuf,sizeof tmpbuf,n);
+		RAND_add(tmpbuf,sizeof tmpbuf,(double)n);
 		OPENSSL_cleanse(tmpbuf,n);
 		}
 #endif
 
 	/* put in some default random data, we need more than just this */
 	l=curr_pid;
-	RAND_add(&l,sizeof(l),0);
+	RAND_add(&l,sizeof(l),0.0);
 	l=getuid();
-	RAND_add(&l,sizeof(l),0);
+	RAND_add(&l,sizeof(l),0.0);
 
 	l=time(NULL);
-	RAND_add(&l,sizeof(l),0);
+	RAND_add(&l,sizeof(l),0.0);
 
 #if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
 	return 1;
diff --git a/crypto/openssl/crypto/rand/rand_vms.c b/crypto/openssl/crypto/rand/rand_vms.c
index 29b2d7af0b01..1267a3acae7c 100644
--- a/crypto/openssl/crypto/rand/rand_vms.c
+++ b/crypto/openssl/crypto/rand/rand_vms.c
@@ -101,11 +101,12 @@ int RAND_poll(void)
 	pitem = item;
 
 	/* Setup */
-	while (pitems_data->length)
+	while (pitems_data->length
+		&& (total_length + pitems_data->length <= 256))
 		{
 		pitem->length = pitems_data->length;
 		pitem->code = pitems_data->code;
-		pitem->buffer = (long *)data_buffer[total_length];
+		pitem->buffer = (long *)&data_buffer[total_length];
 		pitem->retlen = 0;
 		total_length += pitems_data->length;
 		pitems_data++;
diff --git a/crypto/openssl/crypto/rand/rand_win.c b/crypto/openssl/crypto/rand/rand_win.c
index aaea92c8fd00..00dbe4232cc1 100644
--- a/crypto/openssl/crypto/rand/rand_win.c
+++ b/crypto/openssl/crypto/rand/rand_win.c
@@ -121,6 +121,10 @@
 #include <wincrypt.h>
 #include <tlhelp32.h>
 
+/* Limit the time spent walking through the heap, processes, threads and modules to
+   a maximum of 1000 miliseconds each, unless CryptoGenRandom failed */
+#define MAXDELAY 1000
+
 /* Intel hardware RNG CSP -- available from
  * http://developer.intel.com/design/security/rng/redist_license.htm
  */
@@ -152,6 +156,7 @@ typedef struct tagCURSORINFO
 #define CURSOR_SHOWING     0x00000001
 #endif /* CURSOR_SHOWING */
 
+#if !defined(OPENSSL_SYS_WINCE)
 typedef BOOL (WINAPI *CRYPTACQUIRECONTEXTW)(HCRYPTPROV *, LPCWSTR, LPCWSTR,
 				    DWORD, DWORD);
 typedef BOOL (WINAPI *CRYPTGENRANDOM)(HCRYPTPROV, DWORD, BYTE *);
@@ -163,7 +168,7 @@ typedef DWORD (WINAPI *GETQUEUESTATUS)(UINT);
 
 typedef HANDLE (WINAPI *CREATETOOLHELP32SNAPSHOT)(DWORD, DWORD);
 typedef BOOL (WINAPI *CLOSETOOLHELP32SNAPSHOT)(HANDLE);
-typedef BOOL (WINAPI *HEAP32FIRST)(LPHEAPENTRY32, DWORD, DWORD);
+typedef BOOL (WINAPI *HEAP32FIRST)(LPHEAPENTRY32, DWORD, size_t);
 typedef BOOL (WINAPI *HEAP32NEXT)(LPHEAPENTRY32);
 typedef BOOL (WINAPI *HEAP32LIST)(HANDLE, LPHEAPLIST32);
 typedef BOOL (WINAPI *PROCESS32)(HANDLE, LPPROCESSENTRY32);
@@ -171,9 +176,7 @@ typedef BOOL (WINAPI *THREAD32)(HANDLE, LPTHREADENTRY32);
 typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32);
 
 #include <lmcons.h>
-#ifndef OPENSSL_SYS_WINCE
 #include <lmstats.h>
-#endif
 #if 1 /* The NET API is Unicode only.  It requires the use of the UNICODE
        * macro.  When UNICODE is defined LPTSTR becomes LPWSTR.  LMSTR was
        * was added to the Platform SDK to allow the NET API to be used in
@@ -184,26 +187,14 @@ typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET)
         (LPWSTR, LPWSTR, DWORD, DWORD, LPBYTE*);
 typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE);
 #endif /* 1 */
+#endif /* !OPENSSL_SYS_WINCE */
 
 int RAND_poll(void)
 {
 	MEMORYSTATUS m;
 	HCRYPTPROV hProvider = 0;
-	BYTE buf[64];
 	DWORD w;
-	HWND h;
-
-	HMODULE advapi, kernel, user, netapi;
-	CRYPTACQUIRECONTEXTW acquire = 0;
-	CRYPTGENRANDOM gen = 0;
-	CRYPTRELEASECONTEXT release = 0;
-#if 1 /* There was previously a problem with NETSTATGET.  Currently, this
-       * section is still experimental, but if all goes well, this conditional
-       * will be removed
-       */
-	NETSTATGET netstatget = 0;
-	NETFREE netfree = 0;
-#endif /* 1 */
+	int good = 0;
 
 	/* Determine the OS version we are on so we can turn off things 
 	 * that do not work properly.
@@ -212,21 +203,24 @@ int RAND_poll(void)
         osverinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO) ;
         GetVersionEx( &osverinfo ) ;
 
-#if defined(OPENSSL_SYS_WINCE) && WCEPLATFORM!=MS_HPC_PRO
-#ifndef CryptAcquireContext
-#define CryptAcquireContext CryptAcquireContextW
-#endif
+#if defined(OPENSSL_SYS_WINCE)
+# if defined(_WIN32_WCE) && _WIN32_WCE>=300
+/* Even though MSDN says _WIN32_WCE>=210, it doesn't seem to be available
+ * in commonly available implementations prior 300... */
+	{
+	BYTE buf[64];
 	/* poll the CryptoAPI PRNG */
 	/* The CryptoAPI returns sizeof(buf) bytes of randomness */
-	if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
+	if (CryptAcquireContextW(&hProvider, NULL, NULL, PROV_RSA_FULL,
+				CRYPT_VERIFYCONTEXT))
 		{
 		if (CryptGenRandom(hProvider, sizeof(buf), buf))
 			RAND_add(buf, sizeof(buf), sizeof(buf));
 		CryptReleaseContext(hProvider, 0); 
 		}
-#endif
-
-#ifndef OPENSSL_SYS_WINCE
+	}
+# endif
+#else	/* OPENSSL_SYS_WINCE */
 	/*
 	 * None of below libraries are present on Windows CE, which is
 	 * why we #ifndef the whole section. This also excuses us from
@@ -240,17 +234,19 @@ int RAND_poll(void)
 	 * implement own shim routine, which would accept ANSI argument
 	 * and expand it to Unicode.
 	 */
-
+	{
 	/* load functions dynamically - not available on all systems */
-	advapi = LoadLibrary(TEXT("ADVAPI32.DLL"));
-	kernel = LoadLibrary(TEXT("KERNEL32.DLL"));
-	user = LoadLibrary(TEXT("USER32.DLL"));
-	netapi = LoadLibrary(TEXT("NETAPI32.DLL"));
-
-#if 1 /* There was previously a problem with NETSTATGET.  Currently, this
-       * section is still experimental, but if all goes well, this conditional
-       * will be removed
-       */
+	HMODULE advapi = LoadLibrary(TEXT("ADVAPI32.DLL"));
+	HMODULE kernel = LoadLibrary(TEXT("KERNEL32.DLL"));
+	HMODULE user = NULL;
+	HMODULE netapi = LoadLibrary(TEXT("NETAPI32.DLL"));
+	CRYPTACQUIRECONTEXTW acquire = NULL;
+	CRYPTGENRANDOM gen = NULL;
+	CRYPTRELEASECONTEXT release = NULL;
+	NETSTATGET netstatget = NULL;
+	NETFREE netfree = NULL;
+	BYTE buf[64];
+
 	if (netapi)
 		{
 		netstatget = (NETSTATGET) GetProcAddress(netapi,"NetStatisticsGet");
@@ -280,7 +276,6 @@ int RAND_poll(void)
 
 	if (netapi)
 		FreeLibrary(netapi);
-#endif /* 1 */
 
         /* It appears like this can cause an exception deep within ADVAPI32.DLL
          * at random times on Windows 2000.  Reported by Jeffrey Altman.  
@@ -356,12 +351,13 @@ int RAND_poll(void)
 		{
 		/* poll the CryptoAPI PRNG */
                 /* The CryptoAPI returns sizeof(buf) bytes of randomness */
-		if (acquire(&hProvider, 0, 0, PROV_RSA_FULL,
+		if (acquire(&hProvider, NULL, NULL, PROV_RSA_FULL,
 			CRYPT_VERIFYCONTEXT))
 			{
 			if (gen(hProvider, sizeof(buf), buf) != 0)
 				{
 				RAND_add(buf, sizeof(buf), 0);
+				good = 1;
 #if 0
 				printf("randomness from PROV_RSA_FULL\n");
 #endif
@@ -375,6 +371,7 @@ int RAND_poll(void)
 			if (gen(hProvider, sizeof(buf), buf) != 0)
 				{
 				RAND_add(buf, sizeof(buf), sizeof(buf));
+				good = 1;
 #if 0
 				printf("randomness from PROV_INTEL_SEC\n");
 #endif
@@ -386,7 +383,9 @@ int RAND_poll(void)
         if (advapi)
 		FreeLibrary(advapi);
 
-	if (user)
+	if ((osverinfo.dwPlatformId != VER_PLATFORM_WIN32_NT ||
+	     !OPENSSL_isservice()) &&
+	    (user = LoadLibrary(TEXT("USER32.DLL"))))
 		{
 		GETCURSORINFO cursor;
 		GETFOREGROUNDWINDOW win;
@@ -399,7 +398,7 @@ int RAND_poll(void)
 		if (win)
 			{
 			/* window handle */
-			h = win();
+			HWND h = win();
 			RAND_add(&h, sizeof(h), 0);
 			}
 		if (cursor)
@@ -464,6 +463,7 @@ int RAND_poll(void)
 		PROCESSENTRY32 p;
 		THREADENTRY32 t;
 		MODULEENTRY32 m;
+		DWORD stoptime = 0;
 
 		snap = (CREATETOOLHELP32SNAPSHOT)
 			GetProcAddress(kernel, "CreateToolhelp32Snapshot");
@@ -495,6 +495,7 @@ int RAND_poll(void)
                          * of entropy.
                          */
 			hlist.dwSize = sizeof(HEAPLIST32);		
+			if (good) stoptime = GetTickCount() + MAXDELAY;
 			if (heaplist_first(handle, &hlist))
 				do
 					{
@@ -512,18 +513,20 @@ int RAND_poll(void)
 							&& --entrycnt > 0);
 						}
 					} while (heaplist_next(handle,
-						&hlist));
-			
+						&hlist) && GetTickCount() < stoptime);
+
 			/* process walking */
                         /* PROCESSENTRY32 contains 9 fields that will change
                          * with each entry.  Consider each field a source of
                          * 1 byte of entropy.
                          */
 			p.dwSize = sizeof(PROCESSENTRY32);
+		
+			if (good) stoptime = GetTickCount() + MAXDELAY;
 			if (process_first(handle, &p))
 				do
 					RAND_add(&p, p.dwSize, 9);
-				while (process_next(handle, &p));
+				while (process_next(handle, &p) && GetTickCount() < stoptime);
 
 			/* thread walking */
                         /* THREADENTRY32 contains 6 fields that will change
@@ -531,10 +534,11 @@ int RAND_poll(void)
                          * 1 byte of entropy.
                          */
 			t.dwSize = sizeof(THREADENTRY32);
+			if (good) stoptime = GetTickCount() + MAXDELAY;
 			if (thread_first(handle, &t))
 				do
 					RAND_add(&t, t.dwSize, 6);
-				while (thread_next(handle, &t));
+				while (thread_next(handle, &t) && GetTickCount() < stoptime);
 
 			/* module walking */
                         /* MODULEENTRY32 contains 9 fields that will change
@@ -542,18 +546,22 @@ int RAND_poll(void)
                          * 1 byte of entropy.
                          */
 			m.dwSize = sizeof(MODULEENTRY32);
+			if (good) stoptime = GetTickCount() + MAXDELAY;
 			if (module_first(handle, &m))
 				do
 					RAND_add(&m, m.dwSize, 9);
-				while (module_next(handle, &m));
+				while (module_next(handle, &m)
+					       	&& (GetTickCount() < stoptime));
 			if (close_snap)
 				close_snap(handle);
 			else
 				CloseHandle(handle);
+
 			}
 
 		FreeLibrary(kernel);
 		}
+	}
 #endif /* !OPENSSL_SYS_WINCE */
 
 	/* timer data */
@@ -680,7 +688,7 @@ static void readtimer(void)
 
 static void readscreen(void)
 {
-#ifndef OPENSSL_SYS_WINCE
+#if !defined(OPENSSL_SYS_WINCE) && !defined(OPENSSL_SYS_WIN32_CYGWIN)
   HDC		hScrDC;		/* screen DC */
   HDC		hMemDC;		/* memory DC */
   HBITMAP	hBitmap;	/* handle for our bitmap */
@@ -693,6 +701,9 @@ static void readscreen(void)
   int		y;		/* y-coordinate of screen lines to grab */
   int		n = 16;		/* number of screen lines to grab at a time */
 
+  if (GetVersion() >= 0x80000000 || !OPENSSL_isservice())
+    return;
+
   /* Create a screen DC and a memory DC compatible to screen DC */
   hScrDC = CreateDC(TEXT("DISPLAY"), NULL, NULL, NULL);
   hMemDC = CreateCompatibleDC(hScrDC);
diff --git a/crypto/openssl/crypto/rand/randfile.c b/crypto/openssl/crypto/rand/randfile.c
index c7fba496a835..d69bdf8b8a04 100644
--- a/crypto/openssl/crypto/rand/randfile.c
+++ b/crypto/openssl/crypto/rand/randfile.c
@@ -57,7 +57,7 @@
  */
 
 /* We need to define this to get macros like S_IFBLK and S_IFCHR */
-#define _XOPEN_SOURCE 1
+#define _XOPEN_SOURCE 500
 
 #include <errno.h>
 #include <stdio.h>
@@ -104,7 +104,7 @@ int RAND_load_file(const char *file, long bytes)
 
 	i=stat(file,&sb);
 	/* If the state fails, put some crap in anyway */
-	RAND_add(&sb,sizeof(sb),0);
+	RAND_add(&sb,sizeof(sb),0.0);
 	if (i < 0) return(0);
 	if (bytes == 0) return(ret);
 
@@ -129,7 +129,7 @@ int RAND_load_file(const char *file, long bytes)
 		i=fread(buf,1,n,in);
 		if (i <= 0) break;
 		/* even if n != i, use the full array */
-		RAND_add(buf,n,i);
+		RAND_add(buf,n,(double)i);
 		ret+=i;
 		if (bytes > 0)
 			{
diff --git a/crypto/openssl/crypto/rand/randtest.c b/crypto/openssl/crypto/rand/randtest.c
index 701932e6ee28..9e92a70b033c 100644
--- a/crypto/openssl/crypto/rand/randtest.c
+++ b/crypto/openssl/crypto/rand/randtest.c
@@ -65,7 +65,7 @@
 /* some FIPS 140-1 random number test */
 /* some simple tests */
 
-int main()
+int main(int argc,char **argv)
 	{
 	unsigned char buf[2500];
 	int i,j,k,s,sign,nsign,err=0;
@@ -211,6 +211,9 @@ int main()
 	printf("test 4 done\n");
  err:
 	err=((err)?1:0);
+#ifdef OPENSSL_SYS_NETWARE
+    if (err) printf("ERROR: %d\n", err);
+#endif
 	EXIT(err);
 	return(err);
 	}
diff --git a/crypto/openssl/crypto/rc2/Makefile b/crypto/openssl/crypto/rc2/Makefile
index 982b9c911df0..73eac347e7fd 100644
--- a/crypto/openssl/crypto/rc2/Makefile
+++ b/crypto/openssl/crypto/rc2/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rc2/Makefile
+# OpenSSL/crypto/rc2/Makefile
 #
 
 DIR=	rc2
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -51,7 +46,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -66,6 +62,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
diff --git a/crypto/openssl/crypto/rc2/rc2.h b/crypto/openssl/crypto/rc2/rc2.h
index 7816b454dcdf..34c83623172f 100644
--- a/crypto/openssl/crypto/rc2/rc2.h
+++ b/crypto/openssl/crypto/rc2/rc2.h
@@ -59,6 +59,7 @@
 #ifndef HEADER_RC2_H
 #define HEADER_RC2_H
 
+#include <openssl/opensslconf.h> /* OPENSSL_NO_RC2, RC2_INT */
 #ifdef OPENSSL_NO_RC2
 #error RC2 is disabled.
 #endif
@@ -66,7 +67,6 @@
 #define RC2_ENCRYPT	1
 #define RC2_DECRYPT	0
 
-#include <openssl/opensslconf.h> /* RC2_INT */
 #define RC2_BLOCK	8
 #define RC2_KEY_LENGTH	16
 
diff --git a/crypto/openssl/crypto/rc2/rc2_skey.c b/crypto/openssl/crypto/rc2/rc2_skey.c
index cab3080c73dc..49536420566b 100644
--- a/crypto/openssl/crypto/rc2/rc2_skey.c
+++ b/crypto/openssl/crypto/rc2/rc2_skey.c
@@ -84,6 +84,10 @@ static unsigned char key_table[256]={
 	0xfe,0x7f,0xc1,0xad,
 	};
 
+#if defined(_MSC_VER) && defined(_ARM_)
+#pragma optimize("g",off)
+#endif
+
 /* It has come to my attention that there are 2 versions of the RC2
  * key schedule.  One which is normal, and anther which has a hook to
  * use a reduced key length.
@@ -136,3 +140,6 @@ void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
 		*(ki--)=((k[i]<<8)|k[i-1])&0xffff;
 	}
 
+#if defined(_MSC_VER)
+#pragma optimize("",on)
+#endif
diff --git a/crypto/openssl/crypto/rc2/rc2speed.c b/crypto/openssl/crypto/rc2/rc2speed.c
index 47d34b444e5b..85cf6f65bf15 100644
--- a/crypto/openssl/crypto/rc2/rc2speed.c
+++ b/crypto/openssl/crypto/rc2/rc2speed.c
@@ -69,7 +69,10 @@
 #include OPENSSL_UNISTD_IO
 OPENSSL_DECLARE_EXIT
 
+#ifndef OPENSSL_SYS_NETWARE
 #include <signal.h>
+#endif
+
 #ifndef _IRIX
 #include <time.h>
 #endif
@@ -102,10 +105,10 @@ OPENSSL_DECLARE_EXIT
 #ifndef HZ
 #ifndef CLK_TCK
 #define HZ	100.0
-#endif
-#else /* CLK_TCK */
+#else	/* CLK_TCK */
 #define HZ ((double)CLK_TCK)
-#endif
+#endif	/* CLK_TCK */
+#endif	/* HZ */
 
 #define BUFSIZE	((long)1024)
 long run=0;
diff --git a/crypto/openssl/crypto/rc2/rc2test.c b/crypto/openssl/crypto/rc2/rc2test.c
index b67bafb49f4e..0e117436bb33 100644
--- a/crypto/openssl/crypto/rc2/rc2test.c
+++ b/crypto/openssl/crypto/rc2/rc2test.c
@@ -205,6 +205,9 @@ int main(int argc, char *argv[])
 		printf("ok\n");
 #endif
 
+#ifdef OPENSSL_SYS_NETWARE
+    if (err) printf("ERROR: %d\n", err);
+#endif
 	EXIT(err);
 	return(err);
 	}
diff --git a/crypto/openssl/crypto/rc4/Makefile b/crypto/openssl/crypto/rc4/Makefile
index 15da280838e2..7857c95fbfcd 100644
--- a/crypto/openssl/crypto/rc4/Makefile
+++ b/crypto/openssl/crypto/rc4/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rc4/Makefile
+# OpenSSL/crypto/rc4/Makefile
 #
 
 DIR=	rc4
@@ -8,23 +8,13 @@ CC=	cc
 CPP=    $(CC) -E
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
-MAKEFILE=	Makefile
 AR=		ar r
 
 RC4_ENC=rc4_enc.o
-# or use
-#RC4_ENC=asm/rx86-elf.o
-#RC4_ENC=asm/rx86-out.o
-#RC4_ENC=asm/rx86-sol.o
-#RC4_ENC=asm/rx86bdsi.o
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 ASFLAGS= $(INCLUDES) $(ASFLAG)
+AFLAGS= $(ASFLAGS)
 
 GENERAL=Makefile
 TEST=rc4test.c
@@ -51,20 +41,24 @@ lib:	$(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
 
-# elf
-asm/rx86-elf.s: asm/rc4-586.pl ../perlasm/x86asm.pl
-	(cd asm; $(PERL) rc4-586.pl elf $(CFLAGS) > rx86-elf.s)
-
+# ELF
+rx86-elf.s: asm/rc4-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) rc4-586.pl elf $(CFLAGS) > ../$@)
+# COFF
+rx86-cof.s: asm/rc4-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) rc4-586.pl coff $(CFLAGS) > ../$@)
 # a.out
-asm/rx86-out.o: asm/rx86unix.cpp
-	$(CPP) -DOUT asm/rx86unix.cpp | as -o asm/rx86-out.o
+rx86-out.s: asm/rc4-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) rc4-586.pl a.out $(CFLAGS) > ../$@)
 
-# bsdi
-asm/rx86bsdi.o: asm/rx86unix.cpp
-	$(CPP) -DBSDI asm/rx86unix.cpp | sed 's/ :/:/' | as -o asm/rx86bsdi.o
+rc4-x86_64.s: asm/rc4-x86_64.pl;	$(PERL) asm/rc4-x86_64.pl $@
 
-asm/rx86unix.cpp: asm/rc4-586.pl ../perlasm/x86asm.pl
-	(cd asm; $(PERL) rc4-586.pl cpp >rx86unix.cpp)
+rc4-ia64.s: asm/rc4-ia64.S
+	@case `awk '/^#define RC4_INT/{print$$NF}' $(TOP)/include/openssl/opensslconf.h` in \
+	int)	set -x; $(CC) $(CFLAGS) -DSZ=4 -E asm/rc4-ia64.S > $@ ;; \
+	char)	set -x; $(CC) $(CFLAGS) -DSZ=1 -E asm/rc4-ia64.S > $@ ;; \
+	*)	exit 1 ;; \
+	esac
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -75,7 +69,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -90,6 +85,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -97,12 +93,23 @@ dclean:
 	mv -f Makefile.new $(MAKEFILE)
 
 clean:
-	rm -f asm/rx86unix.cpp asm/*-elf.* *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
+	rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-rc4_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc4.h
-rc4_enc.o: rc4_enc.c rc4_locl.h
-rc4_skey.o: ../../include/openssl/opensslconf.h
-rc4_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/rc4.h
-rc4_skey.o: rc4_locl.h rc4_skey.c
+rc4_enc.o: ../../e_os.h ../../include/openssl/bio.h
+rc4_enc.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rc4_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rc4_enc.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rc4_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rc4_enc.o: ../../include/openssl/rc4.h ../../include/openssl/safestack.h
+rc4_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rc4_enc.o: ../cryptlib.h rc4_enc.c rc4_locl.h
+rc4_skey.o: ../../e_os.h ../../include/openssl/bio.h
+rc4_skey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rc4_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rc4_skey.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rc4_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rc4_skey.o: ../../include/openssl/rc4.h ../../include/openssl/safestack.h
+rc4_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rc4_skey.o: ../cryptlib.h rc4_locl.h rc4_skey.c
diff --git a/crypto/openssl/crypto/rc4/asm/rc4-586.pl b/crypto/openssl/crypto/rc4/asm/rc4-586.pl
index 7ef889e5a135..22bda4b451e9 100644
--- a/crypto/openssl/crypto/rc4/asm/rc4-586.pl
+++ b/crypto/openssl/crypto/rc4/asm/rc4-586.pl
@@ -1,16 +1,37 @@
 #!/usr/local/bin/perl
 
-# define for pentium pro friendly version
+# At some point it became apparent that the original SSLeay RC4
+# assembler implementation performs suboptimaly on latest IA-32
+# microarchitectures. After re-tuning performance has changed as
+# following:
+#
+# Pentium	+0%
+# Pentium III	+17%
+# AMD		+52%(*)
+# P4		+180%(**)
+#
+# (*)	This number is actually a trade-off:-) It's possible to
+#	achieve	+72%, but at the cost of -48% off PIII performance.
+#	In other words code performing further 13% faster on AMD
+#	would perform almost 2 times slower on Intel PIII...
+#	For reference! This code delivers ~80% of rc4-amd64.pl
+#	performance on the same Opteron machine.
+# (**)	This number requires compressed key schedule set up by
+#	RC4_set_key and therefore doesn't apply to 0.9.7 [option for
+#	compressed key schedule is implemented in 0.9.8 and later,
+#	see commentary section in rc4_skey.c for further details].
+#
+#					<appro@fy.chalmers.se>
 
 push(@INC,"perlasm","../../perlasm");
 require "x86asm.pl";
 
 &asm_init($ARGV[0],"rc4-586.pl");
 
-$tx="eax";
-$ty="ebx";
-$x="ecx";
-$y="edx";
+$x="eax";
+$y="ebx";
+$tx="ecx";
+$ty="edx";
 $in="esi";
 $out="edi";
 $d="ebp";
@@ -31,7 +52,7 @@ sub RC4_loop
 			{
 			 &mov($ty,	&swtmp(2));
 			&cmp($ty,	$in);
-			 &jle(&label("finished"));
+			 &jbe(&label("finished"));
 			&inc($in);
 			}
 		else
@@ -39,27 +60,23 @@ sub RC4_loop
 			&add($ty,	8);
 			 &inc($in);
 			&cmp($ty,	$in);
-			 &jl(&label("finished"));
+			 &jb(&label("finished"));
 			&mov(&swtmp(2),	$ty);
 			}
 		}
 	# Moved out
 	# &mov(	$tx,		&DWP(0,$d,$x,4)) if $p < 0;
 
-	 &add(	$y,		$tx);
-	&and(	$y,		0xff);
-	 &inc(	$x);			# NEXT ROUND 
+	&add(	&LB($y),	&LB($tx));
 	&mov(	$ty,		&DWP(0,$d,$y,4));
 	 # XXX
-	&mov(	&DWP(-4,$d,$x,4),$ty);			# AGI
+	&mov(	&DWP(0,$d,$x,4),$ty);
 	 &add(	$ty,		$tx);
-	&and(	$x,		0xff);	# NEXT ROUND
-	 &and(	$ty,		0xff);
 	&mov(	&DWP(0,$d,$y,4),$tx);
-	 &nop();
-	&mov(	$ty,		&DWP(0,$d,$ty,4));
-	 &mov(	$tx,		&DWP(0,$d,$x,4)) if $p < 1; # NEXT ROUND
-	 # XXX
+	 &and(	$ty,		0xff);
+	 &inc(	&LB($x));			# NEXT ROUND
+	&mov(	$tx,		&DWP(0,$d,$x,4)) if $p < 1; # NEXT ROUND
+	 &mov(	$ty,		&DWP(0,$d,$ty,4));
 
 	if (!$char)
 		{
@@ -88,35 +105,47 @@ sub RC4
 
 	&function_begin_B($name,"");
 
+	&mov($ty,&wparam(1));		# len
+	&cmp($ty,0);
+	&jne(&label("proceed"));
+	&ret();
+	&set_label("proceed");
+
 	&comment("");
 
 	&push("ebp");
 	 &push("ebx");
-	&mov(	$d,	&wparam(0));	# key
-	 &mov(	$ty,	&wparam(1));	# num
 	&push("esi");
-	 &push("edi");
+	 &xor(	$x,	$x);		# avoid partial register stalls
+	&push("edi");
+	 &xor(	$y,	$y);		# avoid partial register stalls
+	&mov(	$d,	&wparam(0));	# key
+	 &mov(	$in,	&wparam(2));
 
-	&mov(	$x,	&DWP(0,$d,"",1));
-	 &mov(	$y,	&DWP(4,$d,"",1));
+	&movb(	&LB($x),	&BP(0,$d,"",1));
+	 &movb(	&LB($y),	&BP(4,$d,"",1));
 
-	&mov(	$in,	&wparam(2));
-	 &inc(	$x);
+	&mov(	$out,	&wparam(3));
+	 &inc(	&LB($x));
 
 	&stack_push(3);	# 3 temp variables
 	 &add(	$d,	8);
-	&and(	$x,		0xff);
+
+	# detect compressed schedule, see commentary section in rc4_skey.c...
+	# in 0.9.7 context ~50 bytes below RC4_CHAR label remain redundant,
+	# as compressed key schedule is set up in 0.9.8 and later.
+	&cmp(&DWP(256,$d),-1);
+	&je(&label("RC4_CHAR"));
 
 	 &lea(	$ty,	&DWP(-8,$ty,$in));
 
 	# check for 0 length input
 
-	&mov(	$out,	&wparam(3));
 	 &mov(	&swtmp(2),	$ty);	# this is now address to exit at
 	&mov(	$tx,	&DWP(0,$d,$x,4));
 
 	 &cmp(	$ty,	$in);
-	&jl(	&label("end")); # less than 8 bytes
+	&jb(	&label("end")); # less than 8 bytes
 
 	&set_label("start");
 
@@ -148,7 +177,7 @@ sub RC4
 	&mov(	&DWP(-4,$out,"",0),	$tx);
 	 &mov(	$tx,		&DWP(0,$d,$x,4));
 	&cmp($in,	$ty);
-	 &jle(&label("start"));
+	 &jbe(&label("start"));
 
 	&set_label("end");
 
@@ -162,10 +191,38 @@ sub RC4
 	&RC4_loop(5,0,1);
 	&RC4_loop(6,1,1);
 
+	&jmp(&label("finished"));
+
+	&align(16);
+	# this is essentially Intel P4 specific codepath, see rc4_skey.c,
+	# and is engaged in 0.9.8 and later context...
+	&set_label("RC4_CHAR");
+
+	&lea	($ty,&DWP(0,$in,$ty));
+	&mov	(&swtmp(2),$ty);
+	&movz	($tx,&BP(0,$d,$x));
+
+	# strangely enough unrolled loop performs over 20% slower...
+	&set_label("RC4_CHAR_loop");
+		&add	(&LB($y),&LB($tx));
+		&movz	($ty,&BP(0,$d,$y));
+		&movb	(&BP(0,$d,$y),&LB($tx));
+		&movb	(&BP(0,$d,$x),&LB($ty));
+		&add	(&LB($ty),&LB($tx));
+		&movz	($ty,&BP(0,$d,$ty));
+		&add	(&LB($x),1);
+		&xorb	(&LB($ty),&BP(0,$in));
+		&lea	($in,&BP(1,$in));
+		&movz	($tx,&BP(0,$d,$x));
+		&cmp	($in,&swtmp(2));
+		&movb	(&BP(0,$out),&LB($ty));
+		&lea	($out,&BP(1,$out));
+	&jb	(&label("RC4_CHAR_loop"));
+
 	&set_label("finished");
 	&dec(	$x);
 	 &stack_pop(3);
-	&mov(	&DWP(-4,$d,"",0),$y);
+	&movb(	&BP(-4,$d,"",0),&LB($y));
 	 &movb(	&BP(-8,$d,"",0),&LB($x));
 
 	&function_end($name);
diff --git a/crypto/openssl/crypto/rc4/asm/rc4-ia64.S b/crypto/openssl/crypto/rc4/asm/rc4-ia64.S
new file mode 100644
index 000000000000..a322d0c718e5
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/asm/rc4-ia64.S
@@ -0,0 +1,160 @@
+// ====================================================================
+// Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+// project.
+//
+// Rights for redistribution and usage in source and binary forms are
+// granted according to the OpenSSL license. Warranty of any kind is
+// disclaimed.
+// ====================================================================
+
+.ident  "rc4-ia64.S, Version 2.0"
+.ident  "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+
+// What's wrong with compiler generated code? Because of the nature of
+// C language, compiler doesn't [dare to] reorder load and stores. But
+// being memory-bound, RC4 should benefit from reorder [on in-order-
+// execution core such as IA-64]. But what can we reorder? At the very
+// least we can safely reorder references to key schedule in respect
+// to input and output streams. Secondly, from the first [close] glance
+// it appeared that it's possible to pull up some references to
+// elements of the key schedule itself. Original rationale ["prior
+// loads are not safe only for "degenerated" key schedule, when some
+// elements equal to the same value"] was kind of sloppy. I should have
+// formulated as it really was: if we assume that pulling up reference
+// to key[x+1] is not safe, then it would mean that key schedule would
+// "degenerate," which is never the case. The problem is that this
+// holds true in respect to references to key[x], but not to key[y].
+// Legitimate "collisions" do occur within every 256^2 bytes window.
+// Fortunately there're enough free instruction slots to keep prior
+// reference to key[x+1], detect "collision" and compensate for it.
+// All this without sacrificing a single clock cycle:-) Throughput is
+// ~210MBps on 900MHz CPU, which is is >3x faster than gcc generated
+// code and +30% - if compared to HP-UX C. Unrolling loop below should
+// give >30% on top of that...
+
+.text
+.explicit
+
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
+# define ADDP	addp4
+#else
+# define ADDP	add
+#endif
+
+#ifndef SZ
+#define SZ	4	// this is set to sizeof(RC4_INT)
+#endif
+// SZ==4 seems to be optimal. At least SZ==8 is not any faster, not for
+// assembler implementation, while SZ==1 code is ~30% slower.
+#if SZ==1	// RC4_INT is unsigned char
+# define	LDKEY	ld1
+# define	STKEY	st1
+# define	OFF	0
+#elif SZ==4	// RC4_INT is unsigned int
+# define	LDKEY	ld4
+# define	STKEY	st4
+# define	OFF	2
+#elif SZ==8	// RC4_INT is unsigned long
+# define	LDKEY	ld8
+# define	STKEY	st8
+# define	OFF	3
+#endif
+
+out=r8;		// [expanded] output pointer
+inp=r9;		// [expanded] output pointer
+prsave=r10;
+key=r28;	// [expanded] pointer to RC4_KEY
+ksch=r29;	// (key->data+255)[&~(sizeof(key->data)-1)]
+xx=r30;
+yy=r31;
+
+// void RC4(RC4_KEY *key,size_t len,const void *inp,void *out);
+.global	RC4#
+.proc	RC4#
+.align	32
+.skip	16
+RC4:
+	.prologue
+	.fframe 0
+	.save   ar.pfs,r2
+	.save	ar.lc,r3
+	.save	pr,prsave
+{ .mii;	alloc	r2=ar.pfs,4,12,0,16
+	mov	prsave=pr
+	ADDP	key=0,in0		};;
+{ .mib;	cmp.eq	p6,p0=0,in1			// len==0?
+	mov	r3=ar.lc
+(p6)	br.ret.spnt.many	b0	};;	// emergency exit
+
+	.body
+	.rotr	dat[4],key_x[4],tx[2],rnd[2],key_y[2],ty[1];
+
+{ .mib;	LDKEY	xx=[key],SZ			// load key->x
+	add	in1=-1,in1			// adjust len for loop counter
+	nop.b	0			}
+{ .mib;	ADDP	inp=0,in2
+	ADDP	out=0,in3
+	brp.loop.imp	.Ltop,.Lexit-16	};;
+{ .mmi;	LDKEY	yy=[key]			// load key->y
+	add	ksch=SZ,key
+	mov	ar.lc=in1		}
+{ .mmi;	mov	key_y[1]=r0			// guarantee inequality
+						// in first iteration
+	add	xx=1,xx
+	mov	pr.rot=1<<16		};;
+{ .mii;	nop.m	0
+	dep	key_x[1]=xx,r0,OFF,8
+	mov	ar.ec=3			};;	// note that epilogue counter
+						// is off by 1. I compensate
+						// for this at exit...
+.Ltop:
+// The loop is scheduled for 4*(n+2) spin-rate on Itanium 2, which
+// theoretically gives asymptotic performance of clock frequency
+// divided by 4 bytes per seconds, or 400MBps on 1.6GHz CPU. This is
+// for sizeof(RC4_INT)==4. For smaller RC4_INT STKEY inadvertently
+// splits the last bundle and you end up with 5*n spin-rate:-(
+// Originally the loop was scheduled for 3*n and relied on key
+// schedule to be aligned at 256*sizeof(RC4_INT) boundary. But
+// *(out++)=dat, which maps to st1, had same effect [inadvertent
+// bundle split] and holded the loop back. Rescheduling for 4*n
+// made it possible to eliminate dependence on specific alignment
+// and allow OpenSSH keep "abusing" our API. Reaching for 3*n would
+// require unrolling, sticking to variable shift instruction for
+// collecting output [to avoid starvation for integer shifter] and
+// copying of key schedule to controlled place in stack [so that
+// deposit instruction can serve as substitute for whole
+// key->data+((x&255)<<log2(sizeof(key->data[0])))]...
+{ .mmi;	(p19)	st1	[out]=dat[3],1			// *(out++)=dat
+	(p16)	add	xx=1,xx				// x++
+	(p18)	dep	rnd[1]=rnd[1],r0,OFF,8	}	// ((tx+ty)&255)<<OFF
+{ .mmi;	(p16)	add	key_x[1]=ksch,key_x[1]		// &key[xx&255]
+	(p17)	add	key_y[1]=ksch,key_y[1]	};;	// &key[yy&255]	
+{ .mmi;	(p16)	LDKEY	tx[0]=[key_x[1]]		// tx=key[xx]
+	(p17)	LDKEY	ty[0]=[key_y[1]]		// ty=key[yy]	
+	(p16)	dep	key_x[0]=xx,r0,OFF,8	}	// (xx&255)<<OFF
+{ .mmi;	(p18)	add	rnd[1]=ksch,rnd[1]		// &key[(tx+ty)&255]
+	(p16)	cmp.ne.unc p20,p21=key_x[1],key_y[1] };;
+{ .mmi;	(p18)	LDKEY	rnd[1]=[rnd[1]]			// rnd=key[(tx+ty)&255]
+	(p16)	ld1	dat[0]=[inp],1		}	// dat=*(inp++)
+.pred.rel	"mutex",p20,p21
+{ .mmi;	(p21)	add	yy=yy,tx[1]			// (p16)
+	(p20)	add	yy=yy,tx[0]			// (p16) y+=tx
+	(p21)	mov	tx[0]=tx[1]		};;	// (p16)
+{ .mmi;	(p17)	STKEY	[key_y[1]]=tx[1]		// key[yy]=tx
+	(p17)	STKEY	[key_x[2]]=ty[0]		// key[xx]=ty
+	(p16)	dep	key_y[0]=yy,r0,OFF,8	}	// &key[yy&255]
+{ .mmb;	(p17)	add	rnd[0]=tx[1],ty[0]		// tx+=ty
+	(p18)	xor	dat[2]=dat[2],rnd[1]		// dat^=rnd
+	br.ctop.sptk	.Ltop			};;
+.Lexit:
+{ .mib;	STKEY	[key]=yy,-SZ			// save key->y
+	mov	pr=prsave,0x1ffff
+	nop.b	0			}
+{ .mib;	st1	[out]=dat[3],1			// compensate for truncated
+						// epilogue counter
+	add	xx=-1,xx
+	nop.b	0			};;
+{ .mib;	STKEY	[key]=xx			// save key->x
+	mov	ar.lc=r3
+	br.ret.sptk.many	b0	};;
+.endp	RC4#
diff --git a/crypto/openssl/crypto/rc4/asm/rc4-x86_64.pl b/crypto/openssl/crypto/rc4/asm/rc4-x86_64.pl
new file mode 100755
index 000000000000..4b990cba077e
--- /dev/null
+++ b/crypto/openssl/crypto/rc4/asm/rc4-x86_64.pl
@@ -0,0 +1,240 @@
+#!/usr/bin/env perl
+#
+# ====================================================================
+# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+# project. Rights for redistribution and usage in source and binary
+# forms are granted according to the OpenSSL license.
+# ====================================================================
+#
+# 2.22x RC4 tune-up:-) It should be noted though that my hand [as in
+# "hand-coded assembler"] doesn't stand for the whole improvement
+# coefficient. It turned out that eliminating RC4_CHAR from config
+# line results in ~40% improvement (yes, even for C implementation).
+# Presumably it has everything to do with AMD cache architecture and
+# RAW or whatever penalties. Once again! The module *requires* config
+# line *without* RC4_CHAR! As for coding "secret," I bet on partial
+# register arithmetics. For example instead of 'inc %r8; and $255,%r8'
+# I simply 'inc %r8b'. Even though optimization manual discourages
+# to operate on partial registers, it turned out to be the best bet.
+# At least for AMD... How IA32E would perform remains to be seen...
+
+# As was shown by Marc Bevand reordering of couple of load operations
+# results in even higher performance gain of 3.3x:-) At least on
+# Opteron... For reference, 1x in this case is RC4_CHAR C-code
+# compiled with gcc 3.3.2, which performs at ~54MBps per 1GHz clock.
+# Latter means that if you want to *estimate* what to expect from
+# *your* Opteron, then multiply 54 by 3.3 and clock frequency in GHz.
+
+# Intel P4 EM64T core was found to run the AMD64 code really slow...
+# The only way to achieve comparable performance on P4 was to keep
+# RC4_CHAR. Kind of ironic, huh? As it's apparently impossible to
+# compose blended code, which would perform even within 30% marginal
+# on either AMD and Intel platforms, I implement both cases. See
+# rc4_skey.c for further details...
+
+# P4 EM64T core appears to be "allergic" to 64-bit inc/dec. Replacing 
+# those with add/sub results in 50% performance improvement of folded
+# loop...
+
+# As was shown by Zou Nanhai loop unrolling can improve Intel EM64T
+# performance by >30% [unlike P4 32-bit case that is]. But this is
+# provided that loads are reordered even more aggressively! Both code
+# pathes, AMD64 and EM64T, reorder loads in essentially same manner
+# as my IA-64 implementation. On Opteron this resulted in modest 5%
+# improvement [I had to test it], while final Intel P4 performance
+# achieves respectful 432MBps on 2.8GHz processor now. For reference.
+# If executed on Xeon, current RC4_CHAR code-path is 2.7x faster than
+# RC4_INT code-path. While if executed on Opteron, it's only 25%
+# slower than the RC4_INT one [meaning that if CPU µ-arch detection
+# is not implemented, then this final RC4_CHAR code-path should be
+# preferred, as it provides better *all-round* performance].
+
+$output=shift;
+open STDOUT,"| $^X ../perlasm/x86_64-xlate.pl $output";
+
+$dat="%rdi";	    # arg1
+$len="%rsi";	    # arg2
+$inp="%rdx";	    # arg3
+$out="%rcx";	    # arg4
+
+@XX=("%r8","%r10");
+@TX=("%r9","%r11");
+$YY="%r12";
+$TY="%r13";
+
+$code=<<___;
+.text
+
+.globl	RC4
+.type	RC4,\@function,4
+.align	16
+RC4:	or	$len,$len
+	jne	.Lentry
+	ret
+.Lentry:
+	push	%r12
+	push	%r13
+
+	add	\$8,$dat
+	movl	-8($dat),$XX[0]#d
+	movl	-4($dat),$YY#d
+	cmpl	\$-1,256($dat)
+	je	.LRC4_CHAR
+	inc	$XX[0]#b
+	movl	($dat,$XX[0],4),$TX[0]#d
+	test	\$-8,$len
+	jz	.Lloop1
+	jmp	.Lloop8
+.align	16
+.Lloop8:
+___
+for ($i=0;$i<8;$i++) {
+$code.=<<___;
+	add	$TX[0]#b,$YY#b
+	mov	$XX[0],$XX[1]
+	movl	($dat,$YY,4),$TY#d
+	ror	\$8,%rax			# ror is redundant when $i=0
+	inc	$XX[1]#b
+	movl	($dat,$XX[1],4),$TX[1]#d
+	cmp	$XX[1],$YY
+	movl	$TX[0]#d,($dat,$YY,4)
+	cmove	$TX[0],$TX[1]
+	movl	$TY#d,($dat,$XX[0],4)
+	add	$TX[0]#b,$TY#b
+	movb	($dat,$TY,4),%al
+___
+push(@TX,shift(@TX)); push(@XX,shift(@XX));	# "rotate" registers
+}
+$code.=<<___;
+	ror	\$8,%rax
+	sub	\$8,$len
+
+	xor	($inp),%rax
+	add	\$8,$inp
+	mov	%rax,($out)
+	add	\$8,$out
+
+	test	\$-8,$len
+	jnz	.Lloop8
+	cmp	\$0,$len
+	jne	.Lloop1
+___
+$code.=<<___;
+.Lexit:
+	sub	\$1,$XX[0]#b
+	movl	$XX[0]#d,-8($dat)
+	movl	$YY#d,-4($dat)
+
+	pop	%r13
+	pop	%r12
+	ret
+.align	16
+.Lloop1:
+	add	$TX[0]#b,$YY#b
+	movl	($dat,$YY,4),$TY#d
+	movl	$TX[0]#d,($dat,$YY,4)
+	movl	$TY#d,($dat,$XX[0],4)
+	add	$TY#b,$TX[0]#b
+	inc	$XX[0]#b
+	movl	($dat,$TX[0],4),$TY#d
+	movl	($dat,$XX[0],4),$TX[0]#d
+	xorb	($inp),$TY#b
+	inc	$inp
+	movb	$TY#b,($out)
+	inc	$out
+	dec	$len
+	jnz	.Lloop1
+	jmp	.Lexit
+
+.align	16
+.LRC4_CHAR:
+	add	\$1,$XX[0]#b
+	movzb	($dat,$XX[0]),$TX[0]#d
+	test	\$-8,$len
+	jz	.Lcloop1
+	push	%rbx
+	jmp	.Lcloop8
+.align	16
+.Lcloop8:
+	mov	($inp),%eax
+	mov	4($inp),%ebx
+___
+# unroll 2x4-wise, because 64-bit rotates kill Intel P4...
+for ($i=0;$i<4;$i++) {
+$code.=<<___;
+	add	$TX[0]#b,$YY#b
+	lea	1($XX[0]),$XX[1]
+	movzb	($dat,$YY),$TY#d
+	movzb	$XX[1]#b,$XX[1]#d
+	movzb	($dat,$XX[1]),$TX[1]#d
+	movb	$TX[0]#b,($dat,$YY)
+	cmp	$XX[1],$YY
+	movb	$TY#b,($dat,$XX[0])
+	jne	.Lcmov$i			# Intel cmov is sloooow...
+	mov	$TX[0],$TX[1]
+.Lcmov$i:
+	add	$TX[0]#b,$TY#b
+	xor	($dat,$TY),%al
+	ror	\$8,%eax
+___
+push(@TX,shift(@TX)); push(@XX,shift(@XX));	# "rotate" registers
+}
+for ($i=4;$i<8;$i++) {
+$code.=<<___;
+	add	$TX[0]#b,$YY#b
+	lea	1($XX[0]),$XX[1]
+	movzb	($dat,$YY),$TY#d
+	movzb	$XX[1]#b,$XX[1]#d
+	movzb	($dat,$XX[1]),$TX[1]#d
+	movb	$TX[0]#b,($dat,$YY)
+	cmp	$XX[1],$YY
+	movb	$TY#b,($dat,$XX[0])
+	jne	.Lcmov$i			# Intel cmov is sloooow...
+	mov	$TX[0],$TX[1]
+.Lcmov$i:
+	add	$TX[0]#b,$TY#b
+	xor	($dat,$TY),%bl
+	ror	\$8,%ebx
+___
+push(@TX,shift(@TX)); push(@XX,shift(@XX));	# "rotate" registers
+}
+$code.=<<___;
+	lea	-8($len),$len
+	mov	%eax,($out)
+	lea	8($inp),$inp
+	mov	%ebx,4($out)
+	lea	8($out),$out
+
+	test	\$-8,$len
+	jnz	.Lcloop8
+	pop	%rbx
+	cmp	\$0,$len
+	jne	.Lcloop1
+	jmp	.Lexit
+___
+$code.=<<___;
+.align	16
+.Lcloop1:
+	add	$TX[0]#b,$YY#b
+	movzb	($dat,$YY),$TY#d
+	movb	$TX[0]#b,($dat,$YY)
+	movb	$TY#b,($dat,$XX[0])
+	add	$TX[0]#b,$TY#b
+	add	\$1,$XX[0]#b
+	movzb	($dat,$TY),$TY#d
+	movzb	($dat,$XX[0]),$TX[0]#d
+	xorb	($inp),$TY#b
+	lea	1($inp),$inp
+	movb	$TY#b,($out)
+	lea	1($out),$out
+	sub	\$1,$len
+	jnz	.Lcloop1
+	jmp	.Lexit
+.size	RC4,.-RC4
+___
+
+$code =~ s/#([bwd])/$1/gm;
+
+print $code;
+
+close STDOUT;
diff --git a/crypto/openssl/crypto/rc4/rc4.c b/crypto/openssl/crypto/rc4/rc4.c
index b39c070292c9..c900b260554a 100644
--- a/crypto/openssl/crypto/rc4/rc4.c
+++ b/crypto/openssl/crypto/rc4/rc4.c
@@ -60,6 +60,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/rc4.h>
+#include <openssl/evp.h>
 
 char *usage[]={
 "usage: rc4 args\n",
@@ -162,7 +163,7 @@ bad:
 		keystr=buf;
 		}
 
-	EVP_Digest((unsigned char *)keystr,(unsigned long)strlen(keystr),md,NULL,EVP_md5());
+	EVP_Digest((unsigned char *)keystr,strlen(keystr),md,NULL,EVP_md5(),NULL);
 	OPENSSL_cleanse(keystr,strlen(keystr));
 	RC4_set_key(&key,MD5_DIGEST_LENGTH,md);
 	
diff --git a/crypto/openssl/crypto/rc4/rc4.h b/crypto/openssl/crypto/rc4/rc4.h
index 8722091f2ecf..7aec04fe93a2 100644
--- a/crypto/openssl/crypto/rc4/rc4.h
+++ b/crypto/openssl/crypto/rc4/rc4.h
@@ -59,12 +59,11 @@
 #ifndef HEADER_RC4_H
 #define HEADER_RC4_H
 
+#include <openssl/opensslconf.h> /* OPENSSL_NO_RC4, RC4_INT */
 #ifdef OPENSSL_NO_RC4
 #error RC4 is disabled.
 #endif
 
-#include <openssl/opensslconf.h> /* RC4_INT */
-
 #ifdef  __cplusplus
 extern "C" {
 #endif
diff --git a/crypto/openssl/crypto/rc4/rc4_enc.c b/crypto/openssl/crypto/rc4/rc4_enc.c
index d5f18a3a7070..0660ea60a25e 100644
--- a/crypto/openssl/crypto/rc4/rc4_enc.c
+++ b/crypto/openssl/crypto/rc4/rc4_enc.c
@@ -157,7 +157,7 @@ void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
 		if (!is_endian.little)
 			{	/* BIG-ENDIAN CASE */
 # define BESHFT(c)	(((sizeof(RC4_CHUNK)-(c)-1)*8)&(sizeof(RC4_CHUNK)*8-1))
-			for (;len&-sizeof(RC4_CHUNK);len-=sizeof(RC4_CHUNK))
+			for (;len&~(sizeof(RC4_CHUNK)-1);len-=sizeof(RC4_CHUNK))
 				{
 				ichunk  = *(RC4_CHUNK *)indata;
 				otp  = RC4_STEP<<BESHFT(0);
@@ -210,7 +210,7 @@ void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
 		else
 			{	/* LITTLE-ENDIAN CASE */
 # define LESHFT(c)	(((c)*8)&(sizeof(RC4_CHUNK)*8-1))
-			for (;len&-sizeof(RC4_CHUNK);len-=sizeof(RC4_CHUNK))
+			for (;len&~(sizeof(RC4_CHUNK)-1);len-=sizeof(RC4_CHUNK))
 				{
 				ichunk  = *(RC4_CHUNK *)indata;
 				otp  = RC4_STEP;
diff --git a/crypto/openssl/crypto/rc4/rc4_locl.h b/crypto/openssl/crypto/rc4/rc4_locl.h
index 3bb80b6ce9e0..c712e1632ea5 100644
--- a/crypto/openssl/crypto/rc4/rc4_locl.h
+++ b/crypto/openssl/crypto/rc4/rc4_locl.h
@@ -1,4 +1,5 @@
 #ifndef HEADER_RC4_LOCL_H
 #define HEADER_RC4_LOCL_H
 #include <openssl/opensslconf.h>
+#include <cryptlib.h>
 #endif
diff --git a/crypto/openssl/crypto/rc4/rc4_skey.c b/crypto/openssl/crypto/rc4/rc4_skey.c
index bb10c1ebe289..781ff2d8b9b8 100644
--- a/crypto/openssl/crypto/rc4/rc4_skey.c
+++ b/crypto/openssl/crypto/rc4/rc4_skey.c
@@ -93,25 +93,58 @@ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
         unsigned int i;
         
         d= &(key->data[0]);
-	for (i=0; i<256; i++)
-		d[i]=i;
         key->x = 0;     
         key->y = 0;     
         id1=id2=0;     
 
-#define SK_LOOP(n) { \
+#define SK_LOOP(d,n) { \
 		tmp=d[(n)]; \
 		id2 = (data[id1] + tmp + id2) & 0xff; \
 		if (++id1 == len) id1=0; \
 		d[(n)]=d[id2]; \
 		d[id2]=tmp; }
 
+#if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM)
+# if	defined(__i386)   || defined(__i386__)   || defined(_M_IX86) || \
+	defined(__INTEL__) || \
+	defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64)
+	if (sizeof(RC4_INT) > 1) {
+		/*
+		 * Unlike all other x86 [and x86_64] implementations,
+		 * Intel P4 core [including EM64T] was found to perform
+		 * poorly with wider RC4_INT. Performance improvement
+		 * for IA-32 hand-coded assembler turned out to be 2.8x
+		 * if re-coded for RC4_CHAR! It's however inappropriate
+		 * to just switch to RC4_CHAR for x86[_64], as non-P4
+		 * implementations suffer from significant performance
+		 * losses then, e.g. PIII exhibits >2x deterioration,
+		 * and so does Opteron. In order to assure optimal
+		 * all-round performance, let us [try to] detect P4 at
+		 * run-time by checking upon HTT bit in CPU capability
+		 * vector and set up compressed key schedule, which is
+		 * recognized by correspondingly updated assembler
+		 * module...
+		 *				<appro@fy.chalmers.se>
+		 */
+		if (OPENSSL_ia32cap_P & (1<<28)) {
+			unsigned char *cp=(unsigned char *)d;
+
+			for (i=0;i<256;i++) cp[i]=i;
+			for (i=0;i<256;i++) SK_LOOP(cp,i);
+			/* mark schedule as compressed! */
+			d[256/sizeof(RC4_INT)]=-1;
+			return;
+		}
+	}
+# endif
+#endif
+	for (i=0; i < 256; i++) d[i]=i;
 	for (i=0; i < 256; i+=4)
 		{
-		SK_LOOP(i+0);
-		SK_LOOP(i+1);
-		SK_LOOP(i+2);
-		SK_LOOP(i+3);
+		SK_LOOP(d,i+0);
+		SK_LOOP(d,i+1);
+		SK_LOOP(d,i+2);
+		SK_LOOP(d,i+3);
 		}
 	}
     
diff --git a/crypto/openssl/crypto/rc4/rc4speed.c b/crypto/openssl/crypto/rc4/rc4speed.c
index ced98c52df94..0ebd38123d04 100644
--- a/crypto/openssl/crypto/rc4/rc4speed.c
+++ b/crypto/openssl/crypto/rc4/rc4speed.c
@@ -69,7 +69,10 @@
 #include OPENSSL_UNISTD_IO
 OPENSSL_DECLARE_EXIT
 
+#ifndef OPENSSL_SYS_NETWARE
 #include <signal.h>
+#endif
+
 #ifndef _IRIX
 #include <time.h>
 #endif
diff --git a/crypto/openssl/crypto/rc4/rc4test.c b/crypto/openssl/crypto/rc4/rc4test.c
index b9d8f2097536..54b597fa266e 100644
--- a/crypto/openssl/crypto/rc4/rc4test.c
+++ b/crypto/openssl/crypto/rc4/rc4test.c
@@ -70,6 +70,7 @@ int main(int argc, char *argv[])
 }
 #else
 #include <openssl/rc4.h>
+#include <openssl/sha.h>
 
 static unsigned char keys[7][30]={
 	{8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
@@ -113,13 +114,11 @@ static unsigned char output[7][30]={
 
 int main(int argc, char *argv[])
 	{
-	int i,err=0;
-	int j;
+	int err=0;
+	unsigned int i, j;
 	unsigned char *p;
 	RC4_KEY key;
-	unsigned char buf[512],obuf[512];
-
-	for (i=0; i<512; i++) buf[i]=0x01;
+	unsigned char obuf[512];
 
 	for (i=0; i<6; i++)
 		{
@@ -130,12 +129,12 @@ int main(int argc, char *argv[])
 			{
 			printf("error calculating RC4\n");
 			printf("output:");
-			for (j=0; j<data_len[i]+1; j++)
+			for (j=0; j<data_len[i]+1U; j++)
 				printf(" %02x",obuf[j]);
 			printf("\n");
 			printf("expect:");
 			p= &(output[i][0]);
-			for (j=0; j<data_len[i]+1; j++)
+			for (j=0; j<data_len[i]+1U; j++)
 				printf(" %02x",*(p++));
 			printf("\n");
 			err++;
@@ -181,12 +180,12 @@ int main(int argc, char *argv[])
 			{
 			printf("error in RC4 multi-call processing\n");
 			printf("output:");
-			for (j=0; j<data_len[3]+1; j++)
+			for (j=0; j<data_len[3]+1U; j++)
 				printf(" %02x",obuf[j]);
 			printf("\n");
 			printf("expect:");
 			p= &(output[3][0]);
-			for (j=0; j<data_len[3]+1; j++)
+			for (j=0; j<data_len[3]+1U; j++)
 				printf(" %02x",*(p++));
 			err++;
 			}
@@ -197,6 +196,40 @@ int main(int argc, char *argv[])
 			}
 		}
 	printf("done\n");
+	printf("bulk test ");
+	{   unsigned char buf[513];
+	    SHA_CTX c;
+	    unsigned char md[SHA_DIGEST_LENGTH];
+	    static unsigned char expected[]={
+		0xa4,0x7b,0xcc,0x00,0x3d,0xd0,0xbd,0xe1,0xac,0x5f,
+		0x12,0x1e,0x45,0xbc,0xfb,0x1a,0xa1,0xf2,0x7f,0xc5 };
+
+		RC4_set_key(&key,keys[0][0],&(keys[3][1]));
+		memset(buf,'\0',sizeof(buf));
+		SHA1_Init(&c);
+		for (i=0;i<2571;i++) {
+			RC4(&key,sizeof(buf),buf,buf);
+			SHA1_Update(&c,buf,sizeof(buf));
+		}
+		SHA1_Final(md,&c);
+
+		if (memcmp(md,expected,sizeof(md))) {
+			printf("error in RC4 bulk test\n");
+			printf("output:");
+			for (j=0; j<sizeof(md); j++)
+				printf(" %02x",md[j]);
+			printf("\n");
+			printf("expect:");
+			for (j=0; j<sizeof(md); j++)
+				printf(" %02x",expected[j]);
+			printf("\n");
+			err++;
+		}
+		else	printf("ok\n");
+	}
+#ifdef OPENSSL_SYS_NETWARE
+    if (err) printf("ERROR: %d\n", err);
+#endif
 	EXIT(err);
 	return(0);
 	}
diff --git a/crypto/openssl/crypto/rc5/Makefile b/crypto/openssl/crypto/rc5/Makefile
index 09133f028788..efb0f36b5980 100644
--- a/crypto/openssl/crypto/rc5/Makefile
+++ b/crypto/openssl/crypto/rc5/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rc5/Makefile
+# OpenSSL/crypto/rc5/Makefile
 #
 
 DIR=	rc5
@@ -8,11 +8,6 @@ CC=	cc
 CPP=	$(CC) -E
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -22,6 +17,7 @@ RC5_ENC=		rc5_enc.o
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 ASFLAGS= $(INCLUDES) $(ASFLAG)
+AFLAGS= $(ASFLAGS)
 
 GENERAL=Makefile
 TEST=rc5test.c
@@ -48,20 +44,15 @@ lib:	$(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
 
-# elf
-asm/r586-elf.s: asm/rc5-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
-	(cd asm; $(PERL) rc5-586.pl elf $(CFLAGS) > r586-elf.s)
-
+# ELF
+r586-elf.s: asm/rc5-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) rc5-586.pl elf $(CFLAGS) > ../$@)
+# COFF
+r586-cof.s: asm/rc5-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) rc5-586.pl coff $(CFLAGS) > ../$@)
 # a.out
-asm/r586-out.o: asm/r586unix.cpp
-	$(CPP) -DOUT asm/r586unix.cpp | as -o asm/r586-out.o
-
-# bsdi
-asm/r586bsdi.o: asm/r586unix.cpp
-	$(CPP) -DBSDI asm/r586unix.cpp | sed 's/ :/:/' | as -o asm/r586bsdi.o
-
-asm/r586unix.cpp: asm/rc5-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
-	(cd asm; $(PERL) rc5-586.pl cpp >r586unix.cpp)
+r586-out.s: asm/rc5-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+	(cd asm; $(PERL) rc5-586.pl a.out $(CFLAGS) > ../$@)
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -72,7 +63,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -87,6 +79,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -94,13 +87,17 @@ dclean:
 	mv -f Makefile.new $(MAKEFILE)
 
 clean:
-	rm -f asm/r586unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-rc5_ecb.o: ../../include/openssl/opensslv.h ../../include/openssl/rc5.h
-rc5_ecb.o: rc5_ecb.c rc5_locl.h
-rc5_enc.o: ../../include/openssl/rc5.h rc5_enc.c rc5_locl.h
-rc5_skey.o: ../../include/openssl/rc5.h rc5_locl.h rc5_skey.c
-rc5cfb64.o: ../../include/openssl/rc5.h rc5_locl.h rc5cfb64.c
-rc5ofb64.o: ../../include/openssl/rc5.h rc5_locl.h rc5ofb64.c
+rc5_ecb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rc5_ecb.o: ../../include/openssl/rc5.h rc5_ecb.c rc5_locl.h
+rc5_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc5.h
+rc5_enc.o: rc5_enc.c rc5_locl.h
+rc5_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc5.h
+rc5_skey.o: rc5_locl.h rc5_skey.c
+rc5cfb64.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc5.h
+rc5cfb64.o: rc5_locl.h rc5cfb64.c
+rc5ofb64.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc5.h
+rc5ofb64.o: rc5_locl.h rc5ofb64.c
diff --git a/crypto/openssl/crypto/rc5/rc5.h b/crypto/openssl/crypto/rc5/rc5.h
index 4adfd2db5ab1..4b3c153b5038 100644
--- a/crypto/openssl/crypto/rc5/rc5.h
+++ b/crypto/openssl/crypto/rc5/rc5.h
@@ -59,6 +59,8 @@
 #ifndef HEADER_RC5_H
 #define HEADER_RC5_H
 
+#include <openssl/opensslconf.h> /* OPENSSL_NO_RC5 */
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
diff --git a/crypto/openssl/crypto/rc5/rc5_locl.h b/crypto/openssl/crypto/rc5/rc5_locl.h
index f4ebc23004b8..282dd3882234 100644
--- a/crypto/openssl/crypto/rc5/rc5_locl.h
+++ b/crypto/openssl/crypto/rc5/rc5_locl.h
@@ -146,7 +146,7 @@
                          *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
                          *((c)++)=(unsigned char)(((l)     )&0xff))
 
-#if defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER)
+#if (defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER)) || defined(__ICC)
 #define ROTATE_l32(a,n)     _lrotl(a,n)
 #define ROTATE_r32(a,n)     _lrotr(a,n)
 #elif defined(__GNUC__) && __GNUC__>=2 && !defined(__STRICT_ANSI__) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC)
diff --git a/crypto/openssl/crypto/rc5/rc5speed.c b/crypto/openssl/crypto/rc5/rc5speed.c
index 7d490d5b77fb..8e363be535b4 100644
--- a/crypto/openssl/crypto/rc5/rc5speed.c
+++ b/crypto/openssl/crypto/rc5/rc5speed.c
@@ -69,7 +69,10 @@
 #include OPENSSL_UNISTD_IO
 OPENSSL_DECLARE_EXIT
 
+#ifndef OPENSSL_SYS_NETWARE
 #include <signal.h>
+#endif
+
 #ifndef _IRIX
 #include <time.h>
 #endif
diff --git a/crypto/openssl/crypto/ripemd/Makefile b/crypto/openssl/crypto/ripemd/Makefile
index 200204428bc4..d55875c20c11 100644
--- a/crypto/openssl/crypto/ripemd/Makefile
+++ b/crypto/openssl/crypto/ripemd/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/ripemd/Makefile
+# OpenSSL/crypto/ripemd/Makefile
 #
 
 DIR=    ripemd
@@ -8,11 +8,6 @@ CC=     cc
 CPP=    $(CC) -E
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile
 AR=             ar r
 
@@ -20,6 +15,7 @@ RIP_ASM_OBJ=
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 ASFLAGS= $(INCLUDES) $(ASFLAG)
+AFLAGS= $(ASFLAGS)
 
 GENERAL=Makefile
 TEST=rmdtest.c
@@ -46,20 +42,15 @@ lib:    $(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
 
-# elf
-asm/rm86-elf.s: asm/rmd-586.pl ../perlasm/x86asm.pl
-	(cd asm; $(PERL) rmd-586.pl elf $(CFLAGS) > rm86-elf.s)
-
+# ELF
+rm86-elf.s: asm/rmd-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) rmd-586.pl elf $(CFLAGS) > ../$@)
+# COFF
+rm86-cof.s: asm/rmd-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) rmd-586.pl coff $(CFLAGS) > ../$@)
 # a.out
-asm/rm86-out.o: asm/rm86unix.cpp
-	$(CPP) -DOUT asm/rm86unix.cpp | as -o asm/rm86-out.o
-
-# bsdi
-asm/rm86bsdi.o: asm/rm86unix.cpp
-	$(CPP) -DBSDI asm/rm86unix.cpp | sed 's/ :/:/' | as -o asm/rm86bsdi.o
-
-asm/rm86unix.cpp: asm/rmd-586.pl ../perlasm/x86asm.pl
-	(cd asm; $(PERL) rmd-586.pl cpp >rm86unix.cpp)
+rm86-out.s: asm/rmd-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) rmd-586.pl a.out $(CFLAGS) > ../$@)
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -70,7 +61,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -85,6 +77,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -92,20 +85,15 @@ dclean:
 	mv -f Makefile.new $(MAKEFILE)
 
 clean:
-	rm -f asm/rm86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-rmd_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-rmd_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-rmd_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-rmd_dgst.o: ../../include/openssl/opensslconf.h
+rmd_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h
-rmd_dgst.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rmd_dgst.o: ../../include/openssl/symhacks.h ../md32_common.h rmd_dgst.c
-rmd_dgst.o: rmd_locl.h rmdconst.h
+rmd_dgst.o: ../md32_common.h rmd_dgst.c rmd_locl.h rmdconst.h
 rmd_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 rmd_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-rmd_one.o: ../../include/openssl/ripemd.h ../../include/openssl/safestack.h
-rmd_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rmd_one.o: rmd_one.c
+rmd_one.o: ../../include/openssl/ossl_typ.h ../../include/openssl/ripemd.h
+rmd_one.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rmd_one.o: ../../include/openssl/symhacks.h rmd_one.c
diff --git a/crypto/openssl/crypto/ripemd/ripemd.h b/crypto/openssl/crypto/ripemd/ripemd.h
index 78d5f365605b..06bd67183bc3 100644
--- a/crypto/openssl/crypto/ripemd/ripemd.h
+++ b/crypto/openssl/crypto/ripemd/ripemd.h
@@ -87,13 +87,13 @@ typedef struct RIPEMD160state_st
 	RIPEMD160_LONG A,B,C,D,E;
 	RIPEMD160_LONG Nl,Nh;
 	RIPEMD160_LONG data[RIPEMD160_LBLOCK];
-	int num;
+	unsigned int   num;
 	} RIPEMD160_CTX;
 
 int RIPEMD160_Init(RIPEMD160_CTX *c);
-int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
+int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len);
 int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
-unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
+unsigned char *RIPEMD160(const unsigned char *d, size_t n,
 	unsigned char *md);
 void RIPEMD160_Transform(RIPEMD160_CTX *c, const unsigned char *b);
 #ifdef  __cplusplus
diff --git a/crypto/openssl/crypto/ripemd/rmd_dgst.c b/crypto/openssl/crypto/ripemd/rmd_dgst.c
index f351f00eea0e..03a286dfccfa 100644
--- a/crypto/openssl/crypto/ripemd/rmd_dgst.c
+++ b/crypto/openssl/crypto/ripemd/rmd_dgst.c
@@ -63,10 +63,10 @@
 const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
 
 #  ifdef RMD160_ASM
-     void ripemd160_block_x86(RIPEMD160_CTX *c, unsigned long *p,int num);
+     void ripemd160_block_x86(RIPEMD160_CTX *c, unsigned long *p,size_t num);
 #    define ripemd160_block ripemd160_block_x86
 #  else
-     void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,int num);
+     void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num);
 #  endif
 
 int RIPEMD160_Init(RIPEMD160_CTX *c)
@@ -87,7 +87,7 @@ int RIPEMD160_Init(RIPEMD160_CTX *c)
 #undef X
 #endif
 #define X(i)	XX[i]
-void ripemd160_block_host_order (RIPEMD160_CTX *ctx, const void *p, int num)
+void ripemd160_block_host_order (RIPEMD160_CTX *ctx, const void *p, size_t num)
 	{
 	const RIPEMD160_LONG *XX=p;
 	register unsigned MD32_REG_T A,B,C,D,E;
@@ -287,7 +287,7 @@ void ripemd160_block_host_order (RIPEMD160_CTX *ctx, const void *p, int num)
 #ifdef X
 #undef X
 #endif
-void ripemd160_block_data_order (RIPEMD160_CTX *ctx, const void *p, int num)
+void ripemd160_block_data_order (RIPEMD160_CTX *ctx, const void *p, size_t num)
 	{
 	const unsigned char *data=p;
 	register unsigned MD32_REG_T A,B,C,D,E;
diff --git a/crypto/openssl/crypto/ripemd/rmd_locl.h b/crypto/openssl/crypto/ripemd/rmd_locl.h
index 7b835dfbd4f8..b52d7861654c 100644
--- a/crypto/openssl/crypto/ripemd/rmd_locl.h
+++ b/crypto/openssl/crypto/ripemd/rmd_locl.h
@@ -72,15 +72,19 @@
  */
 #ifdef RMD160_ASM
 # if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
-#  define ripemd160_block_host_order ripemd160_block_asm_host_order
+#  if !defined(B_ENDIAN)
+#   define ripemd160_block_host_order ripemd160_block_asm_host_order
+#  endif
 # endif
 #endif
 
-void ripemd160_block_host_order (RIPEMD160_CTX *c, const void *p,int num);
-void ripemd160_block_data_order (RIPEMD160_CTX *c, const void *p,int num);
+void ripemd160_block_host_order (RIPEMD160_CTX *c, const void *p,size_t num);
+void ripemd160_block_data_order (RIPEMD160_CTX *c, const void *p,size_t num);
 
 #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
-#define ripemd160_block_data_order ripemd160_block_host_order
+# if !defined(B_ENDIAN)
+#  define ripemd160_block_data_order ripemd160_block_host_order
+# endif
 #endif
 
 #define DATA_ORDER_IS_LITTLE_ENDIAN
diff --git a/crypto/openssl/crypto/ripemd/rmd_one.c b/crypto/openssl/crypto/ripemd/rmd_one.c
index f8b580c33a3a..3efb13758f66 100644
--- a/crypto/openssl/crypto/ripemd/rmd_one.c
+++ b/crypto/openssl/crypto/ripemd/rmd_one.c
@@ -61,14 +61,15 @@
 #include <openssl/ripemd.h>
 #include <openssl/crypto.h>
 
-unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
+unsigned char *RIPEMD160(const unsigned char *d, size_t n,
 	     unsigned char *md)
 	{
 	RIPEMD160_CTX c;
 	static unsigned char m[RIPEMD160_DIGEST_LENGTH];
 
 	if (md == NULL) md=m;
-	RIPEMD160_Init(&c);
+	if (!RIPEMD160_Init(&c))
+		return NULL;
 	RIPEMD160_Update(&c,d,n);
 	RIPEMD160_Final(md,&c);
 	OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
diff --git a/crypto/openssl/crypto/ripemd/rmdtest.c b/crypto/openssl/crypto/ripemd/rmdtest.c
index d4c709e64667..cbfdf2ae6ff2 100644
--- a/crypto/openssl/crypto/ripemd/rmdtest.c
+++ b/crypto/openssl/crypto/ripemd/rmdtest.c
@@ -115,7 +115,7 @@ int main(int argc, char *argv[])
 #ifdef CHARSET_EBCDIC
 		ebcdic2ascii((char *)*P, (char *)*P, strlen((char *)*P));
 #endif
-		EVP_Digest(&(P[0][0]),(unsigned long)strlen((char *)*P),md,NULL,EVP_ripemd160(), NULL);
+		EVP_Digest(&(P[0][0]),strlen((char *)*P),md,NULL,EVP_ripemd160(), NULL);
 		p=pt(md);
 		if (strcmp(p,(char *)*R) != 0)
 			{
diff --git a/crypto/openssl/crypto/rsa/Makefile b/crypto/openssl/crypto/rsa/Makefile
index 7e666a072fb5..13900812acde 100644
--- a/crypto/openssl/crypto/rsa/Makefile
+++ b/crypto/openssl/crypto/rsa/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rsa/Makefile
+# OpenSSL/crypto/rsa/Makefile
 #
 
 DIR=	rsa
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -24,10 +19,10 @@ APPS=
 LIB=$(TOP)/libcrypto.a
 LIBSRC= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c \
 	rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_null.c \
-	rsa_asn1.c
+	rsa_pss.c rsa_x931.c rsa_asn1.c rsa_depr.c
 LIBOBJ= rsa_eay.o rsa_gen.o rsa_lib.o rsa_sign.o rsa_saos.o rsa_err.o \
 	rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o rsa_null.o \
-	rsa_asn1.o
+	rsa_pss.o rsa_x931.o rsa_asn1.o rsa_depr.o
 
 SRC= $(LIBSRC)
 
@@ -55,7 +50,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -70,6 +66,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -99,6 +96,15 @@ rsa_chk.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_chk.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 rsa_chk.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 rsa_chk.o: rsa_chk.c
+rsa_depr.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_depr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_depr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_depr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rsa_depr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_depr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_depr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_depr.o: ../cryptlib.h rsa_depr.c
 rsa_eay.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_eay.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_eay.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -109,13 +115,12 @@ rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rsa_eay.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_eay.c
 rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-rsa_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-rsa_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-rsa_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-rsa_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rsa_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rsa_err.o: rsa_err.c
+rsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+rsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+rsa_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rsa_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
+rsa_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_err.o: ../../include/openssl/symhacks.h rsa_err.c
 rsa_gen.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -128,14 +133,13 @@ rsa_gen.o: ../cryptlib.h rsa_gen.c
 rsa_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rsa_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 rsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
 rsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 rsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 rsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 rsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 rsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rsa_lib.o: ../../include/openssl/ui.h ../cryptlib.h rsa_lib.c
+rsa_lib.o: ../cryptlib.h rsa_lib.c
 rsa_none.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_none.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_none.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -154,26 +158,17 @@ rsa_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_null.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_null.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rsa_null.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_null.c
-rsa_oaep.o: ../../e_os.h ../../include/openssl/aes.h
-rsa_oaep.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-rsa_oaep.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-rsa_oaep.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-rsa_oaep.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-rsa_oaep.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-rsa_oaep.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-rsa_oaep.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-rsa_oaep.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-rsa_oaep.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-rsa_oaep.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+rsa_oaep.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_oaep.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_oaep.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_oaep.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_oaep.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 rsa_oaep.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 rsa_oaep.o: ../../include/openssl/opensslconf.h
 rsa_oaep.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rsa_oaep.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-rsa_oaep.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-rsa_oaep.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+rsa_oaep.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_oaep.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 rsa_oaep.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rsa_oaep.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 rsa_oaep.o: ../cryptlib.h rsa_oaep.c
 rsa_pk1.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_pk1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
@@ -184,48 +179,43 @@ rsa_pk1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_pk1.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_pk1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rsa_pk1.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_pk1.c
-rsa_saos.o: ../../e_os.h ../../include/openssl/aes.h
-rsa_saos.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-rsa_saos.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-rsa_saos.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-rsa_saos.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-rsa_saos.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-rsa_saos.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+rsa_pss.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_pss.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_pss.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_pss.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_pss.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+rsa_pss.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rsa_pss.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rsa_pss.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+rsa_pss.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_pss.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rsa_pss.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_pss.c
+rsa_saos.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_saos.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_saos.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_saos.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+rsa_saos.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 rsa_saos.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-rsa_saos.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-rsa_saos.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-rsa_saos.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-rsa_saos.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-rsa_saos.o: ../../include/openssl/opensslconf.h
+rsa_saos.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rsa_saos.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 rsa_saos.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rsa_saos.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-rsa_saos.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-rsa_saos.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+rsa_saos.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 rsa_saos.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 rsa_saos.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rsa_saos.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 rsa_saos.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 rsa_saos.o: ../cryptlib.h rsa_saos.c
-rsa_sign.o: ../../e_os.h ../../include/openssl/aes.h
-rsa_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-rsa_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-rsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-rsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-rsa_sign.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-rsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+rsa_sign.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+rsa_sign.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 rsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-rsa_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-rsa_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-rsa_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-rsa_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-rsa_sign.o: ../../include/openssl/opensslconf.h
+rsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rsa_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 rsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rsa_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-rsa_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-rsa_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+rsa_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 rsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 rsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rsa_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 rsa_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 rsa_sign.o: ../cryptlib.h rsa_sign.c
 rsa_ssl.o: ../../e_os.h ../../include/openssl/asn1.h
@@ -237,3 +227,13 @@ rsa_ssl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_ssl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_ssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rsa_ssl.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_ssl.c
+rsa_x931.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_x931.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_x931.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_x931.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_x931.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rsa_x931.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_x931.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_x931.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+rsa_x931.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_x931.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_x931.c
diff --git a/crypto/openssl/crypto/rsa/rsa.h b/crypto/openssl/crypto/rsa/rsa.h
index fc3bb5f86de2..d302254bb1b1 100644
--- a/crypto/openssl/crypto/rsa/rsa.h
+++ b/crypto/openssl/crypto/rsa/rsa.h
@@ -64,25 +64,25 @@
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
-#include <openssl/bn.h>
 #include <openssl/crypto.h>
 #include <openssl/ossl_typ.h>
+#ifndef OPENSSL_NO_DEPRECATED
+#include <openssl/bn.h>
+#endif
 
 #ifdef OPENSSL_NO_RSA
 #error RSA is disabled.
 #endif
 
-#if defined(OPENSSL_FIPS)
-#define FIPS_RSA_SIZE_T	int
-#endif
-
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-typedef struct rsa_st RSA;
+/* Declared already in ossl_typ.h */
+/* typedef struct rsa_st RSA; */
+/* typedef struct rsa_meth_st RSA_METHOD; */
 
-typedef struct rsa_meth_st
+struct rsa_meth_st
 	{
 	const char *name;
 	int (*rsa_pub_enc)(int flen,const unsigned char *from,
@@ -97,7 +97,7 @@ typedef struct rsa_meth_st
 	int (*rsa_priv_dec)(int flen,const unsigned char *from,
 			    unsigned char *to,
 			    RSA *rsa,int padding);
-	int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa); /* Can be null */
+	int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa,BN_CTX *ctx); /* Can be null */
 	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 			  const BIGNUM *m, BN_CTX *ctx,
 			  BN_MONT_CTX *m_ctx); /* Can be null */
@@ -118,8 +118,12 @@ typedef struct rsa_meth_st
 	int (*rsa_verify)(int dtype,
 		const unsigned char *m, unsigned int m_length,
 		unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
-
-	} RSA_METHOD;
+/* If this callback is NULL, the builtin software RSA key-gen will be used. This
+ * is for behavioural compatibility whilst the code gets rewired, but one day
+ * it would be nice to assume there are no such things as "builtin software"
+ * implementations. */
+	int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
+	};
 
 struct rsa_st
 	{
@@ -152,38 +156,47 @@ struct rsa_st
 	 * NULL */
 	char *bignum_data;
 	BN_BLINDING *blinding;
+	BN_BLINDING *mt_blinding;
 	};
 
 #define RSA_3	0x3L
 #define RSA_F4	0x10001L
 
-#define RSA_METHOD_FLAG_NO_CHECK	0x01 /* don't check pub/private match */
+#define RSA_METHOD_FLAG_NO_CHECK	0x0001 /* don't check pub/private match */
 
-#define RSA_FLAG_CACHE_PUBLIC		0x02
-#define RSA_FLAG_CACHE_PRIVATE		0x04
-#define RSA_FLAG_BLINDING		0x08
-#define RSA_FLAG_THREAD_SAFE		0x10
+#define RSA_FLAG_CACHE_PUBLIC		0x0002
+#define RSA_FLAG_CACHE_PRIVATE		0x0004
+#define RSA_FLAG_BLINDING		0x0008
+#define RSA_FLAG_THREAD_SAFE		0x0010
 /* This flag means the private key operations will be handled by rsa_mod_exp
  * and that they do not depend on the private key components being present:
  * for example a key stored in external hardware. Without this flag bn_mod_exp
  * gets called when private key components are absent.
  */
-#define RSA_FLAG_EXT_PKEY		0x20
+#define RSA_FLAG_EXT_PKEY		0x0020
 
 /* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
  */
-#define RSA_FLAG_SIGN_VER		0x40
-
-#define RSA_FLAG_NO_BLINDING		0x80 /* new with 0.9.6j and 0.9.7b; the built-in
-                                              * RSA implementation now uses blinding by
-                                              * default (ignoring RSA_FLAG_BLINDING),
-                                              * but other engines might not need it
-                                              */
+#define RSA_FLAG_SIGN_VER		0x0040
+
+#define RSA_FLAG_NO_BLINDING		0x0080 /* new with 0.9.6j and 0.9.7b; the built-in
+                                                * RSA implementation now uses blinding by
+                                                * default (ignoring RSA_FLAG_BLINDING),
+                                                * but other engines might not need it
+                                                */
+#define RSA_FLAG_NO_EXP_CONSTTIME	0x0100 /* new with 0.9.7h; the built-in RSA
+                                                * implementation now uses constant time
+                                                * modular exponentiation for secret exponents
+                                                * by default. This flag causes the
+                                                * faster variable sliding window method to
+                                                * be used for all exponents.
+                                                */
 
 #define RSA_PKCS1_PADDING	1
 #define RSA_SSLV23_PADDING	2
 #define RSA_NO_PADDING		3
 #define RSA_PKCS1_OAEP_PADDING	4
+#define RSA_X931_PADDING	5
 
 #define RSA_PKCS1_PADDING_SIZE	11
 
@@ -193,8 +206,16 @@ struct rsa_st
 RSA *	RSA_new(void);
 RSA *	RSA_new_method(ENGINE *engine);
 int	RSA_size(const RSA *);
+
+/* Deprecated version */
+#ifndef OPENSSL_NO_DEPRECATED
 RSA *	RSA_generate_key(int bits, unsigned long e,void
 		(*callback)(int,int,void *),void *cb_arg);
+#endif /* !defined(OPENSSL_NO_DEPRECATED) */
+
+/* New version */
+int	RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
+
 int	RSA_check_key(const RSA *);
 	/* next 4 return -1 on error */
 int	RSA_public_encrypt(int flen, const unsigned char *from,
@@ -235,11 +256,19 @@ int	RSA_print_fp(FILE *fp, const RSA *r,int offset);
 int	RSA_print(BIO *bp, const RSA *r,int offset);
 #endif
 
-int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey);
-RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length, int (*cb)(), int sgckey);
+int i2d_RSA_NET(const RSA *a, unsigned char **pp,
+		int (*cb)(char *buf, int len, const char *prompt, int verify),
+		int sgckey);
+RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
+		 int (*cb)(char *buf, int len, const char *prompt, int verify),
+		 int sgckey);
 
-int i2d_Netscape_RSA(const RSA *a, unsigned char **pp, int (*cb)());
-RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length, int (*cb)());
+int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
+		     int (*cb)(char *buf, int len, const char *prompt,
+			       int verify));
+RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
+		      int (*cb)(char *buf, int len, const char *prompt,
+				int verify));
 
 /* The following 2 functions sign and verify a X509_SIG ASN1 object
  * inside PKCS#1 padded RSA encryption */
@@ -259,6 +288,7 @@ int RSA_verify_ASN1_OCTET_STRING(int type,
 
 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
 void RSA_blinding_off(RSA *rsa);
+BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx);
 
 int RSA_padding_add_PKCS1_type_1(unsigned char *to,int tlen,
 	const unsigned char *f,int fl);
@@ -268,6 +298,8 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to,int tlen,
 	const unsigned char *f,int fl);
 int RSA_padding_check_PKCS1_type_2(unsigned char *to,int tlen,
 	const unsigned char *f,int fl,int rsa_len);
+int PKCS1_MGF1(unsigned char *mask, long len,
+	const unsigned char *seed, long seedlen, const EVP_MD *dgst);
 int RSA_padding_add_PKCS1_OAEP(unsigned char *to,int tlen,
 	const unsigned char *f,int fl,
 	const unsigned char *p,int pl);
@@ -282,6 +314,17 @@ int RSA_padding_add_none(unsigned char *to,int tlen,
 	const unsigned char *f,int fl);
 int RSA_padding_check_none(unsigned char *to,int tlen,
 	const unsigned char *f,int fl,int rsa_len);
+int RSA_padding_add_X931(unsigned char *to,int tlen,
+	const unsigned char *f,int fl);
+int RSA_padding_check_X931(unsigned char *to,int tlen,
+	const unsigned char *f,int fl,int rsa_len);
+int RSA_X931_hash_id(int nid);
+
+int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
+			const EVP_MD *Hash, const unsigned char *EM, int sLen);
+int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
+			const unsigned char *mHash,
+			const EVP_MD *Hash, int sLen);
 
 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
@@ -301,30 +344,42 @@ void ERR_load_RSA_strings(void);
 
 /* Function codes. */
 #define RSA_F_MEMORY_LOCK				 100
+#define RSA_F_RSA_BUILTIN_KEYGEN			 129
 #define RSA_F_RSA_CHECK_KEY				 123
 #define RSA_F_RSA_EAY_PRIVATE_DECRYPT			 101
 #define RSA_F_RSA_EAY_PRIVATE_ENCRYPT			 102
 #define RSA_F_RSA_EAY_PUBLIC_DECRYPT			 103
 #define RSA_F_RSA_EAY_PUBLIC_ENCRYPT			 104
 #define RSA_F_RSA_GENERATE_KEY				 105
+#define RSA_F_RSA_MEMORY_LOCK				 130
 #define RSA_F_RSA_NEW_METHOD				 106
 #define RSA_F_RSA_NULL					 124
+#define RSA_F_RSA_NULL_MOD_EXP				 131
+#define RSA_F_RSA_NULL_PRIVATE_DECRYPT			 132
+#define RSA_F_RSA_NULL_PRIVATE_ENCRYPT			 133
+#define RSA_F_RSA_NULL_PUBLIC_DECRYPT			 134
+#define RSA_F_RSA_NULL_PUBLIC_ENCRYPT			 135
 #define RSA_F_RSA_PADDING_ADD_NONE			 107
 #define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP		 121
+#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS			 125
 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1		 108
 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2		 109
 #define RSA_F_RSA_PADDING_ADD_SSLV23			 110
+#define RSA_F_RSA_PADDING_ADD_X931			 127
 #define RSA_F_RSA_PADDING_CHECK_NONE			 111
 #define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP		 122
 #define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1		 112
 #define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2		 113
 #define RSA_F_RSA_PADDING_CHECK_SSLV23			 114
+#define RSA_F_RSA_PADDING_CHECK_X931			 128
 #define RSA_F_RSA_PRINT					 115
 #define RSA_F_RSA_PRINT_FP				 116
+#define RSA_F_RSA_SETUP_BLINDING			 136
 #define RSA_F_RSA_SIGN					 117
 #define RSA_F_RSA_SIGN_ASN1_OCTET_STRING		 118
 #define RSA_F_RSA_VERIFY				 119
 #define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING		 120
+#define RSA_F_RSA_VERIFY_PKCS1_PSS			 126
 
 /* Reason codes. */
 #define RSA_R_ALGORITHM_MISMATCH			 100
@@ -344,9 +399,15 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_DMP1_NOT_CONGRUENT_TO_D			 124
 #define RSA_R_DMQ1_NOT_CONGRUENT_TO_D			 125
 #define RSA_R_D_E_NOT_CONGRUENT_TO_1			 123
+#define RSA_R_FIRST_OCTET_INVALID			 133
+#define RSA_R_INVALID_HEADER				 137
 #define RSA_R_INVALID_MESSAGE_LENGTH			 131
+#define RSA_R_INVALID_PADDING				 138
+#define RSA_R_INVALID_TRAILER				 139
 #define RSA_R_IQMP_NOT_INVERSE_OF_Q			 126
 #define RSA_R_KEY_SIZE_TOO_SMALL			 120
+#define RSA_R_LAST_OCTET_INVALID			 134
+#define RSA_R_NO_PUBLIC_EXPONENT			 140
 #define RSA_R_NULL_BEFORE_BLOCK_MISSING			 113
 #define RSA_R_N_DOES_NOT_EQUAL_P_Q			 127
 #define RSA_R_OAEP_DECODING_ERROR			 121
@@ -354,6 +415,8 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_P_NOT_PRIME				 128
 #define RSA_R_Q_NOT_PRIME				 129
 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED		 130
+#define RSA_R_SLEN_CHECK_FAILED				 136
+#define RSA_R_SLEN_RECOVERY_FAILED			 135
 #define RSA_R_SSLV3_ROLLBACK_ATTACK			 115
 #define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
 #define RSA_R_UNKNOWN_ALGORITHM_TYPE			 117
diff --git a/crypto/openssl/crypto/rsa/rsa_asn1.c b/crypto/openssl/crypto/rsa/rsa_asn1.c
index 1455a7e0e42b..bbbf26d50ed6 100644
--- a/crypto/openssl/crypto/rsa/rsa_asn1.c
+++ b/crypto/openssl/crypto/rsa/rsa_asn1.c
@@ -63,10 +63,10 @@
 #include <openssl/asn1t.h>
 
 static ASN1_METHOD method={
-        (int (*)())  i2d_RSAPrivateKey,
-        (char *(*)())d2i_RSAPrivateKey,
-        (char *(*)())RSA_new,
-        (void (*)()) RSA_free};
+        (I2D_OF(void))     i2d_RSAPrivateKey,
+        (D2I_OF(void))     d2i_RSAPrivateKey,
+        (void *(*)(void))  RSA_new,
+        (void (*)(void *)) RSA_free};
 
 ASN1_METHOD *RSAPrivateKey_asn1_meth(void)
 	{
diff --git a/crypto/openssl/crypto/rsa/rsa_chk.c b/crypto/openssl/crypto/rsa/rsa_chk.c
index 002f2cb48722..9d848db8c6c7 100644
--- a/crypto/openssl/crypto/rsa/rsa_chk.c
+++ b/crypto/openssl/crypto/rsa/rsa_chk.c
@@ -75,7 +75,7 @@ int RSA_check_key(const RSA *key)
 		}
 	
 	/* p prime? */
-	r = BN_is_prime(key->p, BN_prime_checks, NULL, NULL, NULL);
+	r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
 	if (r != 1)
 		{
 		ret = r;
@@ -85,7 +85,7 @@ int RSA_check_key(const RSA *key)
 		}
 	
 	/* q prime? */
-	r = BN_is_prime(key->q, BN_prime_checks, NULL, NULL, NULL);
+	r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
 	if (r != 1)
 		{
 		ret = r;
diff --git a/crypto/openssl/crypto/rsa/rsa_depr.c b/crypto/openssl/crypto/rsa/rsa_depr.c
new file mode 100644
index 000000000000..a859ded987a2
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_depr.c
@@ -0,0 +1,101 @@
+/* crypto/rsa/rsa_depr.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NB: This file contains deprecated functions (compatibility wrappers to the
+ * "new" versions). */
+
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+
+#ifdef OPENSSL_NO_DEPRECATED
+
+static void *dummy=&dummy;
+
+#else
+
+RSA *RSA_generate_key(int bits, unsigned long e_value,
+	     void (*callback)(int,int,void *), void *cb_arg)
+	{
+	BN_GENCB cb;
+	int i;
+	RSA *rsa = RSA_new();
+	BIGNUM *e = BN_new();
+
+	if(!rsa || !e) goto err;
+
+	/* The problem is when building with 8, 16, or 32 BN_ULONG,
+	 * unsigned long can be larger */
+	for (i=0; i<(int)sizeof(unsigned long)*8; i++)
+		{
+		if (e_value & (1UL<<i))
+			if (BN_set_bit(e,i) == 0)
+				goto err;
+		}
+
+	BN_GENCB_set_old(&cb, callback, cb_arg);
+
+	if(RSA_generate_key_ex(rsa, bits, e, &cb)) {
+		BN_free(e);
+		return rsa;
+	}
+err:
+	if(e) BN_free(e);
+	if(rsa) RSA_free(rsa);
+	return 0;
+	}
+#endif
diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c
index d4caab3f9538..56da94484599 100644
--- a/crypto/openssl/crypto/rsa/rsa_eay.c
+++ b/crypto/openssl/crypto/rsa/rsa_eay.c
@@ -55,6 +55,59 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include "cryptlib.h"
@@ -62,7 +115,7 @@
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
 
-#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS)
+#ifndef RSA_NULL
 
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
 		unsigned char *to, RSA *rsa,int padding);
@@ -72,7 +125,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
 		unsigned char *to, RSA *rsa,int padding);
 static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 		unsigned char *to, RSA *rsa,int padding);
-static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa);
+static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
 static int RSA_eay_init(RSA *rsa);
 static int RSA_eay_finish(RSA *rsa);
 static RSA_METHOD rsa_pkcs1_eay_meth={
@@ -88,7 +141,8 @@ static RSA_METHOD rsa_pkcs1_eay_meth={
 	0, /* flags */
 	NULL,
 	0, /* rsa_sign */
-	0  /* rsa_verify */
+	0, /* rsa_verify */
+	NULL /* rsa_keygen */
 	};
 
 const RSA_METHOD *RSA_PKCS1_SSLeay(void)
@@ -96,19 +150,31 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
 	return(&rsa_pkcs1_eay_meth);
 	}
 
+/* Usage example;
+ *    MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+ */
+#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \
+	if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \
+			!BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \
+				CRYPTO_LOCK_RSA, \
+				(rsa)->m, (ctx))) \
+		err_instr
+
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
 	     unsigned char *to, RSA *rsa, int padding)
 	{
-	BIGNUM f,ret;
+	BIGNUM *f,*ret;
 	int i,j,k,num=0,r= -1;
 	unsigned char *buf=NULL;
 	BN_CTX *ctx=NULL;
 
-	BN_init(&f);
-	BN_init(&ret);
 	if ((ctx=BN_CTX_new()) == NULL) goto err;
+	BN_CTX_start(ctx);
+	f = BN_CTX_get(ctx);
+	ret = BN_CTX_get(ctx);
 	num=BN_num_bytes(rsa->n);
-	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
+	buf = OPENSSL_malloc(num);
+	if (!f || !ret || !buf)
 		{
 		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
 		goto err;
@@ -136,54 +202,34 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
 		}
 	if (i <= 0) goto err;
 
-	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
+	if (BN_bin2bn(buf,num,f) == NULL) goto err;
 	
-	if (BN_ucmp(&f, rsa->n) >= 0)
+	if (BN_ucmp(f, rsa->n) >= 0)
 		{	
 		/* usually the padding functions would catch this */
 		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
 		goto err;
 		}
 
-	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
-		{
-		BN_MONT_CTX* bn_mont_ctx;
-		if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
-			goto err;
-		if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
-			{
-			BN_MONT_CTX_free(bn_mont_ctx);
-			goto err;
-			}
-		if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
-			{
-			CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-			if (rsa->_method_mod_n == NULL)
-				{
-				rsa->_method_mod_n = bn_mont_ctx;
-				bn_mont_ctx = NULL;
-				}
-			CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-			}
-		if (bn_mont_ctx)
-			BN_MONT_CTX_free(bn_mont_ctx);
-		}
-		
-	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
+	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+
+	if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
 		rsa->_method_mod_n)) goto err;
 
 	/* put in leading 0 bytes if the number is less than the
 	 * length of the modulus */
-	j=BN_num_bytes(&ret);
-	i=BN_bn2bin(&ret,&(to[num-j]));
+	j=BN_num_bytes(ret);
+	i=BN_bn2bin(ret,&(to[num-j]));
 	for (k=0; k<(num-i); k++)
 		to[k]=0;
 
 	r=num;
 err:
-	if (ctx != NULL) BN_CTX_free(ctx);
-	BN_clear_free(&f);
-	BN_clear_free(&ret);
+	if (ctx != NULL)
+		{
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
+		}
 	if (buf != NULL) 
 		{
 		OPENSSL_cleanse(buf,num);
@@ -192,76 +238,92 @@ err:
 	return(r);
 	}
 
-static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
-	{
-	int ret = 1;
-	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-	/* Check again inside the lock - the macro's check is racey */
-	if(rsa->blinding == NULL)
-		ret = RSA_blinding_on(rsa, ctx);
-	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-	return ret;
-	}
+static BN_BLINDING *rsa_get_blinding(RSA *rsa, BIGNUM **r, int *local, BN_CTX *ctx)
+{
+	BN_BLINDING *ret;
 
-#define BLINDING_HELPER(rsa, ctx, err_instr) \
-	do { \
-		if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
-		    ((rsa)->blinding == NULL) && \
-		    !rsa_eay_blinding(rsa, ctx)) \
-		    err_instr \
-	} while(0)
+	if (rsa->blinding == NULL)
+		{
+		if (rsa->blinding == NULL)
+			{
+			CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+			if (rsa->blinding == NULL)
+				rsa->blinding = RSA_setup_blinding(rsa, ctx);
+			CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+			}
+		}
 
-static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx)
-	{
-	BIGNUM *A, *Ai;
-	BN_BLINDING *ret = NULL;
+	ret = rsa->blinding;
+	if (ret == NULL)
+		return NULL;
 
-	/* added in OpenSSL 0.9.6j and 0.9.7b */
+	if (BN_BLINDING_get_thread_id(ret) != CRYPTO_thread_id())
+		{
+		*local = 0;
+		if (rsa->mt_blinding == NULL)
+			{
+			CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+			if (rsa->mt_blinding == NULL)
+				rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
+			CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+			}
+		ret = rsa->mt_blinding;
+		}
+	else
+		*local = 1;
 
-	/* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
-	 * this should be placed in a new function of its own, but for reasons
-	 * of binary compatibility can't */
+	return ret;
+}
 
-	BN_CTX_start(ctx);
-	A = BN_CTX_get(ctx);
-	if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f,
+	BIGNUM *r, BN_CTX *ctx)
+{
+	if (local)
+		return BN_BLINDING_convert_ex(f, NULL, b, ctx);
+	else
 		{
-		/* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
-		RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
-		if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+		int ret;
+		CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING);
+		ret = BN_BLINDING_convert_ex(f, r, b, ctx);
+		CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
+		return ret;
 		}
+}
+
+static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
+	BIGNUM *r, BN_CTX *ctx)
+{
+	if (local)
+		return BN_BLINDING_invert_ex(f, NULL, b, ctx);
 	else
 		{
-		if (!BN_rand_range(A,rsa->n)) goto err;
+		int ret;
+		CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
+		ret = BN_BLINDING_invert_ex(f, r, b, ctx);
+		CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
+		return ret;
 		}
-	if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
-
-	if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
-		goto err;
-	ret = BN_BLINDING_new(A,Ai,rsa->n);
-	BN_free(Ai);
-err:
-	BN_CTX_end(ctx);
-	return ret;
-	}
+}
 
 /* signing */
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 	     unsigned char *to, RSA *rsa, int padding)
 	{
-	BIGNUM f,ret;
+	BIGNUM *f, *ret, *br, *res;
 	int i,j,k,num=0,r= -1;
 	unsigned char *buf=NULL;
 	BN_CTX *ctx=NULL;
 	int local_blinding = 0;
 	BN_BLINDING *blinding = NULL;
 
-	BN_init(&f);
-	BN_init(&ret);
-
 	if ((ctx=BN_CTX_new()) == NULL) goto err;
-	num=BN_num_bytes(rsa->n);
-	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
+	BN_CTX_start(ctx);
+	f   = BN_CTX_get(ctx);
+	br  = BN_CTX_get(ctx);
+	ret = BN_CTX_get(ctx);
+	num = BN_num_bytes(rsa->n);
+	buf = OPENSSL_malloc(num);
+	if(!f || !ret || !buf)
 		{
 		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
 		goto err;
@@ -272,6 +334,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 	case RSA_PKCS1_PADDING:
 		i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
 		break;
+	case RSA_X931_PADDING:
+		i=RSA_padding_add_X931(buf,num,from,flen);
+		break;
 	case RSA_NO_PADDING:
 		i=RSA_padding_add_none(buf,num,from,flen);
 		break;
@@ -282,26 +347,18 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 		}
 	if (i <= 0) goto err;
 
-	if (BN_bin2bn(buf,num,&f) == NULL) goto err;
+	if (BN_bin2bn(buf,num,f) == NULL) goto err;
 	
-	if (BN_ucmp(&f, rsa->n) >= 0)
+	if (BN_ucmp(f, rsa->n) >= 0)
 		{	
 		/* usually the padding functions would catch this */
 		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
 		goto err;
 		}
 
-	BLINDING_HELPER(rsa, ctx, goto err;);
-	blinding = rsa->blinding;
-	
-	/* Now unless blinding is disabled, 'blinding' is non-NULL.
-	 * But the BN_BLINDING object may be owned by some other thread
-	 * (we don't want to keep it constant and we don't want to use
-	 * lots of locking to avoid race conditions, so only a single
-	 * thread can use it; other threads have to use local blinding
-	 * factors) */
 	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
 		{
+		blinding = rsa_get_blinding(rsa, &br, &local_blinding, ctx);
 		if (blinding == NULL)
 			{
 			RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
@@ -310,20 +367,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 		}
 	
 	if (blinding != NULL)
-		{
-		if (blinding->thread_id != CRYPTO_thread_id())
-			{
-			/* we need a local one-time blinding factor */
-
-			blinding = setup_blinding(rsa, ctx);
-			if (blinding == NULL)
-				goto err;
-			local_blinding = 1;
-			}
-		}
-
-	if (blinding)
-		if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
+		if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
+			goto err;
 
 	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
 		((rsa->p != NULL) &&
@@ -331,29 +376,58 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 		(rsa->dmp1 != NULL) &&
 		(rsa->dmq1 != NULL) &&
 		(rsa->iqmp != NULL)) )
-		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+		{ 
+		if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
+		}
 	else
 		{
-		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
+		BIGNUM local_d;
+		BIGNUM *d = NULL;
+		
+		if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+			{
+			BN_init(&local_d);
+			d = &local_d;
+			BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+			}
+		else
+			d = rsa->d;
+
+		MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+
+		if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
+				rsa->_method_mod_n)) goto err;
 		}
 
 	if (blinding)
-		if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
+		if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
+			goto err;
+
+	if (padding == RSA_X931_PADDING)
+		{
+		BN_sub(f, rsa->n, ret);
+		if (BN_cmp(ret, f))
+			res = f;
+		else
+			res = ret;
+		}
+	else
+		res = ret;
 
 	/* put in leading 0 bytes if the number is less than the
 	 * length of the modulus */
-	j=BN_num_bytes(&ret);
-	i=BN_bn2bin(&ret,&(to[num-j]));
+	j=BN_num_bytes(res);
+	i=BN_bn2bin(res,&(to[num-j]));
 	for (k=0; k<(num-i); k++)
 		to[k]=0;
 
 	r=num;
 err:
-	if (ctx != NULL) BN_CTX_free(ctx);
-	BN_clear_free(&ret);
-	BN_clear_free(&f);
-	if (local_blinding)
-		BN_BLINDING_free(blinding);
+	if (ctx != NULL)
+		{
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
+		}
 	if (buf != NULL)
 		{
 		OPENSSL_cleanse(buf,num);
@@ -365,7 +439,7 @@ err:
 static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 	     unsigned char *to, RSA *rsa, int padding)
 	{
-	BIGNUM f,ret;
+	BIGNUM *f, *ret, *br;
 	int j,num=0,r= -1;
 	unsigned char *p;
 	unsigned char *buf=NULL;
@@ -373,14 +447,14 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 	int local_blinding = 0;
 	BN_BLINDING *blinding = NULL;
 
-	BN_init(&f);
-	BN_init(&ret);
-	ctx=BN_CTX_new();
-	if (ctx == NULL) goto err;
-
-	num=BN_num_bytes(rsa->n);
-
-	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
+	if((ctx = BN_CTX_new()) == NULL) goto err;
+	BN_CTX_start(ctx);
+	f   = BN_CTX_get(ctx);
+	br  = BN_CTX_get(ctx);
+	ret = BN_CTX_get(ctx);
+	num = BN_num_bytes(rsa->n);
+	buf = OPENSSL_malloc(num);
+	if(!f || !ret || !buf)
 		{
 		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
 		goto err;
@@ -395,25 +469,17 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 		}
 
 	/* make data into a big number */
-	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
+	if (BN_bin2bn(from,(int)flen,f) == NULL) goto err;
 
-	if (BN_ucmp(&f, rsa->n) >= 0)
+	if (BN_ucmp(f, rsa->n) >= 0)
 		{
 		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
 		goto err;
 		}
 
-	BLINDING_HELPER(rsa, ctx, goto err;);
-	blinding = rsa->blinding;
-	
-	/* Now unless blinding is disabled, 'blinding' is non-NULL.
-	 * But the BN_BLINDING object may be owned by some other thread
-	 * (we don't want to keep it constant and we don't want to use
-	 * lots of locking to avoid race conditions, so only a single
-	 * thread can use it; other threads have to use local blinding
-	 * factors) */
 	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
 		{
+		blinding = rsa_get_blinding(rsa, &br, &local_blinding, ctx);
 		if (blinding == NULL)
 			{
 			RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
@@ -422,20 +488,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 		}
 	
 	if (blinding != NULL)
-		{
-		if (blinding->thread_id != CRYPTO_thread_id())
-			{
-			/* we need a local one-time blinding factor */
-
-			blinding = setup_blinding(rsa, ctx);
-			if (blinding == NULL)
-				goto err;
-			local_blinding = 1;
-			}
-		}
-
-	if (blinding)
-		if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
+		if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
+			goto err;
 
 	/* do the decrypt */
 	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -444,18 +498,34 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 		(rsa->dmp1 != NULL) &&
 		(rsa->dmq1 != NULL) &&
 		(rsa->iqmp != NULL)) )
-		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+		{
+		if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;
+		}
 	else
 		{
-		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
-			goto err;
+		BIGNUM local_d;
+		BIGNUM *d = NULL;
+		
+		if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+			{
+			d = &local_d;
+			BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+			}
+		else
+			d = rsa->d;
+
+		MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+		if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
+				rsa->_method_mod_n))
+		  goto err;
 		}
 
 	if (blinding)
-		if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
+		if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
+			goto err;
 
 	p=buf;
-	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
+	j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */
 
 	switch (padding)
 		{
@@ -481,11 +551,11 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
 
 err:
-	if (ctx != NULL) BN_CTX_free(ctx);
-	BN_clear_free(&f);
-	BN_clear_free(&ret);
-	if (local_blinding)
-		BN_BLINDING_free(blinding);
+	if (ctx != NULL)
+		{
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
+		}
 	if (buf != NULL)
 		{
 		OPENSSL_cleanse(buf,num);
@@ -498,20 +568,19 @@ err:
 static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
 	     unsigned char *to, RSA *rsa, int padding)
 	{
-	BIGNUM f,ret;
+	BIGNUM *f,*ret;
 	int i,num=0,r= -1;
 	unsigned char *p;
 	unsigned char *buf=NULL;
 	BN_CTX *ctx=NULL;
 
-	BN_init(&f);
-	BN_init(&ret);
-	ctx=BN_CTX_new();
-	if (ctx == NULL) goto err;
-
+	if((ctx = BN_CTX_new()) == NULL) goto err;
+	BN_CTX_start(ctx);
+	f = BN_CTX_get(ctx);
+	ret = BN_CTX_get(ctx);
 	num=BN_num_bytes(rsa->n);
-	buf=(unsigned char *)OPENSSL_malloc(num);
-	if (buf == NULL)
+	buf = OPENSSL_malloc(num);
+	if(!f || !ret || !buf)
 		{
 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
 		goto err;
@@ -525,50 +594,33 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
 		goto err;
 		}
 
-	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
+	if (BN_bin2bn(from,flen,f) == NULL) goto err;
 
-	if (BN_ucmp(&f, rsa->n) >= 0)
+	if (BN_ucmp(f, rsa->n) >= 0)
 		{
 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
 		goto err;
 		}
 
-	/* do the decrypt */
-	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
-		{
-		BN_MONT_CTX* bn_mont_ctx;
-		if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
-			goto err;
-		if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
-			{
-			BN_MONT_CTX_free(bn_mont_ctx);
-			goto err;
-			}
-		if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
-			{
-			CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-			if (rsa->_method_mod_n == NULL)
-				{
-				rsa->_method_mod_n = bn_mont_ctx;
-				bn_mont_ctx = NULL;
-				}
-			CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-			}
-		if (bn_mont_ctx)
-			BN_MONT_CTX_free(bn_mont_ctx);
-		}
-		
-	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
+	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+
+	if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
 		rsa->_method_mod_n)) goto err;
 
+	if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
+		BN_sub(ret, rsa->n, ret);
+
 	p=buf;
-	i=BN_bn2bin(&ret,p);
+	i=BN_bn2bin(ret,p);
 
 	switch (padding)
 		{
 	case RSA_PKCS1_PADDING:
 		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
 		break;
+	case RSA_X931_PADDING:
+		r=RSA_padding_check_X931(to,num,buf,i,num);
+		break;
 	case RSA_NO_PADDING:
 		r=RSA_padding_check_none(to,num,buf,i,num);
 		break;
@@ -580,9 +632,11 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
 
 err:
-	if (ctx != NULL) BN_CTX_free(ctx);
-	BN_clear_free(&f);
-	BN_clear_free(&ret);
+	if (ctx != NULL)
+		{
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
+		}
 	if (buf != NULL)
 		{
 		OPENSSL_cleanse(buf,num);
@@ -591,84 +645,52 @@ err:
 	return(r);
 	}
 
-static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 	{
-	BIGNUM r1,m1,vrfy;
+	BIGNUM *r1,*m1,*vrfy;
+	BIGNUM local_dmp1, local_dmq1;
+	BIGNUM *dmp1, *dmq1;
 	int ret=0;
-	BN_CTX *ctx;
 
-	BN_init(&m1);
-	BN_init(&r1);
-	BN_init(&vrfy);
-	if ((ctx=BN_CTX_new()) == NULL) goto err;
+	BN_CTX_start(ctx);
+	r1 = BN_CTX_get(ctx);
+	m1 = BN_CTX_get(ctx);
+	vrfy = BN_CTX_get(ctx);
 
-	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
-		{
-		if (rsa->_method_mod_p == NULL)
-			{
-			BN_MONT_CTX* bn_mont_ctx;
-			if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
-				goto err;
-			if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
-				{
-				BN_MONT_CTX_free(bn_mont_ctx);
-				goto err;
-				}
-			if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
-				{
-				CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-				if (rsa->_method_mod_p == NULL)
-					{
-					rsa->_method_mod_p = bn_mont_ctx;
-					bn_mont_ctx = NULL;
-					}
-				CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-				}
-			if (bn_mont_ctx)
-				BN_MONT_CTX_free(bn_mont_ctx);
-			}
+	MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+	MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 
-		if (rsa->_method_mod_q == NULL)
-			{
-			BN_MONT_CTX* bn_mont_ctx;
-			if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
-				goto err;
-			if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
-				{
-				BN_MONT_CTX_free(bn_mont_ctx);
-				goto err;
-				}
-			if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
-				{
-				CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-				if (rsa->_method_mod_q == NULL)
-					{
-					rsa->_method_mod_q = bn_mont_ctx;
-					bn_mont_ctx = NULL;
-					}
-				CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-				}
-			if (bn_mont_ctx)
-				BN_MONT_CTX_free(bn_mont_ctx);
-			}
+	if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
+	if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+		{
+		dmq1 = &local_dmq1;
+		BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME);
 		}
-		
-	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
-	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
+	else
+		dmq1 = rsa->dmq1;
+	if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
 		rsa->_method_mod_q)) goto err;
 
-	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
-	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
+	if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
+	if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+		{
+		dmp1 = &local_dmp1;
+		BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME);
+		}
+	else
+		dmp1 = rsa->dmp1;
+	if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
 		rsa->_method_mod_p)) goto err;
 
-	if (!BN_sub(r0,r0,&m1)) goto err;
+	if (!BN_sub(r0,r0,m1)) goto err;
 	/* This will help stop the size of r0 increasing, which does
 	 * affect the multiply if it optimised for a power of 2 size */
-	if (r0->neg)
+	if (BN_is_negative(r0))
 		if (!BN_add(r0,r0,rsa->p)) goto err;
 
-	if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
-	if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
+	if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
+	if (!BN_mod(r0,r1,rsa->p,ctx)) goto err;
 	/* If p < q it is occasionally possible for the correction of
          * adding 'p' if r0 is negative above to leave the result still
 	 * negative. This can break the private key operations: the following
@@ -676,34 +698,45 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 	 * This will *never* happen with OpenSSL generated keys because
          * they ensure p > q [steve]
          */
-	if (r0->neg)
+	if (BN_is_negative(r0))
 		if (!BN_add(r0,r0,rsa->p)) goto err;
-	if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
-	if (!BN_add(r0,&r1,&m1)) goto err;
+	if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
+	if (!BN_add(r0,r1,m1)) goto err;
 
 	if (rsa->e && rsa->n)
 		{
-		if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err;
+		if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err;
 		/* If 'I' was greater than (or equal to) rsa->n, the operation
 		 * will be equivalent to using 'I mod n'. However, the result of
 		 * the verify will *always* be less than 'n' so we don't check
 		 * for absolute equality, just congruency. */
-		if (!BN_sub(&vrfy, &vrfy, I)) goto err;
-		if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err;
-		if (vrfy.neg)
-			if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
-		if (!BN_is_zero(&vrfy))
+		if (!BN_sub(vrfy, vrfy, I)) goto err;
+		if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
+		if (BN_is_negative(vrfy))
+			if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
+		if (!BN_is_zero(vrfy))
+			{
 			/* 'I' and 'vrfy' aren't congruent mod n. Don't leak
 			 * miscalculated CRT output, just do a raw (slower)
 			 * mod_exp and return that instead. */
-			if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
+
+			BIGNUM local_d;
+			BIGNUM *d = NULL;
+		
+			if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+				{
+				d = &local_d;
+				BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+				}
+			else
+				d = rsa->d;
+			if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
+						   rsa->_method_mod_n)) goto err;
+			}
 		}
 	ret=1;
 err:
-	BN_clear_free(&m1);
-	BN_clear_free(&r1);
-	BN_clear_free(&vrfy);
-	BN_CTX_free(ctx);
+	BN_CTX_end(ctx);
 	return(ret);
 	}
 
diff --git a/crypto/openssl/crypto/rsa/rsa_err.c b/crypto/openssl/crypto/rsa/rsa_err.c
index a7766c3b762e..f82b2d6ad994 100644
--- a/crypto/openssl/crypto/rsa/rsa_err.c
+++ b/crypto/openssl/crypto/rsa/rsa_err.c
@@ -1,6 +1,6 @@
 /* crypto/rsa/rsa_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,70 +64,94 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason)
+
 static ERR_STRING_DATA RSA_str_functs[]=
 	{
-{ERR_PACK(0,RSA_F_MEMORY_LOCK,0),	"MEMORY_LOCK"},
-{ERR_PACK(0,RSA_F_RSA_CHECK_KEY,0),	"RSA_check_key"},
-{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_DECRYPT,0),	"RSA_EAY_PRIVATE_DECRYPT"},
-{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_ENCRYPT,0),	"RSA_EAY_PRIVATE_ENCRYPT"},
-{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_DECRYPT,0),	"RSA_EAY_PUBLIC_DECRYPT"},
-{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_ENCRYPT,0),	"RSA_EAY_PUBLIC_ENCRYPT"},
-{ERR_PACK(0,RSA_F_RSA_GENERATE_KEY,0),	"RSA_generate_key"},
-{ERR_PACK(0,RSA_F_RSA_NEW_METHOD,0),	"RSA_new_method"},
-{ERR_PACK(0,RSA_F_RSA_NULL,0),	"RSA_NULL"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_NONE,0),	"RSA_padding_add_none"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,0),	"RSA_padding_add_PKCS1_OAEP"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,0),	"RSA_padding_add_PKCS1_type_1"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,0),	"RSA_padding_add_PKCS1_type_2"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_SSLV23,0),	"RSA_padding_add_SSLv23"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_NONE,0),	"RSA_padding_check_none"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,0),	"RSA_padding_check_PKCS1_OAEP"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,0),	"RSA_padding_check_PKCS1_type_1"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,0),	"RSA_padding_check_PKCS1_type_2"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_SSLV23,0),	"RSA_padding_check_SSLv23"},
-{ERR_PACK(0,RSA_F_RSA_PRINT,0),	"RSA_print"},
-{ERR_PACK(0,RSA_F_RSA_PRINT_FP,0),	"RSA_print_fp"},
-{ERR_PACK(0,RSA_F_RSA_SIGN,0),	"RSA_sign"},
-{ERR_PACK(0,RSA_F_RSA_SIGN_ASN1_OCTET_STRING,0),	"RSA_sign_ASN1_OCTET_STRING"},
-{ERR_PACK(0,RSA_F_RSA_VERIFY,0),	"RSA_verify"},
-{ERR_PACK(0,RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,0),	"RSA_verify_ASN1_OCTET_STRING"},
+{ERR_FUNC(RSA_F_MEMORY_LOCK),	"MEMORY_LOCK"},
+{ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN),	"RSA_BUILTIN_KEYGEN"},
+{ERR_FUNC(RSA_F_RSA_CHECK_KEY),	"RSA_check_key"},
+{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT),	"RSA_EAY_PRIVATE_DECRYPT"},
+{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT),	"RSA_EAY_PRIVATE_ENCRYPT"},
+{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT),	"RSA_EAY_PUBLIC_DECRYPT"},
+{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT),	"RSA_EAY_PUBLIC_ENCRYPT"},
+{ERR_FUNC(RSA_F_RSA_GENERATE_KEY),	"RSA_generate_key"},
+{ERR_FUNC(RSA_F_RSA_MEMORY_LOCK),	"RSA_memory_lock"},
+{ERR_FUNC(RSA_F_RSA_NEW_METHOD),	"RSA_new_method"},
+{ERR_FUNC(RSA_F_RSA_NULL),	"RSA_NULL"},
+{ERR_FUNC(RSA_F_RSA_NULL_MOD_EXP),	"RSA_NULL_MOD_EXP"},
+{ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_DECRYPT),	"RSA_NULL_PRIVATE_DECRYPT"},
+{ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_ENCRYPT),	"RSA_NULL_PRIVATE_ENCRYPT"},
+{ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_DECRYPT),	"RSA_NULL_PUBLIC_DECRYPT"},
+{ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_ENCRYPT),	"RSA_NULL_PUBLIC_ENCRYPT"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE),	"RSA_padding_add_none"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP),	"RSA_padding_add_PKCS1_OAEP"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS),	"RSA_padding_add_PKCS1_PSS"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1),	"RSA_padding_add_PKCS1_type_1"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2),	"RSA_padding_add_PKCS1_type_2"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23),	"RSA_padding_add_SSLv23"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_X931),	"RSA_padding_add_X931"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_NONE),	"RSA_padding_check_none"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP),	"RSA_padding_check_PKCS1_OAEP"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1),	"RSA_padding_check_PKCS1_type_1"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2),	"RSA_padding_check_PKCS1_type_2"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23),	"RSA_padding_check_SSLv23"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931),	"RSA_padding_check_X931"},
+{ERR_FUNC(RSA_F_RSA_PRINT),	"RSA_print"},
+{ERR_FUNC(RSA_F_RSA_PRINT_FP),	"RSA_PRINT_FP"},
+{ERR_FUNC(RSA_F_RSA_SETUP_BLINDING),	"RSA_setup_blinding"},
+{ERR_FUNC(RSA_F_RSA_SIGN),	"RSA_sign"},
+{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING),	"RSA_sign_ASN1_OCTET_STRING"},
+{ERR_FUNC(RSA_F_RSA_VERIFY),	"RSA_verify"},
+{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING),	"RSA_verify_ASN1_OCTET_STRING"},
+{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS),	"RSA_verify_PKCS1_PSS"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA RSA_str_reasons[]=
 	{
-{RSA_R_ALGORITHM_MISMATCH                ,"algorithm mismatch"},
-{RSA_R_BAD_E_VALUE                       ,"bad e value"},
-{RSA_R_BAD_FIXED_HEADER_DECRYPT          ,"bad fixed header decrypt"},
-{RSA_R_BAD_PAD_BYTE_COUNT                ,"bad pad byte count"},
-{RSA_R_BAD_SIGNATURE                     ,"bad signature"},
-{RSA_R_BLOCK_TYPE_IS_NOT_01              ,"block type is not 01"},
-{RSA_R_BLOCK_TYPE_IS_NOT_02              ,"block type is not 02"},
-{RSA_R_DATA_GREATER_THAN_MOD_LEN         ,"data greater than mod len"},
-{RSA_R_DATA_TOO_LARGE                    ,"data too large"},
-{RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE       ,"data too large for key size"},
-{RSA_R_DATA_TOO_LARGE_FOR_MODULUS        ,"data too large for modulus"},
-{RSA_R_DATA_TOO_SMALL                    ,"data too small"},
-{RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE       ,"data too small for key size"},
-{RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY        ,"digest too big for rsa key"},
-{RSA_R_DMP1_NOT_CONGRUENT_TO_D           ,"dmp1 not congruent to d"},
-{RSA_R_DMQ1_NOT_CONGRUENT_TO_D           ,"dmq1 not congruent to d"},
-{RSA_R_D_E_NOT_CONGRUENT_TO_1            ,"d e not congruent to 1"},
-{RSA_R_INVALID_MESSAGE_LENGTH            ,"invalid message length"},
-{RSA_R_IQMP_NOT_INVERSE_OF_Q             ,"iqmp not inverse of q"},
-{RSA_R_KEY_SIZE_TOO_SMALL                ,"key size too small"},
-{RSA_R_NULL_BEFORE_BLOCK_MISSING         ,"null before block missing"},
-{RSA_R_N_DOES_NOT_EQUAL_P_Q              ,"n does not equal p q"},
-{RSA_R_OAEP_DECODING_ERROR               ,"oaep decoding error"},
-{RSA_R_PADDING_CHECK_FAILED              ,"padding check failed"},
-{RSA_R_P_NOT_PRIME                       ,"p not prime"},
-{RSA_R_Q_NOT_PRIME                       ,"q not prime"},
-{RSA_R_RSA_OPERATIONS_NOT_SUPPORTED      ,"rsa operations not supported"},
-{RSA_R_SSLV3_ROLLBACK_ATTACK             ,"sslv3 rollback attack"},
-{RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"},
-{RSA_R_UNKNOWN_ALGORITHM_TYPE            ,"unknown algorithm type"},
-{RSA_R_UNKNOWN_PADDING_TYPE              ,"unknown padding type"},
-{RSA_R_WRONG_SIGNATURE_LENGTH            ,"wrong signature length"},
+{ERR_REASON(RSA_R_ALGORITHM_MISMATCH)    ,"algorithm mismatch"},
+{ERR_REASON(RSA_R_BAD_E_VALUE)           ,"bad e value"},
+{ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT),"bad fixed header decrypt"},
+{ERR_REASON(RSA_R_BAD_PAD_BYTE_COUNT)    ,"bad pad byte count"},
+{ERR_REASON(RSA_R_BAD_SIGNATURE)         ,"bad signature"},
+{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_01)  ,"block type is not 01"},
+{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_02)  ,"block type is not 02"},
+{ERR_REASON(RSA_R_DATA_GREATER_THAN_MOD_LEN),"data greater than mod len"},
+{ERR_REASON(RSA_R_DATA_TOO_LARGE)        ,"data too large"},
+{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
+{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS),"data too large for modulus"},
+{ERR_REASON(RSA_R_DATA_TOO_SMALL)        ,"data too small"},
+{ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE),"data too small for key size"},
+{ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY),"digest too big for rsa key"},
+{ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D),"dmp1 not congruent to d"},
+{ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D),"dmq1 not congruent to d"},
+{ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1),"d e not congruent to 1"},
+{ERR_REASON(RSA_R_FIRST_OCTET_INVALID)   ,"first octet invalid"},
+{ERR_REASON(RSA_R_INVALID_HEADER)        ,"invalid header"},
+{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"},
+{ERR_REASON(RSA_R_INVALID_PADDING)       ,"invalid padding"},
+{ERR_REASON(RSA_R_INVALID_TRAILER)       ,"invalid trailer"},
+{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
+{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL)    ,"key size too small"},
+{ERR_REASON(RSA_R_LAST_OCTET_INVALID)    ,"last octet invalid"},
+{ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT)    ,"no public exponent"},
+{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
+{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q)  ,"n does not equal p q"},
+{ERR_REASON(RSA_R_OAEP_DECODING_ERROR)   ,"oaep decoding error"},
+{ERR_REASON(RSA_R_PADDING_CHECK_FAILED)  ,"padding check failed"},
+{ERR_REASON(RSA_R_P_NOT_PRIME)           ,"p not prime"},
+{ERR_REASON(RSA_R_Q_NOT_PRIME)           ,"q not prime"},
+{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
+{ERR_REASON(RSA_R_SLEN_CHECK_FAILED)     ,"salt length check failed"},
+{ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED)  ,"salt length recovery failed"},
+{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"},
+{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
+{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"},
+{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE)  ,"unknown padding type"},
+{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
 {0,NULL}
 	};
 
@@ -141,8 +165,8 @@ void ERR_load_RSA_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_RSA,RSA_str_functs);
-		ERR_load_strings(ERR_LIB_RSA,RSA_str_reasons);
+		ERR_load_strings(0,RSA_str_functs);
+		ERR_load_strings(0,RSA_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/rsa/rsa_gen.c b/crypto/openssl/crypto/rsa/rsa_gen.c
index adb5e34da56c..742f8b18e5ad 100644
--- a/crypto/openssl/crypto/rsa/rsa_gen.c
+++ b/crypto/openssl/crypto/rsa/rsa_gen.c
@@ -56,26 +56,40 @@
  * [including the GNU Public Licence.]
  */
 
+
+/* NB: these functions have been "upgraded", the deprecated versions (which are
+ * compatibility wrappers using these functions) are in rsa_depr.c.
+ * - Geoff
+ */
+
 #include <stdio.h>
 #include <time.h>
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 
-#ifndef OPENSSL_FIPS
+static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
+
+/* NB: this wrapper would normally be placed in rsa_lib.c and the static
+ * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so
+ * that we don't introduce a new linker dependency. Eg. any application that
+ * wasn't previously linking object code related to key-generation won't have to
+ * now just because key-generation is part of RSA_METHOD. */
+int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
+	{
+	if(rsa->meth->rsa_keygen)
+		return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
+	return rsa_builtin_keygen(rsa, bits, e_value, cb);
+	}
 
-RSA *RSA_generate_key(int bits, unsigned long e_value,
-	     void (*callback)(int,int,void *), void *cb_arg)
+static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 	{
-	RSA *rsa=NULL;
 	BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
-	int bitsp,bitsq,ok= -1,n=0,i;
-	BN_CTX *ctx=NULL,*ctx2=NULL;
+	int bitsp,bitsq,ok= -1,n=0;
+	BN_CTX *ctx=NULL;
 
 	ctx=BN_CTX_new();
 	if (ctx == NULL) goto err;
-	ctx2=BN_CTX_new();
-	if (ctx2 == NULL) goto err;
 	BN_CTX_start(ctx);
 	r0 = BN_CTX_get(ctx);
 	r1 = BN_CTX_get(ctx);
@@ -85,49 +99,58 @@ RSA *RSA_generate_key(int bits, unsigned long e_value,
 
 	bitsp=(bits+1)/2;
 	bitsq=bits-bitsp;
-	rsa=RSA_new();
-	if (rsa == NULL) goto err;
 
-	/* set e */ 
-	rsa->e=BN_new();
-	if (rsa->e == NULL) goto err;
+	/* We need the RSA components non-NULL */
+	if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err;
+	if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err;
+	if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err;
+	if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err;
+	if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err;
+	if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err;
+	if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;
+	if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;
 
-#if 1
-	/* The problem is when building with 8, 16, or 32 BN_ULONG,
-	 * unsigned long can be larger */
-	for (i=0; i<sizeof(unsigned long)*8; i++)
-		{
-		if (e_value & (1UL<<i))
-			BN_set_bit(rsa->e,i);
-		}
-#else
-	if (!BN_set_word(rsa->e,e_value)) goto err;
-#endif
+	BN_copy(rsa->e, e_value);
 
 	/* generate p and q */
 	for (;;)
 		{
-		rsa->p=BN_generate_prime(NULL,bitsp,0,NULL,NULL,callback,cb_arg);
-		if (rsa->p == NULL) goto err;
+		if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
+			goto err;
 		if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
 		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
 		if (BN_is_one(r1)) break;
-		if (callback != NULL) callback(2,n++,cb_arg);
-		BN_free(rsa->p);
+		if(!BN_GENCB_call(cb, 2, n++))
+			goto err;
 		}
-	if (callback != NULL) callback(3,0,cb_arg);
+	if(!BN_GENCB_call(cb, 3, 0))
+		goto err;
 	for (;;)
 		{
-		rsa->q=BN_generate_prime(NULL,bitsq,0,NULL,NULL,callback,cb_arg);
-		if (rsa->q == NULL) goto err;
+		/* When generating ridiculously small keys, we can get stuck
+		 * continually regenerating the same prime values. Check for
+		 * this and bail if it happens 3 times. */
+		unsigned int degenerate = 0;
+		do
+			{
+			if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
+				goto err;
+			} while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
+		if(degenerate == 3)
+			{
+			ok = 0; /* we set our own err */
+			RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL);
+			goto err;
+			}
 		if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
 		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
-		if (BN_is_one(r1) && (BN_cmp(rsa->p,rsa->q) != 0))
+		if (BN_is_one(r1))
 			break;
-		if (callback != NULL) callback(2,n++,cb_arg);
-		BN_free(rsa->q);
+		if(!BN_GENCB_call(cb, 2, n++))
+			goto err;
 		}
-	if (callback != NULL) callback(3,1,cb_arg);
+	if(!BN_GENCB_call(cb, 3, 1))
+		goto err;
 	if (BN_cmp(rsa->p,rsa->q) < 0)
 		{
 		tmp=rsa->p;
@@ -136,65 +159,36 @@ RSA *RSA_generate_key(int bits, unsigned long e_value,
 		}
 
 	/* calculate n */
-	rsa->n=BN_new();
-	if (rsa->n == NULL) goto err;
 	if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
 
 	/* calculate d */
 	if (!BN_sub(r1,rsa->p,BN_value_one())) goto err;	/* p-1 */
 	if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;	/* q-1 */
 	if (!BN_mul(r0,r1,r2,ctx)) goto err;	/* (p-1)(q-1) */
-
-/* should not be needed, since gcd(p-1,e) == 1 and gcd(q-1,e) == 1 */
-/*	for (;;)
-		{
-		if (!BN_gcd(r3,r0,rsa->e,ctx)) goto err;
-		if (BN_is_one(r3)) break;
-
-		if (1)
-			{
-			if (!BN_add_word(rsa->e,2L)) goto err;
-			continue;
-			}
-		RSAerr(RSA_F_RSA_GENERATE_KEY,RSA_R_BAD_E_VALUE);
-		goto err;
-		}
-*/
-	rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2);	/* d */
-	if (rsa->d == NULL) goto err;
+	if (!BN_mod_inverse(rsa->d,rsa->e,r0,ctx)) goto err;	/* d */
 
 	/* calculate d mod (p-1) */
-	rsa->dmp1=BN_new();
-	if (rsa->dmp1 == NULL) goto err;
 	if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) goto err;
 
 	/* calculate d mod (q-1) */
-	rsa->dmq1=BN_new();
-	if (rsa->dmq1 == NULL) goto err;
 	if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) goto err;
 
 	/* calculate inverse of q mod p */
-	rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
-	if (rsa->iqmp == NULL) goto err;
+	if (!BN_mod_inverse(rsa->iqmp,rsa->q,rsa->p,ctx)) goto err;
 
 	ok=1;
 err:
 	if (ok == -1)
 		{
-		RSAerr(RSA_F_RSA_GENERATE_KEY,ERR_LIB_BN);
+		RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN);
 		ok=0;
 		}
-	BN_CTX_end(ctx);
-	BN_CTX_free(ctx);
-	BN_CTX_free(ctx2);
-	
-	if (!ok)
+	if (ctx != NULL)
 		{
-		if (rsa != NULL) RSA_free(rsa);
-		return(NULL);
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
 		}
-	else
-		return(rsa);
+
+	return ok;
 	}
 
-#endif
diff --git a/crypto/openssl/crypto/rsa/rsa_lib.c b/crypto/openssl/crypto/rsa/rsa_lib.c
index e4d622851eed..66cd15ff6d90 100644
--- a/crypto/openssl/crypto/rsa/rsa_lib.c
+++ b/crypto/openssl/crypto/rsa/rsa_lib.c
@@ -179,6 +179,7 @@ RSA *RSA_new_method(ENGINE *engine)
 	ret->_method_mod_p=NULL;
 	ret->_method_mod_q=NULL;
 	ret->blinding=NULL;
+	ret->mt_blinding=NULL;
 	ret->bignum_data=NULL;
 	ret->flags=ret->meth->flags;
 	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
@@ -232,6 +233,7 @@ void RSA_free(RSA *r)
 	if (r->dmq1 != NULL) BN_clear_free(r->dmq1);
 	if (r->iqmp != NULL) BN_clear_free(r->iqmp);
 	if (r->blinding != NULL) BN_BLINDING_free(r->blinding);
+	if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding);
 	if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data);
 	OPENSSL_free(r);
 	}
@@ -314,59 +316,107 @@ void RSA_blinding_off(RSA *rsa)
 	rsa->flags |= RSA_FLAG_NO_BLINDING;
 	}
 
-int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
+int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
 	{
-	BIGNUM *A,*Ai = NULL;
-	BN_CTX *ctx;
 	int ret=0;
 
-	if (p_ctx == NULL)
+	if (rsa->blinding != NULL)
+		RSA_blinding_off(rsa);
+
+	rsa->blinding = RSA_setup_blinding(rsa, ctx);
+	if (rsa->blinding == NULL)
+		goto err;
+
+	rsa->flags |= RSA_FLAG_BLINDING;
+	rsa->flags &= ~RSA_FLAG_NO_BLINDING;
+	ret=1;
+err:
+	return(ret);
+	}
+
+static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
+	const BIGNUM *q, BN_CTX *ctx)
+{
+	BIGNUM *ret = NULL, *r0, *r1, *r2;
+
+	if (d == NULL || p == NULL || q == NULL)
+		return NULL;
+
+	BN_CTX_start(ctx);
+	r0 = BN_CTX_get(ctx);
+	r1 = BN_CTX_get(ctx);
+	r2 = BN_CTX_get(ctx);
+	if (r2 == NULL)
+		goto err;
+
+	if (!BN_sub(r1, p, BN_value_one())) goto err;
+	if (!BN_sub(r2, q, BN_value_one())) goto err;
+	if (!BN_mul(r0, r1, r2, ctx)) goto err;
+
+	ret = BN_mod_inverse(NULL, d, r0, ctx);
+err:
+	BN_CTX_end(ctx);
+	return ret;
+}
+
+BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
+{
+	BIGNUM *e;
+	BN_CTX *ctx;
+	BN_BLINDING *ret = NULL;
+
+	if (in_ctx == NULL)
 		{
-		if ((ctx=BN_CTX_new()) == NULL) goto err;
+		if ((ctx = BN_CTX_new()) == NULL) return 0;
 		}
 	else
-		ctx=p_ctx;
+		ctx = in_ctx;
 
-	/* XXXXX: Shouldn't this be RSA_blinding_off(rsa)? */
-	if (rsa->blinding != NULL)
+	BN_CTX_start(ctx);
+	e  = BN_CTX_get(ctx);
+	if (e == NULL)
 		{
-		BN_BLINDING_free(rsa->blinding);
-		rsa->blinding = NULL;
+		RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
+		goto err;
 		}
 
-	/* NB: similar code appears in setup_blinding (rsa_eay.c);
-	 * this should be placed in a new function of its own, but for reasons
-	 * of binary compatibility can't */
-
-	BN_CTX_start(ctx);
-	A = BN_CTX_get(ctx);
-	if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+	if (rsa->e == NULL)
 		{
-		/* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
-		RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
-		if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+		e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
+		if (e == NULL)
+			{
+			RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
+			goto err;
+			}
 		}
 	else
+		e = rsa->e;
+
+	
+	if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
 		{
-		if (!BN_rand_range(A,rsa->n)) goto err;
+		/* if PRNG is not properly seeded, resort to secret
+		 * exponent as unpredictable seed */
+		RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
 		}
-	if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
 
-	if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
+	ret = BN_BLINDING_create_param(NULL, e, rsa->n, ctx,
+			rsa->meth->bn_mod_exp, rsa->_method_mod_n);
+	if (ret == NULL)
+		{
+		RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
 		goto err;
-	if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err;
-	/* to make things thread-safe without excessive locking,
-	 * rsa->blinding will be used just by the current thread: */
-	rsa->blinding->thread_id = CRYPTO_thread_id();
-	rsa->flags |= RSA_FLAG_BLINDING;
-	rsa->flags &= ~RSA_FLAG_NO_BLINDING;
-	ret=1;
+		}
+	BN_BLINDING_set_thread_id(ret, CRYPTO_thread_id());
 err:
-	if (Ai != NULL) BN_free(Ai);
 	BN_CTX_end(ctx);
-	if (ctx != p_ctx) BN_CTX_free(ctx);
-	return(ret);
-	}
+	if (in_ctx == NULL)
+		BN_CTX_free(ctx);
+	if(rsa->e == NULL)
+		BN_free(e);
+
+	return ret;
+}
 
 int RSA_memory_lock(RSA *r)
 	{
@@ -389,7 +439,7 @@ int RSA_memory_lock(RSA *r)
 		j+= (*t[i])->top;
 	if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL)
 		{
-		RSAerr(RSA_F_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
+		RSAerr(RSA_F_RSA_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
 		return(0);
 		}
 	bn=(BIGNUM *)p;
diff --git a/crypto/openssl/crypto/rsa/rsa_null.c b/crypto/openssl/crypto/rsa/rsa_null.c
index 64057fbdcf7b..491572c82bdc 100644
--- a/crypto/openssl/crypto/rsa/rsa_null.c
+++ b/crypto/openssl/crypto/rsa/rsa_null.c
@@ -94,6 +94,9 @@ static RSA_METHOD rsa_null_meth={
 	RSA_null_finish,
 	0,
 	NULL,
+	NULL,
+	NULL,
+	NULL
 	};
 
 const RSA_METHOD *RSA_null_method(void)
@@ -104,35 +107,35 @@ const RSA_METHOD *RSA_null_method(void)
 static int RSA_null_public_encrypt(int flen, const unsigned char *from,
 	     unsigned char *to, RSA *rsa, int padding)
 	{
-	RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+	RSAerr(RSA_F_RSA_NULL_PUBLIC_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
 	return -1;
 	}
 
 static int RSA_null_private_encrypt(int flen, const unsigned char *from,
 	     unsigned char *to, RSA *rsa, int padding)
 	{
-	RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+	RSAerr(RSA_F_RSA_NULL_PRIVATE_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
 	return -1;
 	}
 
 static int RSA_null_private_decrypt(int flen, const unsigned char *from,
 	     unsigned char *to, RSA *rsa, int padding)
 	{
-	RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+	RSAerr(RSA_F_RSA_NULL_PRIVATE_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
 	return -1;
 	}
 
 static int RSA_null_public_decrypt(int flen, const unsigned char *from,
 	     unsigned char *to, RSA *rsa, int padding)
 	{
-	RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+	RSAerr(RSA_F_RSA_NULL_PUBLIC_DECRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
 	return -1;
 	}
 
 #if 0 /* not currently used */
 static int RSA_null_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
 	{
-	RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+	...err(RSA_F_RSA_NULL_MOD_EXP, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
 	return -1;
 	}
 #endif
@@ -146,5 +149,3 @@ static int RSA_null_finish(RSA *rsa)
 	{
 	return(1);
 	}
-
-
diff --git a/crypto/openssl/crypto/rsa/rsa_oaep.c b/crypto/openssl/crypto/rsa/rsa_oaep.c
index e3f7c608ec8c..45d6f6ef8a5e 100644
--- a/crypto/openssl/crypto/rsa/rsa_oaep.c
+++ b/crypto/openssl/crypto/rsa/rsa_oaep.c
@@ -122,7 +122,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
 	db = OPENSSL_malloc(dblen);
 	if (db == NULL)
 		{
-		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
 		return -1;
 		}
 
@@ -170,28 +170,30 @@ decoding_err:
 	return -1;
 	}
 
-int MGF1(unsigned char *mask, long len,
-	const unsigned char *seed, long seedlen)
+int PKCS1_MGF1(unsigned char *mask, long len,
+	const unsigned char *seed, long seedlen, const EVP_MD *dgst)
 	{
 	long i, outlen = 0;
 	unsigned char cnt[4];
 	EVP_MD_CTX c;
-	unsigned char md[SHA_DIGEST_LENGTH];
+	unsigned char md[EVP_MAX_MD_SIZE];
+	int mdlen;
 
 	EVP_MD_CTX_init(&c);
+	mdlen = EVP_MD_size(dgst);
 	for (i = 0; outlen < len; i++)
 		{
 		cnt[0] = (unsigned char)((i >> 24) & 255);
 		cnt[1] = (unsigned char)((i >> 16) & 255);
 		cnt[2] = (unsigned char)((i >> 8)) & 255;
 		cnt[3] = (unsigned char)(i & 255);
-		EVP_DigestInit_ex(&c,EVP_sha1(), NULL);
+		EVP_DigestInit_ex(&c,dgst, NULL);
 		EVP_DigestUpdate(&c, seed, seedlen);
 		EVP_DigestUpdate(&c, cnt, 4);
-		if (outlen + SHA_DIGEST_LENGTH <= len)
+		if (outlen + mdlen <= len)
 			{
 			EVP_DigestFinal_ex(&c, mask + outlen, NULL);
-			outlen += SHA_DIGEST_LENGTH;
+			outlen += mdlen;
 			}
 		else
 			{
@@ -203,4 +205,9 @@ int MGF1(unsigned char *mask, long len,
 	EVP_MD_CTX_cleanup(&c);
 	return 0;
 	}
+
+int MGF1(unsigned char *mask, long len, const unsigned char *seed, long seedlen)
+	{
+	return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
+	}
 #endif
diff --git a/crypto/openssl/crypto/rsa/rsa_pss.c b/crypto/openssl/crypto/rsa/rsa_pss.c
new file mode 100644
index 000000000000..e19d18c5b937
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_pss.c
@@ -0,0 +1,269 @@
+/* rsa_pss.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/sha.h>
+
+static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
+
+#if defined(_MSC_VER) && defined(_ARM_)
+#pragma optimize("g", off)
+#endif
+
+int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
+			const EVP_MD *Hash, const unsigned char *EM, int sLen)
+	{
+	int i;
+	int ret = 0;
+	int hLen, maskedDBLen, MSBits, emLen;
+	const unsigned char *H;
+	unsigned char *DB = NULL;
+	EVP_MD_CTX ctx;
+	unsigned char H_[EVP_MAX_MD_SIZE];
+
+	hLen = EVP_MD_size(Hash);
+	/*
+	 * Negative sLen has special meanings:
+	 *	-1	sLen == hLen
+	 *	-2	salt length is autorecovered from signature
+	 *	-N	reserved
+	 */
+	if      (sLen == -1)	sLen = hLen;
+	else if (sLen == -2)	sLen = -2;
+	else if (sLen < -2)
+		{
+		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
+		goto err;
+		}
+
+	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
+	emLen = RSA_size(rsa);
+	if (EM[0] & (0xFF << MSBits))
+		{
+		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID);
+		goto err;
+		}
+	if (MSBits == 0)
+		{
+		EM++;
+		emLen--;
+		}
+	if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
+		{
+		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE);
+		goto err;
+		}
+	if (EM[emLen - 1] != 0xbc)
+		{
+		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID);
+		goto err;
+		}
+	maskedDBLen = emLen - hLen - 1;
+	H = EM + maskedDBLen;
+	DB = OPENSSL_malloc(maskedDBLen);
+	if (!DB)
+		{
+		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash);
+	for (i = 0; i < maskedDBLen; i++)
+		DB[i] ^= EM[i];
+	if (MSBits)
+		DB[0] &= 0xFF >> (8 - MSBits);
+	for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
+	if (DB[i++] != 0x1)
+		{
+		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED);
+		goto err;
+		}
+	if (sLen >= 0 && (maskedDBLen - i) != sLen)
+		{
+		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
+		goto err;
+		}
+	EVP_MD_CTX_init(&ctx);
+	EVP_DigestInit_ex(&ctx, Hash, NULL);
+	EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
+	EVP_DigestUpdate(&ctx, mHash, hLen);
+	if (maskedDBLen - i)
+		EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i);
+	EVP_DigestFinal(&ctx, H_, NULL);
+	EVP_MD_CTX_cleanup(&ctx);
+	if (memcmp(H_, H, hLen))
+		{
+		RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE);
+		ret = 0;
+		}
+	else 
+		ret = 1;
+
+	err:
+	if (DB)
+		OPENSSL_free(DB);
+
+	return ret;
+
+	}
+
+int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
+			const unsigned char *mHash,
+			const EVP_MD *Hash, int sLen)
+	{
+	int i;
+	int ret = 0;
+	int hLen, maskedDBLen, MSBits, emLen;
+	unsigned char *H, *salt = NULL, *p;
+	EVP_MD_CTX ctx;
+
+	hLen = EVP_MD_size(Hash);
+	/*
+	 * Negative sLen has special meanings:
+	 *	-1	sLen == hLen
+	 *	-2	salt length is maximized
+	 *	-N	reserved
+	 */
+	if      (sLen == -1)	sLen = hLen;
+	else if (sLen == -2)	sLen = -2;
+	else if (sLen < -2)
+		{
+		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
+		goto err;
+		}
+
+	MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
+	emLen = RSA_size(rsa);
+	if (MSBits == 0)
+		{
+		*EM++ = 0;
+		emLen--;
+		}
+	if (sLen == -2)
+		{
+		sLen = emLen - hLen - 2;
+		}
+	else if (emLen < (hLen + sLen + 2))
+		{
+		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
+		   RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+		goto err;
+		}
+	if (sLen > 0)
+		{
+		salt = OPENSSL_malloc(sLen);
+		if (!salt)
+			{
+			RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
+		   		ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		if (!RAND_bytes(salt, sLen))
+			goto err;
+		}
+	maskedDBLen = emLen - hLen - 1;
+	H = EM + maskedDBLen;
+	EVP_MD_CTX_init(&ctx);
+	EVP_DigestInit_ex(&ctx, Hash, NULL);
+	EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
+	EVP_DigestUpdate(&ctx, mHash, hLen);
+	if (sLen)
+		EVP_DigestUpdate(&ctx, salt, sLen);
+	EVP_DigestFinal(&ctx, H, NULL);
+	EVP_MD_CTX_cleanup(&ctx);
+
+	/* Generate dbMask in place then perform XOR on it */
+	PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash);
+
+	p = EM;
+
+	/* Initial PS XORs with all zeroes which is a NOP so just update
+	 * pointer. Note from a test above this value is guaranteed to
+	 * be non-negative.
+	 */
+	p += emLen - sLen - hLen - 2;
+	*p++ ^= 0x1;
+	if (sLen > 0)
+		{
+		for (i = 0; i < sLen; i++)
+			*p++ ^= salt[i];
+		}
+	if (MSBits)
+		EM[0] &= 0xFF >> (8 - MSBits);
+
+	/* H is already in place so just set final 0xbc */
+
+	EM[emLen - 1] = 0xbc;
+
+	ret = 1;
+
+	err:
+	if (salt)
+		OPENSSL_free(salt);
+
+	return ret;
+
+	}
+
+#if defined(_MSC_VER)
+#pragma optimize("",on)
+#endif
diff --git a/crypto/openssl/crypto/rsa/rsa_saos.c b/crypto/openssl/crypto/rsa/rsa_saos.c
index f462716a57f2..f98e0a80a6c2 100644
--- a/crypto/openssl/crypto/rsa/rsa_saos.c
+++ b/crypto/openssl/crypto/rsa/rsa_saos.c
@@ -107,7 +107,8 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
 	RSA *rsa)
 	{
 	int i,ret=0;
-	unsigned char *p,*s;
+	unsigned char *s;
+	const unsigned char *p;
 	ASN1_OCTET_STRING *sig=NULL;
 
 	if (siglen != (unsigned int)RSA_size(rsa))
@@ -139,8 +140,11 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
 		ret=1;
 err:
 	if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
-	OPENSSL_cleanse(s,(unsigned int)siglen);
-	OPENSSL_free(s);
+	if (s != NULL)
+		{
+		OPENSSL_cleanse(s,(unsigned int)siglen);
+		OPENSSL_free(s);
+		}
 	return(ret);
 	}
 
diff --git a/crypto/openssl/crypto/rsa/rsa_sign.c b/crypto/openssl/crypto/rsa/rsa_sign.c
index 8a1e642183c4..230ec6d7ea2a 100644
--- a/crypto/openssl/crypto/rsa/rsa_sign.c
+++ b/crypto/openssl/crypto/rsa/rsa_sign.c
@@ -146,7 +146,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
 	     unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
 	{
 	int i,ret=0,sigtype;
-	unsigned char *p,*s;
+	unsigned char *s;
 	X509_SIG *sig=NULL;
 
 	if (siglen != (unsigned int)RSA_size(rsa))
@@ -169,7 +169,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
 		}
 	if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
 			RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
-			return(0);
+			goto err;
 	}
 	i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
 
@@ -181,7 +181,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
 				RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
 		else ret = 1;
 	} else {
-		p=s;
+		const unsigned char *p=s;
 		sig=d2i_X509_SIG(NULL,&p,(long)i);
 
 		if (sig == NULL) goto err;
@@ -222,8 +222,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
 	}
 err:
 	if (sig != NULL) X509_SIG_free(sig);
-	OPENSSL_cleanse(s,(unsigned int)siglen);
-	OPENSSL_free(s);
+	if (s != NULL)
+		{
+		OPENSSL_cleanse(s,(unsigned int)siglen);
+		OPENSSL_free(s);
+		}
 	return(ret);
 	}
 
diff --git a/crypto/openssl/crypto/rsa/rsa_test.c b/crypto/openssl/crypto/rsa/rsa_test.c
index 924e9ad1f6c0..0f8059ccfdfc 100644
--- a/crypto/openssl/crypto/rsa/rsa_test.c
+++ b/crypto/openssl/crypto/rsa/rsa_test.c
@@ -8,6 +8,7 @@
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#include <openssl/bn.h>
 #ifdef OPENSSL_NO_RSA
 int main(int argc, char *argv[])
 {
@@ -227,10 +228,10 @@ int main(int argc, char *argv[])
 
     plen = sizeof(ptext_ex) - 1;
 
-    for (v = 0; v < 3; v++)
+    for (v = 0; v < 6; v++)
 	{
 	key = RSA_new();
-	switch (v) {
+	switch (v%3) {
     case 0:
 	clen = key1(key, ctext_ex);
 	break;
@@ -241,6 +242,7 @@ int main(int argc, char *argv[])
 	clen = key3(key, ctext_ex);
 	break;
 	}
+	if (v/3 > 1) key->flags |= RSA_FLAG_NO_EXP_CONSTTIME;
 
 	num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
 				 RSA_PKCS1_PADDING);
@@ -312,6 +314,9 @@ int main(int argc, char *argv[])
 
     CRYPTO_mem_leaks_fp(stderr);
 
+#ifdef OPENSSL_SYS_NETWARE
+    if (err) printf("ERROR: %d\n", err);
+#endif
     return err;
     }
 #endif
diff --git a/crypto/openssl/crypto/rsa/rsa_x931.c b/crypto/openssl/crypto/rsa/rsa_x931.c
new file mode 100644
index 000000000000..e91865417626
--- /dev/null
+++ b/crypto/openssl/crypto/rsa/rsa_x931.c
@@ -0,0 +1,177 @@
+/* rsa_x931.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+
+int RSA_padding_add_X931(unsigned char *to, int tlen,
+	     const unsigned char *from, int flen)
+	{
+	int j;
+	unsigned char *p;
+
+	/* Absolute minimum amount of padding is 1 header nibble, 1 padding
+	 * nibble and 2 trailer bytes: but 1 hash if is already in 'from'.
+	 */
+
+	j = tlen - flen - 2;
+
+	if (j < 0)
+		{
+		RSAerr(RSA_F_RSA_PADDING_ADD_X931,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+		return -1;
+		}
+	
+	p=(unsigned char *)to;
+
+	/* If no padding start and end nibbles are in one byte */
+	if (j == 0)
+		*p++ = 0x6A;
+	else
+		{
+		*p++ = 0x6B;
+		if (j > 1)
+			{
+			memset(p, 0xBB, j - 1);
+			p += j - 1;
+			}
+		*p++ = 0xBA;
+		}
+	memcpy(p,from,(unsigned int)flen);
+	p += flen;
+	*p = 0xCC;
+	return(1);
+	}
+
+int RSA_padding_check_X931(unsigned char *to, int tlen,
+	     const unsigned char *from, int flen, int num)
+	{
+	int i = 0,j;
+	const unsigned char *p;
+
+	p=from;
+	if ((num != flen) || ((*p != 0x6A) && (*p != 0x6B)))
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_X931,RSA_R_INVALID_HEADER);
+		return -1;
+		}
+
+	if (*p++ == 0x6B)
+		{
+		j=flen-3;
+		for (i = 0; i < j; i++)
+			{
+			unsigned char c = *p++;
+			if (c == 0xBA)
+				break;
+			if (c != 0xBB)
+				{
+				RSAerr(RSA_F_RSA_PADDING_CHECK_X931,
+					RSA_R_INVALID_PADDING);
+				return -1;
+				}
+			}
+
+		j -= i;
+
+		if (i == 0)
+			{
+			RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_PADDING);
+			return -1;
+			}
+
+		}
+	else j = flen - 2;
+
+	if (p[j] != 0xCC)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER);
+		return -1;
+		}
+
+	memcpy(to,p,(unsigned int)j);
+
+	return(j);
+	}
+
+/* Translate between X931 hash ids and NIDs */
+
+int RSA_X931_hash_id(int nid)
+	{
+	switch (nid)
+		{
+		case NID_sha1:
+		return 0x33;
+
+		case NID_sha256:
+		return 0x34;
+
+		case NID_sha384:
+		return 0x36;
+
+		case NID_sha512:
+		return 0x35;
+
+		}
+	return -1;
+	}
+
diff --git a/crypto/openssl/crypto/sha/Makefile b/crypto/openssl/crypto/sha/Makefile
index 2cf0e68f32ba..42a8c5b443be 100644
--- a/crypto/openssl/crypto/sha/Makefile
+++ b/crypto/openssl/crypto/sha/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/sha/Makefile
+# OpenSSL/crypto/sha/Makefile
 #
 
 DIR=    sha
@@ -8,11 +8,6 @@ CC=     cc
 CPP=    $(CC) -E
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile
 AR=             ar r
 
@@ -20,14 +15,15 @@ SHA1_ASM_OBJ=
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 ASFLAGS= $(INCLUDES) $(ASFLAG)
+AFLAGS= $(ASFLAGS)
 
 GENERAL=Makefile
-TEST=shatest.c sha1test.c
+TEST=shatest.c sha1test.c sha256t.c sha512t.c
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC=sha_dgst.c sha1dgst.c sha_one.c sha1_one.c
-LIBOBJ=sha_dgst.o sha1dgst.o sha_one.o sha1_one.o $(SHA1_ASM_OBJ)
+LIBSRC=sha_dgst.c sha1dgst.c sha_one.c sha1_one.c sha256.c sha512.c
+LIBOBJ=sha_dgst.o sha1dgst.o sha_one.o sha1_one.o sha256.o sha512.o $(SHA1_ASM_OBJ)
 
 SRC= $(LIBSRC)
 
@@ -46,20 +42,28 @@ lib:    $(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
 
-# elf
-asm/sx86-elf.s: asm/sha1-586.pl ../perlasm/x86asm.pl
-	(cd asm; $(PERL) sha1-586.pl elf $(CFLAGS) $(PROCESSOR) > sx86-elf.s)
-
+# ELF
+sx86-elf.s: asm/sha1-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) sha1-586.pl elf $(CFLAGS) $(PROCESSOR) > ../$@)
+s512sse2-elf.s:	asm/sha512-sse2.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) sha512-sse2.pl elf $(CFLAGS) $(PROCESSOR) > ../$@)
+# COFF
+sx86-cof.s: asm/sha1-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) sha1-586.pl coff $(CFLAGS) $(PROCESSOR) > ../$@)
+s512sse2-cof.s:     asm/sha512-sse2.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) sha512-sse2.pl coff $(CFLAGS) $(PROCESSOR) > ../$@)
 # a.out
-asm/sx86-out.o: asm/sx86unix.cpp
-	$(CPP) -DOUT asm/sx86unix.cpp | as -o asm/sx86-out.o
-
-# bsdi
-asm/sx86bsdi.o: asm/sx86unix.cpp
-	$(CPP) -DBSDI asm/sx86unix.cpp | sed 's/ :/:/' | as -o asm/sx86bsdi.o
-
-asm/sx86unix.cpp: asm/sha1-586.pl ../perlasm/x86asm.pl
-	(cd asm; $(PERL) sha1-586.pl cpp $(PROCESSOR) >sx86unix.cpp)
+sx86-out.s: asm/sha1-586.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) sha1-586.pl a.out $(CFLAGS) $(PROCESSOR) > ../$@)
+s512sse2-out.s:     asm/sha512-sse2.pl ../perlasm/x86asm.pl
+	(cd asm; $(PERL) sha512-sse2.pl a.out $(CFLAGS) $(PROCESSOR) > ../$@)
+
+sha1-ia64.s:   asm/sha1-ia64.pl
+	(cd asm; $(PERL) sha1-ia64.pl $(CFLAGS) ) > $@
+sha256-ia64.s: asm/sha512-ia64.pl
+	(cd asm; $(PERL) sha512-ia64.pl ../$@ $(CFLAGS))
+sha512-ia64.s: asm/sha512-ia64.pl
+	(cd asm; $(PERL) sha512-ia64.pl ../$@ $(CFLAGS))
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -70,7 +74,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -85,6 +90,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -92,33 +98,37 @@ dclean:
 	mv -f Makefile.new $(MAKEFILE)
 
 clean:
-	rm -f asm/sx86unix.cpp asm/*-elf.* *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
+	rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 sha1_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 sha1_one.o: ../../include/openssl/opensslconf.h
-sha1_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-sha1_one.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-sha1_one.o: ../../include/openssl/symhacks.h sha1_one.c
-sha1dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-sha1dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-sha1dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-sha1dgst.o: ../../include/openssl/opensslconf.h
-sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-sha1dgst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-sha1dgst.o: ../../include/openssl/symhacks.h ../md32_common.h sha1dgst.c
-sha1dgst.o: sha_locl.h
-sha_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-sha_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-sha_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-sha_dgst.o: ../../include/openssl/opensslconf.h
-sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-sha_dgst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-sha_dgst.o: ../../include/openssl/symhacks.h ../md32_common.h sha_dgst.c
-sha_dgst.o: sha_locl.h
+sha1_one.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+sha1_one.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+sha1_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+sha1_one.o: sha1_one.c
+sha1dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
+sha1dgst.o: ../md32_common.h sha1dgst.c sha_locl.h
+sha256.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+sha256.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+sha256.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+sha256.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+sha256.o: ../../include/openssl/symhacks.h ../md32_common.h sha256.c
+sha512.o: ../../e_os.h ../../include/openssl/bio.h
+sha512.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+sha512.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+sha512.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+sha512.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+sha512.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+sha512.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+sha512.o: ../cryptlib.h sha512.c
+sha_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
+sha_dgst.o: ../md32_common.h sha_dgst.c sha_locl.h
 sha_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 sha_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-sha_one.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-sha_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-sha_one.o: sha_one.c
+sha_one.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+sha_one.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+sha_one.o: ../../include/openssl/symhacks.h sha_one.c
diff --git a/crypto/openssl/crypto/sha/asm/sha1-586.pl b/crypto/openssl/crypto/sha/asm/sha1-586.pl
index e00f70955384..4f8521f1e2ca 100644
--- a/crypto/openssl/crypto/sha/asm/sha1-586.pl
+++ b/crypto/openssl/crypto/sha/asm/sha1-586.pl
@@ -9,7 +9,7 @@
 #
 #		compared with original	compared with Intel cc
 #		assembler impl.		generated code
-# Pentium	-25%			+37%
+# Pentium	-16%			+48%
 # PIII/AMD	+8%			+16%
 # P4		+85%(!)			+45%
 #
@@ -104,19 +104,21 @@ sub BODY_00_15
 
 	&comment("00_15 $n");
 
-	&mov($tmp1,$a);
-	 &mov($f,$c);			# f to hold F_00_19(b,c,d)
+	&mov($f,$c);			# f to hold F_00_19(b,c,d)
+	 if ($n==0)  { &mov($tmp1,$a); }
+	 else        { &mov($a,$tmp1); }
 	&rotl($tmp1,5);			# tmp1=ROTATE(a,5)
 	 &xor($f,$d);
 	&and($f,$b);
-	 &rotr($b,2);			# b=ROTATE(b,30)
-	&add($tmp1,$e);			# tmp1+=e;
-	 &mov($e,&swtmp($n));		# e becomes volatile and
+	 &add($tmp1,$e);		# tmp1+=e;
+	&mov($e,&swtmp($n));		# e becomes volatile and
 	 				# is loaded with xi
-	&xor($f,$d);			# f holds F_00_19(b,c,d)
+	 &xor($f,$d);			# f holds F_00_19(b,c,d)
+	&rotr($b,2);			# b=ROTATE(b,30)
 	 &lea($tmp1,&DWP($K,$tmp1,$e,1));# tmp1+=K_00_19+xi
-	
-	&add($f,$tmp1);			# f+=tmp1
+
+	if ($n==15) { &add($f,$tmp1); }	# f+=tmp1
+	else        { &add($tmp1,$f); }
 	}
 
 sub BODY_16_19
@@ -132,15 +134,15 @@ sub BODY_16_19
 	 &xor($tmp1,$d);
 	&xor($f,&swtmp($n2));
 	 &and($tmp1,$b);		# tmp1 holds F_00_19(b,c,d)
-	&xor($f,&swtmp($n3));		# f holds xa^xb^xc^xd
-	 &rotr($b,2);			# b=ROTATE(b,30)
-	&xor($tmp1,$d);			# tmp1=F_00_19(b,c,d)
-	 &rotl($f,1);			# f=ROATE(f,1)
+	&rotr($b,2);			# b=ROTATE(b,30)
+	 &xor($f,&swtmp($n3));		# f holds xa^xb^xc^xd
+	&rotl($f,1);			# f=ROATE(f,1)
+	 &xor($tmp1,$d);		# tmp1=F_00_19(b,c,d)
 	&mov(&swtmp($n0),$f);		# xi=f
 	&lea($f,&DWP($K,$f,$e,1));	# f+=K_00_19+e
 	 &mov($e,$a);			# e becomes volatile
-	&add($f,$tmp1);			# f+=F_00_19(b,c,d)
-	 &rotl($e,5);			# e=ROTATE(a,5)
+	&rotl($e,5);			# e=ROTATE(a,5)
+	 &add($f,$tmp1);		# f+=F_00_19(b,c,d)
 	&add($f,$e);			# f+=ROTATE(a,5)
 	}
 
@@ -151,20 +153,20 @@ sub BODY_20_39
 	&comment("20_39 $n");
 	local($n0,$n1,$n2,$n3,$np)=&Na($n);
 
-	&mov($f,&swtmp($n0));		# f to hold Xupdate(xi,xa,xb,xc,xd)
-	 &mov($tmp1,$b);		# tmp1 to hold F_20_39(b,c,d)
-	&xor($f,&swtmp($n1));
-	 &rotr($b,2);			# b=ROTATE(b,30)
-	&xor($f,&swtmp($n2));
-	 &xor($tmp1,$c);
-	&xor($f,&swtmp($n3));		# f holds xa^xb^xc^xd
-	 &xor($tmp1,$d);		# tmp1 holds F_20_39(b,c,d)
+	&mov($tmp1,$b);			# tmp1 to hold F_20_39(b,c,d)
+	 &mov($f,&swtmp($n0));		# f to hold Xupdate(xi,xa,xb,xc,xd)
+	&rotr($b,2);			# b=ROTATE(b,30)
+	 &xor($f,&swtmp($n1));
+	&xor($tmp1,$c);
+	 &xor($f,&swtmp($n2));
+	&xor($tmp1,$d);			# tmp1 holds F_20_39(b,c,d)
+	 &xor($f,&swtmp($n3));		# f holds xa^xb^xc^xd
 	&rotl($f,1);			# f=ROTATE(f,1)
+	 &add($tmp1,$e);
 	&mov(&swtmp($n0),$f);		# xi=f
-	&lea($f,&DWP($K,$f,$e,1));	# f+=K_20_39+e
 	 &mov($e,$a);			# e becomes volatile
 	&rotl($e,5);			# e=ROTATE(a,5)
-	 &add($f,$tmp1);		# f+=F_20_39(b,c,d)
+	 &lea($f,&DWP($K,$f,$tmp1,1));	# f+=K_20_39+e
 	&add($f,$e);			# f+=ROTATE(a,5)
 	}
 
@@ -176,14 +178,17 @@ sub BODY_40_59
 	local($n0,$n1,$n2,$n3,$np)=&Na($n);
 
 	&mov($f,&swtmp($n0));		# f to hold Xupdate(xi,xa,xb,xc,xd)
+	 &mov($tmp1,&swtmp($n1));
+	&xor($f,$tmp1);
+	 &mov($tmp1,&swtmp($n2));
+	&xor($f,$tmp1);
+	 &mov($tmp1,&swtmp($n3));
+	&xor($f,$tmp1);			# f holds xa^xb^xc^xd
 	 &mov($tmp1,$b);		# tmp1 to hold F_40_59(b,c,d)
-	&xor($f,&swtmp($n1));
-	 &or($tmp1,$c);
-	&xor($f,&swtmp($n2));
-	 &and($tmp1,$d);
-	&xor($f,&swtmp($n3));		# f holds xa^xb^xc^xd
 	&rotl($f,1);			# f=ROTATE(f,1)
+	 &or($tmp1,$c);
 	&mov(&swtmp($n0),$f);		# xi=f
+	 &and($tmp1,$d);
 	&lea($f,&DWP($K,$f,$e,1));	# f+=K_40_59+e
 	 &mov($e,$b);			# e becomes volatile and is used
 					# to calculate F_40_59(b,c,d)
@@ -192,8 +197,8 @@ sub BODY_40_59
 	&or($tmp1,$e);			# tmp1 holds F_40_59(b,c,d)		
 	 &mov($e,$a);
 	&rotl($e,5);			# e=ROTATE(a,5)
-	&add($tmp1,$e);			# tmp1+=ROTATE(a,5)
-	&add($f,$tmp1);			# f+=tmp1;
+	 &add($f,$tmp1);		# f+=tmp1;
+	&add($f,$e);			# f+=ROTATE(a,5)
 	}
 
 sub BODY_60_79
@@ -405,7 +410,7 @@ sub sha1_block_data
 	&mov(&DWP(16,$tmp1,"",0),$E);
 	 &cmp("esi","eax");
 	&mov(&DWP( 4,$tmp1,"",0),$B);
-	 &jl(&label("start"));
+	 &jb(&label("start"));
 
 	&stack_pop(18+9);
 	 &pop("edi");
diff --git a/crypto/openssl/crypto/sha/asm/sha1-ia64.pl b/crypto/openssl/crypto/sha/asm/sha1-ia64.pl
new file mode 100644
index 000000000000..cb9dfad1243a
--- /dev/null
+++ b/crypto/openssl/crypto/sha/asm/sha1-ia64.pl
@@ -0,0 +1,549 @@
+#!/usr/bin/env perl
+#
+# ====================================================================
+# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+# project. Rights for redistribution and usage in source and binary
+# forms are granted according to the OpenSSL license.
+# ====================================================================
+#
+# Eternal question is what's wrong with compiler generated code? The
+# trick is that it's possible to reduce the number of shifts required
+# to perform rotations by maintaining copy of 32-bit value in upper
+# bits of 64-bit register. Just follow mux2 and shrp instructions...
+# Performance under big-endian OS such as HP-UX is 179MBps*1GHz, which
+# is >50% better than HP C and >2x better than gcc. As of this moment
+# performance under little-endian OS such as Linux and Windows will be
+# a bit lower, because data has to be picked in reverse byte-order.
+# It's possible to resolve this issue by implementing third function,
+# sha1_block_asm_data_order_aligned, which would temporarily flip
+# BE field in User Mask register...
+
+$code=<<___;
+.ident  \"sha1-ia64.s, version 1.0\"
+.ident  \"IA-64 ISA artwork by Andy Polyakov <appro\@fy.chalmers.se>\"
+.explicit
+
+___
+
+
+if ($^O eq "hpux") {
+    $ADDP="addp4";
+    for (@ARGV) { $ADDP="add" if (/[\+DD|\-mlp]64/); }
+} else { $ADDP="add"; }
+for (@ARGV) {	$big_endian=1 if (/\-DB_ENDIAN/);
+		$big_endian=0 if (/\-DL_ENDIAN/);   }
+if (!defined($big_endian))
+	    {	$big_endian=(unpack('L',pack('N',1))==1);   }
+
+#$human=1;
+if ($human) {	# useful for visual code auditing...
+	($A,$B,$C,$D,$E,$T)   = ("A","B","C","D","E","T");
+	($h0,$h1,$h2,$h3,$h4) = ("h0","h1","h2","h3","h4");
+	($K_00_19, $K_20_39, $K_40_59, $K_60_79) =
+	    (	"K_00_19","K_20_39","K_40_59","K_60_79"	);
+	@X= (	"X0", "X1", "X2", "X3", "X4", "X5", "X6", "X7",
+		"X8", "X9","X10","X11","X12","X13","X14","X15"	);
+}
+else {
+	($A,$B,$C,$D,$E,$T)   = ("loc0","loc1","loc2","loc3","loc4","loc5");
+	($h0,$h1,$h2,$h3,$h4) = ("loc6","loc7","loc8","loc9","loc10");
+	($K_00_19, $K_20_39, $K_40_59, $K_60_79) =
+	    (	"r14", "r15", "loc11", "loc12"	);
+	@X= (	"r16", "r17", "r18", "r19", "r20", "r21", "r22", "r23",
+		"r24", "r25", "r26", "r27", "r28", "r29", "r30", "r31"	);
+}
+
+sub BODY_00_15 {
+local	*code=shift;
+local	($i,$a,$b,$c,$d,$e,$f,$unaligned)=@_;
+
+if ($unaligned) {
+	$code.=<<___;
+{ .mmi;	ld1	tmp0=[inp],2		    // MSB
+	ld1	tmp1=[tmp3],2		};;
+{ .mmi;	ld1	tmp2=[inp],2
+	ld1	$X[$i&0xf]=[tmp3],2	    // LSB
+	dep	tmp1=tmp0,tmp1,8,8	};;
+{ .mii;	cmp.ne	p16,p0=r0,r0		    // no misaligned prefetch
+	dep	$X[$i&0xf]=tmp2,$X[$i&0xf],8,8;;
+	dep	$X[$i&0xf]=tmp1,$X[$i&0xf],16,16	};;
+{ .mmi;	nop.m	0
+___
+	}
+elsif ($i<15) {
+	$code.=<<___;
+{ .mmi;	ld4	$X[($i+1)&0xf]=[inp],4	// prefetch
+___
+	}
+else	{
+	$code.=<<___;
+{ .mmi;	nop.m	0
+___
+	}
+if ($i<15) {
+	$code.=<<___;
+	and	tmp0=$c,$b
+	dep.z	tmp5=$a,5,27		}   // a<<5
+{ .mmi;	andcm	tmp1=$d,$b
+	add	tmp4=$e,$K_00_19	};;
+{ .mmi;	or	tmp0=tmp0,tmp1		    // F_00_19(b,c,d)=(b&c)|(~b&d)
+	add	$f=tmp4,$X[$i&0xf]	    // f=xi+e+K_00_19
+	extr.u	tmp1=$a,27,5		};; // a>>27
+{ .mib;	add	$f=$f,tmp0		    // f+=F_00_19(b,c,d)
+	shrp	$b=tmp6,tmp6,2		}   // b=ROTATE(b,30)
+{ .mib;	or	tmp1=tmp1,tmp5		    // ROTATE(a,5)
+	mux2	tmp6=$a,0x44		};; // see b in next iteration
+{ .mii;	add	$f=$f,tmp1		    // f+=ROTATE(a,5)
+	mux2	$X[$i&0xf]=$X[$i&0xf],0x44
+	nop.i	0			};;
+
+___
+	}
+else	{
+	$code.=<<___;
+	and	tmp0=$c,$b
+	dep.z	tmp5=$a,5,27		}   // a<<5 ;;?
+{ .mmi;	andcm	tmp1=$d,$b
+	add	tmp4=$e,$K_00_19	};;
+{ .mmi;	or	tmp0=tmp0,tmp1		    // F_00_19(b,c,d)=(b&c)|(~b&d)
+	add	$f=tmp4,$X[$i&0xf]	    // f=xi+e+K_00_19
+	extr.u	tmp1=$a,27,5		}   // a>>27
+{ .mmi;	xor	tmp2=$X[($i+0+1)&0xf],$X[($i+2+1)&0xf]	// +1
+	xor	tmp3=$X[($i+8+1)&0xf],$X[($i+13+1)&0xf] // +1
+	nop.i	0			};;
+{ .mmi;	add	$f=$f,tmp0		    // f+=F_00_19(b,c,d)
+	xor	tmp2=tmp2,tmp3		    // +1
+	shrp	$b=tmp6,tmp6,2		}   // b=ROTATE(b,30)
+{ .mmi; or	tmp1=tmp1,tmp5		    // ROTATE(a,5)
+	mux2	tmp6=$a,0x44		};; // see b in next iteration
+{ .mii;	add	$f=$f,tmp1		    // f+=ROTATE(a,5)
+	shrp	$e=tmp2,tmp2,31		    // f+1=ROTATE(x[0]^x[2]^x[8]^x[13],1)
+	mux2	$X[$i&0xf]=$X[$i&0xf],0x44  };;
+
+___
+	}
+}
+
+sub BODY_16_19 {
+local	*code=shift;
+local	($i,$a,$b,$c,$d,$e,$f)=@_;
+
+$code.=<<___;
+{ .mmi;	mov	$X[$i&0xf]=$f		    // Xupdate
+	and	tmp0=$c,$b
+	dep.z	tmp5=$a,5,27		}   // a<<5
+{ .mmi;	andcm	tmp1=$d,$b
+	add	tmp4=$e,$K_00_19	};;
+{ .mmi;	or	tmp0=tmp0,tmp1		    // F_00_19(b,c,d)=(b&c)|(~b&d)
+	add	$f=$f,tmp4		    // f+=e+K_00_19
+	extr.u	tmp1=$a,27,5		}   // a>>27
+{ .mmi;	xor	tmp2=$X[($i+0+1)&0xf],$X[($i+2+1)&0xf]	// +1
+	xor	tmp3=$X[($i+8+1)&0xf],$X[($i+13+1)&0xf]	// +1
+	nop.i	0			};;
+{ .mmi;	add	$f=$f,tmp0		    // f+=F_00_19(b,c,d)
+	xor	tmp2=tmp2,tmp3		    // +1
+	shrp	$b=tmp6,tmp6,2		}   // b=ROTATE(b,30)
+{ .mmi;	or	tmp1=tmp1,tmp5		    // ROTATE(a,5)
+	mux2	tmp6=$a,0x44		};; // see b in next iteration
+{ .mii;	add	$f=$f,tmp1		    // f+=ROTATE(a,5)
+	shrp	$e=tmp2,tmp2,31		    // f+1=ROTATE(x[0]^x[2]^x[8]^x[13],1)
+	nop.i	0			};;
+
+___
+}
+
+sub BODY_20_39 {
+local	*code=shift;
+local	($i,$a,$b,$c,$d,$e,$f,$Konst)=@_;
+	$Konst = $K_20_39 if (!defined($Konst));
+
+if ($i<79) {
+$code.=<<___;
+{ .mib;	mov	$X[$i&0xf]=$f		    // Xupdate
+	dep.z	tmp5=$a,5,27		}   // a<<5
+{ .mib;	xor	tmp0=$c,$b
+	add	tmp4=$e,$Konst		};;
+{ .mmi;	xor	tmp0=tmp0,$d		    // F_20_39(b,c,d)=b^c^d
+	add	$f=$f,tmp4		    // f+=e+K_20_39
+	extr.u	tmp1=$a,27,5		}   // a>>27
+{ .mmi;	xor	tmp2=$X[($i+0+1)&0xf],$X[($i+2+1)&0xf]	// +1
+	xor	tmp3=$X[($i+8+1)&0xf],$X[($i+13+1)&0xf]	// +1
+	nop.i	0			};;
+{ .mmi;	add	$f=$f,tmp0		    // f+=F_20_39(b,c,d)
+	xor	tmp2=tmp2,tmp3		    // +1
+	shrp	$b=tmp6,tmp6,2		}   // b=ROTATE(b,30)
+{ .mmi;	or	tmp1=tmp1,tmp5		    // ROTATE(a,5)
+	mux2	tmp6=$a,0x44		};; // see b in next iteration
+{ .mii;	add	$f=$f,tmp1		    // f+=ROTATE(a,5)
+	shrp	$e=tmp2,tmp2,31		    // f+1=ROTATE(x[0]^x[2]^x[8]^x[13],1)
+	nop.i	0			};;
+
+___
+}
+else {
+$code.=<<___;
+{ .mib;	mov	$X[$i&0xf]=$f		    // Xupdate
+	dep.z	tmp5=$a,5,27		}   // a<<5
+{ .mib;	xor	tmp0=$c,$b
+	add	tmp4=$e,$Konst		};;
+{ .mib;	xor	tmp0=tmp0,$d		    // F_20_39(b,c,d)=b^c^d
+	extr.u	tmp1=$a,27,5		}   // a>>27
+{ .mib;	add	$f=$f,tmp4		    // f+=e+K_20_39
+	add	$h1=$h1,$a		};; // wrap up
+{ .mmi;
+(p16)	ld4.s	$X[0]=[inp],4		    // non-faulting prefetch
+	add	$f=$f,tmp0		    // f+=F_20_39(b,c,d)
+	shrp	$b=tmp6,tmp6,2		}   // b=ROTATE(b,30) ;;?
+{ .mmi;	or	tmp1=tmp1,tmp5		    // ROTATE(a,5)
+	add	$h3=$h3,$c		};; // wrap up
+{ .mib;	add	tmp3=1,inp		    // used in unaligned codepath
+	add	$f=$f,tmp1		}   // f+=ROTATE(a,5)
+{ .mib;	add	$h2=$h2,$b		    // wrap up
+	add	$h4=$h4,$d		};; // wrap up
+
+___
+}
+}
+
+sub BODY_40_59 {
+local	*code=shift;
+local	($i,$a,$b,$c,$d,$e,$f)=@_;
+
+$code.=<<___;
+{ .mmi;	mov	$X[$i&0xf]=$f		    // Xupdate
+	and	tmp0=$c,$b
+	dep.z	tmp5=$a,5,27		}   // a<<5
+{ .mmi;	and	tmp1=$d,$b
+	add	tmp4=$e,$K_40_59	};;
+{ .mmi;	or	tmp0=tmp0,tmp1		    // (b&c)|(b&d)
+	add	$f=$f,tmp4		    // f+=e+K_40_59
+	extr.u	tmp1=$a,27,5		}   // a>>27
+{ .mmi;	and	tmp4=$c,$d
+	xor	tmp2=$X[($i+0+1)&0xf],$X[($i+2+1)&0xf]	// +1
+	xor	tmp3=$X[($i+8+1)&0xf],$X[($i+13+1)&0xf]	// +1
+	};;
+{ .mmi;	or	tmp1=tmp1,tmp5		    // ROTATE(a,5)
+	xor	tmp2=tmp2,tmp3		    // +1
+	shrp	$b=tmp6,tmp6,2		}   // b=ROTATE(b,30)
+{ .mmi;	or	tmp0=tmp0,tmp4		    // F_40_59(b,c,d)=(b&c)|(b&d)|(c&d)
+	mux2	tmp6=$a,0x44		};; // see b in next iteration
+{ .mii;	add	$f=$f,tmp0		    // f+=F_40_59(b,c,d)
+	shrp	$e=tmp2,tmp2,31;;	    // f+1=ROTATE(x[0]^x[2]^x[8]^x[13],1)
+	add	$f=$f,tmp1		};; // f+=ROTATE(a,5)
+
+___
+}
+sub BODY_60_79	{ &BODY_20_39(@_,$K_60_79); }
+
+$code.=<<___;
+.text
+
+tmp0=r8;
+tmp1=r9;
+tmp2=r10;
+tmp3=r11;
+ctx=r32;	// in0
+inp=r33;	// in1
+
+// void sha1_block_asm_host_order(SHA_CTX *c,const void *p,size_t num);
+.global	sha1_block_asm_host_order#
+.proc	sha1_block_asm_host_order#
+.align	32
+sha1_block_asm_host_order:
+	.prologue
+	.fframe	0
+	.save	ar.pfs,r0
+	.save	ar.lc,r3
+{ .mmi;	alloc	tmp1=ar.pfs,3,15,0,0
+	$ADDP	tmp0=4,ctx
+	mov	r3=ar.lc		}
+{ .mmi;	$ADDP	ctx=0,ctx
+	$ADDP	inp=0,inp
+	mov	r2=pr			};;
+tmp4=in2;
+tmp5=loc13;
+tmp6=loc14;
+	.body
+{ .mlx;	ld4	$h0=[ctx],8
+	movl	$K_00_19=0x5a827999	}
+{ .mlx;	ld4	$h1=[tmp0],8
+	movl	$K_20_39=0x6ed9eba1	};;
+{ .mlx;	ld4	$h2=[ctx],8
+	movl	$K_40_59=0x8f1bbcdc	}
+{ .mlx;	ld4	$h3=[tmp0]
+	movl	$K_60_79=0xca62c1d6	};;
+{ .mmi;	ld4	$h4=[ctx],-16
+	add	in2=-1,in2		    // adjust num for ar.lc
+	mov	ar.ec=1			};;
+{ .mmi;	ld4	$X[0]=[inp],4		    // prefetch
+	cmp.ne	p16,p0=r0,in2		    // prefecth at loop end
+	mov	ar.lc=in2		};; // brp.loop.imp: too far
+
+.Lhtop:
+{ .mmi;	mov	$A=$h0
+	mov	$B=$h1
+	mux2	tmp6=$h1,0x44		}
+{ .mmi;	mov	$C=$h2
+	mov	$D=$h3
+	mov	$E=$h4			};;
+
+___
+
+	&BODY_00_15(\$code, 0,$A,$B,$C,$D,$E,$T);
+	&BODY_00_15(\$code, 1,$T,$A,$B,$C,$D,$E);
+	&BODY_00_15(\$code, 2,$E,$T,$A,$B,$C,$D);
+	&BODY_00_15(\$code, 3,$D,$E,$T,$A,$B,$C);
+	&BODY_00_15(\$code, 4,$C,$D,$E,$T,$A,$B);
+	&BODY_00_15(\$code, 5,$B,$C,$D,$E,$T,$A);
+	&BODY_00_15(\$code, 6,$A,$B,$C,$D,$E,$T);
+	&BODY_00_15(\$code, 7,$T,$A,$B,$C,$D,$E);
+	&BODY_00_15(\$code, 8,$E,$T,$A,$B,$C,$D);
+	&BODY_00_15(\$code, 9,$D,$E,$T,$A,$B,$C);
+	&BODY_00_15(\$code,10,$C,$D,$E,$T,$A,$B);
+	&BODY_00_15(\$code,11,$B,$C,$D,$E,$T,$A);
+	&BODY_00_15(\$code,12,$A,$B,$C,$D,$E,$T);
+	&BODY_00_15(\$code,13,$T,$A,$B,$C,$D,$E);
+	&BODY_00_15(\$code,14,$E,$T,$A,$B,$C,$D);
+	&BODY_00_15(\$code,15,$D,$E,$T,$A,$B,$C);
+
+	&BODY_16_19(\$code,16,$C,$D,$E,$T,$A,$B);
+	&BODY_16_19(\$code,17,$B,$C,$D,$E,$T,$A);
+	&BODY_16_19(\$code,18,$A,$B,$C,$D,$E,$T);
+	&BODY_16_19(\$code,19,$T,$A,$B,$C,$D,$E);
+
+	&BODY_20_39(\$code,20,$E,$T,$A,$B,$C,$D);
+	&BODY_20_39(\$code,21,$D,$E,$T,$A,$B,$C);
+	&BODY_20_39(\$code,22,$C,$D,$E,$T,$A,$B);
+	&BODY_20_39(\$code,23,$B,$C,$D,$E,$T,$A);
+	&BODY_20_39(\$code,24,$A,$B,$C,$D,$E,$T);
+	&BODY_20_39(\$code,25,$T,$A,$B,$C,$D,$E);
+	&BODY_20_39(\$code,26,$E,$T,$A,$B,$C,$D);
+	&BODY_20_39(\$code,27,$D,$E,$T,$A,$B,$C);
+	&BODY_20_39(\$code,28,$C,$D,$E,$T,$A,$B);
+	&BODY_20_39(\$code,29,$B,$C,$D,$E,$T,$A);
+	&BODY_20_39(\$code,30,$A,$B,$C,$D,$E,$T);
+	&BODY_20_39(\$code,31,$T,$A,$B,$C,$D,$E);
+	&BODY_20_39(\$code,32,$E,$T,$A,$B,$C,$D);
+	&BODY_20_39(\$code,33,$D,$E,$T,$A,$B,$C);
+	&BODY_20_39(\$code,34,$C,$D,$E,$T,$A,$B);
+	&BODY_20_39(\$code,35,$B,$C,$D,$E,$T,$A);
+	&BODY_20_39(\$code,36,$A,$B,$C,$D,$E,$T);
+	&BODY_20_39(\$code,37,$T,$A,$B,$C,$D,$E);
+	&BODY_20_39(\$code,38,$E,$T,$A,$B,$C,$D);
+	&BODY_20_39(\$code,39,$D,$E,$T,$A,$B,$C);
+
+	&BODY_40_59(\$code,40,$C,$D,$E,$T,$A,$B);
+	&BODY_40_59(\$code,41,$B,$C,$D,$E,$T,$A);
+	&BODY_40_59(\$code,42,$A,$B,$C,$D,$E,$T);
+	&BODY_40_59(\$code,43,$T,$A,$B,$C,$D,$E);
+	&BODY_40_59(\$code,44,$E,$T,$A,$B,$C,$D);
+	&BODY_40_59(\$code,45,$D,$E,$T,$A,$B,$C);
+	&BODY_40_59(\$code,46,$C,$D,$E,$T,$A,$B);
+	&BODY_40_59(\$code,47,$B,$C,$D,$E,$T,$A);
+	&BODY_40_59(\$code,48,$A,$B,$C,$D,$E,$T);
+	&BODY_40_59(\$code,49,$T,$A,$B,$C,$D,$E);
+	&BODY_40_59(\$code,50,$E,$T,$A,$B,$C,$D);
+	&BODY_40_59(\$code,51,$D,$E,$T,$A,$B,$C);
+	&BODY_40_59(\$code,52,$C,$D,$E,$T,$A,$B);
+	&BODY_40_59(\$code,53,$B,$C,$D,$E,$T,$A);
+	&BODY_40_59(\$code,54,$A,$B,$C,$D,$E,$T);
+	&BODY_40_59(\$code,55,$T,$A,$B,$C,$D,$E);
+	&BODY_40_59(\$code,56,$E,$T,$A,$B,$C,$D);
+	&BODY_40_59(\$code,57,$D,$E,$T,$A,$B,$C);
+	&BODY_40_59(\$code,58,$C,$D,$E,$T,$A,$B);
+	&BODY_40_59(\$code,59,$B,$C,$D,$E,$T,$A);
+
+	&BODY_60_79(\$code,60,$A,$B,$C,$D,$E,$T);
+	&BODY_60_79(\$code,61,$T,$A,$B,$C,$D,$E);
+	&BODY_60_79(\$code,62,$E,$T,$A,$B,$C,$D);
+	&BODY_60_79(\$code,63,$D,$E,$T,$A,$B,$C);
+	&BODY_60_79(\$code,64,$C,$D,$E,$T,$A,$B);
+	&BODY_60_79(\$code,65,$B,$C,$D,$E,$T,$A);
+	&BODY_60_79(\$code,66,$A,$B,$C,$D,$E,$T);
+	&BODY_60_79(\$code,67,$T,$A,$B,$C,$D,$E);
+	&BODY_60_79(\$code,68,$E,$T,$A,$B,$C,$D);
+	&BODY_60_79(\$code,69,$D,$E,$T,$A,$B,$C);
+	&BODY_60_79(\$code,70,$C,$D,$E,$T,$A,$B);
+	&BODY_60_79(\$code,71,$B,$C,$D,$E,$T,$A);
+	&BODY_60_79(\$code,72,$A,$B,$C,$D,$E,$T);
+	&BODY_60_79(\$code,73,$T,$A,$B,$C,$D,$E);
+	&BODY_60_79(\$code,74,$E,$T,$A,$B,$C,$D);
+	&BODY_60_79(\$code,75,$D,$E,$T,$A,$B,$C);
+	&BODY_60_79(\$code,76,$C,$D,$E,$T,$A,$B);
+	&BODY_60_79(\$code,77,$B,$C,$D,$E,$T,$A);
+	&BODY_60_79(\$code,78,$A,$B,$C,$D,$E,$T);
+	&BODY_60_79(\$code,79,$T,$A,$B,$C,$D,$E);
+
+$code.=<<___;
+{ .mmb;	add	$h0=$h0,$E
+	nop.m	0
+	br.ctop.dptk.many	.Lhtop	};;
+.Lhend:
+{ .mmi;	add	tmp0=4,ctx
+	mov	ar.lc=r3		};;
+{ .mmi;	st4	[ctx]=$h0,8
+	st4	[tmp0]=$h1,8		};;
+{ .mmi;	st4	[ctx]=$h2,8
+	st4	[tmp0]=$h3		};;
+{ .mib;	st4	[ctx]=$h4,-16
+	mov	pr=r2,0x1ffff
+	br.ret.sptk.many	b0	};;
+.endp	sha1_block_asm_host_order#
+___
+
+
+$code.=<<___;
+// void sha1_block_asm_data_order(SHA_CTX *c,const void *p,size_t num);
+.global	sha1_block_asm_data_order#
+.proc	sha1_block_asm_data_order#
+.align	32
+sha1_block_asm_data_order:
+___
+$code.=<<___ if ($big_endian);
+{ .mmi;	and	r2=3,inp				};;
+{ .mib;	cmp.eq	p6,p0=r0,r2
+(p6)	br.dptk.many	sha1_block_asm_host_order	};;
+___
+$code.=<<___;
+	.prologue
+	.fframe	0
+	.save	ar.pfs,r0
+	.save	ar.lc,r3
+{ .mmi;	alloc	tmp1=ar.pfs,3,15,0,0
+	$ADDP	tmp0=4,ctx
+	mov	r3=ar.lc		}
+{ .mmi;	$ADDP	ctx=0,ctx
+	$ADDP	inp=0,inp
+	mov	r2=pr			};;
+tmp4=in2;
+tmp5=loc13;
+tmp6=loc14;
+	.body
+{ .mlx;	ld4	$h0=[ctx],8
+	movl	$K_00_19=0x5a827999	}
+{ .mlx;	ld4	$h1=[tmp0],8
+	movl	$K_20_39=0x6ed9eba1	};;
+{ .mlx;	ld4	$h2=[ctx],8
+	movl	$K_40_59=0x8f1bbcdc	}
+{ .mlx;	ld4	$h3=[tmp0]
+	movl	$K_60_79=0xca62c1d6	};;
+{ .mmi;	ld4	$h4=[ctx],-16
+	add	in2=-1,in2		    // adjust num for ar.lc
+	mov	ar.ec=1			};;
+{ .mmi;	nop.m	0
+	add	tmp3=1,inp
+	mov	ar.lc=in2		};; // brp.loop.imp: too far
+
+.Ldtop:
+{ .mmi;	mov	$A=$h0
+	mov	$B=$h1
+	mux2	tmp6=$h1,0x44		}
+{ .mmi;	mov	$C=$h2
+	mov	$D=$h3
+	mov	$E=$h4			};;
+
+___
+
+	&BODY_00_15(\$code, 0,$A,$B,$C,$D,$E,$T,1);
+	&BODY_00_15(\$code, 1,$T,$A,$B,$C,$D,$E,1);
+	&BODY_00_15(\$code, 2,$E,$T,$A,$B,$C,$D,1);
+	&BODY_00_15(\$code, 3,$D,$E,$T,$A,$B,$C,1);
+	&BODY_00_15(\$code, 4,$C,$D,$E,$T,$A,$B,1);
+	&BODY_00_15(\$code, 5,$B,$C,$D,$E,$T,$A,1);
+	&BODY_00_15(\$code, 6,$A,$B,$C,$D,$E,$T,1);
+	&BODY_00_15(\$code, 7,$T,$A,$B,$C,$D,$E,1);
+	&BODY_00_15(\$code, 8,$E,$T,$A,$B,$C,$D,1);
+	&BODY_00_15(\$code, 9,$D,$E,$T,$A,$B,$C,1);
+	&BODY_00_15(\$code,10,$C,$D,$E,$T,$A,$B,1);
+	&BODY_00_15(\$code,11,$B,$C,$D,$E,$T,$A,1);
+	&BODY_00_15(\$code,12,$A,$B,$C,$D,$E,$T,1);
+	&BODY_00_15(\$code,13,$T,$A,$B,$C,$D,$E,1);
+	&BODY_00_15(\$code,14,$E,$T,$A,$B,$C,$D,1);
+	&BODY_00_15(\$code,15,$D,$E,$T,$A,$B,$C,1);
+
+	&BODY_16_19(\$code,16,$C,$D,$E,$T,$A,$B);
+	&BODY_16_19(\$code,17,$B,$C,$D,$E,$T,$A);
+	&BODY_16_19(\$code,18,$A,$B,$C,$D,$E,$T);
+	&BODY_16_19(\$code,19,$T,$A,$B,$C,$D,$E);
+
+	&BODY_20_39(\$code,20,$E,$T,$A,$B,$C,$D);
+	&BODY_20_39(\$code,21,$D,$E,$T,$A,$B,$C);
+	&BODY_20_39(\$code,22,$C,$D,$E,$T,$A,$B);
+	&BODY_20_39(\$code,23,$B,$C,$D,$E,$T,$A);
+	&BODY_20_39(\$code,24,$A,$B,$C,$D,$E,$T);
+	&BODY_20_39(\$code,25,$T,$A,$B,$C,$D,$E);
+	&BODY_20_39(\$code,26,$E,$T,$A,$B,$C,$D);
+	&BODY_20_39(\$code,27,$D,$E,$T,$A,$B,$C);
+	&BODY_20_39(\$code,28,$C,$D,$E,$T,$A,$B);
+	&BODY_20_39(\$code,29,$B,$C,$D,$E,$T,$A);
+	&BODY_20_39(\$code,30,$A,$B,$C,$D,$E,$T);
+	&BODY_20_39(\$code,31,$T,$A,$B,$C,$D,$E);
+	&BODY_20_39(\$code,32,$E,$T,$A,$B,$C,$D);
+	&BODY_20_39(\$code,33,$D,$E,$T,$A,$B,$C);
+	&BODY_20_39(\$code,34,$C,$D,$E,$T,$A,$B);
+	&BODY_20_39(\$code,35,$B,$C,$D,$E,$T,$A);
+	&BODY_20_39(\$code,36,$A,$B,$C,$D,$E,$T);
+	&BODY_20_39(\$code,37,$T,$A,$B,$C,$D,$E);
+	&BODY_20_39(\$code,38,$E,$T,$A,$B,$C,$D);
+	&BODY_20_39(\$code,39,$D,$E,$T,$A,$B,$C);
+
+	&BODY_40_59(\$code,40,$C,$D,$E,$T,$A,$B);
+	&BODY_40_59(\$code,41,$B,$C,$D,$E,$T,$A);
+	&BODY_40_59(\$code,42,$A,$B,$C,$D,$E,$T);
+	&BODY_40_59(\$code,43,$T,$A,$B,$C,$D,$E);
+	&BODY_40_59(\$code,44,$E,$T,$A,$B,$C,$D);
+	&BODY_40_59(\$code,45,$D,$E,$T,$A,$B,$C);
+	&BODY_40_59(\$code,46,$C,$D,$E,$T,$A,$B);
+	&BODY_40_59(\$code,47,$B,$C,$D,$E,$T,$A);
+	&BODY_40_59(\$code,48,$A,$B,$C,$D,$E,$T);
+	&BODY_40_59(\$code,49,$T,$A,$B,$C,$D,$E);
+	&BODY_40_59(\$code,50,$E,$T,$A,$B,$C,$D);
+	&BODY_40_59(\$code,51,$D,$E,$T,$A,$B,$C);
+	&BODY_40_59(\$code,52,$C,$D,$E,$T,$A,$B);
+	&BODY_40_59(\$code,53,$B,$C,$D,$E,$T,$A);
+	&BODY_40_59(\$code,54,$A,$B,$C,$D,$E,$T);
+	&BODY_40_59(\$code,55,$T,$A,$B,$C,$D,$E);
+	&BODY_40_59(\$code,56,$E,$T,$A,$B,$C,$D);
+	&BODY_40_59(\$code,57,$D,$E,$T,$A,$B,$C);
+	&BODY_40_59(\$code,58,$C,$D,$E,$T,$A,$B);
+	&BODY_40_59(\$code,59,$B,$C,$D,$E,$T,$A);
+
+	&BODY_60_79(\$code,60,$A,$B,$C,$D,$E,$T);
+	&BODY_60_79(\$code,61,$T,$A,$B,$C,$D,$E);
+	&BODY_60_79(\$code,62,$E,$T,$A,$B,$C,$D);
+	&BODY_60_79(\$code,63,$D,$E,$T,$A,$B,$C);
+	&BODY_60_79(\$code,64,$C,$D,$E,$T,$A,$B);
+	&BODY_60_79(\$code,65,$B,$C,$D,$E,$T,$A);
+	&BODY_60_79(\$code,66,$A,$B,$C,$D,$E,$T);
+	&BODY_60_79(\$code,67,$T,$A,$B,$C,$D,$E);
+	&BODY_60_79(\$code,68,$E,$T,$A,$B,$C,$D);
+	&BODY_60_79(\$code,69,$D,$E,$T,$A,$B,$C);
+	&BODY_60_79(\$code,70,$C,$D,$E,$T,$A,$B);
+	&BODY_60_79(\$code,71,$B,$C,$D,$E,$T,$A);
+	&BODY_60_79(\$code,72,$A,$B,$C,$D,$E,$T);
+	&BODY_60_79(\$code,73,$T,$A,$B,$C,$D,$E);
+	&BODY_60_79(\$code,74,$E,$T,$A,$B,$C,$D);
+	&BODY_60_79(\$code,75,$D,$E,$T,$A,$B,$C);
+	&BODY_60_79(\$code,76,$C,$D,$E,$T,$A,$B);
+	&BODY_60_79(\$code,77,$B,$C,$D,$E,$T,$A);
+	&BODY_60_79(\$code,78,$A,$B,$C,$D,$E,$T);
+	&BODY_60_79(\$code,79,$T,$A,$B,$C,$D,$E);
+
+$code.=<<___;
+{ .mmb;	add	$h0=$h0,$E
+	nop.m	0
+	br.ctop.dptk.many	.Ldtop	};;
+.Ldend:
+{ .mmi;	add	tmp0=4,ctx
+	mov	ar.lc=r3		};;
+{ .mmi;	st4	[ctx]=$h0,8
+	st4	[tmp0]=$h1,8		};;
+{ .mmi;	st4	[ctx]=$h2,8
+	st4	[tmp0]=$h3		};;
+{ .mib;	st4	[ctx]=$h4,-16
+	mov	pr=r2,0x1ffff
+	br.ret.sptk.many	b0	};;
+.endp	sha1_block_asm_data_order#
+___
+
+print $code;
diff --git a/crypto/openssl/crypto/sha/asm/sha512-ia64.pl b/crypto/openssl/crypto/sha/asm/sha512-ia64.pl
new file mode 100755
index 000000000000..0aea02399a9b
--- /dev/null
+++ b/crypto/openssl/crypto/sha/asm/sha512-ia64.pl
@@ -0,0 +1,432 @@
+#!/usr/bin/env perl
+#
+# ====================================================================
+# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+# project. Rights for redistribution and usage in source and binary
+# forms are granted according to the OpenSSL license.
+# ====================================================================
+#
+# SHA256/512_Transform for Itanium.
+#
+# sha512_block runs in 1003 cycles on Itanium 2, which is almost 50%
+# faster than gcc and >60%(!) faster than code generated by HP-UX
+# compiler (yes, HP-UX is generating slower code, because unlike gcc,
+# it failed to deploy "shift right pair," 'shrp' instruction, which
+# substitutes for 64-bit rotate).
+#
+# 924 cycles long sha256_block outperforms gcc by over factor of 2(!)
+# and HP-UX compiler - by >40% (yes, gcc won sha512_block, but lost
+# this one big time). Note that "formally" 924 is about 100 cycles
+# too much. I mean it's 64 32-bit rounds vs. 80 virtually identical
+# 64-bit ones and 1003*64/80 gives 802. Extra cycles, 2 per round,
+# are spent on extra work to provide for 32-bit rotations. 32-bit
+# rotations are still handled by 'shrp' instruction and for this
+# reason lower 32 bits are deposited to upper half of 64-bit register
+# prior 'shrp' issue. And in order to minimize the amount of such
+# operations, X[16] values are *maintained* with copies of lower
+# halves in upper halves, which is why you'll spot such instructions
+# as custom 'mux2', "parallel 32-bit add," 'padd4' and "parallel
+# 32-bit unsigned right shift," 'pshr4.u' instructions here.
+#
+# Rules of engagement.
+#
+# There is only one integer shifter meaning that if I have two rotate,
+# deposit or extract instructions in adjacent bundles, they shall
+# split [at run-time if they have to]. But note that variable and
+# parallel shifts are performed by multi-media ALU and *are* pairable
+# with rotates [and alike]. On the backside MMALU is rather slow: it
+# takes 2 extra cycles before the result of integer operation is
+# available *to* MMALU and 2(*) extra cycles before the result of MM
+# operation is available "back" *to* integer ALU, not to mention that
+# MMALU itself has 2 cycles latency. However! I explicitly scheduled
+# these MM instructions to avoid MM stalls, so that all these extra
+# latencies get "hidden" in instruction-level parallelism.
+#
+# (*) 2 cycles on Itanium 1 and 1 cycle on Itanium 2. But I schedule
+#     for 2 in order to provide for best *overall* performance,
+#     because on Itanium 1 stall on MM result is accompanied by
+#     pipeline flush, which takes 6 cycles:-(
+#
+# Resulting performance numbers for 900MHz Itanium 2 system:
+#
+# The 'numbers' are in 1000s of bytes per second processed.
+# type     16 bytes    64 bytes   256 bytes  1024 bytes  8192 bytes
+# sha1(*)   6210.14k   20376.30k   52447.83k   85870.05k  105478.12k
+# sha256    7476.45k   20572.05k   41538.34k   56062.29k   62093.18k
+# sha512    4996.56k   20026.28k   47597.20k   85278.79k  111501.31k
+#
+# (*) SHA1 numbers are for HP-UX compiler and are presented purely
+#     for reference purposes. I bet it can improved too...
+#
+# To generate code, pass the file name with either 256 or 512 in its
+# name and compiler flags.
+
+$output=shift;
+
+if ($output =~ /512.*\.[s|asm]/) {
+	$SZ=8;
+	$BITS=8*$SZ;
+	$LDW="ld8";
+	$STW="st8";
+	$ADD="add";
+	$SHRU="shr.u";
+	$TABLE="K512";
+	$func="sha512_block";
+	@Sigma0=(28,34,39);
+	@Sigma1=(14,18,41);
+	@sigma0=(1,  8, 7);
+	@sigma1=(19,61, 6);
+	$rounds=80;
+} elsif ($output =~ /256.*\.[s|asm]/) {
+	$SZ=4;
+	$BITS=8*$SZ;
+	$LDW="ld4";
+	$STW="st4";
+	$ADD="padd4";
+	$SHRU="pshr4.u";
+	$TABLE="K256";
+	$func="sha256_block";
+	@Sigma0=( 2,13,22);
+	@Sigma1=( 6,11,25);
+	@sigma0=( 7,18, 3);
+	@sigma1=(17,19,10);
+	$rounds=64;
+} else { die "nonsense $output"; }
+
+open STDOUT,">$output" || die "can't open $output: $!";
+
+if ($^O eq "hpux") {
+    $ADDP="addp4";
+    for (@ARGV) { $ADDP="add" if (/[\+DD|\-mlp]64/); }
+} else { $ADDP="add"; }
+for (@ARGV)  {	$big_endian=1 if (/\-DB_ENDIAN/);
+		$big_endian=0 if (/\-DL_ENDIAN/);  }
+if (!defined($big_endian))
+             {	$big_endian=(unpack('L',pack('N',1))==1);  }
+
+$code=<<___;
+.ident  \"$output, version 1.0\"
+.ident  \"IA-64 ISA artwork by Andy Polyakov <appro\@fy.chalmers.se>\"
+.explicit
+.text
+
+prsave=r14;
+K=r15;
+A=r16;	B=r17;	C=r18;	D=r19;
+E=r20;	F=r21;	G=r22;	H=r23;
+T1=r24;	T2=r25;
+s0=r26;	s1=r27;	t0=r28;	t1=r29;
+Ktbl=r30;
+ctx=r31;	// 1st arg
+input=r48;	// 2nd arg
+num=r49;	// 3rd arg
+sgm0=r50;	sgm1=r51;	// small constants
+
+// void $func (SHA_CTX *ctx, const void *in,size_t num[,int host])
+.global	$func#
+.proc	$func#
+.align	32
+$func:
+	.prologue
+	.fframe	0
+	.save	ar.pfs,r2
+	.save	ar.lc,r3
+	.save	pr,prsave
+{ .mmi;	alloc	r2=ar.pfs,3,17,0,16
+	$ADDP	ctx=0,r32		// 1st arg
+	mov	r3=ar.lc	}
+{ .mmi;	$ADDP	input=0,r33		// 2nd arg
+	addl	Ktbl=\@ltoff($TABLE#),gp
+	mov	prsave=pr	};;
+
+	.body
+{ .mii;	ld8	Ktbl=[Ktbl]
+	mov	num=r34		};;	// 3rd arg
+
+{ .mib;	add	r8=0*$SZ,ctx
+	add	r9=1*$SZ,ctx
+	brp.loop.imp	.L_first16,.L_first16_ctop
+				}
+{ .mib;	add	r10=2*$SZ,ctx
+	add	r11=3*$SZ,ctx
+	brp.loop.imp	.L_rest,.L_rest_ctop
+				};;
+// load A-H
+{ .mmi;	$LDW	A=[r8],4*$SZ
+	$LDW	B=[r9],4*$SZ
+	mov	sgm0=$sigma0[2]	}
+{ .mmi;	$LDW	C=[r10],4*$SZ
+	$LDW	D=[r11],4*$SZ
+	mov	sgm1=$sigma1[2]	};;
+{ .mmi;	$LDW	E=[r8]
+	$LDW	F=[r9]		}
+{ .mmi;	$LDW	G=[r10]
+	$LDW	H=[r11]
+	cmp.ne	p15,p14=0,r35	};;	// used in sha256_block
+
+.L_outer:
+{ .mii;	mov	ar.lc=15
+	mov	ar.ec=1		};;
+.align	32
+.L_first16:
+.rotr	X[16]
+___
+$t0="t0", $t1="t1", $code.=<<___ if ($BITS==32);
+{ .mib;	(p14)	add	r9=1,input
+	(p14)	add	r10=2,input	}
+{ .mib;	(p14)	add	r11=3,input
+	(p15)	br.dptk.few	.L_host	};;
+{ .mmi;	(p14)	ld1	r8=[input],$SZ
+	(p14)	ld1	r9=[r9]		}
+{ .mmi;	(p14)	ld1	r10=[r10]
+	(p14)	ld1	r11=[r11]	};;
+{ .mii;	(p14)	dep	r9=r8,r9,8,8
+	(p14)	dep	r11=r10,r11,8,8	};;
+{ .mib;	(p14)	dep	X[15]=r9,r11,16,16 };;
+.L_host:
+{ .mib;	(p15)	$LDW	X[15]=[input],$SZ	// X[i]=*input++
+		dep.z	$t1=E,32,32	}
+{ .mib;		$LDW	K=[Ktbl],$SZ
+		zxt4	E=E		};;
+{ .mmi;		or	$t1=$t1,E
+		and	T1=F,E
+		and	T2=A,B		}
+{ .mmi;		andcm	r8=G,E
+		and	r9=A,C
+		mux2	$t0=A,0x44	};;	// copy lower half to upper
+{ .mib;		xor	T1=T1,r8		// T1=((e & f) ^ (~e & g))
+		_rotr	r11=$t1,$Sigma1[0] }	// ROTR(e,14)
+{ .mib;		and	r10=B,C
+		xor	T2=T2,r9	};;
+___
+$t0="A", $t1="E", $code.=<<___ if ($BITS==64);
+{ .mmi;		$LDW	X[15]=[input],$SZ	// X[i]=*input++
+		and	T1=F,E
+		and	T2=A,B		}
+{ .mmi;		$LDW	K=[Ktbl],$SZ
+		andcm	r8=G,E
+		and	r9=A,C		};;
+{ .mmi;		xor	T1=T1,r8		//T1=((e & f) ^ (~e & g))
+		and	r10=B,C
+		_rotr	r11=$t1,$Sigma1[0] }	// ROTR(e,14)
+{ .mmi;		xor	T2=T2,r9
+		mux1	X[15]=X[15],\@rev };;	// eliminated in big-endian
+___
+$code.=<<___;
+{ .mib;		add	T1=T1,H			// T1=Ch(e,f,g)+h
+		_rotr	r8=$t1,$Sigma1[1] }	// ROTR(e,18)
+{ .mib;		xor	T2=T2,r10		// T2=((a & b) ^ (a & c) ^ (b & c))
+		mov	H=G		};;
+{ .mib;		xor	r11=r8,r11
+		_rotr	r9=$t1,$Sigma1[2] }	// ROTR(e,41)
+{ .mib;		mov	G=F
+		mov	F=E		};;
+{ .mib;		xor	r9=r9,r11		// r9=Sigma1(e)
+		_rotr	r10=$t0,$Sigma0[0] }	// ROTR(a,28)
+{ .mib;		add	T1=T1,K			// T1=Ch(e,f,g)+h+K512[i]
+		mov	E=D		};;
+{ .mib;		add	T1=T1,r9		// T1+=Sigma1(e)
+		_rotr	r11=$t0,$Sigma0[1] }	// ROTR(a,34)
+{ .mib;		mov	D=C
+		mov	C=B		};;
+{ .mib;		add	T1=T1,X[15]		// T1+=X[i]
+		_rotr	r8=$t0,$Sigma0[2] }	// ROTR(a,39)
+{ .mib;		xor	r10=r10,r11
+		mux2	X[15]=X[15],0x44 };;	// eliminated in 64-bit
+{ .mmi;		xor	r10=r8,r10		// r10=Sigma0(a)
+		mov	B=A
+		add	A=T1,T2		};;
+.L_first16_ctop:
+{ .mib;		add	E=E,T1
+		add	A=A,r10			// T2=Maj(a,b,c)+Sigma0(a)
+	br.ctop.sptk	.L_first16	};;
+
+{ .mib;	mov	ar.lc=$rounds-17	}
+{ .mib;	mov	ar.ec=1			};;
+.align	32
+.L_rest:
+.rotr	X[16]
+{ .mib;		$LDW	K=[Ktbl],$SZ
+		_rotr	r8=X[15-1],$sigma0[0] }	// ROTR(s0,1)
+{ .mib; 	$ADD	X[15]=X[15],X[15-9]	// X[i&0xF]+=X[(i+9)&0xF]
+		$SHRU	s0=X[15-1],sgm0	};;	// s0=X[(i+1)&0xF]>>7
+{ .mib;		and	T1=F,E
+		_rotr	r9=X[15-1],$sigma0[1] }	// ROTR(s0,8)
+{ .mib;		andcm	r10=G,E
+		$SHRU	s1=X[15-14],sgm1 };;	// s1=X[(i+14)&0xF]>>6
+{ .mmi;		xor	T1=T1,r10		// T1=((e & f) ^ (~e & g))
+		xor	r9=r8,r9
+		_rotr	r10=X[15-14],$sigma1[0] };;// ROTR(s1,19)
+{ .mib;		and	T2=A,B		
+		_rotr	r11=X[15-14],$sigma1[1] }// ROTR(s1,61)
+{ .mib;		and	r8=A,C		};;
+___
+$t0="t0", $t1="t1", $code.=<<___ if ($BITS==32);
+// I adhere to mmi; in order to hold Itanium 1 back and avoid 6 cycle
+// pipeline flush in last bundle. Note that even on Itanium2 the
+// latter stalls for one clock cycle...
+{ .mmi;		xor	s0=s0,r9		// s0=sigma0(X[(i+1)&0xF])
+		dep.z	$t1=E,32,32	}
+{ .mmi;		xor	r10=r11,r10
+		zxt4	E=E		};;
+{ .mmi;		or	$t1=$t1,E
+		xor	s1=s1,r10		// s1=sigma1(X[(i+14)&0xF])
+		mux2	$t0=A,0x44	};;	// copy lower half to upper
+{ .mmi;		xor	T2=T2,r8
+		_rotr	r9=$t1,$Sigma1[0] }	// ROTR(e,14)
+{ .mmi;		and	r10=B,C
+		add	T1=T1,H			// T1=Ch(e,f,g)+h
+		$ADD	X[15]=X[15],s0	};;	// X[i&0xF]+=sigma0(X[(i+1)&0xF])
+___
+$t0="A", $t1="E", $code.=<<___ if ($BITS==64);
+{ .mib;		xor	s0=s0,r9		// s0=sigma0(X[(i+1)&0xF])
+		_rotr	r9=$t1,$Sigma1[0] }	// ROTR(e,14)
+{ .mib;		xor	r10=r11,r10
+		xor	T2=T2,r8	};;
+{ .mib;		xor	s1=s1,r10		// s1=sigma1(X[(i+14)&0xF])
+		add	T1=T1,H		}
+{ .mib;		and	r10=B,C
+		$ADD	X[15]=X[15],s0	};;	// X[i&0xF]+=sigma0(X[(i+1)&0xF])
+___
+$code.=<<___;
+{ .mmi;		xor	T2=T2,r10		// T2=((a & b) ^ (a & c) ^ (b & c))
+		mov	H=G
+		_rotr	r8=$t1,$Sigma1[1] };;	// ROTR(e,18)
+{ .mmi;		xor	r11=r8,r9
+		$ADD	X[15]=X[15],s1		// X[i&0xF]+=sigma1(X[(i+14)&0xF])
+		_rotr	r9=$t1,$Sigma1[2] }	// ROTR(e,41)
+{ .mmi;		mov	G=F
+		mov	F=E		};;
+{ .mib;		xor	r9=r9,r11		// r9=Sigma1(e)
+		_rotr	r10=$t0,$Sigma0[0] }	// ROTR(a,28)
+{ .mib;		add	T1=T1,K			// T1=Ch(e,f,g)+h+K512[i]
+		mov	E=D		};;
+{ .mib;		add	T1=T1,r9		// T1+=Sigma1(e)
+		_rotr	r11=$t0,$Sigma0[1] }	// ROTR(a,34)
+{ .mib;		mov	D=C
+		mov	C=B		};;
+{ .mmi;		add	T1=T1,X[15]		// T1+=X[i]
+		xor	r10=r10,r11
+		_rotr	r8=$t0,$Sigma0[2] };;	// ROTR(a,39)
+{ .mmi;		xor	r10=r8,r10		// r10=Sigma0(a)
+		mov	B=A
+		add	A=T1,T2		};;
+.L_rest_ctop:
+{ .mib;		add	E=E,T1
+		add	A=A,r10			// T2=Maj(a,b,c)+Sigma0(a)
+	br.ctop.sptk	.L_rest	};;
+
+{ .mib;	add	r8=0*$SZ,ctx
+	add	r9=1*$SZ,ctx		}
+{ .mib;	add	r10=2*$SZ,ctx
+	add	r11=3*$SZ,ctx		};;
+{ .mmi;	$LDW	r32=[r8],4*$SZ
+	$LDW	r33=[r9],4*$SZ		}
+{ .mmi;	$LDW	r34=[r10],4*$SZ
+	$LDW	r35=[r11],4*$SZ
+	cmp.ltu	p6,p7=1,num		};;
+{ .mmi;	$LDW	r36=[r8],-4*$SZ
+	$LDW	r37=[r9],-4*$SZ
+(p6)	add	Ktbl=-$SZ*$rounds,Ktbl	}
+{ .mmi;	$LDW	r38=[r10],-4*$SZ
+	$LDW	r39=[r11],-4*$SZ
+(p7)	mov	ar.lc=r3		};;
+{ .mmi;	add	A=A,r32
+	add	B=B,r33
+	add	C=C,r34			}
+{ .mmi;	add	D=D,r35
+	add	E=E,r36
+	add	F=F,r37			};;
+{ .mmi;	$STW	[r8]=A,4*$SZ
+	$STW	[r9]=B,4*$SZ
+	add	G=G,r38			}
+{ .mmi;	$STW	[r10]=C,4*$SZ
+	$STW	[r11]=D,4*$SZ
+	add	H=H,r39			};;
+{ .mmi;	$STW	[r8]=E
+	$STW	[r9]=F
+(p6)	add	num=-1,num		}
+{ .mmb;	$STW	[r10]=G
+	$STW	[r11]=H
+(p6)	br.dptk.many	.L_outer	};;
+
+{ .mib;	mov	pr=prsave,0x1ffff
+	br.ret.sptk.many	b0	};;
+.endp	$func#
+___
+
+$code =~ s/\`([^\`]*)\`/eval $1/gem;
+$code =~ s/_rotr(\s+)([^=]+)=([^,]+),([0-9]+)/shrp$1$2=$3,$3,$4/gm;
+if ($BITS==64) {
+    $code =~ s/mux2(\s+)\S+/nop.i$1 0x0/gm;
+    $code =~ s/mux1(\s+)\S+/nop.i$1 0x0/gm if ($big_endian);
+}
+
+print $code;
+
+print<<___ if ($BITS==32);
+.align	64
+.type	K256#,\@object
+K256:	data4	0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
+	data4	0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5
+	data4	0xd807aa98,0x12835b01,0x243185be,0x550c7dc3
+	data4	0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174
+	data4	0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc
+	data4	0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da
+	data4	0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7
+	data4	0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967
+	data4	0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13
+	data4	0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85
+	data4	0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3
+	data4	0xd192e819,0xd6990624,0xf40e3585,0x106aa070
+	data4	0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5
+	data4	0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3
+	data4	0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208
+	data4	0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
+.size	K256#,$SZ*$rounds
+___
+print<<___ if ($BITS==64);
+.align	64
+.type	K512#,\@object
+K512:	data8	0x428a2f98d728ae22,0x7137449123ef65cd
+	data8	0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc
+	data8	0x3956c25bf348b538,0x59f111f1b605d019
+	data8	0x923f82a4af194f9b,0xab1c5ed5da6d8118
+	data8	0xd807aa98a3030242,0x12835b0145706fbe
+	data8	0x243185be4ee4b28c,0x550c7dc3d5ffb4e2
+	data8	0x72be5d74f27b896f,0x80deb1fe3b1696b1
+	data8	0x9bdc06a725c71235,0xc19bf174cf692694
+	data8	0xe49b69c19ef14ad2,0xefbe4786384f25e3
+	data8	0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65
+	data8	0x2de92c6f592b0275,0x4a7484aa6ea6e483
+	data8	0x5cb0a9dcbd41fbd4,0x76f988da831153b5
+	data8	0x983e5152ee66dfab,0xa831c66d2db43210
+	data8	0xb00327c898fb213f,0xbf597fc7beef0ee4
+	data8	0xc6e00bf33da88fc2,0xd5a79147930aa725
+	data8	0x06ca6351e003826f,0x142929670a0e6e70
+	data8	0x27b70a8546d22ffc,0x2e1b21385c26c926
+	data8	0x4d2c6dfc5ac42aed,0x53380d139d95b3df
+	data8	0x650a73548baf63de,0x766a0abb3c77b2a8
+	data8	0x81c2c92e47edaee6,0x92722c851482353b
+	data8	0xa2bfe8a14cf10364,0xa81a664bbc423001
+	data8	0xc24b8b70d0f89791,0xc76c51a30654be30
+	data8	0xd192e819d6ef5218,0xd69906245565a910
+	data8	0xf40e35855771202a,0x106aa07032bbd1b8
+	data8	0x19a4c116b8d2d0c8,0x1e376c085141ab53
+	data8	0x2748774cdf8eeb99,0x34b0bcb5e19b48a8
+	data8	0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb
+	data8	0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3
+	data8	0x748f82ee5defb2fc,0x78a5636f43172f60
+	data8	0x84c87814a1f0ab72,0x8cc702081a6439ec
+	data8	0x90befffa23631e28,0xa4506cebde82bde9
+	data8	0xbef9a3f7b2c67915,0xc67178f2e372532b
+	data8	0xca273eceea26619c,0xd186b8c721c0c207
+	data8	0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178
+	data8	0x06f067aa72176fba,0x0a637dc5a2c898a6
+	data8	0x113f9804bef90dae,0x1b710b35131c471b
+	data8	0x28db77f523047d84,0x32caab7b40c72493
+	data8	0x3c9ebe0a15c9bebc,0x431d67c49c100d4c
+	data8	0x4cc5d4becb3e42b6,0x597f299cfc657e2a
+	data8	0x5fcb6fab3ad6faec,0x6c44198c4a475817
+.size	K512#,$SZ*$rounds
+___
diff --git a/crypto/openssl/crypto/sha/asm/sha512-sse2.pl b/crypto/openssl/crypto/sha/asm/sha512-sse2.pl
new file mode 100644
index 000000000000..10902bf673d5
--- /dev/null
+++ b/crypto/openssl/crypto/sha/asm/sha512-sse2.pl
@@ -0,0 +1,404 @@
+#!/usr/bin/env perl
+#
+# ====================================================================
+# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+# project. Rights for redistribution and usage in source and binary
+# forms are granted according to the OpenSSL license.
+# ====================================================================
+#
+# SHA512_Transform_SSE2.
+#
+# As the name suggests, this is an IA-32 SSE2 implementation of
+# SHA512_Transform. Motivating factor for the undertaken effort was that
+# SHA512 was observed to *consistently* perform *significantly* poorer
+# than SHA256 [2x and slower is common] on 32-bit platforms. On 64-bit
+# platforms on the other hand SHA512 tend to outperform SHA256 [~50%
+# seem to be common improvement factor]. All this is perfectly natural,
+# as SHA512 is a 64-bit algorithm. But isn't IA-32 SSE2 essentially
+# a 64-bit instruction set? Is it rich enough to implement SHA512?
+# If answer was "no," then you wouldn't have been reading this...
+#
+# Throughput performance in MBps (larger is better):
+#
+#		2.4GHz P4	1.4GHz AMD32	1.4GHz AMD64(*)
+# SHA256/gcc(*)	54		43		59
+# SHA512/gcc	17		23		92
+# SHA512/sse2	61(**)		57(**)
+# SHA512/icc	26		28
+# SHA256/icc(*)	65		54
+#
+# (*)	AMD64 and SHA256 numbers are presented mostly for amusement or
+#	reference purposes.
+# (**)	I.e. it gives ~2-3x speed-up if compared with compiler generated
+#	code. One can argue that hand-coded *non*-SSE2 implementation
+#	would perform better than compiler generated one as well, and
+#	that comparison is therefore not exactly fair. Well, as SHA512
+#	puts enormous pressure on IA-32 GP register bank, I reckon that
+#	hand-coded version wouldn't perform significantly better than
+#	one compiled with icc, ~20% perhaps... So that this code would
+#	still outperform it with distinguishing marginal. But feel free
+#	to prove me wrong:-)
+#						<appro@fy.chalmers.se>
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+&asm_init($ARGV[0],"sha512-sse2.pl",$ARGV[$#ARGV] eq "386");
+
+$K512="esi";	# K512[80] table, found at the end...
+#$W512="esp";	# $W512 is not just W512[16]: it comprises *two* copies
+		# of W512[16] and a copy of A-H variables...
+$W512_SZ=8*(16+16+8);	# see above...
+#$Kidx="ebx";	# index in K512 table, advances from 0 to 80...
+$Widx="edx";	# index in W512, wraps around at 16...
+$data="edi";	# 16 qwords of input data...
+$A="mm0";	# B-D and
+$E="mm1";	# F-H are allocated dynamically...
+$Aoff=256+0;	# A-H offsets relative to $W512...
+$Boff=256+8;
+$Coff=256+16;
+$Doff=256+24;
+$Eoff=256+32;
+$Foff=256+40;
+$Goff=256+48;
+$Hoff=256+56;
+
+sub SHA2_ROUND()
+{ local ($kidx,$widx)=@_;
+
+	# One can argue that one could reorder instructions for better
+	# performance. Well, I tried and it doesn't seem to make any
+	# noticeable difference. Modern out-of-order execution cores
+	# reorder instructions to their liking in either case and they
+	# apparently do decent job. So we can keep the code more
+	# readable/regular/comprehensible:-)
+
+	# I adhere to 64-bit %mmX registers in order to avoid/not care
+	# about #GP exceptions on misaligned 128-bit access, most
+	# notably in paddq with memory operand. Not to mention that
+	# SSE2 intructions operating on %mmX can be scheduled every
+	# cycle [and not every second one if operating on %xmmN].
+
+	&movq	("mm4",&QWP($Foff,$W512));	# load f
+	&movq	("mm5",&QWP($Goff,$W512));	# load g
+	&movq	("mm6",&QWP($Hoff,$W512));	# load h
+
+	&movq	("mm2",$E);			# %mm2 is sliding right
+	&movq	("mm3",$E);			# %mm3 is sliding left
+	&psrlq	("mm2",14);
+	&psllq	("mm3",23);
+	&movq	("mm7","mm2");			# %mm7 is T1
+	&pxor	("mm7","mm3");
+	&psrlq	("mm2",4);
+	&psllq	("mm3",23);
+	&pxor	("mm7","mm2");
+	&pxor	("mm7","mm3");
+	&psrlq	("mm2",23);
+	&psllq	("mm3",4);
+	&pxor	("mm7","mm2");
+	&pxor	("mm7","mm3");			# T1=Sigma1_512(e)
+
+	&movq	(&QWP($Foff,$W512),$E);		# f = e
+	&movq	(&QWP($Goff,$W512),"mm4");	# g = f
+	&movq	(&QWP($Hoff,$W512),"mm5");	# h = g
+
+	&pxor	("mm4","mm5");			# f^=g
+	&pand	("mm4",$E);			# f&=e
+	&pxor	("mm4","mm5");			# f^=g
+	&paddq	("mm7","mm4");			# T1+=Ch(e,f,g)
+
+	&movq	("mm2",&QWP($Boff,$W512));	# load b
+	&movq	("mm3",&QWP($Coff,$W512));	# load c
+	&movq	($E,&QWP($Doff,$W512));		# e = d
+
+	&paddq	("mm7","mm6");			# T1+=h
+	&paddq	("mm7",&QWP(0,$K512,$kidx,8));	# T1+=K512[i]
+	&paddq	("mm7",&QWP(0,$W512,$widx,8));	# T1+=W512[i]
+	&paddq	($E,"mm7");			# e += T1
+
+	&movq	("mm4",$A);			# %mm4 is sliding right
+	&movq	("mm5",$A);			# %mm5 is sliding left
+	&psrlq	("mm4",28);
+	&psllq	("mm5",25);
+	&movq	("mm6","mm4");			# %mm6 is T2
+	&pxor	("mm6","mm5");
+	&psrlq	("mm4",6);
+	&psllq	("mm5",5);
+	&pxor	("mm6","mm4");
+	&pxor	("mm6","mm5");
+	&psrlq	("mm4",5);
+	&psllq	("mm5",6);
+	&pxor	("mm6","mm4");
+	&pxor	("mm6","mm5");			# T2=Sigma0_512(a)
+
+	&movq	(&QWP($Boff,$W512),$A);		# b = a
+	&movq	(&QWP($Coff,$W512),"mm2");	# c = b
+	&movq	(&QWP($Doff,$W512),"mm3");	# d = c
+
+	&movq	("mm4",$A);			# %mm4=a
+	&por	($A,"mm3");			# a=a|c
+	&pand	("mm4","mm3");			# %mm4=a&c
+	&pand	($A,"mm2");			# a=(a|c)&b
+	&por	("mm4",$A);			# %mm4=(a&c)|((a|c)&b)
+	&paddq	("mm6","mm4");			# T2+=Maj(a,b,c)
+
+	&movq	($A,"mm7");			# a=T1
+	&paddq	($A,"mm6");			# a+=T2
+}
+
+$func="sha512_block_sse2";
+
+&function_begin_B($func);
+	if (0) {# Caller is expected to check if it's appropriate to
+		# call this routine. Below 3 lines are retained for
+		# debugging purposes...
+		&picmeup("eax","OPENSSL_ia32cap");
+		&bt	(&DWP(0,"eax"),26);
+		&jnc	("SHA512_Transform");
+	}
+
+	&push	("ebp");
+	&mov	("ebp","esp");
+	&push	("ebx");
+	&push	("esi");
+	&push	("edi");
+
+	&mov	($Widx,&DWP(8,"ebp"));		# A-H state, 1st arg
+	&mov	($data,&DWP(12,"ebp"));		# input data, 2nd arg
+	&call	(&label("pic_point"));		# make it PIC!
+&set_label("pic_point");
+	&blindpop($K512);
+	&lea	($K512,&DWP(&label("K512")."-".&label("pic_point"),$K512));
+
+	$W512 = "esp";			# start using %esp as W512
+	&sub	($W512,$W512_SZ);
+	&and	($W512,-16);		# ensure 128-bit alignment
+
+	# make private copy of A-H
+	#     v assume the worst and stick to unaligned load
+	&movdqu	("xmm0",&QWP(0,$Widx));
+	&movdqu	("xmm1",&QWP(16,$Widx));
+	&movdqu	("xmm2",&QWP(32,$Widx));
+	&movdqu	("xmm3",&QWP(48,$Widx));
+
+&align(8);
+&set_label("_chunk_loop");
+
+	&movdqa	(&QWP($Aoff,$W512),"xmm0");	# a,b
+	&movdqa	(&QWP($Coff,$W512),"xmm1");	# c,d
+	&movdqa	(&QWP($Eoff,$W512),"xmm2");	# e,f
+	&movdqa	(&QWP($Goff,$W512),"xmm3");	# g,h
+
+	&xor	($Widx,$Widx);
+
+	&movdq2q($A,"xmm0");			# load a
+	&movdq2q($E,"xmm2");			# load e
+
+	# Why aren't loops unrolled? It makes sense to unroll if
+	# execution time for loop body is comparable with branch
+	# penalties and/or if whole data-set resides in register bank.
+	# Neither is case here... Well, it would be possible to
+	# eliminate few store operations, but it would hardly affect
+	# so to say stop-watch performance, as there is a lot of
+	# available memory slots to fill. It will only relieve some
+	# pressure off memory bus...
+
+	# flip input stream byte order...
+	&mov	("eax",&DWP(0,$data,$Widx,8));
+	&mov	("ebx",&DWP(4,$data,$Widx,8));
+	&bswap	("eax");
+	&bswap	("ebx");
+	&mov	(&DWP(0,$W512,$Widx,8),"ebx");		# W512[i]
+	&mov	(&DWP(4,$W512,$Widx,8),"eax");
+	&mov	(&DWP(128+0,$W512,$Widx,8),"ebx");	# copy of W512[i]
+	&mov	(&DWP(128+4,$W512,$Widx,8),"eax");
+
+&align(8);
+&set_label("_1st_loop");		# 0-15
+	# flip input stream byte order...
+	&mov	("eax",&DWP(0+8,$data,$Widx,8));
+	&mov	("ebx",&DWP(4+8,$data,$Widx,8));
+	&bswap	("eax");
+	&bswap	("ebx");
+	&mov	(&DWP(0+8,$W512,$Widx,8),"ebx");	# W512[i]
+	&mov	(&DWP(4+8,$W512,$Widx,8),"eax");
+	&mov	(&DWP(128+0+8,$W512,$Widx,8),"ebx");	# copy of W512[i]
+	&mov	(&DWP(128+4+8,$W512,$Widx,8),"eax");
+&set_label("_1st_looplet");
+	&SHA2_ROUND($Widx,$Widx); &inc($Widx);
+
+&cmp	($Widx,15)
+&jl	(&label("_1st_loop"));
+&je	(&label("_1st_looplet"));	# playing similar trick on 2nd loop
+					# does not improve performance...
+
+	$Kidx = "ebx";			# start using %ebx as Kidx
+	&mov	($Kidx,$Widx);
+
+&align(8);
+&set_label("_2nd_loop");		# 16-79
+	&and($Widx,0xf);
+
+	# 128-bit fragment! I update W512[i] and W512[i+1] in
+	# parallel:-) Note that I refer to W512[(i&0xf)+N] and not to
+	# W512[(i+N)&0xf]! This is exactly what I maintain the second
+	# copy of W512[16] for...
+	&movdqu	("xmm0",&QWP(8*1,$W512,$Widx,8));	# s0=W512[i+1]
+	&movdqa	("xmm2","xmm0");		# %xmm2 is sliding right
+	&movdqa	("xmm3","xmm0");		# %xmm3 is sliding left
+	&psrlq	("xmm2",1);
+	&psllq	("xmm3",56);
+	&movdqa	("xmm0","xmm2");
+	&pxor	("xmm0","xmm3");
+	&psrlq	("xmm2",6);
+	&psllq	("xmm3",7);
+	&pxor	("xmm0","xmm2");
+	&pxor	("xmm0","xmm3");
+	&psrlq	("xmm2",1);
+	&pxor	("xmm0","xmm2");		# s0 = sigma0_512(s0);
+
+	&movdqa	("xmm1",&QWP(8*14,$W512,$Widx,8));	# s1=W512[i+14]
+	&movdqa	("xmm4","xmm1");		# %xmm4 is sliding right
+	&movdqa	("xmm5","xmm1");		# %xmm5 is sliding left
+	&psrlq	("xmm4",6);
+	&psllq	("xmm5",3);
+	&movdqa	("xmm1","xmm4");
+	&pxor	("xmm1","xmm5");
+	&psrlq	("xmm4",13);
+	&psllq	("xmm5",42);
+	&pxor	("xmm1","xmm4");
+	&pxor	("xmm1","xmm5");
+	&psrlq	("xmm4",42);
+	&pxor	("xmm1","xmm4");		# s1 = sigma1_512(s1);
+
+	#     + have to explictly load W512[i+9] as it's not 128-bit
+	#     v	aligned and paddq would throw an exception...
+	&movdqu	("xmm6",&QWP(8*9,$W512,$Widx,8));
+	&paddq	("xmm0","xmm1");		# s0 += s1
+	&paddq	("xmm0","xmm6");		# s0 += W512[i+9]
+	&paddq	("xmm0",&QWP(0,$W512,$Widx,8));	# s0 += W512[i]
+
+	&movdqa	(&QWP(0,$W512,$Widx,8),"xmm0");		# W512[i] = s0
+	&movdqa	(&QWP(16*8,$W512,$Widx,8),"xmm0");	# copy of W512[i]
+
+	# as the above fragment was 128-bit, we "owe" 2 rounds...
+	&SHA2_ROUND($Kidx,$Widx); &inc($Kidx); &inc($Widx);
+	&SHA2_ROUND($Kidx,$Widx); &inc($Kidx); &inc($Widx);
+
+&cmp	($Kidx,80);
+&jl	(&label("_2nd_loop"));
+
+	# update A-H state
+	&mov	($Widx,&DWP(8,"ebp"));		# A-H state, 1st arg
+	&movq	(&QWP($Aoff,$W512),$A);		# write out a
+	&movq	(&QWP($Eoff,$W512),$E);		# write out e
+	&movdqu	("xmm0",&QWP(0,$Widx));
+	&movdqu	("xmm1",&QWP(16,$Widx));
+	&movdqu	("xmm2",&QWP(32,$Widx));
+	&movdqu	("xmm3",&QWP(48,$Widx));
+	&paddq	("xmm0",&QWP($Aoff,$W512));	# 128-bit additions...
+	&paddq	("xmm1",&QWP($Coff,$W512));
+	&paddq	("xmm2",&QWP($Eoff,$W512));
+	&paddq	("xmm3",&QWP($Goff,$W512));
+	&movdqu	(&QWP(0,$Widx),"xmm0");
+	&movdqu	(&QWP(16,$Widx),"xmm1");
+	&movdqu	(&QWP(32,$Widx),"xmm2");
+	&movdqu	(&QWP(48,$Widx),"xmm3");
+
+&add	($data,16*8);				# advance input data pointer
+&dec	(&DWP(16,"ebp"));			# decrement 3rd arg
+&jnz	(&label("_chunk_loop"));
+
+	# epilogue
+	&emms	();	# required for at least ELF and Win32 ABIs
+	&mov	("edi",&DWP(-12,"ebp"));
+	&mov	("esi",&DWP(-8,"ebp"));
+	&mov	("ebx",&DWP(-4,"ebp"));
+	&leave	();
+&ret	();
+
+&align(64);
+&set_label("K512");	# Yes! I keep it in the code segment!
+	&data_word(0xd728ae22,0x428a2f98);	# u64
+	&data_word(0x23ef65cd,0x71374491);	# u64
+	&data_word(0xec4d3b2f,0xb5c0fbcf);	# u64
+	&data_word(0x8189dbbc,0xe9b5dba5);	# u64
+	&data_word(0xf348b538,0x3956c25b);	# u64
+	&data_word(0xb605d019,0x59f111f1);	# u64
+	&data_word(0xaf194f9b,0x923f82a4);	# u64
+	&data_word(0xda6d8118,0xab1c5ed5);	# u64
+	&data_word(0xa3030242,0xd807aa98);	# u64
+	&data_word(0x45706fbe,0x12835b01);	# u64
+	&data_word(0x4ee4b28c,0x243185be);	# u64
+	&data_word(0xd5ffb4e2,0x550c7dc3);	# u64
+	&data_word(0xf27b896f,0x72be5d74);	# u64
+	&data_word(0x3b1696b1,0x80deb1fe);	# u64
+	&data_word(0x25c71235,0x9bdc06a7);	# u64
+	&data_word(0xcf692694,0xc19bf174);	# u64
+	&data_word(0x9ef14ad2,0xe49b69c1);	# u64
+	&data_word(0x384f25e3,0xefbe4786);	# u64
+	&data_word(0x8b8cd5b5,0x0fc19dc6);	# u64
+	&data_word(0x77ac9c65,0x240ca1cc);	# u64
+	&data_word(0x592b0275,0x2de92c6f);	# u64
+	&data_word(0x6ea6e483,0x4a7484aa);	# u64
+	&data_word(0xbd41fbd4,0x5cb0a9dc);	# u64
+	&data_word(0x831153b5,0x76f988da);	# u64
+	&data_word(0xee66dfab,0x983e5152);	# u64
+	&data_word(0x2db43210,0xa831c66d);	# u64
+	&data_word(0x98fb213f,0xb00327c8);	# u64
+	&data_word(0xbeef0ee4,0xbf597fc7);	# u64
+	&data_word(0x3da88fc2,0xc6e00bf3);	# u64
+	&data_word(0x930aa725,0xd5a79147);	# u64
+	&data_word(0xe003826f,0x06ca6351);	# u64
+	&data_word(0x0a0e6e70,0x14292967);	# u64
+	&data_word(0x46d22ffc,0x27b70a85);	# u64
+	&data_word(0x5c26c926,0x2e1b2138);	# u64
+	&data_word(0x5ac42aed,0x4d2c6dfc);	# u64
+	&data_word(0x9d95b3df,0x53380d13);	# u64
+	&data_word(0x8baf63de,0x650a7354);	# u64
+	&data_word(0x3c77b2a8,0x766a0abb);	# u64
+	&data_word(0x47edaee6,0x81c2c92e);	# u64
+	&data_word(0x1482353b,0x92722c85);	# u64
+	&data_word(0x4cf10364,0xa2bfe8a1);	# u64
+	&data_word(0xbc423001,0xa81a664b);	# u64
+	&data_word(0xd0f89791,0xc24b8b70);	# u64
+	&data_word(0x0654be30,0xc76c51a3);	# u64
+	&data_word(0xd6ef5218,0xd192e819);	# u64
+	&data_word(0x5565a910,0xd6990624);	# u64
+	&data_word(0x5771202a,0xf40e3585);	# u64
+	&data_word(0x32bbd1b8,0x106aa070);	# u64
+	&data_word(0xb8d2d0c8,0x19a4c116);	# u64
+	&data_word(0x5141ab53,0x1e376c08);	# u64
+	&data_word(0xdf8eeb99,0x2748774c);	# u64
+	&data_word(0xe19b48a8,0x34b0bcb5);	# u64
+	&data_word(0xc5c95a63,0x391c0cb3);	# u64
+	&data_word(0xe3418acb,0x4ed8aa4a);	# u64
+	&data_word(0x7763e373,0x5b9cca4f);	# u64
+	&data_word(0xd6b2b8a3,0x682e6ff3);	# u64
+	&data_word(0x5defb2fc,0x748f82ee);	# u64
+	&data_word(0x43172f60,0x78a5636f);	# u64
+	&data_word(0xa1f0ab72,0x84c87814);	# u64
+	&data_word(0x1a6439ec,0x8cc70208);	# u64
+	&data_word(0x23631e28,0x90befffa);	# u64
+	&data_word(0xde82bde9,0xa4506ceb);	# u64
+	&data_word(0xb2c67915,0xbef9a3f7);	# u64
+	&data_word(0xe372532b,0xc67178f2);	# u64
+	&data_word(0xea26619c,0xca273ece);	# u64
+	&data_word(0x21c0c207,0xd186b8c7);	# u64
+	&data_word(0xcde0eb1e,0xeada7dd6);	# u64
+	&data_word(0xee6ed178,0xf57d4f7f);	# u64
+	&data_word(0x72176fba,0x06f067aa);	# u64
+	&data_word(0xa2c898a6,0x0a637dc5);	# u64
+	&data_word(0xbef90dae,0x113f9804);	# u64
+	&data_word(0x131c471b,0x1b710b35);	# u64
+	&data_word(0x23047d84,0x28db77f5);	# u64
+	&data_word(0x40c72493,0x32caab7b);	# u64
+	&data_word(0x15c9bebc,0x3c9ebe0a);	# u64
+	&data_word(0x9c100d4c,0x431d67c4);	# u64
+	&data_word(0xcb3e42b6,0x4cc5d4be);	# u64
+	&data_word(0xfc657e2a,0x597f299c);	# u64
+	&data_word(0x3ad6faec,0x5fcb6fab);	# u64
+	&data_word(0x4a475817,0x6c44198c);	# u64
+
+&function_end_B($func);
+
+&asm_finish();
diff --git a/crypto/openssl/crypto/sha/sha.h b/crypto/openssl/crypto/sha/sha.h
index a26ed5ddc1c0..a83bd3cace3d 100644
--- a/crypto/openssl/crypto/sha/sha.h
+++ b/crypto/openssl/crypto/sha/sha.h
@@ -70,7 +70,7 @@ extern "C" {
 #endif
 
 #if defined(OPENSSL_FIPS)
-#define FIPS_SHA_SIZE_T unsigned long
+#define FIPS_SHA_SIZE_T size_t
 #endif
 
 /*
@@ -101,23 +101,97 @@ typedef struct SHAstate_st
 	SHA_LONG h0,h1,h2,h3,h4;
 	SHA_LONG Nl,Nh;
 	SHA_LONG data[SHA_LBLOCK];
-	int num;
+	unsigned int num;
 	} SHA_CTX;
 
 #ifndef OPENSSL_NO_SHA0
 int SHA_Init(SHA_CTX *c);
-int SHA_Update(SHA_CTX *c, const void *data, unsigned long len);
+int SHA_Update(SHA_CTX *c, const void *data, size_t len);
 int SHA_Final(unsigned char *md, SHA_CTX *c);
-unsigned char *SHA(const unsigned char *d, unsigned long n,unsigned char *md);
+unsigned char *SHA(const unsigned char *d, size_t n, unsigned char *md);
 void SHA_Transform(SHA_CTX *c, const unsigned char *data);
 #endif
 #ifndef OPENSSL_NO_SHA1
 int SHA1_Init(SHA_CTX *c);
-int SHA1_Update(SHA_CTX *c, const void *data, unsigned long len);
+int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
 int SHA1_Final(unsigned char *md, SHA_CTX *c);
-unsigned char *SHA1(const unsigned char *d, unsigned long n,unsigned char *md);
+unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md);
 void SHA1_Transform(SHA_CTX *c, const unsigned char *data);
 #endif
+
+#define SHA256_CBLOCK	(SHA_LBLOCK*4)	/* SHA-256 treats input data as a
+					 * contiguous array of 32 bit
+					 * wide big-endian values. */
+#define SHA224_DIGEST_LENGTH	28
+#define SHA256_DIGEST_LENGTH	32
+
+typedef struct SHA256state_st
+	{
+	SHA_LONG h[8];
+	SHA_LONG Nl,Nh;
+	SHA_LONG data[SHA_LBLOCK];
+	unsigned int num,md_len;
+	} SHA256_CTX;
+
+#ifndef OPENSSL_NO_SHA256
+int SHA224_Init(SHA256_CTX *c);
+int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
+int SHA224_Final(unsigned char *md, SHA256_CTX *c);
+unsigned char *SHA224(const unsigned char *d, size_t n,unsigned char *md);
+int SHA256_Init(SHA256_CTX *c);
+int SHA256_Update(SHA256_CTX *c, const void *data, size_t len);
+int SHA256_Final(unsigned char *md, SHA256_CTX *c);
+unsigned char *SHA256(const unsigned char *d, size_t n,unsigned char *md);
+void SHA256_Transform(SHA256_CTX *c, const unsigned char *data);
+#endif
+
+#define SHA384_DIGEST_LENGTH	48
+#define SHA512_DIGEST_LENGTH	64
+
+#ifndef OPENSSL_NO_SHA512
+/*
+ * Unlike 32-bit digest algorithms, SHA-512 *relies* on SHA_LONG64
+ * being exactly 64-bit wide. See Implementation Notes in sha512.c
+ * for further details.
+ */
+#define SHA512_CBLOCK	(SHA_LBLOCK*8)	/* SHA-512 treats input data as a
+					 * contiguous array of 64 bit
+					 * wide big-endian values. */
+#if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
+#define SHA_LONG64 unsigned __int64
+#define U64(C)     C##UI64
+#elif defined(__arch64__)
+#define SHA_LONG64 unsigned long
+#define U64(C)     C##UL
+#else
+#define SHA_LONG64 unsigned long long
+#define U64(C)     C##ULL
+#endif
+
+typedef struct SHA512state_st
+	{
+	SHA_LONG64 h[8];
+	SHA_LONG64 Nl,Nh;
+	union {
+		SHA_LONG64	d[SHA_LBLOCK];
+		unsigned char	p[SHA512_CBLOCK];
+	} u;
+	unsigned int num,md_len;
+	} SHA512_CTX;
+#endif
+
+#ifndef OPENSSL_NO_SHA512
+int SHA384_Init(SHA512_CTX *c);
+int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
+int SHA384_Final(unsigned char *md, SHA512_CTX *c);
+unsigned char *SHA384(const unsigned char *d, size_t n,unsigned char *md);
+int SHA512_Init(SHA512_CTX *c);
+int SHA512_Update(SHA512_CTX *c, const void *data, size_t len);
+int SHA512_Final(unsigned char *md, SHA512_CTX *c);
+unsigned char *SHA512(const unsigned char *d, size_t n,unsigned char *md);
+void SHA512_Transform(SHA512_CTX *c, const unsigned char *data);
+#endif
+
 #ifdef  __cplusplus
 }
 #endif
diff --git a/crypto/openssl/crypto/sha/sha1_one.c b/crypto/openssl/crypto/sha/sha1_one.c
index 20e660c71df7..7c65b60276cd 100644
--- a/crypto/openssl/crypto/sha/sha1_one.c
+++ b/crypto/openssl/crypto/sha/sha1_one.c
@@ -62,13 +62,14 @@
 #include <openssl/crypto.h>
 
 #ifndef OPENSSL_NO_SHA1
-unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md)
+unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
 	{
 	SHA_CTX c;
 	static unsigned char m[SHA_DIGEST_LENGTH];
 
 	if (md == NULL) md=m;
-	SHA1_Init(&c);
+	if (!SHA1_Init(&c))
+		return NULL;
 	SHA1_Update(&c,d,n);
 	SHA1_Final(md,&c);
 	OPENSSL_cleanse(&c,sizeof(c));
diff --git a/crypto/openssl/crypto/sha/sha1dgst.c b/crypto/openssl/crypto/sha/sha1dgst.c
index 1e2009b76081..447ce53e17ee 100644
--- a/crypto/openssl/crypto/sha/sha1dgst.c
+++ b/crypto/openssl/crypto/sha/sha1dgst.c
@@ -56,26 +56,19 @@
  * [including the GNU Public Licence.]
  */
 
+#include <openssl/opensslconf.h>
 #if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA)
 
 #undef  SHA_0
 #define SHA_1
 
 #include <openssl/opensslv.h>
-#include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_FIPS
 const char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT;
 
 /* The implementation is in ../md32_common.h */
 
 #include "sha_locl.h"
 
-#else /* ndef OPENSSL_FIPS */
-
-static void *dummy=&dummy;
-
-#endif /* ndef OPENSSL_FIPS */
-
 #endif
 
diff --git a/crypto/openssl/crypto/sha/sha1test.c b/crypto/openssl/crypto/sha/sha1test.c
index 4f2e4ada2d25..b0650c7254f2 100644
--- a/crypto/openssl/crypto/sha/sha1test.c
+++ b/crypto/openssl/crypto/sha/sha1test.c
@@ -123,7 +123,7 @@ int main(int argc, char *argv[])
 	i=1;
 	while (*P != NULL)
 		{
-		EVP_Digest(*P,(unsigned long)strlen((char *)*P),md,NULL,EVP_sha1(), NULL);
+		EVP_Digest(*P,strlen((char *)*P),md,NULL,EVP_sha1(), NULL);
 		p=pt(md);
 		if (strcmp(p,(char *)*R) != 0)
 			{
@@ -157,6 +157,10 @@ int main(int argc, char *argv[])
 		}
 	else
 		printf("test 3 ok\n");
+
+#ifdef OPENSSL_SYS_NETWARE
+    if (err) printf("ERROR: %d\n", err);
+#endif
 	EXIT(err);
 	EVP_MD_CTX_cleanup(&c);
 	return(0);
diff --git a/crypto/openssl/crypto/sha/sha256.c b/crypto/openssl/crypto/sha/sha256.c
new file mode 100644
index 000000000000..bbc20da0e97f
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha256.c
@@ -0,0 +1,319 @@
+/* crypto/sha/sha256.c */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
+ * according to the OpenSSL license [found in ../../LICENSE].
+ * ====================================================================
+ */
+#include <openssl/opensslconf.h>
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/crypto.h>
+#include <openssl/sha.h>
+#include <openssl/opensslv.h>
+
+const char *SHA256_version="SHA-256" OPENSSL_VERSION_PTEXT;
+
+int SHA224_Init (SHA256_CTX *c)
+	{
+	c->h[0]=0xc1059ed8UL;	c->h[1]=0x367cd507UL;
+	c->h[2]=0x3070dd17UL;	c->h[3]=0xf70e5939UL;
+	c->h[4]=0xffc00b31UL;	c->h[5]=0x68581511UL;
+	c->h[6]=0x64f98fa7UL;	c->h[7]=0xbefa4fa4UL;
+	c->Nl=0;	c->Nh=0;
+	c->num=0;	c->md_len=SHA224_DIGEST_LENGTH;
+	return 1;
+	}
+
+int SHA256_Init (SHA256_CTX *c)
+	{
+	c->h[0]=0x6a09e667UL;	c->h[1]=0xbb67ae85UL;
+	c->h[2]=0x3c6ef372UL;	c->h[3]=0xa54ff53aUL;
+	c->h[4]=0x510e527fUL;	c->h[5]=0x9b05688cUL;
+	c->h[6]=0x1f83d9abUL;	c->h[7]=0x5be0cd19UL;
+	c->Nl=0;	c->Nh=0;
+	c->num=0;	c->md_len=SHA256_DIGEST_LENGTH;
+	return 1;
+	}
+
+unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
+	{
+	SHA256_CTX c;
+	static unsigned char m[SHA224_DIGEST_LENGTH];
+
+	if (md == NULL) md=m;
+	SHA224_Init(&c);
+	SHA256_Update(&c,d,n);
+	SHA256_Final(md,&c);
+	OPENSSL_cleanse(&c,sizeof(c));
+	return(md);
+	}
+
+unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
+	{
+	SHA256_CTX c;
+	static unsigned char m[SHA256_DIGEST_LENGTH];
+
+	if (md == NULL) md=m;
+	SHA256_Init(&c);
+	SHA256_Update(&c,d,n);
+	SHA256_Final(md,&c);
+	OPENSSL_cleanse(&c,sizeof(c));
+	return(md);
+	}
+
+int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
+{   return SHA256_Update (c,data,len);   }
+int SHA224_Final (unsigned char *md, SHA256_CTX *c)
+{   return SHA256_Final (md,c);   }
+
+#ifndef	SHA_LONG_LOG2
+#define	SHA_LONG_LOG2	2	/* default to 32 bits */
+#endif
+
+#define	DATA_ORDER_IS_BIG_ENDIAN
+
+#define	HASH_LONG		SHA_LONG
+#define	HASH_LONG_LOG2		SHA_LONG_LOG2
+#define	HASH_CTX		SHA256_CTX
+#define	HASH_CBLOCK		SHA_CBLOCK
+#define	HASH_LBLOCK		SHA_LBLOCK
+/*
+ * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
+ * default: case below covers for it. It's not clear however if it's
+ * permitted to truncate to amount of bytes not divisible by 4. I bet not,
+ * but if it is, then default: case shall be extended. For reference.
+ * Idea behind separate cases for pre-defined lenghts is to let the
+ * compiler decide if it's appropriate to unroll small loops.
+ */
+#define	HASH_MAKE_STRING(c,s)	do {	\
+	unsigned long ll;		\
+	unsigned int  n;		\
+	switch ((c)->md_len)		\
+	{   case SHA224_DIGEST_LENGTH:	\
+		for (n=0;n<SHA224_DIGEST_LENGTH/4;n++)	\
+		{   ll=(c)->h[n]; HOST_l2c(ll,(s));   }	\
+		break;			\
+	    case SHA256_DIGEST_LENGTH:	\
+		for (n=0;n<SHA256_DIGEST_LENGTH/4;n++)	\
+		{   ll=(c)->h[n]; HOST_l2c(ll,(s));   }	\
+		break;			\
+	    default:			\
+		if ((c)->md_len > SHA256_DIGEST_LENGTH)	\
+		    return 0;				\
+		for (n=0;n<(c)->md_len/4;n++)		\
+		{   ll=(c)->h[n]; HOST_l2c(ll,(s));   }	\
+		break;			\
+	}				\
+	} while (0)
+
+#define	HASH_UPDATE		SHA256_Update
+#define	HASH_TRANSFORM		SHA256_Transform
+#define	HASH_FINAL		SHA256_Final
+#define	HASH_BLOCK_HOST_ORDER	sha256_block_host_order
+#define	HASH_BLOCK_DATA_ORDER	sha256_block_data_order
+void sha256_block_host_order (SHA256_CTX *ctx, const void *in, size_t num);
+void sha256_block_data_order (SHA256_CTX *ctx, const void *in, size_t num);
+
+#include "md32_common.h"
+
+#ifdef SHA256_ASM
+void sha256_block (SHA256_CTX *ctx, const void *in, size_t num, int host);
+#else
+static const SHA_LONG K256[64] = {
+	0x428a2f98UL,0x71374491UL,0xb5c0fbcfUL,0xe9b5dba5UL,
+	0x3956c25bUL,0x59f111f1UL,0x923f82a4UL,0xab1c5ed5UL,
+	0xd807aa98UL,0x12835b01UL,0x243185beUL,0x550c7dc3UL,
+	0x72be5d74UL,0x80deb1feUL,0x9bdc06a7UL,0xc19bf174UL,
+	0xe49b69c1UL,0xefbe4786UL,0x0fc19dc6UL,0x240ca1ccUL,
+	0x2de92c6fUL,0x4a7484aaUL,0x5cb0a9dcUL,0x76f988daUL,
+	0x983e5152UL,0xa831c66dUL,0xb00327c8UL,0xbf597fc7UL,
+	0xc6e00bf3UL,0xd5a79147UL,0x06ca6351UL,0x14292967UL,
+	0x27b70a85UL,0x2e1b2138UL,0x4d2c6dfcUL,0x53380d13UL,
+	0x650a7354UL,0x766a0abbUL,0x81c2c92eUL,0x92722c85UL,
+	0xa2bfe8a1UL,0xa81a664bUL,0xc24b8b70UL,0xc76c51a3UL,
+	0xd192e819UL,0xd6990624UL,0xf40e3585UL,0x106aa070UL,
+	0x19a4c116UL,0x1e376c08UL,0x2748774cUL,0x34b0bcb5UL,
+	0x391c0cb3UL,0x4ed8aa4aUL,0x5b9cca4fUL,0x682e6ff3UL,
+	0x748f82eeUL,0x78a5636fUL,0x84c87814UL,0x8cc70208UL,
+	0x90befffaUL,0xa4506cebUL,0xbef9a3f7UL,0xc67178f2UL };
+
+/*
+ * FIPS specification refers to right rotations, while our ROTATE macro
+ * is left one. This is why you might notice that rotation coefficients
+ * differ from those observed in FIPS document by 32-N...
+ */
+#define Sigma0(x)	(ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
+#define Sigma1(x)	(ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
+#define sigma0(x)	(ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
+#define sigma1(x)	(ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
+
+#define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
+#define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+
+#ifdef OPENSSL_SMALL_FOOTPRINT
+
+static void sha256_block (SHA256_CTX *ctx, const void *in, size_t num, int host)
+	{
+	unsigned MD32_REG_T a,b,c,d,e,f,g,h,s0,s1,T1,T2;
+	SHA_LONG	X[16];
+	int i;
+	const unsigned char *data=in;
+
+			while (num--) {
+
+	a = ctx->h[0];	b = ctx->h[1];	c = ctx->h[2];	d = ctx->h[3];
+	e = ctx->h[4];	f = ctx->h[5];	g = ctx->h[6];	h = ctx->h[7];
+
+	if (host)
+		{
+		const SHA_LONG *W=(const SHA_LONG *)data;
+
+		for (i=0;i<16;i++)
+			{
+			T1 = X[i] = W[i];
+			T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];
+			T2 = Sigma0(a) + Maj(a,b,c);
+			h = g;	g = f;	f = e;	e = d + T1;
+			d = c;	c = b;	b = a;	a = T1 + T2;
+			}
+
+		data += SHA256_CBLOCK;
+		}
+	else
+		{
+		SHA_LONG l;
+
+		for (i=0;i<16;i++)
+			{
+			HOST_c2l(data,l); T1 = X[i] = l;
+			T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];
+			T2 = Sigma0(a) + Maj(a,b,c);
+			h = g;	g = f;	f = e;	e = d + T1;
+			d = c;	c = b;	b = a;	a = T1 + T2;
+			}
+		}
+
+	for (;i<64;i++)
+		{
+		s0 = X[(i+1)&0x0f];	s0 = sigma0(s0);
+		s1 = X[(i+14)&0x0f];	s1 = sigma1(s1);
+
+		T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf];
+		T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];
+		T2 = Sigma0(a) + Maj(a,b,c);
+		h = g;	g = f;	f = e;	e = d + T1;
+		d = c;	c = b;	b = a;	a = T1 + T2;
+		}
+
+	ctx->h[0] += a;	ctx->h[1] += b;	ctx->h[2] += c;	ctx->h[3] += d;
+	ctx->h[4] += e;	ctx->h[5] += f;	ctx->h[6] += g;	ctx->h[7] += h;
+
+			}
+}
+
+#else
+
+#define	ROUND_00_15(i,a,b,c,d,e,f,g,h)		do {	\
+	T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];	\
+	h = Sigma0(a) + Maj(a,b,c);			\
+	d += T1;	h += T1;		} while (0)
+
+#define	ROUND_16_63(i,a,b,c,d,e,f,g,h,X)	do {	\
+	s0 = X[(i+1)&0x0f];	s0 = sigma0(s0);	\
+	s1 = X[(i+14)&0x0f];	s1 = sigma1(s1);	\
+	T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];	\
+	ROUND_00_15(i,a,b,c,d,e,f,g,h);		} while (0)
+
+static void sha256_block (SHA256_CTX *ctx, const void *in, size_t num, int host)
+	{
+	unsigned MD32_REG_T a,b,c,d,e,f,g,h,s0,s1,T1;
+	SHA_LONG	X[16];
+	int i;
+	const unsigned char *data=in;
+
+			while (num--) {
+
+	a = ctx->h[0];	b = ctx->h[1];	c = ctx->h[2];	d = ctx->h[3];
+	e = ctx->h[4];	f = ctx->h[5];	g = ctx->h[6];	h = ctx->h[7];
+
+	if (host)
+		{
+		const SHA_LONG *W=(const SHA_LONG *)data;
+
+		T1 = X[0] = W[0];	ROUND_00_15(0,a,b,c,d,e,f,g,h);
+		T1 = X[1] = W[1];	ROUND_00_15(1,h,a,b,c,d,e,f,g);
+		T1 = X[2] = W[2];	ROUND_00_15(2,g,h,a,b,c,d,e,f);
+		T1 = X[3] = W[3];	ROUND_00_15(3,f,g,h,a,b,c,d,e);
+		T1 = X[4] = W[4];	ROUND_00_15(4,e,f,g,h,a,b,c,d);
+		T1 = X[5] = W[5];	ROUND_00_15(5,d,e,f,g,h,a,b,c);
+		T1 = X[6] = W[6];	ROUND_00_15(6,c,d,e,f,g,h,a,b);
+		T1 = X[7] = W[7];	ROUND_00_15(7,b,c,d,e,f,g,h,a);
+		T1 = X[8] = W[8];	ROUND_00_15(8,a,b,c,d,e,f,g,h);
+		T1 = X[9] = W[9];	ROUND_00_15(9,h,a,b,c,d,e,f,g);
+		T1 = X[10] = W[10];	ROUND_00_15(10,g,h,a,b,c,d,e,f);
+		T1 = X[11] = W[11];	ROUND_00_15(11,f,g,h,a,b,c,d,e);
+		T1 = X[12] = W[12];	ROUND_00_15(12,e,f,g,h,a,b,c,d);
+		T1 = X[13] = W[13];	ROUND_00_15(13,d,e,f,g,h,a,b,c);
+		T1 = X[14] = W[14];	ROUND_00_15(14,c,d,e,f,g,h,a,b);
+		T1 = X[15] = W[15];	ROUND_00_15(15,b,c,d,e,f,g,h,a);
+
+		data += SHA256_CBLOCK;
+		}
+	else
+		{
+		SHA_LONG l;
+
+		HOST_c2l(data,l); T1 = X[0] = l;  ROUND_00_15(0,a,b,c,d,e,f,g,h);
+		HOST_c2l(data,l); T1 = X[1] = l;  ROUND_00_15(1,h,a,b,c,d,e,f,g);
+		HOST_c2l(data,l); T1 = X[2] = l;  ROUND_00_15(2,g,h,a,b,c,d,e,f);
+		HOST_c2l(data,l); T1 = X[3] = l;  ROUND_00_15(3,f,g,h,a,b,c,d,e);
+		HOST_c2l(data,l); T1 = X[4] = l;  ROUND_00_15(4,e,f,g,h,a,b,c,d);
+		HOST_c2l(data,l); T1 = X[5] = l;  ROUND_00_15(5,d,e,f,g,h,a,b,c);
+		HOST_c2l(data,l); T1 = X[6] = l;  ROUND_00_15(6,c,d,e,f,g,h,a,b);
+		HOST_c2l(data,l); T1 = X[7] = l;  ROUND_00_15(7,b,c,d,e,f,g,h,a);
+		HOST_c2l(data,l); T1 = X[8] = l;  ROUND_00_15(8,a,b,c,d,e,f,g,h);
+		HOST_c2l(data,l); T1 = X[9] = l;  ROUND_00_15(9,h,a,b,c,d,e,f,g);
+		HOST_c2l(data,l); T1 = X[10] = l; ROUND_00_15(10,g,h,a,b,c,d,e,f);
+		HOST_c2l(data,l); T1 = X[11] = l; ROUND_00_15(11,f,g,h,a,b,c,d,e);
+		HOST_c2l(data,l); T1 = X[12] = l; ROUND_00_15(12,e,f,g,h,a,b,c,d);
+		HOST_c2l(data,l); T1 = X[13] = l; ROUND_00_15(13,d,e,f,g,h,a,b,c);
+		HOST_c2l(data,l); T1 = X[14] = l; ROUND_00_15(14,c,d,e,f,g,h,a,b);
+		HOST_c2l(data,l); T1 = X[15] = l; ROUND_00_15(15,b,c,d,e,f,g,h,a);
+		}
+
+	for (i=16;i<64;i+=8)
+		{
+		ROUND_16_63(i+0,a,b,c,d,e,f,g,h,X);
+		ROUND_16_63(i+1,h,a,b,c,d,e,f,g,X);
+		ROUND_16_63(i+2,g,h,a,b,c,d,e,f,X);
+		ROUND_16_63(i+3,f,g,h,a,b,c,d,e,X);
+		ROUND_16_63(i+4,e,f,g,h,a,b,c,d,X);
+		ROUND_16_63(i+5,d,e,f,g,h,a,b,c,X);
+		ROUND_16_63(i+6,c,d,e,f,g,h,a,b,X);
+		ROUND_16_63(i+7,b,c,d,e,f,g,h,a,X);
+		}
+
+	ctx->h[0] += a;	ctx->h[1] += b;	ctx->h[2] += c;	ctx->h[3] += d;
+	ctx->h[4] += e;	ctx->h[5] += f;	ctx->h[6] += g;	ctx->h[7] += h;
+
+			}
+	}
+
+#endif
+#endif /* SHA256_ASM */
+
+/*
+ * Idea is to trade couple of cycles for some space. On IA-32 we save
+ * about 4K in "big footprint" case. In "small footprint" case any gain
+ * is appreciated:-)
+ */
+void HASH_BLOCK_HOST_ORDER (SHA256_CTX *ctx, const void *in, size_t num)
+{   sha256_block (ctx,in,num,1);   }
+
+void HASH_BLOCK_DATA_ORDER (SHA256_CTX *ctx, const void *in, size_t num)
+{   sha256_block (ctx,in,num,0);   }
+
+#endif /* OPENSSL_NO_SHA256 */
diff --git a/crypto/openssl/crypto/sha/sha256t.c b/crypto/openssl/crypto/sha/sha256t.c
new file mode 100644
index 000000000000..6b4a3bd001ba
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha256t.c
@@ -0,0 +1,147 @@
+/* crypto/sha/sha256t.c */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ * ====================================================================
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+
+#if defined(OPENSSL_NO_SHA) || defined(OPENSSL_NO_SHA256)
+int main(int argc, char *argv[])
+{
+    printf("No SHA256 support\n");
+    return(0);
+}
+#else
+
+unsigned char app_b1[SHA256_DIGEST_LENGTH] = {
+	0xba,0x78,0x16,0xbf,0x8f,0x01,0xcf,0xea,
+	0x41,0x41,0x40,0xde,0x5d,0xae,0x22,0x23,
+	0xb0,0x03,0x61,0xa3,0x96,0x17,0x7a,0x9c,
+	0xb4,0x10,0xff,0x61,0xf2,0x00,0x15,0xad	};
+
+unsigned char app_b2[SHA256_DIGEST_LENGTH] = {
+	0x24,0x8d,0x6a,0x61,0xd2,0x06,0x38,0xb8,
+	0xe5,0xc0,0x26,0x93,0x0c,0x3e,0x60,0x39,
+	0xa3,0x3c,0xe4,0x59,0x64,0xff,0x21,0x67,
+	0xf6,0xec,0xed,0xd4,0x19,0xdb,0x06,0xc1	};
+
+unsigned char app_b3[SHA256_DIGEST_LENGTH] = {
+	0xcd,0xc7,0x6e,0x5c,0x99,0x14,0xfb,0x92,
+	0x81,0xa1,0xc7,0xe2,0x84,0xd7,0x3e,0x67,
+	0xf1,0x80,0x9a,0x48,0xa4,0x97,0x20,0x0e,
+	0x04,0x6d,0x39,0xcc,0xc7,0x11,0x2c,0xd0	};
+
+unsigned char addenum_1[SHA224_DIGEST_LENGTH] = {
+	0x23,0x09,0x7d,0x22,0x34,0x05,0xd8,0x22,
+	0x86,0x42,0xa4,0x77,0xbd,0xa2,0x55,0xb3,
+	0x2a,0xad,0xbc,0xe4,0xbd,0xa0,0xb3,0xf7,
+	0xe3,0x6c,0x9d,0xa7 };
+
+unsigned char addenum_2[SHA224_DIGEST_LENGTH] = {
+	0x75,0x38,0x8b,0x16,0x51,0x27,0x76,0xcc,
+	0x5d,0xba,0x5d,0xa1,0xfd,0x89,0x01,0x50,
+	0xb0,0xc6,0x45,0x5c,0xb4,0xf5,0x8b,0x19,
+	0x52,0x52,0x25,0x25 };
+
+unsigned char addenum_3[SHA224_DIGEST_LENGTH] = {
+	0x20,0x79,0x46,0x55,0x98,0x0c,0x91,0xd8,
+	0xbb,0xb4,0xc1,0xea,0x97,0x61,0x8a,0x4b,
+	0xf0,0x3f,0x42,0x58,0x19,0x48,0xb2,0xee,
+	0x4e,0xe7,0xad,0x67 };
+
+int main (int argc,char **argv)
+{ unsigned char md[SHA256_DIGEST_LENGTH];
+  int		i;
+  EVP_MD_CTX	evp;
+
+    fprintf(stdout,"Testing SHA-256 ");
+
+    EVP_Digest ("abc",3,md,NULL,EVP_sha256(),NULL);
+    if (memcmp(md,app_b1,sizeof(app_b1)))
+    {	fflush(stdout);
+	fprintf(stderr,"\nTEST 1 of 3 failed.\n");
+	return 1;
+    }
+    else
+	fprintf(stdout,"."); fflush(stdout);
+
+    EVP_Digest ("abcdbcde""cdefdefg""efghfghi""ghijhijk"
+		"ijkljklm""klmnlmno""mnopnopq",56,md,NULL,EVP_sha256(),NULL);
+    if (memcmp(md,app_b2,sizeof(app_b2)))
+    {	fflush(stdout);
+	fprintf(stderr,"\nTEST 2 of 3 failed.\n");
+	return 1;
+    }
+    else
+	fprintf(stdout,"."); fflush(stdout);
+
+    EVP_MD_CTX_init (&evp);
+    EVP_DigestInit_ex (&evp,EVP_sha256(),NULL);
+    for (i=0;i<1000000;i+=160)
+	EVP_DigestUpdate (&evp,	"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa",
+				(1000000-i)<160?1000000-i:160);
+    EVP_DigestFinal_ex (&evp,md,NULL);
+    EVP_MD_CTX_cleanup (&evp);
+
+    if (memcmp(md,app_b3,sizeof(app_b3)))
+    {	fflush(stdout);
+	fprintf(stderr,"\nTEST 3 of 3 failed.\n");
+	return 1;
+    }
+    else
+	fprintf(stdout,"."); fflush(stdout);
+
+    fprintf(stdout," passed.\n"); fflush(stdout);
+
+    fprintf(stdout,"Testing SHA-224 ");
+
+    EVP_Digest ("abc",3,md,NULL,EVP_sha224(),NULL);
+    if (memcmp(md,addenum_1,sizeof(addenum_1)))
+    {	fflush(stdout);
+	fprintf(stderr,"\nTEST 1 of 3 failed.\n");
+	return 1;
+    }
+    else
+	fprintf(stdout,"."); fflush(stdout);
+
+    EVP_Digest ("abcdbcde""cdefdefg""efghfghi""ghijhijk"
+		"ijkljklm""klmnlmno""mnopnopq",56,md,NULL,EVP_sha224(),NULL);
+    if (memcmp(md,addenum_2,sizeof(addenum_2)))
+    {	fflush(stdout);
+	fprintf(stderr,"\nTEST 2 of 3 failed.\n");
+	return 1;
+    }
+    else
+	fprintf(stdout,"."); fflush(stdout);
+
+    EVP_MD_CTX_init (&evp);
+    EVP_DigestInit_ex (&evp,EVP_sha224(),NULL);
+    for (i=0;i<1000000;i+=64)
+	EVP_DigestUpdate (&evp,	"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa",
+				(1000000-i)<64?1000000-i:64);
+    EVP_DigestFinal_ex (&evp,md,NULL);
+    EVP_MD_CTX_cleanup (&evp);
+
+    if (memcmp(md,addenum_3,sizeof(addenum_3)))
+    {	fflush(stdout);
+	fprintf(stderr,"\nTEST 3 of 3 failed.\n");
+	return 1;
+    }
+    else
+	fprintf(stdout,"."); fflush(stdout);
+
+    fprintf(stdout," passed.\n"); fflush(stdout);
+
+  return 0;
+}
+#endif
diff --git a/crypto/openssl/crypto/sha/sha512.c b/crypto/openssl/crypto/sha/sha512.c
new file mode 100644
index 000000000000..f965cff692cd
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha512.c
@@ -0,0 +1,496 @@
+/* crypto/sha/sha512.c */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
+ * according to the OpenSSL license [found in ../../LICENSE].
+ * ====================================================================
+ */
+#include <openssl/opensslconf.h>
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
+/*
+ * IMPLEMENTATION NOTES.
+ *
+ * As you might have noticed 32-bit hash algorithms:
+ *
+ * - permit SHA_LONG to be wider than 32-bit (case on CRAY);
+ * - optimized versions implement two transform functions: one operating
+ *   on [aligned] data in host byte order and one - on data in input
+ *   stream byte order;
+ * - share common byte-order neutral collector and padding function
+ *   implementations, ../md32_common.h;
+ *
+ * Neither of the above applies to this SHA-512 implementations. Reasons
+ * [in reverse order] are:
+ *
+ * - it's the only 64-bit hash algorithm for the moment of this writing,
+ *   there is no need for common collector/padding implementation [yet];
+ * - by supporting only one transform function [which operates on
+ *   *aligned* data in input stream byte order, big-endian in this case]
+ *   we minimize burden of maintenance in two ways: a) collector/padding
+ *   function is simpler; b) only one transform function to stare at;
+ * - SHA_LONG64 is required to be exactly 64-bit in order to be able to
+ *   apply a number of optimizations to mitigate potential performance
+ *   penalties caused by previous design decision;
+ *
+ * Caveat lector.
+ *
+ * Implementation relies on the fact that "long long" is 64-bit on
+ * both 32- and 64-bit platforms. If some compiler vendor comes up
+ * with 128-bit long long, adjustment to sha.h would be required.
+ * As this implementation relies on 64-bit integer type, it's totally
+ * inappropriate for platforms which don't support it, most notably
+ * 16-bit platforms.
+ *					<appro@fy.chalmers.se>
+ */
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/crypto.h>
+#include <openssl/sha.h>
+#include <openssl/opensslv.h>
+
+#include "cryptlib.h"
+
+const char *SHA512_version="SHA-512" OPENSSL_VERSION_PTEXT;
+
+#if defined(_M_IX86) || defined(_M_AMD64) || defined(__i386) || defined(__x86_64)
+#define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
+#endif
+
+int SHA384_Init (SHA512_CTX *c)
+	{
+	c->h[0]=U64(0xcbbb9d5dc1059ed8);
+	c->h[1]=U64(0x629a292a367cd507);
+	c->h[2]=U64(0x9159015a3070dd17);
+	c->h[3]=U64(0x152fecd8f70e5939);
+	c->h[4]=U64(0x67332667ffc00b31);
+	c->h[5]=U64(0x8eb44a8768581511);
+	c->h[6]=U64(0xdb0c2e0d64f98fa7);
+	c->h[7]=U64(0x47b5481dbefa4fa4);
+        c->Nl=0;        c->Nh=0;
+        c->num=0;       c->md_len=SHA384_DIGEST_LENGTH;
+        return 1;
+	}
+
+int SHA512_Init (SHA512_CTX *c)
+	{
+	c->h[0]=U64(0x6a09e667f3bcc908);
+	c->h[1]=U64(0xbb67ae8584caa73b);
+	c->h[2]=U64(0x3c6ef372fe94f82b);
+	c->h[3]=U64(0xa54ff53a5f1d36f1);
+	c->h[4]=U64(0x510e527fade682d1);
+	c->h[5]=U64(0x9b05688c2b3e6c1f);
+	c->h[6]=U64(0x1f83d9abfb41bd6b);
+	c->h[7]=U64(0x5be0cd19137e2179);
+        c->Nl=0;        c->Nh=0;
+        c->num=0;       c->md_len=SHA512_DIGEST_LENGTH;
+        return 1;
+	}
+
+#ifndef SHA512_ASM
+static
+#endif
+void sha512_block (SHA512_CTX *ctx, const void *in, size_t num);
+
+int SHA512_Final (unsigned char *md, SHA512_CTX *c)
+	{
+	unsigned char *p=(unsigned char *)c->u.p;
+	size_t n=c->num;
+
+	p[n]=0x80;	/* There always is a room for one */
+	n++;
+	if (n > (sizeof(c->u)-16))
+		memset (p+n,0,sizeof(c->u)-n), n=0,
+		sha512_block (c,p,1);
+
+	memset (p+n,0,sizeof(c->u)-16-n);
+#ifdef	B_ENDIAN
+	c->u.d[SHA_LBLOCK-2] = c->Nh;
+	c->u.d[SHA_LBLOCK-1] = c->Nl;
+#else
+	p[sizeof(c->u)-1]  = (unsigned char)(c->Nl);
+	p[sizeof(c->u)-2]  = (unsigned char)(c->Nl>>8);
+	p[sizeof(c->u)-3]  = (unsigned char)(c->Nl>>16);
+	p[sizeof(c->u)-4]  = (unsigned char)(c->Nl>>24);
+	p[sizeof(c->u)-5]  = (unsigned char)(c->Nl>>32);
+	p[sizeof(c->u)-6]  = (unsigned char)(c->Nl>>40);
+	p[sizeof(c->u)-7]  = (unsigned char)(c->Nl>>48);
+	p[sizeof(c->u)-8]  = (unsigned char)(c->Nl>>56);
+	p[sizeof(c->u)-9]  = (unsigned char)(c->Nh);
+	p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8);
+	p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16);
+	p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24);
+	p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32);
+	p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40);
+	p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48);
+	p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56);
+#endif
+
+	sha512_block (c,p,1);
+
+	if (md==0) return 0;
+
+	switch (c->md_len)
+		{
+		/* Let compiler decide if it's appropriate to unroll... */
+		case SHA384_DIGEST_LENGTH:
+			for (n=0;n<SHA384_DIGEST_LENGTH/8;n++)
+				{
+				SHA_LONG64 t = c->h[n];
+
+				*(md++)	= (unsigned char)(t>>56);
+				*(md++)	= (unsigned char)(t>>48);
+				*(md++)	= (unsigned char)(t>>40);
+				*(md++)	= (unsigned char)(t>>32);
+				*(md++)	= (unsigned char)(t>>24);
+				*(md++)	= (unsigned char)(t>>16);
+				*(md++)	= (unsigned char)(t>>8);
+				*(md++)	= (unsigned char)(t);
+				}
+			break;
+		case SHA512_DIGEST_LENGTH:
+			for (n=0;n<SHA512_DIGEST_LENGTH/8;n++)
+				{
+				SHA_LONG64 t = c->h[n];
+
+				*(md++)	= (unsigned char)(t>>56);
+				*(md++)	= (unsigned char)(t>>48);
+				*(md++)	= (unsigned char)(t>>40);
+				*(md++)	= (unsigned char)(t>>32);
+				*(md++)	= (unsigned char)(t>>24);
+				*(md++)	= (unsigned char)(t>>16);
+				*(md++)	= (unsigned char)(t>>8);
+				*(md++)	= (unsigned char)(t);
+				}
+			break;
+		/* ... as well as make sure md_len is not abused. */
+		default:	return 0;
+		}
+
+	return 1;
+	}
+
+int SHA384_Final (unsigned char *md,SHA512_CTX *c)
+{   return SHA512_Final (md,c);   }
+
+int SHA512_Update (SHA512_CTX *c, const void *_data, size_t len)
+	{
+	SHA_LONG64	l;
+	unsigned char  *p=c->u.p;
+	const unsigned char *data=(const unsigned char *)_data;
+
+	if (len==0) return  1;
+
+	l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff);
+	if (l < c->Nl)		c->Nh++;
+	if (sizeof(len)>=8)	c->Nh+=(((SHA_LONG64)len)>>61);
+	c->Nl=l;
+
+	if (c->num != 0)
+		{
+		size_t n = sizeof(c->u) - c->num;
+
+		if (len < n)
+			{
+			memcpy (p+c->num,data,len), c->num += len;
+			return 1;
+			}
+		else	{
+			memcpy (p+c->num,data,n), c->num = 0;
+			len-=n, data+=n;
+			sha512_block (c,p,1);
+			}
+		}
+
+	if (len >= sizeof(c->u))
+		{
+#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
+		if ((size_t)data%sizeof(c->u.d[0]) != 0)
+			while (len >= sizeof(c->u))
+				memcpy (p,data,sizeof(c->u)),
+				sha512_block (c,p,1),
+				len  -= sizeof(c->u),
+				data += sizeof(c->u);
+		else
+#endif
+			sha512_block (c,data,len/sizeof(c->u)),
+			data += len,
+			len  %= sizeof(c->u),
+			data -= len;
+		}
+
+	if (len != 0)	memcpy (p,data,len), c->num = (int)len;
+
+	return 1;
+	}
+
+int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
+{   return SHA512_Update (c,data,len);   }
+
+void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
+{   sha512_block (c,data,1);  }
+
+unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
+	{
+	SHA512_CTX c;
+	static unsigned char m[SHA384_DIGEST_LENGTH];
+
+	if (md == NULL) md=m;
+	SHA384_Init(&c);
+	SHA512_Update(&c,d,n);
+	SHA512_Final(md,&c);
+	OPENSSL_cleanse(&c,sizeof(c));
+	return(md);
+	}
+
+unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
+	{
+	SHA512_CTX c;
+	static unsigned char m[SHA512_DIGEST_LENGTH];
+
+	if (md == NULL) md=m;
+	SHA512_Init(&c);
+	SHA512_Update(&c,d,n);
+	SHA512_Final(md,&c);
+	OPENSSL_cleanse(&c,sizeof(c));
+	return(md);
+	}
+
+#ifndef SHA512_ASM
+static const SHA_LONG64 K512[80] = {
+        U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd),
+        U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc),
+        U64(0x3956c25bf348b538),U64(0x59f111f1b605d019),
+        U64(0x923f82a4af194f9b),U64(0xab1c5ed5da6d8118),
+        U64(0xd807aa98a3030242),U64(0x12835b0145706fbe),
+        U64(0x243185be4ee4b28c),U64(0x550c7dc3d5ffb4e2),
+        U64(0x72be5d74f27b896f),U64(0x80deb1fe3b1696b1),
+        U64(0x9bdc06a725c71235),U64(0xc19bf174cf692694),
+        U64(0xe49b69c19ef14ad2),U64(0xefbe4786384f25e3),
+        U64(0x0fc19dc68b8cd5b5),U64(0x240ca1cc77ac9c65),
+        U64(0x2de92c6f592b0275),U64(0x4a7484aa6ea6e483),
+        U64(0x5cb0a9dcbd41fbd4),U64(0x76f988da831153b5),
+        U64(0x983e5152ee66dfab),U64(0xa831c66d2db43210),
+        U64(0xb00327c898fb213f),U64(0xbf597fc7beef0ee4),
+        U64(0xc6e00bf33da88fc2),U64(0xd5a79147930aa725),
+        U64(0x06ca6351e003826f),U64(0x142929670a0e6e70),
+        U64(0x27b70a8546d22ffc),U64(0x2e1b21385c26c926),
+        U64(0x4d2c6dfc5ac42aed),U64(0x53380d139d95b3df),
+        U64(0x650a73548baf63de),U64(0x766a0abb3c77b2a8),
+        U64(0x81c2c92e47edaee6),U64(0x92722c851482353b),
+        U64(0xa2bfe8a14cf10364),U64(0xa81a664bbc423001),
+        U64(0xc24b8b70d0f89791),U64(0xc76c51a30654be30),
+        U64(0xd192e819d6ef5218),U64(0xd69906245565a910),
+        U64(0xf40e35855771202a),U64(0x106aa07032bbd1b8),
+        U64(0x19a4c116b8d2d0c8),U64(0x1e376c085141ab53),
+        U64(0x2748774cdf8eeb99),U64(0x34b0bcb5e19b48a8),
+        U64(0x391c0cb3c5c95a63),U64(0x4ed8aa4ae3418acb),
+        U64(0x5b9cca4f7763e373),U64(0x682e6ff3d6b2b8a3),
+        U64(0x748f82ee5defb2fc),U64(0x78a5636f43172f60),
+        U64(0x84c87814a1f0ab72),U64(0x8cc702081a6439ec),
+        U64(0x90befffa23631e28),U64(0xa4506cebde82bde9),
+        U64(0xbef9a3f7b2c67915),U64(0xc67178f2e372532b),
+        U64(0xca273eceea26619c),U64(0xd186b8c721c0c207),
+        U64(0xeada7dd6cde0eb1e),U64(0xf57d4f7fee6ed178),
+        U64(0x06f067aa72176fba),U64(0x0a637dc5a2c898a6),
+        U64(0x113f9804bef90dae),U64(0x1b710b35131c471b),
+        U64(0x28db77f523047d84),U64(0x32caab7b40c72493),
+        U64(0x3c9ebe0a15c9bebc),U64(0x431d67c49c100d4c),
+        U64(0x4cc5d4becb3e42b6),U64(0x597f299cfc657e2a),
+        U64(0x5fcb6fab3ad6faec),U64(0x6c44198c4a475817) };
+
+#ifndef PEDANTIC
+# if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
+#  if defined(__x86_64) || defined(__x86_64__)
+#   define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x)));	\
+				asm ("bswapq	%0"		\
+				: "=r"(ret)			\
+				: "0"(ret)); ret;		})
+#  endif
+# endif
+#endif
+
+#ifndef PULL64
+#define B(x,j)    (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8))
+#define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7))
+#endif
+
+#ifndef PEDANTIC
+# if defined(_MSC_VER)
+#  if defined(_WIN64)	/* applies to both IA-64 and AMD64 */
+#   define ROTR(a,n)	_rotr64((a),n)
+#  endif
+# elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
+#  if defined(__x86_64) || defined(__x86_64__)
+#   define ROTR(a,n)	({ unsigned long ret;		\
+				asm ("rorq %1,%0"	\
+				: "=r"(ret)		\
+				: "J"(n),"0"(a)		\
+				: "cc"); ret;		})
+#  elif defined(_ARCH_PPC) && defined(__64BIT__)
+#   define ROTR(a,n)	({ unsigned long ret;		\
+				asm ("rotrdi %0,%1,%2"	\
+				: "=r"(ret)		\
+				: "r"(a),"K"(n)); ret;	})
+#  endif
+# endif
+#endif
+
+#ifndef ROTR
+#define ROTR(x,s)	(((x)>>s) | (x)<<(64-s))
+#endif
+
+#define Sigma0(x)	(ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
+#define Sigma1(x)	(ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
+#define sigma0(x)	(ROTR((x),1)  ^ ROTR((x),8)  ^ ((x)>>7))
+#define sigma1(x)	(ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
+
+#define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
+#define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+
+#if defined(OPENSSL_IA32_SSE2) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
+#define	GO_FOR_SSE2(ctx,in,num)		do {		\
+	void	sha512_block_sse2(void *,const void *,size_t);	\
+	if (!(OPENSSL_ia32cap_P & (1<<26))) break;	\
+	sha512_block_sse2(ctx->h,in,num); return;	\
+					} while (0)
+#endif
+
+#ifdef OPENSSL_SMALL_FOOTPRINT
+
+static void sha512_block (SHA512_CTX *ctx, const void *in, size_t num)
+	{
+	const SHA_LONG64 *W=in;
+	SHA_LONG64	a,b,c,d,e,f,g,h,s0,s1,T1,T2;
+	SHA_LONG64	X[16];
+	int i;
+
+#ifdef GO_FOR_SSE2
+	GO_FOR_SSE2(ctx,in,num);
+#endif
+
+			while (num--) {
+
+	a = ctx->h[0];	b = ctx->h[1];	c = ctx->h[2];	d = ctx->h[3];
+	e = ctx->h[4];	f = ctx->h[5];	g = ctx->h[6];	h = ctx->h[7];
+
+	for (i=0;i<16;i++)
+		{
+#ifdef B_ENDIAN
+		T1 = X[i] = W[i];
+#else
+		T1 = X[i] = PULL64(W[i]);
+#endif
+		T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
+		T2 = Sigma0(a) + Maj(a,b,c);
+		h = g;	g = f;	f = e;	e = d + T1;
+		d = c;	c = b;	b = a;	a = T1 + T2;
+		}
+
+	for (;i<80;i++)
+		{
+		s0 = X[(i+1)&0x0f];	s0 = sigma0(s0);
+		s1 = X[(i+14)&0x0f];	s1 = sigma1(s1);
+
+		T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf];
+		T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
+		T2 = Sigma0(a) + Maj(a,b,c);
+		h = g;	g = f;	f = e;	e = d + T1;
+		d = c;	c = b;	b = a;	a = T1 + T2;
+		}
+
+	ctx->h[0] += a;	ctx->h[1] += b;	ctx->h[2] += c;	ctx->h[3] += d;
+	ctx->h[4] += e;	ctx->h[5] += f;	ctx->h[6] += g;	ctx->h[7] += h;
+
+			W+=SHA_LBLOCK;
+			}
+	}
+
+#else
+
+#define	ROUND_00_15(i,a,b,c,d,e,f,g,h)		do {	\
+	T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];	\
+	h = Sigma0(a) + Maj(a,b,c);			\
+	d += T1;	h += T1;		} while (0)
+
+#define	ROUND_16_80(i,a,b,c,d,e,f,g,h,X)	do {	\
+	s0 = X[(i+1)&0x0f];	s0 = sigma0(s0);	\
+	s1 = X[(i+14)&0x0f];	s1 = sigma1(s1);	\
+	T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];	\
+	ROUND_00_15(i,a,b,c,d,e,f,g,h);		} while (0)
+
+static void sha512_block (SHA512_CTX *ctx, const void *in, size_t num)
+	{
+	const SHA_LONG64 *W=in;
+	SHA_LONG64	a,b,c,d,e,f,g,h,s0,s1,T1;
+	SHA_LONG64	X[16];
+	int i;
+
+#ifdef GO_FOR_SSE2
+	GO_FOR_SSE2(ctx,in,num);
+#endif
+
+			while (num--) {
+
+	a = ctx->h[0];	b = ctx->h[1];	c = ctx->h[2];	d = ctx->h[3];
+	e = ctx->h[4];	f = ctx->h[5];	g = ctx->h[6];	h = ctx->h[7];
+
+#ifdef B_ENDIAN
+	T1 = X[0] = W[0];	ROUND_00_15(0,a,b,c,d,e,f,g,h);
+	T1 = X[1] = W[1];	ROUND_00_15(1,h,a,b,c,d,e,f,g);
+	T1 = X[2] = W[2];	ROUND_00_15(2,g,h,a,b,c,d,e,f);
+	T1 = X[3] = W[3];	ROUND_00_15(3,f,g,h,a,b,c,d,e);
+	T1 = X[4] = W[4];	ROUND_00_15(4,e,f,g,h,a,b,c,d);
+	T1 = X[5] = W[5];	ROUND_00_15(5,d,e,f,g,h,a,b,c);
+	T1 = X[6] = W[6];	ROUND_00_15(6,c,d,e,f,g,h,a,b);
+	T1 = X[7] = W[7];	ROUND_00_15(7,b,c,d,e,f,g,h,a);
+	T1 = X[8] = W[8];	ROUND_00_15(8,a,b,c,d,e,f,g,h);
+	T1 = X[9] = W[9];	ROUND_00_15(9,h,a,b,c,d,e,f,g);
+	T1 = X[10] = W[10];	ROUND_00_15(10,g,h,a,b,c,d,e,f);
+	T1 = X[11] = W[11];	ROUND_00_15(11,f,g,h,a,b,c,d,e);
+	T1 = X[12] = W[12];	ROUND_00_15(12,e,f,g,h,a,b,c,d);
+	T1 = X[13] = W[13];	ROUND_00_15(13,d,e,f,g,h,a,b,c);
+	T1 = X[14] = W[14];	ROUND_00_15(14,c,d,e,f,g,h,a,b);
+	T1 = X[15] = W[15];	ROUND_00_15(15,b,c,d,e,f,g,h,a);
+#else
+	T1 = X[0]  = PULL64(W[0]);	ROUND_00_15(0,a,b,c,d,e,f,g,h);
+	T1 = X[1]  = PULL64(W[1]);	ROUND_00_15(1,h,a,b,c,d,e,f,g);
+	T1 = X[2]  = PULL64(W[2]);	ROUND_00_15(2,g,h,a,b,c,d,e,f);
+	T1 = X[3]  = PULL64(W[3]);	ROUND_00_15(3,f,g,h,a,b,c,d,e);
+	T1 = X[4]  = PULL64(W[4]);	ROUND_00_15(4,e,f,g,h,a,b,c,d);
+	T1 = X[5]  = PULL64(W[5]);	ROUND_00_15(5,d,e,f,g,h,a,b,c);
+	T1 = X[6]  = PULL64(W[6]);	ROUND_00_15(6,c,d,e,f,g,h,a,b);
+	T1 = X[7]  = PULL64(W[7]);	ROUND_00_15(7,b,c,d,e,f,g,h,a);
+	T1 = X[8]  = PULL64(W[8]);	ROUND_00_15(8,a,b,c,d,e,f,g,h);
+	T1 = X[9]  = PULL64(W[9]);	ROUND_00_15(9,h,a,b,c,d,e,f,g);
+	T1 = X[10] = PULL64(W[10]);	ROUND_00_15(10,g,h,a,b,c,d,e,f);
+	T1 = X[11] = PULL64(W[11]);	ROUND_00_15(11,f,g,h,a,b,c,d,e);
+	T1 = X[12] = PULL64(W[12]);	ROUND_00_15(12,e,f,g,h,a,b,c,d);
+	T1 = X[13] = PULL64(W[13]);	ROUND_00_15(13,d,e,f,g,h,a,b,c);
+	T1 = X[14] = PULL64(W[14]);	ROUND_00_15(14,c,d,e,f,g,h,a,b);
+	T1 = X[15] = PULL64(W[15]);	ROUND_00_15(15,b,c,d,e,f,g,h,a);
+#endif
+
+	for (i=16;i<80;i+=8)
+		{
+		ROUND_16_80(i+0,a,b,c,d,e,f,g,h,X);
+		ROUND_16_80(i+1,h,a,b,c,d,e,f,g,X);
+		ROUND_16_80(i+2,g,h,a,b,c,d,e,f,X);
+		ROUND_16_80(i+3,f,g,h,a,b,c,d,e,X);
+		ROUND_16_80(i+4,e,f,g,h,a,b,c,d,X);
+		ROUND_16_80(i+5,d,e,f,g,h,a,b,c,X);
+		ROUND_16_80(i+6,c,d,e,f,g,h,a,b,X);
+		ROUND_16_80(i+7,b,c,d,e,f,g,h,a,X);
+		}
+
+	ctx->h[0] += a;	ctx->h[1] += b;	ctx->h[2] += c;	ctx->h[3] += d;
+	ctx->h[4] += e;	ctx->h[5] += f;	ctx->h[6] += g;	ctx->h[7] += h;
+
+			W+=SHA_LBLOCK;
+			}
+	}
+
+#endif
+
+#endif /* SHA512_ASM */
+
+#endif /* OPENSSL_NO_SHA512 */
diff --git a/crypto/openssl/crypto/sha/sha512t.c b/crypto/openssl/crypto/sha/sha512t.c
new file mode 100644
index 000000000000..210041d435c6
--- /dev/null
+++ b/crypto/openssl/crypto/sha/sha512t.c
@@ -0,0 +1,184 @@
+/* crypto/sha/sha512t.c */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ * ====================================================================
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+#include <openssl/crypto.h>
+
+#if defined(OPENSSL_NO_SHA) || defined(OPENSSL_NO_SHA512)
+int main(int argc, char *argv[])
+{
+    printf("No SHA512 support\n");
+    return(0);
+}
+#else
+
+unsigned char app_c1[SHA512_DIGEST_LENGTH] = {
+	0xdd,0xaf,0x35,0xa1,0x93,0x61,0x7a,0xba,
+	0xcc,0x41,0x73,0x49,0xae,0x20,0x41,0x31,
+	0x12,0xe6,0xfa,0x4e,0x89,0xa9,0x7e,0xa2,
+	0x0a,0x9e,0xee,0xe6,0x4b,0x55,0xd3,0x9a,
+	0x21,0x92,0x99,0x2a,0x27,0x4f,0xc1,0xa8,
+	0x36,0xba,0x3c,0x23,0xa3,0xfe,0xeb,0xbd,
+	0x45,0x4d,0x44,0x23,0x64,0x3c,0xe8,0x0e,
+	0x2a,0x9a,0xc9,0x4f,0xa5,0x4c,0xa4,0x9f };
+
+unsigned char app_c2[SHA512_DIGEST_LENGTH] = {
+	0x8e,0x95,0x9b,0x75,0xda,0xe3,0x13,0xda,
+	0x8c,0xf4,0xf7,0x28,0x14,0xfc,0x14,0x3f,
+	0x8f,0x77,0x79,0xc6,0xeb,0x9f,0x7f,0xa1,
+	0x72,0x99,0xae,0xad,0xb6,0x88,0x90,0x18,
+	0x50,0x1d,0x28,0x9e,0x49,0x00,0xf7,0xe4,
+	0x33,0x1b,0x99,0xde,0xc4,0xb5,0x43,0x3a,
+	0xc7,0xd3,0x29,0xee,0xb6,0xdd,0x26,0x54,
+	0x5e,0x96,0xe5,0x5b,0x87,0x4b,0xe9,0x09 };
+
+unsigned char app_c3[SHA512_DIGEST_LENGTH] = {
+	0xe7,0x18,0x48,0x3d,0x0c,0xe7,0x69,0x64,
+	0x4e,0x2e,0x42,0xc7,0xbc,0x15,0xb4,0x63,
+	0x8e,0x1f,0x98,0xb1,0x3b,0x20,0x44,0x28,
+	0x56,0x32,0xa8,0x03,0xaf,0xa9,0x73,0xeb,
+	0xde,0x0f,0xf2,0x44,0x87,0x7e,0xa6,0x0a,
+	0x4c,0xb0,0x43,0x2c,0xe5,0x77,0xc3,0x1b,
+	0xeb,0x00,0x9c,0x5c,0x2c,0x49,0xaa,0x2e,
+	0x4e,0xad,0xb2,0x17,0xad,0x8c,0xc0,0x9b };
+
+unsigned char app_d1[SHA384_DIGEST_LENGTH] = {
+	0xcb,0x00,0x75,0x3f,0x45,0xa3,0x5e,0x8b,
+	0xb5,0xa0,0x3d,0x69,0x9a,0xc6,0x50,0x07,
+	0x27,0x2c,0x32,0xab,0x0e,0xde,0xd1,0x63,
+	0x1a,0x8b,0x60,0x5a,0x43,0xff,0x5b,0xed,
+	0x80,0x86,0x07,0x2b,0xa1,0xe7,0xcc,0x23,
+	0x58,0xba,0xec,0xa1,0x34,0xc8,0x25,0xa7 };
+
+unsigned char app_d2[SHA384_DIGEST_LENGTH] = {
+	0x09,0x33,0x0c,0x33,0xf7,0x11,0x47,0xe8,
+	0x3d,0x19,0x2f,0xc7,0x82,0xcd,0x1b,0x47,
+	0x53,0x11,0x1b,0x17,0x3b,0x3b,0x05,0xd2,
+	0x2f,0xa0,0x80,0x86,0xe3,0xb0,0xf7,0x12,
+	0xfc,0xc7,0xc7,0x1a,0x55,0x7e,0x2d,0xb9,
+	0x66,0xc3,0xe9,0xfa,0x91,0x74,0x60,0x39 };
+
+unsigned char app_d3[SHA384_DIGEST_LENGTH] = {
+	0x9d,0x0e,0x18,0x09,0x71,0x64,0x74,0xcb,
+	0x08,0x6e,0x83,0x4e,0x31,0x0a,0x4a,0x1c,
+	0xed,0x14,0x9e,0x9c,0x00,0xf2,0x48,0x52,
+	0x79,0x72,0xce,0xc5,0x70,0x4c,0x2a,0x5b,
+	0x07,0xb8,0xb3,0xdc,0x38,0xec,0xc4,0xeb,
+	0xae,0x97,0xdd,0xd8,0x7f,0x3d,0x89,0x85 };
+
+int main (int argc,char **argv)
+{ unsigned char md[SHA512_DIGEST_LENGTH];
+  int		i;
+  EVP_MD_CTX	evp;
+
+#ifdef OPENSSL_IA32_SSE2
+    /* Alternative to this is to call OpenSSL_add_all_algorithms...
+     * The below code is retained exclusively for debugging purposes. */
+    { char      *env;
+
+	if ((env=getenv("OPENSSL_ia32cap")))
+	    OPENSSL_ia32cap = strtoul (env,NULL,0);
+    }
+#endif
+
+    fprintf(stdout,"Testing SHA-512 ");
+
+    EVP_Digest ("abc",3,md,NULL,EVP_sha512(),NULL);
+    if (memcmp(md,app_c1,sizeof(app_c1)))
+    {	fflush(stdout);
+	fprintf(stderr,"\nTEST 1 of 3 failed.\n");
+	return 1;
+    }
+    else
+	fprintf(stdout,"."); fflush(stdout);
+
+    EVP_Digest ("abcdefgh""bcdefghi""cdefghij""defghijk"
+		"efghijkl""fghijklm""ghijklmn""hijklmno"
+		"ijklmnop""jklmnopq""klmnopqr""lmnopqrs"
+		"mnopqrst""nopqrstu",112,md,NULL,EVP_sha512(),NULL);
+    if (memcmp(md,app_c2,sizeof(app_c2)))
+    {	fflush(stdout);
+	fprintf(stderr,"\nTEST 2 of 3 failed.\n");
+	return 1;
+    }
+    else
+	fprintf(stdout,"."); fflush(stdout);
+
+    EVP_MD_CTX_init (&evp);
+    EVP_DigestInit_ex (&evp,EVP_sha512(),NULL);
+    for (i=0;i<1000000;i+=288)
+	EVP_DigestUpdate (&evp,	"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa",
+				(1000000-i)<288?1000000-i:288);
+    EVP_DigestFinal_ex (&evp,md,NULL);
+    EVP_MD_CTX_cleanup (&evp);
+
+    if (memcmp(md,app_c3,sizeof(app_c3)))
+    {	fflush(stdout);
+	fprintf(stderr,"\nTEST 3 of 3 failed.\n");
+	return 1;
+    }
+    else
+	fprintf(stdout,"."); fflush(stdout);
+
+    fprintf(stdout," passed.\n"); fflush(stdout);
+
+    fprintf(stdout,"Testing SHA-384 ");
+
+    EVP_Digest ("abc",3,md,NULL,EVP_sha384(),NULL);
+    if (memcmp(md,app_d1,sizeof(app_d1)))
+    {	fflush(stdout);
+	fprintf(stderr,"\nTEST 1 of 3 failed.\n");
+	return 1;
+    }
+    else
+	fprintf(stdout,"."); fflush(stdout);
+
+    EVP_Digest ("abcdefgh""bcdefghi""cdefghij""defghijk"
+		"efghijkl""fghijklm""ghijklmn""hijklmno"
+		"ijklmnop""jklmnopq""klmnopqr""lmnopqrs"
+		"mnopqrst""nopqrstu",112,md,NULL,EVP_sha384(),NULL);
+    if (memcmp(md,app_d2,sizeof(app_d2)))
+    {	fflush(stdout);
+	fprintf(stderr,"\nTEST 2 of 3 failed.\n");
+	return 1;
+    }
+    else
+	fprintf(stdout,"."); fflush(stdout);
+
+    EVP_MD_CTX_init (&evp);
+    EVP_DigestInit_ex (&evp,EVP_sha384(),NULL);
+    for (i=0;i<1000000;i+=64)
+	EVP_DigestUpdate (&evp,	"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa"
+				"aaaaaaaa""aaaaaaaa""aaaaaaaa""aaaaaaaa",
+				(1000000-i)<64?1000000-i:64);
+    EVP_DigestFinal_ex (&evp,md,NULL);
+    EVP_MD_CTX_cleanup (&evp);
+
+    if (memcmp(md,app_d3,sizeof(app_d3)))
+    {	fflush(stdout);
+	fprintf(stderr,"\nTEST 3 of 3 failed.\n");
+	return 1;
+    }
+    else
+	fprintf(stdout,"."); fflush(stdout);
+
+    fprintf(stdout," passed.\n"); fflush(stdout);
+
+  return 0;
+}
+#endif
diff --git a/crypto/openssl/crypto/sha/sha_dgst.c b/crypto/openssl/crypto/sha/sha_dgst.c
index 5a4b3ab20459..60465d0c3e93 100644
--- a/crypto/openssl/crypto/sha/sha_dgst.c
+++ b/crypto/openssl/crypto/sha/sha_dgst.c
@@ -56,6 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
+#include <openssl/opensslconf.h>
 #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
 
 #undef  SHA_1
diff --git a/crypto/openssl/crypto/sha/sha_locl.h b/crypto/openssl/crypto/sha/sha_locl.h
index 2dd63a62a646..6281313a4556 100644
--- a/crypto/openssl/crypto/sha/sha_locl.h
+++ b/crypto/openssl/crypto/sha/sha_locl.h
@@ -92,8 +92,8 @@
 # define HASH_BLOCK_DATA_ORDER   	sha_block_data_order
 # define Xupdate(a,ix,ia,ib,ic,id)	(ix=(a)=(ia^ib^ic^id))
 
-  void sha_block_host_order (SHA_CTX *c, const void *p,int num);
-  void sha_block_data_order (SHA_CTX *c, const void *p,int num);
+  void sha_block_host_order (SHA_CTX *c, const void *p,size_t num);
+  void sha_block_data_order (SHA_CTX *c, const void *p,size_t num);
 
 #elif defined(SHA_1)
 
@@ -116,15 +116,22 @@
 
 # ifdef SHA1_ASM
 #  if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
+#   if !defined(B_ENDIAN)
+#    define sha1_block_host_order		sha1_block_asm_host_order
+#    define DONT_IMPLEMENT_BLOCK_HOST_ORDER
+#    define sha1_block_data_order		sha1_block_asm_data_order
+#    define DONT_IMPLEMENT_BLOCK_DATA_ORDER
+#    define HASH_BLOCK_DATA_ORDER_ALIGNED	sha1_block_asm_data_order
+#   endif
+#  elif defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
 #   define sha1_block_host_order		sha1_block_asm_host_order
 #   define DONT_IMPLEMENT_BLOCK_HOST_ORDER
 #   define sha1_block_data_order		sha1_block_asm_data_order
 #   define DONT_IMPLEMENT_BLOCK_DATA_ORDER
-#   define HASH_BLOCK_DATA_ORDER_ALIGNED	sha1_block_asm_data_order
 #  endif
 # endif
-  void sha1_block_host_order (SHA_CTX *c, const void *p,int num);
-  void sha1_block_data_order (SHA_CTX *c, const void *p,int num);
+  void sha1_block_host_order (SHA_CTX *c, const void *p,size_t num);
+  void sha1_block_data_order (SHA_CTX *c, const void *p,size_t num);
 
 #else
 # error "Either SHA_0 or SHA_1 must be defined."
@@ -168,6 +175,8 @@ int HASH_INIT (SHA_CTX *c)
 #define F_40_59(b,c,d)	(((b) & (c)) | (((b)|(c)) & (d))) 
 #define	F_60_79(b,c,d)	F_20_39(b,c,d)
 
+#ifndef OPENSSL_SMALL_FOOTPRINT
+
 #define BODY_00_15(i,a,b,c,d,e,f,xi) \
 	(f)=xi+(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
 	(b)=ROTATE((b),30);
@@ -221,7 +230,7 @@ int HASH_INIT (SHA_CTX *c)
 #endif
 
 #ifndef DONT_IMPLEMENT_BLOCK_HOST_ORDER
-void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, int num)
+void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, size_t num)
 	{
 	const SHA_LONG *W=d;
 	register unsigned MD32_REG_T A,B,C,D,E,T;
@@ -332,7 +341,7 @@ void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, int num)
 	c->h3=(c->h3+B)&0xffffffffL;
 	c->h4=(c->h4+C)&0xffffffffL;
 
-	if (--num <= 0) break;
+	if (--num == 0) break;
 
 	A=c->h0;
 	B=c->h1;
@@ -346,7 +355,7 @@ void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, int num)
 #endif
 
 #ifndef DONT_IMPLEMENT_BLOCK_DATA_ORDER
-void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, int num)
+void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, size_t num)
 	{
 	const unsigned char *data=p;
 	register unsigned MD32_REG_T A,B,C,D,E,T,l;
@@ -459,7 +468,7 @@ void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, int num)
 	c->h3=(c->h3+B)&0xffffffffL;
 	c->h4=(c->h4+C)&0xffffffffL;
 
-	if (--num <= 0) break;
+	if (--num == 0) break;
 
 	A=c->h0;
 	B=c->h1;
@@ -470,3 +479,127 @@ void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, int num)
 		}
 	}
 #endif
+
+#else	/* OPENSSL_SMALL_FOOTPRINT */
+
+#define BODY_00_15(xi)		 do {	\
+	T=E+K_00_19+F_00_19(B,C,D);	\
+	E=D, D=C, C=ROTATE(B,30), B=A;	\
+	A=ROTATE(A,5)+T+xi;	    } while(0)
+
+#define BODY_16_19(xa,xb,xc,xd)	 do {	\
+	Xupdate(T,xa,xa,xb,xc,xd);	\
+	T+=E+K_00_19+F_00_19(B,C,D);	\
+	E=D, D=C, C=ROTATE(B,30), B=A;	\
+	A=ROTATE(A,5)+T;	    } while(0)
+
+#define BODY_20_39(xa,xb,xc,xd)	 do {	\
+	Xupdate(T,xa,xa,xb,xc,xd);	\
+	T+=E+K_20_39+F_20_39(B,C,D);	\
+	E=D, D=C, C=ROTATE(B,30), B=A;	\
+	A=ROTATE(A,5)+T;	    } while(0)
+
+#define BODY_40_59(xa,xb,xc,xd)	 do {	\
+	Xupdate(T,xa,xa,xb,xc,xd);	\
+	T+=E+K_40_59+F_40_59(B,C,D);	\
+	E=D, D=C, C=ROTATE(B,30), B=A;	\
+	A=ROTATE(A,5)+T;	    } while(0)
+
+#define BODY_60_79(xa,xb,xc,xd)	 do {	\
+	Xupdate(T,xa,xa,xb,xc,xd);	\
+	T=E+K_60_79+F_60_79(B,C,D);	\
+	E=D, D=C, C=ROTATE(B,30), B=A;	\
+	A=ROTATE(A,5)+T+xa;	    } while(0)
+
+#ifndef DONT_IMPLEMENT_BLOCK_HOST_ORDER
+void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, size_t num)
+	{
+	const SHA_LONG *W=d;
+	register unsigned MD32_REG_T A,B,C,D,E,T;
+	int i;
+	SHA_LONG	X[16];
+
+	A=c->h0;
+	B=c->h1;
+	C=c->h2;
+	D=c->h3;
+	E=c->h4;
+
+	for (;;)
+		{
+	for (i=0;i<16;i++)
+	{ X[i]=W[i]; BODY_00_15(X[i]); }
+	for (i=0;i<4;i++)
+	{ BODY_16_19(X[i],       X[i+2],      X[i+8],     X[(i+13)&15]); }
+	for (;i<24;i++)
+	{ BODY_20_39(X[i&15],    X[(i+2)&15], X[(i+8)&15],X[(i+13)&15]); }
+	for (i=0;i<20;i++)
+	{ BODY_40_59(X[(i+8)&15],X[(i+10)&15],X[i&15],    X[(i+5)&15]);  }
+	for (i=4;i<24;i++)
+	{ BODY_60_79(X[(i+8)&15],X[(i+10)&15],X[i&15],    X[(i+5)&15]);  }
+	
+	c->h0=(c->h0+A)&0xffffffffL; 
+	c->h1=(c->h1+B)&0xffffffffL;
+	c->h2=(c->h2+C)&0xffffffffL;
+	c->h3=(c->h3+D)&0xffffffffL;
+	c->h4=(c->h4+E)&0xffffffffL;
+
+	if (--num == 0) break;
+
+	A=c->h0;
+	B=c->h1;
+	C=c->h2;
+	D=c->h3;
+	E=c->h4;
+
+	W+=SHA_LBLOCK;
+		}
+	}
+#endif
+
+#ifndef DONT_IMPLEMENT_BLOCK_DATA_ORDER
+void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, size_t num)
+	{
+	const unsigned char *data=p;
+	register unsigned MD32_REG_T A,B,C,D,E,T,l;
+	int i;
+	SHA_LONG	X[16];
+
+	A=c->h0;
+	B=c->h1;
+	C=c->h2;
+	D=c->h3;
+	E=c->h4;
+
+	for (;;)
+		{
+	for (i=0;i<16;i++)
+	{ HOST_c2l(data,l); X[i]=l; BODY_00_15(X[i]); }
+	for (i=0;i<4;i++)
+	{ BODY_16_19(X[i],       X[i+2],      X[i+8],     X[(i+13)&15]); }
+	for (;i<24;i++)
+	{ BODY_20_39(X[i&15],    X[(i+2)&15], X[(i+8)&15],X[(i+13)&15]); }
+	for (i=0;i<20;i++)
+	{ BODY_40_59(X[(i+8)&15],X[(i+10)&15],X[i&15],    X[(i+5)&15]);  }
+	for (i=4;i<24;i++)
+	{ BODY_60_79(X[(i+8)&15],X[(i+10)&15],X[i&15],    X[(i+5)&15]);  }
+
+	c->h0=(c->h0+A)&0xffffffffL; 
+	c->h1=(c->h1+B)&0xffffffffL;
+	c->h2=(c->h2+C)&0xffffffffL;
+	c->h3=(c->h3+D)&0xffffffffL;
+	c->h4=(c->h4+E)&0xffffffffL;
+
+	if (--num == 0) break;
+
+	A=c->h0;
+	B=c->h1;
+	C=c->h2;
+	D=c->h3;
+	E=c->h4;
+
+		}
+	}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/sha/sha_one.c b/crypto/openssl/crypto/sha/sha_one.c
index e61c63f3e99d..3bae623ce882 100644
--- a/crypto/openssl/crypto/sha/sha_one.c
+++ b/crypto/openssl/crypto/sha/sha_one.c
@@ -62,13 +62,14 @@
 #include <openssl/crypto.h>
 
 #ifndef OPENSSL_NO_SHA0
-unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
+unsigned char *SHA(const unsigned char *d, size_t n, unsigned char *md)
 	{
 	SHA_CTX c;
 	static unsigned char m[SHA_DIGEST_LENGTH];
 
 	if (md == NULL) md=m;
-	SHA_Init(&c);
+	if (!SHA_Init(&c))
+		return NULL;
 	SHA_Update(&c,d,n);
 	SHA_Final(md,&c);
 	OPENSSL_cleanse(&c,sizeof(c));
diff --git a/crypto/openssl/crypto/sha/shatest.c b/crypto/openssl/crypto/sha/shatest.c
index 5d2b1d3b1aed..bfb11f0a5f2c 100644
--- a/crypto/openssl/crypto/sha/shatest.c
+++ b/crypto/openssl/crypto/sha/shatest.c
@@ -62,10 +62,10 @@
 
 #include "../e_os.h"
 
-#ifdef OPENSSL_NO_SHA
+#if defined(OPENSSL_NO_SHA) || defined(OPENSSL_NO_SHA0)
 int main(int argc, char *argv[])
 {
-    printf("No SHA support\n");
+    printf("No SHA0 support\n");
     return(0);
 }
 #else
@@ -123,7 +123,7 @@ int main(int argc, char *argv[])
 	i=1;
 	while (*P != NULL)
 		{
-		EVP_Digest(*P,(unsigned long)strlen((char *)*P),md,NULL,EVP_sha(), NULL);
+		EVP_Digest(*P,strlen((char *)*P),md,NULL,EVP_sha(), NULL);
 		p=pt(md);
 		if (strcmp(p,(char *)*R) != 0)
 			{
@@ -157,6 +157,10 @@ int main(int argc, char *argv[])
 		}
 	else
 		printf("test 3 ok\n");
+
+#ifdef OPENSSL_SYS_NETWARE
+    if (err) printf("ERROR: %d\n", err);
+#endif
 	EVP_MD_CTX_cleanup(&c);
 	EXIT(err);
 	return(0);
diff --git a/crypto/openssl/crypto/sparccpuid.S b/crypto/openssl/crypto/sparccpuid.S
new file mode 100644
index 000000000000..c17350fc89e0
--- /dev/null
+++ b/crypto/openssl/crypto/sparccpuid.S
@@ -0,0 +1,239 @@
+#if defined(__SUNPRO_C) && defined(__sparcv9)
+# define ABI64  /* They've said -xarch=v9 at command line */
+#elif defined(__GNUC__) && defined(__arch64__)
+# define ABI64  /* They've said -m64 at command line */
+#endif
+
+#ifdef ABI64
+  .register	%g2,#scratch
+  .register	%g3,#scratch
+# define	FRAME	-192
+# define	BIAS	2047
+#else
+# define	FRAME	-96
+# define	BIAS	0
+#endif
+
+.text
+.align	32
+.global	OPENSSL_wipe_cpu
+.type	OPENSSL_wipe_cpu,#function
+! Keep in mind that this does not excuse us from wiping the stack!
+! This routine wipes registers, but not the backing store [which
+! resides on the stack, toward lower addresses]. To facilitate for
+! stack wiping I return pointer to the top of stack of the *caller*.
+OPENSSL_wipe_cpu:
+	save	%sp,FRAME,%sp
+	nop
+#ifdef __sun
+#include <sys/trap.h>
+	ta	ST_CLEAN_WINDOWS
+#else
+	call	.walk.reg.wins
+#endif
+	nop
+	call	.PIC.zero.up
+	mov	.zero-(.-4),%o0
+	ldd	[%o0],%f0
+
+	subcc	%g0,1,%o0
+	! Following is V9 "rd %ccr,%o0" instruction. However! V8
+	! specification says that it ("rd %asr2,%o0" in V8 terms) does
+	! not cause illegal_instruction trap. It therefore can be used
+	! to determine if the CPU the code is executing on is V8- or
+	! V9-compliant, as V9 returns a distinct value of 0x99,
+	! "negative" and "borrow" bits set in both %icc and %xcc.
+	.word	0x91408000	!rd	%ccr,%o0
+	cmp	%o0,0x99
+	bne	.v8
+	nop
+			! Even though we do not use %fp register bank,
+			! we wipe it as memcpy might have used it...
+			.word	0xbfa00040	!fmovd	%f0,%f62
+			.word	0xbba00040	!...
+			.word	0xb7a00040
+			.word	0xb3a00040
+			.word	0xafa00040
+			.word	0xaba00040
+			.word	0xa7a00040
+			.word	0xa3a00040
+			.word	0x9fa00040
+			.word	0x9ba00040
+			.word	0x97a00040
+			.word	0x93a00040
+			.word	0x8fa00040
+			.word	0x8ba00040
+			.word	0x87a00040
+			.word	0x83a00040	!fmovd	%f0,%f32
+.v8:			fmovs	%f1,%f31
+	clr	%o0
+			fmovs	%f0,%f30
+	clr	%o1
+			fmovs	%f1,%f29
+	clr	%o2
+			fmovs	%f0,%f28
+	clr	%o3
+			fmovs	%f1,%f27
+	clr	%o4
+			fmovs	%f0,%f26
+	clr	%o5
+			fmovs	%f1,%f25
+	clr	%o7
+			fmovs	%f0,%f24
+	clr	%l0
+			fmovs	%f1,%f23
+	clr	%l1
+			fmovs	%f0,%f22
+	clr	%l2
+			fmovs	%f1,%f21
+	clr	%l3
+			fmovs	%f0,%f20
+	clr	%l4
+			fmovs	%f1,%f19
+	clr	%l5
+			fmovs	%f0,%f18
+	clr	%l6
+			fmovs	%f1,%f17
+	clr	%l7
+			fmovs	%f0,%f16
+	clr	%i0
+			fmovs	%f1,%f15
+	clr	%i1
+			fmovs	%f0,%f14
+	clr	%i2
+			fmovs	%f1,%f13
+	clr	%i3
+			fmovs	%f0,%f12
+	clr	%i4
+			fmovs	%f1,%f11
+	clr	%i5
+			fmovs	%f0,%f10
+	clr	%g1
+			fmovs	%f1,%f9
+	clr	%g2
+			fmovs	%f0,%f8
+	clr	%g3
+			fmovs	%f1,%f7
+	clr	%g4
+			fmovs	%f0,%f6
+	clr	%g5
+			fmovs	%f1,%f5
+			fmovs	%f0,%f4
+			fmovs	%f1,%f3
+			fmovs	%f0,%f2
+
+	add	%fp,BIAS,%i0	! return pointer to caller´s top of stack
+
+	ret
+	restore
+
+.zero:	.long	0x0,0x0
+.PIC.zero.up:
+	retl
+	add	%o0,%o7,%o0
+#ifdef DEBUG
+.global	walk_reg_wins
+.type	walk_reg_wins,#function
+walk_reg_wins:
+#endif
+.walk.reg.wins:
+	save	%sp,FRAME,%sp
+	cmp	%i7,%o7
+	be	2f
+	clr	%o0
+	cmp	%o7,0	! compiler never cleans %o7...
+	be	1f	! could have been a leaf function...
+	clr	%o1
+	call	.walk.reg.wins
+	nop
+1:	clr	%o2
+	clr	%o3
+	clr	%o4
+	clr	%o5
+	clr	%o7
+	clr	%l0
+	clr	%l1
+	clr	%l2
+	clr	%l3
+	clr	%l4
+	clr	%l5
+	clr	%l6
+	clr	%l7
+	add	%o0,1,%i0	! used for debugging
+2:	ret
+	restore
+.size	OPENSSL_wipe_cpu,.-OPENSSL_wipe_cpu
+
+.global	OPENSSL_atomic_add
+.type	OPENSSL_atomic_add,#function
+OPENSSL_atomic_add:
+#ifndef ABI64
+	subcc	%g0,1,%o2
+	.word	0x95408000	!rd	%ccr,%o2, see comment above
+	cmp	%o2,0x99
+	be	.v9
+	nop
+	save	%sp,FRAME,%sp
+	ba	.enter
+	nop
+#ifdef __sun
+! Note that you don't have to link with libthread to call thr_yield,
+! as libc provides a stub, which is overloaded the moment you link
+! with *either* libpthread or libthread...
+#define	YIELD_CPU	thr_yield
+#else
+! applies at least to Linux and FreeBSD... Feedback expected...
+#define	YIELD_CPU	sched_yield
+#endif
+.spin:	call	YIELD_CPU
+	nop
+.enter:	ld	[%i0],%i2
+	cmp	%i2,-4096
+	be	.spin
+	mov	-1,%i2
+	swap	[%i0],%i2
+	cmp	%i2,-1
+	be	.spin
+	add	%i2,%i1,%i2
+	stbar
+	st	%i2,[%i0]
+	sra	%i2,%g0,%i0
+	ret
+	restore
+.v9:
+#endif
+	ld	[%o0],%o2
+1:	add	%o1,%o2,%o3
+	.word	0xd7e2100a	!cas [%o0],%o2,%o3, compare [%o0] with %o2 and swap %o3
+	cmp	%o2,%o3
+	bne	1b
+	mov	%o3,%o2		! cas is always fetching to dest. register
+	add	%o1,%o2,%o0	! OpenSSL expects the new value
+	retl
+	sra	%o0,%g0,%o0	! we return signed int, remember?
+.size	OPENSSL_atomic_add,.-OPENSSL_atomic_add
+
+.global	OPENSSL_rdtsc
+	subcc	%g0,1,%o0
+	.word	0x91408000	!rd	%ccr,%o0
+	cmp	%o0,0x99
+	bne	.notsc
+	xor	%o0,%o0,%o0
+	save	%sp,FRAME-16,%sp
+	mov	513,%o0		!SI_PLATFORM
+	add	%sp,BIAS+16,%o1
+	call	sysinfo
+	mov	256,%o2
+
+	add	%sp,BIAS-16,%o1
+	ld	[%o1],%l0
+	ld	[%o1+4],%l1
+	ld	[%o1+8],%l2
+	mov	%lo('SUNW'),%l3
+	ret
+	restore
+.notsc:
+	retl
+	nop
+.type	OPENSSL_rdtsc,#function
+.size	OPENSSL_rdtsc,.-OPENSSL_atomic_add
diff --git a/crypto/openssl/crypto/stack/Makefile b/crypto/openssl/crypto/stack/Makefile
index 1f258148d42d..5327692ac895 100644
--- a/crypto/openssl/crypto/stack/Makefile
+++ b/crypto/openssl/crypto/stack/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/stack/Makefile
+# OpenSSL/crypto/stack/Makefile
 #
 
 DIR=	stack
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -51,7 +46,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -66,6 +62,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -77,10 +74,11 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-stack.o: ../../e_os.h ../../include/openssl/bio.h
+stack.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 stack.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 stack.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-stack.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-stack.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-stack.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-stack.o: ../cryptlib.h stack.c
+stack.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+stack.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+stack.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+stack.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+stack.o: ../../include/openssl/symhacks.h ../cryptlib.h stack.c
diff --git a/crypto/openssl/crypto/stack/safestack.h b/crypto/openssl/crypto/stack/safestack.h
index bd1121c279eb..e5f5be9f9c11 100644
--- a/crypto/openssl/crypto/stack/safestack.h
+++ b/crypto/openssl/crypto/stack/safestack.h
@@ -57,6 +57,9 @@
 
 #include <openssl/stack.h>
 
+typedef void (*openssl_fptr)(void);
+#define openssl_fcast(f) ((openssl_fptr)f)
+
 #ifdef DEBUG_SAFESTACK
 
 #define STACK_OF(type) struct stack_st_##type
@@ -73,72 +76,73 @@ STACK_OF(type) \
 /* SKM_sk_... stack macros are internal to safestack.h:
  * never use them directly, use sk_<type>_... instead */
 #define SKM_sk_new(type, cmp) \
-	((STACK_OF(type) * (*)(int (*)(const type * const *, const type * const *)))sk_new)(cmp)
+	((STACK_OF(type) * (*)(int (*)(const type * const *, const type * const *)))openssl_fcast(sk_new))(cmp)
 #define SKM_sk_new_null(type) \
-	((STACK_OF(type) * (*)(void))sk_new_null)()
+	((STACK_OF(type) * (*)(void))openssl_fcast(sk_new_null))()
 #define SKM_sk_free(type, st) \
-	((void (*)(STACK_OF(type) *))sk_free)(st)
+	((void (*)(STACK_OF(type) *))openssl_fcast(sk_free))(st)
 #define SKM_sk_num(type, st) \
-	((int (*)(const STACK_OF(type) *))sk_num)(st)
+	((int (*)(const STACK_OF(type) *))openssl_fcast(sk_num))(st)
 #define SKM_sk_value(type, st,i) \
-	((type * (*)(const STACK_OF(type) *, int))sk_value)(st, i)
+	((type * (*)(const STACK_OF(type) *, int))openssl_fcast(sk_value))(st, i)
 #define SKM_sk_set(type, st,i,val) \
-	((type * (*)(STACK_OF(type) *, int, type *))sk_set)(st, i, val)
+	((type * (*)(STACK_OF(type) *, int, type *))openssl_fcast(sk_set))(st, i, val)
 #define SKM_sk_zero(type, st) \
-	((void (*)(STACK_OF(type) *))sk_zero)(st)
+	((void (*)(STACK_OF(type) *))openssl_fcast(sk_zero))(st)
 #define SKM_sk_push(type, st,val) \
-	((int (*)(STACK_OF(type) *, type *))sk_push)(st, val)
+	((int (*)(STACK_OF(type) *, type *))openssl_fcast(sk_push))(st, val)
 #define SKM_sk_unshift(type, st,val) \
-	((int (*)(STACK_OF(type) *, type *))sk_unshift)(st, val)
+	((int (*)(STACK_OF(type) *, type *))openssl_fcast(sk_unshift))(st, val)
 #define SKM_sk_find(type, st,val) \
-	((int (*)(STACK_OF(type) *, type *))sk_find)(st, val)
+	((int (*)(STACK_OF(type) *, type *))openssl_fcast(sk_find))(st, val)
 #define SKM_sk_delete(type, st,i) \
-	((type * (*)(STACK_OF(type) *, int))sk_delete)(st, i)
+	((type * (*)(STACK_OF(type) *, int))openssl_fcast(sk_delete))(st, i)
 #define SKM_sk_delete_ptr(type, st,ptr) \
-	((type * (*)(STACK_OF(type) *, type *))sk_delete_ptr)(st, ptr)
+	((type * (*)(STACK_OF(type) *, type *))openssl_fcast(sk_delete_ptr))(st, ptr)
 #define SKM_sk_insert(type, st,val,i) \
-	((int (*)(STACK_OF(type) *, type *, int))sk_insert)(st, val, i)
+	((int (*)(STACK_OF(type) *, type *, int))openssl_fcast(sk_insert))(st, val, i)
 #define SKM_sk_set_cmp_func(type, st,cmp) \
 	((int (*(*)(STACK_OF(type) *, int (*)(const type * const *, const type * const *))) \
-	  (const type * const *, const type * const *))sk_set_cmp_func)\
+	  (const type * const *, const type * const *))openssl_fcast(sk_set_cmp_func))\
 	(st, cmp)
 #define SKM_sk_dup(type, st) \
-	((STACK_OF(type) *(*)(STACK_OF(type) *))sk_dup)(st)
+	((STACK_OF(type) *(*)(STACK_OF(type) *))openssl_fcast(sk_dup))(st)
 #define SKM_sk_pop_free(type, st,free_func) \
-	((void (*)(STACK_OF(type) *, void (*)(type *)))sk_pop_free)\
+	((void (*)(STACK_OF(type) *, void (*)(type *)))openssl_fcast(sk_pop_free))\
 	(st, free_func)
 #define SKM_sk_shift(type, st) \
-	((type * (*)(STACK_OF(type) *))sk_shift)(st)
+	((type * (*)(STACK_OF(type) *))openssl_fcast(sk_shift))(st)
 #define SKM_sk_pop(type, st) \
-	((type * (*)(STACK_OF(type) *))sk_pop)(st)
+	((type * (*)(STACK_OF(type) *))openssl_fcast(sk_pop))(st)
 #define SKM_sk_sort(type, st) \
-	((void (*)(STACK_OF(type) *))sk_sort)(st)
+	((void (*)(STACK_OF(type) *))openssl_fcast(sk_sort))(st)
 #define SKM_sk_is_sorted(type, st) \
-	((int (*)(const STACK_OF(type) *))sk_is_sorted)(st)
+	((int (*)(const STACK_OF(type) *))openssl_fcast(sk_is_sorted))(st)
 
 #define	SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
-	((STACK_OF(type) * (*) (STACK_OF(type) **,unsigned char **, long , \
-                                       type *(*)(type **, unsigned char **,long), \
-                                       void (*)(type *), int ,int )) d2i_ASN1_SET) \
-						(st,pp,length, d2i_func, free_func, ex_tag,ex_class)
+((STACK_OF(type) * (*) (STACK_OF(type) **,const unsigned char **, long , \
+                         type *(*)(type **, const unsigned char **,long), \
+                                void (*)(type *), int ,int )) openssl_fcast(d2i_ASN1_SET)) \
+			(st,pp,length, d2i_func, free_func, ex_tag,ex_class)
 #define	SKM_ASN1_SET_OF_i2d(type, st, pp, i2d_func, ex_tag, ex_class, is_set) \
 	((int (*)(STACK_OF(type) *,unsigned char **, \
-                           int (*)(type *,unsigned char **), int , int , int)) i2d_ASN1_SET) \
+        int (*)(type *,unsigned char **), int , int , int)) openssl_fcast(i2d_ASN1_SET)) \
 						(st,pp,i2d_func,ex_tag,ex_class,is_set)
 
 #define	SKM_ASN1_seq_pack(type, st, i2d_func, buf, len) \
 	((unsigned char *(*)(STACK_OF(type) *, \
-                                    int (*)(type *,unsigned char **), unsigned char **,int *)) ASN1_seq_pack) \
+        int (*)(type *,unsigned char **), unsigned char **,int *)) openssl_fcast(ASN1_seq_pack)) \
 				(st, i2d_func, buf, len)
 #define	SKM_ASN1_seq_unpack(type, buf, len, d2i_func, free_func) \
-	((STACK_OF(type) * (*)(unsigned char *,int, \
-                                       type *(*)(type **,unsigned char **, long), \
-                                       void (*)(type *)))ASN1_seq_unpack) \
+	((STACK_OF(type) * (*)(const unsigned char *,int, \
+                              type *(*)(type **,const unsigned char **, long), \
+                              void (*)(type *)))openssl_fcast(ASN1_seq_unpack)) \
 					(buf,len,d2i_func, free_func)
 
 #define SKM_PKCS12_decrypt_d2i(type, algor, d2i_func, free_func, pass, passlen, oct, seq) \
 	((STACK_OF(type) * (*)(X509_ALGOR *, \
-                                type *(*)(type **, unsigned char **, long), void (*)(type *), \
+            		type *(*)(type **, const unsigned char **, long), \
+				void (*)(type *), \
                                 const char *, int, \
                                 ASN1_STRING *, int))PKCS12_decrypt_d2i) \
 				(algor,d2i_func,free_func,pass,passlen,oct,seq)
@@ -193,14 +197,14 @@ STACK_OF(type) \
 	sk_is_sorted(st)
 
 #define	SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
-	d2i_ASN1_SET(st,pp,length, (char *(*)())d2i_func, (void (*)(void *))free_func, ex_tag,ex_class)
+	d2i_ASN1_SET(st,pp,length, (void *(*)(void ** ,const unsigned char ** ,long))d2i_func, (void (*)(void *))free_func, ex_tag,ex_class)
 #define	SKM_ASN1_SET_OF_i2d(type, st, pp, i2d_func, ex_tag, ex_class, is_set) \
-	i2d_ASN1_SET(st,pp,i2d_func,ex_tag,ex_class,is_set)
+	i2d_ASN1_SET(st,pp,(int (*)(void *, unsigned char **))i2d_func,ex_tag,ex_class,is_set)
 
 #define	SKM_ASN1_seq_pack(type, st, i2d_func, buf, len) \
-	ASN1_seq_pack(st, i2d_func, buf, len)
+	ASN1_seq_pack(st, (int (*)(void *, unsigned char **))i2d_func, buf, len)
 #define	SKM_ASN1_seq_unpack(type, buf, len, d2i_func, free_func) \
-	ASN1_seq_unpack(buf,len,(char *(*)())d2i_func, (void(*)(void *))free_func)
+	ASN1_seq_unpack(buf,len,(void *(*)(void **,const unsigned char **,long))d2i_func, (void(*)(void *))free_func)
 
 #define SKM_PKCS12_decrypt_d2i(type, algor, d2i_func, free_func, pass, passlen, oct, seq) \
 	((STACK *)PKCS12_decrypt_d2i(algor,(char *(*)())d2i_func, (void(*)(void *))free_func,pass,passlen,oct,seq))
@@ -218,6 +222,7 @@ STACK_OF(type) \
 #define sk_ACCESS_DESCRIPTION_push(st, val) SKM_sk_push(ACCESS_DESCRIPTION, (st), (val))
 #define sk_ACCESS_DESCRIPTION_unshift(st, val) SKM_sk_unshift(ACCESS_DESCRIPTION, (st), (val))
 #define sk_ACCESS_DESCRIPTION_find(st, val) SKM_sk_find(ACCESS_DESCRIPTION, (st), (val))
+#define sk_ACCESS_DESCRIPTION_find_ex(st, val) SKM_sk_find_ex(ACCESS_DESCRIPTION, (st), (val))
 #define sk_ACCESS_DESCRIPTION_delete(st, i) SKM_sk_delete(ACCESS_DESCRIPTION, (st), (i))
 #define sk_ACCESS_DESCRIPTION_delete_ptr(st, ptr) SKM_sk_delete_ptr(ACCESS_DESCRIPTION, (st), (ptr))
 #define sk_ACCESS_DESCRIPTION_insert(st, val, i) SKM_sk_insert(ACCESS_DESCRIPTION, (st), (val), (i))
@@ -239,6 +244,7 @@ STACK_OF(type) \
 #define sk_ASN1_GENERALSTRING_push(st, val) SKM_sk_push(ASN1_GENERALSTRING, (st), (val))
 #define sk_ASN1_GENERALSTRING_unshift(st, val) SKM_sk_unshift(ASN1_GENERALSTRING, (st), (val))
 #define sk_ASN1_GENERALSTRING_find(st, val) SKM_sk_find(ASN1_GENERALSTRING, (st), (val))
+#define sk_ASN1_GENERALSTRING_find_ex(st, val) SKM_sk_find_ex(ASN1_GENERALSTRING, (st), (val))
 #define sk_ASN1_GENERALSTRING_delete(st, i) SKM_sk_delete(ASN1_GENERALSTRING, (st), (i))
 #define sk_ASN1_GENERALSTRING_delete_ptr(st, ptr) SKM_sk_delete_ptr(ASN1_GENERALSTRING, (st), (ptr))
 #define sk_ASN1_GENERALSTRING_insert(st, val, i) SKM_sk_insert(ASN1_GENERALSTRING, (st), (val), (i))
@@ -260,6 +266,7 @@ STACK_OF(type) \
 #define sk_ASN1_INTEGER_push(st, val) SKM_sk_push(ASN1_INTEGER, (st), (val))
 #define sk_ASN1_INTEGER_unshift(st, val) SKM_sk_unshift(ASN1_INTEGER, (st), (val))
 #define sk_ASN1_INTEGER_find(st, val) SKM_sk_find(ASN1_INTEGER, (st), (val))
+#define sk_ASN1_INTEGER_find_ex(st, val) SKM_sk_find_ex(ASN1_INTEGER, (st), (val))
 #define sk_ASN1_INTEGER_delete(st, i) SKM_sk_delete(ASN1_INTEGER, (st), (i))
 #define sk_ASN1_INTEGER_delete_ptr(st, ptr) SKM_sk_delete_ptr(ASN1_INTEGER, (st), (ptr))
 #define sk_ASN1_INTEGER_insert(st, val, i) SKM_sk_insert(ASN1_INTEGER, (st), (val), (i))
@@ -281,6 +288,7 @@ STACK_OF(type) \
 #define sk_ASN1_OBJECT_push(st, val) SKM_sk_push(ASN1_OBJECT, (st), (val))
 #define sk_ASN1_OBJECT_unshift(st, val) SKM_sk_unshift(ASN1_OBJECT, (st), (val))
 #define sk_ASN1_OBJECT_find(st, val) SKM_sk_find(ASN1_OBJECT, (st), (val))
+#define sk_ASN1_OBJECT_find_ex(st, val) SKM_sk_find_ex(ASN1_OBJECT, (st), (val))
 #define sk_ASN1_OBJECT_delete(st, i) SKM_sk_delete(ASN1_OBJECT, (st), (i))
 #define sk_ASN1_OBJECT_delete_ptr(st, ptr) SKM_sk_delete_ptr(ASN1_OBJECT, (st), (ptr))
 #define sk_ASN1_OBJECT_insert(st, val, i) SKM_sk_insert(ASN1_OBJECT, (st), (val), (i))
@@ -302,6 +310,7 @@ STACK_OF(type) \
 #define sk_ASN1_STRING_TABLE_push(st, val) SKM_sk_push(ASN1_STRING_TABLE, (st), (val))
 #define sk_ASN1_STRING_TABLE_unshift(st, val) SKM_sk_unshift(ASN1_STRING_TABLE, (st), (val))
 #define sk_ASN1_STRING_TABLE_find(st, val) SKM_sk_find(ASN1_STRING_TABLE, (st), (val))
+#define sk_ASN1_STRING_TABLE_find_ex(st, val) SKM_sk_find_ex(ASN1_STRING_TABLE, (st), (val))
 #define sk_ASN1_STRING_TABLE_delete(st, i) SKM_sk_delete(ASN1_STRING_TABLE, (st), (i))
 #define sk_ASN1_STRING_TABLE_delete_ptr(st, ptr) SKM_sk_delete_ptr(ASN1_STRING_TABLE, (st), (ptr))
 #define sk_ASN1_STRING_TABLE_insert(st, val, i) SKM_sk_insert(ASN1_STRING_TABLE, (st), (val), (i))
@@ -323,6 +332,7 @@ STACK_OF(type) \
 #define sk_ASN1_TYPE_push(st, val) SKM_sk_push(ASN1_TYPE, (st), (val))
 #define sk_ASN1_TYPE_unshift(st, val) SKM_sk_unshift(ASN1_TYPE, (st), (val))
 #define sk_ASN1_TYPE_find(st, val) SKM_sk_find(ASN1_TYPE, (st), (val))
+#define sk_ASN1_TYPE_find_ex(st, val) SKM_sk_find_ex(ASN1_TYPE, (st), (val))
 #define sk_ASN1_TYPE_delete(st, i) SKM_sk_delete(ASN1_TYPE, (st), (i))
 #define sk_ASN1_TYPE_delete_ptr(st, ptr) SKM_sk_delete_ptr(ASN1_TYPE, (st), (ptr))
 #define sk_ASN1_TYPE_insert(st, val, i) SKM_sk_insert(ASN1_TYPE, (st), (val), (i))
@@ -344,6 +354,7 @@ STACK_OF(type) \
 #define sk_ASN1_VALUE_push(st, val) SKM_sk_push(ASN1_VALUE, (st), (val))
 #define sk_ASN1_VALUE_unshift(st, val) SKM_sk_unshift(ASN1_VALUE, (st), (val))
 #define sk_ASN1_VALUE_find(st, val) SKM_sk_find(ASN1_VALUE, (st), (val))
+#define sk_ASN1_VALUE_find_ex(st, val) SKM_sk_find_ex(ASN1_VALUE, (st), (val))
 #define sk_ASN1_VALUE_delete(st, i) SKM_sk_delete(ASN1_VALUE, (st), (i))
 #define sk_ASN1_VALUE_delete_ptr(st, ptr) SKM_sk_delete_ptr(ASN1_VALUE, (st), (ptr))
 #define sk_ASN1_VALUE_insert(st, val, i) SKM_sk_insert(ASN1_VALUE, (st), (val), (i))
@@ -365,6 +376,7 @@ STACK_OF(type) \
 #define sk_BIO_push(st, val) SKM_sk_push(BIO, (st), (val))
 #define sk_BIO_unshift(st, val) SKM_sk_unshift(BIO, (st), (val))
 #define sk_BIO_find(st, val) SKM_sk_find(BIO, (st), (val))
+#define sk_BIO_find_ex(st, val) SKM_sk_find_ex(BIO, (st), (val))
 #define sk_BIO_delete(st, i) SKM_sk_delete(BIO, (st), (i))
 #define sk_BIO_delete_ptr(st, ptr) SKM_sk_delete_ptr(BIO, (st), (ptr))
 #define sk_BIO_insert(st, val, i) SKM_sk_insert(BIO, (st), (val), (i))
@@ -386,6 +398,7 @@ STACK_OF(type) \
 #define sk_CONF_IMODULE_push(st, val) SKM_sk_push(CONF_IMODULE, (st), (val))
 #define sk_CONF_IMODULE_unshift(st, val) SKM_sk_unshift(CONF_IMODULE, (st), (val))
 #define sk_CONF_IMODULE_find(st, val) SKM_sk_find(CONF_IMODULE, (st), (val))
+#define sk_CONF_IMODULE_find_ex(st, val) SKM_sk_find_ex(CONF_IMODULE, (st), (val))
 #define sk_CONF_IMODULE_delete(st, i) SKM_sk_delete(CONF_IMODULE, (st), (i))
 #define sk_CONF_IMODULE_delete_ptr(st, ptr) SKM_sk_delete_ptr(CONF_IMODULE, (st), (ptr))
 #define sk_CONF_IMODULE_insert(st, val, i) SKM_sk_insert(CONF_IMODULE, (st), (val), (i))
@@ -407,6 +420,7 @@ STACK_OF(type) \
 #define sk_CONF_MODULE_push(st, val) SKM_sk_push(CONF_MODULE, (st), (val))
 #define sk_CONF_MODULE_unshift(st, val) SKM_sk_unshift(CONF_MODULE, (st), (val))
 #define sk_CONF_MODULE_find(st, val) SKM_sk_find(CONF_MODULE, (st), (val))
+#define sk_CONF_MODULE_find_ex(st, val) SKM_sk_find_ex(CONF_MODULE, (st), (val))
 #define sk_CONF_MODULE_delete(st, i) SKM_sk_delete(CONF_MODULE, (st), (i))
 #define sk_CONF_MODULE_delete_ptr(st, ptr) SKM_sk_delete_ptr(CONF_MODULE, (st), (ptr))
 #define sk_CONF_MODULE_insert(st, val, i) SKM_sk_insert(CONF_MODULE, (st), (val), (i))
@@ -428,6 +442,7 @@ STACK_OF(type) \
 #define sk_CONF_VALUE_push(st, val) SKM_sk_push(CONF_VALUE, (st), (val))
 #define sk_CONF_VALUE_unshift(st, val) SKM_sk_unshift(CONF_VALUE, (st), (val))
 #define sk_CONF_VALUE_find(st, val) SKM_sk_find(CONF_VALUE, (st), (val))
+#define sk_CONF_VALUE_find_ex(st, val) SKM_sk_find_ex(CONF_VALUE, (st), (val))
 #define sk_CONF_VALUE_delete(st, i) SKM_sk_delete(CONF_VALUE, (st), (i))
 #define sk_CONF_VALUE_delete_ptr(st, ptr) SKM_sk_delete_ptr(CONF_VALUE, (st), (ptr))
 #define sk_CONF_VALUE_insert(st, val, i) SKM_sk_insert(CONF_VALUE, (st), (val), (i))
@@ -449,6 +464,7 @@ STACK_OF(type) \
 #define sk_CRYPTO_EX_DATA_FUNCS_push(st, val) SKM_sk_push(CRYPTO_EX_DATA_FUNCS, (st), (val))
 #define sk_CRYPTO_EX_DATA_FUNCS_unshift(st, val) SKM_sk_unshift(CRYPTO_EX_DATA_FUNCS, (st), (val))
 #define sk_CRYPTO_EX_DATA_FUNCS_find(st, val) SKM_sk_find(CRYPTO_EX_DATA_FUNCS, (st), (val))
+#define sk_CRYPTO_EX_DATA_FUNCS_find_ex(st, val) SKM_sk_find_ex(CRYPTO_EX_DATA_FUNCS, (st), (val))
 #define sk_CRYPTO_EX_DATA_FUNCS_delete(st, i) SKM_sk_delete(CRYPTO_EX_DATA_FUNCS, (st), (i))
 #define sk_CRYPTO_EX_DATA_FUNCS_delete_ptr(st, ptr) SKM_sk_delete_ptr(CRYPTO_EX_DATA_FUNCS, (st), (ptr))
 #define sk_CRYPTO_EX_DATA_FUNCS_insert(st, val, i) SKM_sk_insert(CRYPTO_EX_DATA_FUNCS, (st), (val), (i))
@@ -470,6 +486,7 @@ STACK_OF(type) \
 #define sk_CRYPTO_dynlock_push(st, val) SKM_sk_push(CRYPTO_dynlock, (st), (val))
 #define sk_CRYPTO_dynlock_unshift(st, val) SKM_sk_unshift(CRYPTO_dynlock, (st), (val))
 #define sk_CRYPTO_dynlock_find(st, val) SKM_sk_find(CRYPTO_dynlock, (st), (val))
+#define sk_CRYPTO_dynlock_find_ex(st, val) SKM_sk_find_ex(CRYPTO_dynlock, (st), (val))
 #define sk_CRYPTO_dynlock_delete(st, i) SKM_sk_delete(CRYPTO_dynlock, (st), (i))
 #define sk_CRYPTO_dynlock_delete_ptr(st, ptr) SKM_sk_delete_ptr(CRYPTO_dynlock, (st), (ptr))
 #define sk_CRYPTO_dynlock_insert(st, val, i) SKM_sk_insert(CRYPTO_dynlock, (st), (val), (i))
@@ -491,6 +508,7 @@ STACK_OF(type) \
 #define sk_DIST_POINT_push(st, val) SKM_sk_push(DIST_POINT, (st), (val))
 #define sk_DIST_POINT_unshift(st, val) SKM_sk_unshift(DIST_POINT, (st), (val))
 #define sk_DIST_POINT_find(st, val) SKM_sk_find(DIST_POINT, (st), (val))
+#define sk_DIST_POINT_find_ex(st, val) SKM_sk_find_ex(DIST_POINT, (st), (val))
 #define sk_DIST_POINT_delete(st, i) SKM_sk_delete(DIST_POINT, (st), (i))
 #define sk_DIST_POINT_delete_ptr(st, ptr) SKM_sk_delete_ptr(DIST_POINT, (st), (ptr))
 #define sk_DIST_POINT_insert(st, val, i) SKM_sk_insert(DIST_POINT, (st), (val), (i))
@@ -512,6 +530,7 @@ STACK_OF(type) \
 #define sk_ENGINE_push(st, val) SKM_sk_push(ENGINE, (st), (val))
 #define sk_ENGINE_unshift(st, val) SKM_sk_unshift(ENGINE, (st), (val))
 #define sk_ENGINE_find(st, val) SKM_sk_find(ENGINE, (st), (val))
+#define sk_ENGINE_find_ex(st, val) SKM_sk_find_ex(ENGINE, (st), (val))
 #define sk_ENGINE_delete(st, i) SKM_sk_delete(ENGINE, (st), (i))
 #define sk_ENGINE_delete_ptr(st, ptr) SKM_sk_delete_ptr(ENGINE, (st), (ptr))
 #define sk_ENGINE_insert(st, val, i) SKM_sk_insert(ENGINE, (st), (val), (i))
@@ -533,6 +552,7 @@ STACK_OF(type) \
 #define sk_ENGINE_CLEANUP_ITEM_push(st, val) SKM_sk_push(ENGINE_CLEANUP_ITEM, (st), (val))
 #define sk_ENGINE_CLEANUP_ITEM_unshift(st, val) SKM_sk_unshift(ENGINE_CLEANUP_ITEM, (st), (val))
 #define sk_ENGINE_CLEANUP_ITEM_find(st, val) SKM_sk_find(ENGINE_CLEANUP_ITEM, (st), (val))
+#define sk_ENGINE_CLEANUP_ITEM_find_ex(st, val) SKM_sk_find_ex(ENGINE_CLEANUP_ITEM, (st), (val))
 #define sk_ENGINE_CLEANUP_ITEM_delete(st, i) SKM_sk_delete(ENGINE_CLEANUP_ITEM, (st), (i))
 #define sk_ENGINE_CLEANUP_ITEM_delete_ptr(st, ptr) SKM_sk_delete_ptr(ENGINE_CLEANUP_ITEM, (st), (ptr))
 #define sk_ENGINE_CLEANUP_ITEM_insert(st, val, i) SKM_sk_insert(ENGINE_CLEANUP_ITEM, (st), (val), (i))
@@ -554,6 +574,7 @@ STACK_OF(type) \
 #define sk_GENERAL_NAME_push(st, val) SKM_sk_push(GENERAL_NAME, (st), (val))
 #define sk_GENERAL_NAME_unshift(st, val) SKM_sk_unshift(GENERAL_NAME, (st), (val))
 #define sk_GENERAL_NAME_find(st, val) SKM_sk_find(GENERAL_NAME, (st), (val))
+#define sk_GENERAL_NAME_find_ex(st, val) SKM_sk_find_ex(GENERAL_NAME, (st), (val))
 #define sk_GENERAL_NAME_delete(st, i) SKM_sk_delete(GENERAL_NAME, (st), (i))
 #define sk_GENERAL_NAME_delete_ptr(st, ptr) SKM_sk_delete_ptr(GENERAL_NAME, (st), (ptr))
 #define sk_GENERAL_NAME_insert(st, val, i) SKM_sk_insert(GENERAL_NAME, (st), (val), (i))
@@ -565,6 +586,28 @@ STACK_OF(type) \
 #define sk_GENERAL_NAME_sort(st) SKM_sk_sort(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_is_sorted(st) SKM_sk_is_sorted(GENERAL_NAME, (st))
 
+#define sk_GENERAL_SUBTREE_new(st) SKM_sk_new(GENERAL_SUBTREE, (st))
+#define sk_GENERAL_SUBTREE_new_null() SKM_sk_new_null(GENERAL_SUBTREE)
+#define sk_GENERAL_SUBTREE_free(st) SKM_sk_free(GENERAL_SUBTREE, (st))
+#define sk_GENERAL_SUBTREE_num(st) SKM_sk_num(GENERAL_SUBTREE, (st))
+#define sk_GENERAL_SUBTREE_value(st, i) SKM_sk_value(GENERAL_SUBTREE, (st), (i))
+#define sk_GENERAL_SUBTREE_set(st, i, val) SKM_sk_set(GENERAL_SUBTREE, (st), (i), (val))
+#define sk_GENERAL_SUBTREE_zero(st) SKM_sk_zero(GENERAL_SUBTREE, (st))
+#define sk_GENERAL_SUBTREE_push(st, val) SKM_sk_push(GENERAL_SUBTREE, (st), (val))
+#define sk_GENERAL_SUBTREE_unshift(st, val) SKM_sk_unshift(GENERAL_SUBTREE, (st), (val))
+#define sk_GENERAL_SUBTREE_find(st, val) SKM_sk_find(GENERAL_SUBTREE, (st), (val))
+#define sk_GENERAL_SUBTREE_find_ex(st, val) SKM_sk_find_ex(GENERAL_SUBTREE, (st), (val))
+#define sk_GENERAL_SUBTREE_delete(st, i) SKM_sk_delete(GENERAL_SUBTREE, (st), (i))
+#define sk_GENERAL_SUBTREE_delete_ptr(st, ptr) SKM_sk_delete_ptr(GENERAL_SUBTREE, (st), (ptr))
+#define sk_GENERAL_SUBTREE_insert(st, val, i) SKM_sk_insert(GENERAL_SUBTREE, (st), (val), (i))
+#define sk_GENERAL_SUBTREE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(GENERAL_SUBTREE, (st), (cmp))
+#define sk_GENERAL_SUBTREE_dup(st) SKM_sk_dup(GENERAL_SUBTREE, st)
+#define sk_GENERAL_SUBTREE_pop_free(st, free_func) SKM_sk_pop_free(GENERAL_SUBTREE, (st), (free_func))
+#define sk_GENERAL_SUBTREE_shift(st) SKM_sk_shift(GENERAL_SUBTREE, (st))
+#define sk_GENERAL_SUBTREE_pop(st) SKM_sk_pop(GENERAL_SUBTREE, (st))
+#define sk_GENERAL_SUBTREE_sort(st) SKM_sk_sort(GENERAL_SUBTREE, (st))
+#define sk_GENERAL_SUBTREE_is_sorted(st) SKM_sk_is_sorted(GENERAL_SUBTREE, (st))
+
 #define sk_KRB5_APREQBODY_new(st) SKM_sk_new(KRB5_APREQBODY, (st))
 #define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY)
 #define sk_KRB5_APREQBODY_free(st) SKM_sk_free(KRB5_APREQBODY, (st))
@@ -575,6 +618,7 @@ STACK_OF(type) \
 #define sk_KRB5_APREQBODY_push(st, val) SKM_sk_push(KRB5_APREQBODY, (st), (val))
 #define sk_KRB5_APREQBODY_unshift(st, val) SKM_sk_unshift(KRB5_APREQBODY, (st), (val))
 #define sk_KRB5_APREQBODY_find(st, val) SKM_sk_find(KRB5_APREQBODY, (st), (val))
+#define sk_KRB5_APREQBODY_find_ex(st, val) SKM_sk_find_ex(KRB5_APREQBODY, (st), (val))
 #define sk_KRB5_APREQBODY_delete(st, i) SKM_sk_delete(KRB5_APREQBODY, (st), (i))
 #define sk_KRB5_APREQBODY_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_APREQBODY, (st), (ptr))
 #define sk_KRB5_APREQBODY_insert(st, val, i) SKM_sk_insert(KRB5_APREQBODY, (st), (val), (i))
@@ -596,6 +640,7 @@ STACK_OF(type) \
 #define sk_KRB5_AUTHDATA_push(st, val) SKM_sk_push(KRB5_AUTHDATA, (st), (val))
 #define sk_KRB5_AUTHDATA_unshift(st, val) SKM_sk_unshift(KRB5_AUTHDATA, (st), (val))
 #define sk_KRB5_AUTHDATA_find(st, val) SKM_sk_find(KRB5_AUTHDATA, (st), (val))
+#define sk_KRB5_AUTHDATA_find_ex(st, val) SKM_sk_find_ex(KRB5_AUTHDATA, (st), (val))
 #define sk_KRB5_AUTHDATA_delete(st, i) SKM_sk_delete(KRB5_AUTHDATA, (st), (i))
 #define sk_KRB5_AUTHDATA_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_AUTHDATA, (st), (ptr))
 #define sk_KRB5_AUTHDATA_insert(st, val, i) SKM_sk_insert(KRB5_AUTHDATA, (st), (val), (i))
@@ -617,6 +662,7 @@ STACK_OF(type) \
 #define sk_KRB5_AUTHENTBODY_push(st, val) SKM_sk_push(KRB5_AUTHENTBODY, (st), (val))
 #define sk_KRB5_AUTHENTBODY_unshift(st, val) SKM_sk_unshift(KRB5_AUTHENTBODY, (st), (val))
 #define sk_KRB5_AUTHENTBODY_find(st, val) SKM_sk_find(KRB5_AUTHENTBODY, (st), (val))
+#define sk_KRB5_AUTHENTBODY_find_ex(st, val) SKM_sk_find_ex(KRB5_AUTHENTBODY, (st), (val))
 #define sk_KRB5_AUTHENTBODY_delete(st, i) SKM_sk_delete(KRB5_AUTHENTBODY, (st), (i))
 #define sk_KRB5_AUTHENTBODY_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_AUTHENTBODY, (st), (ptr))
 #define sk_KRB5_AUTHENTBODY_insert(st, val, i) SKM_sk_insert(KRB5_AUTHENTBODY, (st), (val), (i))
@@ -638,6 +684,7 @@ STACK_OF(type) \
 #define sk_KRB5_CHECKSUM_push(st, val) SKM_sk_push(KRB5_CHECKSUM, (st), (val))
 #define sk_KRB5_CHECKSUM_unshift(st, val) SKM_sk_unshift(KRB5_CHECKSUM, (st), (val))
 #define sk_KRB5_CHECKSUM_find(st, val) SKM_sk_find(KRB5_CHECKSUM, (st), (val))
+#define sk_KRB5_CHECKSUM_find_ex(st, val) SKM_sk_find_ex(KRB5_CHECKSUM, (st), (val))
 #define sk_KRB5_CHECKSUM_delete(st, i) SKM_sk_delete(KRB5_CHECKSUM, (st), (i))
 #define sk_KRB5_CHECKSUM_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_CHECKSUM, (st), (ptr))
 #define sk_KRB5_CHECKSUM_insert(st, val, i) SKM_sk_insert(KRB5_CHECKSUM, (st), (val), (i))
@@ -659,6 +706,7 @@ STACK_OF(type) \
 #define sk_KRB5_ENCDATA_push(st, val) SKM_sk_push(KRB5_ENCDATA, (st), (val))
 #define sk_KRB5_ENCDATA_unshift(st, val) SKM_sk_unshift(KRB5_ENCDATA, (st), (val))
 #define sk_KRB5_ENCDATA_find(st, val) SKM_sk_find(KRB5_ENCDATA, (st), (val))
+#define sk_KRB5_ENCDATA_find_ex(st, val) SKM_sk_find_ex(KRB5_ENCDATA, (st), (val))
 #define sk_KRB5_ENCDATA_delete(st, i) SKM_sk_delete(KRB5_ENCDATA, (st), (i))
 #define sk_KRB5_ENCDATA_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_ENCDATA, (st), (ptr))
 #define sk_KRB5_ENCDATA_insert(st, val, i) SKM_sk_insert(KRB5_ENCDATA, (st), (val), (i))
@@ -680,6 +728,7 @@ STACK_OF(type) \
 #define sk_KRB5_ENCKEY_push(st, val) SKM_sk_push(KRB5_ENCKEY, (st), (val))
 #define sk_KRB5_ENCKEY_unshift(st, val) SKM_sk_unshift(KRB5_ENCKEY, (st), (val))
 #define sk_KRB5_ENCKEY_find(st, val) SKM_sk_find(KRB5_ENCKEY, (st), (val))
+#define sk_KRB5_ENCKEY_find_ex(st, val) SKM_sk_find_ex(KRB5_ENCKEY, (st), (val))
 #define sk_KRB5_ENCKEY_delete(st, i) SKM_sk_delete(KRB5_ENCKEY, (st), (i))
 #define sk_KRB5_ENCKEY_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_ENCKEY, (st), (ptr))
 #define sk_KRB5_ENCKEY_insert(st, val, i) SKM_sk_insert(KRB5_ENCKEY, (st), (val), (i))
@@ -701,6 +750,7 @@ STACK_OF(type) \
 #define sk_KRB5_PRINCNAME_push(st, val) SKM_sk_push(KRB5_PRINCNAME, (st), (val))
 #define sk_KRB5_PRINCNAME_unshift(st, val) SKM_sk_unshift(KRB5_PRINCNAME, (st), (val))
 #define sk_KRB5_PRINCNAME_find(st, val) SKM_sk_find(KRB5_PRINCNAME, (st), (val))
+#define sk_KRB5_PRINCNAME_find_ex(st, val) SKM_sk_find_ex(KRB5_PRINCNAME, (st), (val))
 #define sk_KRB5_PRINCNAME_delete(st, i) SKM_sk_delete(KRB5_PRINCNAME, (st), (i))
 #define sk_KRB5_PRINCNAME_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_PRINCNAME, (st), (ptr))
 #define sk_KRB5_PRINCNAME_insert(st, val, i) SKM_sk_insert(KRB5_PRINCNAME, (st), (val), (i))
@@ -722,6 +772,7 @@ STACK_OF(type) \
 #define sk_KRB5_TKTBODY_push(st, val) SKM_sk_push(KRB5_TKTBODY, (st), (val))
 #define sk_KRB5_TKTBODY_unshift(st, val) SKM_sk_unshift(KRB5_TKTBODY, (st), (val))
 #define sk_KRB5_TKTBODY_find(st, val) SKM_sk_find(KRB5_TKTBODY, (st), (val))
+#define sk_KRB5_TKTBODY_find_ex(st, val) SKM_sk_find_ex(KRB5_TKTBODY, (st), (val))
 #define sk_KRB5_TKTBODY_delete(st, i) SKM_sk_delete(KRB5_TKTBODY, (st), (i))
 #define sk_KRB5_TKTBODY_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_TKTBODY, (st), (ptr))
 #define sk_KRB5_TKTBODY_insert(st, val, i) SKM_sk_insert(KRB5_TKTBODY, (st), (val), (i))
@@ -743,6 +794,7 @@ STACK_OF(type) \
 #define sk_MIME_HEADER_push(st, val) SKM_sk_push(MIME_HEADER, (st), (val))
 #define sk_MIME_HEADER_unshift(st, val) SKM_sk_unshift(MIME_HEADER, (st), (val))
 #define sk_MIME_HEADER_find(st, val) SKM_sk_find(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_find_ex(st, val) SKM_sk_find_ex(MIME_HEADER, (st), (val))
 #define sk_MIME_HEADER_delete(st, i) SKM_sk_delete(MIME_HEADER, (st), (i))
 #define sk_MIME_HEADER_delete_ptr(st, ptr) SKM_sk_delete_ptr(MIME_HEADER, (st), (ptr))
 #define sk_MIME_HEADER_insert(st, val, i) SKM_sk_insert(MIME_HEADER, (st), (val), (i))
@@ -764,6 +816,7 @@ STACK_OF(type) \
 #define sk_MIME_PARAM_push(st, val) SKM_sk_push(MIME_PARAM, (st), (val))
 #define sk_MIME_PARAM_unshift(st, val) SKM_sk_unshift(MIME_PARAM, (st), (val))
 #define sk_MIME_PARAM_find(st, val) SKM_sk_find(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_find_ex(st, val) SKM_sk_find_ex(MIME_PARAM, (st), (val))
 #define sk_MIME_PARAM_delete(st, i) SKM_sk_delete(MIME_PARAM, (st), (i))
 #define sk_MIME_PARAM_delete_ptr(st, ptr) SKM_sk_delete_ptr(MIME_PARAM, (st), (ptr))
 #define sk_MIME_PARAM_insert(st, val, i) SKM_sk_insert(MIME_PARAM, (st), (val), (i))
@@ -785,6 +838,7 @@ STACK_OF(type) \
 #define sk_NAME_FUNCS_push(st, val) SKM_sk_push(NAME_FUNCS, (st), (val))
 #define sk_NAME_FUNCS_unshift(st, val) SKM_sk_unshift(NAME_FUNCS, (st), (val))
 #define sk_NAME_FUNCS_find(st, val) SKM_sk_find(NAME_FUNCS, (st), (val))
+#define sk_NAME_FUNCS_find_ex(st, val) SKM_sk_find_ex(NAME_FUNCS, (st), (val))
 #define sk_NAME_FUNCS_delete(st, i) SKM_sk_delete(NAME_FUNCS, (st), (i))
 #define sk_NAME_FUNCS_delete_ptr(st, ptr) SKM_sk_delete_ptr(NAME_FUNCS, (st), (ptr))
 #define sk_NAME_FUNCS_insert(st, val, i) SKM_sk_insert(NAME_FUNCS, (st), (val), (i))
@@ -806,6 +860,7 @@ STACK_OF(type) \
 #define sk_OCSP_CERTID_push(st, val) SKM_sk_push(OCSP_CERTID, (st), (val))
 #define sk_OCSP_CERTID_unshift(st, val) SKM_sk_unshift(OCSP_CERTID, (st), (val))
 #define sk_OCSP_CERTID_find(st, val) SKM_sk_find(OCSP_CERTID, (st), (val))
+#define sk_OCSP_CERTID_find_ex(st, val) SKM_sk_find_ex(OCSP_CERTID, (st), (val))
 #define sk_OCSP_CERTID_delete(st, i) SKM_sk_delete(OCSP_CERTID, (st), (i))
 #define sk_OCSP_CERTID_delete_ptr(st, ptr) SKM_sk_delete_ptr(OCSP_CERTID, (st), (ptr))
 #define sk_OCSP_CERTID_insert(st, val, i) SKM_sk_insert(OCSP_CERTID, (st), (val), (i))
@@ -827,6 +882,7 @@ STACK_OF(type) \
 #define sk_OCSP_ONEREQ_push(st, val) SKM_sk_push(OCSP_ONEREQ, (st), (val))
 #define sk_OCSP_ONEREQ_unshift(st, val) SKM_sk_unshift(OCSP_ONEREQ, (st), (val))
 #define sk_OCSP_ONEREQ_find(st, val) SKM_sk_find(OCSP_ONEREQ, (st), (val))
+#define sk_OCSP_ONEREQ_find_ex(st, val) SKM_sk_find_ex(OCSP_ONEREQ, (st), (val))
 #define sk_OCSP_ONEREQ_delete(st, i) SKM_sk_delete(OCSP_ONEREQ, (st), (i))
 #define sk_OCSP_ONEREQ_delete_ptr(st, ptr) SKM_sk_delete_ptr(OCSP_ONEREQ, (st), (ptr))
 #define sk_OCSP_ONEREQ_insert(st, val, i) SKM_sk_insert(OCSP_ONEREQ, (st), (val), (i))
@@ -848,6 +904,7 @@ STACK_OF(type) \
 #define sk_OCSP_SINGLERESP_push(st, val) SKM_sk_push(OCSP_SINGLERESP, (st), (val))
 #define sk_OCSP_SINGLERESP_unshift(st, val) SKM_sk_unshift(OCSP_SINGLERESP, (st), (val))
 #define sk_OCSP_SINGLERESP_find(st, val) SKM_sk_find(OCSP_SINGLERESP, (st), (val))
+#define sk_OCSP_SINGLERESP_find_ex(st, val) SKM_sk_find_ex(OCSP_SINGLERESP, (st), (val))
 #define sk_OCSP_SINGLERESP_delete(st, i) SKM_sk_delete(OCSP_SINGLERESP, (st), (i))
 #define sk_OCSP_SINGLERESP_delete_ptr(st, ptr) SKM_sk_delete_ptr(OCSP_SINGLERESP, (st), (ptr))
 #define sk_OCSP_SINGLERESP_insert(st, val, i) SKM_sk_insert(OCSP_SINGLERESP, (st), (val), (i))
@@ -869,6 +926,7 @@ STACK_OF(type) \
 #define sk_PKCS12_SAFEBAG_push(st, val) SKM_sk_push(PKCS12_SAFEBAG, (st), (val))
 #define sk_PKCS12_SAFEBAG_unshift(st, val) SKM_sk_unshift(PKCS12_SAFEBAG, (st), (val))
 #define sk_PKCS12_SAFEBAG_find(st, val) SKM_sk_find(PKCS12_SAFEBAG, (st), (val))
+#define sk_PKCS12_SAFEBAG_find_ex(st, val) SKM_sk_find_ex(PKCS12_SAFEBAG, (st), (val))
 #define sk_PKCS12_SAFEBAG_delete(st, i) SKM_sk_delete(PKCS12_SAFEBAG, (st), (i))
 #define sk_PKCS12_SAFEBAG_delete_ptr(st, ptr) SKM_sk_delete_ptr(PKCS12_SAFEBAG, (st), (ptr))
 #define sk_PKCS12_SAFEBAG_insert(st, val, i) SKM_sk_insert(PKCS12_SAFEBAG, (st), (val), (i))
@@ -890,6 +948,7 @@ STACK_OF(type) \
 #define sk_PKCS7_push(st, val) SKM_sk_push(PKCS7, (st), (val))
 #define sk_PKCS7_unshift(st, val) SKM_sk_unshift(PKCS7, (st), (val))
 #define sk_PKCS7_find(st, val) SKM_sk_find(PKCS7, (st), (val))
+#define sk_PKCS7_find_ex(st, val) SKM_sk_find_ex(PKCS7, (st), (val))
 #define sk_PKCS7_delete(st, i) SKM_sk_delete(PKCS7, (st), (i))
 #define sk_PKCS7_delete_ptr(st, ptr) SKM_sk_delete_ptr(PKCS7, (st), (ptr))
 #define sk_PKCS7_insert(st, val, i) SKM_sk_insert(PKCS7, (st), (val), (i))
@@ -911,6 +970,7 @@ STACK_OF(type) \
 #define sk_PKCS7_RECIP_INFO_push(st, val) SKM_sk_push(PKCS7_RECIP_INFO, (st), (val))
 #define sk_PKCS7_RECIP_INFO_unshift(st, val) SKM_sk_unshift(PKCS7_RECIP_INFO, (st), (val))
 #define sk_PKCS7_RECIP_INFO_find(st, val) SKM_sk_find(PKCS7_RECIP_INFO, (st), (val))
+#define sk_PKCS7_RECIP_INFO_find_ex(st, val) SKM_sk_find_ex(PKCS7_RECIP_INFO, (st), (val))
 #define sk_PKCS7_RECIP_INFO_delete(st, i) SKM_sk_delete(PKCS7_RECIP_INFO, (st), (i))
 #define sk_PKCS7_RECIP_INFO_delete_ptr(st, ptr) SKM_sk_delete_ptr(PKCS7_RECIP_INFO, (st), (ptr))
 #define sk_PKCS7_RECIP_INFO_insert(st, val, i) SKM_sk_insert(PKCS7_RECIP_INFO, (st), (val), (i))
@@ -932,6 +992,7 @@ STACK_OF(type) \
 #define sk_PKCS7_SIGNER_INFO_push(st, val) SKM_sk_push(PKCS7_SIGNER_INFO, (st), (val))
 #define sk_PKCS7_SIGNER_INFO_unshift(st, val) SKM_sk_unshift(PKCS7_SIGNER_INFO, (st), (val))
 #define sk_PKCS7_SIGNER_INFO_find(st, val) SKM_sk_find(PKCS7_SIGNER_INFO, (st), (val))
+#define sk_PKCS7_SIGNER_INFO_find_ex(st, val) SKM_sk_find_ex(PKCS7_SIGNER_INFO, (st), (val))
 #define sk_PKCS7_SIGNER_INFO_delete(st, i) SKM_sk_delete(PKCS7_SIGNER_INFO, (st), (i))
 #define sk_PKCS7_SIGNER_INFO_delete_ptr(st, ptr) SKM_sk_delete_ptr(PKCS7_SIGNER_INFO, (st), (ptr))
 #define sk_PKCS7_SIGNER_INFO_insert(st, val, i) SKM_sk_insert(PKCS7_SIGNER_INFO, (st), (val), (i))
@@ -953,6 +1014,7 @@ STACK_OF(type) \
 #define sk_POLICYINFO_push(st, val) SKM_sk_push(POLICYINFO, (st), (val))
 #define sk_POLICYINFO_unshift(st, val) SKM_sk_unshift(POLICYINFO, (st), (val))
 #define sk_POLICYINFO_find(st, val) SKM_sk_find(POLICYINFO, (st), (val))
+#define sk_POLICYINFO_find_ex(st, val) SKM_sk_find_ex(POLICYINFO, (st), (val))
 #define sk_POLICYINFO_delete(st, i) SKM_sk_delete(POLICYINFO, (st), (i))
 #define sk_POLICYINFO_delete_ptr(st, ptr) SKM_sk_delete_ptr(POLICYINFO, (st), (ptr))
 #define sk_POLICYINFO_insert(st, val, i) SKM_sk_insert(POLICYINFO, (st), (val), (i))
@@ -974,6 +1036,7 @@ STACK_OF(type) \
 #define sk_POLICYQUALINFO_push(st, val) SKM_sk_push(POLICYQUALINFO, (st), (val))
 #define sk_POLICYQUALINFO_unshift(st, val) SKM_sk_unshift(POLICYQUALINFO, (st), (val))
 #define sk_POLICYQUALINFO_find(st, val) SKM_sk_find(POLICYQUALINFO, (st), (val))
+#define sk_POLICYQUALINFO_find_ex(st, val) SKM_sk_find_ex(POLICYQUALINFO, (st), (val))
 #define sk_POLICYQUALINFO_delete(st, i) SKM_sk_delete(POLICYQUALINFO, (st), (i))
 #define sk_POLICYQUALINFO_delete_ptr(st, ptr) SKM_sk_delete_ptr(POLICYQUALINFO, (st), (ptr))
 #define sk_POLICYQUALINFO_insert(st, val, i) SKM_sk_insert(POLICYQUALINFO, (st), (val), (i))
@@ -985,6 +1048,28 @@ STACK_OF(type) \
 #define sk_POLICYQUALINFO_sort(st) SKM_sk_sort(POLICYQUALINFO, (st))
 #define sk_POLICYQUALINFO_is_sorted(st) SKM_sk_is_sorted(POLICYQUALINFO, (st))
 
+#define sk_POLICY_MAPPING_new(st) SKM_sk_new(POLICY_MAPPING, (st))
+#define sk_POLICY_MAPPING_new_null() SKM_sk_new_null(POLICY_MAPPING)
+#define sk_POLICY_MAPPING_free(st) SKM_sk_free(POLICY_MAPPING, (st))
+#define sk_POLICY_MAPPING_num(st) SKM_sk_num(POLICY_MAPPING, (st))
+#define sk_POLICY_MAPPING_value(st, i) SKM_sk_value(POLICY_MAPPING, (st), (i))
+#define sk_POLICY_MAPPING_set(st, i, val) SKM_sk_set(POLICY_MAPPING, (st), (i), (val))
+#define sk_POLICY_MAPPING_zero(st) SKM_sk_zero(POLICY_MAPPING, (st))
+#define sk_POLICY_MAPPING_push(st, val) SKM_sk_push(POLICY_MAPPING, (st), (val))
+#define sk_POLICY_MAPPING_unshift(st, val) SKM_sk_unshift(POLICY_MAPPING, (st), (val))
+#define sk_POLICY_MAPPING_find(st, val) SKM_sk_find(POLICY_MAPPING, (st), (val))
+#define sk_POLICY_MAPPING_find_ex(st, val) SKM_sk_find_ex(POLICY_MAPPING, (st), (val))
+#define sk_POLICY_MAPPING_delete(st, i) SKM_sk_delete(POLICY_MAPPING, (st), (i))
+#define sk_POLICY_MAPPING_delete_ptr(st, ptr) SKM_sk_delete_ptr(POLICY_MAPPING, (st), (ptr))
+#define sk_POLICY_MAPPING_insert(st, val, i) SKM_sk_insert(POLICY_MAPPING, (st), (val), (i))
+#define sk_POLICY_MAPPING_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(POLICY_MAPPING, (st), (cmp))
+#define sk_POLICY_MAPPING_dup(st) SKM_sk_dup(POLICY_MAPPING, st)
+#define sk_POLICY_MAPPING_pop_free(st, free_func) SKM_sk_pop_free(POLICY_MAPPING, (st), (free_func))
+#define sk_POLICY_MAPPING_shift(st) SKM_sk_shift(POLICY_MAPPING, (st))
+#define sk_POLICY_MAPPING_pop(st) SKM_sk_pop(POLICY_MAPPING, (st))
+#define sk_POLICY_MAPPING_sort(st) SKM_sk_sort(POLICY_MAPPING, (st))
+#define sk_POLICY_MAPPING_is_sorted(st) SKM_sk_is_sorted(POLICY_MAPPING, (st))
+
 #define sk_SSL_CIPHER_new(st) SKM_sk_new(SSL_CIPHER, (st))
 #define sk_SSL_CIPHER_new_null() SKM_sk_new_null(SSL_CIPHER)
 #define sk_SSL_CIPHER_free(st) SKM_sk_free(SSL_CIPHER, (st))
@@ -995,6 +1080,7 @@ STACK_OF(type) \
 #define sk_SSL_CIPHER_push(st, val) SKM_sk_push(SSL_CIPHER, (st), (val))
 #define sk_SSL_CIPHER_unshift(st, val) SKM_sk_unshift(SSL_CIPHER, (st), (val))
 #define sk_SSL_CIPHER_find(st, val) SKM_sk_find(SSL_CIPHER, (st), (val))
+#define sk_SSL_CIPHER_find_ex(st, val) SKM_sk_find_ex(SSL_CIPHER, (st), (val))
 #define sk_SSL_CIPHER_delete(st, i) SKM_sk_delete(SSL_CIPHER, (st), (i))
 #define sk_SSL_CIPHER_delete_ptr(st, ptr) SKM_sk_delete_ptr(SSL_CIPHER, (st), (ptr))
 #define sk_SSL_CIPHER_insert(st, val, i) SKM_sk_insert(SSL_CIPHER, (st), (val), (i))
@@ -1016,6 +1102,7 @@ STACK_OF(type) \
 #define sk_SSL_COMP_push(st, val) SKM_sk_push(SSL_COMP, (st), (val))
 #define sk_SSL_COMP_unshift(st, val) SKM_sk_unshift(SSL_COMP, (st), (val))
 #define sk_SSL_COMP_find(st, val) SKM_sk_find(SSL_COMP, (st), (val))
+#define sk_SSL_COMP_find_ex(st, val) SKM_sk_find_ex(SSL_COMP, (st), (val))
 #define sk_SSL_COMP_delete(st, i) SKM_sk_delete(SSL_COMP, (st), (i))
 #define sk_SSL_COMP_delete_ptr(st, ptr) SKM_sk_delete_ptr(SSL_COMP, (st), (ptr))
 #define sk_SSL_COMP_insert(st, val, i) SKM_sk_insert(SSL_COMP, (st), (val), (i))
@@ -1027,6 +1114,28 @@ STACK_OF(type) \
 #define sk_SSL_COMP_sort(st) SKM_sk_sort(SSL_COMP, (st))
 #define sk_SSL_COMP_is_sorted(st) SKM_sk_is_sorted(SSL_COMP, (st))
 
+#define sk_STORE_OBJECT_new(st) SKM_sk_new(STORE_OBJECT, (st))
+#define sk_STORE_OBJECT_new_null() SKM_sk_new_null(STORE_OBJECT)
+#define sk_STORE_OBJECT_free(st) SKM_sk_free(STORE_OBJECT, (st))
+#define sk_STORE_OBJECT_num(st) SKM_sk_num(STORE_OBJECT, (st))
+#define sk_STORE_OBJECT_value(st, i) SKM_sk_value(STORE_OBJECT, (st), (i))
+#define sk_STORE_OBJECT_set(st, i, val) SKM_sk_set(STORE_OBJECT, (st), (i), (val))
+#define sk_STORE_OBJECT_zero(st) SKM_sk_zero(STORE_OBJECT, (st))
+#define sk_STORE_OBJECT_push(st, val) SKM_sk_push(STORE_OBJECT, (st), (val))
+#define sk_STORE_OBJECT_unshift(st, val) SKM_sk_unshift(STORE_OBJECT, (st), (val))
+#define sk_STORE_OBJECT_find(st, val) SKM_sk_find(STORE_OBJECT, (st), (val))
+#define sk_STORE_OBJECT_find_ex(st, val) SKM_sk_find_ex(STORE_OBJECT, (st), (val))
+#define sk_STORE_OBJECT_delete(st, i) SKM_sk_delete(STORE_OBJECT, (st), (i))
+#define sk_STORE_OBJECT_delete_ptr(st, ptr) SKM_sk_delete_ptr(STORE_OBJECT, (st), (ptr))
+#define sk_STORE_OBJECT_insert(st, val, i) SKM_sk_insert(STORE_OBJECT, (st), (val), (i))
+#define sk_STORE_OBJECT_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(STORE_OBJECT, (st), (cmp))
+#define sk_STORE_OBJECT_dup(st) SKM_sk_dup(STORE_OBJECT, st)
+#define sk_STORE_OBJECT_pop_free(st, free_func) SKM_sk_pop_free(STORE_OBJECT, (st), (free_func))
+#define sk_STORE_OBJECT_shift(st) SKM_sk_shift(STORE_OBJECT, (st))
+#define sk_STORE_OBJECT_pop(st) SKM_sk_pop(STORE_OBJECT, (st))
+#define sk_STORE_OBJECT_sort(st) SKM_sk_sort(STORE_OBJECT, (st))
+#define sk_STORE_OBJECT_is_sorted(st) SKM_sk_is_sorted(STORE_OBJECT, (st))
+
 #define sk_SXNETID_new(st) SKM_sk_new(SXNETID, (st))
 #define sk_SXNETID_new_null() SKM_sk_new_null(SXNETID)
 #define sk_SXNETID_free(st) SKM_sk_free(SXNETID, (st))
@@ -1037,6 +1146,7 @@ STACK_OF(type) \
 #define sk_SXNETID_push(st, val) SKM_sk_push(SXNETID, (st), (val))
 #define sk_SXNETID_unshift(st, val) SKM_sk_unshift(SXNETID, (st), (val))
 #define sk_SXNETID_find(st, val) SKM_sk_find(SXNETID, (st), (val))
+#define sk_SXNETID_find_ex(st, val) SKM_sk_find_ex(SXNETID, (st), (val))
 #define sk_SXNETID_delete(st, i) SKM_sk_delete(SXNETID, (st), (i))
 #define sk_SXNETID_delete_ptr(st, ptr) SKM_sk_delete_ptr(SXNETID, (st), (ptr))
 #define sk_SXNETID_insert(st, val, i) SKM_sk_insert(SXNETID, (st), (val), (i))
@@ -1058,6 +1168,7 @@ STACK_OF(type) \
 #define sk_UI_STRING_push(st, val) SKM_sk_push(UI_STRING, (st), (val))
 #define sk_UI_STRING_unshift(st, val) SKM_sk_unshift(UI_STRING, (st), (val))
 #define sk_UI_STRING_find(st, val) SKM_sk_find(UI_STRING, (st), (val))
+#define sk_UI_STRING_find_ex(st, val) SKM_sk_find_ex(UI_STRING, (st), (val))
 #define sk_UI_STRING_delete(st, i) SKM_sk_delete(UI_STRING, (st), (i))
 #define sk_UI_STRING_delete_ptr(st, ptr) SKM_sk_delete_ptr(UI_STRING, (st), (ptr))
 #define sk_UI_STRING_insert(st, val, i) SKM_sk_insert(UI_STRING, (st), (val), (i))
@@ -1079,6 +1190,7 @@ STACK_OF(type) \
 #define sk_X509_push(st, val) SKM_sk_push(X509, (st), (val))
 #define sk_X509_unshift(st, val) SKM_sk_unshift(X509, (st), (val))
 #define sk_X509_find(st, val) SKM_sk_find(X509, (st), (val))
+#define sk_X509_find_ex(st, val) SKM_sk_find_ex(X509, (st), (val))
 #define sk_X509_delete(st, i) SKM_sk_delete(X509, (st), (i))
 #define sk_X509_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509, (st), (ptr))
 #define sk_X509_insert(st, val, i) SKM_sk_insert(X509, (st), (val), (i))
@@ -1100,6 +1212,7 @@ STACK_OF(type) \
 #define sk_X509V3_EXT_METHOD_push(st, val) SKM_sk_push(X509V3_EXT_METHOD, (st), (val))
 #define sk_X509V3_EXT_METHOD_unshift(st, val) SKM_sk_unshift(X509V3_EXT_METHOD, (st), (val))
 #define sk_X509V3_EXT_METHOD_find(st, val) SKM_sk_find(X509V3_EXT_METHOD, (st), (val))
+#define sk_X509V3_EXT_METHOD_find_ex(st, val) SKM_sk_find_ex(X509V3_EXT_METHOD, (st), (val))
 #define sk_X509V3_EXT_METHOD_delete(st, i) SKM_sk_delete(X509V3_EXT_METHOD, (st), (i))
 #define sk_X509V3_EXT_METHOD_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509V3_EXT_METHOD, (st), (ptr))
 #define sk_X509V3_EXT_METHOD_insert(st, val, i) SKM_sk_insert(X509V3_EXT_METHOD, (st), (val), (i))
@@ -1121,6 +1234,7 @@ STACK_OF(type) \
 #define sk_X509_ALGOR_push(st, val) SKM_sk_push(X509_ALGOR, (st), (val))
 #define sk_X509_ALGOR_unshift(st, val) SKM_sk_unshift(X509_ALGOR, (st), (val))
 #define sk_X509_ALGOR_find(st, val) SKM_sk_find(X509_ALGOR, (st), (val))
+#define sk_X509_ALGOR_find_ex(st, val) SKM_sk_find_ex(X509_ALGOR, (st), (val))
 #define sk_X509_ALGOR_delete(st, i) SKM_sk_delete(X509_ALGOR, (st), (i))
 #define sk_X509_ALGOR_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_ALGOR, (st), (ptr))
 #define sk_X509_ALGOR_insert(st, val, i) SKM_sk_insert(X509_ALGOR, (st), (val), (i))
@@ -1142,6 +1256,7 @@ STACK_OF(type) \
 #define sk_X509_ATTRIBUTE_push(st, val) SKM_sk_push(X509_ATTRIBUTE, (st), (val))
 #define sk_X509_ATTRIBUTE_unshift(st, val) SKM_sk_unshift(X509_ATTRIBUTE, (st), (val))
 #define sk_X509_ATTRIBUTE_find(st, val) SKM_sk_find(X509_ATTRIBUTE, (st), (val))
+#define sk_X509_ATTRIBUTE_find_ex(st, val) SKM_sk_find_ex(X509_ATTRIBUTE, (st), (val))
 #define sk_X509_ATTRIBUTE_delete(st, i) SKM_sk_delete(X509_ATTRIBUTE, (st), (i))
 #define sk_X509_ATTRIBUTE_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_ATTRIBUTE, (st), (ptr))
 #define sk_X509_ATTRIBUTE_insert(st, val, i) SKM_sk_insert(X509_ATTRIBUTE, (st), (val), (i))
@@ -1163,6 +1278,7 @@ STACK_OF(type) \
 #define sk_X509_CRL_push(st, val) SKM_sk_push(X509_CRL, (st), (val))
 #define sk_X509_CRL_unshift(st, val) SKM_sk_unshift(X509_CRL, (st), (val))
 #define sk_X509_CRL_find(st, val) SKM_sk_find(X509_CRL, (st), (val))
+#define sk_X509_CRL_find_ex(st, val) SKM_sk_find_ex(X509_CRL, (st), (val))
 #define sk_X509_CRL_delete(st, i) SKM_sk_delete(X509_CRL, (st), (i))
 #define sk_X509_CRL_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_CRL, (st), (ptr))
 #define sk_X509_CRL_insert(st, val, i) SKM_sk_insert(X509_CRL, (st), (val), (i))
@@ -1184,6 +1300,7 @@ STACK_OF(type) \
 #define sk_X509_EXTENSION_push(st, val) SKM_sk_push(X509_EXTENSION, (st), (val))
 #define sk_X509_EXTENSION_unshift(st, val) SKM_sk_unshift(X509_EXTENSION, (st), (val))
 #define sk_X509_EXTENSION_find(st, val) SKM_sk_find(X509_EXTENSION, (st), (val))
+#define sk_X509_EXTENSION_find_ex(st, val) SKM_sk_find_ex(X509_EXTENSION, (st), (val))
 #define sk_X509_EXTENSION_delete(st, i) SKM_sk_delete(X509_EXTENSION, (st), (i))
 #define sk_X509_EXTENSION_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_EXTENSION, (st), (ptr))
 #define sk_X509_EXTENSION_insert(st, val, i) SKM_sk_insert(X509_EXTENSION, (st), (val), (i))
@@ -1205,6 +1322,7 @@ STACK_OF(type) \
 #define sk_X509_INFO_push(st, val) SKM_sk_push(X509_INFO, (st), (val))
 #define sk_X509_INFO_unshift(st, val) SKM_sk_unshift(X509_INFO, (st), (val))
 #define sk_X509_INFO_find(st, val) SKM_sk_find(X509_INFO, (st), (val))
+#define sk_X509_INFO_find_ex(st, val) SKM_sk_find_ex(X509_INFO, (st), (val))
 #define sk_X509_INFO_delete(st, i) SKM_sk_delete(X509_INFO, (st), (i))
 #define sk_X509_INFO_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_INFO, (st), (ptr))
 #define sk_X509_INFO_insert(st, val, i) SKM_sk_insert(X509_INFO, (st), (val), (i))
@@ -1226,6 +1344,7 @@ STACK_OF(type) \
 #define sk_X509_LOOKUP_push(st, val) SKM_sk_push(X509_LOOKUP, (st), (val))
 #define sk_X509_LOOKUP_unshift(st, val) SKM_sk_unshift(X509_LOOKUP, (st), (val))
 #define sk_X509_LOOKUP_find(st, val) SKM_sk_find(X509_LOOKUP, (st), (val))
+#define sk_X509_LOOKUP_find_ex(st, val) SKM_sk_find_ex(X509_LOOKUP, (st), (val))
 #define sk_X509_LOOKUP_delete(st, i) SKM_sk_delete(X509_LOOKUP, (st), (i))
 #define sk_X509_LOOKUP_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_LOOKUP, (st), (ptr))
 #define sk_X509_LOOKUP_insert(st, val, i) SKM_sk_insert(X509_LOOKUP, (st), (val), (i))
@@ -1247,6 +1366,7 @@ STACK_OF(type) \
 #define sk_X509_NAME_push(st, val) SKM_sk_push(X509_NAME, (st), (val))
 #define sk_X509_NAME_unshift(st, val) SKM_sk_unshift(X509_NAME, (st), (val))
 #define sk_X509_NAME_find(st, val) SKM_sk_find(X509_NAME, (st), (val))
+#define sk_X509_NAME_find_ex(st, val) SKM_sk_find_ex(X509_NAME, (st), (val))
 #define sk_X509_NAME_delete(st, i) SKM_sk_delete(X509_NAME, (st), (i))
 #define sk_X509_NAME_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_NAME, (st), (ptr))
 #define sk_X509_NAME_insert(st, val, i) SKM_sk_insert(X509_NAME, (st), (val), (i))
@@ -1268,6 +1388,7 @@ STACK_OF(type) \
 #define sk_X509_NAME_ENTRY_push(st, val) SKM_sk_push(X509_NAME_ENTRY, (st), (val))
 #define sk_X509_NAME_ENTRY_unshift(st, val) SKM_sk_unshift(X509_NAME_ENTRY, (st), (val))
 #define sk_X509_NAME_ENTRY_find(st, val) SKM_sk_find(X509_NAME_ENTRY, (st), (val))
+#define sk_X509_NAME_ENTRY_find_ex(st, val) SKM_sk_find_ex(X509_NAME_ENTRY, (st), (val))
 #define sk_X509_NAME_ENTRY_delete(st, i) SKM_sk_delete(X509_NAME_ENTRY, (st), (i))
 #define sk_X509_NAME_ENTRY_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_NAME_ENTRY, (st), (ptr))
 #define sk_X509_NAME_ENTRY_insert(st, val, i) SKM_sk_insert(X509_NAME_ENTRY, (st), (val), (i))
@@ -1289,6 +1410,7 @@ STACK_OF(type) \
 #define sk_X509_OBJECT_push(st, val) SKM_sk_push(X509_OBJECT, (st), (val))
 #define sk_X509_OBJECT_unshift(st, val) SKM_sk_unshift(X509_OBJECT, (st), (val))
 #define sk_X509_OBJECT_find(st, val) SKM_sk_find(X509_OBJECT, (st), (val))
+#define sk_X509_OBJECT_find_ex(st, val) SKM_sk_find_ex(X509_OBJECT, (st), (val))
 #define sk_X509_OBJECT_delete(st, i) SKM_sk_delete(X509_OBJECT, (st), (i))
 #define sk_X509_OBJECT_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_OBJECT, (st), (ptr))
 #define sk_X509_OBJECT_insert(st, val, i) SKM_sk_insert(X509_OBJECT, (st), (val), (i))
@@ -1300,6 +1422,72 @@ STACK_OF(type) \
 #define sk_X509_OBJECT_sort(st) SKM_sk_sort(X509_OBJECT, (st))
 #define sk_X509_OBJECT_is_sorted(st) SKM_sk_is_sorted(X509_OBJECT, (st))
 
+#define sk_X509_POLICY_DATA_new(st) SKM_sk_new(X509_POLICY_DATA, (st))
+#define sk_X509_POLICY_DATA_new_null() SKM_sk_new_null(X509_POLICY_DATA)
+#define sk_X509_POLICY_DATA_free(st) SKM_sk_free(X509_POLICY_DATA, (st))
+#define sk_X509_POLICY_DATA_num(st) SKM_sk_num(X509_POLICY_DATA, (st))
+#define sk_X509_POLICY_DATA_value(st, i) SKM_sk_value(X509_POLICY_DATA, (st), (i))
+#define sk_X509_POLICY_DATA_set(st, i, val) SKM_sk_set(X509_POLICY_DATA, (st), (i), (val))
+#define sk_X509_POLICY_DATA_zero(st) SKM_sk_zero(X509_POLICY_DATA, (st))
+#define sk_X509_POLICY_DATA_push(st, val) SKM_sk_push(X509_POLICY_DATA, (st), (val))
+#define sk_X509_POLICY_DATA_unshift(st, val) SKM_sk_unshift(X509_POLICY_DATA, (st), (val))
+#define sk_X509_POLICY_DATA_find(st, val) SKM_sk_find(X509_POLICY_DATA, (st), (val))
+#define sk_X509_POLICY_DATA_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_DATA, (st), (val))
+#define sk_X509_POLICY_DATA_delete(st, i) SKM_sk_delete(X509_POLICY_DATA, (st), (i))
+#define sk_X509_POLICY_DATA_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_DATA, (st), (ptr))
+#define sk_X509_POLICY_DATA_insert(st, val, i) SKM_sk_insert(X509_POLICY_DATA, (st), (val), (i))
+#define sk_X509_POLICY_DATA_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_DATA, (st), (cmp))
+#define sk_X509_POLICY_DATA_dup(st) SKM_sk_dup(X509_POLICY_DATA, st)
+#define sk_X509_POLICY_DATA_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_DATA, (st), (free_func))
+#define sk_X509_POLICY_DATA_shift(st) SKM_sk_shift(X509_POLICY_DATA, (st))
+#define sk_X509_POLICY_DATA_pop(st) SKM_sk_pop(X509_POLICY_DATA, (st))
+#define sk_X509_POLICY_DATA_sort(st) SKM_sk_sort(X509_POLICY_DATA, (st))
+#define sk_X509_POLICY_DATA_is_sorted(st) SKM_sk_is_sorted(X509_POLICY_DATA, (st))
+
+#define sk_X509_POLICY_NODE_new(st) SKM_sk_new(X509_POLICY_NODE, (st))
+#define sk_X509_POLICY_NODE_new_null() SKM_sk_new_null(X509_POLICY_NODE)
+#define sk_X509_POLICY_NODE_free(st) SKM_sk_free(X509_POLICY_NODE, (st))
+#define sk_X509_POLICY_NODE_num(st) SKM_sk_num(X509_POLICY_NODE, (st))
+#define sk_X509_POLICY_NODE_value(st, i) SKM_sk_value(X509_POLICY_NODE, (st), (i))
+#define sk_X509_POLICY_NODE_set(st, i, val) SKM_sk_set(X509_POLICY_NODE, (st), (i), (val))
+#define sk_X509_POLICY_NODE_zero(st) SKM_sk_zero(X509_POLICY_NODE, (st))
+#define sk_X509_POLICY_NODE_push(st, val) SKM_sk_push(X509_POLICY_NODE, (st), (val))
+#define sk_X509_POLICY_NODE_unshift(st, val) SKM_sk_unshift(X509_POLICY_NODE, (st), (val))
+#define sk_X509_POLICY_NODE_find(st, val) SKM_sk_find(X509_POLICY_NODE, (st), (val))
+#define sk_X509_POLICY_NODE_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_NODE, (st), (val))
+#define sk_X509_POLICY_NODE_delete(st, i) SKM_sk_delete(X509_POLICY_NODE, (st), (i))
+#define sk_X509_POLICY_NODE_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_NODE, (st), (ptr))
+#define sk_X509_POLICY_NODE_insert(st, val, i) SKM_sk_insert(X509_POLICY_NODE, (st), (val), (i))
+#define sk_X509_POLICY_NODE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_NODE, (st), (cmp))
+#define sk_X509_POLICY_NODE_dup(st) SKM_sk_dup(X509_POLICY_NODE, st)
+#define sk_X509_POLICY_NODE_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_NODE, (st), (free_func))
+#define sk_X509_POLICY_NODE_shift(st) SKM_sk_shift(X509_POLICY_NODE, (st))
+#define sk_X509_POLICY_NODE_pop(st) SKM_sk_pop(X509_POLICY_NODE, (st))
+#define sk_X509_POLICY_NODE_sort(st) SKM_sk_sort(X509_POLICY_NODE, (st))
+#define sk_X509_POLICY_NODE_is_sorted(st) SKM_sk_is_sorted(X509_POLICY_NODE, (st))
+
+#define sk_X509_POLICY_REF_new(st) SKM_sk_new(X509_POLICY_REF, (st))
+#define sk_X509_POLICY_REF_new_null() SKM_sk_new_null(X509_POLICY_REF)
+#define sk_X509_POLICY_REF_free(st) SKM_sk_free(X509_POLICY_REF, (st))
+#define sk_X509_POLICY_REF_num(st) SKM_sk_num(X509_POLICY_REF, (st))
+#define sk_X509_POLICY_REF_value(st, i) SKM_sk_value(X509_POLICY_REF, (st), (i))
+#define sk_X509_POLICY_REF_set(st, i, val) SKM_sk_set(X509_POLICY_REF, (st), (i), (val))
+#define sk_X509_POLICY_REF_zero(st) SKM_sk_zero(X509_POLICY_REF, (st))
+#define sk_X509_POLICY_REF_push(st, val) SKM_sk_push(X509_POLICY_REF, (st), (val))
+#define sk_X509_POLICY_REF_unshift(st, val) SKM_sk_unshift(X509_POLICY_REF, (st), (val))
+#define sk_X509_POLICY_REF_find(st, val) SKM_sk_find(X509_POLICY_REF, (st), (val))
+#define sk_X509_POLICY_REF_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_REF, (st), (val))
+#define sk_X509_POLICY_REF_delete(st, i) SKM_sk_delete(X509_POLICY_REF, (st), (i))
+#define sk_X509_POLICY_REF_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_REF, (st), (ptr))
+#define sk_X509_POLICY_REF_insert(st, val, i) SKM_sk_insert(X509_POLICY_REF, (st), (val), (i))
+#define sk_X509_POLICY_REF_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_REF, (st), (cmp))
+#define sk_X509_POLICY_REF_dup(st) SKM_sk_dup(X509_POLICY_REF, st)
+#define sk_X509_POLICY_REF_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_REF, (st), (free_func))
+#define sk_X509_POLICY_REF_shift(st) SKM_sk_shift(X509_POLICY_REF, (st))
+#define sk_X509_POLICY_REF_pop(st) SKM_sk_pop(X509_POLICY_REF, (st))
+#define sk_X509_POLICY_REF_sort(st) SKM_sk_sort(X509_POLICY_REF, (st))
+#define sk_X509_POLICY_REF_is_sorted(st) SKM_sk_is_sorted(X509_POLICY_REF, (st))
+
 #define sk_X509_PURPOSE_new(st) SKM_sk_new(X509_PURPOSE, (st))
 #define sk_X509_PURPOSE_new_null() SKM_sk_new_null(X509_PURPOSE)
 #define sk_X509_PURPOSE_free(st) SKM_sk_free(X509_PURPOSE, (st))
@@ -1310,6 +1498,7 @@ STACK_OF(type) \
 #define sk_X509_PURPOSE_push(st, val) SKM_sk_push(X509_PURPOSE, (st), (val))
 #define sk_X509_PURPOSE_unshift(st, val) SKM_sk_unshift(X509_PURPOSE, (st), (val))
 #define sk_X509_PURPOSE_find(st, val) SKM_sk_find(X509_PURPOSE, (st), (val))
+#define sk_X509_PURPOSE_find_ex(st, val) SKM_sk_find_ex(X509_PURPOSE, (st), (val))
 #define sk_X509_PURPOSE_delete(st, i) SKM_sk_delete(X509_PURPOSE, (st), (i))
 #define sk_X509_PURPOSE_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_PURPOSE, (st), (ptr))
 #define sk_X509_PURPOSE_insert(st, val, i) SKM_sk_insert(X509_PURPOSE, (st), (val), (i))
@@ -1331,6 +1520,7 @@ STACK_OF(type) \
 #define sk_X509_REVOKED_push(st, val) SKM_sk_push(X509_REVOKED, (st), (val))
 #define sk_X509_REVOKED_unshift(st, val) SKM_sk_unshift(X509_REVOKED, (st), (val))
 #define sk_X509_REVOKED_find(st, val) SKM_sk_find(X509_REVOKED, (st), (val))
+#define sk_X509_REVOKED_find_ex(st, val) SKM_sk_find_ex(X509_REVOKED, (st), (val))
 #define sk_X509_REVOKED_delete(st, i) SKM_sk_delete(X509_REVOKED, (st), (i))
 #define sk_X509_REVOKED_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_REVOKED, (st), (ptr))
 #define sk_X509_REVOKED_insert(st, val, i) SKM_sk_insert(X509_REVOKED, (st), (val), (i))
@@ -1352,6 +1542,7 @@ STACK_OF(type) \
 #define sk_X509_TRUST_push(st, val) SKM_sk_push(X509_TRUST, (st), (val))
 #define sk_X509_TRUST_unshift(st, val) SKM_sk_unshift(X509_TRUST, (st), (val))
 #define sk_X509_TRUST_find(st, val) SKM_sk_find(X509_TRUST, (st), (val))
+#define sk_X509_TRUST_find_ex(st, val) SKM_sk_find_ex(X509_TRUST, (st), (val))
 #define sk_X509_TRUST_delete(st, i) SKM_sk_delete(X509_TRUST, (st), (i))
 #define sk_X509_TRUST_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_TRUST, (st), (ptr))
 #define sk_X509_TRUST_insert(st, val, i) SKM_sk_insert(X509_TRUST, (st), (val), (i))
@@ -1363,6 +1554,28 @@ STACK_OF(type) \
 #define sk_X509_TRUST_sort(st) SKM_sk_sort(X509_TRUST, (st))
 #define sk_X509_TRUST_is_sorted(st) SKM_sk_is_sorted(X509_TRUST, (st))
 
+#define sk_X509_VERIFY_PARAM_new(st) SKM_sk_new(X509_VERIFY_PARAM, (st))
+#define sk_X509_VERIFY_PARAM_new_null() SKM_sk_new_null(X509_VERIFY_PARAM)
+#define sk_X509_VERIFY_PARAM_free(st) SKM_sk_free(X509_VERIFY_PARAM, (st))
+#define sk_X509_VERIFY_PARAM_num(st) SKM_sk_num(X509_VERIFY_PARAM, (st))
+#define sk_X509_VERIFY_PARAM_value(st, i) SKM_sk_value(X509_VERIFY_PARAM, (st), (i))
+#define sk_X509_VERIFY_PARAM_set(st, i, val) SKM_sk_set(X509_VERIFY_PARAM, (st), (i), (val))
+#define sk_X509_VERIFY_PARAM_zero(st) SKM_sk_zero(X509_VERIFY_PARAM, (st))
+#define sk_X509_VERIFY_PARAM_push(st, val) SKM_sk_push(X509_VERIFY_PARAM, (st), (val))
+#define sk_X509_VERIFY_PARAM_unshift(st, val) SKM_sk_unshift(X509_VERIFY_PARAM, (st), (val))
+#define sk_X509_VERIFY_PARAM_find(st, val) SKM_sk_find(X509_VERIFY_PARAM, (st), (val))
+#define sk_X509_VERIFY_PARAM_find_ex(st, val) SKM_sk_find_ex(X509_VERIFY_PARAM, (st), (val))
+#define sk_X509_VERIFY_PARAM_delete(st, i) SKM_sk_delete(X509_VERIFY_PARAM, (st), (i))
+#define sk_X509_VERIFY_PARAM_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_VERIFY_PARAM, (st), (ptr))
+#define sk_X509_VERIFY_PARAM_insert(st, val, i) SKM_sk_insert(X509_VERIFY_PARAM, (st), (val), (i))
+#define sk_X509_VERIFY_PARAM_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_VERIFY_PARAM, (st), (cmp))
+#define sk_X509_VERIFY_PARAM_dup(st) SKM_sk_dup(X509_VERIFY_PARAM, st)
+#define sk_X509_VERIFY_PARAM_pop_free(st, free_func) SKM_sk_pop_free(X509_VERIFY_PARAM, (st), (free_func))
+#define sk_X509_VERIFY_PARAM_shift(st) SKM_sk_shift(X509_VERIFY_PARAM, (st))
+#define sk_X509_VERIFY_PARAM_pop(st) SKM_sk_pop(X509_VERIFY_PARAM, (st))
+#define sk_X509_VERIFY_PARAM_sort(st) SKM_sk_sort(X509_VERIFY_PARAM, (st))
+#define sk_X509_VERIFY_PARAM_is_sorted(st) SKM_sk_is_sorted(X509_VERIFY_PARAM, (st))
+
 #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
 	SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 
 #define i2d_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, i2d_func, ex_tag, ex_class, is_set) \
diff --git a/crypto/openssl/crypto/stack/stack.c b/crypto/openssl/crypto/stack/stack.c
index c7173eb6ab21..5967a2c73563 100644
--- a/crypto/openssl/crypto/stack/stack.c
+++ b/crypto/openssl/crypto/stack/stack.c
@@ -68,6 +68,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/stack.h>
+#include <openssl/objects.h>
 
 #undef MIN_NODES
 #define MIN_NODES	4
@@ -209,7 +210,7 @@ char *sk_delete(STACK *st, int loc)
 	return(ret);
 	}
 
-int sk_find(STACK *st, char *data)
+static int internal_find(STACK *st, char *data, int ret_val_options)
 	{
 	char **r;
 	int i;
@@ -232,19 +233,19 @@ int sk_find(STACK *st, char *data)
 	 * not (type *) pointers, but the *pointers* to (type *) pointers,
 	 * so we get our extra level of pointer dereferencing that way. */
 	comp_func=(int (*)(const void *,const void *))(st->comp);
-	r=(char **)bsearch(&data,(char *)st->data,
-		st->num,sizeof(char *), comp_func);
+	r=(char **)OBJ_bsearch_ex((char *)&data,(char *)st->data,
+		st->num,sizeof(char *),comp_func,ret_val_options);
 	if (r == NULL) return(-1);
-	i=(int)(r-st->data);
-	for ( ; i>0; i--)
-		/* This needs a cast because the type being pointed to from
-		 * the "&" expressions are (char *) rather than (const char *).
-		 * For an explanation, read:
-		 * http://www.eskimo.com/~scs/C-faq/q11.10.html :-) */
-		if ((*st->comp)((const char * const *)&(st->data[i-1]),
-				(const char * const *)&data) < 0)
-			break;
-	return(i);
+	return((int)(r-st->data));
+	}
+
+int sk_find(STACK *st, char *data)
+	{
+	return internal_find(st, data, OBJ_BSEARCH_FIRST_VALUE_ON_MATCH);
+	}
+int sk_find_ex(STACK *st, char *data)
+	{
+	return internal_find(st, data, OBJ_BSEARCH_VALUE_ON_NOMATCH);
 	}
 
 int sk_push(STACK *st, char *data)
diff --git a/crypto/openssl/crypto/stack/stack.h b/crypto/openssl/crypto/stack/stack.h
index 7570b85fe851..5cbb116a8b2f 100644
--- a/crypto/openssl/crypto/stack/stack.h
+++ b/crypto/openssl/crypto/stack/stack.h
@@ -89,6 +89,7 @@ int sk_insert(STACK *sk,char *data,int where);
 char *sk_delete(STACK *st,int loc);
 char *sk_delete_ptr(STACK *st, char *p);
 int sk_find(STACK *st,char *data);
+int sk_find_ex(STACK *st,char *data);
 int sk_push(STACK *st,char *data);
 int sk_unshift(STACK *st,char *data);
 char *sk_shift(STACK *st);
diff --git a/crypto/openssl/crypto/store/Makefile b/crypto/openssl/crypto/store/Makefile
new file mode 100644
index 000000000000..0dcfd7857a37
--- /dev/null
+++ b/crypto/openssl/crypto/store/Makefile
@@ -0,0 +1,112 @@
+#
+# OpenSSL/crypto/store/Makefile
+#
+
+DIR=	store
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g
+MAKEFILE=	Makefile
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+#TEST= storetest.c
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= str_err.c str_lib.c str_meth.c str_mem.c
+LIBOBJ= str_err.o str_lib.o str_meth.o str_mem.o
+
+SRC= $(LIBSRC)
+
+#EXHEADER= store.h str_compat.h
+EXHEADER= store.h
+HEADER=	$(EXHEADER) str_locl.h
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB) || echo Never mind.
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+links:
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+str_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+str_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+str_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+str_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+str_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+str_err.o: ../../include/openssl/store.h ../../include/openssl/symhacks.h
+str_err.o: str_err.c
+str_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+str_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+str_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+str_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+str_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+str_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+str_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+str_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+str_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+str_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+str_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+str_lib.o: ../../include/openssl/store.h ../../include/openssl/symhacks.h
+str_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+str_lib.o: str_lib.c str_locl.h
+str_mem.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+str_mem.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+str_mem.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+str_mem.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+str_mem.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+str_mem.o: ../../include/openssl/store.h ../../include/openssl/symhacks.h
+str_mem.o: str_locl.h str_mem.c
+str_meth.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+str_meth.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+str_meth.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+str_meth.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+str_meth.o: ../../include/openssl/store.h ../../include/openssl/symhacks.h
+str_meth.o: str_locl.h str_meth.c
diff --git a/crypto/openssl/crypto/store/README b/crypto/openssl/crypto/store/README
new file mode 100644
index 000000000000..966168f6a5a8
--- /dev/null
+++ b/crypto/openssl/crypto/store/README
@@ -0,0 +1,95 @@
+The STORE type
+==============
+
+A STORE, as defined in this code section, is really a rather simple
+thing which stores objects and per-object associations to a number
+of attributes.  What attributes are supported entirely depends on
+the particular implementation of a STORE.  It has some support for
+generation of certain objects (for example, keys and CRLs).
+
+
+Supported object types
+----------------------
+
+For now, the objects that are supported are the following:
+
+X.509 certificate
+X.509 CRL
+private key
+public key
+number
+arbitrary (application) data
+
+The intention is that a STORE should be able to store everything
+needed by an application that wants a cert/key store, as well as
+the data a CA might need to store (this includes the serial number
+counter, which explains the support for numbers).
+
+
+Supported attribute types
+-------------------------
+
+For now, the following attributes are supported:
+
+Friendly Name		- the value is a normal C string
+Key ID			- the value is a 160 bit SHA1 hash
+Issuer Key ID		- the value is a 160 bit SHA1 hash
+Subject Key ID		- the value is a 160 bit SHA1 hash
+Issuer/Serial Hash	- the value is a 160 bit SHA1 hash
+Issuer			- the value is a X509_NAME
+Serial			- the value is a BIGNUM
+Subject			- the value is a X509_NAME
+Certificate Hash	- the value is a 160 bit SHA1 hash
+Email			- the value is a normal C string
+Filename		- the value is a normal C string
+
+It is expected that these attributes should be enough to support
+the need from most, if not all, current applications.  Applications
+that need to do certificate verification would typically use Subject
+Key ID, Issuer/Serial Hash or Subject to look up issuer certificates.
+S/MIME applications would typically use Email to look up recipient
+and signer certificates.
+
+There's added support for combined sets of attributes to search for,
+with the special OR attribute.
+
+
+Supported basic functionality
+-----------------------------
+
+The functions that are supported through the STORE type are these:
+
+generate_object		- for example to generate keys and CRLs
+get_object		- to look up one object
+			  NOTE: this function is really rather
+			  redundant and probably of lesser usage
+			  than the list functions
+store_object		- store an object and the attributes
+			  associated with it
+modify_object		- modify the attributes associated with
+			  a specific object
+revoke_object		- revoke an object
+			  NOTE: this only marks an object as
+			  invalid, it doesn't remove the object
+			  from the database
+delete_object		- remove an object from the database
+list_object		- list objects associated with a given
+			  set of attributes
+			  NOTE: this is really four functions:
+			  list_start, list_next, list_end and
+			  list_endp
+update_store		- update the internal data of the store
+lock_store		- lock the store
+unlock_store		- unlock the store
+
+The list functions need some extra explanation: list_start is
+used to set up a lookup.  That's where the attributes to use in
+the search are set up.  It returns a search context.  list_next
+returns the next object searched for.  list_end closes the search.
+list_endp is used to check if we have reached the end.
+
+A few words on the store functions as well: update_store is
+typically used by a CA application to update the internal
+structure of a database.  This may for example involve automatic
+removal of expired certificates.  lock_store and unlock_store
+are used for locking a store to allow exclusive writes.
diff --git a/crypto/openssl/crypto/store/store.h b/crypto/openssl/crypto/store/store.h
new file mode 100644
index 000000000000..64583377a94a
--- /dev/null
+++ b/crypto/openssl/crypto/store/store.h
@@ -0,0 +1,554 @@
+/* crypto/store/store.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2003.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_STORE_H
+#define HEADER_STORE_H
+
+#include <openssl/ossl_typ.h>
+#ifndef OPENSSL_NO_DEPRECATED
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/x509.h>
+#endif
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* Already defined in ossl_typ.h */
+/* typedef struct store_st STORE; */
+/* typedef struct store_method_st STORE_METHOD; */
+
+
+/* All the following functions return 0, a negative number or NULL on error.
+   When everything is fine, they return a positive value or a non-NULL
+   pointer, all depending on their purpose. */
+
+/* Creators and destructor.   */
+STORE *STORE_new_method(const STORE_METHOD *method);
+STORE *STORE_new_engine(ENGINE *engine);
+void STORE_free(STORE *ui);
+
+
+/* Give a user interface parametrised control commands.  This can be used to
+   send down an integer, a data pointer or a function pointer, as well as
+   be used to get information from a STORE. */
+int STORE_ctrl(STORE *store, int cmd, long i, void *p, void (*f)(void));
+
+/* A control to set the directory with keys and certificates.  Used by the
+   built-in directory level method. */
+#define STORE_CTRL_SET_DIRECTORY	0x0001
+/* A control to set a file to load.  Used by the built-in file level method. */
+#define STORE_CTRL_SET_FILE		0x0002
+/* A control to set a configuration file to load.  Can be used by any method
+   that wishes to load a configuration file. */
+#define STORE_CTRL_SET_CONF_FILE	0x0003
+/* A control to set a the section of the loaded configuration file.  Can be
+   used by any method that wishes to load a configuration file. */
+#define STORE_CTRL_SET_CONF_SECTION	0x0004
+
+
+/* Some methods may use extra data */
+#define STORE_set_app_data(s,arg)	STORE_set_ex_data(s,0,arg)
+#define STORE_get_app_data(s)		STORE_get_ex_data(s,0)
+int STORE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int STORE_set_ex_data(STORE *r,int idx,void *arg);
+void *STORE_get_ex_data(STORE *r, int idx);
+
+/* Use specific methods instead of the built-in one */
+const STORE_METHOD *STORE_get_method(STORE *store);
+const STORE_METHOD *STORE_set_method(STORE *store, const STORE_METHOD *meth);
+
+/* The standard OpenSSL methods. */
+/* This is the in-memory method.  It does everything except revoking and updating,
+   and is of course volatile.  It's used by other methods that have an in-memory
+   cache. */
+const STORE_METHOD *STORE_Memory(void);
+#if 0 /* Not yet implemented */
+/* This is the directory store.  It does everything except revoking and updating,
+   and uses STORE_Memory() to cache things in memory. */
+const STORE_METHOD *STORE_Directory(void);
+/* This is the file store.  It does everything except revoking and updating,
+   and uses STORE_Memory() to cache things in memory.  Certificates are added
+   to it with the store operation, and it will only get cached certificates. */
+const STORE_METHOD *STORE_File(void);
+#endif
+
+/* Store functions take a type code for the type of data they should store
+   or fetch */
+typedef enum STORE_object_types
+	{
+	STORE_OBJECT_TYPE_X509_CERTIFICATE=	0x01, /* X509 * */
+	STORE_OBJECT_TYPE_X509_CRL=		0x02, /* X509_CRL * */
+	STORE_OBJECT_TYPE_PRIVATE_KEY=		0x03, /* EVP_PKEY * */
+	STORE_OBJECT_TYPE_PUBLIC_KEY=		0x04, /* EVP_PKEY * */
+	STORE_OBJECT_TYPE_NUMBER=		0x05, /* BIGNUM * */
+	STORE_OBJECT_TYPE_ARBITRARY=		0x06, /* BUF_MEM * */
+	STORE_OBJECT_TYPE_NUM=			0x06  /* The amount of known
+							 object types */
+	} STORE_OBJECT_TYPES;
+/* List of text strings corresponding to the object types. */
+extern const char * const STORE_object_type_string[STORE_OBJECT_TYPE_NUM+1];
+
+/* Some store functions take a parameter list.  Those parameters come with
+   one of the following codes. The comments following the codes below indicate
+   what type the value should be a pointer to. */
+typedef enum STORE_params
+	{
+	STORE_PARAM_EVP_TYPE=			0x01, /* int */
+	STORE_PARAM_BITS=			0x02, /* size_t */
+	STORE_PARAM_KEY_PARAMETERS=		0x03, /* ??? */
+	STORE_PARAM_KEY_NO_PARAMETERS=		0x04, /* N/A */
+	STORE_PARAM_AUTH_PASSPHRASE=		0x05, /* char * */
+	STORE_PARAM_AUTH_KRB5_TICKET=		0x06, /* void * */
+	STORE_PARAM_TYPE_NUM=			0x06  /* The amount of known
+							 parameter types */
+	} STORE_PARAM_TYPES;
+/* Parameter value sizes.  -1 means unknown, anything else is the required size. */
+extern const int STORE_param_sizes[STORE_PARAM_TYPE_NUM+1];
+
+/* Store functions take attribute lists.  Those attributes come with codes.
+   The comments following the codes below indicate what type the value should
+   be a pointer to. */
+typedef enum STORE_attribs
+	{
+	STORE_ATTR_END=				0x00,
+	STORE_ATTR_FRIENDLYNAME=		0x01, /* C string */
+	STORE_ATTR_KEYID=			0x02, /* 160 bit string (SHA1) */
+	STORE_ATTR_ISSUERKEYID=			0x03, /* 160 bit string (SHA1) */
+	STORE_ATTR_SUBJECTKEYID=		0x04, /* 160 bit string (SHA1) */
+	STORE_ATTR_ISSUERSERIALHASH=		0x05, /* 160 bit string (SHA1) */
+	STORE_ATTR_ISSUER=			0x06, /* X509_NAME * */
+	STORE_ATTR_SERIAL=			0x07, /* BIGNUM * */
+	STORE_ATTR_SUBJECT=			0x08, /* X509_NAME * */
+	STORE_ATTR_CERTHASH=			0x09, /* 160 bit string (SHA1) */
+	STORE_ATTR_EMAIL=			0x0a, /* C string */
+	STORE_ATTR_FILENAME=			0x0b, /* C string */
+	STORE_ATTR_TYPE_NUM=			0x0b, /* The amount of known
+							 attribute types */
+	STORE_ATTR_OR=				0xff  /* This is a special
+							 separator, which
+							 expresses the OR
+							 operation.  */
+	} STORE_ATTR_TYPES;
+/* Attribute value sizes.  -1 means unknown, anything else is the required size. */
+extern const int STORE_attr_sizes[STORE_ATTR_TYPE_NUM+1];
+
+typedef enum STORE_certificate_status
+	{
+	STORE_X509_VALID=			0x00,
+	STORE_X509_EXPIRED=			0x01,
+	STORE_X509_SUSPENDED=			0x02,
+	STORE_X509_REVOKED=			0x03
+	} STORE_CERTIFICATE_STATUS;
+
+/* Engine store functions will return a structure that contains all the necessary
+ * information, including revokation status for certificates.  This is really not
+ * needed for application authors, as the ENGINE framework functions will extract
+ * the OpenSSL-specific information when at all possible.  However, for engine
+ * authors, it's crucial to know this structure.  */
+typedef struct STORE_OBJECT_st
+	{
+	STORE_OBJECT_TYPES type;
+	union
+		{
+		struct
+			{
+			STORE_CERTIFICATE_STATUS status;
+			X509 *certificate;
+			} x509;
+		X509_CRL *crl;
+		EVP_PKEY *key;
+		BIGNUM *number;
+		BUF_MEM *arbitrary;
+		} data;
+	} STORE_OBJECT;
+DECLARE_STACK_OF(STORE_OBJECT)
+STORE_OBJECT *STORE_OBJECT_new(void);
+void STORE_OBJECT_free(STORE_OBJECT *data);
+
+
+
+/* The following functions handle the storage. They return 0, a negative number
+   or NULL on error, anything else on success. */
+X509 *STORE_get_certificate(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_store_certificate(STORE *e, X509 *data, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_modify_certificate(STORE *e, OPENSSL_ITEM search_attributes[],
+	OPENSSL_ITEM add_attributes[], OPENSSL_ITEM modify_attributes[],
+	OPENSSL_ITEM delete_attributes[], OPENSSL_ITEM parameters[]);
+int STORE_revoke_certificate(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_delete_certificate(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+void *STORE_list_certificate_start(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+X509 *STORE_list_certificate_next(STORE *e, void *handle);
+int STORE_list_certificate_end(STORE *e, void *handle);
+int STORE_list_certificate_endp(STORE *e, void *handle);
+EVP_PKEY *STORE_generate_key(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+EVP_PKEY *STORE_get_private_key(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_store_private_key(STORE *e, EVP_PKEY *data,
+	OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[]);
+int STORE_modify_private_key(STORE *e, OPENSSL_ITEM search_attributes[],
+	OPENSSL_ITEM add_sttributes[], OPENSSL_ITEM modify_attributes[],
+	OPENSSL_ITEM delete_attributes[], OPENSSL_ITEM parameters[]);
+int STORE_revoke_private_key(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_delete_private_key(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+void *STORE_list_private_key_start(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+EVP_PKEY *STORE_list_private_key_next(STORE *e, void *handle);
+int STORE_list_private_key_end(STORE *e, void *handle);
+int STORE_list_private_key_endp(STORE *e, void *handle);
+EVP_PKEY *STORE_get_public_key(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_store_public_key(STORE *e, EVP_PKEY *data, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_modify_public_key(STORE *e, OPENSSL_ITEM search_attributes[],
+	OPENSSL_ITEM add_sttributes[], OPENSSL_ITEM modify_attributes[],
+	OPENSSL_ITEM delete_attributes[], OPENSSL_ITEM parameters[]);
+int STORE_revoke_public_key(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_delete_public_key(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+void *STORE_list_public_key_start(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+EVP_PKEY *STORE_list_public_key_next(STORE *e, void *handle);
+int STORE_list_public_key_end(STORE *e, void *handle);
+int STORE_list_public_key_endp(STORE *e, void *handle);
+X509_CRL *STORE_generate_crl(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+X509_CRL *STORE_get_crl(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_store_crl(STORE *e, X509_CRL *data, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_modify_crl(STORE *e, OPENSSL_ITEM search_attributes[],
+	OPENSSL_ITEM add_sttributes[], OPENSSL_ITEM modify_attributes[],
+	OPENSSL_ITEM delete_attributes[], OPENSSL_ITEM parameters[]);
+int STORE_delete_crl(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+void *STORE_list_crl_start(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+X509_CRL *STORE_list_crl_next(STORE *e, void *handle);
+int STORE_list_crl_end(STORE *e, void *handle);
+int STORE_list_crl_endp(STORE *e, void *handle);
+int STORE_store_number(STORE *e, BIGNUM *data, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_modify_number(STORE *e, OPENSSL_ITEM search_attributes[],
+	OPENSSL_ITEM add_sttributes[], OPENSSL_ITEM modify_attributes[],
+	OPENSSL_ITEM delete_attributes[], OPENSSL_ITEM parameters[]);
+BIGNUM *STORE_get_number(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_delete_number(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_store_arbitrary(STORE *e, BUF_MEM *data, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_modify_arbitrary(STORE *e, OPENSSL_ITEM search_attributes[],
+	OPENSSL_ITEM add_sttributes[], OPENSSL_ITEM modify_attributes[],
+	OPENSSL_ITEM delete_attributes[], OPENSSL_ITEM parameters[]);
+BUF_MEM *STORE_get_arbitrary(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+int STORE_delete_arbitrary(STORE *e, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+
+
+/* Create and manipulate methods */
+STORE_METHOD *STORE_create_method(char *name);
+void STORE_destroy_method(STORE_METHOD *store_method);
+
+/* These callback types are use for store handlers */
+typedef int (*STORE_INITIALISE_FUNC_PTR)(STORE *);
+typedef void (*STORE_CLEANUP_FUNC_PTR)(STORE *);
+typedef STORE_OBJECT *(*STORE_GENERATE_OBJECT_FUNC_PTR)(STORE *, STORE_OBJECT_TYPES type, OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[]);
+typedef STORE_OBJECT *(*STORE_GET_OBJECT_FUNC_PTR)(STORE *, STORE_OBJECT_TYPES type, OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[]);
+typedef void *(*STORE_START_OBJECT_FUNC_PTR)(STORE *, STORE_OBJECT_TYPES type, OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[]);
+typedef STORE_OBJECT *(*STORE_NEXT_OBJECT_FUNC_PTR)(STORE *, void *handle);
+typedef int (*STORE_END_OBJECT_FUNC_PTR)(STORE *, void *handle);
+typedef int (*STORE_HANDLE_OBJECT_FUNC_PTR)(STORE *, STORE_OBJECT_TYPES type, OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[]);
+typedef int (*STORE_STORE_OBJECT_FUNC_PTR)(STORE *, STORE_OBJECT_TYPES type, STORE_OBJECT *data, OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[]);
+typedef int (*STORE_MODIFY_OBJECT_FUNC_PTR)(STORE *, STORE_OBJECT_TYPES type, OPENSSL_ITEM search_attributes[], OPENSSL_ITEM add_attributes[], OPENSSL_ITEM modify_attributes[], OPENSSL_ITEM delete_attributes[], OPENSSL_ITEM parameters[]);
+typedef int (*STORE_GENERIC_FUNC_PTR)(STORE *, OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[]);
+typedef int (*STORE_CTRL_FUNC_PTR)(STORE *, int cmd, long l, void *p, void (*f)(void));
+
+int STORE_method_set_initialise_function(STORE_METHOD *sm, STORE_INITIALISE_FUNC_PTR init_f);
+int STORE_method_set_cleanup_function(STORE_METHOD *sm, STORE_CLEANUP_FUNC_PTR clean_f);
+int STORE_method_set_generate_function(STORE_METHOD *sm, STORE_GENERATE_OBJECT_FUNC_PTR generate_f);
+int STORE_method_set_get_function(STORE_METHOD *sm, STORE_GET_OBJECT_FUNC_PTR get_f);
+int STORE_method_set_store_function(STORE_METHOD *sm, STORE_STORE_OBJECT_FUNC_PTR store_f);
+int STORE_method_set_modify_function(STORE_METHOD *sm, STORE_MODIFY_OBJECT_FUNC_PTR store_f);
+int STORE_method_set_revoke_function(STORE_METHOD *sm, STORE_HANDLE_OBJECT_FUNC_PTR revoke_f);
+int STORE_method_set_delete_function(STORE_METHOD *sm, STORE_HANDLE_OBJECT_FUNC_PTR delete_f);
+int STORE_method_set_list_start_function(STORE_METHOD *sm, STORE_START_OBJECT_FUNC_PTR list_start_f);
+int STORE_method_set_list_next_function(STORE_METHOD *sm, STORE_NEXT_OBJECT_FUNC_PTR list_next_f);
+int STORE_method_set_list_end_function(STORE_METHOD *sm, STORE_END_OBJECT_FUNC_PTR list_end_f);
+int STORE_method_set_update_store_function(STORE_METHOD *sm, STORE_GENERIC_FUNC_PTR);
+int STORE_method_set_lock_store_function(STORE_METHOD *sm, STORE_GENERIC_FUNC_PTR);
+int STORE_method_set_unlock_store_function(STORE_METHOD *sm, STORE_GENERIC_FUNC_PTR);
+int STORE_method_set_ctrl_function(STORE_METHOD *sm, STORE_CTRL_FUNC_PTR ctrl_f);
+
+STORE_INITIALISE_FUNC_PTR STORE_method_get_initialise_function(STORE_METHOD *sm);
+STORE_CLEANUP_FUNC_PTR STORE_method_get_cleanup_function(STORE_METHOD *sm);
+STORE_GENERATE_OBJECT_FUNC_PTR STORE_method_get_generate_function(STORE_METHOD *sm);
+STORE_GET_OBJECT_FUNC_PTR STORE_method_get_get_function(STORE_METHOD *sm);
+STORE_STORE_OBJECT_FUNC_PTR STORE_method_get_store_function(STORE_METHOD *sm);
+STORE_MODIFY_OBJECT_FUNC_PTR STORE_method_get_modify_function(STORE_METHOD *sm);
+STORE_HANDLE_OBJECT_FUNC_PTR STORE_method_get_revoke_function(STORE_METHOD *sm);
+STORE_HANDLE_OBJECT_FUNC_PTR STORE_method_get_delete_function(STORE_METHOD *sm);
+STORE_START_OBJECT_FUNC_PTR STORE_method_get_list_start_function(STORE_METHOD *sm);
+STORE_NEXT_OBJECT_FUNC_PTR STORE_method_get_list_next_function(STORE_METHOD *sm);
+STORE_END_OBJECT_FUNC_PTR STORE_method_get_list_end_function(STORE_METHOD *sm);
+STORE_GENERIC_FUNC_PTR STORE_method_get_update_store_function(STORE_METHOD *sm);
+STORE_GENERIC_FUNC_PTR STORE_method_get_lock_store_function(STORE_METHOD *sm);
+STORE_GENERIC_FUNC_PTR STORE_method_get_unlock_store_function(STORE_METHOD *sm);
+STORE_CTRL_FUNC_PTR STORE_method_get_ctrl_function(STORE_METHOD *sm);
+
+/* Method helper structures and functions. */
+
+/* This structure is the result of parsing through the information in a list
+   of OPENSSL_ITEMs.  It stores all the necessary information in a structured
+   way.*/
+typedef struct STORE_attr_info_st STORE_ATTR_INFO;
+
+/* Parse a list of OPENSSL_ITEMs and return a pointer to a STORE_ATTR_INFO.
+   Note that we do this in the list form, since the list of OPENSSL_ITEMs can
+   come in blocks separated with STORE_ATTR_OR.  Note that the value returned
+   by STORE_parse_attrs_next() must be freed with STORE_ATTR_INFO_free(). */
+void *STORE_parse_attrs_start(OPENSSL_ITEM *attributes);
+STORE_ATTR_INFO *STORE_parse_attrs_next(void *handle);
+int STORE_parse_attrs_end(void *handle);
+int STORE_parse_attrs_endp(void *handle);
+
+/* Creator and destructor */
+STORE_ATTR_INFO *STORE_ATTR_INFO_new(void);
+int STORE_ATTR_INFO_free(STORE_ATTR_INFO *attrs);
+
+/* Manipulators */
+char *STORE_ATTR_INFO_get0_cstr(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code);
+unsigned char *STORE_ATTR_INFO_get0_sha1str(STORE_ATTR_INFO *attrs,
+	STORE_ATTR_TYPES code);
+X509_NAME *STORE_ATTR_INFO_get0_dn(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code);
+BIGNUM *STORE_ATTR_INFO_get0_number(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code);
+int STORE_ATTR_INFO_set_cstr(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	char *cstr, size_t cstr_size);
+int STORE_ATTR_INFO_set_sha1str(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	unsigned char *sha1str, size_t sha1str_size);
+int STORE_ATTR_INFO_set_dn(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	X509_NAME *dn);
+int STORE_ATTR_INFO_set_number(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	BIGNUM *number);
+int STORE_ATTR_INFO_modify_cstr(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	char *cstr, size_t cstr_size);
+int STORE_ATTR_INFO_modify_sha1str(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	unsigned char *sha1str, size_t sha1str_size);
+int STORE_ATTR_INFO_modify_dn(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	X509_NAME *dn);
+int STORE_ATTR_INFO_modify_number(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	BIGNUM *number);
+
+/* Compare on basis of a bit pattern formed by the STORE_ATTR_TYPES values
+   in each contained attribute. */
+int STORE_ATTR_INFO_compare(STORE_ATTR_INFO *a, STORE_ATTR_INFO *b);
+/* Check if the set of attributes in a is within the range of attributes
+   set in b. */
+int STORE_ATTR_INFO_in_range(STORE_ATTR_INFO *a, STORE_ATTR_INFO *b);
+/* Check if the set of attributes in a are also set in b. */
+int STORE_ATTR_INFO_in(STORE_ATTR_INFO *a, STORE_ATTR_INFO *b);
+/* Same as STORE_ATTR_INFO_in(), but also checks the attribute values. */
+int STORE_ATTR_INFO_in_ex(STORE_ATTR_INFO *a, STORE_ATTR_INFO *b);
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_STORE_strings(void);
+
+/* Error codes for the STORE functions. */
+
+/* Function codes. */
+#define STORE_F_MEM_DELETE				 134
+#define STORE_F_MEM_GENERATE				 135
+#define STORE_F_MEM_LIST_END				 168
+#define STORE_F_MEM_LIST_NEXT				 136
+#define STORE_F_MEM_LIST_START				 137
+#define STORE_F_MEM_MODIFY				 169
+#define STORE_F_MEM_STORE				 138
+#define STORE_F_STORE_ATTR_INFO_GET0_CSTR		 139
+#define STORE_F_STORE_ATTR_INFO_GET0_DN			 140
+#define STORE_F_STORE_ATTR_INFO_GET0_NUMBER		 141
+#define STORE_F_STORE_ATTR_INFO_GET0_SHA1STR		 142
+#define STORE_F_STORE_ATTR_INFO_MODIFY_CSTR		 143
+#define STORE_F_STORE_ATTR_INFO_MODIFY_DN		 144
+#define STORE_F_STORE_ATTR_INFO_MODIFY_NUMBER		 145
+#define STORE_F_STORE_ATTR_INFO_MODIFY_SHA1STR		 146
+#define STORE_F_STORE_ATTR_INFO_SET_CSTR		 147
+#define STORE_F_STORE_ATTR_INFO_SET_DN			 148
+#define STORE_F_STORE_ATTR_INFO_SET_NUMBER		 149
+#define STORE_F_STORE_ATTR_INFO_SET_SHA1STR		 150
+#define STORE_F_STORE_CERTIFICATE			 170
+#define STORE_F_STORE_CTRL				 161
+#define STORE_F_STORE_DELETE_ARBITRARY			 158
+#define STORE_F_STORE_DELETE_CERTIFICATE		 102
+#define STORE_F_STORE_DELETE_CRL			 103
+#define STORE_F_STORE_DELETE_NUMBER			 104
+#define STORE_F_STORE_DELETE_PRIVATE_KEY		 105
+#define STORE_F_STORE_DELETE_PUBLIC_KEY			 106
+#define STORE_F_STORE_GENERATE_CRL			 107
+#define STORE_F_STORE_GENERATE_KEY			 108
+#define STORE_F_STORE_GET_ARBITRARY			 159
+#define STORE_F_STORE_GET_CERTIFICATE			 109
+#define STORE_F_STORE_GET_CRL				 110
+#define STORE_F_STORE_GET_NUMBER			 111
+#define STORE_F_STORE_GET_PRIVATE_KEY			 112
+#define STORE_F_STORE_GET_PUBLIC_KEY			 113
+#define STORE_F_STORE_LIST_CERTIFICATE_END		 114
+#define STORE_F_STORE_LIST_CERTIFICATE_ENDP		 153
+#define STORE_F_STORE_LIST_CERTIFICATE_NEXT		 115
+#define STORE_F_STORE_LIST_CERTIFICATE_START		 116
+#define STORE_F_STORE_LIST_CRL_END			 117
+#define STORE_F_STORE_LIST_CRL_ENDP			 154
+#define STORE_F_STORE_LIST_CRL_NEXT			 118
+#define STORE_F_STORE_LIST_CRL_START			 119
+#define STORE_F_STORE_LIST_PRIVATE_KEY_END		 120
+#define STORE_F_STORE_LIST_PRIVATE_KEY_ENDP		 155
+#define STORE_F_STORE_LIST_PRIVATE_KEY_NEXT		 121
+#define STORE_F_STORE_LIST_PRIVATE_KEY_START		 122
+#define STORE_F_STORE_LIST_PUBLIC_KEY_END		 123
+#define STORE_F_STORE_LIST_PUBLIC_KEY_ENDP		 156
+#define STORE_F_STORE_LIST_PUBLIC_KEY_NEXT		 124
+#define STORE_F_STORE_LIST_PUBLIC_KEY_START		 125
+#define STORE_F_STORE_MODIFY_ARBITRARY			 162
+#define STORE_F_STORE_MODIFY_CERTIFICATE		 163
+#define STORE_F_STORE_MODIFY_CRL			 164
+#define STORE_F_STORE_MODIFY_NUMBER			 165
+#define STORE_F_STORE_MODIFY_PRIVATE_KEY		 166
+#define STORE_F_STORE_MODIFY_PUBLIC_KEY			 167
+#define STORE_F_STORE_NEW_ENGINE			 133
+#define STORE_F_STORE_NEW_METHOD			 132
+#define STORE_F_STORE_PARSE_ATTRS_END			 151
+#define STORE_F_STORE_PARSE_ATTRS_ENDP			 172
+#define STORE_F_STORE_PARSE_ATTRS_NEXT			 152
+#define STORE_F_STORE_PARSE_ATTRS_START			 171
+#define STORE_F_STORE_REVOKE_CERTIFICATE		 129
+#define STORE_F_STORE_REVOKE_PRIVATE_KEY		 130
+#define STORE_F_STORE_REVOKE_PUBLIC_KEY			 131
+#define STORE_F_STORE_STORE_ARBITRARY			 157
+#define STORE_F_STORE_STORE_CERTIFICATE			 100
+#define STORE_F_STORE_STORE_CRL				 101
+#define STORE_F_STORE_STORE_NUMBER			 126
+#define STORE_F_STORE_STORE_PRIVATE_KEY			 127
+#define STORE_F_STORE_STORE_PUBLIC_KEY			 128
+
+/* Reason codes. */
+#define STORE_R_ALREADY_HAS_A_VALUE			 127
+#define STORE_R_FAILED_DELETING_ARBITRARY		 132
+#define STORE_R_FAILED_DELETING_CERTIFICATE		 100
+#define STORE_R_FAILED_DELETING_KEY			 101
+#define STORE_R_FAILED_DELETING_NUMBER			 102
+#define STORE_R_FAILED_GENERATING_CRL			 103
+#define STORE_R_FAILED_GENERATING_KEY			 104
+#define STORE_R_FAILED_GETTING_ARBITRARY		 133
+#define STORE_R_FAILED_GETTING_CERTIFICATE		 105
+#define STORE_R_FAILED_GETTING_KEY			 106
+#define STORE_R_FAILED_GETTING_NUMBER			 107
+#define STORE_R_FAILED_LISTING_CERTIFICATES		 108
+#define STORE_R_FAILED_LISTING_KEYS			 109
+#define STORE_R_FAILED_MODIFYING_ARBITRARY		 138
+#define STORE_R_FAILED_MODIFYING_CERTIFICATE		 139
+#define STORE_R_FAILED_MODIFYING_CRL			 140
+#define STORE_R_FAILED_MODIFYING_NUMBER			 141
+#define STORE_R_FAILED_MODIFYING_PRIVATE_KEY		 142
+#define STORE_R_FAILED_MODIFYING_PUBLIC_KEY		 143
+#define STORE_R_FAILED_REVOKING_CERTIFICATE		 110
+#define STORE_R_FAILED_REVOKING_KEY			 111
+#define STORE_R_FAILED_STORING_ARBITRARY		 134
+#define STORE_R_FAILED_STORING_CERTIFICATE		 112
+#define STORE_R_FAILED_STORING_KEY			 113
+#define STORE_R_FAILED_STORING_NUMBER			 114
+#define STORE_R_NOT_IMPLEMENTED				 128
+#define STORE_R_NO_CONTROL_FUNCTION			 144
+#define STORE_R_NO_DELETE_ARBITRARY_FUNCTION		 135
+#define STORE_R_NO_DELETE_NUMBER_FUNCTION		 115
+#define STORE_R_NO_DELETE_OBJECT_FUNCTION		 116
+#define STORE_R_NO_GENERATE_CRL_FUNCTION		 117
+#define STORE_R_NO_GENERATE_OBJECT_FUNCTION		 118
+#define STORE_R_NO_GET_OBJECT_ARBITRARY_FUNCTION	 136
+#define STORE_R_NO_GET_OBJECT_FUNCTION			 119
+#define STORE_R_NO_GET_OBJECT_NUMBER_FUNCTION		 120
+#define STORE_R_NO_LIST_OBJECT_ENDP_FUNCTION		 131
+#define STORE_R_NO_LIST_OBJECT_END_FUNCTION		 121
+#define STORE_R_NO_LIST_OBJECT_NEXT_FUNCTION		 122
+#define STORE_R_NO_LIST_OBJECT_START_FUNCTION		 123
+#define STORE_R_NO_MODIFY_OBJECT_FUNCTION		 145
+#define STORE_R_NO_REVOKE_OBJECT_FUNCTION		 124
+#define STORE_R_NO_STORE				 129
+#define STORE_R_NO_STORE_OBJECT_ARBITRARY_FUNCTION	 137
+#define STORE_R_NO_STORE_OBJECT_FUNCTION		 125
+#define STORE_R_NO_STORE_OBJECT_NUMBER_FUNCTION		 126
+#define STORE_R_NO_VALUE				 130
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/crypto/openssl/crypto/store/str_err.c b/crypto/openssl/crypto/store/str_err.c
new file mode 100644
index 000000000000..5c6fe832e860
--- /dev/null
+++ b/crypto/openssl/crypto/store/str_err.c
@@ -0,0 +1,214 @@
+/* crypto/store/str_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/store.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_STORE,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_STORE,0,reason)
+
+static ERR_STRING_DATA STORE_str_functs[]=
+	{
+{ERR_FUNC(STORE_F_MEM_DELETE),	"MEM_DELETE"},
+{ERR_FUNC(STORE_F_MEM_GENERATE),	"MEM_GENERATE"},
+{ERR_FUNC(STORE_F_MEM_LIST_END),	"MEM_LIST_END"},
+{ERR_FUNC(STORE_F_MEM_LIST_NEXT),	"MEM_LIST_NEXT"},
+{ERR_FUNC(STORE_F_MEM_LIST_START),	"MEM_LIST_START"},
+{ERR_FUNC(STORE_F_MEM_MODIFY),	"MEM_MODIFY"},
+{ERR_FUNC(STORE_F_MEM_STORE),	"MEM_STORE"},
+{ERR_FUNC(STORE_F_STORE_ATTR_INFO_GET0_CSTR),	"STORE_ATTR_INFO_get0_cstr"},
+{ERR_FUNC(STORE_F_STORE_ATTR_INFO_GET0_DN),	"STORE_ATTR_INFO_get0_dn"},
+{ERR_FUNC(STORE_F_STORE_ATTR_INFO_GET0_NUMBER),	"STORE_ATTR_INFO_get0_number"},
+{ERR_FUNC(STORE_F_STORE_ATTR_INFO_GET0_SHA1STR),	"STORE_ATTR_INFO_get0_sha1str"},
+{ERR_FUNC(STORE_F_STORE_ATTR_INFO_MODIFY_CSTR),	"STORE_ATTR_INFO_modify_cstr"},
+{ERR_FUNC(STORE_F_STORE_ATTR_INFO_MODIFY_DN),	"STORE_ATTR_INFO_modify_dn"},
+{ERR_FUNC(STORE_F_STORE_ATTR_INFO_MODIFY_NUMBER),	"STORE_ATTR_INFO_modify_number"},
+{ERR_FUNC(STORE_F_STORE_ATTR_INFO_MODIFY_SHA1STR),	"STORE_ATTR_INFO_modify_sha1str"},
+{ERR_FUNC(STORE_F_STORE_ATTR_INFO_SET_CSTR),	"STORE_ATTR_INFO_set_cstr"},
+{ERR_FUNC(STORE_F_STORE_ATTR_INFO_SET_DN),	"STORE_ATTR_INFO_set_dn"},
+{ERR_FUNC(STORE_F_STORE_ATTR_INFO_SET_NUMBER),	"STORE_ATTR_INFO_set_number"},
+{ERR_FUNC(STORE_F_STORE_ATTR_INFO_SET_SHA1STR),	"STORE_ATTR_INFO_set_sha1str"},
+{ERR_FUNC(STORE_F_STORE_CERTIFICATE),	"STORE_CERTIFICATE"},
+{ERR_FUNC(STORE_F_STORE_CTRL),	"STORE_ctrl"},
+{ERR_FUNC(STORE_F_STORE_DELETE_ARBITRARY),	"STORE_delete_arbitrary"},
+{ERR_FUNC(STORE_F_STORE_DELETE_CERTIFICATE),	"STORE_delete_certificate"},
+{ERR_FUNC(STORE_F_STORE_DELETE_CRL),	"STORE_delete_crl"},
+{ERR_FUNC(STORE_F_STORE_DELETE_NUMBER),	"STORE_delete_number"},
+{ERR_FUNC(STORE_F_STORE_DELETE_PRIVATE_KEY),	"STORE_delete_private_key"},
+{ERR_FUNC(STORE_F_STORE_DELETE_PUBLIC_KEY),	"STORE_delete_public_key"},
+{ERR_FUNC(STORE_F_STORE_GENERATE_CRL),	"STORE_generate_crl"},
+{ERR_FUNC(STORE_F_STORE_GENERATE_KEY),	"STORE_generate_key"},
+{ERR_FUNC(STORE_F_STORE_GET_ARBITRARY),	"STORE_get_arbitrary"},
+{ERR_FUNC(STORE_F_STORE_GET_CERTIFICATE),	"STORE_get_certificate"},
+{ERR_FUNC(STORE_F_STORE_GET_CRL),	"STORE_get_crl"},
+{ERR_FUNC(STORE_F_STORE_GET_NUMBER),	"STORE_get_number"},
+{ERR_FUNC(STORE_F_STORE_GET_PRIVATE_KEY),	"STORE_get_private_key"},
+{ERR_FUNC(STORE_F_STORE_GET_PUBLIC_KEY),	"STORE_get_public_key"},
+{ERR_FUNC(STORE_F_STORE_LIST_CERTIFICATE_END),	"STORE_list_certificate_end"},
+{ERR_FUNC(STORE_F_STORE_LIST_CERTIFICATE_ENDP),	"STORE_list_certificate_endp"},
+{ERR_FUNC(STORE_F_STORE_LIST_CERTIFICATE_NEXT),	"STORE_list_certificate_next"},
+{ERR_FUNC(STORE_F_STORE_LIST_CERTIFICATE_START),	"STORE_list_certificate_start"},
+{ERR_FUNC(STORE_F_STORE_LIST_CRL_END),	"STORE_list_crl_end"},
+{ERR_FUNC(STORE_F_STORE_LIST_CRL_ENDP),	"STORE_list_crl_endp"},
+{ERR_FUNC(STORE_F_STORE_LIST_CRL_NEXT),	"STORE_list_crl_next"},
+{ERR_FUNC(STORE_F_STORE_LIST_CRL_START),	"STORE_list_crl_start"},
+{ERR_FUNC(STORE_F_STORE_LIST_PRIVATE_KEY_END),	"STORE_list_private_key_end"},
+{ERR_FUNC(STORE_F_STORE_LIST_PRIVATE_KEY_ENDP),	"STORE_list_private_key_endp"},
+{ERR_FUNC(STORE_F_STORE_LIST_PRIVATE_KEY_NEXT),	"STORE_list_private_key_next"},
+{ERR_FUNC(STORE_F_STORE_LIST_PRIVATE_KEY_START),	"STORE_list_private_key_start"},
+{ERR_FUNC(STORE_F_STORE_LIST_PUBLIC_KEY_END),	"STORE_list_public_key_end"},
+{ERR_FUNC(STORE_F_STORE_LIST_PUBLIC_KEY_ENDP),	"STORE_list_public_key_endp"},
+{ERR_FUNC(STORE_F_STORE_LIST_PUBLIC_KEY_NEXT),	"STORE_list_public_key_next"},
+{ERR_FUNC(STORE_F_STORE_LIST_PUBLIC_KEY_START),	"STORE_list_public_key_start"},
+{ERR_FUNC(STORE_F_STORE_MODIFY_ARBITRARY),	"STORE_modify_arbitrary"},
+{ERR_FUNC(STORE_F_STORE_MODIFY_CERTIFICATE),	"STORE_modify_certificate"},
+{ERR_FUNC(STORE_F_STORE_MODIFY_CRL),	"STORE_modify_crl"},
+{ERR_FUNC(STORE_F_STORE_MODIFY_NUMBER),	"STORE_modify_number"},
+{ERR_FUNC(STORE_F_STORE_MODIFY_PRIVATE_KEY),	"STORE_modify_private_key"},
+{ERR_FUNC(STORE_F_STORE_MODIFY_PUBLIC_KEY),	"STORE_modify_public_key"},
+{ERR_FUNC(STORE_F_STORE_NEW_ENGINE),	"STORE_new_engine"},
+{ERR_FUNC(STORE_F_STORE_NEW_METHOD),	"STORE_new_method"},
+{ERR_FUNC(STORE_F_STORE_PARSE_ATTRS_END),	"STORE_parse_attrs_end"},
+{ERR_FUNC(STORE_F_STORE_PARSE_ATTRS_ENDP),	"STORE_parse_attrs_endp"},
+{ERR_FUNC(STORE_F_STORE_PARSE_ATTRS_NEXT),	"STORE_parse_attrs_next"},
+{ERR_FUNC(STORE_F_STORE_PARSE_ATTRS_START),	"STORE_parse_attrs_start"},
+{ERR_FUNC(STORE_F_STORE_REVOKE_CERTIFICATE),	"STORE_revoke_certificate"},
+{ERR_FUNC(STORE_F_STORE_REVOKE_PRIVATE_KEY),	"STORE_revoke_private_key"},
+{ERR_FUNC(STORE_F_STORE_REVOKE_PUBLIC_KEY),	"STORE_revoke_public_key"},
+{ERR_FUNC(STORE_F_STORE_STORE_ARBITRARY),	"STORE_store_arbitrary"},
+{ERR_FUNC(STORE_F_STORE_STORE_CERTIFICATE),	"STORE_store_certificate"},
+{ERR_FUNC(STORE_F_STORE_STORE_CRL),	"STORE_store_crl"},
+{ERR_FUNC(STORE_F_STORE_STORE_NUMBER),	"STORE_store_number"},
+{ERR_FUNC(STORE_F_STORE_STORE_PRIVATE_KEY),	"STORE_store_private_key"},
+{ERR_FUNC(STORE_F_STORE_STORE_PUBLIC_KEY),	"STORE_store_public_key"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA STORE_str_reasons[]=
+	{
+{ERR_REASON(STORE_R_ALREADY_HAS_A_VALUE) ,"already has a value"},
+{ERR_REASON(STORE_R_FAILED_DELETING_ARBITRARY),"failed deleting arbitrary"},
+{ERR_REASON(STORE_R_FAILED_DELETING_CERTIFICATE),"failed deleting certificate"},
+{ERR_REASON(STORE_R_FAILED_DELETING_KEY) ,"failed deleting key"},
+{ERR_REASON(STORE_R_FAILED_DELETING_NUMBER),"failed deleting number"},
+{ERR_REASON(STORE_R_FAILED_GENERATING_CRL),"failed generating crl"},
+{ERR_REASON(STORE_R_FAILED_GENERATING_KEY),"failed generating key"},
+{ERR_REASON(STORE_R_FAILED_GETTING_ARBITRARY),"failed getting arbitrary"},
+{ERR_REASON(STORE_R_FAILED_GETTING_CERTIFICATE),"failed getting certificate"},
+{ERR_REASON(STORE_R_FAILED_GETTING_KEY)  ,"failed getting key"},
+{ERR_REASON(STORE_R_FAILED_GETTING_NUMBER),"failed getting number"},
+{ERR_REASON(STORE_R_FAILED_LISTING_CERTIFICATES),"failed listing certificates"},
+{ERR_REASON(STORE_R_FAILED_LISTING_KEYS) ,"failed listing keys"},
+{ERR_REASON(STORE_R_FAILED_MODIFYING_ARBITRARY),"failed modifying arbitrary"},
+{ERR_REASON(STORE_R_FAILED_MODIFYING_CERTIFICATE),"failed modifying certificate"},
+{ERR_REASON(STORE_R_FAILED_MODIFYING_CRL),"failed modifying crl"},
+{ERR_REASON(STORE_R_FAILED_MODIFYING_NUMBER),"failed modifying number"},
+{ERR_REASON(STORE_R_FAILED_MODIFYING_PRIVATE_KEY),"failed modifying private key"},
+{ERR_REASON(STORE_R_FAILED_MODIFYING_PUBLIC_KEY),"failed modifying public key"},
+{ERR_REASON(STORE_R_FAILED_REVOKING_CERTIFICATE),"failed revoking certificate"},
+{ERR_REASON(STORE_R_FAILED_REVOKING_KEY) ,"failed revoking key"},
+{ERR_REASON(STORE_R_FAILED_STORING_ARBITRARY),"failed storing arbitrary"},
+{ERR_REASON(STORE_R_FAILED_STORING_CERTIFICATE),"failed storing certificate"},
+{ERR_REASON(STORE_R_FAILED_STORING_KEY)  ,"failed storing key"},
+{ERR_REASON(STORE_R_FAILED_STORING_NUMBER),"failed storing number"},
+{ERR_REASON(STORE_R_NOT_IMPLEMENTED)     ,"not implemented"},
+{ERR_REASON(STORE_R_NO_CONTROL_FUNCTION) ,"no control function"},
+{ERR_REASON(STORE_R_NO_DELETE_ARBITRARY_FUNCTION),"no delete arbitrary function"},
+{ERR_REASON(STORE_R_NO_DELETE_NUMBER_FUNCTION),"no delete number function"},
+{ERR_REASON(STORE_R_NO_DELETE_OBJECT_FUNCTION),"no delete object function"},
+{ERR_REASON(STORE_R_NO_GENERATE_CRL_FUNCTION),"no generate crl function"},
+{ERR_REASON(STORE_R_NO_GENERATE_OBJECT_FUNCTION),"no generate object function"},
+{ERR_REASON(STORE_R_NO_GET_OBJECT_ARBITRARY_FUNCTION),"no get object arbitrary function"},
+{ERR_REASON(STORE_R_NO_GET_OBJECT_FUNCTION),"no get object function"},
+{ERR_REASON(STORE_R_NO_GET_OBJECT_NUMBER_FUNCTION),"no get object number function"},
+{ERR_REASON(STORE_R_NO_LIST_OBJECT_ENDP_FUNCTION),"no list object endp function"},
+{ERR_REASON(STORE_R_NO_LIST_OBJECT_END_FUNCTION),"no list object end function"},
+{ERR_REASON(STORE_R_NO_LIST_OBJECT_NEXT_FUNCTION),"no list object next function"},
+{ERR_REASON(STORE_R_NO_LIST_OBJECT_START_FUNCTION),"no list object start function"},
+{ERR_REASON(STORE_R_NO_MODIFY_OBJECT_FUNCTION),"no modify object function"},
+{ERR_REASON(STORE_R_NO_REVOKE_OBJECT_FUNCTION),"no revoke object function"},
+{ERR_REASON(STORE_R_NO_STORE)            ,"no store"},
+{ERR_REASON(STORE_R_NO_STORE_OBJECT_ARBITRARY_FUNCTION),"no store object arbitrary function"},
+{ERR_REASON(STORE_R_NO_STORE_OBJECT_FUNCTION),"no store object function"},
+{ERR_REASON(STORE_R_NO_STORE_OBJECT_NUMBER_FUNCTION),"no store object number function"},
+{ERR_REASON(STORE_R_NO_VALUE)            ,"no value"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_STORE_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef OPENSSL_NO_ERR
+		ERR_load_strings(0,STORE_str_functs);
+		ERR_load_strings(0,STORE_str_reasons);
+#endif
+
+		}
+	}
diff --git a/crypto/openssl/crypto/store/str_lib.c b/crypto/openssl/crypto/store/str_lib.c
new file mode 100644
index 000000000000..c0ad763e9a1c
--- /dev/null
+++ b/crypto/openssl/crypto/store/str_lib.c
@@ -0,0 +1,1824 @@
+/* crypto/store/str_lib.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2003.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#include <openssl/sha.h>
+#include <openssl/x509.h>
+#include "str_locl.h"
+
+const char * const STORE_object_type_string[STORE_OBJECT_TYPE_NUM+1] =
+	{
+	0,
+	"X.509 Certificate",
+	"X.509 CRL",
+	"Private Key",
+	"Public Key",
+	"Number",
+	"Arbitrary Data"
+	};
+
+const int STORE_param_sizes[STORE_PARAM_TYPE_NUM+1] =
+	{
+	0,
+	sizeof(int),		/* EVP_TYPE */
+	sizeof(size_t),		/* BITS */
+	-1,			/* KEY_PARAMETERS */
+	0			/* KEY_NO_PARAMETERS */
+	};	
+
+const int STORE_attr_sizes[STORE_ATTR_TYPE_NUM+1] =
+	{
+	0,
+	-1,			/* FRIENDLYNAME:	C string */
+	SHA_DIGEST_LENGTH,	/* KEYID:		SHA1 digest, 160 bits */
+	SHA_DIGEST_LENGTH,	/* ISSUERKEYID:		SHA1 digest, 160 bits */
+	SHA_DIGEST_LENGTH,	/* SUBJECTKEYID:	SHA1 digest, 160 bits */
+	SHA_DIGEST_LENGTH,	/* ISSUERSERIALHASH:	SHA1 digest, 160 bits */
+	sizeof(X509_NAME *),	/* ISSUER:		X509_NAME * */
+	sizeof(BIGNUM *),	/* SERIAL:		BIGNUM * */
+	sizeof(X509_NAME *),	/* SUBJECT:		X509_NAME * */
+	SHA_DIGEST_LENGTH,	/* CERTHASH:		SHA1 digest, 160 bits */
+	-1,			/* EMAIL:		C string */
+	-1,			/* FILENAME:		C string */
+	};	
+
+STORE *STORE_new_method(const STORE_METHOD *method)
+	{
+	STORE *ret;
+
+	if (method == NULL)
+		{
+		STOREerr(STORE_F_STORE_NEW_METHOD,ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+
+	ret=(STORE *)OPENSSL_malloc(sizeof(STORE));
+	if (ret == NULL)
+		{
+		STOREerr(STORE_F_STORE_NEW_METHOD,ERR_R_MALLOC_FAILURE);
+		return NULL;
+		}
+
+	ret->meth=method;
+
+	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_STORE, ret, &ret->ex_data);
+	if (ret->meth->init && !ret->meth->init(ret))
+		{
+		STORE_free(ret);
+		ret = NULL;
+		}
+	return ret;
+	}
+
+STORE *STORE_new_engine(ENGINE *engine)
+	{
+	STORE *ret = NULL;
+	ENGINE *e = engine;
+	const STORE_METHOD *meth = 0;
+
+#ifdef OPENSSL_NO_ENGINE
+	e = NULL;
+#else
+	if (engine)
+		{
+		if (!ENGINE_init(engine))
+			{
+			STOREerr(STORE_F_STORE_NEW_ENGINE, ERR_R_ENGINE_LIB);
+			return NULL;
+			}
+		e = engine;
+		}
+	else
+		{
+		STOREerr(STORE_F_STORE_NEW_ENGINE,ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	if(e)
+		{
+		meth = ENGINE_get_STORE(e);
+		if(!meth)
+			{
+			STOREerr(STORE_F_STORE_NEW_ENGINE,
+				ERR_R_ENGINE_LIB);
+			ENGINE_finish(e);
+			return NULL;
+			}
+		}
+#endif
+
+	ret = STORE_new_method(meth);
+	if (ret == NULL)
+		{
+		STOREerr(STORE_F_STORE_NEW_ENGINE,ERR_R_STORE_LIB);
+		return NULL;
+		}
+
+	ret->engine = e;
+
+	return(ret);
+	}
+
+void STORE_free(STORE *store)
+	{
+	if (store == NULL)
+		return;
+	if (store->meth->clean)
+		store->meth->clean(store);
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_STORE, store, &store->ex_data);
+	OPENSSL_free(store);
+	}
+
+int STORE_ctrl(STORE *store, int cmd, long i, void *p, void (*f)(void))
+	{
+	if (store == NULL)
+		{
+		STOREerr(STORE_F_STORE_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	if (store->meth->ctrl)
+		return store->meth->ctrl(store, cmd, i, p, f);
+	STOREerr(STORE_F_STORE_CTRL,STORE_R_NO_CONTROL_FUNCTION);
+	return 0;
+	}
+
+
+int STORE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_STORE, argl, argp,
+				new_func, dup_func, free_func);
+        }
+
+int STORE_set_ex_data(STORE *r, int idx, void *arg)
+	{
+	return(CRYPTO_set_ex_data(&r->ex_data,idx,arg));
+	}
+
+void *STORE_get_ex_data(STORE *r, int idx)
+	{
+	return(CRYPTO_get_ex_data(&r->ex_data,idx));
+	}
+
+const STORE_METHOD *STORE_get_method(STORE *store)
+	{
+	return store->meth;
+	}
+
+const STORE_METHOD *STORE_set_method(STORE *store, const STORE_METHOD *meth)
+	{
+	store->meth=meth;
+	return store->meth;
+	}
+
+
+/* API helpers */
+
+#define check_store(s,fncode,fnname,fnerrcode) \
+	do \
+		{ \
+		if ((s) == NULL || (s)->meth) \
+			{ \
+			STOREerr((fncode), ERR_R_PASSED_NULL_PARAMETER); \
+			return 0; \
+			} \
+		if ((s)->meth->fnname == NULL) \
+			{ \
+			STOREerr((fncode), (fnerrcode)); \
+			return 0; \
+			} \
+		} \
+	while(0)
+
+/* API functions */
+
+X509 *STORE_get_certificate(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	X509 *x;
+
+	check_store(s,STORE_F_STORE_GET_CERTIFICATE,
+		get_object,STORE_R_NO_GET_OBJECT_FUNCTION);
+
+	object = s->meth->get_object(s, STORE_OBJECT_TYPE_X509_CERTIFICATE,
+		attributes, parameters);
+	if (!object || !object->data.x509.certificate)
+		{
+		STOREerr(STORE_F_STORE_GET_CERTIFICATE,
+			STORE_R_FAILED_GETTING_CERTIFICATE);
+		return 0;
+		}
+	CRYPTO_add(&object->data.x509.certificate->references,1,CRYPTO_LOCK_X509);
+#ifdef REF_PRINT
+	REF_PRINT("X509",data);
+#endif
+	x = object->data.x509.certificate;
+	STORE_OBJECT_free(object);
+	return x;
+	}
+
+int STORE_store_certificate(STORE *s, X509 *data, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	int i;
+
+	check_store(s,STORE_F_STORE_CERTIFICATE,
+		store_object,STORE_R_NO_STORE_OBJECT_FUNCTION);
+
+	object = STORE_OBJECT_new();
+	if (!object)
+		{
+		STOREerr(STORE_F_STORE_STORE_CERTIFICATE,
+			ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	
+	CRYPTO_add(&data->references,1,CRYPTO_LOCK_X509);
+#ifdef REF_PRINT
+	REF_PRINT("X509",data);
+#endif
+	object->data.x509.certificate = data;
+
+	i = s->meth->store_object(s, STORE_OBJECT_TYPE_X509_CERTIFICATE,
+		object, attributes, parameters);
+
+	STORE_OBJECT_free(object);
+
+	if (!i)
+		{
+		STOREerr(STORE_F_STORE_STORE_CERTIFICATE,
+			STORE_R_FAILED_STORING_CERTIFICATE);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_modify_certificate(STORE *s, OPENSSL_ITEM search_attributes[],
+	OPENSSL_ITEM add_attributes[], OPENSSL_ITEM modify_attributes[],
+	OPENSSL_ITEM delete_attributes[], OPENSSL_ITEM parameters[])
+	{
+	check_store(s,STORE_F_STORE_MODIFY_CERTIFICATE,
+		modify_object,STORE_R_NO_MODIFY_OBJECT_FUNCTION);
+
+	if (!s->meth->modify_object(s, STORE_OBJECT_TYPE_X509_CERTIFICATE,
+		    search_attributes, add_attributes, modify_attributes,
+		    delete_attributes, parameters))
+		{
+		STOREerr(STORE_F_STORE_MODIFY_CERTIFICATE,
+			STORE_R_FAILED_MODIFYING_CERTIFICATE);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_revoke_certificate(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	check_store(s,STORE_F_STORE_REVOKE_CERTIFICATE,
+		revoke_object,STORE_R_NO_REVOKE_OBJECT_FUNCTION);
+
+	if (!s->meth->revoke_object(s, STORE_OBJECT_TYPE_X509_CERTIFICATE,
+		    attributes, parameters))
+		{
+		STOREerr(STORE_F_STORE_REVOKE_CERTIFICATE,
+			STORE_R_FAILED_REVOKING_CERTIFICATE);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_delete_certificate(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	check_store(s,STORE_F_STORE_DELETE_CERTIFICATE,
+		delete_object,STORE_R_NO_DELETE_OBJECT_FUNCTION);
+
+	if (!s->meth->delete_object(s, STORE_OBJECT_TYPE_X509_CERTIFICATE,
+		    attributes, parameters))
+		{
+		STOREerr(STORE_F_STORE_DELETE_CERTIFICATE,
+			STORE_R_FAILED_DELETING_CERTIFICATE);
+		return 0;
+		}
+	return 1;
+	}
+
+void *STORE_list_certificate_start(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	void *handle;
+
+	check_store(s,STORE_F_STORE_LIST_CERTIFICATE_START,
+		list_object_start,STORE_R_NO_LIST_OBJECT_START_FUNCTION);
+
+	handle = s->meth->list_object_start(s,
+		STORE_OBJECT_TYPE_X509_CERTIFICATE, attributes, parameters);
+	if (!handle)
+		{
+		STOREerr(STORE_F_STORE_LIST_CERTIFICATE_START,
+			STORE_R_FAILED_LISTING_CERTIFICATES);
+		return 0;
+		}
+	return handle;
+	}
+
+X509 *STORE_list_certificate_next(STORE *s, void *handle)
+	{
+	STORE_OBJECT *object;
+	X509 *x;
+
+	check_store(s,STORE_F_STORE_LIST_CERTIFICATE_NEXT,
+		list_object_next,STORE_R_NO_LIST_OBJECT_NEXT_FUNCTION);
+
+	object = s->meth->list_object_next(s, handle);
+	if (!object || !object->data.x509.certificate)
+		{
+		STOREerr(STORE_F_STORE_LIST_CERTIFICATE_NEXT,
+			STORE_R_FAILED_LISTING_CERTIFICATES);
+		return 0;
+		}
+	CRYPTO_add(&object->data.x509.certificate->references,1,CRYPTO_LOCK_X509);
+#ifdef REF_PRINT
+	REF_PRINT("X509",data);
+#endif
+	x = object->data.x509.certificate;
+	STORE_OBJECT_free(object);
+	return x;
+	}
+
+int STORE_list_certificate_end(STORE *s, void *handle)
+	{
+	check_store(s,STORE_F_STORE_LIST_CERTIFICATE_END,
+		list_object_end,STORE_R_NO_LIST_OBJECT_END_FUNCTION);
+
+	if (!s->meth->list_object_end(s, handle))
+		{
+		STOREerr(STORE_F_STORE_LIST_CERTIFICATE_END,
+			STORE_R_FAILED_LISTING_CERTIFICATES);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_list_certificate_endp(STORE *s, void *handle)
+	{
+	check_store(s,STORE_F_STORE_LIST_CERTIFICATE_ENDP,
+		list_object_endp,STORE_R_NO_LIST_OBJECT_ENDP_FUNCTION);
+
+	if (!s->meth->list_object_endp(s, handle))
+		{
+		STOREerr(STORE_F_STORE_LIST_CERTIFICATE_ENDP,
+			STORE_R_FAILED_LISTING_CERTIFICATES);
+		return 0;
+		}
+	return 1;
+	}
+
+EVP_PKEY *STORE_generate_key(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	EVP_PKEY *pkey;
+
+	check_store(s,STORE_F_STORE_GENERATE_KEY,
+		generate_object,STORE_R_NO_GENERATE_OBJECT_FUNCTION);
+
+	object = s->meth->generate_object(s, STORE_OBJECT_TYPE_PRIVATE_KEY,
+		attributes, parameters);
+	if (!object || !object->data.key)
+		{
+		STOREerr(STORE_F_STORE_GENERATE_KEY,
+			STORE_R_FAILED_GENERATING_KEY);
+		return 0;
+		}
+	CRYPTO_add(&object->data.key->references,1,CRYPTO_LOCK_EVP_PKEY);
+#ifdef REF_PRINT
+	REF_PRINT("EVP_PKEY",data);
+#endif
+	pkey = object->data.key;
+	STORE_OBJECT_free(object);
+	return pkey;
+	}
+
+EVP_PKEY *STORE_get_private_key(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	EVP_PKEY *pkey;
+
+	check_store(s,STORE_F_STORE_GET_PRIVATE_KEY,
+		get_object,STORE_R_NO_GET_OBJECT_FUNCTION);
+
+	object = s->meth->get_object(s, STORE_OBJECT_TYPE_PRIVATE_KEY,
+		attributes, parameters);
+	if (!object || !object->data.key || !object->data.key)
+		{
+		STOREerr(STORE_F_STORE_GET_PRIVATE_KEY,
+			STORE_R_FAILED_GETTING_KEY);
+		return 0;
+		}
+	CRYPTO_add(&object->data.key->references,1,CRYPTO_LOCK_EVP_PKEY);
+#ifdef REF_PRINT
+	REF_PRINT("EVP_PKEY",data);
+#endif
+	pkey = object->data.key;
+	STORE_OBJECT_free(object);
+	return pkey;
+	}
+
+int STORE_store_private_key(STORE *s, EVP_PKEY *data, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	int i;
+
+	check_store(s,STORE_F_STORE_STORE_PRIVATE_KEY,
+		store_object,STORE_R_NO_STORE_OBJECT_FUNCTION);
+
+	object = STORE_OBJECT_new();
+	if (!object)
+		{
+		STOREerr(STORE_F_STORE_STORE_PRIVATE_KEY,
+			ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	object->data.key = EVP_PKEY_new();
+	if (!object->data.key)
+		{
+		STOREerr(STORE_F_STORE_STORE_PRIVATE_KEY,
+			ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	
+	CRYPTO_add(&data->references,1,CRYPTO_LOCK_EVP_PKEY);
+#ifdef REF_PRINT
+	REF_PRINT("EVP_PKEY",data);
+#endif
+	object->data.key = data;
+
+	i = s->meth->store_object(s, STORE_OBJECT_TYPE_PRIVATE_KEY, object,
+		attributes, parameters);
+
+	STORE_OBJECT_free(object);
+
+	if (!i)
+		{
+		STOREerr(STORE_F_STORE_STORE_PRIVATE_KEY,
+			STORE_R_FAILED_STORING_KEY);
+		return 0;
+		}
+	return i;
+	}
+
+int STORE_modify_private_key(STORE *s, OPENSSL_ITEM search_attributes[],
+	OPENSSL_ITEM add_attributes[], OPENSSL_ITEM modify_attributes[],
+	OPENSSL_ITEM delete_attributes[], OPENSSL_ITEM parameters[])
+	{
+	check_store(s,STORE_F_STORE_MODIFY_PRIVATE_KEY,
+		modify_object,STORE_R_NO_MODIFY_OBJECT_FUNCTION);
+
+	if (!s->meth->modify_object(s, STORE_OBJECT_TYPE_PRIVATE_KEY,
+		    search_attributes, add_attributes, modify_attributes,
+		    delete_attributes, parameters))
+		{
+		STOREerr(STORE_F_STORE_MODIFY_PRIVATE_KEY,
+			STORE_R_FAILED_MODIFYING_PRIVATE_KEY);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_revoke_private_key(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	int i;
+
+	check_store(s,STORE_F_STORE_REVOKE_PRIVATE_KEY,
+		revoke_object,STORE_R_NO_REVOKE_OBJECT_FUNCTION);
+
+	i = s->meth->revoke_object(s, STORE_OBJECT_TYPE_PRIVATE_KEY,
+		attributes, parameters);
+
+	if (!i)
+		{
+		STOREerr(STORE_F_STORE_REVOKE_PRIVATE_KEY,
+			STORE_R_FAILED_REVOKING_KEY);
+		return 0;
+		}
+	return i;
+	}
+
+int STORE_delete_private_key(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	check_store(s,STORE_F_STORE_DELETE_PRIVATE_KEY,
+		delete_object,STORE_R_NO_DELETE_OBJECT_FUNCTION);
+	
+	if (!s->meth->delete_object(s, STORE_OBJECT_TYPE_PRIVATE_KEY,
+		    attributes, parameters))
+		{
+		STOREerr(STORE_F_STORE_DELETE_PRIVATE_KEY,
+			STORE_R_FAILED_DELETING_KEY);
+		return 0;
+		}
+	return 1;
+	}
+
+void *STORE_list_private_key_start(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	void *handle;
+
+	check_store(s,STORE_F_STORE_LIST_PRIVATE_KEY_START,
+		list_object_start,STORE_R_NO_LIST_OBJECT_START_FUNCTION);
+
+	handle = s->meth->list_object_start(s, STORE_OBJECT_TYPE_PRIVATE_KEY,
+		attributes, parameters);
+	if (!handle)
+		{
+		STOREerr(STORE_F_STORE_LIST_PRIVATE_KEY_START,
+			STORE_R_FAILED_LISTING_KEYS);
+		return 0;
+		}
+	return handle;
+	}
+
+EVP_PKEY *STORE_list_private_key_next(STORE *s, void *handle)
+	{
+	STORE_OBJECT *object;
+	EVP_PKEY *pkey;
+
+	check_store(s,STORE_F_STORE_LIST_PRIVATE_KEY_NEXT,
+		list_object_next,STORE_R_NO_LIST_OBJECT_NEXT_FUNCTION);
+
+	object = s->meth->list_object_next(s, handle);
+	if (!object || !object->data.key || !object->data.key)
+		{
+		STOREerr(STORE_F_STORE_LIST_PRIVATE_KEY_NEXT,
+			STORE_R_FAILED_LISTING_KEYS);
+		return 0;
+		}
+	CRYPTO_add(&object->data.key->references,1,CRYPTO_LOCK_EVP_PKEY);
+#ifdef REF_PRINT
+	REF_PRINT("EVP_PKEY",data);
+#endif
+	pkey = object->data.key;
+	STORE_OBJECT_free(object);
+	return pkey;
+	}
+
+int STORE_list_private_key_end(STORE *s, void *handle)
+	{
+	check_store(s,STORE_F_STORE_LIST_PRIVATE_KEY_END,
+		list_object_end,STORE_R_NO_LIST_OBJECT_END_FUNCTION);
+
+	if (!s->meth->list_object_end(s, handle))
+		{
+		STOREerr(STORE_F_STORE_LIST_PRIVATE_KEY_END,
+			STORE_R_FAILED_LISTING_KEYS);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_list_private_key_endp(STORE *s, void *handle)
+	{
+	check_store(s,STORE_F_STORE_LIST_PRIVATE_KEY_ENDP,
+		list_object_endp,STORE_R_NO_LIST_OBJECT_ENDP_FUNCTION);
+
+	if (!s->meth->list_object_endp(s, handle))
+		{
+		STOREerr(STORE_F_STORE_LIST_PRIVATE_KEY_ENDP,
+			STORE_R_FAILED_LISTING_KEYS);
+		return 0;
+		}
+	return 1;
+	}
+
+EVP_PKEY *STORE_get_public_key(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	EVP_PKEY *pkey;
+
+	check_store(s,STORE_F_STORE_GET_PUBLIC_KEY,
+		get_object,STORE_R_NO_GET_OBJECT_FUNCTION);
+
+	object = s->meth->get_object(s, STORE_OBJECT_TYPE_PUBLIC_KEY,
+		attributes, parameters);
+	if (!object || !object->data.key || !object->data.key)
+		{
+		STOREerr(STORE_F_STORE_GET_PUBLIC_KEY,
+			STORE_R_FAILED_GETTING_KEY);
+		return 0;
+		}
+	CRYPTO_add(&object->data.key->references,1,CRYPTO_LOCK_EVP_PKEY);
+#ifdef REF_PRINT
+	REF_PRINT("EVP_PKEY",data);
+#endif
+	pkey = object->data.key;
+	STORE_OBJECT_free(object);
+	return pkey;
+	}
+
+int STORE_store_public_key(STORE *s, EVP_PKEY *data, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	int i;
+
+	check_store(s,STORE_F_STORE_STORE_PUBLIC_KEY,
+		store_object,STORE_R_NO_STORE_OBJECT_FUNCTION);
+
+	object = STORE_OBJECT_new();
+	if (!object)
+		{
+		STOREerr(STORE_F_STORE_STORE_PUBLIC_KEY,
+			ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	object->data.key = EVP_PKEY_new();
+	if (!object->data.key)
+		{
+		STOREerr(STORE_F_STORE_STORE_PUBLIC_KEY,
+			ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	
+	CRYPTO_add(&data->references,1,CRYPTO_LOCK_EVP_PKEY);
+#ifdef REF_PRINT
+	REF_PRINT("EVP_PKEY",data);
+#endif
+	object->data.key = data;
+
+	i = s->meth->store_object(s, STORE_OBJECT_TYPE_PUBLIC_KEY, object,
+		attributes, parameters);
+
+	STORE_OBJECT_free(object);
+
+	if (!i)
+		{
+		STOREerr(STORE_F_STORE_STORE_PUBLIC_KEY,
+			STORE_R_FAILED_STORING_KEY);
+		return 0;
+		}
+	return i;
+	}
+
+int STORE_modify_public_key(STORE *s, OPENSSL_ITEM search_attributes[],
+	OPENSSL_ITEM add_attributes[], OPENSSL_ITEM modify_attributes[],
+	OPENSSL_ITEM delete_attributes[], OPENSSL_ITEM parameters[])
+	{
+	check_store(s,STORE_F_STORE_MODIFY_PUBLIC_KEY,
+		modify_object,STORE_R_NO_MODIFY_OBJECT_FUNCTION);
+
+	if (!s->meth->modify_object(s, STORE_OBJECT_TYPE_PUBLIC_KEY,
+		    search_attributes, add_attributes, modify_attributes,
+		    delete_attributes, parameters))
+		{
+		STOREerr(STORE_F_STORE_MODIFY_PUBLIC_KEY,
+			STORE_R_FAILED_MODIFYING_PUBLIC_KEY);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_revoke_public_key(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	int i;
+
+	check_store(s,STORE_F_STORE_REVOKE_PUBLIC_KEY,
+		revoke_object,STORE_R_NO_REVOKE_OBJECT_FUNCTION);
+
+	i = s->meth->revoke_object(s, STORE_OBJECT_TYPE_PUBLIC_KEY,
+		attributes, parameters);
+
+	if (!i)
+		{
+		STOREerr(STORE_F_STORE_REVOKE_PUBLIC_KEY,
+			STORE_R_FAILED_REVOKING_KEY);
+		return 0;
+		}
+	return i;
+	}
+
+int STORE_delete_public_key(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	check_store(s,STORE_F_STORE_DELETE_PUBLIC_KEY,
+		delete_object,STORE_R_NO_DELETE_OBJECT_FUNCTION);
+	
+	if (!s->meth->delete_object(s, STORE_OBJECT_TYPE_PUBLIC_KEY,
+		    attributes, parameters))
+		{
+		STOREerr(STORE_F_STORE_DELETE_PUBLIC_KEY,
+			STORE_R_FAILED_DELETING_KEY);
+		return 0;
+		}
+	return 1;
+	}
+
+void *STORE_list_public_key_start(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	void *handle;
+
+	check_store(s,STORE_F_STORE_LIST_PUBLIC_KEY_START,
+		list_object_start,STORE_R_NO_LIST_OBJECT_START_FUNCTION);
+
+	handle = s->meth->list_object_start(s, STORE_OBJECT_TYPE_PUBLIC_KEY,
+		attributes, parameters);
+	if (!handle)
+		{
+		STOREerr(STORE_F_STORE_LIST_PUBLIC_KEY_START,
+			STORE_R_FAILED_LISTING_KEYS);
+		return 0;
+		}
+	return handle;
+	}
+
+EVP_PKEY *STORE_list_public_key_next(STORE *s, void *handle)
+	{
+	STORE_OBJECT *object;
+	EVP_PKEY *pkey;
+
+	check_store(s,STORE_F_STORE_LIST_PUBLIC_KEY_NEXT,
+		list_object_next,STORE_R_NO_LIST_OBJECT_NEXT_FUNCTION);
+
+	object = s->meth->list_object_next(s, handle);
+	if (!object || !object->data.key || !object->data.key)
+		{
+		STOREerr(STORE_F_STORE_LIST_PUBLIC_KEY_NEXT,
+			STORE_R_FAILED_LISTING_KEYS);
+		return 0;
+		}
+	CRYPTO_add(&object->data.key->references,1,CRYPTO_LOCK_EVP_PKEY);
+#ifdef REF_PRINT
+	REF_PRINT("EVP_PKEY",data);
+#endif
+	pkey = object->data.key;
+	STORE_OBJECT_free(object);
+	return pkey;
+	}
+
+int STORE_list_public_key_end(STORE *s, void *handle)
+	{
+	check_store(s,STORE_F_STORE_LIST_PUBLIC_KEY_END,
+		list_object_end,STORE_R_NO_LIST_OBJECT_END_FUNCTION);
+
+	if (!s->meth->list_object_end(s, handle))
+		{
+		STOREerr(STORE_F_STORE_LIST_PUBLIC_KEY_END,
+			STORE_R_FAILED_LISTING_KEYS);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_list_public_key_endp(STORE *s, void *handle)
+	{
+	check_store(s,STORE_F_STORE_LIST_PUBLIC_KEY_ENDP,
+		list_object_endp,STORE_R_NO_LIST_OBJECT_ENDP_FUNCTION);
+
+	if (!s->meth->list_object_endp(s, handle))
+		{
+		STOREerr(STORE_F_STORE_LIST_PUBLIC_KEY_ENDP,
+			STORE_R_FAILED_LISTING_KEYS);
+		return 0;
+		}
+	return 1;
+	}
+
+X509_CRL *STORE_generate_crl(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	X509_CRL *crl;
+
+	check_store(s,STORE_F_STORE_GENERATE_CRL,
+		generate_object,STORE_R_NO_GENERATE_CRL_FUNCTION);
+
+	object = s->meth->generate_object(s, STORE_OBJECT_TYPE_X509_CRL,
+		attributes, parameters);
+	if (!object || !object->data.crl)
+		{
+		STOREerr(STORE_F_STORE_GENERATE_CRL,
+			STORE_R_FAILED_GENERATING_CRL);
+		return 0;
+		}
+	CRYPTO_add(&object->data.crl->references,1,CRYPTO_LOCK_X509_CRL);
+#ifdef REF_PRINT
+	REF_PRINT("X509_CRL",data);
+#endif
+	crl = object->data.crl;
+	STORE_OBJECT_free(object);
+	return crl;
+	}
+
+X509_CRL *STORE_get_crl(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	X509_CRL *crl;
+
+	check_store(s,STORE_F_STORE_GET_CRL,
+		get_object,STORE_R_NO_GET_OBJECT_FUNCTION);
+
+	object = s->meth->get_object(s, STORE_OBJECT_TYPE_X509_CRL,
+		attributes, parameters);
+	if (!object || !object->data.crl)
+		{
+		STOREerr(STORE_F_STORE_GET_CRL,
+			STORE_R_FAILED_GETTING_KEY);
+		return 0;
+		}
+	CRYPTO_add(&object->data.crl->references,1,CRYPTO_LOCK_X509_CRL);
+#ifdef REF_PRINT
+	REF_PRINT("X509_CRL",data);
+#endif
+	crl = object->data.crl;
+	STORE_OBJECT_free(object);
+	return crl;
+	}
+
+int STORE_store_crl(STORE *s, X509_CRL *data, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	int i;
+
+	check_store(s,STORE_F_STORE_STORE_CRL,
+		store_object,STORE_R_NO_STORE_OBJECT_FUNCTION);
+
+	object = STORE_OBJECT_new();
+	if (!object)
+		{
+		STOREerr(STORE_F_STORE_STORE_CRL,
+			ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	
+	CRYPTO_add(&data->references,1,CRYPTO_LOCK_X509_CRL);
+#ifdef REF_PRINT
+	REF_PRINT("X509_CRL",data);
+#endif
+	object->data.crl = data;
+
+	i = s->meth->store_object(s, STORE_OBJECT_TYPE_X509_CRL, object,
+		attributes, parameters);
+
+	STORE_OBJECT_free(object);
+
+	if (!i)
+		{
+		STOREerr(STORE_F_STORE_STORE_CRL,
+			STORE_R_FAILED_STORING_KEY);
+		return 0;
+		}
+	return i;
+	}
+
+int STORE_modify_crl(STORE *s, OPENSSL_ITEM search_attributes[],
+	OPENSSL_ITEM add_attributes[], OPENSSL_ITEM modify_attributes[],
+	OPENSSL_ITEM delete_attributes[], OPENSSL_ITEM parameters[])
+	{
+	check_store(s,STORE_F_STORE_MODIFY_CRL,
+		modify_object,STORE_R_NO_MODIFY_OBJECT_FUNCTION);
+
+	if (!s->meth->modify_object(s, STORE_OBJECT_TYPE_X509_CRL,
+		    search_attributes, add_attributes, modify_attributes,
+		    delete_attributes, parameters))
+		{
+		STOREerr(STORE_F_STORE_MODIFY_CRL,
+			STORE_R_FAILED_MODIFYING_CRL);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_delete_crl(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	check_store(s,STORE_F_STORE_DELETE_CRL,
+		delete_object,STORE_R_NO_DELETE_OBJECT_FUNCTION);
+	
+	if (!s->meth->delete_object(s, STORE_OBJECT_TYPE_X509_CRL,
+		    attributes, parameters))
+		{
+		STOREerr(STORE_F_STORE_DELETE_CRL,
+			STORE_R_FAILED_DELETING_KEY);
+		return 0;
+		}
+	return 1;
+	}
+
+void *STORE_list_crl_start(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	void *handle;
+
+	check_store(s,STORE_F_STORE_LIST_CRL_START,
+		list_object_start,STORE_R_NO_LIST_OBJECT_START_FUNCTION);
+
+	handle = s->meth->list_object_start(s, STORE_OBJECT_TYPE_X509_CRL,
+		attributes, parameters);
+	if (!handle)
+		{
+		STOREerr(STORE_F_STORE_LIST_CRL_START,
+			STORE_R_FAILED_LISTING_KEYS);
+		return 0;
+		}
+	return handle;
+	}
+
+X509_CRL *STORE_list_crl_next(STORE *s, void *handle)
+	{
+	STORE_OBJECT *object;
+	X509_CRL *crl;
+
+	check_store(s,STORE_F_STORE_LIST_CRL_NEXT,
+		list_object_next,STORE_R_NO_LIST_OBJECT_NEXT_FUNCTION);
+
+	object = s->meth->list_object_next(s, handle);
+	if (!object || !object->data.crl)
+		{
+		STOREerr(STORE_F_STORE_LIST_CRL_NEXT,
+			STORE_R_FAILED_LISTING_KEYS);
+		return 0;
+		}
+	CRYPTO_add(&object->data.crl->references,1,CRYPTO_LOCK_X509_CRL);
+#ifdef REF_PRINT
+	REF_PRINT("X509_CRL",data);
+#endif
+	crl = object->data.crl;
+	STORE_OBJECT_free(object);
+	return crl;
+	}
+
+int STORE_list_crl_end(STORE *s, void *handle)
+	{
+	check_store(s,STORE_F_STORE_LIST_CRL_END,
+		list_object_end,STORE_R_NO_LIST_OBJECT_END_FUNCTION);
+
+	if (!s->meth->list_object_end(s, handle))
+		{
+		STOREerr(STORE_F_STORE_LIST_CRL_END,
+			STORE_R_FAILED_LISTING_KEYS);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_list_crl_endp(STORE *s, void *handle)
+	{
+	check_store(s,STORE_F_STORE_LIST_CRL_ENDP,
+		list_object_endp,STORE_R_NO_LIST_OBJECT_ENDP_FUNCTION);
+
+	if (!s->meth->list_object_endp(s, handle))
+		{
+		STOREerr(STORE_F_STORE_LIST_CRL_ENDP,
+			STORE_R_FAILED_LISTING_KEYS);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_store_number(STORE *s, BIGNUM *data, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	int i;
+
+	check_store(s,STORE_F_STORE_STORE_NUMBER,
+		store_object,STORE_R_NO_STORE_OBJECT_NUMBER_FUNCTION);
+
+	object = STORE_OBJECT_new();
+	if (!object)
+		{
+		STOREerr(STORE_F_STORE_STORE_NUMBER,
+			ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	
+	object->data.number = data;
+
+	i = s->meth->store_object(s, STORE_OBJECT_TYPE_NUMBER, object,
+		attributes, parameters);
+
+	STORE_OBJECT_free(object);
+
+	if (!i)
+		{
+		STOREerr(STORE_F_STORE_STORE_NUMBER,
+			STORE_R_FAILED_STORING_NUMBER);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_modify_number(STORE *s, OPENSSL_ITEM search_attributes[],
+	OPENSSL_ITEM add_attributes[], OPENSSL_ITEM modify_attributes[],
+	OPENSSL_ITEM delete_attributes[], OPENSSL_ITEM parameters[])
+	{
+	check_store(s,STORE_F_STORE_MODIFY_NUMBER,
+		modify_object,STORE_R_NO_MODIFY_OBJECT_FUNCTION);
+
+	if (!s->meth->modify_object(s, STORE_OBJECT_TYPE_NUMBER,
+		    search_attributes, add_attributes, modify_attributes,
+		    delete_attributes, parameters))
+		{
+		STOREerr(STORE_F_STORE_MODIFY_NUMBER,
+			STORE_R_FAILED_MODIFYING_NUMBER);
+		return 0;
+		}
+	return 1;
+	}
+
+BIGNUM *STORE_get_number(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	BIGNUM *n;
+
+	check_store(s,STORE_F_STORE_GET_NUMBER,
+		get_object,STORE_R_NO_GET_OBJECT_NUMBER_FUNCTION);
+
+	object = s->meth->get_object(s, STORE_OBJECT_TYPE_NUMBER, attributes,
+		parameters);
+	if (!object || !object->data.number)
+		{
+		STOREerr(STORE_F_STORE_GET_NUMBER,
+			STORE_R_FAILED_GETTING_NUMBER);
+		return 0;
+		}
+	n = object->data.number;
+	object->data.number = NULL;
+	STORE_OBJECT_free(object);
+	return n;
+	}
+
+int STORE_delete_number(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	check_store(s,STORE_F_STORE_DELETE_NUMBER,
+		delete_object,STORE_R_NO_DELETE_NUMBER_FUNCTION);
+
+	if (!s->meth->delete_object(s, STORE_OBJECT_TYPE_NUMBER, attributes,
+		    parameters))
+		{
+		STOREerr(STORE_F_STORE_DELETE_NUMBER,
+			STORE_R_FAILED_DELETING_NUMBER);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_store_arbitrary(STORE *s, BUF_MEM *data, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	int i;
+
+	check_store(s,STORE_F_STORE_STORE_ARBITRARY,
+		store_object,STORE_R_NO_STORE_OBJECT_ARBITRARY_FUNCTION);
+
+	object = STORE_OBJECT_new();
+	if (!object)
+		{
+		STOREerr(STORE_F_STORE_STORE_ARBITRARY,
+			ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	
+	object->data.arbitrary = data;
+
+	i = s->meth->store_object(s, STORE_OBJECT_TYPE_ARBITRARY, object,
+		attributes, parameters);
+
+	STORE_OBJECT_free(object);
+
+	if (!i)
+		{
+		STOREerr(STORE_F_STORE_STORE_ARBITRARY,
+			STORE_R_FAILED_STORING_ARBITRARY);
+		return 0;
+		}
+	return 1;
+	}
+
+int STORE_modify_arbitrary(STORE *s, OPENSSL_ITEM search_attributes[],
+	OPENSSL_ITEM add_attributes[], OPENSSL_ITEM modify_attributes[],
+	OPENSSL_ITEM delete_attributes[], OPENSSL_ITEM parameters[])
+	{
+	check_store(s,STORE_F_STORE_MODIFY_ARBITRARY,
+		modify_object,STORE_R_NO_MODIFY_OBJECT_FUNCTION);
+
+	if (!s->meth->modify_object(s, STORE_OBJECT_TYPE_ARBITRARY,
+		    search_attributes, add_attributes, modify_attributes,
+		    delete_attributes, parameters))
+		{
+		STOREerr(STORE_F_STORE_MODIFY_ARBITRARY,
+			STORE_R_FAILED_MODIFYING_ARBITRARY);
+		return 0;
+		}
+	return 1;
+	}
+
+BUF_MEM *STORE_get_arbitrary(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STORE_OBJECT *object;
+	BUF_MEM *b;
+
+	check_store(s,STORE_F_STORE_GET_ARBITRARY,
+		get_object,STORE_R_NO_GET_OBJECT_ARBITRARY_FUNCTION);
+
+	object = s->meth->get_object(s, STORE_OBJECT_TYPE_ARBITRARY,
+		attributes, parameters);
+	if (!object || !object->data.arbitrary)
+		{
+		STOREerr(STORE_F_STORE_GET_ARBITRARY,
+			STORE_R_FAILED_GETTING_ARBITRARY);
+		return 0;
+		}
+	b = object->data.arbitrary;
+	object->data.arbitrary = NULL;
+	STORE_OBJECT_free(object);
+	return b;
+	}
+
+int STORE_delete_arbitrary(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	check_store(s,STORE_F_STORE_DELETE_ARBITRARY,
+		delete_object,STORE_R_NO_DELETE_ARBITRARY_FUNCTION);
+
+	if (!s->meth->delete_object(s, STORE_OBJECT_TYPE_ARBITRARY, attributes,
+		    parameters))
+		{
+		STOREerr(STORE_F_STORE_DELETE_ARBITRARY,
+			STORE_R_FAILED_DELETING_ARBITRARY);
+		return 0;
+		}
+	return 1;
+	}
+
+STORE_OBJECT *STORE_OBJECT_new(void)
+	{
+	STORE_OBJECT *object = OPENSSL_malloc(sizeof(STORE_OBJECT));
+	if (object) memset(object, 0, sizeof(STORE_OBJECT));
+	return object;
+	}
+void STORE_OBJECT_free(STORE_OBJECT *data)
+	{
+	if (!data) return;
+	switch (data->type)
+		{
+	case STORE_OBJECT_TYPE_X509_CERTIFICATE:
+		X509_free(data->data.x509.certificate);
+		break;
+	case STORE_OBJECT_TYPE_X509_CRL:
+		X509_CRL_free(data->data.crl);
+		break;
+	case STORE_OBJECT_TYPE_PRIVATE_KEY:
+	case STORE_OBJECT_TYPE_PUBLIC_KEY:
+		EVP_PKEY_free(data->data.key);
+		break;
+	case STORE_OBJECT_TYPE_NUMBER:
+		BN_free(data->data.number);
+		break;
+	case STORE_OBJECT_TYPE_ARBITRARY:
+		BUF_MEM_free(data->data.arbitrary);
+		break;
+		}
+	OPENSSL_free(data);
+	}
+
+IMPLEMENT_STACK_OF(STORE_OBJECT*)
+
+
+struct STORE_attr_info_st
+	{
+	unsigned char set[(STORE_ATTR_TYPE_NUM + 8) / 8];
+	union
+		{
+		char *cstring;
+		unsigned char *sha1string;
+		X509_NAME *dn;
+		BIGNUM *number;
+		void *any;
+		} values[STORE_ATTR_TYPE_NUM+1];
+	size_t value_sizes[STORE_ATTR_TYPE_NUM+1];
+	};
+
+#define ATTR_IS_SET(a,i)	((i) > 0 && (i) < STORE_ATTR_TYPE_NUM \
+				&& ((a)->set[(i) / 8] & (1 << ((i) % 8))))
+#define SET_ATTRBIT(a,i)	((a)->set[(i) / 8] |= (1 << ((i) % 8)))
+#define CLEAR_ATTRBIT(a,i)	((a)->set[(i) / 8] &= ~(1 << ((i) % 8)))
+
+STORE_ATTR_INFO *STORE_ATTR_INFO_new(void)
+	{
+	return (STORE_ATTR_INFO *)OPENSSL_malloc(sizeof(STORE_ATTR_INFO));
+	}
+static void STORE_ATTR_INFO_attr_free(STORE_ATTR_INFO *attrs,
+	STORE_ATTR_TYPES code)
+	{
+	if (ATTR_IS_SET(attrs,code))
+		{
+		switch(code)
+			{
+		case STORE_ATTR_FRIENDLYNAME:
+		case STORE_ATTR_EMAIL:
+		case STORE_ATTR_FILENAME:
+			STORE_ATTR_INFO_modify_cstr(attrs, code, NULL, 0);
+			break;
+		case STORE_ATTR_KEYID:
+		case STORE_ATTR_ISSUERKEYID:
+		case STORE_ATTR_SUBJECTKEYID:
+		case STORE_ATTR_ISSUERSERIALHASH:
+		case STORE_ATTR_CERTHASH:
+			STORE_ATTR_INFO_modify_sha1str(attrs, code, NULL, 0);
+			break;
+		case STORE_ATTR_ISSUER:
+		case STORE_ATTR_SUBJECT:
+			STORE_ATTR_INFO_modify_dn(attrs, code, NULL);
+			break;
+		case STORE_ATTR_SERIAL:
+			STORE_ATTR_INFO_modify_number(attrs, code, NULL);
+			break;
+		default:
+			break;
+			}
+		}
+	}
+int STORE_ATTR_INFO_free(STORE_ATTR_INFO *attrs)
+	{
+	if (attrs)
+		{
+		STORE_ATTR_TYPES i;
+		for(i = 0; i++ < STORE_ATTR_TYPE_NUM;)
+			STORE_ATTR_INFO_attr_free(attrs, i);
+		OPENSSL_free(attrs);
+		}
+	return 1;
+	}
+char *STORE_ATTR_INFO_get0_cstr(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code)
+	{
+	if (!attrs)
+		{
+		STOREerr(STORE_F_STORE_ATTR_INFO_GET0_CSTR,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	if (ATTR_IS_SET(attrs,code))
+		return attrs->values[code].cstring;
+	STOREerr(STORE_F_STORE_ATTR_INFO_GET0_CSTR,
+		STORE_R_NO_VALUE);
+	return NULL;
+	}
+unsigned char *STORE_ATTR_INFO_get0_sha1str(STORE_ATTR_INFO *attrs,
+	STORE_ATTR_TYPES code)
+	{
+	if (!attrs)
+		{
+		STOREerr(STORE_F_STORE_ATTR_INFO_GET0_SHA1STR,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	if (ATTR_IS_SET(attrs,code))
+		return attrs->values[code].sha1string;
+	STOREerr(STORE_F_STORE_ATTR_INFO_GET0_SHA1STR,
+		STORE_R_NO_VALUE);
+	return NULL;
+	}
+X509_NAME *STORE_ATTR_INFO_get0_dn(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code)
+	{
+	if (!attrs)
+		{
+		STOREerr(STORE_F_STORE_ATTR_INFO_GET0_DN,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	if (ATTR_IS_SET(attrs,code))
+		return attrs->values[code].dn;
+	STOREerr(STORE_F_STORE_ATTR_INFO_GET0_DN,
+		STORE_R_NO_VALUE);
+	return NULL;
+	}
+BIGNUM *STORE_ATTR_INFO_get0_number(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code)
+	{
+	if (!attrs)
+		{
+		STOREerr(STORE_F_STORE_ATTR_INFO_GET0_NUMBER,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	if (ATTR_IS_SET(attrs,code))
+		return attrs->values[code].number;
+	STOREerr(STORE_F_STORE_ATTR_INFO_GET0_NUMBER,
+		STORE_R_NO_VALUE);
+	return NULL;
+	}
+int STORE_ATTR_INFO_set_cstr(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	char *cstr, size_t cstr_size)
+	{
+	if (!attrs)
+		{
+		STOREerr(STORE_F_STORE_ATTR_INFO_SET_CSTR,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	if (!ATTR_IS_SET(attrs,code))
+		{
+		if ((attrs->values[code].cstring = BUF_strndup(cstr, cstr_size)))
+			return 1;
+		STOREerr(STORE_F_STORE_ATTR_INFO_SET_CSTR,
+			ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	STOREerr(STORE_F_STORE_ATTR_INFO_SET_CSTR, STORE_R_ALREADY_HAS_A_VALUE);
+	return 0;
+	}
+int STORE_ATTR_INFO_set_sha1str(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	unsigned char *sha1str, size_t sha1str_size)
+	{
+	if (!attrs)
+		{
+		STOREerr(STORE_F_STORE_ATTR_INFO_SET_SHA1STR,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	if (!ATTR_IS_SET(attrs,code))
+		{
+		if ((attrs->values[code].sha1string =
+			    (unsigned char *)BUF_memdup(sha1str,
+				    sha1str_size)))
+			return 1;
+		STOREerr(STORE_F_STORE_ATTR_INFO_SET_SHA1STR,
+			ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	STOREerr(STORE_F_STORE_ATTR_INFO_SET_SHA1STR, STORE_R_ALREADY_HAS_A_VALUE);
+	return 0;
+	}
+int STORE_ATTR_INFO_set_dn(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	X509_NAME *dn)
+	{
+	if (!attrs)
+		{
+		STOREerr(STORE_F_STORE_ATTR_INFO_SET_DN,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	if (!ATTR_IS_SET(attrs,code))
+		{
+		if ((attrs->values[code].dn = X509_NAME_dup(dn)))
+			return 1;
+		STOREerr(STORE_F_STORE_ATTR_INFO_SET_DN,
+			ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	STOREerr(STORE_F_STORE_ATTR_INFO_SET_DN, STORE_R_ALREADY_HAS_A_VALUE);
+	return 0;
+	}
+int STORE_ATTR_INFO_set_number(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	BIGNUM *number)
+	{
+	if (!attrs)
+		{
+		STOREerr(STORE_F_STORE_ATTR_INFO_SET_NUMBER,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	if (!ATTR_IS_SET(attrs,code))
+		{
+		if ((attrs->values[code].number = BN_dup(number)))
+			return 1;
+		STOREerr(STORE_F_STORE_ATTR_INFO_SET_NUMBER,
+			ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	STOREerr(STORE_F_STORE_ATTR_INFO_SET_NUMBER, STORE_R_ALREADY_HAS_A_VALUE);
+	return 0;
+	}
+int STORE_ATTR_INFO_modify_cstr(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	char *cstr, size_t cstr_size)
+	{
+	if (!attrs)
+		{
+		STOREerr(STORE_F_STORE_ATTR_INFO_MODIFY_CSTR,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	if (ATTR_IS_SET(attrs,code))
+		{
+		OPENSSL_free(attrs->values[code].cstring);
+		attrs->values[code].cstring = NULL;
+		CLEAR_ATTRBIT(attrs, code);
+		}
+	return STORE_ATTR_INFO_set_cstr(attrs, code, cstr, cstr_size);
+	}
+int STORE_ATTR_INFO_modify_sha1str(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	unsigned char *sha1str, size_t sha1str_size)
+	{
+	if (!attrs)
+		{
+		STOREerr(STORE_F_STORE_ATTR_INFO_MODIFY_SHA1STR,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	if (ATTR_IS_SET(attrs,code))
+		{
+		OPENSSL_free(attrs->values[code].sha1string);
+		attrs->values[code].sha1string = NULL;
+		CLEAR_ATTRBIT(attrs, code);
+		}
+	return STORE_ATTR_INFO_set_sha1str(attrs, code, sha1str, sha1str_size);
+	}
+int STORE_ATTR_INFO_modify_dn(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	X509_NAME *dn)
+	{
+	if (!attrs)
+		{
+		STOREerr(STORE_F_STORE_ATTR_INFO_MODIFY_DN,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	if (ATTR_IS_SET(attrs,code))
+		{
+		OPENSSL_free(attrs->values[code].dn);
+		attrs->values[code].dn = NULL;
+		CLEAR_ATTRBIT(attrs, code);
+		}
+	return STORE_ATTR_INFO_set_dn(attrs, code, dn);
+	}
+int STORE_ATTR_INFO_modify_number(STORE_ATTR_INFO *attrs, STORE_ATTR_TYPES code,
+	BIGNUM *number)
+	{
+	if (!attrs)
+		{
+		STOREerr(STORE_F_STORE_ATTR_INFO_MODIFY_NUMBER,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	if (ATTR_IS_SET(attrs,code))
+		{
+		OPENSSL_free(attrs->values[code].number);
+		attrs->values[code].number = NULL;
+		CLEAR_ATTRBIT(attrs, code);
+		}
+	return STORE_ATTR_INFO_set_number(attrs, code, number);
+	}
+
+struct attr_list_ctx_st
+	{
+	OPENSSL_ITEM *attributes;
+	};
+void *STORE_parse_attrs_start(OPENSSL_ITEM *attributes)
+	{
+	if (attributes)
+		{
+		struct attr_list_ctx_st *context =
+			(struct attr_list_ctx_st *)OPENSSL_malloc(sizeof(struct attr_list_ctx_st));
+		if (context)
+			context->attributes = attributes;
+		else
+			STOREerr(STORE_F_STORE_PARSE_ATTRS_START,
+				ERR_R_MALLOC_FAILURE);
+		return context;
+		}
+	STOREerr(STORE_F_STORE_PARSE_ATTRS_START, ERR_R_PASSED_NULL_PARAMETER);
+	return 0;
+	}
+STORE_ATTR_INFO *STORE_parse_attrs_next(void *handle)
+	{
+	struct attr_list_ctx_st *context = (struct attr_list_ctx_st *)handle;
+
+	if (context && context->attributes)
+		{
+		STORE_ATTR_INFO *attrs = NULL;
+
+		while(context->attributes
+			&& context->attributes->code != STORE_ATTR_OR
+			&& context->attributes->code != STORE_ATTR_END)
+			{
+			switch(context->attributes->code)
+				{
+			case STORE_ATTR_FRIENDLYNAME:
+			case STORE_ATTR_EMAIL:
+			case STORE_ATTR_FILENAME:
+				if (!attrs) attrs = STORE_ATTR_INFO_new();
+				if (attrs == NULL)
+					{
+					STOREerr(STORE_F_STORE_PARSE_ATTRS_NEXT,
+						ERR_R_MALLOC_FAILURE);
+					goto err;
+					}
+				STORE_ATTR_INFO_set_cstr(attrs,
+					context->attributes->code,
+					context->attributes->value,
+					context->attributes->value_size);
+				break;
+			case STORE_ATTR_KEYID:
+			case STORE_ATTR_ISSUERKEYID:
+			case STORE_ATTR_SUBJECTKEYID:
+			case STORE_ATTR_ISSUERSERIALHASH:
+			case STORE_ATTR_CERTHASH:
+				if (!attrs) attrs = STORE_ATTR_INFO_new();
+				if (attrs == NULL)
+					{
+					STOREerr(STORE_F_STORE_PARSE_ATTRS_NEXT,
+						ERR_R_MALLOC_FAILURE);
+					goto err;
+					}
+				STORE_ATTR_INFO_set_sha1str(attrs,
+					context->attributes->code,
+					context->attributes->value,
+					context->attributes->value_size);
+				break;
+			case STORE_ATTR_ISSUER:
+			case STORE_ATTR_SUBJECT:
+				if (!attrs) attrs = STORE_ATTR_INFO_new();
+				if (attrs == NULL)
+					{
+					STOREerr(STORE_F_STORE_PARSE_ATTRS_NEXT,
+						ERR_R_MALLOC_FAILURE);
+					goto err;
+					}
+				STORE_ATTR_INFO_modify_dn(attrs,
+					context->attributes->code,
+					context->attributes->value);
+				break;
+			case STORE_ATTR_SERIAL:
+				if (!attrs) attrs = STORE_ATTR_INFO_new();
+				if (attrs == NULL)
+					{
+					STOREerr(STORE_F_STORE_PARSE_ATTRS_NEXT,
+						ERR_R_MALLOC_FAILURE);
+					goto err;
+					}
+				STORE_ATTR_INFO_modify_number(attrs,
+					context->attributes->code,
+					context->attributes->value);
+				break;
+				}
+			context->attributes++;
+			}
+		if (context->attributes->code == STORE_ATTR_OR)
+			context->attributes++;
+		return attrs;
+	err:
+		while(context->attributes
+			&& context->attributes->code != STORE_ATTR_OR
+			&& context->attributes->code != STORE_ATTR_END)
+			context->attributes++;
+		if (context->attributes->code == STORE_ATTR_OR)
+			context->attributes++;
+		return NULL;
+		}
+	STOREerr(STORE_F_STORE_PARSE_ATTRS_NEXT, ERR_R_PASSED_NULL_PARAMETER);
+	return NULL;
+	}
+int STORE_parse_attrs_end(void *handle)
+	{
+	struct attr_list_ctx_st *context = (struct attr_list_ctx_st *)handle;
+
+	if (context && context->attributes)
+		{
+#if 0
+		OPENSSL_ITEM *attributes = context->attributes;
+#endif
+		OPENSSL_free(context);
+		return 1;
+		}
+	STOREerr(STORE_F_STORE_PARSE_ATTRS_END, ERR_R_PASSED_NULL_PARAMETER);
+	return 0;
+	}
+
+int STORE_parse_attrs_endp(void *handle)
+	{
+	struct attr_list_ctx_st *context = (struct attr_list_ctx_st *)handle;
+
+	if (context && context->attributes)
+		{
+		return context->attributes->code == STORE_ATTR_END;
+		}
+	STOREerr(STORE_F_STORE_PARSE_ATTRS_ENDP, ERR_R_PASSED_NULL_PARAMETER);
+	return 0;
+	}
+
+static int attr_info_compare_compute_range(
+	unsigned char *abits, unsigned char *bbits,
+	unsigned int *alowp, unsigned int *ahighp,
+	unsigned int *blowp, unsigned int *bhighp)
+	{
+	unsigned int alow = (unsigned int)-1, ahigh = 0;
+	unsigned int blow = (unsigned int)-1, bhigh = 0;
+	int i, res = 0;
+
+	for (i = 0; i < (STORE_ATTR_TYPE_NUM + 8) / 8; i++, abits++, bbits++)
+		{
+		if (res == 0)
+			{
+			if (*abits < *bbits) res = -1;
+			if (*abits > *bbits) res = 1;
+			}
+		if (*abits)
+			{
+			if (alow == (unsigned int)-1)
+				{
+				alow = i * 8;
+				if (!(*abits & 0x01)) alow++;
+				if (!(*abits & 0x02)) alow++;
+				if (!(*abits & 0x04)) alow++;
+				if (!(*abits & 0x08)) alow++;
+				if (!(*abits & 0x10)) alow++;
+				if (!(*abits & 0x20)) alow++;
+				if (!(*abits & 0x40)) alow++;
+				}
+			ahigh = i * 8 + 7;
+			if (!(*abits & 0x80)) ahigh++;
+			if (!(*abits & 0x40)) ahigh++;
+			if (!(*abits & 0x20)) ahigh++;
+			if (!(*abits & 0x10)) ahigh++;
+			if (!(*abits & 0x08)) ahigh++;
+			if (!(*abits & 0x04)) ahigh++;
+			if (!(*abits & 0x02)) ahigh++;
+			}
+		if (*bbits)
+			{
+			if (blow == (unsigned int)-1)
+				{
+				blow = i * 8;
+				if (!(*bbits & 0x01)) blow++;
+				if (!(*bbits & 0x02)) blow++;
+				if (!(*bbits & 0x04)) blow++;
+				if (!(*bbits & 0x08)) blow++;
+				if (!(*bbits & 0x10)) blow++;
+				if (!(*bbits & 0x20)) blow++;
+				if (!(*bbits & 0x40)) blow++;
+				}
+			bhigh = i * 8 + 7;
+			if (!(*bbits & 0x80)) bhigh++;
+			if (!(*bbits & 0x40)) bhigh++;
+			if (!(*bbits & 0x20)) bhigh++;
+			if (!(*bbits & 0x10)) bhigh++;
+			if (!(*bbits & 0x08)) bhigh++;
+			if (!(*bbits & 0x04)) bhigh++;
+			if (!(*bbits & 0x02)) bhigh++;
+			}
+		}
+	if (ahigh + alow < bhigh + blow) res = -1;
+	if (ahigh + alow > bhigh + blow) res = 1;
+	if (alowp) *alowp = alow;
+	if (ahighp) *ahighp = ahigh;
+	if (blowp) *blowp = blow;
+	if (bhighp) *bhighp = bhigh;
+	return res;
+	}
+
+int STORE_ATTR_INFO_compare(STORE_ATTR_INFO *a, STORE_ATTR_INFO *b)
+	{
+	if (a == b) return 0;
+	if (!a) return -1;
+	if (!b) return 1;
+	return attr_info_compare_compute_range(a->set, b->set, 0, 0, 0, 0);
+	}
+int STORE_ATTR_INFO_in_range(STORE_ATTR_INFO *a, STORE_ATTR_INFO *b)
+	{
+	unsigned int alow, ahigh, blow, bhigh;
+
+	if (a == b) return 1;
+	if (!a) return 0;
+	if (!b) return 0;
+	attr_info_compare_compute_range(a->set, b->set,
+		&alow, &ahigh, &blow, &bhigh);
+	if (alow >= blow && ahigh <= bhigh)
+		return 1;
+	return 0;
+	}
+int STORE_ATTR_INFO_in(STORE_ATTR_INFO *a, STORE_ATTR_INFO *b)
+	{
+	unsigned char *abits, *bbits;
+	int i;
+
+	if (a == b) return 1;
+	if (!a) return 0;
+	if (!b) return 0;
+	abits = a->set;
+	bbits = b->set;
+	for (i = 0; i < (STORE_ATTR_TYPE_NUM + 8) / 8; i++, abits++, bbits++)
+		{
+		if (*abits && (*bbits & *abits) != *abits)
+			return 0;
+		}
+	return 1;
+	}
+int STORE_ATTR_INFO_in_ex(STORE_ATTR_INFO *a, STORE_ATTR_INFO *b)
+	{
+	STORE_ATTR_TYPES i;
+
+	if (a == b) return 1;
+	if (!STORE_ATTR_INFO_in(a, b)) return 0;
+	for (i = 1; i < STORE_ATTR_TYPE_NUM; i++)
+		if (ATTR_IS_SET(a, i))
+			{
+			switch(i)
+				{
+			case STORE_ATTR_FRIENDLYNAME:
+			case STORE_ATTR_EMAIL:
+			case STORE_ATTR_FILENAME:
+				if (strcmp(a->values[i].cstring,
+					    b->values[i].cstring))
+					return 0;
+				break;
+			case STORE_ATTR_KEYID:
+			case STORE_ATTR_ISSUERKEYID:
+			case STORE_ATTR_SUBJECTKEYID:
+			case STORE_ATTR_ISSUERSERIALHASH:
+			case STORE_ATTR_CERTHASH:
+				if (memcmp(a->values[i].sha1string,
+					    b->values[i].sha1string,
+					    a->value_sizes[i]))
+					return 0;
+				break;
+			case STORE_ATTR_ISSUER:
+			case STORE_ATTR_SUBJECT:
+				if (X509_NAME_cmp(a->values[i].dn,
+					    b->values[i].dn))
+					return 0;
+				break;
+			case STORE_ATTR_SERIAL:
+				if (BN_cmp(a->values[i].number,
+					    b->values[i].number))
+					return 0;
+				break;
+			default:
+				break;
+				}
+			}
+
+	return 1;
+	}
diff --git a/crypto/openssl/crypto/store/str_locl.h b/crypto/openssl/crypto/store/str_locl.h
new file mode 100644
index 000000000000..3f8cb75619c7
--- /dev/null
+++ b/crypto/openssl/crypto/store/str_locl.h
@@ -0,0 +1,124 @@
+/* crypto/store/str_locl.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2003.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_STORE_LOCL_H
+#define HEADER_STORE_LOCL_H
+
+#include <openssl/crypto.h>
+#include <openssl/store.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+struct store_method_st
+	{
+	char *name;
+
+	/* All the functions return a positive integer or non-NULL for success
+	   and 0, a negative integer or NULL for failure */
+
+	/* Initialise the STORE with private data */
+	STORE_INITIALISE_FUNC_PTR init;
+	/* Initialise the STORE with private data */
+	STORE_CLEANUP_FUNC_PTR clean;
+	/* Generate an object of a given type */
+	STORE_GENERATE_OBJECT_FUNC_PTR generate_object;
+	/* Get an object of a given type.  This function isn't really very
+	   useful since the listing functions (below) can be used for the
+	   same purpose and are much more general. */
+	STORE_GET_OBJECT_FUNC_PTR get_object;
+	/* Store an object of a given type. */
+	STORE_STORE_OBJECT_FUNC_PTR store_object;
+	/* Modify the attributes bound to an object of a given type. */
+	STORE_MODIFY_OBJECT_FUNC_PTR modify_object;
+	/* Revoke an object of a given type. */
+	STORE_HANDLE_OBJECT_FUNC_PTR revoke_object;
+	/* Delete an object of a given type. */
+	STORE_HANDLE_OBJECT_FUNC_PTR delete_object;
+	/* List a bunch of objects of a given type and with the associated
+	   attributes. */
+	STORE_START_OBJECT_FUNC_PTR list_object_start;
+	STORE_NEXT_OBJECT_FUNC_PTR list_object_next;
+	STORE_END_OBJECT_FUNC_PTR list_object_end;
+	STORE_END_OBJECT_FUNC_PTR list_object_endp;
+	/* Store-level function to make any necessary update operations. */
+	STORE_GENERIC_FUNC_PTR update_store;
+	/* Store-level function to get exclusive access to the store. */
+	STORE_GENERIC_FUNC_PTR lock_store;
+	/* Store-level function to release exclusive access to the store. */
+	STORE_GENERIC_FUNC_PTR unlock_store;
+
+	/* Generic control function */
+	STORE_CTRL_FUNC_PTR ctrl;
+	};
+
+struct store_st
+	{
+	const STORE_METHOD *meth;
+	/* functional reference if 'meth' is ENGINE-provided */
+	ENGINE *engine;
+
+	CRYPTO_EX_DATA ex_data;
+	int references;
+	};
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/crypto/openssl/crypto/store/str_mem.c b/crypto/openssl/crypto/store/str_mem.c
new file mode 100644
index 000000000000..527757ae0990
--- /dev/null
+++ b/crypto/openssl/crypto/store/str_mem.c
@@ -0,0 +1,357 @@
+/* crypto/store/str_mem.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2003.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#include "str_locl.h"
+
+/* The memory store is currently highly experimental.  It's meant to become
+   a base store used by other stores for internal caching (for full caching
+   support, aging needs to be added).
+
+   The database use is meant to support as much attribute association as
+   possible, while providing for as small search ranges as possible.
+   This is currently provided for by sorting the entries by numbers that
+   are composed of bits set at the positions indicated by attribute type
+   codes.  This provides for ranges determined by the highest attribute
+   type code value.  A better idea might be to sort by values computed
+   from the range of attributes associated with the object (basically,
+   the difference between the highest and lowest attribute type code)
+   and it's distance from a base (basically, the lowest associated
+   attribute type code).
+*/
+
+struct mem_object_data_st
+	{
+	STORE_OBJECT *object;
+	STORE_ATTR_INFO *attr_info;
+	int references;
+	};
+
+struct mem_data_st
+	{
+	STACK *data;		/* A stack of mem_object_data_st,
+				   sorted with STORE_ATTR_INFO_compare(). */
+	unsigned int compute_components : 1; /* Currently unused, but can
+						be used to add attributes
+						from parts of the data. */
+	};
+
+struct mem_ctx_st
+	{
+	int type;		/* The type we're searching for */
+	STACK *search_attributes; /* Sets of attributes to search for.
+				     Each element is a STORE_ATTR_INFO. */
+	int search_index;	/* which of the search attributes we found a match
+				   for, -1 when we still haven't found any */
+	int index;		/* -1 as long as we're searching for the first */
+	};
+
+static int mem_init(STORE *s);
+static void mem_clean(STORE *s);
+static STORE_OBJECT *mem_generate(STORE *s, STORE_OBJECT_TYPES type,
+	OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[]);
+static STORE_OBJECT *mem_get(STORE *s, STORE_OBJECT_TYPES type,
+	OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[]);
+static int mem_store(STORE *s, STORE_OBJECT_TYPES type,
+	STORE_OBJECT *data, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+static int mem_modify(STORE *s, STORE_OBJECT_TYPES type,
+	OPENSSL_ITEM search_attributes[], OPENSSL_ITEM add_attributes[],
+	OPENSSL_ITEM modify_attributes[], OPENSSL_ITEM delete_attributes[],
+	OPENSSL_ITEM parameters[]);
+static int mem_delete(STORE *s, STORE_OBJECT_TYPES type,
+	OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[]);
+static void *mem_list_start(STORE *s, STORE_OBJECT_TYPES type,
+	OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[]);
+static STORE_OBJECT *mem_list_next(STORE *s, void *handle);
+static int mem_list_end(STORE *s, void *handle);
+static int mem_list_endp(STORE *s, void *handle);
+static int mem_lock(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+static int mem_unlock(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[]);
+static int mem_ctrl(STORE *s, int cmd, long l, void *p, void (*f)(void));
+
+static STORE_METHOD store_memory =
+	{
+	"OpenSSL memory store interface",
+	mem_init,
+	mem_clean,
+	mem_generate,
+	mem_get,
+	mem_store,
+	mem_modify,
+	NULL, /* revoke */
+	mem_delete,
+	mem_list_start,
+	mem_list_next,
+	mem_list_end,
+	mem_list_endp,
+	NULL, /* update */
+	mem_lock,
+	mem_unlock,
+	mem_ctrl
+	};
+
+const STORE_METHOD *STORE_Memory(void)
+	{
+	return &store_memory;
+	}
+
+static int mem_init(STORE *s)
+	{
+	return 1;
+	}
+
+static void mem_clean(STORE *s)
+	{
+	return;
+	}
+
+static STORE_OBJECT *mem_generate(STORE *s, STORE_OBJECT_TYPES type,
+	OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[])
+	{
+	STOREerr(STORE_F_MEM_GENERATE, STORE_R_NOT_IMPLEMENTED);
+	return 0;
+	}
+static STORE_OBJECT *mem_get(STORE *s, STORE_OBJECT_TYPES type,
+	OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[])
+	{
+	void *context = mem_list_start(s, type, attributes, parameters);
+	
+	if (context)
+		{
+		STORE_OBJECT *object = mem_list_next(s, context);
+
+		if (mem_list_end(s, context))
+			return object;
+		}
+	return NULL;
+	}
+static int mem_store(STORE *s, STORE_OBJECT_TYPES type,
+	STORE_OBJECT *data, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STOREerr(STORE_F_MEM_STORE, STORE_R_NOT_IMPLEMENTED);
+	return 0;
+	}
+static int mem_modify(STORE *s, STORE_OBJECT_TYPES type,
+	OPENSSL_ITEM search_attributes[], OPENSSL_ITEM add_attributes[],
+	OPENSSL_ITEM modify_attributes[], OPENSSL_ITEM delete_attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	STOREerr(STORE_F_MEM_MODIFY, STORE_R_NOT_IMPLEMENTED);
+	return 0;
+	}
+static int mem_delete(STORE *s, STORE_OBJECT_TYPES type,
+	OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[])
+	{
+	STOREerr(STORE_F_MEM_DELETE, STORE_R_NOT_IMPLEMENTED);
+	return 0;
+	}
+
+/* The list functions may be the hardest to understand.  Basically,
+   mem_list_start compiles a stack of attribute info elements, and
+   puts that stack into the context to be returned.  mem_list_next
+   will then find the first matching element in the store, and then
+   walk all the way to the end of the store (since any combination
+   of attribute bits above the starting point may match the searched
+   for bit pattern...). */
+static void *mem_list_start(STORE *s, STORE_OBJECT_TYPES type,
+	OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[])
+	{
+	struct mem_ctx_st *context =
+		(struct mem_ctx_st *)OPENSSL_malloc(sizeof(struct mem_ctx_st));
+	void *attribute_context = NULL;
+	STORE_ATTR_INFO *attrs = NULL;
+
+	if (!context)
+		{
+		STOREerr(STORE_F_MEM_LIST_START, ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	memset(context, 0, sizeof(struct mem_ctx_st));
+
+	attribute_context = STORE_parse_attrs_start(attributes);
+	if (!attribute_context)
+		{
+		STOREerr(STORE_F_MEM_LIST_START, ERR_R_STORE_LIB);
+		goto err;
+		}
+
+	while((attrs = STORE_parse_attrs_next(attribute_context)))
+		{
+		if (context->search_attributes == NULL)
+			{
+			context->search_attributes =
+				sk_new((int (*)(const char * const *, const char * const *))STORE_ATTR_INFO_compare);
+			if (!context->search_attributes)
+				{
+				STOREerr(STORE_F_MEM_LIST_START,
+					ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+			}
+		sk_push(context->search_attributes,(char *)attrs);
+		}
+	if (!STORE_parse_attrs_endp(attribute_context))
+		goto err;
+	STORE_parse_attrs_end(attribute_context);
+	context->search_index = -1;
+	context->index = -1;
+	return context;
+ err:
+	if (attribute_context) STORE_parse_attrs_end(attribute_context);
+	mem_list_end(s, context);
+	return NULL;
+	}
+static STORE_OBJECT *mem_list_next(STORE *s, void *handle)
+	{
+	int i;
+	struct mem_ctx_st *context = (struct mem_ctx_st *)handle;
+	struct mem_object_data_st key = { 0, 0, 1 };
+	struct mem_data_st *store =
+		(struct mem_data_st *)STORE_get_ex_data(s, 1);
+	int srch;
+	int cres = 0;
+
+	if (!context)
+		{
+		STOREerr(STORE_F_MEM_LIST_NEXT, ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	if (!store)
+		{
+		STOREerr(STORE_F_MEM_LIST_NEXT, STORE_R_NO_STORE);
+		return NULL;
+		}
+
+	if (context->search_index == -1)
+		{
+		for (i = 0; i < sk_num(context->search_attributes); i++)
+			{
+			key.attr_info =
+				(STORE_ATTR_INFO *)sk_value(context->search_attributes, i);
+			srch = sk_find_ex(store->data, (char *)&key);
+
+			if (srch >= 0)
+				{
+				context->search_index = srch;
+				break;
+				}
+			}
+		}
+	if (context->search_index < 0)
+		return NULL;
+	
+	key.attr_info =
+		(STORE_ATTR_INFO *)sk_value(context->search_attributes,
+			context->search_index);
+	for(srch = context->search_index;
+	    srch < sk_num(store->data)
+		    && STORE_ATTR_INFO_in_range(key.attr_info,
+			    (STORE_ATTR_INFO *)sk_value(store->data, srch))
+		    && !(cres = STORE_ATTR_INFO_in_ex(key.attr_info,
+				 (STORE_ATTR_INFO *)sk_value(store->data, srch)));
+	    srch++)
+		;
+
+	context->search_index = srch;
+	if (cres)
+		return ((struct mem_object_data_st *)sk_value(store->data,
+				srch))->object;
+	return NULL;
+	}
+static int mem_list_end(STORE *s, void *handle)
+	{
+	struct mem_ctx_st *context = (struct mem_ctx_st *)handle;
+
+	if (!context)
+		{
+		STOREerr(STORE_F_MEM_LIST_END, ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	if (context && context->search_attributes)
+		sk_free(context->search_attributes);
+	if (context) OPENSSL_free(context);
+	return 1;
+	}
+static int mem_list_endp(STORE *s, void *handle)
+	{
+	struct mem_ctx_st *context = (struct mem_ctx_st *)handle;
+
+	if (!context
+		|| context->search_index == sk_num(context->search_attributes))
+		return 1;
+	return 0;
+	}
+static int mem_lock(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	return 1;
+	}
+static int mem_unlock(STORE *s, OPENSSL_ITEM attributes[],
+	OPENSSL_ITEM parameters[])
+	{
+	return 1;
+	}
+static int mem_ctrl(STORE *s, int cmd, long l, void *p, void (*f)(void))
+	{
+	return 1;
+	}
diff --git a/crypto/openssl/crypto/store/str_meth.c b/crypto/openssl/crypto/store/str_meth.c
new file mode 100644
index 000000000000..a46de03a2600
--- /dev/null
+++ b/crypto/openssl/crypto/store/str_meth.c
@@ -0,0 +1,250 @@
+/* crypto/store/str_meth.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2003.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include <openssl/buffer.h>
+#include "str_locl.h"
+
+STORE_METHOD *STORE_create_method(char *name)
+	{
+	STORE_METHOD *store_method = (STORE_METHOD *)OPENSSL_malloc(sizeof(STORE_METHOD));
+
+	if (store_method)
+		{
+		memset(store_method, 0, sizeof(*store_method));
+		store_method->name = BUF_strdup(name);
+		}
+	return store_method;
+	}
+
+/* BIG FSCKING WARNING!!!!  If you use this on a statically allocated method
+   (that is, it hasn't been allocated using STORE_create_method(), you deserve
+   anything Murphy can throw at you and more!  You have been warned. */
+void STORE_destroy_method(STORE_METHOD *store_method)
+	{
+	if (!store_method) return;
+	OPENSSL_free(store_method->name);
+	store_method->name = NULL;
+	OPENSSL_free(store_method);
+	}
+
+int STORE_method_set_initialise_function(STORE_METHOD *sm, STORE_INITIALISE_FUNC_PTR init_f)
+	{
+	sm->init = init_f;
+	return 1;
+	}
+
+int STORE_method_set_cleanup_function(STORE_METHOD *sm, STORE_CLEANUP_FUNC_PTR clean_f)
+	{
+	sm->clean = clean_f;
+	return 1;
+	}
+
+int STORE_method_set_generate_function(STORE_METHOD *sm, STORE_GENERATE_OBJECT_FUNC_PTR generate_f)
+	{
+	sm->generate_object = generate_f;
+	return 1;
+	}
+
+int STORE_method_set_get_function(STORE_METHOD *sm, STORE_GET_OBJECT_FUNC_PTR get_f)
+	{
+	sm->get_object = get_f;
+	return 1;
+	}
+
+int STORE_method_set_store_function(STORE_METHOD *sm, STORE_STORE_OBJECT_FUNC_PTR store_f)
+	{
+	sm->store_object = store_f;
+	return 1;
+	}
+
+int STORE_method_set_modify_function(STORE_METHOD *sm, STORE_MODIFY_OBJECT_FUNC_PTR modify_f)
+	{
+	sm->modify_object = modify_f;
+	return 1;
+	}
+
+int STORE_method_set_revoke_function(STORE_METHOD *sm, STORE_HANDLE_OBJECT_FUNC_PTR revoke_f)
+	{
+	sm->revoke_object = revoke_f;
+	return 1;
+	}
+
+int STORE_method_set_delete_function(STORE_METHOD *sm, STORE_HANDLE_OBJECT_FUNC_PTR delete_f)
+	{
+	sm->delete_object = delete_f;
+	return 1;
+	}
+
+int STORE_method_set_list_start_function(STORE_METHOD *sm, STORE_START_OBJECT_FUNC_PTR list_start_f)
+	{
+	sm->list_object_start = list_start_f;
+	return 1;
+	}
+
+int STORE_method_set_list_next_function(STORE_METHOD *sm, STORE_NEXT_OBJECT_FUNC_PTR list_next_f)
+	{
+	sm->list_object_next = list_next_f;
+	return 1;
+	}
+
+int STORE_method_set_list_end_function(STORE_METHOD *sm, STORE_END_OBJECT_FUNC_PTR list_end_f)
+	{
+	sm->list_object_end = list_end_f;
+	return 1;
+	}
+
+int STORE_method_set_update_store_function(STORE_METHOD *sm, STORE_GENERIC_FUNC_PTR update_f)
+	{
+	sm->update_store = update_f;
+	return 1;
+	}
+
+int STORE_method_set_lock_store_function(STORE_METHOD *sm, STORE_GENERIC_FUNC_PTR lock_f)
+	{
+	sm->lock_store = lock_f;
+	return 1;
+	}
+
+int STORE_method_set_unlock_store_function(STORE_METHOD *sm, STORE_GENERIC_FUNC_PTR unlock_f)
+	{
+	sm->unlock_store = unlock_f;
+	return 1;
+	}
+
+int STORE_method_set_ctrl_function(STORE_METHOD *sm, STORE_CTRL_FUNC_PTR ctrl_f)
+	{
+	sm->ctrl = ctrl_f;
+	return 1;
+	}
+
+STORE_INITIALISE_FUNC_PTR STORE_method_get_initialise_function(STORE_METHOD *sm)
+	{
+	return sm->init;
+	}
+
+STORE_CLEANUP_FUNC_PTR STORE_method_get_cleanup_function(STORE_METHOD *sm)
+	{
+	return sm->clean;
+	}
+
+STORE_GENERATE_OBJECT_FUNC_PTR STORE_method_get_generate_function(STORE_METHOD *sm)
+	{
+	return sm->generate_object;
+	}
+
+STORE_GET_OBJECT_FUNC_PTR STORE_method_get_get_function(STORE_METHOD *sm)
+	{
+	return sm->get_object;
+	}
+
+STORE_STORE_OBJECT_FUNC_PTR STORE_method_get_store_function(STORE_METHOD *sm)
+	{
+	return sm->store_object;
+	}
+
+STORE_MODIFY_OBJECT_FUNC_PTR STORE_method_get_modify_function(STORE_METHOD *sm)
+	{
+	return sm->modify_object;
+	}
+
+STORE_HANDLE_OBJECT_FUNC_PTR STORE_method_get_revoke_function(STORE_METHOD *sm)
+	{
+	return sm->revoke_object;
+	}
+
+STORE_HANDLE_OBJECT_FUNC_PTR STORE_method_get_delete_function(STORE_METHOD *sm)
+	{
+	return sm->delete_object;
+	}
+
+STORE_START_OBJECT_FUNC_PTR STORE_method_get_list_start_function(STORE_METHOD *sm)
+	{
+	return sm->list_object_start;
+	}
+
+STORE_NEXT_OBJECT_FUNC_PTR STORE_method_get_list_next_function(STORE_METHOD *sm)
+	{
+	return sm->list_object_next;
+	}
+
+STORE_END_OBJECT_FUNC_PTR STORE_method_get_list_end_function(STORE_METHOD *sm)
+	{
+	return sm->list_object_end;
+	}
+
+STORE_GENERIC_FUNC_PTR STORE_method_get_update_store_function(STORE_METHOD *sm)
+	{
+	return sm->update_store;
+	}
+
+STORE_GENERIC_FUNC_PTR STORE_method_get_lock_store_function(STORE_METHOD *sm)
+	{
+	return sm->lock_store;
+	}
+
+STORE_GENERIC_FUNC_PTR STORE_method_get_unlock_store_function(STORE_METHOD *sm)
+	{
+	return sm->unlock_store;
+	}
+
+STORE_CTRL_FUNC_PTR STORE_method_get_ctrl_function(STORE_METHOD *sm)
+	{
+	return sm->ctrl;
+	}
+
diff --git a/crypto/openssl/crypto/symhacks.h b/crypto/openssl/crypto/symhacks.h
index 774162fec9e8..7e3602d2ea43 100644
--- a/crypto/openssl/crypto/symhacks.h
+++ b/crypto/openssl/crypto/symhacks.h
@@ -127,6 +127,12 @@
 /* Hack some long X509 names */
 #undef X509_REVOKED_get_ext_by_critical
 #define X509_REVOKED_get_ext_by_critical	X509_REVOKED_get_ext_by_critic
+#undef X509_policy_tree_get0_user_policies
+#define X509_policy_tree_get0_user_policies	X509_pcy_tree_get0_usr_policies
+#undef X509_policy_node_get0_qualifiers
+#define X509_policy_node_get0_qualifiers	X509_pcy_node_get0_qualifiers
+#undef X509_STORE_CTX_get_explicit_policy
+#define X509_STORE_CTX_get_explicit_policy	X509_STORE_CTX_get_expl_policy
 
 /* Hack some long CRYPTO names */
 #undef CRYPTO_set_dynlock_destroy_callback
@@ -153,16 +159,16 @@
 #define SSL_get_ex_data_X509_STORE_CTX_idx      SSL_get_ex_d_X509_STORE_CTX_idx
 #undef SSL_add_file_cert_subjects_to_stack
 #define SSL_add_file_cert_subjects_to_stack     SSL_add_file_cert_subjs_to_stk
-#if 0 /* This function is not defined i VMS. */
 #undef SSL_add_dir_cert_subjects_to_stack
 #define SSL_add_dir_cert_subjects_to_stack      SSL_add_dir_cert_subjs_to_stk
-#endif
 #undef SSL_CTX_use_certificate_chain_file
 #define SSL_CTX_use_certificate_chain_file      SSL_CTX_use_cert_chain_file
 #undef SSL_CTX_set_cert_verify_callback
 #define SSL_CTX_set_cert_verify_callback        SSL_CTX_set_cert_verify_cb
 #undef SSL_CTX_set_default_passwd_cb_userdata
 #define SSL_CTX_set_default_passwd_cb_userdata  SSL_CTX_set_def_passwd_cb_ud
+#undef SSL_COMP_get_compression_methods
+#define SSL_COMP_get_compression_methods	SSL_COMP_get_compress_methods
 
 /* Hack some long ENGINE names */
 #undef ENGINE_get_default_BN_mod_exp_crt
@@ -195,6 +201,12 @@
 #define OPENSSL_add_all_algorithms_conf		OPENSSL_add_all_algo_conf
 
 /* Hack some long EC names */
+#undef EC_GROUP_set_point_conversion_form
+#define EC_GROUP_set_point_conversion_form	EC_GROUP_set_point_conv_form
+#undef EC_GROUP_get_point_conversion_form
+#define EC_GROUP_get_point_conversion_form	EC_GROUP_get_point_conv_form
+#undef EC_GROUP_clear_free_all_extra_data
+#define EC_GROUP_clear_free_all_extra_data	EC_GROUP_clr_free_all_xtra_data
 #undef EC_POINT_set_Jprojective_coordinates_GFp
 #define EC_POINT_set_Jprojective_coordinates_GFp \
                                                 EC_POINT_set_Jproj_coords_GFp
@@ -207,6 +219,32 @@
 #define EC_POINT_get_affine_coordinates_GFp     EC_POINT_get_affine_coords_GFp
 #undef EC_POINT_set_compressed_coordinates_GFp
 #define EC_POINT_set_compressed_coordinates_GFp EC_POINT_set_compr_coords_GFp
+#undef EC_POINT_set_affine_coordinates_GF2m
+#define EC_POINT_set_affine_coordinates_GF2m    EC_POINT_set_affine_coords_GF2m
+#undef EC_POINT_get_affine_coordinates_GF2m
+#define EC_POINT_get_affine_coordinates_GF2m    EC_POINT_get_affine_coords_GF2m
+#undef EC_POINT_set_compressed_coordinates_GF2m
+#define EC_POINT_set_compressed_coordinates_GF2m \
+                                                EC_POINT_set_compr_coords_GF2m
+#undef ec_GF2m_simple_group_clear_finish
+#define ec_GF2m_simple_group_clear_finish        ec_GF2m_simple_grp_clr_finish
+#undef ec_GF2m_simple_group_check_discriminant
+#define ec_GF2m_simple_group_check_discriminant	ec_GF2m_simple_grp_chk_discrim
+#undef ec_GF2m_simple_point_clear_finish
+#define ec_GF2m_simple_point_clear_finish        ec_GF2m_simple_pt_clr_finish
+#undef ec_GF2m_simple_point_set_to_infinity
+#define ec_GF2m_simple_point_set_to_infinity     ec_GF2m_simple_pt_set_to_inf
+#undef ec_GF2m_simple_points_make_affine
+#define ec_GF2m_simple_points_make_affine        ec_GF2m_simple_pts_make_affine
+#undef ec_GF2m_simple_point_set_affine_coordinates
+#define ec_GF2m_simple_point_set_affine_coordinates \
+                                                ec_GF2m_smp_pt_set_af_coords
+#undef ec_GF2m_simple_point_get_affine_coordinates
+#define ec_GF2m_simple_point_get_affine_coordinates \
+                                                ec_GF2m_smp_pt_get_af_coords
+#undef ec_GF2m_simple_set_compressed_coordinates
+#define ec_GF2m_simple_set_compressed_coordinates \
+                                                ec_GF2m_smp_set_compr_coords
 #undef ec_GFp_simple_group_set_curve_GFp
 #define ec_GFp_simple_group_set_curve_GFp       ec_GFp_simple_grp_set_curve_GFp
 #undef ec_GFp_simple_group_get_curve_GFp
@@ -242,6 +280,67 @@
 #undef ec_GFp_simple_set_compressed_coordinates_GFp
 #define ec_GFp_simple_set_compressed_coordinates_GFp \
                                                 ec_GFp_smp_set_compr_coords_GFp
+#undef ec_GFp_simple_point_set_affine_coordinates
+#define ec_GFp_simple_point_set_affine_coordinates \
+                                                ec_GFp_smp_pt_set_af_coords
+#undef ec_GFp_simple_point_get_affine_coordinates
+#define ec_GFp_simple_point_get_affine_coordinates \
+                                                ec_GFp_smp_pt_get_af_coords
+#undef ec_GFp_simple_set_compressed_coordinates
+#define ec_GFp_simple_set_compressed_coordinates \
+                                                ec_GFp_smp_set_compr_coords
+#undef ec_GFp_simple_group_check_discriminant
+#define ec_GFp_simple_group_check_discriminant	ec_GFp_simple_grp_chk_discrim
+
+/* Hack som long STORE names */
+#undef STORE_method_set_initialise_function
+#define STORE_method_set_initialise_function	STORE_meth_set_initialise_fn
+#undef STORE_method_set_cleanup_function
+#define STORE_method_set_cleanup_function	STORE_meth_set_cleanup_fn
+#undef STORE_method_set_generate_function
+#define STORE_method_set_generate_function	STORE_meth_set_generate_fn
+#undef STORE_method_set_modify_function
+#define STORE_method_set_modify_function	STORE_meth_set_modify_fn
+#undef STORE_method_set_revoke_function
+#define STORE_method_set_revoke_function	STORE_meth_set_revoke_fn
+#undef STORE_method_set_delete_function
+#define STORE_method_set_delete_function	STORE_meth_set_delete_fn
+#undef STORE_method_set_list_start_function
+#define STORE_method_set_list_start_function	STORE_meth_set_list_start_fn
+#undef STORE_method_set_list_next_function
+#define STORE_method_set_list_next_function	STORE_meth_set_list_next_fn
+#undef STORE_method_set_list_end_function
+#define STORE_method_set_list_end_function	STORE_meth_set_list_end_fn
+#undef STORE_method_set_update_store_function
+#define STORE_method_set_update_store_function	STORE_meth_set_update_store_fn
+#undef STORE_method_set_lock_store_function
+#define STORE_method_set_lock_store_function	STORE_meth_set_lock_store_fn
+#undef STORE_method_set_unlock_store_function
+#define STORE_method_set_unlock_store_function	STORE_meth_set_unlock_store_fn
+#undef STORE_method_get_initialise_function
+#define STORE_method_get_initialise_function	STORE_meth_get_initialise_fn
+#undef STORE_method_get_cleanup_function
+#define STORE_method_get_cleanup_function	STORE_meth_get_cleanup_fn
+#undef STORE_method_get_generate_function
+#define STORE_method_get_generate_function	STORE_meth_get_generate_fn
+#undef STORE_method_get_modify_function
+#define STORE_method_get_modify_function	STORE_meth_get_modify_fn
+#undef STORE_method_get_revoke_function
+#define STORE_method_get_revoke_function	STORE_meth_get_revoke_fn
+#undef STORE_method_get_delete_function
+#define STORE_method_get_delete_function	STORE_meth_get_delete_fn
+#undef STORE_method_get_list_start_function
+#define STORE_method_get_list_start_function	STORE_meth_get_list_start_fn
+#undef STORE_method_get_list_next_function
+#define STORE_method_get_list_next_function	STORE_meth_get_list_next_fn
+#undef STORE_method_get_list_end_function
+#define STORE_method_get_list_end_function	STORE_meth_get_list_end_fn
+#undef STORE_method_get_update_store_function
+#define STORE_method_get_update_store_function	STORE_meth_get_update_store_fn
+#undef STORE_method_get_lock_store_function
+#define STORE_method_get_lock_store_function	STORE_meth_get_lock_store_fn
+#undef STORE_method_get_unlock_store_function
+#define STORE_method_get_unlock_store_function	STORE_meth_get_unlock_store_fn
 
 #endif /* defined OPENSSL_SYS_VMS */
 
@@ -253,6 +352,15 @@
 #undef OCSP_crlID_new
 #define OCSP_crlID_new                          OCSP_crlID2_new
 
+#undef d2i_ECPARAMETERS
+#define d2i_ECPARAMETERS                        d2i_UC_ECPARAMETERS
+#undef i2d_ECPARAMETERS
+#define i2d_ECPARAMETERS                        i2d_UC_ECPARAMETERS
+#undef d2i_ECPKPARAMETERS
+#define d2i_ECPKPARAMETERS                      d2i_UC_ECPKPARAMETERS
+#undef i2d_ECPKPARAMETERS
+#define i2d_ECPKPARAMETERS                      i2d_UC_ECPKPARAMETERS
+
 /* These functions do not seem to exist!  However, I'm paranoid...
    Original command in x509v3.h:
    These functions are being redefined in another directory,
diff --git a/crypto/openssl/crypto/threads/mttest.c b/crypto/openssl/crypto/threads/mttest.c
index 7588966cb219..f6f3df4b6aa8 100644
--- a/crypto/openssl/crypto/threads/mttest.c
+++ b/crypto/openssl/crypto/threads/mttest.c
@@ -77,6 +77,12 @@
 #ifdef PTHREADS
 #include <pthread.h>
 #endif
+#ifdef OPENSSL_SYS_NETWARE
+#if !defined __int64
+#  define __int64 long long
+#endif   
+#include <nwmpk.h>
+#endif
 #include <openssl/lhash.h>
 #include <openssl/crypto.h>
 #include <openssl/buffer.h>
@@ -86,8 +92,18 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 
+#ifdef OPENSSL_NO_FP_API
+#define APPS_WIN16
+#include "../buffer/bss_file.c"
+#endif
+
+#ifdef OPENSSL_SYS_NETWARE
+#define TEST_SERVER_CERT "/openssl/apps/server.pem"
+#define TEST_CLIENT_CERT "/openssl/apps/client.pem"
+#else
 #define TEST_SERVER_CERT "../../apps/server.pem"
 #define TEST_CLIENT_CERT "../../apps/client.pem"
+#endif
 
 #define MAX_THREAD_NUMBER	100
 
@@ -100,10 +116,18 @@ void irix_locking_callback(int mode,int type,char *file,int line);
 void solaris_locking_callback(int mode,int type,char *file,int line);
 void win32_locking_callback(int mode,int type,char *file,int line);
 void pthreads_locking_callback(int mode,int type,char *file,int line);
+void netware_locking_callback(int mode,int type,char *file,int line);
 
 unsigned long irix_thread_id(void );
 unsigned long solaris_thread_id(void );
 unsigned long pthreads_thread_id(void );
+unsigned long netware_thread_id(void );
+
+#if defined(OPENSSL_SYS_NETWARE)
+static MPKMutex *lock_cs;
+static MPKSema ThreadSem;
+static long *lock_count;
+#endif
 
 BIO *bio_err=NULL;
 BIO *bio_stdout=NULL;
@@ -384,6 +408,9 @@ int ndoit(SSL_CTX *ssl_ctx[2])
 		SSL_free((SSL *)ctx[2]);
 		SSL_free((SSL *)ctx[3]);
 		}
+#   ifdef OPENSSL_SYS_NETWARE
+        MPKSemaphoreSignal(ThreadSem);
+#   endif
 	return(0);
 	}
 
@@ -627,6 +654,9 @@ int doit(char *ctx[4])
 			}
 
 		if ((done & S_DONE) && (done & C_DONE)) break;
+#   if defined(OPENSSL_SYS_NETWARE)
+        ThreadSwitchWithDelay();
+#   endif
 		}
 
 	SSL_set_shutdown(c_ssl,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
@@ -1094,3 +1124,88 @@ unsigned long pthreads_thread_id(void)
 
 
 
+#ifdef OPENSSL_SYS_NETWARE
+
+void thread_setup(void)
+{
+   int i;
+
+   lock_cs=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(MPKMutex));
+   lock_count=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
+   for (i=0; i<CRYPTO_num_locks(); i++)
+   {
+      lock_count[i]=0;
+      lock_cs[i]=MPKMutexAlloc("OpenSSL mutex");
+   }
+
+   ThreadSem = MPKSemaphoreAlloc("OpenSSL mttest semaphore", 0 );
+
+   CRYPTO_set_id_callback((unsigned long (*)())netware_thread_id);
+   CRYPTO_set_locking_callback((void (*)())netware_locking_callback);
+}
+
+void thread_cleanup(void)
+{
+   int i;
+
+   CRYPTO_set_locking_callback(NULL);
+
+   fprintf(stdout,"thread_cleanup\n");
+
+   for (i=0; i<CRYPTO_num_locks(); i++)
+   {
+      MPKMutexFree(lock_cs[i]);
+      fprintf(stdout,"%8ld:%s\n",lock_count[i],CRYPTO_get_lock_name(i));
+   }
+   OPENSSL_free(lock_cs);
+   OPENSSL_free(lock_count);
+
+   MPKSemaphoreFree(ThreadSem);
+
+   fprintf(stdout,"done cleanup\n");
+}
+
+void netware_locking_callback(int mode, int type, char *file, int line)
+{
+   if (mode & CRYPTO_LOCK)
+   {
+      MPKMutexLock(lock_cs[type]);
+      lock_count[type]++;
+   }
+   else
+      MPKMutexUnlock(lock_cs[type]);
+}
+
+void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx)
+{
+   SSL_CTX *ssl_ctx[2];
+   int i;
+   ssl_ctx[0]=s_ctx;
+   ssl_ctx[1]=c_ctx;
+
+   for (i=0; i<thread_number; i++)
+   {
+      BeginThread( (void(*)(void*))ndoit, NULL, THREAD_STACK_SIZE, 
+                   (void*)ssl_ctx);
+      ThreadSwitchWithDelay();
+   }
+
+   printf("reaping\n");
+
+      /* loop until all threads have signaled the semaphore */
+   for (i=0; i<thread_number; i++)
+   {
+      MPKSemaphoreWait(ThreadSem);
+   }
+   printf("netware threads done (%d,%d)\n",
+         s_ctx->references,c_ctx->references);
+}
+
+unsigned long netware_thread_id(void)
+{
+   unsigned long ret;
+
+   ret=(unsigned long)GetThreadID();
+   return(ret);
+}
+#endif /* NETWARE */
diff --git a/crypto/openssl/crypto/threads/th-lock.c b/crypto/openssl/crypto/threads/th-lock.c
index a6a79b9f4530..14aae5f91287 100644
--- a/crypto/openssl/crypto/threads/th-lock.c
+++ b/crypto/openssl/crypto/threads/th-lock.c
@@ -80,7 +80,7 @@
 #include <openssl/lhash.h>
 #include <openssl/crypto.h>
 #include <openssl/buffer.h>
-#include <openssl/e_os.h>
+#include "../../e_os.h"
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
diff --git a/crypto/openssl/crypto/tmdiff.c b/crypto/openssl/crypto/tmdiff.c
index 307523ebba3b..1c6e052ac98d 100644
--- a/crypto/openssl/crypto/tmdiff.c
+++ b/crypto/openssl/crypto/tmdiff.c
@@ -72,7 +72,11 @@
 # define TIMES
 #endif
 
-#ifndef _IRIX
+#ifdef OPENSSL_SYS_NETWARE
+#undef TIMES
+#endif
+
+#if !defined(_IRIX) || defined (OPENSSL_SYS_NETWARE)
 #  include <time.h>
 #endif
 #ifdef TIMES
@@ -94,7 +98,7 @@
 #include <sys/param.h>
 #endif
 
-#if !defined(TIMES) && !defined(OPENSSL_SYS_VXWORKS)
+#if !defined(TIMES) && !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_NETWARE)
 #include <sys/timeb.h>
 #endif
 
@@ -106,7 +110,8 @@
 #ifndef HZ
 # if defined(_SC_CLK_TCK) \
      && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000)
-#  define HZ ((double)sysconf(_SC_CLK_TCK))
+/* #  define HZ ((double)sysconf(_SC_CLK_TCK)) */
+#  define HZ sysconf(_SC_CLK_TCK)
 # else
 #  ifndef CLK_TCK
 #   ifndef _BSD_CLK_TCK_ /* FreeBSD hack */
@@ -120,7 +125,7 @@
 # endif
 #endif
 
-typedef struct ms_tm
+struct ms_tm
 	{
 #ifdef TIMES
 	struct tms ms_tms;
@@ -128,6 +133,8 @@ typedef struct ms_tm
 #  ifdef OPENSSL_SYS_WIN32
 	HANDLE thread_id;
 	FILETIME ms_win32;
+#  elif defined (OPENSSL_SYS_NETWARE)
+   clock_t ms_clock;
 #  else
 #    ifdef OPENSSL_SYS_VXWORKS
           unsigned long ticks;
@@ -136,9 +143,9 @@ typedef struct ms_tm
 #    endif
 #  endif
 #endif
-	} MS_TM;
+	};
 
-char *ms_time_new(void)
+MS_TM *ms_time_new(void)
 	{
 	MS_TM *ret;
 
@@ -149,18 +156,17 @@ char *ms_time_new(void)
 #ifdef OPENSSL_SYS_WIN32
 	ret->thread_id=GetCurrentThread();
 #endif
-	return((char *)ret);
+	return ret;
 	}
 
-void ms_time_free(char *a)
+void ms_time_free(MS_TM *a)
 	{
 	if (a != NULL)
 		OPENSSL_free(a);
 	}
 
-void ms_time_get(char *a)
+void ms_time_get(MS_TM *tm)
 	{
-	MS_TM *tm=(MS_TM *)a;
 #ifdef OPENSSL_SYS_WIN32
 	FILETIME tmpa,tmpb,tmpc;
 #endif
@@ -170,6 +176,8 @@ void ms_time_get(char *a)
 #else
 #  ifdef OPENSSL_SYS_WIN32
 	GetThreadTimes(tm->thread_id,&tmpa,&tmpb,&tmpc,&(tm->ms_win32));
+#  elif defined (OPENSSL_SYS_NETWARE)
+   tm->ms_clock = clock();
 #  else
 #    ifdef OPENSSL_SYS_VXWORKS
         tm->ticks = tickGet();
@@ -180,14 +188,13 @@ void ms_time_get(char *a)
 #endif
 	}
 
-double ms_time_diff(char *ap, char *bp)
+double ms_time_diff(MS_TM *a, MS_TM *b)
 	{
-	MS_TM *a=(MS_TM *)ap;
-	MS_TM *b=(MS_TM *)bp;
 	double ret;
 
 #ifdef TIMES
-	ret=(b->ms_tms.tms_utime-a->ms_tms.tms_utime)/HZ;
+	ret = HZ;
+	ret = (b->ms_tms.tms_utime-a->ms_tms.tms_utime) / ret;
 #else
 # ifdef OPENSSL_SYS_WIN32
 	{
@@ -204,6 +211,8 @@ double ms_time_diff(char *ap, char *bp)
 	lb+=b->ms_win32.dwLowDateTime;
 	ret=((double)(lb-la))/1e7;
 	}
+# elif defined (OPENSSL_SYS_NETWARE)
+    ret= (double)(b->ms_clock - a->ms_clock);
 # else
 #  ifdef OPENSSL_SYS_VXWORKS
         ret = (double)(b->ticks - a->ticks) / (double)sysClkRateGet();
@@ -217,18 +226,20 @@ double ms_time_diff(char *ap, char *bp)
 	return((ret < 0.0000001)?0.0000001:ret);
 	}
 
-int ms_time_cmp(char *ap, char *bp)
+int ms_time_cmp(const MS_TM *a, const MS_TM *b)
 	{
-	MS_TM *a=(MS_TM *)ap,*b=(MS_TM *)bp;
 	double d;
 	int ret;
 
 #ifdef TIMES
-	d=(b->ms_tms.tms_utime-a->ms_tms.tms_utime)/HZ;
+	d = HZ;
+	d = (b->ms_tms.tms_utime-a->ms_tms.tms_utime) / d;
 #else
 # ifdef OPENSSL_SYS_WIN32
 	d =(b->ms_win32.dwHighDateTime&0x000fffff)*10+b->ms_win32.dwLowDateTime/1e7;
 	d-=(a->ms_win32.dwHighDateTime&0x000fffff)*10+a->ms_win32.dwLowDateTime/1e7;
+# elif defined (OPENSSL_SYS_NETWARE)
+    d= (double)(b->ms_clock - a->ms_clock);
 # else
 #  ifdef OPENSSL_SYS_VXWORKS
         d = (b->ticks - a->ticks);
diff --git a/crypto/openssl/crypto/tmdiff.h b/crypto/openssl/crypto/tmdiff.h
index 41a8a1e0e0da..af5c41c64992 100644
--- a/crypto/openssl/crypto/tmdiff.h
+++ b/crypto/openssl/crypto/tmdiff.h
@@ -59,6 +59,16 @@
 /* Header for dynamic hash table routines
  * Author - Eric Young
  */
+/* ... erm yeah, "dynamic hash tables" you say?
+ * 
+ * And what would dynamic hash tables have to do with any of this code *now*?
+ * AFAICS, this code is only referenced by crypto/bn/exp.c which is an unused
+ * file that I doubt compiles any more. speed.c is the only thing that could
+ * use this (and it has nothing to do with hash tables), yet it instead has its
+ * own duplication of all this stuff and looks, if anything, more complete. See
+ * the corresponding note in apps/speed.c.
+ * The Bemused - Geoff
+ */
 
 #ifndef HEADER_TMDIFF_H
 #define HEADER_TMDIFF_H
@@ -67,11 +77,13 @@
 extern "C" {
 #endif
 
-char *ms_time_new(void );
-void ms_time_free(char *a);
-void ms_time_get(char *a);
-double ms_time_diff(char *start,char *end);
-int ms_time_cmp(char *ap,char *bp);
+typedef struct ms_tm MS_TM;
+
+MS_TM *ms_time_new(void );
+void ms_time_free(MS_TM *a);
+void ms_time_get(MS_TM *a);
+double ms_time_diff(MS_TM *start, MS_TM *end);
+int ms_time_cmp(const MS_TM *ap, const MS_TM *bp);
 
 #ifdef  __cplusplus
 }
diff --git a/crypto/openssl/crypto/txt_db/Makefile b/crypto/openssl/crypto/txt_db/Makefile
index 15ae6ceda84e..e6f30331d8dd 100644
--- a/crypto/openssl/crypto/txt_db/Makefile
+++ b/crypto/openssl/crypto/txt_db/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/txt_db/Makefile
+# OpenSSL/crypto/txt_db/Makefile
 #
 
 DIR=	txt_db
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -51,7 +46,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -66,6 +62,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by top Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -81,6 +78,7 @@ txt_db.o: ../../e_os.h ../../include/openssl/bio.h
 txt_db.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 txt_db.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 txt_db.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-txt_db.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-txt_db.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-txt_db.o: ../../include/openssl/txt_db.h ../cryptlib.h txt_db.c
+txt_db.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+txt_db.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+txt_db.o: ../../include/openssl/symhacks.h ../../include/openssl/txt_db.h
+txt_db.o: ../cryptlib.h txt_db.c
diff --git a/crypto/openssl/crypto/txt_db/txt_db.c b/crypto/openssl/crypto/txt_db/txt_db.c
index 58b300b00b01..e9e503eb073c 100644
--- a/crypto/openssl/crypto/txt_db/txt_db.c
+++ b/crypto/openssl/crypto/txt_db/txt_db.c
@@ -92,7 +92,7 @@ TXT_DB *TXT_DB_read(BIO *in, int num)
 		goto err;
 	if ((ret->index=(LHASH **)OPENSSL_malloc(sizeof(LHASH *)*num)) == NULL)
 		goto err;
-	if ((ret->qual=(int (**)())OPENSSL_malloc(sizeof(int (**)())*num)) == NULL)
+	if ((ret->qual=(int (**)(char **))OPENSSL_malloc(sizeof(int (**)(char **))*num)) == NULL)
 		goto err;
 	for (i=0; i<num; i++)
 		{
@@ -179,10 +179,13 @@ err:
 #if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
 		if (er == 1) fprintf(stderr,"OPENSSL_malloc failure\n");
 #endif
-		if (ret->data != NULL) sk_free(ret->data);
-		if (ret->index != NULL) OPENSSL_free(ret->index);
-		if (ret->qual != NULL) OPENSSL_free(ret->qual);
-		if (ret != NULL) OPENSSL_free(ret);
+		if (ret != NULL)
+			{
+			if (ret->data != NULL) sk_free(ret->data);
+			if (ret->index != NULL) OPENSSL_free(ret->index);
+			if (ret->qual != NULL) OPENSSL_free(ret->qual);
+			if (ret != NULL) OPENSSL_free(ret);
+			}
 		return(NULL);
 		}
 	else
@@ -210,11 +213,11 @@ char **TXT_DB_get_by_index(TXT_DB *db, int idx, char **value)
 	return(ret);
 	}
 
-int TXT_DB_create_index(TXT_DB *db, int field, int (*qual)(),
+int TXT_DB_create_index(TXT_DB *db, int field, int (*qual)(char **),
 		LHASH_HASH_FN_TYPE hash, LHASH_COMP_FN_TYPE cmp)
 	{
 	LHASH *idx;
-	char *r;
+	char **r;
 	int i,n;
 
 	if (field >= db->num_fields)
@@ -230,12 +233,12 @@ int TXT_DB_create_index(TXT_DB *db, int field, int (*qual)(),
 	n=sk_num(db->data);
 	for (i=0; i<n; i++)
 		{
-		r=(char *)sk_value(db->data,i);
+		r=(char **)sk_value(db->data,i);
 		if ((qual != NULL) && (qual(r) == 0)) continue;
 		if ((r=lh_insert(idx,r)) != NULL)
 			{
 			db->error=DB_ERROR_INDEX_CLASH;
-			db->arg1=sk_find(db->data,r);
+			db->arg1=sk_find(db->data,(char *)r);
 			db->arg2=i;
 			lh_free(idx);
 			return(0);
diff --git a/crypto/openssl/crypto/txt_db/txt_db.h b/crypto/openssl/crypto/txt_db/txt_db.h
index 563392aeff11..307e1ba23fc2 100644
--- a/crypto/openssl/crypto/txt_db/txt_db.h
+++ b/crypto/openssl/crypto/txt_db/txt_db.h
@@ -59,6 +59,7 @@
 #ifndef HEADER_TXT_DB_H
 #define HEADER_TXT_DB_H
 
+#include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
@@ -81,7 +82,7 @@ typedef struct txt_db_st
 	int num_fields;
 	STACK /* char ** */ *data;
 	LHASH **index;
-	int (**qual)();
+	int (**qual)(char **);
 	long error;
 	long arg1;
 	long arg2;
@@ -95,7 +96,7 @@ long TXT_DB_write(BIO *out, TXT_DB *db);
 TXT_DB *TXT_DB_read(char *in, int num);
 long TXT_DB_write(char *out, TXT_DB *db);
 #endif
-int TXT_DB_create_index(TXT_DB *db,int field,int (*qual)(),
+int TXT_DB_create_index(TXT_DB *db,int field,int (*qual)(char **),
 		LHASH_HASH_FN_TYPE hash, LHASH_COMP_FN_TYPE cmp);
 void TXT_DB_free(TXT_DB *db);
 char **TXT_DB_get_by_index(TXT_DB *db, int idx, char **value);
diff --git a/crypto/openssl/crypto/ui/Makefile b/crypto/openssl/crypto/ui/Makefile
index 004593121802..a685659fb4c8 100644
--- a/crypto/openssl/crypto/ui/Makefile
+++ b/crypto/openssl/crypto/ui/Makefile
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -55,7 +50,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -70,6 +66,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -81,35 +78,34 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-ui_compat.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ui_compat.o: ../../include/openssl/opensslconf.h
-ui_compat.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-ui_compat.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ui_compat.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-ui_compat.o: ui_compat.c
+ui_compat.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+ui_compat.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+ui_compat.o: ../../include/openssl/stack.h ../../include/openssl/ui.h
+ui_compat.o: ../../include/openssl/ui_compat.h ui_compat.c
 ui_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 ui_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 ui_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-ui_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-ui_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ui_err.o: ../../include/openssl/ui.h ui_err.c
+ui_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ui_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ui_err.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h ui_err.c
 ui_lib.o: ../../e_os.h ../../include/openssl/bio.h
 ui_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 ui_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 ui_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-ui_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-ui_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ui_lib.o: ../../include/openssl/ui.h ../cryptlib.h ui_lib.c ui_locl.h
+ui_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ui_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ui_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+ui_lib.o: ../cryptlib.h ui_lib.c ui_locl.h
 ui_openssl.o: ../../e_os.h ../../include/openssl/bio.h
 ui_openssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 ui_openssl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 ui_openssl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-ui_openssl.o: ../../include/openssl/opensslv.h
+ui_openssl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ui_openssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 ui_openssl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 ui_openssl.o: ../cryptlib.h ui_locl.h ui_openssl.c
 ui_util.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 ui_util.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-ui_util.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ui_util.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-ui_util.o: ui_util.c
+ui_util.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+ui_util.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ui_util.o: ../../include/openssl/ui.h ui_locl.h ui_util.c
diff --git a/crypto/openssl/crypto/ui/ui.h b/crypto/openssl/crypto/ui/ui.h
index 735a2d988e84..018296412b18 100644
--- a/crypto/openssl/crypto/ui/ui.h
+++ b/crypto/openssl/crypto/ui/ui.h
@@ -59,25 +59,19 @@
 #ifndef HEADER_UI_H
 #define HEADER_UI_H
 
+#ifndef OPENSSL_NO_DEPRECATED
 #include <openssl/crypto.h>
+#endif
 #include <openssl/safestack.h>
+#include <openssl/ossl_typ.h>
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-/* The UI type is a holder for a specific user interface session.  It can
-   contain an illimited number of informational or error strings as well
-   as things to prompt for, both passwords (noecho mode) and others (echo
-   mode), and verification of the same.  All of these are called strings,
-   and are further described below. */
-typedef struct ui_st UI;
-
-/* All instances of UI have a reference to a method structure, which is a
-   ordered vector of functions that implement the lower level things to do.
-   There is an instruction on the implementation further down, in the section
-   for method implementors. */
-typedef struct ui_method_st UI_METHOD;
+/* Declared already in ossl_typ.h */
+/* typedef struct ui_st UI; */
+/* typedef struct ui_method_st UI_METHOD; */
 
 
 /* All the following functions return -1 or NULL on error and in some cases
@@ -217,7 +211,7 @@ int UI_process(UI *ui);
 /* Give a user interface parametrised control commands.  This can be used to
    send down an integer, a data pointer or a function pointer, as well as
    be used to get information from a UI. */
-int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)());
+int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)(void));
 
 /* The commands */
 /* Use UI_CONTROL_PRINT_ERRORS with the value 1 to have UI_process print the
diff --git a/crypto/openssl/crypto/ui/ui_err.c b/crypto/openssl/crypto/ui/ui_err.c
index 39a62ae73710..d983cdd66fac 100644
--- a/crypto/openssl/crypto/ui/ui_err.c
+++ b/crypto/openssl/crypto/ui/ui_err.c
@@ -1,6 +1,6 @@
 /* crypto/ui/ui_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,32 +64,36 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_UI,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_UI,0,reason)
+
 static ERR_STRING_DATA UI_str_functs[]=
 	{
-{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_BOOLEAN,0),	"GENERAL_ALLOCATE_BOOLEAN"},
-{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_PROMPT,0),	"GENERAL_ALLOCATE_PROMPT"},
-{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_STRING,0),	"GENERAL_ALLOCATE_STRING"},
-{ERR_PACK(0,UI_F_UI_CTRL,0),	"UI_ctrl"},
-{ERR_PACK(0,UI_F_UI_DUP_ERROR_STRING,0),	"UI_dup_error_string"},
-{ERR_PACK(0,UI_F_UI_DUP_INFO_STRING,0),	"UI_dup_info_string"},
-{ERR_PACK(0,UI_F_UI_DUP_INPUT_BOOLEAN,0),	"UI_dup_input_boolean"},
-{ERR_PACK(0,UI_F_UI_DUP_INPUT_STRING,0),	"UI_dup_input_string"},
-{ERR_PACK(0,UI_F_UI_DUP_VERIFY_STRING,0),	"UI_dup_verify_string"},
-{ERR_PACK(0,UI_F_UI_GET0_RESULT,0),	"UI_get0_result"},
-{ERR_PACK(0,UI_F_UI_NEW_METHOD,0),	"UI_new_method"},
-{ERR_PACK(0,UI_F_UI_SET_RESULT,0),	"UI_set_result"},
+{ERR_FUNC(UI_F_GENERAL_ALLOCATE_BOOLEAN),	"GENERAL_ALLOCATE_BOOLEAN"},
+{ERR_FUNC(UI_F_GENERAL_ALLOCATE_PROMPT),	"GENERAL_ALLOCATE_PROMPT"},
+{ERR_FUNC(UI_F_GENERAL_ALLOCATE_STRING),	"GENERAL_ALLOCATE_STRING"},
+{ERR_FUNC(UI_F_UI_CTRL),	"UI_ctrl"},
+{ERR_FUNC(UI_F_UI_DUP_ERROR_STRING),	"UI_dup_error_string"},
+{ERR_FUNC(UI_F_UI_DUP_INFO_STRING),	"UI_dup_info_string"},
+{ERR_FUNC(UI_F_UI_DUP_INPUT_BOOLEAN),	"UI_dup_input_boolean"},
+{ERR_FUNC(UI_F_UI_DUP_INPUT_STRING),	"UI_dup_input_string"},
+{ERR_FUNC(UI_F_UI_DUP_VERIFY_STRING),	"UI_dup_verify_string"},
+{ERR_FUNC(UI_F_UI_GET0_RESULT),	"UI_get0_result"},
+{ERR_FUNC(UI_F_UI_NEW_METHOD),	"UI_new_method"},
+{ERR_FUNC(UI_F_UI_SET_RESULT),	"UI_set_result"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA UI_str_reasons[]=
 	{
-{UI_R_COMMON_OK_AND_CANCEL_CHARACTERS    ,"common ok and cancel characters"},
-{UI_R_INDEX_TOO_LARGE                    ,"index too large"},
-{UI_R_INDEX_TOO_SMALL                    ,"index too small"},
-{UI_R_NO_RESULT_BUFFER                   ,"no result buffer"},
-{UI_R_RESULT_TOO_LARGE                   ,"result too large"},
-{UI_R_RESULT_TOO_SMALL                   ,"result too small"},
-{UI_R_UNKNOWN_CONTROL_COMMAND            ,"unknown control command"},
+{ERR_REASON(UI_R_COMMON_OK_AND_CANCEL_CHARACTERS),"common ok and cancel characters"},
+{ERR_REASON(UI_R_INDEX_TOO_LARGE)        ,"index too large"},
+{ERR_REASON(UI_R_INDEX_TOO_SMALL)        ,"index too small"},
+{ERR_REASON(UI_R_NO_RESULT_BUFFER)       ,"no result buffer"},
+{ERR_REASON(UI_R_RESULT_TOO_LARGE)       ,"result too large"},
+{ERR_REASON(UI_R_RESULT_TOO_SMALL)       ,"result too small"},
+{ERR_REASON(UI_R_UNKNOWN_CONTROL_COMMAND),"unknown control command"},
 {0,NULL}
 	};
 
@@ -103,8 +107,8 @@ void ERR_load_UI_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_UI,UI_str_functs);
-		ERR_load_strings(ERR_LIB_UI,UI_str_reasons);
+		ERR_load_strings(0,UI_str_functs);
+		ERR_load_strings(0,UI_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/ui/ui_lib.c b/crypto/openssl/crypto/ui/ui_lib.c
index dbc9711a2def..7ab249c3be32 100644
--- a/crypto/openssl/crypto/ui/ui_lib.c
+++ b/crypto/openssl/crypto/ui/ui_lib.c
@@ -57,12 +57,12 @@
  */
 
 #include <string.h>
+#include "cryptlib.h"
 #include <openssl/e_os2.h>
 #include <openssl/buffer.h>
 #include <openssl/ui.h>
 #include <openssl/err.h>
 #include "ui_locl.h"
-#include "cryptlib.h"
 
 IMPLEMENT_STACK_OF(UI_STRING_ST)
 
@@ -545,7 +545,7 @@ int UI_process(UI *ui)
 	return ok;
 	}
 
-int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)())
+int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)(void))
 	{
 	if (ui == NULL)
 		{
@@ -620,8 +620,10 @@ UI_METHOD *UI_create_method(char *name)
 	UI_METHOD *ui_method = (UI_METHOD *)OPENSSL_malloc(sizeof(UI_METHOD));
 
 	if (ui_method)
+		{
 		memset(ui_method, 0, sizeof(*ui_method));
-	ui_method->name = BUF_strdup(name);
+		ui_method->name = BUF_strdup(name);
+		}
 	return ui_method;
 	}
 
diff --git a/crypto/openssl/crypto/ui/ui_locl.h b/crypto/openssl/crypto/ui/ui_locl.h
index 7d3a75a619c7..aa4a55637d9f 100644
--- a/crypto/openssl/crypto/ui/ui_locl.h
+++ b/crypto/openssl/crypto/ui/ui_locl.h
@@ -60,6 +60,11 @@
 #define HEADER_UI_LOCL_H
 
 #include <openssl/ui.h>
+#include <openssl/crypto.h>
+
+#ifdef _
+#undef _
+#endif
 
 struct ui_method_st
 	{
diff --git a/crypto/openssl/crypto/ui/ui_openssl.c b/crypto/openssl/crypto/ui/ui_openssl.c
index 75318d48a142..1f23a45a339b 100644
--- a/crypto/openssl/crypto/ui/ui_openssl.c
+++ b/crypto/openssl/crypto/ui/ui_openssl.c
@@ -117,6 +117,17 @@
 
 #include <openssl/e_os2.h>
 
+/* need for #define _POSIX_C_SOURCE arises whenever you pass -ansi to gcc
+ * [maybe others?], because it masks interfaces not discussed in standard,
+ * sigaction and fileno included. -pedantic would be more appropriate for
+ * the intended purposes, but we can't prevent users from adding -ansi.
+ */
+#define _POSIX_C_SOURCE 1
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+
 #if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS)
 # ifdef OPENSSL_UNISTD
 #  include OPENSSL_UNISTD
@@ -145,10 +156,6 @@
 /* 06-Apr-92 Luke Brennan    Support for VMS */
 #include "ui_locl.h"
 #include "cryptlib.h"
-#include <signal.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
 
 #ifdef OPENSSL_SYS_VMS		/* prototypes for sys$whatever */
 # include <starlet.h>
@@ -199,6 +206,12 @@
 #undef SGTTY
 #endif
 
+#if defined(OPENSSL_SYS_NETWARE)
+#undef TERMIOS
+#undef TERMIO
+#undef SGTTY
+#endif
+
 #ifdef TERMIOS
 # include <termios.h>
 # define TTY_STRUCT		struct termios
@@ -247,7 +260,7 @@ struct IOSB {
 	typedef int sig_atomic_t;
 #endif
 
-#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(MAC_OS_GUSI_SOURCE)
+#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(MAC_OS_GUSI_SOURCE) || defined(OPENSSL_SYS_NETWARE)
 /*
  * This one needs work. As a matter of fact the code is unoperational
  * and this is only a trick to get it compiled.
@@ -460,7 +473,7 @@ static int open_console(UI *ui)
 	CRYPTO_w_lock(CRYPTO_LOCK_UI);
 	is_a_tty = 1;
 
-#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_VXWORKS)
+#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)
 	tty_in=stdin;
 	tty_out=stderr;
 #else
@@ -476,7 +489,7 @@ static int open_console(UI *ui)
 #endif
 
 #if defined(TTY_get) && !defined(OPENSSL_SYS_VMS)
-	if (TTY_get(fileno(tty_in),&tty_orig) == -1)
+ 	if (TTY_get(fileno(tty_in),&tty_orig) == -1)
 		{
 #ifdef ENOTTY
 		if (errno == ENOTTY)
@@ -565,7 +578,9 @@ static int close_console(UI *ui)
 /* Internal functions to handle signals and act on them */
 static void pushsig(void)
 	{
+#ifndef OPENSSL_SYS_WIN32
 	int i;
+#endif
 #ifdef SIGACTION
 	struct sigaction sa;
 
@@ -573,6 +588,14 @@ static void pushsig(void)
 	sa.sa_handler=recsig;
 #endif
 
+#ifdef OPENSSL_SYS_WIN32
+	savsig[SIGABRT]=signal(SIGABRT,recsig);
+	savsig[SIGFPE]=signal(SIGFPE,recsig);
+	savsig[SIGILL]=signal(SIGILL,recsig);
+	savsig[SIGINT]=signal(SIGINT,recsig);
+	savsig[SIGSEGV]=signal(SIGSEGV,recsig);
+	savsig[SIGTERM]=signal(SIGTERM,recsig);
+#else
 	for (i=1; i<NX509_SIG; i++)
 		{
 #ifdef SIGUSR1
@@ -593,6 +616,7 @@ static void pushsig(void)
 		savsig[i]=signal(i,recsig);
 #endif
 		}
+#endif
 
 #ifdef SIGWINCH
 	signal(SIGWINCH,SIG_DFL);
@@ -601,8 +625,15 @@ static void pushsig(void)
 
 static void popsig(void)
 	{
+#ifdef OPENSSL_SYS_WIN32
+	signal(SIGABRT,savsig[SIGABRT]);
+	signal(SIGFPE,savsig[SIGFPE]);
+	signal(SIGILL,savsig[SIGILL]);
+	signal(SIGINT,savsig[SIGINT]);
+	signal(SIGSEGV,savsig[SIGSEGV]);
+	signal(SIGTERM,savsig[SIGTERM]);
+#else
 	int i;
-
 	for (i=1; i<NX509_SIG; i++)
 		{
 #ifdef SIGUSR1
@@ -619,6 +650,7 @@ static void popsig(void)
 		signal(i,savsig[i]);
 #endif
 		}
+#endif
 	}
 
 static void recsig(int i)
diff --git a/crypto/openssl/crypto/ui/ui_util.c b/crypto/openssl/crypto/ui/ui_util.c
index 46bc8c1a9a08..5d9760bb7b3f 100644
--- a/crypto/openssl/crypto/ui/ui_util.c
+++ b/crypto/openssl/crypto/ui/ui_util.c
@@ -54,7 +54,7 @@
  */
 
 #include <string.h>
-#include <openssl/ui.h>
+#include "ui_locl.h"
 
 int UI_UTIL_read_pw_string(char *buf,int length,const char *prompt,int verify)
 	{
diff --git a/crypto/openssl/crypto/uid.c b/crypto/openssl/crypto/uid.c
index 73205a4baa93..b1fd52badad7 100644
--- a/crypto/openssl/crypto/uid.c
+++ b/crypto/openssl/crypto/uid.c
@@ -65,7 +65,7 @@ int OPENSSL_issetugid(void)
 	return issetugid();
 	}
 
-#elif defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS)
+#elif defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)
 
 int OPENSSL_issetugid(void)
 	{
diff --git a/crypto/openssl/crypto/x509/Makefile b/crypto/openssl/crypto/x509/Makefile
index be61a48214cf..ddcc3124a7b9 100644
--- a/crypto/openssl/crypto/x509/Makefile
+++ b/crypto/openssl/crypto/x509/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/x509/Makefile
+# OpenSSL/crypto/x509/Makefile
 #
 
 DIR=	x509
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -27,13 +22,13 @@ LIBSRC=	x509_def.c x509_d2.c x509_r2x.c x509_cmp.c \
 	x509_set.c x509cset.c x509rset.c x509_err.c \
 	x509name.c x509_v3.c x509_ext.c x509_att.c \
 	x509type.c x509_lu.c x_all.c x509_txt.c \
-	x509_trs.c by_file.c by_dir.c 
+	x509_trs.c by_file.c by_dir.c x509_vpm.c
 LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \
 	x509_obj.o x509_req.o x509spki.o x509_vfy.o \
 	x509_set.o x509cset.o x509rset.o x509_err.o \
 	x509name.o x509_v3.o x509_ext.o x509_att.o \
 	x509type.o x509_lu.o x_all.o x509_txt.o \
-	x509_trs.o by_file.o by_dir.o
+	x509_trs.o by_file.o by_dir.o x509_vpm.o
 
 SRC= $(LIBSRC)
 
@@ -53,7 +48,7 @@ lib:	$(LIBOBJ)
 	@touch lib
 
 files:
-	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
 
 links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
@@ -61,7 +56,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -76,6 +72,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -87,506 +84,323 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-by_dir.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-by_dir.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-by_dir.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-by_dir.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-by_dir.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-by_dir.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-by_dir.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-by_dir.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-by_dir.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-by_dir.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-by_dir.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+by_dir.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+by_dir.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+by_dir.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+by_dir.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+by_dir.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+by_dir.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 by_dir.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 by_dir.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-by_dir.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-by_dir.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-by_dir.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-by_dir.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-by_dir.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-by_dir.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-by_dir.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-by_dir.o: ../cryptlib.h by_dir.c
-by_file.o: ../../e_os.h ../../include/openssl/aes.h
-by_file.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-by_file.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-by_file.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-by_file.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-by_file.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-by_file.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-by_file.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-by_file.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-by_file.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-by_file.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+by_dir.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+by_dir.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+by_dir.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+by_dir.o: ../../include/openssl/x509_vfy.h ../cryptlib.h by_dir.c
+by_file.o: ../../e_os.h ../../include/openssl/asn1.h
+by_file.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+by_file.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+by_file.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+by_file.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+by_file.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 by_file.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 by_file.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 by_file.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
 by_file.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-by_file.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-by_file.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-by_file.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-by_file.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-by_file.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-by_file.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-by_file.o: ../../include/openssl/x509_vfy.h ../cryptlib.h by_file.c
-x509_att.o: ../../e_os.h ../../include/openssl/aes.h
-x509_att.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_att.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_att.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+by_file.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+by_file.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+by_file.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+by_file.o: ../cryptlib.h by_file.c
+x509_att.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_att.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 x509_att.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_att.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x509_att.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_att.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_att.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_att.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x509_att.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x509_att.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x509_att.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x509_att.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+x509_att.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_att.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x509_att.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_att.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509_att.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_att.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_att.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_att.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_att.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_att.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_att.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_att.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_att.c
-x509_cmp.o: ../../e_os.h ../../include/openssl/aes.h
-x509_cmp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_cmp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_cmp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_att.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_att.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_att.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_att.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_att.o: ../cryptlib.h x509_att.c
+x509_cmp.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_cmp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 x509_cmp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_cmp.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x509_cmp.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_cmp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_cmp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_cmp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x509_cmp.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x509_cmp.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x509_cmp.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x509_cmp.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+x509_cmp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_cmp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x509_cmp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_cmp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509_cmp.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_cmp.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_cmp.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_cmp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_cmp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_cmp.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_cmp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_cmp.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_cmp.c
-x509_d2.o: ../../e_os.h ../../include/openssl/aes.h
-x509_d2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_d2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_d2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_d2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_d2.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x509_d2.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x509_d2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_d2.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_d2.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_d2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_cmp.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_cmp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_cmp.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_cmp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_cmp.o: ../cryptlib.h x509_cmp.c
+x509_d2.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_d2.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+x509_d2.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x509_d2.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x509_d2.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x509_d2.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_d2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_d2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 x509_d2.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-x509_d2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_d2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_d2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_d2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_d2.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-x509_d2.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-x509_d2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_d2.c
-x509_def.o: ../../e_os.h ../../include/openssl/aes.h
-x509_def.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_def.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_def.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_def.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_def.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x509_def.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x509_def.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_def.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_def.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_def.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_d2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_d2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_d2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_d2.o: ../cryptlib.h x509_d2.c
+x509_def.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_def.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+x509_def.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x509_def.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x509_def.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x509_def.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_def.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_def.o: ../../include/openssl/opensslconf.h
 x509_def.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509_def.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_def.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_def.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_def.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_def.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_def.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_def.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_def.o: ../cryptlib.h x509_def.c
-x509_err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-x509_err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-x509_err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x509_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x509_err.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x509_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x509_err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x509_err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x509_def.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_def.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_def.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_def.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_def.c
+x509_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_err.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x509_err.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x509_err.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+x509_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x509_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_err.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_err.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_err.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_err.o: x509_err.c
-x509_ext.o: ../../e_os.h ../../include/openssl/aes.h
-x509_ext.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_ext.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_ext.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_err.o: ../../include/openssl/x509_vfy.h x509_err.c
+x509_ext.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_ext.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 x509_ext.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_ext.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x509_ext.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_ext.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_ext.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_ext.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x509_ext.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x509_ext.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x509_ext.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x509_ext.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+x509_ext.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_ext.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x509_ext.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509_ext.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_ext.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_ext.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_ext.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_ext.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_ext.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_ext.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_ext.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_ext.c
-x509_lu.o: ../../e_os.h ../../include/openssl/aes.h
-x509_lu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_lu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_lu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_ext.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_ext.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_ext.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_ext.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_ext.o: ../cryptlib.h x509_ext.c
+x509_lu.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_lu.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 x509_lu.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_lu.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x509_lu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_lu.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_lu.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_lu.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x509_lu.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x509_lu.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x509_lu.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x509_lu.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+x509_lu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_lu.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x509_lu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_lu.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509_lu.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_lu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_lu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_lu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_lu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_lu.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_lu.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_lu.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_lu.c
-x509_obj.o: ../../e_os.h ../../include/openssl/aes.h
-x509_obj.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_obj.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_obj.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_obj.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_obj.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x509_obj.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x509_obj.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_obj.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_obj.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_obj.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_lu.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_lu.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_lu.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_lu.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_lu.o: ../cryptlib.h x509_lu.c
+x509_obj.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_obj.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+x509_obj.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x509_obj.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x509_obj.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x509_obj.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_obj.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_obj.o: ../../include/openssl/opensslconf.h
 x509_obj.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509_obj.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_obj.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_obj.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_obj.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_obj.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_obj.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_obj.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_obj.o: ../cryptlib.h x509_obj.c
-x509_r2x.o: ../../e_os.h ../../include/openssl/aes.h
-x509_r2x.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_r2x.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_r2x.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_r2x.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_r2x.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x509_r2x.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x509_obj.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_obj.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_obj.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_obj.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_obj.c
+x509_r2x.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_r2x.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_r2x.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x509_r2x.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x509_r2x.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 x509_r2x.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_r2x.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_r2x.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_r2x.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_r2x.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_r2x.o: ../../include/openssl/opensslconf.h
+x509_r2x.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_r2x.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_r2x.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509_r2x.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_r2x.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_r2x.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_r2x.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_r2x.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_r2x.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_r2x.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_r2x.o: ../cryptlib.h x509_r2x.c
-x509_req.o: ../../e_os.h ../../include/openssl/aes.h
-x509_req.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_req.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x509_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x509_r2x.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_r2x.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_r2x.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_r2x.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_r2x.c
+x509_req.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_req.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_req.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x509_req.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x509_req.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 x509_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_req.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_req.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_req.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_req.o: ../../include/openssl/opensslconf.h
+x509_req.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_req.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_req.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 x509_req.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-x509_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_req.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_req.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_req.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_req.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_req.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_req.o: ../cryptlib.h x509_req.c
-x509_set.o: ../../e_os.h ../../include/openssl/aes.h
-x509_set.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_set.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_set.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_set.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_set.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x509_set.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x509_set.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_set.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_set.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_set.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_req.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_req.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_req.c
+x509_set.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_set.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+x509_set.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x509_set.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x509_set.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x509_set.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_set.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_set.o: ../../include/openssl/opensslconf.h
 x509_set.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509_set.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_set.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_set.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_set.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_set.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_set.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_set.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_set.o: ../cryptlib.h x509_set.c
-x509_trs.o: ../../e_os.h ../../include/openssl/aes.h
-x509_trs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_trs.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_trs.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_set.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_set.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_set.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_set.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_set.c
+x509_trs.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_trs.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 x509_trs.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_trs.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x509_trs.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_trs.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_trs.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_trs.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x509_trs.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x509_trs.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x509_trs.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x509_trs.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+x509_trs.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_trs.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x509_trs.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_trs.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509_trs.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_trs.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_trs.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_trs.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_trs.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_trs.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_trs.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_trs.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_trs.c
-x509_txt.o: ../../e_os.h ../../include/openssl/aes.h
-x509_txt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_txt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_txt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_txt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_txt.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x509_txt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x509_txt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_txt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_txt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_txt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_trs.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_trs.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_trs.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_trs.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_trs.o: ../cryptlib.h x509_trs.c
+x509_txt.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_txt.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+x509_txt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x509_txt.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x509_txt.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x509_txt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_txt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_txt.o: ../../include/openssl/opensslconf.h
 x509_txt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509_txt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_txt.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_txt.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_txt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_txt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_txt.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_txt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_txt.o: ../cryptlib.h x509_txt.c
-x509_v3.o: ../../e_os.h ../../include/openssl/aes.h
-x509_v3.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_v3.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_v3.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_txt.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_txt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_txt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_txt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_txt.c
+x509_v3.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_v3.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 x509_v3.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_v3.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x509_v3.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_v3.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_v3.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_v3.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x509_v3.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x509_v3.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x509_v3.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x509_v3.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+x509_v3.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_v3.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x509_v3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_v3.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509_v3.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_v3.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_v3.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_v3.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_v3.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_v3.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_v3.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_v3.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_v3.c
-x509_vfy.o: ../../e_os.h ../../include/openssl/aes.h
-x509_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_vfy.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_v3.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_v3.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_v3.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_v3.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_v3.o: ../cryptlib.h x509_v3.c
+x509_vfy.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_vfy.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 x509_vfy.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_vfy.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x509_vfy.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_vfy.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_vfy.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_vfy.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x509_vfy.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x509_vfy.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x509_vfy.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x509_vfy.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+x509_vfy.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_vfy.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x509_vfy.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509_vfy.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_vfy.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_vfy.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_vfy.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_vfy.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_vfy.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_vfy.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_vfy.c
-x509cset.o: ../../e_os.h ../../include/openssl/aes.h
-x509cset.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509cset.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509cset.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509cset.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509cset.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x509cset.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x509cset.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509cset.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509cset.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509cset.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_vfy.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_vfy.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_vfy.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_vfy.o: ../cryptlib.h x509_vfy.c
+x509_vpm.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_vpm.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+x509_vpm.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_vpm.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+x509_vpm.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+x509_vpm.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_vpm.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_vpm.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_vpm.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_vpm.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509_vpm.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_vpm.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_vpm.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_vpm.o: ../cryptlib.h x509_vpm.c
+x509cset.o: ../../e_os.h ../../include/openssl/asn1.h
+x509cset.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+x509cset.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x509cset.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x509cset.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x509cset.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509cset.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509cset.o: ../../include/openssl/opensslconf.h
 x509cset.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509cset.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509cset.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509cset.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509cset.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509cset.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509cset.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509cset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509cset.o: ../cryptlib.h x509cset.c
-x509name.o: ../../e_os.h ../../include/openssl/aes.h
-x509name.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509name.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509name.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509name.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509name.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x509name.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x509name.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509name.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509name.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509name.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509cset.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509cset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509cset.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509cset.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509cset.c
+x509name.o: ../../e_os.h ../../include/openssl/asn1.h
+x509name.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+x509name.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x509name.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x509name.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x509name.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509name.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509name.o: ../../include/openssl/opensslconf.h
 x509name.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509name.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509name.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509name.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509name.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509name.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509name.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509name.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509name.o: ../cryptlib.h x509name.c
-x509rset.o: ../../e_os.h ../../include/openssl/aes.h
-x509rset.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509rset.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509rset.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509rset.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509rset.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x509rset.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x509rset.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509rset.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509rset.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509rset.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509name.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509name.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509name.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509name.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509name.c
+x509rset.o: ../../e_os.h ../../include/openssl/asn1.h
+x509rset.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+x509rset.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x509rset.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x509rset.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x509rset.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509rset.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509rset.o: ../../include/openssl/opensslconf.h
 x509rset.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509rset.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509rset.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509rset.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509rset.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509rset.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509rset.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509rset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509rset.o: ../cryptlib.h x509rset.c
-x509spki.o: ../../e_os.h ../../include/openssl/aes.h
-x509spki.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509spki.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509spki.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509spki.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509spki.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x509spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x509spki.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509spki.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509spki.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509spki.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509rset.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509rset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509rset.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509rset.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509rset.c
+x509spki.o: ../../e_os.h ../../include/openssl/asn1.h
+x509spki.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+x509spki.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x509spki.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x509spki.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x509spki.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509spki.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509spki.o: ../../include/openssl/opensslconf.h
 x509spki.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509spki.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509spki.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509spki.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509spki.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509spki.o: ../cryptlib.h x509spki.c
-x509type.o: ../../e_os.h ../../include/openssl/aes.h
-x509type.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509type.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509type.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509type.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509type.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-x509type.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x509type.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509type.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509type.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509type.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509spki.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509spki.c
+x509type.o: ../../e_os.h ../../include/openssl/asn1.h
+x509type.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+x509type.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x509type.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x509type.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x509type.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509type.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509type.o: ../../include/openssl/opensslconf.h
 x509type.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x509type.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509type.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509type.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509type.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509type.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509type.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x509type.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509type.o: ../cryptlib.h x509type.c
-x_all.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-x_all.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-x_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_all.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_all.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-x_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_all.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_all.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_all.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_all.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_all.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-x_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x_all.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-x_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x_all.o: ../cryptlib.h x_all.c
+x509type.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+x509type.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509type.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509type.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509type.c
+x_all.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x_all.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_all.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_all.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+x_all.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+x_all.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+x_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+x_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_all.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x_all.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_all.c
diff --git a/crypto/openssl/crypto/x509/by_dir.c b/crypto/openssl/crypto/x509/by_dir.c
index 6207340472e4..ea689aed1a25 100644
--- a/crypto/openssl/crypto/x509/by_dir.c
+++ b/crypto/openssl/crypto/x509/by_dir.c
@@ -114,7 +114,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
 	{
 	int ret=0;
 	BY_DIR *ld;
-	char *dir;
+	char *dir = NULL;
 
 	ld=(BY_DIR *)ctx->method_data;
 
@@ -123,17 +123,16 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
 	case X509_L_ADD_DIR:
 		if (argl == X509_FILETYPE_DEFAULT)
 			{
-			ret=add_cert_dir(ld,X509_get_default_cert_dir(),
-				X509_FILETYPE_PEM);
+			dir=(char *)Getenv(X509_get_default_cert_dir_env());
+			if (dir)
+				ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
+			else
+				ret=add_cert_dir(ld,X509_get_default_cert_dir(),
+					X509_FILETYPE_PEM);
 			if (!ret)
 				{
 				X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR);
 				}
-			else
-				{
-				dir=(char *)Getenv(X509_get_default_cert_dir_env());
-				ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
-				}
 			}
 		else
 			ret=add_cert_dir(ld,argp,(int)argl);
diff --git a/crypto/openssl/crypto/x509/by_file.c b/crypto/openssl/crypto/x509/by_file.c
index b4b04183d071..a5e0d4aefa1a 100644
--- a/crypto/openssl/crypto/x509/by_file.c
+++ b/crypto/openssl/crypto/x509/by_file.c
@@ -150,7 +150,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
 			x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL);
 			if (x == NULL)
 				{
-				if ((ERR_GET_REASON(ERR_peek_error()) ==
+				if ((ERR_GET_REASON(ERR_peek_last_error()) ==
 					PEM_R_NO_START_LINE) && (count > 0))
 					{
 					ERR_clear_error();
@@ -217,7 +217,7 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
 			x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
 			if (x == NULL)
 				{
-				if ((ERR_GET_REASON(ERR_peek_error()) ==
+				if ((ERR_GET_REASON(ERR_peek_last_error()) ==
 					PEM_R_NO_START_LINE) && (count > 0))
 					{
 					ERR_clear_error();
diff --git a/crypto/openssl/crypto/x509/x509.h b/crypto/openssl/crypto/x509/x509.h
index e4d5434cb143..66990ae5a88e 100644
--- a/crypto/openssl/crypto/x509/x509.h
+++ b/crypto/openssl/crypto/x509/x509.h
@@ -55,10 +55,16 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECDH support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #ifndef HEADER_X509_H
 #define HEADER_X509_H
 
+#include <openssl/e_os2.h>
 #include <openssl/symhacks.h>
 #ifndef OPENSSL_NO_BUFFER
 #include <openssl/buffer.h>
@@ -73,21 +79,33 @@
 #include <openssl/asn1.h>
 #include <openssl/safestack.h>
 
+#ifndef OPENSSL_NO_EC
+#include <openssl/ec.h>
+#endif
+
+#ifndef OPENSSL_NO_ECDSA
+#include <openssl/ecdsa.h>
+#endif
+
+#ifndef OPENSSL_NO_ECDH
+#include <openssl/ecdh.h>
+#endif
+
+#ifndef OPENSSL_NO_DEPRECATED
 #ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
-
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
-
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
+#endif
+
 #ifndef OPENSSL_NO_SHA
 #include <openssl/sha.h>
 #endif
-#include <openssl/e_os2.h>
 #include <openssl/ossl_typ.h>
 
 #ifdef  __cplusplus
@@ -95,8 +113,9 @@ extern "C" {
 #endif
 
 #ifdef OPENSSL_SYS_WIN32
-/* Under Win32 this is defined in wincrypt.h */
+/* Under Win32 these are defined in wincrypt.h */
 #undef X509_NAME
+#undef X509_CERT_PAIR
 #endif
 
 #define X509_FILETYPE_PEM	1
@@ -117,8 +136,8 @@ extern "C" {
 typedef struct X509_objects_st
 	{
 	int nid;
-	int (*a2i)();
-	int (*i2a)();
+	int (*a2i)(void);
+	int (*i2a)(void);
 	} X509_OBJECTS;
 
 struct X509_algor_st
@@ -261,12 +280,14 @@ struct x509_st
 	CRYPTO_EX_DATA ex_data;
 	/* These contain copies of various extension values */
 	long ex_pathlen;
+	long ex_pcpathlen;
 	unsigned long ex_flags;
 	unsigned long ex_kusage;
 	unsigned long ex_xkusage;
 	unsigned long ex_nscert;
 	ASN1_OCTET_STRING *skid;
 	struct AUTHORITY_KEYID_st *akid;
+	X509_POLICY_CACHE *policy_cache;
 #ifndef OPENSSL_NO_SHA
 	unsigned char sha1_hash[SHA_DIGEST_LENGTH];
 #endif
@@ -289,6 +310,11 @@ typedef struct x509_trust_st {
 
 DECLARE_STACK_OF(X509_TRUST)
 
+typedef struct x509_cert_pair_st {
+	X509 *forward;
+	X509 *reverse;
+} X509_CERT_PAIR;
+
 /* standard trust ids */
 
 #define X509_TRUST_DEFAULT	-1	/* Only valid in purpose settings */
@@ -655,6 +681,17 @@ extern "C" {
 #define i2d_DSAPrivateKey_bio(bp,dsa) ASN1_i2d_bio(i2d_DSAPrivateKey,bp, \
 		(unsigned char *)dsa)
 
+#define d2i_ECPrivateKey_fp(fp,ecdsa) (EC_KEY *)ASN1_d2i_fp((char *(*)())\
+		EC_KEY_new,(char *(*)())d2i_ECPrivateKey, (fp), \
+		(unsigned char **)(ecdsa))
+#define i2d_ECPrivateKey_fp(fp,ecdsa) ASN1_i2d_fp(i2d_ECPrivateKey,fp, \
+		(unsigned char *)ecdsa)
+#define d2i_ECPrivateKey_bio(bp,ecdsa) (EC_KEY *)ASN1_d2i_bio((char *(*)())\
+		EC_KEY_new,(char *(*)())d2i_ECPrivateKey, (bp), \
+		(unsigned char **)(ecdsa))
+#define i2d_ECPrivateKey_bio(bp,ecdsa) ASN1_i2d_bio(i2d_ECPrivateKey,bp, \
+		(unsigned char *)ecdsa)
+
 #define X509_ALGOR_dup(xn) (X509_ALGOR *)ASN1_dup((int (*)())i2d_X509_ALGOR,\
 		(char *(*)())d2i_X509_ALGOR,(char *)xn)
 
@@ -758,6 +795,12 @@ int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
 int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
 #endif
+#ifndef OPENSSL_NO_EC
+EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
+int   i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);
+EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
+int   i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);
+#endif
 X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8);
 int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8);
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
@@ -791,6 +834,12 @@ int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
 DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
 int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
 #endif
+#ifndef OPENSSL_NO_EC
+EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
+int   i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);
+EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
+int   i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);
+#endif
 X509_SIG *d2i_PKCS8_bio(BIO *bp,X509_SIG **p8);
 int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8);
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
@@ -839,16 +888,21 @@ EVP_PKEY *	X509_PUBKEY_get(X509_PUBKEY *key);
 int		X509_get_pubkey_parameters(EVP_PKEY *pkey,
 					   STACK_OF(X509) *chain);
 int		i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp);
-EVP_PKEY *	d2i_PUBKEY(EVP_PKEY **a,unsigned char **pp,
+EVP_PKEY *	d2i_PUBKEY(EVP_PKEY **a,const unsigned char **pp,
 			long length);
 #ifndef OPENSSL_NO_RSA
 int		i2d_RSA_PUBKEY(RSA *a,unsigned char **pp);
-RSA *		d2i_RSA_PUBKEY(RSA **a,unsigned char **pp,
+RSA *		d2i_RSA_PUBKEY(RSA **a,const unsigned char **pp,
 			long length);
 #endif
 #ifndef OPENSSL_NO_DSA
 int		i2d_DSA_PUBKEY(DSA *a,unsigned char **pp);
-DSA *		d2i_DSA_PUBKEY(DSA **a,unsigned char **pp,
+DSA *		d2i_DSA_PUBKEY(DSA **a,const unsigned char **pp,
+			long length);
+#endif
+#ifndef OPENSSL_NO_EC
+int		i2d_EC_PUBKEY(EC_KEY *a, unsigned char **pp);
+EC_KEY 		*d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp,
 			long length);
 #endif
 
@@ -872,16 +926,19 @@ DECLARE_ASN1_FUNCTIONS(X509_CINF)
 DECLARE_ASN1_FUNCTIONS(X509)
 DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
 
+DECLARE_ASN1_FUNCTIONS(X509_CERT_PAIR)
+
 int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int X509_set_ex_data(X509 *r, int idx, void *arg);
 void *X509_get_ex_data(X509 *r, int idx);
 int		i2d_X509_AUX(X509 *a,unsigned char **pp);
-X509 *		d2i_X509_AUX(X509 **a,unsigned char **pp,long length);
+X509 *		d2i_X509_AUX(X509 **a,const unsigned char **pp,long length);
 
 int X509_alias_set1(X509 *x, unsigned char *name, int len);
 int X509_keyid_set1(X509 *x, unsigned char *id, int len);
 unsigned char * X509_alias_get0(X509 *x, int *len);
+unsigned char * X509_keyid_get0(X509 *x, int *len);
 int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
 int X509_TRUST_set(int *t, int trust);
 int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
@@ -898,7 +955,7 @@ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
 X509_PKEY *	X509_PKEY_new(void );
 void		X509_PKEY_free(X509_PKEY *a);
 int		i2d_X509_PKEY(X509_PKEY *a,unsigned char **pp);
-X509_PKEY *	d2i_X509_PKEY(X509_PKEY **a,unsigned char **pp,long length);
+X509_PKEY *	d2i_X509_PKEY(X509_PKEY **a,const unsigned char **pp,long length);
 
 DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI)
 DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC)
@@ -909,15 +966,15 @@ X509_INFO *	X509_INFO_new(void);
 void		X509_INFO_free(X509_INFO *a);
 char *		X509_NAME_oneline(X509_NAME *a,char *buf,int size);
 
-int ASN1_verify(int (*i2d)(), X509_ALGOR *algor1,
-	ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey);
+int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *algor1,
+		ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey);
 
-int ASN1_digest(int (*i2d)(),const EVP_MD *type,char *data,
-	unsigned char *md,unsigned int *len);
+int ASN1_digest(i2d_of_void *i2d,const EVP_MD *type,char *data,
+		unsigned char *md,unsigned int *len);
 
-int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
-	ASN1_BIT_STRING *signature,
-	char *data,EVP_PKEY *pkey, const EVP_MD *type);
+int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1,
+	      X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
+	      char *data,EVP_PKEY *pkey, const EVP_MD *type);
 
 int ASN1_item_digest(const ASN1_ITEM *it,const EVP_MD *type,void *data,
 	unsigned char *md,unsigned int *len);
@@ -982,6 +1039,8 @@ int X509_CRL_sort(X509_CRL *crl);
 int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
 int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
 
+int		X509_REQ_check_private_key(X509_REQ *x509,EVP_PKEY *pkey);
+
 int		X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
 
 int		X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
@@ -1038,18 +1097,18 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
 int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
 			unsigned char *bytes, int len, int loc, int set);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
-		char *field, int type, unsigned char *bytes, int len);
+		const char *field, int type, const unsigned char *bytes, int len);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
 			int type,unsigned char *bytes, int len);
-int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
-			unsigned char *bytes, int len, int loc, int set);
+int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
+			const unsigned char *bytes, int len, int loc, int set);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
-			ASN1_OBJECT *obj, int type,unsigned char *bytes,
+			ASN1_OBJECT *obj, int type,const unsigned char *bytes,
 			int len);
 int 		X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
 			ASN1_OBJECT *obj);
 int 		X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
-			unsigned char *bytes, int len);
+			const unsigned char *bytes, int len);
 ASN1_OBJECT *	X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
 ASN1_STRING *	X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
 
@@ -1142,6 +1201,24 @@ int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr);
 ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
 ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
 
+int EVP_PKEY_get_attr_count(const EVP_PKEY *key);
+int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid,
+			  int lastpos);
+int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, ASN1_OBJECT *obj,
+			  int lastpos);
+X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc);
+X509_ATTRIBUTE *EVP_PKEY_delete_attr(EVP_PKEY *key, int loc);
+int EVP_PKEY_add1_attr(EVP_PKEY *key, X509_ATTRIBUTE *attr);
+int EVP_PKEY_add1_attr_by_OBJ(EVP_PKEY *key,
+			const ASN1_OBJECT *obj, int type,
+			const unsigned char *bytes, int len);
+int EVP_PKEY_add1_attr_by_NID(EVP_PKEY *key,
+			int nid, int type,
+			const unsigned char *bytes, int len);
+int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
+			const char *attrname, int type,
+			const unsigned char *bytes, int len);
+
 int		X509_verify_cert(X509_STORE_CTX *ctx);
 
 /* lookup a cert from a X509 STACK */
@@ -1188,18 +1265,20 @@ void ERR_load_X509_strings(void);
 /* Function codes. */
 #define X509_F_ADD_CERT_DIR				 100
 #define X509_F_BY_FILE_CTRL				 101
+#define X509_F_CHECK_POLICY				 145
 #define X509_F_DIR_CTRL					 102
 #define X509_F_GET_CERT_BY_SUBJECT			 103
 #define X509_F_NETSCAPE_SPKI_B64_DECODE			 129
 #define X509_F_NETSCAPE_SPKI_B64_ENCODE			 130
+#define X509_F_X509AT_ADD1_ATTR				 135
 #define X509_F_X509V3_ADD_EXT				 104
-#define X509_F_X509_ADD_ATTR				 135
 #define X509_F_X509_ATTRIBUTE_CREATE_BY_NID		 136
 #define X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ		 137
 #define X509_F_X509_ATTRIBUTE_CREATE_BY_TXT		 140
 #define X509_F_X509_ATTRIBUTE_GET0_DATA			 139
 #define X509_F_X509_ATTRIBUTE_SET1_DATA			 138
 #define X509_F_X509_CHECK_PRIVATE_KEY			 128
+#define X509_F_X509_CRL_PRINT_FP			 147
 #define X509_F_X509_EXTENSION_CREATE_BY_NID		 108
 #define X509_F_X509_EXTENSION_CREATE_BY_OBJ		 109
 #define X509_F_X509_GET_PUBKEY_PARAMETERS		 110
@@ -1212,14 +1291,16 @@ void ERR_load_X509_strings(void);
 #define X509_F_X509_NAME_ENTRY_SET_OBJECT		 115
 #define X509_F_X509_NAME_ONELINE			 116
 #define X509_F_X509_NAME_PRINT				 117
-#define X509_F_X509_PRINT_FP				 118
+#define X509_F_X509_PRINT_EX_FP				 118
 #define X509_F_X509_PUBKEY_GET				 119
 #define X509_F_X509_PUBKEY_SET				 120
-#define X509_F_X509_REQ_PRINT				 121
+#define X509_F_X509_REQ_CHECK_PRIVATE_KEY		 144
+#define X509_F_X509_REQ_PRINT_EX			 121
 #define X509_F_X509_REQ_PRINT_FP			 122
 #define X509_F_X509_REQ_TO_X509				 123
 #define X509_F_X509_STORE_ADD_CERT			 124
 #define X509_F_X509_STORE_ADD_CRL			 125
+#define X509_F_X509_STORE_CTX_GET1_ISSUER		 146
 #define X509_F_X509_STORE_CTX_INIT			 143
 #define X509_F_X509_STORE_CTX_NEW			 142
 #define X509_F_X509_STORE_CTX_PURPOSE_INHERIT		 134
diff --git a/crypto/openssl/crypto/x509/x509_att.c b/crypto/openssl/crypto/x509/x509_att.c
index 0bae3d32a1a5..65968c4944aa 100644
--- a/crypto/openssl/crypto/x509/x509_att.c
+++ b/crypto/openssl/crypto/x509/x509_att.c
@@ -125,7 +125,13 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
 	X509_ATTRIBUTE *new_attr=NULL;
 	STACK_OF(X509_ATTRIBUTE) *sk=NULL;
 
-	if ((x != NULL) && (*x == NULL))
+	if (x == NULL)
+		{
+		X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER);
+		goto err2;
+		} 
+
+	if (*x == NULL)
 		{
 		if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL)
 			goto err;
@@ -137,11 +143,11 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
 		goto err2;
 	if (!sk_X509_ATTRIBUTE_push(sk,new_attr))
 		goto err;
-	if ((x != NULL) && (*x == NULL))
+	if (*x == NULL)
 		*x=sk;
 	return(sk);
 err:
-	X509err(X509_F_X509_ADD_ATTR,ERR_R_MALLOC_FAILURE);
+	X509err(X509_F_X509AT_ADD1_ATTR,ERR_R_MALLOC_FAILURE);
 err2:
 	if (new_attr != NULL) X509_ATTRIBUTE_free(new_attr);
 	if (sk != NULL) sk_X509_ATTRIBUTE_free(sk);
diff --git a/crypto/openssl/crypto/x509/x509_cmp.c b/crypto/openssl/crypto/x509/x509_cmp.c
index f460102f4978..0d6bc653b21b 100644
--- a/crypto/openssl/crypto/x509/x509_cmp.c
+++ b/crypto/openssl/crypto/x509/x509_cmp.c
@@ -254,33 +254,49 @@ static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
 	return 0;
 }
 
+static int asn1_string_memcmp(ASN1_STRING *a, ASN1_STRING *b)
+	{
+	int j;
+	j = a->length - b->length;
+	if (j)
+		return j;
+	return memcmp(a->data, b->data, a->length);
+	}
+
+#define STR_TYPE_CMP (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_UTF8STRING)
+
 int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
 	{
 	int i,j;
 	X509_NAME_ENTRY *na,*nb;
 
-	if (sk_X509_NAME_ENTRY_num(a->entries)
-	    != sk_X509_NAME_ENTRY_num(b->entries))
-		return sk_X509_NAME_ENTRY_num(a->entries)
-		  -sk_X509_NAME_ENTRY_num(b->entries);
+	unsigned long nabit, nbbit;
+
+	j = sk_X509_NAME_ENTRY_num(a->entries)
+		  - sk_X509_NAME_ENTRY_num(b->entries);
+	if (j)
+		return j;
 	for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
 		{
 		na=sk_X509_NAME_ENTRY_value(a->entries,i);
 		nb=sk_X509_NAME_ENTRY_value(b->entries,i);
 		j=na->value->type-nb->value->type;
-		if (j) return(j);
-		if (na->value->type == V_ASN1_PRINTABLESTRING)
+		if (j)
+			{
+			nabit = ASN1_tag2bit(na->value->type);
+			nbbit = ASN1_tag2bit(nb->value->type);
+			if (!(nabit & STR_TYPE_CMP) ||
+				!(nbbit & STR_TYPE_CMP))
+				return j;
+			j = asn1_string_memcmp(na->value, nb->value);
+			}
+		else if (na->value->type == V_ASN1_PRINTABLESTRING)
 			j=nocase_spacenorm_cmp(na->value, nb->value);
 		else if (na->value->type == V_ASN1_IA5STRING
 			&& OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
 			j=nocase_cmp(na->value, nb->value);
 		else
-			{
-			j=na->value->length-nb->value->length;
-			if (j) return(j);
-			j=memcmp(na->value->data,nb->value->data,
-				na->value->length);
-			}
+			j = asn1_string_memcmp(na->value, nb->value);
 		if (j) return(j);
 		j=na->set-nb->set;
 		if (j) return(j);
@@ -374,45 +390,36 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
 	int ok=0;
 
 	xk=X509_get_pubkey(x);
-	if (xk->type != k->type)
-	    {
-	    X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
-	    goto err;
-	    }
-	switch (k->type)
+	switch (EVP_PKEY_cmp(xk, k))
 		{
-#ifndef OPENSSL_NO_RSA
-	case EVP_PKEY_RSA:
-		if (BN_cmp(xk->pkey.rsa->n,k->pkey.rsa->n) != 0
-		    || BN_cmp(xk->pkey.rsa->e,k->pkey.rsa->e) != 0)
-		    {
-		    X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
-		    goto err;
-		    }
+	case 1:
+		ok=1;
 		break;
-#endif
-#ifndef OPENSSL_NO_DSA
-	case EVP_PKEY_DSA:
-		if (BN_cmp(xk->pkey.dsa->pub_key,k->pkey.dsa->pub_key) != 0)
-		    {
-		    X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
-		    goto err;
-		    }
+	case 0:
+		X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
+		break;
+	case -1:
+		X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
 		break;
+	case -2:
+#ifndef OPENSSL_NO_EC
+		if (k->type == EVP_PKEY_EC)
+			{
+			X509err(X509_F_X509_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
+			break;
+			}
 #endif
 #ifndef OPENSSL_NO_DH
-	case EVP_PKEY_DH:
-		/* No idea */
-	        X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
-		goto err;
+		if (k->type == EVP_PKEY_DH)
+			{
+			/* No idea */
+			X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
+			break;
+			}
 #endif
-	default:
 	        X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
-		goto err;
 		}
 
-	ok=1;
-err:
 	EVP_PKEY_free(xk);
 	return(ok);
 	}
diff --git a/crypto/openssl/crypto/x509/x509_err.c b/crypto/openssl/crypto/x509/x509_err.c
index 5bbf4acf7651..b7bc383a5029 100644
--- a/crypto/openssl/crypto/x509/x509_err.c
+++ b/crypto/openssl/crypto/x509/x509_err.c
@@ -1,6 +1,6 @@
 /* crypto/x509/x509_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,77 +64,85 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason)
+
 static ERR_STRING_DATA X509_str_functs[]=
 	{
-{ERR_PACK(0,X509_F_ADD_CERT_DIR,0),	"ADD_CERT_DIR"},
-{ERR_PACK(0,X509_F_BY_FILE_CTRL,0),	"BY_FILE_CTRL"},
-{ERR_PACK(0,X509_F_DIR_CTRL,0),	"DIR_CTRL"},
-{ERR_PACK(0,X509_F_GET_CERT_BY_SUBJECT,0),	"GET_CERT_BY_SUBJECT"},
-{ERR_PACK(0,X509_F_NETSCAPE_SPKI_B64_DECODE,0),	"NETSCAPE_SPKI_b64_decode"},
-{ERR_PACK(0,X509_F_NETSCAPE_SPKI_B64_ENCODE,0),	"NETSCAPE_SPKI_b64_encode"},
-{ERR_PACK(0,X509_F_X509V3_ADD_EXT,0),	"X509v3_add_ext"},
-{ERR_PACK(0,X509_F_X509_ADD_ATTR,0),	"X509_ADD_ATTR"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_NID,0),	"X509_ATTRIBUTE_create_by_NID"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,0),	"X509_ATTRIBUTE_create_by_OBJ"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,0),	"X509_ATTRIBUTE_create_by_txt"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_GET0_DATA,0),	"X509_ATTRIBUTE_get0_data"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_SET1_DATA,0),	"X509_ATTRIBUTE_set1_data"},
-{ERR_PACK(0,X509_F_X509_CHECK_PRIVATE_KEY,0),	"X509_check_private_key"},
-{ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_NID,0),	"X509_EXTENSION_create_by_NID"},
-{ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_OBJ,0),	"X509_EXTENSION_create_by_OBJ"},
-{ERR_PACK(0,X509_F_X509_GET_PUBKEY_PARAMETERS,0),	"X509_get_pubkey_parameters"},
-{ERR_PACK(0,X509_F_X509_LOAD_CERT_CRL_FILE,0),	"X509_load_cert_crl_file"},
-{ERR_PACK(0,X509_F_X509_LOAD_CERT_FILE,0),	"X509_load_cert_file"},
-{ERR_PACK(0,X509_F_X509_LOAD_CRL_FILE,0),	"X509_load_crl_file"},
-{ERR_PACK(0,X509_F_X509_NAME_ADD_ENTRY,0),	"X509_NAME_add_entry"},
-{ERR_PACK(0,X509_F_X509_NAME_ENTRY_CREATE_BY_NID,0),	"X509_NAME_ENTRY_create_by_NID"},
-{ERR_PACK(0,X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,0),	"X509_NAME_ENTRY_create_by_txt"},
-{ERR_PACK(0,X509_F_X509_NAME_ENTRY_SET_OBJECT,0),	"X509_NAME_ENTRY_set_object"},
-{ERR_PACK(0,X509_F_X509_NAME_ONELINE,0),	"X509_NAME_oneline"},
-{ERR_PACK(0,X509_F_X509_NAME_PRINT,0),	"X509_NAME_print"},
-{ERR_PACK(0,X509_F_X509_PRINT_FP,0),	"X509_print_fp"},
-{ERR_PACK(0,X509_F_X509_PUBKEY_GET,0),	"X509_PUBKEY_get"},
-{ERR_PACK(0,X509_F_X509_PUBKEY_SET,0),	"X509_PUBKEY_set"},
-{ERR_PACK(0,X509_F_X509_REQ_PRINT,0),	"X509_REQ_print"},
-{ERR_PACK(0,X509_F_X509_REQ_PRINT_FP,0),	"X509_REQ_print_fp"},
-{ERR_PACK(0,X509_F_X509_REQ_TO_X509,0),	"X509_REQ_to_X509"},
-{ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0),	"X509_STORE_add_cert"},
-{ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0),	"X509_STORE_add_crl"},
-{ERR_PACK(0,X509_F_X509_STORE_CTX_INIT,0),	"X509_STORE_CTX_init"},
-{ERR_PACK(0,X509_F_X509_STORE_CTX_NEW,0),	"X509_STORE_CTX_new"},
-{ERR_PACK(0,X509_F_X509_STORE_CTX_PURPOSE_INHERIT,0),	"X509_STORE_CTX_purpose_inherit"},
-{ERR_PACK(0,X509_F_X509_TO_X509_REQ,0),	"X509_to_X509_REQ"},
-{ERR_PACK(0,X509_F_X509_TRUST_ADD,0),	"X509_TRUST_add"},
-{ERR_PACK(0,X509_F_X509_TRUST_SET,0),	"X509_TRUST_set"},
-{ERR_PACK(0,X509_F_X509_VERIFY_CERT,0),	"X509_verify_cert"},
+{ERR_FUNC(X509_F_ADD_CERT_DIR),	"ADD_CERT_DIR"},
+{ERR_FUNC(X509_F_BY_FILE_CTRL),	"BY_FILE_CTRL"},
+{ERR_FUNC(X509_F_CHECK_POLICY),	"CHECK_POLICY"},
+{ERR_FUNC(X509_F_DIR_CTRL),	"DIR_CTRL"},
+{ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT),	"GET_CERT_BY_SUBJECT"},
+{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_DECODE),	"NETSCAPE_SPKI_b64_decode"},
+{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_ENCODE),	"NETSCAPE_SPKI_b64_encode"},
+{ERR_FUNC(X509_F_X509AT_ADD1_ATTR),	"X509at_add1_attr"},
+{ERR_FUNC(X509_F_X509V3_ADD_EXT),	"X509v3_add_ext"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_NID),	"X509_ATTRIBUTE_create_by_NID"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ),	"X509_ATTRIBUTE_create_by_OBJ"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT),	"X509_ATTRIBUTE_create_by_txt"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_GET0_DATA),	"X509_ATTRIBUTE_get0_data"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_SET1_DATA),	"X509_ATTRIBUTE_set1_data"},
+{ERR_FUNC(X509_F_X509_CHECK_PRIVATE_KEY),	"X509_check_private_key"},
+{ERR_FUNC(X509_F_X509_CRL_PRINT_FP),	"X509_CRL_print_fp"},
+{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_NID),	"X509_EXTENSION_create_by_NID"},
+{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_OBJ),	"X509_EXTENSION_create_by_OBJ"},
+{ERR_FUNC(X509_F_X509_GET_PUBKEY_PARAMETERS),	"X509_get_pubkey_parameters"},
+{ERR_FUNC(X509_F_X509_LOAD_CERT_CRL_FILE),	"X509_load_cert_crl_file"},
+{ERR_FUNC(X509_F_X509_LOAD_CERT_FILE),	"X509_load_cert_file"},
+{ERR_FUNC(X509_F_X509_LOAD_CRL_FILE),	"X509_load_crl_file"},
+{ERR_FUNC(X509_F_X509_NAME_ADD_ENTRY),	"X509_NAME_add_entry"},
+{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_NID),	"X509_NAME_ENTRY_create_by_NID"},
+{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT),	"X509_NAME_ENTRY_create_by_txt"},
+{ERR_FUNC(X509_F_X509_NAME_ENTRY_SET_OBJECT),	"X509_NAME_ENTRY_set_object"},
+{ERR_FUNC(X509_F_X509_NAME_ONELINE),	"X509_NAME_oneline"},
+{ERR_FUNC(X509_F_X509_NAME_PRINT),	"X509_NAME_print"},
+{ERR_FUNC(X509_F_X509_PRINT_EX_FP),	"X509_print_ex_fp"},
+{ERR_FUNC(X509_F_X509_PUBKEY_GET),	"X509_PUBKEY_get"},
+{ERR_FUNC(X509_F_X509_PUBKEY_SET),	"X509_PUBKEY_set"},
+{ERR_FUNC(X509_F_X509_REQ_CHECK_PRIVATE_KEY),	"X509_REQ_check_private_key"},
+{ERR_FUNC(X509_F_X509_REQ_PRINT_EX),	"X509_REQ_print_ex"},
+{ERR_FUNC(X509_F_X509_REQ_PRINT_FP),	"X509_REQ_print_fp"},
+{ERR_FUNC(X509_F_X509_REQ_TO_X509),	"X509_REQ_to_X509"},
+{ERR_FUNC(X509_F_X509_STORE_ADD_CERT),	"X509_STORE_add_cert"},
+{ERR_FUNC(X509_F_X509_STORE_ADD_CRL),	"X509_STORE_add_crl"},
+{ERR_FUNC(X509_F_X509_STORE_CTX_GET1_ISSUER),	"X509_STORE_CTX_get1_issuer"},
+{ERR_FUNC(X509_F_X509_STORE_CTX_INIT),	"X509_STORE_CTX_init"},
+{ERR_FUNC(X509_F_X509_STORE_CTX_NEW),	"X509_STORE_CTX_new"},
+{ERR_FUNC(X509_F_X509_STORE_CTX_PURPOSE_INHERIT),	"X509_STORE_CTX_purpose_inherit"},
+{ERR_FUNC(X509_F_X509_TO_X509_REQ),	"X509_to_X509_REQ"},
+{ERR_FUNC(X509_F_X509_TRUST_ADD),	"X509_TRUST_add"},
+{ERR_FUNC(X509_F_X509_TRUST_SET),	"X509_TRUST_set"},
+{ERR_FUNC(X509_F_X509_VERIFY_CERT),	"X509_verify_cert"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA X509_str_reasons[]=
 	{
-{X509_R_BAD_X509_FILETYPE                ,"bad x509 filetype"},
-{X509_R_BASE64_DECODE_ERROR              ,"base64 decode error"},
-{X509_R_CANT_CHECK_DH_KEY                ,"cant check dh key"},
-{X509_R_CERT_ALREADY_IN_HASH_TABLE       ,"cert already in hash table"},
-{X509_R_ERR_ASN1_LIB                     ,"err asn1 lib"},
-{X509_R_INVALID_DIRECTORY                ,"invalid directory"},
-{X509_R_INVALID_FIELD_NAME               ,"invalid field name"},
-{X509_R_INVALID_TRUST                    ,"invalid trust"},
-{X509_R_KEY_TYPE_MISMATCH                ,"key type mismatch"},
-{X509_R_KEY_VALUES_MISMATCH              ,"key values mismatch"},
-{X509_R_LOADING_CERT_DIR                 ,"loading cert dir"},
-{X509_R_LOADING_DEFAULTS                 ,"loading defaults"},
-{X509_R_NO_CERT_SET_FOR_US_TO_VERIFY     ,"no cert set for us to verify"},
-{X509_R_SHOULD_RETRY                     ,"should retry"},
-{X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN,"unable to find parameters in chain"},
-{X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY   ,"unable to get certs public key"},
-{X509_R_UNKNOWN_KEY_TYPE                 ,"unknown key type"},
-{X509_R_UNKNOWN_NID                      ,"unknown nid"},
-{X509_R_UNKNOWN_PURPOSE_ID               ,"unknown purpose id"},
-{X509_R_UNKNOWN_TRUST_ID                 ,"unknown trust id"},
-{X509_R_UNSUPPORTED_ALGORITHM            ,"unsupported algorithm"},
-{X509_R_WRONG_LOOKUP_TYPE                ,"wrong lookup type"},
-{X509_R_WRONG_TYPE                       ,"wrong type"},
+{ERR_REASON(X509_R_BAD_X509_FILETYPE)    ,"bad x509 filetype"},
+{ERR_REASON(X509_R_BASE64_DECODE_ERROR)  ,"base64 decode error"},
+{ERR_REASON(X509_R_CANT_CHECK_DH_KEY)    ,"cant check dh key"},
+{ERR_REASON(X509_R_CERT_ALREADY_IN_HASH_TABLE),"cert already in hash table"},
+{ERR_REASON(X509_R_ERR_ASN1_LIB)         ,"err asn1 lib"},
+{ERR_REASON(X509_R_INVALID_DIRECTORY)    ,"invalid directory"},
+{ERR_REASON(X509_R_INVALID_FIELD_NAME)   ,"invalid field name"},
+{ERR_REASON(X509_R_INVALID_TRUST)        ,"invalid trust"},
+{ERR_REASON(X509_R_KEY_TYPE_MISMATCH)    ,"key type mismatch"},
+{ERR_REASON(X509_R_KEY_VALUES_MISMATCH)  ,"key values mismatch"},
+{ERR_REASON(X509_R_LOADING_CERT_DIR)     ,"loading cert dir"},
+{ERR_REASON(X509_R_LOADING_DEFAULTS)     ,"loading defaults"},
+{ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),"no cert set for us to verify"},
+{ERR_REASON(X509_R_SHOULD_RETRY)         ,"should retry"},
+{ERR_REASON(X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN),"unable to find parameters in chain"},
+{ERR_REASON(X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY),"unable to get certs public key"},
+{ERR_REASON(X509_R_UNKNOWN_KEY_TYPE)     ,"unknown key type"},
+{ERR_REASON(X509_R_UNKNOWN_NID)          ,"unknown nid"},
+{ERR_REASON(X509_R_UNKNOWN_PURPOSE_ID)   ,"unknown purpose id"},
+{ERR_REASON(X509_R_UNKNOWN_TRUST_ID)     ,"unknown trust id"},
+{ERR_REASON(X509_R_UNSUPPORTED_ALGORITHM),"unsupported algorithm"},
+{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE)    ,"wrong lookup type"},
+{ERR_REASON(X509_R_WRONG_TYPE)           ,"wrong type"},
 {0,NULL}
 	};
 
@@ -148,8 +156,8 @@ void ERR_load_X509_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_X509,X509_str_functs);
-		ERR_load_strings(ERR_LIB_X509,X509_str_reasons);
+		ERR_load_strings(0,X509_str_functs);
+		ERR_load_strings(0,X509_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/x509/x509_lu.c b/crypto/openssl/crypto/x509/x509_lu.c
index b780dae5e29e..cd2cfb6d855a 100644
--- a/crypto/openssl/crypto/x509/x509_lu.c
+++ b/crypto/openssl/crypto/x509/x509_lu.c
@@ -187,10 +187,8 @@ X509_STORE *X509_STORE_new(void)
 	ret->verify=0;
 	ret->verify_cb=0;
 
-	ret->purpose = 0;
-	ret->trust = 0;
-
-	ret->flags = 0;
+	if ((ret->param = X509_VERIFY_PARAM_new()) == NULL)
+		return NULL;
 
 	ret->get_issuer = 0;
 	ret->check_issued = 0;
@@ -202,7 +200,6 @@ X509_STORE *X509_STORE_new(void)
 
 	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data);
 	ret->references=1;
-	ret->depth=0;
 	return ret;
 	}
 
@@ -244,6 +241,8 @@ void X509_STORE_free(X509_STORE *vfy)
 	sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
 
 	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
+	if (vfy->param)
+		X509_VERIFY_PARAM_free(vfy->param);
 	OPENSSL_free(vfy);
 	}
 
@@ -498,7 +497,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 		if (ok == X509_LU_RETRY)
 			{
 			X509_OBJECT_free_contents(&obj);
-			X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY);
+			X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY);
 			return -1;
 			}
 		else if (ok != X509_LU_FAIL)
@@ -538,19 +537,30 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 	return 0;
 }
 
-void X509_STORE_set_flags(X509_STORE *ctx, long flags)
+int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
 	{
-	ctx->flags |= flags;
+	return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
+	}
+
+int X509_STORE_set_depth(X509_STORE *ctx, int depth)
+	{
+	X509_VERIFY_PARAM_set_depth(ctx->param, depth);
+	return 1;
 	}
 
 int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
 	{
-	return X509_PURPOSE_set(&ctx->purpose, purpose);
+	return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
 	}
 
 int X509_STORE_set_trust(X509_STORE *ctx, int trust)
 	{
-	return X509_TRUST_set(&ctx->trust, trust);
+	return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
+	}
+
+int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
+	{
+	return X509_VERIFY_PARAM_set1(ctx->param, param);
 	}
 
 IMPLEMENT_STACK_OF(X509_LOOKUP)
diff --git a/crypto/openssl/crypto/x509/x509_r2x.c b/crypto/openssl/crypto/x509/x509_r2x.c
index db051033d9bf..254a14693d99 100644
--- a/crypto/openssl/crypto/x509/x509_r2x.c
+++ b/crypto/openssl/crypto/x509/x509_r2x.c
@@ -89,11 +89,15 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
 		}
 
 	xn=X509_REQ_get_subject_name(r);
-	X509_set_subject_name(ret,X509_NAME_dup(xn));
-	X509_set_issuer_name(ret,X509_NAME_dup(xn));
+	if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0)
+		goto err;
+	if (X509_set_issuer_name(ret,X509_NAME_dup(xn)) == 0)
+		goto err;
 
-	X509_gmtime_adj(xi->validity->notBefore,0);
-	X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days);
+	if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL)
+		goto err;
+	if (X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days) == NULL)
+		goto err;
 
 	X509_set_pubkey(ret,X509_REQ_get_pubkey(r));
 
diff --git a/crypto/openssl/crypto/x509/x509_req.c b/crypto/openssl/crypto/x509/x509_req.c
index 59fc6ca5484b..ab13bcfc061d 100644
--- a/crypto/openssl/crypto/x509/x509_req.c
+++ b/crypto/openssl/crypto/x509/x509_req.c
@@ -113,6 +113,46 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
 	return(X509_PUBKEY_get(req->req_info->pubkey));
 	}
 
+int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
+	{
+	EVP_PKEY *xk=NULL;
+	int ok=0;
+
+	xk=X509_REQ_get_pubkey(x);
+	switch (EVP_PKEY_cmp(xk, k))
+		{
+	case 1:
+		ok=1;
+		break;
+	case 0:
+		X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
+		break;
+	case -1:
+		X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
+		break;
+	case -2:
+#ifndef OPENSSL_NO_EC
+		if (k->type == EVP_PKEY_EC)
+			{
+			X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
+			break;
+			}
+#endif
+#ifndef OPENSSL_NO_DH
+		if (k->type == EVP_PKEY_DH)
+			{
+			/* No idea */
+			X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
+			break;
+			}
+#endif
+	        X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
+		}
+
+	EVP_PKEY_free(xk);
+	return(ok);
+	}
+
 /* It seems several organisations had the same idea of including a list of
  * extensions in a certificate request. There are at least two OIDs that are
  * used and there may be more: so the list is configurable.
@@ -147,7 +187,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
 	X509_ATTRIBUTE *attr;
 	ASN1_TYPE *ext = NULL;
 	int idx, *pnid;
-	unsigned char *p;
+	const unsigned char *p;
 
 	if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
 		return(NULL);
@@ -169,7 +209,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
 			ext->value.sequence->length,
 			d2i_X509_EXTENSION, X509_EXTENSION_free,
 			V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-	}
+}
 
 /* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
  * in case we want to create a non standard one.
diff --git a/crypto/openssl/crypto/x509/x509_trs.c b/crypto/openssl/crypto/x509/x509_trs.c
index 881252608d1f..9c84a59d523c 100644
--- a/crypto/openssl/crypto/x509/x509_trs.c
+++ b/crypto/openssl/crypto/x509/x509_trs.c
@@ -128,7 +128,7 @@ int X509_TRUST_get_count(void)
 X509_TRUST * X509_TRUST_get0(int idx)
 {
 	if(idx < 0) return NULL;
-	if(idx < X509_TRUST_COUNT) return trstandard + idx;
+	if(idx < (int)X509_TRUST_COUNT) return trstandard + idx;
 	return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
 }
 
@@ -219,7 +219,7 @@ static void trtable_free(X509_TRUST *p)
 
 void X509_TRUST_cleanup(void)
 {
-	int i;
+	unsigned int i;
 	for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i);
 	sk_X509_TRUST_pop_free(trtable, trtable_free);
 	trtable = NULL;
diff --git a/crypto/openssl/crypto/x509/x509_txt.c b/crypto/openssl/crypto/x509/x509_txt.c
index e31ebc6741a0..7dd2b761d9ab 100644
--- a/crypto/openssl/crypto/x509/x509_txt.c
+++ b/crypto/openssl/crypto/x509/x509_txt.c
@@ -122,8 +122,14 @@ const char *X509_verify_cert_error_string(long n)
 		return("certificate revoked");
 	case X509_V_ERR_INVALID_CA:
 		return ("invalid CA certificate");
+	case X509_V_ERR_INVALID_NON_CA:
+		return ("invalid non-CA certificate (has CA markings)");
 	case X509_V_ERR_PATH_LENGTH_EXCEEDED:
 		return ("path length constraint exceeded");
+	case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
+		return("proxy path length constraint exceeded");
+	case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
+		return("proxy cerificates not allowed, please set the appropriate flag");
 	case X509_V_ERR_INVALID_PURPOSE:
 		return ("unsupported certificate purpose");
 	case X509_V_ERR_CERT_UNTRUSTED:
@@ -140,19 +146,22 @@ const char *X509_verify_cert_error_string(long n)
 		return("authority and issuer serial number mismatch");
 	case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
 		return("key usage does not include certificate signing");
-
 	case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
 		return("unable to get CRL issuer certificate");
-
 	case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
 		return("unhandled critical extension");
-
 	case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
 		return("key usage does not include CRL signing");
-
+	case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
+		return("key usage does not include digital signature");
 	case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
 		return("unhandled critical CRL extension");
-
+	case X509_V_ERR_INVALID_EXTENSION:
+		return("invalid or inconsistent certificate extension");
+	case X509_V_ERR_INVALID_POLICY_EXTENSION:
+		return("invalid or inconsistent certificate policy extension");
+	case X509_V_ERR_NO_EXPLICIT_POLICY:
+		return("no explicit policy");
 	default:
 		BIO_snprintf(buf,sizeof buf,"error number %ld",n);
 		return(buf);
diff --git a/crypto/openssl/crypto/x509/x509_v3.c b/crypto/openssl/crypto/x509/x509_v3.c
index 67b1796a9213..42e6f0ab0560 100644
--- a/crypto/openssl/crypto/x509/x509_v3.c
+++ b/crypto/openssl/crypto/x509/x509_v3.c
@@ -147,7 +147,13 @@ STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
 	int n;
 	STACK_OF(X509_EXTENSION) *sk=NULL;
 
-	if ((x != NULL) && (*x == NULL))
+	if (x == NULL)
+		{
+		X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER);
+		goto err2;
+		}
+
+	if (*x == NULL)
 		{
 		if ((sk=sk_X509_EXTENSION_new_null()) == NULL)
 			goto err;
@@ -163,7 +169,7 @@ STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
 		goto err2;
 	if (!sk_X509_EXTENSION_insert(sk,new_ex,loc))
 		goto err;
-	if ((x != NULL) && (*x == NULL))
+	if (*x == NULL)
 		*x=sk;
 	return(sk);
 err:
diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c
index e24e10259d3b..79dae3d3bf23 100644
--- a/crypto/openssl/crypto/x509/x509_vfy.c
+++ b/crypto/openssl/crypto/x509/x509_vfy.c
@@ -73,10 +73,11 @@
 static int null_callback(int ok,X509_STORE_CTX *e);
 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
-static int check_chain_purpose(X509_STORE_CTX *ctx);
+static int check_chain_extensions(X509_STORE_CTX *ctx);
 static int check_trust(X509_STORE_CTX *ctx);
 static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx);
+static int check_policy(X509_STORE_CTX *ctx);
 static int internal_verify(X509_STORE_CTX *ctx);
 const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
 
@@ -97,11 +98,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 	{
 	X509 *x,*xtmp,*chain_ss=NULL;
 	X509_NAME *xn;
+	int bad_chain = 0;
+	X509_VERIFY_PARAM *param = ctx->param;
 	int depth,i,ok=0;
 	int num;
-	int (*cb)();
+	int (*cb)(int xok,X509_STORE_CTX *xctx);
 	STACK_OF(X509) *sktmp=NULL;
-
 	if (ctx->cert == NULL)
 		{
 		X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
@@ -134,7 +136,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 
 	num=sk_X509_num(ctx->chain);
 	x=sk_X509_value(ctx->chain,num-1);
-	depth=ctx->depth;
+	depth=param->depth;
 
 
 	for (;;)
@@ -201,6 +203,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 				ctx->current_cert=x;
 				ctx->error_depth=i-1;
 				if (ok == 1) X509_free(xtmp);
+				bad_chain = 1;
 				ok=cb(0,ctx);
 				if (!ok) goto end;
 				}
@@ -276,18 +279,19 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 			}
 
 		ctx->error_depth=num-1;
+		bad_chain = 1;
 		ok=cb(0,ctx);
 		if (!ok) goto end;
 		}
 
 	/* We have the chain complete: now we need to check its purpose */
-	if (ctx->purpose > 0) ok = check_chain_purpose(ctx);
+	ok = check_chain_extensions(ctx);
 
 	if (!ok) goto end;
 
 	/* The chain extensions are OK: check trust */
 
-	if (ctx->trust > 0) ok = check_trust(ctx);
+	if (param->trust > 0) ok = check_trust(ctx);
 
 	if (!ok) goto end;
 
@@ -301,11 +305,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 	ok = ctx->check_revocation(ctx);
 	if(!ok) goto end;
 
-	/* At this point, we have a chain and just need to verify it */
+	/* At this point, we have a chain and need to verify it */
 	if (ctx->verify != NULL)
 		ok=ctx->verify(ctx);
 	else
 		ok=internal_verify(ctx);
+	if(!ok) goto end;
+
+	/* If we get this far evaluate policies */
+	if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
+		ok = ctx->check_policy(ctx);
+	if(!ok) goto end;
 	if (0)
 		{
 end:
@@ -342,7 +352,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
 	if (ret == X509_V_OK)
 		return 1;
 	/* If we haven't asked for issuer errors don't set ctx */
-	if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK))
+	if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
 		return 0;
 
 	ctx->error = ret;
@@ -371,21 +381,40 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
  * with the supplied purpose
  */
 
-static int check_chain_purpose(X509_STORE_CTX *ctx)
+static int check_chain_extensions(X509_STORE_CTX *ctx)
 {
 #ifdef OPENSSL_NO_CHAIN_VERIFY
 	return 1;
 #else
-	int i, ok=0;
+	int i, ok=0, must_be_ca;
 	X509 *x;
-	int (*cb)();
+	int (*cb)(int xok,X509_STORE_CTX *xctx);
+	int proxy_path_length = 0;
+	int allow_proxy_certs =
+		!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
 	cb=ctx->verify_cb;
+
+	/* must_be_ca can have 1 of 3 values:
+	   -1: we accept both CA and non-CA certificates, to allow direct
+	       use of self-signed certificates (which are marked as CA).
+	   0:  we only accept non-CA certificates.  This is currently not
+	       used, but the possibility is present for future extensions.
+	   1:  we only accept CA certificates.  This is currently used for
+	       all certificates in the chain except the leaf certificate.
+	*/
+	must_be_ca = -1;
+
+	/* A hack to keep people who don't want to modify their software
+	   happy */
+	if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+		allow_proxy_certs = 1;
+
 	/* Check all untrusted certificates */
 	for (i = 0; i < ctx->last_untrusted; i++)
 		{
 		int ret;
 		x = sk_X509_value(ctx->chain, i);
-		if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
+		if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
 			&& (x->ex_flags & EXFLAG_CRITICAL))
 			{
 			ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
@@ -394,23 +423,73 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
 			ok=cb(0,ctx);
 			if (!ok) goto end;
 			}
-		ret = X509_check_purpose(x, ctx->purpose, i);
-		if ((ret == 0)
-			 || ((ctx->flags & X509_V_FLAG_X509_STRICT)
-				&& (ret != 1)))
+		if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
 			{
-			if (i)
+			ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
+			ctx->error_depth = i;
+			ctx->current_cert = x;
+			ok=cb(0,ctx);
+			if (!ok) goto end;
+			}
+		ret = X509_check_ca(x);
+		switch(must_be_ca)
+			{
+		case -1:
+			if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
+				&& (ret != 1) && (ret != 0))
+				{
+				ret = 0;
 				ctx->error = X509_V_ERR_INVALID_CA;
+				}
 			else
-				ctx->error = X509_V_ERR_INVALID_PURPOSE;
+				ret = 1;
+			break;
+		case 0:
+			if (ret != 0)
+				{
+				ret = 0;
+				ctx->error = X509_V_ERR_INVALID_NON_CA;
+				}
+			else
+				ret = 1;
+			break;
+		default:
+			if ((ret == 0)
+				|| ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
+					&& (ret != 1)))
+				{
+				ret = 0;
+				ctx->error = X509_V_ERR_INVALID_CA;
+				}
+			else
+				ret = 1;
+			break;
+			}
+		if (ret == 0)
+			{
 			ctx->error_depth = i;
 			ctx->current_cert = x;
 			ok=cb(0,ctx);
 			if (!ok) goto end;
 			}
+		if (ctx->param->purpose > 0)
+			{
+			ret = X509_check_purpose(x, ctx->param->purpose,
+				must_be_ca > 0);
+			if ((ret == 0)
+				|| ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
+					&& (ret != 1)))
+				{
+				ctx->error = X509_V_ERR_INVALID_PURPOSE;
+				ctx->error_depth = i;
+				ctx->current_cert = x;
+				ok=cb(0,ctx);
+				if (!ok) goto end;
+				}
+			}
 		/* Check pathlen */
 		if ((i > 1) && (x->ex_pathlen != -1)
-			   && (i > (x->ex_pathlen + 1)))
+			   && (i > (x->ex_pathlen + proxy_path_length + 1)))
 			{
 			ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
 			ctx->error_depth = i;
@@ -418,6 +497,26 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
 			ok=cb(0,ctx);
 			if (!ok) goto end;
 			}
+		/* If this certificate is a proxy certificate, the next
+		   certificate must be another proxy certificate or a EE
+		   certificate.  If not, the next certificate must be a
+		   CA certificate.  */
+		if (x->ex_flags & EXFLAG_PROXY)
+			{
+			if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
+				{
+				ctx->error =
+					X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+				ctx->error_depth = i;
+				ctx->current_cert = x;
+				ok=cb(0,ctx);
+				if (!ok) goto end;
+				}
+			proxy_path_length++;
+			must_be_ca = 0;
+			}
+		else
+			must_be_ca = 1;
 		}
 	ok = 1;
  end:
@@ -432,12 +531,12 @@ static int check_trust(X509_STORE_CTX *ctx)
 #else
 	int i, ok;
 	X509 *x;
-	int (*cb)();
+	int (*cb)(int xok,X509_STORE_CTX *xctx);
 	cb=ctx->verify_cb;
 /* For now just check the last certificate in the chain */
 	i = sk_X509_num(ctx->chain) - 1;
 	x = sk_X509_value(ctx->chain, i);
-	ok = X509_check_trust(x, ctx->trust, 0);
+	ok = X509_check_trust(x, ctx->param->trust, 0);
 	if (ok == X509_TRUST_TRUSTED)
 		return 1;
 	ctx->error_depth = i;
@@ -454,9 +553,9 @@ static int check_trust(X509_STORE_CTX *ctx)
 static int check_revocation(X509_STORE_CTX *ctx)
 	{
 	int i, last, ok;
-	if (!(ctx->flags & X509_V_FLAG_CRL_CHECK))
+	if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
 		return 1;
-	if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL)
+	if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
 		last = sk_X509_num(ctx->chain) - 1;
 	else
 		last = 0;
@@ -499,17 +598,124 @@ static int check_cert(X509_STORE_CTX *ctx)
 
 	}
 
+/* Check CRL times against values in X509_STORE_CTX */
+
+static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
+	{
+	time_t *ptime;
+	int i;
+	ctx->current_crl = crl;
+	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
+		ptime = &ctx->param->check_time;
+	else
+		ptime = NULL;
+
+	i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
+	if (i == 0)
+		{
+		ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
+		if (!notify || !ctx->verify_cb(0, ctx))
+			return 0;
+		}
+
+	if (i > 0)
+		{
+		ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
+		if (!notify || !ctx->verify_cb(0, ctx))
+			return 0;
+		}
+
+	if(X509_CRL_get_nextUpdate(crl))
+		{
+		i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
+
+		if (i == 0)
+			{
+			ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
+			if (!notify || !ctx->verify_cb(0, ctx))
+				return 0;
+			}
+
+		if (i < 0)
+			{
+			ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
+			if (!notify || !ctx->verify_cb(0, ctx))
+				return 0;
+			}
+		}
+
+	ctx->current_crl = NULL;
+
+	return 1;
+	}
+
+/* Lookup CRLs from the supplied list. Look for matching isser name
+ * and validity. If we can't find a valid CRL return the last one
+ * with matching name. This gives more meaningful error codes. Otherwise
+ * we'd get a CRL not found error if a CRL existed with matching name but
+ * was invalid.
+ */
+
+static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
+			X509_NAME *nm, STACK_OF(X509_CRL) *crls)
+	{
+	int i;
+	X509_CRL *crl, *best_crl = NULL;
+	for (i = 0; i < sk_X509_CRL_num(crls); i++)
+		{
+		crl = sk_X509_CRL_value(crls, i);
+		if (X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
+			continue;
+		if (check_crl_time(ctx, crl, 0))
+			{
+			*pcrl = crl;
+			CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509);
+			return 1;
+			}
+		best_crl = crl;
+		}
+	if (best_crl)
+		{
+		*pcrl = best_crl;
+		CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509);
+		}
+		
+	return 0;
+	}
+
 /* Retrieve CRL corresponding to certificate: currently just a
  * subject lookup: maybe use AKID later...
- * Also might look up any included CRLs too (e.g PKCS#7 signedData).
  */
-static int get_crl(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x)
+static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
 	{
 	int ok;
+	X509_CRL *crl = NULL;
 	X509_OBJECT xobj;
-	ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x), &xobj);
-	if (!ok) return 0;
-	*crl = xobj.data.crl;
+	X509_NAME *nm;
+	nm = X509_get_issuer_name(x);
+	ok = get_crl_sk(ctx, &crl, nm, ctx->crls);
+	if (ok)
+		{
+		*pcrl = crl;
+		return 1;
+		}
+
+	ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj);
+
+	if (!ok)
+		{
+		/* If we got a near match from get_crl_sk use that */
+		if (crl)
+			{
+			*pcrl = crl;
+			return 1;
+			}
+		return 0;
+		}
+
+	*pcrl = xobj.data.crl;
+	if (crl)
+		X509_CRL_free(crl);
 	return 1;
 	}
 
@@ -518,8 +724,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
 	{
 	X509 *issuer = NULL;
 	EVP_PKEY *ikey = NULL;
-	int ok = 0, chnum, cnum, i;
-	time_t *ptime;
+	int ok = 0, chnum, cnum;
 	cnum = ctx->error_depth;
 	chnum = sk_X509_num(ctx->chain) - 1;
 	/* Find CRL issuer: if not last certificate then issuer
@@ -571,45 +776,9 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
 			}
 		}
 
-	/* OK, CRL signature valid check times */
-	if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME)
-		ptime = &ctx->check_time;
-	else
-		ptime = NULL;
-
-	i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
-	if (i == 0)
-		{
-		ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
-		ok = ctx->verify_cb(0, ctx);
-		if (!ok) goto err;
-		}
-
-	if (i > 0)
-		{
-		ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
-		ok = ctx->verify_cb(0, ctx);
-		if (!ok) goto err;
-		}
-
-	if(X509_CRL_get_nextUpdate(crl))
-		{
-		i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
-
-		if (i == 0)
-			{
-			ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
-			ok = ctx->verify_cb(0, ctx);
-			if (!ok) goto err;
-			}
-
-		if (i < 0)
-			{
-			ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
-			ok = ctx->verify_cb(0, ctx);
-			if (!ok) goto err;
-			}
-		}
+	ok = check_crl_time(ctx, crl, 1);
+	if (!ok)
+		goto err;
 
 	ok = 1;
 
@@ -647,7 +816,7 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 		if (!ok) return 0;
 		}
 
-	if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
+	if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
 		return 1;
 
 	/* See if we have any critical CRL extensions: since we
@@ -674,13 +843,106 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 	return 1;
 	}
 
+static int check_policy(X509_STORE_CTX *ctx)
+	{
+	int ret;
+	ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
+				ctx->param->policies, ctx->param->flags);
+	if (ret == 0)
+		{
+		X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	/* Invalid or inconsistent extensions */
+	if (ret == -1)
+		{
+		/* Locate certificates with bad extensions and notify
+		 * callback.
+		 */
+		X509 *x;
+		int i;
+		for (i = 1; i < sk_X509_num(ctx->chain); i++)
+			{
+			x = sk_X509_value(ctx->chain, i);
+			if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
+				continue;
+			ctx->current_cert = x;
+			ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
+			ret = ctx->verify_cb(0, ctx);
+			}
+		return 1;
+		}
+	if (ret == -2)
+		{
+		ctx->current_cert = NULL;
+		ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
+		return ctx->verify_cb(0, ctx);
+		}
+
+	if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)
+		{
+		ctx->current_cert = NULL;
+		ctx->error = X509_V_OK;
+		if (!ctx->verify_cb(2, ctx))
+			return 0;
+		}
+
+	return 1;
+	}
+
+static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+	{
+	time_t *ptime;
+	int i;
+
+	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
+		ptime = &ctx->param->check_time;
+	else
+		ptime = NULL;
+
+	i=X509_cmp_time(X509_get_notBefore(x), ptime);
+	if (i == 0)
+		{
+		ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
+		ctx->current_cert=x;
+		if (!ctx->verify_cb(0, ctx))
+			return 0;
+		}
+
+	if (i > 0)
+		{
+		ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
+		ctx->current_cert=x;
+		if (!ctx->verify_cb(0, ctx))
+			return 0;
+		}
+
+	i=X509_cmp_time(X509_get_notAfter(x), ptime);
+	if (i == 0)
+		{
+		ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
+		ctx->current_cert=x;
+		if (!ctx->verify_cb(0, ctx))
+			return 0;
+		}
+
+	if (i < 0)
+		{
+		ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
+		ctx->current_cert=x;
+		if (!ctx->verify_cb(0, ctx))
+			return 0;
+		}
+
+	return 1;
+	}
+
 static int internal_verify(X509_STORE_CTX *ctx)
 	{
-	int i,ok=0,n;
+	int ok=0,n;
 	X509 *xs,*xi;
 	EVP_PKEY *pkey=NULL;
-	time_t *ptime;
-	int (*cb)();
+	int (*cb)(int xok,X509_STORE_CTX *xctx);
 
 	cb=ctx->verify_cb;
 
@@ -688,10 +950,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
 	ctx->error_depth=n-1;
 	n--;
 	xi=sk_X509_value(ctx->chain,n);
-	if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME)
-		ptime = &ctx->check_time;
-	else
-		ptime = NULL;
+
 	if (ctx->check_issued(ctx, xi, xi))
 		xs=xi;
 	else
@@ -744,43 +1003,16 @@ static int internal_verify(X509_STORE_CTX *ctx)
 				}
 			EVP_PKEY_free(pkey);
 			pkey=NULL;
-
-			i=X509_cmp_time(X509_get_notBefore(xs), ptime);
-			if (i == 0)
-				{
-				ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
-				ctx->current_cert=xs;
-				ok=(*cb)(0,ctx);
-				if (!ok) goto end;
-				}
-			if (i > 0)
-				{
-				ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
-				ctx->current_cert=xs;
-				ok=(*cb)(0,ctx);
-				if (!ok) goto end;
-				}
-			xs->valid=1;
 			}
 
-		i=X509_cmp_time(X509_get_notAfter(xs), ptime);
-		if (i == 0)
-			{
-			ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
-			ctx->current_cert=xs;
-			ok=(*cb)(0,ctx);
-			if (!ok) goto end;
-			}
+		xs->valid = 1;
 
-		if (i < 0)
-			{
-			ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
-			ctx->current_cert=xs;
-			ok=(*cb)(0,ctx);
-			if (!ok) goto end;
-			}
+		ok = check_cert_time(ctx, xs);
+		if (!ok)
+			goto end;
 
 		/* The last error (if any) is still in the error value */
+		ctx->current_issuer=xi;
 		ctx->current_cert=xs;
 		ok=(*cb)(1,ctx);
 		if (!ok) goto end;
@@ -849,7 +1081,7 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
 		offset=0;
 	else
 		{
-		if ((*str != '+') && (str[5] != '-'))
+		if ((*str != '+') && (*str != '-'))
 			return 0;
 		offset=((str[1]-'0')*10+(str[2]-'0'))*60;
 		offset+=(str[3]-'0')*10+(str[4]-'0');
@@ -860,7 +1092,8 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
 	atm.length=sizeof(buff2);
 	atm.data=(unsigned char *)buff2;
 
-	X509_time_adj(&atm,-offset*60, cmp_time);
+	if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
+		return 0;
 
 	if (ctm->type == V_ASN1_UTCTIME)
 		{
@@ -1009,6 +1242,11 @@ void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
 	ctx->untrusted=sk;
 	}
 
+void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
+	{
+	ctx->crls=sk;
+	}
+
 int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
 	{
 	return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
@@ -1072,8 +1310,8 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
 			}
 		}
 
-	if (purpose && !ctx->purpose) ctx->purpose = purpose;
-	if (trust && !ctx->trust) ctx->trust = trust;
+	if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
+	if (trust && !ctx->param->trust) ctx->param->trust = trust;
 	return 1;
 }
 
@@ -1099,20 +1337,30 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
 int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	     STACK_OF(X509) *chain)
 	{
+	int ret = 1;
 	ctx->ctx=store;
 	ctx->current_method=0;
 	ctx->cert=x509;
 	ctx->untrusted=chain;
+	ctx->crls = NULL;
 	ctx->last_untrusted=0;
-	ctx->check_time=0;
 	ctx->other_ctx=NULL;
 	ctx->valid=0;
 	ctx->chain=NULL;
-	ctx->depth=9;
 	ctx->error=0;
+	ctx->explicit_policy=0;
 	ctx->error_depth=0;
 	ctx->current_cert=NULL;
 	ctx->current_issuer=NULL;
+	ctx->tree = NULL;
+
+	ctx->param = X509_VERIFY_PARAM_new();
+
+	if (!ctx->param)
+		{
+		X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
 
 	/* Inherit callbacks and flags from X509_STORE if not set
 	 * use defaults.
@@ -1120,18 +1368,26 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 
 
 	if (store)
+		ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
+	else
+		ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
+
+	if (store)
 		{
-		ctx->purpose=store->purpose;
-		ctx->trust=store->trust;
-		ctx->flags = store->flags;
+		ctx->verify_cb = store->verify_cb;
 		ctx->cleanup = store->cleanup;
 		}
 	else
-		{
-		ctx->purpose = 0;
-		ctx->trust = 0;
-		ctx->flags = 0;
 		ctx->cleanup = 0;
+
+	if (ret)
+		ret = X509_VERIFY_PARAM_inherit(ctx->param,
+					X509_VERIFY_PARAM_lookup("default"));
+
+	if (ret == 0)
+		{
+		X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
+		return 0;
 		}
 
 	if (store && store->check_issued)
@@ -1174,6 +1430,8 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	else
 		ctx->cert_crl = cert_crl;
 
+	ctx->check_policy = check_policy;
+
 
 	/* This memset() can't make any sense anyway, so it's removed. As
 	 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
@@ -1202,6 +1460,9 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
 	{
 	if (ctx->cleanup) ctx->cleanup(ctx);
+	X509_VERIFY_PARAM_free(ctx->param);
+	if (ctx->tree)
+		X509_policy_tree_free(ctx->tree);
 	if (ctx->chain != NULL)
 		{
 		sk_X509_pop_free(ctx->chain,X509_free);
@@ -1211,15 +1472,19 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
 	memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
 	}
 
-void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags)
+void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
+	{
+	X509_VERIFY_PARAM_set_depth(ctx->param, depth);
+	}
+
+void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
 	{
-	ctx->flags |= flags;
+	X509_VERIFY_PARAM_set_flags(ctx->param, flags);
 	}
 
-void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t)
+void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
 	{
-	ctx->check_time = t;
-	ctx->flags |= X509_V_FLAG_USE_CHECK_TIME;
+	X509_VERIFY_PARAM_set_time(ctx->param, t);
 	}
 
 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
@@ -1228,6 +1493,37 @@ void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
 	ctx->verify_cb=verify_cb;
 	}
 
+X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
+	{
+	return ctx->tree;
+	}
+
+int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
+	{
+	return ctx->explicit_policy;
+	}
+
+int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
+	{
+	const X509_VERIFY_PARAM *param;
+	param = X509_VERIFY_PARAM_lookup(name);
+	if (!param)
+		return 0;
+	return X509_VERIFY_PARAM_inherit(ctx->param, param);
+	}
+
+X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
+	{
+	return ctx->param;
+	}
+
+void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
+	{
+	if (ctx->param)
+		X509_VERIFY_PARAM_free(ctx->param);
+	ctx->param = param;
+	}
+
 IMPLEMENT_STACK_OF(X509)
 IMPLEMENT_ASN1_SET_OF(X509)
 
diff --git a/crypto/openssl/crypto/x509/x509_vfy.h b/crypto/openssl/crypto/x509/x509_vfy.h
index 198495884cfa..3f16330444f8 100644
--- a/crypto/openssl/crypto/x509/x509_vfy.h
+++ b/crypto/openssl/crypto/x509/x509_vfy.h
@@ -65,6 +65,7 @@
 #ifndef HEADER_X509_VFY_H
 #define HEADER_X509_VFY_H
 
+#include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_LHASH
 #include <openssl/lhash.h>
 #endif
@@ -155,6 +156,25 @@ typedef struct x509_lookup_method_st
 			    X509_OBJECT *ret);
 	} X509_LOOKUP_METHOD;
 
+/* This structure hold all parameters associated with a verify operation
+ * by including an X509_VERIFY_PARAM structure in related structures the
+ * parameters used can be customized
+ */
+
+typedef struct X509_VERIFY_PARAM_st
+	{
+	char *name;
+	time_t check_time;	/* Time to use */
+	unsigned long inh_flags; /* Inheritance flags */
+	unsigned long flags;	/* Various verify flags */
+	int purpose;		/* purpose to check untrusted certificates */
+	int trust;		/* trust setting to check */
+	int depth;		/* Verify depth */
+	STACK_OF(ASN1_OBJECT) *policies;	/* Permissible policies */
+	} X509_VERIFY_PARAM;
+
+DECLARE_STACK_OF(X509_VERIFY_PARAM)
+
 /* This is used to hold everything.  It is used for all certificate
  * validation.  Once we have a certificate chain, the 'verify'
  * function is then called to actually check the cert chain. */
@@ -167,13 +187,8 @@ struct x509_store_st
 	/* These are external lookup methods */
 	STACK_OF(X509_LOOKUP) *get_cert_methods;
 
-	/* The following fields are not used by X509_STORE but are
-         * inherited by X509_STORE_CTX when it is initialised.
-	 */
+	X509_VERIFY_PARAM *param;
 
-	unsigned long flags;	/* Various verify flags */
-	int purpose;
-	int trust;
 	/* Callbacks for various operations */
 	int (*verify)(X509_STORE_CTX *ctx);	/* called to verify a certificate */
 	int (*verify_cb)(int ok,X509_STORE_CTX *ctx);	/* error callback */
@@ -187,10 +202,9 @@ struct x509_store_st
 
 	CRYPTO_EX_DATA ex_data;
 	int references;
-	int depth;		/* how deep to look (still unused -- X509_STORE_CTX's depth is used) */
 	} /* X509_STORE */;
 
-#define X509_STORE_set_depth(ctx,d)       ((ctx)->depth=(d))
+int X509_STORE_set_depth(X509_STORE *store, int depth);
 
 #define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
 #define X509_STORE_set_verify_func(ctx,func)	((ctx)->verify=(func))
@@ -217,10 +231,9 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 	/* The following are set by the caller */
 	X509 *cert;		/* The cert to check */
 	STACK_OF(X509) *untrusted;	/* chain of X509s - untrusted - passed in */
-	int purpose;		/* purpose to check untrusted certificates */
-	int trust;		/* trust setting to check */
-	time_t	check_time;	/* time to make verify at */
-	unsigned long flags;	/* Various verify flags */
+	STACK_OF(X509_CRL) *crls;	/* set of CRLs passed in */
+
+	X509_VERIFY_PARAM *param;
 	void *other_ctx;	/* Other info for use with get_issuer() */
 
 	/* Callbacks for various operations */
@@ -232,13 +245,16 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 	int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
 	int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
 	int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
+	int (*check_policy)(X509_STORE_CTX *ctx);
 	int (*cleanup)(X509_STORE_CTX *ctx);
 
 	/* The following is built up */
-	int depth;		/* how far to go looking up certs */
 	int valid;		/* if 0, rebuild chain */
 	int last_untrusted;	/* index of last untrusted cert */
 	STACK_OF(X509) *chain; 		/* chain of X509s - built up and trusted */
+	X509_POLICY_TREE *tree;	/* Valid policy tree */
+
+	int explicit_policy;	/* Require explicit policy value */
 
 	/* When something goes wrong, this is why */
 	int error_depth;
@@ -250,7 +266,7 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 	CRYPTO_EX_DATA ex_data;
 	} /* X509_STORE_CTX */;
 
-#define X509_STORE_CTX_set_depth(ctx,d)       ((ctx)->depth=(d))
+void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 
 #define X509_STORE_CTX_set_app_data(ctx,data) \
 	X509_STORE_CTX_set_ex_data(ctx,0,data)
@@ -276,7 +292,7 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define		X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY	6
 #define		X509_V_ERR_CERT_SIGNATURE_FAILURE		7
 #define		X509_V_ERR_CRL_SIGNATURE_FAILURE		8
-#define		X509_V_ERR_CERT_NOT_YET_VALID			9	
+#define		X509_V_ERR_CERT_NOT_YET_VALID			9
 #define		X509_V_ERR_CERT_HAS_EXPIRED			10
 #define		X509_V_ERR_CRL_NOT_YET_VALID			11
 #define		X509_V_ERR_CRL_HAS_EXPIRED			12
@@ -306,6 +322,15 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define		X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION		34
 #define		X509_V_ERR_KEYUSAGE_NO_CRL_SIGN			35
 #define		X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION	36
+#define		X509_V_ERR_INVALID_NON_CA			37
+#define		X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED		38
+#define		X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE	39
+#define		X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED	40
+
+#define		X509_V_ERR_INVALID_EXTENSION			41
+#define		X509_V_ERR_INVALID_POLICY_EXTENSION		42
+#define		X509_V_ERR_NO_EXPLICIT_POLICY			43
+
 
 /* The application is not happy */
 #define		X509_V_ERR_APPLICATION_VERIFICATION		50
@@ -324,6 +349,30 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define	X509_V_FLAG_IGNORE_CRITICAL		0x10
 /* Disable workarounds for broken certificates */
 #define	X509_V_FLAG_X509_STRICT			0x20
+/* Enable proxy certificate validation */
+#define	X509_V_FLAG_ALLOW_PROXY_CERTS		0x40
+/* Enable policy checking */
+#define X509_V_FLAG_POLICY_CHECK		0x80
+/* Policy variable require-explicit-policy */
+#define X509_V_FLAG_EXPLICIT_POLICY		0x100
+/* Policy variable inhibit-any-policy */
+#define	X509_V_FLAG_INHIBIT_ANY			0x200
+/* Policy variable inhibit-policy-mapping */
+#define X509_V_FLAG_INHIBIT_MAP			0x400
+/* Notify callback that policy is OK */
+#define X509_V_FLAG_NOTIFY_POLICY		0x800
+
+#define X509_VP_FLAG_DEFAULT			0x1
+#define X509_VP_FLAG_OVERWRITE			0x2
+#define X509_VP_FLAG_RESET_FLAGS		0x4
+#define X509_VP_FLAG_LOCKED			0x8
+#define X509_VP_FLAG_ONCE			0x10
+
+/* Internal use: mask of policy related options */
+#define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \
+				| X509_V_FLAG_EXPLICIT_POLICY \
+				| X509_V_FLAG_INHIBIT_ANY \
+				| X509_V_FLAG_INHIBIT_MAP)
 
 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
 	     X509_NAME *name);
@@ -334,9 +383,10 @@ void X509_OBJECT_free_contents(X509_OBJECT *a);
 X509_STORE *X509_STORE_new(void );
 void X509_STORE_free(X509_STORE *v);
 
-void X509_STORE_set_flags(X509_STORE *ctx, long flags);
+int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
 int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
 int X509_STORE_set_trust(X509_STORE *ctx, int trust);
+int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *pm);
 
 X509_STORE_CTX *X509_STORE_CTX_new(void);
 
@@ -400,14 +450,78 @@ STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
 STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
 void	X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);
 void	X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk);
+void	X509_STORE_CTX_set0_crls(X509_STORE_CTX *c,STACK_OF(X509_CRL) *sk);
 int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
 int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
 int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
 				int purpose, int trust);
-void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags);
-void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t);
+void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
+void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
+								time_t t);
 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
 				  int (*verify_cb)(int, X509_STORE_CTX *));
+  
+X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx);
+int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
+
+X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
+void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
+int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
+
+/* X509_VERIFY_PARAM functions */
+
+X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
+void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param);
+int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to,
+						const X509_VERIFY_PARAM *from);
+int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, 
+						const X509_VERIFY_PARAM *from);
+int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name);
+int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);
+int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
+							unsigned long flags);
+unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param);
+int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
+int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
+void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
+void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
+int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
+						ASN1_OBJECT *policy);
+int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 
+					STACK_OF(ASN1_OBJECT) *policies);
+int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
+
+int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param);
+const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
+void X509_VERIFY_PARAM_table_cleanup(void);
+
+int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
+			STACK_OF(X509) *certs,
+			STACK_OF(ASN1_OBJECT) *policy_oids,
+			unsigned int flags);
+
+void X509_policy_tree_free(X509_POLICY_TREE *tree);
+
+int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
+X509_POLICY_LEVEL *
+	X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i);
+
+STACK_OF(X509_POLICY_NODE) *
+	X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
+
+STACK_OF(X509_POLICY_NODE) *
+	X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
+
+int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
+
+X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i);
+
+const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
+
+STACK_OF(POLICYQUALINFO) *
+	X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
+const X509_POLICY_NODE *
+	X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
 
 #ifdef  __cplusplus
 }
diff --git a/crypto/openssl/crypto/x509/x509_vpm.c b/crypto/openssl/crypto/x509/x509_vpm.c
new file mode 100644
index 000000000000..5e69259a7934
--- /dev/null
+++ b/crypto/openssl/crypto/x509/x509_vpm.c
@@ -0,0 +1,420 @@
+/* x509_vpm.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+
+#include "cryptlib.h"
+#include <openssl/crypto.h>
+#include <openssl/lhash.h>
+#include <openssl/buffer.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+/* X509_VERIFY_PARAM functions */
+
+static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
+	{
+	if (!param)
+		return;
+	param->name = NULL;
+	param->purpose = 0;
+	param->trust = 0;
+	param->inh_flags = X509_VP_FLAG_DEFAULT;
+	param->flags = 0;
+	param->depth = -1;
+	if (param->policies)
+		{
+		sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
+		param->policies = NULL;
+		}
+	}
+
+X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
+	{
+	X509_VERIFY_PARAM *param;
+	param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
+	memset(param, 0, sizeof(X509_VERIFY_PARAM));
+	x509_verify_param_zero(param);
+	return param;
+	}
+
+void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
+	{
+	x509_verify_param_zero(param);
+	OPENSSL_free(param);
+	}
+
+/* This function determines how parameters are "inherited" from one structure
+ * to another. There are several different ways this can happen.
+ *
+ * 1. If a child structure needs to have its values initialized from a parent
+ *    they are simply copied across. For example SSL_CTX copied to SSL.
+ * 2. If the structure should take on values only if they are currently unset.
+ *    For example the values in an SSL structure will take appropriate value
+ *    for SSL servers or clients but only if the application has not set new
+ *    ones.
+ *
+ * The "inh_flags" field determines how this function behaves. 
+ *
+ * Normally any values which are set in the default are not copied from the
+ * destination and verify flags are ORed together.
+ *
+ * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
+ * to the destination. Effectively the values in "to" become default values
+ * which will be used only if nothing new is set in "from".
+ *
+ * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
+ * they are set or not. Flags is still Ored though.
+ *
+ * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
+ * of ORed.
+ *
+ * If X509_VP_FLAG_LOCKED is set then no values are copied.
+ *
+ * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
+ * after the next call.
+ */
+
+/* Macro to test if a field should be copied from src to dest */
+
+#define test_x509_verify_param_copy(field, def) \
+	(to_overwrite || \
+		((src->field != def) && (to_default || (dest->field == def))))
+
+/* Macro to test and copy a field if necessary */
+
+#define x509_verify_param_copy(field, def) \
+	if (test_x509_verify_param_copy(field, def)) \
+		dest->field = src->field
+		
+
+int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
+						const X509_VERIFY_PARAM *src)
+	{
+	unsigned long inh_flags;
+	int to_default, to_overwrite;
+	if (!src)
+		return 1;
+	inh_flags = dest->inh_flags | src->inh_flags;
+
+	if (inh_flags & X509_VP_FLAG_ONCE)
+		dest->inh_flags = 0;
+
+	if (inh_flags & X509_VP_FLAG_LOCKED)
+		return 1;
+
+	if (inh_flags & X509_VP_FLAG_DEFAULT)
+		to_default = 1;
+	else
+		to_default = 0;
+
+	if (inh_flags & X509_VP_FLAG_OVERWRITE)
+		to_overwrite = 1;
+	else
+		to_overwrite = 0;
+
+	x509_verify_param_copy(purpose, 0);
+	x509_verify_param_copy(trust, 0);
+	x509_verify_param_copy(depth, -1);
+
+	/* If overwrite or check time not set, copy across */
+
+	if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME))
+		{
+		dest->check_time = src->check_time;
+		dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
+		/* Don't need to copy flag: that is done below */
+		}
+
+	if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
+		dest->flags = 0;
+
+	dest->flags |= src->flags;
+
+	if (test_x509_verify_param_copy(policies, NULL))
+		{
+		if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
+			return 0;
+		}
+
+	return 1;
+	}
+
+int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
+						const X509_VERIFY_PARAM *from)
+	{
+	to->inh_flags |= X509_VP_FLAG_DEFAULT;
+	return X509_VERIFY_PARAM_inherit(to, from);
+	}
+
+int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
+	{
+	if (param->name)
+		OPENSSL_free(param->name);
+	param->name = BUF_strdup(name);
+	if (param->name)
+		return 1;
+	return 0;
+	}
+
+int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
+	{
+	param->flags |= flags;
+	if (flags & X509_V_FLAG_POLICY_MASK)
+		param->flags |= X509_V_FLAG_POLICY_CHECK;
+	return 1;
+	}
+
+int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
+	{
+	param->flags &= ~flags;
+	return 1;
+	}
+
+unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
+	{
+	return param->flags;
+	}
+
+int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
+	{
+	return X509_PURPOSE_set(&param->purpose, purpose);
+	}
+
+int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
+	{
+	return X509_TRUST_set(&param->trust, trust);
+	}
+
+void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
+	{
+	param->depth = depth;
+	}
+
+void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
+	{
+	param->check_time = t;
+	param->flags |= X509_V_FLAG_USE_CHECK_TIME;
+	}
+
+int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
+	{
+	if (!param->policies)
+		{
+		param->policies = sk_ASN1_OBJECT_new_null();
+		if (!param->policies)
+			return 0;
+		}
+	if (!sk_ASN1_OBJECT_push(param->policies, policy))
+		return 0;
+	return 1;
+	}
+
+int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 
+					STACK_OF(ASN1_OBJECT) *policies)
+	{
+	int i;
+	ASN1_OBJECT *oid, *doid;
+	if (!param)
+		return 0;
+	if (param->policies)
+		sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
+
+	if (!policies)
+		{
+		param->policies = NULL;
+		return 1;
+		}
+
+	param->policies = sk_ASN1_OBJECT_new_null();
+	if (!param->policies)
+		return 0;
+
+	for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++)
+		{
+		oid = sk_ASN1_OBJECT_value(policies, i);
+		doid = OBJ_dup(oid);
+		if (!doid)
+			return 0;
+		if (!sk_ASN1_OBJECT_push(param->policies, doid))
+			{
+			ASN1_OBJECT_free(doid);
+			return 0;
+			}
+		}
+	param->flags |= X509_V_FLAG_POLICY_CHECK;
+	return 1;
+	}
+
+int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
+	{
+	return param->depth;
+	}
+
+/* Default verify parameters: these are used for various
+ * applications and can be overridden by the user specified table.
+ * NB: the 'name' field *must* be in alphabetical order because it
+ * will be searched using OBJ_search.
+ */
+
+static const X509_VERIFY_PARAM default_table[] = {
+	{
+	"default",	/* X509 default parameters */
+	0,		/* Check time */
+	0,		/* internal flags */
+	0,		/* flags */
+	0,		/* purpose */
+	0,		/* trust */
+	9,		/* depth */
+	NULL		/* policies */
+	},
+	{
+	"pkcs7",			/* SSL/TLS client parameters */
+	0,				/* Check time */
+	0,				/* internal flags */
+	0,				/* flags */
+	X509_PURPOSE_SMIME_SIGN,	/* purpose */
+	X509_TRUST_EMAIL,		/* trust */
+	-1,				/* depth */
+	NULL				/* policies */
+	},
+	{
+	"ssl_client",			/* SSL/TLS client parameters */
+	0,				/* Check time */
+	0,				/* internal flags */
+	0,				/* flags */
+	X509_PURPOSE_SSL_CLIENT,	/* purpose */
+	X509_TRUST_SSL_CLIENT,		/* trust */
+	-1,				/* depth */
+	NULL				/* policies */
+	},
+	{
+	"ssl_server",			/* SSL/TLS server parameters */
+	0,				/* Check time */
+	0,				/* internal flags */
+	0,				/* flags */
+	X509_PURPOSE_SSL_SERVER,	/* purpose */
+	X509_TRUST_SSL_SERVER,		/* trust */
+	-1,				/* depth */
+	NULL				/* policies */
+	}};
+
+static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
+
+static int table_cmp(const void *pa, const void *pb)
+	{
+	const X509_VERIFY_PARAM *a = pa, *b = pb;
+	return strcmp(a->name, b->name);
+	}
+
+static int param_cmp(const X509_VERIFY_PARAM * const *a,
+			const X509_VERIFY_PARAM * const *b)
+	{
+	return strcmp((*a)->name, (*b)->name);
+	}
+
+int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
+	{
+	int idx;
+	X509_VERIFY_PARAM *ptmp;
+	if (!param_table)
+		{
+		param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
+		if (!param_table)
+			return 0;
+		}
+	else
+		{
+		idx = sk_X509_VERIFY_PARAM_find(param_table, param);
+		if (idx != -1)
+			{
+			ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
+			X509_VERIFY_PARAM_free(ptmp);
+			sk_X509_VERIFY_PARAM_delete(param_table, idx);
+			}
+		}
+	if (!sk_X509_VERIFY_PARAM_push(param_table, param))
+		return 0;
+	return 1;
+	}
+
+const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
+	{
+	int idx;
+	X509_VERIFY_PARAM pm;
+	pm.name = (char *)name;
+	if (param_table)
+		{
+		idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
+		if (idx != -1)
+			return sk_X509_VERIFY_PARAM_value(param_table, idx);
+		}
+	return (const X509_VERIFY_PARAM *) OBJ_bsearch((char *)&pm,
+				(char *)&default_table,
+				sizeof(default_table)/sizeof(X509_VERIFY_PARAM),
+				sizeof(X509_VERIFY_PARAM),
+				table_cmp);
+	}
+
+void X509_VERIFY_PARAM_table_cleanup(void)
+	{
+	if (param_table)
+		sk_X509_VERIFY_PARAM_pop_free(param_table,
+						X509_VERIFY_PARAM_free);
+	param_table = NULL;
+	}
diff --git a/crypto/openssl/crypto/x509/x509cset.c b/crypto/openssl/crypto/x509/x509cset.c
index 6cac440ea936..9d1646d5c8d7 100644
--- a/crypto/openssl/crypto/x509/x509cset.c
+++ b/crypto/openssl/crypto/x509/x509cset.c
@@ -129,6 +129,7 @@ int X509_CRL_sort(X509_CRL *c)
 		r=sk_X509_REVOKED_value(c->crl->revoked,i);
 		r->sequence=i;
 		}
+	c->crl->enc.modified = 1;
 	return 1;
 	}
 
diff --git a/crypto/openssl/crypto/x509/x509name.c b/crypto/openssl/crypto/x509/x509name.c
index 4c20e03eced3..068abfe5f045 100644
--- a/crypto/openssl/crypto/x509/x509name.c
+++ b/crypto/openssl/crypto/x509/x509name.c
@@ -195,8 +195,8 @@ int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
 	return ret;
 }
 
-int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
-			unsigned char *bytes, int len, int loc, int set)
+int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
+			const unsigned char *bytes, int len, int loc, int set)
 {
 	X509_NAME_ENTRY *ne;
 	int ret;
@@ -273,7 +273,7 @@ err:
 	}
 
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
-		char *field, int type, unsigned char *bytes, int len)
+		const char *field, int type, const unsigned char *bytes, int len)
 	{
 	ASN1_OBJECT *obj;
 	X509_NAME_ENTRY *nentry;
@@ -309,7 +309,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
 	}
 
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
-	     ASN1_OBJECT *obj, int type, unsigned char *bytes, int len)
+	     ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
 	{
 	X509_NAME_ENTRY *ret;
 
@@ -347,7 +347,7 @@ int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
 	}
 
 int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
-	     unsigned char *bytes, int len)
+	     const unsigned char *bytes, int len)
 	{
 	int i;
 
diff --git a/crypto/openssl/crypto/x509/x509spki.c b/crypto/openssl/crypto/x509/x509spki.c
index 4c3af946ec73..ed868b838e31 100644
--- a/crypto/openssl/crypto/x509/x509spki.c
+++ b/crypto/openssl/crypto/x509/x509spki.c
@@ -77,7 +77,8 @@ EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x)
 
 NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len)
 {
-	unsigned char *spki_der, *p;
+	unsigned char *spki_der;
+	const unsigned char *p;
 	int spki_len;
 	NETSCAPE_SPKI *spki;
 	if(len <= 0) len = strlen(str);
diff --git a/crypto/openssl/crypto/x509/x509type.c b/crypto/openssl/crypto/x509/x509type.c
index c25959a74282..2cd994c5b0f5 100644
--- a/crypto/openssl/crypto/x509/x509type.c
+++ b/crypto/openssl/crypto/x509/x509type.c
@@ -86,6 +86,9 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
 	case EVP_PKEY_DSA:
 		ret=EVP_PK_DSA|EVP_PKT_SIGN;
 		break;
+	case EVP_PKEY_EC:
+		ret=EVP_PK_EC|EVP_PKT_SIGN|EVP_PKT_EXCH;
+		break;
 	case EVP_PKEY_DH:
 		ret=EVP_PK_DH|EVP_PKT_EXCH;
 		break;
@@ -102,6 +105,9 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
 	case EVP_PKEY_DSA:
 		ret|=EVP_PKS_DSA;
 		break;
+	case EVP_PKEY_EC:
+		ret|=EVP_PKS_EC;
+		break;
 	default:
 		break;
 		}
diff --git a/crypto/openssl/crypto/x509/x_all.c b/crypto/openssl/crypto/x509/x_all.c
index fb5015cd4def..9039caad60de 100644
--- a/crypto/openssl/crypto/x509/x_all.c
+++ b/crypto/openssl/crypto/x509/x_all.c
@@ -64,6 +64,12 @@
 #include <openssl/asn1.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 
 int X509_verify(X509 *a, EVP_PKEY *r)
 	{
@@ -103,6 +109,7 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
 
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 	{
+	x->crl->enc.modified = 1;
 	return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg,
 		x->sig_alg, x->signature, x->crl,pkey,md));
 	}
@@ -222,9 +229,9 @@ RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa)
 
 RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa)
 	{
-	return((RSA *)ASN1_d2i_fp((char *(*)())
-		RSA_new,(char *(*)())d2i_RSA_PUBKEY, (fp),
-		(unsigned char **)(rsa)));
+	return ASN1_d2i_fp((void *(*)(void))
+			   RSA_new,(D2I_OF(void))d2i_RSA_PUBKEY, fp,
+			   (void **)rsa);
 	}
 
 int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa)
@@ -234,7 +241,7 @@ int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa)
 
 int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa)
 	{
-	return(ASN1_i2d_fp(i2d_RSA_PUBKEY,fp,(unsigned char *)rsa));
+	return ASN1_i2d_fp((I2D_OF(void))i2d_RSA_PUBKEY,fp,rsa);
 	}
 #endif
 
@@ -256,9 +263,7 @@ RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa)
 
 RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa)
 	{
-	return((RSA *)ASN1_d2i_bio((char *(*)())
-		RSA_new,(char *(*)())d2i_RSA_PUBKEY, (bp),
-		(unsigned char **)(rsa)));
+	return ASN1_d2i_bio_of(RSA,RSA_new,d2i_RSA_PUBKEY,bp,rsa);
 	}
 
 int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa)
@@ -268,7 +273,7 @@ int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa)
 
 int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
 	{
-	return(ASN1_i2d_bio(i2d_RSA_PUBKEY,bp,(unsigned char *)rsa));
+	return ASN1_i2d_bio_of(RSA,i2d_RSA_PUBKEY,bp,rsa);
 	}
 #endif
 
@@ -276,55 +281,92 @@ int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
 #ifndef OPENSSL_NO_FP_API
 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa)
 	{
-	return((DSA *)ASN1_d2i_fp((char *(*)())
-		DSA_new,(char *(*)())d2i_DSAPrivateKey, (fp),
-		(unsigned char **)(dsa)));
+	return ASN1_d2i_fp_of(DSA,DSA_new,d2i_DSAPrivateKey,fp,dsa);
 	}
 
 int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa)
 	{
-	return(ASN1_i2d_fp(i2d_DSAPrivateKey,fp,(unsigned char *)dsa));
+	return ASN1_i2d_fp_of_const(DSA,i2d_DSAPrivateKey,fp,dsa);
 	}
 
 DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa)
 	{
-	return((DSA *)ASN1_d2i_fp((char *(*)())
-		DSA_new,(char *(*)())d2i_DSA_PUBKEY, (fp),
-		(unsigned char **)(dsa)));
+	return ASN1_d2i_fp_of(DSA,DSA_new,d2i_DSA_PUBKEY,fp,dsa);
 	}
 
 int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa)
 	{
-	return(ASN1_i2d_fp(i2d_DSA_PUBKEY,fp,(unsigned char *)dsa));
+	return ASN1_i2d_fp_of(DSA,i2d_DSA_PUBKEY,fp,dsa);
 	}
 #endif
 
 DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa)
 	{
-	return((DSA *)ASN1_d2i_bio((char *(*)())
-		DSA_new,(char *(*)())d2i_DSAPrivateKey, (bp),
-		(unsigned char **)(dsa)));
+	return ASN1_d2i_bio_of(DSA,DSA_new,d2i_DSAPrivateKey,bp,dsa
+);
 	}
 
 int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa)
 	{
-	return(ASN1_i2d_bio(i2d_DSAPrivateKey,bp,(unsigned char *)dsa));
+	return ASN1_i2d_bio_of_const(DSA,i2d_DSAPrivateKey,bp,dsa);
 	}
 
 DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa)
 	{
-	return((DSA *)ASN1_d2i_bio((char *(*)())
-		DSA_new,(char *(*)())d2i_DSA_PUBKEY, (bp),
-		(unsigned char **)(dsa)));
+	return ASN1_d2i_bio_of(DSA,DSA_new,d2i_DSA_PUBKEY,bp,dsa);
 	}
 
 int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa)
 	{
-	return(ASN1_i2d_bio(i2d_DSA_PUBKEY,bp,(unsigned char *)dsa));
+	return ASN1_i2d_bio_of(DSA,i2d_DSA_PUBKEY,bp,dsa);
 	}
 
 #endif
 
+#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_FP_API
+EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey)
+	{
+	return ASN1_d2i_fp_of(EC_KEY,EC_KEY_new,d2i_EC_PUBKEY,fp,eckey);
+	}
+  
+int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey)
+	{
+	return ASN1_i2d_fp_of(EC_KEY,i2d_EC_PUBKEY,fp,eckey);
+	}
+
+EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey)
+	{
+	return ASN1_d2i_fp_of(EC_KEY,EC_KEY_new,d2i_ECPrivateKey,fp,eckey);
+	}
+  
+int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey)
+	{
+	return ASN1_i2d_fp_of(EC_KEY,i2d_ECPrivateKey,fp,eckey);
+	}
+#endif
+EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey)
+	{
+	return ASN1_d2i_bio_of(EC_KEY,EC_KEY_new,d2i_EC_PUBKEY,bp,eckey);
+	}
+  
+int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *ecdsa)
+	{
+	return ASN1_i2d_bio_of(EC_KEY,i2d_EC_PUBKEY,bp,ecdsa);
+	}
+
+EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey)
+	{
+	return ASN1_d2i_bio_of(EC_KEY,EC_KEY_new,d2i_ECPrivateKey,bp,eckey);
+	}
+  
+int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey)
+	{
+	return ASN1_i2d_bio_of(EC_KEY,i2d_ECPrivateKey,bp,eckey);
+	}
+#endif
+
+
 int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
 	     unsigned int *len)
 	{
@@ -369,40 +411,37 @@ int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *
 #ifndef OPENSSL_NO_FP_API
 X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8)
 	{
-	return((X509_SIG *)ASN1_d2i_fp((char *(*)())X509_SIG_new,
-		(char *(*)())d2i_X509_SIG, (fp),(unsigned char **)(p8)));
+	return ASN1_d2i_fp_of(X509_SIG,X509_SIG_new,d2i_X509_SIG,fp,p8);
 	}
 
 int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8)
 	{
-	return(ASN1_i2d_fp(i2d_X509_SIG,fp,(unsigned char *)p8));
+	return ASN1_i2d_fp_of(X509_SIG,i2d_X509_SIG,fp,p8);
 	}
 #endif
 
 X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8)
 	{
-	return((X509_SIG *)ASN1_d2i_bio((char *(*)())X509_SIG_new,
-		(char *(*)())d2i_X509_SIG, (bp),(unsigned char **)(p8)));
+	return ASN1_d2i_bio_of(X509_SIG,X509_SIG_new,d2i_X509_SIG,bp,p8);
 	}
 
 int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8)
 	{
-	return(ASN1_i2d_bio(i2d_X509_SIG,bp,(unsigned char *)p8));
+	return ASN1_i2d_bio_of(X509_SIG,i2d_X509_SIG,bp,p8);
 	}
 
 #ifndef OPENSSL_NO_FP_API
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
 						 PKCS8_PRIV_KEY_INFO **p8inf)
 	{
-	return((PKCS8_PRIV_KEY_INFO *)ASN1_d2i_fp(
-		(char *(*)())PKCS8_PRIV_KEY_INFO_new,
-		(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, (fp),
-				(unsigned char **)(p8inf)));
+	return ASN1_d2i_fp_of(PKCS8_PRIV_KEY_INFO,PKCS8_PRIV_KEY_INFO_new,
+			      d2i_PKCS8_PRIV_KEY_INFO,fp,p8inf);
 	}
 
 int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf)
 	{
-	return(ASN1_i2d_fp(i2d_PKCS8_PRIV_KEY_INFO,fp,(unsigned char *)p8inf));
+	return ASN1_i2d_fp_of(PKCS8_PRIV_KEY_INFO,i2d_PKCS8_PRIV_KEY_INFO,fp,
+			      p8inf);
 	}
 
 int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key)
@@ -418,24 +457,22 @@ int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key)
 
 int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey)
 	{
-	return(ASN1_i2d_fp(i2d_PrivateKey,fp,(unsigned char *)pkey));
+	return ASN1_i2d_fp_of(EVP_PKEY,i2d_PrivateKey,fp,pkey);
 	}
 
 EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a)
 {
-	return((EVP_PKEY *)ASN1_d2i_fp((char *(*)())EVP_PKEY_new,
-		(char *(*)())d2i_AutoPrivateKey, (fp),(unsigned char **)(a)));
+	return ASN1_d2i_fp_of(EVP_PKEY,EVP_PKEY_new,d2i_AutoPrivateKey,fp,a);
 }
 
 int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey)
 	{
-	return(ASN1_i2d_fp(i2d_PUBKEY,fp,(unsigned char *)pkey));
+	return ASN1_i2d_fp_of(EVP_PKEY,i2d_PUBKEY,fp,pkey);
 	}
 
 EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a)
 {
-	return((EVP_PKEY *)ASN1_d2i_fp((char *(*)())EVP_PKEY_new,
-		(char *(*)())d2i_PUBKEY, (fp),(unsigned char **)(a)));
+	return ASN1_d2i_fp_of(EVP_PKEY,EVP_PKEY_new,d2i_PUBKEY,fp,a);
 }
 
 #endif
@@ -443,15 +480,14 @@ EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a)
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
 						 PKCS8_PRIV_KEY_INFO **p8inf)
 	{
-	return((PKCS8_PRIV_KEY_INFO *)ASN1_d2i_bio(
-		(char *(*)())PKCS8_PRIV_KEY_INFO_new,
-		(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, (bp),
-				(unsigned char **)(p8inf)));
+	return ASN1_d2i_bio_of(PKCS8_PRIV_KEY_INFO,PKCS8_PRIV_KEY_INFO_new,
+			    d2i_PKCS8_PRIV_KEY_INFO,bp,p8inf);
 	}
 
 int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf)
 	{
-	return(ASN1_i2d_bio(i2d_PKCS8_PRIV_KEY_INFO,bp,(unsigned char *)p8inf));
+	return ASN1_i2d_bio_of(PKCS8_PRIV_KEY_INFO,i2d_PKCS8_PRIV_KEY_INFO,bp,
+			       p8inf);
 	}
 
 int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key)
@@ -467,22 +503,20 @@ int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key)
 
 int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey)
 	{
-	return(ASN1_i2d_bio(i2d_PrivateKey,bp,(unsigned char *)pkey));
+	return ASN1_i2d_bio_of(EVP_PKEY,i2d_PrivateKey,bp,pkey);
 	}
 
 EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a)
 	{
-	return((EVP_PKEY *)ASN1_d2i_bio((char *(*)())EVP_PKEY_new,
-		(char *(*)())d2i_AutoPrivateKey, (bp),(unsigned char **)(a)));
+	return ASN1_d2i_bio_of(EVP_PKEY,EVP_PKEY_new,d2i_AutoPrivateKey,bp,a);
 	}
 
 int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey)
 	{
-	return(ASN1_i2d_bio(i2d_PUBKEY,bp,(unsigned char *)pkey));
+	return ASN1_i2d_bio_of(EVP_PKEY,i2d_PUBKEY,bp,pkey);
 	}
 
 EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a)
 	{
-	return((EVP_PKEY *)ASN1_d2i_bio((char *(*)())EVP_PKEY_new,
-		(char *(*)())d2i_PUBKEY, (bp),(unsigned char **)(a)));
+	return ASN1_d2i_bio_of(EVP_PKEY,EVP_PKEY_new,d2i_PUBKEY,bp,a);
 	}
diff --git a/crypto/openssl/crypto/x509v3/Makefile b/crypto/openssl/crypto/x509v3/Makefile
index 7b0d03ac6102..7a5266e6750d 100644
--- a/crypto/openssl/crypto/x509v3/Makefile
+++ b/crypto/openssl/crypto/x509v3/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/x509v3/Makefile
+# OpenSSL/crypto/x509v3/Makefile
 #
 
 DIR=	x509v3
@@ -7,11 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 
@@ -25,16 +20,18 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC=	v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
 v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
 v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
-v3_ocsp.c v3_akeya.c
+v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
+pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
 v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
 v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
-v3_ocsp.o v3_akeya.o
+v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \
+pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o
 
 SRC= $(LIBSRC)
 
 EXHEADER= x509v3.h
-HEADER=	$(EXHEADER)
+HEADER=	$(EXHEADER) pcy_int.h
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
 
@@ -57,7 +54,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -72,6 +70,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
@@ -83,519 +82,479 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-v3_akey.o: ../../e_os.h ../../include/openssl/aes.h
-v3_akey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_akey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_akey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_akey.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_akey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_akey.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_akey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_akey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_akey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_akey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_akey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pcy_cache.o: ../../e_os.h ../../include/openssl/asn1.h
+pcy_cache.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pcy_cache.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pcy_cache.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pcy_cache.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pcy_cache.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pcy_cache.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pcy_cache.o: ../../include/openssl/objects.h
+pcy_cache.o: ../../include/openssl/opensslconf.h
+pcy_cache.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pcy_cache.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pcy_cache.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pcy_cache.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pcy_cache.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pcy_cache.o: ../cryptlib.h pcy_cache.c pcy_int.h
+pcy_data.o: ../../e_os.h ../../include/openssl/asn1.h
+pcy_data.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pcy_data.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pcy_data.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pcy_data.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pcy_data.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pcy_data.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pcy_data.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pcy_data.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pcy_data.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pcy_data.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pcy_data.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pcy_data.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pcy_data.o: ../cryptlib.h pcy_data.c pcy_int.h
+pcy_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+pcy_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pcy_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pcy_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pcy_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pcy_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pcy_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pcy_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pcy_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pcy_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pcy_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pcy_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pcy_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pcy_lib.o: ../cryptlib.h pcy_int.h pcy_lib.c
+pcy_map.o: ../../e_os.h ../../include/openssl/asn1.h
+pcy_map.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pcy_map.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pcy_map.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pcy_map.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pcy_map.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pcy_map.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pcy_map.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pcy_map.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pcy_map.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pcy_map.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pcy_map.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pcy_map.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pcy_map.o: ../cryptlib.h pcy_int.h pcy_map.c
+pcy_node.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pcy_node.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+pcy_node.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+pcy_node.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+pcy_node.o: ../../include/openssl/ecdsa.h ../../include/openssl/evp.h
+pcy_node.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pcy_node.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pcy_node.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pcy_node.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pcy_node.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pcy_node.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pcy_node.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pcy_node.o: pcy_int.h pcy_node.c
+pcy_tree.o: ../../e_os.h ../../include/openssl/asn1.h
+pcy_tree.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pcy_tree.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pcy_tree.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pcy_tree.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pcy_tree.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pcy_tree.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pcy_tree.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pcy_tree.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pcy_tree.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pcy_tree.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pcy_tree.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pcy_tree.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pcy_tree.o: ../cryptlib.h pcy_int.h pcy_tree.c
+v3_akey.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_akey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_akey.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_akey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_akey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_akey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_akey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_akey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_akey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 v3_akey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_akey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_akey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_akey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_akey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_akey.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_akey.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_akey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_akey.o: ../cryptlib.h v3_akey.c
-v3_akeya.o: ../../e_os.h ../../include/openssl/aes.h
-v3_akeya.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_akeya.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_akeya.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_akeya.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_akeya.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_akeya.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_akeya.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_akeya.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_akeya.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_akeya.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_akeya.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_akey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_akey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_akey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_akey.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_akey.c
+v3_akeya.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_akeya.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_akeya.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_akeya.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_akeya.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_akeya.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_akeya.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_akeya.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_akeya.o: ../../include/openssl/opensslconf.h
 v3_akeya.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_akeya.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_akeya.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_akeya.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_akeya.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_akeya.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_akeya.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_akeya.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_akeya.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_akeya.c
-v3_alt.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3_alt.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_alt.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_alt.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_alt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_alt.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_alt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_alt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_alt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_alt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_alt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_akeya.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_akeya.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_akeya.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_akeya.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_akeya.o: ../cryptlib.h v3_akeya.c
+v3_alt.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_alt.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_alt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_alt.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_alt.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_alt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_alt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_alt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 v3_alt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_alt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_alt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_alt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_alt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_alt.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_alt.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_alt.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_alt.o: ../cryptlib.h v3_alt.c
-v3_bcons.o: ../../e_os.h ../../include/openssl/aes.h
-v3_bcons.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_bcons.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_bcons.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_bcons.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_bcons.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_bcons.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_bcons.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_bcons.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_bcons.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_bcons.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_bcons.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_alt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_alt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_alt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_alt.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_alt.c
+v3_bcons.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_bcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_bcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_bcons.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_bcons.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_bcons.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_bcons.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_bcons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_bcons.o: ../../include/openssl/opensslconf.h
 v3_bcons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_bcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_bcons.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_bcons.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_bcons.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_bcons.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_bcons.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_bcons.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_bcons.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_bcons.c
-v3_bitst.o: ../../e_os.h ../../include/openssl/aes.h
-v3_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_bcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_bcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_bcons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_bcons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_bcons.o: ../cryptlib.h v3_bcons.c
+v3_bitst.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_bitst.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 v3_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_bitst.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_bitst.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_bitst.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_bitst.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_bitst.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_bitst.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 v3_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 v3_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_bitst.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_bitst.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_bitst.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_bitst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_bitst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_bitst.c
-v3_conf.o: ../../e_os.h ../../include/openssl/aes.h
-v3_conf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_conf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_conf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_bitst.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_bitst.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_bitst.o: ../cryptlib.h v3_bitst.c
+v3_conf.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_conf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 v3_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_conf.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_conf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_conf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_conf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_conf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_conf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_conf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_conf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_conf.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_conf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_conf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 v3_conf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 v3_conf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_conf.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_conf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_conf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_conf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_conf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_conf.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_conf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_conf.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_conf.c
-v3_cpols.o: ../../e_os.h ../../include/openssl/aes.h
-v3_cpols.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_cpols.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_cpols.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_cpols.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_cpols.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_cpols.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_cpols.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_cpols.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_cpols.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_cpols.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_cpols.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_conf.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_conf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_conf.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_conf.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_conf.o: ../cryptlib.h v3_conf.c
+v3_cpols.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_cpols.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_cpols.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_cpols.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_cpols.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_cpols.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_cpols.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_cpols.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_cpols.o: ../../include/openssl/opensslconf.h
 v3_cpols.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_cpols.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_cpols.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_cpols.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_cpols.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_cpols.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_cpols.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_cpols.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_cpols.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_cpols.c
-v3_crld.o: ../../e_os.h ../../include/openssl/aes.h
-v3_crld.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_crld.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_crld.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_crld.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_crld.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_crld.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_crld.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_crld.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_crld.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_crld.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_crld.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_cpols.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_cpols.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_cpols.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_cpols.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_cpols.o: ../cryptlib.h pcy_int.h v3_cpols.c
+v3_crld.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_crld.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_crld.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_crld.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_crld.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_crld.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_crld.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_crld.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_crld.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 v3_crld.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_crld.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_crld.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_crld.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_crld.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_crld.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_crld.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_crld.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_crld.o: ../cryptlib.h v3_crld.c
-v3_enum.o: ../../e_os.h ../../include/openssl/aes.h
-v3_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_enum.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_enum.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_crld.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_crld.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_crld.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_crld.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_crld.c
+v3_enum.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_enum.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 v3_enum.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_enum.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_enum.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_enum.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_enum.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_enum.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_enum.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_enum.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_enum.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_enum.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 v3_enum.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 v3_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_enum.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_enum.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_enum.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_enum.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_enum.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_enum.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_enum.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_enum.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_enum.c
-v3_extku.o: ../../e_os.h ../../include/openssl/aes.h
-v3_extku.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_extku.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_extku.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_extku.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_extku.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_extku.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_extku.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_extku.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_extku.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_extku.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_extku.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_enum.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_enum.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_enum.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_enum.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_enum.o: ../cryptlib.h v3_enum.c
+v3_extku.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_extku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_extku.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_extku.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_extku.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_extku.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_extku.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_extku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_extku.o: ../../include/openssl/opensslconf.h
 v3_extku.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_extku.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_extku.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_extku.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_extku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_extku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_extku.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_extku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_extku.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_extku.c
-v3_genn.o: ../../e_os.h ../../include/openssl/aes.h
-v3_genn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_genn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_genn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_genn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_genn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_genn.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_genn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_genn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_genn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_genn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_genn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_extku.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_extku.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_extku.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_extku.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_extku.o: ../cryptlib.h v3_extku.c
+v3_genn.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_genn.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_genn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_genn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_genn.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_genn.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_genn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_genn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_genn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 v3_genn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_genn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_genn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_genn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_genn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_genn.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_genn.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_genn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_genn.o: ../cryptlib.h v3_genn.c
-v3_ia5.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3_ia5.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_ia5.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_ia5.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_ia5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_ia5.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_ia5.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_ia5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_ia5.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_ia5.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_ia5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_genn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_genn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_genn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_genn.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_genn.c
+v3_ia5.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_ia5.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_ia5.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_ia5.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_ia5.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_ia5.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_ia5.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_ia5.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 v3_ia5.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_ia5.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_ia5.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_ia5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_ia5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_ia5.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_ia5.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_ia5.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_ia5.o: ../cryptlib.h v3_ia5.c
-v3_info.o: ../../e_os.h ../../include/openssl/aes.h
-v3_info.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_info.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_info.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_info.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_info.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_info.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_info.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_ia5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_ia5.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_ia5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_ia5.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ia5.c
+v3_info.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_info.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_info.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_info.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_info.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_info.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_info.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_info.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 v3_info.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_info.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_info.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_info.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_info.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_info.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_info.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_info.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_info.o: ../cryptlib.h v3_info.c
-v3_int.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3_int.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_int.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_int.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_int.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_int.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_int.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_int.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_int.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_int.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_info.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_info.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_info.c
+v3_int.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_int.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_int.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_int.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_int.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_int.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 v3_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_int.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_int.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_int.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_int.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_int.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_int.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_int.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_int.o: ../cryptlib.h v3_int.c
-v3_lib.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3_lib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_lib.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_lib.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_int.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_int.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_int.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_int.c
+v3_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_lib.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 v3_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_lib.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_lib.o: ../cryptlib.h ext_dat.h v3_lib.c
-v3_ocsp.o: ../../e_os.h ../../include/openssl/aes.h
-v3_ocsp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_ocsp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_ocsp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ext_dat.h v3_lib.c
+v3_ncons.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_ncons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_ncons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_ncons.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_ncons.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_ncons.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_ncons.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_ncons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_ncons.o: ../../include/openssl/opensslconf.h
+v3_ncons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_ncons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_ncons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_ncons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_ncons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_ncons.o: ../cryptlib.h v3_ncons.c
+v3_ocsp.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_ocsp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 v3_ocsp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_ocsp.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_ocsp.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_ocsp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_ocsp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_ocsp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_ocsp.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_ocsp.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_ocsp.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_ocsp.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_ocsp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_ocsp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 v3_ocsp.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
 v3_ocsp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 v3_ocsp.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_ocsp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_ocsp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_ocsp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_ocsp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_ocsp.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_ocsp.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_ocsp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_ocsp.o: ../cryptlib.h v3_ocsp.c
-v3_pku.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+v3_ocsp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_ocsp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_ocsp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_ocsp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ocsp.c
+v3_pci.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_pci.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_pci.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_pci.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_pci.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_pci.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pci.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pci.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_pci.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_pci.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_pci.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_pci.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_pci.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pci.c
+v3_pcia.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+v3_pcia.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+v3_pcia.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_pcia.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_pcia.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_pcia.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pcia.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pcia.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_pcia.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_pcia.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_pcia.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_pcia.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_pcia.o: ../../include/openssl/x509v3.h v3_pcia.c
+v3_pcons.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_pcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_pcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_pcons.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_pcons.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_pcons.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_pcons.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pcons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pcons.o: ../../include/openssl/opensslconf.h
+v3_pcons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_pcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_pcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_pcons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_pcons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_pcons.o: ../cryptlib.h v3_pcons.c
+v3_pku.o: ../../e_os.h ../../include/openssl/asn1.h
 v3_pku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_pku.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_pku.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-v3_pku.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_pku.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_pku.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_pku.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_pku.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_pku.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_pku.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_pku.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_pku.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_pku.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_pku.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_pku.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_pku.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_pku.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_pku.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_pku.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_pku.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_pku.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pku.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_pku.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 v3_pku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 v3_pku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_pku.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 v3_pku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_pku.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pku.c
-v3_prn.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3_prn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_prn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_prn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_prn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_prn.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_prn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_prn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_prn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_prn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_prn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_pmaps.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_pmaps.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_pmaps.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_pmaps.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_pmaps.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_pmaps.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_pmaps.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pmaps.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pmaps.o: ../../include/openssl/opensslconf.h
+v3_pmaps.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_pmaps.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_pmaps.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_pmaps.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_pmaps.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_pmaps.o: ../cryptlib.h v3_pmaps.c
+v3_prn.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_prn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_prn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_prn.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_prn.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_prn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_prn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_prn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 v3_prn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_prn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_prn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_prn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_prn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_prn.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_prn.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3_prn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_prn.o: ../cryptlib.h v3_prn.c
-v3_purp.o: ../../e_os.h ../../include/openssl/aes.h
-v3_purp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_purp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_purp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_prn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_prn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_prn.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_prn.c
+v3_purp.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_purp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 v3_purp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_purp.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_purp.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_purp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_purp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_purp.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_purp.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_purp.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_purp.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_purp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 v3_purp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 v3_purp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_purp.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_purp.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_purp.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_purp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_purp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_purp.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_purp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_purp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_purp.c
-v3_skey.o: ../../e_os.h ../../include/openssl/aes.h
-v3_skey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_skey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_purp.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_purp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_purp.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_purp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_purp.o: ../cryptlib.h v3_purp.c
+v3_skey.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_skey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 v3_skey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_skey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-v3_skey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_skey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_skey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_skey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_skey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_skey.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_skey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_skey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 v3_skey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 v3_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_skey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_skey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_skey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_skey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_skey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_skey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_skey.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_skey.c
-v3_sxnet.o: ../../e_os.h ../../include/openssl/aes.h
-v3_sxnet.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_sxnet.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3_sxnet.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_sxnet.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_sxnet.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_sxnet.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_sxnet.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3_sxnet.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_sxnet.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_sxnet.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_sxnet.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_skey.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_skey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_skey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_skey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_skey.o: ../cryptlib.h v3_skey.c
+v3_sxnet.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_sxnet.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_sxnet.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_sxnet.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_sxnet.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_sxnet.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_sxnet.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_sxnet.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_sxnet.o: ../../include/openssl/opensslconf.h
 v3_sxnet.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_sxnet.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_sxnet.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_sxnet.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_sxnet.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_sxnet.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_sxnet.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-v3_sxnet.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_sxnet.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_sxnet.c
-v3_utl.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3_utl.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_sxnet.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_sxnet.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_sxnet.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_sxnet.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_sxnet.o: ../cryptlib.h v3_sxnet.c
+v3_utl.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 v3_utl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_utl.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_utl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3_utl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3_utl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_utl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_utl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_utl.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 v3_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_utl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_utl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_utl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_utl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_utl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_utl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_utl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_utl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_utl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_utl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_utl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 v3_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_utl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3_utl.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+v3_utl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3_utl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
 v3_utl.o: ../cryptlib.h v3_utl.c
-v3err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-v3err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-v3err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3err.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3err.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-v3err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-v3err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3err.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3err.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3err.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3err.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3err.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3err.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 v3err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3err.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-v3err.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-v3err.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3err.o: v3err.c
+v3err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3err.o: ../../include/openssl/x509v3.h v3err.c
diff --git a/crypto/openssl/crypto/x509v3/ext_dat.h b/crypto/openssl/crypto/x509v3/ext_dat.h
index 6fa3178e6e0a..35966846873a 100644
--- a/crypto/openssl/crypto/x509v3/ext_dat.h
+++ b/crypto/openssl/crypto/x509v3/ext_dat.h
@@ -64,7 +64,9 @@ extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
 extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
 extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
 extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern X509V3_EXT_METHOD v3_crl_hold;
+extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
+extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
+extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp;
 
 /* This table will be searched using OBJ_bsearch so it *must* kept in
  * order of the ext_nid values.
@@ -106,9 +108,14 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_ocsp_serviceloc,
 #endif
 &v3_sinfo,
+&v3_policy_constraints,
 #ifndef OPENSSL_NO_OCSP
-&v3_crl_hold
+&v3_crl_hold,
 #endif
+&v3_pci,
+&v3_name_constraints,
+&v3_policy_mappings,
+&v3_inhibit_anyp
 };
 
 /* Number of standard extensions */
diff --git a/crypto/openssl/crypto/x509v3/pcy_cache.c b/crypto/openssl/crypto/x509v3/pcy_cache.c
new file mode 100644
index 000000000000..c18beb89f583
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/pcy_cache.c
@@ -0,0 +1,287 @@
+/* pcy_cache.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "pcy_int.h"
+
+static int policy_data_cmp(const X509_POLICY_DATA * const *a,
+				const X509_POLICY_DATA * const *b);
+static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
+
+/* Set cache entry according to CertificatePolicies extension.
+ * Note: this destroys the passed CERTIFICATEPOLICIES structure.
+ */
+
+static int policy_cache_create(X509 *x,
+			CERTIFICATEPOLICIES *policies, int crit)
+	{
+	int i;
+	int ret = 0;
+	X509_POLICY_CACHE *cache = x->policy_cache;
+	X509_POLICY_DATA *data = NULL;
+	POLICYINFO *policy;
+	if (sk_POLICYINFO_num(policies) == 0)
+		goto bad_policy;
+	cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
+	if (!cache->data)
+		goto bad_policy;
+	for (i = 0; i < sk_POLICYINFO_num(policies); i++)
+		{
+		policy = sk_POLICYINFO_value(policies, i);
+		data = policy_data_new(policy, NULL, crit);
+		if (!data)
+			goto bad_policy;
+		/* Duplicate policy OIDs are illegal: reject if matches
+		 * found.
+		 */
+		if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)
+			{
+			if (cache->anyPolicy)
+				{
+				ret = -1;
+				goto bad_policy;
+				}
+			cache->anyPolicy = data;
+			}
+		else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1)
+			{
+			ret = -1;
+			goto bad_policy;
+			}
+		else if (!sk_X509_POLICY_DATA_push(cache->data, data))
+			goto bad_policy;
+		data = NULL;
+		}
+	ret = 1;
+	bad_policy:
+	if (ret == -1)
+		x->ex_flags |= EXFLAG_INVALID_POLICY;
+	if (data)
+		policy_data_free(data);
+	sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
+	if (ret <= 0)
+		{
+		sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
+		cache->data = NULL;
+		}
+	return ret;
+	}
+
+	
+static int policy_cache_new(X509 *x)
+	{
+	X509_POLICY_CACHE *cache;
+	ASN1_INTEGER *ext_any = NULL;
+	POLICY_CONSTRAINTS *ext_pcons = NULL;
+	CERTIFICATEPOLICIES *ext_cpols = NULL;
+	POLICY_MAPPINGS *ext_pmaps = NULL;
+	int i;
+	cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
+	if (!cache)
+		return 0;
+	cache->anyPolicy = NULL;
+	cache->data = NULL;
+	cache->maps = NULL;
+	cache->any_skip = -1;
+	cache->explicit_skip = -1;
+	cache->map_skip = -1;
+
+	x->policy_cache = cache;
+
+	/* Handle requireExplicitPolicy *first*. Need to process this
+	 * even if we don't have any policies.
+	 */
+	ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
+
+	if (!ext_pcons)
+		{
+		if (i != -1)
+			goto bad_cache;
+		}
+	else
+		{
+		if (!ext_pcons->requireExplicitPolicy
+			&& !ext_pcons->inhibitPolicyMapping)
+			goto bad_cache;
+		if (!policy_cache_set_int(&cache->explicit_skip,
+			ext_pcons->requireExplicitPolicy))
+			goto bad_cache;
+		if (!policy_cache_set_int(&cache->map_skip,
+			ext_pcons->inhibitPolicyMapping))
+			goto bad_cache;
+		}
+
+	/* Process CertificatePolicies */
+
+	ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
+	/* If no CertificatePolicies extension or problem decoding then
+	 * there is no point continuing because the valid policies will be
+	 * NULL.
+	 */
+	if (!ext_cpols)
+		{
+		/* If not absent some problem with extension */
+		if (i != -1)
+			goto bad_cache;
+		return 1;
+		}
+
+	i = policy_cache_create(x, ext_cpols, i);
+
+	/* NB: ext_cpols freed by policy_cache_set_policies */
+
+	if (i <= 0)
+		return i;
+
+	ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
+
+	if (!ext_pmaps)
+		{
+		/* If not absent some problem with extension */
+		if (i != -1)
+			goto bad_cache;
+		}
+	else
+		{
+		i = policy_cache_set_mapping(x, ext_pmaps);
+		if (i <= 0)
+			goto bad_cache;
+		}
+
+	ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
+
+	if (!ext_any)
+		{
+		if (i != -1)
+			goto bad_cache;
+		}
+	else if (!policy_cache_set_int(&cache->any_skip, ext_any))
+			goto bad_cache;
+
+	if (0)
+		{
+		bad_cache:
+		x->ex_flags |= EXFLAG_INVALID_POLICY;
+		}
+
+	if(ext_pcons)
+		POLICY_CONSTRAINTS_free(ext_pcons);
+
+	if (ext_any)
+		ASN1_INTEGER_free(ext_any);
+
+	return 1;
+
+	
+}
+
+void policy_cache_free(X509_POLICY_CACHE *cache)
+	{
+	if (!cache)
+		return;
+	if (cache->anyPolicy)
+		policy_data_free(cache->anyPolicy);
+	if (cache->data)
+		sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
+	OPENSSL_free(cache);
+	}
+
+const X509_POLICY_CACHE *policy_cache_set(X509 *x)
+	{
+
+	if (x->policy_cache == NULL)
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_X509);
+			policy_cache_new(x);
+		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+		}
+
+	return x->policy_cache;
+
+	}
+
+X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
+						const ASN1_OBJECT *id)
+	{
+	int idx;
+	X509_POLICY_DATA tmp;
+	tmp.valid_policy = (ASN1_OBJECT *)id;
+	idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
+	if (idx == -1)
+		return NULL;
+	return sk_X509_POLICY_DATA_value(cache->data, idx);
+	}
+
+static int policy_data_cmp(const X509_POLICY_DATA * const *a,
+				const X509_POLICY_DATA * const *b)
+	{
+	return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
+	}
+
+static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
+	{
+	if (value == NULL)
+		return 1;
+	if (value->type == V_ASN1_NEG_INTEGER)
+		return 0;
+	*out = ASN1_INTEGER_get(value);
+	return 1;
+	}
diff --git a/crypto/openssl/crypto/x509v3/pcy_data.c b/crypto/openssl/crypto/x509v3/pcy_data.c
new file mode 100644
index 000000000000..614d2b493550
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/pcy_data.c
@@ -0,0 +1,123 @@
+/* pcy_data.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "pcy_int.h"
+
+/* Policy Node routines */
+
+void policy_data_free(X509_POLICY_DATA *data)
+	{
+	ASN1_OBJECT_free(data->valid_policy);
+	/* Don't free qualifiers if shared */
+	if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
+		sk_POLICYQUALINFO_pop_free(data->qualifier_set,
+					POLICYQUALINFO_free);
+	sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free);
+	OPENSSL_free(data);
+	}
+
+/* Create a data based on an existing policy. If 'id' is NULL use the
+ * oid in the policy, otherwise use 'id'. This behaviour covers the two
+ * types of data in RFC3280: data with from a CertificatePolcies extension
+ * and additional data with just the qualifiers of anyPolicy and ID from
+ * another source.
+ */
+
+X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
+	{
+	X509_POLICY_DATA *ret;
+	if (!policy && !id)
+		return NULL;
+	ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
+	if (!ret)
+		return NULL;
+	ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
+	if (!ret->expected_policy_set)
+		{
+		OPENSSL_free(ret);
+		return NULL;
+		}
+
+	if (crit)
+		ret->flags = POLICY_DATA_FLAG_CRITICAL;
+	else
+		ret->flags = 0;
+
+	if (id)
+		ret->valid_policy = id;
+	else
+		{
+		ret->valid_policy = policy->policyid;
+		policy->policyid = NULL;
+		}
+
+	if (policy)
+		{
+		ret->qualifier_set = policy->qualifiers;
+		policy->qualifiers = NULL;
+		}
+	else
+		ret->qualifier_set = NULL;
+
+	return ret;
+	}
+
diff --git a/crypto/openssl/crypto/x509v3/pcy_int.h b/crypto/openssl/crypto/x509v3/pcy_int.h
new file mode 100644
index 000000000000..ba62a209dad8
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/pcy_int.h
@@ -0,0 +1,223 @@
+/* pcy_int.h */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+DECLARE_STACK_OF(X509_POLICY_DATA)
+DECLARE_STACK_OF(X509_POLICY_REF)
+DECLARE_STACK_OF(X509_POLICY_NODE)
+
+typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
+typedef struct X509_POLICY_REF_st X509_POLICY_REF;
+
+/* Internal structures */
+
+/* This structure and the field names correspond to the Policy 'node' of
+ * RFC3280. NB this structure contains no pointers to parent or child
+ * data: X509_POLICY_NODE contains that. This means that the main policy data
+ * can be kept static and cached with the certificate.
+ */
+
+struct X509_POLICY_DATA_st
+	{
+	unsigned int flags;
+	/* Policy OID and qualifiers for this data */
+	ASN1_OBJECT *valid_policy;
+	STACK_OF(POLICYQUALINFO) *qualifier_set;
+	STACK_OF(ASN1_OBJECT) *expected_policy_set;
+	};
+
+/* X509_POLICY_DATA flags values */
+
+/* This flag indicates the structure has been mapped using a policy mapping
+ * extension. If policy mapping is not active its references get deleted. 
+ */
+
+#define POLICY_DATA_FLAG_MAPPED			0x1
+
+/* This flag indicates the data doesn't correspond to a policy in Certificate
+ * Policies: it has been mapped to any policy.
+ */
+
+#define POLICY_DATA_FLAG_MAPPED_ANY		0x2
+
+/* AND with flags to see if any mapping has occurred */
+
+#define POLICY_DATA_FLAG_MAP_MASK		0x3
+
+/* qualifiers are shared and shouldn't be freed */
+
+#define POLICY_DATA_FLAG_SHARED_QUALIFIERS	0x4
+
+/* Parent node is an extra node and should be freed */
+
+#define POLICY_DATA_FLAG_EXTRA_NODE		0x8
+
+/* Corresponding CertificatePolicies is critical */
+
+#define POLICY_DATA_FLAG_CRITICAL		0x10
+
+/* This structure is an entry from a table of mapped policies which
+ * cross reference the policy it refers to.
+ */
+
+struct X509_POLICY_REF_st
+	{
+	ASN1_OBJECT *subjectDomainPolicy;
+	const X509_POLICY_DATA *data;
+	};
+
+/* This structure is cached with a certificate */
+
+struct X509_POLICY_CACHE_st {
+	/* anyPolicy data or NULL if no anyPolicy */
+	X509_POLICY_DATA *anyPolicy;
+	/* other policy data */
+	STACK_OF(X509_POLICY_DATA) *data;
+	/* If policyMappings extension present a table of mapped policies */
+	STACK_OF(X509_POLICY_REF) *maps;
+	/* If InhibitAnyPolicy present this is its value or -1 if absent. */
+	long any_skip;
+	/* If policyConstraints and requireExplicitPolicy present this is its
+	 * value or -1 if absent.
+	 */
+	long explicit_skip;
+	/* If policyConstraints and policyMapping present this is its
+	 * value or -1 if absent.
+         */
+	long map_skip;
+	};
+
+/*#define POLICY_CACHE_FLAG_CRITICAL		POLICY_DATA_FLAG_CRITICAL*/
+
+/* This structure represents the relationship between nodes */
+
+struct X509_POLICY_NODE_st
+	{
+	/* node data this refers to */
+	const X509_POLICY_DATA *data;
+	/* Parent node */
+	X509_POLICY_NODE *parent;
+	/* Number of child nodes */
+	int nchild;
+	};
+
+struct X509_POLICY_LEVEL_st
+	{
+	/* Cert for this level */
+	X509 *cert;
+	/* nodes at this level */
+	STACK_OF(X509_POLICY_NODE) *nodes;
+	/* anyPolicy node */
+	X509_POLICY_NODE *anyPolicy;
+	/* Extra data */
+	/*STACK_OF(X509_POLICY_DATA) *extra_data;*/
+	unsigned int flags;
+	};
+
+struct X509_POLICY_TREE_st
+	{
+	/* This is the tree 'level' data */
+	X509_POLICY_LEVEL *levels;
+	int nlevel;
+	/* Extra policy data when additional nodes (not from the certificate)
+	 * are required.
+	 */
+	STACK_OF(X509_POLICY_DATA) *extra_data;
+	/* This is the authority constained policy set */
+	STACK_OF(X509_POLICY_NODE) *auth_policies;
+	STACK_OF(X509_POLICY_NODE) *user_policies;
+	unsigned int flags;
+	};
+
+/* Set if anyPolicy present in user policies */
+#define POLICY_FLAG_ANY_POLICY		0x2
+
+/* Useful macros */
+
+#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL)
+#define node_critical(node) node_data_critical(node->data)
+
+/* Internal functions */
+
+X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id,
+								int crit);
+void policy_data_free(X509_POLICY_DATA *data);
+
+X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
+							const ASN1_OBJECT *id);
+int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps);
+
+
+STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void);
+
+void policy_cache_init(void);
+
+void policy_cache_free(X509_POLICY_CACHE *cache);
+
+X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
+					const ASN1_OBJECT *id);
+
+X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
+						const ASN1_OBJECT *id);
+
+X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+			X509_POLICY_DATA *data,
+			X509_POLICY_NODE *parent,
+			X509_POLICY_TREE *tree);
+void policy_node_free(X509_POLICY_NODE *node);
+
+const X509_POLICY_CACHE *policy_cache_set(X509 *x);
diff --git a/crypto/openssl/crypto/x509v3/pcy_lib.c b/crypto/openssl/crypto/x509v3/pcy_lib.c
new file mode 100644
index 000000000000..dae4840bc5d4
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/pcy_lib.c
@@ -0,0 +1,167 @@
+/* pcy_lib.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "pcy_int.h"
+
+/* accessor functions */
+
+/* X509_POLICY_TREE stuff */
+
+int X509_policy_tree_level_count(const X509_POLICY_TREE *tree)
+	{
+	if (!tree)
+		return 0;
+	return tree->nlevel;
+	}
+
+X509_POLICY_LEVEL *
+	X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i)
+	{
+	if (!tree || (i < 0) || (i >= tree->nlevel))
+		return NULL;
+	return tree->levels + i;
+	}
+
+STACK_OF(X509_POLICY_NODE) *
+		X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree)
+	{
+	if (!tree)
+		return NULL;
+	return tree->auth_policies;
+	}
+
+STACK_OF(X509_POLICY_NODE) *
+	X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree)
+	{
+	if (!tree)
+		return NULL;
+	if (tree->flags & POLICY_FLAG_ANY_POLICY)
+		return tree->auth_policies;
+	else
+		return tree->user_policies;
+	}
+
+/* X509_POLICY_LEVEL stuff */
+
+int X509_policy_level_node_count(X509_POLICY_LEVEL *level)
+	{
+	int n;
+	if (!level)
+		return 0;
+	if (level->anyPolicy)
+		n = 1;
+	else
+		n = 0;
+	if (level->nodes)
+		n += sk_X509_POLICY_NODE_num(level->nodes);
+	return n;
+	}
+
+X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
+	{
+	if (!level)
+		return NULL;
+	if (level->anyPolicy)
+		{
+		if (i == 0)
+			return level->anyPolicy;
+		i--;
+		}
+	return sk_X509_POLICY_NODE_value(level->nodes, i);
+	}
+
+/* X509_POLICY_NODE stuff */
+
+const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
+	{
+	if (!node)
+		return NULL;
+	return node->data->valid_policy;
+	}
+
+#if 0
+int X509_policy_node_get_critical(const X509_POLICY_NODE *node)
+	{
+	if (node_critical(node))
+		return 1;
+	return 0;
+	}
+#endif
+
+STACK_OF(POLICYQUALINFO) *
+		X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node)
+	{
+	if (!node)
+		return NULL;
+	return node->data->qualifier_set;
+	}
+
+const X509_POLICY_NODE *
+		X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
+	{
+	if (!node)
+		return NULL;
+	return node->parent;
+	}
+
+
diff --git a/crypto/openssl/crypto/x509v3/pcy_map.c b/crypto/openssl/crypto/x509v3/pcy_map.c
new file mode 100644
index 000000000000..35221e8ba82b
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/pcy_map.c
@@ -0,0 +1,186 @@
+/* pcy_map.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "pcy_int.h"
+
+static int ref_cmp(const X509_POLICY_REF * const *a,
+			const X509_POLICY_REF * const *b)
+	{
+	return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy);
+	}
+
+static void policy_map_free(X509_POLICY_REF *map)
+	{
+	if (map->subjectDomainPolicy)
+		ASN1_OBJECT_free(map->subjectDomainPolicy);
+	OPENSSL_free(map);
+	}
+
+static X509_POLICY_REF *policy_map_find(X509_POLICY_CACHE *cache, ASN1_OBJECT *id)
+	{
+	X509_POLICY_REF tmp;
+	int idx;
+	tmp.subjectDomainPolicy = id;
+
+	idx = sk_X509_POLICY_REF_find(cache->maps, &tmp);
+	if (idx == -1)
+		return NULL;
+	return sk_X509_POLICY_REF_value(cache->maps, idx);
+	}
+
+/* Set policy mapping entries in cache.
+ * Note: this modifies the passed POLICY_MAPPINGS structure
+ */
+
+int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
+	{
+	POLICY_MAPPING *map;
+	X509_POLICY_REF *ref = NULL;
+	X509_POLICY_DATA *data;
+	X509_POLICY_CACHE *cache = x->policy_cache;
+	int i;
+	int ret = 0;
+	if (sk_POLICY_MAPPING_num(maps) == 0)
+		{
+		ret = -1;
+		goto bad_mapping;
+		}
+	cache->maps = sk_X509_POLICY_REF_new(ref_cmp);
+	for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++)
+		{
+		map = sk_POLICY_MAPPING_value(maps, i);
+		/* Reject if map to or from anyPolicy */
+		if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy)
+		   || (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy))
+			{
+			ret = -1;
+			goto bad_mapping;
+			}
+
+		/* If we've already mapped from this OID bad mapping */
+		if (policy_map_find(cache, map->subjectDomainPolicy) != NULL)
+			{
+			ret = -1;
+			goto bad_mapping;
+			}
+
+		/* Attempt to find matching policy data */
+		data = policy_cache_find_data(cache, map->issuerDomainPolicy);
+		/* If we don't have anyPolicy can't map */
+		if (!data && !cache->anyPolicy)
+			continue;
+
+		/* Create a NODE from anyPolicy */
+		if (!data)
+			{
+			data = policy_data_new(NULL, map->issuerDomainPolicy,
+					cache->anyPolicy->flags
+						& POLICY_DATA_FLAG_CRITICAL);
+			if (!data)
+				goto bad_mapping;
+			data->qualifier_set = cache->anyPolicy->qualifier_set;
+			map->issuerDomainPolicy = NULL;
+			data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
+			data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+			if (!sk_X509_POLICY_DATA_push(cache->data, data))
+				{
+				policy_data_free(data);
+				goto bad_mapping;
+				}
+			}
+		else
+			data->flags |= POLICY_DATA_FLAG_MAPPED;
+
+		if (!sk_ASN1_OBJECT_push(data->expected_policy_set, 
+						map->subjectDomainPolicy))
+			goto bad_mapping;
+		
+		ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
+		if (!ref)
+			goto bad_mapping;
+
+		ref->subjectDomainPolicy = map->subjectDomainPolicy;
+		map->subjectDomainPolicy = NULL;
+		ref->data = data;
+
+		if (!sk_X509_POLICY_REF_push(cache->maps, ref))
+			goto bad_mapping;
+
+		ref = NULL;
+
+		}
+
+	ret = 1;
+	bad_mapping:
+	if (ret == -1)
+		x->ex_flags |= EXFLAG_INVALID_POLICY;
+	if (ref)
+		policy_map_free(ref);
+	if (ret <= 0)
+		{
+		sk_X509_POLICY_REF_pop_free(cache->maps, policy_map_free);
+		cache->maps = NULL;
+		}
+	sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
+	return ret;
+
+	}
diff --git a/crypto/openssl/crypto/x509v3/pcy_node.c b/crypto/openssl/crypto/x509v3/pcy_node.c
new file mode 100644
index 000000000000..dcc1554e2992
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/pcy_node.c
@@ -0,0 +1,158 @@
+/* pcy_node.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "pcy_int.h"
+
+static int node_cmp(const X509_POLICY_NODE * const *a,
+			const X509_POLICY_NODE * const *b)
+	{
+	return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
+	}
+
+STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void)
+	{
+	return sk_X509_POLICY_NODE_new(node_cmp);
+	}
+
+X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes,
+					const ASN1_OBJECT *id)
+	{
+	X509_POLICY_DATA n;
+	X509_POLICY_NODE l;
+	int idx;
+
+	n.valid_policy = (ASN1_OBJECT *)id;
+	l.data = &n;
+
+	idx = sk_X509_POLICY_NODE_find(nodes, &l);
+	if (idx == -1)
+		return NULL;
+
+	return sk_X509_POLICY_NODE_value(nodes, idx);
+
+	}
+
+X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
+					const ASN1_OBJECT *id)
+	{
+	return tree_find_sk(level->nodes, id);
+	}
+
+X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+			X509_POLICY_DATA *data,
+			X509_POLICY_NODE *parent,
+			X509_POLICY_TREE *tree)
+	{
+	X509_POLICY_NODE *node;
+	node = OPENSSL_malloc(sizeof(X509_POLICY_NODE));
+	if (!node)
+		return NULL;
+	node->data = data;
+	node->parent = parent;
+	node->nchild = 0;
+	if (level)
+		{
+		if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)
+			{
+			if (level->anyPolicy)
+				goto node_error;
+			level->anyPolicy = node;
+			}
+		else
+			{
+
+			if (!level->nodes)
+				level->nodes = policy_node_cmp_new();
+			if (!level->nodes)
+				goto node_error;
+			if (!sk_X509_POLICY_NODE_push(level->nodes, node))
+				goto node_error;
+			}
+		}
+
+	if (tree)
+		{
+		if (!tree->extra_data)
+			 tree->extra_data = sk_X509_POLICY_DATA_new_null();
+		if (!tree->extra_data)
+			goto node_error;
+		if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
+			goto node_error;
+		}
+
+	if (parent)
+		parent->nchild++;
+
+	return node;
+
+	node_error:
+	policy_node_free(node);
+	return 0;
+
+	}
+
+void policy_node_free(X509_POLICY_NODE *node)
+	{
+	OPENSSL_free(node);
+	}
+
+
diff --git a/crypto/openssl/crypto/x509v3/pcy_tree.c b/crypto/openssl/crypto/x509v3/pcy_tree.c
new file mode 100644
index 000000000000..1c68ce3352cc
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/pcy_tree.c
@@ -0,0 +1,682 @@
+/* pcy_tree.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "pcy_int.h"
+
+/* Initialize policy tree. Return values:
+ *  0 Some internal error occured.
+ * -1 Inconsistent or invalid extensions in certificates.
+ *  1 Tree initialized OK.
+ *  2 Policy tree is empty.
+ *  5 Tree OK and requireExplicitPolicy true.
+ *  6 Tree empty and requireExplicitPolicy true.
+ */
+
+static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+			unsigned int flags)
+	{
+	X509_POLICY_TREE *tree;
+	X509_POLICY_LEVEL *level;
+	const X509_POLICY_CACHE *cache;
+	X509_POLICY_DATA *data = NULL;
+	X509 *x;
+	int ret = 1;
+	int i, n;
+	int explicit_policy;
+	int any_skip;
+	int map_skip;
+	*ptree = NULL;
+	n = sk_X509_num(certs);
+
+	/* Disable policy mapping for now... */
+	flags |= X509_V_FLAG_INHIBIT_MAP;
+
+	if (flags & X509_V_FLAG_EXPLICIT_POLICY)
+		explicit_policy = 0;
+	else
+		explicit_policy = n + 1;
+
+	if (flags & X509_V_FLAG_INHIBIT_ANY)
+		any_skip = 0;
+	else
+		any_skip = n + 1;
+
+	if (flags & X509_V_FLAG_INHIBIT_MAP)
+		map_skip = 0;
+	else
+		map_skip = n + 1;
+
+	/* Can't do anything with just a trust anchor */
+	if (n == 1)
+		return 1;
+	/* First setup policy cache in all certificates apart from the
+	 * trust anchor. Note any bad cache results on the way. Also can
+	 * calculate explicit_policy value at this point.
+	 */
+	for (i = n - 2; i >= 0; i--)
+		{
+		x = sk_X509_value(certs, i);
+		X509_check_purpose(x, -1, -1);
+		cache = policy_cache_set(x);
+		/* If cache NULL something bad happened: return immediately */
+		if (cache == NULL)
+			return 0;
+		/* If inconsistent extensions keep a note of it but continue */
+		if (x->ex_flags & EXFLAG_INVALID_POLICY)
+			ret = -1;
+		/* Otherwise if we have no data (hence no CertificatePolicies)
+		 * and haven't already set an inconsistent code note it.
+		 */
+		else if ((ret == 1) && !cache->data)
+			ret = 2;
+		if (explicit_policy > 0)
+			{
+			explicit_policy--;
+			if (!(x->ex_flags & EXFLAG_SS)
+				&& (cache->explicit_skip != -1)
+				&& (cache->explicit_skip < explicit_policy))
+				explicit_policy = cache->explicit_skip;
+			}
+		}
+
+	if (ret != 1)
+		{
+		if (ret == 2 && !explicit_policy)
+			return 6;
+		return ret;
+		}
+
+
+	/* If we get this far initialize the tree */
+
+	tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE));
+
+	if (!tree)
+		return 0;
+
+	tree->flags = 0;
+	tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n);
+	tree->nlevel = 0;
+	tree->extra_data = NULL;
+	tree->auth_policies = NULL;
+	tree->user_policies = NULL;
+
+	if (!tree)
+		{
+		OPENSSL_free(tree);
+		return 0;
+		}
+
+	memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL));
+
+	tree->nlevel = n;
+
+	level = tree->levels;
+
+	/* Root data: initialize to anyPolicy */
+
+	data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
+
+	if (!data || !level_add_node(level, data, NULL, tree))
+		goto bad_tree;
+
+	for (i = n - 2; i >= 0; i--)
+		{
+		level++;
+		x = sk_X509_value(certs, i);
+		cache = policy_cache_set(x);
+
+		CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+		level->cert = x;
+
+		if (!cache->anyPolicy)
+				level->flags |= X509_V_FLAG_INHIBIT_ANY;
+
+		/* Determine inhibit any and inhibit map flags */
+		if (any_skip == 0)
+			{
+			/* Any matching allowed if certificate is self
+			 * issued and not the last in the chain.
+			 */
+			if (!(x->ex_flags && EXFLAG_SS) || (i == 0))
+				level->flags |= X509_V_FLAG_INHIBIT_ANY;
+			}
+		else
+			{
+			any_skip--;
+			if ((cache->any_skip > 0)
+				&& (cache->any_skip < any_skip))
+				any_skip = cache->any_skip;
+			}
+
+		if (map_skip == 0)
+			level->flags |= X509_V_FLAG_INHIBIT_MAP;
+		else
+			{
+			map_skip--;
+			if ((cache->map_skip > 0)
+				&& (cache->map_skip < map_skip))
+				map_skip = cache->map_skip;
+			}
+
+
+		}
+
+	*ptree = tree;
+
+	if (explicit_policy)
+		return 1;
+	else
+		return 5;
+
+	bad_tree:
+
+	X509_policy_tree_free(tree);
+
+	return 0;
+
+	}
+
+/* This corresponds to RFC3280 XXXX XXXXX:
+ * link any data from CertificatePolicies onto matching parent
+ * or anyPolicy if no match.
+ */
+
+static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+				const X509_POLICY_CACHE *cache)
+	{
+	int i;
+	X509_POLICY_LEVEL *last;
+	X509_POLICY_DATA *data;
+	X509_POLICY_NODE *parent;
+	last = curr - 1;
+	for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++)
+		{
+		data = sk_X509_POLICY_DATA_value(cache->data, i);
+		/* If a node is mapped any it doesn't have a corresponding
+		 * CertificatePolicies entry. 
+		 * However such an identical node would be created
+		 * if anyPolicy matching is enabled because there would be
+		 * no match with the parent valid_policy_set. So we create
+		 * link because then it will have the mapping flags
+		 * right and we can prune it later.
+		 */
+		if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
+			&& !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
+			continue;
+		/* Look for matching node in parent */
+		parent = level_find_node(last, data->valid_policy);
+		/* If no match link to anyPolicy */
+		if (!parent)
+			parent = last->anyPolicy;
+		if (parent && !level_add_node(curr, data, parent, NULL))
+				return 0;
+		}
+	return 1;
+	}
+
+/* This corresponds to RFC3280 XXXX XXXXX:
+ * Create new data for any unmatched policies in the parent and link
+ * to anyPolicy.
+ */
+
+static int tree_link_any(X509_POLICY_LEVEL *curr,
+			const X509_POLICY_CACHE *cache,
+			X509_POLICY_TREE *tree)
+	{
+	int i;
+	X509_POLICY_DATA *data;
+	X509_POLICY_NODE *node;
+	X509_POLICY_LEVEL *last;
+
+	last = curr - 1;
+
+	for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
+		{
+		node = sk_X509_POLICY_NODE_value(last->nodes, i);
+
+		/* Skip any node with any children: we only want unmathced
+		 * nodes.
+		 *
+		 * Note: need something better for policy mapping
+		 * because each node may have multiple children 
+		 */
+		if (node->nchild)
+			continue;
+		/* Create a new node with qualifiers from anyPolicy and
+		 * id from unmatched node.
+		 */
+		data = policy_data_new(NULL, node->data->valid_policy, 
+						node_critical(node));
+
+		if (data == NULL)
+			return 0;
+		data->qualifier_set = curr->anyPolicy->data->qualifier_set;
+		data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+		if (!level_add_node(curr, data, node, tree))
+			{
+			policy_data_free(data);
+			return 0;
+			}
+		}
+	/* Finally add link to anyPolicy */
+	if (last->anyPolicy)
+		{
+		if (!level_add_node(curr, cache->anyPolicy,
+						last->anyPolicy, NULL))
+			return 0;
+		}
+	return 1;
+	}
+
+/* Prune the tree: delete any child mapped child data on the current level
+ * then proceed up the tree deleting any data with no children. If we ever
+ * have no data on a level we can halt because the tree will be empty.
+ */
+
+static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
+	{
+	X509_POLICY_NODE *node;
+	int i;
+	for (i = sk_X509_POLICY_NODE_num(curr->nodes) - 1; i >= 0; i--)
+		{
+		node = sk_X509_POLICY_NODE_value(curr->nodes, i);
+		/* Delete any mapped data: see RFC3280 XXXX */
+		if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK)
+			{
+			node->parent->nchild--;
+			OPENSSL_free(node);
+			sk_X509_POLICY_NODE_delete(curr->nodes, i);
+			}
+		}
+
+	for(;;)	{
+		--curr;
+		for (i = sk_X509_POLICY_NODE_num(curr->nodes) - 1; i >= 0; i--)
+			{
+			node = sk_X509_POLICY_NODE_value(curr->nodes, i);
+			if (node->nchild == 0)
+				{
+				node->parent->nchild--;
+				OPENSSL_free(node);
+				sk_X509_POLICY_NODE_delete(curr->nodes, i);
+				}
+			}
+		if (curr->anyPolicy && !curr->anyPolicy->nchild)
+			{
+			if (curr->anyPolicy->parent)
+				curr->anyPolicy->parent->nchild--;
+			OPENSSL_free(curr->anyPolicy);
+			curr->anyPolicy = NULL;
+			}
+		if (curr == tree->levels)
+			{
+			/* If we zapped anyPolicy at top then tree is empty */
+			if (!curr->anyPolicy)
+					return 2;
+			return 1;
+			}
+		}
+
+	return 1;
+
+	}
+
+static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
+						 X509_POLICY_NODE *pcy)
+	{
+	if (!*pnodes)
+		{
+		*pnodes = policy_node_cmp_new();
+		if (!*pnodes)
+			return 0;
+		}
+	else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
+		return 1;
+
+	if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
+		return 0;
+
+	return 1;
+
+	}
+
+/* Calculate the authority set based on policy tree.
+ * The 'pnodes' parameter is used as a store for the set of policy nodes
+ * used to calculate the user set. If the authority set is not anyPolicy
+ * then pnodes will just point to the authority set. If however the authority
+ * set is anyPolicy then the set of valid policies (other than anyPolicy)
+ * is store in pnodes. The return value of '2' is used in this case to indicate
+ * that pnodes should be freed.
+ */
+
+static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
+					STACK_OF(X509_POLICY_NODE) **pnodes)
+	{
+	X509_POLICY_LEVEL *curr;
+	X509_POLICY_NODE *node, *anyptr;
+	STACK_OF(X509_POLICY_NODE) **addnodes;
+	int i, j;
+	curr = tree->levels + tree->nlevel - 1;
+
+	/* If last level contains anyPolicy set is anyPolicy */
+	if (curr->anyPolicy)
+		{
+		if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
+			return 0;
+		addnodes = pnodes;
+		}
+	else
+		/* Add policies to authority set */
+		addnodes = &tree->auth_policies;
+
+	curr = tree->levels;
+	for (i = 1; i < tree->nlevel; i++)
+		{
+		/* If no anyPolicy node on this this level it can't
+		 * appear on lower levels so end search.
+		 */
+		if (!(anyptr = curr->anyPolicy))
+			break;
+		curr++;
+		for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++)
+			{
+			node = sk_X509_POLICY_NODE_value(curr->nodes, j);
+			if ((node->parent == anyptr)
+				&& !tree_add_auth_node(addnodes, node))
+					return 0;
+			}
+		}
+
+	if (addnodes == pnodes)
+		return 2;
+
+	*pnodes = tree->auth_policies;
+
+	return 1;
+	}
+
+static int tree_calculate_user_set(X509_POLICY_TREE *tree,
+				STACK_OF(ASN1_OBJECT) *policy_oids,
+				STACK_OF(X509_POLICY_NODE) *auth_nodes)
+	{
+	int i;
+	X509_POLICY_NODE *node;
+	ASN1_OBJECT *oid;
+
+	X509_POLICY_NODE *anyPolicy;
+	X509_POLICY_DATA *extra;
+
+	/* Check if anyPolicy present in authority constrained policy set:
+	 * this will happen if it is a leaf node.
+	 */
+
+	if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
+		return 1;
+
+	anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
+
+	for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
+		{
+		oid = sk_ASN1_OBJECT_value(policy_oids, i);
+		if (OBJ_obj2nid(oid) == NID_any_policy)
+			{
+			tree->flags |= POLICY_FLAG_ANY_POLICY;
+			return 1;
+			}
+		}
+
+	for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
+		{
+		oid = sk_ASN1_OBJECT_value(policy_oids, i);
+		node = tree_find_sk(auth_nodes, oid);
+		if (!node)
+			{
+			if (!anyPolicy)
+				continue;
+			/* Create a new node with policy ID from user set
+			 * and qualifiers from anyPolicy.
+			 */
+			extra = policy_data_new(NULL, oid,
+						node_critical(anyPolicy));
+			if (!extra)
+				return 0;
+			extra->qualifier_set = anyPolicy->data->qualifier_set;
+			extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
+						| POLICY_DATA_FLAG_EXTRA_NODE;
+			node = level_add_node(NULL, extra, anyPolicy->parent,
+						tree);
+			}
+		if (!tree->user_policies)
+			{
+			tree->user_policies = sk_X509_POLICY_NODE_new_null();
+			if (!tree->user_policies)
+				return 1;
+			}
+		if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
+			return 0;
+		}
+	return 1;
+
+	}
+
+static int tree_evaluate(X509_POLICY_TREE *tree)
+	{
+	int ret, i;
+	X509_POLICY_LEVEL *curr = tree->levels + 1;
+	const X509_POLICY_CACHE *cache;
+
+	for(i = 1; i < tree->nlevel; i++, curr++)
+		{
+		cache = policy_cache_set(curr->cert);
+		if (!tree_link_nodes(curr, cache))
+			return 0;
+
+		if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
+			&& !tree_link_any(curr, cache, tree))
+			return 0;
+		ret = tree_prune(tree, curr);
+		if (ret != 1)
+			return ret;
+		}
+
+	return 1;
+
+	}
+
+static void exnode_free(X509_POLICY_NODE *node)
+	{
+	if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
+		OPENSSL_free(node);
+	}
+
+
+void X509_policy_tree_free(X509_POLICY_TREE *tree)
+	{
+	X509_POLICY_LEVEL *curr;
+	int i;
+
+	if (!tree)
+		return;
+
+	sk_X509_POLICY_NODE_free(tree->auth_policies);
+	sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
+
+	for(i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++)
+		{
+		if (curr->cert)
+			X509_free(curr->cert);
+		if (curr->nodes)
+			sk_X509_POLICY_NODE_pop_free(curr->nodes,
+						policy_node_free);
+		if (curr->anyPolicy)
+			policy_node_free(curr->anyPolicy);
+		}
+
+	if (tree->extra_data)
+		sk_X509_POLICY_DATA_pop_free(tree->extra_data,
+						policy_data_free);
+
+	OPENSSL_free(tree->levels);
+	OPENSSL_free(tree);
+
+	}
+
+/* Application policy checking function.
+ * Return codes:
+ *  0 	Internal Error.
+ *  1   Successful.
+ * -1   One or more certificates contain invalid or inconsistent extensions
+ * -2	User constrained policy set empty and requireExplicit true.
+ */
+
+int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
+			STACK_OF(X509) *certs,
+			STACK_OF(ASN1_OBJECT) *policy_oids,
+			unsigned int flags)
+	{
+	int ret;
+	X509_POLICY_TREE *tree = NULL;
+	STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
+	*ptree = NULL;
+
+	*pexplicit_policy = 0;
+	ret = tree_init(&tree, certs, flags);
+
+
+	switch (ret)
+		{
+
+		/* Tree empty requireExplicit False: OK */
+		case 2:
+		return 1;
+
+		/* Some internal error */
+		case 0:
+		return 0;
+
+		/* Tree empty requireExplicit True: Error */
+
+		case 6:
+		*pexplicit_policy = 1;
+		return -2;
+
+		/* Tree OK requireExplicit True: OK and continue */
+		case 5:
+		*pexplicit_policy = 1;
+		break;
+
+		/* Tree OK: continue */
+
+		case 1:
+		break;
+		}
+
+	if (!tree) goto error;
+	ret = tree_evaluate(tree);
+
+	if (ret <= 0)
+		goto error;
+
+	/* Return value 2 means tree empty */
+	if (ret == 2)
+		{
+		X509_policy_tree_free(tree);
+		if (*pexplicit_policy)
+			return -2;
+		else
+			return 1;
+		}
+
+	/* Tree is not empty: continue */
+
+	ret = tree_calculate_authority_set(tree, &auth_nodes);
+
+	if (!ret)
+		goto error;
+
+	if (!tree_calculate_user_set(tree, policy_oids, auth_nodes))
+		goto error;
+	
+	if (ret == 2)
+		sk_X509_POLICY_NODE_free(auth_nodes);
+
+	if (tree)
+		*ptree = tree;
+
+	if (*pexplicit_policy)
+		{
+		nodes = X509_policy_tree_get0_user_policies(tree);
+		if (sk_X509_POLICY_NODE_num(nodes) <= 0)
+			return -2;
+		}
+
+	return 1;
+
+	error:
+
+	X509_policy_tree_free(tree);
+
+	return 0;
+
+	}
+
diff --git a/crypto/openssl/crypto/x509v3/v3_akey.c b/crypto/openssl/crypto/x509v3/v3_akey.c
index 97e686f97af9..c481b6f12dc5 100644
--- a/crypto/openssl/crypto/x509v3/v3_akey.c
+++ b/crypto/openssl/crypto/x509v3/v3_akey.c
@@ -68,15 +68,17 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 			X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
 
-X509V3_EXT_METHOD v3_akey_id = {
-NID_authority_key_identifier, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID),
-0,0,0,0,
-0,0,
-(X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
-(X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
-0,0,
-NULL
-};
+X509V3_EXT_METHOD v3_akey_id =
+	{
+	NID_authority_key_identifier,
+	X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID),
+	0,0,0,0,
+	0,0,
+	(X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
+	(X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
+	0,0,
+	NULL
+	};
 
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 	     AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist)
@@ -108,83 +110,99 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 
 static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 	     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
-{
-char keyid=0, issuer=0;
-int i;
-CONF_VALUE *cnf;
-ASN1_OCTET_STRING *ikeyid = NULL;
-X509_NAME *isname = NULL;
-GENERAL_NAMES * gens = NULL;
-GENERAL_NAME *gen = NULL;
-ASN1_INTEGER *serial = NULL;
-X509_EXTENSION *ext;
-X509 *cert;
-AUTHORITY_KEYID *akeyid;
-for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
-	cnf = sk_CONF_VALUE_value(values, i);
-	if(!strcmp(cnf->name, "keyid")) {
-		keyid = 1;
-		if(cnf->value && !strcmp(cnf->value, "always")) keyid = 2;
-	} else if(!strcmp(cnf->name, "issuer")) {
-		issuer = 1;
-		if(cnf->value && !strcmp(cnf->value, "always")) issuer = 2;
-	} else {
-		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION);
-		ERR_add_error_data(2, "name=", cnf->name);
+	{
+	char keyid=0, issuer=0;
+	int i;
+	CONF_VALUE *cnf;
+	ASN1_OCTET_STRING *ikeyid = NULL;
+	X509_NAME *isname = NULL;
+	GENERAL_NAMES * gens = NULL;
+	GENERAL_NAME *gen = NULL;
+	ASN1_INTEGER *serial = NULL;
+	X509_EXTENSION *ext;
+	X509 *cert;
+	AUTHORITY_KEYID *akeyid;
+
+	for(i = 0; i < sk_CONF_VALUE_num(values); i++)
+		{
+		cnf = sk_CONF_VALUE_value(values, i);
+		if(!strcmp(cnf->name, "keyid"))
+			{
+			keyid = 1;
+			if(cnf->value && !strcmp(cnf->value, "always"))
+				keyid = 2;
+			}
+		else if(!strcmp(cnf->name, "issuer"))
+			{
+			issuer = 1;
+			if(cnf->value && !strcmp(cnf->value, "always"))
+				issuer = 2;
+			}
+		else
+			{
+			X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION);
+			ERR_add_error_data(2, "name=", cnf->name);
+			return NULL;
+			}
+		}
+
+	if(!ctx || !ctx->issuer_cert)
+		{
+		if(ctx && (ctx->flags==CTX_TEST))
+			return AUTHORITY_KEYID_new();
+		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
 		return NULL;
-	}
-}
-
-if(!ctx || !ctx->issuer_cert) {
-	if(ctx && (ctx->flags==CTX_TEST)) return AUTHORITY_KEYID_new();
-	X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
+		}
+
+	cert = ctx->issuer_cert;
+
+	if(keyid)
+		{
+		i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
+		if((i >= 0)  && (ext = X509_get_ext(cert, i)))
+			ikeyid = X509V3_EXT_d2i(ext);
+		if(keyid==2 && !ikeyid)
+			{
+			X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
+			return NULL;
+			}
+		}
+
+	if((issuer && !ikeyid) || (issuer == 2))
+		{
+		isname = X509_NAME_dup(X509_get_issuer_name(cert));
+		serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
+		if(!isname || !serial)
+			{
+			X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
+			goto err;
+			}
+		}
+
+	if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
+
+	if(isname)
+		{
+		if(!(gens = sk_GENERAL_NAME_new_null())
+			|| !(gen = GENERAL_NAME_new())
+			|| !sk_GENERAL_NAME_push(gens, gen))
+			{
+			X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		gen->type = GEN_DIRNAME;
+		gen->d.dirn = isname;
+		}
+
+	akeyid->issuer = gens;
+	akeyid->serial = serial;
+	akeyid->keyid = ikeyid;
+
+	return akeyid;
+
+ err:
+	X509_NAME_free(isname);
+	M_ASN1_INTEGER_free(serial);
+	M_ASN1_OCTET_STRING_free(ikeyid);
 	return NULL;
-}
-
-cert = ctx->issuer_cert;
-
-if(keyid) {
-	i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
-	if((i >= 0)  && (ext = X509_get_ext(cert, i)))
-						 ikeyid = X509V3_EXT_d2i(ext);
-	if(keyid==2 && !ikeyid) {
-		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
-		return NULL;
-	}
-}
-
-if((issuer && !ikeyid) || (issuer == 2)) {
-	isname = X509_NAME_dup(X509_get_issuer_name(cert));
-	serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
-	if(!isname || !serial) {
-		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
-		goto err;
 	}
-}
-
-if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
-
-if(isname) {
-	if(!(gens = sk_GENERAL_NAME_new_null()) || !(gen = GENERAL_NAME_new())
-		|| !sk_GENERAL_NAME_push(gens, gen)) {
-		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
-		goto err;
-	}
-	gen->type = GEN_DIRNAME;
-	gen->d.dirn = isname;
-}
-
-akeyid->issuer = gens;
-akeyid->serial = serial;
-akeyid->keyid = ikeyid;
-
-return akeyid;
-
-err:
-X509_NAME_free(isname);
-M_ASN1_INTEGER_free(serial);
-M_ASN1_OCTET_STRING_free(ikeyid);
-return NULL;
-
-}
-
diff --git a/crypto/openssl/crypto/x509v3/v3_alt.c b/crypto/openssl/crypto/x509v3/v3_alt.c
index 58b935a3b6b8..b38b3dbfe62b 100644
--- a/crypto/openssl/crypto/x509v3/v3_alt.c
+++ b/crypto/openssl/crypto/x509v3/v3_alt.c
@@ -1,9 +1,9 @@
 /* v3_alt.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -65,6 +65,9 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx
 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
 static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
+static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
+static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
+
 X509V3_EXT_METHOD v3_alt[] = {
 { NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
 0,0,0,0,
@@ -98,7 +101,8 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
 				GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
 {
 	unsigned char *p;
-	char oline[256];
+	char oline[256], htmp[5];
+	int i;
 	switch (gen->type)
 	{
 		case GEN_OTHERNAME:
@@ -132,13 +136,27 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
 
 		case GEN_IPADD:
 		p = gen->d.ip->data;
-		/* BUG: doesn't support IPV6 */
-		if(gen->d.ip->length != 4) {
+		if(gen->d.ip->length == 4)
+			BIO_snprintf(oline, sizeof oline,
+				     "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+		else if(gen->d.ip->length == 16)
+			{
+			oline[0] = 0;
+			for (i = 0; i < 8; i++)
+				{
+				BIO_snprintf(htmp, sizeof htmp,
+					     "%X", p[0] << 8 | p[1]);
+				p += 2;
+				strcat(oline, htmp);
+				if (i != 7)
+					strcat(oline, ":");
+				}
+			}
+		else
+			{
 			X509V3_add_value("IP Address","<invalid>", &ret);
 			break;
-		}
-		BIO_snprintf(oline, sizeof oline,
-			     "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+			}
 		X509V3_add_value("IP Address",oline, &ret);
 		break;
 
@@ -153,6 +171,7 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
 int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
 {
 	unsigned char *p;
+	int i;
 	switch (gen->type)
 	{
 		case GEN_OTHERNAME:
@@ -187,12 +206,24 @@ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
 
 		case GEN_IPADD:
 		p = gen->d.ip->data;
-		/* BUG: doesn't support IPV6 */
-		if(gen->d.ip->length != 4) {
+		if(gen->d.ip->length == 4)
+			BIO_printf(out, "IP Address:%d.%d.%d.%d",
+						p[0], p[1], p[2], p[3]);
+		else if(gen->d.ip->length == 16)
+			{
+			BIO_printf(out, "IP Address");
+			for (i = 0; i < 8; i++)
+				{
+				BIO_printf(out, ":%X", p[0] << 8 | p[1]);
+				p += 2;
+				}
+			BIO_puts(out, "\n");
+			}
+		else
+			{
 			BIO_printf(out,"IP Address:<invalid>");
 			break;
-		}
-		BIO_printf(out, "IP Address:%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+			}
 		break;
 
 		case GEN_RID:
@@ -210,7 +241,7 @@ static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
 	CONF_VALUE *cnf;
 	int i;
 	if(!(gens = sk_GENERAL_NAME_new_null())) {
-		X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
+		X509V3err(X509V3_F_V2I_ISSUER_ALT,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
@@ -275,7 +306,7 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
 	CONF_VALUE *cnf;
 	int i;
 	if(!(gens = sk_GENERAL_NAME_new_null())) {
-		X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
+		X509V3err(X509V3_F_V2I_SUBJECT_ALT,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
@@ -310,7 +341,8 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
 	X509_NAME_ENTRY *ne;
 	GENERAL_NAME *gen = NULL;
 	int i;
-	if(ctx->flags == CTX_TEST) return 1;
+	if(ctx != NULL && ctx->flags == CTX_TEST)
+		return 1;
 	if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
 		X509V3err(X509V3_F_COPY_EMAIL,X509V3_R_NO_SUBJECT_DETAILS);
 		goto err;
@@ -378,81 +410,172 @@ GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
 
 GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
 							 CONF_VALUE *cnf)
-{
-char is_string = 0;
-int type;
-GENERAL_NAME *gen = NULL;
+	{
+	return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
+	}
 
-char *name, *value;
+GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
+				X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+						 CONF_VALUE *cnf, int is_nc)
+	{
+	char is_string = 0;
+	int type;
+	GENERAL_NAME *gen = NULL;
 
-name = cnf->name;
-value = cnf->value;
+	char *name, *value;
 
-if(!value) {
-	X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_MISSING_VALUE);
-	return NULL;
-}
+	name = cnf->name;
+	value = cnf->value;
 
-if(!(gen = GENERAL_NAME_new())) {
-	X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
-	return NULL;
-}
+	if(!value)
+		{
+		X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_MISSING_VALUE);
+		return NULL;
+		}
 
-if(!name_cmp(name, "email")) {
-	is_string = 1;
-	type = GEN_EMAIL;
-} else if(!name_cmp(name, "URI")) {
-	is_string = 1;
-	type = GEN_URI;
-} else if(!name_cmp(name, "DNS")) {
-	is_string = 1;
-	type = GEN_DNS;
-} else if(!name_cmp(name, "RID")) {
-	ASN1_OBJECT *obj;
-	if(!(obj = OBJ_txt2obj(value,0))) {
-		X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_OBJECT);
-		ERR_add_error_data(2, "value=", value);
-		goto err;
-	}
-	gen->d.rid = obj;
-	type = GEN_RID;
-} else if(!name_cmp(name, "IP")) {
-	int i1,i2,i3,i4;
-	unsigned char ip[4];
-	if((sscanf(value, "%d.%d.%d.%d",&i1,&i2,&i3,&i4) != 4) ||
-	    (i1 < 0) || (i1 > 255) || (i2 < 0) || (i2 > 255) ||
-	    (i3 < 0) || (i3 > 255) || (i4 < 0) || (i4 > 255) ) {
-		X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS);
-		ERR_add_error_data(2, "value=", value);
+	if (out)
+		gen = out;
+	else
+		{
+		gen = GENERAL_NAME_new();
+		if(gen == NULL)
+			{
+			X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,ERR_R_MALLOC_FAILURE);
+			return NULL;
+			}
+		}
+
+	if(!name_cmp(name, "email"))
+		{
+		is_string = 1;
+		type = GEN_EMAIL;
+		}
+	else if(!name_cmp(name, "URI"))
+		{
+		is_string = 1;
+		type = GEN_URI;
+		}
+	else if(!name_cmp(name, "DNS"))
+		{
+		is_string = 1;
+		type = GEN_DNS;
+		}
+	else if(!name_cmp(name, "RID"))
+		{
+		ASN1_OBJECT *obj;
+		if(!(obj = OBJ_txt2obj(value,0)))
+			{
+			X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_BAD_OBJECT);
+			ERR_add_error_data(2, "value=", value);
+			goto err;
+			}
+		gen->d.rid = obj;
+		type = GEN_RID;
+		}
+	else if(!name_cmp(name, "IP"))
+		{
+		if (is_nc)
+			gen->d.ip = a2i_IPADDRESS_NC(value);
+		else
+			gen->d.ip = a2i_IPADDRESS(value);
+		if(gen->d.ip == NULL)
+			{
+			X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_BAD_IP_ADDRESS);
+			ERR_add_error_data(2, "value=", value);
+			goto err;
+			}
+		type = GEN_IPADD;
+		}
+	else if(!name_cmp(name, "dirName"))
+		{
+		type = GEN_DIRNAME;
+		if (!do_dirname(gen, value, ctx))
+			{
+			X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_DIRNAME_ERROR);
+			goto err;
+			}
+		}
+	else if(!name_cmp(name, "otherName"))
+		{
+		if (!do_othername(gen, value, ctx))
+			{
+			X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_OTHERNAME_ERROR);
+			goto err;
+			}
+		type = GEN_OTHERNAME;
+		}
+	else
+		{
+		X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_UNSUPPORTED_OPTION);
+		ERR_add_error_data(2, "name=", name);
 		goto err;
-	}
-	ip[0] = i1; ip[1] = i2 ; ip[2] = i3 ; ip[3] = i4;
-	if(!(gen->d.ip = M_ASN1_OCTET_STRING_new()) ||
-		!ASN1_STRING_set(gen->d.ip, ip, 4)) {
-			X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
+		}
+
+	if(is_string)
+		{
+		if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
+			      !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
+					       strlen(value)))
+			{
+			X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,ERR_R_MALLOC_FAILURE);
 			goto err;
-	}
-	type = GEN_IPADD;
-} else {
-	X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_OPTION);
-	ERR_add_error_data(2, "name=", name);
-	goto err;
-}
+			}
+		}
 
-if(is_string) {
-	if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
-		      !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
-				       strlen(value))) {
-		X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
-		goto err;
-	}
-}
+	gen->type = type;
+
+	return gen;
 
-gen->type = type;
+	err:
+	GENERAL_NAME_free(gen);
+	return NULL;
+	}
 
-return gen;
+static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
+	{
+	char *objtmp = NULL, *p;
+	int objlen;
+	if (!(p = strchr(value, ';')))
+		return 0;
+	if (!(gen->d.otherName = OTHERNAME_new()))
+		return 0;
+	/* Free this up because we will overwrite it.
+	 * no need to free type_id because it is static
+	 */
+	ASN1_TYPE_free(gen->d.otherName->value);
+	if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
+		return 0;
+	objlen = p - value;
+	objtmp = OPENSSL_malloc(objlen + 1);
+	strncpy(objtmp, value, objlen);
+	objtmp[objlen] = 0;
+	gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
+	OPENSSL_free(objtmp);	
+	if (!gen->d.otherName->type_id)
+		return 0;
+	return 1;
+	}
 
-err:
-GENERAL_NAME_free(gen);
-return NULL;
-}
+static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
+	{
+	int ret;
+	STACK_OF(CONF_VALUE) *sk;
+	X509_NAME *nm;
+	if (!(nm = X509_NAME_new()))
+		return 0;
+	sk = X509V3_get_section(ctx, value);
+	if (!sk)
+		{
+		X509V3err(X509V3_F_DO_DIRNAME,X509V3_R_SECTION_NOT_FOUND);
+		ERR_add_error_data(2, "section=", value);
+		X509_NAME_free(nm);
+		return 0;
+		}
+	/* FIXME: should allow other character types... */
+	ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
+	if (!ret)
+		X509_NAME_free(nm);
+	gen->d.dirn = nm;
+		
+	return ret;
+	}
diff --git a/crypto/openssl/crypto/x509v3/v3_bitst.c b/crypto/openssl/crypto/x509v3/v3_bitst.c
index 16cf12556218..170c8d280bcc 100644
--- a/crypto/openssl/crypto/x509v3/v3_bitst.c
+++ b/crypto/openssl/crypto/x509v3/v3_bitst.c
@@ -61,12 +61,6 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
-				ASN1_BIT_STRING *bits,
-				STACK_OF(CONF_VALUE) *extlist);
-
 static BIT_STRING_BITNAME ns_cert_type_table[] = {
 {0, "SSL Client", "client"},
 {1, "SSL Server", "server"},
@@ -97,7 +91,7 @@ static BIT_STRING_BITNAME key_usage_type_table[] = {
 X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table);
 X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table);
 
-static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
 	     ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret)
 {
 	BIT_STRING_BITNAME *bnam;
@@ -108,7 +102,7 @@ static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
 	return ret;
 }
 	
-static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
 	     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
 	CONF_VALUE *val;
@@ -124,7 +118,12 @@ static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
 		for(bnam = method->usr_data; bnam->lname; bnam++) {
 			if(!strcmp(bnam->sname, val->name) ||
 				!strcmp(bnam->lname, val->name) ) {
-				ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1);
+				if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {
+					X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
+						ERR_R_MALLOC_FAILURE);
+					M_ASN1_BIT_STRING_free(bs);
+					return NULL;
+				}
 				break;
 			}
 		}
diff --git a/crypto/openssl/crypto/x509v3/v3_conf.c b/crypto/openssl/crypto/x509v3/v3_conf.c
index 1284d5aaa54f..2b867305fba1 100644
--- a/crypto/openssl/crypto/x509v3/v3_conf.c
+++ b/crypto/openssl/crypto/x509v3/v3_conf.c
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -69,11 +69,12 @@
 static int v3_check_critical(char **value);
 static int v3_check_generic(char **value);
 static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value);
-static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type);
+static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx);
 static char *conf_lhash_get_string(void *db, char *section, char *value);
 static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
 static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
 						 int crit, void *ext_struc);
+static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
 /* CONF *conf:  Config file    */
 /* char *name:  Name    */
 /* char *value:  Value    */
@@ -85,11 +86,11 @@ X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
 	X509_EXTENSION *ret;
 	crit = v3_check_critical(&value);
 	if ((ext_type = v3_check_generic(&value))) 
-		return v3_generic_extension(name, value, crit, ext_type);
+		return v3_generic_extension(name, value, crit, ext_type, ctx);
 	ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
 	if (!ret)
 		{
-		X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_ERROR_IN_EXTENSION);
+		X509V3err(X509V3_F_X509V3_EXT_NCONF,X509V3_R_ERROR_IN_EXTENSION);
 		ERR_add_error_data(4,"name=", name, ", value=", value);
 		}
 	return ret;
@@ -105,7 +106,7 @@ X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
 	crit = v3_check_critical(&value);
 	if ((ext_type = v3_check_generic(&value))) 
 		return v3_generic_extension(OBJ_nid2sn(ext_nid),
-							 value, crit, ext_type);
+						 value, crit, ext_type, ctx);
 	return do_ext_nconf(conf, ctx, ext_nid, crit, value);
 	}
 
@@ -120,12 +121,12 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
 	void *ext_struc;
 	if (ext_nid == NID_undef)
 		{
-		X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION_NAME);
+		X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION_NAME);
 		return NULL;
 		}
 	if (!(method = X509V3_EXT_get_nid(ext_nid)))
 		{
-		X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION);
+		X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION);
 		return NULL;
 		}
 	/* Now get internal extension representation based on type */
@@ -133,9 +134,9 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
 		{
 		if(*value == '@') nval = NCONF_get_section(conf, value + 1);
 		else nval = X509V3_parse_list(value);
-		if(!nval)
+		if(sk_CONF_VALUE_num(nval) <= 0)
 			{
-			X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_INVALID_EXTENSION_STRING);
+			X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_INVALID_EXTENSION_STRING);
 			ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
 			return NULL;
 			}
@@ -150,16 +151,16 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
 		}
 	else if(method->r2i)
 		{
-		if(!ctx->db)
+		if(!ctx->db || !ctx->db_meth)
 			{
-			X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_NO_CONFIG_DATABASE);
+			X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_NO_CONFIG_DATABASE);
 			return NULL;
 			}
 		if(!(ext_struc = method->r2i(method, ctx, value))) return NULL;
 		}
 	else
 		{
-		X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
+		X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
 		ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
 		return NULL;
 		}
@@ -235,17 +236,29 @@ static int v3_check_critical(char **value)
 /* Check extension string for generic extension and return the type */
 static int v3_check_generic(char **value)
 {
+	int gen_type = 0;
 	char *p = *value;
-	if ((strlen(p) < 4) || strncmp(p, "DER:", 4)) return 0;
-	p+=4;
+	if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4))
+		{
+		p+=4;
+		gen_type = 1;
+		}
+	else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5))
+		{
+		p+=5;
+		gen_type = 2;
+		}
+	else
+		return 0;
+
 	while (isspace((unsigned char)*p)) p++;
 	*value = p;
-	return 1;
+	return gen_type;
 }
 
 /* Create a generic extension: for now just handle DER type */
 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
-	     int crit, int type)
+	     int crit, int gen_type, X509V3_CTX *ctx)
 	{
 	unsigned char *ext_der=NULL;
 	long ext_len;
@@ -259,7 +272,12 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
 		goto err;
 		}
 
-	if (!(ext_der = string_to_hex(value, &ext_len)))
+	if (gen_type == 1)
+		ext_der = string_to_hex(value, &ext_len);
+	else if (gen_type == 2)
+		ext_der = generic_asn1(value, ctx, &ext_len);
+
+	if (ext_der == NULL)
 		{
 		X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_VALUE_ERROR);
 		ERR_add_error_data(2, "value=", value);
@@ -286,6 +304,17 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
 
 	}
 
+static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len)
+	{
+	ASN1_TYPE *typ;
+	unsigned char *ext_der = NULL;
+	typ = ASN1_generate_v3(value, ctx);
+	if (typ == NULL)
+		return NULL;
+	*ext_len = i2d_ASN1_TYPE(typ, &ext_der);
+	ASN1_TYPE_free(typ);
+	return ext_der;
+	}
 
 /* This is the main function: add a bunch of extensions based on a config file
  * section to an extension STACK.
@@ -354,6 +383,11 @@ int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
 
 char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
 	{
+	if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string)
+		{
+		X509V3err(X509V3_F_X509V3_GET_STRING,X509V3_R_OPERATION_NOT_DEFINED);
+		return NULL;
+		}
 	if (ctx->db_meth->get_string)
 			return ctx->db_meth->get_string(ctx->db, name, section);
 	return NULL;
@@ -361,6 +395,11 @@ char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
 
 STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section)
 	{
+	if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section)
+		{
+		X509V3err(X509V3_F_X509V3_GET_SECTION,X509V3_R_OPERATION_NOT_DEFINED);
+		return NULL;
+		}
 	if (ctx->db_meth->get_section)
 			return ctx->db_meth->get_section(ctx->db, section);
 	return NULL;
diff --git a/crypto/openssl/crypto/x509v3/v3_cpols.c b/crypto/openssl/crypto/x509v3/v3_cpols.c
index 0d554f3a2c97..e5b8c5a1acc2 100644
--- a/crypto/openssl/crypto/x509v3/v3_cpols.c
+++ b/crypto/openssl/crypto/x509v3/v3_cpols.c
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -63,6 +63,8 @@
 #include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 
+#include "pcy_int.h"
+
 /* Certificate policies extension support: this one is a bit complex... */
 
 static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent);
@@ -137,7 +139,15 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
 	CONF_VALUE *cnf;
 	int i, ia5org;
 	pols = sk_POLICYINFO_new_null();
+	if (pols == NULL) {
+		X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
 	vals =  X509V3_parse_list(value);
+	if (vals == NULL) {
+		X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
+		goto err;
+	}
 	ia5org = 0;
 	for(i = 0; i < sk_CONF_VALUE_num(vals); i++) {
 		cnf = sk_CONF_VALUE_value(vals, i);
@@ -176,6 +186,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
 	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
 	return pols;
 	err:
+	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
 	sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
 	return NULL;
 }
@@ -339,7 +350,7 @@ static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
 	return 1;
 
 	merr:
-	X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+	X509V3err(X509V3_F_NREF_NOS,ERR_R_MALLOC_FAILURE);
 
 	err:
 	sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
@@ -420,3 +431,19 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)
 							 notice->exptext->data);
 }
 
+void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
+	{
+	const X509_POLICY_DATA *dat = node->data;
+
+	BIO_printf(out, "%*sPolicy: ", indent, "");
+			
+	i2a_ASN1_OBJECT(out, dat->valid_policy);
+	BIO_puts(out, "\n");
+	BIO_printf(out, "%*s%s\n", indent + 2, "",
+		node_data_critical(dat) ? "Critical" : "Non Critical");
+	if (dat->qualifier_set)
+		print_qualifiers(out, dat->qualifier_set, indent + 2);
+	else
+		BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
+	}
+	
diff --git a/crypto/openssl/crypto/x509v3/v3_extku.c b/crypto/openssl/crypto/x509v3/v3_extku.c
index b1cfaba1aa83..58c1c2e69935 100644
--- a/crypto/openssl/crypto/x509v3/v3_extku.c
+++ b/crypto/openssl/crypto/x509v3/v3_extku.c
@@ -122,7 +122,7 @@ static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
 	int i;
 
 	if(!(extku = sk_ASN1_OBJECT_new_null())) {
-		X509V3err(X509V3_F_V2I_EXT_KU,ERR_R_MALLOC_FAILURE);
+		X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 
@@ -132,7 +132,7 @@ static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
 		else extval = val->name;
 		if(!(objtmp = OBJ_txt2obj(extval, 0))) {
 			sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
-			X509V3err(X509V3_F_V2I_EXT_KU,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+			X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
 			X509V3_conf_err(val);
 			return NULL;
 		}
diff --git a/crypto/openssl/crypto/x509v3/v3_ia5.c b/crypto/openssl/crypto/x509v3/v3_ia5.c
index f9414456de27..9683afa47c43 100644
--- a/crypto/openssl/crypto/x509v3/v3_ia5.c
+++ b/crypto/openssl/crypto/x509v3/v3_ia5.c
@@ -82,7 +82,10 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
 {
 	char *tmp;
 	if(!ia5 || !ia5->length) return NULL;
-	if (!(tmp = OPENSSL_malloc(ia5->length + 1))) return NULL;
+	if(!(tmp = OPENSSL_malloc(ia5->length + 1))) {
+		X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
 	memcpy(tmp, ia5->data, ia5->length);
 	tmp[ia5->length] = 0;
 	return tmp;
diff --git a/crypto/openssl/crypto/x509v3/v3_info.c b/crypto/openssl/crypto/x509v3/v3_info.c
index 53e3f4885904..ab4f0eae1942 100644
--- a/crypto/openssl/crypto/x509v3/v3_info.c
+++ b/crypto/openssl/crypto/x509v3/v3_info.c
@@ -141,36 +141,35 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *metho
 	int i, objlen;
 	char *objtmp, *ptmp;
 	if(!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
-		X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+		X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
 		cnf = sk_CONF_VALUE_value(nval, i);
 		if(!(acc = ACCESS_DESCRIPTION_new())
 			|| !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {
-			X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+			X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
 			goto err;
 		}
 		ptmp = strchr(cnf->name, ';');
 		if(!ptmp) {
-			X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_INVALID_SYNTAX);
+			X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_INVALID_SYNTAX);
 			goto err;
 		}
 		objlen = ptmp - cnf->name;
 		ctmp.name = ptmp + 1;
 		ctmp.value = cnf->value;
-		GENERAL_NAME_free(acc->location);
-		if(!(acc->location = v2i_GENERAL_NAME(method, ctx, &ctmp)))
+		if(!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
 								 goto err; 
 		if(!(objtmp = OPENSSL_malloc(objlen + 1))) {
-			X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+			X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
 			goto err;
 		}
 		strncpy(objtmp, cnf->name, objlen);
 		objtmp[objlen] = 0;
 		acc->method = OBJ_txt2obj(objtmp, 0);
 		if(!acc->method) {
-			X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_BAD_OBJECT);
+			X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_BAD_OBJECT);
 			ERR_add_error_data(2, "value=", objtmp);
 			OPENSSL_free(objtmp);
 			goto err;
diff --git a/crypto/openssl/crypto/x509v3/v3_int.c b/crypto/openssl/crypto/x509v3/v3_int.c
index 7a43b4717bc5..85e79c05cad8 100644
--- a/crypto/openssl/crypto/x509v3/v3_int.c
+++ b/crypto/openssl/crypto/x509v3/v3_int.c
@@ -74,3 +74,16 @@ X509V3_EXT_METHOD v3_delta_crl = {
 	0,
 	0,0,0,0, NULL};
 
+static void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
+	{
+	return s2i_ASN1_INTEGER(meth, value);
+	}
+
+X509V3_EXT_METHOD v3_inhibit_anyp = { 
+	NID_inhibit_any_policy, 0, ASN1_ITEM_ref(ASN1_INTEGER),
+	0,0,0,0,
+	(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+	(X509V3_EXT_S2I)s2i_asn1_int,
+	0,0,0,0, NULL};
+
+
diff --git a/crypto/openssl/crypto/x509v3/v3_lib.c b/crypto/openssl/crypto/x509v3/v3_lib.c
index ca5a4a4a5709..f3015ea610cb 100644
--- a/crypto/openssl/crypto/x509v3/v3_lib.c
+++ b/crypto/openssl/crypto/x509v3/v3_lib.c
@@ -162,7 +162,8 @@ int X509V3_add_standard_extensions(void)
 void *X509V3_EXT_d2i(X509_EXTENSION *ext)
 {
 	X509V3_EXT_METHOD *method;
-	unsigned char *p;
+	const unsigned char *p;
+
 	if(!(method = X509V3_EXT_get(ext))) return NULL;
 	p = ext->value->data;
 	if(method->it) return ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
@@ -276,7 +277,7 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
 	ext = X509V3_EXT_i2d(nid, crit, value);
 
 	if(!ext) {
-		X509V3err(X509V3_F_X509V3_ADD_I2D, X509V3_R_ERROR_CREATING_EXTENSION);
+		X509V3err(X509V3_F_X509V3_ADD1_I2D, X509V3_R_ERROR_CREATING_EXTENSION);
 		return 0;
 	}
 
@@ -295,7 +296,7 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
 
 	err:
 	if(!(flags & X509V3_ADD_SILENT))
-		X509V3err(X509V3_F_X509V3_ADD_I2D, errcode);
+		X509V3err(X509V3_F_X509V3_ADD1_I2D, errcode);
 	return 0;
 }
 
diff --git a/crypto/openssl/crypto/x509v3/v3_ncons.c b/crypto/openssl/crypto/x509v3/v3_ncons.c
new file mode 100644
index 000000000000..5fded6910ea5
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_ncons.c
@@ -0,0 +1,220 @@
+/* v3_ncons.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static void *v2i_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static int i2r_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method, 
+				void *a, BIO *bp, int ind);
+static int do_i2r_name_constraints(X509V3_EXT_METHOD *method,
+				STACK_OF(GENERAL_SUBTREE) *trees,
+					BIO *bp, int ind, char *name);
+static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
+
+X509V3_EXT_METHOD v3_name_constraints = {
+	NID_name_constraints, 0,
+	ASN1_ITEM_ref(NAME_CONSTRAINTS),
+	0,0,0,0,
+	0,0,
+	0, v2i_NAME_CONSTRAINTS,
+	i2r_NAME_CONSTRAINTS,0,
+	NULL
+};
+
+ASN1_SEQUENCE(GENERAL_SUBTREE) = {
+	ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
+	ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
+	ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1)
+} ASN1_SEQUENCE_END(GENERAL_SUBTREE)
+
+ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
+	ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
+							GENERAL_SUBTREE, 0),
+	ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
+							GENERAL_SUBTREE, 1),
+} ASN1_SEQUENCE_END(NAME_CONSTRAINTS)
+	
+
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
+
+static void *v2i_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+	{
+	int i;
+	CONF_VALUE tval, *val;
+	STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
+	NAME_CONSTRAINTS *ncons = NULL;
+	GENERAL_SUBTREE *sub = NULL;
+	ncons = NAME_CONSTRAINTS_new();
+	if (!ncons)
+		goto memerr;
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
+		{
+		val = sk_CONF_VALUE_value(nval, i);
+		if (!strncmp(val->name, "permitted", 9) && val->name[9])
+			{
+			ptree = &ncons->permittedSubtrees;
+			tval.name = val->name + 10;
+			}
+		else if (!strncmp(val->name, "excluded", 8) && val->name[8])
+			{
+			ptree = &ncons->excludedSubtrees;
+			tval.name = val->name + 9;
+			}
+		else
+			{
+			X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, X509V3_R_INVALID_SYNTAX);
+			goto err;
+			}
+		tval.value = val->value;
+		sub = GENERAL_SUBTREE_new();
+		if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
+			goto err;
+		if (!*ptree)
+			*ptree = sk_GENERAL_SUBTREE_new_null();
+		if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
+			goto memerr;
+		sub = NULL;
+		}
+
+	return ncons;
+
+	memerr:
+	X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
+	err:
+	if (ncons)
+		NAME_CONSTRAINTS_free(ncons);
+	if (sub)
+		GENERAL_SUBTREE_free(sub);
+
+	return NULL;
+	}
+			
+
+	
+
+static int i2r_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method,
+				void *a, BIO *bp, int ind)
+	{
+	NAME_CONSTRAINTS *ncons = a;
+	do_i2r_name_constraints(method, ncons->permittedSubtrees,
+					bp, ind, "Permitted");
+	do_i2r_name_constraints(method, ncons->excludedSubtrees,
+					bp, ind, "Excluded");
+	return 1;
+	}
+
+static int do_i2r_name_constraints(X509V3_EXT_METHOD *method,
+				STACK_OF(GENERAL_SUBTREE) *trees,
+					BIO *bp, int ind, char *name)
+	{
+	GENERAL_SUBTREE *tree;
+	int i;
+	if (sk_GENERAL_SUBTREE_num(trees) > 0)
+		BIO_printf(bp, "%*s%s:\n", ind, "", name);
+	for(i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++)
+		{
+		tree = sk_GENERAL_SUBTREE_value(trees, i);
+		BIO_printf(bp, "%*s", ind + 2, "");
+		if (tree->base->type == GEN_IPADD)
+			print_nc_ipadd(bp, tree->base->d.ip);
+		else
+			GENERAL_NAME_print(bp, tree->base);
+		tree = sk_GENERAL_SUBTREE_value(trees, i);
+		BIO_puts(bp, "\n");
+		}
+	return 1;
+	}
+
+static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
+	{
+	int i, len;
+	unsigned char *p;
+	p = ip->data;
+	len = ip->length;
+	BIO_puts(bp, "IP:");
+	if(len == 8)
+		{
+		BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
+				p[0], p[1], p[2], p[3],
+				p[4], p[5], p[6], p[7]);
+		}
+	else if(len == 32)
+		{
+		for (i = 0; i < 16; i++)
+			{
+			BIO_printf(bp, "%X", p[0] << 8 | p[1]);
+			p += 2;
+			if (i == 7)
+				BIO_puts(bp, "/");
+			else if (i != 15)
+				BIO_puts(bp, ":");
+			}
+		}
+	else
+		BIO_printf(bp, "IP Address:<invalid>");
+	return 1;
+	}
+
diff --git a/crypto/openssl/crypto/x509v3/v3_ocsp.c b/crypto/openssl/crypto/x509v3/v3_ocsp.c
index 21badc13f9f0..28c11a4dbfca 100644
--- a/crypto/openssl/crypto/x509v3/v3_ocsp.c
+++ b/crypto/openssl/crypto/x509v3/v3_ocsp.c
@@ -74,12 +74,12 @@ static int i2r_object(X509V3_EXT_METHOD *method, void *obj, BIO *out, int indent
 
 static void *ocsp_nonce_new(void);
 static int i2d_ocsp_nonce(void *a, unsigned char **pp);
-static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length);
+static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
 static void ocsp_nonce_free(void *a);
 static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
 
 static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent);
-static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
+static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str);
 static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind);
 
 X509V3_EXT_METHOD v3_ocsp_crlid = {
@@ -208,7 +208,7 @@ static int i2d_ocsp_nonce(void *a, unsigned char **pp)
 	return os->length;
 }
 
-static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length)
+static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
 {
 	ASN1_OCTET_STRING *os, **pos;
 	pos = a;
@@ -246,7 +246,7 @@ static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out,
 	return 1;
 }
 
-static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
+static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
 {
 	return ASN1_NULL_new();
 }
diff --git a/crypto/openssl/crypto/x509v3/v3_pci.c b/crypto/openssl/crypto/x509v3/v3_pci.c
new file mode 100644
index 000000000000..ccb0da548ac4
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_pci.c
@@ -0,0 +1,313 @@
+/* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */
+/* Contributed to the OpenSSL Project 2004
+ * by Richard Levitte (richard@levitte.org)
+ */
+/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
+	BIO *out, int indent);
+static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
+	X509V3_CTX *ctx, char *str);
+
+X509V3_EXT_METHOD v3_pci =
+	{ NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
+	  0,0,0,0,
+	  0,0,
+	  NULL, NULL,
+	  (X509V3_EXT_I2R)i2r_pci,
+	  (X509V3_EXT_R2I)r2i_pci,
+	  NULL,
+	};
+
+static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
+	BIO *out, int indent)
+	{
+	BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
+	if (pci->pcPathLengthConstraint)
+	  i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
+	else
+	  BIO_printf(out, "infinite");
+	BIO_puts(out, "\n");
+	BIO_printf(out, "%*sPolicy Language: ", indent, "");
+	i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
+	BIO_puts(out, "\n");
+	if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
+	  BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
+		     pci->proxyPolicy->policy->data);
+	return 1;
+	}
+
+static int process_pci_value(CONF_VALUE *val,
+	ASN1_OBJECT **language, ASN1_INTEGER **pathlen,
+	ASN1_OCTET_STRING **policy)
+	{
+	int free_policy = 0;
+
+	if (strcmp(val->name, "language") == 0)
+		{
+		if (*language)
+			{
+			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED);
+			X509V3_conf_err(val);
+			return 0;
+			}
+		if (!(*language = OBJ_txt2obj(val->value, 0)))
+			{
+			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+			X509V3_conf_err(val);
+			return 0;
+			}
+		}
+	else if (strcmp(val->name, "pathlen") == 0)
+		{
+		if (*pathlen)
+			{
+			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED);
+			X509V3_conf_err(val);
+			return 0;
+			}
+		if (!X509V3_get_value_int(val, pathlen))
+			{
+			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH);
+			X509V3_conf_err(val);
+			return 0;
+			}
+		}
+	else if (strcmp(val->name, "policy") == 0)
+		{
+		unsigned char *tmp_data = NULL;
+		long val_len;
+		if (!*policy)
+			{
+			*policy = ASN1_OCTET_STRING_new();
+			if (!*policy)
+				{
+				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
+				X509V3_conf_err(val);
+				return 0;
+				}
+			free_policy = 1;
+			}
+		if (strncmp(val->value, "hex:", 4) == 0)
+			{
+			unsigned char *tmp_data2 =
+				string_to_hex(val->value + 4, &val_len);
+
+			if (!tmp_data2) goto err;
+
+			tmp_data = OPENSSL_realloc((*policy)->data,
+				(*policy)->length + val_len + 1);
+			if (tmp_data)
+				{
+				(*policy)->data = tmp_data;
+				memcpy(&(*policy)->data[(*policy)->length],
+					tmp_data2, val_len);
+				(*policy)->length += val_len;
+				(*policy)->data[(*policy)->length] = '\0';
+				}
+			}
+		else if (strncmp(val->value, "file:", 5) == 0)
+			{
+			unsigned char buf[2048];
+			int n;
+			BIO *b = BIO_new_file(val->value + 5, "r");
+			if (!b)
+				{
+				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
+				X509V3_conf_err(val);
+				goto err;
+				}
+			while((n = BIO_read(b, buf, sizeof(buf))) > 0
+				|| (n == 0 && BIO_should_retry(b)))
+				{
+				if (!n) continue;
+
+				tmp_data = OPENSSL_realloc((*policy)->data,
+					(*policy)->length + n + 1);
+
+				if (!tmp_data)
+					break;
+
+				(*policy)->data = tmp_data;
+				memcpy(&(*policy)->data[(*policy)->length],
+					buf, n);
+				(*policy)->length += n;
+				(*policy)->data[(*policy)->length] = '\0';
+				}
+
+			if (n < 0)
+				{
+				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
+				X509V3_conf_err(val);
+				goto err;
+				}
+			}
+		else if (strncmp(val->value, "text:", 5) == 0)
+			{
+			val_len = strlen(val->value + 5);
+			tmp_data = OPENSSL_realloc((*policy)->data,
+				(*policy)->length + val_len + 1);
+			if (tmp_data)
+				{
+				(*policy)->data = tmp_data;
+				memcpy(&(*policy)->data[(*policy)->length],
+					val->value + 5, val_len);
+				(*policy)->length += val_len;
+				(*policy)->data[(*policy)->length] = '\0';
+				}
+			}
+		else
+			{
+			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
+			X509V3_conf_err(val);
+			goto err;
+			}
+		if (!tmp_data)
+			{
+			X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
+			X509V3_conf_err(val);
+			goto err;
+			}
+		}
+	return 1;
+err:
+	if (free_policy)
+		{
+		ASN1_OCTET_STRING_free(*policy);
+		*policy = NULL;
+		}
+	return 0;
+	}
+
+static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
+	X509V3_CTX *ctx, char *value)
+	{
+	PROXY_CERT_INFO_EXTENSION *pci = NULL;
+	STACK_OF(CONF_VALUE) *vals;
+	ASN1_OBJECT *language = NULL;
+	ASN1_INTEGER *pathlen = NULL;
+	ASN1_OCTET_STRING *policy = NULL;
+	int i, j;
+
+	vals = X509V3_parse_list(value);
+	for (i = 0; i < sk_CONF_VALUE_num(vals); i++)
+		{
+		CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
+		if (!cnf->name || (*cnf->name != '@' && !cnf->value))
+			{
+			X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING);
+			X509V3_conf_err(cnf);
+			goto err;
+			}
+		if (*cnf->name == '@')
+			{
+			STACK_OF(CONF_VALUE) *sect;
+			int success_p = 1;
+
+			sect = X509V3_get_section(ctx, cnf->name + 1);
+			if (!sect)
+				{
+				X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION);
+				X509V3_conf_err(cnf);
+				goto err;
+				}
+			for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++)
+				{
+				success_p =
+					process_pci_value(sk_CONF_VALUE_value(sect, j),
+						&language, &pathlen, &policy);
+				}
+			X509V3_section_free(ctx, sect);
+			if (!success_p)
+				goto err;
+			}
+		else
+			{
+			if (!process_pci_value(cnf,
+					&language, &pathlen, &policy))
+				{
+				X509V3_conf_err(cnf);
+				goto err;
+				}
+			}
+		}
+
+	/* Language is mandatory */
+	if (!language)
+		{
+		X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
+		goto err;
+		}
+	i = OBJ_obj2nid(language);
+	if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy)
+		{
+		X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
+		goto err;
+		}
+
+	pci = PROXY_CERT_INFO_EXTENSION_new();
+	if (!pci)
+		{
+		X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	pci->proxyPolicy = PROXY_POLICY_new();
+	if (!pci->proxyPolicy)
+		{
+		X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	pci->proxyPolicy->policyLanguage = language; language = NULL;
+	pci->proxyPolicy->policy = policy; policy = NULL;
+	pci->pcPathLengthConstraint = pathlen; pathlen = NULL;
+	goto end;
+err:
+	if (language) { ASN1_OBJECT_free(language); language = NULL; }
+	if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }
+	if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }
+	if (pci && pci->proxyPolicy)
+		{
+		PROXY_POLICY_free(pci->proxyPolicy);
+		pci->proxyPolicy = NULL;
+		}
+	if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }
+end:
+	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
+	return pci;
+	}
diff --git a/crypto/openssl/crypto/x509v3/v3_pcia.c b/crypto/openssl/crypto/x509v3/v3_pcia.c
new file mode 100644
index 000000000000..bb362e0e5a9d
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_pcia.c
@@ -0,0 +1,55 @@
+/* v3_pcia.c -*- mode:C; c-file-style: "eay" -*- */
+/* Contributed to the OpenSSL Project 2004
+ * by Richard Levitte (richard@levitte.org)
+ */
+/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+
+ASN1_SEQUENCE(PROXY_POLICY) =
+	{
+	ASN1_SIMPLE(PROXY_POLICY,policyLanguage,ASN1_OBJECT),
+	ASN1_OPT(PROXY_POLICY,policy,ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(PROXY_POLICY)
+
+IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY)
+
+ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) =
+	{
+	ASN1_OPT(PROXY_CERT_INFO_EXTENSION,pcPathLengthConstraint,ASN1_INTEGER),
+	ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION,proxyPolicy,PROXY_POLICY)
+} ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION)
+
+IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
diff --git a/crypto/openssl/crypto/x509v3/v3_pcons.c b/crypto/openssl/crypto/x509v3/v3_pcons.c
new file mode 100644
index 000000000000..91ae862ed795
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_pcons.c
@@ -0,0 +1,136 @@
+/* v3_pcons.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
+				void *bcons, STACK_OF(CONF_VALUE) *extlist);
+static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+
+X509V3_EXT_METHOD v3_policy_constraints = {
+NID_policy_constraints, 0,
+ASN1_ITEM_ref(POLICY_CONSTRAINTS),
+0,0,0,0,
+0,0,
+i2v_POLICY_CONSTRAINTS,
+v2i_POLICY_CONSTRAINTS,
+NULL,NULL,
+NULL
+};
+
+ASN1_SEQUENCE(POLICY_CONSTRAINTS) = {
+	ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER,0),
+	ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER,1)
+} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS)
+
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
+
+
+static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
+	     void *a, STACK_OF(CONF_VALUE) *extlist)
+{
+	POLICY_CONSTRAINTS *pcons = a;
+	X509V3_add_value_int("Require Explicit Policy",
+			pcons->requireExplicitPolicy, &extlist);
+	X509V3_add_value_int("Inhibit Policy Mapping",
+			pcons->inhibitPolicyMapping, &extlist);
+	return extlist;
+}
+
+static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
+	     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
+{
+	POLICY_CONSTRAINTS *pcons=NULL;
+	CONF_VALUE *val;
+	int i;
+	if(!(pcons = POLICY_CONSTRAINTS_new())) {
+		X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
+		val = sk_CONF_VALUE_value(values, i);
+		if(!strcmp(val->name, "requireExplicitPolicy")) {
+			if(!X509V3_get_value_int(val,
+				&pcons->requireExplicitPolicy)) goto err;
+		} else if(!strcmp(val->name, "inhibitPolicyMapping")) {
+			if(!X509V3_get_value_int(val,
+				&pcons->inhibitPolicyMapping)) goto err;
+		} else {
+			X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME);
+			X509V3_conf_err(val);
+			goto err;
+		}
+	}
+	if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
+		X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_ILLEGAL_EMPTY_EXTENSION);
+		goto err;
+	}
+
+	return pcons;
+	err:
+	POLICY_CONSTRAINTS_free(pcons);
+	return NULL;
+}
+
diff --git a/crypto/openssl/crypto/x509v3/v3_pmaps.c b/crypto/openssl/crypto/x509v3/v3_pmaps.c
new file mode 100644
index 000000000000..137be58ad91a
--- /dev/null
+++ b/crypto/openssl/crypto/x509v3/v3_pmaps.c
@@ -0,0 +1,153 @@
+/* v3_pmaps.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
+				void *pmps, STACK_OF(CONF_VALUE) *extlist);
+
+X509V3_EXT_METHOD v3_policy_mappings = {
+	NID_policy_mappings, 0,
+	ASN1_ITEM_ref(POLICY_MAPPINGS),
+	0,0,0,0,
+	0,0,
+	i2v_POLICY_MAPPINGS,
+	v2i_POLICY_MAPPINGS,
+	0,0,
+	NULL
+};
+
+ASN1_SEQUENCE(POLICY_MAPPING) = {
+	ASN1_SIMPLE(POLICY_MAPPING, issuerDomainPolicy, ASN1_OBJECT),
+	ASN1_SIMPLE(POLICY_MAPPING, subjectDomainPolicy, ASN1_OBJECT)
+} ASN1_SEQUENCE_END(POLICY_MAPPING)
+
+ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) = 
+	ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS,
+								POLICY_MAPPING)
+ASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS)
+
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
+
+
+static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
+		void *a, STACK_OF(CONF_VALUE) *ext_list)
+{
+	POLICY_MAPPINGS *pmaps = a;
+	POLICY_MAPPING *pmap;
+	int i;
+	char obj_tmp1[80];
+	char obj_tmp2[80];
+	for(i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
+		pmap = sk_POLICY_MAPPING_value(pmaps, i);
+		i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy);
+		i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy);
+		X509V3_add_value(obj_tmp1, obj_tmp2, &ext_list);
+	}
+	return ext_list;
+}
+
+static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+	POLICY_MAPPINGS *pmaps;
+	POLICY_MAPPING *pmap;
+	ASN1_OBJECT *obj1, *obj2;
+	CONF_VALUE *val;
+	int i;
+
+	if(!(pmaps = sk_POLICY_MAPPING_new_null())) {
+		X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		val = sk_CONF_VALUE_value(nval, i);
+		if(!val->value || !val->name) {
+			sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
+			X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+			X509V3_conf_err(val);
+			return NULL;
+		}
+		obj1 = OBJ_txt2obj(val->name, 0);
+		obj2 = OBJ_txt2obj(val->value, 0);
+		if(!obj1 || !obj2) {
+			sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
+			X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+			X509V3_conf_err(val);
+			return NULL;
+		}
+		pmap = POLICY_MAPPING_new();
+		if (!pmap) {
+			sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
+			X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);
+			return NULL;
+		}
+		pmap->issuerDomainPolicy = obj1;
+		pmap->subjectDomainPolicy = obj2;
+		sk_POLICY_MAPPING_push(pmaps, pmap);
+	}
+	return pmaps;
+}
diff --git a/crypto/openssl/crypto/x509v3/v3_prn.c b/crypto/openssl/crypto/x509v3/v3_prn.c
index 5d268eb7682c..20bd9bda190a 100644
--- a/crypto/openssl/crypto/x509v3/v3_prn.c
+++ b/crypto/openssl/crypto/x509v3/v3_prn.c
@@ -109,10 +109,11 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int inde
 {
 	void *ext_str = NULL;
 	char *value = NULL;
-	unsigned char *p;
+	const unsigned char *p;
 	X509V3_EXT_METHOD *method;	
 	STACK_OF(CONF_VALUE) *nval = NULL;
 	int ok = 1;
+
 	if(!(method = X509V3_EXT_get(ext)))
 		return unknown_ext_print(out, ext, flag, indent, 0);
 	p = ext->value->data;
@@ -182,7 +183,7 @@ int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts
 		obj=X509_EXTENSION_get_object(ex);
 		i2a_ASN1_OBJECT(bp,obj);
 		j=X509_EXTENSION_get_critical(ex);
-		if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
+		if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0)
 			return 0;
 		if(!X509V3_EXT_print(bp, ex, flag, indent + 4))
 			{
diff --git a/crypto/openssl/crypto/x509v3/v3_purp.c b/crypto/openssl/crypto/x509v3/v3_purp.c
index b3d1ae5d1cc8..1222c3ce5b13 100644
--- a/crypto/openssl/crypto/x509v3/v3_purp.c
+++ b/crypto/openssl/crypto/x509v3/v3_purp.c
@@ -63,7 +63,6 @@
 
 static void x509v3_cache_extensions(X509 *x);
 
-static int ca_check(const X509 *x);
 static int check_ssl_ca(const X509 *x);
 static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
@@ -140,7 +139,7 @@ int X509_PURPOSE_get_count(void)
 X509_PURPOSE * X509_PURPOSE_get0(int idx)
 {
 	if(idx < 0) return NULL;
-	if(idx < X509_PURPOSE_COUNT) return xstandard + idx;
+	if(idx < (int)X509_PURPOSE_COUNT) return xstandard + idx;
 	return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
 }
 
@@ -240,7 +239,7 @@ static void xptable_free(X509_PURPOSE *p)
 
 void X509_PURPOSE_cleanup(void)
 {
-	int i;
+	unsigned int i;
 	sk_X509_PURPOSE_pop_free(xptable, xptable_free);
 	for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
 	xptable = NULL;
@@ -286,7 +285,8 @@ int X509_supported_extension(X509_EXTENSION *ex)
         	NID_key_usage,		/* 83 */
 		NID_subject_alt_name,	/* 85 */
 		NID_basic_constraints,	/* 87 */
-        	NID_ext_key_usage	/* 126 */
+        	NID_ext_key_usage,	/* 126 */
+		NID_proxyCertInfo	/* 661 */
 	};
 
 	int ex_nid;
@@ -307,6 +307,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
 static void x509v3_cache_extensions(X509 *x)
 {
 	BASIC_CONSTRAINTS *bs;
+	PROXY_CERT_INFO_EXTENSION *pci;
 	ASN1_BIT_STRING *usage;
 	ASN1_BIT_STRING *ns;
 	EXTENDED_KEY_USAGE *extusage;
@@ -335,6 +336,20 @@ static void x509v3_cache_extensions(X509 *x)
 		BASIC_CONSTRAINTS_free(bs);
 		x->ex_flags |= EXFLAG_BCONS;
 	}
+	/* Handle proxy certificates */
+	if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
+		if (x->ex_flags & EXFLAG_CA
+		    || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
+		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
+			x->ex_flags |= EXFLAG_INVALID;
+		}
+		if (pci->pcPathLengthConstraint) {
+			x->ex_pcpathlen =
+				ASN1_INTEGER_get(pci->pcPathLengthConstraint);
+		} else x->ex_pcpathlen = -1;
+		PROXY_CERT_INFO_EXTENSION_free(pci);
+		x->ex_flags |= EXFLAG_PROXY;
+	}
 	/* Handle key usage */
 	if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
 		if(usage->length > 0) {
@@ -426,7 +441,7 @@ static void x509v3_cache_extensions(X509 *x)
 #define ns_reject(x, usage) \
 	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
 
-static int ca_check(const X509 *x)
+static int check_ca(const X509 *x)
 {
 	/* keyUsage if present should allow cert signing */
 	if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
@@ -435,25 +450,37 @@ static int ca_check(const X509 *x)
 		/* If basicConstraints says not a CA then say so */
 		else return 0;
 	} else {
+		/* we support V1 roots for...  uh, I don't really know why. */
 		if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
 		/* If key usage present it must have certSign so tolerate it */
 		else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
-		else return 2;
+		/* Older certificates could have Netscape-specific CA types */
+		else if (x->ex_flags & EXFLAG_NSCERT
+			 && x->ex_nscert & NS_ANY_CA) return 5;
+		/* can this still be regarded a CA certificate?  I doubt it */
+		return 0;
 	}
 }
 
+int X509_check_ca(X509 *x)
+{
+	if(!(x->ex_flags & EXFLAG_SET)) {
+		CRYPTO_w_lock(CRYPTO_LOCK_X509);
+		x509v3_cache_extensions(x);
+		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+	}
+
+	return check_ca(x);
+}
+
 /* Check SSL CA: common checks for SSL client and server */
 static int check_ssl_ca(const X509 *x)
 {
 	int ca_ret;
-	ca_ret = ca_check(x);
+	ca_ret = check_ca(x);
 	if(!ca_ret) return 0;
 	/* check nsCertType if present */
-	if(x->ex_flags & EXFLAG_NSCERT) {
-		if(x->ex_nscert & NS_SSL_CA) return ca_ret;
-		return 0;
-	}
-	if(ca_ret != 2) return ca_ret;
+	if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
 	else return 0;
 }
 
@@ -498,14 +525,10 @@ static int purpose_smime(const X509 *x, int ca)
 	if(xku_reject(x,XKU_SMIME)) return 0;
 	if(ca) {
 		int ca_ret;
-		ca_ret = ca_check(x);
+		ca_ret = check_ca(x);
 		if(!ca_ret) return 0;
 		/* check nsCertType if present */
-		if(x->ex_flags & EXFLAG_NSCERT) {
-			if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
-			return 0;
-		}
-		if(ca_ret != 2) return ca_ret;
+		if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
 		else return 0;
 	}
 	if(x->ex_flags & EXFLAG_NSCERT) {
@@ -539,7 +562,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
 	if(ca) {
 		int ca_ret;
-		if((ca_ret = ca_check(x)) != 2) return ca_ret;
+		if((ca_ret = check_ca(x)) != 2) return ca_ret;
 		else return 0;
 	}
 	if(ku_reject(x, KU_CRL_SIGN)) return 0;
@@ -552,17 +575,9 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
 
 static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
-	/* Must be a valid CA */
-	if(ca) {
-		int ca_ret;
-		ca_ret = ca_check(x);
-		if(ca_ret != 2) return ca_ret;
-		if(x->ex_flags & EXFLAG_NSCERT) {
-			if(x->ex_nscert & NS_ANY_CA) return ca_ret;
-			return 0;
-		}
-		return 0;
-	}
+	/* Must be a valid CA.  Should we really support the "I don't know"
+	   value (2)? */
+	if(ca) return check_ca(x);
 	/* leaf certificate is checked in OCSP_verify() */
 	return 1;
 }
@@ -624,7 +639,13 @@ int X509_check_issued(X509 *issuer, X509 *subject)
 				return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
 		}
 	}
-	if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+	if(subject->ex_flags & EXFLAG_PROXY)
+		{
+		if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
+			return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
+		}
+	else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
+		return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
 	return X509_V_OK;
 }
 
diff --git a/crypto/openssl/crypto/x509v3/v3_skey.c b/crypto/openssl/crypto/x509v3/v3_skey.c
index c0f044ac1b98..b17a72d46ce2 100644
--- a/crypto/openssl/crypto/x509v3/v3_skey.c
+++ b/crypto/openssl/crypto/x509v3/v3_skey.c
@@ -109,14 +109,14 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
 	if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str);
 
 	if(!(oct = M_ASN1_OCTET_STRING_new())) {
-		X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
+		X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 
 	if(ctx && (ctx->flags == CTX_TEST)) return oct;
 
 	if(!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
-		X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
+		X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
 		goto err;
 	}
 
@@ -125,14 +125,14 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
 	else pk = ctx->subject_cert->cert_info->key->public_key;
 
 	if(!pk) {
-		X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
+		X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
 		goto err;
 	}
 
 	EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL);
 
 	if(!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
-		X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
+		X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
 		goto err;
 	}
 
diff --git a/crypto/openssl/crypto/x509v3/v3_sxnet.c b/crypto/openssl/crypto/x509v3/v3_sxnet.c
index d3f4ba3a7243..819e2e670dac 100644
--- a/crypto/openssl/crypto/x509v3/v3_sxnet.c
+++ b/crypto/openssl/crypto/x509v3/v3_sxnet.c
@@ -109,7 +109,7 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
 	SXNETID *id;
 	int i;
 	v = ASN1_INTEGER_get(sx->version);
-	BIO_printf(out, "%*sVersion: %d (0x%X)", indent, "", v + 1, v);
+	BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
 	for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
 		id = sk_SXNETID_value(sx->ids, i);
 		tmp = i2s_ASN1_INTEGER(NULL, id->zone);
@@ -154,7 +154,7 @@ int SXNET_add_id_asc(SXNET **psx, char *zone, char *user,
 {
 	ASN1_INTEGER *izone = NULL;
 	if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
-		X509V3err(X509V3_F_SXNET_ADD_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
+		X509V3err(X509V3_F_SXNET_ADD_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
 		return 0;
 	}
 	return SXNET_add_id_INTEGER(psx, izone, user, userlen);
diff --git a/crypto/openssl/crypto/x509v3/v3_utl.c b/crypto/openssl/crypto/x509v3/v3_utl.c
index 34ac2998defe..7911c4bdaf3f 100644
--- a/crypto/openssl/crypto/x509v3/v3_utl.c
+++ b/crypto/openssl/crypto/x509v3/v3_utl.c
@@ -1,9 +1,9 @@
 /* v3_utl.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -63,6 +63,7 @@
 #include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
+#include <openssl/bn.h>
 
 static char *strip_spaces(char *name);
 static int sk_strcmp(const char * const *a, const char * const *b);
@@ -70,6 +71,12 @@ static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens);
 static void str_free(void *str);
 static int append_ia5(STACK **sk, ASN1_IA5STRING *email);
 
+static int a2i_ipadd(unsigned char *ipout, const char *ipasc);
+static int ipv4_from_asc(unsigned char *v4, const char *in);
+static int ipv6_from_asc(unsigned char *v6, const char *in);
+static int ipv6_cb(const char *elem, int len, void *usr);
+static int ipv6_hex(unsigned char *out, const char *in, int inlen);
+
 /* Add a CONF_VALUE name value pair to stack */
 
 int X509V3_add_value(const char *name, const char *value,
@@ -156,11 +163,11 @@ ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
 	ASN1_INTEGER *aint;
 	int isneg, ishex;
 	int ret;
-	bn = BN_new();
 	if (!value) {
 		X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_INVALID_NULL_VALUE);
 		return 0;
 	}
+	bn = BN_new();
 	if (value[0] == '-') {
 		value++;
 		isneg = 1;
@@ -174,7 +181,8 @@ ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
 	if (ishex) ret = BN_hex2bn(&bn, value);
 	else ret = BN_dec2bn(&bn, value);
 
-	if (!ret) {
+	if (!ret || value[ret]) {
+		BN_free(bn);
 		X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_DEC2BN_ERROR);
 		return 0;
 	}
@@ -533,3 +541,305 @@ void X509_email_free(STACK *sk)
 {
 	sk_pop_free(sk, str_free);
 }
+
+/* Convert IP addresses both IPv4 and IPv6 into an 
+ * OCTET STRING compatible with RFC3280.
+ */
+
+ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
+	{
+	unsigned char ipout[16];
+	ASN1_OCTET_STRING *ret;
+	int iplen;
+
+	/* If string contains a ':' assume IPv6 */
+
+	iplen = a2i_ipadd(ipout, ipasc);
+
+	if (!iplen)
+		return NULL;
+
+	ret = ASN1_OCTET_STRING_new();
+	if (!ret)
+		return NULL;
+	if (!ASN1_OCTET_STRING_set(ret, ipout, iplen))
+		{
+		ASN1_OCTET_STRING_free(ret);
+		return NULL;
+		}
+	return ret;
+	}
+
+ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
+	{
+	ASN1_OCTET_STRING *ret = NULL;
+	unsigned char ipout[32];
+	char *iptmp = NULL, *p;
+	int iplen1, iplen2;
+	p = strchr(ipasc,'/');
+	if (!p)
+		return NULL;
+	iptmp = BUF_strdup(ipasc);
+	if (!iptmp)
+		return NULL;
+	p = iptmp + (p - ipasc);
+	*p++ = 0;
+
+	iplen1 = a2i_ipadd(ipout, iptmp);
+
+	if (!iplen1)
+		goto err;
+
+	iplen2 = a2i_ipadd(ipout + iplen1, p);
+
+	OPENSSL_free(iptmp);
+	iptmp = NULL;
+
+	if (!iplen2 || (iplen1 != iplen2))
+		goto err;
+
+	ret = ASN1_OCTET_STRING_new();
+	if (!ret)
+		goto err;
+	if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
+		goto err;
+
+	return ret;
+
+	err:
+	if (iptmp)
+		OPENSSL_free(iptmp);
+	if (ret)
+		ASN1_OCTET_STRING_free(ret);
+	return NULL;
+	}
+	
+
+static int a2i_ipadd(unsigned char *ipout, const char *ipasc)
+	{
+	/* If string contains a ':' assume IPv6 */
+
+	if (strchr(ipasc, ':'))
+		{
+		if (!ipv6_from_asc(ipout, ipasc))
+			return 0;
+		return 16;
+		}
+	else
+		{
+		if (!ipv4_from_asc(ipout, ipasc))
+			return 0;
+		return 4;
+		}
+	}
+
+static int ipv4_from_asc(unsigned char *v4, const char *in)
+	{
+	int a0, a1, a2, a3;
+	if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
+		return 0;
+	if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
+		|| (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
+		return 0;
+	v4[0] = a0;
+	v4[1] = a1;
+	v4[2] = a2;
+	v4[3] = a3;
+	return 1;
+	}
+
+typedef struct {
+		/* Temporary store for IPV6 output */
+		unsigned char tmp[16];
+		/* Total number of bytes in tmp */
+		int total;
+		/* The position of a zero (corresponding to '::') */
+		int zero_pos;
+		/* Number of zeroes */
+		int zero_cnt;
+	} IPV6_STAT;
+
+
+static int ipv6_from_asc(unsigned char *v6, const char *in)
+	{
+	IPV6_STAT v6stat;
+	v6stat.total = 0;
+	v6stat.zero_pos = -1;
+	v6stat.zero_cnt = 0;
+	/* Treat the IPv6 representation as a list of values
+	 * separated by ':'. The presence of a '::' will parse
+ 	 * as one, two or three zero length elements.
+	 */
+	if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
+		return 0;
+
+	/* Now for some sanity checks */
+
+	if (v6stat.zero_pos == -1)
+		{
+		/* If no '::' must have exactly 16 bytes */
+		if (v6stat.total != 16)
+			return 0;
+		}
+	else 
+		{
+		/* If '::' must have less than 16 bytes */
+		if (v6stat.total == 16)
+			return 0;
+		/* More than three zeroes is an error */
+		if (v6stat.zero_cnt > 3)
+			return 0;
+		/* Can only have three zeroes if nothing else present */
+		else if (v6stat.zero_cnt == 3)
+			{
+			if (v6stat.total > 0)
+				return 0;
+			}
+		/* Can only have two zeroes if at start or end */
+		else if (v6stat.zero_cnt == 2)
+			{
+			if ((v6stat.zero_pos != 0)
+				&& (v6stat.zero_pos != v6stat.total))
+				return 0;
+			}
+		else 
+		/* Can only have one zero if *not* start or end */
+			{
+			if ((v6stat.zero_pos == 0)
+				|| (v6stat.zero_pos == v6stat.total))
+				return 0;
+			}
+		}
+
+	/* Format result */
+
+	/* Copy initial part */
+	if (v6stat.zero_pos > 0)
+		memcpy(v6, v6stat.tmp, v6stat.zero_pos);
+	/* Zero middle */
+	if (v6stat.total != 16)
+		memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
+	/* Copy final part */
+	if (v6stat.total != v6stat.zero_pos)
+		memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
+			v6stat.tmp + v6stat.zero_pos,
+			v6stat.total - v6stat.zero_pos);
+
+	return 1;
+	}
+
+static int ipv6_cb(const char *elem, int len, void *usr)
+	{
+	IPV6_STAT *s = usr;
+	/* Error if 16 bytes written */
+	if (s->total == 16)
+		return 0;
+	if (len == 0)
+		{
+		/* Zero length element, corresponds to '::' */
+		if (s->zero_pos == -1)
+			s->zero_pos = s->total;
+		/* If we've already got a :: its an error */
+		else if (s->zero_pos != s->total)
+			return 0;
+		s->zero_cnt++;
+		}
+	else 
+		{
+		/* If more than 4 characters could be final a.b.c.d form */
+		if (len > 4)
+			{
+			/* Need at least 4 bytes left */
+			if (s->total > 12)
+				return 0;
+			/* Must be end of string */
+			if (elem[len])
+				return 0;
+			if (!ipv4_from_asc(s->tmp + s->total, elem))
+				return 0;
+			s->total += 4;
+			}
+		else
+			{
+			if (!ipv6_hex(s->tmp + s->total, elem, len))
+				return 0;
+			s->total += 2;
+			}
+		}
+	return 1;
+	}
+
+/* Convert a string of up to 4 hex digits into the corresponding
+ * IPv6 form.
+ */
+
+static int ipv6_hex(unsigned char *out, const char *in, int inlen)
+	{
+	unsigned char c;
+	unsigned int num = 0;
+	if (inlen > 4)
+		return 0;
+	while(inlen--)
+		{
+		c = *in++;
+		num <<= 4;
+		if ((c >= '0') && (c <= '9'))
+			num |= c - '0';
+		else if ((c >= 'A') && (c <= 'F'))
+			num |= c - 'A' + 10;
+		else if ((c >= 'a') && (c <= 'f'))
+			num |=  c - 'a' + 10;
+		else
+			return 0;
+		}
+	out[0] = num >> 8;
+	out[1] = num & 0xff;
+	return 1;
+	}
+
+
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+						unsigned long chtype)
+	{
+	CONF_VALUE *v;
+	int i, mval;
+	char *p, *type;
+	if (!nm)
+		return 0;
+
+	for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
+		{
+		v=sk_CONF_VALUE_value(dn_sk,i);
+		type=v->name;
+		/* Skip past any leading X. X: X, etc to allow for
+		 * multiple instances 
+		 */
+		for(p = type; *p ; p++) 
+#ifndef CHARSET_EBCDIC
+			if ((*p == ':') || (*p == ',') || (*p == '.'))
+#else
+			if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.']))
+#endif
+				{
+				p++;
+				if(*p) type = p;
+				break;
+				}
+#ifndef CHARSET_EBCDIC
+		if (*type == '+')
+#else
+		if (*type == os_toascii['+'])
+#endif
+			{
+			mval = -1;
+			type++;
+			}
+		else
+			mval = 0;
+		if (!X509_NAME_add_entry_by_txt(nm,type, chtype,
+				(unsigned char *) v->value,-1,-1,mval))
+					return 0;
+
+		}
+	return 1;
+	}
diff --git a/crypto/openssl/crypto/x509v3/v3err.c b/crypto/openssl/crypto/x509v3/v3err.c
index 6458e95bb918..451645f1f3a0 100644
--- a/crypto/openssl/crypto/x509v3/v3err.c
+++ b/crypto/openssl/crypto/x509v3/v3err.c
@@ -1,6 +1,6 @@
 /* crypto/x509v3/v3err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,102 +64,133 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason)
+
 static ERR_STRING_DATA X509V3_str_functs[]=
 	{
-{ERR_PACK(0,X509V3_F_COPY_EMAIL,0),	"COPY_EMAIL"},
-{ERR_PACK(0,X509V3_F_COPY_ISSUER,0),	"COPY_ISSUER"},
-{ERR_PACK(0,X509V3_F_DO_EXT_CONF,0),	"DO_EXT_CONF"},
-{ERR_PACK(0,X509V3_F_DO_EXT_I2D,0),	"DO_EXT_I2D"},
-{ERR_PACK(0,X509V3_F_HEX_TO_STRING,0),	"hex_to_string"},
-{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),	"i2s_ASN1_ENUMERATED"},
-{ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0),	"i2s_ASN1_INTEGER"},
-{ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0),	"I2V_AUTHORITY_INFO_ACCESS"},
-{ERR_PACK(0,X509V3_F_NOTICE_SECTION,0),	"NOTICE_SECTION"},
-{ERR_PACK(0,X509V3_F_NREF_NOS,0),	"NREF_NOS"},
-{ERR_PACK(0,X509V3_F_POLICY_SECTION,0),	"POLICY_SECTION"},
-{ERR_PACK(0,X509V3_F_R2I_CERTPOL,0),	"R2I_CERTPOL"},
-{ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),	"S2I_ASN1_IA5STRING"},
-{ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0),	"s2i_ASN1_INTEGER"},
-{ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0),	"s2i_ASN1_OCTET_STRING"},
-{ERR_PACK(0,X509V3_F_S2I_ASN1_SKEY_ID,0),	"S2I_ASN1_SKEY_ID"},
-{ERR_PACK(0,X509V3_F_S2I_S2I_SKEY_ID,0),	"S2I_S2I_SKEY_ID"},
-{ERR_PACK(0,X509V3_F_STRING_TO_HEX,0),	"string_to_hex"},
-{ERR_PACK(0,X509V3_F_SXNET_ADD_ASC,0),	"SXNET_ADD_ASC"},
-{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_INTEGER,0),	"SXNET_add_id_INTEGER"},
-{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_ULONG,0),	"SXNET_add_id_ulong"},
-{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ASC,0),	"SXNET_get_id_asc"},
-{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ULONG,0),	"SXNET_get_id_ulong"},
-{ERR_PACK(0,X509V3_F_V2I_ACCESS_DESCRIPTION,0),	"V2I_ACCESS_DESCRIPTION"},
-{ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0),	"V2I_ASN1_BIT_STRING"},
-{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0),	"V2I_AUTHORITY_KEYID"},
-{ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0),	"V2I_BASIC_CONSTRAINTS"},
-{ERR_PACK(0,X509V3_F_V2I_CRLD,0),	"V2I_CRLD"},
-{ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),	"V2I_EXT_KU"},
-{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),	"v2i_GENERAL_NAME"},
-{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),	"v2i_GENERAL_NAMES"},
-{ERR_PACK(0,X509V3_F_V3_GENERIC_EXTENSION,0),	"V3_GENERIC_EXTENSION"},
-{ERR_PACK(0,X509V3_F_X509V3_ADD_I2D,0),	"X509V3_ADD_I2D"},
-{ERR_PACK(0,X509V3_F_X509V3_ADD_VALUE,0),	"X509V3_add_value"},
-{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD,0),	"X509V3_EXT_add"},
-{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD_ALIAS,0),	"X509V3_EXT_add_alias"},
-{ERR_PACK(0,X509V3_F_X509V3_EXT_CONF,0),	"X509V3_EXT_conf"},
-{ERR_PACK(0,X509V3_F_X509V3_EXT_I2D,0),	"X509V3_EXT_i2d"},
-{ERR_PACK(0,X509V3_F_X509V3_GET_VALUE_BOOL,0),	"X509V3_get_value_bool"},
-{ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0),	"X509V3_parse_list"},
-{ERR_PACK(0,X509V3_F_X509_PURPOSE_ADD,0),	"X509_PURPOSE_add"},
-{ERR_PACK(0,X509V3_F_X509_PURPOSE_SET,0),	"X509_PURPOSE_set"},
+{ERR_FUNC(X509V3_F_COPY_EMAIL),	"COPY_EMAIL"},
+{ERR_FUNC(X509V3_F_COPY_ISSUER),	"COPY_ISSUER"},
+{ERR_FUNC(X509V3_F_DO_DIRNAME),	"DO_DIRNAME"},
+{ERR_FUNC(X509V3_F_DO_EXT_CONF),	"DO_EXT_CONF"},
+{ERR_FUNC(X509V3_F_DO_EXT_I2D),	"DO_EXT_I2D"},
+{ERR_FUNC(X509V3_F_DO_EXT_NCONF),	"DO_EXT_NCONF"},
+{ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS),	"DO_I2V_NAME_CONSTRAINTS"},
+{ERR_FUNC(X509V3_F_HEX_TO_STRING),	"hex_to_string"},
+{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED),	"i2s_ASN1_ENUMERATED"},
+{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING),	"I2S_ASN1_IA5STRING"},
+{ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER),	"i2s_ASN1_INTEGER"},
+{ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS),	"I2V_AUTHORITY_INFO_ACCESS"},
+{ERR_FUNC(X509V3_F_NOTICE_SECTION),	"NOTICE_SECTION"},
+{ERR_FUNC(X509V3_F_NREF_NOS),	"NREF_NOS"},
+{ERR_FUNC(X509V3_F_POLICY_SECTION),	"POLICY_SECTION"},
+{ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE),	"PROCESS_PCI_VALUE"},
+{ERR_FUNC(X509V3_F_R2I_CERTPOL),	"R2I_CERTPOL"},
+{ERR_FUNC(X509V3_F_R2I_PCI),	"R2I_PCI"},
+{ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING),	"S2I_ASN1_IA5STRING"},
+{ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER),	"s2i_ASN1_INTEGER"},
+{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING),	"s2i_ASN1_OCTET_STRING"},
+{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID),	"S2I_ASN1_SKEY_ID"},
+{ERR_FUNC(X509V3_F_S2I_SKEY_ID),	"S2I_SKEY_ID"},
+{ERR_FUNC(X509V3_F_STRING_TO_HEX),	"string_to_hex"},
+{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC),	"SXNET_ADD_ID_ASC"},
+{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER),	"SXNET_add_id_INTEGER"},
+{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG),	"SXNET_add_id_ulong"},
+{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC),	"SXNET_get_id_asc"},
+{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG),	"SXNET_get_id_ulong"},
+{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING),	"V2I_ASN1_BIT_STRING"},
+{ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS),	"V2I_AUTHORITY_INFO_ACCESS"},
+{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID),	"V2I_AUTHORITY_KEYID"},
+{ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS),	"V2I_BASIC_CONSTRAINTS"},
+{ERR_FUNC(X509V3_F_V2I_CRLD),	"V2I_CRLD"},
+{ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE),	"V2I_EXTENDED_KEY_USAGE"},
+{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES),	"v2i_GENERAL_NAMES"},
+{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX),	"v2i_GENERAL_NAME_ex"},
+{ERR_FUNC(X509V3_F_V2I_ISSUER_ALT),	"V2I_ISSUER_ALT"},
+{ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS),	"V2I_NAME_CONSTRAINTS"},
+{ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS),	"V2I_POLICY_CONSTRAINTS"},
+{ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS),	"V2I_POLICY_MAPPINGS"},
+{ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT),	"V2I_SUBJECT_ALT"},
+{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION),	"V3_GENERIC_EXTENSION"},
+{ERR_FUNC(X509V3_F_X509V3_ADD1_I2D),	"X509V3_add1_i2d"},
+{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE),	"X509V3_add_value"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_ADD),	"X509V3_EXT_add"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS),	"X509V3_EXT_add_alias"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_CONF),	"X509V3_EXT_conf"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_I2D),	"X509V3_EXT_i2d"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_NCONF),	"X509V3_EXT_nconf"},
+{ERR_FUNC(X509V3_F_X509V3_GET_SECTION),	"X509V3_GET_SECTION"},
+{ERR_FUNC(X509V3_F_X509V3_GET_STRING),	"X509V3_get_string"},
+{ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL),	"X509V3_get_value_bool"},
+{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST),	"X509V3_PARSE_LIST"},
+{ERR_FUNC(X509V3_F_X509_PURPOSE_ADD),	"X509_PURPOSE_add"},
+{ERR_FUNC(X509V3_F_X509_PURPOSE_SET),	"X509_PURPOSE_set"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA X509V3_str_reasons[]=
 	{
-{X509V3_R_BAD_IP_ADDRESS                 ,"bad ip address"},
-{X509V3_R_BAD_OBJECT                     ,"bad object"},
-{X509V3_R_BN_DEC2BN_ERROR                ,"bn dec2bn error"},
-{X509V3_R_BN_TO_ASN1_INTEGER_ERROR       ,"bn to asn1 integer error"},
-{X509V3_R_DUPLICATE_ZONE_ID              ,"duplicate zone id"},
-{X509V3_R_ERROR_CONVERTING_ZONE          ,"error converting zone"},
-{X509V3_R_ERROR_CREATING_EXTENSION       ,"error creating extension"},
-{X509V3_R_ERROR_IN_EXTENSION             ,"error in extension"},
-{X509V3_R_EXPECTED_A_SECTION_NAME        ,"expected a section name"},
-{X509V3_R_EXTENSION_EXISTS               ,"extension exists"},
-{X509V3_R_EXTENSION_NAME_ERROR           ,"extension name error"},
-{X509V3_R_EXTENSION_NOT_FOUND            ,"extension not found"},
-{X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
-{X509V3_R_EXTENSION_VALUE_ERROR          ,"extension value error"},
-{X509V3_R_ILLEGAL_HEX_DIGIT              ,"illegal hex digit"},
-{X509V3_R_INVALID_BOOLEAN_STRING         ,"invalid boolean string"},
-{X509V3_R_INVALID_EXTENSION_STRING       ,"invalid extension string"},
-{X509V3_R_INVALID_NAME                   ,"invalid name"},
-{X509V3_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
-{X509V3_R_INVALID_NULL_NAME              ,"invalid null name"},
-{X509V3_R_INVALID_NULL_VALUE             ,"invalid null value"},
-{X509V3_R_INVALID_NUMBER                 ,"invalid number"},
-{X509V3_R_INVALID_NUMBERS                ,"invalid numbers"},
-{X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
-{X509V3_R_INVALID_OPTION                 ,"invalid option"},
-{X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
-{X509V3_R_INVALID_PURPOSE                ,"invalid purpose"},
-{X509V3_R_INVALID_SECTION                ,"invalid section"},
-{X509V3_R_INVALID_SYNTAX                 ,"invalid syntax"},
-{X509V3_R_ISSUER_DECODE_ERROR            ,"issuer decode error"},
-{X509V3_R_MISSING_VALUE                  ,"missing value"},
-{X509V3_R_NEED_ORGANIZATION_AND_NUMBERS  ,"need organization and numbers"},
-{X509V3_R_NO_CONFIG_DATABASE             ,"no config database"},
-{X509V3_R_NO_ISSUER_CERTIFICATE          ,"no issuer certificate"},
-{X509V3_R_NO_ISSUER_DETAILS              ,"no issuer details"},
-{X509V3_R_NO_POLICY_IDENTIFIER           ,"no policy identifier"},
-{X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
-{X509V3_R_NO_SUBJECT_DETAILS             ,"no subject details"},
-{X509V3_R_ODD_NUMBER_OF_DIGITS           ,"odd number of digits"},
-{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS   ,"unable to get issuer details"},
-{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID     ,"unable to get issuer keyid"},
-{X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT    ,"unknown bit string argument"},
-{X509V3_R_UNKNOWN_EXTENSION              ,"unknown extension"},
-{X509V3_R_UNKNOWN_EXTENSION_NAME         ,"unknown extension name"},
-{X509V3_R_UNKNOWN_OPTION                 ,"unknown option"},
-{X509V3_R_UNSUPPORTED_OPTION             ,"unsupported option"},
-{X509V3_R_USER_TOO_LONG                  ,"user too long"},
+{ERR_REASON(X509V3_R_BAD_IP_ADDRESS)     ,"bad ip address"},
+{ERR_REASON(X509V3_R_BAD_OBJECT)         ,"bad object"},
+{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR)    ,"bn dec2bn error"},
+{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"},
+{ERR_REASON(X509V3_R_DIRNAME_ERROR)      ,"dirname error"},
+{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID)  ,"duplicate zone id"},
+{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"},
+{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"},
+{ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) ,"error in extension"},
+{ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME),"expected a section name"},
+{ERR_REASON(X509V3_R_EXTENSION_EXISTS)   ,"extension exists"},
+{ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR),"extension name error"},
+{ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND),"extension not found"},
+{ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED),"extension setting not supported"},
+{ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR),"extension value error"},
+{ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"},
+{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT)  ,"illegal hex digit"},
+{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"},
+{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"},
+{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"},
+{ERR_REASON(X509V3_R_INVALID_NAME)       ,"invalid name"},
+{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"},
+{ERR_REASON(X509V3_R_INVALID_NULL_NAME)  ,"invalid null name"},
+{ERR_REASON(X509V3_R_INVALID_NULL_VALUE) ,"invalid null value"},
+{ERR_REASON(X509V3_R_INVALID_NUMBER)     ,"invalid number"},
+{ERR_REASON(X509V3_R_INVALID_NUMBERS)    ,"invalid numbers"},
+{ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER),"invalid object identifier"},
+{ERR_REASON(X509V3_R_INVALID_OPTION)     ,"invalid option"},
+{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"},
+{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"},
+{ERR_REASON(X509V3_R_INVALID_PURPOSE)    ,"invalid purpose"},
+{ERR_REASON(X509V3_R_INVALID_SECTION)    ,"invalid section"},
+{ERR_REASON(X509V3_R_INVALID_SYNTAX)     ,"invalid syntax"},
+{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"},
+{ERR_REASON(X509V3_R_MISSING_VALUE)      ,"missing value"},
+{ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS),"need organization and numbers"},
+{ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) ,"no config database"},
+{ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE),"no issuer certificate"},
+{ERR_REASON(X509V3_R_NO_ISSUER_DETAILS)  ,"no issuer details"},
+{ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER),"no policy identifier"},
+{ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED),"no proxy cert policy language defined"},
+{ERR_REASON(X509V3_R_NO_PUBLIC_KEY)      ,"no public key"},
+{ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) ,"no subject details"},
+{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"},
+{ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED),"operation not defined"},
+{ERR_REASON(X509V3_R_OTHERNAME_ERROR)    ,"othername error"},
+{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED),"policy language alreadty defined"},
+{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"},
+{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED),"policy path length alreadty defined"},
+{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"},
+{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"},
+{ERR_REASON(X509V3_R_SECTION_NOT_FOUND)  ,"section not found"},
+{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS),"unable to get issuer details"},
+{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID),"unable to get issuer keyid"},
+{ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT),"unknown bit string argument"},
+{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION)  ,"unknown extension"},
+{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME),"unknown extension name"},
+{ERR_REASON(X509V3_R_UNKNOWN_OPTION)     ,"unknown option"},
+{ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) ,"unsupported option"},
+{ERR_REASON(X509V3_R_USER_TOO_LONG)      ,"user too long"},
 {0,NULL}
 	};
 
@@ -173,8 +204,8 @@ void ERR_load_X509V3_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_X509V3,X509V3_str_functs);
-		ERR_load_strings(ERR_LIB_X509V3,X509V3_str_reasons);
+		ERR_load_strings(0,X509V3_str_functs);
+		ERR_load_strings(0,X509V3_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/crypto/x509v3/x509v3.h b/crypto/openssl/crypto/x509v3/x509v3.h
index fb07a19016fd..34429828f073 100644
--- a/crypto/openssl/crypto/x509v3/x509v3.h
+++ b/crypto/openssl/crypto/x509v3/x509v3.h
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -74,14 +74,14 @@ struct v3_ext_ctx;
 
 typedef void * (*X509V3_EXT_NEW)(void);
 typedef void (*X509V3_EXT_FREE)(void *);
-typedef void * (*X509V3_EXT_D2I)(void *, unsigned char ** , long);
+typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
 typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
 typedef STACK_OF(CONF_VALUE) * (*X509V3_EXT_I2V)(struct v3_ext_method *method, void *ext, STACK_OF(CONF_VALUE) *extlist);
 typedef void * (*X509V3_EXT_V2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, STACK_OF(CONF_VALUE) *values);
 typedef char * (*X509V3_EXT_I2S)(struct v3_ext_method *method, void *ext);
-typedef void * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
+typedef void * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str);
 typedef int (*X509V3_EXT_I2R)(struct v3_ext_method *method, void *ext, BIO *out, int indent);
-typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
+typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str);
 
 /* V3 extension structure */
 
@@ -132,7 +132,6 @@ void *db;
 };
 
 typedef struct v3_ext_method X509V3_EXT_METHOD;
-typedef struct v3_ext_ctx X509V3_CTX;
 
 DECLARE_STACK_OF(X509V3_EXT_METHOD)
 
@@ -287,6 +286,50 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
 DECLARE_STACK_OF(POLICYINFO)
 DECLARE_ASN1_SET_OF(POLICYINFO)
 
+typedef struct POLICY_MAPPING_st {
+	ASN1_OBJECT *issuerDomainPolicy;
+	ASN1_OBJECT *subjectDomainPolicy;
+} POLICY_MAPPING;
+
+DECLARE_STACK_OF(POLICY_MAPPING)
+
+typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
+
+typedef struct GENERAL_SUBTREE_st {
+	GENERAL_NAME *base;
+	ASN1_INTEGER *minimum;
+	ASN1_INTEGER *maximum;
+} GENERAL_SUBTREE;
+
+DECLARE_STACK_OF(GENERAL_SUBTREE)
+
+typedef struct NAME_CONSTRAINTS_st {
+	STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
+	STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
+} NAME_CONSTRAINTS;
+
+typedef struct POLICY_CONSTRAINTS_st {
+	ASN1_INTEGER *requireExplicitPolicy;
+	ASN1_INTEGER *inhibitPolicyMapping;
+} POLICY_CONSTRAINTS;
+
+/* Proxy certificate structures, see RFC 3820 */
+typedef struct PROXY_POLICY_st
+	{
+	ASN1_OBJECT *policyLanguage;
+	ASN1_OCTET_STRING *policy;
+	} PROXY_POLICY;
+
+typedef struct PROXY_CERT_INFO_EXTENSION_st
+	{
+	ASN1_INTEGER *pcPathLengthConstraint;
+	PROXY_POLICY *proxyPolicy;
+	} PROXY_CERT_INFO_EXTENSION;
+
+DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
+DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
+
+
 #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
 ",name:", val->name, ",value:", val->value);
 
@@ -325,6 +368,9 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 #define EXFLAG_INVALID		0x80
 #define EXFLAG_SET		0x100
 #define EXFLAG_CRITICAL		0x200
+#define EXFLAG_PROXY		0x400
+
+#define EXFLAG_INVALID_POLICY	0x400
 
 #define KU_DIGITAL_SIGNATURE	0x0080
 #define KU_NON_REPUDIATION	0x0040
@@ -424,6 +470,13 @@ DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
 
 DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
 
+
+ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+				ASN1_BIT_STRING *bits,
+				STACK_OF(CONF_VALUE) *extlist);
+
 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
 int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
 
@@ -456,8 +509,24 @@ DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
 DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
 DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
 
+DECLARE_ASN1_ITEM(POLICY_MAPPING)
+DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
+DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
+
+DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
+DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
+
+DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
+DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
+
+DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
+DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
+
 #ifdef HEADER_CONF_H
-GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf);
+GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+							CONF_VALUE *cnf);
+GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
 void X509V3_conf_free(CONF_VALUE *val);
 
 X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value);
@@ -527,6 +596,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 
 int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
 
+int X509_check_ca(X509 *x);
 int X509_check_purpose(X509 *x, int id, int ca);
 int X509_supported_extension(X509_EXTENSION *ex);
 int X509_PURPOSE_set(int *p, int purpose);
@@ -548,6 +618,12 @@ STACK *X509_get1_email(X509 *x);
 STACK *X509_REQ_get1_email(X509_REQ *x);
 void X509_email_free(STACK *sk);
 
+ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
+ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+						unsigned long chtype);
+
+void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
@@ -560,42 +636,56 @@ void ERR_load_X509V3_strings(void);
 /* Function codes. */
 #define X509V3_F_COPY_EMAIL				 122
 #define X509V3_F_COPY_ISSUER				 123
+#define X509V3_F_DO_DIRNAME				 144
 #define X509V3_F_DO_EXT_CONF				 124
 #define X509V3_F_DO_EXT_I2D				 135
+#define X509V3_F_DO_EXT_NCONF				 151
+#define X509V3_F_DO_I2V_NAME_CONSTRAINTS		 148
 #define X509V3_F_HEX_TO_STRING				 111
 #define X509V3_F_I2S_ASN1_ENUMERATED			 121
+#define X509V3_F_I2S_ASN1_IA5STRING			 149
 #define X509V3_F_I2S_ASN1_INTEGER			 120
 #define X509V3_F_I2V_AUTHORITY_INFO_ACCESS		 138
 #define X509V3_F_NOTICE_SECTION				 132
 #define X509V3_F_NREF_NOS				 133
 #define X509V3_F_POLICY_SECTION				 131
+#define X509V3_F_PROCESS_PCI_VALUE			 150
 #define X509V3_F_R2I_CERTPOL				 130
+#define X509V3_F_R2I_PCI				 155
 #define X509V3_F_S2I_ASN1_IA5STRING			 100
 #define X509V3_F_S2I_ASN1_INTEGER			 108
 #define X509V3_F_S2I_ASN1_OCTET_STRING			 112
 #define X509V3_F_S2I_ASN1_SKEY_ID			 114
-#define X509V3_F_S2I_S2I_SKEY_ID			 115
+#define X509V3_F_S2I_SKEY_ID				 115
 #define X509V3_F_STRING_TO_HEX				 113
-#define X509V3_F_SXNET_ADD_ASC				 125
+#define X509V3_F_SXNET_ADD_ID_ASC			 125
 #define X509V3_F_SXNET_ADD_ID_INTEGER			 126
 #define X509V3_F_SXNET_ADD_ID_ULONG			 127
 #define X509V3_F_SXNET_GET_ID_ASC			 128
 #define X509V3_F_SXNET_GET_ID_ULONG			 129
-#define X509V3_F_V2I_ACCESS_DESCRIPTION			 139
 #define X509V3_F_V2I_ASN1_BIT_STRING			 101
+#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS		 139
 #define X509V3_F_V2I_AUTHORITY_KEYID			 119
 #define X509V3_F_V2I_BASIC_CONSTRAINTS			 102
 #define X509V3_F_V2I_CRLD				 134
-#define X509V3_F_V2I_EXT_KU				 103
-#define X509V3_F_V2I_GENERAL_NAME			 117
+#define X509V3_F_V2I_EXTENDED_KEY_USAGE			 103
 #define X509V3_F_V2I_GENERAL_NAMES			 118
+#define X509V3_F_V2I_GENERAL_NAME_EX			 117
+#define X509V3_F_V2I_ISSUER_ALT				 153
+#define X509V3_F_V2I_NAME_CONSTRAINTS			 147
+#define X509V3_F_V2I_POLICY_CONSTRAINTS			 146
+#define X509V3_F_V2I_POLICY_MAPPINGS			 145
+#define X509V3_F_V2I_SUBJECT_ALT			 154
 #define X509V3_F_V3_GENERIC_EXTENSION			 116
-#define X509V3_F_X509V3_ADD_I2D				 140
+#define X509V3_F_X509V3_ADD1_I2D			 140
 #define X509V3_F_X509V3_ADD_VALUE			 105
 #define X509V3_F_X509V3_EXT_ADD				 104
 #define X509V3_F_X509V3_EXT_ADD_ALIAS			 106
 #define X509V3_F_X509V3_EXT_CONF			 107
 #define X509V3_F_X509V3_EXT_I2D				 136
+#define X509V3_F_X509V3_EXT_NCONF			 152
+#define X509V3_F_X509V3_GET_SECTION			 142
+#define X509V3_F_X509V3_GET_STRING			 143
 #define X509V3_F_X509V3_GET_VALUE_BOOL			 110
 #define X509V3_F_X509V3_PARSE_LIST			 109
 #define X509V3_F_X509_PURPOSE_ADD			 137
@@ -606,6 +696,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_BAD_OBJECT				 119
 #define X509V3_R_BN_DEC2BN_ERROR			 100
 #define X509V3_R_BN_TO_ASN1_INTEGER_ERROR		 101
+#define X509V3_R_DIRNAME_ERROR				 149
 #define X509V3_R_DUPLICATE_ZONE_ID			 133
 #define X509V3_R_ERROR_CONVERTING_ZONE			 131
 #define X509V3_R_ERROR_CREATING_EXTENSION		 144
@@ -616,7 +707,9 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_EXTENSION_NOT_FOUND			 102
 #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED	 103
 #define X509V3_R_EXTENSION_VALUE_ERROR			 116
+#define X509V3_R_ILLEGAL_EMPTY_EXTENSION		 151
 #define X509V3_R_ILLEGAL_HEX_DIGIT			 113
+#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG		 152
 #define X509V3_R_INVALID_BOOLEAN_STRING			 104
 #define X509V3_R_INVALID_EXTENSION_STRING		 105
 #define X509V3_R_INVALID_NAME				 106
@@ -628,6 +721,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER		 110
 #define X509V3_R_INVALID_OPTION				 138
 #define X509V3_R_INVALID_POLICY_IDENTIFIER		 134
+#define X509V3_R_INVALID_PROXY_POLICY_SETTING		 153
 #define X509V3_R_INVALID_PURPOSE			 146
 #define X509V3_R_INVALID_SECTION			 135
 #define X509V3_R_INVALID_SYNTAX				 143
@@ -638,9 +732,18 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_NO_ISSUER_CERTIFICATE			 121
 #define X509V3_R_NO_ISSUER_DETAILS			 127
 #define X509V3_R_NO_POLICY_IDENTIFIER			 139
+#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED	 154
 #define X509V3_R_NO_PUBLIC_KEY				 114
 #define X509V3_R_NO_SUBJECT_DETAILS			 125
 #define X509V3_R_ODD_NUMBER_OF_DIGITS			 112
+#define X509V3_R_OPERATION_NOT_DEFINED			 148
+#define X509V3_R_OTHERNAME_ERROR			 147
+#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED	 155
+#define X509V3_R_POLICY_PATH_LENGTH			 156
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED	 157
+#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED	 158
+#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
+#define X509V3_R_SECTION_NOT_FOUND			 150
 #define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS		 122
 #define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID		 123
 #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT		 111
diff --git a/crypto/openssl/crypto/x86_64cpuid.pl b/crypto/openssl/crypto/x86_64cpuid.pl
new file mode 100644
index 000000000000..4d88ad191b37
--- /dev/null
+++ b/crypto/openssl/crypto/x86_64cpuid.pl
@@ -0,0 +1,138 @@
+#!/usr/bin/env perl
+
+$output=shift;
+$win64a=1 if ($output =~ /win64a\.[s|asm]/);
+open STDOUT,">$output" || die "can't open $output: $!";
+
+print<<___ if(defined($win64a));
+_TEXT	SEGMENT
+PUBLIC	OPENSSL_rdtsc
+ALIGN	16
+OPENSSL_rdtsc	PROC
+	rdtsc
+	shl	rdx,32
+	or	rax,rdx
+	ret
+OPENSSL_rdtsc	ENDP
+
+PUBLIC	OPENSSL_atomic_add
+ALIGN	16
+OPENSSL_atomic_add	PROC
+	mov	eax,DWORD PTR[rcx]
+\$Lspin:	lea	r8,DWORD PTR[rdx+rax]
+lock	cmpxchg	DWORD PTR[rcx],r8d
+	jne	\$Lspin
+	mov	eax,r8d
+	cdqe    
+	ret
+OPENSSL_atomic_add	ENDP
+
+PUBLIC	OPENSSL_wipe_cpu
+ALIGN	16
+OPENSSL_wipe_cpu	PROC
+	pxor	xmm0,xmm0
+	pxor	xmm1,xmm1
+	pxor	xmm2,xmm2
+	pxor	xmm3,xmm3
+	pxor	xmm4,xmm4
+	pxor	xmm5,xmm5
+	xor	rcx,rcx
+	xor	rdx,rdx
+	xor	r8,r8
+	xor	r9,r9
+	xor	r10,r10
+	xor	r11,r11
+	lea	rax,QWORD PTR[rsp+8]
+	ret
+OPENSSL_wipe_cpu	ENDP
+
+OPENSSL_ia32_cpuid	PROC
+	mov	r8,rbx
+	mov	eax,1
+	cpuid
+	shl	rcx,32
+	mov	eax,edx
+	mov	rbx,r8
+	or	rax,rcx
+	ret
+OPENSSL_ia32_cpuid	ENDP
+_TEXT	ENDS
+
+CRT\$XIU	SEGMENT
+EXTRN	OPENSSL_cpuid_setup:PROC
+DQ	OPENSSL_cpuid_setup
+CRT\$XIU	ENDS
+END
+___
+print<<___ if(!defined($win64a));
+.text
+.globl	OPENSSL_rdtsc
+.align	16
+OPENSSL_rdtsc:
+	rdtsc
+	shlq	\$32,%rdx
+	orq	%rdx,%rax
+	ret
+.size	OPENSSL_rdtsc,.-OPENSSL_rdtsc
+
+.globl	OPENSSL_atomic_add
+.type	OPENSSL_atomic_add,\@function
+.align	16
+OPENSSL_atomic_add:
+	movl	(%rdi),%eax
+.Lspin:	leaq	(%rsi,%rax),%r8
+lock;	cmpxchgl	%r8d,(%rdi)
+	jne	.Lspin
+	movl	%r8d,%eax
+	.byte	0x48,0x98
+	ret
+.size	OPENSSL_atomic_add,.-OPENSSL_atomic_add
+
+.globl	OPENSSL_wipe_cpu
+.type	OPENSSL_wipe_cpu,\@function
+.align	16
+OPENSSL_wipe_cpu:
+	pxor	%xmm0,%xmm0
+	pxor	%xmm1,%xmm1
+	pxor	%xmm2,%xmm2
+	pxor	%xmm3,%xmm3
+	pxor	%xmm4,%xmm4
+	pxor	%xmm5,%xmm5
+	pxor	%xmm6,%xmm6
+	pxor	%xmm7,%xmm7
+	pxor	%xmm8,%xmm8
+	pxor	%xmm9,%xmm9
+	pxor	%xmm10,%xmm10
+	pxor	%xmm11,%xmm11
+	pxor	%xmm12,%xmm12
+	pxor	%xmm13,%xmm13
+	pxor	%xmm14,%xmm14
+	pxor	%xmm15,%xmm15
+	xorq	%rcx,%rcx
+	xorq	%rdx,%rdx
+	xorq	%rsi,%rsi
+	xorq	%rdi,%rdi
+	xorq	%r8,%r8
+	xorq	%r9,%r9
+	xorq	%r10,%r10
+	xorq	%r11,%r11
+	leaq	8(%rsp),%rax
+	ret
+.size	OPENSSL_wipe_cpu,.-OPENSSL_wipe_cpu
+
+.globl	OPENSSL_ia32_cpuid
+.align	16
+OPENSSL_ia32_cpuid:
+	movq	%rbx,%r8
+	movl	\$1,%eax
+	cpuid
+	shlq	\$32,%rcx
+	movl	%edx,%eax
+	movq	%r8,%rbx
+	orq	%rcx,%rax
+	ret
+.size	OPENSSL_ia32_cpuid,.-OPENSSL_ia32_cpuid
+
+.section	.init
+	call	OPENSSL_cpuid_setup
+___
diff --git a/crypto/openssl/crypto/x86cpuid.pl b/crypto/openssl/crypto/x86cpuid.pl
new file mode 100644
index 000000000000..c53c9bc9980f
--- /dev/null
+++ b/crypto/openssl/crypto/x86cpuid.pl
@@ -0,0 +1,197 @@
+#!/usr/bin/env perl
+
+push(@INC,"perlasm");
+require "x86asm.pl";
+
+&asm_init($ARGV[0],"x86cpuid");
+
+for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+
+&function_begin("OPENSSL_ia32_cpuid");
+	&xor	("edx","edx");
+	&pushf	();
+	&pop	("eax");
+	&mov	("ecx","eax");
+	&xor	("eax",1<<21);
+	&push	("eax");
+	&popf	();
+	&pushf	();
+	&pop	("eax");
+	&xor	("ecx","eax");
+	&bt	("ecx",21);
+	&jnc	(&label("nocpuid"));
+	&mov	("eax",1);
+	&cpuid	();
+&set_label("nocpuid");
+	&mov	("eax","edx");
+	&mov	("edx","ecx");
+&function_end("OPENSSL_ia32_cpuid");
+
+&external_label("OPENSSL_ia32cap_P");
+
+&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
+	&xor	("eax","eax");
+	&xor	("edx","edx");
+	&picmeup("ecx","OPENSSL_ia32cap_P");
+	&bt	(&DWP(0,"ecx"),4);
+	&jnc	(&label("notsc"));
+	&rdtsc	();
+&set_label("notsc");
+	&ret	();
+&function_end_B("OPENSSL_rdtsc");
+
+# This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host],
+# but it's safe to call it on any [supported] 32-bit platform...
+# Just check for [non-]zero return value...
+&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
+	&picmeup("ecx","OPENSSL_ia32cap_P");
+	&bt	(&DWP(0,"ecx"),4);
+	&jnc	(&label("nohalt"));	# no TSC
+
+	&data_word(0x9058900e);		# push %cs; pop %eax
+	&and	("eax",3);
+	&jnz	(&label("nohalt"));	# not enough privileges
+
+	&pushf	();
+	&pop	("eax")
+	&bt	("eax",9);
+	&jnc	(&label("nohalt"));	# interrupts are disabled
+
+	&rdtsc	();
+	&push	("edx");
+	&push	("eax");
+	&halt	();
+	&rdtsc	();
+
+	&sub	("eax",&DWP(0,"esp"));
+	&sbb	("edx",&DWP(4,"esp"));
+	&add	("esp",8);
+	&ret	();
+
+&set_label("nohalt");
+	&xor	("eax","eax");
+	&xor	("edx","edx");
+	&ret	();
+&function_end_B("OPENSSL_instrument_halt");
+
+# Essentially there is only one use for this function. Under DJGPP:
+#
+#	#include <go32.h>
+#	...
+#	i=OPENSSL_far_spin(_dos_ds,0x46c);
+#	...
+# to obtain the number of spins till closest timer interrupt.
+
+&function_begin_B("OPENSSL_far_spin");
+	&pushf	();
+	&pop	("eax")
+	&bt	("eax",9);
+	&jnc	(&label("nospin"));	# interrupts are disabled
+
+	&mov	("eax",&DWP(4,"esp"));
+	&mov	("ecx",&DWP(8,"esp"));
+	&data_word (0x90d88e1e);	# push %ds, mov %eax,%ds
+	&xor	("eax","eax");
+	&mov	("edx",&DWP(0,"ecx"));
+	&jmp	(&label("spin"));
+
+	&align	(16);
+&set_label("spin");
+	&inc	("eax");
+	&cmp	("edx",&DWP(0,"ecx"));
+	&je	(&label("spin"));
+
+	&data_word (0x1f909090);	# pop	%ds
+	&ret	();
+
+&set_label("nospin");
+	&xor	("eax","eax");
+	&xor	("edx","edx");
+	&ret	();
+&function_end_B("OPENSSL_far_spin");
+
+&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
+	&xor	("eax","eax");
+	&xor	("edx","edx");
+	&picmeup("ecx","OPENSSL_ia32cap_P");
+	&mov	("ecx",&DWP(0,"ecx"));
+	&bt	(&DWP(0,"ecx"),1);
+	&jnc	(&label("no_x87"));
+	if ($sse2) {
+		&bt	(&DWP(0,"ecx"),26);
+		&jnc	(&label("no_sse2"));
+		&pxor	("xmm0","xmm0");
+		&pxor	("xmm1","xmm1");
+		&pxor	("xmm2","xmm2");
+		&pxor	("xmm3","xmm3");
+		&pxor	("xmm4","xmm4");
+		&pxor	("xmm5","xmm5");
+		&pxor	("xmm6","xmm6");
+		&pxor	("xmm7","xmm7");
+	&set_label("no_sse2");
+	}
+	# just a bunch of fldz to zap the fp/mm bank followed by finit...
+	&data_word(0xeed9eed9,0xeed9eed9,0xeed9eed9,0xeed9eed9,0x90e3db9b);
+&set_label("no_x87");
+	&lea	("eax",&DWP(4,"esp"));
+	&ret	();
+&function_end_B("OPENSSL_wipe_cpu");
+
+&function_begin_B("OPENSSL_atomic_add");
+	&mov	("edx",&DWP(4,"esp"));	# fetch the pointer, 1st arg
+	&mov	("ecx",&DWP(8,"esp"));	# fetch the increment, 2nd arg
+	&push	("ebx");
+	&nop	();
+	&mov	("eax",&DWP(0,"edx"));
+&set_label("spin");
+	&lea	("ebx",&DWP(0,"eax","ecx"));
+	&nop	();
+	&data_word(0x1ab10ff0);	# lock;	cmpxchg	%ebx,(%edx)	# %eax is envolved and is always reloaded
+	&jne	(&label("spin"));
+	&mov	("eax","ebx");	# OpenSSL expects the new value
+	&pop	("ebx");
+	&ret	();
+&function_end_B("OPENSSL_atomic_add");
+
+# This function can become handy under Win32 in situations when
+# we don't know which calling convention, __stdcall or __cdecl(*),
+# indirect callee is using. In C it can be deployed as
+#
+#ifdef OPENSSL_CPUID_OBJ
+#	type OPENSSL_indirect_call(void *f,...);
+#	...
+#	OPENSSL_indirect_call(func,[up to $max arguments]);
+#endif
+#
+# (*)	it's designed to work even for __fastcall if number of
+#	arguments is 1 or 2!
+&function_begin_B("OPENSSL_indirect_call");
+	{
+	my $i,$max=7;		# $max has to be chosen as 4*n-1
+				# in order to preserve eventual
+				# stack alignment
+	&push	("ebp");
+	&mov	("ebp","esp");
+	&sub	("esp",$max*4);
+	&mov	("ecx",&DWP(12,"ebp"));
+	&mov	(&DWP(0,"esp"),"ecx");
+	&mov	("edx",&DWP(16,"ebp"));
+	&mov	(&DWP(4,"esp"),"edx");
+	for($i=2;$i<$max;$i++)
+		{
+		# Some copies will be redundant/bogus...
+		&mov	("eax",&DWP(12+$i*4,"ebp"));
+		&mov	(&DWP(0+$i*4,"esp"),"eax");
+		}
+	&call_ptr	(&DWP(8,"ebp"));# make the call...
+	&mov	("esp","ebp");	# ... and just restore the stack pointer
+				# without paying attention to what we called,
+				# (__cdecl *func) or (__stdcall *one).
+	&pop	("ebp");
+	&ret	();
+	}
+&function_end_B("OPENSSL_indirect_call");
+
+&initseg("OPENSSL_cpuid_setup");
+
+&asm_finish();
diff --git a/crypto/openssl/demos/easy_tls/easy-tls.c b/crypto/openssl/demos/easy_tls/easy-tls.c
index 9c1d98293960..9cd8314c3e4f 100644
--- a/crypto/openssl/demos/easy_tls/easy-tls.c
+++ b/crypto/openssl/demos/easy_tls/easy-tls.c
@@ -1,7 +1,7 @@
 /* -*- Mode: C; c-file-style: "bsd" -*- */
 /*
  * easy-tls.c -- generic TLS proxy.
- * $Id: easy-tls.c,v 1.2.2.2 2002/03/05 09:06:57 bodo Exp $
+ * $Id: easy-tls.c,v 1.4 2002/03/05 09:07:16 bodo Exp $
  */
 /*
  (c) Copyright 1999 Bodo Moeller.  All rights reserved.
@@ -73,7 +73,7 @@
  */
 
 static char const rcsid[] =
-"$Id: easy-tls.c,v 1.2.2.2 2002/03/05 09:06:57 bodo Exp $";
+"$Id: easy-tls.c,v 1.4 2002/03/05 09:07:16 bodo Exp $";
 
 #include <assert.h>
 #include <errno.h>
diff --git a/crypto/openssl/demos/engines/zencod/hw_zencod.c b/crypto/openssl/demos/engines/zencod/hw_zencod.c
index 29206b4a2978..4234b93cbe7c 100644
--- a/crypto/openssl/demos/engines/zencod/hw_zencod.c
+++ b/crypto/openssl/demos/engines/zencod/hw_zencod.c
@@ -1233,7 +1233,7 @@ static const EVP_MD engine_sha1_md =
 	SHA_CBLOCK,
 	/* sizeof ( EVP_MD * ) + sizeof ( SHA_CTX ) */
 	sizeof ( ZEN_MD_DATA )
-	/* sizeof ( MD_CTX_DATA )	The message digest data stucture ... */
+	/* sizeof ( MD_CTX_DATA )	The message digest data structure ... */
 } ;
 
 /* The one for MD5 ... */
@@ -1254,7 +1254,7 @@ static const EVP_MD engine_md5_md =
 	MD5_CBLOCK,
 	/* sizeof ( EVP_MD * ) + sizeof ( MD5_CTX ) */
 	sizeof ( ZEN_MD_DATA )
-	/* sizeof ( MD_CTX_DATA )	The message digest data stucture ... */
+	/* sizeof ( MD_CTX_DATA )	The message digest data structure ... */
 } ;
 
 
diff --git a/crypto/openssl/demos/ssltest-ecc/ECC-RSAcertgen.sh b/crypto/openssl/demos/ssltest-ecc/ECC-RSAcertgen.sh
new file mode 100755
index 000000000000..b31a4f1ee079
--- /dev/null
+++ b/crypto/openssl/demos/ssltest-ecc/ECC-RSAcertgen.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+# For a list of supported curves, use "apps/openssl ecparam -list_curves".
+
+# Path to the openssl distribution
+OPENSSL_DIR=../..
+# Path to the openssl program
+OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
+# Option to find configuration file
+OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"
+# Directory where certificates are stored
+CERTS_DIR=./Certs
+# Directory where private key files are stored
+KEYS_DIR=$CERTS_DIR
+# Directory where combo files (containing a certificate and corresponding
+# private key together) are stored
+COMBO_DIR=$CERTS_DIR
+# cat command
+CAT=/bin/cat
+# rm command
+RM=/bin/rm
+# mkdir command
+MKDIR=/bin/mkdir
+# The certificate will expire these many days after the issue date.
+DAYS=1500
+TEST_CA_FILE=rsa1024TestCA
+
+TEST_SERVER_CURVE=sect163r1
+TEST_SERVER_FILE=sect163r1-rsaTestServer
+TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (sect163r1 key signed with RSA)"
+
+TEST_CLIENT_CURVE=sect163r1
+TEST_CLIENT_FILE=sect163r1-rsaTestClient
+TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (sect163r1 key signed with RSA)"
+
+# Generating an EC certificate involves the following main steps
+# 1. Generating curve parameters (if needed)
+# 2. Generating a certificate request
+# 3. Signing the certificate request 
+# 4. [Optional] One can combine the cert and private key into a single
+#    file and also delete the certificate request
+
+$MKDIR -p $CERTS_DIR
+$MKDIR -p $KEYS_DIR
+$MKDIR -p $COMBO_DIR
+
+echo "GENERATING A TEST SERVER CERTIFICATE (ECC key signed with RSA)"
+echo "=============================================================="
+$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem
+
+$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
+    -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
+    -newkey ec:$TEST_SERVER_CURVE.pem -new \
+    -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
+
+$OPENSSL_CMD x509 -req -days $DAYS \
+    -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
+    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
+    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
+    -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
+
+# Display the certificate 
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
+
+# Place the certificate and key in a common file
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
+	 > $COMBO_DIR/$TEST_SERVER_FILE.pem
+$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
+
+# Remove the cert request file (no longer needed)
+$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
+
+echo "GENERATING A TEST CLIENT CERTIFICATE (ECC key signed with RSA)"
+echo "=============================================================="
+$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem
+
+$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
+	     -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
+	     -newkey ec:$TEST_CLIENT_CURVE.pem -new \
+	     -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
+
+$OPENSSL_CMD x509 -req -days $DAYS \
+    -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
+    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
+    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
+    -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
+
+# Display the certificate 
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
+
+# Place the certificate and key in a common file
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
+	 > $COMBO_DIR/$TEST_CLIENT_FILE.pem
+$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
+
+# Remove the cert request file (no longer needed)
+$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
+
diff --git a/crypto/openssl/demos/ssltest-ecc/ECCcertgen.sh b/crypto/openssl/demos/ssltest-ecc/ECCcertgen.sh
new file mode 100755
index 000000000000..a47b8bb0b5a1
--- /dev/null
+++ b/crypto/openssl/demos/ssltest-ecc/ECCcertgen.sh
@@ -0,0 +1,164 @@
+#!/bin/sh
+
+# For a list of supported curves, use "apps/openssl ecparam -list_curves".
+
+# Path to the openssl distribution
+OPENSSL_DIR=../..
+# Path to the openssl program
+OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
+# Option to find configuration file
+OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"
+# Directory where certificates are stored
+CERTS_DIR=./Certs
+# Directory where private key files are stored
+KEYS_DIR=$CERTS_DIR
+# Directory where combo files (containing a certificate and corresponding
+# private key together) are stored
+COMBO_DIR=$CERTS_DIR
+# cat command
+CAT=/bin/cat
+# rm command
+RM=/bin/rm
+# mkdir command
+MKDIR=/bin/mkdir
+# The certificate will expire these many days after the issue date.
+DAYS=1500
+TEST_CA_CURVE=secp160r1
+TEST_CA_FILE=secp160r1TestCA
+TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)"
+
+TEST_SERVER_CURVE=secp160r2
+TEST_SERVER_FILE=secp160r2TestServer
+TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)"
+
+TEST_CLIENT_CURVE=secp160r2
+TEST_CLIENT_FILE=secp160r2TestClient
+TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)"
+
+# Generating an EC certificate involves the following main steps
+# 1. Generating curve parameters (if needed)
+# 2. Generating a certificate request
+# 3. Signing the certificate request 
+# 4. [Optional] One can combine the cert and private key into a single
+#    file and also delete the certificate request
+
+$MKDIR -p $CERTS_DIR
+$MKDIR -p $KEYS_DIR
+$MKDIR -p $COMBO_DIR
+
+echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)"
+echo "==============================================================="
+$OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem
+
+# Generate a new certificate request in $TEST_CA_FILE.req.pem. A 
+# new ecdsa (actually ECC) key pair is generated on the parameters in
+# $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem
+# WARNING: By using the -nodes option, we force the private key to be 
+# stored in the clear (rather than encrypted with a password).
+$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \
+    -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \
+    -newkey ec:$TEST_CA_CURVE.pem -new \
+    -out $CERTS_DIR/$TEST_CA_FILE.req.pem
+
+# Sign the certificate request in $TEST_CA_FILE.req.pem using the
+# private key in $TEST_CA_FILE.key.pem and include the CA extension.
+# Make the certificate valid for 1500 days from the time of signing.
+# The certificate is written into $TEST_CA_FILE.cert.pem
+$OPENSSL_CMD x509 -req -days $DAYS \
+    -in $CERTS_DIR/$TEST_CA_FILE.req.pem \
+    -extfile $OPENSSL_DIR/apps/openssl.cnf \
+    -extensions v3_ca \
+    -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
+    -out $CERTS_DIR/$TEST_CA_FILE.cert.pem
+
+# Display the certificate
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text
+
+# Place the certificate and key in a common file
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \
+	 > $COMBO_DIR/$TEST_CA_FILE.pem
+$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem
+
+# Remove the cert request file (no longer needed)
+$RM $CERTS_DIR/$TEST_CA_FILE.req.pem
+
+echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)"
+echo "=========================================================================="
+# Generate parameters for curve $TEST_SERVER_CURVE, if needed
+$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem
+
+# Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A 
+# new ecdsa (actually ECC) key pair is generated on the parameters in
+# $TEST_SERVER_CURVE.pem and the private key is saved in 
+# $TEST_SERVER_FILE.key.pem
+# WARNING: By using the -nodes option, we force the private key to be 
+# stored in the clear (rather than encrypted with a password).
+$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
+    -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
+    -newkey ec:$TEST_SERVER_CURVE.pem -new \
+    -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
+
+# Sign the certificate request in $TEST_SERVER_FILE.req.pem using the
+# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
+# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
+# file for this CA, create one. Make the certificate valid for $DAYS days
+# from the time of signing. The certificate is written into 
+# $TEST_SERVER_FILE.cert.pem
+$OPENSSL_CMD x509 -req -days $DAYS \
+    -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
+    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
+    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
+    -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
+
+# Display the certificate 
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
+
+# Place the certificate and key in a common file
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
+	 > $COMBO_DIR/$TEST_SERVER_FILE.pem
+$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
+
+# Remove the cert request file (no longer needed)
+$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
+
+echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)"
+echo "=========================================================================="
+# Generate parameters for curve $TEST_CLIENT_CURVE, if needed
+$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem
+
+# Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A 
+# new ecdsa (actually ECC) key pair is generated on the parameters in
+# $TEST_CLIENT_CURVE.pem and the private key is saved in 
+# $TEST_CLIENT_FILE.key.pem
+# WARNING: By using the -nodes option, we force the private key to be 
+# stored in the clear (rather than encrypted with a password).
+$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
+	     -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
+	     -newkey ec:$TEST_CLIENT_CURVE.pem -new \
+	     -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
+
+# Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the
+# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
+# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
+# file for this CA, create one. Make the certificate valid for $DAYS days
+# from the time of signing. The certificate is written into 
+# $TEST_CLIENT_FILE.cert.pem
+$OPENSSL_CMD x509 -req -days $DAYS \
+    -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
+    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
+    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
+    -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
+
+# Display the certificate 
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
+
+# Place the certificate and key in a common file
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
+	 > $COMBO_DIR/$TEST_CLIENT_FILE.pem
+$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
+
+# Remove the cert request file (no longer needed)
+$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
+
+
+
diff --git a/crypto/openssl/demos/ssltest-ecc/README b/crypto/openssl/demos/ssltest-ecc/README
new file mode 100644
index 000000000000..71c070af161e
--- /dev/null
+++ b/crypto/openssl/demos/ssltest-ecc/README
@@ -0,0 +1,15 @@
+Scripts for using ECC ciphersuites with test/testssl
+(these ciphersuites are described in the Internet Draft available at
+http://www.ietf.org/internet-drafts/draft-ietf-tls-ecc-03.txt).
+
+Use ECCcertgen.sh, RSAcertgen.sh, ECC-RSAcertgen.sh to generate
+root, client and server certs of the following types:
+
+     ECC certs signed with ECDSA
+     RSA certs signed with RSA
+     ECC certs signed with RSA
+
+Afterwards, you can use ssltest.sh to run the various tests;
+specify one of the following options:
+
+     aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa
diff --git a/crypto/openssl/demos/ssltest-ecc/RSAcertgen.sh b/crypto/openssl/demos/ssltest-ecc/RSAcertgen.sh
new file mode 100755
index 000000000000..0cb015359634
--- /dev/null
+++ b/crypto/openssl/demos/ssltest-ecc/RSAcertgen.sh
@@ -0,0 +1,121 @@
+#!/bin/sh
+
+# For a list of supported curves, use "apps/openssl ecparam -list_curves".
+
+# Path to the openssl distribution
+OPENSSL_DIR=../..
+# Path to the openssl program
+OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
+# Option to find configuration file
+OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"
+# Directory where certificates are stored
+CERTS_DIR=./Certs
+# Directory where private key files are stored
+KEYS_DIR=$CERTS_DIR
+# Directory where combo files (containing a certificate and corresponding
+# private key together) are stored
+COMBO_DIR=$CERTS_DIR
+# cat command
+CAT=/bin/cat
+# rm command
+RM=/bin/rm
+# mkdir command
+MKDIR=/bin/mkdir
+# The certificate will expire these many days after the issue date.
+DAYS=1500
+TEST_CA_FILE=rsa1024TestCA
+TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (1024 bit RSA)"
+
+TEST_SERVER_FILE=rsa1024TestServer
+TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (1024 bit RSA)"
+
+TEST_CLIENT_FILE=rsa1024TestClient
+TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (1024 bit RSA)"
+
+# Generating an EC certificate involves the following main steps
+# 1. Generating curve parameters (if needed)
+# 2. Generating a certificate request
+# 3. Signing the certificate request 
+# 4. [Optional] One can combine the cert and private key into a single
+#    file and also delete the certificate request
+
+$MKDIR -p $CERTS_DIR
+$MKDIR -p $KEYS_DIR
+$MKDIR -p $COMBO_DIR
+
+echo "Generating self-signed CA certificate (RSA)"
+echo "==========================================="
+
+$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \
+    -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \
+    -newkey rsa:1024 -new \
+    -out $CERTS_DIR/$TEST_CA_FILE.req.pem
+
+$OPENSSL_CMD x509 -req -days $DAYS \
+    -in $CERTS_DIR/$TEST_CA_FILE.req.pem \
+    -extfile $OPENSSL_DIR/apps/openssl.cnf \
+    -extensions v3_ca \
+    -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
+    -out $CERTS_DIR/$TEST_CA_FILE.cert.pem
+
+# Display the certificate
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text
+
+# Place the certificate and key in a common file
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \
+	 > $COMBO_DIR/$TEST_CA_FILE.pem
+$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem
+
+# Remove the cert request file (no longer needed)
+$RM $CERTS_DIR/$TEST_CA_FILE.req.pem
+
+echo "GENERATING A TEST SERVER CERTIFICATE (RSA)"
+echo "=========================================="
+
+$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
+    -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
+    -newkey rsa:1024 -new \
+    -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
+
+$OPENSSL_CMD x509 -req -days $DAYS \
+    -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
+    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
+    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
+    -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
+
+# Display the certificate 
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
+
+# Place the certificate and key in a common file
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
+	 > $COMBO_DIR/$TEST_SERVER_FILE.pem
+$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
+
+# Remove the cert request file (no longer needed)
+$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
+
+echo "GENERATING A TEST CLIENT CERTIFICATE (RSA)"
+echo "=========================================="
+
+$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
+	     -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
+	     -newkey rsa:1024 -new \
+	     -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
+
+$OPENSSL_CMD x509 -req -days $DAYS \
+    -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
+    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
+    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
+    -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
+
+# Display the certificate 
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
+
+# Place the certificate and key in a common file
+$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
+	 > $COMBO_DIR/$TEST_CLIENT_FILE.pem
+$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
+
+# Remove the cert request file (no longer needed)
+$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
+
diff --git a/crypto/openssl/demos/ssltest-ecc/ssltest.sh b/crypto/openssl/demos/ssltest-ecc/ssltest.sh
new file mode 100755
index 000000000000..923ca43824e6
--- /dev/null
+++ b/crypto/openssl/demos/ssltest-ecc/ssltest.sh
@@ -0,0 +1,188 @@
+#! /bin/sh
+# Tests ECC cipher suites using ssltest. Requires one argument which could
+# be aecdh or ecdh-ecdsa or ecdhe-ecdsa or ecdh-rsa or ecdhe-rsa.
+# A second optional argument can be one of ssl2 ssl3 or tls1
+
+if [ "$1" = "" ]; then
+  (echo "Usage: $0 test [ protocol ]"
+   echo "   where test is one of aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa"
+   echo "   and protocol (optional) is one of ssl2, ssl3, tls1"
+   echo "Run RSAcertgen.sh, ECC-RSAcertgen.sh, ECCcertgen.sh first."
+  ) >&2
+  exit 1
+fi
+
+
+OPENSSL_DIR=../..
+CERTS_DIR=./Certs
+SSLTEST=$OPENSSL_DIR/test/ssltest
+# SSL protocol version to test (one of ssl2 ssl3 or tls1)"
+SSLVERSION=
+
+# These don't really require any certificates
+AECDH_CIPHER_LIST="AECDH-AES256-SHA AECDH-AES128-SHA AECDH-DES-CBC3-SHA AECDH-RC4-SHA AECDH-NULL-SHA"
+
+# These require ECC certificates signed with ECDSA
+# The EC public key must be authorized for key agreement.
+ECDH_ECDSA_CIPHER_LIST="ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA"
+
+# These require ECC certificates.
+# The EC public key must be authorized for digital signature.
+ECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-NULL-SHA"
+
+# These require ECC certificates signed with RSA.
+# The EC public key must be authorized for key agreement.
+ECDH_RSA_CIPHER_LIST="ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA"
+
+# These require RSA certificates.
+# The RSA public key must be authorized for digital signature.
+ECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-NULL-SHA"
+
+# List of Elliptic curves over which we wish to test generation of
+# ephemeral ECDH keys when using AECDH or ECDHE ciphers
+# NOTE: secp192r1 = prime192v1 and secp256r1 = prime256v1
+#ELLIPTIC_CURVE_LIST="secp112r1 sect113r2 secp128r1 sect131r1 secp160k1 sect163r2 wap-wsg-idm-ecid-wtls7 c2pnb163v3 c2pnb176v3 c2tnb191v3 secp192r1 prime192v3 sect193r2 secp224r1 wap-wsg-idm-ecid-wtls10 sect239k1 prime239v2 secp256r1 prime256v1 sect283k1 secp384r1 sect409r1 secp521r1 sect571r1"
+ELLIPTIC_CURVE_LIST="sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1"
+
+DEFAULT_CURVE="sect163r2"
+
+if [ "$2" = "" ]; then
+    if [ "$SSL_VERSION" = "" ]; then
+	SSL_VERSION=""
+    else
+	SSL_VERSION="-$SSL_VERSION"
+    fi
+else
+    SSL_VERSION="-$2"
+fi
+
+#==============================================================
+# Anonymous cipher suites do not require key or certificate files
+# but ssltest expects a cert file and complains if it can't
+# open the default one.
+SERVER_PEM=$OPENSSL_DIR/apps/server.pem
+
+if [ "$1" = "aecdh" ]; then
+for cipher in $AECDH_CIPHER_LIST
+do
+    echo "Testing $cipher"
+    $SSLTEST $SSL_VERSION -cert $SERVER_PEM -cipher $cipher 
+done
+#--------------------------------------------------------------
+for curve in $ELLIPTIC_CURVE_LIST
+do
+    echo "Testing AECDH-NULL-SHA (with $curve)"
+    $SSLTEST $SSL_VERSION -cert $SERVER_PEM \
+	-named_curve $curve -cipher AECDH-NULL-SHA
+done
+
+for curve in $ELLIPTIC_CURVE_LIST
+do
+    echo "Testing AECDH-RC4-SHA (with $curve)"
+    $SSLTEST $SSL_VERSION -cert $SERVER_PEM \
+	-named_curve $curve -cipher AECDH-RC4-SHA
+done
+fi
+
+#==============================================================
+# Both ECDH-ECDSA and ECDHE-ECDSA cipher suites require 
+# the server to have an ECC certificate signed with ECDSA.
+CA_PEM=$CERTS_DIR/secp160r1TestCA.pem
+SERVER_PEM=$CERTS_DIR/secp160r2TestServer.pem
+CLIENT_PEM=$CERTS_DIR/secp160r2TestClient.pem
+
+if [ "$1" = "ecdh-ecdsa" ]; then
+for cipher in $ECDH_ECDSA_CIPHER_LIST
+do
+    echo "Testing $cipher (with server authentication)"
+    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
+	-cert $SERVER_PEM -server_auth \
+	-cipher $cipher
+
+    echo "Testing $cipher (with server and client authentication)"
+    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
+	-cert $SERVER_PEM -server_auth \
+	-c_cert $CLIENT_PEM -client_auth \
+	-cipher $cipher
+done
+fi
+
+#==============================================================
+if [ "$1" = "ecdhe-ecdsa" ]; then
+for cipher in $ECDHE_ECDSA_CIPHER_LIST
+do
+    echo "Testing $cipher (with server authentication)"
+    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
+	-cert $SERVER_PEM -server_auth \
+	-cipher $cipher -named_curve $DEFAULT_CURVE
+
+    echo "Testing $cipher (with server and client authentication)"
+    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
+	-cert $SERVER_PEM -server_auth \
+	-c_cert $CLIENT_PEM -client_auth \
+	-cipher $cipher -named_curve $DEFAULT_CURVE
+done
+
+#--------------------------------------------------------------
+for curve in $ELLIPTIC_CURVE_LIST
+do
+    echo "Testing ECDHE-ECDSA-AES128-SHA (2-way auth with $curve)"
+    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
+	-cert $SERVER_PEM -server_auth \
+	-c_cert $CLIENT_PEM -client_auth \
+	-cipher ECDHE-ECDSA-AES128-SHA -named_curve $curve 
+done
+fi
+
+#==============================================================
+# ECDH-RSA cipher suites require the server to have an ECC
+# certificate signed with RSA.
+CA_PEM=$CERTS_DIR/rsa1024TestCA.pem
+SERVER_PEM=$CERTS_DIR/sect163r1-rsaTestServer.pem
+CLIENT_PEM=$CERTS_DIR/sect163r1-rsaTestClient.pem
+
+if [ "$1" = "ecdh-rsa" ]; then
+for cipher in $ECDH_RSA_CIPHER_LIST
+do
+    echo "Testing $cipher (with server authentication)"
+    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
+	-cert $SERVER_PEM -server_auth \
+	-cipher $cipher
+
+    echo "Testing $cipher (with server and client authentication)"
+    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
+	-cert $SERVER_PEM -server_auth \
+	-c_cert $CLIENT_PEM -client_auth \
+	-cipher $cipher
+done
+fi
+
+#==============================================================
+# ECDHE-RSA cipher suites require the server to have an RSA cert.
+CA_PEM=$CERTS_DIR/rsa1024TestCA.pem
+SERVER_PEM=$CERTS_DIR/rsa1024TestServer.pem
+CLIENT_PEM=$CERTS_DIR/rsa1024TestClient.pem
+
+if [ "$1" = "ecdhe-rsa" ]; then
+for cipher in $ECDHE_RSA_CIPHER_LIST
+do
+    echo "Testing $cipher (with server authentication)"
+    echo $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
+	-cert $SERVER_PEM -server_auth \
+	-cipher $cipher -named_curve $DEFAULT_CURVE
+    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
+	-cert $SERVER_PEM -server_auth \
+	-cipher $cipher -named_curve $DEFAULT_CURVE
+
+    echo "Testing $cipher (with server and client authentication)"
+    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
+	-cert $SERVER_PEM -server_auth \
+	-c_cert $CLIENT_PEM -client_auth \
+	-cipher $cipher -named_curve $DEFAULT_CURVE
+done
+fi
+#==============================================================
+
+
+
+
diff --git a/crypto/openssl/demos/tunala/autoungunk.sh b/crypto/openssl/demos/tunala/autoungunk.sh
index 14d10790fd87..0c9123b6cfbc 100755
--- a/crypto/openssl/demos/tunala/autoungunk.sh
+++ b/crypto/openssl/demos/tunala/autoungunk.sh
@@ -4,13 +4,13 @@
 # mess has been left in the directory thanks to autoconf, automake, and their
 # friends.
 
-if test -f Makefile; then
-	make distclean
-	rm -f Makefile
-fi
-
 if test -f Makefile.plain; then
+	if test -f Makefile; then
+		make distclean
+	fi
 	mv Makefile.plain Makefile
+else
+	make clean
 fi
 
 rm -f aclocal.m4 config.* configure install-sh \
diff --git a/crypto/openssl/demos/tunala/cb.c b/crypto/openssl/demos/tunala/cb.c
index cd32f74c70a2..e64983896ebb 100644
--- a/crypto/openssl/demos/tunala/cb.c
+++ b/crypto/openssl/demos/tunala/cb.c
@@ -129,5 +129,15 @@ void cb_ssl_verify_set_level(unsigned int level)
 		cb_ssl_verify_level = level;
 }
 
+RSA *cb_generate_tmp_rsa(SSL *s, int is_export, int keylength)
+{
+	/* TODO: Perhaps make it so our global key can be generated on-the-fly
+	 * after certain intervals? */
+	static RSA *rsa_tmp = NULL;
+	if(!rsa_tmp)
+		rsa_tmp = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
+	return rsa_tmp;
+}
+
 #endif /* !defined(NO_OPENSSL) */
 
diff --git a/crypto/openssl/demos/tunala/configure.in b/crypto/openssl/demos/tunala/configure.in
index b2a6ffc756b3..590cdbfd263b 100644
--- a/crypto/openssl/demos/tunala/configure.in
+++ b/crypto/openssl/demos/tunala/configure.in
@@ -10,6 +10,7 @@ dnl AM_PROG_LIBTOOL
 
 dnl Checks for libraries.
 AC_CHECK_LIB(dl, dlopen)
+AC_CHECK_LIB(z, inflate)
 AC_CHECK_LIB(socket, socket)
 AC_CHECK_LIB(nsl, gethostbyname)
 
diff --git a/crypto/openssl/demos/tunala/test.sh b/crypto/openssl/demos/tunala/test.sh
new file mode 100755
index 000000000000..105b447333bc
--- /dev/null
+++ b/crypto/openssl/demos/tunala/test.sh
@@ -0,0 +1,107 @@
+#!/bin/sh
+
+HTTP="localhost:8080"
+CLIENT_PORT="9020"
+SERVER_PORT="9021"
+
+sub_test ()
+{
+	echo "STARTING - $VER $CIPHER"
+	./tunala -listen localhost:$CLIENT_PORT -proxy localhost:$SERVER_PORT \
+		-cacert CA.pem -cert A-client.pem -server 0 \
+		-dh_special standard -v_peer -v_strict \
+		$VER -cipher $CIPHER 1> tc1.txt 2> tc2.txt &
+	./tunala -listen localhost:$SERVER_PORT -proxy $HTTP \
+		-cacert CA.pem -cert A-server.pem -server 1 \
+		-dh_special standard -v_peer -v_strict \
+		$VER -cipher $CIPHER 1> ts1.txt 2> ts2.txt &
+	# Wait for the servers to be listening before starting the wget test
+	DONE="no"
+	while [ "$DONE" != "yes" ]; do
+		L1=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$CLIENT_PORT"`
+		L2=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$SERVER_PORT"`
+		if [ "x$L1" != "x" ]; then
+			DONE="yes"
+		elif [ "x$L2" != "x" ]; then
+			DONE="yes"
+		else
+			sleep 1
+		fi
+	done
+	HTML=`wget -O - -T 1 http://localhost:$CLIENT_PORT 2> /dev/null | grep "<HTML>"`
+	if [ "x$HTML" != "x" ]; then
+		echo "OK - $CIPHER ($VER)"
+	else
+		echo "FAIL - $CIPHER ($VER)"
+		killall tunala
+		exit 1
+	fi
+	killall tunala
+	# Wait for the servers to stop before returning - otherwise the next
+	# test my fail to start ... (fscking race conditions)
+	DONE="yes"
+	while [ "$DONE" != "no" ]; do
+		L1=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$CLIENT_PORT"`
+		L2=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$SERVER_PORT"`
+		if [ "x$L1" != "x" ]; then
+			DONE="yes"
+		elif [ "x$L2" != "x" ]; then
+			DONE="yes"
+		else
+			DONE="no"
+		fi
+	done
+	exit 0
+}
+
+run_test ()
+{
+	(sub_test 1> /dev/null) || exit 1
+}
+
+run_ssl_test ()
+{
+killall tunala 1> /dev/null 2> /dev/null
+echo ""
+echo "Starting all $PRETTY tests"
+if [ "$PRETTY" != "SSLv2" ]; then
+	if [ "$PRETTY" != "SSLv3" ]; then
+		export VER="-no_ssl2 -no_ssl3"
+		export OSSL="-tls1"
+	else
+		export VER="-no_ssl2 -no_tls1"
+		export OSSL="-ssl3"
+	fi
+else
+	export VER="-no_ssl3 -no_tls1"
+	export OSSL="-ssl2"
+fi
+LIST="`../../apps/openssl ciphers $OSSL | sed -e 's/:/ /g'`"
+#echo "$LIST"
+for i in $LIST; do \
+	DSS=`echo "$i" | grep "DSS"`
+	if [ "x$DSS" != "x" ]; then
+		echo "---- skipping $i (no DSA cert/keys) ----"
+	else
+		export CIPHER=$i
+		run_test
+		echo "SUCCESS: $i"
+	fi
+done;
+}
+
+# Welcome the user
+echo "Tests will assume an http server running at $HTTP"
+
+# TLSv1 test
+export PRETTY="TLSv1"
+run_ssl_test
+
+# SSLv3 test
+export PRETTY="SSLv3"
+run_ssl_test
+
+# SSLv2 test
+export PRETTY="SSLv2"
+run_ssl_test
+
diff --git a/crypto/openssl/demos/tunala/tunala.c b/crypto/openssl/demos/tunala/tunala.c
index e802a6209fff..e918cba2ce8a 100644
--- a/crypto/openssl/demos/tunala/tunala.c
+++ b/crypto/openssl/demos/tunala/tunala.c
@@ -69,8 +69,8 @@ typedef struct _tunala_world_t {
 static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id,
 		const char *CAfile, const char *cert, const char *key,
 		const char *dcert, const char *dkey, const char *cipher_list,
-		const char *dh_file, const char *dh_special, int ctx_options,
-		int out_state, int out_verify, int verify_mode,
+		const char *dh_file, const char *dh_special, int tmp_rsa,
+		int ctx_options, int out_state, int out_verify, int verify_mode,
 		unsigned int verify_depth);
 static void selector_init(tunala_selector_t *selector);
 static void selector_add_listener(tunala_selector_t *selector, int fd);
@@ -102,6 +102,7 @@ static int def_flipped = 0;
 static const char *def_cipher_list = NULL;
 static const char *def_dh_file = NULL;
 static const char *def_dh_special = NULL;
+static int def_tmp_rsa = 1;
 static int def_ctx_options = 0;
 static int def_verify_mode = 0;
 static unsigned int def_verify_depth = 10;
@@ -127,6 +128,7 @@ static const char *helpstring =
 " -cipher <list>         (specifies cipher list to use)\n"
 " -dh_file <path>        (a PEM file containing DH parameters to use)\n"
 " -dh_special <NULL|generate|standard> (see below: def=NULL)\n"
+" -no_tmp_rsa            (don't generate temporary RSA keys)\n"
 " -no_ssl2               (disable SSLv2)\n"
 " -no_ssl3               (disable SSLv3)\n"
 " -no_tls1               (disable TLSv1)\n"
@@ -306,6 +308,7 @@ int main(int argc, char *argv[])
 	const char *cipher_list = def_cipher_list;
 	const char *dh_file = def_dh_file;
 	const char *dh_special = def_dh_special;
+	int tmp_rsa = def_tmp_rsa;
 	int ctx_options = def_ctx_options;
 	int verify_mode = def_verify_mode;
 	unsigned int verify_depth = def_verify_depth;
@@ -427,6 +430,9 @@ next_arg:
 			if(!parse_dh_special(*argv, &dh_special))
 				return 1;
 			goto next_arg;
+		} else if(strcmp(*argv, "-no_tmp_rsa") == 0) {
+			tmp_rsa = 0;
+			goto next_arg;
 		} else if(strcmp(*argv, "-no_ssl2") == 0) {
 			ctx_options |= SSL_OP_NO_SSLv2;
 			goto next_arg;
@@ -487,7 +493,7 @@ next_arg:
 	/* Create the SSL_CTX */
 	if((world.ssl_ctx = initialise_ssl_ctx(server_mode, engine_id,
 			cacert, cert, key, dcert, dkey, cipher_list, dh_file,
-			dh_special, ctx_options, out_state, out_verify,
+			dh_special, tmp_rsa, ctx_options, out_state, out_verify,
 			verify_mode, verify_depth)) == NULL)
 		return err_str1("initialise_ssl_ctx(engine_id=%s) failed",
 			(engine_id == NULL) ? "NULL" : engine_id);
@@ -522,8 +528,13 @@ main_loop:
 	/* Now do the select */
 	switch(selector_select(&world.selector)) {
 	case -1:
-		fprintf(stderr, "selector_select returned a badness error.\n");
-		goto shouldnt_happen;
+		if(errno != EINTR) {
+			fprintf(stderr, "selector_select returned a "
+					"badness error.\n");
+			goto shouldnt_happen;
+		}
+		fprintf(stderr, "Warn, selector interrupted by a signal\n");
+		goto main_loop;
 	case 0:
 		fprintf(stderr, "Warn, selector_select returned 0 - signal?""?\n");
 		goto main_loop;
@@ -717,8 +728,8 @@ do_it:
 static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id,
 		const char *CAfile, const char *cert, const char *key,
 		const char *dcert, const char *dkey, const char *cipher_list,
-		const char *dh_file, const char *dh_special, int ctx_options,
-		int out_state, int out_verify, int verify_mode,
+		const char *dh_file, const char *dh_special, int tmp_rsa,
+		int ctx_options, int out_state, int out_verify, int verify_mode,
 		unsigned int verify_depth)
 {
 	SSL_CTX *ctx = NULL, *ret = NULL;
@@ -770,6 +781,9 @@ static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id,
 	/* dcert and dkey */
 	if((dcert || dkey) && !ctx_set_cert(ctx, dcert, dkey))
 		goto err;
+	/* temporary RSA key generation */
+	if(tmp_rsa)
+		SSL_CTX_set_tmp_rsa_callback(ctx, cb_generate_tmp_rsa);
 
 	/* cipher_list */
 	if(cipher_list) {
diff --git a/crypto/openssl/demos/tunala/tunala.h b/crypto/openssl/demos/tunala/tunala.h
index b4c8ec78d8ac..3a752f259a94 100644
--- a/crypto/openssl/demos/tunala/tunala.h
+++ b/crypto/openssl/demos/tunala/tunala.h
@@ -149,6 +149,7 @@ int cb_ssl_verify(int ok, X509_STORE_CTX *ctx);
 void cb_ssl_verify_set_output(FILE *fp);
 void cb_ssl_verify_set_depth(unsigned int verify_depth);
 void cb_ssl_verify_set_level(unsigned int level);
+RSA *cb_generate_tmp_rsa(SSL *s, int is_export, int keylength);
 #endif /* !defined(NO_OPENSSL) */
 #endif /* !defined(OPENSSL_NO_BUFFER) */
 
diff --git a/crypto/openssl/doc/HOWTO/certificates.txt b/crypto/openssl/doc/HOWTO/certificates.txt
index d3a62545adf3..a8a34c7abc51 100644
--- a/crypto/openssl/doc/HOWTO/certificates.txt
+++ b/crypto/openssl/doc/HOWTO/certificates.txt
@@ -66,14 +66,13 @@ Section 5 will tell you more on how to handle the certificate you
 received.
 
 
-4. Creating a self-signed certificate
+4. Creating a self-signed test certificate
 
 If you don't want to deal with another certificate authority, or just
-want to create a test certificate for yourself, or are setting up a
-certificate authority of your own, you may want to make the requested
-certificate a self-signed one.  This is similar to creating a
-certificate request, but creates a certificate instead of a
-certificate request (1095 is 3 years):
+want to create a test certificate for yourself.  This is similar to
+creating a certificate request, but creates a certificate instead of
+a certificate request.  This is NOT the recommended way to create a
+CA certificate, see ca.txt.
 
   openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
 
diff --git a/crypto/openssl/doc/HOWTO/keys.txt b/crypto/openssl/doc/HOWTO/keys.txt
index 45f42eaaf1b7..7ae2a3a11833 100644
--- a/crypto/openssl/doc/HOWTO/keys.txt
+++ b/crypto/openssl/doc/HOWTO/keys.txt
@@ -40,9 +40,9 @@ consider insecure or to be insecure pretty soon.
 
 3. To generate a DSA key
 
-A DSA key can be used both for signing only.  This is important to
-keep in mind to know what kind of purposes a certificate request with
-a DSA key can really be used for.
+A DSA key can be used for signing only.  This is important to keep
+in mind to know what kind of purposes a certificate request with a
+DSA key can really be used for.
 
 Generating a key for the DSA algorithm is a two-step process.  First,
 you have to generate parameters from which to generate the key:
diff --git a/crypto/openssl/doc/HOWTO/proxy_certificates.txt b/crypto/openssl/doc/HOWTO/proxy_certificates.txt
new file mode 100644
index 000000000000..3d36b02f6b31
--- /dev/null
+++ b/crypto/openssl/doc/HOWTO/proxy_certificates.txt
@@ -0,0 +1,322 @@
+<DRAFT!>
+			HOWTO proxy certificates
+
+0. WARNING
+
+NONE OF THE CODE PRESENTED HERE HAVE BEEN CHECKED!  They are just an
+example to show you how things can be done.  There may be typos or
+type conflicts, and you will have to resolve them.
+
+1. Introduction
+
+Proxy certificates are defined in RFC 3820.  They are really usual
+certificates with the mandatory extension proxyCertInfo.
+
+Proxy certificates are issued by an End Entity (typically a user),
+either directly with the EE certificate as issuing certificate, or by
+extension through an already issued proxy certificate..  They are used
+to extend rights to some other entity (a computer process, typically,
+or sometimes to the user itself), so it can perform operations in the
+name of the owner of the EE certificate.
+
+See http://www.ietf.org/rfc/rfc3820.txt for more information.
+
+
+2. A warning about proxy certificates
+
+Noone seems to have tested proxy certificates with security in mind.
+Basically, to this date, it seems that proxy certificates have only
+been used in a world that's highly aware of them.  What would happen
+if an unsuspecting application is to validate a chain of certificates
+that contains proxy certificates?  It would usually consider the leaf
+to be the certificate to check for authorisation data, and since proxy
+certificates are controlled by the EE certificate owner alone, it's
+would be normal to consider what the EE certificate owner could do
+with them.
+
+subjectAltName and issuerAltName are forbidden in proxy certificates,
+and this is enforced in OpenSSL.  The subject must be the same as the
+issuer, with one commonName added on.
+
+Possible threats are, as far as has been imagined so far:
+
+ - impersonation through commonName (think server certificates).
+ - use of additional extensions, possibly non-standard ones used in
+   certain environments, that would grant extra or different
+   authorisation rights.
+
+For this reason, OpenSSL requires that the use of proxy certificates
+be explicitely allowed.  Currently, this can be done using the
+following methods:
+
+ - if the application calls X509_verify_cert() itself, it can do the
+   following prior to that call (ctx is the pointer passed in the call
+   to X509_verify_cert()):
+
+	X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+
+ - in all other cases, proxy certificate validation can be enabled
+   before starting the application by setting the envirnoment variable
+   OPENSSL_ALLOW_PROXY with some non-empty value.
+
+There are thoughts to allow proxy certificates with a line in the
+default openssl.cnf, but that's still in the future.
+
+
+3. How to create proxy cerificates
+
+It's quite easy to create proxy certificates, by taking advantage of
+the lack of checks of the 'openssl x509' application (*ahem*).  But
+first, you need to create a configuration section that contains a
+definition of the proxyCertInfo extension, a little like this:
+
+  [ v3_proxy ]
+  # A proxy certificate MUST NEVER be a CA certificate.
+  basicConstraints=CA:FALSE
+
+  # Usual authority key ID
+  authorityKeyIdentifier=keyid,issuer:always
+
+  # Now, for the extension that marks this certificate as a proxy one
+  proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
+
+It's also possible to give the proxy extension in a separate section:
+
+  proxyCertInfo=critical,@proxy_ext
+
+  [ proxy_ext ]
+  language=id-ppl-anyLanguage
+  pathlen=0
+  policy=text:BC
+
+The policy value has a specific syntax, {syntag}:{string}, where the
+syntag determines what will be done with the string.  The recognised
+syntags are as follows:
+
+  text	indicates that the string is simply the bytes, not
+	encoded in any kind of way:
+
+		policy=text:räksmörgås
+
+	Previous versions of this design had a specific tag
+	for UTF-8 text.  However, since the bytes are copied
+	as-is anyway, there's no need for it.  Instead, use
+	the text: tag, like this:
+
+		policy=text:räksmörgås
+
+  hex	indicates the string is encoded in hex, with colons
+	between each byte (every second hex digit):
+
+		policy=hex:72:E4:6B:73:6D:F6:72:67:E5:73
+
+	Previous versions of this design had a tag to insert a
+	complete DER blob.  However, the only legal use for
+	this would be to surround the bytes that would go with
+	the hex: tag with what's needed to construct a correct
+	OCTET STRING.  Since hex: does that, the DER tag felt
+	superfluous, and was therefore removed.
+
+  file	indicates that the text of the policy should really be
+	taken from a file.  The string is then really a file
+	name.  This is useful for policies that are large
+	(more than a few of lines) XML documents, for example.
+
+The 'policy' setting can be split up in multiple lines like this:
+
+  0.policy=This is
+  1.polisy= a multi-
+  2.policy=line policy.
+
+NOTE: the proxy policy value is the part that determines the rights
+granted to the process using the proxy certificate.  The value is
+completely dependent on the application reading and interpretting it!
+
+Now that you have created an extension section for your proxy
+certificate, you can now easily create a proxy certificate like this:
+
+  openssl req -new -config openssl.cnf \
+	  -out proxy.req -keyout proxy.key
+  openssl x509 -req -CAcreateserial -in proxy.req -days 7 \
+	  -out proxy.crt -CA user.crt -CAkey user.key \
+	  -extfile openssl.cnf -extensions v3_proxy
+
+It's just as easy to create a proxy certificate using another proxy
+certificate as issuer (note that I'm using a different configuration
+section for it):
+
+  openssl req -new -config openssl.cnf \
+	  -out proxy2.req -keyout proxy2.key
+  openssl x509 -req -CAcreateserial -in proxy2.req -days 7 \
+	  -out proxy2.crt -CA proxy.crt -CAkey proxy.key \
+	  -extfile openssl.cnf -extensions v3_proxy2
+
+
+4. How to have your application interpret the policy?
+
+The basic way to interpret proxy policies is to prepare some default
+rights, then do a check of the proxy certificate against the a chain
+of proxy certificates, user certificate and CA certificates, and see
+what rights came out by the end.  Sounds easy, huh?  It almost is.
+
+The slightly complicated part is how to pass data between your
+application and the certificate validation procedure.
+
+You need the following ingredients:
+
+ - a callback routing that will be called for every certificate that's
+   validated.  It will be called several times for each certificates,
+   so you must be attentive to when it's a good time to do the proxy
+   policy interpretation and check, as well as to fill in the defaults
+   when the EE certificate is checked.
+
+ - a structure of data that's shared between your application code and
+   the callback.
+
+ - a wrapper function that sets it all up.
+
+ - an ex_data index function that creates an index into the generic
+   ex_data store that's attached to an X509 validation context.
+
+This is some cookbook code for you to fill in:
+
+  /* In this example, I will use a view of granted rights as a bit
+     array, one bit for each possible right.  */
+  typedef struct your_rights {
+    unsigned char rights[total_rights / 8];
+  } YOUR_RIGHTS;
+
+  /* The following procedure will create an index for the ex_data
+     store in the X509 validation context the first time it's called.
+     Subsequent calls will return the same index.  */
+  static int get_proxy_auth_ex_data_idx(void)
+  {
+    static volatile int idx = -1;
+    if (idx < 0)
+      {
+        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+        if (idx < 0)
+          {
+            idx = X509_STORE_CTX_get_ex_new_index(0,
+                                                  "for verify callback",
+                                                  NULL,NULL,NULL);
+          }
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+      }
+    return idx;
+  }
+
+  /* Callback to be given to the X509 validation procedure.  */
+  static int verify_callback(int ok, X509_STORE_CTX *ctx)
+  {
+    if (ok == 1) /* It's REALLY important you keep the proxy policy
+                    check within this secion.  It's important to know
+                    that when ok is 1, the certificates are checked
+                    from top to bottom.  You get the CA root first,
+                    followed by the possible chain of intermediate
+                    CAs, followed by the EE certificate, followed by
+                    the possible proxy certificates.  */
+      {
+        X509 *xs = ctx->current_cert;
+
+        if (xs->ex_flags & EXFLAG_PROXY)
+          {
+	    YOUR_RIGHTS *rights =
+              (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
+                get_proxy_auth_ex_data_idx());
+            PROXY_CERT_INFO_EXTENSION *pci =
+              X509_get_ext_d2i(xs, NID_proxyCertInfo, NULL, NULL);
+
+            switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
+              {
+              case NID_Independent:
+                /* Do whatever you need to grant explicit rights to
+                   this particular proxy certificate, usually by
+                   pulling them from some database.  If there are none
+                   to be found, clear all rights (making this and any
+                   subsequent proxy certificate void of any rights).
+                */
+                memset(rights->rights, 0, sizeof(rights->rights));
+                break;
+              case NID_id_ppl_inheritAll:
+                /* This is basically a NOP, we simply let the current
+                   rights stand as they are. */
+                break;
+              default:
+                /* This is usually the most complex section of code.
+                   You really do whatever you want as long as you
+                   follow RFC 3820.  In the example we use here, the
+                   simplest thing to do is to build another, temporary
+                   bit array and fill it with the rights granted by
+                   the current proxy certificate, then use it as a
+                   mask on the accumulated rights bit array, and
+                   voilà, you now have a new accumulated rights bit
+                   array.  */
+                {
+                  int i;
+                  YOUR_RIGHTS tmp_rights;
+		  memset(tmp_rights.rights, 0, sizeof(tmp_rights.rights));
+
+                  /* process_rights() is supposed to be a procedure
+                     that takes a string and it's length, interprets
+                     it and sets the bits in the YOUR_RIGHTS pointed
+                     at by the third argument.  */
+                  process_rights((char *) pci->proxyPolicy->policy->data,
+                                 pci->proxyPolicy->policy->length,
+                                 &tmp_rights);
+
+                  for(i = 0; i < total_rights / 8; i++)
+                    rights->rights[i] &= tmp_rights.rights[i];
+                }
+                break;
+              }
+            PROXY_CERT_INFO_EXTENSION_free(pci);
+          }
+        else if (!(xs->ex_flags & EXFLAG_CA))
+          {
+            /* We have a EE certificate, let's use it to set default!
+            */
+	    YOUR_RIGHTS *rights =
+              (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
+                get_proxy_auth_ex_data_idx());
+
+            /* The following procedure finds out what rights the owner
+               of the current certificate has, and sets them in the
+               YOUR_RIGHTS structure pointed at by the second
+               argument.  */
+            set_default_rights(xs, rights);
+          }
+      }
+    return ok;
+  }
+
+  static int my_X509_verify_cert(X509_STORE_CTX *ctx,
+                                 YOUR_RIGHTS *needed_rights)
+  {
+    int i;
+    int (*save_verify_cb)(int ok,X509_STORE_CTX *ctx) = ctx->verify_cb;
+    YOUR_RIGHTS rights;
+
+    X509_STORE_CTX_set_verify_cb(ctx, verify_callback);
+    X509_STORE_CTX_set_ex_data(ctx, get_proxy_auth_ex_data_idx(), &rights);
+    X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+    ok = X509_verify_cert(ctx);
+
+    if (ok == 1)
+      {
+        ok = check_needed_rights(rights, needed_rights);
+      }
+
+    X509_STORE_CTX_set_verify_cb(ctx, save_verify_cb);
+
+    return ok;
+  }
+
+If you use SSL or TLS, you can easily set up a callback to have the
+certificates checked properly, using the code above:
+
+  SSL_CTX_set_cert_verify_callback(s_ctx, my_X509_verify_cert, &needed_rights);
+
+
+-- 
+Richard Levitte
diff --git a/crypto/openssl/doc/apps/CA.pl.pod b/crypto/openssl/doc/apps/CA.pl.pod
index 58e0f5200100..ed69952f3799 100644
--- a/crypto/openssl/doc/apps/CA.pl.pod
+++ b/crypto/openssl/doc/apps/CA.pl.pod
@@ -47,7 +47,7 @@ written to the file "newreq.pem".
 creates a new certificate request. The private key and request are
 written to the file "newreq.pem".
 
-=item B<-newreq-nowdes>
+=item B<-newreq-nodes>
 
 is like B<-newreq> except that the private key will not be encrypted.
 
diff --git a/crypto/openssl/doc/apps/asn1parse.pod b/crypto/openssl/doc/apps/asn1parse.pod
index e76e9813abaf..542d96906626 100644
--- a/crypto/openssl/doc/apps/asn1parse.pod
+++ b/crypto/openssl/doc/apps/asn1parse.pod
@@ -16,6 +16,8 @@ B<openssl> B<asn1parse>
 [B<-i>]
 [B<-oid filename>]
 [B<-strparse offset>]
+[B<-genstr string>]
+[B<-genconf file>]
 
 =head1 DESCRIPTION
 
@@ -67,6 +69,14 @@ file is described in the NOTES section below.
 parse the contents octets of the ASN.1 object starting at B<offset>. This
 option can be used multiple times to "drill down" into a nested structure.
 
+=item B<-genstr string>, B<-genconf file>
+
+generate encoded data based on B<string>, B<file> or both using
+ASN1_generate_nconf() format. If B<file> only is present then the string
+is obtained from the default section using the name B<asn1>. The encoded
+data is passed through the ASN1 parser and printed out as though it came
+from a file, the contents can thus be examined and written to a file
+using the B<out> option. 
 
 =back
 
@@ -121,9 +131,41 @@ by white space. The final column is the rest of the line and is the
 
 C<1.2.3.4	shortName	A long name>
 
+=head1 EXAMPLES
+
+Parse a file:
+
+ openssl asn1parse -in file.pem
+
+Parse a DER file:
+
+ openssl asn1parse -inform DER -in file.der
+
+Generate a simple UTF8String:
+
+ openssl asn1parse -genstr 'UTF8:Hello World'
+
+Generate and write out a UTF8String, don't print parsed output:
+
+ openssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der
+
+Generate using a config file:
+
+ openssl asn1parse -genconf asn1.cnf -noout -out asn1.der
+
+Example config file:
+
+ asn1=SEQUENCE:seq_sect
+
+ [seq_sect]
+
+ field1=BOOL:TRUE
+ field2=EXP:0, UTF8:some random string
+
+
 =head1 BUGS
 
-There should be options to change the format of input lines. The output of some
+There should be options to change the format of output lines. The output of some
 ASN.1 types is not well handled (if at all).
 
 =cut
diff --git a/crypto/openssl/doc/apps/ca.pod b/crypto/openssl/doc/apps/ca.pod
index 74f45ca2f90e..5618c2dc9d2e 100644
--- a/crypto/openssl/doc/apps/ca.pod
+++ b/crypto/openssl/doc/apps/ca.pod
@@ -17,7 +17,6 @@ B<openssl> B<ca>
 [B<-crl_hold instruction>]
 [B<-crl_compromise time>]
 [B<-crl_CA_compromise time>]
-[B<-subj arg>]
 [B<-crldays days>]
 [B<-crlhours hours>]
 [B<-crlexts section>]
@@ -30,6 +29,7 @@ B<openssl> B<ca>
 [B<-key arg>]
 [B<-passin arg>]
 [B<-cert file>]
+[B<-selfsign>]
 [B<-in file>]
 [B<-out file>]
 [B<-notext>]
@@ -44,6 +44,9 @@ B<openssl> B<ca>
 [B<-extensions section>]
 [B<-extfile section>]
 [B<-engine id>]
+[B<-subj arg>]
+[B<-utf8>]
+[B<-multivalue-rdn>]
 
 =head1 DESCRIPTION
 
@@ -113,6 +116,20 @@ the password used to encrypt the private key. Since on some
 systems the command line arguments are visible (e.g. Unix with
 the 'ps' utility) this option should be used with caution.
 
+=item B<-selfsign>
+
+indicates the issued certificates are to be signed with the key
+the certificate requests were signed with (given with B<-keyfile>).
+Cerificate requests signed with a different key are ignored.  If
+B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is
+ignored.
+
+A consequence of using B<-selfsign> is that the self-signed
+certificate appears among the entries in the certificate database
+(see the configuration option B<database>), and uses the same
+serial number counter as all other certificates sign with the
+self-signed certificate.
+
 =item B<-passin arg>
 
 the key password source. For more information about the format of B<arg>
@@ -203,6 +220,28 @@ to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
+=item B<-subj arg>
+
+supersedes subject name given in the request.
+The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
+characters may be escaped by \ (backslash), no spaces are skipped.
+
+=item B<-utf8>
+
+this option causes field values to be interpreted as UTF8 strings, by 
+default they are interpreted as ASCII. This means that the field
+values, whether prompted from a terminal or obtained from a
+configuration file, must be valid UTF8 strings.
+
+=item B<-multivalue-rdn>
+
+this option causes the -subj argument to be interpretedt with full
+support for multivalued RDNs. Example:
+
+I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
+
+If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
+
 =back
 
 =head1 CRL OPTIONS
@@ -253,12 +292,6 @@ B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
 This is the same as B<crl_compromise> except the revocation reason is set to
 B<CACompromise>.
 
-=item B<-subj arg>
-
-supersedes subject name given in the request.
-The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
-characters may be escaped by \ (backslash), no spaces are skipped.
-
 =item B<-crlexts section>
 
 the section of the configuration file containing CRL extensions to
@@ -359,11 +392,27 @@ the same as the B<-md> option. The message digest to use. Mandatory.
 the text database file to use. Mandatory. This file must be present
 though initially it will be empty.
 
+=item B<unique_subject>
+
+if the value B<yes> is given, the valid certificate entries in the
+database must have unique subjects.  if the value B<no> is given,
+several valid certificate entries may have the exact same subject.
+The default value is B<yes>, to be compatible with older (pre 0.9.8)
+versions of OpenSSL.  However, to make CA certificate roll-over easier,
+it's recommended to use the value B<no>, especially if combined with
+the B<-selfsign> command line option.
+
 =item B<serial>
 
 a text file containing the next serial number to use in hex. Mandatory.
 This file must be present and contain a valid serial number.
 
+=item B<crlnumber>
+
+a text file containing the next CRL number to use in hex. The crl number
+will be inserted in the CRLs only if this file exists. If this file is
+present, it must contain a valid CRL number.
+
 =item B<x509_extensions>
 
 the same as B<-extensions>.
@@ -391,7 +440,7 @@ the same as B<-msie_hack>
 the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
 for more information.
 
-=item B<nameopt>, B<certopt>
+=item B<name_opt>, B<cert_opt>
 
 these options allow the format used to display the certificate details
 when asking the user to confirm signing. All the options supported by
@@ -513,8 +562,8 @@ A sample configuration file with the relevant sections for B<ca>:
  policy         = policy_any            # default policy
  email_in_dn    = no                    # Don't add the email into cert DN
 
- nameopt	= ca_default		# Subject name display option
- certopt	= ca_default		# Certificate display option
+ name_opt	= ca_default		# Subject name display option
+ cert_opt	= ca_default		# Certificate display option
  copy_extensions = none			# Don't copy extensions from request
 
  [ policy_any ]
@@ -554,8 +603,7 @@ if corrupted it can be difficult to fix. It is theoretically possible
 to rebuild the index file from all the issued certificates and a current
 CRL: however there is no option to do this.
 
-V2 CRL features like delta CRL support and CRL numbers are not currently
-supported.
+V2 CRL features like delta CRLs are not currently supported.
 
 Although several requests can be input and handled at once it is only
 possible to include one SPKAC or self signed certificate.
@@ -566,12 +614,6 @@ The use of an in memory text database can cause problems when large
 numbers of certificates are present because, as the name implies
 the database has to be kept in memory.
 
-It is not possible to certify two certificates with the same DN: this
-is a side effect of how the text database is indexed and it cannot easily
-be fixed without introducing other problems. Some S/MIME clients can use
-two certificates with the same DN for separate signing and encryption
-keys.
-
 The B<ca> command really needs rewriting or the required functionality
 exposed at either a command or interface level so a more friendly utility
 (perl script or GUI) can handle things properly. The scripts B<CA.sh> and
diff --git a/crypto/openssl/doc/apps/config.pod b/crypto/openssl/doc/apps/config.pod
index 8f823fa6d69d..ace34b62bd2e 100644
--- a/crypto/openssl/doc/apps/config.pod
+++ b/crypto/openssl/doc/apps/config.pod
@@ -1,6 +1,8 @@
 
 =pod
 
+=for comment openssl_manual_section:5
+
 =head1 NAME
 
 config - OpenSSL CONF library configuration files
@@ -105,6 +107,11 @@ as any compliant applications. For example:
  some_new_oid = 1.2.3.4
  some_other_oid = 1.2.3.5
 
+In OpenSSL 0.9.8 it is also possible to set the value to the long name followed
+by a comma and the numerical OID form. For example:
+
+ shortName = some object long name, 1.2.3.4
+
 =head2 ENGINE CONFIGURATION MODULE
 
 This ENGINE configuration module has the name B<engines>. The value of this
diff --git a/crypto/openssl/doc/apps/dgst.pod b/crypto/openssl/doc/apps/dgst.pod
index 1648742bcfe1..b0d198724c6b 100644
--- a/crypto/openssl/doc/apps/dgst.pod
+++ b/crypto/openssl/doc/apps/dgst.pod
@@ -14,6 +14,7 @@ B<openssl> B<dgst>
 [B<-binary>]
 [B<-out filename>]
 [B<-sign filename>]
+[B<-passin arg>]
 [B<-verify filename>]
 [B<-prverify filename>]
 [B<-signature filename>]
@@ -59,6 +60,11 @@ filename to output to, or standard output by default.
 
 digitally sign the digest using the private key in "filename".
 
+=item B<-passin arg>
+
+the private key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
 =item B<-verify filename>
 
 verify the signature using the the public key in "filename".
diff --git a/crypto/openssl/doc/apps/ec.pod b/crypto/openssl/doc/apps/ec.pod
new file mode 100644
index 000000000000..1d4a36dbf403
--- /dev/null
+++ b/crypto/openssl/doc/apps/ec.pod
@@ -0,0 +1,190 @@
+=pod
+
+=head1 NAME
+
+ec - EC key processing
+
+=head1 SYNOPSIS
+
+B<openssl> B<ec>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-passin arg>]
+[B<-out filename>]
+[B<-passout arg>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-text>]
+[B<-noout>]
+[B<-param_out>]
+[B<-pubin>]
+[B<-pubout>]
+[B<-conv_form arg>]
+[B<-param_enc arg>]
+[B<-engine id>]
+
+=head1 DESCRIPTION
+
+The B<ec> command processes EC keys. They can be converted between various
+forms and their components printed out. B<Note> OpenSSL uses the 
+private key format specified in 'SEC 1: Elliptic Curve Cryptography'
+(http://www.secg.org/). To convert a OpenSSL EC private key into the
+PKCS#8 private key format use the B<pkcs8> command.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option with a private key uses
+an ASN.1 DER encoded SEC1 private key. When used with a public key it
+uses the SubjectPublicKeyInfo structur as specified in RFC 3280.
+The B<PEM> form is the default format: it consists of the B<DER> format base64
+encoded with additional header and footer lines. In the case of a private key
+PKCS#8 format is also accepted.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+
+=item B<-passin arg>
+
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-out filename>
+
+This specifies the output filename to write a key to or standard output by
+is not specified. If any encryption options are set then a pass phrase will be
+prompted for. The output filename should B<not> be the same as the input
+filename.
+
+=item B<-passout arg>
+
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-des|-des3|-idea>
+
+These options encrypt the private key with the DES, triple DES, IDEA or 
+any other cipher supported by OpenSSL before outputting it. A pass phrase is
+prompted for.
+If none of these options is specified the key is written in plain text. This
+means that using the B<ec> utility to read in an encrypted key with no
+encryption option can be used to remove the pass phrase from a key, or by
+setting the encryption options it can be use to add or change the pass phrase.
+These options can only be used with PEM format output files.
+
+=item B<-text>
+
+prints out the public, private key components and parameters.
+
+=item B<-noout>
+
+this option prevents output of the encoded version of the key.
+
+=item B<-modulus>
+
+this option prints out the value of the public key component of the key.
+
+=item B<-pubin>
+
+by default a private key is read from the input file: with this option a
+public key is read instead.
+
+=item B<-pubout>
+
+by default a private key is output. With this option a public
+key will be output instead. This option is automatically set if the input is
+a public key.
+
+=item B<-conv_form>
+
+This specifies how the points on the elliptic curve are converted
+into octet strings. Possible values are: B<compressed> (the default
+value), B<uncompressed> and B<hybrid>. For more information regarding
+the point conversion forms please read the X9.62 standard.
+B<Note> Due to patent issues the B<compressed> option is disabled
+by default for binary curves and can be enabled by defining
+the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
+
+=item B<-param_enc arg>
+
+This specifies how the elliptic curve parameters are encoded.
+Possible value are: B<named_curve>, i.e. the ec parameters are
+specified by a OID, or B<explicit> where the ec parameters are
+explicitly given (see RFC 3279 for the definition of the 
+EC parameters structures). The default value is B<named_curve>.
+B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279,
+is currently not implemented in OpenSSL.
+
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
+=back
+
+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN EC PRIVATE KEY-----
+ -----END EC PRIVATE KEY-----
+
+The PEM public key format uses the header and footer lines:
+
+ -----BEGIN PUBLIC KEY-----
+ -----END PUBLIC KEY-----
+
+=head1 EXAMPLES
+
+To encrypt a private key using triple DES:
+
+ openssl ec -in key.pem -des3 -out keyout.pem
+
+To convert a private key from PEM to DER format: 
+
+ openssl ec -in key.pem -outform DER -out keyout.der
+
+To print out the components of a private key to standard output:
+
+ openssl ec -in key.pem -text -noout
+
+To just output the public part of a private key:
+
+ openssl ec -in key.pem -pubout -out pubkey.pem
+
+To change the parameters encoding to B<explicit>:
+
+ openssl ec -in key.pem -param_enc explicit -out keyout.pem
+
+To change the point conversion form to B<compressed>:
+
+ openssl ec -in key.pem -conv_form compressed -out keyout.pem
+
+=head1 SEE ALSO
+
+L<ecparam(1)|ecparam(1)>, L<dsa(1)|dsa(1)>, L<rsa(1)|rsa(1)>
+
+=head1 HISTORY
+
+The ec command was first introduced in OpenSSL 0.9.8.
+
+=head1 AUTHOR
+
+Nils Larsch for the OpenSSL project (http://www.openssl.org).
+
+=cut
diff --git a/crypto/openssl/doc/apps/ecparam.pod b/crypto/openssl/doc/apps/ecparam.pod
new file mode 100644
index 000000000000..1a12105da733
--- /dev/null
+++ b/crypto/openssl/doc/apps/ecparam.pod
@@ -0,0 +1,179 @@
+=pod
+
+=head1 NAME
+
+ecparam - EC parameter manipulation and generation
+
+=head1 SYNOPSIS
+
+B<openssl ecparam>
+[B<-inform DER|PEM>]
+[B<-outform DER|PEM>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-noout>]
+[B<-text>]
+[B<-C>]
+[B<-check>]
+[B<-name arg>]
+[B<-list_curve>]
+[B<-conv_form arg>]
+[B<-param_enc arg>]
+[B<-no_seed>]
+[B<-rand file(s)>]
+[B<-genkey>]
+[B<-engine id>]
+
+=head1 DESCRIPTION
+
+This command is used to manipulate or generate EC parameter files.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option uses an ASN.1 DER encoded
+form compatible with RFC 3279 EcpkParameters. The PEM form is the default
+format: it consists of the B<DER> format base64 encoded with additional 
+header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read parameters from or standard input if
+this option is not specified.
+
+=item B<-out filename>
+
+This specifies the output filename parameters to. Standard output is used
+if this option is not present. The output filename should B<not> be the same
+as the input filename.
+
+=item B<-noout>
+
+This option inhibits the output of the encoded version of the parameters.
+
+=item B<-text>
+
+This option prints out the EC parameters in human readable form.
+
+=item B<-C>
+
+This option converts the EC parameters into C code. The parameters can then
+be loaded by calling the B<get_ec_group_XXX()> function.
+
+=item B<-check>
+
+Validate the elliptic curve parameters.
+
+=item B<-name arg>
+
+Use the EC parameters with the specified 'short' name. Use B<-list_curves>
+to get a list of all currently implemented EC parameters.
+
+=item B<-list_curves>
+
+If this options is specified B<ecparam> will print out a list of all
+currently implemented EC parameters names and exit.
+
+=item B<-conv_form>
+
+This specifies how the points on the elliptic curve are converted
+into octet strings. Possible values are: B<compressed> (the default
+value), B<uncompressed> and B<hybrid>. For more information regarding
+the point conversion forms please read the X9.62 standard.
+B<Note> Due to patent issues the B<compressed> option is disabled
+by default for binary curves and can be enabled by defining
+the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
+
+=item B<-param_enc arg>
+
+This specifies how the elliptic curve parameters are encoded.
+Possible value are: B<named_curve>, i.e. the ec parameters are
+specified by a OID, or B<explicit> where the ec parameters are
+explicitly given (see RFC 3279 for the definition of the 
+EC parameters structures). The default value is B<named_curve>.
+B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279,
+is currently not implemented in OpenSSL.
+
+=item B<-no_seed>
+
+This option inhibits that the 'seed' for the parameter generation
+is included in the ECParameters structure (see RFC 3279).
+
+=item B<-genkey>
+
+This option will generate a EC private key using the specified parameters.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
+=back
+
+=head1 NOTES
+
+PEM format EC parameters use the header and footer lines:
+
+ -----BEGIN EC PARAMETERS-----
+ -----END EC PARAMETERS-----
+
+OpenSSL is currently not able to generate new groups and therefore
+B<ecparam> can only create EC parameters from known (named) curves. 
+
+=head1 EXAMPLES
+
+To create EC parameters with the group 'prime192v1':
+
+  openssl ecparam -out ec_param.pem -name prime192v1
+
+To create EC parameters with explicit parameters:
+
+  openssl ecparam -out ec_param.pem -name prime192v1 -param_enc explicit
+
+To validate given EC parameters:
+
+  openssl ecparam -in ec_param.pem -check
+
+To create EC parameters and a private key:
+
+  openssl ecparam -out ec_key.pem -name prime192v1 -genkey
+
+To change the point encoding to 'compressed':
+
+  openssl ecparam -in ec_in.pem -out ec_out.pem -conv_form compressed
+
+To print out the EC parameters to standard output:
+
+  openssl ecparam -in ec_param.pem -noout -text
+
+=head1 SEE ALSO
+
+L<ec(1)|ec(1)>, L<dsaparam(1)|dsaparam(1)>
+
+=head1 HISTORY
+
+The ecparam command was first introduced in OpenSSL 0.9.8.
+
+=head1 AUTHOR
+
+Nils Larsch for the OpenSSL project (http://www.openssl.org)
+
+=cut
diff --git a/crypto/openssl/doc/apps/enc.pod b/crypto/openssl/doc/apps/enc.pod
index 18fe7c81c720..c43da5b3f1ee 100644
--- a/crypto/openssl/doc/apps/enc.pod
+++ b/crypto/openssl/doc/apps/enc.pod
@@ -191,12 +191,12 @@ Blowfish and RC5 algorithms use a 128 bit key.
  des-ecb            DES in ECB mode
 
  des-ede-cbc        Two key triple DES EDE in CBC mode
- des-ede            Alias for des-ede
+ des-ede            Two key triple DES EDE in ECB mode
  des-ede-cfb        Two key triple DES EDE in CFB mode
  des-ede-ofb        Two key triple DES EDE in OFB mode
 
  des-ede3-cbc       Three key triple DES EDE in CBC mode
- des-ede3           Alias for des-ede3-cbc
+ des-ede3           Three key triple DES EDE in ECB mode
  des3               Alias for des-ede3-cbc
  des-ede3-cfb       Three key triple DES EDE CFB mode
  des-ede3-ofb       Three key triple DES EDE in OFB mode
@@ -211,9 +211,9 @@ Blowfish and RC5 algorithms use a 128 bit key.
 
  rc2-cbc            128 bit RC2 in CBC mode
  rc2                Alias for rc2-cbc
- rc2-cfb            128 bit RC2 in CBC mode
- rc2-ecb            128 bit RC2 in CBC mode
- rc2-ofb            128 bit RC2 in CBC mode
+ rc2-cfb            128 bit RC2 in CFB mode
+ rc2-ecb            128 bit RC2 in ECB mode
+ rc2-ofb            128 bit RC2 in OFB mode
  rc2-64-cbc         64 bit RC2 in CBC mode
  rc2-40-cbc         40 bit RC2 in CBC mode
 
@@ -223,9 +223,9 @@ Blowfish and RC5 algorithms use a 128 bit key.
 
  rc5-cbc            RC5 cipher in CBC mode
  rc5                Alias for rc5-cbc
- rc5-cfb            RC5 cipher in CBC mode
- rc5-ecb            RC5 cipher in CBC mode
- rc5-ofb            RC5 cipher in CBC mode
+ rc5-cfb            RC5 cipher in CFB mode
+ rc5-ecb            RC5 cipher in ECB mode
+ rc5-ofb            RC5 cipher in OFB mode
 
 =head1 EXAMPLES
 
diff --git a/crypto/openssl/doc/apps/errstr.pod b/crypto/openssl/doc/apps/errstr.pod
new file mode 100644
index 000000000000..b3c6ccfc9cbd
--- /dev/null
+++ b/crypto/openssl/doc/apps/errstr.pod
@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+errstr - lookup error codes
+
+=head1 SYNOPSIS
+
+B<openssl errstr error_code>
+
+=head1 DESCRIPTION
+
+Sometimes an application will not load error message and only
+numerical forms will be available. The B<errstr> utility can be used to 
+display the meaning of the hex code. The hex code is the hex digits after the
+second colon.
+
+=head1 EXAMPLE
+
+The error code:
+
+ 27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107:
+
+can be displayed with:
+ 
+ openssl errstr 2006D080
+
+to produce the error message:
+
+ error:2006D080:BIO routines:BIO_new_file:no such file
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>,
+L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
+L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+
+
+=cut
diff --git a/crypto/openssl/doc/apps/req.pod b/crypto/openssl/doc/apps/req.pod
index e2b5d0d8ec22..82b565c9d4f3 100644
--- a/crypto/openssl/doc/apps/req.pod
+++ b/crypto/openssl/doc/apps/req.pod
@@ -30,6 +30,7 @@ B<openssl> B<req>
 [B<-[md5|sha1|md2|mdc2]>]
 [B<-config filename>]
 [B<-subj arg>]
+[B<-multivalue-rdn>]
 [B<-x509>]
 [B<-days n>]
 [B<-set_serial n>]
@@ -173,6 +174,15 @@ when processing a request.
 The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
 characters may be escaped by \ (backslash), no spaces are skipped.
 
+=item B<-multivalue-rdn>
+
+this option causes the -subj argument to be interpreted with full
+support for multivalued RDNs. Example:
+
+I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
+
+If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
+
 =item B<-x509>
 
 this option outputs a self signed certificate instead of a certificate
diff --git a/crypto/openssl/doc/apps/s_client.pod b/crypto/openssl/doc/apps/s_client.pod
index 8d19079973a4..e1e1ba9865d0 100644
--- a/crypto/openssl/doc/apps/s_client.pod
+++ b/crypto/openssl/doc/apps/s_client.pod
@@ -11,7 +11,10 @@ B<openssl> B<s_client>
 [B<-connect host:port>]
 [B<-verify depth>]
 [B<-cert filename>]
+[B<-certform DER|PEM>]
 [B<-key filename>]
+[B<-keyform DER|PEM>]
+[B<-pass arg>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
 [B<-reconnect>]
@@ -57,11 +60,24 @@ then an attempt is made to connect to the local host on port 4433.
 The certificate to use, if one is requested by the server. The default is
 not to use a certificate.
 
+=item B<-certform format>
+
+The certificate format to use: DER or PEM. PEM is the default.
+
 =item B<-key keyfile>
 
 The private key to use. If not specified then the certificate file will
 be used.
 
+=item B<-keyform format>
+
+The private format to use: DER or PEM. PEM is the default.
+
+=item B<-pass arg>
+
+the private key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
 =item B<-verify depth>
 
 The verify depth to use. This specifies the maximum length of the
diff --git a/crypto/openssl/doc/apps/s_server.pod b/crypto/openssl/doc/apps/s_server.pod
index 1d21921e47d1..7c1a9581d961 100644
--- a/crypto/openssl/doc/apps/s_server.pod
+++ b/crypto/openssl/doc/apps/s_server.pod
@@ -13,9 +13,15 @@ B<openssl> B<s_server>
 [B<-verify depth>]
 [B<-Verify depth>]
 [B<-cert filename>]
+[B<-certform DER|PEM>]
 [B<-key keyfile>]
+[B<-keyform DER|PEM>]
+[B<-pass arg>]
 [B<-dcert filename>]
+[B<-dcertform DER|PEM>]
 [B<-dkey keyfile>]
+[B<-dkeyform DER|PEM>]
+[B<-dpass arg>]
 [B<-dhparam filename>]
 [B<-nbio>]
 [B<-nbio_test>]
@@ -70,11 +76,24 @@ certificate and some require a certificate with a certain public key type:
 for example the DSS cipher suites require a certificate containing a DSS
 (DSA) key. If not specified then the filename "server.pem" will be used.
 
+=item B<-certform format>
+
+The certificate format to use: DER or PEM. PEM is the default.
+
 =item B<-key keyfile>
 
 The private key to use. If not specified then the certificate file will
 be used.
 
+=item B<-keyform format>
+
+The private format to use: DER or PEM. PEM is the default.
+
+=item B<-pass arg>
+
+the private key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
 =item B<-dcert filename>, B<-dkey keyname>
 
 specify an additional certificate and private key, these behave in the
@@ -86,6 +105,10 @@ and some a DSS (DSA) key. By using RSA and DSS certificates and keys
 a server can support clients which only support RSA or DSS cipher suites
 by using an appropriate certificate.
 
+=item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg>
+
+addtional certificate and private key format and passphrase respectively.
+
 =item B<-nocert>
 
 if this option is set then no certificate is used. This restricts the
diff --git a/crypto/openssl/doc/apps/x509.pod b/crypto/openssl/doc/apps/x509.pod
index 50343cd68543..a46378f0baae 100644
--- a/crypto/openssl/doc/apps/x509.pod
+++ b/crypto/openssl/doc/apps/x509.pod
@@ -17,6 +17,8 @@ B<openssl> B<x509>
 [B<-out filename>]
 [B<-serial>]
 [B<-hash>]
+[B<-subject_hash>]
+[B<-issuer_hash>]
 [B<-subject>]
 [B<-issuer>]
 [B<-nameopt option>]
@@ -96,8 +98,8 @@ default.
 
 the digest to use. This affects any signing or display option that uses a message
 digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
-specified then MD5 is used. If the key being used to sign with is a DSA key then
-this option has no effect: SHA1 is always used with DSA keys.
+specified then SHA1 is used. If the key being used to sign with is a DSA key
+then this option has no effect: SHA1 is always used with DSA keys.
 
 =item B<-engine id>
 
@@ -141,12 +143,20 @@ contained in the certificate.
 
 outputs the certificate serial number.
 
-=item B<-hash>
+=item B<-subject_hash>
 
 outputs the "hash" of the certificate subject name. This is used in OpenSSL to
 form an index to allow certificates in a directory to be looked up by subject
 name.
 
+=item B<-issuer_hash>
+
+outputs the "hash" of the certificate issuer name.
+
+=item B<-hash>
+
+synonym for "-hash" for backward compatibility reasons.
+
 =item B<-subject>
 
 outputs the subject name.
@@ -815,4 +825,8 @@ OpenSSL 0.9.5 and later.
 L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
 L<gendsa(1)|gendsa(1)>, L<verify(1)|verify(1)>
 
+=head1 HISTORY
+
+Before OpenSSL 0.9.8, the default digest for RSA keys was MD5.
+
 =cut
diff --git a/crypto/openssl/doc/apps/x509v3_config.pod b/crypto/openssl/doc/apps/x509v3_config.pod
new file mode 100644
index 000000000000..38c46e85c461
--- /dev/null
+++ b/crypto/openssl/doc/apps/x509v3_config.pod
@@ -0,0 +1,456 @@
+=pod
+
+=for comment openssl_manual_section:5
+
+=head1 NAME
+
+x509v3_config - X509 V3 certificate extension configuration format
+
+=head1 DESCRIPTION
+
+Several of the OpenSSL utilities can add extensions to a certificate or
+certificate request based on the contents of a configuration file.
+
+Typically the application will contain an option to point to an extension
+section. Each line of the extension section takes the form:
+
+ extension_name=[critical,] extension_options
+
+If B<critical> is present then the extension will be critical.
+
+The format of B<extension_options> depends on the value of B<extension_name>.
+
+There are four main types of extension: I<string> extensions, I<multi-valued>
+extensions, I<raw> and I<arbitrary> extensions.
+
+String extensions simply have a string which contains either the value itself
+or how it is obtained.
+
+For example:
+
+ nsComment="This is a Comment"
+
+Multi-valued extensions have a short form and a long form. The short form
+is a list of names and values:
+
+ basicConstraints=critical,CA:true,pathlen:1
+
+The long form allows the values to be placed in a separate section:
+
+ basicConstraints=critical,@bs_section
+
+ [bs_section]
+
+ CA=true
+ pathlen=1
+
+Both forms are equivalent.
+
+The syntax of raw extensions is governed by the extension code: it can
+for example contain data in multiple sections. The correct syntax to
+use is defined by the extension code itself: check out the certificate
+policies extension for an example.
+
+If an extension type is unsupported then the I<arbitrary> extension syntax
+must be used, see the L<ARBITRART EXTENSIONS|/"ARBITRARY EXTENSIONS"> section for more details.
+
+=head1 STANDARD EXTENSIONS
+
+The following sections describe each supported extension in detail.
+
+=head2 Basic Constraints.
+
+This is a multi valued extension which indicates whether a certificate is
+a CA certificate. The first (mandatory) name is B<CA> followed by B<TRUE> or
+B<FALSE>. If B<CA> is B<TRUE> then an optional B<pathlen> name followed by an
+non-negative value can be included.
+
+For example:
+
+ basicConstraints=CA:TRUE
+
+ basicConstraints=CA:FALSE
+
+ basicConstraints=critical,CA:TRUE, pathlen:0
+
+A CA certificate B<must> include the basicConstraints value with the CA field
+set to TRUE. An end user certificate must either set CA to FALSE or exclude the
+extension entirely. Some software may require the inclusion of basicConstraints
+with CA set to FALSE for end entity certificates.
+
+The pathlen parameter indicates the maximum number of CAs that can appear
+below this one in a chain. So if you have a CA with a pathlen of zero it can
+only be used to sign end user certificates and not further CAs.
+
+
+=head2 Key Usage.
+
+Key usage is a multi valued extension consisting of a list of names of the
+permitted key usages.
+
+The supporte names are: digitalSignature, nonRepudiation, keyEncipherment,
+dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly
+and decipherOnly.
+
+Examples:
+
+ keyUsage=digitalSignature, nonRepudiation
+
+ keyUsage=critical, keyCertSign
+
+
+=head2 Extended Key Usage.
+
+This extensions consists of a list of usages indicating purposes for which
+the certificate public key can be used for,
+
+These can either be object short names of the dotted numerical form of OIDs.
+While any OID can be used only certain values make sense. In particular the
+following PKIX, NS and MS values are meaningful:
+
+ Value			Meaning
+ -----			-------
+ serverAuth		SSL/TLS Web Server Authentication.
+ clientAuth		SSL/TLS Web Client Authentication.
+ codeSigning		Code signing.
+ emailProtection	E-mail Protection (S/MIME).
+ timeStamping		Trusted Timestamping
+ msCodeInd		Microsoft Individual Code Signing (authenticode)
+ msCodeCom		Microsoft Commercial Code Signing (authenticode)
+ msCTLSign		Microsoft Trust List Signing
+ msSGC			Microsoft Server Gated Crypto
+ msEFS			Microsoft Encrypted File System
+ nsSGC			Netscape Server Gated Crypto
+
+Examples:
+
+ extendedKeyUsage=critical,codeSigning,1.2.3.4
+ extendedKeyUsage=nsSGC,msSGC
+
+
+=head2 Subject Key Identifier.
+
+This is really a string extension and can take two possible values. Either
+the word B<hash> which will automatically follow the guidelines in RFC3280
+or a hex string giving the extension value to include. The use of the hex
+string is strongly discouraged.
+
+Example:
+
+ subjectKeyIdentifier=hash
+
+
+=head2 Authority Key Identifier.
+
+The authority key identifier extension permits two options. keyid and issuer:
+both can take the optional value "always".
+
+If the keyid option is present an attempt is made to copy the subject key
+identifier from the parent certificate. If the value "always" is present
+then an error is returned if the option fails.
+
+The issuer option copies the issuer and serial number from the issuer
+certificate. This will only be done if the keyid option fails or
+is not included unless the "always" flag will always include the value.
+
+Example:
+
+ authorityKeyIdentifier=keyid,issuer
+
+
+=head2 Subject Alternative Name.
+
+The subject alternative name extension allows various literal values to be
+included in the configuration file. These include B<email> (an email address)
+B<URI> a uniform resource indicator, B<DNS> (a DNS domain name), B<RID> (a
+registered ID: OBJECT IDENTIFIER), B<IP> (an IP address), B<dirName>
+(a distinguished name) and otherName.
+
+The email option include a special 'copy' value. This will automatically
+include and email addresses contained in the certificate subject name in
+the extension.
+
+The IP address used in the B<IP> options can be in either IPv4 or IPv6 format.
+
+The value of B<dirName> should point to a section containing the distinguished
+name to use as a set of name value pairs. Multi values AVAs can be formed by
+preceeding the name with a B<+> character.
+
+otherName can include arbitrary data associated with an OID: the value
+should be the OID followed by a semicolon and the content in standard
+ASN1_generate_nconf() format.
+
+Examples:
+
+ subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
+ subjectAltName=IP:192.168.7.1
+ subjectAltName=IP:13::17
+ subjectAltName=email:my@other.address,RID:1.2.3.4
+ subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
+
+ subjectAltName=dirName:dir_sect
+
+ [dir_sect]
+ C=UK
+ O=My Organization
+ OU=My Unit
+ CN=My Name
+
+
+=head2 Issuer Alternative Name.
+
+The issuer alternative name option supports all the literal options of
+subject alternative name. It does B<not> support the email:copy option because
+that would not make sense. It does support an additional issuer:copy option
+that will copy all the subject alternative name values from the issuer 
+certificate (if possible).
+
+Example:
+
+ issuserAltName = issuer:copy
+
+
+=head2 Authority Info Access.
+
+The authority information access extension gives details about how to access
+certain information relating to the CA. Its syntax is accessOID;location
+where I<location> has the same syntax as subject alternative name (except
+that email:copy is not supported). accessOID can be any valid OID but only
+certain values are meaningful, for example OCSP and caIssuers.
+
+Example:
+
+ authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+ authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
+
+
+=head2 CRL distribution points.
+
+This is a multi-valued extension that supports all the literal options of
+subject alternative name. Of the few software packages that currently interpret
+this extension most only interpret the URI option.
+
+Currently each option will set a new DistributionPoint with the fullName
+field set to the given value.
+
+Other fields like cRLissuer and reasons cannot currently be set or displayed:
+at this time no examples were available that used these fields.
+
+Examples:
+
+ crlDistributionPoints=URI:http://myhost.com/myca.crl
+ crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl
+
+=head2 Certificate Policies.
+
+This is a I<raw> extension. All the fields of this extension can be set by
+using the appropriate syntax.
+
+If you follow the PKIX recommendations and just using one OID then you just
+include the value of that OID. Multiple OIDs can be set separated by commas,
+for example:
+
+ certificatePolicies= 1.2.4.5, 1.1.3.4
+
+If you wish to include qualifiers then the policy OID and qualifiers need to
+be specified in a separate section: this is done by using the @section syntax
+instead of a literal OID value.
+
+The section referred to must include the policy OID using the name
+policyIdentifier, cPSuri qualifiers can be included using the syntax:
+
+ CPS.nnn=value
+
+userNotice qualifiers can be set using the syntax:
+
+ userNotice.nnn=@notice
+
+The value of the userNotice qualifier is specified in the relevant section.
+This section can include explicitText, organization and noticeNumbers
+options. explicitText and organization are text strings, noticeNumbers is a
+comma separated list of numbers. The organization and noticeNumbers options
+(if included) must BOTH be present. If you use the userNotice option with IE5
+then you need the 'ia5org' option at the top level to modify the encoding:
+otherwise it will not be interpreted properly.
+
+Example:
+
+ certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
+
+ [polsect]
+
+ policyIdentifier = 1.3.5.8
+ CPS.1="http://my.host.name/"
+ CPS.2="http://my.your.name/"
+ userNotice.1=@notice
+
+ [notice]
+
+ explicitText="Explicit Text Here"
+ organization="Organisation Name"
+ noticeNumbers=1,2,3,4
+
+The B<ia5org> option changes the type of the I<organization> field. In RFC2459
+it can only be of type DisplayText. In RFC3280 IA5Strring is also permissible.
+Some software (for example some versions of MSIE) may require ia5org.
+
+=head2 Policy Constraints
+
+This is a multi-valued extension which consisting of the names
+B<requireExplicitPolicy> or B<inhibitPolicyMapping> and a non negative intger
+value. At least one component must be present.
+
+Example:
+
+ policyConstraints = requireExplicitPolicy:3
+
+
+=head2 Inhibit Any Policy
+
+This is a string extension whose value must be a non negative integer.
+
+Example:
+
+ inhibitAnyPolicy = 2
+
+
+=head2 Name Constraints
+
+The name constraints extension is a multi-valued extension. The name should
+begin with the word B<permitted> or B<excluded> followed by a B<;>. The rest of
+the name and the value follows the syntax of subjectAltName except email:copy
+is not supported and the B<IP> form should consist of an IP addresses and 
+subnet mask separated by a B</>.
+
+Examples:
+
+ nameConstraints=permitted;IP:192.168.0.0/255.255.0.0
+
+ nameConstraints=permitted;email:.somedomain.com
+
+ nameConstraints=excluded;email:.com
+
+=head1 DEPRECATED EXTENSIONS
+
+The following extensions are non standard, Netscape specific and largely
+obsolete. Their use in new applications is discouraged.
+
+=head2 Netscape String extensions.
+
+Netscape Comment (B<nsComment>) is a string extension containing a comment
+which will be displayed when the certificate is viewed in some browsers.
+
+Example:
+
+ nsComment = "Some Random Comment"
+
+Other supported extensions in this category are: B<nsBaseUrl>,
+B<nsRevocationUrl>, B<nsCaRevocationUrl>, B<nsRenewalUrl>, B<nsCaPolicyUrl>
+and B<nsSslServerName>.
+
+
+=head2 Netscape Certificate Type
+
+This is a multi-valued extensions which consists of a list of flags to be
+included. It was used to indicate the purposes for which a certificate could
+be used. The basicConstraints, keyUsage and extended key usage extensions are
+now used instead.
+
+Acceptable values for nsCertType are: B<client>, B<server>, B<email>,
+B<objsign>, B<reserved>, B<sslCA>, B<emailCA>, B<objCA>.
+
+
+=head1 ARBITRARY EXTENSIONS
+
+If an extension is not supported by the OpenSSL code then it must be encoded
+using the arbitrary extension format. It is also possible to use the arbitrary
+format for supported extensions. Extreme care should be taken to ensure that
+the data is formatted correctly for the given extension type.
+
+There are two ways to encode arbitrary extensions.
+
+The first way is to use the word ASN1 followed by the extension content
+using the same syntax as ASN1_generate_nconf(). For example:
+
+ 1.2.3.4=critical,ASN1:UTF8String:Some random data
+
+ 1.2.3.4=ASN1:SEQUENCE:seq_sect
+
+ [seq_sect]
+
+ field1 = UTF8:field1
+ field2 = UTF8:field2
+
+It is also possible to use the word DER to include the raw encoded data in any
+extension.
+
+ 1.2.3.4=critical,DER:01:02:03:04
+ 1.2.3.4=DER:01020304
+
+The value following DER is a hex dump of the DER encoding of the extension
+Any extension can be placed in this form to override the default behaviour.
+For example:
+
+ basicConstraints=critical,DER:00:01:02:03
+
+=head1 WARNING
+
+There is no guarantee that a specific implementation will process a given
+extension. It may therefore be sometimes possible to use certificates for
+purposes prohibited by their extensions because a specific application does
+not recognize or honour the values of the relevant extensions.
+
+The DER and ASN1 options should be used with caution. It is possible to create
+totally invalid extensions if they are not used carefully.
+
+
+=head1 NOTES
+
+If an extension is multi-value and a field value must contain a comma the long
+form must be used otherwise the comma would be misinterpreted as a field
+separator. For example:
+
+ subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
+
+will produce an error but the equivalent form:
+
+ subjectAltName=@subject_alt_section
+
+ [subject_alt_section]
+ subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
+
+is valid. 
+
+Due to the behaviour of the OpenSSL B<conf> library the same field name
+can only occur once in a section. This means that:
+
+ subjectAltName=@alt_section
+
+ [alt_section]
+
+ email=steve@here
+ email=steve@there
+
+will only recognize the last value. This can be worked around by using the form:
+
+ [alt_section]
+
+ email.1=steve@here
+ email.2=steve@there
+
+=head1 HISTORY
+
+The X509v3 extension code was first added to OpenSSL 0.9.2.
+
+Policy mappings, inhibit any policy and name constraints support was added in
+OpenSSL 0.9.8
+
+The B<directoryName> and B<otherName> option as well as the B<ASN1> option
+for arbitrary extensions was added in OpenSSL 0.9.8
+
+=head1 SEE ALSO
+
+L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)>
+
+
+=cut
diff --git a/crypto/openssl/doc/crypto/ASN1_STRING_print_ex.pod b/crypto/openssl/doc/crypto/ASN1_STRING_print_ex.pod
index fbf9a1f1412e..d662225b87ad 100644
--- a/crypto/openssl/doc/crypto/ASN1_STRING_print_ex.pod
+++ b/crypto/openssl/doc/crypto/ASN1_STRING_print_ex.pod
@@ -30,8 +30,8 @@ with '.'.
 
 ASN1_STRING_print() is a legacy function which should be avoided in new applications.
 
-Although there are a large number of options frequently B<ASN1_STRFLAGS_RFC2253> is 
-suitable, or on UTF8 terminals B<ASN1_STRFLAGS_RFC2253 & ~ASN1_STRFLAGS_ESC_MSB>.
+Although there are a large number of options frequently B<ASN1_STRFLGS_RFC2253> is 
+suitable, or on UTF8 terminals B<ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB>.
 
 The complete set of supported options for B<flags> is listed below.
 
@@ -72,7 +72,7 @@ octet.
 If B<ASN1_STRFLGS_DUMP_ALL> is set then any type is dumped.
 
 Normally non character string types (such as OCTET STRING) are assumed to be
-one byte per character, if B<ASN1_STRFLAGS_DUMP_UNKNOWN> is set then they will
+one byte per character, if B<ASN1_STRFLGS_DUMP_UNKNOWN> is set then they will
 be dumped instead.
 
 When a type is dumped normally just the content octets are printed, if 
diff --git a/crypto/openssl/doc/crypto/ASN1_generate_nconf.pod b/crypto/openssl/doc/crypto/ASN1_generate_nconf.pod
new file mode 100644
index 000000000000..ba6e3c2e8140
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ASN1_generate_nconf.pod
@@ -0,0 +1,253 @@
+=pod
+
+=head1 NAME
+
+ASN1_generate_nconf, ASN1_generate_v3 - ASN1 generation functions
+
+=head1 SYNOPSIS
+
+ ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf);
+ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf);
+
+=head1 DESCRIPTION
+
+These functions generate the ASN1 encoding of a string
+in an B<ASN1_TYPE> structure.
+
+B<str> contains the string to encode B<nconf> or B<cnf> contains
+the optional configuration information where additional strings
+will be read from. B<nconf> will typically come from a config
+file wherease B<cnf> is obtained from an B<X509V3_CTX> structure
+which will typically be used by X509 v3 certificate extension
+functions. B<cnf> or B<nconf> can be set to B<NULL> if no additional
+configuration will be used.
+
+=head1 GENERATION STRING FORMAT
+
+The actual data encoded is determined by the string B<str> and
+the configuration information. The general format of the string
+is:
+
+ B<[modifier,]type[:value]>
+
+That is zero or more comma separated modifiers followed by a type
+followed by an optional colon and a value. The formats of B<type>,
+B<value> and B<modifier> are explained below.
+
+=head2 SUPPORTED TYPES
+
+The supported types are listed below. Unless otherwise specified
+only the B<ASCII> format is permissible.
+
+=over 2
+
+=item B<BOOLEAN>, B<BOOL>
+
+This encodes a boolean type. The B<value> string is mandatory and
+should be B<TRUE> or B<FALSE>. Additionally B<TRUE>, B<true>, B<Y>,
+B<y>, B<YES>, B<yes>, B<FALSE>, B<false>, B<N>, B<n>, B<NO> and B<no>
+are acceptable. 
+
+=item B<NULL>
+
+Encode the B<NULL> type, the B<value> string must not be present.
+
+=item B<INTEGER>, B<INT>
+
+Encodes an ASN1 B<INTEGER> type. The B<value> string represents
+the value of the integer, it can be preceeded by a minus sign and
+is normally interpreted as a decimal value unless the prefix B<0x>
+is included.
+
+=item B<ENUMERATED>, B<ENUM>
+
+Encodes the ASN1 B<ENUMERATED> type, it is otherwise identical to
+B<INTEGER>.
+
+=item B<OBJECT>, B<OID>
+
+Encodes an ASN1 B<OBJECT IDENTIFIER>, the B<value> string can be
+a short name, a long name or numerical format.
+
+=item B<UTCTIME>, B<UTC>
+
+Encodes an ASN1 B<UTCTime> structure, the value should be in
+the format B<YYMMDDHHMMSSZ>. 
+
+=item B<GENERALIZEDTIME>, B<GENTIME>
+
+Encodes an ASN1 B<GeneralizedTime> structure, the value should be in
+the format B<YYYYMMDDHHMMSSZ>. 
+
+=item B<OCTETSTRING>, B<OCT>
+
+Emcodes an ASN1 B<OCTET STRING>. B<value> represents the contents
+of this structure, the format strings B<ASCII> and B<HEX> can be
+used to specify the format of B<value>.
+
+=item B<BITSRING>, B<BITSTR>
+
+Emcodes an ASN1 B<BIT STRING>. B<value> represents the contents
+of this structure, the format strings B<ASCII>, B<HEX> and B<BITLIST>
+can be used to specify the format of B<value>.
+
+If the format is anything other than B<BITLIST> the number of unused
+bits is set to zero.
+
+=item B<UNIVERSALSTRING>, B<UNIV>, B<IA5>, B<IA5STRING>, B<UTF8>,
+B<UTF8String>, B<BMP>, B<BMPSTRING>, B<VISIBLESTRING>,
+B<VISIBLE>, B<PRINTABLESTRING>, B<PRINTABLE>, B<T61>,
+B<T61STRING>, B<TELETEXSTRING>, B<GeneralString>
+
+These encode the corresponding string types. B<value> represents the
+contents of this structure. The format can be B<ASCII> or B<UTF8>.
+
+=item B<SEQUENCE>, B<SEQ>, B<SET>
+
+Formats the result as an ASN1 B<SEQUENCE> or B<SET> type. B<value>
+should be a section name which will contain the contents. The
+field names in the section are ignored and the values are in the
+generated string format. If B<value> is absent then an empty SEQUENCE
+will be encoded.
+
+=back
+
+=head2 MODIFIERS
+
+Modifiers affect the following structure, they can be used to
+add EXPLICIT or IMPLICIT tagging, add wrappers or to change
+the string format of the final type and value. The supported
+formats are documented below.
+
+=over 2
+
+=item B<EXPLICIT>, B<EXP>
+
+Add an explicit tag to the following structure. This string
+should be followed by a colon and the tag value to use as a
+decimal value.
+
+By following the number with B<U>, B<A>, B<P> or B<C> UNIVERSAL,
+APPLICATION, PRIVATE or CONTEXT SPECIFIC tagging can be used,
+the default is CONTEXT SPECIFIC.
+
+=item B<IMPLICIT>, B<IMP>
+
+This is the same as B<EXPLICIT> except IMPLICIT tagging is used
+instead.
+
+=item B<OCTWRAP>, B<SEQWRAP>, B<SETWRAP>, B<BITWRAP>
+
+The following structure is surrounded by an OCTET STRING, a SEQUENCE,
+a SET or a BIT STRING respectively. For a BIT STRING the number of unused
+bits is set to zero.
+
+=item B<FORMAT>
+
+This specifies the format of the ultimate value. It should be followed
+by a colon and one of the strings B<ASCII>, B<UTF8>, B<HEX> or B<BITLIST>.
+
+If no format specifier is included then B<ASCII> is used. If B<UTF8> is specified
+then the value string must be a valid B<UTF8> string. For B<HEX> the output must
+be a set of hex digits. B<BITLIST> (which is only valid for a BIT STRING) is a
+comma separated list of set bits.
+
+=back
+
+=head1 EXAMPLES
+
+A simple IA5String:
+
+ IA5STRING:Hello World
+
+An IA5String explicitly tagged:
+
+ EXPLICIT:0,IA5STRING:Hello World
+
+An IA5String explicitly tagged using APPLICATION tagging:
+
+ EXPLICIT:0A,IA5STRING:Hello World
+
+A more complex example using a config file to produce a
+SEQUENCE consiting of a BOOL an OID and a UTF8String:
+
+asn1 = SEQUENCE:seq_section
+
+[seq_section]
+
+field1 = BOOLEAN:TRUE
+field2 = OID:commonName
+field3 = UTF8:Third field
+
+This example produces an RSAPrivateKey structure, this is the
+key contained in the file client.pem in all OpenSSL distributions
+(note: the field names such as 'coeff' are ignored and are present just
+for clarity):
+
+ asn1=SEQUENCE:private_key
+ [private_key]
+ version=INTEGER:0
+
+ n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
+ D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
+
+ e=INTEGER:0x010001
+
+ d=INTEGER:0x6F05EAD2F27FFAEC84BEC360C4B928FD5F3A9865D0FCAAD291E2A52F4A\
+ F810DC6373278C006A0ABBA27DC8C63BF97F7E666E27C5284D7D3B1FFFE16B7A87B51D
+
+ p=INTEGER:0xF3929B9435608F8A22C208D86795271D54EBDFB09DDEF539AB083DA912\
+ D4BD57
+
+ q=INTEGER:0xC50016F89DFF2561347ED1186A46E150E28BF2D0F539A1594BBD7FE467\
+ 46EC4F
+
+ exp1=INTEGER:0x9E7D4326C924AFC1DEA40B45650134966D6F9DFA3A7F9D698CD4ABEA\
+ 9C0A39B9
+
+ exp2=INTEGER:0xBA84003BB95355AFB7C50DF140C60513D0BA51D637272E355E397779\
+ E7B2458F
+
+ coeff=INTEGER:0x30B9E4F2AFA5AC679F920FC83F1F2DF1BAF1779CF989447FABC2F5\
+ 628657053A
+
+This example is the corresponding public key in a SubjectPublicKeyInfo
+structure:
+
+ # Start with a SEQUENCE
+ asn1=SEQUENCE:pubkeyinfo
+
+ # pubkeyinfo contains an algorithm identifier and the public key wrapped
+ # in a BIT STRING
+ [pubkeyinfo]
+ algorithm=SEQUENCE:rsa_alg
+ pubkey=BITWRAP,SEQUENCE:rsapubkey
+
+ # algorithm ID for RSA is just an OID and a NULL
+ [rsa_alg]
+ algorithm=OID:rsaEncryption
+ parameter=NULL
+
+ # Actual public key: modulus and exponent
+ [rsapubkey]
+ n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
+ D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
+
+ e=INTEGER:0x010001
+
+=head1 RETURN VALUES
+
+ASN1_generate_nconf() and ASN1_generate_v3() return the encoded
+data as an B<ASN1_TYPE> structure or B<NULL> if an error occurred.
+
+The error codes that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<ERR_get_error(3)|ERR_get_error(3)>
+
+=head1 HISTORY
+
+ASN1_generate_nconf() and ASN1_generate_v3() were added to OpenSSL 0.9.8
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BIO_f_base64.pod b/crypto/openssl/doc/crypto/BIO_f_base64.pod
index 929557d22f02..438af3b6b66c 100644
--- a/crypto/openssl/doc/crypto/BIO_f_base64.pod
+++ b/crypto/openssl/doc/crypto/BIO_f_base64.pod
@@ -63,7 +63,7 @@ data to standard output:
  bio = BIO_new_fp(stdin, BIO_NOCLOSE);
  bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
  bio = BIO_push(b64, bio);
- while((inlen = BIO_read(bio, inbuf, 512) > 0) 
+ while((inlen = BIO_read(bio, inbuf, 512)) > 0) 
 	BIO_write(bio_out, inbuf, inlen);
 
  BIO_free_all(bio);
diff --git a/crypto/openssl/doc/crypto/BN_BLINDING_new.pod b/crypto/openssl/doc/crypto/BN_BLINDING_new.pod
new file mode 100644
index 000000000000..7b087f7288f9
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_BLINDING_new.pod
@@ -0,0 +1,109 @@
+=pod
+
+=head1 NAME
+
+BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert, 
+BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex, 
+BN_BLINDING_get_thread_id, BN_BLINDING_set_thread_id, BN_BLINDING_get_flags,
+BN_BLINDING_set_flags, BN_BLINDING_create_param - blinding related BIGNUM
+functions.
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai,
+	BIGNUM *mod);
+ void BN_BLINDING_free(BN_BLINDING *b);
+ int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
+ int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+ int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b,
+	BN_CTX *ctx);
+ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
+	BN_CTX *ctx);
+ unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
+ void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
+ unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
+ void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
+ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
+	const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
+	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
+	BN_MONT_CTX *m_ctx);
+
+=head1 DESCRIPTION
+
+BN_BLINDING_new() allocates a new B<BN_BLINDING> structure and copies
+the B<A> and B<Ai> values into the newly created B<BN_BLINDING> object.
+
+BN_BLINDING_free() frees the B<BN_BLINDING> structure.
+
+BN_BLINDING_update() updates the B<BN_BLINDING> parameters by squaring
+the B<A> and B<Ai> or, after specific number of uses and if the
+necessary parameters are set, by re-creating the blinding parameters.
+
+BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>.
+If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be
+returned in B<r> (this is useful if a B<RSA> object is shared amoung
+several threads). BN_BLINDING_invert_ex() multiplies B<n> with the
+inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as
+the inverse blinding.
+
+BN_BLINDING_convert() and BN_BLINDING_invert() are wrapper
+functions for BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex()
+with B<r> set to NULL.
+
+BN_BLINDING_set_thread_id() and BN_BLINDING_get_thread_id()
+set and get the "thread id" value of the B<BN_BLINDING> structure,
+a field provided to users of B<BN_BLINDING> structure to help them
+provide proper locking if needed for multi-threaded use. The 
+"thread id" of a newly allocated B<BN_BLINDING> structure is zero.
+
+BN_BLINDING_get_flags() returns the BN_BLINDING flags. Currently
+there are two supported flags: B<BN_BLINDING_NO_UPDATE> and
+B<BN_BLINDING_NO_RECREATE>. B<BN_BLINDING_NO_UPDATE> inhibits the
+automatic update of the B<BN_BLINDING> parameters after each use
+and B<BN_BLINDING_NO_RECREATE> inhibits the automatic re-creation
+of the B<BN_BLINDING> parameters after a fixed number of uses (currently
+32). In newly allocated B<BN_BLINDING> objects no flags are set.
+BN_BLINDING_set_flags() sets the B<BN_BLINDING> parameters flags.
+
+BN_BLINDING_create_param() creates new B<BN_BLINDING> parameters
+using the exponent B<e> and the modulus B<m>. B<bn_mod_exp> and
+B<m_ctx> can be used to pass special functions for exponentiation
+(normally BN_mod_exp_mont() and B<BN_MONT_CTX>).
+
+=head1 RETURN VALUES
+
+BN_BLINDING_new() returns the newly allocated B<BN_BLINDING> structure
+or NULL in case of an error.
+
+BN_BLINDING_update(), BN_BLINDING_convert(), BN_BLINDING_invert(),
+BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() return 1 on
+success and 0 if an error occured.
+
+BN_BLINDING_get_thread_id() returns the thread id (a B<unsigned long>
+value) or 0 if not set.
+
+BN_BLINDING_get_flags() returns the currently set B<BN_BLINDING> flags
+(a B<unsigned long> value).
+
+BN_BLINDING_create_param() returns the newly created B<BN_BLINDING> 
+parameters or NULL on error.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>
+
+=head1 HISTORY
+
+BN_BLINDING_convert_ex, BN_BLINDIND_invert_ex, BN_BLINDING_get_thread_id,
+BN_BLINDING_set_thread_id, BN_BLINDING_set_flags, BN_BLINDING_get_flags
+and BN_BLINDING_create_param were first introduced in OpenSSL 0.9.8
+
+=head1 AUTHOR
+
+Nils Larsch for the OpenSSL project (http://www.openssl.org).
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_add_word.pod b/crypto/openssl/doc/crypto/BN_add_word.pod
index 94244adea4cd..70667d289345 100644
--- a/crypto/openssl/doc/crypto/BN_add_word.pod
+++ b/crypto/openssl/doc/crypto/BN_add_word.pod
@@ -29,11 +29,11 @@ BN_add_word() adds B<w> to B<a> (C<a+=w>).
 
 BN_sub_word() subtracts B<w> from B<a> (C<a-=w>).
 
-BN_mul_word() multiplies B<a> and B<w> (C<a*=b>).
+BN_mul_word() multiplies B<a> and B<w> (C<a*=w>).
 
 BN_div_word() divides B<a> by B<w> (C<a/=w>) and returns the remainder.
 
-BN_mod_word() returns the remainder of B<a> divided by B<w> (C<a%m>).
+BN_mod_word() returns the remainder of B<a> divided by B<w> (C<a%w>).
 
 For BN_div_word() and BN_mod_word(), B<w> must not be 0.
 
@@ -42,7 +42,8 @@ For BN_div_word() and BN_mod_word(), B<w> must not be 0.
 BN_add_word(), BN_sub_word() and BN_mul_word() return 1 for success, 0
 on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
-BN_mod_word() and BN_div_word() return B<a>%B<w>.
+BN_mod_word() and BN_div_word() return B<a>%B<w> on success and
+B<(BN_ULONG)-1> if an error occurred.
 
 =head1 SEE ALSO
 
@@ -54,4 +55,7 @@ BN_add_word() and BN_mod_word() are available in all versions of
 SSLeay and OpenSSL. BN_div_word() was added in SSLeay 0.8, and
 BN_sub_word() and BN_mul_word() in SSLeay 0.9.0.
 
+Before 0.9.8a the return value for BN_div_word() and BN_mod_word()
+in case of an error was 0.
+
 =cut
diff --git a/crypto/openssl/doc/crypto/BN_new.pod b/crypto/openssl/doc/crypto/BN_new.pod
index 3033789c5147..ab7a105e3ad7 100644
--- a/crypto/openssl/doc/crypto/BN_new.pod
+++ b/crypto/openssl/doc/crypto/BN_new.pod
@@ -20,7 +20,7 @@ BN_new, BN_init, BN_clear, BN_free, BN_clear_free - allocate and free BIGNUMs
 
 =head1 DESCRIPTION
 
-BN_new() allocated and initializes a B<BIGNUM> structure. BN_init()
+BN_new() allocates and initializes a B<BIGNUM> structure. BN_init()
 initializes an existing uninitialized B<BIGNUM>.
 
 BN_clear() is used to destroy sensitive data such as keys when they
diff --git a/crypto/openssl/doc/crypto/ERR_error_string.pod b/crypto/openssl/doc/crypto/ERR_error_string.pod
index e01beb817a39..cdfa7fe1fe72 100644
--- a/crypto/openssl/doc/crypto/ERR_error_string.pod
+++ b/crypto/openssl/doc/crypto/ERR_error_string.pod
@@ -11,7 +11,7 @@ error message
  #include <openssl/err.h>
 
  char *ERR_error_string(unsigned long e, char *buf);
- char *ERR_error_string_n(unsigned long e, char *buf, size_t len);
+ void ERR_error_string_n(unsigned long e, char *buf, size_t len);
 
  const char *ERR_lib_error_string(unsigned long e);
  const char *ERR_func_error_string(unsigned long e);
diff --git a/crypto/openssl/doc/crypto/ERR_set_mark.pod b/crypto/openssl/doc/crypto/ERR_set_mark.pod
new file mode 100644
index 000000000000..d3ca4f2e770b
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ERR_set_mark.pod
@@ -0,0 +1,38 @@
+=pod
+
+=head1 NAME
+
+ERR_set_mark, ERR_pop_to_mark - set marks and pop errors until mark
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ int ERR_set_mark(void);
+
+ int ERR_pop_to_mark(void);
+
+=head1 DESCRIPTION
+
+ERR_set_mark() sets a mark on the current topmost error record if there
+is one.
+
+ERR_pop_to_mark() will pop the top of the error stack until a mark is found.
+The mark is then removed.  If there is no mark, the whole stack is removed.
+
+=head1 RETURN VALUES
+
+ERR_set_mark() returns 0 if the error stack is empty, otherwise 1.
+
+ERR_pop_to_mark() returns 0 if there was no mark in the error stack, which
+implies that the stack became empty, otherwise 1.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>
+
+=head1 HISTORY
+
+ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/EVP_BytesToKey.pod b/crypto/openssl/doc/crypto/EVP_BytesToKey.pod
index 016381f3e994..d375c46e03d5 100644
--- a/crypto/openssl/doc/crypto/EVP_BytesToKey.pod
+++ b/crypto/openssl/doc/crypto/EVP_BytesToKey.pod
@@ -60,7 +60,7 @@ EVP_BytesToKey() returns the size of the derived key in bytes.
 =head1 SEE ALSO
 
 L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
 
 =head1 HISTORY
 
diff --git a/crypto/openssl/doc/crypto/EVP_DigestInit.pod b/crypto/openssl/doc/crypto/EVP_DigestInit.pod
index 1cb315e739dd..130cd7f60adb 100644
--- a/crypto/openssl/doc/crypto/EVP_DigestInit.pod
+++ b/crypto/openssl/doc/crypto/EVP_DigestInit.pod
@@ -18,7 +18,7 @@ EVP digest routines
  EVP_MD_CTX *EVP_MD_CTX_create(void);
 
  int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
- int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
  int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md,
         unsigned int *s);
 
diff --git a/crypto/openssl/doc/crypto/EVP_EncryptInit.pod b/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
index daf57e5895f1..8271d3dfc417 100644
--- a/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
+++ b/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
@@ -22,7 +22,7 @@ EVP_CIPHER_CTX_set_padding - EVP cipher routines
 
  #include <openssl/evp.h>
 
- int EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
+ void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
 
  int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
 	 ENGINE *impl, unsigned char *key, unsigned char *iv);
@@ -236,8 +236,8 @@ RC5 can be set.
 
 =head1 RETURN VALUES
 
-EVP_CIPHER_CTX_init, EVP_EncryptInit_ex(), EVP_EncryptUpdate() and
-EVP_EncryptFinal_ex() return 1 for success and 0 for failure.
+EVP_EncryptInit_ex(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
+return 1 for success and 0 for failure.
 
 EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
 EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
@@ -479,6 +479,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
 		if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen))
 			{
 			/* Error */
+			EVP_CIPHER_CTX_cleanup(&ctx);
 			return 0;
 			}
 		fwrite(outbuf, 1, outlen, out);
@@ -486,6 +487,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
 	if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen))
 		{
 		/* Error */
+		EVP_CIPHER_CTX_cleanup(&ctx);
 		return 0;
 		}
 	fwrite(outbuf, 1, outlen, out);
diff --git a/crypto/openssl/doc/crypto/EVP_SealInit.pod b/crypto/openssl/doc/crypto/EVP_SealInit.pod
index b5e477e29421..7d793e19ef7a 100644
--- a/crypto/openssl/doc/crypto/EVP_SealInit.pod
+++ b/crypto/openssl/doc/crypto/EVP_SealInit.pod
@@ -8,8 +8,9 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
 
  #include <openssl/evp.h>
 
- int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
-		int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
+ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+                  unsigned char **ek, int *ekl, unsigned char *iv,
+                  EVP_PKEY **pubk, int npubk);
  int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
          int *outl, unsigned char *in, int inl);
  int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
diff --git a/crypto/openssl/doc/crypto/EVP_SignInit.pod b/crypto/openssl/doc/crypto/EVP_SignInit.pod
index b203c3a1c550..b6e62ce7f610 100644
--- a/crypto/openssl/doc/crypto/EVP_SignInit.pod
+++ b/crypto/openssl/doc/crypto/EVP_SignInit.pod
@@ -29,11 +29,10 @@ EVP_SignUpdate() hashes B<cnt> bytes of data at B<d> into the
 signature context B<ctx>. This function can be called several times on the
 same B<ctx> to include additional data.
 
-EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey>
-and places the signature in B<sig>. If the B<s> parameter is not NULL
-then the number of bytes of data written (i.e. the length of the signature)
-will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
-will be written. 
+EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> and
+places the signature in B<sig>. The number of bytes of data written (i.e. the
+length of the signature) will be written to the integer at B<s>, at most
+EVP_PKEY_size(pkey) bytes will be written. 
 
 EVP_SignInit() initializes a signing context B<ctx> to use the default
 implementation of digest B<type>.
diff --git a/crypto/openssl/doc/crypto/OPENSSL_Applink.pod b/crypto/openssl/doc/crypto/OPENSSL_Applink.pod
new file mode 100644
index 000000000000..e54de12cc89e
--- /dev/null
+++ b/crypto/openssl/doc/crypto/OPENSSL_Applink.pod
@@ -0,0 +1,21 @@
+=pod
+
+=head1 NAME
+
+OPENSSL_Applink - glue between OpenSSL BIO and Win32 compiler run-time
+
+=head1 SYNOPSIS
+
+ __declspec(dllexport) void **OPENSSL_Applink();
+
+=head1 DESCRIPTION
+
+OPENSSL_Applink is application-side interface which provides a glue
+between OpenSSL BIO layer and Win32 compiler run-time environment.
+Even though it appears at application side, it's essentially OpenSSL
+private interface. For this reason application developers are not
+expected to implement it, but to compile provided module with
+compiler of their choice and link it into the target application.
+The referred module is available as <openssl>/ms/applink.c.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/OPENSSL_config.pod b/crypto/openssl/doc/crypto/OPENSSL_config.pod
index 16600620ccf3..e7bba2aacae0 100644
--- a/crypto/openssl/doc/crypto/OPENSSL_config.pod
+++ b/crypto/openssl/doc/crypto/OPENSSL_config.pod
@@ -35,7 +35,7 @@ calls OPENSSL_add_all_algorithms() by compiling an application with the
 preprocessor symbol B<OPENSSL_LOAD_CONF> #define'd. In this way configuration
 can be added without source changes.
 
-The environment variable B<OPENSSL_CONFIG> can be set to specify the location
+The environment variable B<OPENSSL_CONF> can be set to specify the location
 of the configuration file.
  
 Currently ASN1 OBJECTs and ENGINE configuration can be performed future
diff --git a/crypto/openssl/doc/crypto/OPENSSL_ia32cap.pod b/crypto/openssl/doc/crypto/OPENSSL_ia32cap.pod
new file mode 100644
index 000000000000..121a8ddee5e1
--- /dev/null
+++ b/crypto/openssl/doc/crypto/OPENSSL_ia32cap.pod
@@ -0,0 +1,35 @@
+=pod
+
+=head1 NAME
+
+OPENSSL_ia32cap - finding the IA-32 processor capabilities
+
+=head1 SYNOPSIS
+
+ unsigned long *OPENSSL_ia32cap_loc(void);
+ #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
+
+=head1 DESCRIPTION
+
+Value returned by OPENSSL_ia32cap_loc() is address of a variable
+containing IA-32 processor capabilities bit vector as it appears in EDX
+register after executing CPUID instruction with EAX=1 input value (see
+Intel Application Note #241618). Naturally it's meaningful on IA-32[E]
+platforms only. The variable is normally set up automatically upon
+toolkit initialization, but can be manipulated afterwards to modify
+crypto library behaviour. For the moment of this writing three bits are
+significant, namely bit #28 denoting Hyperthreading, which is used to
+distinguish Intel P4 core, bit #26 denoting SSE2 support, and bit #4
+denoting presence of Time-Stamp Counter. Clearing bit #26 at run-time
+for example disables high-performance SSE2 code present in the crypto
+library. You might have to do this if target OpenSSL application is
+executed on SSE2 capable CPU, but under control of OS which does not
+support SSE2 extentions. Even though you can manipulate the value
+programmatically, you most likely will find it more appropriate to set
+up an environment variable with the same name prior starting target
+application, e.g. 'env OPENSSL_ia32cap=0x10 apps/openssl', to achieve
+same effect without modifying the application source code.
+Alternatively you can reconfigure the toolkit with no-sse2 option and
+recompile.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/PKCS12_create.pod b/crypto/openssl/doc/crypto/PKCS12_create.pod
index 48f3bb8cb8ef..de7cab2bdffc 100644
--- a/crypto/openssl/doc/crypto/PKCS12_create.pod
+++ b/crypto/openssl/doc/crypto/PKCS12_create.pod
@@ -46,6 +46,24 @@ export grade software which could use signing only keys of arbitrary size but
 had restrictions on the permissible sizes of keys which could be used for
 encryption.
 
+=head1 NEW FUNCTIONALITY IN OPENSSL 0.9.8
+
+Some additional functionality was added to PKCS12_create() in OpenSSL
+0.9.8. These extensions are detailed below.
+
+If a certificate contains an B<alias> or B<keyid> then this will be
+used for the corresponding B<friendlyName> or B<localKeyID> in the
+PKCS12 structure.
+
+Either B<pkey>, B<cert> or both can be B<NULL> to indicate that no key or
+certficate is required. In previous versions both had to be present or
+a fatal error is returned.
+
+B<nid_key> or B<nid_cert> can be set to -1 indicating that no encryption
+should be used. 
+
+B<mac_iter> can be set to -1 and the MAC will then be omitted entirely.
+
 =head1 SEE ALSO
 
 L<d2i_PKCS12(3)|d2i_PKCS12(3)>
diff --git a/crypto/openssl/doc/crypto/PKCS7_sign.pod b/crypto/openssl/doc/crypto/PKCS7_sign.pod
index fc7e649b341c..ffd0c734b096 100644
--- a/crypto/openssl/doc/crypto/PKCS7_sign.pod
+++ b/crypto/openssl/doc/crypto/PKCS7_sign.pod
@@ -51,6 +51,24 @@ If present the SMIMECapabilities attribute indicates support for the following
 algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any
 of these algorithms is disabled then it will not be included.
 
+If the flags B<PKCS7_PARTSIGN> is set then the returned B<PKCS7> structure
+is just initialized ready to perform the signing operation. The signing
+is however B<not> performed and the data to be signed is not read from
+the B<data> parameter. Signing is deferred until after the data has been
+written. In this way data can be signed in a single pass. Currently the
+flag B<PKCS7_DETACHED> B<must> also be set.
+
+=head1 NOTES
+
+Currently the flag B<PKCS7_PARTSIGN> is only supported for detached
+data. If this flag is set the returned B<PKCS7> structure is B<not>
+complete and outputting its contents via a function that does not
+properly finalize the B<PKCS7> structure will give unpredictable 
+results.
+
+At present only the SMIME_write_PKCS7() function properly finalizes the
+structure.
+
 =head1 BUGS
 
 PKCS7_sign() is somewhat limited. It does not support multiple signers, some
@@ -64,10 +82,6 @@ signed due to memory restraints. There should be a way to sign data without
 having to hold it all in memory, this would however require fairly major
 revisions of the OpenSSL ASN1 code.
 
-Clear text signing does not store the content in memory but the way PKCS7_sign()
-operates means that two passes of the data must typically be made: one to compute
-the signatures and a second to output the data along with the signature. There
-should be a way to process the data with only a single pass.
 
 =head1 RETURN VALUES
 
@@ -82,4 +96,6 @@ L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_verify(3)|PKCS7_verify(3)>
 
 PKCS7_sign() was added to OpenSSL 0.9.5
 
+The B<PKCS7_PARTSIGN> flag was added in OpenSSL 0.9.8
+
 =cut
diff --git a/crypto/openssl/doc/crypto/PKCS7_verify.pod b/crypto/openssl/doc/crypto/PKCS7_verify.pod
index 07c9fdad4021..3490b5dc8255 100644
--- a/crypto/openssl/doc/crypto/PKCS7_verify.pod
+++ b/crypto/openssl/doc/crypto/PKCS7_verify.pod
@@ -8,7 +8,7 @@ PKCS7_verify - verify a PKCS#7 signedData structure
 
 int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags);
 
-int PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
+STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/crypto/RSA_sign.pod b/crypto/openssl/doc/crypto/RSA_sign.pod
index 71688a665e13..8553be8e99b6 100644
--- a/crypto/openssl/doc/crypto/RSA_sign.pod
+++ b/crypto/openssl/doc/crypto/RSA_sign.pod
@@ -8,10 +8,10 @@ RSA_sign, RSA_verify - RSA signatures
 
  #include <openssl/rsa.h>
 
- int RSA_sign(int type, unsigned char *m, unsigned int m_len,
+ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
     unsigned char *sigret, unsigned int *siglen, RSA *rsa);
 
- int RSA_verify(int type, unsigned char *m, unsigned int m_len,
+ int RSA_verify(int type, const unsigned char *m, unsigned int m_len,
     unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
 
 =head1 DESCRIPTION
diff --git a/crypto/openssl/doc/crypto/SMIME_write_PKCS7.pod b/crypto/openssl/doc/crypto/SMIME_write_PKCS7.pod
index 2cfad2e04976..61945b388728 100644
--- a/crypto/openssl/doc/crypto/SMIME_write_PKCS7.pod
+++ b/crypto/openssl/doc/crypto/SMIME_write_PKCS7.pod
@@ -30,18 +30,20 @@ If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain>
 are added to the content, this only makes sense if B<PKCS7_DETACHED>
 is also set.
 
-If cleartext signing is being used then the data must be read twice:
-once to compute the signature in PKCS7_sign() and once to output the
-S/MIME message.
+If the B<PKCS7_PARTSIGN> flag is set the signed data is finalized
+and output along with the content. This flag should only be set
+if B<PKCS7_DETACHED> is also set and the previous call to PKCS7_sign()
+also set these flags.
+
+If cleartext signing is being used and B<PKCS7_PARTSIGN> not set then
+the data must be read twice: once to compute the signature in PKCS7_sign()
+and once to output the S/MIME message.
 
 =head1 BUGS
 
 SMIME_write_PKCS7() always base64 encodes PKCS#7 structures, there
 should be an option to disable this.
 
-There should really be a way to produce cleartext signing using only
-a single pass of the data.
-
 =head1 RETURN VALUES
 
 SMIME_write_PKCS7() returns 1 for success or 0 for failure.
diff --git a/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod b/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
index d287c18564be..11b35f6fd355 100644
--- a/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
+++ b/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
@@ -13,11 +13,11 @@ ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
 ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
 
 int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj);
-int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, unsigned char *bytes, int len);
+int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, const unsigned char *bytes, int len);
 
-X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, char *field, int type, unsigned char *bytes, int len);
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const char *field, int type, const unsigned char *bytes, int len);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type,unsigned char *bytes, int len);
-X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type,unsigned char *bytes, int len);
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod b/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod
index 4472a1c5cf77..e2ab4b0d2bb1 100644
--- a/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod
+++ b/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod
@@ -7,10 +7,14 @@ X509_NAME_add_entry, X509_NAME_delete_entry - X509_NAME modification functions
 
 =head1 SYNOPSIS
 
-int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type, unsigned char *bytes, int len, int loc, int set);
+int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, const unsigned char *bytes, int len, int loc, int set);
+
 int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set);
+
 int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set);
+
 int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne, int loc, int set);
+
 X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
 
 =head1 DESCRIPTION
diff --git a/crypto/openssl/doc/crypto/X509_NAME_print_ex.pod b/crypto/openssl/doc/crypto/X509_NAME_print_ex.pod
index 907c04f684f5..919b90891937 100644
--- a/crypto/openssl/doc/crypto/X509_NAME_print_ex.pod
+++ b/crypto/openssl/doc/crypto/X509_NAME_print_ex.pod
@@ -41,8 +41,8 @@ applications.
 Although there are a large number of possible flags for most purposes
 B<XN_FLAG_ONELINE>, B<XN_FLAG_MULTILINE> or B<XN_FLAG_RFC2253> will suffice.
 As noted on the L<ASN1_STRING_print_ex(3)|ASN1_STRING_print_ex(3)> manual page
-for UTF8 terminals the B<ASN1_STRFLAGS_ESC_MSB> should be unset: so for example
-B<XN_FLAG_ONELINE & ~ASN1_STRFLAGS_ESC_MSB> would be used.
+for UTF8 terminals the B<ASN1_STRFLGS_ESC_MSB> should be unset: so for example
+B<XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB> would be used.
 
 The complete set of the flags supported by X509_NAME_print_ex() is listed below.
 
diff --git a/crypto/openssl/doc/crypto/blowfish.pod b/crypto/openssl/doc/crypto/blowfish.pod
index ed71334f5618..5b2d274c15fe 100644
--- a/crypto/openssl/doc/crypto/blowfish.pod
+++ b/crypto/openssl/doc/crypto/blowfish.pod
@@ -32,7 +32,7 @@ by Counterpane (see http://www.counterpane.com/blowfish.html ).
 
 Blowfish is a block cipher that operates on 64 bit (8 byte) blocks of data.
 It uses a variable size key, but typically, 128 bit (16 byte) keys are
-a considered good for strong encryption.  Blowfish can be used in the same
+considered good for strong encryption.  Blowfish can be used in the same
 modes as DES (see L<des_modes(7)|des_modes(7)>).  Blowfish is currently one
 of the faster block ciphers.  It is quite a bit faster than DES, and much
 faster than IDEA or RC2.
diff --git a/crypto/openssl/doc/crypto/bn.pod b/crypto/openssl/doc/crypto/bn.pod
index 210dfeac08cd..cd2f8e50c6c7 100644
--- a/crypto/openssl/doc/crypto/bn.pod
+++ b/crypto/openssl/doc/crypto/bn.pod
@@ -27,6 +27,9 @@ bn - multiprecision integer arithmetics
  int BN_num_bits(const BIGNUM *a);
  int BN_num_bits_word(BN_ULONG w);
 
+ void BN_set_negative(BIGNUM *a, int n);
+ int  BN_is_negative(const BIGNUM *a);
+
  int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
  int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
  int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
@@ -118,6 +121,25 @@ bn - multiprecision integer arithmetics
  int BN_to_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
          BN_CTX *ctx);
 
+ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai,
+	BIGNUM *mod);
+ void BN_BLINDING_free(BN_BLINDING *b);
+ int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
+ int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+ int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b,
+	BN_CTX *ctx);
+ int BN_BLINDING_invert_ex(BIGNUM *n,const BIGNUM *r,BN_BLINDING *b,
+	BN_CTX *ctx);
+ unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
+ void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
+ unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
+ void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
+ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
+	const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
+	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
+	BN_MONT_CTX *m_ctx);
 
 =head1 DESCRIPTION
 
@@ -153,6 +175,7 @@ L<BN_cmp(3)|BN_cmp(3)>, L<BN_zero(3)|BN_zero(3)>, L<BN_rand(3)|BN_rand(3)>,
 L<BN_generate_prime(3)|BN_generate_prime(3)>, L<BN_set_bit(3)|BN_set_bit(3)>,
 L<BN_bn2bin(3)|BN_bn2bin(3)>, L<BN_mod_inverse(3)|BN_mod_inverse(3)>,
 L<BN_mod_mul_reciprocal(3)|BN_mod_mul_reciprocal(3)>,
-L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)> 
+L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)>,
+L<BN_BLINDING_new(3)|BN_BLINDING_new(3)>
 
 =cut
diff --git a/crypto/openssl/doc/crypto/bn_internal.pod b/crypto/openssl/doc/crypto/bn_internal.pod
index 9805a7c9f298..891914678c47 100644
--- a/crypto/openssl/doc/crypto/bn_internal.pod
+++ b/crypto/openssl/doc/crypto/bn_internal.pod
@@ -72,19 +72,19 @@ applications.
 
  typedef struct bignum_st
         {
-        int top;      /* index of last used d (most significant word) */
-        BN_ULONG *d;  /* pointer to an array of 'BITS2' bit chunks */
+        int top;      /* number of words used in d */
+        BN_ULONG *d;  /* pointer to an array containing the integer value */
         int max;      /* size of the d array */
         int neg;      /* sign */
         } BIGNUM;
 
-The big number is stored in B<d>, a malloc()ed array of B<BN_ULONG>s,
-least significant first. A B<BN_ULONG> can be either 16, 32 or 64 bits
-in size (B<BITS2>), depending on the 'number of bits' specified in
+The integer value is stored in B<d>, a malloc()ed array of words (B<BN_ULONG>),
+least significant word first. A B<BN_ULONG> can be either 16, 32 or 64 bits
+in size, depending on the 'number of bits' (B<BITS2>) specified in
 C<openssl/bn.h>.
 
 B<max> is the size of the B<d> array that has been allocated.  B<top>
-is the 'last' entry being used, so for a value of 4, bn.d[0]=4 and
+is the number of words being used, so for a value of 4, bn.d[0]=4 and
 bn.top=1.  B<neg> is 1 if the number is negative.  When a B<BIGNUM> is
 B<0>, the B<d> field can be B<NULL> and B<top> == B<0>.
 
@@ -202,7 +202,7 @@ call bn_expand2(), which allocates a new B<d> array and copies the
 data.  They return B<NULL> on error, B<b> otherwise.
 
 The bn_fix_top() macro reduces B<a-E<gt>top> to point to the most
-significant non-zero word when B<a> has shrunk.
+significant non-zero word plus one when B<a> has shrunk.
 
 =head2 Debugging
 
diff --git a/crypto/openssl/doc/crypto/d2i_X509.pod b/crypto/openssl/doc/crypto/d2i_X509.pod
index 5e3c3d098573..5bfa18afbb3d 100644
--- a/crypto/openssl/doc/crypto/d2i_X509.pod
+++ b/crypto/openssl/doc/crypto/d2i_X509.pod
@@ -9,7 +9,7 @@ i2d_X509_fp - X509 encode and decode functions
 
  #include <openssl/x509.h>
 
- X509 *d2i_X509(X509 **px, unsigned char **in, int len);
+ X509 *d2i_X509(X509 **px, const unsigned char **in, int len);
  int i2d_X509(X509 *x, unsigned char **out);
 
  X509 *d2i_X509_bio(BIO *bp, X509 **x);
@@ -23,13 +23,13 @@ i2d_X509_fp - X509 encode and decode functions
 The X509 encode and decode routines encode and parse an
 B<X509> structure, which represents an X509 certificate.
 
-d2i_X509() attempts to decode B<len> bytes at B<*out>. If 
+d2i_X509() attempts to decode B<len> bytes at B<*in>. If 
 successful a pointer to the B<X509> structure is returned. If an error
 occurred then B<NULL> is returned. If B<px> is not B<NULL> then the
 returned structure is written to B<*px>. If B<*px> is not B<NULL>
 then it is assumed that B<*px> contains a valid B<X509>
 structure and an attempt is made to reuse it. If the call is
-successful B<*out> is incremented to the byte following the
+successful B<*in> is incremented to the byte following the
 parsed data.
 
 i2d_X509() encodes the structure pointed to by B<x> into DER format.
diff --git a/crypto/openssl/doc/crypto/d2i_X509_CRL.pod b/crypto/openssl/doc/crypto/d2i_X509_CRL.pod
index 06c5b23c090a..e7295a5d6153 100644
--- a/crypto/openssl/doc/crypto/d2i_X509_CRL.pod
+++ b/crypto/openssl/doc/crypto/d2i_X509_CRL.pod
@@ -9,7 +9,7 @@ i2d_X509_CRL_bio, i2d_X509_CRL_fp - PKCS#10 certificate request functions.
 
  #include <openssl/x509.h>
 
- X509_CRL *d2i_X509_CRL(X509_CRL **a, unsigned char **pp, long length);
+ X509_CRL *d2i_X509_CRL(X509_CRL **a, const unsigned char **pp, long length);
  int i2d_X509_CRL(X509_CRL *a, unsigned char **pp);
 
  X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **x);
diff --git a/crypto/openssl/doc/crypto/d2i_X509_REQ.pod b/crypto/openssl/doc/crypto/d2i_X509_REQ.pod
index be4ad68257e0..ae32a3891d67 100644
--- a/crypto/openssl/doc/crypto/d2i_X509_REQ.pod
+++ b/crypto/openssl/doc/crypto/d2i_X509_REQ.pod
@@ -9,7 +9,7 @@ i2d_X509_REQ_bio, i2d_X509_REQ_fp - PKCS#10 certificate request functions.
 
  #include <openssl/x509.h>
 
- X509_REQ *d2i_X509_REQ(X509_REQ **a, unsigned char **pp, long length);
+ X509_REQ *d2i_X509_REQ(X509_REQ **a, const unsigned char **pp, long length);
  int i2d_X509_REQ(X509_REQ *a, unsigned char **pp);
 
  X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **x);
diff --git a/crypto/openssl/doc/crypto/des_modes.pod b/crypto/openssl/doc/crypto/des_modes.pod
index da75e8007d45..02664036fc6c 100644
--- a/crypto/openssl/doc/crypto/des_modes.pod
+++ b/crypto/openssl/doc/crypto/des_modes.pod
@@ -1,5 +1,7 @@
 =pod
 
+=for comment openssl_manual_section:7
+
 =head1 NAME
 
 Modes of DES - the variants of DES and other crypto algorithms of OpenSSL
diff --git a/crypto/openssl/doc/crypto/ecdsa.pod b/crypto/openssl/doc/crypto/ecdsa.pod
new file mode 100644
index 000000000000..49b10f22499b
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ecdsa.pod
@@ -0,0 +1,210 @@
+=pod
+
+=head1 NAME
+
+ecdsa - Elliptic Curve Digital Signature Algorithm
+
+=head1 SYNOPSIS
+
+ #include <openssl/ecdsa.h>
+
+ ECDSA_SIG*	ECDSA_SIG_new(void);
+ void		ECDSA_SIG_free(ECDSA_SIG *sig);
+ int		i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp);
+ ECDSA_SIG*	d2i_ECDSA_SIG(ECDSA_SIG **sig, const unsigned char **pp, 
+		long len);
+
+ ECDSA_SIG*	ECDSA_do_sign(const unsigned char *dgst, int dgst_len,
+			EC_KEY *eckey);
+ ECDSA_SIG*	ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen, 
+			const BIGNUM *kinv, const BIGNUM *rp,
+			EC_KEY *eckey);
+ int		ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
+			const ECDSA_SIG *sig, EC_KEY* eckey);
+ int		ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx,
+			BIGNUM **kinv, BIGNUM **rp);
+ int		ECDSA_sign(int type, const unsigned char *dgst,
+			int dgstlen, unsigned char *sig,
+			unsigned int *siglen, EC_KEY *eckey);
+ int		ECDSA_sign_ex(int type, const unsigned char *dgst,
+			int dgstlen, unsigned char *sig,
+			unsigned int *siglen, const BIGNUM *kinv, 
+			const BIGNUM *rp, EC_KEY *eckey);
+ int		ECDSA_verify(int type, const unsigned char *dgst,
+			int dgstlen, const unsigned char *sig,
+			int siglen, EC_KEY *eckey);
+ int		ECDSA_size(const EC_KEY *eckey);
+
+ const ECDSA_METHOD*	ECDSA_OpenSSL(void);
+ void		ECDSA_set_default_method(const ECDSA_METHOD *meth);
+ const ECDSA_METHOD*	ECDSA_get_default_method(void);
+ int		ECDSA_set_method(EC_KEY *eckey,const ECDSA_METHOD *meth);
+
+ int		ECDSA_get_ex_new_index(long argl, void *argp,
+			CRYPTO_EX_new *new_func,
+			CRYPTO_EX_dup *dup_func,
+			CRYPTO_EX_free *free_func);
+ int		ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg);
+ void*		ECDSA_get_ex_data(EC_KEY *d, int idx);
+
+=head1 DESCRIPTION
+
+The B<ECDSA_SIG> structure consists of two BIGNUMs for the
+r and s value of a ECDSA signature (see X9.62 or FIPS 186-2).
+
+ struct
+	{
+	BIGNUM *r;
+	BIGNUM *s;
+ } ECDSA_SIG;
+
+ECDSA_SIG_new() allocates a new B<ECDSA_SIG> structure (note: this
+function also allocates the BIGNUMs) and initialize it.
+
+ECDSA_SIG_free() frees the B<ECDSA_SIG> structure B<sig>.
+
+i2d_ECDSA_SIG() creates the DER encoding of the ECDSA signature
+B<sig> and writes the encoded signature to B<*pp> (note: if B<pp>
+is NULL B<i2d_ECDSA_SIG> returns the expected length in bytes of 
+the DER encoded signature). B<i2d_ECDSA_SIG> returns the length
+of the DER encoded signature (or 0 on error).
+
+d2i_ECDSA_SIG() decodes a DER encoded ECDSA signature and returns
+the decoded signature in a newly allocated B<ECDSA_SIG> structure.
+B<*sig> points to the buffer containing the DER encoded signature
+of size B<len>.
+
+ECDSA_size() returns the maximum length of a DER encoded
+ECDSA signature created with the private EC key B<eckey>.
+
+ECDSA_sign_setup() may be used to precompute parts of the
+signing operation. B<eckey> is the private EC key and B<ctx>
+is a pointer to B<BN_CTX> structure (or NULL). The precomputed
+values or returned in B<kinv> and B<rp> and can be used in a
+later call to B<ECDSA_sign_ex> or B<ECDSA_do_sign_ex>.
+
+ECDSA_sign() is wrapper function for ECDSA_sign_ex with B<kinv>
+and B<rp> set to NULL.
+
+ECDSA_sign_ex() computes a digital signature of the B<dgstlen> bytes
+hash value B<dgst> using the private EC key B<eckey> and the optional
+pre-computed values B<kinv> and B<rp>. The DER encoded signatures is
+stored in B<sig> and it's length is returned in B<sig_len>. Note: B<sig>
+must point to B<ECDSA_size> bytes of memory. The parameter B<type>
+is ignored.
+
+ECDSA_verify() verifies that the signature in B<sig> of size
+B<siglen> is a valid ECDSA signature of the hash value
+value B<dgst> of size B<dgstlen> using the public key B<eckey>.
+The parameter B<type> is ignored.
+
+ECDSA_do_sign() is wrapper function for ECDSA_do_sign_ex with B<kinv>
+and B<rp> set to NULL.
+
+ECDSA_do_sign_ex() computes a digital signature of the B<dgst_len>
+bytes hash value B<dgst> using the private key B<eckey> and the
+optional pre-computed values B<kinv> and B<rp>. The signature is
+returned in a newly allocated B<ECDSA_SIG> structure (or NULL on error).
+
+ECDSA_do_verify() verifies that the signature B<sig> is a valid
+ECDSA signature of the hash value B<dgst> of size B<dgst_len>
+using the public key B<eckey>.
+
+=head1 RETURN VALUES
+
+ECDSA_size() returns the maximum length signature or 0 on error.
+
+ECDSA_sign_setup() and ECDSA_sign() return 1 if successful or -1
+on error.
+
+ECDSA_verify() and ECDSA_do_verify() return 1 for a valid
+signature, 0 for an invalid signature and -1 on error.
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 EXAMPLES
+
+Creating a ECDSA signature of given SHA-1 hash value using the
+named curve secp192k1.
+
+First step: create a EC_KEY object (note: this part is B<not> ECDSA
+specific)
+
+ int        ret;
+ ECDSA_SIG *sig;
+ EC_KEY    *eckey = EC_KEY_new();
+ if (eckey == NULL)
+	{
+	/* error */
+	}
+ key->group = EC_GROUP_new_by_nid(NID_secp192k1);
+ if (key->group == NULL)
+	{
+	/* error */
+	}
+ if (!EC_KEY_generate_key(eckey))
+	{
+	/* error */
+	}
+
+Second step: compute the ECDSA signature of a SHA-1 hash value 
+using B<ECDSA_do_sign> 
+
+ sig = ECDSA_do_sign(digest, 20, eckey);
+ if (sig == NULL)
+	{
+	/* error */
+	}
+
+or using B<ECDSA_sign>
+
+ unsigned char *buffer, *pp;
+ int            buf_len;
+ buf_len = ECDSA_size(eckey);
+ buffer  = OPENSSL_malloc(buf_len);
+ pp = buffer;
+ if (!ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey);
+	{
+	/* error */
+	}
+
+Third step: verify the created ECDSA signature using B<ECDSA_do_verify>
+
+ ret = ECDSA_do_verify(digest, 20, sig, eckey);
+
+or using B<ECDSA_verify>
+
+ ret = ECDSA_verify(0, digest, 20, buffer, buf_len, eckey);
+
+and finally evaluate the return value:
+
+ if (ret == -1)
+	{
+	/* error */
+	}
+ else if (ret == 0)
+	{
+	/* incorrect signature */
+	}
+ else	/* ret == 1 */
+	{
+	/* signature ok */
+	}
+
+=head1 CONFORMING TO
+
+ANSI X9.62, US Federal Information Processing Standard FIPS 186-2
+(Digital Signature Standard, DSS)
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>
+
+=head1 HISTORY
+
+The ecdsa implementation was first introduced in OpenSSL 0.9.8
+
+=head1 AUTHOR
+
+Nils Larsch for the OpenSSL project (http://www.openssl.org).
+
+=cut
diff --git a/crypto/openssl/doc/crypto/engine.pod b/crypto/openssl/doc/crypto/engine.pod
index c77dad55621f..75933fccadc5 100644
--- a/crypto/openssl/doc/crypto/engine.pod
+++ b/crypto/openssl/doc/crypto/engine.pod
@@ -23,21 +23,26 @@ engine - ENGINE cryptographic module support
 
  void ENGINE_load_openssl(void);
  void ENGINE_load_dynamic(void);
- void ENGINE_load_cswift(void);
- void ENGINE_load_chil(void);
+ #ifndef OPENSSL_NO_STATIC_ENGINE
+ void ENGINE_load_4758cca(void);
+ void ENGINE_load_aep(void);
  void ENGINE_load_atalla(void);
+ void ENGINE_load_chil(void);
+ void ENGINE_load_cswift(void);
+ void ENGINE_load_gmp(void);
  void ENGINE_load_nuron(void);
- void ENGINE_load_ubsec(void);
- void ENGINE_load_aep(void);
  void ENGINE_load_sureware(void);
- void ENGINE_load_4758cca(void);
- void ENGINE_load_openbsd_dev_crypto(void);
+ void ENGINE_load_ubsec(void);
+ #endif
+ void ENGINE_load_cryptodev(void);
  void ENGINE_load_builtin_engines(void);
 
  void ENGINE_cleanup(void);
 
  ENGINE *ENGINE_get_default_RSA(void);
  ENGINE *ENGINE_get_default_DSA(void);
+ ENGINE *ENGINE_get_default_ECDH(void);
+ ENGINE *ENGINE_get_default_ECDSA(void);
  ENGINE *ENGINE_get_default_DH(void);
  ENGINE *ENGINE_get_default_RAND(void);
  ENGINE *ENGINE_get_cipher_engine(int nid);
@@ -45,6 +50,8 @@ engine - ENGINE cryptographic module support
 
  int ENGINE_set_default_RSA(ENGINE *e);
  int ENGINE_set_default_DSA(ENGINE *e);
+ int ENGINE_set_default_ECDH(ENGINE *e);
+ int ENGINE_set_default_ECDSA(ENGINE *e);
  int ENGINE_set_default_DH(ENGINE *e);
  int ENGINE_set_default_RAND(ENGINE *e);
  int ENGINE_set_default_ciphers(ENGINE *e);
@@ -62,12 +69,21 @@ engine - ENGINE cryptographic module support
  int ENGINE_register_DSA(ENGINE *e);
  void ENGINE_unregister_DSA(ENGINE *e);
  void ENGINE_register_all_DSA(void);
+ int ENGINE_register_ECDH(ENGINE *e);
+ void ENGINE_unregister_ECDH(ENGINE *e);
+ void ENGINE_register_all_ECDH(void);
+ int ENGINE_register_ECDSA(ENGINE *e);
+ void ENGINE_unregister_ECDSA(ENGINE *e);
+ void ENGINE_register_all_ECDSA(void);
  int ENGINE_register_DH(ENGINE *e);
  void ENGINE_unregister_DH(ENGINE *e);
  void ENGINE_register_all_DH(void);
  int ENGINE_register_RAND(ENGINE *e);
  void ENGINE_unregister_RAND(ENGINE *e);
  void ENGINE_register_all_RAND(void);
+ int ENGINE_register_STORE(ENGINE *e);
+ void ENGINE_unregister_STORE(ENGINE *e);
+ void ENGINE_register_all_STORE(void);
  int ENGINE_register_ciphers(ENGINE *e);
  void ENGINE_unregister_ciphers(ENGINE *e);
  void ENGINE_register_all_ciphers(void);
@@ -77,12 +93,12 @@ engine - ENGINE cryptographic module support
  int ENGINE_register_complete(ENGINE *e);
  int ENGINE_register_all_complete(void);
 
- int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+ int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
  int ENGINE_cmd_is_executable(ENGINE *e, int cmd);
  int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
-         long i, void *p, void (*f)(), int cmd_optional);
+         long i, void *p, void (*f)(void), int cmd_optional);
  int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
-                 int cmd_optional);
+         int cmd_optional);
 
  int ENGINE_set_ex_data(ENGINE *e, int idx, void *arg);
  void *ENGINE_get_ex_data(const ENGINE *e, int idx);
@@ -92,13 +108,17 @@ engine - ENGINE cryptographic module support
 
  ENGINE *ENGINE_new(void);
  int ENGINE_free(ENGINE *e);
+ int ENGINE_up_ref(ENGINE *e);
 
  int ENGINE_set_id(ENGINE *e, const char *id);
  int ENGINE_set_name(ENGINE *e, const char *name);
  int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth);
  int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth);
+ int ENGINE_set_ECDH(ENGINE *e, const ECDH_METHOD *dh_meth);
+ int ENGINE_set_ECDSA(ENGINE *e, const ECDSA_METHOD *dh_meth);
  int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth);
  int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth);
+ int ENGINE_set_STORE(ENGINE *e, const STORE_METHOD *rand_meth);
  int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f);
  int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f);
  int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
@@ -114,8 +134,11 @@ engine - ENGINE cryptographic module support
  const char *ENGINE_get_name(const ENGINE *e);
  const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e);
  const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e);
+ const ECDH_METHOD *ENGINE_get_ECDH(const ENGINE *e);
+ const ECDSA_METHOD *ENGINE_get_ECDSA(const ENGINE *e);
  const DH_METHOD *ENGINE_get_DH(const ENGINE *e);
  const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e);
+ const STORE_METHOD *ENGINE_get_STORE(const ENGINE *e);
  ENGINE_GEN_INT_FUNC_PTR ENGINE_get_destroy_function(const ENGINE *e);
  ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(const ENGINE *e);
  ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e);
@@ -148,7 +171,8 @@ The cryptographic functionality that can be provided by an B<ENGINE>
 implementation includes the following abstractions;
 
  RSA_METHOD - for providing alternative RSA implementations
- DSA_METHOD, DH_METHOD, RAND_METHOD - alternative DSA, DH, and RAND
+ DSA_METHOD, DH_METHOD, RAND_METHOD, ECDH_METHOD, ECDSA_METHOD,
+       STORE_METHOD - similarly for other OpenSSL APIs
  EVP_CIPHER - potentially multiple cipher algorithms (indexed by 'nid')
  EVP_DIGEST - potentially multiple hash algorithms (indexed by 'nid')
  key-loading - loading public and/or private EVP_PKEY keys
@@ -157,21 +181,20 @@ implementation includes the following abstractions;
 
 Due to the modular nature of the ENGINE API, pointers to ENGINEs need to be
 treated as handles - ie. not only as pointers, but also as references to
-the underlying ENGINE object. Ie. you should obtain a new reference when
+the underlying ENGINE object. Ie. one should obtain a new reference when
 making copies of an ENGINE pointer if the copies will be used (and
 released) independantly.
 
 ENGINE objects have two levels of reference-counting to match the way in
 which the objects are used. At the most basic level, each ENGINE pointer is
-inherently a B<structural> reference - you need a structural reference
-simply to refer to the pointer value at all, as this kind of reference is
-your guarantee that the structure can not be deallocated until you release
-your reference.
-
-However, a structural reference provides no guarantee that the ENGINE has
-been initiliased to be usable to perform any of its cryptographic
-implementations - and indeed it's quite possible that most ENGINEs will not
-initialised at all on standard setups, as ENGINEs are typically used to
+inherently a B<structural> reference - a structural reference is required
+to use the pointer value at all, as this kind of reference is a guarantee
+that the structure can not be deallocated until the reference is released.
+
+However, a structural reference provides no guarantee that the ENGINE is
+initiliased and able to use any of its cryptographic
+implementations. Indeed it's quite possible that most ENGINEs will not
+initialise at all in typical environments, as ENGINEs are typically used to
 support specialised hardware. To use an ENGINE's functionality, you need a
 B<functional> reference. This kind of reference can be considered a
 specialised form of structural reference, because each functional reference
@@ -179,30 +202,24 @@ implicitly contains a structural reference as well - however to avoid
 difficult-to-find programming bugs, it is recommended to treat the two
 kinds of reference independantly. If you have a functional reference to an
 ENGINE, you have a guarantee that the ENGINE has been initialised ready to
-perform cryptographic operations and will not be uninitialised or cleaned
-up until after you have released your reference.
-
-We will discuss the two kinds of reference separately, including how to
-tell which one you are dealing with at any given point in time (after all
-they are both simply (ENGINE *) pointers, the difference is in the way they
-are used).
+perform cryptographic operations and will remain uninitialised
+until after you have released your reference.
 
 I<Structural references>
 
-This basic type of reference is typically used for creating new ENGINEs
-dynamically, iterating across OpenSSL's internal linked-list of loaded
+This basic type of reference is used for instantiating new ENGINEs,
+iterating across OpenSSL's internal linked-list of loaded
 ENGINEs, reading information about an ENGINE, etc. Essentially a structural
 reference is sufficient if you only need to query or manipulate the data of
 an ENGINE implementation rather than use its functionality.
 
 The ENGINE_new() function returns a structural reference to a new (empty)
-ENGINE object. Other than that, structural references come from return
-values to various ENGINE API functions such as; ENGINE_by_id(),
-ENGINE_get_first(), ENGINE_get_last(), ENGINE_get_next(),
-ENGINE_get_prev(). All structural references should be released by a
-corresponding to call to the ENGINE_free() function - the ENGINE object
-itself will only actually be cleaned up and deallocated when the last
-structural reference is released.
+ENGINE object. There are other ENGINE API functions that return structural
+references such as; ENGINE_by_id(), ENGINE_get_first(), ENGINE_get_last(),
+ENGINE_get_next(), ENGINE_get_prev(). All structural references should be
+released by a corresponding to call to the ENGINE_free() function - the
+ENGINE object itself will only actually be cleaned up and deallocated when
+the last structural reference is released.
 
 It should also be noted that many ENGINE API function calls that accept a
 structural reference will internally obtain another reference - typically
@@ -237,15 +254,9 @@ call the ENGINE_init() function. This returns zero if the ENGINE was not
 already operational and couldn't be successfully initialised (eg. lack of
 system drivers, no special hardware attached, etc), otherwise it will
 return non-zero to indicate that the ENGINE is now operational and will
-have allocated a new B<functional> reference to the ENGINE. In this case,
-the supplied ENGINE pointer is, from the point of the view of the caller,
-both a structural reference and a functional reference - so if the caller
-intends to use it as a functional reference it should free the structural
-reference with ENGINE_free() first. If the caller wishes to use it only as
-a structural reference (eg. if the ENGINE_init() call was simply to test if
-the ENGINE seems available/online), then it should free the functional
-reference; all functional references are released by the ENGINE_finish()
-function.
+have allocated a new B<functional> reference to the ENGINE. All functional
+references are released by calling ENGINE_finish() (which removes the
+implicit structural reference as well).
 
 The second way to get a functional reference is by asking OpenSSL for a
 default implementation for a given task, eg. by ENGINE_get_default_RSA(),
@@ -259,26 +270,21 @@ algorithm-specific types in OpenSSL, such as RSA, DSA, EVP_CIPHER_CTX, etc.
 For each supported abstraction, the ENGINE code maintains an internal table
 of state to control which implementations are available for a given
 abstraction and which should be used by default. These implementations are
-registered in the tables separated-out by an 'nid' index, because
+registered in the tables and indexed by an 'nid' value, because
 abstractions like EVP_CIPHER and EVP_DIGEST support many distinct
-algorithms and modes - ENGINEs will support different numbers and
-combinations of these. In the case of other abstractions like RSA, DSA,
-etc, there is only one "algorithm" so all implementations implicitly
-register using the same 'nid' index. ENGINEs can be B<registered> into
-these tables to make themselves available for use automatically by the
-various abstractions, eg. RSA. For illustrative purposes, we continue with
-the RSA example, though all comments apply similarly to the other
-abstractions (they each get their own table and linkage to the
-corresponding section of openssl code).
-
-When a new RSA key is being created, ie. in RSA_new_method(), a
-"get_default" call will be made to the ENGINE subsystem to process the RSA
-state table and return a functional reference to an initialised ENGINE
-whose RSA_METHOD should be used. If no ENGINE should (or can) be used, it
-will return NULL and the RSA key will operate with a NULL ENGINE handle by
-using the conventional RSA implementation in OpenSSL (and will from then on
-behave the way it used to before the ENGINE API existed - for details see
-L<RSA_new_method(3)|RSA_new_method(3)>).
+algorithms and modes, and ENGINEs can support arbitrarily many of them.
+In the case of other abstractions like RSA, DSA, etc, there is only one
+"algorithm" so all implementations implicitly register using the same 'nid'
+index.
+
+When a default ENGINE is requested for a given abstraction/algorithm/mode, (eg.
+when calling RSA_new_method(NULL)), a "get_default" call will be made to the
+ENGINE subsystem to process the corresponding state table and return a
+functional reference to an initialised ENGINE whose implementation should be
+used. If no ENGINE should (or can) be used, it will return NULL and the caller
+will operate with a NULL ENGINE handle - this usually equates to using the
+conventional software implementation. In the latter case, OpenSSL will from
+then on behave the way it used to before the ENGINE API existed.
 
 Each state table has a flag to note whether it has processed this
 "get_default" query since the table was last modified, because to process
@@ -295,36 +301,9 @@ instead the only way for the state table to return a non-NULL ENGINE to the
 "get_default" query will be if one is expressly set in the table. Eg.
 ENGINE_set_default_RSA() does the same job as ENGINE_register_RSA() except
 that it also sets the state table's cached response for the "get_default"
-query.
-
-In the case of abstractions like EVP_CIPHER, where implementations are
-indexed by 'nid', these flags and cached-responses are distinct for each
-'nid' value.
-
-It is worth illustrating the difference between "registration" of ENGINEs
-into these per-algorithm state tables and using the alternative
-"set_default" functions. The latter handles both "registration" and also
-setting the cached "default" ENGINE in each relevant state table - so
-registered ENGINEs will only have a chance to be initialised for use as a
-default if a default ENGINE wasn't already set for the same state table.
-Eg. if ENGINE X supports cipher nids {A,B} and RSA, ENGINE Y supports
-ciphers {A} and DSA, and the following code is executed;
-
- ENGINE_register_complete(X);
- ENGINE_set_default(Y, ENGINE_METHOD_ALL);
- e1 = ENGINE_get_default_RSA();
- e2 = ENGINE_get_cipher_engine(A);
- e3 = ENGINE_get_cipher_engine(B);
- e4 = ENGINE_get_default_DSA();
- e5 = ENGINE_get_cipher_engine(C);
-
-The results would be as follows;
-
- assert(e1 == X);
- assert(e2 == Y);
- assert(e3 == X);
- assert(e4 == Y);
- assert(e5 == NULL);
+query. In the case of abstractions like EVP_CIPHER, where implementations are
+indexed by 'nid', these flags and cached-responses are distinct for each 'nid'
+value.
 
 =head2 Application requirements
 
@@ -360,7 +339,7 @@ mention an important API function;
 
 If no ENGINE API functions are called at all in an application, then there
 are no inherent memory leaks to worry about from the ENGINE functionality,
-however if any ENGINEs are "load"ed, even if they are never registered or
+however if any ENGINEs are loaded, even if they are never registered or
 used, it is necessary to use the ENGINE_cleanup() function to
 correspondingly cleanup before program exit, if the caller wishes to avoid
 memory leaks. This mechanism uses an internal callback registration table
@@ -375,7 +354,7 @@ linker.
 The fact that ENGINEs are made visible to OpenSSL (and thus are linked into
 the program and loaded into memory at run-time) does not mean they are
 "registered" or called into use by OpenSSL automatically - that behaviour
-is something for the application to have control over. Some applications
+is something for the application to control. Some applications
 will want to allow the user to specify exactly which ENGINE they want used
 if any is to be used at all. Others may prefer to load all support and have
 OpenSSL automatically use at run-time any ENGINE that is able to
@@ -433,7 +412,7 @@ it should be used. The following code illustrates how this can work;
 That's all that's required. Eg. the next time OpenSSL tries to set up an
 RSA key, any bundled ENGINEs that implement RSA_METHOD will be passed to
 ENGINE_init() and if any of those succeed, that ENGINE will be set as the
-default for use with RSA from then on.
+default for RSA use from then on.
 
 =head2 Advanced configuration support
 
@@ -441,7 +420,7 @@ There is a mechanism supported by the ENGINE framework that allows each
 ENGINE implementation to define an arbitrary set of configuration
 "commands" and expose them to OpenSSL and any applications based on
 OpenSSL. This mechanism is entirely based on the use of name-value pairs
-and and assumes ASCII input (no unicode or UTF for now!), so it is ideal if
+and assumes ASCII input (no unicode or UTF for now!), so it is ideal if
 applications want to provide a transparent way for users to provide
 arbitrary configuration "directives" directly to such ENGINEs. It is also
 possible for the application to dynamically interrogate the loaded ENGINE
@@ -450,8 +429,8 @@ available "control commands", providing a more flexible configuration
 scheme. However, if the user is expected to know which ENGINE device he/she
 is using (in the case of specialised hardware, this goes without saying)
 then applications may not need to concern themselves with discovering the
-supported control commands and simply prefer to allow settings to passed
-into ENGINEs exactly as they are provided by the user.
+supported control commands and simply prefer to pass settings into ENGINEs
+exactly as they are provided by the user.
 
 Before illustrating how control commands work, it is worth mentioning what
 they are typically used for. Broadly speaking there are two uses for
@@ -459,13 +438,13 @@ control commands; the first is to provide the necessary details to the
 implementation (which may know nothing at all specific to the host system)
 so that it can be initialised for use. This could include the path to any
 driver or config files it needs to load, required network addresses,
-smart-card identifiers, passwords to initialise password-protected devices,
+smart-card identifiers, passwords to initialise protected devices,
 logging information, etc etc. This class of commands typically needs to be
 passed to an ENGINE B<before> attempting to initialise it, ie. before
 calling ENGINE_init(). The other class of commands consist of settings or
 operations that tweak certain behaviour or cause certain operations to take
 place, and these commands may work either before or after ENGINE_init(), or
-in same cases both. ENGINE implementations should provide indications of
+in some cases both. ENGINE implementations should provide indications of
 this in the descriptions attached to builtin control commands and/or in
 external product documentation.
 
@@ -529,14 +508,14 @@ FALSE.
 I<Discovering supported control commands>
 
 It is possible to discover at run-time the names, numerical-ids, descriptions
-and input parameters of the control commands supported from a structural
-reference to any ENGINE. It is first important to note that some control
-commands are defined by OpenSSL itself and it will intercept and handle these
-control commands on behalf of the ENGINE, ie. the ENGINE's ctrl() handler is not
-used for the control command. openssl/engine.h defines a symbol,
-ENGINE_CMD_BASE, that all control commands implemented by ENGINEs from. Any
-command value lower than this symbol is considered a "generic" command is
-handled directly by the OpenSSL core routines.
+and input parameters of the control commands supported by an ENGINE using a
+structural reference. Note that some control commands are defined by OpenSSL
+itself and it will intercept and handle these control commands on behalf of the
+ENGINE, ie. the ENGINE's ctrl() handler is not used for the control command.
+openssl/engine.h defines an index, ENGINE_CMD_BASE, that all control commands
+implemented by ENGINEs should be numbered from. Any command value lower than
+this symbol is considered a "generic" command is handled directly by the
+OpenSSL core routines.
 
 It is using these "core" control commands that one can discover the the control
 commands implemented by a given ENGINE, specifically the commands;
@@ -552,8 +531,8 @@ commands implemented by a given ENGINE, specifically the commands;
  #define ENGINE_CTRL_GET_CMD_FLAGS		18
 
 Whilst these commands are automatically processed by the OpenSSL framework code,
-they use various properties exposed by each ENGINE by which to process these
-queries. An ENGINE has 3 properties it exposes that can affect this behaviour;
+they use various properties exposed by each ENGINE to process these
+queries. An ENGINE has 3 properties it exposes that can affect how this behaves;
 it can supply a ctrl() handler, it can specify ENGINE_FLAGS_MANUAL_CMD_CTRL in
 the ENGINE's flags, and it can expose an array of control command descriptions.
 If an ENGINE specifies the ENGINE_FLAGS_MANUAL_CMD_CTRL flag, then it will
@@ -615,7 +594,6 @@ implementations.
 
 =head1 SEE ALSO
 
-L<rsa(3)|rsa(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>, L<rand(3)|rand(3)>,
-L<RSA_new_method(3)|RSA_new_method(3)>
+L<rsa(3)|rsa(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>, L<rand(3)|rand(3)>
 
 =cut
diff --git a/crypto/openssl/doc/crypto/hmac.pod b/crypto/openssl/doc/crypto/hmac.pod
index 3976baf226a5..0bd79a6d3a98 100644
--- a/crypto/openssl/doc/crypto/hmac.pod
+++ b/crypto/openssl/doc/crypto/hmac.pod
@@ -18,7 +18,7 @@ authentication code
  void HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,
                const EVP_MD *md);
  void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len,
-               	   const EVP_MD *md);
+               	   const EVP_MD *md, ENGINE *impl);
  void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
  void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
 
diff --git a/crypto/openssl/doc/crypto/threads.pod b/crypto/openssl/doc/crypto/threads.pod
index afa45cd76cda..3df4ecd7768e 100644
--- a/crypto/openssl/doc/crypto/threads.pod
+++ b/crypto/openssl/doc/crypto/threads.pod
@@ -65,9 +65,10 @@ B<CRYPTO_LOCK>, and releases it otherwise.
 B<file> and B<line> are the file number of the function setting the
 lock. They can be useful for debugging.
 
-id_function(void) is a function that returns a thread ID. It is not
+id_function(void) is a function that returns a thread ID, for example
+pthread_self() if it returns an integer (see NOTES below).  It isn't
 needed on Windows nor on platforms where getpid() returns a different
-ID for each thread (most notably Linux).
+ID for each thread (see NOTES below).
 
 Additionally, OpenSSL supports dynamic locks, and sometimes, some parts
 of OpenSSL need it for better performance.  To enable this, the following
@@ -124,13 +125,13 @@ CRYPTO_get_new_dynlockid() returns the index to the newly created lock.
 
 The other functions return no values.
 
-=head1 NOTE
+=head1 NOTES
 
 You can find out if OpenSSL was configured with thread support:
 
  #define OPENSSL_THREAD_DEFINES
  #include <openssl/opensslconf.h>
- #if defined(THREADS)
+ #if defined(OPENSSL_THREADS)
    // thread support enabled
  #else
    // no thread support
@@ -139,6 +140,22 @@ You can find out if OpenSSL was configured with thread support:
 Also, dynamic locks are currently not used internally by OpenSSL, but
 may do so in the future.
 
+Defining id_function(void) has it's own issues.  Generally speaking,
+pthread_self() should be used, even on platforms where getpid() gives
+different answers in each thread, since that may depend on the machine
+the program is run on, not the machine where the program is being
+compiled.  For instance, Red Hat 8 Linux and earlier used
+LinuxThreads, whose getpid() returns a different value for each
+thread.  Red Hat 9 Linux and later use NPTL, which is
+Posix-conformant, and has a getpid() that returns the same value for
+all threads in a process.  A program compiled on Red Hat 8 and run on
+Red Hat 9 will therefore see getpid() returning the same value for
+all threads.
+
+There is still the issue of platforms where pthread_self() returns
+something other than an integer.  This is a bit unusual, and this
+manual has no cookbook solution for that case.
+
 =head1 EXAMPLES
 
 B<crypto/threads/mttest.c> shows examples of the callback functions on
diff --git a/crypto/openssl/doc/crypto/x509.pod b/crypto/openssl/doc/crypto/x509.pod
new file mode 100644
index 000000000000..f9e58e0e41a5
--- /dev/null
+++ b/crypto/openssl/doc/crypto/x509.pod
@@ -0,0 +1,64 @@
+=pod
+
+=head1 NAME
+
+x509 - X.509 certificate handling
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+=head1 DESCRIPTION
+
+A X.509 certificate is a structured grouping of information about
+an individual, a device, or anything one can imagine.  A X.509 CRL
+(certificate revocation list) is a tool to help determine if a
+certificate is still valid.  The exact definition of those can be
+found in the X.509 document from ITU-T, or in RFC3280 from PKIX.
+In OpenSSL, the type X509 is used to express such a certificate, and
+the type X509_CRL is used to express a CRL.
+
+A related structure is a certificate request, defined in PKCS#10 from
+RSA Security, Inc, also reflected in RFC2896.  In OpenSSL, the type
+X509_REQ is used to express such a certificate request.
+
+To handle some complex parts of a certificate, there are the types
+X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express
+a certificate attributes), X509_EXTENSION (to express a certificate
+extension) and a few more.
+
+Finally, there's the supertype X509_INFO, which can contain a CRL, a
+certificate and a corresponding private key.
+
+B<X509_>I<...>, B<d2i_X509_>I<...> and B<i2d_X509_>I<...> handle X.509
+certificates, with some exceptions, shown below.
+
+B<X509_CRL_>I<...>, B<d2i_X509_CRL_>I<...> and B<i2d_X509_CRL_>I<...>
+handle X.509 CRLs.
+
+B<X509_REQ_>I<...>, B<d2i_X509_REQ_>I<...> and B<i2d_X509_REQ_>I<...>
+handle PKCS#10 certificate requests.
+
+B<X509_NAME_>I<...> handle certificate names.
+
+B<X509_ATTRIBUTE_>I<...> handle certificate attributes.
+
+B<X509_EXTENSION_>I<...> handle certificate extensions.
+
+=head1 SEE ALSO
+
+L<X509_NAME_ENTRY_get_object(3)|X509_NAME_ENTRY_get_object(3)>,
+L<X509_NAME_add_entry_by_txt(3)|X509_NAME_add_entry_by_txt(3)>,
+L<X509_NAME_add_entry_by_NID(3)|X509_NAME_add_entry_by_NID(3)>,
+L<X509_NAME_print_ex(3)|X509_NAME_print_ex(3)>,
+L<X509_NAME_new(3)|X509_NAME_new(3)>,
+L<d2i_X509(3)|d2i_X509(3)>,
+L<d2i_X509_ALGOR(3)|d2i_X509_ALGOR(3)>,
+L<d2i_X509_CRL(3)|d2i_X509_CRL(3)>,
+L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>,
+L<d2i_X509_REQ(3)|d2i_X509_REQ(3)>,
+L<d2i_X509_SIG(3)|d2i_X509_SIG(3)>,
+L<crypto(3)|crypto(3)>,
+L<x509v3(3)|x509v3(3)>
+
+=cut
diff --git a/crypto/openssl/doc/fingerprints.txt b/crypto/openssl/doc/fingerprints.txt
new file mode 100644
index 000000000000..7d05a855946b
--- /dev/null
+++ b/crypto/openssl/doc/fingerprints.txt
@@ -0,0 +1,57 @@
+                              Fingerprints
+
+OpenSSL releases are signed with PGP/GnuPG keys.  You can find the
+signatures in separate files in the same location you find the
+distributions themselves.  The normal file name is the same as the
+distribution file, with '.asc' added.  For example, the signature for
+the distribution of OpenSSL 0.9.7f, openssl-0.9.7f.tar.gz, is found in
+the file openssl-0.9.7f.tar.gz.asc.
+
+The following is the list of fingerprints for the keys that are
+currently in use (have been used since summer 2004) to sign OpenSSL
+distributions:
+
+pub   1024D/F709453B 2003-10-20
+      Key fingerprint = C4CA B749 C34F 7F4C C04F  DAC9 A7AF 9E78 F709 453B
+uid                  Richard Levitte <richard@levitte.org>
+uid                  Richard Levitte <levitte@openssl.org>
+uid                  Richard Levitte <levitte@lp.se>
+
+pub   2048R/F295C759 1998-12-13
+      Key fingerprint = D0 5D 8C 61 6E 27 E6 60  41 EC B1 B8 D5 7E E5 97
+uid                  Dr S N Henson <shenson@drh-consultancy.demon.co.uk>
+
+pub   1024R/49A563D9 1997-02-24
+      Key fingerprint = 7B 79 19 FA 71 6B 87 25  0E 77 21 E5 52 D9 83 BF
+uid                  Mark Cox <mjc@redhat.com>
+uid                  Mark Cox <mark@awe.com>
+uid                  Mark Cox <mjc@apache.org>
+
+pub   1024R/26BB437D 1997-04-28
+      Key fingerprint = 00 C9 21 8E D1 AB 70 37  DD 67 A2 3A 0A 6F 8D A5
+uid                  Ralf S. Engelschall <rse@engelschall.com>
+
+pub   1024R/9C58A66D 1997-04-03
+      Key fingerprint = 13 D0 B8 9D 37 30 C3 ED  AC 9C 24 7D 45 8C 17 67
+uid                  jaenicke@openssl.org
+uid                  Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
+
+pub   1024D/2118CF83 1998-07-13
+      Key fingerprint = 7656 55DE 62E3 96FF 2587  EB6C 4F6D E156 2118 CF83
+uid                  Ben Laurie <ben@thebunker.net>
+uid                  Ben Laurie <ben@cryptix.org>
+uid                  Ben Laurie <ben@algroup.co.uk>
+sub   4096g/1F5143E7 1998-07-13
+
+pub   1024R/5A6A9B85 1994-03-22
+      Key fingerprint = C7 AC 7E AD 56 6A 65 EC  F6 16 66 83 7E 86 68 28
+uid                  Bodo Moeller <2005@bmoeller.de>
+uid                  Bodo Moeller <2003@bmoeller.de>
+uid                  Bodo Moeller <2004@bmoeller.de>
+uid                  Bodo Moeller <bmoeller@acm.org>
+uid                  Bodo Moeller <bodo@openssl.org>
+uid                  Bodo Moeller <bm@ulf.mali.sub.org>
+uid                  Bodo Moeller <3moeller@informatik.uni-hamburg.de>
+uid                  Bodo Moeller <Bodo_Moeller@public.uni-hamburg.de>
+uid                  Bodo Moeller <3moeller@rzdspc5.informatik.uni-hamburg.de>
+
diff --git a/crypto/openssl/doc/openssl.txt b/crypto/openssl/doc/openssl.txt
index 432a17b66cf8..f8817b0a7199 100644
--- a/crypto/openssl/doc/openssl.txt
+++ b/crypto/openssl/doc/openssl.txt
@@ -154,8 +154,22 @@ for example contain data in multiple sections. The correct syntax to
 use is defined by the extension code itself: check out the certificate
 policies extension for an example.
 
-In addition it is also possible to use the word DER to include arbitrary
-data in any extension.
+There are two ways to encode arbitrary extensions.
+
+The first way is to use the word ASN1 followed by the extension content
+using the same syntax as ASN1_generate_nconf(). For example:
+
+1.2.3.4=critical,ASN1:UTF8String:Some random data
+
+1.2.3.4=ASN1:SEQUENCE:seq_sect
+
+[seq_sect]
+
+field1 = UTF8:field1
+field2 = UTF8:field2
+
+It is also possible to use the word DER to include arbitrary data in any
+extension.
 
 1.2.3.4=critical,DER:01:02:03:04
 1.2.3.4=DER:01020304
@@ -336,16 +350,21 @@ Subject Alternative Name.
 The subject alternative name extension allows various literal values to be
 included in the configuration file. These include "email" (an email address)
 "URI" a uniform resource indicator, "DNS" (a DNS domain name), RID (a
-registered ID: OBJECT IDENTIFIER) and IP (and IP address).
+registered ID: OBJECT IDENTIFIER), IP (and IP address) and otherName.
 
 Also the email option include a special 'copy' value. This will automatically
 include and email addresses contained in the certificate subject name in
 the extension.
 
+otherName can include arbitrary data associated with an OID: the value
+should be the OID followed by a semicolon and the content in standard
+ASN1_generate_nconf() format.
+
 Examples:
 
 subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
 subjectAltName=email:my@other.address,RID:1.2.3.4
+subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
 
 Issuer Alternative Name.
 
@@ -759,7 +778,7 @@ called.
 
 The X509V3_EXT_METHOD structure is described below.
 
-strut {
+struct {
 int ext_nid;
 int ext_flags;
 X509V3_EXT_NEW ext_new;
diff --git a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
index 4b91c63ba0df..f81f692df5de 100644
--- a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
+++ b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
@@ -8,9 +8,9 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_des
 
  #include <openssl/ssl.h>
 
- const char *SSL_CIPHER_get_name(SSL_CIPHER *cipher);
- int SSL_CIPHER_get_bits(SSL_CIPHER *cipher, int *alg_bits);
- char *SSL_CIPHER_get_version(SSL_CIPHER *cipher);
+ const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
+ int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits);
+ char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
  char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size);
 
 =head1 DESCRIPTION
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod
index 5686faf29982..0c40a91f2fb3 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod
@@ -15,7 +15,7 @@ SSL_CTX_get_ex_new_index, SSL_CTX_set_ex_data, SSL_CTX_get_ex_data - internal ap
 
  int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg);
 
- void *SSL_CTX_get_ex_data(SSL_CTX *ctx, int idx);
+ void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx);
 
  typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
                 int idx, long argl, void *argp);
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod
index 7f10c6e94509..2a3747e75c64 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod
@@ -8,12 +8,12 @@ SSL_CTX_get_verify_mode, SSL_get_verify_mode, SSL_CTX_get_verify_depth, SSL_get_
 
  #include <openssl/ssl.h>
 
- int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
- int SSL_get_verify_mode(SSL *ssl);
- int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
- int SSL_get_verify_depth(SSL *ssl);
- int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int, X509_STORE_CTX *);
- int (*SSL_get_verify_callback(SSL *ssl))(int, X509_STORE_CTX *);
+ int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
+ int SSL_get_verify_mode(const SSL *ssl);
+ int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
+ int SSL_get_verify_depth(const SSL *ssl);
+ int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *);
+ int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod
index 3a240c4d3747..6acf0d9f9b1c 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod
@@ -9,7 +9,7 @@ SSL_CTX_set_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate ver
  #include <openssl/ssl.h>
 
  void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
- X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx);
+ X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_info_callback.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_info_callback.pod
index 63d0b8d33f87..0b4affd5eb1a 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_info_callback.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_info_callback.pod
@@ -9,10 +9,10 @@ SSL_CTX_set_info_callback, SSL_CTX_get_info_callback, SSL_set_info_callback, SSL
  #include <openssl/ssl.h>
 
  void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*callback)());
- void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))();
+ void (*SSL_CTX_get_info_callback(const SSL_CTX *ctx))();
 
  void SSL_set_info_callback(SSL *ssl, void (*callback)());
- void (*SSL_get_info_callback(SSL *ssl))();
+ void (*SSL_get_info_callback(const SSL *ssl))();
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
index 766f0c920070..fa63263601c8 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
@@ -86,7 +86,7 @@ doing a re-connect, always takes the first cipher in the cipher list.
 
 =item SSL_OP_MSIE_SSLV2_RSA_PADDING
 
-...
+As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
 
 =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
 
@@ -163,7 +163,7 @@ When choosing a cipher, use the server's preferences instead of the client
 preferences. When not set, the SSL server will always follow the clients
 preferences. When set, the SSLv3/TLSv1 server will choose following its
 own preferences. Because of the different protocol, for SSLv2 the server
-will send his list of preferences to the client and the client chooses.
+will send its list of preferences to the client and the client chooses.
 
 =item SSL_OP_PKCS1_CHECK_1
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
index 1d0526d59a3f..393f8ff0b467 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
@@ -9,10 +9,10 @@ SSL_CTX_set_quiet_shutdown, SSL_CTX_get_quiet_shutdown, SSL_set_quiet_shutdown,
  #include <openssl/ssl.h>
 
  void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
- int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx);
+ int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
 
  void SSL_set_quiet_shutdown(SSL *ssl, int mode);
- int SSL_get_quiet_shutdown(SSL *ssl);
+ int SSL_get_quiet_shutdown(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
index ea2faba3ecca..10be95fdb109 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
@@ -31,8 +31,8 @@ SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_f
  int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
  int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
 
- int SSL_CTX_check_private_key(SSL_CTX *ctx);
- int SSL_check_private_key(SSL *ssl);
+ int SSL_CTX_check_private_key(const SSL_CTX *ctx);
+ int SSL_check_private_key(const SSL *ssl);
 
 =head1 DESCRIPTION
 
@@ -77,6 +77,12 @@ SSL_CTX_use_PrivateKey() adds B<pkey> as private key to B<ctx>.
 SSL_CTX_use_RSAPrivateKey() adds the private key B<rsa> of type RSA
 to B<ctx>. SSL_use_PrivateKey() adds B<pkey> as private key to B<ssl>;
 SSL_use_RSAPrivateKey() adds B<rsa> as private key of type RSA to B<ssl>.
+If a certificate has already been set and the private does not belong
+to the certificate an error is returned. To change a certificate, private
+key pair the new certificate needs to be set with SSL_use_certificate()
+or SSL_CTX_use_certificate() before setting the private key with
+SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey(). 
+
 
 SSL_CTX_use_PrivateKey_ASN1() adds the private key of type B<pk>
 stored at memory location B<d> (length B<len>) to B<ctx>.
@@ -154,4 +160,10 @@ L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
 L<SSL_CTX_set_client_cert_cb(3)|SSL_CTX_set_client_cert_cb(3)>,
 L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
 
+=head1 HISTORY
+
+Support for DER encoded private keys (SSL_FILETYPE_ASN1) in
+SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file() was added
+in 0.9.8 .
+
 =cut
diff --git a/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod
index da0bcf1590ca..657cda931ff9 100644
--- a/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod
+++ b/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod
@@ -15,7 +15,7 @@ SSL_SESSION_get_ex_new_index, SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data -
 
  int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg);
 
- void *SSL_SESSION_get_ex_data(SSL_SESSION *session, int idx);
+ void *SSL_SESSION_get_ex_data(const SSL_SESSION *session, int idx);
 
  typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
                 int idx, long argl, void *argp);
diff --git a/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod b/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod
index ea3c2bcfe601..00883ed2a050 100644
--- a/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod
+++ b/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod
@@ -8,14 +8,14 @@ SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION
 
  #include <openssl/ssl.h>
 
- long SSL_SESSION_get_time(SSL_SESSION *s);
+ long SSL_SESSION_get_time(const SSL_SESSION *s);
  long SSL_SESSION_set_time(SSL_SESSION *s, long tm);
- long SSL_SESSION_get_timeout(SSL_SESSION *s);
+ long SSL_SESSION_get_timeout(const SSL_SESSION *s);
  long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm);
 
- long SSL_get_time(SSL_SESSION *s);
+ long SSL_get_time(const SSL_SESSION *s);
  long SSL_set_time(SSL_SESSION *s, long tm);
- long SSL_get_timeout(SSL_SESSION *s);
+ long SSL_get_timeout(const SSL_SESSION *s);
  long SSL_set_timeout(SSL_SESSION *s, long tm);
 
 =head1 DESCRIPTION
diff --git a/crypto/openssl/doc/ssl/SSL_get_SSL_CTX.pod b/crypto/openssl/doc/ssl/SSL_get_SSL_CTX.pod
index 52d0227b193d..659c482c792a 100644
--- a/crypto/openssl/doc/ssl/SSL_get_SSL_CTX.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_SSL_CTX.pod
@@ -8,7 +8,7 @@ SSL_get_SSL_CTX - get the SSL_CTX from which an SSL is created
 
  #include <openssl/ssl.h>
 
- SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
+ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_ciphers.pod b/crypto/openssl/doc/ssl/SSL_get_ciphers.pod
index 2a57455c235d..aecadd9138f0 100644
--- a/crypto/openssl/doc/ssl/SSL_get_ciphers.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_ciphers.pod
@@ -8,8 +8,8 @@ SSL_get_ciphers, SSL_get_cipher_list - get list of available SSL_CIPHERs
 
  #include <openssl/ssl.h>
 
- STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *ssl);
- const char *SSL_get_cipher_list(SSL *ssl, int priority);
+ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl);
+ const char *SSL_get_cipher_list(const SSL *ssl, int priority);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod
index 5693fdebb2f1..68181b2407b9 100644
--- a/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod
@@ -8,8 +8,8 @@ SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs
 
  #include <openssl/ssl.h>
 
- STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
- STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx); 
+ STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
+ STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx); 
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_current_cipher.pod b/crypto/openssl/doc/ssl/SSL_get_current_cipher.pod
index 2dd7261d89dc..e5ab12491e63 100644
--- a/crypto/openssl/doc/ssl/SSL_get_current_cipher.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_current_cipher.pod
@@ -9,7 +9,7 @@ SSL_get_cipher_bits, SSL_get_cipher_version - get SSL_CIPHER of a connection
 
  #include <openssl/ssl.h>
 
- SSL_CIPHER *SSL_get_current_cipher(SSL *ssl);
+ SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl);
  #define SSL_get_cipher(s) \
                 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
  #define SSL_get_cipher_name(s) \
diff --git a/crypto/openssl/doc/ssl/SSL_get_default_timeout.pod b/crypto/openssl/doc/ssl/SSL_get_default_timeout.pod
index 8d43b31345df..a648a9b82df6 100644
--- a/crypto/openssl/doc/ssl/SSL_get_default_timeout.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_default_timeout.pod
@@ -8,7 +8,7 @@ SSL_get_default_timeout - get default session timeout value
 
  #include <openssl/ssl.h>
 
- long SSL_get_default_timeout(SSL *ssl);
+ long SSL_get_default_timeout(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_error.pod b/crypto/openssl/doc/ssl/SSL_get_error.pod
index fe28dd942aee..48c6b15db78f 100644
--- a/crypto/openssl/doc/ssl/SSL_get_error.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_error.pod
@@ -8,7 +8,7 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation
 
  #include <openssl/ssl.h>
 
- int SSL_get_error(SSL *ssl, int ret);
+ int SSL_get_error(const SSL *ssl, int ret);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod
index 6644ef8fbc10..228d23d8c0bb 100644
--- a/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod
@@ -15,7 +15,7 @@ SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data - internal application sp
 
  int SSL_set_ex_data(SSL *ssl, int idx, void *arg);
 
- void *SSL_get_ex_data(SSL *ssl, int idx);
+ void *SSL_get_ex_data(const SSL *ssl, int idx);
 
  typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
                 int idx, long argl, void *argp);
diff --git a/crypto/openssl/doc/ssl/SSL_get_fd.pod b/crypto/openssl/doc/ssl/SSL_get_fd.pod
index a3f76259316f..89260b522ca2 100644
--- a/crypto/openssl/doc/ssl/SSL_get_fd.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_fd.pod
@@ -8,9 +8,9 @@ SSL_get_fd - get file descriptor linked to an SSL object
 
  #include <openssl/ssl.h>
 
- int SSL_get_fd(SSL *ssl);
- int SSL_get_rfd(SSL *ssl);
- int SSL_get_wfd(SSL *ssl);
+ int SSL_get_fd(const SSL *ssl);
+ int SSL_get_rfd(const SSL *ssl);
+ int SSL_get_wfd(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod b/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
index 390ce0b41b5c..49fb88f86faf 100644
--- a/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
@@ -8,7 +8,7 @@ SSL_get_peer_cert_chain - get the X509 certificate chain of the peer
 
  #include <openssl/ssl.h>
 
- STACKOF(X509) *SSL_get_peer_cert_chain(SSL *ssl);
+ STACKOF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod b/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod
index 60635a966000..ef7c8be18079 100644
--- a/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod
@@ -8,7 +8,7 @@ SSL_get_peer_certificate - get the X509 certificate of the peer
 
  #include <openssl/ssl.h>
 
- X509 *SSL_get_peer_certificate(SSL *ssl);
+ X509 *SSL_get_peer_certificate(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_session.pod b/crypto/openssl/doc/ssl/SSL_get_session.pod
index dd9aba40b6a4..0c41caa922ab 100644
--- a/crypto/openssl/doc/ssl/SSL_get_session.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_session.pod
@@ -8,8 +8,8 @@ SSL_get_session - retrieve TLS/SSL session data
 
  #include <openssl/ssl.h>
 
- SSL_SESSION *SSL_get_session(SSL *ssl);
- SSL_SESSION *SSL_get0_session(SSL *ssl);
+ SSL_SESSION *SSL_get_session(const SSL *ssl);
+ SSL_SESSION *SSL_get0_session(const SSL *ssl);
  SSL_SESSION *SSL_get1_session(SSL *ssl);
 
 =head1 DESCRIPTION
diff --git a/crypto/openssl/doc/ssl/SSL_get_verify_result.pod b/crypto/openssl/doc/ssl/SSL_get_verify_result.pod
index e6bac9c35a8b..55b56a53f92e 100644
--- a/crypto/openssl/doc/ssl/SSL_get_verify_result.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_verify_result.pod
@@ -8,7 +8,7 @@ SSL_get_verify_result - get result of peer certificate verification
 
  #include <openssl/ssl.h>
 
- long SSL_get_verify_result(SSL *ssl);
+ long SSL_get_verify_result(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_version.pod b/crypto/openssl/doc/ssl/SSL_get_version.pod
index 24d52912565d..cc271db2c534 100644
--- a/crypto/openssl/doc/ssl/SSL_get_version.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_version.pod
@@ -8,7 +8,7 @@ SSL_get_version - get the protocol version of a connection.
 
  #include <openssl/ssl.h>
 
- const char *SSL_get_version(SSL *ssl);
+ const char *SSL_get_version(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_pending.pod b/crypto/openssl/doc/ssl/SSL_pending.pod
index b4c48598b25d..43f2874e8b6a 100644
--- a/crypto/openssl/doc/ssl/SSL_pending.pod
+++ b/crypto/openssl/doc/ssl/SSL_pending.pod
@@ -8,7 +8,7 @@ SSL_pending - obtain number of readable bytes buffered in an SSL object
 
  #include <openssl/ssl.h>
 
- int SSL_pending(SSL *ssl);
+ int SSL_pending(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_set_shutdown.pod b/crypto/openssl/doc/ssl/SSL_set_shutdown.pod
index 6289e635d96d..011a022a12c3 100644
--- a/crypto/openssl/doc/ssl/SSL_set_shutdown.pod
+++ b/crypto/openssl/doc/ssl/SSL_set_shutdown.pod
@@ -10,7 +10,7 @@ SSL_set_shutdown, SSL_get_shutdown - manipulate shutdown state of an SSL connect
 
  void SSL_set_shutdown(SSL *ssl, int mode);
 
- int SSL_get_shutdown(SSL *ssl);
+ int SSL_get_shutdown(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_shutdown.pod b/crypto/openssl/doc/ssl/SSL_shutdown.pod
index 6b5012be7a8d..89911acbcac8 100644
--- a/crypto/openssl/doc/ssl/SSL_shutdown.pod
+++ b/crypto/openssl/doc/ssl/SSL_shutdown.pod
@@ -38,7 +38,7 @@ behaviour.
 =over 4
 
 =item When the application is the first party to send the "close notify"
-alert, SSL_shutdown() will only send the alert and the set the
+alert, SSL_shutdown() will only send the alert and then set the
 SSL_SENT_SHUTDOWN flag (so that the session is considered good and will
 be kept in cache). SSL_shutdown() will then return with 0. If a unidirectional
 shutdown is enough (the underlying connection shall be closed anyway), this
diff --git a/crypto/openssl/doc/ssl/SSL_state_string.pod b/crypto/openssl/doc/ssl/SSL_state_string.pod
index b4be1aaa4863..fe25d47c71a3 100644
--- a/crypto/openssl/doc/ssl/SSL_state_string.pod
+++ b/crypto/openssl/doc/ssl/SSL_state_string.pod
@@ -8,8 +8,8 @@ SSL_state_string, SSL_state_string_long - get textual description of state of an
 
  #include <openssl/ssl.h>
 
- const char *SSL_state_string(SSL *ssl);
- const char *SSL_state_string_long(SSL *ssl);
+ const char *SSL_state_string(const SSL *ssl);
+ const char *SSL_state_string_long(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_want.pod b/crypto/openssl/doc/ssl/SSL_want.pod
index 50cc89db80b9..c0059c0d4a56 100644
--- a/crypto/openssl/doc/ssl/SSL_want.pod
+++ b/crypto/openssl/doc/ssl/SSL_want.pod
@@ -8,11 +8,11 @@ SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, SSL_want_x509_lookup
 
  #include <openssl/ssl.h>
 
- int SSL_want(SSL *ssl);
- int SSL_want_nothing(SSL *ssl);
- int SSL_want_read(SSL *ssl);
- int SSL_want_write(SSL *ssl);
- int SSL_want_x509_lookup(SSL *ssl);
+ int SSL_want(const SSL *ssl);
+ int SSL_want_nothing(const SSL *ssl);
+ int SSL_want_read(const SSL *ssl);
+ int SSL_want_write(const SSL *ssl);
+ int SSL_want_x509_lookup(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
index 0321a5a36f2e..81d276477f9f 100644
--- a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
+++ b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
@@ -8,7 +8,7 @@ d2i_SSL_SESSION, i2d_SSL_SESSION - convert SSL_SESSION object from/to ASN1 repre
 
  #include <openssl/ssl.h>
 
- SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, long length);
+ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length);
  int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
 
 =head1 DESCRIPTION
diff --git a/crypto/openssl/doc/ssl/ssl.pod b/crypto/openssl/doc/ssl/ssl.pod
index 3dc5358ef63f..266697d22164 100644
--- a/crypto/openssl/doc/ssl/ssl.pod
+++ b/crypto/openssl/doc/ssl/ssl.pod
@@ -213,7 +213,7 @@ protocol context defined in the B<SSL_CTX> structure.
 
 =item int B<SSL_CTX_add_session>(SSL_CTX *ctx, SSL_SESSION *c);
 
-=item int B<SSL_CTX_check_private_key>(SSL_CTX *ctx);
+=item int B<SSL_CTX_check_private_key>(const SSL_CTX *ctx);
 
 =item long B<SSL_CTX_ctrl>(SSL_CTX *ctx, int cmd, long larg, char *parg);
 
@@ -225,23 +225,23 @@ protocol context defined in the B<SSL_CTX> structure.
 
 =item X509_STORE *B<SSL_CTX_get_cert_store>(SSL_CTX *ctx);
 
-=item STACK *B<SSL_CTX_get_client_CA_list>(SSL_CTX *ctx);
+=item STACK *B<SSL_CTX_get_client_CA_list>(const SSL_CTX *ctx);
 
 =item int (*B<SSL_CTX_get_client_cert_cb>(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
 
-=item char *B<SSL_CTX_get_ex_data>(SSL_CTX *s, int idx);
+=item char *B<SSL_CTX_get_ex_data>(const SSL_CTX *s, int idx);
 
 =item int B<SSL_CTX_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
 
 =item void (*B<SSL_CTX_get_info_callback>(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);
 
-=item int B<SSL_CTX_get_quiet_shutdown>(SSL_CTX *ctx);
+=item int B<SSL_CTX_get_quiet_shutdown>(const SSL_CTX *ctx);
 
 =item int B<SSL_CTX_get_session_cache_mode>(SSL_CTX *ctx);
 
-=item long B<SSL_CTX_get_timeout>(SSL_CTX *ctx);
+=item long B<SSL_CTX_get_timeout>(const SSL_CTX *ctx);
 
-=item int (*B<SSL_CTX_get_verify_callback>(SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
+=item int (*B<SSL_CTX_get_verify_callback>(const SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
 
 =item int B<SSL_CTX_get_verify_mode>(SSL_CTX *ctx);
 
@@ -383,27 +383,27 @@ sessions defined in the B<SSL_SESSION> structures.
 
 =over 4
 
-=item int B<SSL_SESSION_cmp>(SSL_SESSION *a, SSL_SESSION *b);
+=item int B<SSL_SESSION_cmp>(const SSL_SESSION *a, const SSL_SESSION *b);
 
 =item void B<SSL_SESSION_free>(SSL_SESSION *ss);
 
 =item char *B<SSL_SESSION_get_app_data>(SSL_SESSION *s);
 
-=item char *B<SSL_SESSION_get_ex_data>(SSL_SESSION *s, int idx);
+=item char *B<SSL_SESSION_get_ex_data>(const SSL_SESSION *s, int idx);
 
 =item int B<SSL_SESSION_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
 
-=item long B<SSL_SESSION_get_time>(SSL_SESSION *s);
+=item long B<SSL_SESSION_get_time>(const SSL_SESSION *s);
 
-=item long B<SSL_SESSION_get_timeout>(SSL_SESSION *s);
+=item long B<SSL_SESSION_get_timeout>(const SSL_SESSION *s);
 
-=item unsigned long B<SSL_SESSION_hash>(SSL_SESSION *a);
+=item unsigned long B<SSL_SESSION_hash>(const SSL_SESSION *a);
 
 =item SSL_SESSION *B<SSL_SESSION_new>(void);
 
-=item int B<SSL_SESSION_print>(BIO *bp, SSL_SESSION *x);
+=item int B<SSL_SESSION_print>(BIO *bp, const SSL_SESSION *x);
 
-=item int B<SSL_SESSION_print_fp>(FILE *fp, SSL_SESSION *x);
+=item int B<SSL_SESSION_print_fp>(FILE *fp, const SSL_SESSION *x);
 
 =item void B<SSL_SESSION_set_app_data>(SSL_SESSION *s, char *a);
 
@@ -438,7 +438,7 @@ connection defined in the B<SSL> structure.
 
 =item char *B<SSL_alert_type_string_long>(int value);
 
-=item int B<SSL_check_private_key>(SSL *ssl);
+=item int B<SSL_check_private_key>(const SSL *ssl);
 
 =item void B<SSL_clear>(SSL *ssl);
 
@@ -446,7 +446,7 @@ connection defined in the B<SSL> structure.
 
 =item int B<SSL_connect>(SSL *ssl);
 
-=item void B<SSL_copy_session_id>(SSL *t, SSL *f);
+=item void B<SSL_copy_session_id>(SSL *t, const SSL *f);
 
 =item long B<SSL_ctrl>(SSL *ssl, int cmd, long larg, char *parg);
 
@@ -458,77 +458,77 @@ connection defined in the B<SSL> structure.
 
 =item void B<SSL_free>(SSL *ssl);
 
-=item SSL_CTX *B<SSL_get_SSL_CTX>(SSL *ssl);
+=item SSL_CTX *B<SSL_get_SSL_CTX>(const SSL *ssl);
 
 =item char *B<SSL_get_app_data>(SSL *ssl);
 
-=item X509 *B<SSL_get_certificate>(SSL *ssl);
+=item X509 *B<SSL_get_certificate>(const SSL *ssl);
 
-=item const char *B<SSL_get_cipher>(SSL *ssl);
+=item const char *B<SSL_get_cipher>(const SSL *ssl);
 
-=item int B<SSL_get_cipher_bits>(SSL *ssl, int *alg_bits);
+=item int B<SSL_get_cipher_bits>(const SSL *ssl, int *alg_bits);
 
-=item char *B<SSL_get_cipher_list>(SSL *ssl, int n);
+=item char *B<SSL_get_cipher_list>(const SSL *ssl, int n);
 
-=item char *B<SSL_get_cipher_name>(SSL *ssl);
+=item char *B<SSL_get_cipher_name>(const SSL *ssl);
 
-=item char *B<SSL_get_cipher_version>(SSL *ssl);
+=item char *B<SSL_get_cipher_version>(const SSL *ssl);
 
-=item STACK *B<SSL_get_ciphers>(SSL *ssl);
+=item STACK *B<SSL_get_ciphers>(const SSL *ssl);
 
-=item STACK *B<SSL_get_client_CA_list>(SSL *ssl);
+=item STACK *B<SSL_get_client_CA_list>(const SSL *ssl);
 
 =item SSL_CIPHER *B<SSL_get_current_cipher>(SSL *ssl);
 
-=item long B<SSL_get_default_timeout>(SSL *ssl);
+=item long B<SSL_get_default_timeout>(const SSL *ssl);
 
-=item int B<SSL_get_error>(SSL *ssl, int i);
+=item int B<SSL_get_error>(const SSL *ssl, int i);
 
-=item char *B<SSL_get_ex_data>(SSL *ssl, int idx);
+=item char *B<SSL_get_ex_data>(const SSL *ssl, int idx);
 
 =item int B<SSL_get_ex_data_X509_STORE_CTX_idx>(void);
 
 =item int B<SSL_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
 
-=item int B<SSL_get_fd>(SSL *ssl);
+=item int B<SSL_get_fd>(const SSL *ssl);
 
-=item void (*B<SSL_get_info_callback>(SSL *ssl);)(void)
+=item void (*B<SSL_get_info_callback>(const SSL *ssl);)()
 
-=item STACK *B<SSL_get_peer_cert_chain>(SSL *ssl);
+=item STACK *B<SSL_get_peer_cert_chain>(const SSL *ssl);
 
-=item X509 *B<SSL_get_peer_certificate>(SSL *ssl);
+=item X509 *B<SSL_get_peer_certificate>(const SSL *ssl);
 
 =item EVP_PKEY *B<SSL_get_privatekey>(SSL *ssl);
 
-=item int B<SSL_get_quiet_shutdown>(SSL *ssl);
+=item int B<SSL_get_quiet_shutdown>(const SSL *ssl);
 
-=item BIO *B<SSL_get_rbio>(SSL *ssl);
+=item BIO *B<SSL_get_rbio>(const SSL *ssl);
 
-=item int B<SSL_get_read_ahead>(SSL *ssl);
+=item int B<SSL_get_read_ahead>(const SSL *ssl);
 
-=item SSL_SESSION *B<SSL_get_session>(SSL *ssl);
+=item SSL_SESSION *B<SSL_get_session>(const SSL *ssl);
 
-=item char *B<SSL_get_shared_ciphers>(SSL *ssl, char *buf, int len);
+=item char *B<SSL_get_shared_ciphers>(const SSL *ssl, char *buf, int len);
 
-=item int B<SSL_get_shutdown>(SSL *ssl);
+=item int B<SSL_get_shutdown>(const SSL *ssl);
 
 =item SSL_METHOD *B<SSL_get_ssl_method>(SSL *ssl);
 
-=item int B<SSL_get_state>(SSL *ssl);
+=item int B<SSL_get_state>(const SSL *ssl);
 
-=item long B<SSL_get_time>(SSL *ssl);
+=item long B<SSL_get_time>(const SSL *ssl);
 
-=item long B<SSL_get_timeout>(SSL *ssl);
+=item long B<SSL_get_timeout>(const SSL *ssl);
 
-=item int (*B<SSL_get_verify_callback>(SSL *ssl);)(void)
+=item int (*B<SSL_get_verify_callback>(const SSL *ssl))(int,X509_STORE_CTX *)
 
-=item int B<SSL_get_verify_mode>(SSL *ssl);
+=item int B<SSL_get_verify_mode>(const SSL *ssl);
 
-=item long B<SSL_get_verify_result>(SSL *ssl);
+=item long B<SSL_get_verify_result>(const SSL *ssl);
 
-=item char *B<SSL_get_version>(SSL *ssl);
+=item char *B<SSL_get_version>(const SSL *ssl);
 
-=item BIO *B<SSL_get_wbio>(SSL *ssl);
+=item BIO *B<SSL_get_wbio>(const SSL *ssl);
 
 =item int B<SSL_in_accept_init>(SSL *ssl);
 
@@ -550,7 +550,7 @@ connection defined in the B<SSL> structure.
 
 =item int B<SSL_peek>(SSL *ssl, void *buf, int num);
 
-=item int B<SSL_pending>(SSL *ssl);
+=item int B<SSL_pending>(const SSL *ssl);
 
 =item int B<SSL_read>(SSL *ssl, void *buf, int num);
 
@@ -610,11 +610,11 @@ connection defined in the B<SSL> structure.
 
 =item int B<SSL_shutdown>(SSL *ssl);
 
-=item int B<SSL_state>(SSL *ssl);
+=item int B<SSL_state>(const SSL *ssl);
 
-=item char *B<SSL_state_string>(SSL *ssl);
+=item char *B<SSL_state_string>(const SSL *ssl);
 
-=item char *B<SSL_state_string_long>(SSL *ssl);
+=item char *B<SSL_state_string_long>(const SSL *ssl);
 
 =item long B<SSL_total_renegotiations>(SSL *ssl);
 
@@ -636,17 +636,17 @@ connection defined in the B<SSL> structure.
 
 =item int B<SSL_use_certificate_file>(SSL *ssl, char *file, int type);
 
-=item int B<SSL_version>(SSL *ssl);
+=item int B<SSL_version>(const SSL *ssl);
 
-=item int B<SSL_want>(SSL *ssl);
+=item int B<SSL_want>(const SSL *ssl);
 
-=item int B<SSL_want_nothing>(SSL *ssl);
+=item int B<SSL_want_nothing>(const SSL *ssl);
 
-=item int B<SSL_want_read>(SSL *ssl);
+=item int B<SSL_want_read>(const SSL *ssl);
 
-=item int B<SSL_want_write>(SSL *ssl);
+=item int B<SSL_want_write>(const SSL *ssl);
 
-=item int B<SSL_want_x509_lookup>(s);
+=item int B<SSL_want_x509_lookup>(const SSL *ssl);
 
 =item int B<SSL_write>(SSL *ssl, const void *buf, int num);
 
diff --git a/crypto/openssl/doc/ssleay.txt b/crypto/openssl/doc/ssleay.txt
index d44d2f04a022..c75312911f96 100644
--- a/crypto/openssl/doc/ssleay.txt
+++ b/crypto/openssl/doc/ssleay.txt
@@ -4295,7 +4295,7 @@ X-Status:
 Loading client certs into MSIE 3.01
 ===================================
 
-This document conatains all the information necessary to succesfully set up 
+This document contains all the information necessary to successfully set up 
 some scripts to issue client certs to Microsoft Internet Explorer. It 
 includes the required knowledge about the model MSIE uses for client 
 certification and includes complete sample scripts ready to play with. The 
diff --git a/crypto/openssl/doc/standards.txt b/crypto/openssl/doc/standards.txt
index edbe2f3a57de..f6675b574b6f 100644
--- a/crypto/openssl/doc/standards.txt
+++ b/crypto/openssl/doc/standards.txt
@@ -88,6 +88,10 @@ PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
      (Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status:           
      INFORMATIONAL)                                         
 
+3820 Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate
+     Profile. S. Tuecke, V. Welch, D. Engert, L. Pearlman, M. Thompson.
+     June 2004. (Format: TXT=86374 bytes) (Status: PROPOSED STANDARD)
+
 
 Related:
 --------
diff --git a/crypto/openssl/e_os.h b/crypto/openssl/e_os.h
index 3c7a4967d639..5068d1bd74fe 100644
--- a/crypto/openssl/e_os.h
+++ b/crypto/openssl/e_os.h
@@ -181,6 +181,19 @@ extern "C" {
 #define closesocket(s)		    close(s)
 #define readsocket(s,b,n)	    read((s),(b),(n))
 #define writesocket(s,b,n)	    write((s),(char *)(b),(n))
+#elif defined(OPENSSL_SYS_NETWARE)
+#if defined(NETWARE_BSDSOCK)
+#define get_last_socket_error() errno
+#define clear_socket_error()    errno=0
+#define closesocket(s)          close(s)
+#define readsocket(s,b,n)       recv((s),(b),(n),0)
+#define writesocket(s,b,n)      send((s),(b),(n),0)
+#else
+#define get_last_socket_error()	WSAGetLastError()
+#define clear_socket_error()	WSASetLastError(0)
+#define readsocket(s,b,n)		recv((s),(b),(n),0)
+#define writesocket(s,b,n)		send((s),(b),(n),0)
+#endif
 #else
 #define get_last_socket_error()	errno
 #define clear_socket_error()	errno=0
@@ -191,7 +204,6 @@ extern "C" {
 #endif
 
 #ifdef WIN16
-#  define OPENSSL_NO_FP_API
 #  define MS_CALLBACK	_far _loadds
 #  define MS_FAR	_far
 #else
@@ -200,6 +212,7 @@ extern "C" {
 #endif
 
 #ifdef OPENSSL_NO_STDIO
+#  undef OPENSSL_NO_FP_API
 #  define OPENSSL_NO_FP_API
 #endif
 
@@ -214,6 +227,8 @@ extern "C" {
 #    define _setmode setmode
 #    define _O_TEXT O_TEXT
 #    define _O_BINARY O_BINARY
+#    undef DEVRANDOM
+#    define DEVRANDOM "/dev/urandom\x24"
 #  endif /* __DJGPP__ */
 
 #  ifndef S_IFDIR
@@ -230,10 +245,37 @@ extern "C" {
 #  define NO_DIRENT
 
 #  ifdef WINDOWS
+#    if !defined(_WIN32_WCE) && !defined(_WIN32_WINNT)
+       /*
+	* Defining _WIN32_WINNT here in e_os.h implies certain "discipline."
+	* Most notably we ought to check for availability of each specific
+	* routine with GetProcAddress() and/or quard NT-specific calls with
+	* GetVersion() < 0x80000000. One can argue that in latter "or" case
+	* we ought to /DELAYLOAD some .DLLs in order to protect ourselves
+	* against run-time link errors. This doesn't seem to be necessary,
+	* because it turned out that already Windows 95, first non-NT Win32
+	* implementation, is equipped with at least NT 3.51 stubs, dummy
+	* routines with same name, but which do nothing. Meaning that it's
+	* apparently appropriate to guard generic NT calls with GetVersion
+	* alone, while NT 4.0 and above calls ought to be additionally
+	* checked upon with GetProcAddress.
+	*/
+#      define _WIN32_WINNT 0x0400
+#    endif
 #    include <windows.h>
 #    include <stddef.h>
 #    include <errno.h>
 #    include <string.h>
+#    ifdef _WIN64
+#      define strlen(s) _strlen31(s)
+/* cut strings to 2GB */
+static unsigned int _strlen31(const char *str)
+	{
+	unsigned int len=0;
+	while (*str && len<0x80000000U) str++, len++;
+	return len&0x7FFFFFFF;
+	}
+#    endif
 #    include <malloc.h>
 #  endif
 #  include <io.h>
@@ -321,6 +363,26 @@ extern "C" {
                                      __VMS_EXIT |= 0x10000000; \
 				     exit(__VMS_EXIT); } while(0)
 #    define NO_SYS_PARAM_H
+
+#  elif defined(OPENSSL_SYS_NETWARE)
+#    include <fcntl.h>
+#    include <unistd.h>
+#    define NO_SYS_TYPES_H
+#    undef  DEVRANDOM
+#    ifdef NETWARE_CLIB
+#      define getpid GetThreadID
+#    endif
+#    define NO_SYSLOG
+#    define _setmode setmode
+#    define _kbhit kbhit
+#    define _O_TEXT O_TEXT
+#    define _O_BINARY O_BINARY
+#    define OPENSSL_CONF   "openssl.cnf"
+#    define SSLEAY_CONF    OPENSSL_CONF
+#    define RFILE    ".rnd"
+#    define LIST_SEPARATOR_CHAR ';'
+#    define EXIT(n)  { if (n) printf("ERROR: %d\n", (int)n); exit(n); }
+
 #  else
      /* !defined VMS */
 #    ifdef OPENSSL_SYS_MPE
@@ -374,6 +436,15 @@ extern "C" {
 #    elif !defined(__DJGPP__)
 #      include <winsock.h>
 extern HINSTANCE _hInstance;
+#      ifdef _WIN64
+/*
+ * Even though sizeof(SOCKET) is 8, it's safe to cast it to int, because
+ * the value constitutes an index in per-process table of limited size
+ * and not a real pointer.
+ */
+#        define socket(d,t,p)	((int)socket(d,t,p))
+#        define accept(s,f,l)	((int)accept(s,f,l))
+#      endif
 #      define SSLeay_Write(a,b,c)	send((a),(b),(c),0)
 #      define SSLeay_Read(a,b,c)	recv((a),(b),(c),0)
 #      define SHUTDOWN(fd)		{ shutdown((fd),0); closesocket(fd); }
@@ -393,6 +464,23 @@ extern HINSTANCE _hInstance;
 #    define SHUTDOWN(fd)		MacSocket_close(fd)
 #    define SHUTDOWN2(fd)		MacSocket_close(fd)
 
+#  elif defined(OPENSSL_SYS_NETWARE)
+         /* NetWare uses the WinSock2 interfaces by default, but can be configured for BSD
+         */
+#      if defined(NETWARE_BSDSOCK)
+#        include <sys/socket.h>
+#        include <netinet/in.h>
+#        include <sys/time.h>
+#        include <sys/select.h>
+#        define INVALID_SOCKET (int)(~0)
+#      else
+#        include <novsock2.h>
+#      endif
+#      define SSLeay_Write(a,b,c)   send((a),(b),(c),0)
+#      define SSLeay_Read(a,b,c) recv((a),(b),(c),0)
+#      define SHUTDOWN(fd)    { shutdown((fd),0); closesocket(fd); }
+#      define SHUTDOWN2(fd)      { shutdown((fd),2); closesocket(fd); }
+
 #  else
 
 #    ifndef NO_SYS_PARAM_H
@@ -477,6 +565,9 @@ extern HINSTANCE _hInstance;
 extern char *sys_errlist[]; extern int sys_nerr;
 # define strerror(errnum) \
 	(((errnum)<0 || (errnum)>=sys_nerr) ? NULL : sys_errlist[errnum])
+  /* Being signed SunOS 4.x memcpy breaks ASN1_OBJECT table lookup */
+#include "crypto/o_str.h"
+# define memcmp OPENSSL_memcmp
 #endif
 
 #ifndef OPENSSL_EXIT
@@ -518,9 +609,13 @@ extern char *sys_errlist[]; extern int sys_nerr;
 #  include "o_str.h"
 #  define strcasecmp OPENSSL_strcasecmp
 #  define strncasecmp OPENSSL_strncasecmp
+#  define OPENSSL_IMPLEMENTS_strncasecmp
 #elif defined(OPENSSL_SYS_OS2) && defined(__EMX__)
 #  define strcasecmp stricmp
 #  define strncasecmp strnicmp
+#elif defined(OPENSSL_SYS_NETWARE) && defined(NETWARE_CLIB)
+#  define strcasecmp stricmp
+#  define strncasecmp strnicmp
 #else
 #  ifdef NO_STRINGS_H
     int	strcasecmp();
diff --git a/crypto/openssl/e_os2.h b/crypto/openssl/e_os2.h
index 4ca79a4d65d8..9da0b654481d 100644
--- a/crypto/openssl/e_os2.h
+++ b/crypto/openssl/e_os2.h
@@ -76,17 +76,20 @@ extern "C" {
 # define OPENSSL_SYS_MACINTOSH_CLASSIC
 #endif
 
+/* ----------------------- NetWare ----------------------------------------- */
+#if defined(NETWARE) || defined(OPENSSL_SYSNAME_NETWARE)
+# undef OPENSSL_SYS_UNIX
+# define OPENSSL_SYS_NETWARE
+#endif
+
 /* ---------------------- Microsoft operating systems ---------------------- */
 
-/* The 16 bit environments are pretty straightforward */
-#if defined(OPENSSL_SYSNAME_WIN16) || defined(OPENSSL_SYSNAME_MSDOS)
+/* Note that MSDOS actually denotes 32-bit environments running on top of
+   MS-DOS, such as DJGPP one. */
+#if defined(OPENSSL_SYSNAME_MSDOS)
 # undef OPENSSL_SYS_UNIX
 # define OPENSSL_SYS_MSDOS
 #endif
-#if defined(OPENSSL_SYSNAME_WIN16)
-# undef OPENSSL_SYS_UNIX
-# define OPENSSL_SYS_WIN16
-#endif
 
 /* For 32 bit environment, there seems to be the CygWin environment and then
    all the others that try to do the same thing Microsoft does... */
@@ -114,7 +117,7 @@ extern "C" {
 #endif
 
 /* Anything that tries to look like Microsoft is "Windows" */
-#if defined(OPENSSL_SYS_WIN16) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINNT) || defined(OPENSSL_SYS_WINCE)
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINNT) || defined(OPENSSL_SYS_WINCE)
 # undef OPENSSL_SYS_UNIX
 # define OPENSSL_SYS_WINDOWS
 # ifndef OPENSSL_SYS_MSDOS
@@ -237,8 +240,8 @@ extern "C" {
 # define OPENSSL_IMPORT globalref
 # define OPENSSL_GLOBAL globaldef
 #elif defined(OPENSSL_SYS_WINDOWS) && defined(OPENSSL_OPT_WINDLL)
-# define OPENSSL_EXPORT extern _declspec(dllexport)
-# define OPENSSL_IMPORT extern _declspec(dllimport)
+# define OPENSSL_EXPORT extern __declspec(dllexport)
+# define OPENSSL_IMPORT extern __declspec(dllimport)
 # define OPENSSL_GLOBAL
 #else
 # define OPENSSL_EXPORT extern
@@ -248,7 +251,7 @@ extern "C" {
 #define OPENSSL_EXTERN OPENSSL_IMPORT
 
 /* Macros to allow global variables to be reached through function calls when
-   required (if a shared library version requires it, for example.
+   required (if a shared library version requvres it, for example.
    The way it's done allows definitions like this:
 
 	// in foobar.c
diff --git a/crypto/openssl/engines/Makefile b/crypto/openssl/engines/Makefile
new file mode 100644
index 000000000000..88f8390d0ed6
--- /dev/null
+++ b/crypto/openssl/engines/Makefile
@@ -0,0 +1,249 @@
+#
+# OpenSSL/engines/Makefile
+#
+
+DIR=	engines
+TOP=	..
+CC=	cc
+INCLUDES= -I../include
+CFLAG=-g
+MAKEFILE=	Makefile
+AR=		ar r
+
+PEX_LIBS=
+EX_LIBS=
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile engines.com install.com engine_vector.mar
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBNAMES= 4758cca aep atalla cswift gmp chil nuron sureware ubsec
+
+LIBSRC=	e_4758cca.c \
+	e_aep.c \
+	e_atalla.c \
+	e_cswift.c \
+	e_gmp.c \
+	e_chil.c \
+	e_nuron.c \
+	e_sureware.c \
+	e_ubsec.c
+LIBOBJ= e_4758cca.o \
+	e_aep.o \
+	e_atalla.o \
+	e_cswift.o \
+	e_gmp.o \
+	e_chil.o \
+	e_nuron.o \
+	e_sureware.o \
+	e_ubsec.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= 
+HEADER=	e_4758cca_err.c e_4758cca_err.h \
+	e_aep_err.c e_aep_err.h \
+	e_atalla_err.c e_atalla_err.h \
+	e_cswift_err.c e_cswift_err.h \
+	e_gmp_err.c e_gmp_err.h \
+	e_chil_err.c e_chil_err.h \
+	e_nuron_err.c e_nuron_err.h \
+	e_sureware_err.c e_sureware_err.h \
+	e_ubsec_err.c e_ubsec_err.h
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ..; $(MAKE) DIRS=$(DIR) all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	@if [ -n "$(SHARED_LIBS)" ]; then \
+		set -e; \
+		for l in $(LIBNAMES); do \
+			$(MAKE) -f ../Makefile.shared -e \
+				LIBNAME=$$l LIBEXTRAS=e_$$l.o \
+				LIBDEPS='-L.. -lcrypto $(EX_LIBS)' \
+				link_o.$(SHLIB_TARGET); \
+		done; \
+	else \
+		$(AR) $(LIB) $(LIBOBJ); \
+		$(RANLIB) $(LIB) || echo Never mind.; \
+	fi; \
+	touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+links:
+
+# XXXXX This currently only works on systems that use .so as suffix
+# for shared libraries as well as for Cygwin which uses the
+# dlfcn_name_converter and therefore stores the engines with .so suffix, too.
+# XXXXX This was extended to HP-UX dl targets, which use .sl suffix.
+install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@if [ -n "$(SHARED_LIBS)" ]; then \
+		set -e; \
+		for l in $(LIBNAMES); do \
+			( echo installing $$l; \
+			  if [ "$(PLATFORM)" != "Cygwin" ]; then \
+				case "$(CFLAGS)" in \
+				*DSO_DLFCN*)	sfx="so";;	\
+				*DSO_DL*)	sfx="sl";;	\
+				*)		sfx="bad";;	\
+				esac; \
+				cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \
+			  else \
+			  	sfx="so"; \
+				cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \
+			  fi; \
+			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \
+			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx ); \
+		done; \
+	fi
+
+tags:
+	ctags $(SRC)
+
+errors:
+	set -e; for l in $(LIBNAMES); do \
+		$(PERL) ../util/mkerr.pl -conf e_$$l.ec \
+			-nostatic -staticloader -write e_$$l.c; \
+	done
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	@if [ -z "$(THIS)" ]; then \
+	    $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \
+	else \
+	    $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC); \
+	fi
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+e_4758cca.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+e_4758cca.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+e_4758cca.o: ../include/openssl/crypto.h ../include/openssl/dso.h
+e_4758cca.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+e_4758cca.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+e_4758cca.o: ../include/openssl/engine.h ../include/openssl/err.h
+e_4758cca.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+e_4758cca.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+e_4758cca.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+e_4758cca.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+e_4758cca.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+e_4758cca.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+e_4758cca.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+e_4758cca.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+e_4758cca.o: e_4758cca.c e_4758cca_err.c e_4758cca_err.h
+e_4758cca.o: vendor_defns/hw_4758_cca.h
+e_aep.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+e_aep.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+e_aep.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+e_aep.o: ../include/openssl/dsa.h ../include/openssl/dso.h
+e_aep.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+e_aep.o: ../include/openssl/err.h ../include/openssl/lhash.h
+e_aep.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+e_aep.o: ../include/openssl/ossl_typ.h ../include/openssl/rsa.h
+e_aep.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+e_aep.o: ../include/openssl/symhacks.h e_aep.c e_aep_err.c e_aep_err.h
+e_aep.o: vendor_defns/aep.h
+e_atalla.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+e_atalla.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+e_atalla.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+e_atalla.o: ../include/openssl/dsa.h ../include/openssl/dso.h
+e_atalla.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+e_atalla.o: ../include/openssl/err.h ../include/openssl/lhash.h
+e_atalla.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+e_atalla.o: ../include/openssl/ossl_typ.h ../include/openssl/rsa.h
+e_atalla.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+e_atalla.o: ../include/openssl/symhacks.h e_atalla.c e_atalla_err.c
+e_atalla.o: e_atalla_err.h vendor_defns/atalla.h
+e_chil.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+e_chil.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+e_chil.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+e_chil.o: ../include/openssl/dso.h ../include/openssl/e_os2.h
+e_chil.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+e_chil.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+e_chil.o: ../include/openssl/err.h ../include/openssl/evp.h
+e_chil.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+e_chil.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+e_chil.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+e_chil.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+e_chil.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+e_chil.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+e_chil.o: ../include/openssl/sha.h ../include/openssl/stack.h
+e_chil.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
+e_chil.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h e_chil.c
+e_chil.o: e_chil_err.c e_chil_err.h vendor_defns/hwcryptohook.h
+e_cswift.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+e_cswift.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+e_cswift.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+e_cswift.o: ../include/openssl/dsa.h ../include/openssl/dso.h
+e_cswift.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+e_cswift.o: ../include/openssl/err.h ../include/openssl/lhash.h
+e_cswift.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+e_cswift.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
+e_cswift.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+e_cswift.o: ../include/openssl/stack.h ../include/openssl/symhacks.h e_cswift.c
+e_cswift.o: e_cswift_err.c e_cswift_err.h vendor_defns/cswift.h
+e_gmp.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
+e_gmp.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+e_gmp.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+e_gmp.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+e_gmp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h e_gmp.c
+e_nuron.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+e_nuron.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+e_nuron.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+e_nuron.o: ../include/openssl/dsa.h ../include/openssl/dso.h
+e_nuron.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+e_nuron.o: ../include/openssl/err.h ../include/openssl/lhash.h
+e_nuron.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+e_nuron.o: ../include/openssl/ossl_typ.h ../include/openssl/rsa.h
+e_nuron.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+e_nuron.o: ../include/openssl/symhacks.h e_nuron.c e_nuron_err.c e_nuron_err.h
+e_sureware.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+e_sureware.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+e_sureware.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+e_sureware.o: ../include/openssl/dsa.h ../include/openssl/dso.h
+e_sureware.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+e_sureware.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+e_sureware.o: ../include/openssl/engine.h ../include/openssl/err.h
+e_sureware.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+e_sureware.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+e_sureware.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+e_sureware.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+e_sureware.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+e_sureware.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+e_sureware.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+e_sureware.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+e_sureware.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+e_sureware.o: e_sureware.c e_sureware_err.c e_sureware_err.h
+e_sureware.o: vendor_defns/sureware.h
+e_ubsec.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+e_ubsec.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+e_ubsec.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+e_ubsec.o: ../include/openssl/dsa.h ../include/openssl/dso.h
+e_ubsec.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+e_ubsec.o: ../include/openssl/err.h ../include/openssl/lhash.h
+e_ubsec.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+e_ubsec.o: ../include/openssl/ossl_typ.h ../include/openssl/rsa.h
+e_ubsec.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+e_ubsec.o: ../include/openssl/symhacks.h e_ubsec.c e_ubsec_err.c e_ubsec_err.h
+e_ubsec.o: vendor_defns/hw_ubsec.h
diff --git a/crypto/openssl/engines/axp.opt b/crypto/openssl/engines/axp.opt
new file mode 100644
index 000000000000..1dc71bf4b7e3
--- /dev/null
+++ b/crypto/openssl/engines/axp.opt
@@ -0,0 +1 @@
+SYMBOL_VECTOR=(bind_engine=PROCEDURE,v_check=PROCEDURE)
diff --git a/crypto/openssl/engines/e_4758cca.c b/crypto/openssl/engines/e_4758cca.c
new file mode 100644
index 000000000000..0f1dae7567a5
--- /dev/null
+++ b/crypto/openssl/engines/e_4758cca.c
@@ -0,0 +1,994 @@
+/* Author: Maurice Gittens <maurice@gittens.nl>                       */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+#include <openssl/objects.h>
+#include <openssl/engine.h>
+#include <openssl/rand.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#include <openssl/bn.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_4758_CCA
+
+#ifdef FLAT_INC
+#include "hw_4758_cca.h"
+#else
+#include "vendor_defns/hw_4758_cca.h"
+#endif
+
+#include "e_4758cca_err.c"
+
+static int ibm_4758_cca_destroy(ENGINE *e);
+static int ibm_4758_cca_init(ENGINE *e);
+static int ibm_4758_cca_finish(ENGINE *e);
+static int ibm_4758_cca_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
+
+/* rsa functions */
+/*---------------*/
+#ifndef OPENSSL_NO_RSA
+static int cca_rsa_pub_enc(int flen, const unsigned char *from,
+		unsigned char *to, RSA *rsa,int padding);
+static int cca_rsa_priv_dec(int flen, const unsigned char *from,
+		unsigned char *to, RSA *rsa,int padding);
+static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
+		unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
+static int cca_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
+		unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
+
+/* utility functions */
+/*-----------------------*/
+static EVP_PKEY *ibm_4758_load_privkey(ENGINE*, const char*,
+		UI_METHOD *ui_method, void *callback_data);
+static EVP_PKEY *ibm_4758_load_pubkey(ENGINE*, const char*,
+		UI_METHOD *ui_method, void *callback_data);
+
+static int getModulusAndExponent(const unsigned char *token, long *exponentLength,
+		unsigned char *exponent, long *modulusLength,
+		long *modulusFieldLength, unsigned char *modulus);
+#endif
+
+/* RAND number functions */
+/*-----------------------*/
+static int cca_get_random_bytes(unsigned char*, int );
+static int cca_random_status(void);
+
+#ifndef OPENSSL_NO_RSA
+static void cca_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+		int idx,long argl, void *argp);
+#endif
+
+/* Function pointers for CCA verbs */
+/*---------------------------------*/
+#ifndef OPENSSL_NO_RSA
+static F_KEYRECORDREAD keyRecordRead;
+static F_DIGITALSIGNATUREGENERATE digitalSignatureGenerate;
+static F_DIGITALSIGNATUREVERIFY digitalSignatureVerify;
+static F_PUBLICKEYEXTRACT publicKeyExtract;
+static F_PKAENCRYPT pkaEncrypt;
+static F_PKADECRYPT pkaDecrypt;
+#endif
+static F_RANDOMNUMBERGENERATE randomNumberGenerate;
+
+/* static variables */
+/*------------------*/
+static const char *CCA4758_LIB_NAME = NULL;
+static const char *get_CCA4758_LIB_NAME(void)
+	{
+	if(CCA4758_LIB_NAME)
+		return CCA4758_LIB_NAME;
+	return CCA_LIB_NAME;
+	}
+static void free_CCA4758_LIB_NAME(void)
+	{
+	if(CCA4758_LIB_NAME)
+		OPENSSL_free((void*)CCA4758_LIB_NAME);
+	CCA4758_LIB_NAME = NULL;
+	}
+static long set_CCA4758_LIB_NAME(const char *name)
+	{
+	free_CCA4758_LIB_NAME();
+	return (((CCA4758_LIB_NAME = BUF_strdup(name)) != NULL) ? 1 : 0);
+	}
+#ifndef OPENSSL_NO_RSA
+static const char* n_keyRecordRead = CSNDKRR;
+static const char* n_digitalSignatureGenerate = CSNDDSG;
+static const char* n_digitalSignatureVerify = CSNDDSV;
+static const char* n_publicKeyExtract = CSNDPKX;
+static const char* n_pkaEncrypt = CSNDPKE;
+static const char* n_pkaDecrypt = CSNDPKD;
+#endif
+static const char* n_randomNumberGenerate = CSNBRNG;
+
+#ifndef OPENSSL_NO_RSA
+static int hndidx = -1;
+#endif
+static DSO *dso = NULL;
+
+/* openssl engine initialization structures */
+/*------------------------------------------*/
+
+#define CCA4758_CMD_SO_PATH		ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN	cca4758_cmd_defns[] = {
+	{CCA4758_CMD_SO_PATH,
+		"SO_PATH",
+		"Specifies the path to the '4758cca' shared library",
+		ENGINE_CMD_FLAG_STRING},
+	{0, NULL, NULL, 0}
+	};
+
+#ifndef OPENSSL_NO_RSA
+static RSA_METHOD ibm_4758_cca_rsa =
+	{
+	"IBM 4758 CCA RSA method",
+	cca_rsa_pub_enc,
+	NULL,
+	NULL,
+	cca_rsa_priv_dec,
+	NULL, /*rsa_mod_exp,*/
+	NULL, /*mod_exp_mont,*/
+	NULL, /* init */
+	NULL, /* finish */
+	RSA_FLAG_SIGN_VER,	  /* flags */
+	NULL, /* app_data */
+	cca_rsa_sign, /* rsa_sign */
+	cca_rsa_verify, /* rsa_verify */
+	NULL /* rsa_keygen */
+	};
+#endif
+
+static RAND_METHOD ibm_4758_cca_rand =
+	{
+	/* "IBM 4758 RAND method", */
+	NULL, /* seed */
+	cca_get_random_bytes, /* get random bytes from the card */
+	NULL, /* cleanup */
+	NULL, /* add */
+	cca_get_random_bytes, /* pseudo rand */
+	cca_random_status, /* status */
+	};
+
+static const char *engine_4758_cca_id = "4758cca";
+static const char *engine_4758_cca_name = "IBM 4758 CCA hardware engine support";
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE 
+/* Compatibility hack, the dynamic library uses this form in the path */
+static const char *engine_4758_cca_id_alt = "4758_cca";
+#endif
+
+/* engine implementation */
+/*-----------------------*/
+static int bind_helper(ENGINE *e)
+	{
+	if(!ENGINE_set_id(e, engine_4758_cca_id) ||
+			!ENGINE_set_name(e, engine_4758_cca_name) ||
+#ifndef OPENSSL_NO_RSA
+			!ENGINE_set_RSA(e, &ibm_4758_cca_rsa) ||
+#endif
+			!ENGINE_set_RAND(e, &ibm_4758_cca_rand) ||
+			!ENGINE_set_destroy_function(e, ibm_4758_cca_destroy) ||
+			!ENGINE_set_init_function(e, ibm_4758_cca_init) ||
+			!ENGINE_set_finish_function(e, ibm_4758_cca_finish) ||
+			!ENGINE_set_ctrl_function(e, ibm_4758_cca_ctrl) ||
+#ifndef OPENSSL_NO_RSA
+			!ENGINE_set_load_privkey_function(e, ibm_4758_load_privkey) ||
+			!ENGINE_set_load_pubkey_function(e, ibm_4758_load_pubkey) ||
+#endif
+			!ENGINE_set_cmd_defns(e, cca4758_cmd_defns))
+		return 0;
+	/* Ensure the error handling is set up */
+	ERR_load_CCA4758_strings();
+	return 1;
+	}
+
+#ifdef OPENSSL_NO_DYNAMIC_ENGINE
+static ENGINE *engine_4758_cca(void)
+	{
+	ENGINE *ret = ENGINE_new();
+	if(!ret)
+		return NULL;
+	if(!bind_helper(ret))
+		{
+		ENGINE_free(ret);
+		return NULL;
+		}
+	return ret;
+	}
+
+void ENGINE_load_4758cca(void)
+	{
+	ENGINE *e_4758 = engine_4758_cca();
+	if (!e_4758) return;
+	ENGINE_add(e_4758);
+	ENGINE_free(e_4758);
+	ERR_clear_error();   
+	}
+#endif
+
+static int ibm_4758_cca_destroy(ENGINE *e)
+	{
+	ERR_unload_CCA4758_strings();
+	free_CCA4758_LIB_NAME();
+	return 1;
+	}
+
+static int ibm_4758_cca_init(ENGINE *e)
+	{
+	if(dso)
+		{
+		CCA4758err(CCA4758_F_IBM_4758_CCA_INIT,CCA4758_R_ALREADY_LOADED);
+		goto err;
+		}
+
+	dso = DSO_load(NULL, get_CCA4758_LIB_NAME(), NULL, 0);
+	if(!dso)
+		{
+		CCA4758err(CCA4758_F_IBM_4758_CCA_INIT,CCA4758_R_DSO_FAILURE);
+		goto err;
+		}
+
+#ifndef OPENSSL_NO_RSA
+	if(!(keyRecordRead = (F_KEYRECORDREAD)
+				DSO_bind_func(dso, n_keyRecordRead)) ||
+			!(randomNumberGenerate = (F_RANDOMNUMBERGENERATE)
+				DSO_bind_func(dso, n_randomNumberGenerate)) ||
+			!(digitalSignatureGenerate = (F_DIGITALSIGNATUREGENERATE)
+				DSO_bind_func(dso, n_digitalSignatureGenerate)) ||
+			!(digitalSignatureVerify = (F_DIGITALSIGNATUREVERIFY)
+				DSO_bind_func(dso, n_digitalSignatureVerify)) ||
+			!(publicKeyExtract = (F_PUBLICKEYEXTRACT)
+				DSO_bind_func(dso, n_publicKeyExtract)) ||
+			!(pkaEncrypt = (F_PKAENCRYPT)
+				DSO_bind_func(dso, n_pkaEncrypt)) ||
+			!(pkaDecrypt = (F_PKADECRYPT)
+				DSO_bind_func(dso, n_pkaDecrypt)))
+		{
+		CCA4758err(CCA4758_F_IBM_4758_CCA_INIT,CCA4758_R_DSO_FAILURE);
+		goto err;
+		}
+#else
+	if(!(randomNumberGenerate = (F_RANDOMNUMBERGENERATE)
+				DSO_bind_func(dso, n_randomNumberGenerate)))
+		{
+		CCA4758err(CCA4758_F_IBM_4758_CCA_INIT,CCA4758_R_DSO_FAILURE);
+		goto err;
+		}
+#endif
+
+#ifndef OPENSSL_NO_RSA
+	hndidx = RSA_get_ex_new_index(0, "IBM 4758 CCA RSA key handle",
+		NULL, NULL, cca_ex_free);
+#endif
+
+	return 1;
+err:
+	if(dso)
+		DSO_free(dso);
+	dso = NULL;
+
+#ifndef OPENSSL_NO_RSA
+	keyRecordRead = (F_KEYRECORDREAD)0;
+	digitalSignatureGenerate = (F_DIGITALSIGNATUREGENERATE)0;
+	digitalSignatureVerify = (F_DIGITALSIGNATUREVERIFY)0;
+	publicKeyExtract = (F_PUBLICKEYEXTRACT)0;
+	pkaEncrypt = (F_PKAENCRYPT)0;
+	pkaDecrypt = (F_PKADECRYPT)0;
+#endif
+	randomNumberGenerate = (F_RANDOMNUMBERGENERATE)0;
+	return 0;
+	}
+
+static int ibm_4758_cca_finish(ENGINE *e)
+	{
+	free_CCA4758_LIB_NAME();
+	if(!dso)
+		{
+		CCA4758err(CCA4758_F_IBM_4758_CCA_FINISH,
+				CCA4758_R_NOT_LOADED);
+		return 0;
+		}
+	if(!DSO_free(dso))
+		{
+		CCA4758err(CCA4758_F_IBM_4758_CCA_FINISH,
+				CCA4758_R_UNIT_FAILURE);
+		return 0;
+		}
+	dso = NULL;
+#ifndef OPENSSL_NO_RSA
+	keyRecordRead = (F_KEYRECORDREAD)0;
+	randomNumberGenerate = (F_RANDOMNUMBERGENERATE)0;
+	digitalSignatureGenerate = (F_DIGITALSIGNATUREGENERATE)0;
+	digitalSignatureVerify = (F_DIGITALSIGNATUREVERIFY)0;
+	publicKeyExtract = (F_PUBLICKEYEXTRACT)0;
+	pkaEncrypt = (F_PKAENCRYPT)0;
+	pkaDecrypt = (F_PKADECRYPT)0;
+#endif
+	randomNumberGenerate = (F_RANDOMNUMBERGENERATE)0;
+	return 1;
+	}
+
+static int ibm_4758_cca_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
+	{
+	int initialised = ((dso == NULL) ? 0 : 1);
+	switch(cmd)
+		{
+	case CCA4758_CMD_SO_PATH:
+		if(p == NULL)
+			{
+			CCA4758err(CCA4758_F_IBM_4758_CCA_CTRL,
+					ERR_R_PASSED_NULL_PARAMETER);
+			return 0;
+			}
+		if(initialised)
+			{
+			CCA4758err(CCA4758_F_IBM_4758_CCA_CTRL,
+					CCA4758_R_ALREADY_LOADED);
+			return 0;
+			}
+		return set_CCA4758_LIB_NAME((const char *)p);
+	default:
+		break;
+		}
+	CCA4758err(CCA4758_F_IBM_4758_CCA_CTRL,
+			CCA4758_R_COMMAND_NOT_IMPLEMENTED);
+	return 0;
+	}
+
+#ifndef OPENSSL_NO_RSA
+
+#define MAX_CCA_PKA_TOKEN_SIZE 2500
+
+static EVP_PKEY *ibm_4758_load_privkey(ENGINE* e, const char* key_id,
+			UI_METHOD *ui_method, void *callback_data)
+	{
+	RSA *rtmp = NULL;
+	EVP_PKEY *res = NULL;
+	unsigned char* keyToken = NULL;
+	unsigned char pubKeyToken[MAX_CCA_PKA_TOKEN_SIZE];
+	long pubKeyTokenLength = MAX_CCA_PKA_TOKEN_SIZE;
+	long keyTokenLength = MAX_CCA_PKA_TOKEN_SIZE;
+	long returnCode;
+	long reasonCode;
+	long exitDataLength = 0;
+	long ruleArrayLength = 0;
+	unsigned char exitData[8];
+	unsigned char ruleArray[8];
+	unsigned char keyLabel[64];
+	unsigned long keyLabelLength = strlen(key_id);
+	unsigned char modulus[256];
+	long modulusFieldLength = sizeof(modulus);
+	long modulusLength = 0;
+	unsigned char exponent[256];
+	long exponentLength = sizeof(exponent);
+
+	if (keyLabelLength > sizeof(keyLabel))
+		{
+		CCA4758err(CCA4758_F_IBM_4758_LOAD_PRIVKEY,
+		CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+		return NULL;
+		}
+
+	memset(keyLabel,' ', sizeof(keyLabel));
+	memcpy(keyLabel, key_id, keyLabelLength);
+
+	keyToken = OPENSSL_malloc(MAX_CCA_PKA_TOKEN_SIZE + sizeof(long));
+	if (!keyToken)
+		{
+		CCA4758err(CCA4758_F_IBM_4758_LOAD_PRIVKEY,
+				ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	keyRecordRead(&returnCode, &reasonCode, &exitDataLength,
+		exitData, &ruleArrayLength, ruleArray, keyLabel,
+		&keyTokenLength, keyToken+sizeof(long));
+
+	if (returnCode)
+		{
+		CCA4758err(CCA4758_F_IBM_4758_LOAD_PRIVKEY,
+			CCA4758_R_FAILED_LOADING_PRIVATE_KEY);
+		goto err;
+		}
+
+	publicKeyExtract(&returnCode, &reasonCode, &exitDataLength,
+		exitData, &ruleArrayLength, ruleArray, &keyTokenLength,
+		keyToken+sizeof(long), &pubKeyTokenLength, pubKeyToken);
+
+	if (returnCode)
+		{
+		CCA4758err(CCA4758_F_IBM_4758_LOAD_PRIVKEY,
+			CCA4758_R_FAILED_LOADING_PRIVATE_KEY);
+		goto err;
+		}
+
+	if (!getModulusAndExponent(pubKeyToken, &exponentLength,
+			exponent, &modulusLength, &modulusFieldLength,
+			modulus))
+		{
+		CCA4758err(CCA4758_F_IBM_4758_LOAD_PRIVKEY,
+			CCA4758_R_FAILED_LOADING_PRIVATE_KEY);
+		goto err;
+		}
+
+	(*(long*)keyToken) = keyTokenLength;
+	rtmp = RSA_new_method(e);
+	RSA_set_ex_data(rtmp, hndidx, (char *)keyToken);
+
+	rtmp->e = BN_bin2bn(exponent, exponentLength, NULL);
+	rtmp->n = BN_bin2bn(modulus, modulusFieldLength, NULL);
+	rtmp->flags |= RSA_FLAG_EXT_PKEY;
+
+	res = EVP_PKEY_new();
+	EVP_PKEY_assign_RSA(res, rtmp);
+
+	return res;
+err:
+	if (keyToken)
+		OPENSSL_free(keyToken);
+	if (res)
+		EVP_PKEY_free(res);
+	if (rtmp)
+		RSA_free(rtmp);
+	return NULL;
+	}
+
+static EVP_PKEY *ibm_4758_load_pubkey(ENGINE* e, const char* key_id,
+			UI_METHOD *ui_method, void *callback_data)
+	{
+	RSA *rtmp = NULL;
+	EVP_PKEY *res = NULL;
+	unsigned char* keyToken = NULL;
+	long keyTokenLength = MAX_CCA_PKA_TOKEN_SIZE;
+	long returnCode;
+	long reasonCode;
+	long exitDataLength = 0;
+	long ruleArrayLength = 0;
+	unsigned char exitData[8];
+	unsigned char ruleArray[8];
+	unsigned char keyLabel[64];
+	unsigned long keyLabelLength = strlen(key_id);
+	unsigned char modulus[512];
+	long modulusFieldLength = sizeof(modulus);
+	long modulusLength = 0;
+	unsigned char exponent[512];
+	long exponentLength = sizeof(exponent);
+
+	if (keyLabelLength > sizeof(keyLabel))
+		{
+		CCA4758err(CCA4758_F_IBM_4758_LOAD_PUBKEY,
+			CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+		return NULL;
+		}
+
+	memset(keyLabel,' ', sizeof(keyLabel));
+	memcpy(keyLabel, key_id, keyLabelLength);
+
+	keyToken = OPENSSL_malloc(MAX_CCA_PKA_TOKEN_SIZE + sizeof(long));
+	if (!keyToken)
+		{
+		CCA4758err(CCA4758_F_IBM_4758_LOAD_PUBKEY,
+				ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	keyRecordRead(&returnCode, &reasonCode, &exitDataLength, exitData,
+		&ruleArrayLength, ruleArray, keyLabel, &keyTokenLength,
+		keyToken+sizeof(long));
+
+	if (returnCode)
+		{
+		CCA4758err(CCA4758_F_IBM_4758_LOAD_PUBKEY,
+				ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	if (!getModulusAndExponent(keyToken+sizeof(long), &exponentLength,
+			exponent, &modulusLength, &modulusFieldLength, modulus))
+		{
+		CCA4758err(CCA4758_F_IBM_4758_LOAD_PUBKEY,
+			CCA4758_R_FAILED_LOADING_PUBLIC_KEY);
+		goto err;
+		}
+
+	(*(long*)keyToken) = keyTokenLength;
+	rtmp = RSA_new_method(e);
+	RSA_set_ex_data(rtmp, hndidx, (char *)keyToken);
+	rtmp->e = BN_bin2bn(exponent, exponentLength, NULL);
+	rtmp->n = BN_bin2bn(modulus, modulusFieldLength, NULL);
+	rtmp->flags |= RSA_FLAG_EXT_PKEY;
+	res = EVP_PKEY_new();
+	EVP_PKEY_assign_RSA(res, rtmp);
+
+	return res;
+err:
+	if (keyToken)
+		OPENSSL_free(keyToken);
+	if (res)
+		EVP_PKEY_free(res);
+	if (rtmp)
+		RSA_free(rtmp);
+	return NULL;
+	}
+
+static int cca_rsa_pub_enc(int flen, const unsigned char *from,
+			unsigned char *to, RSA *rsa,int padding)
+	{
+	long returnCode;
+	long reasonCode;
+	long lflen = flen;
+	long exitDataLength = 0;
+	unsigned char exitData[8];
+	long ruleArrayLength = 1;
+	unsigned char ruleArray[8] = "PKCS-1.2";
+	long dataStructureLength = 0;
+	unsigned char dataStructure[8];
+	long outputLength = RSA_size(rsa);
+	long keyTokenLength;
+	unsigned char* keyToken = (unsigned char*)RSA_get_ex_data(rsa, hndidx);
+
+	keyTokenLength = *(long*)keyToken;
+	keyToken+=sizeof(long);
+
+	pkaEncrypt(&returnCode, &reasonCode, &exitDataLength, exitData,
+		&ruleArrayLength, ruleArray, &lflen, (unsigned char*)from,
+		&dataStructureLength, dataStructure, &keyTokenLength,
+		keyToken, &outputLength, to);
+
+	if (returnCode || reasonCode)
+		return -(returnCode << 16 | reasonCode);
+	return outputLength;
+	}
+
+static int cca_rsa_priv_dec(int flen, const unsigned char *from,
+			unsigned char *to, RSA *rsa,int padding)
+	{
+	long returnCode;
+	long reasonCode;
+	long lflen = flen;
+	long exitDataLength = 0;
+	unsigned char exitData[8];
+	long ruleArrayLength = 1;
+	unsigned char ruleArray[8] = "PKCS-1.2";
+	long dataStructureLength = 0;
+	unsigned char dataStructure[8];
+	long outputLength = RSA_size(rsa);
+	long keyTokenLength;
+	unsigned char* keyToken = (unsigned char*)RSA_get_ex_data(rsa, hndidx);
+
+	keyTokenLength = *(long*)keyToken;
+	keyToken+=sizeof(long);
+
+	pkaDecrypt(&returnCode, &reasonCode, &exitDataLength, exitData,
+		&ruleArrayLength, ruleArray, &lflen, (unsigned char*)from,
+		&dataStructureLength, dataStructure, &keyTokenLength,
+		keyToken, &outputLength, to);
+
+	return (returnCode | reasonCode) ? 0 : 1;
+	}
+
+#define SSL_SIG_LEN 36
+
+static int cca_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
+		unsigned char *sigbuf, unsigned int siglen, const RSA *rsa)
+	{
+	long returnCode;
+	long reasonCode;
+	long lsiglen = siglen;
+	long exitDataLength = 0;
+	unsigned char exitData[8];
+	long ruleArrayLength = 1;
+	unsigned char ruleArray[8] = "PKCS-1.1";
+	long keyTokenLength;
+	unsigned char* keyToken = (unsigned char*)RSA_get_ex_data(rsa, hndidx);
+	long length = SSL_SIG_LEN;
+	long keyLength ;
+	unsigned char *hashBuffer = NULL;
+	X509_SIG sig;
+	ASN1_TYPE parameter;
+	X509_ALGOR algorithm;
+	ASN1_OCTET_STRING digest;
+
+	keyTokenLength = *(long*)keyToken;
+	keyToken+=sizeof(long);
+
+	if (type == NID_md5 || type == NID_sha1)
+		{
+		sig.algor = &algorithm;
+		algorithm.algorithm = OBJ_nid2obj(type);
+
+		if (!algorithm.algorithm)
+			{
+			CCA4758err(CCA4758_F_CCA_RSA_VERIFY,
+				CCA4758_R_UNKNOWN_ALGORITHM_TYPE);
+			return 0;
+			}
+
+		if (!algorithm.algorithm->length)
+			{
+			CCA4758err(CCA4758_F_CCA_RSA_VERIFY,
+				CCA4758_R_ASN1_OID_UNKNOWN_FOR_MD);
+			return 0;
+			}
+
+		parameter.type = V_ASN1_NULL;
+		parameter.value.ptr = NULL;
+		algorithm.parameter = &parameter;
+
+		sig.digest = &digest;
+		sig.digest->data = (unsigned char*)m;
+		sig.digest->length = m_len;
+
+		length = i2d_X509_SIG(&sig, NULL);
+		}
+
+	keyLength = RSA_size(rsa);
+
+	if (length - RSA_PKCS1_PADDING > keyLength)
+		{
+		CCA4758err(CCA4758_F_CCA_RSA_VERIFY,
+			CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+		return 0;
+		}
+
+	switch (type)
+		{
+		case NID_md5_sha1 :
+			if (m_len != SSL_SIG_LEN)
+				{
+				CCA4758err(CCA4758_F_CCA_RSA_VERIFY,
+				CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+				return 0;
+				}
+
+			hashBuffer = (unsigned char *)m;
+			length = m_len;
+			break;
+		case NID_md5 :
+			{
+			unsigned char *ptr;
+			ptr = hashBuffer = OPENSSL_malloc(
+					(unsigned int)keyLength+1);
+			if (!hashBuffer)
+				{
+				CCA4758err(CCA4758_F_CCA_RSA_VERIFY,
+						ERR_R_MALLOC_FAILURE);
+				return 0;
+				}
+
+			i2d_X509_SIG(&sig, &ptr);
+			}
+			break;
+		case NID_sha1 :
+			{
+			unsigned char *ptr;
+			ptr = hashBuffer = OPENSSL_malloc(
+					(unsigned int)keyLength+1);
+			if (!hashBuffer)
+				{
+				CCA4758err(CCA4758_F_CCA_RSA_VERIFY,
+						ERR_R_MALLOC_FAILURE);
+				return 0;
+				}
+			i2d_X509_SIG(&sig, &ptr);
+			}
+			break;
+		default:
+			return 0;
+		}
+
+	digitalSignatureVerify(&returnCode, &reasonCode, &exitDataLength,
+		exitData, &ruleArrayLength, ruleArray, &keyTokenLength,
+		keyToken, &length, hashBuffer, &lsiglen, sigbuf);
+
+	if (type == NID_sha1 || type == NID_md5)
+		{
+		OPENSSL_cleanse(hashBuffer, keyLength+1);
+		OPENSSL_free(hashBuffer);
+		}
+
+	return ((returnCode || reasonCode) ? 0 : 1);
+	}
+
+#define SSL_SIG_LEN 36
+
+static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
+		unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
+	{
+	long returnCode;
+	long reasonCode;
+	long exitDataLength = 0;
+	unsigned char exitData[8];
+	long ruleArrayLength = 1;
+	unsigned char ruleArray[8] = "PKCS-1.1";
+	long outputLength=256;
+	long outputBitLength;
+	long keyTokenLength;
+	unsigned char *hashBuffer = NULL;
+	unsigned char* keyToken = (unsigned char*)RSA_get_ex_data(rsa, hndidx);
+	long length = SSL_SIG_LEN;
+	long keyLength ;
+	X509_SIG sig;
+	ASN1_TYPE parameter;
+	X509_ALGOR algorithm;
+	ASN1_OCTET_STRING digest;
+
+	keyTokenLength = *(long*)keyToken;
+	keyToken+=sizeof(long);
+
+	if (type == NID_md5 || type == NID_sha1)
+		{
+		sig.algor = &algorithm;
+		algorithm.algorithm = OBJ_nid2obj(type);
+
+		if (!algorithm.algorithm)
+			{
+			CCA4758err(CCA4758_F_CCA_RSA_SIGN,
+				CCA4758_R_UNKNOWN_ALGORITHM_TYPE);
+			return 0;
+			}
+
+		if (!algorithm.algorithm->length)
+			{
+			CCA4758err(CCA4758_F_CCA_RSA_SIGN,
+				CCA4758_R_ASN1_OID_UNKNOWN_FOR_MD);
+			return 0;
+			}
+
+		parameter.type = V_ASN1_NULL;
+		parameter.value.ptr = NULL;
+		algorithm.parameter = &parameter;
+
+		sig.digest = &digest;
+		sig.digest->data = (unsigned char*)m;
+		sig.digest->length = m_len;
+
+		length = i2d_X509_SIG(&sig, NULL);
+		}
+
+	keyLength = RSA_size(rsa);
+
+	if (length - RSA_PKCS1_PADDING > keyLength)
+		{
+		CCA4758err(CCA4758_F_CCA_RSA_SIGN,
+			CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+		return 0;
+		}
+
+	switch (type)
+		{
+		case NID_md5_sha1 :
+			if (m_len != SSL_SIG_LEN)
+				{
+				CCA4758err(CCA4758_F_CCA_RSA_SIGN,
+				CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+				return 0;
+				}
+			hashBuffer = (unsigned char*)m;
+			length = m_len;
+			break;
+		case NID_md5 :
+			{
+			unsigned char *ptr;
+			ptr = hashBuffer = OPENSSL_malloc(
+					(unsigned int)keyLength+1);
+			if (!hashBuffer)
+				{
+				CCA4758err(CCA4758_F_CCA_RSA_SIGN,
+						ERR_R_MALLOC_FAILURE);
+				return 0;
+				}
+			i2d_X509_SIG(&sig, &ptr);
+			}
+			break;
+		case NID_sha1 :
+			{
+			unsigned char *ptr;
+			ptr = hashBuffer = OPENSSL_malloc(
+					(unsigned int)keyLength+1);
+			if (!hashBuffer)
+				{
+				CCA4758err(CCA4758_F_CCA_RSA_SIGN,
+						ERR_R_MALLOC_FAILURE);
+				return 0;
+				}
+			i2d_X509_SIG(&sig, &ptr);
+			}
+			break;
+		default:
+			return 0;
+		}
+
+	digitalSignatureGenerate(&returnCode, &reasonCode, &exitDataLength,
+		exitData, &ruleArrayLength, ruleArray, &keyTokenLength,
+		keyToken, &length, hashBuffer, &outputLength, &outputBitLength,
+		sigret);
+
+	if (type == NID_sha1 || type == NID_md5)
+		{
+		OPENSSL_cleanse(hashBuffer, keyLength+1);
+		OPENSSL_free(hashBuffer);
+		}
+
+	*siglen = outputLength;
+
+	return ((returnCode || reasonCode) ? 0 : 1);
+	}
+
+static int getModulusAndExponent(const unsigned char*token, long *exponentLength,
+		unsigned char *exponent, long *modulusLength, long *modulusFieldLength,
+		unsigned char *modulus)
+	{
+	unsigned long len;
+
+	if (*token++ != (char)0x1E) /* internal PKA token? */
+		return 0;
+
+	if (*token++) /* token version must be zero */
+		return 0;
+
+	len = *token++;
+	len = len << 8;
+	len |= (unsigned char)*token++;
+
+	token += 4; /* skip reserved bytes */
+
+	if (*token++ == (char)0x04)
+		{
+		if (*token++) /* token version must be zero */
+			return 0;
+
+		len = *token++;
+		len = len << 8;
+		len |= (unsigned char)*token++;
+
+		token+=2; /* skip reserved section */
+
+		len = *token++;
+		len = len << 8;
+		len |= (unsigned char)*token++;
+
+		*exponentLength = len;
+
+		len = *token++;
+		len = len << 8;
+		len |= (unsigned char)*token++;
+
+		*modulusLength = len;
+
+		len = *token++;
+		len = len << 8;
+		len |= (unsigned char)*token++;
+
+		*modulusFieldLength = len;
+
+		memcpy(exponent, token, *exponentLength);
+		token+= *exponentLength;
+
+		memcpy(modulus, token, *modulusFieldLength);
+		return 1;
+		}
+	return 0;
+	}
+
+#endif /* OPENSSL_NO_RSA */
+
+static int cca_random_status(void)
+	{
+	return 1;
+	}
+
+static int cca_get_random_bytes(unsigned char* buf, int num)
+	{
+	long ret_code;
+	long reason_code;
+	long exit_data_length;
+	unsigned char exit_data[4];
+	unsigned char form[] = "RANDOM  ";
+	unsigned char rand_buf[8];
+
+	while(num >= (int)sizeof(rand_buf))
+		{
+		randomNumberGenerate(&ret_code, &reason_code, &exit_data_length,
+			exit_data, form, rand_buf);
+		if (ret_code)
+			return 0;
+		num -= sizeof(rand_buf);
+		memcpy(buf, rand_buf, sizeof(rand_buf));
+		buf += sizeof(rand_buf);
+		}
+
+	if (num)
+		{
+		randomNumberGenerate(&ret_code, &reason_code, NULL, NULL,
+			form, rand_buf);
+		if (ret_code)
+			return 0;
+		memcpy(buf, rand_buf, num);
+		}
+
+	return 1;
+	}
+
+#ifndef OPENSSL_NO_RSA
+static void cca_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad, int idx,
+		long argl, void *argp)
+	{
+	if (item)
+		OPENSSL_free(item);
+	}
+#endif
+
+/* Goo to handle building as a dynamic engine */
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE 
+static int bind_fn(ENGINE *e, const char *id)
+	{
+	if(id && (strcmp(id, engine_4758_cca_id) != 0) &&
+			(strcmp(id, engine_4758_cca_id_alt) != 0))
+		return 0;
+	if(!bind_helper(e))
+		return 0;
+	return 1;
+	}       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* OPENSSL_NO_DYNAMIC_ENGINE */
+
+#endif /* !OPENSSL_NO_HW_4758_CCA */
+#endif /* !OPENSSL_NO_HW */
diff --git a/crypto/openssl/engines/e_4758cca.ec b/crypto/openssl/engines/e_4758cca.ec
new file mode 100644
index 000000000000..f30ed02c05e8
--- /dev/null
+++ b/crypto/openssl/engines/e_4758cca.ec
@@ -0,0 +1 @@
+L CCA4758	e_4758cca_err.h		e_4758cca_err.c
diff --git a/crypto/openssl/engines/e_4758cca_err.c b/crypto/openssl/engines/e_4758cca_err.c
new file mode 100644
index 000000000000..6ecdc6e62781
--- /dev/null
+++ b/crypto/openssl/engines/e_4758cca_err.c
@@ -0,0 +1,153 @@
+/* e_4758cca_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "e_4758cca_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(0,func,0)
+#define ERR_REASON(reason) ERR_PACK(0,0,reason)
+
+static ERR_STRING_DATA CCA4758_str_functs[]=
+	{
+{ERR_FUNC(CCA4758_F_CCA_RSA_SIGN),	"CCA_RSA_SIGN"},
+{ERR_FUNC(CCA4758_F_CCA_RSA_VERIFY),	"CCA_RSA_VERIFY"},
+{ERR_FUNC(CCA4758_F_IBM_4758_CCA_CTRL),	"IBM_4758_CCA_CTRL"},
+{ERR_FUNC(CCA4758_F_IBM_4758_CCA_FINISH),	"IBM_4758_CCA_FINISH"},
+{ERR_FUNC(CCA4758_F_IBM_4758_CCA_INIT),	"IBM_4758_CCA_INIT"},
+{ERR_FUNC(CCA4758_F_IBM_4758_LOAD_PRIVKEY),	"IBM_4758_LOAD_PRIVKEY"},
+{ERR_FUNC(CCA4758_F_IBM_4758_LOAD_PUBKEY),	"IBM_4758_LOAD_PUBKEY"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA CCA4758_str_reasons[]=
+	{
+{ERR_REASON(CCA4758_R_ALREADY_LOADED)    ,"already loaded"},
+{ERR_REASON(CCA4758_R_ASN1_OID_UNKNOWN_FOR_MD),"asn1 oid unknown for md"},
+{ERR_REASON(CCA4758_R_COMMAND_NOT_IMPLEMENTED),"command not implemented"},
+{ERR_REASON(CCA4758_R_DSO_FAILURE)       ,"dso failure"},
+{ERR_REASON(CCA4758_R_FAILED_LOADING_PRIVATE_KEY),"failed loading private key"},
+{ERR_REASON(CCA4758_R_FAILED_LOADING_PUBLIC_KEY),"failed loading public key"},
+{ERR_REASON(CCA4758_R_NOT_LOADED)        ,"not loaded"},
+{ERR_REASON(CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL),"size too large or too small"},
+{ERR_REASON(CCA4758_R_UNIT_FAILURE)      ,"unit failure"},
+{ERR_REASON(CCA4758_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"},
+{0,NULL}
+	};
+
+#endif
+
+#ifdef CCA4758_LIB_NAME
+static ERR_STRING_DATA CCA4758_lib_name[]=
+        {
+{0	,CCA4758_LIB_NAME},
+{0,NULL}
+	};
+#endif
+
+
+static int CCA4758_lib_error_code=0;
+static int CCA4758_error_init=1;
+
+static void ERR_load_CCA4758_strings(void)
+	{
+	if (CCA4758_lib_error_code == 0)
+		CCA4758_lib_error_code=ERR_get_next_error_library();
+
+	if (CCA4758_error_init)
+		{
+		CCA4758_error_init=0;
+#ifndef OPENSSL_NO_ERR
+		ERR_load_strings(CCA4758_lib_error_code,CCA4758_str_functs);
+		ERR_load_strings(CCA4758_lib_error_code,CCA4758_str_reasons);
+#endif
+
+#ifdef CCA4758_LIB_NAME
+		CCA4758_lib_name->error = ERR_PACK(CCA4758_lib_error_code,0,0);
+		ERR_load_strings(0,CCA4758_lib_name);
+#endif
+		}
+	}
+
+static void ERR_unload_CCA4758_strings(void)
+	{
+	if (CCA4758_error_init == 0)
+		{
+#ifndef OPENSSL_NO_ERR
+		ERR_unload_strings(CCA4758_lib_error_code,CCA4758_str_functs);
+		ERR_unload_strings(CCA4758_lib_error_code,CCA4758_str_reasons);
+#endif
+
+#ifdef CCA4758_LIB_NAME
+		ERR_unload_strings(0,CCA4758_lib_name);
+#endif
+		CCA4758_error_init=1;
+		}
+	}
+
+static void ERR_CCA4758_error(int function, int reason, char *file, int line)
+	{
+	if (CCA4758_lib_error_code == 0)
+		CCA4758_lib_error_code=ERR_get_next_error_library();
+	ERR_PUT_error(CCA4758_lib_error_code,function,reason,file,line);
+	}
diff --git a/crypto/openssl/engines/e_4758cca_err.h b/crypto/openssl/engines/e_4758cca_err.h
new file mode 100644
index 000000000000..3d4276be91b3
--- /dev/null
+++ b/crypto/openssl/engines/e_4758cca_err.h
@@ -0,0 +1,93 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_CCA4758_ERR_H
+#define HEADER_CCA4758_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_CCA4758_strings(void);
+static void ERR_unload_CCA4758_strings(void);
+static void ERR_CCA4758_error(int function, int reason, char *file, int line);
+#define CCA4758err(f,r) ERR_CCA4758_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the CCA4758 functions. */
+
+/* Function codes. */
+#define CCA4758_F_CCA_RSA_SIGN				 105
+#define CCA4758_F_CCA_RSA_VERIFY			 106
+#define CCA4758_F_IBM_4758_CCA_CTRL			 100
+#define CCA4758_F_IBM_4758_CCA_FINISH			 101
+#define CCA4758_F_IBM_4758_CCA_INIT			 102
+#define CCA4758_F_IBM_4758_LOAD_PRIVKEY			 103
+#define CCA4758_F_IBM_4758_LOAD_PUBKEY			 104
+
+/* Reason codes. */
+#define CCA4758_R_ALREADY_LOADED			 100
+#define CCA4758_R_ASN1_OID_UNKNOWN_FOR_MD		 101
+#define CCA4758_R_COMMAND_NOT_IMPLEMENTED		 102
+#define CCA4758_R_DSO_FAILURE				 103
+#define CCA4758_R_FAILED_LOADING_PRIVATE_KEY		 104
+#define CCA4758_R_FAILED_LOADING_PUBLIC_KEY		 105
+#define CCA4758_R_NOT_LOADED				 106
+#define CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL		 107
+#define CCA4758_R_UNIT_FAILURE				 108
+#define CCA4758_R_UNKNOWN_ALGORITHM_TYPE		 109
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/crypto/openssl/engines/e_aep.c b/crypto/openssl/engines/e_aep.c
new file mode 100644
index 000000000000..7307ddfafb5b
--- /dev/null
+++ b/crypto/openssl/engines/e_aep.c
@@ -0,0 +1,1137 @@
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/bn.h>
+#include <string.h>
+
+#include <openssl/e_os2.h>
+#if !defined(OPENSSL_SYS_MSDOS) || defined(__DJGPP__)
+#include <sys/types.h>
+#include <unistd.h>
+#else
+#include <process.h>
+typedef int pid_t;
+#endif
+
+#include <openssl/crypto.h>
+#include <openssl/dso.h>
+#include <openssl/engine.h>
+#include <openssl/buffer.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/bn.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_AEP
+#ifdef FLAT_INC
+#include "aep.h"
+#else
+#include "vendor_defns/aep.h"
+#endif
+
+#define AEP_LIB_NAME "aep engine"
+#define FAIL_TO_SW 0x10101010
+
+#include "e_aep_err.c"
+
+static int aep_init(ENGINE *e);
+static int aep_finish(ENGINE *e);
+static int aep_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
+static int aep_destroy(ENGINE *e);
+
+static AEP_RV aep_get_connection(AEP_CONNECTION_HNDL_PTR hConnection);
+static AEP_RV aep_return_connection(AEP_CONNECTION_HNDL hConnection);
+static AEP_RV aep_close_connection(AEP_CONNECTION_HNDL hConnection);
+static AEP_RV aep_close_all_connections(int use_engine_lock, int *in_use);
+
+/* BIGNUM stuff */
+#ifndef OPENSSL_NO_RSA
+static int aep_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+	const BIGNUM *m, BN_CTX *ctx);
+
+static AEP_RV aep_mod_exp_crt(BIGNUM *r,const  BIGNUM *a, const BIGNUM *p,
+	const BIGNUM *q, const BIGNUM *dmp1,const BIGNUM *dmq1,
+	const BIGNUM *iqmp, BN_CTX *ctx);
+#endif
+
+/* RSA stuff */
+#ifndef OPENSSL_NO_RSA
+static int aep_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
+#endif
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+#ifndef OPENSSL_NO_RSA
+static int aep_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+	const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
+
+/* DSA stuff */
+#ifndef OPENSSL_NO_DSA
+static int aep_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+	BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+	BN_CTX *ctx, BN_MONT_CTX *in_mont);
+
+static int aep_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+	const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+	BN_MONT_CTX *m_ctx);
+#endif
+
+/* DH stuff */
+/* This function is aliased to mod_exp (with the DH and mont dropped). */
+#ifndef OPENSSL_NO_DH
+static int aep_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+	const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
+
+/* rand stuff   */
+#ifdef AEPRAND
+static int aep_rand(unsigned char *buf, int num);
+static int aep_rand_status(void);
+#endif
+
+/* Bignum conversion stuff */
+static AEP_RV GetBigNumSize(AEP_VOID_PTR ArbBigNum, AEP_U32* BigNumSize);
+static AEP_RV MakeAEPBigNum(AEP_VOID_PTR ArbBigNum, AEP_U32 BigNumSize,
+	unsigned char* AEP_BigNum);
+static AEP_RV ConvertAEPBigNum(void* ArbBigNum, AEP_U32 BigNumSize,
+	unsigned char* AEP_BigNum);
+
+/* The definitions for control commands specific to this engine */
+#define AEP_CMD_SO_PATH		ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN aep_cmd_defns[] =
+	{
+	{ AEP_CMD_SO_PATH,
+	  "SO_PATH",
+	  "Specifies the path to the 'aep' shared library",
+	  ENGINE_CMD_FLAG_STRING
+	},
+	{0, NULL, NULL, 0}
+	};
+
+#ifndef OPENSSL_NO_RSA
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD aep_rsa =
+	{
+	"Aep RSA method",
+	NULL,                /*rsa_pub_encrypt*/
+	NULL,                /*rsa_pub_decrypt*/
+	NULL,                /*rsa_priv_encrypt*/
+	NULL,                /*rsa_priv_encrypt*/
+	aep_rsa_mod_exp,     /*rsa_mod_exp*/
+	aep_mod_exp_mont,    /*bn_mod_exp*/
+	NULL,                /*init*/
+	NULL,                /*finish*/
+	0,                   /*flags*/
+	NULL,                /*app_data*/
+	NULL,                /*rsa_sign*/
+	NULL,                /*rsa_verify*/
+	NULL                 /*rsa_keygen*/
+	};
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* Our internal DSA_METHOD that we provide pointers to */
+static DSA_METHOD aep_dsa =
+	{
+	"Aep DSA method",
+	NULL,                /* dsa_do_sign */
+	NULL,                /* dsa_sign_setup */
+	NULL,                /* dsa_do_verify */
+	aep_dsa_mod_exp,     /* dsa_mod_exp */
+	aep_mod_exp_dsa,     /* bn_mod_exp */
+	NULL,                /* init */
+	NULL,                /* finish */
+	0,                   /* flags */
+	NULL,                /* app_data */
+	NULL,                /* dsa_paramgen */
+	NULL                 /* dsa_keygen */
+	};
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD aep_dh =
+	{
+	"Aep DH method",
+	NULL,
+	NULL,
+	aep_mod_exp_dh,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	NULL
+	};
+#endif
+
+#ifdef AEPRAND
+/* our internal RAND_method that we provide pointers to  */
+static RAND_METHOD aep_random =
+	{
+	/*"AEP RAND method", */
+	NULL,
+	aep_rand,
+	NULL,
+	NULL,
+	aep_rand,
+	aep_rand_status,
+	};
+#endif
+
+/*Define an array of structures to hold connections*/
+static AEP_CONNECTION_ENTRY aep_app_conn_table[MAX_PROCESS_CONNECTIONS];
+
+/*Used to determine if this is a new process*/
+static pid_t    recorded_pid = 0;
+
+#ifdef AEPRAND
+static AEP_U8   rand_block[RAND_BLK_SIZE];
+static AEP_U32  rand_block_bytes = 0;
+#endif
+
+/* Constants used when creating the ENGINE */
+static const char *engine_aep_id = "aep";
+static const char *engine_aep_name = "Aep hardware engine support";
+
+static int max_key_len = 2176;
+
+
+/* This internal function is used by ENGINE_aep() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_aep(ENGINE *e)
+	{
+#ifndef OPENSSL_NO_RSA
+	const RSA_METHOD  *meth1;
+#endif
+#ifndef OPENSSL_NO_DSA
+	const DSA_METHOD  *meth2;
+#endif
+#ifndef OPENSSL_NO_DH
+	const DH_METHOD	  *meth3;
+#endif
+
+	if(!ENGINE_set_id(e, engine_aep_id) ||
+		!ENGINE_set_name(e, engine_aep_name) ||
+#ifndef OPENSSL_NO_RSA
+		!ENGINE_set_RSA(e, &aep_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+		!ENGINE_set_DSA(e, &aep_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+		!ENGINE_set_DH(e, &aep_dh) ||
+#endif
+#ifdef AEPRAND
+		!ENGINE_set_RAND(e, &aep_random) ||
+#endif
+		!ENGINE_set_init_function(e, aep_init) ||
+		!ENGINE_set_destroy_function(e, aep_destroy) ||
+		!ENGINE_set_finish_function(e, aep_finish) ||
+		!ENGINE_set_ctrl_function(e, aep_ctrl) ||
+		!ENGINE_set_cmd_defns(e, aep_cmd_defns))
+		return 0;
+
+#ifndef OPENSSL_NO_RSA
+	/* We know that the "PKCS1_SSLeay()" functions hook properly
+	 * to the aep-specific mod_exp and mod_exp_crt so we use
+	 * those functions. NB: We don't use ENGINE_openssl() or
+	 * anything "more generic" because something like the RSAref
+	 * code may not hook properly, and if you own one of these
+	 * cards then you have the right to do RSA operations on it
+	 * anyway! */
+	meth1 = RSA_PKCS1_SSLeay();
+	aep_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+	aep_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+	aep_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+	aep_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
+
+
+#ifndef OPENSSL_NO_DSA
+	/* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
+	 * bits. */
+	meth2 = DSA_OpenSSL();
+	aep_dsa.dsa_do_sign    = meth2->dsa_do_sign;
+	aep_dsa.dsa_sign_setup = meth2->dsa_sign_setup;
+	aep_dsa.dsa_do_verify  = meth2->dsa_do_verify;
+
+	aep_dsa = *DSA_get_default_method(); 
+	aep_dsa.dsa_mod_exp = aep_dsa_mod_exp; 
+	aep_dsa.bn_mod_exp = aep_mod_exp_dsa;
+#endif
+
+#ifndef OPENSSL_NO_DH
+	/* Much the same for Diffie-Hellman */
+	meth3 = DH_OpenSSL();
+	aep_dh.generate_key = meth3->generate_key;
+	aep_dh.compute_key  = meth3->compute_key;
+	aep_dh.bn_mod_exp   = meth3->bn_mod_exp;
+#endif
+
+	/* Ensure the aep error handling is set up */
+	ERR_load_AEPHK_strings();
+
+	return 1;
+}
+
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+static int bind_helper(ENGINE *e, const char *id)
+	{
+	if(id && (strcmp(id, engine_aep_id) != 0))
+		return 0;
+	if(!bind_aep(e))
+		return 0;
+	return 1;
+	}       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
+#else
+static ENGINE *engine_aep(void)
+	{
+	ENGINE *ret = ENGINE_new();
+	if(!ret)
+		return NULL;
+	if(!bind_aep(ret))
+		{
+		ENGINE_free(ret);
+		return NULL;
+		}
+	return ret;
+	}
+
+void ENGINE_load_aep(void)
+	{
+	/* Copied from eng_[openssl|dyn].c */
+	ENGINE *toadd = engine_aep();
+	if(!toadd) return;
+	ENGINE_add(toadd);
+	ENGINE_free(toadd);
+	ERR_clear_error();
+	}
+#endif
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the Aep library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *aep_dso = NULL;
+
+/* These are the static string constants for the DSO file name and the function
+ * symbol names to bind to. 
+*/
+static const char *AEP_LIBNAME = NULL;
+static const char *get_AEP_LIBNAME(void)
+	{
+	if(AEP_LIBNAME)
+		return AEP_LIBNAME;
+	return "aep";
+	}
+static void free_AEP_LIBNAME(void)
+	{
+	if(AEP_LIBNAME)
+		OPENSSL_free((void*)AEP_LIBNAME);
+	AEP_LIBNAME = NULL;
+	}
+static long set_AEP_LIBNAME(const char *name)
+	{
+	free_AEP_LIBNAME();
+	return ((AEP_LIBNAME = BUF_strdup(name)) != NULL ? 1 : 0);
+	}
+
+static const char *AEP_F1    = "AEP_ModExp";
+static const char *AEP_F2    = "AEP_ModExpCrt";
+#ifdef AEPRAND
+static const char *AEP_F3    = "AEP_GenRandom";
+#endif
+static const char *AEP_F4    = "AEP_Finalize";
+static const char *AEP_F5    = "AEP_Initialize";
+static const char *AEP_F6    = "AEP_OpenConnection";
+static const char *AEP_F7    = "AEP_SetBNCallBacks";
+static const char *AEP_F8    = "AEP_CloseConnection";
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+static t_AEP_OpenConnection    *p_AEP_OpenConnection  = NULL;
+static t_AEP_CloseConnection   *p_AEP_CloseConnection = NULL;
+static t_AEP_ModExp            *p_AEP_ModExp          = NULL;
+static t_AEP_ModExpCrt         *p_AEP_ModExpCrt       = NULL;
+#ifdef AEPRAND
+static t_AEP_GenRandom         *p_AEP_GenRandom       = NULL;
+#endif
+static t_AEP_Initialize        *p_AEP_Initialize      = NULL;
+static t_AEP_Finalize          *p_AEP_Finalize        = NULL;
+static t_AEP_SetBNCallBacks    *p_AEP_SetBNCallBacks  = NULL;
+
+/* (de)initialisation functions. */
+static int aep_init(ENGINE *e)
+	{
+	t_AEP_ModExp          *p1;
+	t_AEP_ModExpCrt       *p2;
+#ifdef AEPRAND
+	t_AEP_GenRandom       *p3;
+#endif
+	t_AEP_Finalize        *p4;
+	t_AEP_Initialize      *p5;
+	t_AEP_OpenConnection  *p6;
+	t_AEP_SetBNCallBacks  *p7;
+	t_AEP_CloseConnection *p8;
+
+	int to_return = 0;
+ 
+	if(aep_dso != NULL)
+		{
+		AEPHKerr(AEPHK_F_AEP_INIT,AEPHK_R_ALREADY_LOADED);
+		goto err;
+		}
+	/* Attempt to load libaep.so. */
+
+	aep_dso = DSO_load(NULL, get_AEP_LIBNAME(), NULL, 0);
+  
+	if(aep_dso == NULL)
+		{
+		AEPHKerr(AEPHK_F_AEP_INIT,AEPHK_R_NOT_LOADED);
+		goto err;
+		}
+
+	if(	!(p1 = (t_AEP_ModExp *)     DSO_bind_func( aep_dso,AEP_F1))  ||
+		!(p2 = (t_AEP_ModExpCrt*)   DSO_bind_func( aep_dso,AEP_F2))  ||
+#ifdef AEPRAND
+		!(p3 = (t_AEP_GenRandom*)   DSO_bind_func( aep_dso,AEP_F3))  ||
+#endif
+		!(p4 = (t_AEP_Finalize*)    DSO_bind_func( aep_dso,AEP_F4))  ||
+		!(p5 = (t_AEP_Initialize*)  DSO_bind_func( aep_dso,AEP_F5))  ||
+		!(p6 = (t_AEP_OpenConnection*) DSO_bind_func( aep_dso,AEP_F6))  ||
+		!(p7 = (t_AEP_SetBNCallBacks*) DSO_bind_func( aep_dso,AEP_F7))  ||
+		!(p8 = (t_AEP_CloseConnection*) DSO_bind_func( aep_dso,AEP_F8)))
+		{
+		AEPHKerr(AEPHK_F_AEP_INIT,AEPHK_R_NOT_LOADED);
+		goto err;
+		}
+
+	/* Copy the pointers */
+  
+	p_AEP_ModExp           = p1;
+	p_AEP_ModExpCrt        = p2;
+#ifdef AEPRAND
+	p_AEP_GenRandom        = p3;
+#endif
+	p_AEP_Finalize         = p4;
+	p_AEP_Initialize       = p5;
+	p_AEP_OpenConnection   = p6;
+	p_AEP_SetBNCallBacks   = p7;
+	p_AEP_CloseConnection  = p8;
+ 
+	to_return = 1;
+ 
+	return to_return;
+
+ err: 
+
+	if(aep_dso)
+		DSO_free(aep_dso);
+	aep_dso = NULL;
+		
+	p_AEP_OpenConnection    = NULL;
+	p_AEP_ModExp            = NULL;
+	p_AEP_ModExpCrt         = NULL;
+#ifdef AEPRAND
+	p_AEP_GenRandom         = NULL;
+#endif
+	p_AEP_Initialize        = NULL;
+	p_AEP_Finalize          = NULL;
+	p_AEP_SetBNCallBacks    = NULL;
+	p_AEP_CloseConnection   = NULL;
+
+	return to_return;
+	}
+
+/* Destructor (complements the "ENGINE_aep()" constructor) */
+static int aep_destroy(ENGINE *e)
+	{
+	free_AEP_LIBNAME();
+	ERR_unload_AEPHK_strings();
+	return 1;
+	}
+
+static int aep_finish(ENGINE *e)
+	{
+	int to_return = 0, in_use;
+	AEP_RV rv;
+
+	if(aep_dso == NULL)
+		{
+		AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_NOT_LOADED);
+		goto err;
+		}
+
+	rv = aep_close_all_connections(0, &in_use);
+	if (rv != AEP_R_OK)
+		{
+		AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_CLOSE_HANDLES_FAILED);
+		goto err;
+		}
+	if (in_use)
+		{
+		AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_CONNECTIONS_IN_USE);
+		goto err;
+		}
+
+	rv = p_AEP_Finalize();
+	if (rv != AEP_R_OK)
+		{
+		AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_FINALIZE_FAILED);
+		goto err;
+		}
+
+	if(!DSO_free(aep_dso))
+		{
+		AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_UNIT_FAILURE);
+		goto err;
+		}
+
+	aep_dso = NULL;
+	p_AEP_CloseConnection   = NULL;
+	p_AEP_OpenConnection    = NULL;
+	p_AEP_ModExp            = NULL;
+	p_AEP_ModExpCrt         = NULL;
+#ifdef AEPRAND
+	p_AEP_GenRandom         = NULL;
+#endif
+	p_AEP_Initialize        = NULL;
+	p_AEP_Finalize          = NULL;
+	p_AEP_SetBNCallBacks    = NULL;
+
+	to_return = 1;
+ err:
+	return to_return;
+	}
+
+static int aep_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
+	{
+	int initialised = ((aep_dso == NULL) ? 0 : 1);
+	switch(cmd)
+		{
+	case AEP_CMD_SO_PATH:
+		if(p == NULL)
+			{
+			AEPHKerr(AEPHK_F_AEP_CTRL,
+				ERR_R_PASSED_NULL_PARAMETER);
+			return 0;
+			}
+		if(initialised)
+			{
+			AEPHKerr(AEPHK_F_AEP_CTRL,
+				AEPHK_R_ALREADY_LOADED);
+			return 0;
+			}
+		return set_AEP_LIBNAME((const char*)p);
+	default:
+		break;
+		}
+	AEPHKerr(AEPHK_F_AEP_CTRL,AEPHK_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+	return 0;
+	}
+
+static int aep_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+	const BIGNUM *m, BN_CTX *ctx)
+	{
+	int to_return = 0;
+	int 	r_len = 0;
+	AEP_CONNECTION_HNDL hConnection;
+	AEP_RV rv;
+	
+	r_len = BN_num_bits(m);
+
+	/* Perform in software if modulus is too large for hardware. */
+
+	if (r_len > max_key_len){
+		AEPHKerr(AEPHK_F_AEP_MOD_EXP, AEPHK_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+		return BN_mod_exp(r, a, p, m, ctx);
+	} 
+
+	/*Grab a connection from the pool*/
+	rv = aep_get_connection(&hConnection);
+	if (rv != AEP_R_OK)
+		{     
+		AEPHKerr(AEPHK_F_AEP_MOD_EXP,AEPHK_R_GET_HANDLE_FAILED);
+		return BN_mod_exp(r, a, p, m, ctx);
+		}
+
+	/*To the card with the mod exp*/
+	rv = p_AEP_ModExp(hConnection,(void*)a, (void*)p,(void*)m, (void*)r,NULL);
+
+	if (rv !=  AEP_R_OK)
+		{
+		AEPHKerr(AEPHK_F_AEP_MOD_EXP,AEPHK_R_MOD_EXP_FAILED);
+		rv = aep_close_connection(hConnection);
+		return BN_mod_exp(r, a, p, m, ctx);
+		}
+
+	/*Return the connection to the pool*/
+	rv = aep_return_connection(hConnection);
+	if (rv != AEP_R_OK)
+		{
+		AEPHKerr(AEPHK_F_AEP_MOD_EXP,AEPHK_R_RETURN_CONNECTION_FAILED); 
+		goto err;
+		}
+
+	to_return = 1;
+ err:
+	return to_return;
+	}
+	
+#ifndef OPENSSL_NO_RSA
+static AEP_RV aep_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+	const BIGNUM *q, const BIGNUM *dmp1,
+	const BIGNUM *dmq1,const BIGNUM *iqmp, BN_CTX *ctx)
+	{
+	AEP_RV rv = AEP_R_OK;
+	AEP_CONNECTION_HNDL hConnection;
+
+	/*Grab a connection from the pool*/
+	rv = aep_get_connection(&hConnection);
+	if (rv != AEP_R_OK)
+		{
+		AEPHKerr(AEPHK_F_AEP_MOD_EXP_CRT,AEPHK_R_GET_HANDLE_FAILED);
+		return FAIL_TO_SW;
+		}
+
+	/*To the card with the mod exp*/
+	rv = p_AEP_ModExpCrt(hConnection,(void*)a, (void*)p, (void*)q, (void*)dmp1,(void*)dmq1,
+		(void*)iqmp,(void*)r,NULL);
+	if (rv != AEP_R_OK)
+		{
+		AEPHKerr(AEPHK_F_AEP_MOD_EXP_CRT,AEPHK_R_MOD_EXP_CRT_FAILED);
+		rv = aep_close_connection(hConnection);
+		return FAIL_TO_SW;
+		}
+
+	/*Return the connection to the pool*/
+	rv = aep_return_connection(hConnection);
+	if (rv != AEP_R_OK)
+		{
+		AEPHKerr(AEPHK_F_AEP_MOD_EXP_CRT,AEPHK_R_RETURN_CONNECTION_FAILED); 
+		goto err;
+		}
+ 
+ err:
+	return rv;
+	}
+#endif
+	
+
+#ifdef AEPRAND
+static int aep_rand(unsigned char *buf,int len )
+	{
+	AEP_RV rv = AEP_R_OK;
+	AEP_CONNECTION_HNDL hConnection;
+
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+
+	/*Can the request be serviced with what's already in the buffer?*/
+	if (len <= rand_block_bytes)
+		{
+		memcpy(buf, &rand_block[RAND_BLK_SIZE - rand_block_bytes], len);
+		rand_block_bytes -= len;
+		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+		}
+	else
+		/*If not the get another block of random bytes*/
+		{
+		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
+		rv = aep_get_connection(&hConnection);
+		if (rv !=  AEP_R_OK)
+			{ 
+			AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_GET_HANDLE_FAILED);             
+			goto err_nounlock;
+			}
+
+		if (len > RAND_BLK_SIZE)
+			{
+			rv = p_AEP_GenRandom(hConnection, len, 2, buf, NULL);
+			if (rv !=  AEP_R_OK)
+				{  
+				AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_GET_RANDOM_FAILED); 
+				goto err_nounlock;
+				}
+			}
+		else
+			{
+			CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+
+			rv = p_AEP_GenRandom(hConnection, RAND_BLK_SIZE, 2, &rand_block[0], NULL);
+			if (rv !=  AEP_R_OK)
+				{       
+				AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_GET_RANDOM_FAILED); 
+	      
+				goto err;
+				}
+
+			rand_block_bytes = RAND_BLK_SIZE;
+
+			memcpy(buf, &rand_block[RAND_BLK_SIZE - rand_block_bytes], len);
+			rand_block_bytes -= len;
+
+			CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+			}
+
+		rv = aep_return_connection(hConnection);
+		if (rv != AEP_R_OK)
+			{
+			AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_RETURN_CONNECTION_FAILED); 
+	  
+			goto err_nounlock;
+			}
+		}
+  
+	return 1;
+ err:
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ err_nounlock:
+	return 0;
+	}
+	
+static int aep_rand_status(void)
+{
+	return 1;
+}
+#endif
+
+#ifndef OPENSSL_NO_RSA
+static int aep_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+	{
+	int to_return = 0;
+	AEP_RV rv = AEP_R_OK;
+
+	if (!aep_dso)
+		{
+		AEPHKerr(AEPHK_F_AEP_RSA_MOD_EXP,AEPHK_R_NOT_LOADED);
+		goto err;
+		}
+
+	/*See if we have all the necessary bits for a crt*/
+	if (rsa->q && rsa->dmp1 && rsa->dmq1 && rsa->iqmp)
+		{
+		rv =  aep_mod_exp_crt(r0,I,rsa->p,rsa->q, rsa->dmp1,rsa->dmq1,rsa->iqmp,ctx);
+
+		if (rv == FAIL_TO_SW){
+			const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+			to_return = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
+			goto err;
+		}
+		else if (rv != AEP_R_OK)
+			goto err;
+		}
+	else
+		{
+		if (!rsa->d || !rsa->n)
+			{
+			AEPHKerr(AEPHK_F_AEP_RSA_MOD_EXP,AEPHK_R_MISSING_KEY_COMPONENTS);
+			goto err;
+			}
+ 
+		rv = aep_mod_exp(r0,I,rsa->d,rsa->n,ctx);
+		if  (rv != AEP_R_OK)
+			goto err;
+	
+		}
+
+	to_return = 1;
+
+ err:
+	return to_return;
+}
+#endif
+
+#ifndef OPENSSL_NO_DSA
+static int aep_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+	BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+	BN_CTX *ctx, BN_MONT_CTX *in_mont)
+	{
+	BIGNUM t;
+	int to_return = 0;
+	BN_init(&t);
+
+	/* let rr = a1 ^ p1 mod m */
+	if (!aep_mod_exp(rr,a1,p1,m,ctx)) goto end;
+	/* let t = a2 ^ p2 mod m */
+	if (!aep_mod_exp(&t,a2,p2,m,ctx)) goto end;
+	/* let rr = rr * t mod m */
+	if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end;
+	to_return = 1;
+ end: 
+	BN_free(&t);
+	return to_return;
+	}
+
+static int aep_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+	const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+	BN_MONT_CTX *m_ctx)
+	{  
+	return aep_mod_exp(r, a, p, m, ctx); 
+	}
+#endif
+
+#ifndef OPENSSL_NO_RSA
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int aep_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+	const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	return aep_mod_exp(r, a, p, m, ctx);
+	}
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int aep_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+	const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+	BN_MONT_CTX *m_ctx)
+	{
+	return aep_mod_exp(r, a, p, m, ctx);
+	}
+#endif
+
+static AEP_RV aep_get_connection(AEP_CONNECTION_HNDL_PTR phConnection)
+	{
+	int count;
+	AEP_RV rv = AEP_R_OK;
+
+	/*Get the current process id*/
+	pid_t curr_pid;
+
+	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+
+#ifndef NETWARE_CLIB
+	curr_pid = getpid();
+#else
+	curr_pid = GetThreadID();
+#endif
+
+	/*Check if this is the first time this is being called from the current
+	  process*/
+	if (recorded_pid != curr_pid)
+		{
+		/*Remember our pid so we can check if we're in a new process*/
+		recorded_pid = curr_pid;
+
+		/*Call Finalize to make sure we have not inherited some data
+		  from a parent process*/
+		p_AEP_Finalize();
+     
+		/*Initialise the AEP API*/
+		rv = p_AEP_Initialize(NULL);
+
+		if (rv != AEP_R_OK)
+			{
+			AEPHKerr(AEPHK_F_AEP_GET_CONNECTION,AEPHK_R_INIT_FAILURE);
+			recorded_pid = 0;
+			goto end;
+			}
+
+		/*Set the AEP big num call back functions*/
+		rv = p_AEP_SetBNCallBacks(&GetBigNumSize, &MakeAEPBigNum,
+			&ConvertAEPBigNum);
+
+		if (rv != AEP_R_OK)
+			{
+			AEPHKerr(AEPHK_F_AEP_GET_CONNECTION,AEPHK_R_SETBNCALLBACK_FAILURE);
+			recorded_pid = 0;
+			goto end;
+			}
+
+#ifdef AEPRAND
+		/*Reset the rand byte count*/
+		rand_block_bytes = 0;
+#endif
+
+		/*Init the structures*/
+		for (count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+			{
+			aep_app_conn_table[count].conn_state = NotConnected;
+			aep_app_conn_table[count].conn_hndl  = 0;
+			}
+
+		/*Open a connection*/
+		rv = p_AEP_OpenConnection(phConnection);
+
+		if (rv != AEP_R_OK)
+			{
+			AEPHKerr(AEPHK_F_AEP_GET_CONNECTION,AEPHK_R_UNIT_FAILURE);
+			recorded_pid = 0;
+			goto end;
+			}
+
+		aep_app_conn_table[0].conn_state = InUse;
+		aep_app_conn_table[0].conn_hndl = *phConnection;
+		goto end;
+		}
+	/*Check the existing connections to see if we can find a free one*/
+	for (count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+		{
+		if (aep_app_conn_table[count].conn_state == Connected)
+			{
+			aep_app_conn_table[count].conn_state = InUse;
+			*phConnection = aep_app_conn_table[count].conn_hndl;
+			goto end;
+			}
+		}
+	/*If no connections available, we're going to have to try
+	  to open a new one*/
+	for (count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+		{
+		if (aep_app_conn_table[count].conn_state == NotConnected)
+			{
+			/*Open a connection*/
+			rv = p_AEP_OpenConnection(phConnection);
+
+			if (rv != AEP_R_OK)
+				{	      
+				AEPHKerr(AEPHK_F_AEP_GET_CONNECTION,AEPHK_R_UNIT_FAILURE);
+				goto end;
+				}
+
+			aep_app_conn_table[count].conn_state = InUse;
+			aep_app_conn_table[count].conn_hndl = *phConnection;
+			goto end;
+			}
+		}
+	rv = AEP_R_GENERAL_ERROR;
+ end:
+	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+	return rv;
+	}
+
+
+static AEP_RV aep_return_connection(AEP_CONNECTION_HNDL hConnection)
+	{
+	int count;
+
+	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+
+	/*Find the connection item that matches this connection handle*/
+	for(count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+		{
+		if (aep_app_conn_table[count].conn_hndl == hConnection)
+			{
+			aep_app_conn_table[count].conn_state = Connected;
+			break;
+			}
+		}
+
+	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+
+	return AEP_R_OK;
+	}
+
+static AEP_RV aep_close_connection(AEP_CONNECTION_HNDL hConnection)
+	{
+	int count;
+	AEP_RV rv = AEP_R_OK;
+
+	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+
+	/*Find the connection item that matches this connection handle*/
+	for(count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+		{
+		if (aep_app_conn_table[count].conn_hndl == hConnection)
+			{
+			rv = p_AEP_CloseConnection(aep_app_conn_table[count].conn_hndl);
+			if (rv != AEP_R_OK)
+				goto end;
+			aep_app_conn_table[count].conn_state = NotConnected;
+			aep_app_conn_table[count].conn_hndl  = 0;
+			break;
+			}
+		}
+
+ end:
+	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+	return rv;
+	}
+
+static AEP_RV aep_close_all_connections(int use_engine_lock, int *in_use)
+	{
+	int count;
+	AEP_RV rv = AEP_R_OK;
+
+	*in_use = 0;
+	if (use_engine_lock) CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+	for (count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+		{
+		switch (aep_app_conn_table[count].conn_state)
+			{
+		case Connected:
+			rv = p_AEP_CloseConnection(aep_app_conn_table[count].conn_hndl);
+			if (rv != AEP_R_OK)
+				goto end;
+			aep_app_conn_table[count].conn_state = NotConnected;
+			aep_app_conn_table[count].conn_hndl  = 0;
+			break;
+		case InUse:
+			(*in_use)++;
+			break;
+		case NotConnected:
+			break;
+			}
+		}
+ end:
+	if (use_engine_lock) CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+	return rv;
+	}
+
+/*BigNum call back functions, used to convert OpenSSL bignums into AEP bignums.
+  Note only 32bit Openssl build support*/
+
+static AEP_RV GetBigNumSize(AEP_VOID_PTR ArbBigNum, AEP_U32* BigNumSize)
+	{
+	BIGNUM* bn;
+
+	/*Cast the ArbBigNum pointer to our BIGNUM struct*/
+	bn = (BIGNUM*) ArbBigNum;
+
+#ifdef SIXTY_FOUR_BIT_LONG
+	*BigNumSize = bn->top << 3;
+#else
+	/*Size of the bignum in bytes is equal to the bn->top (no of 32 bit
+	  words) multiplies by 4*/
+	*BigNumSize = bn->top << 2;
+#endif
+
+	return AEP_R_OK;
+	}
+
+static AEP_RV MakeAEPBigNum(AEP_VOID_PTR ArbBigNum, AEP_U32 BigNumSize,
+	unsigned char* AEP_BigNum)
+	{
+	BIGNUM* bn;
+
+#ifndef SIXTY_FOUR_BIT_LONG
+	unsigned char* buf;
+	int i;
+#endif
+
+	/*Cast the ArbBigNum pointer to our BIGNUM struct*/
+	bn = (BIGNUM*) ArbBigNum;
+
+#ifdef SIXTY_FOUR_BIT_LONG
+  	memcpy(AEP_BigNum, bn->d, BigNumSize);
+#else
+	/*Must copy data into a (monotone) least significant byte first format
+	  performing endian conversion if necessary*/
+	for(i=0;i<bn->top;i++)
+		{
+		buf = (unsigned char*)&bn->d[i];
+
+		*((AEP_U32*)AEP_BigNum) = (AEP_U32)
+			((unsigned) buf[1] << 8 | buf[0]) |
+			((unsigned) buf[3] << 8 | buf[2])  << 16;
+
+		AEP_BigNum += 4;
+		}
+#endif
+
+	return AEP_R_OK;
+	}
+
+/*Turn an AEP Big Num back to a user big num*/
+static AEP_RV ConvertAEPBigNum(void* ArbBigNum, AEP_U32 BigNumSize,
+	unsigned char* AEP_BigNum)
+	{
+	BIGNUM* bn;
+#ifndef SIXTY_FOUR_BIT_LONG
+	int i;
+#endif
+
+	bn = (BIGNUM*)ArbBigNum;
+
+	/*Expand the result bn so that it can hold our big num.
+	  Size is in bits*/
+	bn_expand(bn, (int)(BigNumSize << 3));
+
+#ifdef SIXTY_FOUR_BIT_LONG
+	bn->top = BigNumSize >> 3;
+	
+	if((BigNumSize & 7) != 0)
+		bn->top++;
+
+	memset(bn->d, 0, bn->top << 3);	
+
+	memcpy(bn->d, AEP_BigNum, BigNumSize);
+#else
+	bn->top = BigNumSize >> 2;
+ 
+	for(i=0;i<bn->top;i++)
+		{
+		bn->d[i] = (AEP_U32)
+			((unsigned) AEP_BigNum[3] << 8 | AEP_BigNum[2]) << 16 |
+			((unsigned) AEP_BigNum[1] << 8 | AEP_BigNum[0]);
+		AEP_BigNum += 4;
+		}
+#endif
+
+	return AEP_R_OK;
+}	
+	
+#endif /* !OPENSSL_NO_HW_AEP */
+#endif /* !OPENSSL_NO_HW */
diff --git a/crypto/openssl/engines/e_aep.ec b/crypto/openssl/engines/e_aep.ec
new file mode 100644
index 000000000000..8eae642e065d
--- /dev/null
+++ b/crypto/openssl/engines/e_aep.ec
@@ -0,0 +1 @@
+L AEPHK		e_aep_err.h			e_aep_err.c
diff --git a/crypto/openssl/engines/e_aep_err.c b/crypto/openssl/engines/e_aep_err.c
new file mode 100644
index 000000000000..3f95881cabc3
--- /dev/null
+++ b/crypto/openssl/engines/e_aep_err.c
@@ -0,0 +1,161 @@
+/* e_aep_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "e_aep_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(0,func,0)
+#define ERR_REASON(reason) ERR_PACK(0,0,reason)
+
+static ERR_STRING_DATA AEPHK_str_functs[]=
+	{
+{ERR_FUNC(AEPHK_F_AEP_CTRL),	"AEP_CTRL"},
+{ERR_FUNC(AEPHK_F_AEP_FINISH),	"AEP_FINISH"},
+{ERR_FUNC(AEPHK_F_AEP_GET_CONNECTION),	"AEP_GET_CONNECTION"},
+{ERR_FUNC(AEPHK_F_AEP_INIT),	"AEP_INIT"},
+{ERR_FUNC(AEPHK_F_AEP_MOD_EXP),	"AEP_MOD_EXP"},
+{ERR_FUNC(AEPHK_F_AEP_MOD_EXP_CRT),	"AEP_MOD_EXP_CRT"},
+{ERR_FUNC(AEPHK_F_AEP_RAND),	"AEP_RAND"},
+{ERR_FUNC(AEPHK_F_AEP_RSA_MOD_EXP),	"AEP_RSA_MOD_EXP"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA AEPHK_str_reasons[]=
+	{
+{ERR_REASON(AEPHK_R_ALREADY_LOADED)      ,"already loaded"},
+{ERR_REASON(AEPHK_R_CLOSE_HANDLES_FAILED),"close handles failed"},
+{ERR_REASON(AEPHK_R_CONNECTIONS_IN_USE)  ,"connections in use"},
+{ERR_REASON(AEPHK_R_CTRL_COMMAND_NOT_IMPLEMENTED),"ctrl command not implemented"},
+{ERR_REASON(AEPHK_R_FINALIZE_FAILED)     ,"finalize failed"},
+{ERR_REASON(AEPHK_R_GET_HANDLE_FAILED)   ,"get handle failed"},
+{ERR_REASON(AEPHK_R_GET_RANDOM_FAILED)   ,"get random failed"},
+{ERR_REASON(AEPHK_R_INIT_FAILURE)        ,"init failure"},
+{ERR_REASON(AEPHK_R_MISSING_KEY_COMPONENTS),"missing key components"},
+{ERR_REASON(AEPHK_R_MOD_EXP_CRT_FAILED)  ,"mod exp crt failed"},
+{ERR_REASON(AEPHK_R_MOD_EXP_FAILED)      ,"mod exp failed"},
+{ERR_REASON(AEPHK_R_NOT_LOADED)          ,"not loaded"},
+{ERR_REASON(AEPHK_R_OK)                  ,"ok"},
+{ERR_REASON(AEPHK_R_RETURN_CONNECTION_FAILED),"return connection failed"},
+{ERR_REASON(AEPHK_R_SETBNCALLBACK_FAILURE),"setbncallback failure"},
+{ERR_REASON(AEPHK_R_SIZE_TOO_LARGE_OR_TOO_SMALL),"size too large or too small"},
+{ERR_REASON(AEPHK_R_UNIT_FAILURE)        ,"unit failure"},
+{0,NULL}
+	};
+
+#endif
+
+#ifdef AEPHK_LIB_NAME
+static ERR_STRING_DATA AEPHK_lib_name[]=
+        {
+{0	,AEPHK_LIB_NAME},
+{0,NULL}
+	};
+#endif
+
+
+static int AEPHK_lib_error_code=0;
+static int AEPHK_error_init=1;
+
+static void ERR_load_AEPHK_strings(void)
+	{
+	if (AEPHK_lib_error_code == 0)
+		AEPHK_lib_error_code=ERR_get_next_error_library();
+
+	if (AEPHK_error_init)
+		{
+		AEPHK_error_init=0;
+#ifndef OPENSSL_NO_ERR
+		ERR_load_strings(AEPHK_lib_error_code,AEPHK_str_functs);
+		ERR_load_strings(AEPHK_lib_error_code,AEPHK_str_reasons);
+#endif
+
+#ifdef AEPHK_LIB_NAME
+		AEPHK_lib_name->error = ERR_PACK(AEPHK_lib_error_code,0,0);
+		ERR_load_strings(0,AEPHK_lib_name);
+#endif
+		}
+	}
+
+static void ERR_unload_AEPHK_strings(void)
+	{
+	if (AEPHK_error_init == 0)
+		{
+#ifndef OPENSSL_NO_ERR
+		ERR_unload_strings(AEPHK_lib_error_code,AEPHK_str_functs);
+		ERR_unload_strings(AEPHK_lib_error_code,AEPHK_str_reasons);
+#endif
+
+#ifdef AEPHK_LIB_NAME
+		ERR_unload_strings(0,AEPHK_lib_name);
+#endif
+		AEPHK_error_init=1;
+		}
+	}
+
+static void ERR_AEPHK_error(int function, int reason, char *file, int line)
+	{
+	if (AEPHK_lib_error_code == 0)
+		AEPHK_lib_error_code=ERR_get_next_error_library();
+	ERR_PUT_error(AEPHK_lib_error_code,function,reason,file,line);
+	}
diff --git a/crypto/openssl/engines/e_aep_err.h b/crypto/openssl/engines/e_aep_err.h
new file mode 100644
index 000000000000..8fe4cf921f06
--- /dev/null
+++ b/crypto/openssl/engines/e_aep_err.h
@@ -0,0 +1,101 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_AEPHK_ERR_H
+#define HEADER_AEPHK_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_AEPHK_strings(void);
+static void ERR_unload_AEPHK_strings(void);
+static void ERR_AEPHK_error(int function, int reason, char *file, int line);
+#define AEPHKerr(f,r) ERR_AEPHK_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the AEPHK functions. */
+
+/* Function codes. */
+#define AEPHK_F_AEP_CTRL				 100
+#define AEPHK_F_AEP_FINISH				 101
+#define AEPHK_F_AEP_GET_CONNECTION			 102
+#define AEPHK_F_AEP_INIT				 103
+#define AEPHK_F_AEP_MOD_EXP				 104
+#define AEPHK_F_AEP_MOD_EXP_CRT				 105
+#define AEPHK_F_AEP_RAND				 106
+#define AEPHK_F_AEP_RSA_MOD_EXP				 107
+
+/* Reason codes. */
+#define AEPHK_R_ALREADY_LOADED				 100
+#define AEPHK_R_CLOSE_HANDLES_FAILED			 101
+#define AEPHK_R_CONNECTIONS_IN_USE			 102
+#define AEPHK_R_CTRL_COMMAND_NOT_IMPLEMENTED		 103
+#define AEPHK_R_FINALIZE_FAILED				 104
+#define AEPHK_R_GET_HANDLE_FAILED			 105
+#define AEPHK_R_GET_RANDOM_FAILED			 106
+#define AEPHK_R_INIT_FAILURE				 107
+#define AEPHK_R_MISSING_KEY_COMPONENTS			 108
+#define AEPHK_R_MOD_EXP_CRT_FAILED			 109
+#define AEPHK_R_MOD_EXP_FAILED				 110
+#define AEPHK_R_NOT_LOADED				 111
+#define AEPHK_R_OK					 112
+#define AEPHK_R_RETURN_CONNECTION_FAILED		 113
+#define AEPHK_R_SETBNCALLBACK_FAILURE			 114
+#define AEPHK_R_SIZE_TOO_LARGE_OR_TOO_SMALL		 116
+#define AEPHK_R_UNIT_FAILURE				 115
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/crypto/openssl/engines/e_atalla.c b/crypto/openssl/engines/e_atalla.c
new file mode 100644
index 000000000000..fabaa86a5234
--- /dev/null
+++ b/crypto/openssl/engines/e_atalla.c
@@ -0,0 +1,607 @@
+/* crypto/engine/hw_atalla.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include <openssl/dso.h>
+#include <openssl/engine.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/bn.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_ATALLA
+
+#ifdef FLAT_INC
+#include "atalla.h"
+#else
+#include "vendor_defns/atalla.h"
+#endif
+
+#define ATALLA_LIB_NAME "atalla engine"
+#include "e_atalla_err.c"
+
+static int atalla_destroy(ENGINE *e);
+static int atalla_init(ENGINE *e);
+static int atalla_finish(ENGINE *e);
+static int atalla_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
+
+/* BIGNUM stuff */
+static int atalla_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx);
+
+#ifndef OPENSSL_NO_RSA
+/* RSA stuff */
+static int atalla_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int atalla_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* DSA stuff */
+static int atalla_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+		BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+		BN_CTX *ctx, BN_MONT_CTX *in_mont);
+static int atalla_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+		const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+		BN_MONT_CTX *m_ctx);
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* DH stuff */
+/* This function is alised to mod_exp (with the DH and mont dropped). */
+static int atalla_mod_exp_dh(const DH *dh, BIGNUM *r,
+		const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
+
+/* The definitions for control commands specific to this engine */
+#define ATALLA_CMD_SO_PATH		ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN atalla_cmd_defns[] = {
+	{ATALLA_CMD_SO_PATH,
+		"SO_PATH",
+		"Specifies the path to the 'atasi' shared library",
+		ENGINE_CMD_FLAG_STRING},
+	{0, NULL, NULL, 0}
+	};
+
+#ifndef OPENSSL_NO_RSA
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD atalla_rsa =
+	{
+	"Atalla RSA method",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	atalla_rsa_mod_exp,
+	atalla_mod_exp_mont,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+	};
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* Our internal DSA_METHOD that we provide pointers to */
+static DSA_METHOD atalla_dsa =
+	{
+	"Atalla DSA method",
+	NULL, /* dsa_do_sign */
+	NULL, /* dsa_sign_setup */
+	NULL, /* dsa_do_verify */
+	atalla_dsa_mod_exp, /* dsa_mod_exp */
+	atalla_mod_exp_dsa, /* bn_mod_exp */
+	NULL, /* init */
+	NULL, /* finish */
+	0, /* flags */
+	NULL, /* app_data */
+	NULL, /* dsa_paramgen */
+	NULL /* dsa_keygen */
+	};
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD atalla_dh =
+	{
+	"Atalla DH method",
+	NULL,
+	NULL,
+	atalla_mod_exp_dh,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	NULL
+	};
+#endif
+
+/* Constants used when creating the ENGINE */
+static const char *engine_atalla_id = "atalla";
+static const char *engine_atalla_name = "Atalla hardware engine support";
+
+/* This internal function is used by ENGINE_atalla() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
+	{
+#ifndef OPENSSL_NO_RSA
+	const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DSA
+	const DSA_METHOD *meth2;
+#endif
+#ifndef OPENSSL_NO_DH
+	const DH_METHOD *meth3;
+#endif
+	if(!ENGINE_set_id(e, engine_atalla_id) ||
+			!ENGINE_set_name(e, engine_atalla_name) ||
+#ifndef OPENSSL_NO_RSA
+			!ENGINE_set_RSA(e, &atalla_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+			!ENGINE_set_DSA(e, &atalla_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+			!ENGINE_set_DH(e, &atalla_dh) ||
+#endif
+			!ENGINE_set_destroy_function(e, atalla_destroy) ||
+			!ENGINE_set_init_function(e, atalla_init) ||
+			!ENGINE_set_finish_function(e, atalla_finish) ||
+			!ENGINE_set_ctrl_function(e, atalla_ctrl) ||
+			!ENGINE_set_cmd_defns(e, atalla_cmd_defns))
+		return 0;
+
+#ifndef OPENSSL_NO_RSA
+	/* We know that the "PKCS1_SSLeay()" functions hook properly
+	 * to the atalla-specific mod_exp and mod_exp_crt so we use
+	 * those functions. NB: We don't use ENGINE_openssl() or
+	 * anything "more generic" because something like the RSAref
+	 * code may not hook properly, and if you own one of these
+	 * cards then you have the right to do RSA operations on it
+	 * anyway! */ 
+	meth1 = RSA_PKCS1_SSLeay();
+	atalla_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+	atalla_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+	atalla_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+	atalla_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
+
+#ifndef OPENSSL_NO_DSA
+	/* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
+	 * bits. */
+	meth2 = DSA_OpenSSL();
+	atalla_dsa.dsa_do_sign = meth2->dsa_do_sign;
+	atalla_dsa.dsa_sign_setup = meth2->dsa_sign_setup;
+	atalla_dsa.dsa_do_verify = meth2->dsa_do_verify;
+#endif
+
+#ifndef OPENSSL_NO_DH
+	/* Much the same for Diffie-Hellman */
+	meth3 = DH_OpenSSL();
+	atalla_dh.generate_key = meth3->generate_key;
+	atalla_dh.compute_key = meth3->compute_key;
+#endif
+
+	/* Ensure the atalla error handling is set up */
+	ERR_load_ATALLA_strings();
+	return 1;
+	}
+
+#ifdef OPENSSL_NO_DYNAMIC_ENGINE
+static ENGINE *engine_atalla(void)
+	{
+	ENGINE *ret = ENGINE_new();
+	if(!ret)
+		return NULL;
+	if(!bind_helper(ret))
+		{
+		ENGINE_free(ret);
+		return NULL;
+		}
+	return ret;
+	}
+
+void ENGINE_load_atalla(void)
+	{
+	/* Copied from eng_[openssl|dyn].c */
+	ENGINE *toadd = engine_atalla();
+	if(!toadd) return;
+	ENGINE_add(toadd);
+	ENGINE_free(toadd);
+	ERR_clear_error();
+	}
+#endif
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the Atalla library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *atalla_dso = NULL;
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+static tfnASI_GetHardwareConfig *p_Atalla_GetHardwareConfig = NULL;
+static tfnASI_RSAPrivateKeyOpFn *p_Atalla_RSAPrivateKeyOpFn = NULL;
+static tfnASI_GetPerformanceStatistics *p_Atalla_GetPerformanceStatistics = NULL;
+
+/* These are the static string constants for the DSO file name and the function
+ * symbol names to bind to. Regrettably, the DSO name on *nix appears to be
+ * "atasi.so" rather than something more consistent like "libatasi.so". At the
+ * time of writing, I'm not sure what the file name on win32 is but clearly
+ * native name translation is not possible (eg libatasi.so on *nix, and
+ * atasi.dll on win32). For the purposes of testing, I have created a symbollic
+ * link called "libatasi.so" so that we can use native name-translation - a
+ * better solution will be needed. */
+static const char *ATALLA_LIBNAME = NULL;
+static const char *get_ATALLA_LIBNAME(void)
+	{
+		if(ATALLA_LIBNAME)
+			return ATALLA_LIBNAME;
+		return "atasi";
+	}
+static void free_ATALLA_LIBNAME(void)
+	{
+		if(ATALLA_LIBNAME)
+			OPENSSL_free((void*)ATALLA_LIBNAME);
+		ATALLA_LIBNAME = NULL;
+	}
+static long set_ATALLA_LIBNAME(const char *name)
+	{
+	free_ATALLA_LIBNAME();
+	return (((ATALLA_LIBNAME = BUF_strdup(name)) != NULL) ? 1 : 0);
+	}
+static const char *ATALLA_F1 = "ASI_GetHardwareConfig";
+static const char *ATALLA_F2 = "ASI_RSAPrivateKeyOpFn";
+static const char *ATALLA_F3 = "ASI_GetPerformanceStatistics";
+
+/* Destructor (complements the "ENGINE_atalla()" constructor) */
+static int atalla_destroy(ENGINE *e)
+	{
+	free_ATALLA_LIBNAME();
+	/* Unload the atalla error strings so any error state including our
+	 * functs or reasons won't lead to a segfault (they simply get displayed
+	 * without corresponding string data because none will be found). */
+	ERR_unload_ATALLA_strings();
+	return 1;
+	}
+
+/* (de)initialisation functions. */
+static int atalla_init(ENGINE *e)
+	{
+	tfnASI_GetHardwareConfig *p1;
+	tfnASI_RSAPrivateKeyOpFn *p2;
+	tfnASI_GetPerformanceStatistics *p3;
+	/* Not sure of the origin of this magic value, but Ben's code had it
+	 * and it seemed to have been working for a few people. :-) */
+	unsigned int config_buf[1024];
+
+	if(atalla_dso != NULL)
+		{
+		ATALLAerr(ATALLA_F_ATALLA_INIT,ATALLA_R_ALREADY_LOADED);
+		goto err;
+		}
+	/* Attempt to load libatasi.so/atasi.dll/whatever. Needs to be
+	 * changed unfortunately because the Atalla drivers don't have
+	 * standard library names that can be platform-translated well. */
+	/* TODO: Work out how to actually map to the names the Atalla
+	 * drivers really use - for now a symbollic link needs to be
+	 * created on the host system from libatasi.so to atasi.so on
+	 * unix variants. */
+	atalla_dso = DSO_load(NULL, get_ATALLA_LIBNAME(), NULL, 0);
+	if(atalla_dso == NULL)
+		{
+		ATALLAerr(ATALLA_F_ATALLA_INIT,ATALLA_R_NOT_LOADED);
+		goto err;
+		}
+	if(!(p1 = (tfnASI_GetHardwareConfig *)DSO_bind_func(
+				atalla_dso, ATALLA_F1)) ||
+			!(p2 = (tfnASI_RSAPrivateKeyOpFn *)DSO_bind_func(
+				atalla_dso, ATALLA_F2)) ||
+			!(p3 = (tfnASI_GetPerformanceStatistics *)DSO_bind_func(
+				atalla_dso, ATALLA_F3)))
+		{
+		ATALLAerr(ATALLA_F_ATALLA_INIT,ATALLA_R_NOT_LOADED);
+		goto err;
+		}
+	/* Copy the pointers */
+	p_Atalla_GetHardwareConfig = p1;
+	p_Atalla_RSAPrivateKeyOpFn = p2;
+	p_Atalla_GetPerformanceStatistics = p3;
+	/* Perform a basic test to see if there's actually any unit
+	 * running. */
+	if(p1(0L, config_buf) != 0)
+		{
+		ATALLAerr(ATALLA_F_ATALLA_INIT,ATALLA_R_UNIT_FAILURE);
+		goto err;
+		}
+	/* Everything's fine. */
+	return 1;
+err:
+	if(atalla_dso)
+		DSO_free(atalla_dso);
+	atalla_dso = NULL;
+	p_Atalla_GetHardwareConfig = NULL;
+	p_Atalla_RSAPrivateKeyOpFn = NULL;
+	p_Atalla_GetPerformanceStatistics = NULL;
+	return 0;
+	}
+
+static int atalla_finish(ENGINE *e)
+	{
+	free_ATALLA_LIBNAME();
+	if(atalla_dso == NULL)
+		{
+		ATALLAerr(ATALLA_F_ATALLA_FINISH,ATALLA_R_NOT_LOADED);
+		return 0;
+		}
+	if(!DSO_free(atalla_dso))
+		{
+		ATALLAerr(ATALLA_F_ATALLA_FINISH,ATALLA_R_UNIT_FAILURE);
+		return 0;
+		}
+	atalla_dso = NULL;
+	p_Atalla_GetHardwareConfig = NULL;
+	p_Atalla_RSAPrivateKeyOpFn = NULL;
+	p_Atalla_GetPerformanceStatistics = NULL;
+	return 1;
+	}
+
+static int atalla_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
+	{
+	int initialised = ((atalla_dso == NULL) ? 0 : 1);
+	switch(cmd)
+		{
+	case ATALLA_CMD_SO_PATH:
+		if(p == NULL)
+			{
+			ATALLAerr(ATALLA_F_ATALLA_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+			return 0;
+			}
+		if(initialised)
+			{
+			ATALLAerr(ATALLA_F_ATALLA_CTRL,ATALLA_R_ALREADY_LOADED);
+			return 0;
+			}
+		return set_ATALLA_LIBNAME((const char *)p);
+	default:
+		break;
+		}
+	ATALLAerr(ATALLA_F_ATALLA_CTRL,ATALLA_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+	return 0;
+	}
+
+static int atalla_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *m, BN_CTX *ctx)
+	{
+	/* I need somewhere to store temporary serialised values for
+	 * use with the Atalla API calls. A neat cheat - I'll use
+	 * BIGNUMs from the BN_CTX but access their arrays directly as
+	 * byte arrays <grin>. This way I don't have to clean anything
+	 * up. */
+	BIGNUM *modulus;
+	BIGNUM *exponent;
+	BIGNUM *argument;
+	BIGNUM *result;
+	RSAPrivateKey keydata;
+	int to_return, numbytes;
+
+	modulus = exponent = argument = result = NULL;
+	to_return = 0; /* expect failure */
+
+	if(!atalla_dso)
+		{
+		ATALLAerr(ATALLA_F_ATALLA_MOD_EXP,ATALLA_R_NOT_LOADED);
+		goto err;
+		}
+	/* Prepare the params */
+	BN_CTX_start(ctx);
+	modulus = BN_CTX_get(ctx);
+	exponent = BN_CTX_get(ctx);
+	argument = BN_CTX_get(ctx);
+	result = BN_CTX_get(ctx);
+	if (!result)
+		{
+		ATALLAerr(ATALLA_F_ATALLA_MOD_EXP,ATALLA_R_BN_CTX_FULL);
+		goto err;
+		}
+	if(!bn_wexpand(modulus, m->top) || !bn_wexpand(exponent, m->top) ||
+	   !bn_wexpand(argument, m->top) || !bn_wexpand(result, m->top))
+		{
+		ATALLAerr(ATALLA_F_ATALLA_MOD_EXP,ATALLA_R_BN_EXPAND_FAIL);
+		goto err;
+		}
+	/* Prepare the key-data */
+	memset(&keydata, 0,sizeof keydata);
+	numbytes = BN_num_bytes(m);
+	memset(exponent->d, 0, numbytes);
+	memset(modulus->d, 0, numbytes);
+	BN_bn2bin(p, (unsigned char *)exponent->d + numbytes - BN_num_bytes(p));
+	BN_bn2bin(m, (unsigned char *)modulus->d + numbytes - BN_num_bytes(m));
+	keydata.privateExponent.data = (unsigned char *)exponent->d;
+	keydata.privateExponent.len = numbytes;
+	keydata.modulus.data = (unsigned char *)modulus->d;
+	keydata.modulus.len = numbytes;
+	/* Prepare the argument */
+	memset(argument->d, 0, numbytes);
+	memset(result->d, 0, numbytes);
+	BN_bn2bin(a, (unsigned char *)argument->d + numbytes - BN_num_bytes(a));
+	/* Perform the operation */
+	if(p_Atalla_RSAPrivateKeyOpFn(&keydata, (unsigned char *)result->d,
+			(unsigned char *)argument->d,
+			keydata.modulus.len) != 0)
+		{
+		ATALLAerr(ATALLA_F_ATALLA_MOD_EXP,ATALLA_R_REQUEST_FAILED);
+		goto err;
+		}
+	/* Convert the response */
+	BN_bin2bn((unsigned char *)result->d, numbytes, r);
+	to_return = 1;
+err:
+	BN_CTX_end(ctx);
+	return to_return;
+	}
+
+#ifndef OPENSSL_NO_RSA
+static int atalla_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+	{
+	int to_return = 0;
+
+	if(!atalla_dso)
+		{
+		ATALLAerr(ATALLA_F_ATALLA_RSA_MOD_EXP,ATALLA_R_NOT_LOADED);
+		goto err;
+		}
+	if(!rsa->d || !rsa->n)
+		{
+		ATALLAerr(ATALLA_F_ATALLA_RSA_MOD_EXP,ATALLA_R_MISSING_KEY_COMPONENTS);
+		goto err;
+		}
+	to_return = atalla_mod_exp(r0, I, rsa->d, rsa->n, ctx);
+err:
+	return to_return;
+	}
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* This code was liberated and adapted from the commented-out code in
+ * dsa_ossl.c. Because of the unoptimised form of the Atalla acceleration
+ * (it doesn't have a CRT form for RSA), this function means that an
+ * Atalla system running with a DSA server certificate can handshake
+ * around 5 or 6 times faster/more than an equivalent system running with
+ * RSA. Just check out the "signs" statistics from the RSA and DSA parts
+ * of "openssl speed -engine atalla dsa1024 rsa1024". */
+static int atalla_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+		BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+		BN_CTX *ctx, BN_MONT_CTX *in_mont)
+	{
+	BIGNUM t;
+	int to_return = 0;
+ 
+	BN_init(&t);
+	/* let rr = a1 ^ p1 mod m */
+	if (!atalla_mod_exp(rr,a1,p1,m,ctx)) goto end;
+	/* let t = a2 ^ p2 mod m */
+	if (!atalla_mod_exp(&t,a2,p2,m,ctx)) goto end;
+	/* let rr = rr * t mod m */
+	if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end;
+	to_return = 1;
+end:
+	BN_free(&t);
+	return to_return;
+	}
+
+static int atalla_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+		const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+		BN_MONT_CTX *m_ctx)
+	{
+	return atalla_mod_exp(r, a, p, m, ctx);
+	}
+#endif
+
+#ifndef OPENSSL_NO_RSA
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int atalla_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	return atalla_mod_exp(r, a, p, m, ctx);
+	}
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int atalla_mod_exp_dh(const DH *dh, BIGNUM *r,
+		const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	return atalla_mod_exp(r, a, p, m, ctx);
+	}
+#endif
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+static int bind_fn(ENGINE *e, const char *id)
+	{
+	if(id && (strcmp(id, engine_atalla_id) != 0))
+		return 0;
+	if(!bind_helper(e))
+		return 0;
+	return 1;
+	}
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* OPENSSL_NO_DYNAMIC_ENGINE */
+
+#endif /* !OPENSSL_NO_HW_ATALLA */
+#endif /* !OPENSSL_NO_HW */
diff --git a/crypto/openssl/engines/e_atalla.ec b/crypto/openssl/engines/e_atalla.ec
new file mode 100644
index 000000000000..1d735e1b20d0
--- /dev/null
+++ b/crypto/openssl/engines/e_atalla.ec
@@ -0,0 +1 @@
+L ATALLA	e_atalla_err.h			e_atalla_err.c
diff --git a/crypto/openssl/engines/e_atalla_err.c b/crypto/openssl/engines/e_atalla_err.c
new file mode 100644
index 000000000000..fd3e0049ce85
--- /dev/null
+++ b/crypto/openssl/engines/e_atalla_err.c
@@ -0,0 +1,149 @@
+/* e_atalla_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "e_atalla_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(0,func,0)
+#define ERR_REASON(reason) ERR_PACK(0,0,reason)
+
+static ERR_STRING_DATA ATALLA_str_functs[]=
+	{
+{ERR_FUNC(ATALLA_F_ATALLA_CTRL),	"ATALLA_CTRL"},
+{ERR_FUNC(ATALLA_F_ATALLA_FINISH),	"ATALLA_FINISH"},
+{ERR_FUNC(ATALLA_F_ATALLA_INIT),	"ATALLA_INIT"},
+{ERR_FUNC(ATALLA_F_ATALLA_MOD_EXP),	"ATALLA_MOD_EXP"},
+{ERR_FUNC(ATALLA_F_ATALLA_RSA_MOD_EXP),	"ATALLA_RSA_MOD_EXP"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA ATALLA_str_reasons[]=
+	{
+{ERR_REASON(ATALLA_R_ALREADY_LOADED)     ,"already loaded"},
+{ERR_REASON(ATALLA_R_BN_CTX_FULL)        ,"bn ctx full"},
+{ERR_REASON(ATALLA_R_BN_EXPAND_FAIL)     ,"bn expand fail"},
+{ERR_REASON(ATALLA_R_CTRL_COMMAND_NOT_IMPLEMENTED),"ctrl command not implemented"},
+{ERR_REASON(ATALLA_R_MISSING_KEY_COMPONENTS),"missing key components"},
+{ERR_REASON(ATALLA_R_NOT_LOADED)         ,"not loaded"},
+{ERR_REASON(ATALLA_R_REQUEST_FAILED)     ,"request failed"},
+{ERR_REASON(ATALLA_R_UNIT_FAILURE)       ,"unit failure"},
+{0,NULL}
+	};
+
+#endif
+
+#ifdef ATALLA_LIB_NAME
+static ERR_STRING_DATA ATALLA_lib_name[]=
+        {
+{0	,ATALLA_LIB_NAME},
+{0,NULL}
+	};
+#endif
+
+
+static int ATALLA_lib_error_code=0;
+static int ATALLA_error_init=1;
+
+static void ERR_load_ATALLA_strings(void)
+	{
+	if (ATALLA_lib_error_code == 0)
+		ATALLA_lib_error_code=ERR_get_next_error_library();
+
+	if (ATALLA_error_init)
+		{
+		ATALLA_error_init=0;
+#ifndef OPENSSL_NO_ERR
+		ERR_load_strings(ATALLA_lib_error_code,ATALLA_str_functs);
+		ERR_load_strings(ATALLA_lib_error_code,ATALLA_str_reasons);
+#endif
+
+#ifdef ATALLA_LIB_NAME
+		ATALLA_lib_name->error = ERR_PACK(ATALLA_lib_error_code,0,0);
+		ERR_load_strings(0,ATALLA_lib_name);
+#endif
+		}
+	}
+
+static void ERR_unload_ATALLA_strings(void)
+	{
+	if (ATALLA_error_init == 0)
+		{
+#ifndef OPENSSL_NO_ERR
+		ERR_unload_strings(ATALLA_lib_error_code,ATALLA_str_functs);
+		ERR_unload_strings(ATALLA_lib_error_code,ATALLA_str_reasons);
+#endif
+
+#ifdef ATALLA_LIB_NAME
+		ERR_unload_strings(0,ATALLA_lib_name);
+#endif
+		ATALLA_error_init=1;
+		}
+	}
+
+static void ERR_ATALLA_error(int function, int reason, char *file, int line)
+	{
+	if (ATALLA_lib_error_code == 0)
+		ATALLA_lib_error_code=ERR_get_next_error_library();
+	ERR_PUT_error(ATALLA_lib_error_code,function,reason,file,line);
+	}
diff --git a/crypto/openssl/engines/e_atalla_err.h b/crypto/openssl/engines/e_atalla_err.h
new file mode 100644
index 000000000000..cdac052d8c98
--- /dev/null
+++ b/crypto/openssl/engines/e_atalla_err.h
@@ -0,0 +1,89 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_ATALLA_ERR_H
+#define HEADER_ATALLA_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_ATALLA_strings(void);
+static void ERR_unload_ATALLA_strings(void);
+static void ERR_ATALLA_error(int function, int reason, char *file, int line);
+#define ATALLAerr(f,r) ERR_ATALLA_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the ATALLA functions. */
+
+/* Function codes. */
+#define ATALLA_F_ATALLA_CTRL				 100
+#define ATALLA_F_ATALLA_FINISH				 101
+#define ATALLA_F_ATALLA_INIT				 102
+#define ATALLA_F_ATALLA_MOD_EXP				 103
+#define ATALLA_F_ATALLA_RSA_MOD_EXP			 104
+
+/* Reason codes. */
+#define ATALLA_R_ALREADY_LOADED				 100
+#define ATALLA_R_BN_CTX_FULL				 101
+#define ATALLA_R_BN_EXPAND_FAIL				 102
+#define ATALLA_R_CTRL_COMMAND_NOT_IMPLEMENTED		 103
+#define ATALLA_R_MISSING_KEY_COMPONENTS			 104
+#define ATALLA_R_NOT_LOADED				 105
+#define ATALLA_R_REQUEST_FAILED				 106
+#define ATALLA_R_UNIT_FAILURE				 107
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/crypto/openssl/engines/e_chil.c b/crypto/openssl/engines/e_chil.c
new file mode 100644
index 000000000000..26108caa6494
--- /dev/null
+++ b/crypto/openssl/engines/e_chil.c
@@ -0,0 +1,1374 @@
+/* crypto/engine/e_chil.c -*- mode: C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org), Geoff Thorpe
+ * (geoff@geoffthorpe.net) and Dr Stephen N Henson (shenson@bigfoot.com)
+ * for the OpenSSL project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/pem.h>
+#include <openssl/dso.h>
+#include <openssl/engine.h>
+#include <openssl/ui.h>
+#include <openssl/rand.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/bn.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_CHIL
+
+/* Attribution notice: nCipher have said several times that it's OK for
+ * us to implement a general interface to their boxes, and recently declared
+ * their HWCryptoHook to be public, and therefore available for us to use.
+ * Thanks, nCipher.
+ *
+ * The hwcryptohook.h included here is from May 2000.
+ * [Richard Levitte]
+ */
+#ifdef FLAT_INC
+#include "hwcryptohook.h"
+#else
+#include "vendor_defns/hwcryptohook.h"
+#endif
+
+#define HWCRHK_LIB_NAME "CHIL engine"
+#include "e_chil_err.c"
+
+static int hwcrhk_destroy(ENGINE *e);
+static int hwcrhk_init(ENGINE *e);
+static int hwcrhk_finish(ENGINE *e);
+static int hwcrhk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void)); 
+
+/* Functions to handle mutexes */
+static int hwcrhk_mutex_init(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext*);
+static int hwcrhk_mutex_lock(HWCryptoHook_Mutex*);
+static void hwcrhk_mutex_unlock(HWCryptoHook_Mutex*);
+static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex*);
+
+/* BIGNUM stuff */
+static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx);
+
+#ifndef OPENSSL_NO_RSA
+/* RSA stuff */
+static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
+#endif
+#ifndef OPENSSL_NO_RSA
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int hwcrhk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* DH stuff */
+/* This function is alised to mod_exp (with the DH and mont dropped). */
+static int hwcrhk_mod_exp_dh(const DH *dh, BIGNUM *r,
+	const BIGNUM *a, const BIGNUM *p,
+	const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
+
+/* RAND stuff */
+static int hwcrhk_rand_bytes(unsigned char *buf, int num);
+static int hwcrhk_rand_status(void);
+
+/* KM stuff */
+static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
+	UI_METHOD *ui_method, void *callback_data);
+static EVP_PKEY *hwcrhk_load_pubkey(ENGINE *eng, const char *key_id,
+	UI_METHOD *ui_method, void *callback_data);
+#ifndef OPENSSL_NO_RSA
+static void hwcrhk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+	int ind,long argl, void *argp);
+#endif
+
+/* Interaction stuff */
+static int hwcrhk_insert_card(const char *prompt_info,
+	const char *wrong_info,
+	HWCryptoHook_PassphraseContext *ppctx,
+	HWCryptoHook_CallerContext *cactx);
+static int hwcrhk_get_pass(const char *prompt_info,
+	int *len_io, char *buf,
+	HWCryptoHook_PassphraseContext *ppctx,
+	HWCryptoHook_CallerContext *cactx);
+static void hwcrhk_log_message(void *logstr, const char *message);
+
+/* The definitions for control commands specific to this engine */
+#define HWCRHK_CMD_SO_PATH		ENGINE_CMD_BASE
+#define HWCRHK_CMD_FORK_CHECK		(ENGINE_CMD_BASE + 1)
+#define HWCRHK_CMD_THREAD_LOCKING	(ENGINE_CMD_BASE + 2)
+#define HWCRHK_CMD_SET_USER_INTERFACE   (ENGINE_CMD_BASE + 3)
+#define HWCRHK_CMD_SET_CALLBACK_DATA    (ENGINE_CMD_BASE + 4)
+static const ENGINE_CMD_DEFN hwcrhk_cmd_defns[] = {
+	{HWCRHK_CMD_SO_PATH,
+		"SO_PATH",
+		"Specifies the path to the 'hwcrhk' shared library",
+		ENGINE_CMD_FLAG_STRING},
+	{HWCRHK_CMD_FORK_CHECK,
+		"FORK_CHECK",
+		"Turns fork() checking on or off (boolean)",
+		ENGINE_CMD_FLAG_NUMERIC},
+	{HWCRHK_CMD_THREAD_LOCKING,
+		"THREAD_LOCKING",
+		"Turns thread-safe locking on or off (boolean)",
+		ENGINE_CMD_FLAG_NUMERIC},
+	{HWCRHK_CMD_SET_USER_INTERFACE,
+		"SET_USER_INTERFACE",
+		"Set the global user interface (internal)",
+		ENGINE_CMD_FLAG_INTERNAL},
+	{HWCRHK_CMD_SET_CALLBACK_DATA,
+		"SET_CALLBACK_DATA",
+		"Set the global user interface extra data (internal)",
+		ENGINE_CMD_FLAG_INTERNAL},
+	{0, NULL, NULL, 0}
+	};
+
+#ifndef OPENSSL_NO_RSA
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD hwcrhk_rsa =
+	{
+	"CHIL RSA method",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	hwcrhk_rsa_mod_exp,
+	hwcrhk_mod_exp_mont,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+	};
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD hwcrhk_dh =
+	{
+	"CHIL DH method",
+	NULL,
+	NULL,
+	hwcrhk_mod_exp_dh,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	NULL
+	};
+#endif
+
+static RAND_METHOD hwcrhk_rand =
+	{
+	/* "CHIL RAND method", */
+	NULL,
+	hwcrhk_rand_bytes,
+	NULL,
+	NULL,
+	hwcrhk_rand_bytes,
+	hwcrhk_rand_status,
+	};
+
+/* Constants used when creating the ENGINE */
+static const char *engine_hwcrhk_id = "chil";
+static const char *engine_hwcrhk_name = "CHIL hardware engine support";
+
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE 
+/* Compatibility hack, the dynamic library uses this form in the path */
+static const char *engine_hwcrhk_id_alt = "ncipher";
+#endif
+
+/* Internal stuff for HWCryptoHook */
+
+/* Some structures needed for proper use of thread locks */
+/* hwcryptohook.h has some typedefs that turn struct HWCryptoHook_MutexValue
+   into HWCryptoHook_Mutex */
+struct HWCryptoHook_MutexValue
+	{
+	int lockid;
+	};
+
+/* hwcryptohook.h has some typedefs that turn
+   struct HWCryptoHook_PassphraseContextValue
+   into HWCryptoHook_PassphraseContext */
+struct HWCryptoHook_PassphraseContextValue
+	{
+        UI_METHOD *ui_method;
+	void *callback_data;
+	};
+
+/* hwcryptohook.h has some typedefs that turn
+   struct HWCryptoHook_CallerContextValue
+   into HWCryptoHook_CallerContext */
+struct HWCryptoHook_CallerContextValue
+	{
+	pem_password_cb *password_callback; /* Deprecated!  Only present for
+                                               backward compatibility! */
+        UI_METHOD *ui_method;
+	void *callback_data;
+	};
+
+/* The MPI structure in HWCryptoHook is pretty compatible with OpenSSL
+   BIGNUM's, so lets define a couple of conversion macros */
+#define BN2MPI(mp, bn) \
+    {mp.size = bn->top * sizeof(BN_ULONG); mp.buf = (unsigned char *)bn->d;}
+#define MPI2BN(bn, mp) \
+    {mp.size = bn->dmax * sizeof(BN_ULONG); mp.buf = (unsigned char *)bn->d;}
+
+static BIO *logstream = NULL;
+static int disable_mutex_callbacks = 0;
+
+/* One might wonder why these are needed, since one can pass down at least
+   a UI_METHOD and a pointer to callback data to the key-loading functions.
+   The thing is that the ModExp and RSAImmed functions can load keys as well,
+   if the data they get is in a special, nCipher-defined format (hint: if you
+   look at the private exponent of the RSA data as a string, you'll see this
+   string: "nCipher KM tool key id", followed by some bytes, followed a key
+   identity string, followed by more bytes.  This happens when you use "embed"
+   keys instead of "hwcrhk" keys).  Unfortunately, those functions do not take
+   any passphrase or caller context, and our functions can't really take any
+   callback data either.  Still, the "insert_card" and "get_passphrase"
+   callbacks may be called down the line, and will need to know what user
+   interface callbacks to call, and having callback data from the application
+   may be a nice thing as well, so we need to keep track of that globally. */
+static HWCryptoHook_CallerContext password_context = { NULL, NULL, NULL };
+
+/* Stuff to pass to the HWCryptoHook library */
+static HWCryptoHook_InitInfo hwcrhk_globals = {
+	HWCryptoHook_InitFlags_SimpleForkCheck,	/* Flags */
+	&logstream,		/* logstream */
+	sizeof(BN_ULONG),	/* limbsize */
+	0,			/* mslimb first: false for BNs */
+	-1,			/* msbyte first: use native */
+	0,			/* Max mutexes, 0 = no small limit */
+	0,			/* Max simultaneous, 0 = default */
+
+	/* The next few are mutex stuff: we write wrapper functions
+	   around the OS mutex functions.  We initialise them to 0
+	   here, and change that to actual function pointers in hwcrhk_init()
+	   if dynamic locks are supported (that is, if the application
+	   programmer has made sure of setting up callbacks bafore starting
+	   this engine) *and* if disable_mutex_callbacks hasn't been set by
+	   a call to ENGINE_ctrl(ENGINE_CTRL_CHIL_NO_LOCKING). */
+	sizeof(HWCryptoHook_Mutex),
+	0,
+	0,
+	0,
+	0,
+
+	/* The next few are condvar stuff: we write wrapper functions
+	   round the OS functions.  Currently not implemented and not
+	   and absolute necessity even in threaded programs, therefore
+	   0'ed.  Will hopefully be implemented some day, since it
+	   enhances the efficiency of HWCryptoHook.  */
+	0, /* sizeof(HWCryptoHook_CondVar), */
+	0, /* hwcrhk_cv_init, */
+	0, /* hwcrhk_cv_wait, */
+	0, /* hwcrhk_cv_signal, */
+	0, /* hwcrhk_cv_broadcast, */
+	0, /* hwcrhk_cv_destroy, */
+
+	hwcrhk_get_pass,	/* pass phrase */
+	hwcrhk_insert_card,	/* insert a card */
+	hwcrhk_log_message	/* Log message */
+};
+
+
+/* Now, to our own code */
+
+/* This internal function is used by ENGINE_chil() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
+	{
+#ifndef OPENSSL_NO_RSA
+	const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DH
+	const DH_METHOD *meth2;
+#endif
+	if(!ENGINE_set_id(e, engine_hwcrhk_id) ||
+			!ENGINE_set_name(e, engine_hwcrhk_name) ||
+#ifndef OPENSSL_NO_RSA
+			!ENGINE_set_RSA(e, &hwcrhk_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+			!ENGINE_set_DH(e, &hwcrhk_dh) ||
+#endif
+			!ENGINE_set_RAND(e, &hwcrhk_rand) ||
+			!ENGINE_set_destroy_function(e, hwcrhk_destroy) ||
+			!ENGINE_set_init_function(e, hwcrhk_init) ||
+			!ENGINE_set_finish_function(e, hwcrhk_finish) ||
+			!ENGINE_set_ctrl_function(e, hwcrhk_ctrl) ||
+			!ENGINE_set_load_privkey_function(e, hwcrhk_load_privkey) ||
+			!ENGINE_set_load_pubkey_function(e, hwcrhk_load_pubkey) ||
+			!ENGINE_set_cmd_defns(e, hwcrhk_cmd_defns))
+		return 0;
+
+#ifndef OPENSSL_NO_RSA
+	/* We know that the "PKCS1_SSLeay()" functions hook properly
+	 * to the cswift-specific mod_exp and mod_exp_crt so we use
+	 * those functions. NB: We don't use ENGINE_openssl() or
+	 * anything "more generic" because something like the RSAref
+	 * code may not hook properly, and if you own one of these
+	 * cards then you have the right to do RSA operations on it
+	 * anyway! */ 
+	meth1 = RSA_PKCS1_SSLeay();
+	hwcrhk_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+	hwcrhk_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+	hwcrhk_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+	hwcrhk_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
+
+#ifndef OPENSSL_NO_DH
+	/* Much the same for Diffie-Hellman */
+	meth2 = DH_OpenSSL();
+	hwcrhk_dh.generate_key = meth2->generate_key;
+	hwcrhk_dh.compute_key = meth2->compute_key;
+#endif
+
+	/* Ensure the hwcrhk error handling is set up */
+	ERR_load_HWCRHK_strings();
+	return 1;
+	}
+
+#ifdef OPENSSL_NO_DYNAMIC_ENGINE
+static ENGINE *engine_chil(void)
+	{
+	ENGINE *ret = ENGINE_new();
+	if(!ret)
+		return NULL;
+	if(!bind_helper(ret))
+		{
+		ENGINE_free(ret);
+		return NULL;
+		}
+	return ret;
+	}
+
+void ENGINE_load_chil(void)
+	{
+	/* Copied from eng_[openssl|dyn].c */
+	ENGINE *toadd = engine_chil();
+	if(!toadd) return;
+	ENGINE_add(toadd);
+	ENGINE_free(toadd);
+	ERR_clear_error();
+	}
+#endif
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the HWCryptoHook library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *hwcrhk_dso = NULL;
+static HWCryptoHook_ContextHandle hwcrhk_context = 0;
+#ifndef OPENSSL_NO_RSA
+static int hndidx_rsa = -1;    /* Index for KM handle.  Not really used yet. */
+#endif
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+static HWCryptoHook_Init_t *p_hwcrhk_Init = NULL;
+static HWCryptoHook_Finish_t *p_hwcrhk_Finish = NULL;
+static HWCryptoHook_ModExp_t *p_hwcrhk_ModExp = NULL;
+#ifndef OPENSSL_NO_RSA
+static HWCryptoHook_RSA_t *p_hwcrhk_RSA = NULL;
+#endif
+static HWCryptoHook_RandomBytes_t *p_hwcrhk_RandomBytes = NULL;
+#ifndef OPENSSL_NO_RSA
+static HWCryptoHook_RSALoadKey_t *p_hwcrhk_RSALoadKey = NULL;
+static HWCryptoHook_RSAGetPublicKey_t *p_hwcrhk_RSAGetPublicKey = NULL;
+static HWCryptoHook_RSAUnloadKey_t *p_hwcrhk_RSAUnloadKey = NULL;
+#endif
+static HWCryptoHook_ModExpCRT_t *p_hwcrhk_ModExpCRT = NULL;
+
+/* Used in the DSO operations. */
+static const char *HWCRHK_LIBNAME = NULL;
+static void free_HWCRHK_LIBNAME(void)
+	{
+	if(HWCRHK_LIBNAME)
+		OPENSSL_free((void*)HWCRHK_LIBNAME);
+	HWCRHK_LIBNAME = NULL;
+	}
+static const char *get_HWCRHK_LIBNAME(void)
+	{
+	if(HWCRHK_LIBNAME)
+		return HWCRHK_LIBNAME;
+	return "nfhwcrhk";
+	}
+static long set_HWCRHK_LIBNAME(const char *name)
+	{
+	free_HWCRHK_LIBNAME();
+	return (((HWCRHK_LIBNAME = BUF_strdup(name)) != NULL) ? 1 : 0);
+	}
+static const char *n_hwcrhk_Init = "HWCryptoHook_Init";
+static const char *n_hwcrhk_Finish = "HWCryptoHook_Finish";
+static const char *n_hwcrhk_ModExp = "HWCryptoHook_ModExp";
+#ifndef OPENSSL_NO_RSA
+static const char *n_hwcrhk_RSA = "HWCryptoHook_RSA";
+#endif
+static const char *n_hwcrhk_RandomBytes = "HWCryptoHook_RandomBytes";
+#ifndef OPENSSL_NO_RSA
+static const char *n_hwcrhk_RSALoadKey = "HWCryptoHook_RSALoadKey";
+static const char *n_hwcrhk_RSAGetPublicKey = "HWCryptoHook_RSAGetPublicKey";
+static const char *n_hwcrhk_RSAUnloadKey = "HWCryptoHook_RSAUnloadKey";
+#endif
+static const char *n_hwcrhk_ModExpCRT = "HWCryptoHook_ModExpCRT";
+
+/* HWCryptoHook library functions and mechanics - these are used by the
+ * higher-level functions further down. NB: As and where there's no
+ * error checking, take a look lower down where these functions are
+ * called, the checking and error handling is probably down there. */
+
+/* utility function to obtain a context */
+static int get_context(HWCryptoHook_ContextHandle *hac,
+        HWCryptoHook_CallerContext *cac)
+	{
+	char tempbuf[1024];
+	HWCryptoHook_ErrMsgBuf rmsg;
+
+	rmsg.buf = tempbuf;
+	rmsg.size = sizeof(tempbuf);
+
+        *hac = p_hwcrhk_Init(&hwcrhk_globals, sizeof(hwcrhk_globals), &rmsg,
+		cac);
+	if (!*hac)
+                return 0;
+        return 1;
+	}
+ 
+/* similarly to release one. */
+static void release_context(HWCryptoHook_ContextHandle hac)
+	{
+	p_hwcrhk_Finish(hac);
+	}
+
+/* Destructor (complements the "ENGINE_chil()" constructor) */
+static int hwcrhk_destroy(ENGINE *e)
+	{
+	free_HWCRHK_LIBNAME();
+	ERR_unload_HWCRHK_strings();
+	return 1;
+	}
+
+/* (de)initialisation functions. */
+static int hwcrhk_init(ENGINE *e)
+	{
+	HWCryptoHook_Init_t *p1;
+	HWCryptoHook_Finish_t *p2;
+	HWCryptoHook_ModExp_t *p3;
+#ifndef OPENSSL_NO_RSA
+	HWCryptoHook_RSA_t *p4;
+	HWCryptoHook_RSALoadKey_t *p5;
+	HWCryptoHook_RSAGetPublicKey_t *p6;
+	HWCryptoHook_RSAUnloadKey_t *p7;
+#endif
+	HWCryptoHook_RandomBytes_t *p8;
+	HWCryptoHook_ModExpCRT_t *p9;
+
+	if(hwcrhk_dso != NULL)
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_ALREADY_LOADED);
+		goto err;
+		}
+	/* Attempt to load libnfhwcrhk.so/nfhwcrhk.dll/whatever. */
+	hwcrhk_dso = DSO_load(NULL, get_HWCRHK_LIBNAME(), NULL, 0);
+	if(hwcrhk_dso == NULL)
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_DSO_FAILURE);
+		goto err;
+		}
+	if(!(p1 = (HWCryptoHook_Init_t *)
+			DSO_bind_func(hwcrhk_dso, n_hwcrhk_Init)) ||
+		!(p2 = (HWCryptoHook_Finish_t *)
+			DSO_bind_func(hwcrhk_dso, n_hwcrhk_Finish)) ||
+		!(p3 = (HWCryptoHook_ModExp_t *)
+			DSO_bind_func(hwcrhk_dso, n_hwcrhk_ModExp)) ||
+#ifndef OPENSSL_NO_RSA
+		!(p4 = (HWCryptoHook_RSA_t *)
+			DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSA)) ||
+		!(p5 = (HWCryptoHook_RSALoadKey_t *)
+			DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSALoadKey)) ||
+		!(p6 = (HWCryptoHook_RSAGetPublicKey_t *)
+			DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSAGetPublicKey)) ||
+		!(p7 = (HWCryptoHook_RSAUnloadKey_t *)
+			DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSAUnloadKey)) ||
+#endif
+		!(p8 = (HWCryptoHook_RandomBytes_t *)
+			DSO_bind_func(hwcrhk_dso, n_hwcrhk_RandomBytes)) ||
+		!(p9 = (HWCryptoHook_ModExpCRT_t *)
+			DSO_bind_func(hwcrhk_dso, n_hwcrhk_ModExpCRT)))
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_DSO_FAILURE);
+		goto err;
+		}
+	/* Copy the pointers */
+	p_hwcrhk_Init = p1;
+	p_hwcrhk_Finish = p2;
+	p_hwcrhk_ModExp = p3;
+#ifndef OPENSSL_NO_RSA
+	p_hwcrhk_RSA = p4;
+	p_hwcrhk_RSALoadKey = p5;
+	p_hwcrhk_RSAGetPublicKey = p6;
+	p_hwcrhk_RSAUnloadKey = p7;
+#endif
+	p_hwcrhk_RandomBytes = p8;
+	p_hwcrhk_ModExpCRT = p9;
+
+	/* Check if the application decided to support dynamic locks,
+	   and if it does, use them. */
+	if (disable_mutex_callbacks == 0)
+		{
+		if (CRYPTO_get_dynlock_create_callback() != NULL &&
+			CRYPTO_get_dynlock_lock_callback() != NULL &&
+			CRYPTO_get_dynlock_destroy_callback() != NULL)
+			{
+			hwcrhk_globals.mutex_init = hwcrhk_mutex_init;
+			hwcrhk_globals.mutex_acquire = hwcrhk_mutex_lock;
+			hwcrhk_globals.mutex_release = hwcrhk_mutex_unlock;
+			hwcrhk_globals.mutex_destroy = hwcrhk_mutex_destroy;
+			}
+		else if (CRYPTO_get_locking_callback() != NULL)
+			{
+			HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_LOCKING_MISSING);
+			ERR_add_error_data(1,"You HAVE to add dynamic locking callbacks via CRYPTO_set_dynlock_{create,lock,destroy}_callback()");
+			goto err;
+			}
+		}
+
+	/* Try and get a context - if not, we may have a DSO but no
+	 * accelerator! */
+	if(!get_context(&hwcrhk_context, &password_context))
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_UNIT_FAILURE);
+		goto err;
+		}
+	/* Everything's fine. */
+#ifndef OPENSSL_NO_RSA
+	if (hndidx_rsa == -1)
+		hndidx_rsa = RSA_get_ex_new_index(0,
+			"nFast HWCryptoHook RSA key handle",
+			NULL, NULL, hwcrhk_ex_free);
+#endif
+	return 1;
+err:
+	if(hwcrhk_dso)
+		DSO_free(hwcrhk_dso);
+	hwcrhk_dso = NULL;
+	p_hwcrhk_Init = NULL;
+	p_hwcrhk_Finish = NULL;
+	p_hwcrhk_ModExp = NULL;
+#ifndef OPENSSL_NO_RSA
+	p_hwcrhk_RSA = NULL;
+	p_hwcrhk_RSALoadKey = NULL;
+	p_hwcrhk_RSAGetPublicKey = NULL;
+	p_hwcrhk_RSAUnloadKey = NULL;
+#endif
+	p_hwcrhk_ModExpCRT = NULL;
+	p_hwcrhk_RandomBytes = NULL;
+	return 0;
+	}
+
+static int hwcrhk_finish(ENGINE *e)
+	{
+	int to_return = 1;
+	free_HWCRHK_LIBNAME();
+	if(hwcrhk_dso == NULL)
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_FINISH,HWCRHK_R_NOT_LOADED);
+		to_return = 0;
+		goto err;
+		}
+	release_context(hwcrhk_context);
+	if(!DSO_free(hwcrhk_dso))
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_FINISH,HWCRHK_R_DSO_FAILURE);
+		to_return = 0;
+		goto err;
+		}
+ err:
+	if (logstream)
+		BIO_free(logstream);
+	hwcrhk_dso = NULL;
+	p_hwcrhk_Init = NULL;
+	p_hwcrhk_Finish = NULL;
+	p_hwcrhk_ModExp = NULL;
+#ifndef OPENSSL_NO_RSA
+	p_hwcrhk_RSA = NULL;
+	p_hwcrhk_RSALoadKey = NULL;
+	p_hwcrhk_RSAGetPublicKey = NULL;
+	p_hwcrhk_RSAUnloadKey = NULL;
+#endif
+	p_hwcrhk_ModExpCRT = NULL;
+	p_hwcrhk_RandomBytes = NULL;
+	return to_return;
+	}
+
+static int hwcrhk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
+	{
+	int to_return = 1;
+
+	switch(cmd)
+		{
+	case HWCRHK_CMD_SO_PATH:
+		if(hwcrhk_dso)
+			{
+			HWCRHKerr(HWCRHK_F_HWCRHK_CTRL,HWCRHK_R_ALREADY_LOADED);
+			return 0;
+			}
+		if(p == NULL)
+			{
+			HWCRHKerr(HWCRHK_F_HWCRHK_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+			return 0;
+			}
+		return set_HWCRHK_LIBNAME((const char *)p);
+	case ENGINE_CTRL_SET_LOGSTREAM:
+		{
+		BIO *bio = (BIO *)p;
+
+		CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+		if (logstream)
+			{
+			BIO_free(logstream);
+			logstream = NULL;
+			}
+		if (CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO) > 1)
+			logstream = bio;
+		else
+			HWCRHKerr(HWCRHK_F_HWCRHK_CTRL,HWCRHK_R_BIO_WAS_FREED);
+		}
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		break;
+	case ENGINE_CTRL_SET_PASSWORD_CALLBACK:
+		CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+		password_context.password_callback = (pem_password_cb *)f;
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		break;
+	case ENGINE_CTRL_SET_USER_INTERFACE:
+	case HWCRHK_CMD_SET_USER_INTERFACE:
+		CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+		password_context.ui_method = (UI_METHOD *)p;
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		break;
+	case ENGINE_CTRL_SET_CALLBACK_DATA:
+	case HWCRHK_CMD_SET_CALLBACK_DATA:
+		CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+		password_context.callback_data = p;
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		break;
+	/* this enables or disables the "SimpleForkCheck" flag used in the
+	 * initialisation structure. */
+	case ENGINE_CTRL_CHIL_SET_FORKCHECK:
+	case HWCRHK_CMD_FORK_CHECK:
+		CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+		if(i)
+			hwcrhk_globals.flags |=
+				HWCryptoHook_InitFlags_SimpleForkCheck;
+		else
+			hwcrhk_globals.flags &=
+				~HWCryptoHook_InitFlags_SimpleForkCheck;
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		break;
+	/* This will prevent the initialisation function from "installing"
+	 * the mutex-handling callbacks, even if they are available from
+	 * within the library (or were provided to the library from the
+	 * calling application). This is to remove any baggage for
+	 * applications not using multithreading. */
+	case ENGINE_CTRL_CHIL_NO_LOCKING:
+		CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+		disable_mutex_callbacks = 1;
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		break;
+	case HWCRHK_CMD_THREAD_LOCKING:
+		CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+		disable_mutex_callbacks = ((i == 0) ? 0 : 1);
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		break;
+
+	/* The command isn't understood by this engine */
+	default:
+		HWCRHKerr(HWCRHK_F_HWCRHK_CTRL,
+			HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+		to_return = 0;
+		break;
+		}
+
+	return to_return;
+	}
+
+static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
+	UI_METHOD *ui_method, void *callback_data)
+	{
+#ifndef OPENSSL_NO_RSA
+	RSA *rtmp = NULL;
+#endif
+	EVP_PKEY *res = NULL;
+#ifndef OPENSSL_NO_RSA
+	HWCryptoHook_MPI e, n;
+	HWCryptoHook_RSAKeyHandle *hptr;
+#endif
+#if !defined(OPENSSL_NO_RSA)
+	char tempbuf[1024];
+	HWCryptoHook_ErrMsgBuf rmsg;
+	HWCryptoHook_PassphraseContext ppctx;
+#endif
+
+#if !defined(OPENSSL_NO_RSA)
+	rmsg.buf = tempbuf;
+	rmsg.size = sizeof(tempbuf);
+#endif
+
+	if(!hwcrhk_context)
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
+			HWCRHK_R_NOT_INITIALISED);
+		goto err;
+		}
+#ifndef OPENSSL_NO_RSA
+	hptr = OPENSSL_malloc(sizeof(HWCryptoHook_RSAKeyHandle));
+	if (!hptr)
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
+			ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+        ppctx.ui_method = ui_method;
+	ppctx.callback_data = callback_data;
+	if (p_hwcrhk_RSALoadKey(hwcrhk_context, key_id, hptr,
+		&rmsg, &ppctx))
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
+			HWCRHK_R_CHIL_ERROR);
+		ERR_add_error_data(1,rmsg.buf);
+		goto err;
+		}
+	if (!*hptr)
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
+			HWCRHK_R_NO_KEY);
+		goto err;
+		}
+#endif
+#ifndef OPENSSL_NO_RSA
+	rtmp = RSA_new_method(eng);
+	RSA_set_ex_data(rtmp, hndidx_rsa, (char *)hptr);
+	rtmp->e = BN_new();
+	rtmp->n = BN_new();
+	rtmp->flags |= RSA_FLAG_EXT_PKEY;
+	MPI2BN(rtmp->e, e);
+	MPI2BN(rtmp->n, n);
+	if (p_hwcrhk_RSAGetPublicKey(*hptr, &n, &e, &rmsg)
+		!= HWCRYPTOHOOK_ERROR_MPISIZE)
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,HWCRHK_R_CHIL_ERROR);
+		ERR_add_error_data(1,rmsg.buf);
+		goto err;
+		}
+
+	bn_expand2(rtmp->e, e.size/sizeof(BN_ULONG));
+	bn_expand2(rtmp->n, n.size/sizeof(BN_ULONG));
+	MPI2BN(rtmp->e, e);
+	MPI2BN(rtmp->n, n);
+
+	if (p_hwcrhk_RSAGetPublicKey(*hptr, &n, &e, &rmsg))
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
+			HWCRHK_R_CHIL_ERROR);
+		ERR_add_error_data(1,rmsg.buf);
+		goto err;
+		}
+	rtmp->e->top = e.size / sizeof(BN_ULONG);
+	bn_fix_top(rtmp->e);
+	rtmp->n->top = n.size / sizeof(BN_ULONG);
+	bn_fix_top(rtmp->n);
+
+	res = EVP_PKEY_new();
+	EVP_PKEY_assign_RSA(res, rtmp);
+#endif
+
+        if (!res)
+                HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
+                        HWCRHK_R_PRIVATE_KEY_ALGORITHMS_DISABLED);
+
+	return res;
+ err:
+	if (res)
+		EVP_PKEY_free(res);
+#ifndef OPENSSL_NO_RSA
+	if (rtmp)
+		RSA_free(rtmp);
+#endif
+	return NULL;
+	}
+
+static EVP_PKEY *hwcrhk_load_pubkey(ENGINE *eng, const char *key_id,
+	UI_METHOD *ui_method, void *callback_data)
+	{
+	EVP_PKEY *res = NULL;
+
+#ifndef OPENSSL_NO_RSA
+        res = hwcrhk_load_privkey(eng, key_id,
+                ui_method, callback_data);
+#endif
+
+	if (res)
+		switch(res->type)
+			{
+#ifndef OPENSSL_NO_RSA
+		case EVP_PKEY_RSA:
+			{
+			RSA *rsa = NULL;
+
+			CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
+			rsa = res->pkey.rsa;
+			res->pkey.rsa = RSA_new();
+			res->pkey.rsa->n = rsa->n;
+			res->pkey.rsa->e = rsa->e;
+			rsa->n = NULL;
+			rsa->e = NULL;
+			CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
+			RSA_free(rsa);
+			}
+			break;
+#endif
+		default:
+			HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PUBKEY,
+				HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+			goto err;
+			}
+
+	return res;
+ err:
+	if (res)
+		EVP_PKEY_free(res);
+	return NULL;
+	}
+
+/* A little mod_exp */
+static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *m, BN_CTX *ctx)
+	{
+	char tempbuf[1024];
+	HWCryptoHook_ErrMsgBuf rmsg;
+	/* Since HWCryptoHook_MPI is pretty compatible with BIGNUM's,
+	   we use them directly, plus a little macro magic.  We only
+	   thing we need to make sure of is that enough space is allocated. */
+	HWCryptoHook_MPI m_a, m_p, m_n, m_r;
+	int to_return, ret;
+ 
+	to_return = 0; /* expect failure */
+	rmsg.buf = tempbuf;
+	rmsg.size = sizeof(tempbuf);
+
+	if(!hwcrhk_context)
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP,HWCRHK_R_NOT_INITIALISED);
+		goto err;
+		}
+	/* Prepare the params */
+	bn_expand2(r, m->top);	/* Check for error !! */
+	BN2MPI(m_a, a);
+	BN2MPI(m_p, p);
+	BN2MPI(m_n, m);
+	MPI2BN(r, m_r);
+
+	/* Perform the operation */
+	ret = p_hwcrhk_ModExp(hwcrhk_context, m_a, m_p, m_n, &m_r, &rmsg);
+
+	/* Convert the response */
+	r->top = m_r.size / sizeof(BN_ULONG);
+	bn_fix_top(r);
+
+	if (ret < 0)
+		{
+		/* FIXME: When this error is returned, HWCryptoHook is
+		   telling us that falling back to software computation
+		   might be a good thing. */
+		if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
+			{
+			HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP,HWCRHK_R_REQUEST_FALLBACK);
+			}
+		else
+			{
+			HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP,HWCRHK_R_REQUEST_FAILED);
+			}
+		ERR_add_error_data(1,rmsg.buf);
+		goto err;
+		}
+
+	to_return = 1;
+err:
+	return to_return;
+	}
+
+#ifndef OPENSSL_NO_RSA 
+static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+	{
+	char tempbuf[1024];
+	HWCryptoHook_ErrMsgBuf rmsg;
+	HWCryptoHook_RSAKeyHandle *hptr;
+	int to_return = 0, ret;
+
+	rmsg.buf = tempbuf;
+	rmsg.size = sizeof(tempbuf);
+
+	if(!hwcrhk_context)
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,HWCRHK_R_NOT_INITIALISED);
+		goto err;
+		}
+
+	/* This provides support for nForce keys.  Since that's opaque data
+	   all we do is provide a handle to the proper key and let HWCryptoHook
+	   take care of the rest. */
+	if ((hptr = (HWCryptoHook_RSAKeyHandle *) RSA_get_ex_data(rsa, hndidx_rsa))
+		!= NULL)
+		{
+		HWCryptoHook_MPI m_a, m_r;
+
+		if(!rsa->n)
+			{
+			HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+				HWCRHK_R_MISSING_KEY_COMPONENTS);
+			goto err;
+			}
+
+		/* Prepare the params */
+		bn_expand2(r, rsa->n->top); /* Check for error !! */
+		BN2MPI(m_a, I);
+		MPI2BN(r, m_r);
+
+		/* Perform the operation */
+		ret = p_hwcrhk_RSA(m_a, *hptr, &m_r, &rmsg);
+
+		/* Convert the response */
+		r->top = m_r.size / sizeof(BN_ULONG);
+		bn_fix_top(r);
+
+		if (ret < 0)
+			{
+			/* FIXME: When this error is returned, HWCryptoHook is
+			   telling us that falling back to software computation
+			   might be a good thing. */
+			if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
+				{
+				HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+					HWCRHK_R_REQUEST_FALLBACK);
+				}
+			else
+				{
+				HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+					HWCRHK_R_REQUEST_FAILED);
+				}
+			ERR_add_error_data(1,rmsg.buf);
+			goto err;
+			}
+		}
+	else
+		{
+		HWCryptoHook_MPI m_a, m_p, m_q, m_dmp1, m_dmq1, m_iqmp, m_r;
+
+		if(!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp)
+			{
+			HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+				HWCRHK_R_MISSING_KEY_COMPONENTS);
+			goto err;
+			}
+
+		/* Prepare the params */
+		bn_expand2(r, rsa->n->top); /* Check for error !! */
+		BN2MPI(m_a, I);
+		BN2MPI(m_p, rsa->p);
+		BN2MPI(m_q, rsa->q);
+		BN2MPI(m_dmp1, rsa->dmp1);
+		BN2MPI(m_dmq1, rsa->dmq1);
+		BN2MPI(m_iqmp, rsa->iqmp);
+		MPI2BN(r, m_r);
+
+		/* Perform the operation */
+		ret = p_hwcrhk_ModExpCRT(hwcrhk_context, m_a, m_p, m_q,
+			m_dmp1, m_dmq1, m_iqmp, &m_r, &rmsg);
+
+		/* Convert the response */
+		r->top = m_r.size / sizeof(BN_ULONG);
+		bn_fix_top(r);
+
+		if (ret < 0)
+			{
+			/* FIXME: When this error is returned, HWCryptoHook is
+			   telling us that falling back to software computation
+			   might be a good thing. */
+			if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
+				{
+				HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+					HWCRHK_R_REQUEST_FALLBACK);
+				}
+			else
+				{
+				HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+					HWCRHK_R_REQUEST_FAILED);
+				}
+			ERR_add_error_data(1,rmsg.buf);
+			goto err;
+			}
+		}
+	/* If we're here, we must be here with some semblance of success :-) */
+	to_return = 1;
+err:
+	return to_return;
+	}
+#endif
+
+#ifndef OPENSSL_NO_RSA
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int hwcrhk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	return hwcrhk_mod_exp(r, a, p, m, ctx);
+	}
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int hwcrhk_mod_exp_dh(const DH *dh, BIGNUM *r,
+		const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	return hwcrhk_mod_exp(r, a, p, m, ctx);
+	}
+#endif
+
+/* Random bytes are good */
+static int hwcrhk_rand_bytes(unsigned char *buf, int num)
+	{
+	char tempbuf[1024];
+	HWCryptoHook_ErrMsgBuf rmsg;
+	int to_return = 0; /* assume failure */
+	int ret;
+
+	rmsg.buf = tempbuf;
+	rmsg.size = sizeof(tempbuf);
+
+	if(!hwcrhk_context)
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_RAND_BYTES,HWCRHK_R_NOT_INITIALISED);
+		goto err;
+		}
+
+	ret = p_hwcrhk_RandomBytes(hwcrhk_context, buf, num, &rmsg);
+	if (ret < 0)
+		{
+		/* FIXME: When this error is returned, HWCryptoHook is
+		   telling us that falling back to software computation
+		   might be a good thing. */
+		if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
+			{
+			HWCRHKerr(HWCRHK_F_HWCRHK_RAND_BYTES,
+				HWCRHK_R_REQUEST_FALLBACK);
+			}
+		else
+			{
+			HWCRHKerr(HWCRHK_F_HWCRHK_RAND_BYTES,
+				HWCRHK_R_REQUEST_FAILED);
+			}
+		ERR_add_error_data(1,rmsg.buf);
+		goto err;
+		}
+	to_return = 1;
+ err:
+	return to_return;
+	}
+
+static int hwcrhk_rand_status(void)
+	{
+	return 1;
+	}
+
+/* This cleans up an RSA KM key, called when ex_data is freed */
+#ifndef OPENSSL_NO_RSA
+static void hwcrhk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+	int ind,long argl, void *argp)
+{
+	char tempbuf[1024];
+	HWCryptoHook_ErrMsgBuf rmsg;
+#ifndef OPENSSL_NO_RSA
+	HWCryptoHook_RSAKeyHandle *hptr;
+#endif
+#if !defined(OPENSSL_NO_RSA)
+	int ret;
+#endif
+
+	rmsg.buf = tempbuf;
+	rmsg.size = sizeof(tempbuf);
+
+#ifndef OPENSSL_NO_RSA
+	hptr = (HWCryptoHook_RSAKeyHandle *) item;
+	if(hptr)
+                {
+                ret = p_hwcrhk_RSAUnloadKey(*hptr, NULL);
+                OPENSSL_free(hptr);
+                }
+#endif
+}
+#endif
+
+/* Mutex calls: since the HWCryptoHook model closely follows the POSIX model
+ * these just wrap the POSIX functions and add some logging.
+ */
+
+static int hwcrhk_mutex_init(HWCryptoHook_Mutex* mt,
+	HWCryptoHook_CallerContext *cactx)
+	{
+	mt->lockid = CRYPTO_get_new_dynlockid();
+	if (mt->lockid == 0)
+		return 1; /* failure */
+	return 0; /* success */
+	}
+
+static int hwcrhk_mutex_lock(HWCryptoHook_Mutex *mt)
+	{
+	CRYPTO_w_lock(mt->lockid);
+	return 0;
+	}
+
+static void hwcrhk_mutex_unlock(HWCryptoHook_Mutex * mt)
+	{
+	CRYPTO_w_unlock(mt->lockid);
+	}
+
+static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex *mt)
+	{
+	CRYPTO_destroy_dynlockid(mt->lockid);
+	}
+
+static int hwcrhk_get_pass(const char *prompt_info,
+	int *len_io, char *buf,
+	HWCryptoHook_PassphraseContext *ppctx,
+	HWCryptoHook_CallerContext *cactx)
+	{
+	pem_password_cb *callback = NULL;
+	void *callback_data = NULL;
+        UI_METHOD *ui_method = NULL;
+
+        if (cactx)
+                {
+                if (cactx->ui_method)
+                        ui_method = cactx->ui_method;
+		if (cactx->password_callback)
+			callback = cactx->password_callback;
+		if (cactx->callback_data)
+			callback_data = cactx->callback_data;
+                }
+	if (ppctx)
+		{
+                if (ppctx->ui_method)
+                        {
+                        ui_method = ppctx->ui_method;
+                        callback = NULL;
+                        }
+		if (ppctx->callback_data)
+			callback_data = ppctx->callback_data;
+		}
+	if (callback == NULL && ui_method == NULL)
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_GET_PASS,HWCRHK_R_NO_CALLBACK);
+		return -1;
+		}
+
+        if (ui_method)
+                {
+                UI *ui = UI_new_method(ui_method);
+                if (ui)
+                        {
+                        int ok;
+                        char *prompt = UI_construct_prompt(ui,
+                                "pass phrase", prompt_info);
+
+                        ok = UI_add_input_string(ui,prompt,
+                                UI_INPUT_FLAG_DEFAULT_PWD,
+				buf,0,(*len_io) - 1);
+                        UI_add_user_data(ui, callback_data);
+			UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
+
+			if (ok >= 0)
+				do
+					{
+					ok=UI_process(ui);
+					}
+				while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
+
+                        if (ok >= 0)
+                                *len_io = strlen(buf);
+
+                        UI_free(ui);
+                        OPENSSL_free(prompt);
+                        }
+                }
+        else
+                {
+                *len_io = callback(buf, *len_io, 0, callback_data);
+                }
+	if(!*len_io)
+		return -1;
+	return 0;
+	}
+
+static int hwcrhk_insert_card(const char *prompt_info,
+		      const char *wrong_info,
+		      HWCryptoHook_PassphraseContext *ppctx,
+		      HWCryptoHook_CallerContext *cactx)
+        {
+        int ok = -1;
+        UI *ui;
+	void *callback_data = NULL;
+        UI_METHOD *ui_method = NULL;
+
+        if (cactx)
+                {
+                if (cactx->ui_method)
+                        ui_method = cactx->ui_method;
+		if (cactx->callback_data)
+			callback_data = cactx->callback_data;
+                }
+	if (ppctx)
+		{
+                if (ppctx->ui_method)
+                        ui_method = ppctx->ui_method;
+		if (ppctx->callback_data)
+			callback_data = ppctx->callback_data;
+		}
+	if (ui_method == NULL)
+		{
+		HWCRHKerr(HWCRHK_F_HWCRHK_INSERT_CARD,
+			HWCRHK_R_NO_CALLBACK);
+		return -1;
+		}
+
+	ui = UI_new_method(ui_method);
+
+	if (ui)
+		{
+		char answer;
+		char buf[BUFSIZ];
+
+		if (wrong_info)
+			BIO_snprintf(buf, sizeof(buf)-1,
+				"Current card: \"%s\"\n", wrong_info);
+		ok = UI_dup_info_string(ui, buf);
+		if (ok >= 0 && prompt_info)
+			{
+			BIO_snprintf(buf, sizeof(buf)-1,
+				"Insert card \"%s\"", prompt_info);
+			ok = UI_dup_input_boolean(ui, buf,
+				"\n then hit <enter> or C<enter> to cancel\n",
+				"\r\n", "Cc", UI_INPUT_FLAG_ECHO, &answer);
+			}
+		UI_add_user_data(ui, callback_data);
+
+		if (ok >= 0)
+			ok = UI_process(ui);
+		UI_free(ui);
+
+		if (ok == -2 || (ok >= 0 && answer == 'C'))
+			ok = 1;
+		else if (ok < 0)
+			ok = -1;
+		else
+			ok = 0;
+		}
+	return ok;
+	}
+
+static void hwcrhk_log_message(void *logstr, const char *message)
+	{
+	BIO *lstream = NULL;
+
+	CRYPTO_w_lock(CRYPTO_LOCK_BIO);
+	if (logstr)
+		lstream=*(BIO **)logstr;
+	if (lstream)
+		{
+		BIO_printf(lstream, "%s\n", message);
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_BIO);
+	}
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */	   
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+static int bind_fn(ENGINE *e, const char *id)
+	{
+	if(id && (strcmp(id, engine_hwcrhk_id) != 0) &&
+			(strcmp(id, engine_hwcrhk_id_alt) != 0))
+		return 0;
+	if(!bind_helper(e))
+		return 0;
+	return 1;
+	}       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* OPENSSL_NO_DYNAMIC_ENGINE */
+
+#endif /* !OPENSSL_NO_HW_CHIL */
+#endif /* !OPENSSL_NO_HW */
diff --git a/crypto/openssl/engines/e_chil.ec b/crypto/openssl/engines/e_chil.ec
new file mode 100644
index 000000000000..b5a76e17df67
--- /dev/null
+++ b/crypto/openssl/engines/e_chil.ec
@@ -0,0 +1 @@
+L HWCRHK	e_chil_err.h			e_chil_err.c
diff --git a/crypto/openssl/engines/e_chil_err.c b/crypto/openssl/engines/e_chil_err.c
new file mode 100644
index 000000000000..3fec95a272bb
--- /dev/null
+++ b/crypto/openssl/engines/e_chil_err.c
@@ -0,0 +1,161 @@
+/* e_chil_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "e_chil_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(0,func,0)
+#define ERR_REASON(reason) ERR_PACK(0,0,reason)
+
+static ERR_STRING_DATA HWCRHK_str_functs[]=
+	{
+{ERR_FUNC(HWCRHK_F_HWCRHK_CTRL),	"HWCRHK_CTRL"},
+{ERR_FUNC(HWCRHK_F_HWCRHK_FINISH),	"HWCRHK_FINISH"},
+{ERR_FUNC(HWCRHK_F_HWCRHK_GET_PASS),	"HWCRHK_GET_PASS"},
+{ERR_FUNC(HWCRHK_F_HWCRHK_INIT),	"HWCRHK_INIT"},
+{ERR_FUNC(HWCRHK_F_HWCRHK_INSERT_CARD),	"HWCRHK_INSERT_CARD"},
+{ERR_FUNC(HWCRHK_F_HWCRHK_LOAD_PRIVKEY),	"HWCRHK_LOAD_PRIVKEY"},
+{ERR_FUNC(HWCRHK_F_HWCRHK_LOAD_PUBKEY),	"HWCRHK_LOAD_PUBKEY"},
+{ERR_FUNC(HWCRHK_F_HWCRHK_MOD_EXP),	"HWCRHK_MOD_EXP"},
+{ERR_FUNC(HWCRHK_F_HWCRHK_RAND_BYTES),	"HWCRHK_RAND_BYTES"},
+{ERR_FUNC(HWCRHK_F_HWCRHK_RSA_MOD_EXP),	"HWCRHK_RSA_MOD_EXP"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA HWCRHK_str_reasons[]=
+	{
+{ERR_REASON(HWCRHK_R_ALREADY_LOADED)     ,"already loaded"},
+{ERR_REASON(HWCRHK_R_BIO_WAS_FREED)      ,"bio was freed"},
+{ERR_REASON(HWCRHK_R_CHIL_ERROR)         ,"chil error"},
+{ERR_REASON(HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED),"ctrl command not implemented"},
+{ERR_REASON(HWCRHK_R_DSO_FAILURE)        ,"dso failure"},
+{ERR_REASON(HWCRHK_R_LOCKING_MISSING)    ,"locking missing"},
+{ERR_REASON(HWCRHK_R_MISSING_KEY_COMPONENTS),"missing key components"},
+{ERR_REASON(HWCRHK_R_NOT_INITIALISED)    ,"not initialised"},
+{ERR_REASON(HWCRHK_R_NOT_LOADED)         ,"not loaded"},
+{ERR_REASON(HWCRHK_R_NO_CALLBACK)        ,"no callback"},
+{ERR_REASON(HWCRHK_R_NO_KEY)             ,"no key"},
+{ERR_REASON(HWCRHK_R_PRIVATE_KEY_ALGORITHMS_DISABLED),"private key algorithms disabled"},
+{ERR_REASON(HWCRHK_R_REQUEST_FAILED)     ,"request failed"},
+{ERR_REASON(HWCRHK_R_REQUEST_FALLBACK)   ,"request fallback"},
+{ERR_REASON(HWCRHK_R_UNIT_FAILURE)       ,"unit failure"},
+{0,NULL}
+	};
+
+#endif
+
+#ifdef HWCRHK_LIB_NAME
+static ERR_STRING_DATA HWCRHK_lib_name[]=
+        {
+{0	,HWCRHK_LIB_NAME},
+{0,NULL}
+	};
+#endif
+
+
+static int HWCRHK_lib_error_code=0;
+static int HWCRHK_error_init=1;
+
+static void ERR_load_HWCRHK_strings(void)
+	{
+	if (HWCRHK_lib_error_code == 0)
+		HWCRHK_lib_error_code=ERR_get_next_error_library();
+
+	if (HWCRHK_error_init)
+		{
+		HWCRHK_error_init=0;
+#ifndef OPENSSL_NO_ERR
+		ERR_load_strings(HWCRHK_lib_error_code,HWCRHK_str_functs);
+		ERR_load_strings(HWCRHK_lib_error_code,HWCRHK_str_reasons);
+#endif
+
+#ifdef HWCRHK_LIB_NAME
+		HWCRHK_lib_name->error = ERR_PACK(HWCRHK_lib_error_code,0,0);
+		ERR_load_strings(0,HWCRHK_lib_name);
+#endif
+		}
+	}
+
+static void ERR_unload_HWCRHK_strings(void)
+	{
+	if (HWCRHK_error_init == 0)
+		{
+#ifndef OPENSSL_NO_ERR
+		ERR_unload_strings(HWCRHK_lib_error_code,HWCRHK_str_functs);
+		ERR_unload_strings(HWCRHK_lib_error_code,HWCRHK_str_reasons);
+#endif
+
+#ifdef HWCRHK_LIB_NAME
+		ERR_unload_strings(0,HWCRHK_lib_name);
+#endif
+		HWCRHK_error_init=1;
+		}
+	}
+
+static void ERR_HWCRHK_error(int function, int reason, char *file, int line)
+	{
+	if (HWCRHK_lib_error_code == 0)
+		HWCRHK_lib_error_code=ERR_get_next_error_library();
+	ERR_PUT_error(HWCRHK_lib_error_code,function,reason,file,line);
+	}
diff --git a/crypto/openssl/engines/e_chil_err.h b/crypto/openssl/engines/e_chil_err.h
new file mode 100644
index 000000000000..482086e3b51a
--- /dev/null
+++ b/crypto/openssl/engines/e_chil_err.h
@@ -0,0 +1,101 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_HWCRHK_ERR_H
+#define HEADER_HWCRHK_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_HWCRHK_strings(void);
+static void ERR_unload_HWCRHK_strings(void);
+static void ERR_HWCRHK_error(int function, int reason, char *file, int line);
+#define HWCRHKerr(f,r) ERR_HWCRHK_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the HWCRHK functions. */
+
+/* Function codes. */
+#define HWCRHK_F_HWCRHK_CTRL				 100
+#define HWCRHK_F_HWCRHK_FINISH				 101
+#define HWCRHK_F_HWCRHK_GET_PASS			 102
+#define HWCRHK_F_HWCRHK_INIT				 103
+#define HWCRHK_F_HWCRHK_INSERT_CARD			 104
+#define HWCRHK_F_HWCRHK_LOAD_PRIVKEY			 105
+#define HWCRHK_F_HWCRHK_LOAD_PUBKEY			 106
+#define HWCRHK_F_HWCRHK_MOD_EXP				 107
+#define HWCRHK_F_HWCRHK_RAND_BYTES			 108
+#define HWCRHK_F_HWCRHK_RSA_MOD_EXP			 109
+
+/* Reason codes. */
+#define HWCRHK_R_ALREADY_LOADED				 100
+#define HWCRHK_R_BIO_WAS_FREED				 101
+#define HWCRHK_R_CHIL_ERROR				 102
+#define HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED		 103
+#define HWCRHK_R_DSO_FAILURE				 104
+#define HWCRHK_R_LOCKING_MISSING			 114
+#define HWCRHK_R_MISSING_KEY_COMPONENTS			 105
+#define HWCRHK_R_NOT_INITIALISED			 106
+#define HWCRHK_R_NOT_LOADED				 107
+#define HWCRHK_R_NO_CALLBACK				 108
+#define HWCRHK_R_NO_KEY					 109
+#define HWCRHK_R_PRIVATE_KEY_ALGORITHMS_DISABLED	 110
+#define HWCRHK_R_REQUEST_FAILED				 111
+#define HWCRHK_R_REQUEST_FALLBACK			 112
+#define HWCRHK_R_UNIT_FAILURE				 113
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/crypto/openssl/engines/e_cswift.c b/crypto/openssl/engines/e_cswift.c
new file mode 100644
index 000000000000..bc6517984649
--- /dev/null
+++ b/crypto/openssl/engines/e_cswift.c
@@ -0,0 +1,1131 @@
+/* crypto/engine/hw_cswift.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include <openssl/dso.h>
+#include <openssl/engine.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/rand.h>
+#include <openssl/bn.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_CSWIFT
+
+/* Attribution notice: Rainbow have generously allowed me to reproduce
+ * the necessary definitions here from their API. This means the support
+ * can build independently of whether application builders have the
+ * API or hardware. This will allow developers to easily produce software
+ * that has latent hardware support for any users that have accelerators
+ * installed, without the developers themselves needing anything extra.
+ *
+ * I have only clipped the parts from the CryptoSwift header files that
+ * are (or seem) relevant to the CryptoSwift support code. This is
+ * simply to keep the file sizes reasonable.
+ * [Geoff]
+ */
+#ifdef FLAT_INC
+#include "cswift.h"
+#else
+#include "vendor_defns/cswift.h"
+#endif
+
+#define CSWIFT_LIB_NAME "cswift engine"
+#include "e_cswift_err.c"
+
+#define DECIMAL_SIZE(type)	((sizeof(type)*8+2)/3+1)
+
+static int cswift_destroy(ENGINE *e);
+static int cswift_init(ENGINE *e);
+static int cswift_finish(ENGINE *e);
+static int cswift_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
+#ifndef OPENSSL_NO_RSA
+static int cswift_bn_32copy(SW_LARGENUMBER * out, const BIGNUM * in);
+#endif
+
+/* BIGNUM stuff */
+static int cswift_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx);
+#ifndef OPENSSL_NO_RSA
+static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1,
+		const BIGNUM *iqmp, BN_CTX *ctx);
+#endif
+
+#ifndef OPENSSL_NO_RSA
+/* RSA stuff */
+static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int cswift_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* DSA stuff */
+static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+static int cswift_dsa_verify(const unsigned char *dgst, int dgst_len,
+				DSA_SIG *sig, DSA *dsa);
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* DH stuff */
+/* This function is alised to mod_exp (with the DH and mont dropped). */
+static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r,
+		const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
+
+/* RAND stuff */
+static int cswift_rand_bytes(unsigned char *buf, int num);
+static int cswift_rand_status(void);
+
+/* The definitions for control commands specific to this engine */
+#define CSWIFT_CMD_SO_PATH		ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN cswift_cmd_defns[] = {
+	{CSWIFT_CMD_SO_PATH,
+		"SO_PATH",
+		"Specifies the path to the 'cswift' shared library",
+		ENGINE_CMD_FLAG_STRING},
+	{0, NULL, NULL, 0}
+	};
+
+#ifndef OPENSSL_NO_RSA
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD cswift_rsa =
+	{
+	"CryptoSwift RSA method",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	cswift_rsa_mod_exp,
+	cswift_mod_exp_mont,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+	};
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* Our internal DSA_METHOD that we provide pointers to */
+static DSA_METHOD cswift_dsa =
+	{
+	"CryptoSwift DSA method",
+	cswift_dsa_sign,
+	NULL, /* dsa_sign_setup */
+	cswift_dsa_verify,
+	NULL, /* dsa_mod_exp */
+	NULL, /* bn_mod_exp */
+	NULL, /* init */
+	NULL, /* finish */
+	0, /* flags */
+	NULL, /* app_data */
+	NULL, /* dsa_paramgen */
+	NULL /* dsa_keygen */
+	};
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD cswift_dh =
+	{
+	"CryptoSwift DH method",
+	NULL,
+	NULL,
+	cswift_mod_exp_dh,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	NULL
+	};
+#endif
+
+static RAND_METHOD cswift_random =
+    {
+    /* "CryptoSwift RAND method", */
+    NULL,
+    cswift_rand_bytes,
+    NULL,
+    NULL,
+    cswift_rand_bytes,
+    cswift_rand_status,
+    };
+
+
+/* Constants used when creating the ENGINE */
+static const char *engine_cswift_id = "cswift";
+static const char *engine_cswift_name = "CryptoSwift hardware engine support";
+
+/* This internal function is used by ENGINE_cswift() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
+	{
+#ifndef OPENSSL_NO_RSA
+	const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DH
+	const DH_METHOD *meth2;
+#endif
+	if(!ENGINE_set_id(e, engine_cswift_id) ||
+			!ENGINE_set_name(e, engine_cswift_name) ||
+#ifndef OPENSSL_NO_RSA
+			!ENGINE_set_RSA(e, &cswift_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+			!ENGINE_set_DSA(e, &cswift_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+			!ENGINE_set_DH(e, &cswift_dh) ||
+#endif
+			!ENGINE_set_RAND(e, &cswift_random) ||
+			!ENGINE_set_destroy_function(e, cswift_destroy) ||
+			!ENGINE_set_init_function(e, cswift_init) ||
+			!ENGINE_set_finish_function(e, cswift_finish) ||
+			!ENGINE_set_ctrl_function(e, cswift_ctrl) ||
+			!ENGINE_set_cmd_defns(e, cswift_cmd_defns))
+		return 0;
+
+#ifndef OPENSSL_NO_RSA
+	/* We know that the "PKCS1_SSLeay()" functions hook properly
+	 * to the cswift-specific mod_exp and mod_exp_crt so we use
+	 * those functions. NB: We don't use ENGINE_openssl() or
+	 * anything "more generic" because something like the RSAref
+	 * code may not hook properly, and if you own one of these
+	 * cards then you have the right to do RSA operations on it
+	 * anyway! */ 
+	meth1 = RSA_PKCS1_SSLeay();
+	cswift_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+	cswift_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+	cswift_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+	cswift_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
+
+#ifndef OPENSSL_NO_DH
+	/* Much the same for Diffie-Hellman */
+	meth2 = DH_OpenSSL();
+	cswift_dh.generate_key = meth2->generate_key;
+	cswift_dh.compute_key = meth2->compute_key;
+#endif
+
+	/* Ensure the cswift error handling is set up */
+	ERR_load_CSWIFT_strings();
+	return 1;
+	}
+
+#ifdef OPENSSL_NO_DYNAMIC_ENGINE
+static ENGINE *engine_cswift(void)
+	{
+	ENGINE *ret = ENGINE_new();
+	if(!ret)
+		return NULL;
+	if(!bind_helper(ret))
+		{
+		ENGINE_free(ret);
+		return NULL;
+		}
+	return ret;
+	}
+
+void ENGINE_load_cswift(void)
+	{
+	/* Copied from eng_[openssl|dyn].c */
+	ENGINE *toadd = engine_cswift();
+	if(!toadd) return;
+	ENGINE_add(toadd);
+	ENGINE_free(toadd);
+	ERR_clear_error();
+	}
+#endif
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the CryptoSwift library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *cswift_dso = NULL;
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+t_swAcquireAccContext *p_CSwift_AcquireAccContext = NULL;
+t_swAttachKeyParam *p_CSwift_AttachKeyParam = NULL;
+t_swSimpleRequest *p_CSwift_SimpleRequest = NULL;
+t_swReleaseAccContext *p_CSwift_ReleaseAccContext = NULL;
+
+/* Used in the DSO operations. */
+static const char *CSWIFT_LIBNAME = NULL;
+static const char *get_CSWIFT_LIBNAME(void)
+	{
+	if(CSWIFT_LIBNAME)
+		return CSWIFT_LIBNAME;
+	return "swift";
+	}
+static void free_CSWIFT_LIBNAME(void)
+	{
+	if(CSWIFT_LIBNAME)
+		OPENSSL_free((void*)CSWIFT_LIBNAME);
+	CSWIFT_LIBNAME = NULL;
+	}
+static long set_CSWIFT_LIBNAME(const char *name)
+	{
+	free_CSWIFT_LIBNAME();
+	return (((CSWIFT_LIBNAME = BUF_strdup(name)) != NULL) ? 1 : 0);
+	}
+static const char *CSWIFT_F1 = "swAcquireAccContext";
+static const char *CSWIFT_F2 = "swAttachKeyParam";
+static const char *CSWIFT_F3 = "swSimpleRequest";
+static const char *CSWIFT_F4 = "swReleaseAccContext";
+
+
+/* CryptoSwift library functions and mechanics - these are used by the
+ * higher-level functions further down. NB: As and where there's no
+ * error checking, take a look lower down where these functions are
+ * called, the checking and error handling is probably down there. */
+
+/* utility function to obtain a context */
+static int get_context(SW_CONTEXT_HANDLE *hac)
+	{
+        SW_STATUS status;
+ 
+        status = p_CSwift_AcquireAccContext(hac);
+        if(status != SW_OK)
+                return 0;
+        return 1;
+	}
+ 
+/* similarly to release one. */
+static void release_context(SW_CONTEXT_HANDLE hac)
+	{
+        p_CSwift_ReleaseAccContext(hac);
+	}
+
+/* Destructor (complements the "ENGINE_cswift()" constructor) */
+static int cswift_destroy(ENGINE *e)
+	{
+	free_CSWIFT_LIBNAME();
+	ERR_unload_CSWIFT_strings();
+	return 1;
+	}
+
+/* (de)initialisation functions. */
+static int cswift_init(ENGINE *e)
+	{
+        SW_CONTEXT_HANDLE hac;
+        t_swAcquireAccContext *p1;
+        t_swAttachKeyParam *p2;
+        t_swSimpleRequest *p3;
+        t_swReleaseAccContext *p4;
+
+	if(cswift_dso != NULL)
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_INIT,CSWIFT_R_ALREADY_LOADED);
+		goto err;
+		}
+	/* Attempt to load libswift.so/swift.dll/whatever. */
+	cswift_dso = DSO_load(NULL, get_CSWIFT_LIBNAME(), NULL, 0);
+	if(cswift_dso == NULL)
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_INIT,CSWIFT_R_NOT_LOADED);
+		goto err;
+		}
+	if(!(p1 = (t_swAcquireAccContext *)
+				DSO_bind_func(cswift_dso, CSWIFT_F1)) ||
+			!(p2 = (t_swAttachKeyParam *)
+				DSO_bind_func(cswift_dso, CSWIFT_F2)) ||
+			!(p3 = (t_swSimpleRequest *)
+				DSO_bind_func(cswift_dso, CSWIFT_F3)) ||
+			!(p4 = (t_swReleaseAccContext *)
+				DSO_bind_func(cswift_dso, CSWIFT_F4)))
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_INIT,CSWIFT_R_NOT_LOADED);
+		goto err;
+		}
+	/* Copy the pointers */
+	p_CSwift_AcquireAccContext = p1;
+	p_CSwift_AttachKeyParam = p2;
+	p_CSwift_SimpleRequest = p3;
+	p_CSwift_ReleaseAccContext = p4;
+	/* Try and get a context - if not, we may have a DSO but no
+	 * accelerator! */
+	if(!get_context(&hac))
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_INIT,CSWIFT_R_UNIT_FAILURE);
+		goto err;
+		}
+	release_context(hac);
+	/* Everything's fine. */
+	return 1;
+err:
+	if(cswift_dso)
+	{
+		DSO_free(cswift_dso);
+		cswift_dso = NULL;
+	}
+	p_CSwift_AcquireAccContext = NULL;
+	p_CSwift_AttachKeyParam = NULL;
+	p_CSwift_SimpleRequest = NULL;
+	p_CSwift_ReleaseAccContext = NULL;
+	return 0;
+	}
+
+static int cswift_finish(ENGINE *e)
+	{
+	free_CSWIFT_LIBNAME();
+	if(cswift_dso == NULL)
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_FINISH,CSWIFT_R_NOT_LOADED);
+		return 0;
+		}
+	if(!DSO_free(cswift_dso))
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_FINISH,CSWIFT_R_UNIT_FAILURE);
+		return 0;
+		}
+	cswift_dso = NULL;
+	p_CSwift_AcquireAccContext = NULL;
+	p_CSwift_AttachKeyParam = NULL;
+	p_CSwift_SimpleRequest = NULL;
+	p_CSwift_ReleaseAccContext = NULL;
+	return 1;
+	}
+
+static int cswift_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
+	{
+	int initialised = ((cswift_dso == NULL) ? 0 : 1);
+	switch(cmd)
+		{
+	case CSWIFT_CMD_SO_PATH:
+		if(p == NULL)
+			{
+			CSWIFTerr(CSWIFT_F_CSWIFT_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+			return 0;
+			}
+		if(initialised)
+			{
+			CSWIFTerr(CSWIFT_F_CSWIFT_CTRL,CSWIFT_R_ALREADY_LOADED);
+			return 0;
+			}
+		return set_CSWIFT_LIBNAME((const char *)p);
+	default:
+		break;
+		}
+	CSWIFTerr(CSWIFT_F_CSWIFT_CTRL,CSWIFT_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+	return 0;
+	}
+
+/* Un petit mod_exp */
+static int cswift_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *m, BN_CTX *ctx)
+	{
+	/* I need somewhere to store temporary serialised values for
+	 * use with the CryptoSwift API calls. A neat cheat - I'll use
+	 * BIGNUMs from the BN_CTX but access their arrays directly as
+	 * byte arrays <grin>. This way I don't have to clean anything
+	 * up. */
+	BIGNUM *modulus;
+	BIGNUM *exponent;
+	BIGNUM *argument;
+	BIGNUM *result;
+	SW_STATUS sw_status;
+	SW_LARGENUMBER arg, res;
+	SW_PARAM sw_param;
+	SW_CONTEXT_HANDLE hac;
+	int to_return, acquired;
+ 
+	modulus = exponent = argument = result = NULL;
+	to_return = 0; /* expect failure */
+	acquired = 0;
+ 
+	if(!get_context(&hac))
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_UNIT_FAILURE);
+		goto err;
+		}
+	acquired = 1;
+	/* Prepare the params */
+	BN_CTX_start(ctx);
+	modulus = BN_CTX_get(ctx);
+	exponent = BN_CTX_get(ctx);
+	argument = BN_CTX_get(ctx);
+	result = BN_CTX_get(ctx);
+	if(!result)
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_BN_CTX_FULL);
+		goto err;
+		}
+	if(!bn_wexpand(modulus, m->top) || !bn_wexpand(exponent, p->top) ||
+		!bn_wexpand(argument, a->top) || !bn_wexpand(result, m->top))
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+		}
+	sw_param.type = SW_ALG_EXP;
+	sw_param.up.exp.modulus.nbytes = BN_bn2bin(m,
+		(unsigned char *)modulus->d);
+	sw_param.up.exp.modulus.value = (unsigned char *)modulus->d;
+	sw_param.up.exp.exponent.nbytes = BN_bn2bin(p,
+		(unsigned char *)exponent->d);
+	sw_param.up.exp.exponent.value = (unsigned char *)exponent->d;
+	/* Attach the key params */
+	sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
+	switch(sw_status)
+		{
+	case SW_OK:
+		break;
+	case SW_ERR_INPUT_SIZE:
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_BAD_KEY_SIZE);
+		goto err;
+	default:
+		{
+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		}
+		goto err;
+		}
+	/* Prepare the argument and response */
+	arg.nbytes = BN_bn2bin(a, (unsigned char *)argument->d);
+	arg.value = (unsigned char *)argument->d;
+	res.nbytes = BN_num_bytes(m);
+	memset(result->d, 0, res.nbytes);
+	res.value = (unsigned char *)result->d;
+	/* Perform the operation */
+	if((sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_MODEXP, &arg, 1,
+		&res, 1)) != SW_OK)
+		{
+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		goto err;
+		}
+	/* Convert the response */
+	BN_bin2bn((unsigned char *)result->d, res.nbytes, r);
+	to_return = 1;
+err:
+	if(acquired)
+		release_context(hac);
+	BN_CTX_end(ctx);
+	return to_return;
+	}
+
+
+#ifndef OPENSSL_NO_RSA
+int cswift_bn_32copy(SW_LARGENUMBER * out, const BIGNUM * in)
+{
+	int mod;
+	int numbytes = BN_num_bytes(in);
+
+	mod = 0;
+	while( ((out->nbytes = (numbytes+mod)) % 32) )
+	{
+		mod++;
+	}
+	out->value = (unsigned char*)OPENSSL_malloc(out->nbytes);
+	if(!out->value)
+	{
+		return 0;
+	}
+	BN_bn2bin(in, &out->value[mod]);
+	if(mod)
+		memset(out->value, 0, mod);
+
+	return 1;
+}
+#endif
+
+#ifndef OPENSSL_NO_RSA
+/* Un petit mod_exp chinois */
+static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *q, const BIGNUM *dmp1,
+			const BIGNUM *dmq1, const BIGNUM *iqmp, BN_CTX *ctx)
+	{
+	SW_STATUS sw_status;
+	SW_LARGENUMBER arg, res;
+	SW_PARAM sw_param;
+	SW_CONTEXT_HANDLE hac;
+	BIGNUM *result = NULL;
+	BIGNUM *argument = NULL;
+	int to_return = 0; /* expect failure */
+	int acquired = 0;
+
+	sw_param.up.crt.p.value = NULL;
+	sw_param.up.crt.q.value = NULL;
+	sw_param.up.crt.dmp1.value = NULL;
+	sw_param.up.crt.dmq1.value = NULL;
+	sw_param.up.crt.iqmp.value = NULL;
+ 
+	if(!get_context(&hac))
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_UNIT_FAILURE);
+		goto err;
+		}
+	acquired = 1;
+
+	/* Prepare the params */
+	argument = BN_new();
+	result = BN_new();
+	if(!result || !argument)
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_CTX_FULL);
+		goto err;
+		}
+
+
+	sw_param.type = SW_ALG_CRT;
+	/************************************************************************/
+	/* 04/02/2003                                                           */
+	/* Modified by Frederic Giudicelli (deny-all.com) to overcome the       */
+	/* limitation of cswift with values not a multiple of 32                */
+	/************************************************************************/
+	if(!cswift_bn_32copy(&sw_param.up.crt.p, p))
+	{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+	if(!cswift_bn_32copy(&sw_param.up.crt.q, q))
+	{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+	if(!cswift_bn_32copy(&sw_param.up.crt.dmp1, dmp1))
+	{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+	if(!cswift_bn_32copy(&sw_param.up.crt.dmq1, dmq1))
+	{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+	if(!cswift_bn_32copy(&sw_param.up.crt.iqmp, iqmp))
+	{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+	if(	!bn_wexpand(argument, a->top) ||
+			!bn_wexpand(result, p->top + q->top))
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+		}
+
+	/* Attach the key params */
+	sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
+	switch(sw_status)
+		{
+	case SW_OK:
+		break;
+	case SW_ERR_INPUT_SIZE:
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BAD_KEY_SIZE);
+		goto err;
+	default:
+		{
+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		}
+		goto err;
+		}
+	/* Prepare the argument and response */
+	arg.nbytes = BN_bn2bin(a, (unsigned char *)argument->d);
+	arg.value = (unsigned char *)argument->d;
+	res.nbytes = 2 * BN_num_bytes(p);
+	memset(result->d, 0, res.nbytes);
+	res.value = (unsigned char *)result->d;
+	/* Perform the operation */
+	if((sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_MODEXP_CRT, &arg, 1,
+		&res, 1)) != SW_OK)
+		{
+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		goto err;
+		}
+	/* Convert the response */
+	BN_bin2bn((unsigned char *)result->d, res.nbytes, r);
+	to_return = 1;
+err:
+	if(sw_param.up.crt.p.value)
+		OPENSSL_free(sw_param.up.crt.p.value);
+	if(sw_param.up.crt.q.value)
+		OPENSSL_free(sw_param.up.crt.q.value);
+	if(sw_param.up.crt.dmp1.value)
+		OPENSSL_free(sw_param.up.crt.dmp1.value);
+	if(sw_param.up.crt.dmq1.value)
+		OPENSSL_free(sw_param.up.crt.dmq1.value);
+	if(sw_param.up.crt.iqmp.value)
+		OPENSSL_free(sw_param.up.crt.iqmp.value);
+	if(result)
+		BN_free(result);
+	if(argument)
+		BN_free(argument);
+	if(acquired)
+		release_context(hac);
+	return to_return;
+	}
+#endif
+ 
+#ifndef OPENSSL_NO_RSA
+static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+	{
+	int to_return = 0;
+	const RSA_METHOD * def_rsa_method;
+
+	if(!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp)
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_RSA_MOD_EXP,CSWIFT_R_MISSING_KEY_COMPONENTS);
+		goto err;
+		}
+
+	/* Try the limits of RSA (2048 bits) */
+	if(BN_num_bytes(rsa->p) > 128 ||
+		BN_num_bytes(rsa->q) > 128 ||
+		BN_num_bytes(rsa->dmp1) > 128 ||
+		BN_num_bytes(rsa->dmq1) > 128 ||
+		BN_num_bytes(rsa->iqmp) > 128)
+	{
+#ifdef RSA_NULL
+		def_rsa_method=RSA_null_method();
+#else
+#if 0
+		def_rsa_method=RSA_PKCS1_RSAref();
+#else
+		def_rsa_method=RSA_PKCS1_SSLeay();
+#endif
+#endif
+		if(def_rsa_method)
+			return def_rsa_method->rsa_mod_exp(r0, I, rsa, ctx);
+	}
+
+	to_return = cswift_mod_exp_crt(r0, I, rsa->p, rsa->q, rsa->dmp1,
+		rsa->dmq1, rsa->iqmp, ctx);
+err:
+	return to_return;
+	}
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int cswift_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	const RSA_METHOD * def_rsa_method;
+
+	/* Try the limits of RSA (2048 bits) */
+	if(BN_num_bytes(r) > 256 ||
+		BN_num_bytes(a) > 256 ||
+		BN_num_bytes(m) > 256)
+	{
+#ifdef RSA_NULL
+		def_rsa_method=RSA_null_method();
+#else
+#if 0
+		def_rsa_method=RSA_PKCS1_RSAref();
+#else
+		def_rsa_method=RSA_PKCS1_SSLeay();
+#endif
+#endif
+		if(def_rsa_method)
+			return def_rsa_method->bn_mod_exp(r, a, p, m, ctx, m_ctx);
+	}
+
+	return cswift_mod_exp(r, a, p, m, ctx);
+	}
+#endif	/* OPENSSL_NO_RSA */
+
+#ifndef OPENSSL_NO_DSA
+static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+	{
+	SW_CONTEXT_HANDLE hac;
+	SW_PARAM sw_param;
+	SW_STATUS sw_status;
+	SW_LARGENUMBER arg, res;
+	unsigned char *ptr;
+	BN_CTX *ctx;
+	BIGNUM *dsa_p = NULL;
+	BIGNUM *dsa_q = NULL;
+	BIGNUM *dsa_g = NULL;
+	BIGNUM *dsa_key = NULL;
+	BIGNUM *result = NULL;
+	DSA_SIG *to_return = NULL;
+	int acquired = 0;
+
+	if((ctx = BN_CTX_new()) == NULL)
+		goto err;
+	if(!get_context(&hac))
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_UNIT_FAILURE);
+		goto err;
+		}
+	acquired = 1;
+	/* Prepare the params */
+	BN_CTX_start(ctx);
+	dsa_p = BN_CTX_get(ctx);
+	dsa_q = BN_CTX_get(ctx);
+	dsa_g = BN_CTX_get(ctx);
+	dsa_key = BN_CTX_get(ctx);
+	result = BN_CTX_get(ctx);
+	if(!result)
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_BN_CTX_FULL);
+		goto err;
+		}
+	if(!bn_wexpand(dsa_p, dsa->p->top) ||
+			!bn_wexpand(dsa_q, dsa->q->top) ||
+			!bn_wexpand(dsa_g, dsa->g->top) ||
+			!bn_wexpand(dsa_key, dsa->priv_key->top) ||
+			!bn_wexpand(result, dsa->p->top))
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+		}
+	sw_param.type = SW_ALG_DSA;
+	sw_param.up.dsa.p.nbytes = BN_bn2bin(dsa->p,
+				(unsigned char *)dsa_p->d);
+	sw_param.up.dsa.p.value = (unsigned char *)dsa_p->d;
+	sw_param.up.dsa.q.nbytes = BN_bn2bin(dsa->q,
+				(unsigned char *)dsa_q->d);
+	sw_param.up.dsa.q.value = (unsigned char *)dsa_q->d;
+	sw_param.up.dsa.g.nbytes = BN_bn2bin(dsa->g,
+				(unsigned char *)dsa_g->d);
+	sw_param.up.dsa.g.value = (unsigned char *)dsa_g->d;
+	sw_param.up.dsa.key.nbytes = BN_bn2bin(dsa->priv_key,
+				(unsigned char *)dsa_key->d);
+	sw_param.up.dsa.key.value = (unsigned char *)dsa_key->d;
+	/* Attach the key params */
+	sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
+	switch(sw_status)
+		{
+	case SW_OK:
+		break;
+	case SW_ERR_INPUT_SIZE:
+		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_BAD_KEY_SIZE);
+		goto err;
+	default:
+		{
+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
+		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		}
+		goto err;
+		}
+	/* Prepare the argument and response */
+	arg.nbytes = dlen;
+	arg.value = (unsigned char *)dgst;
+	res.nbytes = BN_num_bytes(dsa->p);
+	memset(result->d, 0, res.nbytes);
+	res.value = (unsigned char *)result->d;
+	/* Perform the operation */
+	sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_DSS_SIGN, &arg, 1,
+		&res, 1);
+	if(sw_status != SW_OK)
+		{
+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
+		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		goto err;
+		}
+	/* Convert the response */
+	ptr = (unsigned char *)result->d;
+	if((to_return = DSA_SIG_new()) == NULL)
+		goto err;
+	to_return->r = BN_bin2bn((unsigned char *)result->d, 20, NULL);
+	to_return->s = BN_bin2bn((unsigned char *)result->d + 20, 20, NULL);
+
+err:
+	if(acquired)
+		release_context(hac);
+	if(ctx)
+		{
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
+		}
+	return to_return;
+	}
+
+static int cswift_dsa_verify(const unsigned char *dgst, int dgst_len,
+				DSA_SIG *sig, DSA *dsa)
+	{
+	SW_CONTEXT_HANDLE hac;
+	SW_PARAM sw_param;
+	SW_STATUS sw_status;
+	SW_LARGENUMBER arg[2], res;
+	unsigned long sig_result;
+	BN_CTX *ctx;
+	BIGNUM *dsa_p = NULL;
+	BIGNUM *dsa_q = NULL;
+	BIGNUM *dsa_g = NULL;
+	BIGNUM *dsa_key = NULL;
+	BIGNUM *argument = NULL;
+	int to_return = -1;
+	int acquired = 0;
+
+	if((ctx = BN_CTX_new()) == NULL)
+		goto err;
+	if(!get_context(&hac))
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_UNIT_FAILURE);
+		goto err;
+		}
+	acquired = 1;
+	/* Prepare the params */
+	BN_CTX_start(ctx);
+	dsa_p = BN_CTX_get(ctx);
+	dsa_q = BN_CTX_get(ctx);
+	dsa_g = BN_CTX_get(ctx);
+	dsa_key = BN_CTX_get(ctx);
+	argument = BN_CTX_get(ctx);
+	if(!argument)
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_BN_CTX_FULL);
+		goto err;
+		}
+	if(!bn_wexpand(dsa_p, dsa->p->top) ||
+			!bn_wexpand(dsa_q, dsa->q->top) ||
+			!bn_wexpand(dsa_g, dsa->g->top) ||
+			!bn_wexpand(dsa_key, dsa->pub_key->top) ||
+			!bn_wexpand(argument, 40))
+		{
+		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+		}
+	sw_param.type = SW_ALG_DSA;
+	sw_param.up.dsa.p.nbytes = BN_bn2bin(dsa->p,
+				(unsigned char *)dsa_p->d);
+	sw_param.up.dsa.p.value = (unsigned char *)dsa_p->d;
+	sw_param.up.dsa.q.nbytes = BN_bn2bin(dsa->q,
+				(unsigned char *)dsa_q->d);
+	sw_param.up.dsa.q.value = (unsigned char *)dsa_q->d;
+	sw_param.up.dsa.g.nbytes = BN_bn2bin(dsa->g,
+				(unsigned char *)dsa_g->d);
+	sw_param.up.dsa.g.value = (unsigned char *)dsa_g->d;
+	sw_param.up.dsa.key.nbytes = BN_bn2bin(dsa->pub_key,
+				(unsigned char *)dsa_key->d);
+	sw_param.up.dsa.key.value = (unsigned char *)dsa_key->d;
+	/* Attach the key params */
+	sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
+	switch(sw_status)
+		{
+	case SW_OK:
+		break;
+	case SW_ERR_INPUT_SIZE:
+		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_BAD_KEY_SIZE);
+		goto err;
+	default:
+		{
+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
+		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		}
+		goto err;
+		}
+	/* Prepare the argument and response */
+	arg[0].nbytes = dgst_len;
+	arg[0].value = (unsigned char *)dgst;
+	arg[1].nbytes = 40;
+	arg[1].value = (unsigned char *)argument->d;
+	memset(arg[1].value, 0, 40);
+	BN_bn2bin(sig->r, arg[1].value + 20 - BN_num_bytes(sig->r));
+	BN_bn2bin(sig->s, arg[1].value + 40 - BN_num_bytes(sig->s));
+	res.nbytes = 4; /* unsigned long */
+	res.value = (unsigned char *)(&sig_result);
+	/* Perform the operation */
+	sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_DSS_VERIFY, arg, 2,
+		&res, 1);
+	if(sw_status != SW_OK)
+		{
+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
+		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		goto err;
+		}
+	/* Convert the response */
+	to_return = ((sig_result == 0) ? 0 : 1);
+
+err:
+	if(acquired)
+		release_context(hac);
+	if(ctx)
+		{
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
+		}
+	return to_return;
+	}
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r,
+		const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	return cswift_mod_exp(r, a, p, m, ctx);
+	}
+#endif
+
+/* Random bytes are good */
+static int cswift_rand_bytes(unsigned char *buf, int num)
+{
+	SW_CONTEXT_HANDLE hac;
+	SW_STATUS swrc;
+	SW_LARGENUMBER largenum;
+	int acquired = 0;
+	int to_return = 0; /* assume failure */
+	unsigned char buf32[1024];
+
+
+	if (!get_context(&hac))
+	{
+		CSWIFTerr(CSWIFT_F_CSWIFT_RAND_BYTES, CSWIFT_R_UNIT_FAILURE);
+		goto err;
+	}
+	acquired = 1;
+
+	/************************************************************************/
+	/* 04/02/2003                                                           */
+	/* Modified by Frederic Giudicelli (deny-all.com) to overcome the       */
+	/* limitation of cswift with values not a multiple of 32                */
+	/************************************************************************/
+
+	while(num >= (int)sizeof(buf32))
+	{
+		largenum.value = buf;
+		largenum.nbytes = sizeof(buf32);
+		/* tell CryptoSwift how many bytes we want and where we want it.
+		 * Note: - CryptoSwift cannot do more than 4096 bytes at a time.
+		 *       - CryptoSwift can only do multiple of 32-bits. */
+		swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1);
+		if (swrc != SW_OK)
+		{
+			char tmpbuf[20];
+			CSWIFTerr(CSWIFT_F_CSWIFT_RAND_BYTES, CSWIFT_R_REQUEST_FAILED);
+			sprintf(tmpbuf, "%ld", swrc);
+			ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf);
+			goto err;
+		}
+		buf += sizeof(buf32);
+		num -= sizeof(buf32);
+	}
+	if(num)
+	{
+		largenum.nbytes = sizeof(buf32);
+		largenum.value = buf32;
+		swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1);
+		if (swrc != SW_OK)
+		{
+			char tmpbuf[20];
+			CSWIFTerr(CSWIFT_F_CSWIFT_RAND_BYTES, CSWIFT_R_REQUEST_FAILED);
+			sprintf(tmpbuf, "%ld", swrc);
+			ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf);
+			goto err;
+		}
+		memcpy(buf, largenum.value, num);
+	}
+
+	to_return = 1;  /* success */
+err:
+	if (acquired)
+		release_context(hac);
+
+	return to_return;
+}
+
+static int cswift_rand_status(void)
+{
+	return 1;
+}
+
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+static int bind_fn(ENGINE *e, const char *id)
+	{
+	if(id && (strcmp(id, engine_cswift_id) != 0))
+		return 0;
+	if(!bind_helper(e))
+		return 0;
+	return 1;
+	}       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* OPENSSL_NO_DYNAMIC_ENGINE */
+
+#endif /* !OPENSSL_NO_HW_CSWIFT */
+#endif /* !OPENSSL_NO_HW */
diff --git a/crypto/openssl/engines/e_cswift.ec b/crypto/openssl/engines/e_cswift.ec
new file mode 100644
index 000000000000..a7f9d1143420
--- /dev/null
+++ b/crypto/openssl/engines/e_cswift.ec
@@ -0,0 +1 @@
+L CSWIFT	e_cswift_err.h			e_cswift_err.c
diff --git a/crypto/openssl/engines/e_cswift_err.c b/crypto/openssl/engines/e_cswift_err.c
new file mode 100644
index 000000000000..c7942a31fc3a
--- /dev/null
+++ b/crypto/openssl/engines/e_cswift_err.c
@@ -0,0 +1,154 @@
+/* e_cswift_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "e_cswift_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(0,func,0)
+#define ERR_REASON(reason) ERR_PACK(0,0,reason)
+
+static ERR_STRING_DATA CSWIFT_str_functs[]=
+	{
+{ERR_FUNC(CSWIFT_F_CSWIFT_CTRL),	"CSWIFT_CTRL"},
+{ERR_FUNC(CSWIFT_F_CSWIFT_DSA_SIGN),	"CSWIFT_DSA_SIGN"},
+{ERR_FUNC(CSWIFT_F_CSWIFT_DSA_VERIFY),	"CSWIFT_DSA_VERIFY"},
+{ERR_FUNC(CSWIFT_F_CSWIFT_FINISH),	"CSWIFT_FINISH"},
+{ERR_FUNC(CSWIFT_F_CSWIFT_INIT),	"CSWIFT_INIT"},
+{ERR_FUNC(CSWIFT_F_CSWIFT_MOD_EXP),	"CSWIFT_MOD_EXP"},
+{ERR_FUNC(CSWIFT_F_CSWIFT_MOD_EXP_CRT),	"CSWIFT_MOD_EXP_CRT"},
+{ERR_FUNC(CSWIFT_F_CSWIFT_RAND_BYTES),	"CSWIFT_RAND_BYTES"},
+{ERR_FUNC(CSWIFT_F_CSWIFT_RSA_MOD_EXP),	"CSWIFT_RSA_MOD_EXP"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA CSWIFT_str_reasons[]=
+	{
+{ERR_REASON(CSWIFT_R_ALREADY_LOADED)     ,"already loaded"},
+{ERR_REASON(CSWIFT_R_BAD_KEY_SIZE)       ,"bad key size"},
+{ERR_REASON(CSWIFT_R_BN_CTX_FULL)        ,"bn ctx full"},
+{ERR_REASON(CSWIFT_R_BN_EXPAND_FAIL)     ,"bn expand fail"},
+{ERR_REASON(CSWIFT_R_CTRL_COMMAND_NOT_IMPLEMENTED),"ctrl command not implemented"},
+{ERR_REASON(CSWIFT_R_MISSING_KEY_COMPONENTS),"missing key components"},
+{ERR_REASON(CSWIFT_R_NOT_LOADED)         ,"not loaded"},
+{ERR_REASON(CSWIFT_R_REQUEST_FAILED)     ,"request failed"},
+{ERR_REASON(CSWIFT_R_UNIT_FAILURE)       ,"unit failure"},
+{0,NULL}
+	};
+
+#endif
+
+#ifdef CSWIFT_LIB_NAME
+static ERR_STRING_DATA CSWIFT_lib_name[]=
+        {
+{0	,CSWIFT_LIB_NAME},
+{0,NULL}
+	};
+#endif
+
+
+static int CSWIFT_lib_error_code=0;
+static int CSWIFT_error_init=1;
+
+static void ERR_load_CSWIFT_strings(void)
+	{
+	if (CSWIFT_lib_error_code == 0)
+		CSWIFT_lib_error_code=ERR_get_next_error_library();
+
+	if (CSWIFT_error_init)
+		{
+		CSWIFT_error_init=0;
+#ifndef OPENSSL_NO_ERR
+		ERR_load_strings(CSWIFT_lib_error_code,CSWIFT_str_functs);
+		ERR_load_strings(CSWIFT_lib_error_code,CSWIFT_str_reasons);
+#endif
+
+#ifdef CSWIFT_LIB_NAME
+		CSWIFT_lib_name->error = ERR_PACK(CSWIFT_lib_error_code,0,0);
+		ERR_load_strings(0,CSWIFT_lib_name);
+#endif
+		}
+	}
+
+static void ERR_unload_CSWIFT_strings(void)
+	{
+	if (CSWIFT_error_init == 0)
+		{
+#ifndef OPENSSL_NO_ERR
+		ERR_unload_strings(CSWIFT_lib_error_code,CSWIFT_str_functs);
+		ERR_unload_strings(CSWIFT_lib_error_code,CSWIFT_str_reasons);
+#endif
+
+#ifdef CSWIFT_LIB_NAME
+		ERR_unload_strings(0,CSWIFT_lib_name);
+#endif
+		CSWIFT_error_init=1;
+		}
+	}
+
+static void ERR_CSWIFT_error(int function, int reason, char *file, int line)
+	{
+	if (CSWIFT_lib_error_code == 0)
+		CSWIFT_lib_error_code=ERR_get_next_error_library();
+	ERR_PUT_error(CSWIFT_lib_error_code,function,reason,file,line);
+	}
diff --git a/crypto/openssl/engines/e_cswift_err.h b/crypto/openssl/engines/e_cswift_err.h
new file mode 100644
index 000000000000..9072cbe616e4
--- /dev/null
+++ b/crypto/openssl/engines/e_cswift_err.h
@@ -0,0 +1,94 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_CSWIFT_ERR_H
+#define HEADER_CSWIFT_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_CSWIFT_strings(void);
+static void ERR_unload_CSWIFT_strings(void);
+static void ERR_CSWIFT_error(int function, int reason, char *file, int line);
+#define CSWIFTerr(f,r) ERR_CSWIFT_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the CSWIFT functions. */
+
+/* Function codes. */
+#define CSWIFT_F_CSWIFT_CTRL				 100
+#define CSWIFT_F_CSWIFT_DSA_SIGN			 101
+#define CSWIFT_F_CSWIFT_DSA_VERIFY			 102
+#define CSWIFT_F_CSWIFT_FINISH				 103
+#define CSWIFT_F_CSWIFT_INIT				 104
+#define CSWIFT_F_CSWIFT_MOD_EXP				 105
+#define CSWIFT_F_CSWIFT_MOD_EXP_CRT			 106
+#define CSWIFT_F_CSWIFT_RAND_BYTES			 108
+#define CSWIFT_F_CSWIFT_RSA_MOD_EXP			 107
+
+/* Reason codes. */
+#define CSWIFT_R_ALREADY_LOADED				 100
+#define CSWIFT_R_BAD_KEY_SIZE				 101
+#define CSWIFT_R_BN_CTX_FULL				 102
+#define CSWIFT_R_BN_EXPAND_FAIL				 103
+#define CSWIFT_R_CTRL_COMMAND_NOT_IMPLEMENTED		 104
+#define CSWIFT_R_MISSING_KEY_COMPONENTS			 105
+#define CSWIFT_R_NOT_LOADED				 106
+#define CSWIFT_R_REQUEST_FAILED				 107
+#define CSWIFT_R_UNIT_FAILURE				 108
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/crypto/openssl/engines/e_gmp.c b/crypto/openssl/engines/e_gmp.c
new file mode 100644
index 000000000000..39da65f74bf1
--- /dev/null
+++ b/crypto/openssl/engines/e_gmp.c
@@ -0,0 +1,435 @@
+/* crypto/engine/e_gmp.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2003.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* This engine is not (currently) compiled in by default. Do enable it,
+ * reconfigure OpenSSL with "-DOPENSSL_USE_GMP -lgmp". The GMP libraries and
+ * headers must reside in one of the paths searched by the compiler/linker,
+ * otherwise paths must be specified - eg. try configuring with
+ * "-DOPENSSL_USE_GMP -I<includepath> -L<libpath> -lgmp". YMMV. */
+
+/* As for what this does - it's a largely unoptimised implementation of an
+ * ENGINE that uses the GMP library to perform RSA private key operations. To
+ * obtain more information about what "unoptimised" means, see my original mail
+ * on the subject (though ignore the build instructions which have since
+ * changed);
+ *
+ *    http://www.mail-archive.com/openssl-dev@openssl.org/msg12227.html
+ *
+ * On my athlon system at least, it appears the builtin OpenSSL code is now
+ * slightly faster, which is to say that the RSA-related MPI performance
+ * between OpenSSL's BIGNUM and GMP's mpz implementations is probably pretty
+ * balanced for this chip, and so the performance degradation in this ENGINE by
+ * having to convert to/from GMP formats (and not being able to cache
+ * montgomery forms) is probably the difference. However, if some unconfirmed
+ * reports from users is anything to go by, the situation on some other
+ * chipsets might be a good deal more favourable to the GMP version (eg. PPC).
+ * Feedback welcome. */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include <openssl/engine.h>
+
+#ifndef OPENSSL_NO_HW
+#if defined(OPENSSL_USE_GMP) && !defined(OPENSSL_NO_HW_GMP)
+
+#include <gmp.h>
+
+#define E_GMP_LIB_NAME "gmp engine"
+#include "e_gmp_err.c"
+
+static int e_gmp_destroy(ENGINE *e);
+static int e_gmp_init(ENGINE *e);
+static int e_gmp_finish(ENGINE *e);
+static int e_gmp_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void)); 
+
+#ifndef OPENSSL_NO_RSA
+/* RSA stuff */
+static int e_gmp_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
+static int e_gmp_rsa_finish(RSA *r);
+#endif
+
+/* The definitions for control commands specific to this engine */
+/* #define E_GMP_CMD_SO_PATH		ENGINE_CMD_BASE */
+static const ENGINE_CMD_DEFN e_gmp_cmd_defns[] = {
+#if 0
+	{E_GMP_CMD_SO_PATH,
+		"SO_PATH",
+		"Specifies the path to the 'e_gmp' shared library",
+		ENGINE_CMD_FLAG_STRING},
+#endif
+	{0, NULL, NULL, 0}
+	};
+
+#ifndef OPENSSL_NO_RSA
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD e_gmp_rsa =
+	{
+	"GMP RSA method",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	e_gmp_rsa_mod_exp,
+	NULL,
+	NULL,
+	e_gmp_rsa_finish,
+	/* These flags initialise montgomery crud that GMP ignores, however it
+	 * makes sure the public key ops (which are done in openssl) don't seem
+	 * *slower* than usual :-) */
+	RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE,
+	NULL,
+	NULL,
+	NULL
+	};
+#endif
+
+/* Constants used when creating the ENGINE */
+static const char *engine_e_gmp_id = "gmp";
+static const char *engine_e_gmp_name = "GMP engine support";
+
+/* This internal function is used by ENGINE_gmp() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
+	{
+#ifndef OPENSSL_NO_RSA
+	const RSA_METHOD *meth1;
+#endif
+	if(!ENGINE_set_id(e, engine_e_gmp_id) ||
+			!ENGINE_set_name(e, engine_e_gmp_name) ||
+#ifndef OPENSSL_NO_RSA
+			!ENGINE_set_RSA(e, &e_gmp_rsa) ||
+#endif
+			!ENGINE_set_destroy_function(e, e_gmp_destroy) ||
+			!ENGINE_set_init_function(e, e_gmp_init) ||
+			!ENGINE_set_finish_function(e, e_gmp_finish) ||
+			!ENGINE_set_ctrl_function(e, e_gmp_ctrl) ||
+			!ENGINE_set_cmd_defns(e, e_gmp_cmd_defns))
+		return 0;
+
+#ifndef OPENSSL_NO_RSA
+	meth1 = RSA_PKCS1_SSLeay();
+	e_gmp_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+	e_gmp_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+	e_gmp_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+	e_gmp_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+	e_gmp_rsa.bn_mod_exp = meth1->bn_mod_exp;
+#endif
+
+	/* Ensure the e_gmp error handling is set up */
+	ERR_load_GMP_strings();
+	return 1;
+	}
+
+static ENGINE *engine_gmp(void)
+	{
+	ENGINE *ret = ENGINE_new();
+	if(!ret)
+		return NULL;
+	if(!bind_helper(ret))
+		{
+		ENGINE_free(ret);
+		return NULL;
+		}
+	return ret;
+	}
+
+void ENGINE_load_gmp(void)
+	{
+	/* Copied from eng_[openssl|dyn].c */
+	ENGINE *toadd = engine_gmp();
+	if(!toadd) return;
+	ENGINE_add(toadd);
+	ENGINE_free(toadd);
+	ERR_clear_error();
+	}
+
+#ifndef OPENSSL_NO_RSA
+/* Used to attach our own key-data to an RSA structure */
+static int hndidx_rsa = -1;
+#endif
+
+static int e_gmp_destroy(ENGINE *e)
+	{
+	ERR_unload_GMP_strings();
+	return 1;
+	}
+
+/* (de)initialisation functions. */
+static int e_gmp_init(ENGINE *e)
+	{
+#ifndef OPENSSL_NO_RSA
+	if (hndidx_rsa == -1)
+		hndidx_rsa = RSA_get_ex_new_index(0,
+			"GMP-based RSA key handle",
+			NULL, NULL, NULL);
+#endif
+	if (hndidx_rsa == -1)
+		return 0;
+	return 1;
+	}
+
+static int e_gmp_finish(ENGINE *e)
+	{
+	return 1;
+	}
+
+static int e_gmp_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
+	{
+	int to_return = 1;
+
+	switch(cmd)
+		{
+#if 0
+	case E_GMP_CMD_SO_PATH:
+		/* ... */
+#endif
+	/* The command isn't understood by this engine */
+	default:
+		GMPerr(GMP_F_E_GMP_CTRL,
+			GMP_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+		to_return = 0;
+		break;
+		}
+
+	return to_return;
+	}
+
+/* HACK - use text I/O functions in openssl and GMP to handle conversions. This
+ * is vile. */
+static int bn2gmp(const BIGNUM *bn, mpz_t g)
+	{
+	int toret;
+	char *tmpchar = BN_bn2hex(bn);
+	if(!tmpchar) return 0;
+	toret = (mpz_set_str(g, tmpchar, 16) == 0 ? 1 : 0);
+	OPENSSL_free(tmpchar);
+	return toret;
+	}
+
+static int gmp2bn(mpz_t g, BIGNUM *bn)
+	{
+	int toret;
+	char *tmpchar = OPENSSL_malloc(mpz_sizeinbase(g, 16) + 10);
+	if(!tmpchar) return 0;
+	mpz_get_str(tmpchar, 16, g);
+	toret = BN_hex2bn(&bn, tmpchar);
+	OPENSSL_free(tmpchar);
+	return toret;
+	}
+
+#ifndef OPENSSL_NO_RSA 
+typedef struct st_e_gmp_rsa_ctx
+	{
+	int public_only;
+	mpz_t n;
+	mpz_t d;
+	mpz_t e;
+	mpz_t p;
+	mpz_t q;
+	mpz_t dmp1;
+	mpz_t dmq1;
+	mpz_t iqmp;
+	mpz_t r0, r1, I0, m1;
+	} E_GMP_RSA_CTX;
+
+static E_GMP_RSA_CTX *e_gmp_get_rsa(RSA *rsa)
+	{
+	E_GMP_RSA_CTX *hptr = RSA_get_ex_data(rsa, hndidx_rsa);
+	if(hptr) return hptr;
+	hptr = OPENSSL_malloc(sizeof(E_GMP_RSA_CTX));
+	if(!hptr) return NULL;
+	/* These inits could probably be replaced by more intelligent
+	 * mpz_init2() versions, to reduce malloc-thrashing. */
+	mpz_init(hptr->n);
+	mpz_init(hptr->d);
+	mpz_init(hptr->e);
+	mpz_init(hptr->p);
+	mpz_init(hptr->q);
+	mpz_init(hptr->dmp1);
+	mpz_init(hptr->dmq1);
+	mpz_init(hptr->iqmp);
+	mpz_init(hptr->r0);
+	mpz_init(hptr->r1);
+	mpz_init(hptr->I0);
+	mpz_init(hptr->m1);
+	if(!bn2gmp(rsa->n, hptr->n) || !bn2gmp(rsa->e, hptr->e))
+		goto err;
+	if(!rsa->p || !rsa->q || !rsa->d || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp)
+		{
+		hptr->public_only = 1;
+		return hptr;
+		}
+	if(!bn2gmp(rsa->d, hptr->d) || !bn2gmp(rsa->p, hptr->p) ||
+			!bn2gmp(rsa->q, hptr->q) || !bn2gmp(rsa->dmp1, hptr->dmp1) ||
+			!bn2gmp(rsa->dmq1, hptr->dmq1) || !bn2gmp(rsa->iqmp, hptr->iqmp))
+		goto err;
+	hptr->public_only = 0;
+	RSA_set_ex_data(rsa, hndidx_rsa, hptr);
+	return hptr;
+err:
+	mpz_clear(hptr->n);
+	mpz_clear(hptr->d);
+	mpz_clear(hptr->e);
+	mpz_clear(hptr->p);
+	mpz_clear(hptr->q);
+	mpz_clear(hptr->dmp1);
+	mpz_clear(hptr->dmq1);
+	mpz_clear(hptr->iqmp);
+	mpz_clear(hptr->r0);
+	mpz_clear(hptr->r1);
+	mpz_clear(hptr->I0);
+	mpz_clear(hptr->m1);
+	OPENSSL_free(hptr);
+	return NULL;
+	}
+
+static int e_gmp_rsa_finish(RSA *rsa)
+	{
+	E_GMP_RSA_CTX *hptr = RSA_get_ex_data(rsa, hndidx_rsa);
+	if(!hptr) return 0;
+	mpz_clear(hptr->n);
+	mpz_clear(hptr->d);
+	mpz_clear(hptr->e);
+	mpz_clear(hptr->p);
+	mpz_clear(hptr->q);
+	mpz_clear(hptr->dmp1);
+	mpz_clear(hptr->dmq1);
+	mpz_clear(hptr->iqmp);
+	mpz_clear(hptr->r0);
+	mpz_clear(hptr->r1);
+	mpz_clear(hptr->I0);
+	mpz_clear(hptr->m1);
+	OPENSSL_free(hptr);
+	RSA_set_ex_data(rsa, hndidx_rsa, NULL);
+	return 1;
+	}
+
+static int e_gmp_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+	{
+	E_GMP_RSA_CTX *hptr;
+	int to_return = 0;
+
+	hptr = e_gmp_get_rsa(rsa);
+	if(!hptr)
+		{
+		GMPerr(GMP_F_E_GMP_RSA_MOD_EXP,
+				GMP_R_KEY_CONTEXT_ERROR);
+		return 0;
+		}
+	if(hptr->public_only)
+		{
+		GMPerr(GMP_F_E_GMP_RSA_MOD_EXP,
+				GMP_R_MISSING_KEY_COMPONENTS);
+		return 0;
+		}
+
+	/* ugh!!! */
+	if(!bn2gmp(I, hptr->I0))
+		return 0;
+
+	/* This is basically the CRT logic in crypto/rsa/rsa_eay.c reworded into
+	 * GMP-speak. It may be that GMP's API facilitates cleaner formulations
+	 * of this stuff, eg. better handling of negatives, or functions that
+	 * combine operations. */
+
+	mpz_mod(hptr->r1, hptr->I0, hptr->q);
+	mpz_powm(hptr->m1, hptr->r1, hptr->dmq1, hptr->q);
+
+	mpz_mod(hptr->r1, hptr->I0, hptr->p);
+	mpz_powm(hptr->r0, hptr->r1, hptr->dmp1, hptr->p);
+
+	mpz_sub(hptr->r0, hptr->r0, hptr->m1);
+
+	if(mpz_sgn(hptr->r0) < 0)
+		mpz_add(hptr->r0, hptr->r0, hptr->p);
+	mpz_mul(hptr->r1, hptr->r0, hptr->iqmp);
+	mpz_mod(hptr->r0, hptr->r1, hptr->p);
+
+	if(mpz_sgn(hptr->r0) < 0)
+		mpz_add(hptr->r0, hptr->r0, hptr->p);
+	mpz_mul(hptr->r1, hptr->r0, hptr->q);
+	mpz_add(hptr->r0, hptr->r1, hptr->m1);
+
+	/* ugh!!! */
+	if(gmp2bn(hptr->r0, r))
+		to_return = 1;
+
+	return 1;
+	}
+#endif
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */	   
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_fn(ENGINE *e, const char *id)
+	{
+	if(id && (strcmp(id, engine_e_gmp_id) != 0))
+		return 0;
+	if(!bind_helper(e))
+		return 0;
+	return 1;
+	}       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
+
+#endif /* !OPENSSL_NO_HW_GMP */
+#endif /* !OPENSSL_NO_HW */
+
diff --git a/crypto/openssl/engines/e_gmp.ec b/crypto/openssl/engines/e_gmp.ec
new file mode 100644
index 000000000000..72ec447fb7fc
--- /dev/null
+++ b/crypto/openssl/engines/e_gmp.ec
@@ -0,0 +1 @@
+L GMP		e_gmp_err.h			e_gmp_err.c
diff --git a/crypto/openssl/engines/e_gmp_err.c b/crypto/openssl/engines/e_gmp_err.c
new file mode 100644
index 000000000000..61db956796e1
--- /dev/null
+++ b/crypto/openssl/engines/e_gmp_err.c
@@ -0,0 +1,141 @@
+/* e_gmp_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "e_gmp_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(0,func,0)
+#define ERR_REASON(reason) ERR_PACK(0,0,reason)
+
+static ERR_STRING_DATA GMP_str_functs[]=
+	{
+{ERR_FUNC(GMP_F_E_GMP_CTRL),	"E_GMP_CTRL"},
+{ERR_FUNC(GMP_F_E_GMP_RSA_MOD_EXP),	"E_GMP_RSA_MOD_EXP"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA GMP_str_reasons[]=
+	{
+{ERR_REASON(GMP_R_CTRL_COMMAND_NOT_IMPLEMENTED),"ctrl command not implemented"},
+{ERR_REASON(GMP_R_KEY_CONTEXT_ERROR)     ,"key context error"},
+{ERR_REASON(GMP_R_MISSING_KEY_COMPONENTS),"missing key components"},
+{0,NULL}
+	};
+
+#endif
+
+#ifdef GMP_LIB_NAME
+static ERR_STRING_DATA GMP_lib_name[]=
+        {
+{0	,GMP_LIB_NAME},
+{0,NULL}
+	};
+#endif
+
+
+static int GMP_lib_error_code=0;
+static int GMP_error_init=1;
+
+static void ERR_load_GMP_strings(void)
+	{
+	if (GMP_lib_error_code == 0)
+		GMP_lib_error_code=ERR_get_next_error_library();
+
+	if (GMP_error_init)
+		{
+		GMP_error_init=0;
+#ifndef OPENSSL_NO_ERR
+		ERR_load_strings(GMP_lib_error_code,GMP_str_functs);
+		ERR_load_strings(GMP_lib_error_code,GMP_str_reasons);
+#endif
+
+#ifdef GMP_LIB_NAME
+		GMP_lib_name->error = ERR_PACK(GMP_lib_error_code,0,0);
+		ERR_load_strings(0,GMP_lib_name);
+#endif
+		}
+	}
+
+static void ERR_unload_GMP_strings(void)
+	{
+	if (GMP_error_init == 0)
+		{
+#ifndef OPENSSL_NO_ERR
+		ERR_unload_strings(GMP_lib_error_code,GMP_str_functs);
+		ERR_unload_strings(GMP_lib_error_code,GMP_str_reasons);
+#endif
+
+#ifdef GMP_LIB_NAME
+		ERR_unload_strings(0,GMP_lib_name);
+#endif
+		GMP_error_init=1;
+		}
+	}
+
+static void ERR_GMP_error(int function, int reason, char *file, int line)
+	{
+	if (GMP_lib_error_code == 0)
+		GMP_lib_error_code=ERR_get_next_error_library();
+	ERR_PUT_error(GMP_lib_error_code,function,reason,file,line);
+	}
diff --git a/crypto/openssl/engines/e_gmp_err.h b/crypto/openssl/engines/e_gmp_err.h
new file mode 100644
index 000000000000..cf46f0ec742a
--- /dev/null
+++ b/crypto/openssl/engines/e_gmp_err.h
@@ -0,0 +1,81 @@
+/* ====================================================================
+ * Copyright (c) 2001-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_GMP_ERR_H
+#define HEADER_GMP_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_GMP_strings(void);
+static void ERR_unload_GMP_strings(void);
+static void ERR_GMP_error(int function, int reason, char *file, int line);
+#define GMPerr(f,r) ERR_GMP_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the GMP functions. */
+
+/* Function codes. */
+#define GMP_F_E_GMP_CTRL				 100
+#define GMP_F_E_GMP_RSA_MOD_EXP				 101
+
+/* Reason codes. */
+#define GMP_R_CTRL_COMMAND_NOT_IMPLEMENTED		 100
+#define GMP_R_KEY_CONTEXT_ERROR				 101
+#define GMP_R_MISSING_KEY_COMPONENTS			 102
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/crypto/openssl/engines/e_nuron.c b/crypto/openssl/engines/e_nuron.c
new file mode 100644
index 000000000000..4c2537cbc30d
--- /dev/null
+++ b/crypto/openssl/engines/e_nuron.c
@@ -0,0 +1,434 @@
+/* crypto/engine/hw_nuron.c */
+/* Written by Ben Laurie for the OpenSSL Project, leaning heavily on Geoff
+ * Thorpe's Atalla implementation.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include <openssl/dso.h>
+#include <openssl/engine.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/bn.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_NURON
+
+#define NURON_LIB_NAME "nuron engine"
+#include "e_nuron_err.c"
+
+static const char *NURON_LIBNAME = NULL;
+static const char *get_NURON_LIBNAME(void)
+	{
+	if(NURON_LIBNAME)
+		return NURON_LIBNAME;
+	return "nuronssl";
+	}
+static void free_NURON_LIBNAME(void)
+	{
+	if(NURON_LIBNAME)
+		OPENSSL_free((void*)NURON_LIBNAME);
+	NURON_LIBNAME = NULL;
+	}
+static long set_NURON_LIBNAME(const char *name)
+	{
+	free_NURON_LIBNAME();
+	return (((NURON_LIBNAME = BUF_strdup(name)) != NULL) ? 1 : 0);
+	}
+static const char *NURON_F1 = "nuron_mod_exp";
+
+/* The definitions for control commands specific to this engine */
+#define NURON_CMD_SO_PATH		ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN nuron_cmd_defns[] = {
+	{NURON_CMD_SO_PATH,
+		"SO_PATH",
+		"Specifies the path to the 'nuronssl' shared library",
+		ENGINE_CMD_FLAG_STRING},
+	{0, NULL, NULL, 0}
+	};
+
+typedef int tfnModExp(BIGNUM *r,const BIGNUM *a,const BIGNUM *p,const BIGNUM *m);
+static tfnModExp *pfnModExp = NULL;
+
+static DSO *pvDSOHandle = NULL;
+
+static int nuron_destroy(ENGINE *e)
+	{
+	free_NURON_LIBNAME();
+	ERR_unload_NURON_strings();
+	return 1;
+	}
+
+static int nuron_init(ENGINE *e)
+	{
+	if(pvDSOHandle != NULL)
+		{
+		NURONerr(NURON_F_NURON_INIT,NURON_R_ALREADY_LOADED);
+		return 0;
+		}
+
+	pvDSOHandle = DSO_load(NULL, get_NURON_LIBNAME(), NULL,
+		DSO_FLAG_NAME_TRANSLATION_EXT_ONLY);
+	if(!pvDSOHandle)
+		{
+		NURONerr(NURON_F_NURON_INIT,NURON_R_DSO_NOT_FOUND);
+		return 0;
+		}
+
+	pfnModExp = (tfnModExp *)DSO_bind_func(pvDSOHandle, NURON_F1);
+	if(!pfnModExp)
+		{
+		NURONerr(NURON_F_NURON_INIT,NURON_R_DSO_FUNCTION_NOT_FOUND);
+		return 0;
+		}
+
+	return 1;
+	}
+
+static int nuron_finish(ENGINE *e)
+	{
+	free_NURON_LIBNAME();
+	if(pvDSOHandle == NULL)
+		{
+		NURONerr(NURON_F_NURON_FINISH,NURON_R_NOT_LOADED);
+		return 0;
+		}
+	if(!DSO_free(pvDSOHandle))
+		{
+		NURONerr(NURON_F_NURON_FINISH,NURON_R_DSO_FAILURE);
+		return 0;
+		}
+	pvDSOHandle=NULL;
+	pfnModExp=NULL;
+	return 1;
+	}
+
+static int nuron_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
+	{
+	int initialised = ((pvDSOHandle == NULL) ? 0 : 1);
+	switch(cmd)
+		{
+	case NURON_CMD_SO_PATH:
+		if(p == NULL)
+			{
+			NURONerr(NURON_F_NURON_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+			return 0;
+			}
+		if(initialised)
+			{
+			NURONerr(NURON_F_NURON_CTRL,NURON_R_ALREADY_LOADED);
+			return 0;
+			}
+		return set_NURON_LIBNAME((const char *)p);
+	default:
+		break;
+		}
+	NURONerr(NURON_F_NURON_CTRL,NURON_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+	return 0;
+}
+
+static int nuron_mod_exp(BIGNUM *r,const BIGNUM *a,const BIGNUM *p,
+			 const BIGNUM *m,BN_CTX *ctx)
+	{
+	if(!pvDSOHandle)
+		{
+		NURONerr(NURON_F_NURON_MOD_EXP,NURON_R_NOT_LOADED);
+		return 0;
+		}
+	return pfnModExp(r,a,p,m);
+	}
+
+#ifndef OPENSSL_NO_RSA
+static int nuron_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+	{
+	return nuron_mod_exp(r0,I,rsa->d,rsa->n,ctx);
+	}
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* This code was liberated and adapted from the commented-out code in
+ * dsa_ossl.c. Because of the unoptimised form of the Atalla acceleration
+ * (it doesn't have a CRT form for RSA), this function means that an
+ * Atalla system running with a DSA server certificate can handshake
+ * around 5 or 6 times faster/more than an equivalent system running with
+ * RSA. Just check out the "signs" statistics from the RSA and DSA parts
+ * of "openssl speed -engine atalla dsa1024 rsa1024". */
+static int nuron_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+			     BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+			     BN_CTX *ctx, BN_MONT_CTX *in_mont)
+	{
+	BIGNUM t;
+	int to_return = 0;
+ 
+	BN_init(&t);
+	/* let rr = a1 ^ p1 mod m */
+	if (!nuron_mod_exp(rr,a1,p1,m,ctx))
+		goto end;
+	/* let t = a2 ^ p2 mod m */
+	if (!nuron_mod_exp(&t,a2,p2,m,ctx))
+		goto end;
+	/* let rr = rr * t mod m */
+	if (!BN_mod_mul(rr,rr,&t,m,ctx))
+		goto end;
+	to_return = 1;
+end:
+	BN_free(&t);
+	return to_return;
+	}
+
+
+static int nuron_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+			     const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+			     BN_MONT_CTX *m_ctx)
+	{
+	return nuron_mod_exp(r, a, p, m, ctx);
+	}
+#endif
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+#ifndef OPENSSL_NO_RSA
+static int nuron_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			      const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	return nuron_mod_exp(r, a, p, m, ctx);
+	}
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int nuron_mod_exp_dh(const DH *dh, BIGNUM *r,
+		const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	return nuron_mod_exp(r, a, p, m, ctx);
+	}
+#endif
+
+#ifndef OPENSSL_NO_RSA
+static RSA_METHOD nuron_rsa =
+	{
+	"Nuron RSA method",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	nuron_rsa_mod_exp,
+	nuron_mod_exp_mont,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+	};
+#endif
+
+#ifndef OPENSSL_NO_DSA
+static DSA_METHOD nuron_dsa =
+	{
+	"Nuron DSA method",
+	NULL, /* dsa_do_sign */
+	NULL, /* dsa_sign_setup */
+	NULL, /* dsa_do_verify */
+	nuron_dsa_mod_exp, /* dsa_mod_exp */
+	nuron_mod_exp_dsa, /* bn_mod_exp */
+	NULL, /* init */
+	NULL, /* finish */
+	0, /* flags */
+	NULL, /* app_data */
+	NULL, /* dsa_paramgen */
+	NULL /* dsa_keygen */
+	};
+#endif
+
+#ifndef OPENSSL_NO_DH
+static DH_METHOD nuron_dh =
+	{
+	"Nuron DH method",
+	NULL,
+	NULL,
+	nuron_mod_exp_dh,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	NULL
+	};
+#endif
+
+/* Constants used when creating the ENGINE */
+static const char *engine_nuron_id = "nuron";
+static const char *engine_nuron_name = "Nuron hardware engine support";
+
+/* This internal function is used by ENGINE_nuron() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
+	{
+#ifndef OPENSSL_NO_RSA
+	const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DSA
+	const DSA_METHOD *meth2;
+#endif
+#ifndef OPENSSL_NO_DH
+	const DH_METHOD *meth3;
+#endif
+	if(!ENGINE_set_id(e, engine_nuron_id) ||
+			!ENGINE_set_name(e, engine_nuron_name) ||
+#ifndef OPENSSL_NO_RSA
+			!ENGINE_set_RSA(e, &nuron_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+			!ENGINE_set_DSA(e, &nuron_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+			!ENGINE_set_DH(e, &nuron_dh) ||
+#endif
+			!ENGINE_set_destroy_function(e, nuron_destroy) ||
+			!ENGINE_set_init_function(e, nuron_init) ||
+			!ENGINE_set_finish_function(e, nuron_finish) ||
+			!ENGINE_set_ctrl_function(e, nuron_ctrl) ||
+			!ENGINE_set_cmd_defns(e, nuron_cmd_defns))
+		return 0;
+
+#ifndef OPENSSL_NO_RSA
+	/* We know that the "PKCS1_SSLeay()" functions hook properly
+	 * to the nuron-specific mod_exp and mod_exp_crt so we use
+	 * those functions. NB: We don't use ENGINE_openssl() or
+	 * anything "more generic" because something like the RSAref
+	 * code may not hook properly, and if you own one of these
+	 * cards then you have the right to do RSA operations on it
+	 * anyway! */ 
+	meth1=RSA_PKCS1_SSLeay();
+	nuron_rsa.rsa_pub_enc=meth1->rsa_pub_enc;
+	nuron_rsa.rsa_pub_dec=meth1->rsa_pub_dec;
+	nuron_rsa.rsa_priv_enc=meth1->rsa_priv_enc;
+	nuron_rsa.rsa_priv_dec=meth1->rsa_priv_dec;
+#endif
+
+#ifndef OPENSSL_NO_DSA
+	/* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
+	 * bits. */
+	meth2=DSA_OpenSSL();
+	nuron_dsa.dsa_do_sign=meth2->dsa_do_sign;
+	nuron_dsa.dsa_sign_setup=meth2->dsa_sign_setup;
+	nuron_dsa.dsa_do_verify=meth2->dsa_do_verify;
+#endif
+
+#ifndef OPENSSL_NO_DH
+	/* Much the same for Diffie-Hellman */
+	meth3=DH_OpenSSL();
+	nuron_dh.generate_key=meth3->generate_key;
+	nuron_dh.compute_key=meth3->compute_key;
+#endif
+
+	/* Ensure the nuron error handling is set up */
+	ERR_load_NURON_strings();
+	return 1;
+	}
+
+#ifdef OPENSSL_NO_DYNAMIC_ENGINE
+static ENGINE *engine_nuron(void)
+	{
+	ENGINE *ret = ENGINE_new();
+	if(!ret)
+		return NULL;
+	if(!bind_helper(ret))
+		{
+		ENGINE_free(ret);
+		return NULL;
+		}
+	return ret;
+	}
+
+void ENGINE_load_nuron(void)
+	{
+	/* Copied from eng_[openssl|dyn].c */
+	ENGINE *toadd = engine_nuron();
+	if(!toadd) return;
+	ENGINE_add(toadd);
+	ENGINE_free(toadd);
+	ERR_clear_error();
+	}
+#endif
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */	   
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+static int bind_fn(ENGINE *e, const char *id)
+	{
+	if(id && (strcmp(id, engine_nuron_id) != 0))
+		return 0;
+	if(!bind_helper(e))
+		return 0;
+	return 1;
+	}       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* OPENSSL_NO_DYNAMIC_ENGINE */
+
+#endif /* !OPENSSL_NO_HW_NURON */
+#endif /* !OPENSSL_NO_HW */
diff --git a/crypto/openssl/engines/e_nuron.ec b/crypto/openssl/engines/e_nuron.ec
new file mode 100644
index 000000000000..cfa430dfcd77
--- /dev/null
+++ b/crypto/openssl/engines/e_nuron.ec
@@ -0,0 +1 @@
+L NURON		e_nuron_err.h			e_nuron_err.c
diff --git a/crypto/openssl/engines/e_nuron_err.c b/crypto/openssl/engines/e_nuron_err.c
new file mode 100644
index 000000000000..9a7864f42fd1
--- /dev/null
+++ b/crypto/openssl/engines/e_nuron_err.c
@@ -0,0 +1,146 @@
+/* e_nuron_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "e_nuron_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(0,func,0)
+#define ERR_REASON(reason) ERR_PACK(0,0,reason)
+
+static ERR_STRING_DATA NURON_str_functs[]=
+	{
+{ERR_FUNC(NURON_F_NURON_CTRL),	"NURON_CTRL"},
+{ERR_FUNC(NURON_F_NURON_FINISH),	"NURON_FINISH"},
+{ERR_FUNC(NURON_F_NURON_INIT),	"NURON_INIT"},
+{ERR_FUNC(NURON_F_NURON_MOD_EXP),	"NURON_MOD_EXP"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA NURON_str_reasons[]=
+	{
+{ERR_REASON(NURON_R_ALREADY_LOADED)      ,"already loaded"},
+{ERR_REASON(NURON_R_CTRL_COMMAND_NOT_IMPLEMENTED),"ctrl command not implemented"},
+{ERR_REASON(NURON_R_DSO_FAILURE)         ,"dso failure"},
+{ERR_REASON(NURON_R_DSO_FUNCTION_NOT_FOUND),"dso function not found"},
+{ERR_REASON(NURON_R_DSO_NOT_FOUND)       ,"dso not found"},
+{ERR_REASON(NURON_R_NOT_LOADED)          ,"not loaded"},
+{0,NULL}
+	};
+
+#endif
+
+#ifdef NURON_LIB_NAME
+static ERR_STRING_DATA NURON_lib_name[]=
+        {
+{0	,NURON_LIB_NAME},
+{0,NULL}
+	};
+#endif
+
+
+static int NURON_lib_error_code=0;
+static int NURON_error_init=1;
+
+static void ERR_load_NURON_strings(void)
+	{
+	if (NURON_lib_error_code == 0)
+		NURON_lib_error_code=ERR_get_next_error_library();
+
+	if (NURON_error_init)
+		{
+		NURON_error_init=0;
+#ifndef OPENSSL_NO_ERR
+		ERR_load_strings(NURON_lib_error_code,NURON_str_functs);
+		ERR_load_strings(NURON_lib_error_code,NURON_str_reasons);
+#endif
+
+#ifdef NURON_LIB_NAME
+		NURON_lib_name->error = ERR_PACK(NURON_lib_error_code,0,0);
+		ERR_load_strings(0,NURON_lib_name);
+#endif
+		}
+	}
+
+static void ERR_unload_NURON_strings(void)
+	{
+	if (NURON_error_init == 0)
+		{
+#ifndef OPENSSL_NO_ERR
+		ERR_unload_strings(NURON_lib_error_code,NURON_str_functs);
+		ERR_unload_strings(NURON_lib_error_code,NURON_str_reasons);
+#endif
+
+#ifdef NURON_LIB_NAME
+		ERR_unload_strings(0,NURON_lib_name);
+#endif
+		NURON_error_init=1;
+		}
+	}
+
+static void ERR_NURON_error(int function, int reason, char *file, int line)
+	{
+	if (NURON_lib_error_code == 0)
+		NURON_lib_error_code=ERR_get_next_error_library();
+	ERR_PUT_error(NURON_lib_error_code,function,reason,file,line);
+	}
diff --git a/crypto/openssl/engines/e_nuron_err.h b/crypto/openssl/engines/e_nuron_err.h
new file mode 100644
index 000000000000..a56bfdf30398
--- /dev/null
+++ b/crypto/openssl/engines/e_nuron_err.h
@@ -0,0 +1,86 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_NURON_ERR_H
+#define HEADER_NURON_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_NURON_strings(void);
+static void ERR_unload_NURON_strings(void);
+static void ERR_NURON_error(int function, int reason, char *file, int line);
+#define NURONerr(f,r) ERR_NURON_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the NURON functions. */
+
+/* Function codes. */
+#define NURON_F_NURON_CTRL				 100
+#define NURON_F_NURON_FINISH				 101
+#define NURON_F_NURON_INIT				 102
+#define NURON_F_NURON_MOD_EXP				 103
+
+/* Reason codes. */
+#define NURON_R_ALREADY_LOADED				 100
+#define NURON_R_CTRL_COMMAND_NOT_IMPLEMENTED		 101
+#define NURON_R_DSO_FAILURE				 102
+#define NURON_R_DSO_FUNCTION_NOT_FOUND			 103
+#define NURON_R_DSO_NOT_FOUND				 104
+#define NURON_R_NOT_LOADED				 105
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/crypto/openssl/engines/e_sureware.c b/crypto/openssl/engines/e_sureware.c
new file mode 100644
index 000000000000..58fa9a98ee23
--- /dev/null
+++ b/crypto/openssl/engines/e_sureware.c
@@ -0,0 +1,1057 @@
+/* Written by Corinne Dive-Reclus(cdive@baltimore.com)
+* 
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+*    notice, this list of conditions and the following disclaimer. 
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+*    notice, this list of conditions and the following disclaimer in
+*    the documentation and/or other materials provided with the
+*    distribution.
+*
+* 3. All advertising materials mentioning features or use of this
+*    software must display the following acknowledgment:
+*    "This product includes software developed by the OpenSSL Project
+*    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+*
+* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+*    endorse or promote products derived from this software without
+*    prior written permission. For written permission, please contact
+*    licensing@OpenSSL.org.
+*
+* 5. Products derived from this software may not be called "OpenSSL"
+*    nor may "OpenSSL" appear in their names without prior written
+*    permission of the OpenSSL Project.
+*
+* 6. Redistributions of any form whatsoever must retain the following
+*    acknowledgment:
+*    "This product includes software developed by the OpenSSL Project
+*    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+*
+* Written by Corinne Dive-Reclus(cdive@baltimore.com)
+*
+* Copyright@2001 Baltimore Technologies Ltd.
+* All right Reserved.
+*																								*	
+*		THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND																			*
+*		ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE					* 
+*		IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE				*
+*		ARE DISCLAIMED.  IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE						*
+*		FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL				*
+*		DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS					*
+*		OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)					*
+*		HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT				*
+*		LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY				*
+*		OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF					*
+*		SUCH DAMAGE.																			*
+====================================================================*/
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/pem.h>
+#include <openssl/dso.h>
+#include <openssl/engine.h>
+#include <openssl/rand.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/bn.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_SUREWARE
+
+#ifdef FLAT_INC
+#include "sureware.h"
+#else
+#include "vendor_defns/sureware.h"
+#endif
+
+#define SUREWARE_LIB_NAME "sureware engine"
+#include "e_sureware_err.c"
+
+static int surewarehk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
+static int surewarehk_destroy(ENGINE *e);
+static int surewarehk_init(ENGINE *e);
+static int surewarehk_finish(ENGINE *e);
+static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+	const BIGNUM *m, BN_CTX *ctx);
+
+/* RSA stuff */
+#ifndef OPENSSL_NO_RSA
+static int surewarehk_rsa_priv_dec(int flen,const unsigned char *from,unsigned char *to,
+			RSA *rsa,int padding);
+static int surewarehk_rsa_sign(int flen,const unsigned char *from,unsigned char *to,
+			    RSA *rsa,int padding);
+#endif
+
+/* RAND stuff */
+static int surewarehk_rand_bytes(unsigned char *buf, int num);
+static void surewarehk_rand_seed(const void *buf, int num);
+static void surewarehk_rand_add(const void *buf, int num, double entropy);
+
+/* KM stuff */
+static EVP_PKEY *surewarehk_load_privkey(ENGINE *e, const char *key_id,
+	UI_METHOD *ui_method, void *callback_data);
+static EVP_PKEY *surewarehk_load_pubkey(ENGINE *e, const char *key_id,
+	UI_METHOD *ui_method, void *callback_data);
+static void surewarehk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+	int idx,long argl, void *argp);
+#if 0
+static void surewarehk_dh_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+	int idx,long argl, void *argp);
+#endif
+
+#ifndef OPENSSL_NO_RSA
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int surewarehk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+{
+	return surewarehk_modexp(r, a, p, m, ctx);
+}
+
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD surewarehk_rsa =
+	{
+	"SureWare RSA method",
+	NULL, /* pub_enc*/
+	NULL, /* pub_dec*/
+	surewarehk_rsa_sign, /* our rsa_sign is OpenSSL priv_enc*/
+	surewarehk_rsa_priv_dec, /* priv_dec*/
+	NULL, /*mod_exp*/
+	surewarehk_mod_exp_mont, /*mod_exp_mongomery*/
+	NULL, /* init*/
+	NULL, /* finish*/
+	0,	/* RSA flag*/
+	NULL, 
+	NULL, /* OpenSSL sign*/
+	NULL, /* OpenSSL verify*/
+	NULL  /* keygen */
+	};
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* Our internal DH_METHOD that we provide pointers to */
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int surewarehk_modexp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+	const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+{
+	return surewarehk_modexp(r, a, p, m, ctx);
+}
+
+static DH_METHOD surewarehk_dh =
+	{
+	"SureWare DH method",
+	NULL,/*gen_key*/
+	NULL,/*agree,*/
+	surewarehk_modexp_dh, /*dh mod exp*/
+	NULL, /* init*/
+	NULL, /* finish*/
+	0,    /* flags*/
+	NULL,
+	NULL
+	};
+#endif
+
+static RAND_METHOD surewarehk_rand =
+	{
+	/* "SureWare RAND method", */
+	surewarehk_rand_seed,
+	surewarehk_rand_bytes,
+	NULL,/*cleanup*/
+	surewarehk_rand_add,
+	surewarehk_rand_bytes,
+	NULL,/*rand_status*/
+	};
+
+#ifndef OPENSSL_NO_DSA
+/* DSA stuff */
+static	DSA_SIG * surewarehk_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+static int surewarehk_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+		BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+		BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+	BIGNUM t;
+	int to_return = 0;
+	BN_init(&t);
+	/* let rr = a1 ^ p1 mod m */
+	if (!surewarehk_modexp(rr,a1,p1,m,ctx)) goto end;
+	/* let t = a2 ^ p2 mod m */
+	if (!surewarehk_modexp(&t,a2,p2,m,ctx)) goto end;
+	/* let rr = rr * t mod m */
+	if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end;
+	to_return = 1;
+end:
+	BN_free(&t);
+	return to_return;
+}
+
+static DSA_METHOD surewarehk_dsa =
+	{
+	 "SureWare DSA method", 
+	surewarehk_dsa_do_sign,
+	NULL,/*sign setup*/
+	NULL,/*verify,*/
+	surewarehk_dsa_mod_exp,/*mod exp*/
+	NULL,/*bn mod exp*/
+	NULL, /*init*/
+	NULL,/*finish*/
+	0,
+	NULL,
+	NULL,
+	NULL
+	};
+#endif
+
+static const char *engine_sureware_id = "sureware";
+static const char *engine_sureware_name = "SureWare hardware engine support";
+
+/* Now, to our own code */
+
+/* As this is only ever called once, there's no need for locking
+ * (indeed - the lock will already be held by our caller!!!) */
+static int bind_sureware(ENGINE *e)
+{
+#ifndef OPENSSL_NO_RSA
+	const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DSA
+	const DSA_METHOD *meth2;
+#endif
+#ifndef OPENSSL_NO_DH
+	const DH_METHOD *meth3;
+#endif
+
+	if(!ENGINE_set_id(e, engine_sureware_id) ||
+	   !ENGINE_set_name(e, engine_sureware_name) ||
+#ifndef OPENSSL_NO_RSA
+	   !ENGINE_set_RSA(e, &surewarehk_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+	   !ENGINE_set_DSA(e, &surewarehk_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+	   !ENGINE_set_DH(e, &surewarehk_dh) ||
+#endif
+	   !ENGINE_set_RAND(e, &surewarehk_rand) ||
+	   !ENGINE_set_destroy_function(e, surewarehk_destroy) ||
+	   !ENGINE_set_init_function(e, surewarehk_init) ||
+	   !ENGINE_set_finish_function(e, surewarehk_finish) ||
+	   !ENGINE_set_ctrl_function(e, surewarehk_ctrl) ||
+	   !ENGINE_set_load_privkey_function(e, surewarehk_load_privkey) ||
+	   !ENGINE_set_load_pubkey_function(e, surewarehk_load_pubkey))
+	  return 0;
+
+#ifndef OPENSSL_NO_RSA
+	/* We know that the "PKCS1_SSLeay()" functions hook properly
+	 * to the cswift-specific mod_exp and mod_exp_crt so we use
+	 * those functions. NB: We don't use ENGINE_openssl() or
+	 * anything "more generic" because something like the RSAref
+	 * code may not hook properly, and if you own one of these
+	 * cards then you have the right to do RSA operations on it
+	 * anyway! */ 
+	meth1 = RSA_PKCS1_SSLeay();
+	if (meth1)
+	{
+		surewarehk_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+		surewarehk_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+	}
+#endif
+
+#ifndef OPENSSL_NO_DSA
+	/* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
+	 * bits. */
+	meth2 = DSA_OpenSSL();
+	if (meth2)
+	{
+		surewarehk_dsa.dsa_do_verify = meth2->dsa_do_verify;
+	}
+#endif
+
+#ifndef OPENSSL_NO_DH
+	/* Much the same for Diffie-Hellman */
+	meth3 = DH_OpenSSL();
+	if (meth3)
+	{
+		surewarehk_dh.generate_key = meth3->generate_key;
+		surewarehk_dh.compute_key = meth3->compute_key;
+	}
+#endif
+
+	/* Ensure the sureware error handling is set up */
+	ERR_load_SUREWARE_strings();
+	return 1;
+}
+
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+static int bind_helper(ENGINE *e, const char *id)
+	{
+	if(id && (strcmp(id, engine_sureware_id) != 0))
+		return 0;
+	if(!bind_sureware(e))
+		return 0;
+	return 1;
+	}       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
+#else
+static ENGINE *engine_sureware(void)
+	{
+	ENGINE *ret = ENGINE_new();
+	if(!ret)
+		return NULL;
+	if(!bind_sureware(ret))
+		{
+		ENGINE_free(ret);
+		return NULL;
+		}
+	return ret;
+	}
+
+void ENGINE_load_sureware(void)
+	{
+	/* Copied from eng_[openssl|dyn].c */
+	ENGINE *toadd = engine_sureware();
+	if(!toadd) return;
+	ENGINE_add(toadd);
+	ENGINE_free(toadd);
+	ERR_clear_error();
+	}
+#endif
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the SureWareHook library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *surewarehk_dso = NULL;
+#ifndef OPENSSL_NO_RSA
+static int rsaHndidx = -1;	/* Index for KM handle.  Not really used yet. */
+#endif
+#ifndef OPENSSL_NO_DSA
+static int dsaHndidx = -1;	/* Index for KM handle.  Not really used yet. */
+#endif
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+static SureWareHook_Init_t *p_surewarehk_Init = NULL;
+static SureWareHook_Finish_t *p_surewarehk_Finish = NULL;
+static SureWareHook_Rand_Bytes_t *p_surewarehk_Rand_Bytes = NULL;
+static SureWareHook_Rand_Seed_t *p_surewarehk_Rand_Seed = NULL;
+static SureWareHook_Load_Privkey_t *p_surewarehk_Load_Privkey = NULL;
+static SureWareHook_Info_Pubkey_t *p_surewarehk_Info_Pubkey = NULL;
+static SureWareHook_Load_Rsa_Pubkey_t *p_surewarehk_Load_Rsa_Pubkey = NULL;
+static SureWareHook_Load_Dsa_Pubkey_t *p_surewarehk_Load_Dsa_Pubkey = NULL;
+static SureWareHook_Free_t *p_surewarehk_Free=NULL;
+static SureWareHook_Rsa_Priv_Dec_t *p_surewarehk_Rsa_Priv_Dec=NULL;
+static SureWareHook_Rsa_Sign_t *p_surewarehk_Rsa_Sign=NULL;
+static SureWareHook_Dsa_Sign_t *p_surewarehk_Dsa_Sign=NULL;
+static SureWareHook_Mod_Exp_t *p_surewarehk_Mod_Exp=NULL;
+
+/* Used in the DSO operations. */
+static const char *surewarehk_LIBNAME = "SureWareHook";
+static const char *n_surewarehk_Init = "SureWareHook_Init";
+static const char *n_surewarehk_Finish = "SureWareHook_Finish";
+static const char *n_surewarehk_Rand_Bytes="SureWareHook_Rand_Bytes";
+static const char *n_surewarehk_Rand_Seed="SureWareHook_Rand_Seed";
+static const char *n_surewarehk_Load_Privkey="SureWareHook_Load_Privkey";
+static const char *n_surewarehk_Info_Pubkey="SureWareHook_Info_Pubkey";
+static const char *n_surewarehk_Load_Rsa_Pubkey="SureWareHook_Load_Rsa_Pubkey";
+static const char *n_surewarehk_Load_Dsa_Pubkey="SureWareHook_Load_Dsa_Pubkey";
+static const char *n_surewarehk_Free="SureWareHook_Free";
+static const char *n_surewarehk_Rsa_Priv_Dec="SureWareHook_Rsa_Priv_Dec";
+static const char *n_surewarehk_Rsa_Sign="SureWareHook_Rsa_Sign";
+static const char *n_surewarehk_Dsa_Sign="SureWareHook_Dsa_Sign";
+static const char *n_surewarehk_Mod_Exp="SureWareHook_Mod_Exp";
+static BIO *logstream = NULL;
+
+/* SureWareHook library functions and mechanics - these are used by the
+ * higher-level functions further down. NB: As and where there's no
+ * error checking, take a look lower down where these functions are
+ * called, the checking and error handling is probably down there. 
+*/
+static int threadsafe=1;
+static int surewarehk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
+{
+	int to_return = 1;
+
+	switch(cmd)
+	{
+		case ENGINE_CTRL_SET_LOGSTREAM:
+		{
+			BIO *bio = (BIO *)p;
+			CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+			if (logstream)
+			{
+				BIO_free(logstream);
+				logstream = NULL;
+			}
+			if (CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO) > 1)
+				logstream = bio;
+			else
+				SUREWAREerr(SUREWARE_F_SUREWAREHK_CTRL,SUREWARE_R_BIO_WAS_FREED);
+		}
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		break;
+	/* This will prevent the initialisation function from "installing"
+	 * the mutex-handling callbacks, even if they are available from
+	 * within the library (or were provided to the library from the
+	 * calling application). This is to remove any baggage for
+	 * applications not using multithreading. */
+	case ENGINE_CTRL_CHIL_NO_LOCKING:
+		CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+		threadsafe = 0;
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		break;
+
+	/* The command isn't understood by this engine */
+	default:
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_CTRL,
+			ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+		to_return = 0;
+		break;
+		}
+
+	return to_return;
+}
+
+/* Destructor (complements the "ENGINE_surewarehk()" constructor) */
+static int surewarehk_destroy(ENGINE *e)
+{
+	ERR_unload_SUREWARE_strings();
+	return 1;
+}
+
+/* (de)initialisation functions. */
+static int surewarehk_init(ENGINE *e)
+{
+	char msg[64]="ENGINE_init";
+	SureWareHook_Init_t *p1=NULL;
+	SureWareHook_Finish_t *p2=NULL;
+	SureWareHook_Rand_Bytes_t *p3=NULL;
+	SureWareHook_Rand_Seed_t *p4=NULL;
+	SureWareHook_Load_Privkey_t *p5=NULL;
+	SureWareHook_Load_Rsa_Pubkey_t *p6=NULL;
+	SureWareHook_Free_t *p7=NULL;
+	SureWareHook_Rsa_Priv_Dec_t *p8=NULL;
+	SureWareHook_Rsa_Sign_t *p9=NULL;
+	SureWareHook_Dsa_Sign_t *p12=NULL;
+	SureWareHook_Info_Pubkey_t *p13=NULL;
+	SureWareHook_Load_Dsa_Pubkey_t *p14=NULL;
+	SureWareHook_Mod_Exp_t *p15=NULL;
+
+	if(surewarehk_dso != NULL)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_ALREADY_LOADED);
+		goto err;
+	}
+	/* Attempt to load libsurewarehk.so/surewarehk.dll/whatever. */
+	surewarehk_dso = DSO_load(NULL, surewarehk_LIBNAME, NULL, 0);
+	if(surewarehk_dso == NULL)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_DSO_FAILURE);
+		goto err;
+	}
+	if(!(p1=(SureWareHook_Init_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Init)) ||
+	   !(p2=(SureWareHook_Finish_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Finish)) ||
+	   !(p3=(SureWareHook_Rand_Bytes_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rand_Bytes)) ||
+	   !(p4=(SureWareHook_Rand_Seed_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rand_Seed)) ||
+	   !(p5=(SureWareHook_Load_Privkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Privkey)) ||
+	   !(p6=(SureWareHook_Load_Rsa_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Rsa_Pubkey)) ||
+	   !(p7=(SureWareHook_Free_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Free)) ||
+	   !(p8=(SureWareHook_Rsa_Priv_Dec_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rsa_Priv_Dec)) ||
+	   !(p9=(SureWareHook_Rsa_Sign_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rsa_Sign)) ||
+	   !(p12=(SureWareHook_Dsa_Sign_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Dsa_Sign)) ||
+	   !(p13=(SureWareHook_Info_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Info_Pubkey)) ||
+	   !(p14=(SureWareHook_Load_Dsa_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Dsa_Pubkey)) ||
+	   !(p15=(SureWareHook_Mod_Exp_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Mod_Exp)))
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_DSO_FAILURE);
+		goto err;
+	}
+	/* Copy the pointers */
+	p_surewarehk_Init = p1;
+	p_surewarehk_Finish = p2;
+	p_surewarehk_Rand_Bytes = p3;
+	p_surewarehk_Rand_Seed = p4;
+	p_surewarehk_Load_Privkey = p5;
+	p_surewarehk_Load_Rsa_Pubkey = p6;
+	p_surewarehk_Free = p7;
+	p_surewarehk_Rsa_Priv_Dec = p8;
+	p_surewarehk_Rsa_Sign = p9;
+	p_surewarehk_Dsa_Sign = p12;
+	p_surewarehk_Info_Pubkey = p13;
+	p_surewarehk_Load_Dsa_Pubkey = p14;
+	p_surewarehk_Mod_Exp = p15;
+	/* Contact the hardware and initialises it. */
+	if(p_surewarehk_Init(msg,threadsafe)==SUREWAREHOOK_ERROR_UNIT_FAILURE)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,SUREWARE_R_UNIT_FAILURE);
+		goto err;
+	}
+	if(p_surewarehk_Init(msg,threadsafe)==SUREWAREHOOK_ERROR_UNIT_FAILURE)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,SUREWARE_R_UNIT_FAILURE);
+		goto err;
+	}
+	/* try to load the default private key, if failed does not return a failure but
+           wait for an explicit ENGINE_load_privakey */
+	surewarehk_load_privkey(e,NULL,NULL,NULL);
+
+	/* Everything's fine. */
+#ifndef OPENSSL_NO_RSA
+	if (rsaHndidx == -1)
+		rsaHndidx = RSA_get_ex_new_index(0,
+						"SureWareHook RSA key handle",
+						NULL, NULL, surewarehk_ex_free);
+#endif
+#ifndef OPENSSL_NO_DSA
+	if (dsaHndidx == -1)
+		dsaHndidx = DSA_get_ex_new_index(0,
+						"SureWareHook DSA key handle",
+						NULL, NULL, surewarehk_ex_free);
+#endif
+
+	return 1;
+err:
+	if(surewarehk_dso)
+		DSO_free(surewarehk_dso);
+	surewarehk_dso = NULL;
+	p_surewarehk_Init = NULL;
+	p_surewarehk_Finish = NULL;
+	p_surewarehk_Rand_Bytes = NULL;
+	p_surewarehk_Rand_Seed = NULL;
+	p_surewarehk_Load_Privkey = NULL;
+	p_surewarehk_Load_Rsa_Pubkey = NULL;
+	p_surewarehk_Free = NULL;
+	p_surewarehk_Rsa_Priv_Dec = NULL;
+	p_surewarehk_Rsa_Sign = NULL;
+	p_surewarehk_Dsa_Sign = NULL;
+	p_surewarehk_Info_Pubkey = NULL;
+	p_surewarehk_Load_Dsa_Pubkey = NULL;
+	p_surewarehk_Mod_Exp = NULL;
+	return 0;
+}
+
+static int surewarehk_finish(ENGINE *e)
+{
+	int to_return = 1;
+	if(surewarehk_dso == NULL)
+		{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_FINISH,ENGINE_R_NOT_LOADED);
+		to_return = 0;
+		goto err;
+		}
+	p_surewarehk_Finish();
+	if(!DSO_free(surewarehk_dso))
+		{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_FINISH,ENGINE_R_DSO_FAILURE);
+		to_return = 0;
+		goto err;
+		}
+ err:
+	if (logstream)
+		BIO_free(logstream);
+	surewarehk_dso = NULL;
+	p_surewarehk_Init = NULL;
+	p_surewarehk_Finish = NULL;
+	p_surewarehk_Rand_Bytes = NULL;
+	p_surewarehk_Rand_Seed = NULL;
+	p_surewarehk_Load_Privkey = NULL;
+	p_surewarehk_Load_Rsa_Pubkey = NULL;
+	p_surewarehk_Free = NULL;
+	p_surewarehk_Rsa_Priv_Dec = NULL;
+	p_surewarehk_Rsa_Sign = NULL;
+	p_surewarehk_Dsa_Sign = NULL;
+	p_surewarehk_Info_Pubkey = NULL;
+	p_surewarehk_Load_Dsa_Pubkey = NULL;
+	p_surewarehk_Mod_Exp = NULL;
+	return to_return;
+}
+
+static void surewarehk_error_handling(char *const msg,int func,int ret)
+{
+	switch (ret)
+	{
+		case SUREWAREHOOK_ERROR_UNIT_FAILURE:
+			ENGINEerr(func,SUREWARE_R_UNIT_FAILURE);
+			break;
+		case SUREWAREHOOK_ERROR_FALLBACK:
+			ENGINEerr(func,SUREWARE_R_REQUEST_FALLBACK);
+			break;
+		case SUREWAREHOOK_ERROR_DATA_SIZE:
+			ENGINEerr(func,SUREWARE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+			break;
+		case SUREWAREHOOK_ERROR_INVALID_PAD:
+			ENGINEerr(func,SUREWARE_R_PADDING_CHECK_FAILED);
+			break;
+		default:
+			ENGINEerr(func,SUREWARE_R_REQUEST_FAILED);
+			break;
+		case 1:/*nothing*/
+			msg[0]='\0';
+	}
+	if (*msg)
+	{
+		ERR_add_error_data(1,msg);
+		if (logstream)
+		{
+			CRYPTO_w_lock(CRYPTO_LOCK_BIO);
+			BIO_write(logstream, msg, strlen(msg));
+			CRYPTO_w_unlock(CRYPTO_LOCK_BIO);
+		}
+	}
+}
+
+static int surewarehk_rand_bytes(unsigned char *buf, int num)
+{
+	int ret=0;
+	char msg[64]="ENGINE_rand_bytes";
+	if(!p_surewarehk_Rand_Bytes)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_RAND_BYTES,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+	{
+		ret = p_surewarehk_Rand_Bytes(msg,buf, num);
+		surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RAND_BYTES,ret);
+	}
+	return ret==1 ? 1 : 0;
+}
+
+static void surewarehk_rand_seed(const void *buf, int num)
+{
+	int ret=0;
+	char msg[64]="ENGINE_rand_seed";
+	if(!p_surewarehk_Rand_Seed)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_RAND_SEED,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+	{
+		ret = p_surewarehk_Rand_Seed(msg,buf, num);
+		surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RAND_SEED,ret);
+	}
+}
+
+static void surewarehk_rand_add(const void *buf, int num, double entropy)
+{
+	surewarehk_rand_seed(buf,num);
+}
+
+static EVP_PKEY* sureware_load_public(ENGINE *e,const char *key_id,char *hptr,unsigned long el,char keytype)
+{
+	EVP_PKEY *res = NULL;
+#ifndef OPENSSL_NO_RSA
+	RSA *rsatmp = NULL;
+#endif
+#ifndef OPENSSL_NO_DSA
+	DSA *dsatmp=NULL;
+#endif
+	char msg[64]="sureware_load_public";
+	int ret=0;
+	if(!p_surewarehk_Load_Rsa_Pubkey || !p_surewarehk_Load_Dsa_Pubkey)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWARE_LOAD_PUBLIC,ENGINE_R_NOT_INITIALISED);
+		goto err;
+	}
+	switch (keytype)
+	{
+#ifndef OPENSSL_NO_RSA
+	case 1: /*RSA*/
+		/* set private external reference */
+		rsatmp = RSA_new_method(e);
+		RSA_set_ex_data(rsatmp,rsaHndidx,hptr);
+		rsatmp->flags |= RSA_FLAG_EXT_PKEY;
+
+		/* set public big nums*/
+		rsatmp->e = BN_new();
+		rsatmp->n = BN_new();
+		bn_expand2(rsatmp->e, el/sizeof(BN_ULONG));
+		bn_expand2(rsatmp->n, el/sizeof(BN_ULONG));
+		if (!rsatmp->e || rsatmp->e->dmax!=(int)(el/sizeof(BN_ULONG))|| 
+			!rsatmp->n || rsatmp->n->dmax!=(int)(el/sizeof(BN_ULONG)))
+			goto err;
+		ret=p_surewarehk_Load_Rsa_Pubkey(msg,key_id,el,
+						 (unsigned long *)rsatmp->n->d,
+						 (unsigned long *)rsatmp->e->d);
+		surewarehk_error_handling(msg,SUREWARE_F_SUREWARE_LOAD_PUBLIC,ret);
+		if (ret!=1)
+		{
+			SUREWAREerr(SUREWARE_F_SUREWARE_LOAD_PUBLIC,ENGINE_R_FAILED_LOADING_PUBLIC_KEY);
+			goto err;
+		}
+		/* normalise pub e and pub n */
+		rsatmp->e->top=el/sizeof(BN_ULONG);
+		bn_fix_top(rsatmp->e);
+		rsatmp->n->top=el/sizeof(BN_ULONG);
+		bn_fix_top(rsatmp->n);
+		/* create an EVP object: engine + rsa key */
+		res = EVP_PKEY_new();
+		EVP_PKEY_assign_RSA(res, rsatmp);
+		break;
+#endif
+
+#ifndef OPENSSL_NO_DSA
+	case 2:/*DSA*/
+		/* set private/public external reference */
+		dsatmp = DSA_new_method(e);
+		DSA_set_ex_data(dsatmp,dsaHndidx,hptr);
+		/*dsatmp->flags |= DSA_FLAG_EXT_PKEY;*/
+
+		/* set public key*/
+		dsatmp->pub_key = BN_new();
+		dsatmp->p = BN_new();
+		dsatmp->q = BN_new();
+		dsatmp->g = BN_new();
+		bn_expand2(dsatmp->pub_key, el/sizeof(BN_ULONG));
+		bn_expand2(dsatmp->p, el/sizeof(BN_ULONG));
+		bn_expand2(dsatmp->q, 20/sizeof(BN_ULONG));
+		bn_expand2(dsatmp->g, el/sizeof(BN_ULONG));
+		if (!dsatmp->pub_key || dsatmp->pub_key->dmax!=(int)(el/sizeof(BN_ULONG))|| 
+			!dsatmp->p || dsatmp->p->dmax!=(int)(el/sizeof(BN_ULONG)) ||
+			!dsatmp->q || dsatmp->q->dmax!=20/sizeof(BN_ULONG) ||
+			!dsatmp->g || dsatmp->g->dmax!=(int)(el/sizeof(BN_ULONG)))
+			goto err;
+
+		ret=p_surewarehk_Load_Dsa_Pubkey(msg,key_id,el,
+						 (unsigned long *)dsatmp->pub_key->d, 
+						 (unsigned long *)dsatmp->p->d,
+						 (unsigned long *)dsatmp->q->d,
+						 (unsigned long *)dsatmp->g->d);
+		surewarehk_error_handling(msg,SUREWARE_F_SUREWARE_LOAD_PUBLIC,ret);
+		if (ret!=1)
+		{
+			SUREWAREerr(SUREWARE_F_SUREWARE_LOAD_PUBLIC,ENGINE_R_FAILED_LOADING_PUBLIC_KEY);
+			goto err;
+		}
+		/* set parameters */
+		/* normalise pubkey and parameters in case of */
+		dsatmp->pub_key->top=el/sizeof(BN_ULONG);
+		bn_fix_top(dsatmp->pub_key);
+		dsatmp->p->top=el/sizeof(BN_ULONG);
+		bn_fix_top(dsatmp->p);
+		dsatmp->q->top=20/sizeof(BN_ULONG);
+		bn_fix_top(dsatmp->q);
+		dsatmp->g->top=el/sizeof(BN_ULONG);
+		bn_fix_top(dsatmp->g);
+
+		/* create an EVP object: engine + rsa key */
+		res = EVP_PKEY_new();
+		EVP_PKEY_assign_DSA(res, dsatmp);
+		break;
+#endif
+
+	default:
+		SUREWAREerr(SUREWARE_F_SUREWARE_LOAD_PUBLIC,ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+		goto err;
+	}
+	return res;
+ err:
+	if (res)
+		EVP_PKEY_free(res);
+#ifndef OPENSSL_NO_RSA
+	if (rsatmp)
+		RSA_free(rsatmp);
+#endif
+#ifndef OPENSSL_NO_DSA
+	if (dsatmp)
+		DSA_free(dsatmp);
+#endif
+	return NULL;
+}
+
+static EVP_PKEY *surewarehk_load_privkey(ENGINE *e, const char *key_id,
+					 UI_METHOD *ui_method, void *callback_data)
+{
+	EVP_PKEY *res = NULL;
+	int ret=0;
+	unsigned long el=0;
+	char *hptr=NULL;
+	char keytype=0;
+	char msg[64]="ENGINE_load_privkey";
+
+	if(!p_surewarehk_Load_Privkey)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVKEY,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+	{
+		ret=p_surewarehk_Load_Privkey(msg,key_id,&hptr,&el,&keytype);
+		if (ret!=1)
+		{
+			SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVKEY,ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+			ERR_add_error_data(1,msg);		
+		}
+		else
+			res=sureware_load_public(e,key_id,hptr,el,keytype);
+	}
+	return res;
+}
+
+static EVP_PKEY *surewarehk_load_pubkey(ENGINE *e, const char *key_id,
+					 UI_METHOD *ui_method, void *callback_data)
+{
+	EVP_PKEY *res = NULL;
+	int ret=0;
+	unsigned long el=0;
+	char *hptr=NULL;
+	char keytype=0;
+	char msg[64]="ENGINE_load_pubkey";
+
+	if(!p_surewarehk_Info_Pubkey)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBKEY,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+	{
+		/* call once to identify if DSA or RSA */
+		ret=p_surewarehk_Info_Pubkey(msg,key_id,&el,&keytype);
+		if (ret!=1)
+		{
+			SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBKEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY);
+			ERR_add_error_data(1,msg);
+		}
+		else
+			res=sureware_load_public(e,key_id,hptr,el,keytype);
+	}
+	return res;
+}
+
+/* This cleans up an RSA/DSA KM key(do not destroy the key into the hardware)
+, called when ex_data is freed */
+static void surewarehk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+	int idx,long argl, void *argp)
+{
+	if(!p_surewarehk_Free)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_EX_FREE,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+		p_surewarehk_Free((char *)item,0);
+}
+
+#if 0
+/* not currently used (bug?) */
+/* This cleans up an DH KM key (destroys the key into hardware), 
+called when ex_data is freed */
+static void surewarehk_dh_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+	int idx,long argl, void *argp)
+{
+	if(!p_surewarehk_Free)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_DH_EX_FREE,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+		p_surewarehk_Free((char *)item,1);
+}
+#endif
+
+/*
+* return number of decrypted bytes
+*/
+#ifndef OPENSSL_NO_RSA
+static int surewarehk_rsa_priv_dec(int flen,const unsigned char *from,unsigned char *to,
+			RSA *rsa,int padding)
+{
+	int ret=0,tlen;
+	char *buf=NULL,*hptr=NULL;
+	char msg[64]="ENGINE_rsa_priv_dec";
+	if (!p_surewarehk_Rsa_Priv_Dec)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ENGINE_R_NOT_INITIALISED);
+	}
+	/* extract ref to private key */
+	else if (!(hptr=RSA_get_ex_data(rsa, rsaHndidx)))
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,SUREWARE_R_MISSING_KEY_COMPONENTS);
+		goto err;
+	}
+	/* analyse what padding we can do into the hardware */
+	if (padding==RSA_PKCS1_PADDING)
+	{
+		/* do it one shot */
+		ret=p_surewarehk_Rsa_Priv_Dec(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_PKCS1_PAD);
+		surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ret);
+		if (ret!=1)
+			goto err;
+		ret=tlen;
+	}
+	else /* do with no padding into hardware */
+	{
+		ret=p_surewarehk_Rsa_Priv_Dec(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_NO_PAD);
+		surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ret);
+		if (ret!=1)
+			goto err;
+		/* intermediate buffer for padding */
+		if ((buf=OPENSSL_malloc(tlen)) == NULL)
+		{
+			SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		memcpy(buf,to,tlen);/* transfert to into buf */
+		switch (padding) /* check padding in software */
+		{
+#ifndef OPENSSL_NO_SHA
+		case RSA_PKCS1_OAEP_PADDING:
+			ret=RSA_padding_check_PKCS1_OAEP(to,tlen,(unsigned char *)buf,tlen,tlen,NULL,0);
+			break;
+#endif
+ 		case RSA_SSLV23_PADDING:
+			ret=RSA_padding_check_SSLv23(to,tlen,(unsigned char *)buf,flen,tlen);
+			break;
+		case RSA_NO_PADDING:
+			ret=RSA_padding_check_none(to,tlen,(unsigned char *)buf,flen,tlen);
+			break;
+		default:
+			SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,SUREWARE_R_UNKNOWN_PADDING_TYPE);
+			goto err;
+		}
+		if (ret < 0)
+			SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,SUREWARE_R_PADDING_CHECK_FAILED);
+	}
+err:
+	if (buf)
+	{
+		OPENSSL_cleanse(buf,tlen);
+		OPENSSL_free(buf);
+	}
+	return ret;
+}
+
+/*
+* Does what OpenSSL rsa_priv_enc does.
+*/
+static int surewarehk_rsa_sign(int flen,const unsigned char *from,unsigned char *to,
+			    RSA *rsa,int padding)
+{
+	int ret=0,tlen;
+	char *hptr=NULL;
+	char msg[64]="ENGINE_rsa_sign";
+	if (!p_surewarehk_Rsa_Sign)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_SIGN,ENGINE_R_NOT_INITIALISED);
+	}
+	/* extract ref to private key */
+	else if (!(hptr=RSA_get_ex_data(rsa, rsaHndidx)))
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_SIGN,SUREWARE_R_MISSING_KEY_COMPONENTS);
+	}
+	else
+	{
+		switch (padding)
+		{
+		case RSA_PKCS1_PADDING: /* do it in one shot */
+			ret=p_surewarehk_Rsa_Sign(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_PKCS1_PAD);
+			surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_SIGN,ret);
+			break;
+		case RSA_NO_PADDING:
+		default:
+			SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_SIGN,SUREWARE_R_UNKNOWN_PADDING_TYPE);
+		}
+	}
+	return ret==1 ? tlen : ret;
+}
+
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* DSA sign and verify */
+static	DSA_SIG * surewarehk_dsa_do_sign(const unsigned char *from, int flen, DSA *dsa)
+{
+	int ret=0;
+	char *hptr=NULL;
+	DSA_SIG *psign=NULL;
+	char msg[64]="ENGINE_dsa_do_sign";
+	if (!p_surewarehk_Dsa_Sign)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ENGINE_R_NOT_INITIALISED);
+		goto err;
+	}
+	/* extract ref to private key */
+	else if (!(hptr=DSA_get_ex_data(dsa, dsaHndidx)))
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,SUREWARE_R_MISSING_KEY_COMPONENTS);
+		goto err;
+	}
+	else
+	{
+		if((psign = DSA_SIG_new()) == NULL)
+		{
+			SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		psign->r=BN_new();
+		psign->s=BN_new();
+		bn_expand2(psign->r, 20/sizeof(BN_ULONG));
+		bn_expand2(psign->s, 20/sizeof(BN_ULONG));
+		if (!psign->r || psign->r->dmax!=20/sizeof(BN_ULONG) ||
+			!psign->s || psign->s->dmax!=20/sizeof(BN_ULONG))
+			goto err;
+		ret=p_surewarehk_Dsa_Sign(msg,flen,from,
+					  (unsigned long *)psign->r->d,
+					  (unsigned long *)psign->s->d,
+					  hptr);
+		surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ret);
+	}
+	psign->r->top=20/sizeof(BN_ULONG);
+	bn_fix_top(psign->r);
+	psign->s->top=20/sizeof(BN_ULONG);
+	bn_fix_top(psign->s);
+
+err:	
+	if (psign)
+	{
+		DSA_SIG_free(psign);
+		psign=NULL;
+	}
+	return psign;
+}
+#endif
+
+static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			     const BIGNUM *m, BN_CTX *ctx)
+{
+	int ret=0;
+	char msg[64]="ENGINE_modexp";
+	if (!p_surewarehk_Mod_Exp)
+	{
+		SUREWAREerr(SUREWARE_F_SUREWAREHK_MODEXP,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+	{
+		bn_expand2(r,m->top);
+		if (r && r->dmax==m->top)
+		{
+			/* do it*/
+			ret=p_surewarehk_Mod_Exp(msg,
+						 m->top*sizeof(BN_ULONG),
+						 (unsigned long *)m->d,
+						 p->top*sizeof(BN_ULONG),
+						 (unsigned long *)p->d,
+						 a->top*sizeof(BN_ULONG),
+						 (unsigned long *)a->d,
+						 (unsigned long *)r->d);
+			surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_MODEXP,ret);
+			if (ret==1)
+			{
+				/* normalise result */
+				r->top=m->top;
+				bn_fix_top(r);
+			}
+		}
+	}
+	return ret;
+}
+#endif /* !OPENSSL_NO_HW_SureWare */
+#endif /* !OPENSSL_NO_HW */
diff --git a/crypto/openssl/engines/e_sureware.ec b/crypto/openssl/engines/e_sureware.ec
new file mode 100644
index 000000000000..3d266b8b7cf1
--- /dev/null
+++ b/crypto/openssl/engines/e_sureware.ec
@@ -0,0 +1 @@
+L SUREWARE	e_sureware_err.h		e_sureware_err.c
diff --git a/crypto/openssl/engines/e_sureware_err.c b/crypto/openssl/engines/e_sureware_err.c
new file mode 100644
index 000000000000..d4ca68c1dbc4
--- /dev/null
+++ b/crypto/openssl/engines/e_sureware_err.c
@@ -0,0 +1,158 @@
+/* e_sureware_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "e_sureware_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(0,func,0)
+#define ERR_REASON(reason) ERR_PACK(0,0,reason)
+
+static ERR_STRING_DATA SUREWARE_str_functs[]=
+	{
+{ERR_FUNC(SUREWARE_F_SUREWAREHK_CTRL),	"SUREWAREHK_CTRL"},
+{ERR_FUNC(SUREWARE_F_SUREWAREHK_DH_EX_FREE),	"SUREWAREHK_DH_EX_FREE"},
+{ERR_FUNC(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN),	"SUREWAREHK_DSA_DO_SIGN"},
+{ERR_FUNC(SUREWARE_F_SUREWAREHK_EX_FREE),	"SUREWAREHK_EX_FREE"},
+{ERR_FUNC(SUREWARE_F_SUREWAREHK_FINISH),	"SUREWAREHK_FINISH"},
+{ERR_FUNC(SUREWARE_F_SUREWAREHK_INIT),	"SUREWAREHK_INIT"},
+{ERR_FUNC(SUREWARE_F_SUREWAREHK_LOAD_PRIVKEY),	"SUREWAREHK_LOAD_PRIVKEY"},
+{ERR_FUNC(SUREWARE_F_SUREWAREHK_LOAD_PUBKEY),	"SUREWAREHK_LOAD_PUBKEY"},
+{ERR_FUNC(SUREWARE_F_SUREWAREHK_MODEXP),	"SUREWAREHK_MODEXP"},
+{ERR_FUNC(SUREWARE_F_SUREWAREHK_RAND_BYTES),	"SUREWAREHK_RAND_BYTES"},
+{ERR_FUNC(SUREWARE_F_SUREWAREHK_RAND_SEED),	"SUREWAREHK_RAND_SEED"},
+{ERR_FUNC(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC),	"SUREWAREHK_RSA_PRIV_DEC"},
+{ERR_FUNC(SUREWARE_F_SUREWAREHK_RSA_SIGN),	"SUREWAREHK_RSA_SIGN"},
+{ERR_FUNC(SUREWARE_F_SUREWARE_LOAD_PUBLIC),	"SUREWARE_LOAD_PUBLIC"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA SUREWARE_str_reasons[]=
+	{
+{ERR_REASON(SUREWARE_R_BIO_WAS_FREED)    ,"bio was freed"},
+{ERR_REASON(SUREWARE_R_MISSING_KEY_COMPONENTS),"missing key components"},
+{ERR_REASON(SUREWARE_R_PADDING_CHECK_FAILED),"padding check failed"},
+{ERR_REASON(SUREWARE_R_REQUEST_FAILED)   ,"request failed"},
+{ERR_REASON(SUREWARE_R_REQUEST_FALLBACK) ,"request fallback"},
+{ERR_REASON(SUREWARE_R_SIZE_TOO_LARGE_OR_TOO_SMALL),"size too large or too small"},
+{ERR_REASON(SUREWARE_R_UNIT_FAILURE)     ,"unit failure"},
+{ERR_REASON(SUREWARE_R_UNKNOWN_PADDING_TYPE),"unknown padding type"},
+{0,NULL}
+	};
+
+#endif
+
+#ifdef SUREWARE_LIB_NAME
+static ERR_STRING_DATA SUREWARE_lib_name[]=
+        {
+{0	,SUREWARE_LIB_NAME},
+{0,NULL}
+	};
+#endif
+
+
+static int SUREWARE_lib_error_code=0;
+static int SUREWARE_error_init=1;
+
+static void ERR_load_SUREWARE_strings(void)
+	{
+	if (SUREWARE_lib_error_code == 0)
+		SUREWARE_lib_error_code=ERR_get_next_error_library();
+
+	if (SUREWARE_error_init)
+		{
+		SUREWARE_error_init=0;
+#ifndef OPENSSL_NO_ERR
+		ERR_load_strings(SUREWARE_lib_error_code,SUREWARE_str_functs);
+		ERR_load_strings(SUREWARE_lib_error_code,SUREWARE_str_reasons);
+#endif
+
+#ifdef SUREWARE_LIB_NAME
+		SUREWARE_lib_name->error = ERR_PACK(SUREWARE_lib_error_code,0,0);
+		ERR_load_strings(0,SUREWARE_lib_name);
+#endif
+		}
+	}
+
+static void ERR_unload_SUREWARE_strings(void)
+	{
+	if (SUREWARE_error_init == 0)
+		{
+#ifndef OPENSSL_NO_ERR
+		ERR_unload_strings(SUREWARE_lib_error_code,SUREWARE_str_functs);
+		ERR_unload_strings(SUREWARE_lib_error_code,SUREWARE_str_reasons);
+#endif
+
+#ifdef SUREWARE_LIB_NAME
+		ERR_unload_strings(0,SUREWARE_lib_name);
+#endif
+		SUREWARE_error_init=1;
+		}
+	}
+
+static void ERR_SUREWARE_error(int function, int reason, char *file, int line)
+	{
+	if (SUREWARE_lib_error_code == 0)
+		SUREWARE_lib_error_code=ERR_get_next_error_library();
+	ERR_PUT_error(SUREWARE_lib_error_code,function,reason,file,line);
+	}
diff --git a/crypto/openssl/engines/e_sureware_err.h b/crypto/openssl/engines/e_sureware_err.h
new file mode 100644
index 000000000000..82af229bec7b
--- /dev/null
+++ b/crypto/openssl/engines/e_sureware_err.h
@@ -0,0 +1,98 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_SUREWARE_ERR_H
+#define HEADER_SUREWARE_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_SUREWARE_strings(void);
+static void ERR_unload_SUREWARE_strings(void);
+static void ERR_SUREWARE_error(int function, int reason, char *file, int line);
+#define SUREWAREerr(f,r) ERR_SUREWARE_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the SUREWARE functions. */
+
+/* Function codes. */
+#define SUREWARE_F_SUREWAREHK_CTRL			 100
+#define SUREWARE_F_SUREWAREHK_DH_EX_FREE		 112
+#define SUREWARE_F_SUREWAREHK_DSA_DO_SIGN		 101
+#define SUREWARE_F_SUREWAREHK_EX_FREE			 102
+#define SUREWARE_F_SUREWAREHK_FINISH			 103
+#define SUREWARE_F_SUREWAREHK_INIT			 104
+#define SUREWARE_F_SUREWAREHK_LOAD_PRIVKEY		 105
+#define SUREWARE_F_SUREWAREHK_LOAD_PUBKEY		 113
+#define SUREWARE_F_SUREWAREHK_MODEXP			 107
+#define SUREWARE_F_SUREWAREHK_RAND_BYTES		 108
+#define SUREWARE_F_SUREWAREHK_RAND_SEED			 109
+#define SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC		 110
+#define SUREWARE_F_SUREWAREHK_RSA_SIGN			 111
+#define SUREWARE_F_SUREWARE_LOAD_PUBLIC			 106
+
+/* Reason codes. */
+#define SUREWARE_R_BIO_WAS_FREED			 100
+#define SUREWARE_R_MISSING_KEY_COMPONENTS		 105
+#define SUREWARE_R_PADDING_CHECK_FAILED			 106
+#define SUREWARE_R_REQUEST_FAILED			 101
+#define SUREWARE_R_REQUEST_FALLBACK			 102
+#define SUREWARE_R_SIZE_TOO_LARGE_OR_TOO_SMALL		 103
+#define SUREWARE_R_UNIT_FAILURE				 104
+#define SUREWARE_R_UNKNOWN_PADDING_TYPE			 107
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/crypto/openssl/engines/e_ubsec.c b/crypto/openssl/engines/e_ubsec.c
new file mode 100644
index 000000000000..8b6c98bafa20
--- /dev/null
+++ b/crypto/openssl/engines/e_ubsec.c
@@ -0,0 +1,1070 @@
+/* crypto/engine/hw_ubsec.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ *
+ * Cloned shamelessly by Joe Tardo. 
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include <openssl/dso.h>
+#include <openssl/engine.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/bn.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_UBSEC
+
+#ifdef FLAT_INC
+#include "hw_ubsec.h"
+#else
+#include "vendor_defns/hw_ubsec.h"
+#endif
+
+#define UBSEC_LIB_NAME "ubsec engine"
+#include "e_ubsec_err.c"
+
+#define FAIL_TO_SOFTWARE -15
+
+static int ubsec_destroy(ENGINE *e);
+static int ubsec_init(ENGINE *e);
+static int ubsec_finish(ENGINE *e);
+static int ubsec_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
+static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx);
+static int ubsec_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *q, const BIGNUM *dp,
+			const BIGNUM *dq, const BIGNUM *qinv, BN_CTX *ctx);
+#ifndef OPENSSL_NO_RSA
+static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
+#endif
+static int ubsec_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#ifndef OPENSSL_NO_DSA
+#ifdef NOT_USED
+static int ubsec_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+		BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+		BN_CTX *ctx, BN_MONT_CTX *in_mont);
+static int ubsec_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+		const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+		BN_MONT_CTX *m_ctx);
+#endif
+static DSA_SIG *ubsec_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+static int ubsec_dsa_verify(const unsigned char *dgst, int dgst_len,
+                                DSA_SIG *sig, DSA *dsa);
+#endif
+#ifndef OPENSSL_NO_DH
+static int ubsec_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+		const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+		BN_MONT_CTX *m_ctx);
+static int ubsec_dh_compute_key(unsigned char *key,const BIGNUM *pub_key,DH *dh);
+static int ubsec_dh_generate_key(DH *dh);
+#endif
+
+#ifdef NOT_USED
+static int ubsec_rand_bytes(unsigned char *buf, int num);
+static int ubsec_rand_status(void);
+#endif
+
+#define UBSEC_CMD_SO_PATH		ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN ubsec_cmd_defns[] = {
+	{UBSEC_CMD_SO_PATH,
+		"SO_PATH",
+		"Specifies the path to the 'ubsec' shared library",
+		ENGINE_CMD_FLAG_STRING},
+	{0, NULL, NULL, 0}
+	};
+
+#ifndef OPENSSL_NO_RSA
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD ubsec_rsa =
+	{
+	"UBSEC RSA method",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	ubsec_rsa_mod_exp,
+	ubsec_mod_exp_mont,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+	};
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* Our internal DSA_METHOD that we provide pointers to */
+static DSA_METHOD ubsec_dsa =
+	{
+	"UBSEC DSA method",
+	ubsec_dsa_do_sign, /* dsa_do_sign */
+	NULL, /* dsa_sign_setup */
+	ubsec_dsa_verify, /* dsa_do_verify */
+	NULL, /* ubsec_dsa_mod_exp */ /* dsa_mod_exp */
+	NULL, /* ubsec_mod_exp_dsa */ /* bn_mod_exp */
+	NULL, /* init */
+	NULL, /* finish */
+	0, /* flags */
+	NULL, /* app_data */
+	NULL, /* dsa_paramgen */
+	NULL /* dsa_keygen */
+	};
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD ubsec_dh =
+	{
+	"UBSEC DH method",
+	ubsec_dh_generate_key,
+	ubsec_dh_compute_key,
+	ubsec_mod_exp_dh,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	NULL
+	};
+#endif
+
+/* Constants used when creating the ENGINE */
+static const char *engine_ubsec_id = "ubsec";
+static const char *engine_ubsec_name = "UBSEC hardware engine support";
+
+/* This internal function is used by ENGINE_ubsec() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
+	{
+#ifndef OPENSSL_NO_RSA
+	const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DH
+#ifndef HAVE_UBSEC_DH
+	const DH_METHOD *meth3;
+#endif /* HAVE_UBSEC_DH */
+#endif
+	if(!ENGINE_set_id(e, engine_ubsec_id) ||
+			!ENGINE_set_name(e, engine_ubsec_name) ||
+#ifndef OPENSSL_NO_RSA
+			!ENGINE_set_RSA(e, &ubsec_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+			!ENGINE_set_DSA(e, &ubsec_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+			!ENGINE_set_DH(e, &ubsec_dh) ||
+#endif
+			!ENGINE_set_destroy_function(e, ubsec_destroy) ||
+			!ENGINE_set_init_function(e, ubsec_init) ||
+			!ENGINE_set_finish_function(e, ubsec_finish) ||
+			!ENGINE_set_ctrl_function(e, ubsec_ctrl) ||
+			!ENGINE_set_cmd_defns(e, ubsec_cmd_defns))
+		return 0;
+
+#ifndef OPENSSL_NO_RSA
+	/* We know that the "PKCS1_SSLeay()" functions hook properly
+	 * to the Broadcom-specific mod_exp and mod_exp_crt so we use
+	 * those functions. NB: We don't use ENGINE_openssl() or
+	 * anything "more generic" because something like the RSAref
+	 * code may not hook properly, and if you own one of these
+	 * cards then you have the right to do RSA operations on it
+	 * anyway! */ 
+	meth1 = RSA_PKCS1_SSLeay();
+	ubsec_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+	ubsec_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+	ubsec_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+	ubsec_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
+
+#ifndef OPENSSL_NO_DH
+#ifndef HAVE_UBSEC_DH
+	/* Much the same for Diffie-Hellman */
+	meth3 = DH_OpenSSL();
+	ubsec_dh.generate_key = meth3->generate_key;
+	ubsec_dh.compute_key = meth3->compute_key;
+#endif /* HAVE_UBSEC_DH */
+#endif
+
+	/* Ensure the ubsec error handling is set up */
+	ERR_load_UBSEC_strings();
+	return 1;
+	}
+
+#ifdef OPENSSL_NO_DYNAMIC_ENGINE
+static ENGINE *engine_ubsec(void)
+	{
+	ENGINE *ret = ENGINE_new();
+	if(!ret)
+		return NULL;
+	if(!bind_helper(ret))
+		{
+		ENGINE_free(ret);
+		return NULL;
+		}
+	return ret;
+	}
+
+void ENGINE_load_ubsec(void)
+	{
+	/* Copied from eng_[openssl|dyn].c */
+	ENGINE *toadd = engine_ubsec();
+	if(!toadd) return;
+	ENGINE_add(toadd);
+	ENGINE_free(toadd);
+	ERR_clear_error();
+	}
+#endif
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the UBSEC library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+
+static DSO *ubsec_dso = NULL;
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+
+static t_UBSEC_ubsec_bytes_to_bits *p_UBSEC_ubsec_bytes_to_bits = NULL;
+static t_UBSEC_ubsec_bits_to_bytes *p_UBSEC_ubsec_bits_to_bytes = NULL;
+static t_UBSEC_ubsec_open *p_UBSEC_ubsec_open = NULL;
+static t_UBSEC_ubsec_close *p_UBSEC_ubsec_close = NULL;
+#ifndef OPENSSL_NO_DH
+static t_UBSEC_diffie_hellman_generate_ioctl 
+	*p_UBSEC_diffie_hellman_generate_ioctl = NULL;
+static t_UBSEC_diffie_hellman_agree_ioctl *p_UBSEC_diffie_hellman_agree_ioctl = NULL;
+#endif
+/* #ifndef OPENSSL_NO_RSA */
+static t_UBSEC_rsa_mod_exp_ioctl *p_UBSEC_rsa_mod_exp_ioctl = NULL;
+static t_UBSEC_rsa_mod_exp_crt_ioctl *p_UBSEC_rsa_mod_exp_crt_ioctl = NULL;
+/* #endif */
+#ifndef OPENSSL_NO_DSA
+static t_UBSEC_dsa_sign_ioctl *p_UBSEC_dsa_sign_ioctl = NULL;
+static t_UBSEC_dsa_verify_ioctl *p_UBSEC_dsa_verify_ioctl = NULL;
+#endif
+static t_UBSEC_math_accelerate_ioctl *p_UBSEC_math_accelerate_ioctl = NULL;
+static t_UBSEC_rng_ioctl *p_UBSEC_rng_ioctl = NULL;
+static t_UBSEC_max_key_len_ioctl *p_UBSEC_max_key_len_ioctl = NULL;
+
+static int max_key_len = 1024;  /* ??? */
+
+/* 
+ * These are the static string constants for the DSO file name and the function
+ * symbol names to bind to. 
+ */
+
+static const char *UBSEC_LIBNAME = NULL;
+static const char *get_UBSEC_LIBNAME(void)
+	{
+	if(UBSEC_LIBNAME)
+		return UBSEC_LIBNAME;
+	return "ubsec";
+	}
+static void free_UBSEC_LIBNAME(void)
+	{
+	if(UBSEC_LIBNAME)
+		OPENSSL_free((void*)UBSEC_LIBNAME);
+	UBSEC_LIBNAME = NULL;
+	}
+static long set_UBSEC_LIBNAME(const char *name)
+	{
+	free_UBSEC_LIBNAME();
+	return (((UBSEC_LIBNAME = BUF_strdup(name)) != NULL) ? 1 : 0);
+	}
+static const char *UBSEC_F1 = "ubsec_bytes_to_bits";
+static const char *UBSEC_F2 = "ubsec_bits_to_bytes";
+static const char *UBSEC_F3 = "ubsec_open";
+static const char *UBSEC_F4 = "ubsec_close";
+#ifndef OPENSSL_NO_DH
+static const char *UBSEC_F5 = "diffie_hellman_generate_ioctl";
+static const char *UBSEC_F6 = "diffie_hellman_agree_ioctl";
+#endif
+/* #ifndef OPENSSL_NO_RSA */
+static const char *UBSEC_F7 = "rsa_mod_exp_ioctl";
+static const char *UBSEC_F8 = "rsa_mod_exp_crt_ioctl";
+/* #endif */
+#ifndef OPENSSL_NO_DSA
+static const char *UBSEC_F9 = "dsa_sign_ioctl";
+static const char *UBSEC_F10 = "dsa_verify_ioctl";
+#endif
+static const char *UBSEC_F11 = "math_accelerate_ioctl";
+static const char *UBSEC_F12 = "rng_ioctl";
+static const char *UBSEC_F13 = "ubsec_max_key_len_ioctl";
+
+/* Destructor (complements the "ENGINE_ubsec()" constructor) */
+static int ubsec_destroy(ENGINE *e)
+	{
+	free_UBSEC_LIBNAME();
+	ERR_unload_UBSEC_strings();
+	return 1;
+	}
+
+/* (de)initialisation functions. */
+static int ubsec_init(ENGINE *e)
+	{
+	t_UBSEC_ubsec_bytes_to_bits *p1;
+	t_UBSEC_ubsec_bits_to_bytes *p2;
+	t_UBSEC_ubsec_open *p3;
+	t_UBSEC_ubsec_close *p4;
+#ifndef OPENSSL_NO_DH
+	t_UBSEC_diffie_hellman_generate_ioctl *p5;
+	t_UBSEC_diffie_hellman_agree_ioctl *p6;
+#endif
+/* #ifndef OPENSSL_NO_RSA */
+	t_UBSEC_rsa_mod_exp_ioctl *p7;
+	t_UBSEC_rsa_mod_exp_crt_ioctl *p8;
+/* #endif */
+#ifndef OPENSSL_NO_DSA
+	t_UBSEC_dsa_sign_ioctl *p9;
+	t_UBSEC_dsa_verify_ioctl *p10;
+#endif
+	t_UBSEC_math_accelerate_ioctl *p11;
+	t_UBSEC_rng_ioctl *p12;
+        t_UBSEC_max_key_len_ioctl *p13;
+	int fd = 0;
+
+	if(ubsec_dso != NULL)
+		{
+		UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_ALREADY_LOADED);
+		goto err;
+		}
+	/* 
+	 * Attempt to load libubsec.so/ubsec.dll/whatever. 
+	 */
+	ubsec_dso = DSO_load(NULL, get_UBSEC_LIBNAME(), NULL, 0);
+	if(ubsec_dso == NULL)
+		{
+		UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_DSO_FAILURE);
+		goto err;
+		}
+
+	if (
+	!(p1 = (t_UBSEC_ubsec_bytes_to_bits *) DSO_bind_func(ubsec_dso, UBSEC_F1)) ||
+	!(p2 = (t_UBSEC_ubsec_bits_to_bytes *) DSO_bind_func(ubsec_dso, UBSEC_F2)) ||
+	!(p3 = (t_UBSEC_ubsec_open *) DSO_bind_func(ubsec_dso, UBSEC_F3)) ||
+	!(p4 = (t_UBSEC_ubsec_close *) DSO_bind_func(ubsec_dso, UBSEC_F4)) ||
+#ifndef OPENSSL_NO_DH
+	!(p5 = (t_UBSEC_diffie_hellman_generate_ioctl *) 
+				DSO_bind_func(ubsec_dso, UBSEC_F5)) ||
+	!(p6 = (t_UBSEC_diffie_hellman_agree_ioctl *) 
+				DSO_bind_func(ubsec_dso, UBSEC_F6)) ||
+#endif
+/* #ifndef OPENSSL_NO_RSA */
+	!(p7 = (t_UBSEC_rsa_mod_exp_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F7)) ||
+	!(p8 = (t_UBSEC_rsa_mod_exp_crt_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F8)) ||
+/* #endif */
+#ifndef OPENSSL_NO_DSA
+	!(p9 = (t_UBSEC_dsa_sign_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F9)) ||
+	!(p10 = (t_UBSEC_dsa_verify_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F10)) ||
+#endif
+	!(p11 = (t_UBSEC_math_accelerate_ioctl *) 
+				DSO_bind_func(ubsec_dso, UBSEC_F11)) ||
+	!(p12 = (t_UBSEC_rng_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F12)) ||
+        !(p13 = (t_UBSEC_max_key_len_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F13)))
+		{
+		UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_DSO_FAILURE);
+		goto err;
+		}
+
+	/* Copy the pointers */
+	p_UBSEC_ubsec_bytes_to_bits = p1;
+	p_UBSEC_ubsec_bits_to_bytes = p2;
+	p_UBSEC_ubsec_open = p3;
+	p_UBSEC_ubsec_close = p4;
+#ifndef OPENSSL_NO_DH
+	p_UBSEC_diffie_hellman_generate_ioctl = p5;
+	p_UBSEC_diffie_hellman_agree_ioctl = p6;
+#endif
+#ifndef OPENSSL_NO_RSA
+	p_UBSEC_rsa_mod_exp_ioctl = p7;
+	p_UBSEC_rsa_mod_exp_crt_ioctl = p8;
+#endif
+#ifndef OPENSSL_NO_DSA
+	p_UBSEC_dsa_sign_ioctl = p9;
+	p_UBSEC_dsa_verify_ioctl = p10;
+#endif
+	p_UBSEC_math_accelerate_ioctl = p11;
+	p_UBSEC_rng_ioctl = p12;
+        p_UBSEC_max_key_len_ioctl = p13;
+
+	/* Perform an open to see if there's actually any unit running. */
+	if (((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) > 0) && (p_UBSEC_max_key_len_ioctl(fd, &max_key_len) == 0))
+	{
+	   p_UBSEC_ubsec_close(fd);
+	   return 1;
+	}
+	else
+	{
+	  UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+	}
+
+err:
+	if(ubsec_dso)
+		DSO_free(ubsec_dso);
+	ubsec_dso = NULL;
+	p_UBSEC_ubsec_bytes_to_bits = NULL;
+	p_UBSEC_ubsec_bits_to_bytes = NULL;
+	p_UBSEC_ubsec_open = NULL;
+	p_UBSEC_ubsec_close = NULL;
+#ifndef OPENSSL_NO_DH
+	p_UBSEC_diffie_hellman_generate_ioctl = NULL;
+	p_UBSEC_diffie_hellman_agree_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_RSA
+	p_UBSEC_rsa_mod_exp_ioctl = NULL;
+	p_UBSEC_rsa_mod_exp_crt_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_DSA
+	p_UBSEC_dsa_sign_ioctl = NULL;
+	p_UBSEC_dsa_verify_ioctl = NULL;
+#endif
+	p_UBSEC_math_accelerate_ioctl = NULL;
+	p_UBSEC_rng_ioctl = NULL;
+        p_UBSEC_max_key_len_ioctl = NULL;
+
+	return 0;
+	}
+
+static int ubsec_finish(ENGINE *e)
+	{
+	free_UBSEC_LIBNAME();
+	if(ubsec_dso == NULL)
+		{
+		UBSECerr(UBSEC_F_UBSEC_FINISH, UBSEC_R_NOT_LOADED);
+		return 0;
+		}
+	if(!DSO_free(ubsec_dso))
+		{
+		UBSECerr(UBSEC_F_UBSEC_FINISH, UBSEC_R_DSO_FAILURE);
+		return 0;
+		}
+	ubsec_dso = NULL;
+	p_UBSEC_ubsec_bytes_to_bits = NULL;
+	p_UBSEC_ubsec_bits_to_bytes = NULL;
+	p_UBSEC_ubsec_open = NULL;
+	p_UBSEC_ubsec_close = NULL;
+#ifndef OPENSSL_NO_DH
+	p_UBSEC_diffie_hellman_generate_ioctl = NULL;
+	p_UBSEC_diffie_hellman_agree_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_RSA
+	p_UBSEC_rsa_mod_exp_ioctl = NULL;
+	p_UBSEC_rsa_mod_exp_crt_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_DSA
+	p_UBSEC_dsa_sign_ioctl = NULL;
+	p_UBSEC_dsa_verify_ioctl = NULL;
+#endif
+	p_UBSEC_math_accelerate_ioctl = NULL;
+	p_UBSEC_rng_ioctl = NULL;
+        p_UBSEC_max_key_len_ioctl = NULL;
+	return 1;
+	}
+
+static int ubsec_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
+	{
+	int initialised = ((ubsec_dso == NULL) ? 0 : 1);
+	switch(cmd)
+		{
+	case UBSEC_CMD_SO_PATH:
+		if(p == NULL)
+			{
+			UBSECerr(UBSEC_F_UBSEC_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+			return 0;
+			}
+		if(initialised)
+			{
+			UBSECerr(UBSEC_F_UBSEC_CTRL,UBSEC_R_ALREADY_LOADED);
+			return 0;
+			}
+		return set_UBSEC_LIBNAME((const char *)p);
+	default:
+		break;
+		}
+	UBSECerr(UBSEC_F_UBSEC_CTRL,UBSEC_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+	return 0;
+	}
+
+static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx)
+	{
+	int 	y_len = 0;
+	int 	fd;
+
+	if(ubsec_dso == NULL)
+	{
+		UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_NOT_LOADED);
+		return 0;
+	}
+
+	/* Check if hardware can't handle this argument. */
+	y_len = BN_num_bits(m);
+	if (y_len > max_key_len) {
+		UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return BN_mod_exp(r, a, p, m, ctx);
+	} 
+
+	if(!bn_wexpand(r, m->top))
+	{
+		UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);
+		return 0;
+	}
+
+	if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
+		fd = 0;
+		UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_UNIT_FAILURE);
+                return BN_mod_exp(r, a, p, m, ctx);
+	}
+
+	if (p_UBSEC_rsa_mod_exp_ioctl(fd, (unsigned char *)a->d, BN_num_bits(a),
+		(unsigned char *)m->d, BN_num_bits(m), (unsigned char *)p->d, 
+		BN_num_bits(p), (unsigned char *)r->d, &y_len) != 0)
+	{
+		UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                return BN_mod_exp(r, a, p, m, ctx);
+	}
+
+	p_UBSEC_ubsec_close(fd);
+
+	r->top = (BN_num_bits(m)+BN_BITS2-1)/BN_BITS2;
+	return 1;
+	}
+
+#ifndef OPENSSL_NO_RSA
+static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+	{
+	int to_return = 0;
+
+	if(!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp)
+		{
+		UBSECerr(UBSEC_F_UBSEC_RSA_MOD_EXP, UBSEC_R_MISSING_KEY_COMPONENTS);
+		goto err;
+		}
+
+	to_return = ubsec_mod_exp_crt(r0, I, rsa->p, rsa->q, rsa->dmp1,
+		    rsa->dmq1, rsa->iqmp, ctx);
+	if (to_return == FAIL_TO_SOFTWARE)
+	{
+	  /*
+	   * Do in software as hardware failed.
+	   */
+	   const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+	   to_return = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
+	}
+err:
+	return to_return;
+	}
+#endif
+
+static int ubsec_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *q, const BIGNUM *dp,
+			const BIGNUM *dq, const BIGNUM *qinv, BN_CTX *ctx)
+	{
+	int	y_len,
+		m_len,
+		fd;
+
+	m_len = BN_num_bytes(p) + BN_num_bytes(q) + 1;
+	y_len = BN_num_bits(p) + BN_num_bits(q);
+
+	/* Check if hardware can't handle this argument. */
+	if (y_len > max_key_len) {
+		UBSECerr(UBSEC_F_UBSEC_MOD_EXP_CRT, UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+		return FAIL_TO_SOFTWARE;
+	} 
+
+	if (!bn_wexpand(r, p->top + q->top + 1)) {
+		UBSECerr(UBSEC_F_UBSEC_MOD_EXP_CRT, UBSEC_R_BN_EXPAND_FAIL);
+		return 0;
+	}
+
+	if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
+		fd = 0;
+		UBSECerr(UBSEC_F_UBSEC_MOD_EXP_CRT, UBSEC_R_UNIT_FAILURE);
+		return FAIL_TO_SOFTWARE;
+	}
+
+	if (p_UBSEC_rsa_mod_exp_crt_ioctl(fd,
+		(unsigned char *)a->d, BN_num_bits(a), 
+		(unsigned char *)qinv->d, BN_num_bits(qinv),
+		(unsigned char *)dp->d, BN_num_bits(dp),
+		(unsigned char *)p->d, BN_num_bits(p),
+		(unsigned char *)dq->d, BN_num_bits(dq),
+		(unsigned char *)q->d, BN_num_bits(q),
+		(unsigned char *)r->d,  &y_len) != 0) {
+		UBSECerr(UBSEC_F_UBSEC_MOD_EXP_CRT, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+		return FAIL_TO_SOFTWARE;
+	}
+
+	p_UBSEC_ubsec_close(fd);
+
+	r->top = (BN_num_bits(p) + BN_num_bits(q) + BN_BITS2 - 1)/BN_BITS2;
+	return 1;
+}
+
+#ifndef OPENSSL_NO_DSA
+#ifdef NOT_USED
+static int ubsec_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+		BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+		BN_CTX *ctx, BN_MONT_CTX *in_mont)
+	{
+	BIGNUM t;
+	int to_return = 0;
+ 
+	BN_init(&t);
+	/* let rr = a1 ^ p1 mod m */
+	if (!ubsec_mod_exp(rr,a1,p1,m,ctx)) goto end;
+	/* let t = a2 ^ p2 mod m */
+	if (!ubsec_mod_exp(&t,a2,p2,m,ctx)) goto end;
+	/* let rr = rr * t mod m */
+	if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end;
+	to_return = 1;
+end:
+	BN_free(&t);
+	return to_return;
+	}
+
+static int ubsec_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+		const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+		BN_MONT_CTX *m_ctx)
+	{
+	return ubsec_mod_exp(r, a, p, m, ctx);
+	}
+#endif
+#endif
+
+/*
+ * This function is aliased to mod_exp (with the mont stuff dropped).
+ */
+static int ubsec_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+	int ret = 0;
+
+#ifndef OPENSSL_NO_RSA
+ 	/* Do in software if the key is too large for the hardware. */
+	if (BN_num_bits(m) > max_key_len)
+                {
+		const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+		ret = (*meth->bn_mod_exp)(r, a, p, m, ctx, m_ctx);
+                }
+        else
+#endif
+                {
+		ret = ubsec_mod_exp(r, a, p, m, ctx);
+                }
+	
+	return ret;
+        }
+
+#ifndef OPENSSL_NO_DH
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int ubsec_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+		const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+		BN_MONT_CTX *m_ctx)
+	{
+	return ubsec_mod_exp(r, a, p, m, ctx);
+	}
+#endif
+
+#ifndef OPENSSL_NO_DSA
+static DSA_SIG *ubsec_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+	{
+	DSA_SIG *to_return = NULL;
+	int s_len = 160, r_len = 160, d_len, fd;
+	BIGNUM m, *r=NULL, *s=NULL;
+
+	BN_init(&m);
+
+	s = BN_new();
+	r = BN_new();
+	if ((s == NULL) || (r==NULL))
+		goto err;
+
+	d_len = p_UBSEC_ubsec_bytes_to_bits((unsigned char *)dgst, dlen);
+
+        if(!bn_wexpand(r, (160+BN_BITS2-1)/BN_BITS2) ||
+       	   (!bn_wexpand(s, (160+BN_BITS2-1)/BN_BITS2))) {
+		UBSECerr(UBSEC_F_UBSEC_DSA_DO_SIGN, UBSEC_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+
+	if (BN_bin2bn(dgst,dlen,&m) == NULL) {
+		UBSECerr(UBSEC_F_UBSEC_DSA_DO_SIGN, UBSEC_R_BN_EXPAND_FAIL);
+		goto err;
+	} 
+
+	if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
+                const DSA_METHOD *meth;
+		fd = 0;
+		UBSECerr(UBSEC_F_UBSEC_DSA_DO_SIGN, UBSEC_R_UNIT_FAILURE);
+                meth = DSA_OpenSSL();
+                to_return =  meth->dsa_do_sign(dgst, dlen, dsa);
+		goto err;
+	}
+
+	if (p_UBSEC_dsa_sign_ioctl(fd, 0, /* compute hash before signing */
+		(unsigned char *)dgst, d_len,
+		NULL, 0,  /* compute random value */
+		(unsigned char *)dsa->p->d, BN_num_bits(dsa->p), 
+		(unsigned char *)dsa->q->d, BN_num_bits(dsa->q),
+		(unsigned char *)dsa->g->d, BN_num_bits(dsa->g),
+		(unsigned char *)dsa->priv_key->d, BN_num_bits(dsa->priv_key),
+		(unsigned char *)r->d, &r_len,
+		(unsigned char *)s->d, &s_len ) != 0) {
+                const DSA_METHOD *meth;
+
+		UBSECerr(UBSEC_F_UBSEC_DSA_DO_SIGN, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+                meth = DSA_OpenSSL();
+                to_return = meth->dsa_do_sign(dgst, dlen, dsa);
+
+		goto err;
+	}
+
+	p_UBSEC_ubsec_close(fd);
+
+	r->top = (160+BN_BITS2-1)/BN_BITS2;
+	s->top = (160+BN_BITS2-1)/BN_BITS2;
+
+	to_return = DSA_SIG_new();
+	if(to_return == NULL) {
+		UBSECerr(UBSEC_F_UBSEC_DSA_DO_SIGN, UBSEC_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+
+	to_return->r = r;
+	to_return->s = s;
+
+err:
+	if (!to_return) {
+		if (r) BN_free(r);
+		if (s) BN_free(s);
+	}                                 
+	BN_clear_free(&m);
+	return to_return;
+}
+
+static int ubsec_dsa_verify(const unsigned char *dgst, int dgst_len,
+                                DSA_SIG *sig, DSA *dsa)
+	{
+	int v_len, d_len;
+	int to_return = 0;
+	int fd;
+	BIGNUM v;
+
+	BN_init(&v);
+
+	if(!bn_wexpand(&v, dsa->p->top)) {
+		UBSECerr(UBSEC_F_UBSEC_DSA_VERIFY, UBSEC_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+
+	v_len = BN_num_bits(dsa->p);
+
+	d_len = p_UBSEC_ubsec_bytes_to_bits((unsigned char *)dgst, dgst_len);
+
+	if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
+                const DSA_METHOD *meth;
+		fd = 0;
+		UBSECerr(UBSEC_F_UBSEC_DSA_VERIFY, UBSEC_R_UNIT_FAILURE);
+                meth = DSA_OpenSSL();
+                to_return = meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
+		goto err;
+	}
+
+	if (p_UBSEC_dsa_verify_ioctl(fd, 0, /* compute hash before signing */
+		(unsigned char *)dgst, d_len,
+		(unsigned char *)dsa->p->d, BN_num_bits(dsa->p), 
+		(unsigned char *)dsa->q->d, BN_num_bits(dsa->q),
+		(unsigned char *)dsa->g->d, BN_num_bits(dsa->g),
+		(unsigned char *)dsa->pub_key->d, BN_num_bits(dsa->pub_key),
+		(unsigned char *)sig->r->d, BN_num_bits(sig->r),
+		(unsigned char *)sig->s->d, BN_num_bits(sig->s),
+		(unsigned char *)v.d, &v_len) != 0) {
+                const DSA_METHOD *meth;
+		UBSECerr(UBSEC_F_UBSEC_DSA_VERIFY, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                meth = DSA_OpenSSL();
+                to_return = meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
+
+		goto err;
+	}
+
+	p_UBSEC_ubsec_close(fd);
+
+	to_return = 1;
+err:
+	BN_clear_free(&v);
+	return to_return;
+	}
+#endif
+
+#ifndef OPENSSL_NO_DH
+static int ubsec_dh_compute_key(unsigned char *key,const BIGNUM *pub_key,DH *dh)
+        {
+        int      ret      = -1,
+                 k_len,
+                 fd;
+
+        k_len = BN_num_bits(dh->p);
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0)
+                {
+                const DH_METHOD *meth;
+                UBSECerr(UBSEC_F_UBSEC_DH_COMPUTE_KEY, UBSEC_R_UNIT_FAILURE);
+                meth = DH_OpenSSL();
+                ret = meth->compute_key(key, pub_key, dh);
+                goto err;
+                }
+
+        if (p_UBSEC_diffie_hellman_agree_ioctl(fd,
+                                               (unsigned char *)dh->priv_key->d, BN_num_bits(dh->priv_key),
+                                               (unsigned char *)pub_key->d, BN_num_bits(pub_key),
+                                               (unsigned char *)dh->p->d, BN_num_bits(dh->p),
+                                               key, &k_len) != 0)
+                {
+                /* Hardware's a no go, failover to software */
+                const DH_METHOD *meth;
+                UBSECerr(UBSEC_F_UBSEC_DH_COMPUTE_KEY, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                meth = DH_OpenSSL();
+                ret = meth->compute_key(key, pub_key, dh);
+
+                goto err;
+                }
+
+        p_UBSEC_ubsec_close(fd);
+
+        ret = p_UBSEC_ubsec_bits_to_bytes(k_len);
+err:
+        return ret;
+        }
+
+static int ubsec_dh_generate_key(DH *dh)
+        {
+        int      ret               = 0,
+                 random_bits       = 0,
+                 pub_key_len       = 0,
+                 priv_key_len      = 0,
+                 fd;
+        BIGNUM   *pub_key          = NULL;
+        BIGNUM   *priv_key         = NULL;
+
+        /* 
+         *  How many bits should Random x be? dh_key.c
+         *  sets the range from 0 to num_bits(modulus) ???
+         */
+
+        if (dh->priv_key == NULL)
+                {
+                priv_key = BN_new();
+                if (priv_key == NULL) goto err;
+                priv_key_len = BN_num_bits(dh->p);
+                bn_wexpand(priv_key, dh->p->top);
+                do
+                        if (!BN_rand_range(priv_key, dh->p)) goto err;
+                while (BN_is_zero(priv_key));
+                random_bits = BN_num_bits(priv_key);
+                }
+        else
+                {
+                priv_key = dh->priv_key;
+                }
+
+        if (dh->pub_key == NULL)
+                {
+                pub_key = BN_new();
+                pub_key_len = BN_num_bits(dh->p);
+                bn_wexpand(pub_key, dh->p->top);
+                if(pub_key == NULL) goto err;
+                }
+        else
+                {
+                pub_key = dh->pub_key;
+                }
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0)
+                {
+                const DH_METHOD *meth;
+                UBSECerr(UBSEC_F_UBSEC_DH_GENERATE_KEY, UBSEC_R_UNIT_FAILURE);
+                meth = DH_OpenSSL();
+                ret = meth->generate_key(dh);
+                goto err;
+                }
+
+        if (p_UBSEC_diffie_hellman_generate_ioctl(fd,
+                                                  (unsigned char *)priv_key->d, &priv_key_len,
+                                                  (unsigned char *)pub_key->d,  &pub_key_len,
+                                                  (unsigned char *)dh->g->d, BN_num_bits(dh->g),
+                                                  (unsigned char *)dh->p->d, BN_num_bits(dh->p),
+                                                  0, 0, random_bits) != 0)
+                {
+                /* Hardware's a no go, failover to software */
+                const DH_METHOD *meth;
+
+                UBSECerr(UBSEC_F_UBSEC_DH_GENERATE_KEY, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                meth = DH_OpenSSL();
+                ret = meth->generate_key(dh);
+
+                goto err;
+                }
+
+        p_UBSEC_ubsec_close(fd);
+
+        dh->pub_key = pub_key;
+        dh->pub_key->top = (pub_key_len + BN_BITS2-1) / BN_BITS2;
+        dh->priv_key = priv_key;
+        dh->priv_key->top = (priv_key_len + BN_BITS2-1) / BN_BITS2;
+
+        ret = 1;
+err:
+        return ret;
+        }
+#endif
+
+#ifdef NOT_USED
+static int ubsec_rand_bytes(unsigned char * buf,
+                            int num)
+        {
+        int      ret      = 0,
+                 fd;
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0)
+                {
+                const RAND_METHOD *meth;
+                UBSECerr(UBSEC_F_UBSEC_RAND_BYTES, UBSEC_R_UNIT_FAILURE);
+                num = p_UBSEC_ubsec_bits_to_bytes(num);
+                meth = RAND_SSLeay();
+                meth->seed(buf, num);
+                ret = meth->bytes(buf, num);
+                goto err;
+                }
+
+        num *= 8; /* bytes to bits */
+
+        if (p_UBSEC_rng_ioctl(fd,
+                              UBSEC_RNG_DIRECT,
+                              buf,
+                              &num) != 0)
+                {
+                /* Hardware's a no go, failover to software */
+                const RAND_METHOD *meth;
+
+                UBSECerr(UBSEC_F_UBSEC_RAND_BYTES, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                num = p_UBSEC_ubsec_bits_to_bytes(num);
+                meth = RAND_SSLeay();
+                meth->seed(buf, num);
+                ret = meth->bytes(buf, num);
+
+                goto err;
+                }
+
+        p_UBSEC_ubsec_close(fd);
+
+        ret = 1;
+err:
+        return(ret);
+        }
+
+
+static int ubsec_rand_status(void)
+	{
+	return 0;
+	}
+#endif
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+static int bind_fn(ENGINE *e, const char *id)
+	{
+	if(id && (strcmp(id, engine_ubsec_id) != 0))
+		return 0;
+	if(!bind_helper(e))
+		return 0;
+	return 1;
+	}
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* OPENSSL_NO_DYNAMIC_ENGINE */
+
+#endif /* !OPENSSL_NO_HW_UBSEC */
+#endif /* !OPENSSL_NO_HW */
diff --git a/crypto/openssl/engines/e_ubsec.ec b/crypto/openssl/engines/e_ubsec.ec
new file mode 100644
index 000000000000..99b9233569ea
--- /dev/null
+++ b/crypto/openssl/engines/e_ubsec.ec
@@ -0,0 +1 @@
+L UBSEC		e_ubsec_err.h			e_ubsec_err.c
diff --git a/crypto/openssl/engines/e_ubsec_err.c b/crypto/openssl/engines/e_ubsec_err.c
new file mode 100644
index 000000000000..14c3d61e2409
--- /dev/null
+++ b/crypto/openssl/engines/e_ubsec_err.c
@@ -0,0 +1,157 @@
+/* e_ubsec_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "e_ubsec_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(0,func,0)
+#define ERR_REASON(reason) ERR_PACK(0,0,reason)
+
+static ERR_STRING_DATA UBSEC_str_functs[]=
+	{
+{ERR_FUNC(UBSEC_F_UBSEC_CTRL),	"UBSEC_CTRL"},
+{ERR_FUNC(UBSEC_F_UBSEC_DH_COMPUTE_KEY),	"UBSEC_DH_COMPUTE_KEY"},
+{ERR_FUNC(UBSEC_F_UBSEC_DH_GENERATE_KEY),	"UBSEC_DH_GENERATE_KEY"},
+{ERR_FUNC(UBSEC_F_UBSEC_DSA_DO_SIGN),	"UBSEC_DSA_DO_SIGN"},
+{ERR_FUNC(UBSEC_F_UBSEC_DSA_VERIFY),	"UBSEC_DSA_VERIFY"},
+{ERR_FUNC(UBSEC_F_UBSEC_FINISH),	"UBSEC_FINISH"},
+{ERR_FUNC(UBSEC_F_UBSEC_INIT),	"UBSEC_INIT"},
+{ERR_FUNC(UBSEC_F_UBSEC_MOD_EXP),	"UBSEC_MOD_EXP"},
+{ERR_FUNC(UBSEC_F_UBSEC_MOD_EXP_CRT),	"UBSEC_MOD_EXP_CRT"},
+{ERR_FUNC(UBSEC_F_UBSEC_RAND_BYTES),	"UBSEC_RAND_BYTES"},
+{ERR_FUNC(UBSEC_F_UBSEC_RSA_MOD_EXP),	"UBSEC_RSA_MOD_EXP"},
+{ERR_FUNC(UBSEC_F_UBSEC_RSA_MOD_EXP_CRT),	"UBSEC_RSA_MOD_EXP_CRT"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA UBSEC_str_reasons[]=
+	{
+{ERR_REASON(UBSEC_R_ALREADY_LOADED)      ,"already loaded"},
+{ERR_REASON(UBSEC_R_BN_EXPAND_FAIL)      ,"bn expand fail"},
+{ERR_REASON(UBSEC_R_CTRL_COMMAND_NOT_IMPLEMENTED),"ctrl command not implemented"},
+{ERR_REASON(UBSEC_R_DSO_FAILURE)         ,"dso failure"},
+{ERR_REASON(UBSEC_R_MISSING_KEY_COMPONENTS),"missing key components"},
+{ERR_REASON(UBSEC_R_NOT_LOADED)          ,"not loaded"},
+{ERR_REASON(UBSEC_R_REQUEST_FAILED)      ,"request failed"},
+{ERR_REASON(UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL),"size too large or too small"},
+{ERR_REASON(UBSEC_R_UNIT_FAILURE)        ,"unit failure"},
+{0,NULL}
+	};
+
+#endif
+
+#ifdef UBSEC_LIB_NAME
+static ERR_STRING_DATA UBSEC_lib_name[]=
+        {
+{0	,UBSEC_LIB_NAME},
+{0,NULL}
+	};
+#endif
+
+
+static int UBSEC_lib_error_code=0;
+static int UBSEC_error_init=1;
+
+static void ERR_load_UBSEC_strings(void)
+	{
+	if (UBSEC_lib_error_code == 0)
+		UBSEC_lib_error_code=ERR_get_next_error_library();
+
+	if (UBSEC_error_init)
+		{
+		UBSEC_error_init=0;
+#ifndef OPENSSL_NO_ERR
+		ERR_load_strings(UBSEC_lib_error_code,UBSEC_str_functs);
+		ERR_load_strings(UBSEC_lib_error_code,UBSEC_str_reasons);
+#endif
+
+#ifdef UBSEC_LIB_NAME
+		UBSEC_lib_name->error = ERR_PACK(UBSEC_lib_error_code,0,0);
+		ERR_load_strings(0,UBSEC_lib_name);
+#endif
+		}
+	}
+
+static void ERR_unload_UBSEC_strings(void)
+	{
+	if (UBSEC_error_init == 0)
+		{
+#ifndef OPENSSL_NO_ERR
+		ERR_unload_strings(UBSEC_lib_error_code,UBSEC_str_functs);
+		ERR_unload_strings(UBSEC_lib_error_code,UBSEC_str_reasons);
+#endif
+
+#ifdef UBSEC_LIB_NAME
+		ERR_unload_strings(0,UBSEC_lib_name);
+#endif
+		UBSEC_error_init=1;
+		}
+	}
+
+static void ERR_UBSEC_error(int function, int reason, char *file, int line)
+	{
+	if (UBSEC_lib_error_code == 0)
+		UBSEC_lib_error_code=ERR_get_next_error_library();
+	ERR_PUT_error(UBSEC_lib_error_code,function,reason,file,line);
+	}
diff --git a/crypto/openssl/engines/e_ubsec_err.h b/crypto/openssl/engines/e_ubsec_err.h
new file mode 100644
index 000000000000..3229eca5cf3d
--- /dev/null
+++ b/crypto/openssl/engines/e_ubsec_err.h
@@ -0,0 +1,97 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_UBSEC_ERR_H
+#define HEADER_UBSEC_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_UBSEC_strings(void);
+static void ERR_unload_UBSEC_strings(void);
+static void ERR_UBSEC_error(int function, int reason, char *file, int line);
+#define UBSECerr(f,r) ERR_UBSEC_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the UBSEC functions. */
+
+/* Function codes. */
+#define UBSEC_F_UBSEC_CTRL				 100
+#define UBSEC_F_UBSEC_DH_COMPUTE_KEY			 101
+#define UBSEC_F_UBSEC_DH_GENERATE_KEY			 111
+#define UBSEC_F_UBSEC_DSA_DO_SIGN			 102
+#define UBSEC_F_UBSEC_DSA_VERIFY			 103
+#define UBSEC_F_UBSEC_FINISH				 104
+#define UBSEC_F_UBSEC_INIT				 105
+#define UBSEC_F_UBSEC_MOD_EXP				 106
+#define UBSEC_F_UBSEC_MOD_EXP_CRT			 110
+#define UBSEC_F_UBSEC_RAND_BYTES			 107
+#define UBSEC_F_UBSEC_RSA_MOD_EXP			 108
+#define UBSEC_F_UBSEC_RSA_MOD_EXP_CRT			 109
+
+/* Reason codes. */
+#define UBSEC_R_ALREADY_LOADED				 100
+#define UBSEC_R_BN_EXPAND_FAIL				 101
+#define UBSEC_R_CTRL_COMMAND_NOT_IMPLEMENTED		 102
+#define UBSEC_R_DSO_FAILURE				 103
+#define UBSEC_R_MISSING_KEY_COMPONENTS			 104
+#define UBSEC_R_NOT_LOADED				 105
+#define UBSEC_R_REQUEST_FAILED				 106
+#define UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL		 107
+#define UBSEC_R_UNIT_FAILURE				 108
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/crypto/openssl/engines/engine_vector.mar b/crypto/openssl/engines/engine_vector.mar
new file mode 100644
index 000000000000..7d968e7b40ac
--- /dev/null
+++ b/crypto/openssl/engines/engine_vector.mar
@@ -0,0 +1,24 @@
+;
+; Transfer vector for VAX shareable image
+;
+	.TITLE ENGINE
+	.IDENT /ENGINE/
+;
+; Define macro to assist in building transfer vector entries.  Each entry
+; should take no more than 8 bytes.
+;
+	.MACRO FTRANSFER_ENTRY routine
+	.ALIGN QUAD
+	.TRANSFER routine
+	.MASK	routine
+	JMP	routine+2
+	.ENDM FTRANSFER_ENTRY
+;
+; Place entries in own program section.
+;
+	.PSECT $$ENGINE,QUAD,PIC,USR,CON,REL,LCL,SHR,EXE,RD,NOWRT
+ENGINE_xfer:
+	FTRANSFER_ENTRY bind_engine
+	FTRANSFER_ENTRY v_check
+	.BLKB 32768-<.-ENGINE_xfer>	; 64 pages total.
+	.END
diff --git a/crypto/openssl/engines/vax.opt b/crypto/openssl/engines/vax.opt
new file mode 100644
index 000000000000..72e6bd895f39
--- /dev/null
+++ b/crypto/openssl/engines/vax.opt
@@ -0,0 +1,9 @@
+!
+! Ensure transfer vector is at beginning of image
+!
+CLUSTER=FIRST
+COLLECT=FIRST,$$ENGINE
+!
+! make psects nonshareable so image can be installed.
+!
+PSECT_ATTR=$CHAR_STRING_CONSTANTS,NOWRT
diff --git a/crypto/openssl/engines/vendor_defns/aep.h b/crypto/openssl/engines/vendor_defns/aep.h
new file mode 100644
index 000000000000..5e9754fe43f5
--- /dev/null
+++ b/crypto/openssl/engines/vendor_defns/aep.h
@@ -0,0 +1,178 @@
+/* This header declares the necessary definitions for using the exponentiation
+ * acceleration capabilities, and rnd number generation of the AEP card. 
+ *
+ */
+
+/*
+ *
+ * Some AEP defines
+ *
+ */
+
+/*Successful return value*/
+#define AEP_R_OK                                0x00000000
+
+/*Miscelleanous unsuccessful return value*/
+#define AEP_R_GENERAL_ERROR                     0x10000001
+
+/*Insufficient host memory*/
+#define AEP_R_HOST_MEMORY                       0x10000002
+
+#define AEP_R_FUNCTION_FAILED                   0x10000006
+
+/*Invalid arguments in function call*/
+#define AEP_R_ARGUMENTS_BAD                     0x10020000
+
+#define AEP_R_NO_TARGET_RESOURCES				0x10030000
+
+/*Error occuring on socket operation*/
+#define AEP_R_SOCKERROR							0x10000010
+
+/*Socket has been closed from the other end*/
+#define AEP_R_SOCKEOF							0x10000011
+
+/*Invalid handles*/
+#define AEP_R_CONNECTION_HANDLE_INVALID         0x100000B3
+
+#define AEP_R_TRANSACTION_HANDLE_INVALID		0x10040000
+
+/*Transaction has not yet returned from accelerator*/
+#define AEP_R_TRANSACTION_NOT_READY				0x00010000
+
+/*There is already a thread waiting on this transaction*/
+#define AEP_R_TRANSACTION_CLAIMED				0x10050000
+
+/*The transaction timed out*/
+#define AEP_R_TIMED_OUT							0x10060000
+
+#define AEP_R_FXN_NOT_IMPLEMENTED				0x10070000
+
+#define AEP_R_TARGET_ERROR						0x10080000
+
+/*Error in the AEP daemon process*/
+#define AEP_R_DAEMON_ERROR						0x10090000
+
+/*Invalid ctx id*/
+#define AEP_R_INVALID_CTX_ID					0x10009000
+
+#define AEP_R_NO_KEY_MANAGER					0x1000a000
+
+/*Error obtaining a mutex*/
+#define AEP_R_MUTEX_BAD                         0x000001A0
+
+/*Fxn call before AEP_Initialise ot after AEP_Finialise*/
+#define AEP_R_AEPAPI_NOT_INITIALIZED			0x10000190
+
+/*AEP_Initialise has already been called*/
+#define AEP_R_AEPAPI_ALREADY_INITIALIZED		0x10000191
+
+/*Maximum number of connections to daemon reached*/
+#define AEP_R_NO_MORE_CONNECTION_HNDLS			0x10000200
+
+/*
+ *
+ * Some AEP Type definitions
+ *
+ */
+
+/* an unsigned 8-bit value */
+typedef unsigned char				AEP_U8;
+
+/* an unsigned 8-bit character */
+typedef char					AEP_CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef AEP_U8					AEP_BBOOL;
+
+/*Unsigned value, at least 16 bits long*/
+typedef unsigned short				AEP_U16;
+
+/* an unsigned value, at least 32 bits long */
+#ifdef SIXTY_FOUR_BIT_LONG
+typedef unsigned int				AEP_U32;
+#else
+typedef unsigned long				AEP_U32;
+#endif
+
+#ifdef SIXTY_FOUR_BIT_LONG
+typedef unsigned long				AEP_U64;
+#else
+typedef struct { unsigned long l1, l2; }	AEP_U64;
+#endif
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef AEP_U32			AEP_FLAGS;
+
+typedef AEP_U8	    	*AEP_U8_PTR;
+typedef AEP_CHAR    	*AEP_CHAR_PTR;
+typedef AEP_U32			*AEP_U32_PTR;
+typedef AEP_U64			*AEP_U64_PTR;
+typedef void        	*AEP_VOID_PTR;
+
+/* Pointer to a AEP_VOID_PTR-- i.e., pointer to pointer to void */
+typedef AEP_VOID_PTR 	*AEP_VOID_PTR_PTR;
+
+/*Used to identify an AEP connection handle*/
+typedef AEP_U32					AEP_CONNECTION_HNDL;
+
+/*Pointer to an AEP connection handle*/
+typedef AEP_CONNECTION_HNDL 	*AEP_CONNECTION_HNDL_PTR;
+
+/*Used by an application (in conjunction with the apps process id) to 
+identify an individual transaction*/
+typedef AEP_U32					AEP_TRANSACTION_ID;
+
+/*Pointer to an applications transaction identifier*/
+typedef AEP_TRANSACTION_ID 		*AEP_TRANSACTION_ID_PTR;
+
+/*Return value type*/
+typedef AEP_U32					AEP_RV;
+
+#define MAX_PROCESS_CONNECTIONS 256
+
+#define RAND_BLK_SIZE 1024
+
+typedef enum{
+        NotConnected=   0,
+        Connected=              1,
+        InUse=                  2
+} AEP_CONNECTION_STATE;
+
+
+typedef struct AEP_CONNECTION_ENTRY{
+        AEP_CONNECTION_STATE    conn_state;
+        AEP_CONNECTION_HNDL     conn_hndl;
+} AEP_CONNECTION_ENTRY;
+
+
+typedef AEP_RV t_AEP_OpenConnection(AEP_CONNECTION_HNDL_PTR phConnection);
+typedef AEP_RV t_AEP_CloseConnection(AEP_CONNECTION_HNDL hConnection);
+
+typedef AEP_RV t_AEP_ModExp(AEP_CONNECTION_HNDL hConnection,
+			    AEP_VOID_PTR pA, AEP_VOID_PTR pP,
+			    AEP_VOID_PTR pN,
+			    AEP_VOID_PTR pResult,
+			    AEP_TRANSACTION_ID* pidTransID);
+
+typedef AEP_RV t_AEP_ModExpCrt(AEP_CONNECTION_HNDL hConnection,
+			       AEP_VOID_PTR pA, AEP_VOID_PTR pP,
+			       AEP_VOID_PTR pQ,
+			       AEP_VOID_PTR pDmp1, AEP_VOID_PTR pDmq1,
+			       AEP_VOID_PTR pIqmp,
+			       AEP_VOID_PTR pResult,
+			       AEP_TRANSACTION_ID* pidTransID);
+
+#ifdef AEPRAND
+typedef AEP_RV t_AEP_GenRandom(AEP_CONNECTION_HNDL hConnection,
+			       AEP_U32 Len,
+			       AEP_U32 Type,
+			       AEP_VOID_PTR pResult,
+			       AEP_TRANSACTION_ID* pidTransID);
+#endif
+
+typedef AEP_RV t_AEP_Initialize(AEP_VOID_PTR pInitArgs);
+typedef AEP_RV t_AEP_Finalize(void);
+typedef AEP_RV t_AEP_SetBNCallBacks(AEP_RV (*GetBigNumSizeFunc)(AEP_VOID_PTR ArbBigNum, AEP_U32* BigNumSize),
+				    AEP_RV (*MakeAEPBigNumFunc)(AEP_VOID_PTR ArbBigNum, AEP_U32 BigNumSize, unsigned char* AEP_BigNum),
+				    AEP_RV (*ConverAEPBigNumFunc)(void* ArbBigNum, AEP_U32 BigNumSize, unsigned char* AEP_BigNum));
+
diff --git a/crypto/openssl/engines/vendor_defns/atalla.h b/crypto/openssl/engines/vendor_defns/atalla.h
new file mode 100644
index 000000000000..149970d44147
--- /dev/null
+++ b/crypto/openssl/engines/vendor_defns/atalla.h
@@ -0,0 +1,48 @@
+/* This header declares the necessary definitions for using the exponentiation
+ * acceleration capabilities of Atalla cards. The only cryptographic operation
+ * is performed by "ASI_RSAPrivateKeyOpFn" and this takes a structure that
+ * defines an "RSA private key". However, it is really only performing a
+ * regular mod_exp using the supplied modulus and exponent - no CRT form is
+ * being used. Hence, it is a generic mod_exp function in disguise, and we use
+ * it as such.
+ *
+ * Thanks to the people at Atalla for letting me know these definitions are
+ * fine and that they can be reproduced here.
+ *
+ * Geoff.
+ */
+
+typedef struct ItemStr
+	{
+	unsigned char *data;
+	int len;
+	} Item;
+
+typedef struct RSAPrivateKeyStr
+	{
+	void *reserved;
+	Item version;
+	Item modulus;
+	Item publicExponent;
+	Item privateExponent;
+	Item prime[2];
+	Item exponent[2];
+	Item coefficient;
+	} RSAPrivateKey;
+
+/* Predeclare the function pointer types that we dynamically load from the DSO.
+ * These use the same names and form that Ben's original support code had (in
+ * crypto/bn/bn_exp.c) unless of course I've inadvertently changed the style
+ * somewhere along the way!
+ */
+
+typedef int tfnASI_GetPerformanceStatistics(int reset_flag,
+					unsigned int *ret_buf);
+
+typedef int tfnASI_GetHardwareConfig(long card_num, unsigned int *ret_buf);
+
+typedef int tfnASI_RSAPrivateKeyOpFn(RSAPrivateKey * rsaKey,
+					unsigned char *output,
+					unsigned char *input,
+					unsigned int modulus_len);
+
diff --git a/crypto/openssl/engines/vendor_defns/cswift.h b/crypto/openssl/engines/vendor_defns/cswift.h
new file mode 100644
index 000000000000..60079326bbbf
--- /dev/null
+++ b/crypto/openssl/engines/vendor_defns/cswift.h
@@ -0,0 +1,234 @@
+/* Attribution notice: Rainbow have generously allowed me to reproduce
+ * the necessary definitions here from their API. This means the support
+ * can build independently of whether application builders have the
+ * API or hardware. This will allow developers to easily produce software
+ * that has latent hardware support for any users that have accelertors
+ * installed, without the developers themselves needing anything extra.
+ *
+ * I have only clipped the parts from the CryptoSwift header files that
+ * are (or seem) relevant to the CryptoSwift support code. This is
+ * simply to keep the file sizes reasonable.
+ * [Geoff]
+ */
+
+
+/* NB: These type widths do *not* seem right in general, in particular
+ * they're not terribly friendly to 64-bit architectures (unsigned long)
+ * will be 64-bit on IA-64 for a start. I'm leaving these alone as they
+ * agree with Rainbow's API and this will only be called into question
+ * on platforms with Rainbow support anyway! ;-) */
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+typedef long              SW_STATUS;              /* status           */
+typedef unsigned char     SW_BYTE;                /* 8 bit byte       */
+typedef unsigned short    SW_U16;                 /* 16 bit number    */
+#if defined(_IRIX)
+#include <sgidefs.h>
+typedef __uint32_t        SW_U32;
+#else
+typedef unsigned long     SW_U32;                 /* 32 bit integer   */
+#endif
+ 
+#if defined(OPENSSL_SYS_WIN32)
+  typedef struct _SW_U64 {
+      SW_U32 low32;
+      SW_U32 high32;
+  } SW_U64;                                         /* 64 bit integer   */
+#elif defined(OPENSSL_SYS_MACINTOSH_CLASSIC)
+  typedef longlong SW_U64
+#else /* Unix variants */
+  typedef struct _SW_U64 {
+      SW_U32 low32;
+      SW_U32 high32;
+  } SW_U64;                                         /* 64 bit integer   */
+#endif
+
+/* status codes */
+#define SW_OK                 (0L)
+#define SW_ERR_BASE           (-10000L)
+#define SW_ERR_NO_CARD        (SW_ERR_BASE-1) /* The Card is not present   */
+#define SW_ERR_CARD_NOT_READY (SW_ERR_BASE-2) /* The card has not powered  */
+                                              /*    up yet                 */
+#define SW_ERR_TIME_OUT       (SW_ERR_BASE-3) /* Execution of a command    */
+                                              /*    time out               */
+#define SW_ERR_NO_EXECUTE     (SW_ERR_BASE-4) /* The Card failed to        */
+                                              /*    execute the command    */
+#define SW_ERR_INPUT_NULL_PTR (SW_ERR_BASE-5) /* a required pointer is     */
+                                              /*    NULL                   */
+#define SW_ERR_INPUT_SIZE     (SW_ERR_BASE-6) /* size is invalid, too      */
+                                              /*    small, too large.      */
+#define SW_ERR_INVALID_HANDLE (SW_ERR_BASE-7) /* Invalid SW_ACC_CONTEXT    */
+                                              /*    handle                 */
+#define SW_ERR_PENDING        (SW_ERR_BASE-8) /* A request is already out- */
+                                              /*    standing at this       */
+                                              /*    context handle         */
+#define SW_ERR_AVAILABLE      (SW_ERR_BASE-9) /* A result is available.    */
+#define SW_ERR_NO_PENDING     (SW_ERR_BASE-10)/* No request is pending.    */
+#define SW_ERR_NO_MEMORY      (SW_ERR_BASE-11)/* Not enough memory         */
+#define SW_ERR_BAD_ALGORITHM  (SW_ERR_BASE-12)/* Invalid algorithm type    */
+                                              /*    in SW_PARAM structure  */
+#define SW_ERR_MISSING_KEY    (SW_ERR_BASE-13)/* No key is associated with */
+                                              /*    context.               */
+                                              /*    swAttachKeyParam() is  */
+                                              /*    not called.            */
+#define SW_ERR_KEY_CMD_MISMATCH \
+                              (SW_ERR_BASE-14)/* Cannot perform requested  */
+                                              /*    SW_COMMAND_CODE since  */
+                                              /*    key attached via       */
+                                              /*    swAttachKeyParam()     */
+                                              /*    cannot be used for this*/
+                                              /*    SW_COMMAND_CODE.       */
+#define SW_ERR_NOT_IMPLEMENTED \
+                              (SW_ERR_BASE-15)/* Not implemented           */
+#define SW_ERR_BAD_COMMAND    (SW_ERR_BASE-16)/* Bad command code          */
+#define SW_ERR_BAD_ITEM_SIZE  (SW_ERR_BASE-17)/* too small or too large in */
+                                              /*    the "initems" or       */
+                                              /*    "outitems".            */
+#define SW_ERR_BAD_ACCNUM     (SW_ERR_BASE-18)/* Bad accelerator number    */
+#define SW_ERR_SELFTEST_FAIL  (SW_ERR_BASE-19)/* At least one of the self  */
+                                              /*    test fail, look at the */
+                                              /*    selfTestBitmap in      */
+                                              /*    SW_ACCELERATOR_INFO for*/
+                                              /*    details.               */
+#define SW_ERR_MISALIGN       (SW_ERR_BASE-20)/* Certain alogrithms require*/
+                                              /*    key materials aligned  */
+                                              /*    in certain order, e.g. */
+                                              /*    128 bit for CRT        */
+#define SW_ERR_OUTPUT_NULL_PTR \
+                              (SW_ERR_BASE-21)/* a required pointer is     */
+                                              /*    NULL                   */
+#define SW_ERR_OUTPUT_SIZE \
+                              (SW_ERR_BASE-22)/* size is invalid, too      */
+                                              /*    small, too large.      */
+#define SW_ERR_FIRMWARE_CHECKSUM \
+                              (SW_ERR_BASE-23)/* firmware checksum mismatch*/
+                                              /*    download failed.       */
+#define SW_ERR_UNKNOWN_FIRMWARE \
+                              (SW_ERR_BASE-24)/* unknown firmware error    */
+#define SW_ERR_INTERRUPT      (SW_ERR_BASE-25)/* request is abort when     */
+                                              /*    it's waiting to be     */
+                                              /*    completed.             */
+#define SW_ERR_NVWRITE_FAIL   (SW_ERR_BASE-26)/* error in writing to Non-  */
+                                              /*    volatile memory        */
+#define SW_ERR_NVWRITE_RANGE  (SW_ERR_BASE-27)/* out of range error in     */
+                                              /*    writing to NV memory   */
+#define SW_ERR_RNG_ERROR      (SW_ERR_BASE-28)/* Random Number Generation  */
+                                              /*    failure                */
+#define SW_ERR_DSS_FAILURE    (SW_ERR_BASE-29)/* DSS Sign or Verify failure*/
+#define SW_ERR_MODEXP_FAILURE (SW_ERR_BASE-30)/* Failure in various math   */
+                                              /*    calculations           */
+#define SW_ERR_ONBOARD_MEMORY (SW_ERR_BASE-31)/* Error in accessing on -   */
+                                              /*    board memory           */
+#define SW_ERR_FIRMWARE_VERSION \
+                              (SW_ERR_BASE-32)/* Wrong version in firmware */
+                                              /*    update                 */
+#define SW_ERR_ZERO_WORKING_ACCELERATOR \
+                              (SW_ERR_BASE-44)/* All accelerators are bad  */
+
+
+  /* algorithm type */
+#define SW_ALG_CRT          1
+#define SW_ALG_EXP          2
+#define SW_ALG_DSA          3
+#define SW_ALG_NVDATA       4
+
+  /* command code */
+#define SW_CMD_MODEXP_CRT   1 /* perform Modular Exponentiation using  */
+                              /*  Chinese Remainder Theorem (CRT)      */
+#define SW_CMD_MODEXP       2 /* perform Modular Exponentiation        */
+#define SW_CMD_DSS_SIGN     3 /* perform DSS sign                      */
+#define SW_CMD_DSS_VERIFY   4 /* perform DSS verify                    */
+#define SW_CMD_RAND         5 /* perform random number generation      */
+#define SW_CMD_NVREAD       6 /* perform read to nonvolatile RAM       */
+#define SW_CMD_NVWRITE      7 /* perform write to nonvolatile RAM      */
+
+typedef SW_U32            SW_ALGTYPE;             /* alogrithm type   */
+typedef SW_U32            SW_STATE;               /* state            */
+typedef SW_U32            SW_COMMAND_CODE;        /* command code     */
+typedef SW_U32            SW_COMMAND_BITMAP[4];   /* bitmap           */
+
+typedef struct _SW_LARGENUMBER {
+    SW_U32    nbytes;       /* number of bytes in the buffer "value"  */
+    SW_BYTE*  value;        /* the large integer as a string of       */
+                            /*   bytes in network (big endian) order  */
+} SW_LARGENUMBER;               
+
+#if defined(OPENSSL_SYS_WIN32)
+    #include <windows.h>
+    typedef HANDLE          SW_OSHANDLE;          /* handle to kernel object */
+    #define SW_OS_INVALID_HANDLE  INVALID_HANDLE_VALUE
+    #define SW_CALLCONV _stdcall
+#elif defined(OPENSSL_SYS_MACINTOSH_CLASSIC)
+    /* async callback mechanisms */
+    /* swiftCallbackLevel */
+    #define SW_MAC_CALLBACK_LEVEL_NO         0		
+    #define SW_MAC_CALLBACK_LEVEL_HARDWARE   1	/* from the hardware ISR */
+    #define SW_MAC_CALLBACK_LEVEL_SECONDARY  2	/* as secondary ISR */
+    typedef int             SW_MAC_CALLBACK_LEVEL;
+    typedef int             SW_OSHANDLE;
+    #define SW_OS_INVALID_HANDLE  (-1)
+    #define SW_CALLCONV
+#else /* Unix variants */
+    typedef int             SW_OSHANDLE;          /* handle to driver */
+    #define SW_OS_INVALID_HANDLE  (-1)
+    #define SW_CALLCONV
+#endif 
+
+typedef struct _SW_CRT {
+    SW_LARGENUMBER  p;      /* prime number p                         */
+    SW_LARGENUMBER  q;      /* prime number q                         */
+    SW_LARGENUMBER  dmp1;   /* exponent1                              */
+    SW_LARGENUMBER  dmq1;   /* exponent2                              */
+    SW_LARGENUMBER  iqmp;   /* CRT coefficient                        */
+} SW_CRT;
+
+typedef struct _SW_EXP {
+    SW_LARGENUMBER  modulus; /* modulus                                */
+    SW_LARGENUMBER  exponent;/* exponent                               */
+} SW_EXP;
+
+typedef struct _SW_DSA {
+    SW_LARGENUMBER  p;      /*                                        */
+    SW_LARGENUMBER  q;      /*                                        */
+    SW_LARGENUMBER  g;      /*                                        */
+    SW_LARGENUMBER  key;    /* private/public key                     */
+} SW_DSA;
+
+typedef struct _SW_NVDATA {
+    SW_U32 accnum;          /* accelerator board number               */
+    SW_U32 offset;          /* offset in byte                         */
+} SW_NVDATA;
+
+typedef struct _SW_PARAM {
+    SW_ALGTYPE    type;     /* type of the alogrithm                  */
+    union {
+        SW_CRT    crt;
+        SW_EXP    exp;
+        SW_DSA    dsa;
+        SW_NVDATA nvdata;
+    } up;
+} SW_PARAM;
+
+typedef SW_U32 SW_CONTEXT_HANDLE; /* opaque context handle */
+
+
+/* Now the OpenSSL bits, these function types are the for the function
+ * pointers that will bound into the Rainbow shared libraries. */
+typedef SW_STATUS SW_CALLCONV t_swAcquireAccContext(SW_CONTEXT_HANDLE *hac);
+typedef SW_STATUS SW_CALLCONV t_swAttachKeyParam(SW_CONTEXT_HANDLE hac,
+                                                SW_PARAM *key_params);
+typedef SW_STATUS SW_CALLCONV t_swSimpleRequest(SW_CONTEXT_HANDLE hac,
+                                                SW_COMMAND_CODE cmd,
+                				SW_LARGENUMBER pin[],
+                                		SW_U32 pin_count,
+                                                SW_LARGENUMBER pout[],
+                				SW_U32 pout_count);
+typedef SW_STATUS SW_CALLCONV t_swReleaseAccContext(SW_CONTEXT_HANDLE hac);
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
diff --git a/crypto/openssl/engines/vendor_defns/hw_4758_cca.h b/crypto/openssl/engines/vendor_defns/hw_4758_cca.h
new file mode 100644
index 000000000000..296636e81a8b
--- /dev/null
+++ b/crypto/openssl/engines/vendor_defns/hw_4758_cca.h
@@ -0,0 +1,149 @@
+/**********************************************************************/
+/*                                                                    */
+/*  Prototypes of the CCA verbs used by the 4758 CCA openssl driver   */
+/*                                                                    */
+/*  Maurice Gittens <maurice@gittens.nl>                              */
+/*                                                                    */
+/**********************************************************************/
+
+#ifndef __HW_4758_CCA__
+#define __HW_4758_CCA__
+
+/*
+ *  Only WIN32 support for now
+ */
+#if defined(WIN32)
+
+  #define CCA_LIB_NAME "CSUNSAPI"
+
+  #define CSNDPKX   "CSNDPKX_32"
+  #define CSNDKRR   "CSNDKRR_32"
+  #define CSNDPKE   "CSNDPKE_32"
+  #define CSNDPKD   "CSNDPKD_32"
+  #define CSNDDSV   "CSNDDSV_32"
+  #define CSNDDSG   "CSNDDSG_32"
+  #define CSNBRNG   "CSNBRNG_32"
+
+  #define SECURITYAPI __stdcall
+#else
+    /* Fixme!!         
+      Find out the values of these constants for other platforms.
+    */
+  #define CCA_LIB_NAME "CSUNSAPI"
+
+  #define CSNDPKX   "CSNDPKX"
+  #define CSNDKRR   "CSNDKRR"
+  #define CSNDPKE   "CSNDPKE"
+  #define CSNDPKD   "CSNDPKD"
+  #define CSNDDSV   "CSNDDSV"
+  #define CSNDDSG   "CSNDDSG"
+  #define CSNBRNG   "CSNBRNG"
+
+  #define SECURITYAPI
+#endif
+
+/*
+ * security API prototypes
+ */
+
+/* PKA Key Record Read */
+typedef void (SECURITYAPI *F_KEYRECORDREAD)
+             (long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              long          * rule_array_count,
+              unsigned char * rule_array,
+              unsigned char * key_label,
+              long          * key_token_length,
+              unsigned char * key_token);
+
+/* Random Number Generate */
+typedef void (SECURITYAPI *F_RANDOMNUMBERGENERATE)
+             (long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              unsigned char * form,
+              unsigned char * random_number);
+
+/* Digital Signature Generate */
+typedef void (SECURITYAPI *F_DIGITALSIGNATUREGENERATE)
+             (long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              long          * rule_array_count,
+              unsigned char * rule_array,
+              long          * PKA_private_key_id_length,
+              unsigned char * PKA_private_key_id,
+              long          * hash_length,
+              unsigned char * hash,
+              long          * signature_field_length,
+              long          * signature_bit_length,
+              unsigned char * signature_field);
+
+/* Digital Signature Verify */
+typedef void (SECURITYAPI *F_DIGITALSIGNATUREVERIFY)(
+              long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              long          * rule_array_count,
+              unsigned char * rule_array,
+              long          * PKA_public_key_id_length,
+              unsigned char * PKA_public_key_id,
+              long          * hash_length,
+              unsigned char * hash,
+              long          * signature_field_length,
+              unsigned char * signature_field);
+
+/* PKA Public Key Extract */
+typedef void (SECURITYAPI *F_PUBLICKEYEXTRACT)(
+              long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              long          * rule_array_count,
+              unsigned char * rule_array,
+              long          * source_key_identifier_length,
+              unsigned char * source_key_identifier,
+              long          * target_key_token_length,
+              unsigned char * target_key_token);
+
+/* PKA Encrypt */
+typedef void   (SECURITYAPI *F_PKAENCRYPT)
+               (long          *  return_code,
+                 long          *  reason_code,
+                 long          *  exit_data_length,
+                 unsigned char *  exit_data,
+                 long          *  rule_array_count,
+                 unsigned char *  rule_array,
+                 long          *  key_value_length,
+                 unsigned char *  key_value,
+                 long          *  data_struct_length,
+                 unsigned char *  data_struct,
+                 long          *  RSA_public_key_length,
+                 unsigned char *  RSA_public_key,
+                 long          *  RSA_encipher_length,
+                 unsigned char *  RSA_encipher );
+
+/* PKA Decrypt */
+typedef void    (SECURITYAPI *F_PKADECRYPT)
+                (long          *  return_code,
+                 long          *  reason_code,
+                 long          *  exit_data_length,
+                 unsigned char *  exit_data,
+                 long          *  rule_array_count,
+                 unsigned char *  rule_array,
+                 long          *  enciphered_key_length,
+                 unsigned char *  enciphered_key,
+                 long          *  data_struct_length,
+                 unsigned char *  data_struct,
+                 long          *  RSA_private_key_length,
+                 unsigned char *  RSA_private_key,
+                 long          *  key_value_length,
+                 unsigned char *  key_value    );
+
+
+#endif
diff --git a/crypto/openssl/engines/vendor_defns/hw_ubsec.h b/crypto/openssl/engines/vendor_defns/hw_ubsec.h
new file mode 100644
index 000000000000..b6619d40f2fa
--- /dev/null
+++ b/crypto/openssl/engines/vendor_defns/hw_ubsec.h
@@ -0,0 +1,100 @@
+/******************************************************************************
+ *
+ *  Copyright 2000
+ *  Broadcom Corporation
+ *  16215 Alton Parkway
+ *  PO Box 57013
+ *  Irvine CA 92619-7013
+ *
+ *****************************************************************************/
+/* 
+ * Broadcom Corporation uBSec SDK 
+ */
+/*
+ * Character device header file.
+ */
+/*
+ * Revision History:
+ *
+ * October 2000 JTT Created.
+ */
+
+#define MAX_PUBLIC_KEY_BITS (1024)
+#define MAX_PUBLIC_KEY_BYTES (1024/8)
+#define SHA_BIT_SIZE  (160)
+#define MAX_CRYPTO_KEY_LENGTH 24
+#define MAX_MAC_KEY_LENGTH 64
+#define UBSEC_CRYPTO_DEVICE_NAME ((unsigned char *)"/dev/ubscrypt")
+#define UBSEC_KEY_DEVICE_NAME ((unsigned char *)"/dev/ubskey")
+
+/* Math command types. */
+#define UBSEC_MATH_MODADD 0x0001
+#define UBSEC_MATH_MODSUB 0x0002
+#define UBSEC_MATH_MODMUL 0x0004
+#define UBSEC_MATH_MODEXP 0x0008
+#define UBSEC_MATH_MODREM 0x0010
+#define UBSEC_MATH_MODINV 0x0020
+
+typedef long ubsec_MathCommand_t;
+typedef long ubsec_RNGCommand_t;
+
+typedef struct ubsec_crypto_context_s {
+	unsigned int	flags;
+	unsigned char	crypto[MAX_CRYPTO_KEY_LENGTH];
+	unsigned char 	auth[MAX_MAC_KEY_LENGTH];
+} ubsec_crypto_context_t, *ubsec_crypto_context_p;
+
+/* 
+ * Predeclare the function pointer types that we dynamically load from the DSO.
+ */
+
+typedef int t_UBSEC_ubsec_bytes_to_bits(unsigned char *n, int bytes);
+
+typedef int t_UBSEC_ubsec_bits_to_bytes(int bits);
+
+typedef int t_UBSEC_ubsec_open(unsigned char *device);
+
+typedef int t_UBSEC_ubsec_close(int fd);
+
+typedef int t_UBSEC_diffie_hellman_generate_ioctl (int fd,
+	unsigned char *x, int *x_len, unsigned char *y, int *y_len, 
+	unsigned char *g, int g_len, unsigned char *m, int m_len,
+	unsigned char *userX, int userX_len, int random_bits);
+
+typedef int t_UBSEC_diffie_hellman_agree_ioctl (int fd,
+	unsigned char *x, int x_len, unsigned char *y, int y_len, 
+	unsigned char *m, int m_len, unsigned char *k, int *k_len);
+
+typedef int t_UBSEC_rsa_mod_exp_ioctl (int fd,
+	unsigned char *x, int x_len, unsigned char *m, int m_len,
+	unsigned char *e, int e_len, unsigned char *y, int *y_len);
+
+typedef int t_UBSEC_rsa_mod_exp_crt_ioctl (int fd,
+	unsigned char *x, int x_len, unsigned char *qinv, int qinv_len,
+	unsigned char *edq, int edq_len, unsigned char *q, int q_len,
+	unsigned char *edp, int edp_len, unsigned char *p, int p_len,
+	unsigned char *y, int *y_len);
+
+typedef int t_UBSEC_dsa_sign_ioctl (int fd,
+	int hash, unsigned char *data, int data_len, 
+	unsigned char *rndom, int random_len, 
+	unsigned char *p, int p_len, unsigned char *q, int q_len,
+	unsigned char *g, int g_len, unsigned char *key, int key_len,
+	unsigned char *r, int *r_len, unsigned char *s, int *s_len);
+
+typedef int t_UBSEC_dsa_verify_ioctl (int fd,
+	int hash, unsigned char *data, int data_len,
+	unsigned char *p, int p_len, unsigned char *q, int q_len,
+	unsigned char *g, int g_len, unsigned char *key, int key_len,
+	unsigned char *r, int r_len, unsigned char *s, int s_len,
+	unsigned char *v, int *v_len);
+
+typedef int t_UBSEC_math_accelerate_ioctl(int fd, ubsec_MathCommand_t command,
+	unsigned char *ModN, int *ModN_len, unsigned char *ExpE, int *ExpE_len, 
+	unsigned char *ParamA, int *ParamA_len, unsigned char *ParamB, int *ParamB_len,
+	unsigned char *Result, int *Result_len);
+
+typedef int t_UBSEC_rng_ioctl(int fd, ubsec_RNGCommand_t command,
+	unsigned char *Result, int *Result_len);
+
+typedef int t_UBSEC_max_key_len_ioctl(int fd, int *max_key_len);
diff --git a/crypto/openssl/engines/vendor_defns/hwcryptohook.h b/crypto/openssl/engines/vendor_defns/hwcryptohook.h
new file mode 100644
index 000000000000..482f1f2d11e9
--- /dev/null
+++ b/crypto/openssl/engines/vendor_defns/hwcryptohook.h
@@ -0,0 +1,486 @@
+/*
+ * ModExp / RSA (with/without KM) plugin API
+ *
+ * The application will load a dynamic library which
+ * exports entrypoint(s) defined in this file.
+ *
+ * This set of entrypoints provides only a multithreaded,
+ * synchronous-within-each-thread, facility.
+ *
+ *
+ * This file is Copyright 1998-2000 nCipher Corporation Limited.
+ *
+ * Redistribution and use in source and binary forms, with opr without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the copyright notice,
+ *    this list of conditions, and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above
+ *    copyright notice, this list of conditions, and the following
+ *    disclaimer, in the documentation and/or other materials provided
+ *    with the distribution
+ *
+ * IN NO EVENT SHALL NCIPHER CORPORATION LIMITED (`NCIPHER') AND/OR
+ * ANY OTHER AUTHORS OR DISTRIBUTORS OF THIS FILE BE LIABLE for any
+ * damages arising directly or indirectly from this file, its use or
+ * this licence.  Without prejudice to the generality of the
+ * foregoing: all liability shall be excluded for direct, indirect,
+ * special, incidental, consequential or other damages or any loss of
+ * profits, business, revenue goodwill or anticipated savings;
+ * liability shall be excluded even if nCipher or anyone else has been
+ * advised of the possibility of damage.  In any event, if the
+ * exclusion of liability is not effective, the liability of nCipher
+ * or any author or distributor shall be limited to the lesser of the
+ * price paid and 1,000 pounds sterling. This licence only fails to
+ * exclude or limit liability for death or personal injury arising out
+ * of negligence, and only to the extent that such an exclusion or
+ * limitation is not effective.
+ *
+ * NCIPHER AND THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ALL
+ * AND ANY WARRANTIES (WHETHER EXPRESS OR IMPLIED), including, but not
+ * limited to, any implied warranties of merchantability, fitness for
+ * a particular purpose, satisfactory quality, and/or non-infringement
+ * of any third party rights.
+ *
+ * US Government use: This software and documentation is Commercial
+ * Computer Software and Computer Software Documentation, as defined in
+ * sub-paragraphs (a)(1) and (a)(5) of DFAR 252.227-7014, "Rights in
+ * Noncommercial Computer Software and Noncommercial Computer Software
+ * Documentation."  Use, duplication or disclosure by the Government is
+ * subject to the terms and conditions specified here.
+ *
+ * By using or distributing this file you will be accepting these
+ * terms and conditions, including the limitation of liability and
+ * lack of warranty.  If you do not wish to accept these terms and
+ * conditions, DO NOT USE THE FILE.
+ *
+ *
+ * The actual dynamically loadable plugin, and the library files for
+ * static linking, which are also provided in some distributions, are
+ * not covered by the licence described above.  You should have
+ * received a separate licence with terms and conditions for these
+ * library files; if you received the library files without a licence,
+ * please contact nCipher.
+ *
+ *
+ * $Id: hwcryptohook.h,v 1.1 2002/10/11 17:10:59 levitte Exp $
+ */
+
+#ifndef HWCRYPTOHOOK_H
+#define HWCRYPTOHOOK_H
+
+#include <sys/types.h>
+#include <stdio.h>
+
+#ifndef HWCRYPTOHOOK_DECLARE_APPTYPES
+#define HWCRYPTOHOOK_DECLARE_APPTYPES 1
+#endif
+
+#define HWCRYPTOHOOK_ERROR_FAILED   -1
+#define HWCRYPTOHOOK_ERROR_FALLBACK -2
+#define HWCRYPTOHOOK_ERROR_MPISIZE  -3
+
+#if HWCRYPTOHOOK_DECLARE_APPTYPES
+
+/* These structs are defined by the application and opaque to the
+ * crypto plugin.  The application may define these as it sees fit.
+ * Default declarations are provided here, but the application may
+ *  #define HWCRYPTOHOOK_DECLARE_APPTYPES 0
+ * to prevent these declarations, and instead provide its own
+ * declarations of these types.  (Pointers to them must still be
+ * ordinary pointers to structs or unions, or the resulting combined
+ * program will have a type inconsistency.)
+ */
+typedef struct HWCryptoHook_MutexValue HWCryptoHook_Mutex;
+typedef struct HWCryptoHook_CondVarValue HWCryptoHook_CondVar;
+typedef struct HWCryptoHook_PassphraseContextValue HWCryptoHook_PassphraseContext;
+typedef struct HWCryptoHook_CallerContextValue HWCryptoHook_CallerContext;
+
+#endif /* HWCRYPTOHOOK_DECLARE_APPTYPES */
+
+/* These next two structs are opaque to the application.  The crypto
+ * plugin will return pointers to them; the caller simply manipulates
+ * the pointers.
+ */
+typedef struct HWCryptoHook_Context *HWCryptoHook_ContextHandle;
+typedef struct HWCryptoHook_RSAKey *HWCryptoHook_RSAKeyHandle;
+
+typedef struct {
+  char *buf;
+  size_t size;
+} HWCryptoHook_ErrMsgBuf;
+/* Used for error reporting.  When a HWCryptoHook function fails it
+ * will return a sentinel value (0 for pointer-valued functions, or a
+ * negative number, usually HWCRYPTOHOOK_ERROR_FAILED, for
+ * integer-valued ones).  It will, if an ErrMsgBuf is passed, also put
+ * an error message there.
+ * 
+ * size is the size of the buffer, and will not be modified.  If you
+ * pass 0 for size you must pass 0 for buf, and nothing will be
+ * recorded (just as if you passed 0 for the struct pointer).
+ * Messages written to the buffer will always be null-terminated, even
+ * when truncated to fit within size bytes.
+ *
+ * The contents of the buffer are not defined if there is no error.
+ */
+
+typedef struct HWCryptoHook_MPIStruct {
+  unsigned char *buf;
+  size_t size;
+} HWCryptoHook_MPI;
+/* When one of these is returned, a pointer is passed to the function.
+ * At call, size is the space available.  Afterwards it is updated to
+ * be set to the actual length (which may be more than the space available,
+ * if there was not enough room and the result was truncated).
+ * buf (the pointer) is not updated.
+ *
+ * size is in bytes and may be zero at call or return, but must be a
+ * multiple of the limb size.  Zero limbs at the MS end are not
+ * permitted.
+ */
+
+#define HWCryptoHook_InitFlags_FallbackModExp    0x0002UL
+#define HWCryptoHook_InitFlags_FallbackRSAImmed  0x0004UL
+/* Enable requesting fallback to software in case of problems with the
+ * hardware support.  This indicates to the crypto provider that the
+ * application is prepared to fall back to software operation if the
+ * ModExp* or RSAImmed* functions return HWCRYPTOHOOK_ERROR_FALLBACK.
+ * Without this flag those calls will never return
+ * HWCRYPTOHOOK_ERROR_FALLBACK.  The flag will also cause the crypto
+ * provider to avoid repeatedly attempting to contact dead hardware
+ * within a short interval, if appropriate.
+ */
+
+#define HWCryptoHook_InitFlags_SimpleForkCheck   0x0010UL
+/* Without _SimpleForkCheck the library is allowed to assume that the
+ * application will not fork and call the library in the child(ren).
+ *
+ * When it is specified, this is allowed.  However, after a fork
+ * neither parent nor child may unload any loaded keys or call
+ * _Finish.  Instead, they should call exit (or die with a signal)
+ * without calling _Finish.  After all the children have died the
+ * parent may unload keys or call _Finish.
+ *
+ * This flag only has any effect on UN*X platforms.
+ */
+
+typedef struct {
+  unsigned long flags;
+  void *logstream; /* usually a FILE*.  See below. */
+
+  size_t limbsize; /* bignum format - size of radix type, must be power of 2 */
+  int mslimbfirst; /* 0 or 1 */
+  int msbytefirst; /* 0 or 1; -1 = native */
+
+  /* All the callback functions should return 0 on success, or a
+   * nonzero integer (whose value will be visible in the error message
+   * put in the buffer passed to the call).
+   *
+   * If a callback is not available pass a null function pointer.
+   *
+   * The callbacks may not call down again into the crypto plugin.
+   */
+  
+  /* For thread-safety.  Set everything to 0 if you promise only to be
+   * singlethreaded.  maxsimultaneous is the number of calls to
+   * ModExp[Crt]/RSAImmed{Priv,Pub}/RSA.  If you don't know what to
+   * put there then say 0 and the hook library will use a default.
+   *
+   * maxmutexes is a small limit on the number of simultaneous mutexes
+   * which will be requested by the library.  If there is no small
+   * limit, set it to 0.  If the crypto plugin cannot create the
+   * advertised number of mutexes the calls to its functions may fail.
+   * If a low number of mutexes is advertised the plugin will try to
+   * do the best it can.  Making larger numbers of mutexes available
+   * may improve performance and parallelism by reducing contention
+   * over critical sections.  Unavailability of any mutexes, implying
+   * single-threaded operation, should be indicated by the setting
+   * mutex_init et al to 0.
+   */
+  int maxmutexes;
+  int maxsimultaneous;
+  size_t mutexsize;
+  int (*mutex_init)(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext *cactx);
+  int (*mutex_acquire)(HWCryptoHook_Mutex*);
+  void (*mutex_release)(HWCryptoHook_Mutex*);
+  void (*mutex_destroy)(HWCryptoHook_Mutex*);
+
+  /* For greater efficiency, can use condition vars internally for
+   * synchronisation.  In this case maxsimultaneous is ignored, but
+   * the other mutex stuff must be available.  In singlethreaded
+   * programs, set everything to 0.
+   */
+  size_t condvarsize;
+  int (*condvar_init)(HWCryptoHook_CondVar*, HWCryptoHook_CallerContext *cactx);
+  int (*condvar_wait)(HWCryptoHook_CondVar*, HWCryptoHook_Mutex*);
+  void (*condvar_signal)(HWCryptoHook_CondVar*);
+  void (*condvar_broadcast)(HWCryptoHook_CondVar*);
+  void (*condvar_destroy)(HWCryptoHook_CondVar*);
+  
+  /* The semantics of acquiring and releasing mutexes and broadcasting
+   * and waiting on condition variables are expected to be those from
+   * POSIX threads (pthreads).  The mutexes may be (in pthread-speak)
+   * fast mutexes, recursive mutexes, or nonrecursive ones.
+   * 
+   * The _release/_signal/_broadcast and _destroy functions must
+   * always succeed when given a valid argument; if they are given an
+   * invalid argument then the program (crypto plugin + application)
+   * has an internal error, and they should abort the program.
+   */
+
+  int (*getpassphrase)(const char *prompt_info,
+                       int *len_io, char *buf,
+                       HWCryptoHook_PassphraseContext *ppctx,
+                       HWCryptoHook_CallerContext *cactx);
+  /* Passphrases and the prompt_info, if they contain high-bit-set
+   * characters, are UTF-8.  The prompt_info may be a null pointer if
+   * no prompt information is available (it should not be an empty
+   * string).  It will not contain text like `enter passphrase';
+   * instead it might say something like `Operator Card for John
+   * Smith' or `SmartCard in nFast Module #1, Slot #1'.
+   *
+   * buf points to a buffer in which to return the passphrase; on
+   * entry *len_io is the length of the buffer.  It should be updated
+   * by the callback.  The returned passphrase should not be
+   * null-terminated by the callback.
+   */
+  
+  int (*getphystoken)(const char *prompt_info,
+                      const char *wrong_info,
+                      HWCryptoHook_PassphraseContext *ppctx,
+                      HWCryptoHook_CallerContext *cactx);
+  /* Requests that the human user physically insert a different
+   * smartcard, DataKey, etc.  The plugin should check whether the
+   * currently inserted token(s) are appropriate, and if they are it
+   * should not make this call.
+   *
+   * prompt_info is as before.  wrong_info is a description of the
+   * currently inserted token(s) so that the user is told what
+   * something is.  wrong_info, like prompt_info, may be null, but
+   * should not be an empty string.  Its contents should be
+   * syntactically similar to that of prompt_info. 
+   */
+  
+  /* Note that a single LoadKey operation might cause several calls to
+   * getpassphrase and/or requestphystoken.  If requestphystoken is
+   * not provided (ie, a null pointer is passed) then the plugin may
+   * not support loading keys for which authorisation by several cards
+   * is required.  If getpassphrase is not provided then cards with
+   * passphrases may not be supported.
+   *
+   * getpassphrase and getphystoken do not need to check that the
+   * passphrase has been entered correctly or the correct token
+   * inserted; the crypto plugin will do that.  If this is not the
+   * case then the crypto plugin is responsible for calling these
+   * routines again as appropriate until the correct token(s) and
+   * passphrase(s) are supplied as required, or until any retry limits
+   * implemented by the crypto plugin are reached.
+   *
+   * In either case, the application must allow the user to say `no'
+   * or `cancel' to indicate that they do not know the passphrase or
+   * have the appropriate token; this should cause the callback to
+   * return nonzero indicating error.
+   */
+
+  void (*logmessage)(void *logstream, const char *message);
+  /* A log message will be generated at least every time something goes
+   * wrong and an ErrMsgBuf is filled in (or would be if one was
+   * provided).  Other diagnostic information may be written there too,
+   * including more detailed reasons for errors which are reported in an
+   * ErrMsgBuf.
+   *
+   * When a log message is generated, this callback is called.  It
+   * should write a message to the relevant logging arrangements.
+   *
+   * The message string passed will be null-terminated and may be of arbitrary
+   * length.  It will not be prefixed by the time and date, nor by the
+   * name of the library that is generating it - if this is required,
+   * the logmessage callback must do it.  The message will not have a
+   * trailing newline (though it may contain internal newlines).
+   *
+   * If a null pointer is passed for logmessage a default function is
+   * used.  The default function treats logstream as a FILE* which has
+   * been converted to a void*.  If logstream is 0 it does nothing.
+   * Otherwise it prepends the date and time and library name and
+   * writes the message to logstream.  Each line will be prefixed by a
+   * descriptive string containing the date, time and identity of the
+   * crypto plugin.  Errors on the logstream are not reported
+   * anywhere, and the default function doesn't flush the stream, so
+   * the application must set the buffering how it wants it.
+   *
+   * The crypto plugin may also provide a facility to have copies of
+   * log messages sent elsewhere, and or for adjusting the verbosity
+   * of the log messages; any such facilities will be configured by
+   * external means.
+   */
+
+} HWCryptoHook_InitInfo;
+
+typedef
+HWCryptoHook_ContextHandle HWCryptoHook_Init_t(const HWCryptoHook_InitInfo *initinfo,
+                                               size_t initinfosize,
+                                               const HWCryptoHook_ErrMsgBuf *errors,
+                                               HWCryptoHook_CallerContext *cactx);
+extern HWCryptoHook_Init_t HWCryptoHook_Init;
+
+/* Caller should set initinfosize to the size of the HWCryptoHook struct,
+ * so it can be extended later.
+ *
+ * On success, a message for display or logging by the server,
+ * including the name and version number of the plugin, will be filled
+ * in into *errors; on failure *errors is used for error handling, as
+ * usual.
+ */
+
+/* All these functions return 0 on success, HWCRYPTOHOOK_ERROR_FAILED
+ * on most failures.  HWCRYPTOHOOK_ERROR_MPISIZE means at least one of
+ * the output MPI buffer(s) was too small; the sizes of all have been
+ * set to the desired size (and for those where the buffer was large
+ * enough, the value may have been copied in), and no error message
+ * has been recorded.
+ *
+ * You may pass 0 for the errors struct.  In any case, unless you set
+ * _NoStderr at init time then messages may be reported to stderr.
+ */
+
+/* The RSAImmed* functions (and key managed RSA) only work with
+ * modules which have an RSA patent licence - currently that means KM
+ * units; the ModExp* ones work with all modules, so you need a patent
+ * licence in the software in the US.  They are otherwise identical.
+ */
+
+typedef
+void HWCryptoHook_Finish_t(HWCryptoHook_ContextHandle hwctx);
+extern HWCryptoHook_Finish_t HWCryptoHook_Finish;
+/* You must not have any calls going or keys loaded when you call this. */
+
+typedef
+int HWCryptoHook_RandomBytes_t(HWCryptoHook_ContextHandle hwctx,
+                               unsigned char *buf, size_t len,
+                               const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_RandomBytes_t HWCryptoHook_RandomBytes;
+
+typedef
+int HWCryptoHook_ModExp_t(HWCryptoHook_ContextHandle hwctx,
+                          HWCryptoHook_MPI a,
+                          HWCryptoHook_MPI p,
+                          HWCryptoHook_MPI n,
+                          HWCryptoHook_MPI *r,
+                          const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_ModExp_t HWCryptoHook_ModExp;
+
+typedef
+int HWCryptoHook_RSAImmedPub_t(HWCryptoHook_ContextHandle hwctx,
+                               HWCryptoHook_MPI m,
+                               HWCryptoHook_MPI e,
+                               HWCryptoHook_MPI n,
+                               HWCryptoHook_MPI *r,
+                               const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_RSAImmedPub_t HWCryptoHook_RSAImmedPub;
+
+typedef
+int HWCryptoHook_ModExpCRT_t(HWCryptoHook_ContextHandle hwctx,
+                             HWCryptoHook_MPI a,
+                             HWCryptoHook_MPI p,
+                             HWCryptoHook_MPI q,
+                             HWCryptoHook_MPI dmp1,
+                             HWCryptoHook_MPI dmq1,
+                             HWCryptoHook_MPI iqmp,
+                             HWCryptoHook_MPI *r,
+                             const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_ModExpCRT_t HWCryptoHook_ModExpCRT;
+
+typedef
+int HWCryptoHook_RSAImmedPriv_t(HWCryptoHook_ContextHandle hwctx,
+                                HWCryptoHook_MPI m,
+                                HWCryptoHook_MPI p,
+                                HWCryptoHook_MPI q,
+                                HWCryptoHook_MPI dmp1,
+                                HWCryptoHook_MPI dmq1,
+                                HWCryptoHook_MPI iqmp,
+                                HWCryptoHook_MPI *r,
+                                const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_RSAImmedPriv_t HWCryptoHook_RSAImmedPriv;
+
+/* The RSAImmed* and ModExp* functions may return E_FAILED or
+ * E_FALLBACK for failure.
+ *
+ * E_FAILED means the failure is permanent and definite and there
+ *    should be no attempt to fall back to software.  (Eg, for some
+ *    applications, which support only the acceleration-only
+ *    functions, the `key material' may actually be an encoded key
+ *    identifier, and doing the operation in software would give wrong
+ *    answers.)
+ *
+ * E_FALLBACK means that doing the computation in software would seem
+ *    reasonable.  If an application pays attention to this and is
+ *    able to fall back, it should also set the Fallback init flags.
+ */
+
+typedef
+int HWCryptoHook_RSALoadKey_t(HWCryptoHook_ContextHandle hwctx,
+                              const char *key_ident,
+                              HWCryptoHook_RSAKeyHandle *keyhandle_r,
+                              const HWCryptoHook_ErrMsgBuf *errors,
+                              HWCryptoHook_PassphraseContext *ppctx);
+extern HWCryptoHook_RSALoadKey_t HWCryptoHook_RSALoadKey;
+/* The key_ident is a null-terminated string configured by the
+ * user via the application's usual configuration mechanisms.
+ * It is provided to the user by the crypto provider's key management
+ * system.  The user must be able to enter at least any string of between
+ * 1 and 1023 characters inclusive, consisting of printable 7-bit
+ * ASCII characters.  The provider should avoid using
+ * any characters except alphanumerics and the punctuation
+ * characters  _ - + . / @ ~  (the user is expected to be able
+ * to enter these without quoting).  The string may be case-sensitive.
+ * The application may allow the user to enter other NULL-terminated strings,
+ * and the provider must cope (returning an error if the string is not
+ * valid).
+ *
+ * If the key does not exist, no error is recorded and 0 is returned;
+ * keyhandle_r will be set to 0 instead of to a key handle.
+ */
+
+typedef
+int HWCryptoHook_RSAGetPublicKey_t(HWCryptoHook_RSAKeyHandle k,
+                                   HWCryptoHook_MPI *n,
+                                   HWCryptoHook_MPI *e,
+                                   const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_RSAGetPublicKey_t HWCryptoHook_RSAGetPublicKey;
+/* The crypto plugin will not store certificates.
+ *
+ * Although this function for acquiring the public key value is
+ * provided, it is not the purpose of this API to deal fully with the
+ * handling of the public key.
+ *
+ * It is expected that the crypto supplier's key generation program
+ * will provide general facilities for producing X.509
+ * self-certificates and certificate requests in PEM format.  These
+ * will be given to the user so that they can configure them in the
+ * application, send them to CAs, or whatever.
+ *
+ * In case this kind of certificate handling is not appropriate, the
+ * crypto supplier's key generation program should be able to be
+ * configured not to generate such a self-certificate or certificate
+ * request.  Then the application will need to do all of this, and
+ * will need to store and handle the public key and certificates
+ * itself.
+ */
+
+typedef
+int HWCryptoHook_RSAUnloadKey_t(HWCryptoHook_RSAKeyHandle k,
+                                const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_RSAUnloadKey_t HWCryptoHook_RSAUnloadKey;
+/* Might fail due to locking problems, or other serious internal problems. */
+
+typedef
+int HWCryptoHook_RSA_t(HWCryptoHook_MPI m,
+                       HWCryptoHook_RSAKeyHandle k,
+                       HWCryptoHook_MPI *r,
+                       const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_RSA_t HWCryptoHook_RSA;
+/* RSA private key operation (sign or decrypt) - raw, unpadded. */
+
+#endif /*HWCRYPTOHOOK_H*/
diff --git a/crypto/openssl/engines/vendor_defns/sureware.h b/crypto/openssl/engines/vendor_defns/sureware.h
new file mode 100644
index 000000000000..e46b000ddcad
--- /dev/null
+++ b/crypto/openssl/engines/vendor_defns/sureware.h
@@ -0,0 +1,239 @@
+/*
+* Written by Corinne Dive-Reclus(cdive@baltimore.com)
+*
+* Copyright@2001 Baltimore Technologies Ltd.
+*																								*	
+*		THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND																			*
+*		ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE					* 
+*		IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE				*
+*		ARE DISCLAIMED.  IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE						*
+*		FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL				*
+*		DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS					*
+*		OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)					*
+*		HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT				*
+*		LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY				*
+*		OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF					*
+*		SUCH DAMAGE.																			*
+*
+* 
+*/
+#ifdef WIN32
+#define SW_EXPORT	__declspec ( dllexport )
+#else
+#define SW_EXPORT
+#endif
+
+/*
+*	List of exposed SureWare errors
+*/
+#define SUREWAREHOOK_ERROR_FAILED		-1
+#define SUREWAREHOOK_ERROR_FALLBACK		-2
+#define SUREWAREHOOK_ERROR_UNIT_FAILURE -3
+#define SUREWAREHOOK_ERROR_DATA_SIZE -4
+#define SUREWAREHOOK_ERROR_INVALID_PAD -5
+/*
+* -----------------WARNING-----------------------------------
+* In all the following functions:
+* msg is a string with at least 24 bytes free.
+* A 24 bytes string will be concatenated to the existing content of msg. 
+*/
+/*
+*	SureWare Initialisation function
+*	in param threadsafe, if !=0, thread safe enabled
+*	return SureWareHOOK_ERROR_UNIT_FAILURE if failure, 1 if success
+*/
+typedef int SureWareHook_Init_t(char*const msg,int threadsafe);
+extern SW_EXPORT SureWareHook_Init_t SureWareHook_Init;
+/*
+*	SureWare Finish function
+*/
+typedef void SureWareHook_Finish_t(void);
+extern SW_EXPORT SureWareHook_Finish_t SureWareHook_Finish;
+/*
+*	 PRE_CONDITION:
+*		DO NOT CALL ANY OF THE FOLLOWING FUNCTIONS IN CASE OF INIT FAILURE
+*/
+/*
+*	SureWare RAND Bytes function
+*	In case of failure, the content of buf is unpredictable.
+*	return 1 if success
+*			SureWareHOOK_ERROR_FALLBACK if function not available in hardware
+*			SureWareHOOK_ERROR_FAILED if error while processing
+*			SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure
+*			SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf
+*
+*	in/out param buf : a num bytes long buffer where random bytes will be put
+*	in param num : the number of bytes into buf
+*/
+typedef int SureWareHook_Rand_Bytes_t(char*const msg,unsigned char *buf, int num);
+extern SW_EXPORT SureWareHook_Rand_Bytes_t SureWareHook_Rand_Bytes;
+
+/*
+*	SureWare RAND Seed function
+*	Adds some seed to the Hardware Random Number Generator
+*	return 1 if success
+*			SureWareHOOK_ERROR_FALLBACK if function not available in hardware
+*			SureWareHOOK_ERROR_FAILED if error while processing
+*			SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure
+*			SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf
+*
+*	in param buf : the seed to add into the HRNG
+*	in param num : the number of bytes into buf
+*/
+typedef int SureWareHook_Rand_Seed_t(char*const msg,const void *buf, int num);
+extern SW_EXPORT SureWareHook_Rand_Seed_t SureWareHook_Rand_Seed;
+
+/*
+*	SureWare Load Private Key function
+*	return 1 if success
+*			SureWareHOOK_ERROR_FAILED if error while processing
+*	No hardware is contact for this function.
+*
+*	in param key_id :the name of the private protected key file without the extension
+						".sws"
+*	out param hptr : a pointer to a buffer allocated by SureWare_Hook
+*	out param num: the effective key length in bytes
+*	out param keytype: 1 if RSA 2 if DSA
+*/
+typedef int SureWareHook_Load_Privkey_t(char*const msg,const char *key_id,char **hptr,unsigned long *num,char *keytype);
+extern SW_EXPORT SureWareHook_Load_Privkey_t SureWareHook_Load_Privkey;
+
+/*
+*	SureWare Info Public Key function
+*	return 1 if success
+*			SureWareHOOK_ERROR_FAILED if error while processing
+*	No hardware is contact for this function.
+*
+*	in param key_id :the name of the private protected key file without the extension
+						".swp"
+*	out param hptr : a pointer to a buffer allocated by SureWare_Hook
+*	out param num: the effective key length in bytes
+*	out param keytype: 1 if RSA 2 if DSA
+*/
+typedef int SureWareHook_Info_Pubkey_t(char*const msg,const char *key_id,unsigned long *num,
+										char *keytype);
+extern SW_EXPORT SureWareHook_Info_Pubkey_t SureWareHook_Info_Pubkey;
+
+/*
+*	SureWare Load Public Key function
+*	return 1 if success
+*			SureWareHOOK_ERROR_FAILED if error while processing
+*	No hardware is contact for this function.
+*
+*	in param key_id :the name of the public protected key file without the extension
+						".swp"
+*	in param num : the bytes size of n and e
+*	out param n: where to write modulus in bn format
+*	out param e: where to write exponent in bn format
+*/
+typedef int SureWareHook_Load_Rsa_Pubkey_t(char*const msg,const char *key_id,unsigned long num,
+										unsigned long *n, unsigned long *e);
+extern SW_EXPORT SureWareHook_Load_Rsa_Pubkey_t SureWareHook_Load_Rsa_Pubkey;
+
+/*
+*	SureWare Load DSA Public Key function
+*	return 1 if success
+*			SureWareHOOK_ERROR_FAILED if error while processing
+*	No hardware is contact for this function.
+*
+*	in param key_id :the name of the public protected key file without the extension
+						".swp"
+*	in param num : the bytes size of n and e
+*	out param pub: where to write pub key in bn format
+*	out param p: where to write prime in bn format
+*	out param q: where to write sunprime (length 20 bytes) in bn format
+*	out param g: where to write base in bn format
+*/
+typedef int SureWareHook_Load_Dsa_Pubkey_t(char*const msg,const char *key_id,unsigned long num,
+										unsigned long *pub, unsigned long *p,unsigned long*q,
+										unsigned long *g);
+extern SW_EXPORT SureWareHook_Load_Dsa_Pubkey_t SureWareHook_Load_Dsa_Pubkey;
+
+/*
+*	SureWare Free function
+*	Destroy the key into the hardware if destroy==1
+*/
+typedef void SureWareHook_Free_t(char *p,int destroy);
+extern SW_EXPORT SureWareHook_Free_t SureWareHook_Free;
+
+#define SUREWARE_PKCS1_PAD 1
+#define SUREWARE_ISO9796_PAD 2
+#define SUREWARE_NO_PAD 0
+/*
+* SureWare RSA Private Decryption
+* return 1 if success
+*			SureWareHOOK_ERROR_FAILED if error while processing
+*			SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure
+*			SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf
+*
+*	in param flen : byte size of from and to
+*	in param from : encrypted data buffer, should be a not-null valid pointer
+*	out param tlen: byte size of decrypted data, if error, unexpected value
+*	out param to : decrypted data buffer, should be a not-null valid pointer
+*   in param prsa: a protected key pointer, should be a not-null valid pointer
+*   int padding: padding id as follow
+*					SUREWARE_PKCS1_PAD
+*					SUREWARE_NO_PAD
+*
+*/
+typedef int SureWareHook_Rsa_Priv_Dec_t(char*const msg,int flen,unsigned char *from,
+										int *tlen,unsigned char *to,
+										char *prsa,int padding);
+extern SW_EXPORT SureWareHook_Rsa_Priv_Dec_t SureWareHook_Rsa_Priv_Dec;
+/*
+* SureWare RSA Signature
+* return 1 if success
+*			SureWareHOOK_ERROR_FAILED if error while processing
+*			SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure
+*			SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf
+*
+*	in param flen : byte size of from and to
+*	in param from : encrypted data buffer, should be a not-null valid pointer
+*	out param tlen: byte size of decrypted data, if error, unexpected value
+*	out param to : decrypted data buffer, should be a not-null valid pointer
+*   in param prsa: a protected key pointer, should be a not-null valid pointer
+*   int padding: padding id as follow
+*					SUREWARE_PKCS1_PAD
+*					SUREWARE_ISO9796_PAD
+*
+*/
+typedef int SureWareHook_Rsa_Sign_t(char*const msg,int flen,unsigned char *from,
+										int *tlen,unsigned char *to,
+										char *prsa,int padding);
+extern SW_EXPORT SureWareHook_Rsa_Sign_t SureWareHook_Rsa_Sign;
+/*
+* SureWare DSA Signature
+* return 1 if success
+*			SureWareHOOK_ERROR_FAILED if error while processing
+*			SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure
+*			SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf
+*
+*	in param flen : byte size of from and to
+*	in param from : encrypted data buffer, should be a not-null valid pointer
+*	out param to : decrypted data buffer, should be a 40bytes valid pointer
+*   in param pdsa: a protected key pointer, should be a not-null valid pointer
+*
+*/
+typedef int SureWareHook_Dsa_Sign_t(char*const msg,int flen,const unsigned char *from,
+										unsigned long *r,unsigned long *s,char *pdsa);
+extern SW_EXPORT SureWareHook_Dsa_Sign_t SureWareHook_Dsa_Sign;
+
+
+/*
+* SureWare Mod Exp
+* return 1 if success
+*			SureWareHOOK_ERROR_FAILED if error while processing
+*			SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure
+*			SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf
+*
+*	mod and res are mlen bytes long.
+*	exp is elen bytes long
+*	data is dlen bytes long
+*	mlen,elen and dlen are all multiple of sizeof(unsigned long)
+*/
+typedef int SureWareHook_Mod_Exp_t(char*const msg,int mlen,const unsigned long *mod,
+									int elen,const unsigned long *exponent,
+									int dlen,unsigned long *data,
+									unsigned long *res);
+extern SW_EXPORT SureWareHook_Mod_Exp_t SureWareHook_Mod_Exp;
+
diff --git a/crypto/openssl/openssl.spec b/crypto/openssl/openssl.spec
index 9be18eb18a5c..598ab84bbb29 100644
--- a/crypto/openssl/openssl.spec
+++ b/crypto/openssl/openssl.spec
@@ -1,7 +1,7 @@
 %define libmaj 0
 %define libmin 9
-%define librel 7
-%define librev e
+%define librel 8
+%define librev b
 Release: 1
 
 %define openssldir /var/ssl
@@ -121,7 +121,6 @@ rm -rf $RPM_BUILD_ROOT
 
 %config %attr(0644,root,root) %{openssldir}/openssl.cnf 
 %dir %attr(0755,root,root) %{openssldir}/certs
-%dir %attr(0755,root,root) %{openssldir}/lib
 %dir %attr(0755,root,root) %{openssldir}/misc
 %dir %attr(0750,root,root) %{openssldir}/private
 
@@ -146,6 +145,8 @@ ldconfig
 ldconfig
 
 %changelog
+* Sun Jun  6 2005 Richard Levitte <richard@levitte.org>
+- Remove the incorrect installation of '%{openssldir}/lib'.
 * Wed May  7 2003 Richard Levitte <richard@levitte.org>
 - Add /usr/lib/pkgconfig/openssl.pc to the development section.
 * Thu Mar 22 2001 Richard Levitte <richard@levitte.org>
diff --git a/crypto/openssl/ssl/Makefile b/crypto/openssl/ssl/Makefile
index 9dd9416a2183..ca1f0eb82e59 100644
--- a/crypto/openssl/ssl/Makefile
+++ b/crypto/openssl/ssl/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/ssl/Makefile
+# OpenSSL/ssl/Makefile
 #
 
 DIR=	ssl
@@ -7,11 +7,6 @@ TOP=	..
 CC=	cc
 INCLUDES= -I../crypto -I$(TOP) -I../include $(KRB5_INCLUDES)
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r
 # KRB5 stuff
@@ -30,6 +25,8 @@ LIBSRC=	\
 	s3_meth.c   s3_srvr.c s3_clnt.c  s3_lib.c  s3_enc.c s3_pkt.c s3_both.c \
 	s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c          s23_pkt.c \
 	t1_meth.c   t1_srvr.c t1_clnt.c  t1_lib.c  t1_enc.c \
+	d1_meth.c   d1_srvr.c d1_clnt.c  d1_lib.c  d1_pkt.c \
+	d1_both.c d1_enc.c \
 	ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
 	ssl_ciph.c ssl_stat.c ssl_rsa.c \
 	ssl_asn1.c ssl_txt.c ssl_algs.c \
@@ -39,6 +36,8 @@ LIBOBJ= \
 	s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o \
 	s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o          s23_pkt.o \
 	t1_meth.o   t1_srvr.o t1_clnt.o  t1_lib.o  t1_enc.o \
+	d1_meth.o   d1_srvr.o d1_clnt.o  d1_lib.o  d1_pkt.o \
+	d1_both.o d1_enc.o \
 	ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
 	ssl_ciph.o ssl_stat.o ssl_rsa.o \
 	ssl_asn1.o ssl_txt.o ssl_algs.o \
@@ -46,7 +45,7 @@ LIBOBJ= \
 
 SRC= $(LIBSRC)
 
-EXHEADER= ssl.h ssl2.h ssl3.h ssl23.h tls1.h kssl.h
+EXHEADER= ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h kssl.h
 HEADER=	$(EXHEADER) ssl_locl.h kssl_lcl.h
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
@@ -75,7 +74,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -90,7 +90,11 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+	@if [ -z "$(THIS)" ]; then \
+	    $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \
+	else \
+	    $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC); \
+	fi
 
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -101,920 +105,866 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-bio_ssl.o: ../include/openssl/aes.h ../include/openssl/asn1.h
-bio_ssl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+bio_ssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 bio_ssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-bio_ssl.o: ../include/openssl/cast.h ../include/openssl/comp.h
-bio_ssl.o: ../include/openssl/crypto.h ../include/openssl/des.h
-bio_ssl.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-bio_ssl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-bio_ssl.o: ../include/openssl/err.h ../include/openssl/evp.h
-bio_ssl.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-bio_ssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-bio_ssl.o: ../include/openssl/md4.h ../include/openssl/md5.h
-bio_ssl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+bio_ssl.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+bio_ssl.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+bio_ssl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+bio_ssl.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+bio_ssl.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+bio_ssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 bio_ssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 bio_ssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 bio_ssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-bio_ssl.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-bio_ssl.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-bio_ssl.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-bio_ssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-bio_ssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-bio_ssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-bio_ssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-bio_ssl.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-bio_ssl.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-bio_ssl.o: ../include/openssl/x509_vfy.h bio_ssl.c
-kssl.o: ../include/openssl/aes.h ../include/openssl/asn1.h
-kssl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+bio_ssl.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+bio_ssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+bio_ssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+bio_ssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+bio_ssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+bio_ssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+bio_ssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h bio_ssl.c
+d1_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+d1_both.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+d1_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+d1_both.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+d1_both.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+d1_both.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+d1_both.o: ../include/openssl/err.h ../include/openssl/evp.h
+d1_both.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+d1_both.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+d1_both.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+d1_both.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+d1_both.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+d1_both.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+d1_both.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+d1_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+d1_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+d1_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+d1_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+d1_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+d1_both.o: ../include/openssl/x509_vfy.h d1_both.c ssl_locl.h
+d1_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+d1_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+d1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+d1_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+d1_clnt.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+d1_clnt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+d1_clnt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+d1_clnt.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+d1_clnt.o: ../include/openssl/lhash.h ../include/openssl/md5.h
+d1_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+d1_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+d1_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+d1_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+d1_clnt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+d1_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+d1_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+d1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+d1_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+d1_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+d1_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+d1_clnt.o: ../include/openssl/x509_vfy.h d1_clnt.c kssl_lcl.h ssl_locl.h
+d1_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+d1_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+d1_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+d1_enc.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+d1_enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+d1_enc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+d1_enc.o: ../include/openssl/err.h ../include/openssl/evp.h
+d1_enc.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+d1_enc.o: ../include/openssl/lhash.h ../include/openssl/md5.h
+d1_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+d1_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+d1_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+d1_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+d1_enc.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+d1_enc.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+d1_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+d1_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+d1_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+d1_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+d1_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+d1_enc.o: ../include/openssl/x509_vfy.h d1_enc.c ssl_locl.h
+d1_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+d1_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+d1_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+d1_lib.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+d1_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+d1_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+d1_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
+d1_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+d1_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+d1_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+d1_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+d1_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+d1_lib.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+d1_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+d1_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+d1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+d1_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_lib.c
+d1_lib.o: ssl_locl.h
+d1_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+d1_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+d1_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+d1_meth.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+d1_meth.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+d1_meth.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+d1_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
+d1_meth.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+d1_meth.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+d1_meth.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+d1_meth.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+d1_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+d1_meth.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+d1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+d1_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+d1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+d1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_meth.c
+d1_meth.o: ssl_locl.h
+d1_pkt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+d1_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+d1_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+d1_pkt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+d1_pkt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+d1_pkt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+d1_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h
+d1_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+d1_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+d1_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+d1_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+d1_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+d1_pkt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+d1_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+d1_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+d1_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+d1_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_pkt.c
+d1_pkt.o: ssl_locl.h
+d1_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+d1_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+d1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+d1_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+d1_srvr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+d1_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+d1_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+d1_srvr.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+d1_srvr.o: ../include/openssl/lhash.h ../include/openssl/md5.h
+d1_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+d1_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+d1_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+d1_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+d1_srvr.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+d1_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+d1_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+d1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+d1_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+d1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+d1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+d1_srvr.o: ../include/openssl/x509_vfy.h d1_srvr.c ssl_locl.h
+kssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 kssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-kssl.o: ../include/openssl/cast.h ../include/openssl/comp.h
-kssl.o: ../include/openssl/crypto.h ../include/openssl/des.h
-kssl.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-kssl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-kssl.o: ../include/openssl/evp.h ../include/openssl/idea.h
+kssl.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+kssl.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+kssl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+kssl.o: ../include/openssl/ecdsa.h ../include/openssl/evp.h
 kssl.o: ../include/openssl/krb5_asn.h ../include/openssl/kssl.h
-kssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-kssl.o: ../include/openssl/md4.h ../include/openssl/md5.h
-kssl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+kssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 kssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 kssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 kssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-kssl.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-kssl.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-kssl.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-kssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-kssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-kssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-kssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-kssl.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-kssl.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-kssl.o: ../include/openssl/x509_vfy.h kssl.c
-s23_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s23_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+kssl.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+kssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+kssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+kssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+kssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+kssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+kssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl.c
+s23_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s23_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s23_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s23_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s23_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s23_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s23_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_clnt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s23_clnt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s23_clnt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s23_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h
-s23_clnt.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s23_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s23_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s23_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s23_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s23_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s23_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s23_clnt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s23_clnt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s23_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s23_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s23_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s23_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s23_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s23_clnt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-s23_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_clnt.c
-s23_clnt.o: ssl_locl.h
-s23_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s23_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s23_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s23_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s23_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s23_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s23_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_clnt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s23_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+s23_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s23_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_clnt.o: ../include/openssl/x509_vfy.h s23_clnt.c ssl_locl.h
+s23_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s23_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s23_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s23_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s23_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s23_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s23_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_lib.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s23_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s23_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s23_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
-s23_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s23_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s23_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s23_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s23_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s23_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s23_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s23_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s23_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s23_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s23_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s23_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s23_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s23_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s23_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s23_lib.o: ../include/openssl/x509_vfy.h s23_lib.c ssl_locl.h
-s23_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s23_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s23_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s23_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s23_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s23_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s23_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_lib.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s23_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s23_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_lib.c
+s23_lib.o: ssl_locl.h
+s23_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s23_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s23_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s23_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s23_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s23_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s23_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_meth.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s23_meth.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s23_meth.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s23_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
-s23_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s23_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s23_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s23_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s23_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s23_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s23_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s23_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s23_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s23_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s23_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s23_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s23_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s23_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s23_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s23_meth.o: ../include/openssl/x509_vfy.h s23_meth.c ssl_locl.h
-s23_pkt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s23_pkt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s23_meth.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s23_meth.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s23_meth.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s23_meth.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s23_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_meth.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s23_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s23_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_meth.c
+s23_meth.o: ssl_locl.h
+s23_pkt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s23_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s23_pkt.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s23_pkt.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s23_pkt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s23_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s23_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_pkt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s23_pkt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s23_pkt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s23_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h
-s23_pkt.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s23_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s23_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s23_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s23_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s23_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s23_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s23_pkt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s23_pkt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s23_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s23_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s23_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s23_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s23_pkt.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s23_pkt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s23_pkt.o: ../include/openssl/x509_vfy.h s23_pkt.c ssl_locl.h
-s23_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s23_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s23_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s23_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s23_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s23_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s23_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_pkt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s23_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s23_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_pkt.c
+s23_pkt.o: ssl_locl.h
+s23_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s23_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s23_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s23_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s23_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s23_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s23_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s23_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s23_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s23_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h
-s23_srvr.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s23_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s23_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s23_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s23_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s23_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s23_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s23_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s23_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s23_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s23_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s23_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s23_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s23_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s23_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-s23_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_srvr.c
-s23_srvr.o: ssl_locl.h
-s2_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s2_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s23_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s23_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s23_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s23_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s23_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_srvr.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s23_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+s23_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s23_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_srvr.o: ../include/openssl/x509_vfy.h s23_srvr.c ssl_locl.h
+s2_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s2_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s2_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s2_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s2_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s2_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_clnt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s2_clnt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s2_clnt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s2_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_clnt.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s2_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s2_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s2_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s2_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s2_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s2_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s2_clnt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s2_clnt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s2_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s2_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s2_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s2_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s2_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s2_clnt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-s2_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_clnt.c
-s2_clnt.o: ssl_locl.h
-s2_enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s2_enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s2_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s2_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s2_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s2_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_clnt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s2_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+s2_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s2_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_clnt.o: ../include/openssl/x509_vfy.h s2_clnt.c ssl_locl.h
+s2_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s2_enc.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s2_enc.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s2_enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s2_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s2_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_enc.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s2_enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s2_enc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s2_enc.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_enc.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s2_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s2_enc.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s2_enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s2_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s2_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s2_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s2_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s2_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s2_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s2_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s2_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s2_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_enc.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s2_enc.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s2_enc.o: ../include/openssl/x509_vfy.h s2_enc.c ssl_locl.h
-s2_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s2_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s2_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s2_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s2_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s2_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s2_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_enc.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s2_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s2_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_enc.c
+s2_enc.o: ssl_locl.h
+s2_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s2_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s2_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s2_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s2_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s2_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_lib.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s2_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s2_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s2_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s2_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s2_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s2_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+s2_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s2_lib.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
 s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 s2_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s2_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s2_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s2_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s2_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s2_lib.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
 s2_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 s2_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
 s2_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
 s2_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s2_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s2_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
 s2_lib.o: ../include/openssl/x509_vfy.h s2_lib.c ssl_locl.h
-s2_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s2_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s2_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s2_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s2_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s2_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s2_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s2_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_meth.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s2_meth.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s2_meth.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s2_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s2_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s2_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s2_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s2_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s2_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s2_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s2_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s2_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s2_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s2_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s2_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s2_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s2_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s2_meth.o: ../include/openssl/x509_vfy.h s2_meth.c ssl_locl.h
-s2_pkt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s2_pkt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s2_meth.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s2_meth.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s2_meth.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s2_meth.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s2_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_meth.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s2_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s2_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_meth.c
+s2_meth.o: ssl_locl.h
+s2_pkt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s2_pkt.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s2_pkt.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s2_pkt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s2_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s2_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_pkt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s2_pkt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s2_pkt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s2_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_pkt.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s2_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s2_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s2_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s2_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s2_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s2_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s2_pkt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s2_pkt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s2_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s2_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s2_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s2_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_pkt.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s2_pkt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s2_pkt.o: ../include/openssl/x509_vfy.h s2_pkt.c ssl_locl.h
-s2_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s2_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s2_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s2_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s2_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s2_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s2_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_pkt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s2_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c
+s2_pkt.o: ssl_locl.h
+s2_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s2_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s2_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s2_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s2_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_srvr.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s2_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s2_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s2_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s2_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s2_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s2_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s2_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s2_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s2_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s2_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s2_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s2_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-s2_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_srvr.c
-s2_srvr.o: ssl_locl.h
-s3_both.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s3_both.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s2_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s2_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s2_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s2_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_srvr.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s2_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_srvr.o: ../include/openssl/x509_vfy.h s2_srvr.c ssl_locl.h
+s3_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_both.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s3_both.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s3_both.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s3_both.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s3_both.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s3_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_both.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s3_both.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s3_both.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s3_both.o: ../include/openssl/err.h ../include/openssl/evp.h
-s3_both.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s3_both.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s3_both.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s3_both.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s3_both.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_both.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s3_both.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s3_both.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s3_both.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s3_both.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s3_both.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s3_both.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s3_both.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s3_both.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s3_both.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s3_both.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-s3_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_both.c
-s3_both.o: ssl_locl.h
-s3_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s3_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s3_both.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s3_both.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s3_both.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s3_both.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s3_both.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_both.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s3_both.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+s3_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_both.o: ../include/openssl/x509_vfy.h s3_both.c ssl_locl.h
+s3_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s3_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s3_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s3_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s3_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-s3_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h
-s3_clnt.o: ../include/openssl/fips.h ../include/openssl/idea.h
-s3_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s3_clnt.o: ../include/openssl/md2.h ../include/openssl/md4.h
-s3_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s3_clnt.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+s3_clnt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+s3_clnt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+s3_clnt.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s3_clnt.o: ../include/openssl/lhash.h ../include/openssl/md5.h
 s3_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 s3_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 s3_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 s3_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-s3_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s3_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_clnt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s3_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 s3_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 s3_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
 s3_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
 s3_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_clnt.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s3_clnt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s3_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
 s3_clnt.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_clnt.c ssl_locl.h
-s3_enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s3_enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s3_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s3_enc.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s3_enc.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s3_enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s3_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s3_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_enc.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s3_enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s3_enc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s3_enc.o: ../include/openssl/err.h ../include/openssl/evp.h
-s3_enc.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s3_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s3_enc.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s3_enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+s3_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s3_enc.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
 s3_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 s3_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 s3_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s3_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s3_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s3_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_enc.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s3_enc.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
 s3_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 s3_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
 s3_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
 s3_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_enc.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s3_enc.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s3_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
 s3_enc.o: ../include/openssl/x509_vfy.h s3_enc.c ssl_locl.h
-s3_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s3_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s3_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s3_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s3_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s3_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s3_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-s3_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
-s3_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s3_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s3_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s3_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s3_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s3_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s3_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s3_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s3_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s3_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s3_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s3_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s3_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s3_lib.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_lib.c ssl_locl.h
-s3_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s3_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s3_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s3_lib.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+s3_lib.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+s3_lib.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+s3_lib.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s3_lib.o: ../include/openssl/lhash.h ../include/openssl/md5.h
+s3_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s3_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s3_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s3_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_lib.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s3_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h
+s3_lib.o: s3_lib.c ssl_locl.h
+s3_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s3_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s3_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s3_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s3_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s3_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_meth.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s3_meth.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s3_meth.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s3_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
-s3_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s3_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s3_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s3_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s3_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s3_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s3_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s3_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s3_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s3_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s3_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s3_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s3_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s3_meth.o: ../include/openssl/x509_vfy.h s3_meth.c ssl_locl.h
-s3_pkt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s3_pkt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s3_meth.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s3_meth.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s3_meth.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s3_meth.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s3_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_meth.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s3_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_meth.c
+s3_meth.o: ssl_locl.h
+s3_pkt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s3_pkt.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s3_pkt.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s3_pkt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s3_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s3_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_pkt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s3_pkt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s3_pkt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s3_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h
-s3_pkt.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s3_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s3_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s3_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s3_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s3_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s3_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s3_pkt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s3_pkt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s3_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s3_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s3_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_pkt.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s3_pkt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s3_pkt.o: ../include/openssl/x509_vfy.h s3_pkt.c ssl_locl.h
-s3_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s3_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s3_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s3_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s3_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s3_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s3_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_pkt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s3_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_pkt.c
+s3_pkt.o: ssl_locl.h
+s3_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s3_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s3_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s3_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s3_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-s3_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h
-s3_srvr.o: ../include/openssl/fips.h ../include/openssl/idea.h
+s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s3_srvr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+s3_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+s3_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+s3_srvr.o: ../include/openssl/evp.h ../include/openssl/krb5_asn.h
 s3_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s3_srvr.o: ../include/openssl/md2.h ../include/openssl/md4.h
-s3_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-s3_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s3_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s3_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s3_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-s3_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s3_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s3_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s3_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s3_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_srvr.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s3_srvr.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s3_srvr.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_srvr.c ssl_locl.h
-ssl_algs.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ssl_algs.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s3_srvr.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
+s3_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s3_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s3_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h
+s3_srvr.o: s3_srvr.c ssl_locl.h
+ssl_algs.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_algs.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ssl_algs.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ssl_algs.o: ../include/openssl/crypto.h ../include/openssl/des.h
-ssl_algs.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-ssl_algs.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ssl_algs.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_algs.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_algs.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_algs.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssl_algs.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_algs.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-ssl_algs.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ssl_algs.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ssl_algs.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-ssl_algs.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_algs.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_algs.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_algs.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-ssl_algs.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-ssl_algs.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-ssl_algs.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssl_algs.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_algs.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_algs.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_algs.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-ssl_algs.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-ssl_algs.o: ../include/openssl/x509_vfy.h ssl_algs.c ssl_locl.h
-ssl_asn1.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ssl_asn1.o: ../include/openssl/asn1_mac.h ../include/openssl/bio.h
-ssl_asn1.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-ssl_asn1.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ssl_asn1.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-ssl_asn1.o: ../include/openssl/des.h ../include/openssl/des_old.h
-ssl_asn1.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-ssl_asn1.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-ssl_asn1.o: ../include/openssl/evp.h ../include/openssl/idea.h
-ssl_asn1.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-ssl_asn1.o: ../include/openssl/md2.h ../include/openssl/md4.h
-ssl_asn1.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-ssl_asn1.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_asn1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ssl_asn1.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ssl_asn1.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_asn1.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-ssl_asn1.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-ssl_asn1.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_asn1.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_asn1.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_asn1.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_asn1.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_asn1.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-ssl_asn1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_asn1.c
-ssl_asn1.o: ssl_locl.h
-ssl_cert.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ssl_cert.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-ssl_cert.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ssl_cert.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_algs.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssl_algs.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_algs.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_algs.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_algs.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_algs.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ssl_algs.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_algs.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_algs.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_algs.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_algs.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_algs.c
+ssl_algs.o: ssl_locl.h
+ssl_asn1.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/asn1_mac.h
+ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/bn.h
+ssl_asn1.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
+ssl_asn1.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+ssl_asn1.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+ssl_asn1.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+ssl_asn1.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+ssl_asn1.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ssl_asn1.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_asn1.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_asn1.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_asn1.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+ssl_asn1.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_asn1.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_asn1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_asn1.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_asn1.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_asn1.o: ../include/openssl/x509_vfy.h ssl_asn1.c ssl_locl.h
+ssl_cert.o: ../crypto/o_dir.h ../e_os.h ../include/openssl/asn1.h
+ssl_cert.o: ../include/openssl/bio.h ../include/openssl/bn.h
+ssl_cert.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_cert.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-ssl_cert.o: ../include/openssl/des.h ../include/openssl/des_old.h
 ssl_cert.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-ssl_cert.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-ssl_cert.o: ../include/openssl/evp.h ../include/openssl/fips.h
-ssl_cert.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-ssl_cert.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ssl_cert.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ssl_cert.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ssl_cert.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+ssl_cert.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+ssl_cert.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+ssl_cert.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+ssl_cert.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 ssl_cert.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 ssl_cert.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 ssl_cert.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_cert.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-ssl_cert.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-ssl_cert.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_cert.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+ssl_cert.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
 ssl_cert.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 ssl_cert.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
 ssl_cert.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
 ssl_cert.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_cert.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-ssl_cert.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ssl_cert.o: ../include/openssl/tls1.h ../include/openssl/x509.h
 ssl_cert.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
 ssl_cert.o: ssl_cert.c ssl_locl.h
-ssl_ciph.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ssl_ciph.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_ciph.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_ciph.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ssl_ciph.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ssl_ciph.o: ../include/openssl/crypto.h ../include/openssl/des.h
-ssl_ciph.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-ssl_ciph.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ssl_ciph.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_ciph.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_ciph.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_ciph.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssl_ciph.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_ciph.o: ../include/openssl/fips.h ../include/openssl/idea.h
 ssl_ciph.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-ssl_ciph.o: ../include/openssl/md2.h ../include/openssl/md4.h
-ssl_ciph.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
 ssl_ciph.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 ssl_ciph.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 ssl_ciph.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 ssl_ciph.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_ciph.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-ssl_ciph.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_ciph.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
 ssl_ciph.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 ssl_ciph.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 ssl_ciph.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 ssl_ciph.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 ssl_ciph.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_ciph.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 ssl_ciph.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_ciph.c
 ssl_ciph.o: ssl_locl.h
-ssl_err.o: ../include/openssl/aes.h ../include/openssl/asn1.h
-ssl_err.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_err.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_err.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ssl_err.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ssl_err.o: ../include/openssl/crypto.h ../include/openssl/des.h
-ssl_err.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-ssl_err.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-ssl_err.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_err.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-ssl_err.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ssl_err.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ssl_err.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ssl_err.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_err.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+ssl_err.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+ssl_err.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+ssl_err.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+ssl_err.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 ssl_err.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 ssl_err.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 ssl_err.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_err.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-ssl_err.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-ssl_err.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-ssl_err.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssl_err.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_err.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_err.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-ssl_err.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-ssl_err.o: ../include/openssl/x509_vfy.h ssl_err.c
-ssl_err2.o: ../include/openssl/aes.h ../include/openssl/asn1.h
-ssl_err2.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_err.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+ssl_err.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+ssl_err.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_err.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_err.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_err.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_err.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_err.c
+ssl_err2.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_err2.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ssl_err2.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ssl_err2.o: ../include/openssl/crypto.h ../include/openssl/des.h
-ssl_err2.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-ssl_err2.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-ssl_err2.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_err2.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-ssl_err2.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ssl_err2.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ssl_err2.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ssl_err2.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_err2.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+ssl_err2.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+ssl_err2.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+ssl_err2.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+ssl_err2.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 ssl_err2.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 ssl_err2.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 ssl_err2.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_err2.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-ssl_err2.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-ssl_err2.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-ssl_err2.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssl_err2.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_err2.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_err2.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-ssl_err2.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-ssl_err2.o: ../include/openssl/x509_vfy.h ssl_err2.c
-ssl_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ssl_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_err2.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+ssl_err2.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+ssl_err2.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_err2.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_err2.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_err2.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_err2.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_err2.c
+ssl_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ssl_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ssl_lib.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-ssl_lib.o: ../include/openssl/des.h ../include/openssl/des_old.h
-ssl_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-ssl_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-ssl_lib.o: ../include/openssl/evp.h ../include/openssl/fips.h
-ssl_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-ssl_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ssl_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ssl_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-ssl_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-ssl_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-ssl_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-ssl_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssl_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-ssl_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h kssl_lcl.h
-ssl_lib.o: ssl_lib.c ssl_locl.h
-ssl_rsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ssl_rsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ssl_lib.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+ssl_lib.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ssl_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssl_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_lib.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ssl_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_lib.o: ../include/openssl/x509v3.h kssl_lcl.h ssl_lib.c ssl_locl.h
+ssl_rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ssl_rsa.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ssl_rsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
-ssl_rsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-ssl_rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ssl_rsa.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_rsa.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_rsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_rsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssl_rsa.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_rsa.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-ssl_rsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ssl_rsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ssl_rsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-ssl_rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_rsa.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-ssl_rsa.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-ssl_rsa.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-ssl_rsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssl_rsa.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_rsa.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_rsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_rsa.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-ssl_rsa.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-ssl_rsa.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_rsa.c
-ssl_sess.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ssl_sess.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_rsa.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssl_rsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_rsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_rsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_rsa.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ssl_rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_rsa.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_rsa.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_rsa.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_rsa.o: ssl_rsa.c
+ssl_sess.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_sess.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ssl_sess.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ssl_sess.o: ../include/openssl/crypto.h ../include/openssl/des.h
-ssl_sess.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-ssl_sess.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_sess.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_sess.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssl_sess.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_sess.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-ssl_sess.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ssl_sess.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ssl_sess.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-ssl_sess.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_sess.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_sess.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_sess.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-ssl_sess.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-ssl_sess.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-ssl_sess.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_sess.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_sess.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_sess.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_sess.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_sess.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-ssl_sess.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-ssl_sess.o: ssl_sess.c
-ssl_stat.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ssl_stat.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_sess.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssl_sess.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_sess.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_sess.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_sess.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_sess.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ssl_sess.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+ssl_sess.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_sess.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_sess.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_sess.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_sess.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_sess.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_sess.c
+ssl_stat.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_stat.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ssl_stat.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ssl_stat.o: ../include/openssl/crypto.h ../include/openssl/des.h
-ssl_stat.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-ssl_stat.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ssl_stat.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_stat.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_stat.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_stat.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssl_stat.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_stat.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-ssl_stat.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ssl_stat.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ssl_stat.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-ssl_stat.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_stat.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_stat.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_stat.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-ssl_stat.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-ssl_stat.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-ssl_stat.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssl_stat.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_stat.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_stat.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_stat.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-ssl_stat.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-ssl_stat.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_stat.c
-ssl_txt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ssl_txt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_stat.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssl_stat.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_stat.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_stat.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_stat.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_stat.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ssl_stat.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_stat.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_stat.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_stat.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_stat.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_stat.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_stat.o: ssl_stat.c
+ssl_txt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_txt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ssl_txt.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ssl_txt.o: ../include/openssl/crypto.h ../include/openssl/des.h
-ssl_txt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-ssl_txt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ssl_txt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_txt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_txt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_txt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssl_txt.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_txt.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-ssl_txt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ssl_txt.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ssl_txt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-ssl_txt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_txt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_txt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_txt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-ssl_txt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-ssl_txt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-ssl_txt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssl_txt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_txt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_txt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_txt.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-ssl_txt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-ssl_txt.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_txt.c
-t1_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-t1_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_txt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssl_txt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_txt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_txt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_txt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_txt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ssl_txt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_txt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_txt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_txt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_txt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_txt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_txt.o: ssl_txt.c
+t1_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-t1_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h
-t1_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h
-t1_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-t1_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+t1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_clnt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+t1_clnt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+t1_clnt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 t1_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h
-t1_clnt.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-t1_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-t1_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h
-t1_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-t1_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-t1_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-t1_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-t1_clnt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-t1_clnt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-t1_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-t1_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-t1_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-t1_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-t1_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-t1_clnt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-t1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-t1_clnt.o: t1_clnt.c
-t1_enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-t1_enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+t1_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+t1_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+t1_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+t1_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_clnt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+t1_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+t1_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+t1_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_clnt.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_clnt.c
+t1_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-t1_enc.o: ../include/openssl/cast.h ../include/openssl/comp.h
-t1_enc.o: ../include/openssl/crypto.h ../include/openssl/des.h
-t1_enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-t1_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+t1_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_enc.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+t1_enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+t1_enc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 t1_enc.o: ../include/openssl/err.h ../include/openssl/evp.h
-t1_enc.o: ../include/openssl/fips.h ../include/openssl/hmac.h
-t1_enc.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-t1_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-t1_enc.o: ../include/openssl/md4.h ../include/openssl/md5.h
-t1_enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-t1_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-t1_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-t1_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-t1_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-t1_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-t1_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-t1_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-t1_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_enc.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-t1_enc.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-t1_enc.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_enc.c
-t1_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-t1_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+t1_enc.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+t1_enc.o: ../include/openssl/lhash.h ../include/openssl/md5.h
+t1_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+t1_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+t1_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_enc.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+t1_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_enc.o: t1_enc.c
+t1_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-t1_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h
-t1_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
-t1_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-t1_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+t1_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_lib.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+t1_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+t1_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 t1_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
-t1_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-t1_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-t1_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h
-t1_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-t1_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-t1_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-t1_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-t1_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-t1_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-t1_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-t1_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-t1_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-t1_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-t1_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_lib.c
-t1_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-t1_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+t1_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+t1_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+t1_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+t1_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_lib.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+t1_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_lib.o: t1_lib.c
+t1_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-t1_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h
-t1_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h
-t1_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-t1_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+t1_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_meth.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+t1_meth.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+t1_meth.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 t1_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
-t1_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-t1_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-t1_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h
-t1_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-t1_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-t1_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-t1_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-t1_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-t1_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-t1_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-t1_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-t1_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-t1_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-t1_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_meth.c
-t1_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-t1_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+t1_meth.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+t1_meth.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+t1_meth.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_meth.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+t1_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_meth.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+t1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_meth.o: t1_meth.c
+t1_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-t1_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h
-t1_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h
-t1_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-t1_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+t1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+t1_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+t1_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 t1_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h
-t1_srvr.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-t1_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-t1_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h
-t1_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-t1_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-t1_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-t1_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-t1_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-t1_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-t1_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-t1_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-t1_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-t1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-t1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-t1_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-t1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-t1_srvr.o: t1_srvr.c
+t1_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+t1_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+t1_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+t1_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_srvr.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+t1_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+t1_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+t1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_srvr.c
diff --git a/crypto/openssl/ssl/bio_ssl.c b/crypto/openssl/ssl/bio_ssl.c
index d683ee43e192..420deb7fc966 100644
--- a/crypto/openssl/ssl/bio_ssl.c
+++ b/crypto/openssl/ssl/bio_ssl.c
@@ -456,7 +456,7 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
 	case BIO_CTRL_SET_CALLBACK:
 		{
 #if 0 /* FIXME: Should this be used?  -- Richard Levitte */
-		BIOerr(SSL_F_SSL_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		SSLerr(SSL_F_SSL_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		ret = -1;
 #else
 		ret=0;
@@ -465,9 +465,9 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
 		break;
 	case BIO_CTRL_GET_CALLBACK:
 		{
-		void (**fptr)();
+		void (**fptr)(const SSL *xssl,int type,int val);
 
-		fptr=(void (**)())ptr;
+		fptr=(void (**)(const SSL *xssl,int type,int val))ptr;
 		*fptr=SSL_get_info_callback(ssl);
 		}
 		break;
diff --git a/crypto/openssl/ssl/d1_both.c b/crypto/openssl/ssl/d1_both.c
new file mode 100644
index 000000000000..b746a50dd718
--- /dev/null
+++ b/crypto/openssl/ssl/d1_both.c
@@ -0,0 +1,1263 @@
+/* ssl/d1_both.c */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <limits.h>
+#include <string.h>
+#include <stdio.h>
+#include "ssl_locl.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+
+/* XDTLS:  figure out the right values */
+static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
+
+static unsigned int dtls1_min_mtu(void);
+static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);
+static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, 
+	unsigned long frag_len);
+static unsigned char *dtls1_write_message_header(SSL *s,
+	unsigned char *p);
+static void dtls1_set_message_header_int(SSL *s, unsigned char mt,
+	unsigned long len, unsigned short seq_num, unsigned long frag_off, 
+	unsigned long frag_len);
+static int dtls1_retransmit_buffered_messages(SSL *s);
+static long dtls1_get_message_fragment(SSL *s, int st1, int stn, 
+    long max, int *ok);
+static void dtls1_process_handshake_fragment(SSL *s, int frag_len);
+
+static hm_fragment *
+dtls1_hm_fragment_new(unsigned long frag_len)
+    {
+    hm_fragment *frag = NULL;
+    unsigned char *buf = NULL;
+
+    frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment));
+    if ( frag == NULL)
+        return NULL;
+
+    buf = (unsigned char *)OPENSSL_malloc(frag_len 
+        + DTLS1_HM_HEADER_LENGTH);
+    if ( buf == NULL)
+        {
+        OPENSSL_free(frag);
+        return NULL;
+        }
+    
+    frag->fragment = buf;
+
+    return frag;
+    }
+
+static void
+dtls1_hm_fragment_free(hm_fragment *frag)
+    {
+    OPENSSL_free(frag->fragment);
+    OPENSSL_free(frag);
+    }
+
+/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
+int dtls1_do_write(SSL *s, int type)
+	{
+	int ret;
+	int curr_mtu;
+	unsigned int len, frag_off;
+
+	/* AHA!  Figure out the MTU, and stick to the right size */
+	if ( ! (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
+        {
+		s->d1->mtu = 
+			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+
+		/* I've seen the kernel return bogus numbers when it doesn't know
+		 * (initial write), so just make sure we have a reasonable number */
+		if ( s->d1->mtu < dtls1_min_mtu())
+			{
+			s->d1->mtu = 0;
+			s->d1->mtu = dtls1_guess_mtu(s->d1->mtu);
+			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, 
+				s->d1->mtu, NULL);
+			}
+		}
+#if 0 
+	mtu = s->d1->mtu;
+
+	fprintf(stderr, "using MTU = %d\n", mtu);
+
+	mtu -= (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
+
+	curr_mtu = mtu - BIO_wpending(SSL_get_wbio(s));
+
+	if ( curr_mtu > 0)
+		mtu = curr_mtu;
+	else if ( ( ret = BIO_flush(SSL_get_wbio(s))) <= 0)
+		return ret;
+		
+	if ( BIO_wpending(SSL_get_wbio(s)) + s->init_num >= mtu)
+		{
+		ret = BIO_flush(SSL_get_wbio(s));
+		if ( ret <= 0)
+			return ret;
+		mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
+		}
+
+	OPENSSL_assert(mtu > 0);  /* should have something reasonable now */
+
+#endif
+
+	if ( s->init_off == 0  && type == SSL3_RT_HANDSHAKE)
+		OPENSSL_assert(s->init_num == 
+			(int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);
+
+	frag_off = 0;
+	while( s->init_num)
+		{
+		curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - 
+			DTLS1_RT_HEADER_LENGTH;
+
+		if ( curr_mtu <= DTLS1_HM_HEADER_LENGTH)
+			{
+			/* grr.. we could get an error if MTU picked was wrong */
+			ret = BIO_flush(SSL_get_wbio(s));
+			if ( ret <= 0)
+				return ret;
+			curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH;
+			}
+
+		if ( s->init_num > curr_mtu)
+			len = curr_mtu;
+		else
+			len = s->init_num;
+
+
+		/* XDTLS: this function is too long.  split out the CCS part */
+		if ( type == SSL3_RT_HANDSHAKE)
+			{
+			if ( s->init_off != 0)
+				{
+				OPENSSL_assert(s->init_off > DTLS1_HM_HEADER_LENGTH);
+				s->init_off -= DTLS1_HM_HEADER_LENGTH;
+				s->init_num += DTLS1_HM_HEADER_LENGTH;
+
+                /* write atleast DTLS1_HM_HEADER_LENGTH bytes */
+				if ( len <= DTLS1_HM_HEADER_LENGTH)  
+					len += DTLS1_HM_HEADER_LENGTH;
+				}
+			
+			dtls1_fix_message_header(s, frag_off, 
+				len - DTLS1_HM_HEADER_LENGTH);
+
+			dtls1_write_message_header(s, (unsigned char *)&s->init_buf->data[s->init_off]);
+
+			OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH);
+			}
+
+		ret=dtls1_write_bytes(s,type,&s->init_buf->data[s->init_off],
+			len);
+		if (ret < 0)
+			{
+			/* might need to update MTU here, but we don't know
+			 * which previous packet caused the failure -- so can't
+			 * really retransmit anything.  continue as if everything
+			 * is fine and wait for an alert to handle the
+			 * retransmit 
+			 */
+			if ( BIO_ctrl(SSL_get_wbio(s),
+				BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL))
+				s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
+					BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+			else
+				return(-1);
+			}
+		else
+			{
+			
+			/* bad if this assert fails, only part of the handshake
+			 * message got sent.  but why would this happen? */
+			OPENSSL_assert(len == (unsigned int)ret); 
+			
+			if (type == SSL3_RT_HANDSHAKE && ! s->d1->retransmitting)
+				/* should not be done for 'Hello Request's, but in that case
+				 * we'll ignore the result anyway */
+				ssl3_finish_mac(s, 
+					(unsigned char *)&s->init_buf->data[s->init_off + 
+						DTLS1_HM_HEADER_LENGTH], ret - DTLS1_HM_HEADER_LENGTH);
+			
+			if (ret == s->init_num)
+				{
+				if (s->msg_callback)
+					s->msg_callback(1, s->version, type, s->init_buf->data, 
+						(size_t)(s->init_off + s->init_num), s, 
+						s->msg_callback_arg);
+
+				s->init_off = 0;  /* done writing this message */
+				s->init_num = 0;
+				
+				return(1);
+				}
+			s->init_off+=ret;
+			s->init_num-=ret;
+			frag_off += (ret -= DTLS1_HM_HEADER_LENGTH);
+			}
+		}
+	return(0);
+	}
+
+
+/* Obtain handshake message of message type 'mt' (any if mt == -1),
+ * maximum acceptable body length 'max'.
+ * Read an entire handshake message.  Handshake messages arrive in
+ * fragments.
+ */
+long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
+	{
+	int i, al;
+
+	/* s3->tmp is used to store messages that are unexpected, caused
+	 * by the absence of an optional handshake message */
+	if (s->s3->tmp.reuse_message)
+		{
+		s->s3->tmp.reuse_message=0;
+		if ((mt >= 0) && (s->s3->tmp.message_type != mt))
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_DTLS1_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
+			goto f_err;
+			}
+		*ok=1;
+		s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
+		s->init_num = (int)s->s3->tmp.message_size;
+		return s->init_num;
+		}
+	
+	do
+		{
+		if ( s->d1->r_msg_hdr.frag_off == 0)
+			{
+			/* s->d1->r_message_header.msg_len = 0; */
+			memset(&(s->d1->r_msg_hdr), 0x00, sizeof(struct hm_header_st));
+			}
+
+		i = dtls1_get_message_fragment(s, st1, stn, max, ok);
+		if ( i == DTLS1_HM_BAD_FRAGMENT ||
+            i == DTLS1_HM_FRAGMENT_RETRY)  /* bad fragment received */
+			continue;
+		else if ( i <= 0 && !*ok)
+			return i;
+
+		if (s->d1->r_msg_hdr.msg_len == (unsigned int)s->init_num - DTLS1_HM_HEADER_LENGTH)
+			{
+			memset(&(s->d1->r_msg_hdr), 0x00, sizeof(struct hm_header_st));
+
+			s->d1->handshake_read_seq++;
+			/* we just read a handshake message from the other side:
+			 * this means that we don't need to retransmit of the
+			 * buffered messages.  
+			 * XDTLS: may be able clear out this
+			 * buffer a little sooner (i.e if an out-of-order
+			 * handshake message/record is received at the record
+			 * layer.  
+			 * XDTLS: exception is that the server needs to
+			 * know that change cipher spec and finished messages
+			 * have been received by the client before clearing this
+			 * buffer.  this can simply be done by waiting for the
+			 * first data  segment, but is there a better way?  */
+			dtls1_clear_record_buffer(s);
+
+            s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
+			return s->init_num - DTLS1_HM_HEADER_LENGTH;
+			}
+		else
+			s->d1->r_msg_hdr.frag_off = i;
+		} while(1) ;
+
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+	*ok = 0;
+	return -1;
+	}
+
+
+static int
+dtls1_retrieve_buffered_fragment(SSL *s, unsigned long *copied)
+    {
+    /* (0) check whether the desired fragment is available
+     * if so:
+     * (1) copy over the fragment to s->init_buf->data[]
+     * (2) update s->init_num
+     */
+    pitem *item;
+    hm_fragment *frag;
+    unsigned long overlap;
+    unsigned char *p;
+
+    item = pqueue_peek(s->d1->buffered_messages);
+    if ( item == NULL)
+        return 0;
+
+    frag = (hm_fragment *)item->data;
+    
+    if ( s->d1->handshake_read_seq == frag->msg_header.seq &&
+        frag->msg_header.frag_off <= (unsigned int)s->init_num - DTLS1_HM_HEADER_LENGTH)
+        {
+        pqueue_pop(s->d1->buffered_messages);
+        overlap = s->init_num - DTLS1_HM_HEADER_LENGTH 
+            - frag->msg_header.frag_off;
+
+        p = frag->fragment;
+
+        memcpy(&s->init_buf->data[s->init_num],
+            p + DTLS1_HM_HEADER_LENGTH + overlap,
+            frag->msg_header.frag_len - overlap);
+    
+        OPENSSL_free(frag->fragment);
+        OPENSSL_free(frag);
+        pitem_free(item);
+
+        *copied = frag->msg_header.frag_len - overlap;
+        return *copied;
+        }
+    else
+        return 0;
+    }
+
+
+static int
+dtls1_buffer_handshake_fragment(SSL *s, struct hm_header_st* msg_hdr)
+{
+    hm_fragment *frag = NULL;
+    pitem *item = NULL;
+	PQ_64BIT seq64;
+
+    frag = dtls1_hm_fragment_new(msg_hdr->frag_len);
+    if ( frag == NULL)
+        goto err;
+
+    memcpy(frag->fragment, &(s->init_buf->data[s->init_num]),
+        msg_hdr->frag_len + DTLS1_HM_HEADER_LENGTH);
+
+    memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
+
+    pq_64bit_init(&seq64);
+    pq_64bit_assign_word(&seq64, msg_hdr->seq);
+
+    item = pitem_new(seq64, frag);
+    if ( item == NULL)
+        goto err;
+
+    pq_64bit_free(&seq64);
+
+    pqueue_insert(s->d1->buffered_messages, item);
+    return 1;
+
+err:
+    if ( frag != NULL) dtls1_hm_fragment_free(frag);
+    if ( item != NULL) OPENSSL_free(item);
+    return 0;
+}
+
+
+static void
+dtls1_process_handshake_fragment(SSL *s, int frag_len)
+    {
+    unsigned char *p;
+
+    p = (unsigned char *)s->init_buf->data;
+
+	ssl3_finish_mac(s, &p[s->init_num - frag_len], frag_len);
+    }
+
+
+static int
+dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st *msg_hdr, int *ok)
+    {
+    int i;
+    unsigned char *p;
+
+    /* make sure there's enough room to read this fragment */
+    if ( (int)msg_hdr->frag_len && !BUF_MEM_grow_clean(s->init_buf, 
+             (int)msg_hdr->frag_len + DTLS1_HM_HEADER_LENGTH + s->init_num))
+        {
+        SSLerr(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE,ERR_R_BUF_LIB);
+        goto err;
+        }
+
+    p = (unsigned char *)s->init_buf->data;
+
+    /* read the body of the fragment (header has already been read */
+    if ( msg_hdr->frag_len > 0)
+		{
+		i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
+            &p[s->init_num], 
+            msg_hdr->frag_len,0);
+		if (i <= 0)
+			{
+			*ok = 0;
+			return i;
+			}
+		}
+
+    if ( msg_hdr->seq > s->d1->handshake_read_seq)
+        dtls1_buffer_handshake_fragment(s, msg_hdr);
+    else
+        OPENSSL_assert(msg_hdr->seq < s->d1->handshake_read_seq);
+
+    return DTLS1_HM_FRAGMENT_RETRY;
+err:
+    *ok = 0;
+    return -1;
+    }
+
+
+static long
+dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
+	{
+	unsigned char *p;
+	unsigned long l, frag_off, frag_len;
+	int i,al;
+	struct hm_header_st msg_hdr;
+    unsigned long overlap;
+    
+    /* see if we have the required fragment already */
+    if (dtls1_retrieve_buffered_fragment(s, &l))
+    {
+        /* compute MAC, remove fragment headers */
+        dtls1_process_handshake_fragment(s, l);
+        s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
+        s->state = stn;
+        return 1;
+    }
+
+    /* get a handshake fragment from the record layer */
+	p = (unsigned char *)s->init_buf->data;
+
+    /* read handshake message header */
+	i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],
+		DTLS1_HM_HEADER_LENGTH, 0);
+	if (i <= 0) 	/* nbio, or an error */
+		{
+		s->rwstate=SSL_READING;
+		*ok = 0;
+		return i;
+		}
+
+	OPENSSL_assert(i == DTLS1_HM_HEADER_LENGTH);
+
+	p += s->init_num;
+    /* parse the message fragment header */
+    
+    dtls1_get_message_header(p, &msg_hdr);
+
+    /* 
+     * if this is a future (or stale) message it gets buffered
+     * (or dropped)--no further processing at this time 
+     */
+    if ( msg_hdr.seq != s->d1->handshake_read_seq)
+        return dtls1_process_out_of_seq_message(s, &msg_hdr, ok);
+
+    l = msg_hdr.msg_len;
+    frag_off = msg_hdr.frag_off;
+	frag_len = msg_hdr.frag_len;
+
+    /* sanity checking */
+    if ( frag_off + frag_len > l)
+        {
+        al=SSL_AD_ILLEGAL_PARAMETER;
+        SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+        goto f_err;
+        }
+
+	if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
+        p[0] == SSL3_MT_HELLO_REQUEST)
+        {
+        /* The server may always send 'Hello Request' messages --
+         * we are doing a handshake anyway now, so ignore them
+         * if their format is correct. Does not count for
+         * 'Finished' MAC. */
+        if (p[1] == 0 && p[2] == 0 &&p[3] == 0)
+            {
+            if (s->msg_callback)
+                s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 
+                    p, DTLS1_HM_HEADER_LENGTH, s, 
+                    s->msg_callback_arg);
+            
+            s->init_num = 0;
+            return dtls1_get_message_fragment(s, st1, stn,
+                max, ok);
+            }
+        else /* Incorrectly formated Hello request */
+            {
+            al=SSL_AD_UNEXPECTED_MESSAGE;
+            SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
+            goto f_err;
+            }
+        }
+
+    /* XDTLS: do a sanity check on the fragment */
+
+    s->init_num += i;
+
+	if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */
+		{
+		/* BUF_MEM_grow takes an 'int' parameter */
+		if (l > (INT_MAX-DTLS1_HM_HEADER_LENGTH)) 
+			{
+			al=SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+			goto f_err;
+			}
+		if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l
+			+ DTLS1_HM_HEADER_LENGTH))
+			{
+			SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,ERR_R_BUF_LIB);
+			goto err;
+			}
+        /* Only do this test when we're reading the expected message.
+         * Stale messages will be dropped and future messages will be buffered */
+        if ( l > (unsigned long)max)
+			{
+			al=SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+			goto f_err;
+			}
+
+		s->s3->tmp.message_size=l;
+		}
+
+    if ( frag_len > (unsigned long)max)
+        {
+        al=SSL_AD_ILLEGAL_PARAMETER;
+        SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+        goto f_err;
+        }
+    if ( frag_len + s->init_num > (INT_MAX - DTLS1_HM_HEADER_LENGTH))
+        {
+        al=SSL_AD_ILLEGAL_PARAMETER;
+        SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+        goto f_err;
+        }
+
+    if ( frag_len & !BUF_MEM_grow_clean(s->init_buf, (int)frag_len 
+             + DTLS1_HM_HEADER_LENGTH + s->init_num))
+        {
+        SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,ERR_R_BUF_LIB);
+        goto err;
+        }
+
+	if ( s->d1->r_msg_hdr.frag_off == 0)
+		{
+		s->s3->tmp.message_type = msg_hdr.type;
+		s->d1->r_msg_hdr.type = msg_hdr.type;
+		s->d1->r_msg_hdr.msg_len = l;
+		/* s->d1->r_msg_hdr.seq = seq_num; */
+		}
+
+	/* XDTLS:  ressurect this when restart is in place */
+	s->state=stn;
+	
+	/* next state (stn) */
+	p = (unsigned char *)s->init_buf->data;
+
+	if ( frag_len > 0)
+		{
+		i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
+            &p[s->init_num], 
+            frag_len,0);
+        /* XDTLS:  fix this--message fragments cannot span multiple packets */
+		if (i <= 0)
+			{
+			s->rwstate=SSL_READING;
+			*ok = 0;
+			return i;
+			}
+		}
+	else
+		i = 0;
+
+    /* XDTLS:  an incorrectly formatted fragment should cause the 
+     * handshake to fail */
+	OPENSSL_assert(i == (int)frag_len);
+
+#if 0
+    /* Successfully read a fragment.
+     * It may be (1) out of order, or
+     *           (2) it's a repeat, in which case we dump it
+     *           (3) the one we are expecting next (maybe with overlap)
+     * If it is next one, it may overlap with previously read bytes
+     */
+
+    /* case (1): buffer the future fragment 
+     * (we can treat fragments from a future message the same
+     * as future fragments from the message being currently read, since
+     * they are sematically simply out of order.
+     */
+    if ( msg_hdr.seq > s->d1->handshake_read_seq ||
+        frag_off > s->init_num - DTLS1_HM_HEADER_LENGTH)
+    {
+        dtls1_buffer_handshake_fragment(s, &msg_hdr);
+        return DTLS1_HM_FRAGMENT_RETRY;
+    }
+
+    /* case (2):  drop the entire fragment, and try again */
+    if ( msg_hdr.seq < s->d1->handshake_read_seq ||
+        frag_off + frag_len < s->init_num - DTLS1_HM_HEADER_LENGTH)
+        {
+        s->init_num -= DTLS1_HM_HEADER_LENGTH;
+        return DTLS1_HM_FRAGMENT_RETRY;
+        }
+#endif
+
+    /* case (3): received a immediately useful fragment.  Determine the 
+     * possible overlap and copy the fragment.
+     */
+    overlap = (s->init_num - DTLS1_HM_HEADER_LENGTH) - frag_off;
+        
+    /* retain the header for the first fragment */
+    if ( s->init_num > DTLS1_HM_HEADER_LENGTH)
+        {
+        memmove(&(s->init_buf->data[s->init_num]),
+            &(s->init_buf->data[s->init_num + DTLS1_HM_HEADER_LENGTH + overlap]),
+            frag_len - overlap);
+
+        s->init_num += frag_len - overlap;
+        }
+    else
+        s->init_num += frag_len;
+
+    dtls1_process_handshake_fragment(s, frag_len - overlap);
+
+	if (s->msg_callback)
+		s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, 
+			(size_t)s->init_num, s, 
+			s->msg_callback_arg);
+	*ok=1;
+
+	return s->init_num;
+
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+    s->init_num = 0;
+err:
+	*ok=0;
+	return(-1);
+	}
+
+int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
+	{
+	unsigned char *p,*d;
+	int i;
+	unsigned long l;
+
+	if (s->state == a)
+		{
+		d=(unsigned char *)s->init_buf->data;
+		p= &(d[DTLS1_HM_HEADER_LENGTH]);
+
+		i=s->method->ssl3_enc->final_finish_mac(s,
+			&(s->s3->finish_dgst1),
+			&(s->s3->finish_dgst2),
+			sender,slen,s->s3->tmp.finish_md);
+		s->s3->tmp.finish_md_len = i;
+		memcpy(p, s->s3->tmp.finish_md, i);
+		p+=i;
+		l=i;
+
+#ifdef OPENSSL_SYS_WIN16
+		/* MSVC 1.5 does not clear the top bytes of the word unless
+		 * I do this.
+		 */
+		l&=0xffff;
+#endif
+
+		d = dtls1_set_message_header(s, d, SSL3_MT_FINISHED, l, 0, l);
+		s->init_num=(int)l+DTLS1_HM_HEADER_LENGTH;
+		s->init_off=0;
+
+		/* buffer the message to handle re-xmits */
+		dtls1_buffer_message(s, 0);
+		
+		s->state=b;
+		}
+
+	/* SSL3_ST_SEND_xxxxxx_HELLO_B */
+	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+	}
+
+/* for these 2 messages, we need to
+ * ssl->enc_read_ctx			re-init
+ * ssl->s3->read_sequence		zero
+ * ssl->s3->read_mac_secret		re-init
+ * ssl->session->read_sym_enc		assign
+ * ssl->session->read_compression	assign
+ * ssl->session->read_hash		assign
+ */
+int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
+	{ 
+	unsigned char *p;
+
+	if (s->state == a)
+		{
+		p=(unsigned char *)s->init_buf->data;
+		*p++=SSL3_MT_CCS;
+		s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
+		s->d1->next_handshake_write_seq++;
+		s2n(s->d1->handshake_write_seq,p);
+
+		s->init_num=DTLS1_CCS_HEADER_LENGTH;
+		s->init_off=0;
+
+		dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, 
+			s->d1->handshake_write_seq, 0, 0);
+
+		/* buffer the message to handle re-xmits */
+		dtls1_buffer_message(s, 1);
+
+		s->state=b;
+		}
+
+	/* SSL3_ST_CW_CHANGE_B */
+	return(dtls1_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
+	}
+
+unsigned long dtls1_output_cert_chain(SSL *s, X509 *x)
+	{
+	unsigned char *p;
+	int n,i;
+	unsigned long l= 3 + DTLS1_HM_HEADER_LENGTH;
+	BUF_MEM *buf;
+	X509_STORE_CTX xs_ctx;
+	X509_OBJECT obj;
+
+	/* TLSv1 sends a chain with nothing in it, instead of an alert */
+	buf=s->init_buf;
+	if (!BUF_MEM_grow_clean(buf,10))
+		{
+		SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
+		return(0);
+		}
+	if (x != NULL)
+		{
+		if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
+			{
+			SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
+			return(0);
+			}
+
+		for (;;)
+			{
+			n=i2d_X509(x,NULL);
+			if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
+				{
+				SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
+				return(0);
+				}
+			p=(unsigned char *)&(buf->data[l]);
+			l2n3(n,p);
+			i2d_X509(x,&p);
+			l+=n+3;
+			if (X509_NAME_cmp(X509_get_subject_name(x),
+				X509_get_issuer_name(x)) == 0) break;
+
+			i=X509_STORE_get_by_subject(&xs_ctx,X509_LU_X509,
+				X509_get_issuer_name(x),&obj);
+			if (i <= 0) break;
+			x=obj.data.x509;
+			/* Count is one too high since the X509_STORE_get uped the
+			 * ref count */
+			X509_free(x);
+			}
+
+		X509_STORE_CTX_cleanup(&xs_ctx);
+		}
+
+	/* Thawte special :-) */
+	if (s->ctx->extra_certs != NULL)
+	for (i=0; i<sk_X509_num(s->ctx->extra_certs); i++)
+		{
+		x=sk_X509_value(s->ctx->extra_certs,i);
+		n=i2d_X509(x,NULL);
+		if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
+			{
+			SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
+			return(0);
+			}
+		p=(unsigned char *)&(buf->data[l]);
+		l2n3(n,p);
+		i2d_X509(x,&p);
+		l+=n+3;
+		}
+
+	l-= (3 + DTLS1_HM_HEADER_LENGTH);
+
+	p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
+	l2n3(l,p);
+	l+=3;
+	p=(unsigned char *)&(buf->data[0]);
+	p = dtls1_set_message_header(s, p, SSL3_MT_CERTIFICATE, l, 0, l);
+
+	l+=DTLS1_HM_HEADER_LENGTH;
+	return(l);
+	}
+
+int dtls1_read_failed(SSL *s, int code)
+    {
+    DTLS1_STATE *state;
+    BIO *bio;
+    int send_alert = 0;
+
+    if ( code > 0)
+        {
+        fprintf( stderr, "invalid state reached %s:%d", __FILE__, __LINE__);
+        return 1;
+        }
+
+    bio = SSL_get_rbio(s);
+    if ( ! BIO_dgram_recv_timedout(bio))
+        {
+        /* not a timeout, none of our business, 
+           let higher layers handle this.  in fact it's probably an error */
+        return code;
+        }
+
+    if ( ! SSL_in_init(s))  /* done, no need to send a retransmit */
+        {
+        BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
+        return code;
+        }
+
+    state = s->d1;
+    state->timeout.num_alerts++;
+    if ( state->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
+        {
+        /* fail the connection, enough alerts have been sent */
+        SSLerr(SSL_F_DTLS1_READ_FAILED,SSL_R_READ_TIMEOUT_EXPIRED);
+        return 0;
+        }
+	
+    state->timeout.read_timeouts++;
+    if ( state->timeout.read_timeouts > DTLS1_TMO_READ_COUNT)
+        {
+        send_alert = 1;
+        state->timeout.read_timeouts = 1;
+        }
+
+	
+#if 0 /* for now, each alert contains only one record number */
+    item = pqueue_peek(state->rcvd_records);
+    if ( item )
+        {
+        /* send an alert immediately for all the missing records */
+        }
+    else
+#endif
+
+#if 0  /* no more alert sending, just retransmit the last set of messages */
+        if ( send_alert)
+            ssl3_send_alert(s,SSL3_AL_WARNING,
+                DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
+#endif
+
+    return dtls1_retransmit_buffered_messages(s) ;
+    }
+
+
+static int
+dtls1_retransmit_buffered_messages(SSL *s)
+    {
+    pqueue sent = s->d1->sent_messages;
+    piterator iter;
+    pitem *item;
+    hm_fragment *frag;
+    int found = 0;
+
+    iter = pqueue_iterator(sent);
+
+    for ( item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter))
+        {
+        frag = (hm_fragment *)item->data;
+        if ( dtls1_retransmit_message(s, frag->msg_header.seq, 0, &found) <= 0 &&
+            found)
+            {
+            fprintf(stderr, "dtls1_retransmit_message() failed\n");
+            return -1;
+            }
+        }
+
+    return 1;
+    }
+
+#if 0
+static dtls1_message_buffer *
+dtls1_message_buffer_new(unsigned int len)
+    {
+    dtls1_message_buffer *msg_buf;
+
+    msg_buf = (dtls1_message_buffer *) 
+        OPENSSL_malloc(sizeof(dtls1_message_buffer)); 
+    if ( msg_buf == NULL)
+        return NULL;
+
+    memset(msg_buf, 0x00, sizeof(dtls1_message_buffer));
+
+    msg_buf->data = (unsigned char *) OPENSSL_malloc(len);
+    if ( msg_buf->data == NULL)
+        {
+        OPENSSL_free(msg_buf);
+        return NULL;
+        }
+
+    memset(msg_buf->data, 0x00, len);
+    return msg_buf;
+    }
+#endif
+
+#if 0
+static void
+dtls1_message_buffer_free(dtls1_message_buffer *msg_buf)
+    {
+    if (msg_buf != NULL)
+        {
+        OPENSSL_free(msg_buf->data);
+        OPENSSL_free(msg_buf);
+        }
+    }
+#endif
+
+int
+dtls1_buffer_message(SSL *s, int is_ccs)
+    {
+    pitem *item;
+    hm_fragment *frag;
+	PQ_64BIT seq64;
+
+    /* this function is called immediately after a message has 
+     * been serialized */
+    OPENSSL_assert(s->init_off == 0);
+
+    frag = dtls1_hm_fragment_new(s->init_num);
+
+    memcpy(frag->fragment, s->init_buf->data, s->init_num);
+
+    if ( is_ccs)
+        {
+        OPENSSL_assert(s->d1->w_msg_hdr.msg_len + 
+            DTLS1_CCS_HEADER_LENGTH == (unsigned int)s->init_num);
+        }
+    else
+        {
+        OPENSSL_assert(s->d1->w_msg_hdr.msg_len + 
+            DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num);
+        }
+
+    frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len;
+    frag->msg_header.seq = s->d1->w_msg_hdr.seq;
+    frag->msg_header.type = s->d1->w_msg_hdr.type;
+    frag->msg_header.frag_off = 0;
+    frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len;
+    frag->msg_header.is_ccs = is_ccs;
+
+    pq_64bit_init(&seq64);
+    pq_64bit_assign_word(&seq64, frag->msg_header.seq);
+
+    item = pitem_new(seq64, frag);
+    pq_64bit_free(&seq64);
+    if ( item == NULL)
+        {
+        dtls1_hm_fragment_free(frag);
+        return 0;
+        }
+
+#if 0
+    fprintf( stderr, "buffered messge: \ttype = %xx\n", msg_buf->type);
+    fprintf( stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len);
+    fprintf( stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num);
+#endif
+
+    pqueue_insert(s->d1->sent_messages, item);
+    return 1;
+    }
+
+int
+dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
+    int *found)
+    {
+    int ret;
+    /* XDTLS: for now assuming that read/writes are blocking */
+    pitem *item;
+    hm_fragment *frag ;
+    unsigned long header_length;
+	PQ_64BIT seq64;
+
+    /*
+      OPENSSL_assert(s->init_num == 0);
+      OPENSSL_assert(s->init_off == 0);
+     */
+
+    /* XDTLS:  the requested message ought to be found, otherwise error */
+    pq_64bit_init(&seq64);
+    pq_64bit_assign_word(&seq64, seq);
+
+    item = pqueue_find(s->d1->sent_messages, seq64);
+    pq_64bit_free(&seq64);
+    if ( item == NULL)
+        {
+        fprintf(stderr, "retransmit:  message %d non-existant\n", seq);
+        *found = 0;
+        return 0;
+        }
+
+    *found = 1;
+    frag = (hm_fragment *)item->data;
+
+    if ( frag->msg_header.is_ccs)
+        header_length = DTLS1_CCS_HEADER_LENGTH;
+    else
+        header_length = DTLS1_HM_HEADER_LENGTH;
+
+    memcpy(s->init_buf->data, frag->fragment, 
+        frag->msg_header.msg_len + header_length);
+        s->init_num = frag->msg_header.msg_len + header_length;
+    
+    dtls1_set_message_header_int(s, frag->msg_header.type, 
+        frag->msg_header.msg_len, frag->msg_header.seq, 0, 
+        frag->msg_header.frag_len);
+
+    s->d1->retransmitting = 1;
+    ret = dtls1_do_write(s, frag->msg_header.is_ccs ? 
+        SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE);
+    s->d1->retransmitting = 0;
+
+    BIO_flush(SSL_get_wbio(s));
+    return ret;
+    }
+
+/* call this function when the buffered messages are no longer needed */
+void
+dtls1_clear_record_buffer(SSL *s)
+    {
+    pitem *item;
+    
+    for(item = pqueue_pop(s->d1->sent_messages);
+        item != NULL; item = pqueue_pop(s->d1->sent_messages))
+        {
+        dtls1_hm_fragment_free((hm_fragment *)item->data);
+        pitem_free(item);
+        }
+    }
+
+
+unsigned char *
+dtls1_set_message_header(SSL *s, unsigned char *p, unsigned char mt,
+    unsigned long len, unsigned long frag_off, unsigned long frag_len)
+    {
+    if ( frag_off == 0)
+        {
+        s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
+        s->d1->next_handshake_write_seq++;
+        }
+    
+    dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq,
+        frag_off, frag_len);
+    
+    return p += DTLS1_HM_HEADER_LENGTH;
+    }
+
+
+/* don't actually do the writing, wait till the MTU has been retrieved */
+static void
+dtls1_set_message_header_int(SSL *s, unsigned char mt,
+    unsigned long len, unsigned short seq_num, unsigned long frag_off, 
+    unsigned long frag_len)
+    {
+    struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
+    
+    msg_hdr->type = mt;
+    msg_hdr->msg_len = len;
+    msg_hdr->seq = seq_num;
+    msg_hdr->frag_off = frag_off;
+    msg_hdr->frag_len = frag_len;
+}
+
+static void
+dtls1_fix_message_header(SSL *s, unsigned long frag_off,
+	unsigned long frag_len)
+    {
+    struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
+    
+    msg_hdr->frag_off = frag_off;
+    msg_hdr->frag_len = frag_len;
+    }
+
+static unsigned char *
+dtls1_write_message_header(SSL *s, unsigned char *p)
+    {
+    struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
+    
+    *p++ = msg_hdr->type;
+    l2n3(msg_hdr->msg_len, p);
+    
+    s2n(msg_hdr->seq, p);
+    l2n3(msg_hdr->frag_off, p);
+    l2n3(msg_hdr->frag_len, p);
+    
+    return p;
+    }
+
+static unsigned int 
+dtls1_min_mtu(void)
+    {
+    return 
+        g_probable_mtu[(sizeof(g_probable_mtu) / 
+           sizeof(g_probable_mtu[0])) - 1];
+    }
+
+static unsigned int 
+dtls1_guess_mtu(unsigned int curr_mtu)
+	{
+	size_t i;
+
+	if ( curr_mtu == 0 )
+		return g_probable_mtu[0] ;
+
+	for ( i = 0; i < sizeof(g_probable_mtu)/sizeof(g_probable_mtu[0]); i++)
+		if ( curr_mtu > g_probable_mtu[i])
+			return g_probable_mtu[i];
+	
+	return curr_mtu;
+	}
+
+void
+dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr)
+    {
+    memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
+    msg_hdr->type = *(data++);
+    n2l3(data, msg_hdr->msg_len);
+    
+    n2s(data, msg_hdr->seq);
+    n2l3(data, msg_hdr->frag_off);
+    n2l3(data, msg_hdr->frag_len);
+    }
+
+void
+dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr)
+    {
+    memset(ccs_hdr, 0x00, sizeof(struct ccs_header_st));
+    
+    ccs_hdr->type = *(data++);
+    n2s(data, ccs_hdr->seq);
+}
diff --git a/crypto/openssl/ssl/d1_clnt.c b/crypto/openssl/ssl/d1_clnt.c
new file mode 100644
index 000000000000..e8b60a45d225
--- /dev/null
+++ b/crypto/openssl/ssl/d1_clnt.c
@@ -0,0 +1,1143 @@
+/* ssl/d1_clnt.c */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "ssl_locl.h"
+#include "kssl_lcl.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/md5.h>
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+
+static SSL_METHOD *dtls1_get_client_method(int ver);
+static int dtls1_get_hello_verify(SSL *s);
+
+static SSL_METHOD *dtls1_get_client_method(int ver)
+	{
+	if (ver == DTLS1_VERSION)
+		return(DTLSv1_client_method());
+	else
+		return(NULL);
+	}
+
+IMPLEMENT_dtls1_meth_func(DTLSv1_client_method,
+			ssl_undefined_function,
+			dtls1_connect,
+			dtls1_get_client_method)
+
+int dtls1_connect(SSL *s)
+	{
+	BUF_MEM *buf=NULL;
+	unsigned long Time=(unsigned long)time(NULL),l;
+	long num1;
+	void (*cb)(const SSL *ssl,int type,int val)=NULL;
+	int ret= -1;
+	int new_state,state,skip=0;;
+
+	RAND_add(&Time,sizeof(Time),0);
+	ERR_clear_error();
+	clear_sys_error();
+
+	if (s->info_callback != NULL)
+		cb=s->info_callback;
+	else if (s->ctx->info_callback != NULL)
+		cb=s->ctx->info_callback;
+	
+	s->in_handshake++;
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
+
+	for (;;)
+		{
+		state=s->state;
+
+		switch(s->state)
+			{
+		case SSL_ST_RENEGOTIATE:
+			s->new_session=1;
+			s->state=SSL_ST_CONNECT;
+			s->ctx->stats.sess_connect_renegotiate++;
+			/* break */
+		case SSL_ST_BEFORE:
+		case SSL_ST_CONNECT:
+		case SSL_ST_BEFORE|SSL_ST_CONNECT:
+		case SSL_ST_OK|SSL_ST_CONNECT:
+
+			s->server=0;
+			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
+
+			if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
+				{
+				SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
+				ret = -1;
+				goto end;
+				}
+				
+			/* s->version=SSL3_VERSION; */
+			s->type=SSL_ST_CONNECT;
+
+			if (s->init_buf == NULL)
+				{
+				if ((buf=BUF_MEM_new()) == NULL)
+					{
+					ret= -1;
+					goto end;
+					}
+				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
+					{
+					ret= -1;
+					goto end;
+					}
+				s->init_buf=buf;
+				buf=NULL;
+				}
+
+			if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
+
+			/* setup buffing BIO */
+			if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
+
+			/* don't push the buffering BIO quite yet */
+
+			ssl3_init_finished_mac(s);
+
+			s->state=SSL3_ST_CW_CLNT_HELLO_A;
+			s->ctx->stats.sess_connect++;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CW_CLNT_HELLO_A:
+		case SSL3_ST_CW_CLNT_HELLO_B:
+
+			s->shutdown=0;
+			ret=dtls1_client_hello(s);
+			if (ret <= 0) goto end;
+
+			if ( s->d1->send_cookie)
+				{
+				s->state=SSL3_ST_CW_FLUSH;
+				s->s3->tmp.next_state=SSL3_ST_CR_SRVR_HELLO_A;
+				}
+			else
+				s->state=SSL3_ST_CR_SRVR_HELLO_A;
+
+			s->init_num=0;
+
+			/* turn on buffering for the next lot of output */
+			if (s->bbio != s->wbio)
+				s->wbio=BIO_push(s->bbio,s->wbio);
+
+			break;
+
+		case SSL3_ST_CR_SRVR_HELLO_A:
+		case SSL3_ST_CR_SRVR_HELLO_B:
+			ret=ssl3_get_server_hello(s);
+			if (ret <= 0) goto end;
+			else
+				{
+				if (s->hit)
+					s->state=SSL3_ST_CR_FINISHED_A;
+				else
+					s->state=DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
+				}
+			s->init_num=0;
+			break;
+
+		case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
+		case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
+
+			ret = dtls1_get_hello_verify(s);
+			if ( ret <= 0)
+				goto end;
+			if ( s->d1->send_cookie) /* start again, with a cookie */
+				s->state=SSL3_ST_CW_CLNT_HELLO_A;
+			else
+				s->state = SSL3_ST_CR_CERT_A;
+			s->init_num = 0;
+			break;
+
+		case SSL3_ST_CR_CERT_A:
+		case SSL3_ST_CR_CERT_B:
+			/* Check if it is anon DH */
+			if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
+				{
+				ret=ssl3_get_server_certificate(s);
+				if (ret <= 0) goto end;
+				}
+			else
+				skip=1;
+			s->state=SSL3_ST_CR_KEY_EXCH_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CR_KEY_EXCH_A:
+		case SSL3_ST_CR_KEY_EXCH_B:
+			ret=ssl3_get_key_exchange(s);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_CR_CERT_REQ_A;
+			s->init_num=0;
+
+			/* at this point we check that we have the
+			 * required stuff from the server */
+			if (!ssl3_check_cert_and_algorithm(s))
+				{
+				ret= -1;
+				goto end;
+				}
+			break;
+
+		case SSL3_ST_CR_CERT_REQ_A:
+		case SSL3_ST_CR_CERT_REQ_B:
+			ret=ssl3_get_certificate_request(s);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_CR_SRVR_DONE_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CR_SRVR_DONE_A:
+		case SSL3_ST_CR_SRVR_DONE_B:
+			ret=ssl3_get_server_done(s);
+			if (ret <= 0) goto end;
+			if (s->s3->tmp.cert_req)
+				s->state=SSL3_ST_CW_CERT_A;
+			else
+				s->state=SSL3_ST_CW_KEY_EXCH_A;
+			s->init_num=0;
+
+			break;
+
+		case SSL3_ST_CW_CERT_A:
+		case SSL3_ST_CW_CERT_B:
+		case SSL3_ST_CW_CERT_C:
+		case SSL3_ST_CW_CERT_D:
+			ret=dtls1_send_client_certificate(s);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_CW_KEY_EXCH_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CW_KEY_EXCH_A:
+		case SSL3_ST_CW_KEY_EXCH_B:
+			ret=dtls1_send_client_key_exchange(s);
+			if (ret <= 0) goto end;
+			l=s->s3->tmp.new_cipher->algorithms;
+			/* EAY EAY EAY need to check for DH fix cert
+			 * sent back */
+			/* For TLS, cert_req is set to 2, so a cert chain
+			 * of nothing is sent, but no verify packet is sent */
+			if (s->s3->tmp.cert_req == 1)
+				{
+				s->state=SSL3_ST_CW_CERT_VRFY_A;
+				}
+			else
+				{
+				s->state=SSL3_ST_CW_CHANGE_A;
+				s->s3->change_cipher_spec=0;
+				}
+
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CW_CERT_VRFY_A:
+		case SSL3_ST_CW_CERT_VRFY_B:
+			ret=dtls1_send_client_verify(s);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_CW_CHANGE_A;
+			s->init_num=0;
+			s->s3->change_cipher_spec=0;
+			break;
+
+		case SSL3_ST_CW_CHANGE_A:
+		case SSL3_ST_CW_CHANGE_B:
+			ret=dtls1_send_change_cipher_spec(s,
+				SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_CW_FINISHED_A;
+			s->init_num=0;
+
+			s->session->cipher=s->s3->tmp.new_cipher;
+#ifdef OPENSSL_NO_COMP
+			s->session->compress_meth=0;
+#else
+			if (s->s3->tmp.new_compression == NULL)
+				s->session->compress_meth=0;
+			else
+				s->session->compress_meth=
+					s->s3->tmp.new_compression->id;
+#endif
+			if (!s->method->ssl3_enc->setup_key_block(s))
+				{
+				ret= -1;
+				goto end;
+				}
+
+			if (!s->method->ssl3_enc->change_cipher_state(s,
+				SSL3_CHANGE_CIPHER_CLIENT_WRITE))
+				{
+				ret= -1;
+				goto end;
+				}
+			
+			dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
+			break;
+
+		case SSL3_ST_CW_FINISHED_A:
+		case SSL3_ST_CW_FINISHED_B:
+			ret=dtls1_send_finished(s,
+				SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
+				s->method->ssl3_enc->client_finished_label,
+				s->method->ssl3_enc->client_finished_label_len);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_CW_FLUSH;
+
+			/* clear flags */
+			s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
+			if (s->hit)
+				{
+				s->s3->tmp.next_state=SSL_ST_OK;
+				if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
+					{
+					s->state=SSL_ST_OK;
+					s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
+					s->s3->delay_buf_pop_ret=0;
+					}
+				}
+			else
+				{
+				s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
+				}
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CR_FINISHED_A:
+		case SSL3_ST_CR_FINISHED_B:
+
+			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
+				SSL3_ST_CR_FINISHED_B);
+			if (ret <= 0) goto end;
+
+			if (s->hit)
+				s->state=SSL3_ST_CW_CHANGE_A;
+			else
+				s->state=SSL_ST_OK;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_CW_FLUSH:
+			/* number of bytes to be flushed */
+			num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
+			if (num1 > 0)
+				{
+				s->rwstate=SSL_WRITING;
+				num1=BIO_flush(s->wbio);
+				if (num1 <= 0) { ret= -1; goto end; }
+				s->rwstate=SSL_NOTHING;
+				}
+
+			s->state=s->s3->tmp.next_state;
+			break;
+
+		case SSL_ST_OK:
+			/* clean a few things up */
+			ssl3_cleanup_key_block(s);
+
+#if 0
+			if (s->init_buf != NULL)
+				{
+				BUF_MEM_free(s->init_buf);
+				s->init_buf=NULL;
+				}
+#endif
+
+			/* If we are not 'joining' the last two packets,
+			 * remove the buffering now */
+			if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
+				ssl_free_wbio_buffer(s);
+			/* else do it later in ssl3_write */
+
+			s->init_num=0;
+			s->new_session=0;
+
+			ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
+			if (s->hit) s->ctx->stats.sess_hit++;
+
+			ret=1;
+			/* s->server=0; */
+			s->handshake_func=dtls1_connect;
+			s->ctx->stats.sess_connect_good++;
+
+			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
+
+			/* done with handshaking */
+			s->d1->handshake_read_seq  = 0;
+			goto end;
+			/* break; */
+			
+		default:
+			SSLerr(SSL_F_DTLS1_CONNECT,SSL_R_UNKNOWN_STATE);
+			ret= -1;
+			goto end;
+			/* break; */
+			}
+
+		/* did we do anything */
+		if (!s->s3->tmp.reuse_message && !skip)
+			{
+			if (s->debug)
+				{
+				if ((ret=BIO_flush(s->wbio)) <= 0)
+					goto end;
+				}
+
+			if ((cb != NULL) && (s->state != state))
+				{
+				new_state=s->state;
+				s->state=state;
+				cb(s,SSL_CB_CONNECT_LOOP,1);
+				s->state=new_state;
+				}
+			}
+		skip=0;
+		}
+end:
+	s->in_handshake--;
+	if (buf != NULL)
+		BUF_MEM_free(buf);
+	if (cb != NULL)
+		cb(s,SSL_CB_CONNECT_EXIT,ret);
+	return(ret);
+	}
+
+int dtls1_client_hello(SSL *s)
+	{
+	unsigned char *buf;
+	unsigned char *p,*d;
+	unsigned int i,j;
+	unsigned long Time,l;
+	SSL_COMP *comp;
+
+	buf=(unsigned char *)s->init_buf->data;
+	if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
+		{
+		if ((s->session == NULL) ||
+			(s->session->ssl_version != s->version) ||
+			(s->session->not_resumable))
+			{
+			if (!ssl_get_new_session(s,0))
+				goto err;
+			}
+		/* else use the pre-loaded session */
+
+		p=s->s3->client_random;
+		Time=(unsigned long)time(NULL);			/* Time */
+		l2n(Time,p);
+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+
+		/* Do the message type and length last */
+		d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
+
+		*(p++)=s->version>>8;
+		*(p++)=s->version&0xff;
+		s->client_version=s->version;
+
+		/* Random stuff */
+		memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
+		p+=SSL3_RANDOM_SIZE;
+
+		/* Session ID */
+		if (s->new_session)
+			i=0;
+		else
+			i=s->session->session_id_length;
+		*(p++)=i;
+		if (i != 0)
+			{
+			if (i > sizeof s->session->session_id)
+				{
+				SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+				goto err;
+				}
+			memcpy(p,s->session->session_id,i);
+			p+=i;
+			}
+		
+		/* cookie stuff */
+		if ( s->d1->cookie_len > sizeof(s->d1->cookie))
+			{
+			SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+			goto err;
+			}
+		*(p++) = s->d1->cookie_len;
+		memcpy(p, s->d1->cookie, s->d1->cookie_len);
+		p += s->d1->cookie_len;
+
+		/* Ciphers supported */
+		i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
+		if (i == 0)
+			{
+			SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
+			goto err;
+			}
+		s2n(i,p);
+		p+=i;
+
+		/* COMPRESSION */
+		if (s->ctx->comp_methods == NULL)
+			j=0;
+		else
+			j=sk_SSL_COMP_num(s->ctx->comp_methods);
+		*(p++)=1+j;
+		for (i=0; i<j; i++)
+			{
+			comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
+			*(p++)=comp->id;
+			}
+		*(p++)=0; /* Add the NULL method */
+		
+		l=(p-d);
+		d=buf;
+
+		d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO, l, 0, l);
+
+		s->state=SSL3_ST_CW_CLNT_HELLO_B;
+		/* number of bytes to write */
+		s->init_num=p-buf;
+		s->init_off=0;
+
+		/* buffer the message to handle re-xmits */
+		dtls1_buffer_message(s, 0);
+		}
+
+	/* SSL3_ST_CW_CLNT_HELLO_B */
+	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+err:
+	return(-1);
+	}
+
+static int dtls1_get_hello_verify(SSL *s)
+	{
+	int n, al, ok = 0;
+	unsigned char *data;
+	unsigned int cookie_len;
+
+	n=s->method->ssl_get_message(s,
+		DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
+		DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
+		-1,
+		s->max_cert_list,
+		&ok);
+
+	if (!ok) return((int)n);
+
+	if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST)
+		{
+		s->d1->send_cookie = 0;
+		s->s3->tmp.reuse_message=1;
+		return(1);
+		}
+
+	data = (unsigned char *)s->init_msg;
+
+	if ((data[0] != (s->version>>8)) || (data[1] != (s->version&0xff)))
+		{
+		SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY,SSL_R_WRONG_SSL_VERSION);
+		s->version=(s->version&0xff00)|data[1];
+		al = SSL_AD_PROTOCOL_VERSION;
+		goto f_err;
+		}
+	data+=2;
+
+	cookie_len = *(data++);
+	if ( cookie_len > sizeof(s->d1->cookie))
+		{
+		al=SSL_AD_ILLEGAL_PARAMETER;
+		goto f_err;
+		}
+
+	memcpy(s->d1->cookie, data, cookie_len);
+	s->d1->cookie_len = cookie_len;
+
+	s->d1->send_cookie = 1;
+	return 1;
+
+f_err:
+	ssl3_send_alert(s, SSL3_AL_FATAL, al);
+	return -1;
+	}
+
+int dtls1_send_client_key_exchange(SSL *s)
+	{
+	unsigned char *p,*d;
+	int n;
+	unsigned long l;
+#ifndef OPENSSL_NO_RSA
+	unsigned char *q;
+	EVP_PKEY *pkey=NULL;
+#endif
+#ifndef OPENSSL_NO_KRB5
+        KSSL_ERR kssl_err;
+#endif /* OPENSSL_NO_KRB5 */
+
+	if (s->state == SSL3_ST_CW_KEY_EXCH_A)
+		{
+		d=(unsigned char *)s->init_buf->data;
+		p= &(d[DTLS1_HM_HEADER_LENGTH]);
+
+		l=s->s3->tmp.new_cipher->algorithms;
+
+                /* Fool emacs indentation */
+                if (0) {}
+#ifndef OPENSSL_NO_RSA
+		else if (l & SSL_kRSA)
+			{
+			RSA *rsa;
+			unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
+
+			if (s->session->sess_cert->peer_rsa_tmp != NULL)
+				rsa=s->session->sess_cert->peer_rsa_tmp;
+			else
+				{
+				pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
+				if ((pkey == NULL) ||
+					(pkey->type != EVP_PKEY_RSA) ||
+					(pkey->pkey.rsa == NULL))
+					{
+					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+					goto err;
+					}
+				rsa=pkey->pkey.rsa;
+				EVP_PKEY_free(pkey);
+				}
+				
+			tmp_buf[0]=s->client_version>>8;
+			tmp_buf[1]=s->client_version&0xff;
+			if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
+					goto err;
+
+			s->session->master_key_length=sizeof tmp_buf;
+
+			q=p;
+			/* Fix buf for TLS and beyond */
+			if (s->version > SSL3_VERSION)
+				p+=2;
+			n=RSA_public_encrypt(sizeof tmp_buf,
+				tmp_buf,p,rsa,RSA_PKCS1_PADDING);
+#ifdef PKCS1_CHECK
+			if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
+			if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
+#endif
+			if (n <= 0)
+				{
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
+				goto err;
+				}
+
+			/* Fix buf for TLS and beyond */
+			if (s->version > SSL3_VERSION)
+				{
+				s2n(n,q);
+				n+=2;
+				}
+
+			s->session->master_key_length=
+				s->method->ssl3_enc->generate_master_secret(s,
+					s->session->master_key,
+					tmp_buf,sizeof tmp_buf);
+			OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
+			}
+#endif
+#ifndef OPENSSL_NO_KRB5
+		else if (l & SSL_kKRB5)
+                        {
+                        krb5_error_code	krb5rc;
+                        KSSL_CTX	*kssl_ctx = s->kssl_ctx;
+                        /*  krb5_data	krb5_ap_req;  */
+                        krb5_data	*enc_ticket;
+                        krb5_data	authenticator, *authp = NULL;
+			EVP_CIPHER_CTX	ciph_ctx;
+			EVP_CIPHER	*enc = NULL;
+			unsigned char	iv[EVP_MAX_IV_LENGTH];
+			unsigned char	tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
+			unsigned char	epms[SSL_MAX_MASTER_KEY_LENGTH 
+						+ EVP_MAX_IV_LENGTH];
+			int 		padl, outl = sizeof(epms);
+
+			EVP_CIPHER_CTX_init(&ciph_ctx);
+
+#ifdef KSSL_DEBUG
+                        printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
+                                l, SSL_kKRB5);
+#endif	/* KSSL_DEBUG */
+
+			authp = NULL;
+#ifdef KRB5SENDAUTH
+			if (KRB5SENDAUTH)  authp = &authenticator;
+#endif	/* KRB5SENDAUTH */
+
+                        krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
+				&kssl_err);
+			enc = kssl_map_enc(kssl_ctx->enctype);
+                        if (enc == NULL)
+                            goto err;
+#ifdef KSSL_DEBUG
+                        {
+                        printf("kssl_cget_tkt rtn %d\n", krb5rc);
+                        if (krb5rc && kssl_err.text)
+			  printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
+                        }
+#endif	/* KSSL_DEBUG */
+
+                        if (krb5rc)
+                                {
+                                ssl3_send_alert(s,SSL3_AL_FATAL,
+						SSL_AD_HANDSHAKE_FAILURE);
+                                SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
+						kssl_err.reason);
+                                goto err;
+                                }
+
+			/*  20010406 VRS - Earlier versions used KRB5 AP_REQ
+			**  in place of RFC 2712 KerberosWrapper, as in:
+			**
+                        **  Send ticket (copy to *p, set n = length)
+                        **  n = krb5_ap_req.length;
+                        **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
+                        **  if (krb5_ap_req.data)  
+                        **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
+                        **
+			**  Now using real RFC 2712 KerberosWrapper
+			**  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
+			**  Note: 2712 "opaque" types are here replaced
+			**  with a 2-byte length followed by the value.
+			**  Example:
+			**  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
+			**  Where "xx xx" = length bytes.  Shown here with
+			**  optional authenticator omitted.
+			*/
+
+			/*  KerberosWrapper.Ticket		*/
+			s2n(enc_ticket->length,p);
+			memcpy(p, enc_ticket->data, enc_ticket->length);
+			p+= enc_ticket->length;
+			n = enc_ticket->length + 2;
+
+			/*  KerberosWrapper.Authenticator	*/
+			if (authp  &&  authp->length)  
+				{
+				s2n(authp->length,p);
+				memcpy(p, authp->data, authp->length);
+				p+= authp->length;
+				n+= authp->length + 2;
+				
+				free(authp->data);
+				authp->data = NULL;
+				authp->length = 0;
+				}
+			else
+				{
+				s2n(0,p);/*  null authenticator length	*/
+				n+=2;
+				}
+ 
+			if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
+			    goto err;
+
+			/*  20010420 VRS.  Tried it this way; failed.
+			**	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
+			**	EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
+			**				kssl_ctx->length);
+			**	EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
+			*/
+
+			memset(iv, 0, sizeof iv);  /* per RFC 1510 */
+			EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
+				kssl_ctx->key,iv);
+			EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
+				sizeof tmp_buf);
+			EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
+			outl += padl;
+			if (outl > sizeof epms)
+				{
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+				goto err;
+				}
+			EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+			/*  KerberosWrapper.EncryptedPreMasterSecret	*/
+			s2n(outl,p);
+			memcpy(p, epms, outl);
+			p+=outl;
+			n+=outl + 2;
+
+                        s->session->master_key_length=
+                                s->method->ssl3_enc->generate_master_secret(s,
+					s->session->master_key,
+					tmp_buf, sizeof tmp_buf);
+
+			OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
+			OPENSSL_cleanse(epms, outl);
+                        }
+#endif
+#ifndef OPENSSL_NO_DH
+		else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
+			{
+			DH *dh_srvr,*dh_clnt;
+
+			if (s->session->sess_cert->peer_dh_tmp != NULL)
+				dh_srvr=s->session->sess_cert->peer_dh_tmp;
+			else
+				{
+				/* we get them from the cert */
+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
+				goto err;
+				}
+			
+			/* generate a new random key */
+			if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
+				{
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+				goto err;
+				}
+			if (!DH_generate_key(dh_clnt))
+				{
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+				goto err;
+				}
+
+			/* use the 'p' output buffer for the DH key, but
+			 * make sure to clear it out afterwards */
+
+			n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
+
+			if (n <= 0)
+				{
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+				goto err;
+				}
+
+			/* generate master key from the result */
+			s->session->master_key_length=
+				s->method->ssl3_enc->generate_master_secret(s,
+					s->session->master_key,p,n);
+			/* clean up */
+			memset(p,0,n);
+
+			/* send off the data */
+			n=BN_num_bytes(dh_clnt->pub_key);
+			s2n(n,p);
+			BN_bn2bin(dh_clnt->pub_key,p);
+			n+=2;
+
+			DH_free(dh_clnt);
+
+			/* perhaps clean things up a bit EAY EAY EAY EAY*/
+			}
+#endif
+		else
+			{
+			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+			SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+			goto err;
+			}
+		
+		d = dtls1_set_message_header(s, d,
+		SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n);
+		/*
+		 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
+		 l2n3(n,d);
+		 l2n(s->d1->handshake_write_seq,d);
+		 s->d1->handshake_write_seq++;
+		*/
+		
+		s->state=SSL3_ST_CW_KEY_EXCH_B;
+		/* number of bytes to write */
+		s->init_num=n+DTLS1_HM_HEADER_LENGTH;
+		s->init_off=0;
+
+		/* buffer the message to handle re-xmits */
+		dtls1_buffer_message(s, 0);
+		}
+	
+	/* SSL3_ST_CW_KEY_EXCH_B */
+	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+err:
+	return(-1);
+	}
+
+int dtls1_send_client_verify(SSL *s)
+	{
+	unsigned char *p,*d;
+	unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
+	EVP_PKEY *pkey;
+#ifndef OPENSSL_NO_RSA
+	unsigned u=0;
+#endif
+	unsigned long n;
+#ifndef OPENSSL_NO_DSA
+	int j;
+#endif
+
+	if (s->state == SSL3_ST_CW_CERT_VRFY_A)
+		{
+		d=(unsigned char *)s->init_buf->data;
+		p= &(d[DTLS1_HM_HEADER_LENGTH]);
+		pkey=s->cert->key->privatekey;
+
+		s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
+			&(data[MD5_DIGEST_LENGTH]));
+
+#ifndef OPENSSL_NO_RSA
+		if (pkey->type == EVP_PKEY_RSA)
+			{
+			s->method->ssl3_enc->cert_verify_mac(s,
+				&(s->s3->finish_dgst1),&(data[0]));
+			if (RSA_sign(NID_md5_sha1, data,
+					 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
+					&(p[2]), &u, pkey->pkey.rsa) <= 0 )
+				{
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
+				goto err;
+				}
+			s2n(u,p);
+			n=u+2;
+			}
+		else
+#endif
+#ifndef OPENSSL_NO_DSA
+			if (pkey->type == EVP_PKEY_DSA)
+			{
+			if (!DSA_sign(pkey->save_type,
+				&(data[MD5_DIGEST_LENGTH]),
+				SHA_DIGEST_LENGTH,&(p[2]),
+				(unsigned int *)&j,pkey->pkey.dsa))
+				{
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
+				goto err;
+				}
+			s2n(j,p);
+			n=j+2;
+			}
+		else
+#endif
+			{
+			SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
+			goto err;
+			}
+
+		d = dtls1_set_message_header(s, d,
+			SSL3_MT_CERTIFICATE_VERIFY, n, 0, n) ;
+
+		s->init_num=(int)n+DTLS1_HM_HEADER_LENGTH;
+		s->init_off=0;
+
+		/* buffer the message to handle re-xmits */
+		dtls1_buffer_message(s, 0);
+
+		s->state = SSL3_ST_CW_CERT_VRFY_B;
+		}
+
+	/* s->state = SSL3_ST_CW_CERT_VRFY_B */
+	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+err:
+	return(-1);
+	}
+
+int dtls1_send_client_certificate(SSL *s)
+	{
+	X509 *x509=NULL;
+	EVP_PKEY *pkey=NULL;
+	int i;
+	unsigned long l;
+
+	if (s->state ==	SSL3_ST_CW_CERT_A)
+		{
+		if ((s->cert == NULL) ||
+			(s->cert->key->x509 == NULL) ||
+			(s->cert->key->privatekey == NULL))
+			s->state=SSL3_ST_CW_CERT_B;
+		else
+			s->state=SSL3_ST_CW_CERT_C;
+		}
+
+	/* We need to get a client cert */
+	if (s->state == SSL3_ST_CW_CERT_B)
+		{
+		/* If we get an error, we need to
+		 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
+		 * We then get retied later */
+		i=0;
+		if (s->ctx->client_cert_cb != NULL)
+			i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
+		if (i < 0)
+			{
+			s->rwstate=SSL_X509_LOOKUP;
+			return(-1);
+			}
+		s->rwstate=SSL_NOTHING;
+		if ((i == 1) && (pkey != NULL) && (x509 != NULL))
+			{
+			s->state=SSL3_ST_CW_CERT_B;
+			if (	!SSL_use_certificate(s,x509) ||
+				!SSL_use_PrivateKey(s,pkey))
+				i=0;
+			}
+		else if (i == 1)
+			{
+			i=0;
+			SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
+			}
+
+		if (x509 != NULL) X509_free(x509);
+		if (pkey != NULL) EVP_PKEY_free(pkey);
+		if (i == 0)
+			{
+			if (s->version == SSL3_VERSION)
+				{
+				s->s3->tmp.cert_req=0;
+				ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
+				return(1);
+				}
+			else
+				{
+				s->s3->tmp.cert_req=2;
+				}
+			}
+
+		/* Ok, we have a cert */
+		s->state=SSL3_ST_CW_CERT_C;
+		}
+
+	if (s->state == SSL3_ST_CW_CERT_C)
+		{
+		s->state=SSL3_ST_CW_CERT_D;
+		l=dtls1_output_cert_chain(s,
+			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+		s->init_num=(int)l;
+		s->init_off=0;
+
+		/* set header called by dtls1_output_cert_chain() */
+
+		/* buffer the message to handle re-xmits */
+		dtls1_buffer_message(s, 0);
+		}
+	/* SSL3_ST_CW_CERT_D */
+	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+	}
+
+
diff --git a/crypto/openssl/ssl/d1_enc.c b/crypto/openssl/ssl/d1_enc.c
new file mode 100644
index 000000000000..cbff7495c502
--- /dev/null
+++ b/crypto/openssl/ssl/d1_enc.c
@@ -0,0 +1,281 @@
+/* ssl/d1_enc.c */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "ssl_locl.h"
+#include <openssl/comp.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/md5.h>
+#include <openssl/rand.h>
+
+
+int dtls1_enc(SSL *s, int send)
+	{
+	SSL3_RECORD *rec;
+	EVP_CIPHER_CTX *ds;
+	unsigned long l;
+	int bs,i,ii,j,k,n=0;
+	const EVP_CIPHER *enc;
+
+	if (send)
+		{
+		if (s->write_hash != NULL)
+			n=EVP_MD_size(s->write_hash);
+		ds=s->enc_write_ctx;
+		rec= &(s->s3->wrec);
+		if (s->enc_write_ctx == NULL)
+			enc=NULL;
+		else
+			{
+			enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
+			if ( rec->data != rec->input)
+				/* we can't write into the input stream */
+				fprintf(stderr, "%s:%d: rec->data != rec->input\n",
+					__FILE__, __LINE__);
+			else if ( EVP_CIPHER_block_size(ds->cipher) > 1)
+				{
+				if (!RAND_bytes(rec->input, EVP_CIPHER_block_size(ds->cipher)))
+					return -1;
+				}
+			}
+		}
+	else
+		{
+		if (s->read_hash != NULL)
+			n=EVP_MD_size(s->read_hash);
+		ds=s->enc_read_ctx;
+		rec= &(s->s3->rrec);
+		if (s->enc_read_ctx == NULL)
+			enc=NULL;
+		else
+			enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
+		}
+
+#ifdef KSSL_DEBUG
+	printf("dtls1_enc(%d)\n", send);
+#endif    /* KSSL_DEBUG */
+
+	if ((s->session == NULL) || (ds == NULL) ||
+		(enc == NULL))
+		{
+		memmove(rec->data,rec->input,rec->length);
+		rec->input=rec->data;
+		}
+	else
+		{
+		l=rec->length;
+		bs=EVP_CIPHER_block_size(ds->cipher);
+
+		if ((bs != 1) && send)
+			{
+			i=bs-((int)l%bs);
+
+			/* Add weird padding of upto 256 bytes */
+
+			/* we need to add 'i' padding bytes of value j */
+			j=i-1;
+			if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)
+				{
+				if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
+					j++;
+				}
+			for (k=(int)l; k<(int)(l+i); k++)
+				rec->input[k]=j;
+			l+=i;
+			rec->length+=i;
+			}
+
+#ifdef KSSL_DEBUG
+		{
+                unsigned long ui;
+		printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
+                        ds,rec->data,rec->input,l);
+		printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
+                        ds->buf_len, ds->cipher->key_len,
+                        DES_KEY_SZ, DES_SCHEDULE_SZ,
+                        ds->cipher->iv_len);
+		printf("\t\tIV: ");
+		for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
+		printf("\n");
+		printf("\trec->input=");
+		for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
+		printf("\n");
+		}
+#endif	/* KSSL_DEBUG */
+
+		if (!send)
+			{
+			if (l == 0 || l%bs != 0)
+				{
+				SSLerr(SSL_F_DTLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
+				return 0;
+				}
+			}
+		
+		EVP_Cipher(ds,rec->data,rec->input,l);
+
+#ifdef KSSL_DEBUG
+		{
+                unsigned long i;
+                printf("\trec->data=");
+		for (i=0; i<l; i++)
+                        printf(" %02x", rec->data[i]);  printf("\n");
+                }
+#endif	/* KSSL_DEBUG */
+
+		if ((bs != 1) && !send)
+			{
+			ii=i=rec->data[l-1]; /* padding_length */
+			i++;
+			if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
+				{
+				/* First packet is even in size, so check */
+				if ((memcmp(s->s3->read_sequence,
+					"\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
+					s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
+				if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
+					i--;
+				}
+			/* TLS 1.0 does not bound the number of padding bytes by the block size.
+			 * All of them must have value 'padding_length'. */
+			if (i > (int)rec->length)
+				{
+				/* Incorrect padding. SSLerr() and ssl3_alert are done
+				 * by caller: we don't want to reveal whether this is
+				 * a decryption error or a MAC verification failure
+				 * (see http://www.openssl.org/~bodo/tls-cbc.txt) 
+				 */
+				return -1;
+				}
+			for (j=(int)(l-i); j<(int)l; j++)
+				{
+				if (rec->data[j] != ii)
+					{
+					/* Incorrect padding */
+					return -1;
+					}
+				}
+			rec->length-=i;
+
+			rec->data += bs;    /* skip the implicit IV */
+			rec->input += bs;
+			rec->length -= bs;
+			}
+		}
+	return(1);
+	}
+
diff --git a/crypto/openssl/ssl/d1_lib.c b/crypto/openssl/ssl/d1_lib.c
new file mode 100644
index 000000000000..78308111447f
--- /dev/null
+++ b/crypto/openssl/ssl/d1_lib.c
@@ -0,0 +1,190 @@
+/* ssl/d1_lib.c */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/objects.h>
+#include "ssl_locl.h"
+
+const char *dtls1_version_str="DTLSv1" OPENSSL_VERSION_PTEXT;
+
+SSL3_ENC_METHOD DTLSv1_enc_data={
+    dtls1_enc,
+	tls1_mac,
+	tls1_setup_key_block,
+	tls1_generate_master_secret,
+	tls1_change_cipher_state,
+	tls1_final_finish_mac,
+	TLS1_FINISH_MAC_LENGTH,
+	tls1_cert_verify_mac,
+	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
+	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
+	tls1_alert_code,
+	};
+
+long dtls1_default_timeout(void)
+	{
+	/* 2 hours, the 24 hours mentioned in the DTLSv1 spec
+	 * is way too long for http, the cache would over fill */
+	return(60*60*2);
+	}
+
+IMPLEMENT_dtls1_meth_func(dtlsv1_base_method,
+			ssl_undefined_function,
+			ssl_undefined_function,
+			ssl_bad_method)
+
+int dtls1_new(SSL *s)
+	{
+	DTLS1_STATE *d1;
+
+	if (!ssl3_new(s)) return(0);
+	if ((d1=OPENSSL_malloc(sizeof *d1)) == NULL) return (0);
+	memset(d1,0, sizeof *d1);
+
+	/* d1->handshake_epoch=0; */
+#if defined(OPENSSL_SYS_VMS) || defined(VMS_TEST)
+	d1->bitmap.length=64;
+#else
+	d1->bitmap.length=sizeof(d1->bitmap.map) * 8;
+#endif
+	pq_64bit_init(&(d1->bitmap.map));
+	pq_64bit_init(&(d1->bitmap.max_seq_num));
+	
+	pq_64bit_init(&(d1->next_bitmap.map));
+	pq_64bit_init(&(d1->next_bitmap.max_seq_num));
+
+	d1->unprocessed_rcds.q=pqueue_new();
+	d1->processed_rcds.q=pqueue_new();
+	d1->buffered_messages = pqueue_new();
+	d1->sent_messages=pqueue_new();
+
+	if ( s->server)
+		{
+		d1->cookie_len = sizeof(s->d1->cookie);
+		}
+
+	if( ! d1->unprocessed_rcds.q || ! d1->processed_rcds.q 
+        || ! d1->buffered_messages || ! d1->sent_messages)
+		{
+        if ( d1->unprocessed_rcds.q) pqueue_free(d1->unprocessed_rcds.q);
+        if ( d1->processed_rcds.q) pqueue_free(d1->processed_rcds.q);
+        if ( d1->buffered_messages) pqueue_free(d1->buffered_messages);
+		if ( d1->sent_messages) pqueue_free(d1->sent_messages);
+		OPENSSL_free(d1);
+		return (0);
+		}
+
+	s->d1=d1;
+	s->method->ssl_clear(s);
+	return(1);
+	}
+
+void dtls1_free(SSL *s)
+	{
+    pitem *item = NULL;
+    hm_fragment *frag = NULL;
+
+	ssl3_free(s);
+
+    while( (item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL)
+        {
+        OPENSSL_free(item->data);
+        pitem_free(item);
+        }
+    pqueue_free(s->d1->unprocessed_rcds.q);
+
+    while( (item = pqueue_pop(s->d1->processed_rcds.q)) != NULL)
+        {
+        OPENSSL_free(item->data);
+        pitem_free(item);
+        }
+    pqueue_free(s->d1->processed_rcds.q);
+
+    while( (item = pqueue_pop(s->d1->buffered_messages)) != NULL)
+        {
+        frag = (hm_fragment *)item->data;
+        OPENSSL_free(frag->fragment);
+        OPENSSL_free(frag);
+        pitem_free(item);
+        }
+    pqueue_free(s->d1->buffered_messages);
+
+    while ( (item = pqueue_pop(s->d1->sent_messages)) != NULL)
+        {
+        frag = (hm_fragment *)item->data;
+        OPENSSL_free(frag->fragment);
+        OPENSSL_free(frag);
+        pitem_free(item);
+        }
+	pqueue_free(s->d1->sent_messages);
+
+	pq_64bit_free(&(s->d1->bitmap.map));
+	pq_64bit_free(&(s->d1->bitmap.max_seq_num));
+
+	pq_64bit_free(&(s->d1->next_bitmap.map));
+	pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
+
+	OPENSSL_free(s->d1);
+	}
+
+void dtls1_clear(SSL *s)
+	{
+	ssl3_clear(s);
+	s->version=DTLS1_VERSION;
+	}
diff --git a/crypto/openssl/ssl/d1_meth.c b/crypto/openssl/ssl/d1_meth.c
new file mode 100644
index 000000000000..8a6cf31947ab
--- /dev/null
+++ b/crypto/openssl/ssl/d1_meth.c
@@ -0,0 +1,77 @@
+/* ssl/d1_meth.h */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/objects.h>
+#include "ssl_locl.h"
+
+static SSL_METHOD *dtls1_get_method(int ver);
+static SSL_METHOD *dtls1_get_method(int ver)
+	{
+	if (ver == DTLS1_VERSION)
+		return(DTLSv1_method());
+	else
+		return(NULL);
+	}
+
+IMPLEMENT_dtls1_meth_func(DTLSv1_method,
+			dtls1_accept,
+			dtls1_connect,
+			dtls1_get_method)
+
diff --git a/crypto/openssl/ssl/d1_pkt.c b/crypto/openssl/ssl/d1_pkt.c
new file mode 100644
index 000000000000..be6ee3232684
--- /dev/null
+++ b/crypto/openssl/ssl/d1_pkt.c
@@ -0,0 +1,1770 @@
+/* ssl/d1_pkt.c */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#define USE_SOCKETS
+#include "ssl_locl.h"
+#include <openssl/evp.h>
+#include <openssl/buffer.h>
+#include <openssl/pqueue.h>
+
+static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
+	int len, int peek);
+static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
+	PQ_64BIT *seq_num);
+static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
+static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 
+    unsigned int *is_next_epoch);
+#if 0
+static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
+	unsigned short *priority, unsigned long *offset);
+#endif
+static int dtls1_buffer_record(SSL *s, record_pqueue *q,
+	PQ_64BIT priority);
+static int dtls1_process_record(SSL *s);
+#if PQ_64BIT_IS_INTEGER
+static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num);
+#endif
+static void dtls1_clear_timeouts(SSL *s);
+
+/* copy buffered record into SSL structure */
+static int
+dtls1_copy_record(SSL *s, pitem *item)
+    {
+    DTLS1_RECORD_DATA *rdata;
+
+    rdata = (DTLS1_RECORD_DATA *)item->data;
+    
+    if (s->s3->rbuf.buf != NULL)
+        OPENSSL_free(s->s3->rbuf.buf);
+    
+    s->packet = rdata->packet;
+    s->packet_length = rdata->packet_length;
+    memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
+    memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
+    
+    return(1);
+    }
+
+
+static int
+dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
+{
+    DTLS1_RECORD_DATA *rdata;
+	pitem *item;
+
+	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
+	item = pitem_new(priority, rdata);
+	if (rdata == NULL || item == NULL)
+		{
+		if (rdata != NULL) OPENSSL_free(rdata);
+		if (item != NULL) pitem_free(item);
+		
+		SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
+		return(0);
+		}
+	
+	rdata->packet = s->packet;
+	rdata->packet_length = s->packet_length;
+	memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));
+	memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));
+
+	item->data = rdata;
+
+	/* insert should not fail, since duplicates are dropped */
+	if (pqueue_insert(queue->q, item) == NULL)
+		{
+		OPENSSL_free(rdata);
+		pitem_free(item);
+		return(0);
+		}
+
+	s->packet = NULL;
+	s->packet_length = 0;
+	memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
+	memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
+	
+	if (!ssl3_setup_buffers(s))
+		{
+		SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
+		OPENSSL_free(rdata);
+		pitem_free(item);
+		return(0);
+		}
+	
+	return(1);
+    }
+
+
+static int
+dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
+    {
+    pitem *item;
+
+    item = pqueue_pop(queue->q);
+    if (item)
+        {
+        dtls1_copy_record(s, item);
+
+        OPENSSL_free(item->data);
+		pitem_free(item);
+
+        return(1);
+        }
+
+    return(0);
+    }
+
+
+/* retrieve a buffered record that belongs to the new epoch, i.e., not processed 
+ * yet */
+#define dtls1_get_unprocessed_record(s) \
+                   dtls1_retrieve_buffered_record((s), \
+                   &((s)->d1->unprocessed_rcds))
+
+/* retrieve a buffered record that belongs to the current epoch, ie, processed */
+#define dtls1_get_processed_record(s) \
+                   dtls1_retrieve_buffered_record((s), \
+                   &((s)->d1->processed_rcds))
+
+static int
+dtls1_process_buffered_records(SSL *s)
+    {
+    pitem *item;
+    
+    item = pqueue_peek(s->d1->unprocessed_rcds.q);
+    if (item)
+        {
+        DTLS1_RECORD_DATA *rdata;
+        rdata = (DTLS1_RECORD_DATA *)item->data;
+        
+        /* Check if epoch is current. */
+        if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
+            return(1);  /* Nothing to do. */
+        
+        /* Process all the records. */
+        while (pqueue_peek(s->d1->unprocessed_rcds.q))
+            {
+            dtls1_get_unprocessed_record(s);
+            if ( ! dtls1_process_record(s))
+                return(0);
+            dtls1_buffer_record(s, &(s->d1->processed_rcds), 
+                s->s3->rrec.seq_num);
+            }
+        }
+
+    /* sync epoch numbers once all the unprocessed records 
+     * have been processed */
+    s->d1->processed_rcds.epoch = s->d1->r_epoch;
+    s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
+
+    return(1);
+    }
+
+
+#if 0
+
+static int
+dtls1_get_buffered_record(SSL *s)
+	{
+	pitem *item;
+	PQ_64BIT priority = 
+		(((PQ_64BIT)s->d1->handshake_read_seq) << 32) | 
+		((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
+	
+	if ( ! SSL_in_init(s))  /* if we're not (re)negotiating, 
+							   nothing buffered */
+		return 0;
+
+
+	item = pqueue_peek(s->d1->rcvd_records);
+	if (item && item->priority == priority)
+		{
+		/* Check if we've received the record of interest.  It must be
+		 * a handshake record, since data records as passed up without
+		 * buffering */
+		DTLS1_RECORD_DATA *rdata;
+		item = pqueue_pop(s->d1->rcvd_records);
+		rdata = (DTLS1_RECORD_DATA *)item->data;
+		
+		if (s->s3->rbuf.buf != NULL)
+			OPENSSL_free(s->s3->rbuf.buf);
+		
+		s->packet = rdata->packet;
+		s->packet_length = rdata->packet_length;
+		memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
+		memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
+		
+		OPENSSL_free(item->data);
+		pitem_free(item);
+		
+		/* s->d1->next_expected_seq_num++; */
+		return(1);
+		}
+	
+	return 0;
+	}
+
+#endif
+
+static int
+dtls1_process_record(SSL *s)
+{
+    int i,al;
+	int clear=0;
+    int enc_err;
+	SSL_SESSION *sess;
+    SSL3_RECORD *rr;
+	unsigned int mac_size;
+	unsigned char md[EVP_MAX_MD_SIZE];
+
+
+	rr= &(s->s3->rrec);
+    sess = s->session;
+
+	/* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
+	 * and we have that many bytes in s->packet
+	 */
+	rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]);
+
+	/* ok, we can now read from 's->packet' data into 'rr'
+	 * rr->input points at rr->length bytes, which
+	 * need to be copied into rr->data by either
+	 * the decryption or by the decompression
+	 * When the data is 'copied' into the rr->data buffer,
+	 * rr->input will be pointed at the new buffer */ 
+
+	/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
+	 * rr->length bytes of encrypted compressed stuff. */
+
+	/* check is not needed I believe */
+	if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
+		{
+		al=SSL_AD_RECORD_OVERFLOW;
+		SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+		goto f_err;
+		}
+
+	/* decrypt in place in 'rr->input' */
+	rr->data=rr->input;
+
+	enc_err = s->method->ssl3_enc->enc(s,0);
+	if (enc_err <= 0)
+		{
+		if (enc_err == 0)
+			/* SSLerr() and ssl3_send_alert() have been called */
+			goto err;
+
+		/* otherwise enc_err == -1 */
+		goto decryption_failed_or_bad_record_mac;
+		}
+
+#ifdef TLS_DEBUG
+printf("dec %d\n",rr->length);
+{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
+printf("\n");
+#endif
+
+	/* r->length is now the compressed data plus mac */
+if (	(sess == NULL) ||
+		(s->enc_read_ctx == NULL) ||
+		(s->read_hash == NULL))
+    clear=1;
+
+	if (!clear)
+		{
+		mac_size=EVP_MD_size(s->read_hash);
+
+		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
+			{
+#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
+			al=SSL_AD_RECORD_OVERFLOW;
+			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
+			goto f_err;
+#else
+			goto decryption_failed_or_bad_record_mac;
+#endif			
+			}
+		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
+		if (rr->length < mac_size)
+			{
+#if 0 /* OK only for stream ciphers */
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
+			goto f_err;
+#else
+			goto decryption_failed_or_bad_record_mac;
+#endif
+			}
+		rr->length-=mac_size;
+		i=s->method->ssl3_enc->mac(s,md,0);
+		if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
+			{
+			goto decryption_failed_or_bad_record_mac;
+			}
+		}
+
+	/* r->length is now just compressed */
+	if (s->expand != NULL)
+		{
+		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH)
+			{
+			al=SSL_AD_RECORD_OVERFLOW;
+			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
+			goto f_err;
+			}
+		if (!ssl3_do_uncompress(s))
+			{
+			al=SSL_AD_DECOMPRESSION_FAILURE;
+			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION);
+			goto f_err;
+			}
+		}
+
+	if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH)
+		{
+		al=SSL_AD_RECORD_OVERFLOW;
+		SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
+		goto f_err;
+		}
+
+	rr->off=0;
+	/* So at this point the following is true
+	 * ssl->s3->rrec.type 	is the type of record
+	 * ssl->s3->rrec.length	== number of bytes in record
+	 * ssl->s3->rrec.off	== offset to first valid byte
+	 * ssl->s3->rrec.data	== where to take bytes from, increment
+	 *			   after use :-).
+	 */
+
+	/* we have pulled in a full packet so zero things */
+	s->packet_length=0;
+    dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
+    return(1);
+
+decryption_failed_or_bad_record_mac:
+	/* Separate 'decryption_failed' alert was introduced with TLS 1.0,
+	 * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
+	 * failure is directly visible from the ciphertext anyway,
+	 * we should not reveal which kind of error occured -- this
+	 * might become visible to an attacker (e.g. via logfile) */
+	al=SSL_AD_BAD_RECORD_MAC;
+	SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+err:
+	return(0);
+}
+
+
+/* Call this to get a new input record.
+ * It will return <= 0 if more data is needed, normally due to an error
+ * or non-blocking IO.
+ * When it finishes, one packet has been decoded and can be found in
+ * ssl->s3->rrec.type    - is the type of record
+ * ssl->s3->rrec.data, 	 - data
+ * ssl->s3->rrec.length, - number of bytes
+ */
+/* used only by dtls1_read_bytes */
+int dtls1_get_record(SSL *s)
+	{
+	int ssl_major,ssl_minor,al;
+	int i,n;
+	SSL3_RECORD *rr;
+	SSL_SESSION *sess;
+	unsigned char *p;
+	short version;
+	DTLS1_BITMAP *bitmap;
+    unsigned int is_next_epoch;
+
+	rr= &(s->s3->rrec);
+	sess=s->session;
+
+    /* The epoch may have changed.  If so, process all the
+     * pending records.  This is a non-blocking operation. */
+    if ( ! dtls1_process_buffered_records(s))
+        return 0;
+
+	/* if we're renegotiating, then there may be buffered records */
+	if (dtls1_get_processed_record(s))
+		return 1;
+
+	/* get something from the wire */
+again:
+	/* check if we have the header */
+	if (	(s->rstate != SSL_ST_READ_BODY) ||
+		(s->packet_length < DTLS1_RT_HEADER_LENGTH)) 
+		{
+		n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
+		/* read timeout is handled by dtls1_read_bytes */
+		if (n <= 0) return(n); /* error or non-blocking */
+
+		OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH);
+
+		s->rstate=SSL_ST_READ_BODY;
+
+		p=s->packet;
+
+		/* Pull apart the header into the DTLS1_RECORD */
+		rr->type= *(p++);
+		ssl_major= *(p++);
+		ssl_minor= *(p++);
+		version=(ssl_major<<8)|ssl_minor;
+
+        /* sequence number is 64 bits, with top 2 bytes = epoch */ 
+		n2s(p,rr->epoch);
+
+		memcpy(&(s->s3->read_sequence[2]), p, 6);
+		p+=6;
+
+		n2s(p,rr->length);
+
+		/* Lets check version */
+		if (s->first_packet)
+			{
+			s->first_packet=0;
+			}
+		else
+			{
+			if (version != s->version)
+				{
+				SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+				/* Send back error using their
+				 * version number :-) */
+				s->version=version;
+				al=SSL_AD_PROTOCOL_VERSION;
+				goto f_err;
+				}
+			}
+
+		if ((version & 0xff00) != (DTLS1_VERSION & 0xff00))
+			{
+			SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+			goto err;
+			}
+
+		if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
+			{
+			al=SSL_AD_RECORD_OVERFLOW;
+			SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
+			goto f_err;
+			}
+
+		/* now s->rstate == SSL_ST_READ_BODY */
+		}
+
+	/* s->rstate == SSL_ST_READ_BODY, get and decode the data */
+
+	if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH)
+		{
+		/* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
+		i=rr->length;
+		n=ssl3_read_n(s,i,i,1);
+		if (n <= 0) return(n); /* error or non-blocking io */
+
+		/* this packet contained a partial record, dump it */
+		if ( n != i)
+			{
+			s->packet_length = 0;
+			goto again;
+			}
+
+		/* now n == rr->length,
+		 * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */
+		}
+	s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
+
+	/* match epochs.  NULL means the packet is dropped on the floor */
+	bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
+	if ( bitmap == NULL)
+        {
+        s->packet_length = 0;  /* dump this record */
+        goto again;   /* get another record */
+		}
+
+	/* check whether this is a repeat, or aged record */
+	if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
+		{
+		s->packet_length=0; /* dump this record */
+		goto again;     /* get another record */
+		}
+
+	/* just read a 0 length packet */
+	if (rr->length == 0) goto again;
+
+    /* If this record is from the next epoch (either HM or ALERT), buffer it
+     * since it cannot be processed at this time.
+     * Records from the next epoch are marked as received even though they are 
+     * not processed, so as to prevent any potential resource DoS attack */
+    if (is_next_epoch)
+        {
+        dtls1_record_bitmap_update(s, bitmap);
+        dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+        s->packet_length = 0;
+        goto again;
+        }
+
+    if ( ! dtls1_process_record(s))
+        return(0);
+
+	dtls1_clear_timeouts(s);  /* done waiting */
+	return(1);
+
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+err:
+	return(0);
+	}
+
+/* Return up to 'len' payload bytes received in 'type' records.
+ * 'type' is one of the following:
+ *
+ *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
+ *   -  SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
+ *   -  0 (during a shutdown, no data has to be returned)
+ *
+ * If we don't have stored data to work from, read a SSL/TLS record first
+ * (possibly multiple records if we still don't have anything to return).
+ *
+ * This function must handle any surprises the peer may have for us, such as
+ * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
+ * a surprise, but handled as if it were), or renegotiation requests.
+ * Also if record payloads contain fragments too small to process, we store
+ * them until there is enough for the respective protocol (the record protocol
+ * may use arbitrary fragmentation and even interleaving):
+ *     Change cipher spec protocol
+ *             just 1 byte needed, no need for keeping anything stored
+ *     Alert protocol
+ *             2 bytes needed (AlertLevel, AlertDescription)
+ *     Handshake protocol
+ *             4 bytes needed (HandshakeType, uint24 length) -- we just have
+ *             to detect unexpected Client Hello and Hello Request messages
+ *             here, anything else is handled by higher layers
+ *     Application data protocol
+ *             none of our business
+ */
+int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
+	{
+	int al,i,j,ret;
+	unsigned int n;
+	SSL3_RECORD *rr;
+	void (*cb)(const SSL *ssl,int type2,int val)=NULL;
+
+	if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
+		if (!ssl3_setup_buffers(s))
+			return(-1);
+
+    /* XXX: check what the second '&& type' is about */
+	if ((type && (type != SSL3_RT_APPLICATION_DATA) && 
+		(type != SSL3_RT_HANDSHAKE) && type) ||
+	    (peek && (type != SSL3_RT_APPLICATION_DATA)))
+		{
+		SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
+		return -1;
+		}
+
+	/* check whether there's a handshake message (client hello?) waiting */
+	if ( (ret = have_handshake_fragment(s, type, buf, len, peek)))
+		return ret;
+
+	/* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
+
+	if (!s->in_handshake && SSL_in_init(s))
+		{
+		/* type == SSL3_RT_APPLICATION_DATA */
+		i=s->handshake_func(s);
+		if (i < 0) return(i);
+		if (i == 0)
+			{
+			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+			return(-1);
+			}
+		}
+
+start:
+	s->rwstate=SSL_NOTHING;
+
+	/* s->s3->rrec.type	    - is the type of record
+	 * s->s3->rrec.data,    - data
+	 * s->s3->rrec.off,     - offset into 'data' for next read
+	 * s->s3->rrec.length,  - number of bytes. */
+	rr = &(s->s3->rrec);
+
+	/* get new packet if necessary */
+	if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
+		{
+		ret=dtls1_get_record(s);
+		if (ret <= 0) 
+			{
+			ret = dtls1_read_failed(s, ret);
+			/* anything other than a timeout is an error */
+			if (ret <= 0)  
+				return(ret);
+			else
+				goto start;
+			}
+		}
+
+	/* we now have a packet which can be read and processed */
+
+	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+	                               * reset by ssl3_get_finished */
+		&& (rr->type != SSL3_RT_HANDSHAKE))
+		{
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
+		goto err;
+		}
+
+	/* If the other end has shut down, throw anything we read away
+	 * (even in 'peek' mode) */
+	if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
+		{
+		rr->length=0;
+		s->rwstate=SSL_NOTHING;
+		return(0);
+		}
+
+
+	if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
+		{
+		/* make sure that we are not getting application data when we
+		 * are doing a handshake for the first time */
+		if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
+			(s->enc_read_ctx == NULL))
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
+			goto f_err;
+			}
+
+		if (len <= 0) return(len);
+
+		if ((unsigned int)len > rr->length)
+			n = rr->length;
+		else
+			n = (unsigned int)len;
+
+		memcpy(buf,&(rr->data[rr->off]),n);
+		if (!peek)
+			{
+			rr->length-=n;
+			rr->off+=n;
+			if (rr->length == 0)
+				{
+				s->rstate=SSL_ST_READ_HEADER;
+				rr->off=0;
+				}
+			}
+		return(n);
+		}
+
+
+	/* If we get here, then type != rr->type; if we have a handshake
+	 * message, then it was unexpected (Hello Request or Client Hello). */
+
+	/* In case of record types for which we have 'fragment' storage,
+	 * fill that so that we can process the data at a fixed place.
+	 */
+		{
+		unsigned int k, dest_maxlen = 0;
+		unsigned char *dest = NULL;
+		unsigned int *dest_len = NULL;
+
+		if (rr->type == SSL3_RT_HANDSHAKE)
+			{
+			dest_maxlen = sizeof s->d1->handshake_fragment;
+			dest = s->d1->handshake_fragment;
+			dest_len = &s->d1->handshake_fragment_len;
+			}
+		else if (rr->type == SSL3_RT_ALERT)
+			{
+			dest_maxlen = sizeof(s->d1->alert_fragment);
+			dest = s->d1->alert_fragment;
+			dest_len = &s->d1->alert_fragment_len;
+			}
+		else	/* else it's a CCS message */
+			OPENSSL_assert(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC);
+
+
+		if (dest_maxlen > 0)
+			{
+            /* XDTLS:  In a pathalogical case, the Client Hello
+             *  may be fragmented--don't always expect dest_maxlen bytes */
+			if ( rr->length < dest_maxlen)
+				{
+				s->rstate=SSL_ST_READ_HEADER;
+				rr->length = 0;
+				goto start;
+				}
+
+			/* now move 'n' bytes: */
+			for ( k = 0; k < dest_maxlen; k++)
+				{
+				dest[k] = rr->data[rr->off++];
+				rr->length--;
+				}
+			*dest_len = dest_maxlen;
+			}
+		}
+
+	/* s->d1->handshake_fragment_len == 12  iff  rr->type == SSL3_RT_HANDSHAKE;
+	 * s->d1->alert_fragment_len == 7      iff  rr->type == SSL3_RT_ALERT.
+	 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
+
+	/* If we are a client, check for an incoming 'Hello Request': */
+	if ((!s->server) &&
+		(s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
+		(s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
+		(s->session != NULL) && (s->session->cipher != NULL))
+		{
+		s->d1->handshake_fragment_len = 0;
+
+		if ((s->d1->handshake_fragment[1] != 0) ||
+			(s->d1->handshake_fragment[2] != 0) ||
+			(s->d1->handshake_fragment[3] != 0))
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
+			goto err;
+			}
+
+		/* no need to check sequence number on HELLO REQUEST messages */
+
+		if (s->msg_callback)
+			s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 
+				s->d1->handshake_fragment, 4, s, s->msg_callback_arg);
+
+		if (SSL_is_init_finished(s) &&
+			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
+			!s->s3->renegotiate)
+			{
+			ssl3_renegotiate(s);
+			if (ssl3_renegotiate_check(s))
+				{
+				i=s->handshake_func(s);
+				if (i < 0) return(i);
+				if (i == 0)
+					{
+					SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+					return(-1);
+					}
+
+				if (!(s->mode & SSL_MODE_AUTO_RETRY))
+					{
+					if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+						{
+						BIO *bio;
+						/* In the case where we try to read application data,
+						 * but we trigger an SSL handshake, we return -1 with
+						 * the retry option set.  Otherwise renegotiation may
+						 * cause nasty problems in the blocking world */
+						s->rwstate=SSL_READING;
+						bio=SSL_get_rbio(s);
+						BIO_clear_retry_flags(bio);
+						BIO_set_retry_read(bio);
+						return(-1);
+						}
+					}
+				}
+			}
+		/* we either finished a handshake or ignored the request,
+		 * now try again to obtain the (application) data we were asked for */
+		goto start;
+		}
+
+	if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH)
+		{
+		int alert_level = s->d1->alert_fragment[0];
+		int alert_descr = s->d1->alert_fragment[1];
+
+		s->d1->alert_fragment_len = 0;
+
+		if (s->msg_callback)
+			s->msg_callback(0, s->version, SSL3_RT_ALERT, 
+				s->d1->alert_fragment, 2, s, s->msg_callback_arg);
+
+		if (s->info_callback != NULL)
+			cb=s->info_callback;
+		else if (s->ctx->info_callback != NULL)
+			cb=s->ctx->info_callback;
+
+		if (cb != NULL)
+			{
+			j = (alert_level << 8) | alert_descr;
+			cb(s, SSL_CB_READ_ALERT, j);
+			}
+
+		if (alert_level == 1) /* warning */
+			{
+			s->s3->warn_alert = alert_descr;
+			if (alert_descr == SSL_AD_CLOSE_NOTIFY)
+				{
+				s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+				return(0);
+				}
+#if 0
+            /* XXX: this is a possible improvement in the future */
+			/* now check if it's a missing record */
+			if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
+				{
+				unsigned short seq;
+				unsigned int frag_off;
+				unsigned char *p = &(s->d1->alert_fragment[2]);
+
+				n2s(p, seq);
+				n2l3(p, frag_off);
+
+				dtls1_retransmit_message(s, seq, frag_off, &found);
+				if ( ! found  && SSL_in_init(s))
+					{
+					/* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
+					/* requested a message not yet sent, 
+					   send an alert ourselves */
+					ssl3_send_alert(s,SSL3_AL_WARNING,
+						DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
+					}
+				}
+#endif
+			}
+		else if (alert_level == 2) /* fatal */
+			{
+			char tmp[16];
+
+			s->rwstate=SSL_NOTHING;
+			s->s3->fatal_alert = alert_descr;
+			SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
+			BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
+			ERR_add_error_data(2,"SSL alert number ",tmp);
+			s->shutdown|=SSL_RECEIVED_SHUTDOWN;
+			SSL_CTX_remove_session(s->ctx,s->session);
+			return(0);
+			}
+		else
+			{
+			al=SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
+			goto f_err;
+			}
+
+		goto start;
+		}
+
+	if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
+		{
+		s->rwstate=SSL_NOTHING;
+		rr->length=0;
+		return(0);
+		}
+
+	if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
+        {
+        struct ccs_header_st ccs_hdr;
+
+		dtls1_get_ccs_header(rr->data, &ccs_hdr);
+
+		if ( ccs_hdr.seq == s->d1->handshake_read_seq)
+			{
+			/* 'Change Cipher Spec' is just a single byte, so we know
+			 * exactly what the record payload has to look like */
+			/* XDTLS: check that epoch is consistent */
+			if (	(rr->length != DTLS1_CCS_HEADER_LENGTH) || 
+				(rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
+				{
+				i=SSL_AD_ILLEGAL_PARAMETER;
+				SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
+				goto err;
+				}
+			
+			rr->length=0;
+			
+			if (s->msg_callback)
+				s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 
+					rr->data, 1, s, s->msg_callback_arg);
+			
+			s->s3->change_cipher_spec=1;
+			if (!ssl3_do_change_cipher_spec(s))
+				goto err;
+			
+			/* do this whenever CCS is processed */
+			dtls1_reset_seq_numbers(s, SSL3_CC_READ);
+			
+			/* handshake read seq is reset upon handshake completion */
+			s->d1->handshake_read_seq++;
+			
+			goto start;
+			}
+		else
+			{
+			rr->length = 0;
+			goto start;
+			}
+		}
+
+	/* Unexpected handshake message (Client Hello, or protocol violation) */
+	if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 
+		!s->in_handshake)
+		{
+		struct hm_header_st msg_hdr;
+		
+		/* this may just be a stale retransmit */
+		dtls1_get_message_header(rr->data, &msg_hdr);
+		if( rr->epoch != s->d1->r_epoch)
+			{
+			rr->length = 0;
+			goto start;
+			}
+
+		if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
+			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
+			{
+#if 0 /* worked only because C operator preferences are not as expected (and
+       * because this is not really needed for clients except for detecting
+       * protocol violations): */
+			s->state=SSL_ST_BEFORE|(s->server)
+				?SSL_ST_ACCEPT
+				:SSL_ST_CONNECT;
+#else
+			s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
+#endif
+			s->new_session=1;
+			}
+		i=s->handshake_func(s);
+		if (i < 0) return(i);
+		if (i == 0)
+			{
+			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+			return(-1);
+			}
+
+		if (!(s->mode & SSL_MODE_AUTO_RETRY))
+			{
+			if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+				{
+				BIO *bio;
+				/* In the case where we try to read application data,
+				 * but we trigger an SSL handshake, we return -1 with
+				 * the retry option set.  Otherwise renegotiation may
+				 * cause nasty problems in the blocking world */
+				s->rwstate=SSL_READING;
+				bio=SSL_get_rbio(s);
+				BIO_clear_retry_flags(bio);
+				BIO_set_retry_read(bio);
+				return(-1);
+				}
+			}
+		goto start;
+		}
+
+	switch (rr->type)
+		{
+	default:
+#ifndef OPENSSL_NO_TLS
+		/* TLS just ignores unknown message types */
+		if (s->version == TLS1_VERSION)
+			{
+			rr->length = 0;
+			goto start;
+			}
+#endif
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+		goto f_err;
+	case SSL3_RT_CHANGE_CIPHER_SPEC:
+	case SSL3_RT_ALERT:
+	case SSL3_RT_HANDSHAKE:
+		/* we already handled all of these, with the possible exception
+		 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
+		 * should not happen when type != rr->type */
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR);
+		goto f_err;
+	case SSL3_RT_APPLICATION_DATA:
+		/* At this point, we were expecting handshake data,
+		 * but have application data.  If the library was
+		 * running inside ssl3_read() (i.e. in_read_app_data
+		 * is set) and it makes sense to read application data
+		 * at this point (session renegotiation not yet started),
+		 * we will indulge it.
+		 */
+		if (s->s3->in_read_app_data &&
+			(s->s3->total_renegotiations != 0) &&
+			((
+				(s->state & SSL_ST_CONNECT) &&
+				(s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
+				(s->state <= SSL3_ST_CR_SRVR_HELLO_A)
+				) || (
+					(s->state & SSL_ST_ACCEPT) &&
+					(s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
+					(s->state >= SSL3_ST_SR_CLNT_HELLO_A)
+					)
+				))
+			{
+			s->s3->in_read_app_data=2;
+			return(-1);
+			}
+		else
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+			goto f_err;
+			}
+		}
+	/* not reached */
+
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+err:
+	return(-1);
+	}
+
+int
+dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
+	{
+	unsigned int n,tot;
+	int i;
+
+	if (SSL_in_init(s) && !s->in_handshake)
+		{
+		i=s->handshake_func(s);
+		if (i < 0) return(i);
+		if (i == 0)
+			{
+			SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+			return -1;
+			}
+		}
+
+	tot = s->s3->wnum;
+	n = len - tot;
+
+	while( n)
+		{
+		/* dtls1_write_bytes sends one record at a time, sized according to 
+		 * the currently known MTU */
+		i = dtls1_write_bytes(s, type, buf_, len);
+		if (i <= 0) return i;
+		
+		if ((i == (int)n) ||
+			(type == SSL3_RT_APPLICATION_DATA &&
+				(s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
+			{
+			/* next chunk of data should get another prepended empty fragment
+			 * in ciphersuites with known-IV weakness: */
+			s->s3->empty_fragment_done = 0;
+			return tot+i;
+			}
+
+		tot += i;
+		n-=i;
+		}
+
+	return tot;
+	}
+
+
+	/* this only happens when a client hello is received and a handshake 
+	 * is started. */
+static int
+have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
+	int len, int peek)
+	{
+	
+	if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0))
+		/* (partially) satisfy request from storage */
+		{
+		unsigned char *src = s->d1->handshake_fragment;
+		unsigned char *dst = buf;
+		unsigned int k,n;
+		
+		/* peek == 0 */
+		n = 0;
+		while ((len > 0) && (s->d1->handshake_fragment_len > 0))
+			{
+			*dst++ = *src++;
+			len--; s->d1->handshake_fragment_len--;
+			n++;
+			}
+		/* move any remaining fragment bytes: */
+		for (k = 0; k < s->d1->handshake_fragment_len; k++)
+			s->d1->handshake_fragment[k] = *src++;
+		return n;
+		}
+	
+	return 0;
+	}
+
+
+
+
+/* Call this to write data in records of type 'type'
+ * It will return <= 0 if not all data has been sent or non-blocking IO.
+ */
+int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
+	{
+	const unsigned char *buf=buf_;
+	unsigned int tot,n,nw;
+	int i;
+	unsigned int mtu;
+
+	s->rwstate=SSL_NOTHING;
+	tot=s->s3->wnum;
+
+	n=(len-tot);
+
+	/* handshake layer figures out MTU for itself, but data records
+	 * are also sent through this interface, so need to figure out MTU */
+#if 0
+	mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL);
+	mtu += DTLS1_HM_HEADER_LENGTH;  /* HM already inserted */
+#endif
+	mtu = s->d1->mtu;
+
+	if (mtu > SSL3_RT_MAX_PLAIN_LENGTH)
+		mtu = SSL3_RT_MAX_PLAIN_LENGTH;
+
+	if (n > mtu)
+		nw=mtu;
+	else
+		nw=n;
+	
+	i=do_dtls1_write(s, type, &(buf[tot]), nw, 0);
+	if (i <= 0)
+		{
+		s->s3->wnum=tot;
+		return i;
+		}
+
+	if ( (int)s->s3->wnum + i == len)
+		s->s3->wnum = 0;
+	else 
+		s->s3->wnum += i;
+
+	return tot + i;
+	}
+
+int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
+	{
+	unsigned char *p,*pseq;
+	int i,mac_size,clear=0;
+	int prefix_len = 0;
+	SSL3_RECORD *wr;
+	SSL3_BUFFER *wb;
+	SSL_SESSION *sess;
+	int bs;
+
+	/* first check if there is a SSL3_BUFFER still being written
+	 * out.  This will happen with non blocking IO */
+	if (s->s3->wbuf.left != 0)
+		{
+		OPENSSL_assert(0); /* XDTLS:  want to see if we ever get here */
+		return(ssl3_write_pending(s,type,buf,len));
+		}
+
+	/* If we have an alert to send, lets send it */
+	if (s->s3->alert_dispatch)
+		{
+		i=s->method->ssl_dispatch_alert(s);
+		if (i <= 0)
+			return(i);
+		/* if it went, fall through and send more stuff */
+		}
+
+	if (len == 0 && !create_empty_fragment)
+		return 0;
+
+	wr= &(s->s3->wrec);
+	wb= &(s->s3->wbuf);
+	sess=s->session;
+
+	if (	(sess == NULL) ||
+		(s->enc_write_ctx == NULL) ||
+		(s->write_hash == NULL))
+		clear=1;
+
+	if (clear)
+		mac_size=0;
+	else
+		mac_size=EVP_MD_size(s->write_hash);
+
+	/* DTLS implements explicit IV, so no need for empty fragments */
+#if 0
+	/* 'create_empty_fragment' is true only when this function calls itself */
+	if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
+		&& SSL_version(s) != DTLS1_VERSION)
+		{
+		/* countermeasure against known-IV weakness in CBC ciphersuites
+		 * (see http://www.openssl.org/~bodo/tls-cbc.txt) 
+		 */
+
+		if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
+			{
+			/* recursive function call with 'create_empty_fragment' set;
+			 * this prepares and buffers the data for an empty fragment
+			 * (these 'prefix_len' bytes are sent out later
+			 * together with the actual payload) */
+			prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1);
+			if (prefix_len <= 0)
+				goto err;
+
+			if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
+				{
+				/* insufficient space */
+				SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR);
+				goto err;
+				}
+			}
+		
+		s->s3->empty_fragment_done = 1;
+		}
+#endif
+
+	p = wb->buf + prefix_len;
+
+	/* write the header */
+
+	*(p++)=type&0xff;
+	wr->type=type;
+
+	*(p++)=(s->version>>8);
+	*(p++)=s->version&0xff;
+
+	/* field where we are to write out packet epoch, seq num and len */
+	pseq=p; 
+	p+=10;
+
+	/* lets setup the record stuff. */
+
+	/* Make space for the explicit IV in case of CBC.
+	 * (this is a bit of a boundary violation, but what the heck).
+	 */
+	if ( s->enc_write_ctx && 
+		(EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE))
+		bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
+	else
+		bs = 0;
+
+	wr->data=p + bs;  /* make room for IV in case of CBC */
+	wr->length=(int)len;
+	wr->input=(unsigned char *)buf;
+
+	/* we now 'read' from wr->input, wr->length bytes into
+	 * wr->data */
+
+	/* first we compress */
+	if (s->compress != NULL)
+		{
+		if (!ssl3_do_compress(s))
+			{
+			SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE);
+			goto err;
+			}
+		}
+	else
+		{
+		memcpy(wr->data,wr->input,wr->length);
+		wr->input=wr->data;
+		}
+
+	/* we should still have the output to wr->data and the input
+	 * from wr->input.  Length should be wr->length.
+	 * wr->data still points in the wb->buf */
+
+	if (mac_size != 0)
+		{
+		s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1);
+		wr->length+=mac_size;
+		}
+
+	/* this is true regardless of mac size */
+	wr->input=p;
+	wr->data=p;
+
+
+	/* ssl3_enc can only have an error on read */
+	wr->length += bs;  /* bs != 0 in case of CBC.  The enc fn provides
+						* the randomness */ 
+	s->method->ssl3_enc->enc(s,1);
+
+	/* record length after mac and block padding */
+/*	if (type == SSL3_RT_APPLICATION_DATA ||
+	(type == SSL3_RT_ALERT && ! SSL_in_init(s))) */
+	
+	/* there's only one epoch between handshake and app data */
+	
+	s2n(s->d1->w_epoch, pseq);
+
+	/* XDTLS: ?? */
+/*	else
+	s2n(s->d1->handshake_epoch, pseq); */
+
+	memcpy(pseq, &(s->s3->write_sequence[2]), 6);
+	pseq+=6;
+	s2n(wr->length,pseq);
+
+	/* we should now have
+	 * wr->data pointing to the encrypted data, which is
+	 * wr->length long */
+	wr->type=type; /* not needed but helps for debugging */
+	wr->length+=DTLS1_RT_HEADER_LENGTH;
+
+#if 0  /* this is now done at the message layer */
+	/* buffer the record, making it easy to handle retransmits */
+	if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
+		dtls1_buffer_record(s, wr->data, wr->length, 
+			*((PQ_64BIT *)&(s->s3->write_sequence[0])));
+#endif
+
+	ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
+
+	if (create_empty_fragment)
+		{
+		/* we are in a recursive call;
+		 * just return the length, don't write out anything here
+		 */
+		return wr->length;
+		}
+
+	/* now let's set up wb */
+	wb->left = prefix_len + wr->length;
+	wb->offset = 0;
+
+	/* memorize arguments so that ssl3_write_pending can detect bad write retries later */
+	s->s3->wpend_tot=len;
+	s->s3->wpend_buf=buf;
+	s->s3->wpend_type=type;
+	s->s3->wpend_ret=len;
+
+	/* we now just need to write the buffer */
+	return ssl3_write_pending(s,type,buf,len);
+err:
+	return -1;
+	}
+
+
+
+static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
+	PQ_64BIT *seq_num)
+	{
+#if PQ_64BIT_IS_INTEGER
+	PQ_64BIT mask = 0x0000000000000001L;
+#endif
+	PQ_64BIT rcd_num, tmp;
+
+	pq_64bit_init(&rcd_num);
+	pq_64bit_init(&tmp);
+
+	/* this is the sequence number for the record just read */
+	pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
+
+	
+	if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
+		pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
+		{
+		pq_64bit_assign(seq_num, &rcd_num);
+		pq_64bit_free(&rcd_num);
+		pq_64bit_free(&tmp);
+		return 1;  /* this record is new */
+		}
+
+	pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
+
+	if ( pq_64bit_get_word(&tmp) > bitmap->length)
+		{
+		pq_64bit_free(&rcd_num);
+		pq_64bit_free(&tmp);
+		return 0;  /* stale, outside the window */
+		}
+
+#if PQ_64BIT_IS_BIGNUM
+	{
+	int offset;
+	pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
+	pq_64bit_sub_word(&tmp, 1);
+	offset = pq_64bit_get_word(&tmp);
+	if ( pq_64bit_is_bit_set(&(bitmap->map), offset))
+		{
+		pq_64bit_free(&rcd_num);
+		pq_64bit_free(&tmp);
+		return 0;
+		}
+	}
+#else
+	mask <<= (bitmap->max_seq_num - rcd_num - 1);
+	if (bitmap->map & mask)
+		return 0; /* record previously received */
+#endif
+	
+	pq_64bit_assign(seq_num, &rcd_num);
+	pq_64bit_free(&rcd_num);
+	pq_64bit_free(&tmp);
+	return 1;
+	}
+
+
+static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
+	{
+	unsigned int shift;
+	PQ_64BIT rcd_num;
+	PQ_64BIT tmp;
+	PQ_64BIT_CTX *ctx;
+
+	pq_64bit_init(&rcd_num);
+	pq_64bit_init(&tmp);
+
+	pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
+
+	/* unfortunate code complexity due to 64-bit manipulation support
+	 * on 32-bit machines */
+	if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
+		pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
+		{
+		pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num));
+		pq_64bit_add_word(&tmp, 1);
+
+		shift = (unsigned int)pq_64bit_get_word(&tmp);
+
+		pq_64bit_lshift(&(tmp), &(bitmap->map), shift);
+		pq_64bit_assign(&(bitmap->map), &tmp);
+
+		pq_64bit_set_bit(&(bitmap->map), 0);
+		pq_64bit_add_word(&rcd_num, 1);
+		pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num);
+
+		pq_64bit_assign_word(&tmp, 1);
+		pq_64bit_lshift(&tmp, &tmp, bitmap->length);
+		ctx = pq_64bit_ctx_new(&ctx);
+		pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx);
+		pq_64bit_ctx_free(ctx);
+		}
+	else
+		{
+		pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
+		pq_64bit_sub_word(&tmp, 1);
+		shift = (unsigned int)pq_64bit_get_word(&tmp);
+
+		pq_64bit_set_bit(&(bitmap->map), shift);
+		}
+
+	pq_64bit_free(&rcd_num);
+	pq_64bit_free(&tmp);
+	}
+
+
+int dtls1_dispatch_alert(SSL *s)
+	{
+	int i,j;
+	void (*cb)(const SSL *ssl,int type,int val)=NULL;
+	unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */
+	unsigned char *ptr = &buf[0];
+
+	s->s3->alert_dispatch=0;
+
+	memset(buf, 0x00, sizeof(buf));
+	*ptr++ = s->s3->send_alert[0];
+	*ptr++ = s->s3->send_alert[1];
+
+	if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
+		{	
+		s2n(s->d1->handshake_read_seq, ptr);
+#if 0
+		if ( s->d1->r_msg_hdr.frag_off == 0)  /* waiting for a new msg */
+
+		else
+			s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */
+#endif
+
+#if 0
+		fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",s->d1->handshake_read_seq,s->d1->r_msg_hdr.seq);
+#endif
+		l2n3(s->d1->r_msg_hdr.frag_off, ptr);
+		}
+
+	i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
+	if (i <= 0)
+		{
+		s->s3->alert_dispatch=1;
+		/* fprintf( stderr, "not done with alert\n" ); */
+		}
+	else
+		{
+		if ( s->s3->send_alert[0] == SSL3_AL_FATAL ||
+			s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
+			(void)BIO_flush(s->wbio);
+
+		if (s->msg_callback)
+			s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 
+				2, s, s->msg_callback_arg);
+
+		if (s->info_callback != NULL)
+			cb=s->info_callback;
+		else if (s->ctx->info_callback != NULL)
+			cb=s->ctx->info_callback;
+
+		if (cb != NULL)
+			{
+			j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
+			cb(s,SSL_CB_WRITE_ALERT,j);
+			}
+		}
+	return(i);
+	}
+
+
+static DTLS1_BITMAP *
+dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)
+    {
+    
+    *is_next_epoch = 0;
+
+    /* In current epoch, accept HM, CCS, DATA, & ALERT */
+    if (rr->epoch == s->d1->r_epoch)
+        return &s->d1->bitmap;
+
+    /* Only HM and ALERT messages can be from the next epoch */
+    else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
+        (rr->type == SSL3_RT_HANDSHAKE ||
+            rr->type == SSL3_RT_ALERT))
+        {
+        *is_next_epoch = 1;
+        return &s->d1->next_bitmap;
+        }
+
+    return NULL;
+    }
+
+#if 0
+static int
+dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority,
+	unsigned long *offset)
+	{
+
+	/* alerts are passed up immediately */
+	if ( rr->type == SSL3_RT_APPLICATION_DATA ||
+		rr->type == SSL3_RT_ALERT)
+		return 0;
+
+	/* Only need to buffer if a handshake is underway.
+	 * (this implies that Hello Request and Client Hello are passed up
+	 * immediately) */
+	if ( SSL_in_init(s))
+		{
+		unsigned char *data = rr->data;
+		/* need to extract the HM/CCS sequence number here */
+		if ( rr->type == SSL3_RT_HANDSHAKE ||
+			rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
+			{
+			unsigned short seq_num;
+			struct hm_header_st msg_hdr;
+			struct ccs_header_st ccs_hdr;
+
+			if ( rr->type == SSL3_RT_HANDSHAKE)
+				{
+				dtls1_get_message_header(data, &msg_hdr);
+				seq_num = msg_hdr.seq;
+				*offset = msg_hdr.frag_off;
+				}
+			else
+				{
+				dtls1_get_ccs_header(data, &ccs_hdr);
+				seq_num = ccs_hdr.seq;
+				*offset = 0;
+				}
+				
+			/* this is either a record we're waiting for, or a
+			 * retransmit of something we happened to previously 
+			 * receive (higher layers will drop the repeat silently */
+			if ( seq_num < s->d1->handshake_read_seq)
+				return 0;
+			if (rr->type == SSL3_RT_HANDSHAKE && 
+				seq_num == s->d1->handshake_read_seq &&
+				msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off)
+				return 0;
+			else if ( seq_num == s->d1->handshake_read_seq &&
+				(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC ||
+					msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off))
+				return 0;
+			else
+				{
+				*priority = seq_num;
+				return 1;
+				}
+			}
+		else /* unknown record type */
+			return 0;
+		}
+
+	return 0;
+	}
+#endif
+
+void
+dtls1_reset_seq_numbers(SSL *s, int rw)
+	{
+	unsigned char *seq;
+	unsigned int seq_bytes = sizeof(s->s3->read_sequence);
+
+	if ( rw & SSL3_CC_READ)
+		{
+		seq = s->s3->read_sequence;
+		s->d1->r_epoch++;
+
+		pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map));
+		s->d1->bitmap.length = s->d1->next_bitmap.length;
+		pq_64bit_assign(&(s->d1->bitmap.max_seq_num), 
+			&(s->d1->next_bitmap.max_seq_num));
+
+		pq_64bit_free(&(s->d1->next_bitmap.map));
+		pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
+		memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
+		pq_64bit_init(&(s->d1->next_bitmap.map));
+		pq_64bit_init(&(s->d1->next_bitmap.max_seq_num));
+		}
+	else
+		{
+		seq = s->s3->write_sequence;
+		s->d1->w_epoch++;
+		}
+
+	memset(seq, 0x00, seq_bytes);
+	}
+
+#if PQ_64BIT_IS_INTEGER
+static PQ_64BIT
+bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num)
+       {
+       PQ_64BIT _num;
+
+       _num = (((PQ_64BIT)bytes[0]) << 56) |
+               (((PQ_64BIT)bytes[1]) << 48) |
+               (((PQ_64BIT)bytes[2]) << 40) |
+               (((PQ_64BIT)bytes[3]) << 32) |
+               (((PQ_64BIT)bytes[4]) << 24) |
+               (((PQ_64BIT)bytes[5]) << 16) |
+               (((PQ_64BIT)bytes[6]) <<  8) |
+               (((PQ_64BIT)bytes[7])      );
+
+	   *num = _num ;
+       return _num;
+       }
+#endif
+
+
+static void
+dtls1_clear_timeouts(SSL *s)
+	{
+	memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st));
+	}
diff --git a/crypto/openssl/ssl/d1_srvr.c b/crypto/openssl/ssl/d1_srvr.c
new file mode 100644
index 000000000000..475e6095fd80
--- /dev/null
+++ b/crypto/openssl/ssl/d1_srvr.c
@@ -0,0 +1,1130 @@
+/* ssl/d1_srvr.c */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "ssl_locl.h"
+#include <openssl/buffer.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/md5.h>
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+
+static SSL_METHOD *dtls1_get_server_method(int ver);
+static int dtls1_send_hello_verify_request(SSL *s);
+
+static SSL_METHOD *dtls1_get_server_method(int ver)
+	{
+	if (ver == DTLS1_VERSION)
+		return(DTLSv1_server_method());
+	else
+		return(NULL);
+	}
+
+IMPLEMENT_dtls1_meth_func(DTLSv1_server_method,
+			dtls1_accept,
+			ssl_undefined_function,
+			dtls1_get_server_method)
+
+int dtls1_accept(SSL *s)
+	{
+	BUF_MEM *buf;
+	unsigned long l,Time=(unsigned long)time(NULL);
+	void (*cb)(const SSL *ssl,int type,int val)=NULL;
+	long num1;
+	int ret= -1;
+	int new_state,state,skip=0;
+
+	RAND_add(&Time,sizeof(Time),0);
+	ERR_clear_error();
+	clear_sys_error();
+
+	if (s->info_callback != NULL)
+		cb=s->info_callback;
+	else if (s->ctx->info_callback != NULL)
+		cb=s->ctx->info_callback;
+
+	/* init things to blank */
+	s->in_handshake++;
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
+
+	if (s->cert == NULL)
+		{
+		SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
+		return(-1);
+		}
+
+	for (;;)
+		{
+		state=s->state;
+
+		switch (s->state)
+			{
+		case SSL_ST_RENEGOTIATE:
+			s->new_session=1;
+			/* s->state=SSL_ST_ACCEPT; */
+
+		case SSL_ST_BEFORE:
+		case SSL_ST_ACCEPT:
+		case SSL_ST_BEFORE|SSL_ST_ACCEPT:
+		case SSL_ST_OK|SSL_ST_ACCEPT:
+
+			s->server=1;
+			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
+
+			if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00))
+				{
+				SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
+				return -1;
+				}
+			s->type=SSL_ST_ACCEPT;
+
+			if (s->init_buf == NULL)
+				{
+				if ((buf=BUF_MEM_new()) == NULL)
+					{
+					ret= -1;
+					goto end;
+					}
+				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
+					{
+					ret= -1;
+					goto end;
+					}
+				s->init_buf=buf;
+				}
+
+			if (!ssl3_setup_buffers(s))
+				{
+				ret= -1;
+				goto end;
+				}
+
+			s->init_num=0;
+
+			if (s->state != SSL_ST_RENEGOTIATE)
+				{
+				/* Ok, we now need to push on a buffering BIO so that
+				 * the output is sent in a way that TCP likes :-)
+				 */
+				if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
+
+				ssl3_init_finished_mac(s);
+				s->state=SSL3_ST_SR_CLNT_HELLO_A;
+				s->ctx->stats.sess_accept++;
+				}
+			else
+				{
+				/* s->state == SSL_ST_RENEGOTIATE,
+				 * we will just send a HelloRequest */
+				s->ctx->stats.sess_accept_renegotiate++;
+				s->state=SSL3_ST_SW_HELLO_REQ_A;
+				}
+
+            if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
+                s->d1->send_cookie = 1;
+            else
+                s->d1->send_cookie = 0;
+
+			break;
+
+		case SSL3_ST_SW_HELLO_REQ_A:
+		case SSL3_ST_SW_HELLO_REQ_B:
+
+			s->shutdown=0;
+			ret=dtls1_send_hello_request(s);
+			if (ret <= 0) goto end;
+			s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
+			s->state=SSL3_ST_SW_FLUSH;
+			s->init_num=0;
+
+			ssl3_init_finished_mac(s);
+			break;
+
+		case SSL3_ST_SW_HELLO_REQ_C:
+			s->state=SSL_ST_OK;
+			break;
+
+		case SSL3_ST_SR_CLNT_HELLO_A:
+		case SSL3_ST_SR_CLNT_HELLO_B:
+		case SSL3_ST_SR_CLNT_HELLO_C:
+
+			s->shutdown=0;
+			ret=ssl3_get_client_hello(s);
+			if (ret <= 0) goto end;
+			s->new_session = 2;
+
+			if ( s->d1->send_cookie)
+				s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
+			else
+				s->state = SSL3_ST_SW_SRVR_HELLO_A;
+
+			s->init_num=0;
+			break;
+			
+		case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
+		case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
+
+			ret = dtls1_send_hello_verify_request(s);
+			if ( ret <= 0) goto end;
+			s->d1->send_cookie = 0;
+			s->state=SSL3_ST_SW_FLUSH;
+			s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
+			break;
+			
+		case SSL3_ST_SW_SRVR_HELLO_A:
+		case SSL3_ST_SW_SRVR_HELLO_B:
+			ret=dtls1_send_server_hello(s);
+			if (ret <= 0) goto end;
+
+			if (s->hit)
+				s->state=SSL3_ST_SW_CHANGE_A;
+			else
+				s->state=SSL3_ST_SW_CERT_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_SW_CERT_A:
+		case SSL3_ST_SW_CERT_B:
+			/* Check if it is anon DH */
+			if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
+				{
+				ret=dtls1_send_server_certificate(s);
+				if (ret <= 0) goto end;
+				}
+			else
+				skip=1;
+			s->state=SSL3_ST_SW_KEY_EXCH_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_SW_KEY_EXCH_A:
+		case SSL3_ST_SW_KEY_EXCH_B:
+			l=s->s3->tmp.new_cipher->algorithms;
+
+			/* clear this, it may get reset by
+			 * send_server_key_exchange */
+			if ((s->options & SSL_OP_EPHEMERAL_RSA)
+#ifndef OPENSSL_NO_KRB5
+				&& !(l & SSL_KRB5)
+#endif /* OPENSSL_NO_KRB5 */
+				)
+				/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
+				 * even when forbidden by protocol specs
+				 * (handshake may fail as clients are not required to
+				 * be able to handle this) */
+				s->s3->tmp.use_rsa_tmp=1;
+			else
+				s->s3->tmp.use_rsa_tmp=0;
+
+			/* only send if a DH key exchange, fortezza or
+			 * RSA but we have a sign only certificate */
+			if (s->s3->tmp.use_rsa_tmp
+			    || (l & (SSL_DH|SSL_kFZA))
+			    || ((l & SSL_kRSA)
+				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
+				    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
+					&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
+					)
+				    )
+				)
+			    )
+				{
+				ret=dtls1_send_server_key_exchange(s);
+				if (ret <= 0) goto end;
+				}
+			else
+				skip=1;
+
+			s->state=SSL3_ST_SW_CERT_REQ_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_SW_CERT_REQ_A:
+		case SSL3_ST_SW_CERT_REQ_B:
+			if (/* don't request cert unless asked for it: */
+				!(s->verify_mode & SSL_VERIFY_PEER) ||
+				/* if SSL_VERIFY_CLIENT_ONCE is set,
+				 * don't request cert during re-negotiation: */
+				((s->session->peer != NULL) &&
+				 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
+				/* never request cert in anonymous ciphersuites
+				 * (see section "Certificate request" in SSL 3 drafts
+				 * and in RFC 2246): */
+				((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
+				 /* ... except when the application insists on verification
+				  * (against the specs, but s3_clnt.c accepts this for SSL 3) */
+				 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
+                                 /* never request cert in Kerberos ciphersuites */
+                                (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
+				{
+				/* no cert request */
+				skip=1;
+				s->s3->tmp.cert_request=0;
+				s->state=SSL3_ST_SW_SRVR_DONE_A;
+				}
+			else
+				{
+				s->s3->tmp.cert_request=1;
+				ret=dtls1_send_certificate_request(s);
+				if (ret <= 0) goto end;
+#ifndef NETSCAPE_HANG_BUG
+				s->state=SSL3_ST_SW_SRVR_DONE_A;
+#else
+				s->state=SSL3_ST_SW_FLUSH;
+				s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
+#endif
+				s->init_num=0;
+				}
+			break;
+
+		case SSL3_ST_SW_SRVR_DONE_A:
+		case SSL3_ST_SW_SRVR_DONE_B:
+			ret=dtls1_send_server_done(s);
+			if (ret <= 0) goto end;
+			s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
+			s->state=SSL3_ST_SW_FLUSH;
+			s->init_num=0;
+			break;
+		
+		case SSL3_ST_SW_FLUSH:
+			/* number of bytes to be flushed */
+			num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
+			if (num1 > 0)
+				{
+				s->rwstate=SSL_WRITING;
+				num1=BIO_flush(s->wbio);
+				if (num1 <= 0) { ret= -1; goto end; }
+				s->rwstate=SSL_NOTHING;
+				}
+
+			s->state=s->s3->tmp.next_state;
+			break;
+
+		case SSL3_ST_SR_CERT_A:
+		case SSL3_ST_SR_CERT_B:
+			/* Check for second client hello (MS SGC) */
+			ret = ssl3_check_client_hello(s);
+			if (ret <= 0)
+				goto end;
+			if (ret == 2)
+				s->state = SSL3_ST_SR_CLNT_HELLO_C;
+			else {
+				/* could be sent for a DH cert, even if we
+				 * have not asked for it :-) */
+				ret=ssl3_get_client_certificate(s);
+				if (ret <= 0) goto end;
+				s->init_num=0;
+				s->state=SSL3_ST_SR_KEY_EXCH_A;
+			}
+			break;
+
+		case SSL3_ST_SR_KEY_EXCH_A:
+		case SSL3_ST_SR_KEY_EXCH_B:
+			ret=ssl3_get_client_key_exchange(s);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_SR_CERT_VRFY_A;
+			s->init_num=0;
+
+			/* We need to get hashes here so if there is
+			 * a client cert, it can be verified */ 
+			s->method->ssl3_enc->cert_verify_mac(s,
+				&(s->s3->finish_dgst1),
+				&(s->s3->tmp.cert_verify_md[0]));
+			s->method->ssl3_enc->cert_verify_mac(s,
+				&(s->s3->finish_dgst2),
+				&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
+
+			break;
+
+		case SSL3_ST_SR_CERT_VRFY_A:
+		case SSL3_ST_SR_CERT_VRFY_B:
+
+			/* we should decide if we expected this one */
+			ret=ssl3_get_cert_verify(s);
+			if (ret <= 0) goto end;
+
+			s->state=SSL3_ST_SR_FINISHED_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_SR_FINISHED_A:
+		case SSL3_ST_SR_FINISHED_B:
+			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
+				SSL3_ST_SR_FINISHED_B);
+			if (ret <= 0) goto end;
+			if (s->hit)
+				s->state=SSL_ST_OK;
+			else
+				s->state=SSL3_ST_SW_CHANGE_A;
+			s->init_num=0;
+			break;
+
+		case SSL3_ST_SW_CHANGE_A:
+		case SSL3_ST_SW_CHANGE_B:
+
+			s->session->cipher=s->s3->tmp.new_cipher;
+			if (!s->method->ssl3_enc->setup_key_block(s))
+				{ ret= -1; goto end; }
+
+			ret=dtls1_send_change_cipher_spec(s,
+				SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
+
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_SW_FINISHED_A;
+			s->init_num=0;
+
+			if (!s->method->ssl3_enc->change_cipher_state(s,
+				SSL3_CHANGE_CIPHER_SERVER_WRITE))
+				{
+				ret= -1;
+				goto end;
+				}
+
+			dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
+			break;
+
+		case SSL3_ST_SW_FINISHED_A:
+		case SSL3_ST_SW_FINISHED_B:
+			ret=dtls1_send_finished(s,
+				SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
+				s->method->ssl3_enc->server_finished_label,
+				s->method->ssl3_enc->server_finished_label_len);
+			if (ret <= 0) goto end;
+			s->state=SSL3_ST_SW_FLUSH;
+			if (s->hit)
+				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+			else
+				s->s3->tmp.next_state=SSL_ST_OK;
+			s->init_num=0;
+			break;
+
+		case SSL_ST_OK:
+			/* clean a few things up */
+			ssl3_cleanup_key_block(s);
+
+#if 0
+			BUF_MEM_free(s->init_buf);
+			s->init_buf=NULL;
+#endif
+
+			/* remove buffering on output */
+			ssl_free_wbio_buffer(s);
+
+			s->init_num=0;
+
+			if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
+				{
+				/* actually not necessarily a 'new' session unless
+				 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
+				
+				s->new_session=0;
+				
+				ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
+				
+				s->ctx->stats.sess_accept_good++;
+				/* s->server=1; */
+				s->handshake_func=dtls1_accept;
+
+				if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
+				}
+			
+			ret = 1;
+
+			/* done handshaking, next message is client hello */
+			s->d1->handshake_read_seq = 0;
+			/* next message is server hello */
+			s->d1->handshake_write_seq = 0;
+			goto end;
+			/* break; */
+
+		default:
+			SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE);
+			ret= -1;
+			goto end;
+			/* break; */
+			}
+		
+		if (!s->s3->tmp.reuse_message && !skip)
+			{
+			if (s->debug)
+				{
+				if ((ret=BIO_flush(s->wbio)) <= 0)
+					goto end;
+				}
+
+
+			if ((cb != NULL) && (s->state != state))
+				{
+				new_state=s->state;
+				s->state=state;
+				cb(s,SSL_CB_ACCEPT_LOOP,1);
+				s->state=new_state;
+				}
+			}
+		skip=0;
+		}
+end:
+	/* BIO_flush(s->wbio); */
+
+	s->in_handshake--;
+	if (cb != NULL)
+		cb(s,SSL_CB_ACCEPT_EXIT,ret);
+	return(ret);
+	}
+
+int dtls1_send_hello_request(SSL *s)
+	{
+	unsigned char *p;
+
+	if (s->state == SSL3_ST_SW_HELLO_REQ_A)
+		{
+		p=(unsigned char *)s->init_buf->data;
+		p = dtls1_set_message_header(s, p, SSL3_MT_HELLO_REQUEST, 0, 0, 0);
+
+		s->state=SSL3_ST_SW_HELLO_REQ_B;
+		/* number of bytes to write */
+		s->init_num=DTLS1_HM_HEADER_LENGTH;
+		s->init_off=0;
+
+		/* no need to buffer this message, since there are no retransmit 
+		 * requests for it */
+		}
+
+	/* SSL3_ST_SW_HELLO_REQ_B */
+	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+	}
+
+int dtls1_send_hello_verify_request(SSL *s)
+	{
+	unsigned int msg_len;
+	unsigned char *msg, *buf, *p;
+
+	if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
+		{
+		buf = (unsigned char *)s->init_buf->data;
+
+		msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
+		*(p++) = s->version >> 8;
+		*(p++) = s->version & 0xFF;
+
+		*(p++) = (unsigned char) s->d1->cookie_len;
+        if ( s->ctx->app_gen_cookie_cb != NULL &&
+            s->ctx->app_gen_cookie_cb(s, s->d1->cookie, 
+                &(s->d1->cookie_len)) == 0)
+            {
+			SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
+            return 0;
+            }
+        /* else the cookie is assumed to have 
+         * been initialized by the application */
+
+		memcpy(p, s->d1->cookie, s->d1->cookie_len);
+		p += s->d1->cookie_len;
+		msg_len = p - msg;
+
+		dtls1_set_message_header(s, buf,
+			DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len);
+
+		s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
+		/* number of bytes to write */
+		s->init_num=p-buf;
+		s->init_off=0;
+
+		/* buffer the message to handle re-xmits */
+		dtls1_buffer_message(s, 0);
+		}
+
+	/* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
+	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+	}
+
+int dtls1_send_server_hello(SSL *s)
+	{
+	unsigned char *buf;
+	unsigned char *p,*d;
+	int i;
+	unsigned int sl;
+	unsigned long l,Time;
+
+	if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
+		{
+		buf=(unsigned char *)s->init_buf->data;
+		p=s->s3->server_random;
+		Time=(unsigned long)time(NULL);			/* Time */
+		l2n(Time,p);
+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+		/* Do the message type and length last */
+		d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
+
+		*(p++)=s->version>>8;
+		*(p++)=s->version&0xff;
+
+		/* Random stuff */
+		memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
+		p+=SSL3_RANDOM_SIZE;
+
+		/* now in theory we have 3 options to sending back the
+		 * session id.  If it is a re-use, we send back the
+		 * old session-id, if it is a new session, we send
+		 * back the new session-id or we send back a 0 length
+		 * session-id if we want it to be single use.
+		 * Currently I will not implement the '0' length session-id
+		 * 12-Jan-98 - I'll now support the '0' length stuff.
+		 */
+		if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
+			s->session->session_id_length=0;
+
+		sl=s->session->session_id_length;
+		if (sl > sizeof s->session->session_id)
+			{
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
+			return -1;
+			}
+		*(p++)=sl;
+		memcpy(p,s->session->session_id,sl);
+		p+=sl;
+
+		/* put the cipher */
+		i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
+		p+=i;
+
+		/* put the compression method */
+#ifdef OPENSSL_NO_COMP
+		*(p++)=0;
+#else
+		if (s->s3->tmp.new_compression == NULL)
+			*(p++)=0;
+		else
+			*(p++)=s->s3->tmp.new_compression->id;
+#endif
+
+		/* do the header */
+		l=(p-d);
+		d=buf;
+
+		d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
+
+		s->state=SSL3_ST_CW_CLNT_HELLO_B;
+		/* number of bytes to write */
+		s->init_num=p-buf;
+		s->init_off=0;
+
+		/* buffer the message to handle re-xmits */
+		dtls1_buffer_message(s, 0);
+		}
+
+	/* SSL3_ST_CW_CLNT_HELLO_B */
+	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+	}
+
+int dtls1_send_server_done(SSL *s)
+	{
+	unsigned char *p;
+
+	if (s->state == SSL3_ST_SW_SRVR_DONE_A)
+		{
+		p=(unsigned char *)s->init_buf->data;
+
+		/* do the header */
+		p = dtls1_set_message_header(s, p, SSL3_MT_SERVER_DONE, 0, 0, 0);
+
+		s->state=SSL3_ST_SW_SRVR_DONE_B;
+		/* number of bytes to write */
+		s->init_num=DTLS1_HM_HEADER_LENGTH;
+		s->init_off=0;
+
+		/* buffer the message to handle re-xmits */
+		dtls1_buffer_message(s, 0);
+		}
+
+	/* SSL3_ST_CW_CLNT_HELLO_B */
+	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+	}
+
+int dtls1_send_server_key_exchange(SSL *s)
+	{
+#ifndef OPENSSL_NO_RSA
+	unsigned char *q;
+	int j,num;
+	RSA *rsa;
+	unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
+	unsigned int u;
+#endif
+#ifndef OPENSSL_NO_DH
+	DH *dh=NULL,*dhp;
+#endif
+	EVP_PKEY *pkey;
+	unsigned char *p,*d;
+	int al,i;
+	unsigned long type;
+	int n;
+	CERT *cert;
+	BIGNUM *r[4];
+	int nr[4],kn;
+	BUF_MEM *buf;
+	EVP_MD_CTX md_ctx;
+
+	EVP_MD_CTX_init(&md_ctx);
+	if (s->state == SSL3_ST_SW_KEY_EXCH_A)
+		{
+		type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
+		cert=s->cert;
+
+		buf=s->init_buf;
+
+		r[0]=r[1]=r[2]=r[3]=NULL;
+		n=0;
+#ifndef OPENSSL_NO_RSA
+		if (type & SSL_kRSA)
+			{
+			rsa=cert->rsa_tmp;
+			if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
+				{
+				rsa=s->cert->rsa_tmp_cb(s,
+				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
+				if(rsa == NULL)
+				{
+					al=SSL_AD_HANDSHAKE_FAILURE;
+					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
+					goto f_err;
+				}
+				RSA_up_ref(rsa);
+				cert->rsa_tmp=rsa;
+				}
+			if (rsa == NULL)
+				{
+				al=SSL_AD_HANDSHAKE_FAILURE;
+				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
+				goto f_err;
+				}
+			r[0]=rsa->n;
+			r[1]=rsa->e;
+			s->s3->tmp.use_rsa_tmp=1;
+			}
+		else
+#endif
+#ifndef OPENSSL_NO_DH
+			if (type & SSL_kEDH)
+			{
+			dhp=cert->dh_tmp;
+			if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
+				dhp=s->cert->dh_tmp_cb(s,
+				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
+			if (dhp == NULL)
+				{
+				al=SSL_AD_HANDSHAKE_FAILURE;
+				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
+				goto f_err;
+				}
+
+			if (s->s3->tmp.dh != NULL)
+				{
+				DH_free(dh);
+				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+				goto err;
+				}
+
+			if ((dh=DHparams_dup(dhp)) == NULL)
+				{
+				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
+				goto err;
+				}
+
+			s->s3->tmp.dh=dh;
+			if ((dhp->pub_key == NULL ||
+			     dhp->priv_key == NULL ||
+			     (s->options & SSL_OP_SINGLE_DH_USE)))
+				{
+				if(!DH_generate_key(dh))
+				    {
+				    SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
+					   ERR_R_DH_LIB);
+				    goto err;
+				    }
+				}
+			else
+				{
+				dh->pub_key=BN_dup(dhp->pub_key);
+				dh->priv_key=BN_dup(dhp->priv_key);
+				if ((dh->pub_key == NULL) ||
+					(dh->priv_key == NULL))
+					{
+					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
+					goto err;
+					}
+				}
+			r[0]=dh->p;
+			r[1]=dh->g;
+			r[2]=dh->pub_key;
+			}
+		else 
+#endif
+			{
+			al=SSL_AD_HANDSHAKE_FAILURE;
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
+			goto f_err;
+			}
+		for (i=0; r[i] != NULL; i++)
+			{
+			nr[i]=BN_num_bytes(r[i]);
+			n+=2+nr[i];
+			}
+
+		if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
+			{
+			if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
+				== NULL)
+				{
+				al=SSL_AD_DECODE_ERROR;
+				goto f_err;
+				}
+			kn=EVP_PKEY_size(pkey);
+			}
+		else
+			{
+			pkey=NULL;
+			kn=0;
+			}
+
+		if (!BUF_MEM_grow_clean(buf,n+DTLS1_HM_HEADER_LENGTH+kn))
+			{
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
+			goto err;
+			}
+		d=(unsigned char *)s->init_buf->data;
+		p= &(d[DTLS1_HM_HEADER_LENGTH]);
+
+		for (i=0; r[i] != NULL; i++)
+			{
+			s2n(nr[i],p);
+			BN_bn2bin(r[i],p);
+			p+=nr[i];
+			}
+
+		/* not anonymous */
+		if (pkey != NULL)
+			{
+			/* n is the length of the params, they start at
+			 * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space
+			 * at the end. */
+#ifndef OPENSSL_NO_RSA
+			if (pkey->type == EVP_PKEY_RSA)
+				{
+				q=md_buf;
+				j=0;
+				for (num=2; num > 0; num--)
+					{
+					EVP_DigestInit_ex(&md_ctx,(num == 2)
+						?s->ctx->md5:s->ctx->sha1, NULL);
+					EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+					EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
+					EVP_DigestUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
+					EVP_DigestFinal_ex(&md_ctx,q,
+						(unsigned int *)&i);
+					q+=i;
+					j+=i;
+					}
+				if (RSA_sign(NID_md5_sha1, md_buf, j,
+					&(p[2]), &u, pkey->pkey.rsa) <= 0)
+					{
+					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
+					goto err;
+					}
+				s2n(u,p);
+				n+=u+2;
+				}
+			else
+#endif
+#if !defined(OPENSSL_NO_DSA)
+				if (pkey->type == EVP_PKEY_DSA)
+				{
+				/* lets do DSS */
+				EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
+				EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+				EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
+				EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
+				if (!EVP_SignFinal(&md_ctx,&(p[2]),
+					(unsigned int *)&i,pkey))
+					{
+					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
+					goto err;
+					}
+				s2n(i,p);
+				n+=i+2;
+				}
+			else
+#endif
+				{
+				/* Is this error check actually needed? */
+				al=SSL_AD_HANDSHAKE_FAILURE;
+				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
+				goto f_err;
+				}
+			}
+
+		d = dtls1_set_message_header(s, d,
+			SSL3_MT_SERVER_KEY_EXCHANGE, n, 0, n);
+
+		/* we should now have things packed up, so lets send
+		 * it off */
+		s->init_num=n+DTLS1_HM_HEADER_LENGTH;
+		s->init_off=0;
+
+		/* buffer the message to handle re-xmits */
+		dtls1_buffer_message(s, 0);
+		}
+
+	s->state = SSL3_ST_SW_KEY_EXCH_B;
+	EVP_MD_CTX_cleanup(&md_ctx);
+	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+err:
+	EVP_MD_CTX_cleanup(&md_ctx);
+	return(-1);
+	}
+
+int dtls1_send_certificate_request(SSL *s)
+	{
+	unsigned char *p,*d;
+	int i,j,nl,off,n;
+	STACK_OF(X509_NAME) *sk=NULL;
+	X509_NAME *name;
+	BUF_MEM *buf;
+
+	if (s->state == SSL3_ST_SW_CERT_REQ_A)
+		{
+		buf=s->init_buf;
+
+		d=p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
+
+		/* get the list of acceptable cert types */
+		p++;
+		n=ssl3_get_req_cert_type(s,p);
+		d[0]=n;
+		p+=n;
+		n++;
+
+		off=n;
+		p+=2;
+		n+=2;
+
+		sk=SSL_get_client_CA_list(s);
+		nl=0;
+		if (sk != NULL)
+			{
+			for (i=0; i<sk_X509_NAME_num(sk); i++)
+				{
+				name=sk_X509_NAME_value(sk,i);
+				j=i2d_X509_NAME(name,NULL);
+				if (!BUF_MEM_grow_clean(buf,DTLS1_HM_HEADER_LENGTH+n+j+2))
+					{
+					SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
+					goto err;
+					}
+				p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+n]);
+				if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
+					{
+					s2n(j,p);
+					i2d_X509_NAME(name,&p);
+					n+=2+j;
+					nl+=2+j;
+					}
+				else
+					{
+					d=p;
+					i2d_X509_NAME(name,&p);
+					j-=2; s2n(j,d); j+=2;
+					n+=j;
+					nl+=j;
+					}
+				}
+			}
+		/* else no CA names */
+		p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+off]);
+		s2n(nl,p);
+
+		d=(unsigned char *)buf->data;
+		*(d++)=SSL3_MT_CERTIFICATE_REQUEST;
+		l2n3(n,d);
+		s2n(s->d1->handshake_write_seq,d);
+		s->d1->handshake_write_seq++;
+
+		/* we should now have things packed up, so lets send
+		 * it off */
+
+		s->init_num=n+DTLS1_HM_HEADER_LENGTH;
+		s->init_off=0;
+#ifdef NETSCAPE_HANG_BUG
+/* XXX: what to do about this? */
+		p=(unsigned char *)s->init_buf->data + s->init_num;
+
+		/* do the header */
+		*(p++)=SSL3_MT_SERVER_DONE;
+		*(p++)=0;
+		*(p++)=0;
+		*(p++)=0;
+		s->init_num += 4;
+#endif
+
+		/* XDTLS:  set message header ? */
+		/* buffer the message to handle re-xmits */
+		dtls1_buffer_message(s, 0);
+
+		s->state = SSL3_ST_SW_CERT_REQ_B;
+		}
+
+	/* SSL3_ST_SW_CERT_REQ_B */
+	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+err:
+	return(-1);
+	}
+
+int dtls1_send_server_certificate(SSL *s)
+	{
+	unsigned long l;
+	X509 *x;
+
+	if (s->state == SSL3_ST_SW_CERT_A)
+		{
+		x=ssl_get_server_send_cert(s);
+		if (x == NULL &&
+                        /* VRS: allow null cert if auth == KRB5 */
+                        (s->s3->tmp.new_cipher->algorithms
+                                & (SSL_MKEY_MASK|SSL_AUTH_MASK))
+                        != (SSL_aKRB5|SSL_kKRB5))
+			{
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
+			return(0);
+			}
+
+		l=dtls1_output_cert_chain(s,x);
+		s->state=SSL3_ST_SW_CERT_B;
+		s->init_num=(int)l;
+		s->init_off=0;
+
+		/* buffer the message to handle re-xmits */
+		dtls1_buffer_message(s, 0);
+		}
+
+	/* SSL3_ST_SW_CERT_B */
+	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+	}
diff --git a/crypto/openssl/ssl/dtls1.h b/crypto/openssl/ssl/dtls1.h
new file mode 100644
index 000000000000..b377cc5f6b2d
--- /dev/null
+++ b/crypto/openssl/ssl/dtls1.h
@@ -0,0 +1,212 @@
+/* ssl/dtls1.h */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_DTLS1_H 
+#define HEADER_DTLS1_H 
+
+#include <openssl/buffer.h>
+#include <openssl/pqueue.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#define DTLS1_VERSION			0x0100
+#define DTLS1_VERSION_MAJOR		0x01
+#define DTLS1_VERSION_MINOR		0x00
+
+#define DTLS1_AD_MISSING_HANDSHAKE_MESSAGE    110
+
+/* lengths of messages */
+#define DTLS1_COOKIE_LENGTH                     32
+
+#define DTLS1_RT_HEADER_LENGTH                  13
+
+#define DTLS1_HM_HEADER_LENGTH                  12
+
+#define DTLS1_HM_BAD_FRAGMENT                   -2
+#define DTLS1_HM_FRAGMENT_RETRY                 -3
+
+#define DTLS1_CCS_HEADER_LENGTH                  3
+
+#define DTLS1_AL_HEADER_LENGTH                   7
+
+
+typedef struct dtls1_bitmap_st
+	{
+	PQ_64BIT map;
+	unsigned long length;     /* sizeof the bitmap in bits */
+	PQ_64BIT max_seq_num;  /* max record number seen so far */
+	} DTLS1_BITMAP;
+
+struct hm_header_st
+	{
+	unsigned char type;
+	unsigned long msg_len;
+	unsigned short seq;
+	unsigned long frag_off;
+	unsigned long frag_len;
+	unsigned int is_ccs;
+	};
+
+struct ccs_header_st
+	{
+	unsigned char type;
+	unsigned short seq;
+	};
+
+struct dtls1_timeout_st
+	{
+	/* Number of read timeouts so far */
+	unsigned int read_timeouts;
+	
+	/* Number of write timeouts so far */
+	unsigned int write_timeouts;
+	
+	/* Number of alerts received so far */
+	unsigned int num_alerts;
+	};
+
+typedef struct record_pqueue_st
+	{
+	unsigned short epoch;
+	pqueue q;
+	} record_pqueue;
+
+typedef struct hm_fragment_st
+	{
+	struct hm_header_st msg_header;
+	unsigned char *fragment;
+	} hm_fragment;
+
+typedef struct dtls1_state_st
+	{
+	unsigned int send_cookie;
+	unsigned char cookie[DTLS1_COOKIE_LENGTH];
+	unsigned char rcvd_cookie[DTLS1_COOKIE_LENGTH];
+	unsigned int cookie_len;
+
+	/* 
+	 * The current data and handshake epoch.  This is initially
+	 * undefined, and starts at zero once the initial handshake is
+	 * completed 
+	 */
+	unsigned short r_epoch;
+	unsigned short w_epoch;
+
+	/* records being received in the current epoch */
+	DTLS1_BITMAP bitmap;
+
+	/* renegotiation starts a new set of sequence numbers */
+	DTLS1_BITMAP next_bitmap;
+
+	/* handshake message numbers */
+	unsigned short handshake_write_seq;
+	unsigned short next_handshake_write_seq;
+
+	unsigned short handshake_read_seq;
+
+	/* Received handshake records (processed and unprocessed) */
+	record_pqueue unprocessed_rcds;
+	record_pqueue processed_rcds;
+
+	/* Buffered handshake messages */
+	pqueue buffered_messages;
+
+	/* Buffered (sent) handshake records */
+	pqueue sent_messages;
+
+	unsigned int mtu; /* max wire packet size */
+
+	struct hm_header_st w_msg_hdr;
+	struct hm_header_st r_msg_hdr;
+
+	struct dtls1_timeout_st timeout;
+	
+	/* storage for Alert/Handshake protocol data received but not
+	 * yet processed by ssl3_read_bytes: */
+	unsigned char alert_fragment[DTLS1_AL_HEADER_LENGTH];
+	unsigned int alert_fragment_len;
+	unsigned char handshake_fragment[DTLS1_HM_HEADER_LENGTH];
+	unsigned int handshake_fragment_len;
+
+	unsigned int retransmitting;
+
+	} DTLS1_STATE;
+
+typedef struct dtls1_record_data_st
+	{
+	unsigned char *packet;
+	unsigned int   packet_length;
+	SSL3_BUFFER    rbuf;
+	SSL3_RECORD    rrec;
+	} DTLS1_RECORD_DATA;
+
+
+/* Timeout multipliers (timeout slice is defined in apps/timeouts.h */
+#define DTLS1_TMO_READ_COUNT                      2
+#define DTLS1_TMO_WRITE_COUNT                     2
+
+#define DTLS1_TMO_ALERT_COUNT                     12
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/crypto/openssl/ssl/kssl.c b/crypto/openssl/ssl/kssl.c
index 51378897f6e2..ffa8d52e7063 100644
--- a/crypto/openssl/ssl/kssl.c
+++ b/crypto/openssl/ssl/kssl.c
@@ -68,11 +68,15 @@
 
 #include <openssl/opensslconf.h>
 
-#define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */
+#define _XOPEN_SOURCE 500 /* glibc2 needs this to declare strptime() */
 #include <time.h>
+#if 0 /* experimental */
 #undef _XOPEN_SOURCE /* To avoid clashes with anything else... */
+#endif
 #include <string.h>
 
+#define KRB5_PRIVATE	1
+
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
@@ -80,6 +84,10 @@
 
 #ifndef OPENSSL_NO_KRB5
 
+#ifndef ENOMEM
+#define ENOMEM KRB5KRB_ERR_GENERIC
+#endif
+
 /* 
  * When OpenSSL is built on Windows, we do not want to require that
  * the Kerberos DLLs be available in order for the OpenSSL DLLs to
@@ -289,7 +297,7 @@ load_krb5_dll(void)
 	HANDLE hKRB5_32;
     
 	krb5_loaded++;
-	hKRB5_32 = LoadLibrary("KRB5_32");
+	hKRB5_32 = LoadLibrary(TEXT("KRB5_32"));
 	if (!hKRB5_32)
 		return;
 
@@ -932,7 +940,7 @@ print_krb5_data(char *label, krb5_data *kdata)
 	int i;
 
 	printf("%s[%d] ", label, kdata->length);
-	for (i=0; i < kdata->length; i++)
+	for (i=0; i < (int)kdata->length; i++)
                 {
 		if (0 &&  isprint((int) kdata->data[i]))
                         printf(	"%c ",  kdata->data[i]);
@@ -984,14 +992,14 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
 #ifdef KRB5_HEIMDAL
 	printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
 					   keyblk->keyvalue->length);
-	for (i=0; i < keyblk->keyvalue->length; i++)
+	for (i=0; i < (int)keyblk->keyvalue->length; i++)
                 {
 		printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
 		}
 	printf("\n");
 #else
 	printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
-	for (i=0; i < keyblk->length; i++)
+	for (i=0; i < (int)keyblk->length; i++)
                 {
 		printf("%02x",keyblk->contents[i]);
 		}
@@ -1010,12 +1018,12 @@ print_krb5_princ(char *label, krb5_principal_data *princ)
 
 	printf("%s principal Realm: ", label);
 	if (princ == NULL)  return;
-	for (ui=0; ui < princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
+	for (ui=0; ui < (int)princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
 	printf(" (nametype %d) has %d strings:\n", princ->type,princ->length);
-	for (i=0; i < princ->length; i++)
+	for (i=0; i < (int)princ->length; i++)
                 {
 		printf("\t%d [%d]: ", i, princ->data[i].length);
-		for (uj=0; uj < princ->data[i].length; uj++)  {
+		for (uj=0; uj < (int)princ->data[i].length; uj++)  {
 			putchar(princ->data[i].data[uj]);
 			}
 		printf("\n");
@@ -1124,7 +1132,7 @@ kssl_cget_tkt(	/* UPDATE */	KSSL_CTX *kssl_ctx,
 	if (authenp)
                 {
 		krb5_data	krb5in_data;
-		unsigned char	*p;
+		const unsigned char	*p;
 		long		arlen;
 		KRB5_APREQBODY	*ap_req;
 
@@ -1293,7 +1301,7 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 	static krb5_auth_context	krb5auth_context = NULL;
 	krb5_ticket 			*krb5ticket = NULL;
 	KRB5_TKTBODY 			*asn1ticket = NULL;
-	unsigned char			*p;
+	const unsigned char		*p;
 	krb5_keytab 			krb5keytab = NULL;
 	krb5_keytab_entry		kt_entry;
 	krb5_principal			krb5server;
@@ -1978,7 +1986,8 @@ krb5_error_code  kssl_check_authent(
 	EVP_CIPHER_CTX		ciph_ctx;
 	const EVP_CIPHER	*enc = NULL;
 	unsigned char		iv[EVP_MAX_IV_LENGTH];
-	unsigned char		*p, *unenc_authent;
+	const unsigned char	*p;
+	unsigned char		*unenc_authent;
 	int 			outl, unencbufsize;
 	struct tm		tm_time, *tm_l, *tm_g;
 	time_t			now, tl, tg, tr, tz_offset;
diff --git a/crypto/openssl/ssl/kssl.h b/crypto/openssl/ssl/kssl.h
index 19a689b089b7..a3d20e1ccbdc 100644
--- a/crypto/openssl/ssl/kssl.h
+++ b/crypto/openssl/ssl/kssl.h
@@ -82,6 +82,12 @@ extern "C" {
 #ifdef KRB5_HEIMDAL
 typedef unsigned char krb5_octet;
 #define FAR
+#else
+
+#ifndef FAR
+#define FAR
+#endif
+
 #endif
 
 /*	Uncomment this to debug kssl problems or
diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c
index b1db0fb7b2b0..ed4ee72393ef 100644
--- a/crypto/openssl/ssl/s23_clnt.c
+++ b/crypto/openssl/ssl/s23_clnt.c
@@ -80,33 +80,15 @@ static SSL_METHOD *ssl23_get_client_method(int ver)
 		return(NULL);
 	}
 
-SSL_METHOD *SSLv23_client_method(void)
-	{
-	static int init=1;
-	static SSL_METHOD SSLv23_client_data;
-
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-
-		if (init)
-			{
-			memcpy((char *)&SSLv23_client_data,
-				(char *)sslv23_base_method(),sizeof(SSL_METHOD));
-			SSLv23_client_data.ssl_connect=ssl23_connect;
-			SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
-			init=0;
-			}
-
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-		}
-	return(&SSLv23_client_data);
-	}
+IMPLEMENT_ssl23_meth_func(SSLv23_client_method,
+			ssl_undefined_function,
+			ssl23_connect,
+			ssl23_get_client_method)
 
 int ssl23_connect(SSL *s)
 	{
 	BUF_MEM *buf=NULL;
-	unsigned long Time=time(NULL);
+	unsigned long Time=(unsigned long)time(NULL);
 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
 	int ret= -1;
 	int new_state,state;
@@ -220,9 +202,28 @@ static int ssl23_client_hello(SSL *s)
 	{
 	unsigned char *buf;
 	unsigned char *p,*d;
-	int i,ch_len;
+	int i,j,ch_len;
+	unsigned long Time,l;
+	int ssl2_compat;
+	int version = 0, version_major, version_minor;
+	SSL_COMP *comp;
 	int ret;
 
+	ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;
+
+	if (!(s->options & SSL_OP_NO_TLSv1))
+		{
+		version = TLS1_VERSION;
+		}
+	else if (!(s->options & SSL_OP_NO_SSLv3))
+		{
+		version = SSL3_VERSION;
+		}
+	else if (!(s->options & SSL_OP_NO_SSLv2))
+		{
+		version = SSL2_VERSION;
+		}
+
 	buf=(unsigned char *)s->init_buf->data;
 	if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
 		{
@@ -235,31 +236,25 @@ static int ssl23_client_hello(SSL *s)
 #endif
 
 		p=s->s3->client_random;
-		if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0)
-		    return -1;
-
-		/* Do the message type and length last */
-		d= &(buf[2]);
-		p=d+9;
+		Time=(unsigned long)time(NULL);		/* Time */
+		l2n(Time,p);
+		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+			return -1;
 
-		*(d++)=SSL2_MT_CLIENT_HELLO;
-		if (!(s->options & SSL_OP_NO_TLSv1))
+		if (version == TLS1_VERSION)
 			{
-			*(d++)=TLS1_VERSION_MAJOR;
-			*(d++)=TLS1_VERSION_MINOR;
-			s->client_version=TLS1_VERSION;
+			version_major = TLS1_VERSION_MAJOR;
+			version_minor = TLS1_VERSION_MINOR;
 			}
-		else if (!(s->options & SSL_OP_NO_SSLv3))
+		else if (version == SSL3_VERSION)
 			{
-			*(d++)=SSL3_VERSION_MAJOR;
-			*(d++)=SSL3_VERSION_MINOR;
-			s->client_version=SSL3_VERSION;
+			version_major = SSL3_VERSION_MAJOR;
+			version_minor = SSL3_VERSION_MINOR;
 			}
-		else if (!(s->options & SSL_OP_NO_SSLv2))
+		else if (version == SSL2_VERSION)
 			{
-			*(d++)=SSL2_VERSION_MAJOR;
-			*(d++)=SSL2_VERSION_MINOR;
-			s->client_version=SSL2_VERSION;
+			version_major = SSL2_VERSION_MAJOR;
+			version_minor = SSL2_VERSION_MINOR;
 			}
 		else
 			{
@@ -267,59 +262,153 @@ static int ssl23_client_hello(SSL *s)
 			return(-1);
 			}
 
-		/* Ciphers supported */
-		i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p);
-		if (i == 0)
+		s->client_version = version;
+
+		if (ssl2_compat)
 			{
-			/* no ciphers */
-			SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
-			return(-1);
-			}
-		s2n(i,d);
-		p+=i;
+			/* create SSL 2.0 compatible Client Hello */
 
-		/* put in the session-id, zero since there is no
-		 * reuse. */
+			/* two byte record header will be written last */
+			d = &(buf[2]);
+			p = d + 9; /* leave space for message type, version, individual length fields */
+
+			*(d++) = SSL2_MT_CLIENT_HELLO;
+			*(d++) = version_major;
+			*(d++) = version_minor;
+			
+			/* Ciphers supported */
+			i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p,0);
+			if (i == 0)
+				{
+				/* no ciphers */
+				SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
+				return -1;
+				}
+			s2n(i,d);
+			p+=i;
+			
+			/* put in the session-id length (zero since there is no reuse) */
 #if 0
-		s->session->session_id_length=0;
+			s->session->session_id_length=0;
 #endif
-		s2n(0,d);
-
-		if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
-			ch_len=SSL2_CHALLENGE_LENGTH;
+			s2n(0,d);
+
+			if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
+				ch_len=SSL2_CHALLENGE_LENGTH;
+			else
+				ch_len=SSL2_MAX_CHALLENGE_LENGTH;
+
+			/* write out sslv2 challenge */
+			if (SSL3_RANDOM_SIZE < ch_len)
+				i=SSL3_RANDOM_SIZE;
+			else
+				i=ch_len;
+			s2n(i,d);
+			memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
+			if (RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
+				return -1;
+
+			memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
+			p+=i;
+
+			i= p- &(buf[2]);
+			buf[0]=((i>>8)&0xff)|0x80;
+			buf[1]=(i&0xff);
+
+			/* number of bytes to write */
+			s->init_num=i+2;
+			s->init_off=0;
+
+			ssl3_finish_mac(s,&(buf[2]),i);
+			}
 		else
-			ch_len=SSL2_MAX_CHALLENGE_LENGTH;
+			{
+			/* create Client Hello in SSL 3.0/TLS 1.0 format */
 
-		/* write out sslv2 challenge */
-		if (SSL3_RANDOM_SIZE < ch_len)
-			i=SSL3_RANDOM_SIZE;
-		else
-			i=ch_len;
-		s2n(i,d);
-		memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
-		if(RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
-			return -1;
+			/* do the record header (5 bytes) and handshake message header (4 bytes) last */
+			d = p = &(buf[9]);
+			
+			*(p++) = version_major;
+			*(p++) = version_minor;
+
+			/* Random stuff */
+			memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
+			p += SSL3_RANDOM_SIZE;
+
+			/* Session ID (zero since there is no reuse) */
+			*(p++) = 0;
+
+			/* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
+			i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),ssl3_put_cipher_by_char);
+			if (i == 0)
+				{
+				SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
+				return -1;
+				}
+			s2n(i,p);
+			p+=i;
+
+			/* COMPRESSION */
+			if (s->ctx->comp_methods == NULL)
+				j=0;
+			else
+				j=sk_SSL_COMP_num(s->ctx->comp_methods);
+			*(p++)=1+j;
+			for (i=0; i<j; i++)
+				{
+				comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
+				*(p++)=comp->id;
+				}
+			*(p++)=0; /* Add the NULL method */
+			
+			l = p-d;
+			*p = 42;
 
-		memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
-		p+=i;
+			/* fill in 4-byte handshake header */
+			d=&(buf[5]);
+			*(d++)=SSL3_MT_CLIENT_HELLO;
+			l2n3(l,d);
 
-		i= p- &(buf[2]);
-		buf[0]=((i>>8)&0xff)|0x80;
-		buf[1]=(i&0xff);
+			l += 4;
+
+			if (l > SSL3_RT_MAX_PLAIN_LENGTH)
+				{
+				SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
+				return -1;
+				}
+			
+			/* fill in 5-byte record header */
+			d=buf;
+			*(d++) = SSL3_RT_HANDSHAKE;
+			*(d++) = version_major;
+			*(d++) = version_minor; /* arguably we should send the *lowest* suported version here
+			                         * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */
+			s2n((int)l,d);
+
+			/* number of bytes to write */
+			s->init_num=p-buf;
+			s->init_off=0;
+
+			ssl3_finish_mac(s,&(buf[5]), s->init_num - 5);
+			}
 
 		s->state=SSL23_ST_CW_CLNT_HELLO_B;
-		/* number of bytes to write */
-		s->init_num=i+2;
 		s->init_off=0;
-
-		ssl3_finish_mac(s,&(buf[2]),i);
 		}
 
 	/* SSL3_ST_CW_CLNT_HELLO_B */
 	ret = ssl23_write_bytes(s);
-	if (ret >= 2)
-		if (s->msg_callback)
-			s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data+2, ret-2, s, s->msg_callback_arg); /* CLIENT-HELLO */
+
+	if ((ret >= 2) && s->msg_callback)
+		{
+		/* Client Hello has been sent; tell msg_callback */
+
+		if (ssl2_compat)
+			s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data+2, ret-2, s, s->msg_callback_arg);
+		else
+			s->msg_callback(1, version, SSL3_RT_HANDSHAKE, s->init_buf->data+5, ret-5, s, s->msg_callback_arg);
+		}
+
 	return ret;
 	}
 
diff --git a/crypto/openssl/ssl/s23_lib.c b/crypto/openssl/ssl/s23_lib.c
index b70002a64768..fc2981308d55 100644
--- a/crypto/openssl/ssl/s23_lib.c
+++ b/crypto/openssl/ssl/s23_lib.c
@@ -60,55 +60,17 @@
 #include <openssl/objects.h>
 #include "ssl_locl.h"
 
-static int ssl23_num_ciphers(void );
-static SSL_CIPHER *ssl23_get_cipher(unsigned int u);
-static int ssl23_read(SSL *s, void *buf, int len);
-static int ssl23_peek(SSL *s, void *buf, int len);
-static int ssl23_write(SSL *s, const void *buf, int len);
-static long ssl23_default_timeout(void );
-static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
-static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
-const char *SSL23_version_str="SSLv2/3 compatibility" OPENSSL_VERSION_PTEXT;
-
-static SSL_METHOD SSLv23_data= {
-	TLS1_VERSION,
-	tls1_new,
-	tls1_clear,
-	tls1_free,
-	ssl_undefined_function,
-	ssl_undefined_function,
-	ssl23_read,
-	ssl23_peek,
-	ssl23_write,
-	ssl_undefined_function,
-	ssl_undefined_function,
-	ssl_ok,
-	ssl3_ctrl,
-	ssl3_ctx_ctrl,
-	ssl23_get_cipher_by_char,
-	ssl23_put_cipher_by_char,
-	ssl_undefined_function,
-	ssl23_num_ciphers,
-	ssl23_get_cipher,
-	ssl_bad_method,
-	ssl23_default_timeout,
-	&ssl3_undef_enc_method,
-	ssl_undefined_function,
-	ssl3_callback_ctrl,
-	ssl3_ctx_callback_ctrl,
-	};
-
-static long ssl23_default_timeout(void)
+long ssl23_default_timeout(void)
 	{
 	return(300);
 	}
 
-SSL_METHOD *sslv23_base_method(void)
-	{
-	return(&SSLv23_data);
-	}
+IMPLEMENT_ssl23_meth_func(sslv23_base_method,
+			ssl_undefined_function,
+			ssl_undefined_function,
+			ssl_bad_method)
 
-static int ssl23_num_ciphers(void)
+int ssl23_num_ciphers(void)
 	{
 	return(ssl3_num_ciphers()
 #ifndef OPENSSL_NO_SSL2
@@ -117,7 +79,7 @@ static int ssl23_num_ciphers(void)
 	    );
 	}
 
-static SSL_CIPHER *ssl23_get_cipher(unsigned int u)
+SSL_CIPHER *ssl23_get_cipher(unsigned int u)
 	{
 	unsigned int uu=ssl3_num_ciphers();
 
@@ -133,7 +95,7 @@ static SSL_CIPHER *ssl23_get_cipher(unsigned int u)
 
 /* This function needs to check if the ciphers required are actually
  * available */
-static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
+SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
 	{
 	SSL_CIPHER c,*cp;
 	unsigned long id;
@@ -151,7 +113,7 @@ static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
 	return(cp);
 	}
 
-static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
+int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
 	{
 	long l;
 
@@ -166,7 +128,7 @@ static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
 	return(3);
 	}
 
-static int ssl23_read(SSL *s, void *buf, int len)
+int ssl23_read(SSL *s, void *buf, int len)
 	{
 	int n;
 
@@ -189,7 +151,7 @@ static int ssl23_read(SSL *s, void *buf, int len)
 		}
 	}
 
-static int ssl23_peek(SSL *s, void *buf, int len)
+int ssl23_peek(SSL *s, void *buf, int len)
 	{
 	int n;
 
@@ -212,7 +174,7 @@ static int ssl23_peek(SSL *s, void *buf, int len)
 		}
 	}
 
-static int ssl23_write(SSL *s, const void *buf, int len)
+int ssl23_write(SSL *s, const void *buf, int len)
 	{
 	int n;
 
diff --git a/crypto/openssl/ssl/s23_meth.c b/crypto/openssl/ssl/s23_meth.c
index f207140835f8..950d9aab3d9e 100644
--- a/crypto/openssl/ssl/s23_meth.c
+++ b/crypto/openssl/ssl/s23_meth.c
@@ -63,37 +63,26 @@
 static SSL_METHOD *ssl23_get_method(int ver);
 static SSL_METHOD *ssl23_get_method(int ver)
 	{
+#ifndef OPENSSL_NO_SSL2
 	if (ver == SSL2_VERSION)
 		return(SSLv2_method());
-	else if (ver == SSL3_VERSION)
+	else
+#endif
+#ifndef OPENSSL_NO_SSL3
+	if (ver == SSL3_VERSION)
 		return(SSLv3_method());
-	else if (ver == TLS1_VERSION)
+	else
+#endif
+#ifndef OPENSSL_NO_TLS1
+	if (ver == TLS1_VERSION)
 		return(TLSv1_method());
 	else
+#endif
 		return(NULL);
 	}
 
-SSL_METHOD *SSLv23_method(void)
-	{
-	static int init=1;
-	static SSL_METHOD SSLv23_data;
-
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-		
-		if (init)
-			{
-			memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(),
-				sizeof(SSL_METHOD));
-			SSLv23_data.ssl_connect=ssl23_connect;
-			SSLv23_data.ssl_accept=ssl23_accept;
-			SSLv23_data.get_ssl_method=ssl23_get_method;
-			init=0;
-			}
-		
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-		}
-	return(&SSLv23_data);
-	}
+IMPLEMENT_ssl23_meth_func(SSLv23_method,
+			ssl23_accept,
+			ssl23_connect,
+			ssl23_get_method)
 
diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c
index c5404ca0bcd4..da4f377e76ea 100644
--- a/crypto/openssl/ssl/s23_srvr.c
+++ b/crypto/openssl/ssl/s23_srvr.c
@@ -132,33 +132,15 @@ static SSL_METHOD *ssl23_get_server_method(int ver)
 		return(NULL);
 	}
 
-SSL_METHOD *SSLv23_server_method(void)
-	{
-	static int init=1;
-	static SSL_METHOD SSLv23_server_data;
-
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-
-		if (init)
-			{
-			memcpy((char *)&SSLv23_server_data,
-				(char *)sslv23_base_method(),sizeof(SSL_METHOD));
-			SSLv23_server_data.ssl_accept=ssl23_accept;
-			SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
-			init=0;
-			}
-
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-		}
-	return(&SSLv23_server_data);
-	}
+IMPLEMENT_ssl23_meth_func(SSLv23_server_method,
+			ssl23_accept,
+			ssl_undefined_function,
+			ssl23_get_server_method)
 
 int ssl23_accept(SSL *s)
 	{
 	BUF_MEM *buf;
-	unsigned long Time=time(NULL);
+	unsigned long Time=(unsigned long)time(NULL);
 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
 	int ret= -1;
 	int new_state,state;
@@ -268,9 +250,6 @@ int ssl23_get_client_hello(SSL *s)
 	int n=0,j;
 	int type=0;
 	int v[2];
-#ifndef OPENSSL_NO_RSA
-	int use_sslv2_strong=0;
-#endif
 
 	if (s->state ==	SSL23_ST_SR_CLNT_HELLO_A)
 		{
@@ -519,9 +498,7 @@ int ssl23_get_client_hello(SSL *s)
 			}
 
 		s->state=SSL2_ST_GET_CLIENT_HELLO_A;
-		if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) ||
-			use_sslv2_strong ||
-			(s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3))
+		if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
 			s->s2->ssl2_rollback=0;
 		else
 			/* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c
index c67829f4957c..efb52485a714 100644
--- a/crypto/openssl/ssl/s2_clnt.c
+++ b/crypto/openssl/ssl/s2_clnt.c
@@ -137,32 +137,14 @@ static SSL_METHOD *ssl2_get_client_method(int ver)
 		return(NULL);
 	}
 
-SSL_METHOD *SSLv2_client_method(void)
-	{
-	static int init=1;
-	static SSL_METHOD SSLv2_client_data;
-
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-
-		if (init)
-			{
-			memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(),
-				sizeof(SSL_METHOD));
-			SSLv2_client_data.ssl_connect=ssl2_connect;
-			SSLv2_client_data.get_ssl_method=ssl2_get_client_method;
-			init=0;
-			}
-
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-		}
-	return(&SSLv2_client_data);
-	}
+IMPLEMENT_ssl2_meth_func(SSLv2_client_method,
+			ssl_undefined_function,
+			ssl2_connect,
+			ssl2_get_client_method)
 
 int ssl2_connect(SSL *s)
 	{
-	unsigned long l=time(NULL);
+	unsigned long l=(unsigned long)time(NULL);
 	BUF_MEM *buf=NULL;
 	int ret= -1;
 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
@@ -584,7 +566,7 @@ static int client_hello(SSL *s)
 		s2n(SSL2_VERSION,p);			/* version */
 		n=j=0;
 
-		n=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),d);
+		n=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),d,0);
 		d+=n;
 
 		if (n == 0)
@@ -612,7 +594,7 @@ static int client_hello(SSL *s)
 		s->s2->challenge_length=SSL2_CHALLENGE_LENGTH;
 		s2n(SSL2_CHALLENGE_LENGTH,p);		/* challenge length */
 		/*challenge id data*/
-		if(RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH) <= 0)
+		if (RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH) <= 0)
 			return -1;
 		memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH);
 		d+=SSL2_CHALLENGE_LENGTH;
@@ -662,7 +644,7 @@ static int client_master_key(SSL *s)
 			return -1;
 			}
 		if (i > 0)
-			if(RAND_pseudo_bytes(sess->key_arg,i) <= 0)
+			if (RAND_pseudo_bytes(sess->key_arg,i) <= 0)
 				return -1;
 
 		/* make a master key */
@@ -670,7 +652,7 @@ static int client_master_key(SSL *s)
 		sess->master_key_length=i;
 		if (i > 0)
 			{
-			if (i > sizeof sess->master_key)
+			if (i > (int)sizeof(sess->master_key))
 				{
 				ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
 				SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
@@ -690,7 +672,7 @@ static int client_master_key(SSL *s)
 		else
 			enc=i;
 
-		if (i < enc)
+		if ((int)i < enc)
 			{
 			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
 			SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_CIPHER_TABLE_SRC_ERROR);
@@ -719,7 +701,7 @@ static int client_master_key(SSL *s)
 		d+=enc;
 		karg=sess->key_arg_length;	
 		s2n(karg,p); /* key arg size */
-		if (karg > sizeof sess->key_arg)
+		if (karg > (int)sizeof(sess->key_arg))
 			{
 			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
 			SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
@@ -1037,7 +1019,7 @@ static int get_server_finished(SSL *s)
 	}
 
 /* loads in the certificate from the server */
-int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data)
+int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data)
 	{
 	STACK_OF(X509) *sk=NULL;
 	EVP_PKEY *pkey=NULL;
diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c
index 21a06f76cb07..18882bf70487 100644
--- a/crypto/openssl/ssl/s2_enc.c
+++ b/crypto/openssl/ssl/s2_enc.c
@@ -100,7 +100,7 @@ int ssl2_enc_init(SSL *s, int client)
 	if (ssl2_generate_key_material(s) <= 0)
 		return 0;
 
-	OPENSSL_assert(c->iv_len <= sizeof s->session->key_arg);
+	OPENSSL_assert(c->iv_len <= (int)sizeof(s->session->key_arg));
 	EVP_EncryptInit_ex(ws,c,NULL,&(s->s2->key_material[(client)?num:0]),
 		s->session->key_arg);
 	EVP_DecryptInit_ex(rs,c,NULL,&(s->s2->key_material[(client)?0:num]),
diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c
index edcef4dda291..d2cce7546d2e 100644
--- a/crypto/openssl/ssl/s2_lib.c
+++ b/crypto/openssl/ssl/s2_lib.c
@@ -59,16 +59,15 @@
 #include "ssl_locl.h"
 #ifndef OPENSSL_NO_SSL2
 #include <stdio.h>
-#include <openssl/rsa.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
 
-static long ssl2_default_timeout(void );
 const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
 
 #define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER))
 
+/* list of available SSLv2 ciphers (sorted by id) */
 OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
 /* NULL_WITH_MD5 v3 */
 #if 0
@@ -85,19 +84,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
 	SSL_ALL_STRENGTHS,
 	},
 #endif
-/* RC4_128_EXPORT40_WITH_MD5 */
-	{
-	1,
-	SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
-	SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
-	SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
-	SSL_EXPORT|SSL_EXP40,
-	SSL2_CF_5_BYTE_ENC,
-	40,
-	128,
-	SSL_ALL_CIPHERS,
-	SSL_ALL_STRENGTHS,
-	},
 /* RC4_128_WITH_MD5 */
 	{
 	1,
@@ -111,12 +97,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
-/* RC2_128_CBC_EXPORT40_WITH_MD5 */
+/* RC4_128_EXPORT40_WITH_MD5 */
 	{
 	1,
-	SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
-	SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
-	SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
+	SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
+	SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
 	SSL_EXPORT|SSL_EXP40,
 	SSL2_CF_5_BYTE_ENC,
 	40,
@@ -137,6 +123,19 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
+/* RC2_128_CBC_EXPORT40_WITH_MD5 */
+	{
+	1,
+	SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
+	SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
+	SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
+	SSL_EXPORT|SSL_EXP40,
+	SSL2_CF_5_BYTE_ENC,
+	40,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
 /* IDEA_128_CBC_WITH_MD5 */
 #ifndef OPENSSL_NO_IDEA
 	{
@@ -212,43 +211,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
 /* end of list :-) */
 	};
 
-static SSL_METHOD SSLv2_data= {
-	SSL2_VERSION,
-	ssl2_new,	/* local */
-	ssl2_clear,	/* local */
-	ssl2_free,	/* local */
-	ssl_undefined_function,
-	ssl_undefined_function,
-	ssl2_read,
-	ssl2_peek,
-	ssl2_write,
-	ssl2_shutdown,
-	ssl_ok,	/* NULL - renegotiate */
-	ssl_ok,	/* NULL - check renegotiate */
-	ssl2_ctrl,	/* local */
-	ssl2_ctx_ctrl,	/* local */
-	ssl2_get_cipher_by_char,
-	ssl2_put_cipher_by_char,
-	ssl2_pending,
-	ssl2_num_ciphers,
-	ssl2_get_cipher,
-	ssl_bad_method,
-	ssl2_default_timeout,
-	&ssl3_undef_enc_method,
-	ssl_undefined_function,
-	ssl2_callback_ctrl,	/* local */
-	ssl2_ctx_callback_ctrl,	/* local */
-	};
-
-static long ssl2_default_timeout(void)
+long ssl2_default_timeout(void)
 	{
 	return(300);
 	}
 
-SSL_METHOD *sslv2_base_method(void)
-	{
-	return(&SSLv2_data);
-	}
+IMPLEMENT_ssl2_meth_func(sslv2_base_method,
+			ssl_undefined_function,
+			ssl_undefined_function,
+			ssl_bad_method)
 
 int ssl2_num_ciphers(void)
 	{
@@ -263,7 +234,7 @@ SSL_CIPHER *ssl2_get_cipher(unsigned int u)
 		return(NULL);
 	}
 
-int ssl2_pending(SSL *s)
+int ssl2_pending(const SSL *s)
 	{
 	return SSL_in_init(s) ? 0 : s->s2->ract_data_length;
 	}
@@ -349,7 +320,7 @@ long ssl2_ctrl(SSL *s, int cmd, long larg, void *parg)
 	return(ret);
 	}
 
-long ssl2_callback_ctrl(SSL *s, int cmd, void (*fp)())
+long ssl2_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
 	{
 	return(0);
 	}
@@ -359,7 +330,7 @@ long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 	return(0);
 	}
 
-long ssl2_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
+long ssl2_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
 	{
 	return(0);
 	}
@@ -368,42 +339,20 @@ long ssl2_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
  * available */
 SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
 	{
-	static int init=1;
-	static SSL_CIPHER *sorted[SSL2_NUM_CIPHERS];
-	SSL_CIPHER c,*cp= &c,**cpp;
+	SSL_CIPHER c,*cp;
 	unsigned long id;
-	int i;
-
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL);
-
-		if (init)
-			{
-			for (i=0; i<SSL2_NUM_CIPHERS; i++)
-				sorted[i]= &(ssl2_ciphers[i]);
-
-			qsort((char *)sorted,
-				SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-				FP_ICC ssl_cipher_ptr_id_cmp);
-
-			init=0;
-			}
-			
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-		}
 
 	id=0x02000000L|((unsigned long)p[0]<<16L)|
 		((unsigned long)p[1]<<8L)|(unsigned long)p[2];
 	c.id=id;
-	cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp,
-		(char *)sorted,
-		SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-		FP_ICC ssl_cipher_ptr_id_cmp);
-	if ((cpp == NULL) || !(*cpp)->valid)
-		return(NULL);
+	cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c,
+		(char *)ssl2_ciphers,
+		SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER),
+		FP_ICC ssl_cipher_id_cmp);
+	if ((cp == NULL) || (cp->valid == 0))
+		return NULL;
 	else
-		return(*cpp);
+		return cp;
 	}
 
 int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
@@ -438,7 +387,8 @@ int ssl2_generate_key_material(SSL *s)
 	EVP_MD_CTX_init(&ctx);
 	km=s->s2->key_material;
 
- 	if (s->session->master_key_length < 0 || s->session->master_key_length > sizeof s->session->master_key)
+ 	if (s->session->master_key_length < 0 ||
+			s->session->master_key_length > (int)sizeof(s->session->master_key))
  		{
  		SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR);
  		return 0;
@@ -446,7 +396,8 @@ int ssl2_generate_key_material(SSL *s)
 
 	for (i=0; i<s->s2->key_material_length; i += EVP_MD_size(md5))
 		{
-		if (((km - s->s2->key_material) + EVP_MD_size(md5)) > sizeof s->s2->key_material)
+		if (((km - s->s2->key_material) + EVP_MD_size(md5)) >
+				(int)sizeof(s->s2->key_material))
 			{
 			/* EVP_DigestFinal_ex() below would write beyond buffer */
 			SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR);
@@ -457,7 +408,7 @@ int ssl2_generate_key_material(SSL *s)
 
 		OPENSSL_assert(s->session->master_key_length >= 0
 		    && s->session->master_key_length
-		    < sizeof s->session->master_key);
+		    < (int)sizeof(s->session->master_key));
 		EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
 		EVP_DigestUpdate(&ctx,&c,1);
 		c++;
@@ -496,7 +447,7 @@ void ssl2_write_error(SSL *s)
 
 	error=s->error; /* number of bytes left to write */
 	s->error=0;
-	OPENSSL_assert(error >= 0 && error <= sizeof buf);
+	OPENSSL_assert(error >= 0 && error <= (int)sizeof(buf));
 	i=ssl2_write(s,&(buf[3-error]),error);
 
 /*	if (i == error) s->rwstate=state; */
diff --git a/crypto/openssl/ssl/s2_meth.c b/crypto/openssl/ssl/s2_meth.c
index 8b6cbd086e2a..a35e435b7137 100644
--- a/crypto/openssl/ssl/s2_meth.c
+++ b/crypto/openssl/ssl/s2_meth.c
@@ -70,29 +70,11 @@ static SSL_METHOD *ssl2_get_method(int ver)
 		return(NULL);
 	}
 
-SSL_METHOD *SSLv2_method(void)
-	{
-	static int init=1;
-	static SSL_METHOD SSLv2_data;
+IMPLEMENT_ssl2_meth_func(SSLv2_method,
+			ssl2_accept,
+			ssl2_connect,
+			ssl2_get_method)
 
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-		
-		if (init)
-			{
-			memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(),
-				sizeof(SSL_METHOD));
-			SSLv2_data.ssl_connect=ssl2_connect;
-			SSLv2_data.ssl_accept=ssl2_accept;
-			SSLv2_data.get_ssl_method=ssl2_get_method;
-			init=0;
-			}
-		
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-		}
-	return(&SSLv2_data);
-	}
 #else /* !OPENSSL_NO_SSL2 */
 
 # if PEDANTIC
diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c
index 853871f28c4d..27d71a2e0952 100644
--- a/crypto/openssl/ssl/s2_srvr.c
+++ b/crypto/openssl/ssl/s2_srvr.c
@@ -137,32 +137,14 @@ static SSL_METHOD *ssl2_get_server_method(int ver)
 		return(NULL);
 	}
 
-SSL_METHOD *SSLv2_server_method(void)
-	{
-	static int init=1;
-	static SSL_METHOD SSLv2_server_data;
-
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-
-		if (init)
-			{
-			memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(),
-				sizeof(SSL_METHOD));
-			SSLv2_server_data.ssl_accept=ssl2_accept;
-			SSLv2_server_data.get_ssl_method=ssl2_get_server_method;
-			init=0;
-			}
-
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-		}
-	return(&SSLv2_server_data);
-	}
+IMPLEMENT_ssl2_meth_func(SSLv2_server_method,
+			ssl2_accept,
+			ssl_undefined_function,
+			ssl2_get_server_method)
 
 int ssl2_accept(SSL *s)
 	{
-	unsigned long l=time(NULL);
+	unsigned long l=(unsigned long)time(NULL);
 	BUF_MEM *buf=NULL;
 	int ret= -1;
 	long num1;
@@ -498,8 +480,8 @@ static int get_client_master_key(SSL *s)
 			i=ek;
 		else
 			i=EVP_CIPHER_key_length(c);
-		if(RAND_pseudo_bytes(p,i) <= 0)
-		    return 0;
+		if (RAND_pseudo_bytes(p,i) <= 0)
+			return 0;
 		}
 #else
 	if (i < 0)
@@ -797,7 +779,7 @@ static int server_hello(SSL *s)
 			/* lets send out the ciphers we like in the
 			 * prefered order */
 			sk= s->session->ciphers;
-			n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d);
+			n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d,0);
 			d+=n;
 			s2n(n,p);		/* add cipher length */
 			}
@@ -805,8 +787,8 @@ static int server_hello(SSL *s)
 		/* make and send conn_id */
 		s2n(SSL2_CONNECTION_ID_LENGTH,p);	/* add conn_id length */
 		s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH;
-		if(RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length) <= 0)
-		    return -1;
+		if (RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length) <= 0)
+			return -1;
 		memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH);
 		d+=SSL2_CONNECTION_ID_LENGTH;
 
@@ -938,6 +920,7 @@ static int server_finish(SSL *s)
 /* send the request and check the response */
 static int request_certificate(SSL *s)
 	{
+	const unsigned char *cp;
 	unsigned char *p,*p2,*buf2;
 	unsigned char *ccd;
 	int i,j,ctype,ret= -1;
@@ -951,7 +934,7 @@ static int request_certificate(SSL *s)
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_REQUEST_CERTIFICATE;
 		*(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
-		if(RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
+		if (RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
 			return -1;
 		memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
 
@@ -1055,7 +1038,8 @@ static int request_certificate(SSL *s)
 		s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-CERTIFICATE */
 	p += 6;
 
-	x509=(X509 *)d2i_X509(NULL,&p,(long)s->s2->tmp.clen);
+	cp = p;
+	x509=(X509 *)d2i_X509(NULL,&cp,(long)s->s2->tmp.clen);
 	if (x509 == NULL)
 		{
 		SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_X509_LIB);
@@ -1095,7 +1079,7 @@ static int request_certificate(SSL *s)
 
 		pkey=X509_get_pubkey(x509);
 		if (pkey == NULL) goto end;
-		i=EVP_VerifyFinal(&ctx,p,s->s2->tmp.rlen,pkey);
+		i=EVP_VerifyFinal(&ctx,cp,s->s2->tmp.rlen,pkey);
 		EVP_PKEY_free(pkey);
 		EVP_MD_CTX_cleanup(&ctx);
 
diff --git a/crypto/openssl/ssl/s3_both.c b/crypto/openssl/ssl/s3_both.c
index 64d317b7ac35..2ecfbb77cb17 100644
--- a/crypto/openssl/ssl/s3_both.c
+++ b/crypto/openssl/ssl/s3_both.c
@@ -108,6 +108,11 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #include <limits.h>
 #include <string.h>
@@ -192,7 +197,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
 	 * change cipher spec message and is in s->s3->tmp.peer_finish_md
 	 */ 
 
-	n=ssl3_get_message(s,
+	n=s->method->ssl_get_message(s,
 		a,
 		b,
 		SSL3_MT_FINISHED,
@@ -386,8 +391,8 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 			{
 			while (s->init_num < 4)
 				{
-				i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],
-					4 - s->init_num, 0);
+				i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
+					&p[s->init_num],4 - s->init_num, 0);
 				if (i <= 0)
 					{
 					s->rwstate=SSL_READING;
@@ -467,7 +472,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 	n = s->s3->tmp.message_size - s->init_num;
 	while (n > 0)
 		{
-		i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0);
+		i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0);
 		if (i <= 0)
 			{
 			s->rwstate=SSL_READING;
@@ -492,7 +497,7 @@ err:
 int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
 	{
 	EVP_PKEY *pk;
-	int ret= -1,i,j;
+	int ret= -1,i;
 
 	if (pkey == NULL)
 		pk=X509_get_pubkey(x);
@@ -504,35 +509,17 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
 	if (i == EVP_PKEY_RSA)
 		{
 		ret=SSL_PKEY_RSA_ENC;
-		if (x != NULL)
-			{
-			j=X509_get_ext_count(x);
-			/* check to see if this is a signing only certificate */
-			/* EAY EAY EAY EAY */
-			}
 		}
 	else if (i == EVP_PKEY_DSA)
 		{
 		ret=SSL_PKEY_DSA_SIGN;
 		}
-	else if (i == EVP_PKEY_DH)
+#ifndef OPENSSL_NO_EC
+	else if (i == EVP_PKEY_EC)
 		{
-		/* if we just have a key, we needs to be guess */
-
-		if (x == NULL)
-			ret=SSL_PKEY_DH_DSA;
-		else
-			{
-			j=X509_get_signature_type(x);
-			if (j == EVP_PKEY_RSA)
-				ret=SSL_PKEY_DH_RSA;
-			else if (j== EVP_PKEY_DSA)
-				ret=SSL_PKEY_DH_DSA;
-			else ret= -1;
-			}
+		ret = SSL_PKEY_ECC;
 		}
-	else
-		ret= -1;
+#endif
 
 err:
 	if(!pkey) EVP_PKEY_free(pk);
diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c
index 6b4dc3e67284..26788858d757 100644
--- a/crypto/openssl/ssl/s3_clnt.c
+++ b/crypto/openssl/ssl/s3_clnt.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -108,6 +108,19 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * ECC cipher suite support in OpenSSL originally written by
+ * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
+ *
+ */
 
 #include <stdio.h>
 #include "ssl_locl.h"
@@ -117,20 +130,19 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
-#include <openssl/fips.h>
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/bn.h>
 
 static SSL_METHOD *ssl3_get_client_method(int ver);
-static int ssl3_client_hello(SSL *s);
-static int ssl3_get_server_hello(SSL *s);
-static int ssl3_get_certificate_request(SSL *s);
 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
-static int ssl3_get_server_done(SSL *s);
-static int ssl3_send_client_verify(SSL *s);
-static int ssl3_send_client_certificate(SSL *s);
-static int ssl3_send_client_key_exchange(SSL *s);
-static int ssl3_get_key_exchange(SSL *s);
-static int ssl3_get_server_certificate(SSL *s);
-static int ssl3_check_cert_and_algorithm(SSL *s);
+
+#ifndef OPENSSL_NO_ECDH
+static int curve_id2nid(int curve_id);
+int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
+#endif
+
 static SSL_METHOD *ssl3_get_client_method(int ver)
 	{
 	if (ver == SSL3_VERSION)
@@ -139,33 +151,15 @@ static SSL_METHOD *ssl3_get_client_method(int ver)
 		return(NULL);
 	}
 
-SSL_METHOD *SSLv3_client_method(void)
-	{
-	static int init=1;
-	static SSL_METHOD SSLv3_client_data;
-
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-
-		if (init)
-			{
-			memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
-				sizeof(SSL_METHOD));
-			SSLv3_client_data.ssl_connect=ssl3_connect;
-			SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
-			init=0;
-			}
-
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-		}
-	return(&SSLv3_client_data);
-	}
+IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
+			ssl_undefined_function,
+			ssl3_connect,
+			ssl3_get_client_method)
 
 int ssl3_connect(SSL *s)
 	{
 	BUF_MEM *buf=NULL;
-	unsigned long Time=time(NULL),l;
+	unsigned long Time=(unsigned long)time(NULL),l;
 	long num1;
 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
 	int ret= -1;
@@ -270,7 +264,7 @@ int ssl3_connect(SSL *s)
 
 		case SSL3_ST_CR_CERT_A:
 		case SSL3_ST_CR_CERT_B:
-			/* Check if it is anon DH */
+			/* Check if it is anon DH/ECDH */
 			if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
 				{
 				ret=ssl3_get_server_certificate(s);
@@ -337,6 +331,13 @@ int ssl3_connect(SSL *s)
 			 * sent back */
 			/* For TLS, cert_req is set to 2, so a cert chain
 			 * of nothing is sent, but no verify packet is sent */
+			/* XXX: For now, we do not support client 
+			 * authentication in ECDH cipher suites with
+			 * ECDH (rather than ECDSA) certificates.
+			 * We need to skip the certificate verify 
+			 * message when client's ECDH public key is sent 
+			 * inside the client certificate.
+			 */
 			if (s->s3->tmp.cert_req == 1)
 				{
 				s->state=SSL3_ST_CW_CERT_VRFY_A;
@@ -368,11 +369,15 @@ int ssl3_connect(SSL *s)
 			s->init_num=0;
 
 			s->session->cipher=s->s3->tmp.new_cipher;
+#ifdef OPENSSL_NO_COMP
+			s->session->compress_meth=0;
+#else
 			if (s->s3->tmp.new_compression == NULL)
 				s->session->compress_meth=0;
 			else
 				s->session->compress_meth=
 					s->s3->tmp.new_compression->id;
+#endif
 			if (!s->method->ssl3_enc->setup_key_block(s))
 				{
 				ret= -1;
@@ -512,13 +517,16 @@ end:
 	}
 
 
-static int ssl3_client_hello(SSL *s)
+int ssl3_client_hello(SSL *s)
 	{
 	unsigned char *buf;
 	unsigned char *p,*d;
-	int i,j;
+	int i;
 	unsigned long Time,l;
+#ifndef OPENSSL_NO_COMP
+	int j;
 	SSL_COMP *comp;
+#endif
 
 	buf=(unsigned char *)s->init_buf->data;
 	if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
@@ -533,10 +541,10 @@ static int ssl3_client_hello(SSL *s)
 		/* else use the pre-loaded session */
 
 		p=s->s3->client_random;
-		Time=time(NULL);			/* Time */
+		Time=(unsigned long)time(NULL);			/* Time */
 		l2n(Time,p);
-		if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)) <= 0)
-		    goto err;
+		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+			goto err;
 
 		/* Do the message type and length last */
 		d=p= &(buf[4]);
@@ -557,7 +565,7 @@ static int ssl3_client_hello(SSL *s)
 		*(p++)=i;
 		if (i != 0)
 			{
-			if (i > sizeof s->session->session_id)
+			if (i > (int)sizeof(s->session->session_id))
 				{
 				SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
 				goto err;
@@ -567,7 +575,7 @@ static int ssl3_client_hello(SSL *s)
 			}
 		
 		/* Ciphers supported */
-		i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]));
+		i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
 		if (i == 0)
 			{
 			SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
@@ -577,6 +585,9 @@ static int ssl3_client_hello(SSL *s)
 		p+=i;
 
 		/* COMPRESSION */
+#ifdef OPENSSL_NO_COMP
+		*(p++)=1;
+#else
 		if (s->ctx->comp_methods == NULL)
 			j=0;
 		else
@@ -587,6 +598,7 @@ static int ssl3_client_hello(SSL *s)
 			comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
 			*(p++)=comp->id;
 			}
+#endif
 		*(p++)=0; /* Add the NULL method */
 		
 		l=(p-d);
@@ -606,7 +618,7 @@ err:
 	return(-1);
 	}
 
-static int ssl3_get_server_hello(SSL *s)
+int ssl3_get_server_hello(SSL *s)
 	{
 	STACK_OF(SSL_CIPHER) *sk;
 	SSL_CIPHER *c;
@@ -614,16 +626,44 @@ static int ssl3_get_server_hello(SSL *s)
 	int i,al,ok;
 	unsigned int j;
 	long n;
+#ifndef OPENSSL_NO_COMP
 	SSL_COMP *comp;
+#endif
 
-	n=ssl3_get_message(s,
+	n=s->method->ssl_get_message(s,
 		SSL3_ST_CR_SRVR_HELLO_A,
 		SSL3_ST_CR_SRVR_HELLO_B,
-		SSL3_MT_SERVER_HELLO,
+		-1,
 		300, /* ?? */
 		&ok);
 
 	if (!ok) return((int)n);
+
+	if ( SSL_version(s) == DTLS1_VERSION)
+		{
+		if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
+			{
+			if ( s->d1->send_cookie == 0)
+				{
+				s->s3->tmp.reuse_message = 1;
+				return 1;
+				}
+			else /* already sent a cookie */
+				{
+				al=SSL_AD_UNEXPECTED_MESSAGE;
+				SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
+				goto f_err;
+				}
+			}
+		}
+	
+	if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
+		{
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
+		goto f_err;
+		}
+
 	d=p=(unsigned char *)s->init_msg;
 
 	if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
@@ -719,6 +759,14 @@ static int ssl3_get_server_hello(SSL *s)
 
 	/* lets get the compression algorithm */
 	/* COMPRESSION */
+#ifdef OPENSSL_NO_COMP
+	if (*(p++) != 0)
+		{
+		al=SSL_AD_ILLEGAL_PARAMETER;
+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
+		goto f_err;
+		}
+#else
 	j= *(p++);
 	if (j == 0)
 		comp=NULL;
@@ -735,6 +783,7 @@ static int ssl3_get_server_hello(SSL *s)
 		{
 		s->s3->tmp.new_compression=comp;
 		}
+#endif
 
 	if (p != (d+n))
 		{
@@ -751,18 +800,19 @@ err:
 	return(-1);
 	}
 
-static int ssl3_get_server_certificate(SSL *s)
+int ssl3_get_server_certificate(SSL *s)
 	{
 	int al,i,ok,ret= -1;
 	unsigned long n,nc,llen,l;
 	X509 *x=NULL;
-	unsigned char *p,*d,*q;
+	const unsigned char *q,*p;
+	unsigned char *d;
 	STACK_OF(X509) *sk=NULL;
 	SESS_CERT *sc;
 	EVP_PKEY *pkey=NULL;
-        int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
+	int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
 
-	n=ssl3_get_message(s,
+	n=s->method->ssl_get_message(s,
 		SSL3_ST_CR_CERT_A,
 		SSL3_ST_CR_CERT_B,
 		-1,
@@ -783,7 +833,7 @@ static int ssl3_get_server_certificate(SSL *s)
 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
 		goto f_err;
 		}
-	d=p=(unsigned char *)s->init_msg;
+	p=d=(unsigned char *)s->init_msg;
 
 	if ((sk=sk_X509_new_null()) == NULL)
 		{
@@ -835,10 +885,10 @@ static int ssl3_get_server_certificate(SSL *s)
 	i=ssl_verify_cert_chain(s,sk);
 	if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
 #ifndef OPENSSL_NO_KRB5
-                && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
-                != (SSL_aKRB5|SSL_kKRB5)
+	        && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
+	        != (SSL_aKRB5|SSL_kKRB5)
 #endif /* OPENSSL_NO_KRB5 */
-                )
+	        )
 		{
 		al=ssl_verify_alarm_type(s->verify_result);
 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
@@ -861,16 +911,16 @@ static int ssl3_get_server_certificate(SSL *s)
 
 	pkey=X509_get_pubkey(x);
 
-        /* VRS: allow null cert if auth == KRB5 */
-        need_cert =	((s->s3->tmp.new_cipher->algorithms
-			& (SSL_MKEY_MASK|SSL_AUTH_MASK))
-                        == (SSL_aKRB5|SSL_kKRB5))? 0: 1;
+	/* VRS: allow null cert if auth == KRB5 */
+	need_cert =	((s->s3->tmp.new_cipher->algorithms
+	                 & (SSL_MKEY_MASK|SSL_AUTH_MASK))
+	                 == (SSL_aKRB5|SSL_kKRB5))? 0: 1;
 
 #ifdef KSSL_DEBUG
 	printf("pkey,x = %p, %p\n", pkey,x);
 	printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
 	printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
-                s->s3->tmp.new_cipher->algorithms, need_cert);
+	        s->s3->tmp.new_cipher->algorithms, need_cert);
 #endif    /* KSSL_DEBUG */
 
 	if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
@@ -892,31 +942,31 @@ static int ssl3_get_server_certificate(SSL *s)
 		goto f_err;
 		}
 
-        if (need_cert)
-                {
-                sc->peer_cert_type=i;
-                CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
-                /* Why would the following ever happen?
-                 * We just created sc a couple of lines ago. */
-                if (sc->peer_pkeys[i].x509 != NULL)
-                        X509_free(sc->peer_pkeys[i].x509);
-                sc->peer_pkeys[i].x509=x;
-                sc->peer_key= &(sc->peer_pkeys[i]);
-
-                if (s->session->peer != NULL)
-                        X509_free(s->session->peer);
-                CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
-                s->session->peer=x;
-                }
-        else
-                {
-                sc->peer_cert_type=i;
-                sc->peer_key= NULL;
-
-                if (s->session->peer != NULL)
-                        X509_free(s->session->peer);
-                s->session->peer=NULL;
-                }
+	if (need_cert)
+		{
+		sc->peer_cert_type=i;
+		CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
+		/* Why would the following ever happen?
+		 * We just created sc a couple of lines ago. */
+		if (sc->peer_pkeys[i].x509 != NULL)
+			X509_free(sc->peer_pkeys[i].x509);
+		sc->peer_pkeys[i].x509=x;
+		sc->peer_key= &(sc->peer_pkeys[i]);
+
+		if (s->session->peer != NULL)
+			X509_free(s->session->peer);
+		CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
+		s->session->peer=x;
+		}
+	else
+		{
+		sc->peer_cert_type=i;
+		sc->peer_key= NULL;
+
+		if (s->session->peer != NULL)
+			X509_free(s->session->peer);
+		s->session->peer=NULL;
+		}
 	s->session->verify_result = s->verify_result;
 
 	x=NULL;
@@ -934,7 +984,7 @@ err:
 	return(ret);
 	}
 
-static int ssl3_get_key_exchange(SSL *s)
+int ssl3_get_key_exchange(SSL *s)
 	{
 #ifndef OPENSSL_NO_RSA
 	unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
@@ -950,10 +1000,17 @@ static int ssl3_get_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_DH
 	DH *dh=NULL;
 #endif
+#ifndef OPENSSL_NO_ECDH
+	EC_KEY *ecdh = NULL;
+	BN_CTX *bn_ctx = NULL;
+	EC_POINT *srvr_ecpoint = NULL;
+	int curve_nid = 0;
+	int encoded_pt_len = 0;
+#endif
 
 	/* use same message size as in ssl3_get_certificate_request()
 	 * as ServerKeyExchange message may be skipped */
-	n=ssl3_get_message(s,
+	n=s->method->ssl_get_message(s,
 		SSL3_ST_CR_KEY_EXCH_A,
 		SSL3_ST_CR_KEY_EXCH_B,
 		-1,
@@ -986,6 +1043,13 @@ static int ssl3_get_key_exchange(SSL *s)
 			s->session->sess_cert->peer_dh_tmp=NULL;
 			}
 #endif
+#ifndef OPENSSL_NO_ECDH
+		if (s->session->sess_cert->peer_ecdh_tmp)
+			{
+			EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
+			s->session->sess_cert->peer_ecdh_tmp=NULL;
+			}
+#endif
 		}
 	else
 		{
@@ -1127,6 +1191,114 @@ static int ssl3_get_key_exchange(SSL *s)
 		goto f_err;
 		}
 #endif /* !OPENSSL_NO_DH */
+
+#ifndef OPENSSL_NO_ECDH
+	else if (alg & SSL_kECDHE)
+		{
+		EC_GROUP *ngroup;
+		const EC_GROUP *group;
+
+		if ((ecdh=EC_KEY_new()) == NULL)
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+
+		/* Extract elliptic curve parameters and the
+		 * server's ephemeral ECDH public key.
+		 * Keep accumulating lengths of various components in
+		 * param_len and make sure it never exceeds n.
+		 */
+
+		/* XXX: For now we only support named (not generic) curves
+		 * and the ECParameters in this case is just three bytes.
+		 */
+		param_len=3;
+		if ((param_len > n) ||
+		    (*p != NAMED_CURVE_TYPE) || 
+		    ((curve_nid = curve_id2nid(*(p + 2))) == 0)) 
+			{
+			al=SSL_AD_INTERNAL_ERROR;
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
+			goto f_err;
+			}
+
+		ngroup = EC_GROUP_new_by_curve_name(curve_nid);
+		if (ngroup == NULL)
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
+			goto err;
+			}
+		if (EC_KEY_set_group(ecdh, ngroup) == 0)
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
+			goto err;
+			}
+		EC_GROUP_free(ngroup);
+
+		group = EC_KEY_get0_group(ecdh);
+
+		if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
+		    (EC_GROUP_get_degree(group) > 163))
+			{
+			al=SSL_AD_EXPORT_RESTRICTION;
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
+			goto f_err;
+			}
+
+		p+=3;
+
+		/* Next, get the encoded ECPoint */
+		if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
+		    ((bn_ctx = BN_CTX_new()) == NULL))
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+
+		encoded_pt_len = *p;  /* length of encoded point */
+		p+=1;
+		param_len += (1 + encoded_pt_len);
+		if ((param_len > n) ||
+		    (EC_POINT_oct2point(group, srvr_ecpoint, 
+			p, encoded_pt_len, bn_ctx) == 0))
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
+			goto f_err;
+			}
+
+		n-=param_len;
+		p+=encoded_pt_len;
+
+		/* The ECC/TLS specification does not mention
+		 * the use of DSA to sign ECParameters in the server
+		 * key exchange message. We do support RSA and ECDSA.
+		 */
+		if (0) ;
+#ifndef OPENSSL_NO_RSA
+		else if (alg & SSL_aRSA)
+			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
+#endif
+#ifndef OPENSSL_NO_ECDSA
+		else if (alg & SSL_aECDSA)
+			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
+#endif
+		/* else anonymous ECDH, so no certificate or pkey. */
+		EC_KEY_set_public_key(ecdh, srvr_ecpoint);
+		s->session->sess_cert->peer_ecdh_tmp=ecdh;
+		ecdh=NULL;
+		BN_CTX_free(bn_ctx);
+		EC_POINT_free(srvr_ecpoint);
+		srvr_ecpoint = NULL;
+		}
+	else if (alg & SSL_kECDH)
+		{
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
+		goto f_err;
+		}
+#endif /* !OPENSSL_NO_ECDH */
 	if (alg & SSL_aFZA)
 		{
 		al=SSL_AD_HANDSHAKE_FAILURE;
@@ -1137,7 +1309,6 @@ static int ssl3_get_key_exchange(SSL *s)
 
 	/* p points to the next byte, there are 'n' bytes left */
 
-
 	/* if it was signed, check the signature */
 	if (pkey != NULL)
 		{
@@ -1167,16 +1338,7 @@ static int ssl3_get_key_exchange(SSL *s)
 				EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
 				EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
 				EVP_DigestUpdate(&md_ctx,param,param_len);
-#ifdef OPENSSL_FIPS
-				if(s->version == TLS1_VERSION && num == 2)
-					FIPS_allow_md5(1);
-#endif
-				
 				EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
-#ifdef OPENSSL_FIPS
-				if(s->version == TLS1_VERSION && num == 2)
-					FIPS_allow_md5(1);
-#endif
 				q+=i;
 				j+=i;
 				}
@@ -1216,6 +1378,24 @@ static int ssl3_get_key_exchange(SSL *s)
 			}
 		else
 #endif
+#ifndef OPENSSL_NO_ECDSA
+			if (pkey->type == EVP_PKEY_EC)
+			{
+			/* let's do ECDSA */
+			EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL);
+			EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+			EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
+			EVP_VerifyUpdate(&md_ctx,param,param_len);
+			if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
+				{
+				/* bad signature */
+				al=SSL_AD_DECRYPT_ERROR;
+				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
+				goto f_err;
+				}
+			}
+		else
+#endif
 			{
 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
 			goto err;
@@ -1251,20 +1431,27 @@ err:
 	if (dh != NULL)
 		DH_free(dh);
 #endif
+#ifndef OPENSSL_NO_ECDH
+	BN_CTX_free(bn_ctx);
+	EC_POINT_free(srvr_ecpoint);
+	if (ecdh != NULL)
+		EC_KEY_free(ecdh);
+#endif
 	EVP_MD_CTX_cleanup(&md_ctx);
 	return(-1);
 	}
 
-static int ssl3_get_certificate_request(SSL *s)
+int ssl3_get_certificate_request(SSL *s)
 	{
 	int ok,ret=0;
 	unsigned long n,nc,l;
 	unsigned int llen,ctype_num,i;
 	X509_NAME *xn=NULL;
-	unsigned char *p,*d,*q;
+	const unsigned char *p,*q;
+	unsigned char *d;
 	STACK_OF(X509_NAME) *ca_sk=NULL;
 
-	n=ssl3_get_message(s,
+	n=s->method->ssl_get_message(s,
 		SSL3_ST_CR_CERT_REQ_A,
 		SSL3_ST_CR_CERT_REQ_B,
 		-1,
@@ -1300,7 +1487,7 @@ static int ssl3_get_certificate_request(SSL *s)
 			}
 		}
 
-	d=p=(unsigned char *)s->init_msg;
+	p=d=(unsigned char *)s->init_msg;
 
 	if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
 		{
@@ -1402,12 +1589,12 @@ static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
 	return(X509_NAME_cmp(*a,*b));
 	}
 
-static int ssl3_get_server_done(SSL *s)
+int ssl3_get_server_done(SSL *s)
 	{
 	int ok,ret=0;
 	long n;
 
-	n=ssl3_get_message(s,
+	n=s->method->ssl_get_message(s,
 		SSL3_ST_CR_SRVR_DONE_A,
 		SSL3_ST_CR_SRVR_DONE_B,
 		SSL3_MT_SERVER_DONE,
@@ -1426,7 +1613,8 @@ static int ssl3_get_server_done(SSL *s)
 	return(ret);
 	}
 
-static int ssl3_send_client_key_exchange(SSL *s)
+
+int ssl3_send_client_key_exchange(SSL *s)
 	{
 	unsigned char *p,*d;
 	int n;
@@ -1436,8 +1624,16 @@ static int ssl3_send_client_key_exchange(SSL *s)
 	EVP_PKEY *pkey=NULL;
 #endif
 #ifndef OPENSSL_NO_KRB5
-        KSSL_ERR kssl_err;
+	KSSL_ERR kssl_err;
 #endif /* OPENSSL_NO_KRB5 */
+#ifndef OPENSSL_NO_ECDH
+	EC_KEY *clnt_ecdh = NULL;
+	const EC_POINT *srvr_ecpoint = NULL;
+	EVP_PKEY *srvr_pub_pkey = NULL;
+	unsigned char *encodedPoint = NULL;
+	int encoded_pt_len = 0;
+	BN_CTX * bn_ctx = NULL;
+#endif
 
 	if (s->state == SSL3_ST_CW_KEY_EXCH_A)
 		{
@@ -1446,8 +1642,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
 
 		l=s->s3->tmp.new_cipher->algorithms;
 
-                /* Fool emacs indentation */
-                if (0) {}
+		/* Fool emacs indentation */
+		if (0) {}
 #ifndef OPENSSL_NO_RSA
 		else if (l & SSL_kRSA)
 			{
@@ -1509,12 +1705,12 @@ static int ssl3_send_client_key_exchange(SSL *s)
 #endif
 #ifndef OPENSSL_NO_KRB5
 		else if (l & SSL_kKRB5)
-                        {
-                        krb5_error_code	krb5rc;
-                        KSSL_CTX	*kssl_ctx = s->kssl_ctx;
-                        /*  krb5_data	krb5_ap_req;  */
-                        krb5_data	*enc_ticket;
-                        krb5_data	authenticator, *authp = NULL;
+			{
+			krb5_error_code	krb5rc;
+			KSSL_CTX	*kssl_ctx = s->kssl_ctx;
+			/*  krb5_data	krb5_ap_req;  */
+			krb5_data	*enc_ticket;
+			krb5_data	authenticator, *authp = NULL;
 			EVP_CIPHER_CTX	ciph_ctx;
 			EVP_CIPHER	*enc = NULL;
 			unsigned char	iv[EVP_MAX_IV_LENGTH];
@@ -1526,8 +1722,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
 			EVP_CIPHER_CTX_init(&ciph_ctx);
 
 #ifdef KSSL_DEBUG
-                        printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
-                                l, SSL_kKRB5);
+			printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
+			        l, SSL_kKRB5);
 #endif	/* KSSL_DEBUG */
 
 			authp = NULL;
@@ -1535,37 +1731,37 @@ static int ssl3_send_client_key_exchange(SSL *s)
 			if (KRB5SENDAUTH)  authp = &authenticator;
 #endif	/* KRB5SENDAUTH */
 
-                        krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
+			krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
 				&kssl_err);
 			enc = kssl_map_enc(kssl_ctx->enctype);
-                        if (enc == NULL)
-                            goto err;
+			if (enc == NULL)
+			    goto err;
 #ifdef KSSL_DEBUG
-                        {
-                        printf("kssl_cget_tkt rtn %d\n", krb5rc);
-                        if (krb5rc && kssl_err.text)
+			{
+			printf("kssl_cget_tkt rtn %d\n", krb5rc);
+			if (krb5rc && kssl_err.text)
 			  printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
-                        }
+			}
 #endif	/* KSSL_DEBUG */
 
-                        if (krb5rc)
-                                {
-                                ssl3_send_alert(s,SSL3_AL_FATAL,
+			if (krb5rc)
+				{
+				ssl3_send_alert(s,SSL3_AL_FATAL,
 						SSL_AD_HANDSHAKE_FAILURE);
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
 						kssl_err.reason);
-                                goto err;
-                                }
+				goto err;
+				}
 
 			/*  20010406 VRS - Earlier versions used KRB5 AP_REQ
 			**  in place of RFC 2712 KerberosWrapper, as in:
 			**
-                        **  Send ticket (copy to *p, set n = length)
-                        **  n = krb5_ap_req.length;
-                        **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
-                        **  if (krb5_ap_req.data)  
-                        **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
-                        **
+			**  Send ticket (copy to *p, set n = length)
+			**  n = krb5_ap_req.length;
+			**  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
+			**  if (krb5_ap_req.data)  
+			**    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
+			**
 			**  Now using real RFC 2712 KerberosWrapper
 			**  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
 			**  Note: 2712 "opaque" types are here replaced
@@ -1630,14 +1826,14 @@ static int ssl3_send_client_key_exchange(SSL *s)
 			p+=outl;
 			n+=outl + 2;
 
-                        s->session->master_key_length=
-                                s->method->ssl3_enc->generate_master_secret(s,
+			s->session->master_key_length=
+			        s->method->ssl3_enc->generate_master_secret(s,
 					s->session->master_key,
 					tmp_buf, sizeof tmp_buf);
 
 			OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
 			OPENSSL_cleanse(epms, outl);
-                        }
+			}
 #endif
 #ifndef OPENSSL_NO_DH
 		else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
@@ -1695,10 +1891,198 @@ static int ssl3_send_client_key_exchange(SSL *s)
 			/* perhaps clean things up a bit EAY EAY EAY EAY*/
 			}
 #endif
+
+#ifndef OPENSSL_NO_ECDH 
+		else if ((l & SSL_kECDH) || (l & SSL_kECDHE))
+			{
+			const EC_GROUP *srvr_group = NULL;
+			EC_KEY *tkey;
+			int ecdh_clnt_cert = 0;
+			int field_size = 0;
+
+			/* Did we send out the client's
+			 * ECDH share for use in premaster
+			 * computation as part of client certificate?
+			 * If so, set ecdh_clnt_cert to 1.
+			 */
+			if ((l & SSL_kECDH) && (s->cert != NULL)) 
+				{
+				/* XXX: For now, we do not support client
+				 * authentication using ECDH certificates.
+				 * To add such support, one needs to add
+				 * code that checks for appropriate 
+				 * conditions and sets ecdh_clnt_cert to 1.
+				 * For example, the cert have an ECC
+				 * key on the same curve as the server's
+				 * and the key should be authorized for
+				 * key agreement.
+				 *
+				 * One also needs to add code in ssl3_connect
+				 * to skip sending the certificate verify
+				 * message.
+				 *
+				 * if ((s->cert->key->privatekey != NULL) &&
+				 *     (s->cert->key->privatekey->type ==
+				 *      EVP_PKEY_EC) && ...)
+				 * ecdh_clnt_cert = 1;
+				 */
+				}
+
+			if (s->session->sess_cert->peer_ecdh_tmp != NULL)
+				{
+				tkey = s->session->sess_cert->peer_ecdh_tmp;
+				}
+			else
+				{
+				/* Get the Server Public Key from Cert */
+				srvr_pub_pkey = X509_get_pubkey(s->session-> \
+				    sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
+				if ((srvr_pub_pkey == NULL) ||
+				    (srvr_pub_pkey->type != EVP_PKEY_EC) ||
+				    (srvr_pub_pkey->pkey.ec == NULL))
+					{
+					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+					    ERR_R_INTERNAL_ERROR);
+					goto err;
+					}
+
+				tkey = srvr_pub_pkey->pkey.ec;
+				}
+
+			srvr_group   = EC_KEY_get0_group(tkey);
+			srvr_ecpoint = EC_KEY_get0_public_key(tkey);
+
+			if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
+				{
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+				    ERR_R_INTERNAL_ERROR);
+				goto err;
+				}
+
+			if ((clnt_ecdh=EC_KEY_new()) == NULL) 
+				{
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+
+			if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
+				{
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
+				goto err;
+				}
+			if (ecdh_clnt_cert) 
+				{ 
+				/* Reuse key info from our certificate
+				 * We only need our private key to perform
+				 * the ECDH computation.
+				 */
+				const BIGNUM *priv_key;
+				tkey = s->cert->key->privatekey->pkey.ec;
+				priv_key = EC_KEY_get0_private_key(tkey);
+				if (priv_key == NULL)
+					{
+					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+					goto err;
+					}
+				if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
+					{
+					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
+					goto err;
+					}
+				}
+			else 
+				{
+				/* Generate a new ECDH key pair */
+				if (!(EC_KEY_generate_key(clnt_ecdh)))
+					{
+					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
+					goto err;
+					}
+				}
+
+			/* use the 'p' output buffer for the ECDH key, but
+			 * make sure to clear it out afterwards
+			 */
+
+			field_size = EC_GROUP_get_degree(srvr_group);
+			if (field_size <= 0)
+				{
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 
+				       ERR_R_ECDH_LIB);
+				goto err;
+				}
+			n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
+			if (n <= 0)
+				{
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 
+				       ERR_R_ECDH_LIB);
+				goto err;
+				}
+
+			/* generate master key from the result */
+			s->session->master_key_length = s->method->ssl3_enc \
+			    -> generate_master_secret(s, 
+				s->session->master_key,
+				p, n);
+
+			memset(p, 0, n); /* clean up */
+
+			if (ecdh_clnt_cert) 
+				{
+				/* Send empty client key exch message */
+				n = 0;
+				}
+			else 
+				{
+				/* First check the size of encoding and
+				 * allocate memory accordingly.
+				 */
+				encoded_pt_len = 
+				    EC_POINT_point2oct(srvr_group, 
+					EC_KEY_get0_public_key(clnt_ecdh), 
+					POINT_CONVERSION_UNCOMPRESSED, 
+					NULL, 0, NULL);
+
+				encodedPoint = (unsigned char *) 
+				    OPENSSL_malloc(encoded_pt_len * 
+					sizeof(unsigned char)); 
+				bn_ctx = BN_CTX_new();
+				if ((encodedPoint == NULL) || 
+				    (bn_ctx == NULL)) 
+					{
+					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+					goto err;
+					}
+
+				/* Encode the public key */
+				n = EC_POINT_point2oct(srvr_group, 
+				    EC_KEY_get0_public_key(clnt_ecdh), 
+				    POINT_CONVERSION_UNCOMPRESSED, 
+				    encodedPoint, encoded_pt_len, bn_ctx);
+
+				*p = n; /* length of encoded point */
+				/* Encoded point will be copied here */
+				p += 1; 
+				/* copy the point */
+				memcpy((unsigned char *)p, encodedPoint, n);
+				/* increment n to account for length field */
+				n += 1; 
+				}
+
+			/* Free allocated memory */
+			BN_CTX_free(bn_ctx);
+			if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
+			if (clnt_ecdh != NULL) 
+				 EC_KEY_free(clnt_ecdh);
+			EVP_PKEY_free(srvr_pub_pkey);
+			}
+#endif /* !OPENSSL_NO_ECDH */
 		else
 			{
-			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
-			SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+			ssl3_send_alert(s, SSL3_AL_FATAL,
+			    SSL_AD_HANDSHAKE_FAILURE);
+			SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+			    ERR_R_INTERNAL_ERROR);
 			goto err;
 			}
 		
@@ -1714,10 +2098,17 @@ static int ssl3_send_client_key_exchange(SSL *s)
 	/* SSL3_ST_CW_KEY_EXCH_B */
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 err:
+#ifndef OPENSSL_NO_ECDH
+	BN_CTX_free(bn_ctx);
+	if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
+	if (clnt_ecdh != NULL) 
+		EC_KEY_free(clnt_ecdh);
+	EVP_PKEY_free(srvr_pub_pkey);
+#endif
 	return(-1);
 	}
 
-static int ssl3_send_client_verify(SSL *s)
+int ssl3_send_client_verify(SSL *s)
 	{
 	unsigned char *p,*d;
 	unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
@@ -1726,7 +2117,7 @@ static int ssl3_send_client_verify(SSL *s)
 	unsigned u=0;
 #endif
 	unsigned long n;
-#ifndef OPENSSL_NO_DSA
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
 	int j;
 #endif
 
@@ -1772,6 +2163,23 @@ static int ssl3_send_client_verify(SSL *s)
 			}
 		else
 #endif
+#ifndef OPENSSL_NO_ECDSA
+			if (pkey->type == EVP_PKEY_EC)
+			{
+			if (!ECDSA_sign(pkey->save_type,
+				&(data[MD5_DIGEST_LENGTH]),
+				SHA_DIGEST_LENGTH,&(p[2]),
+				(unsigned int *)&j,pkey->pkey.ec))
+				{
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
+				    ERR_R_ECDSA_LIB);
+				goto err;
+				}
+			s2n(j,p);
+			n=j+2;
+			}
+		else
+#endif
 			{
 			SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
 			goto err;
@@ -1788,7 +2196,7 @@ err:
 	return(-1);
 	}
 
-static int ssl3_send_client_certificate(SSL *s)
+int ssl3_send_client_certificate(SSL *s)
 	{
 	X509 *x509=NULL;
 	EVP_PKEY *pkey=NULL;
@@ -1867,7 +2275,7 @@ static int ssl3_send_client_certificate(SSL *s)
 
 #define has_bits(i,m)	(((i)&(m)) == (m))
 
-static int ssl3_check_cert_and_algorithm(SSL *s)
+int ssl3_check_cert_and_algorithm(SSL *s)
 	{
 	int i,idx;
 	long algs;
@@ -1904,6 +2312,21 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
 	/* This is the passed certificate */
 
 	idx=sc->peer_cert_type;
+#ifndef OPENSSL_NO_ECDH
+	if (idx == SSL_PKEY_ECC)
+		{
+		if (check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
+		    s->s3->tmp.new_cipher) == 0) 
+			{ /* check failed */
+			SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
+			goto f_err;			
+			}
+		else 
+			{
+			return 1;
+			}
+		}
+#endif
 	pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
 	i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
 	EVP_PKEY_free(pkey);
@@ -1989,3 +2412,45 @@ err:
 	return(0);
 	}
 
+
+#ifndef OPENSSL_NO_ECDH
+/* This is the complement of nid2curve_id in s3_srvr.c. */
+static int curve_id2nid(int curve_id)
+{
+	/* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
+	 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
+	static int nid_list[26] =
+	{
+		0,
+		NID_sect163k1, /* sect163k1 (1) */
+		NID_sect163r1, /* sect163r1 (2) */
+		NID_sect163r2, /* sect163r2 (3) */
+		NID_sect193r1, /* sect193r1 (4) */ 
+		NID_sect193r2, /* sect193r2 (5) */ 
+		NID_sect233k1, /* sect233k1 (6) */
+		NID_sect233r1, /* sect233r1 (7) */ 
+		NID_sect239k1, /* sect239k1 (8) */ 
+		NID_sect283k1, /* sect283k1 (9) */
+		NID_sect283r1, /* sect283r1 (10) */ 
+		NID_sect409k1, /* sect409k1 (11) */ 
+		NID_sect409r1, /* sect409r1 (12) */
+		NID_sect571k1, /* sect571k1 (13) */ 
+		NID_sect571r1, /* sect571r1 (14) */ 
+		NID_secp160k1, /* secp160k1 (15) */
+		NID_secp160r1, /* secp160r1 (16) */ 
+		NID_secp160r2, /* secp160r2 (17) */ 
+		NID_secp192k1, /* secp192k1 (18) */
+		NID_X9_62_prime192v1, /* secp192r1 (19) */ 
+		NID_secp224k1, /* secp224k1 (20) */ 
+		NID_secp224r1, /* secp224r1 (21) */
+		NID_secp256k1, /* secp256k1 (22) */ 
+		NID_X9_62_prime256v1, /* secp256r1 (23) */ 
+		NID_secp384r1, /* secp384r1 (24) */
+		NID_secp521r1  /* secp521r1 (25) */	
+	};
+	
+	if ((curve_id < 1) || (curve_id > 25)) return 0;
+
+	return nid_list[curve_id];
+}
+#endif
diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c
index 92efb9597d38..561a9846e974 100644
--- a/crypto/openssl/ssl/s3_enc.c
+++ b/crypto/openssl/ssl/s3_enc.c
@@ -139,7 +139,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 	EVP_MD_CTX s1;
 	unsigned char buf[16],smd[SHA_DIGEST_LENGTH];
 	unsigned char c='A';
-	int i,j,k;
+	unsigned int i,j,k;
 
 #ifdef CHARSET_EBCDIC
 	c = os_toascii[c]; /*'A' in ASCII */
@@ -147,7 +147,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 	k=0;
 	EVP_MD_CTX_init(&m5);
 	EVP_MD_CTX_init(&s1);
-	for (i=0; i<num; i+=MD5_DIGEST_LENGTH)
+	for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
 		{
 		k++;
 		if (k > sizeof buf)
@@ -172,7 +172,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 		EVP_DigestUpdate(&m5,s->session->master_key,
 			s->session->master_key_length);
 		EVP_DigestUpdate(&m5,smd,SHA_DIGEST_LENGTH);
-		if ((i+MD5_DIGEST_LENGTH) > num)
+		if ((int)(i+MD5_DIGEST_LENGTH) > num)
 			{
 			EVP_DigestFinal_ex(&m5,smd,NULL);
 			memcpy(km,smd,(num-i));
@@ -196,7 +196,9 @@ int ssl3_change_cipher_state(SSL *s, int which)
 	unsigned char *ms,*key,*iv,*er1,*er2;
 	EVP_CIPHER_CTX *dd;
 	const EVP_CIPHER *c;
+#ifndef OPENSSL_NO_COMP
 	COMP_METHOD *comp;
+#endif
 	const EVP_MD *m;
 	EVP_MD_CTX md;
 	int is_exp,n,i,j,k,cl;
@@ -205,10 +207,12 @@ int ssl3_change_cipher_state(SSL *s, int which)
 	is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
 	c=s->s3->tmp.new_sym_enc;
 	m=s->s3->tmp.new_hash;
+#ifndef OPENSSL_NO_COMP
 	if (s->s3->tmp.new_compression == NULL)
 		comp=NULL;
 	else
 		comp=s->s3->tmp.new_compression->method;
+#endif
 	key_block=s->s3->tmp.key_block;
 
 	if (which & SSL3_CC_READ)
@@ -219,6 +223,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
 			goto err;
 		dd= s->enc_read_ctx;
 		s->read_hash=m;
+#ifndef OPENSSL_NO_COMP
 		/* COMPRESS */
 		if (s->expand != NULL)
 			{
@@ -239,6 +244,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
 			if (s->s3->rrec.comp == NULL)
 				goto err;
 			}
+#endif
 		memset(&(s->s3->read_sequence[0]),0,8);
 		mac_secret= &(s->s3->read_mac_secret[0]);
 		}
@@ -250,6 +256,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
 			goto err;
 		dd= s->enc_write_ctx;
 		s->write_hash=m;
+#ifndef OPENSSL_NO_COMP
 		/* COMPRESS */
 		if (s->compress != NULL)
 			{
@@ -265,6 +272,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
 				goto err2;
 				}
 			}
+#endif
 		memset(&(s->s3->write_sequence[0]),0,8);
 		mac_secret= &(s->s3->write_mac_secret[0]);
 		}
@@ -277,7 +285,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
 	i=EVP_MD_size(m);
 	cl=EVP_CIPHER_key_length(c);
 	j=is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
-		    cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
+		 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
 	/* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
 	k=EVP_CIPHER_iv_length(c);
 	if (	(which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
@@ -363,7 +371,11 @@ int ssl3_setup_key_block(SSL *s)
 
 	s->s3->tmp.new_sym_enc=c;
 	s->s3->tmp.new_hash=hash;
+#ifdef OPENSSL_NO_COMP
+	s->s3->tmp.new_compression=NULL;
+#else
 	s->s3->tmp.new_compression=comp;
+#endif
 
 	num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
 	num*=2;
@@ -569,7 +581,7 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
 	const EVP_MD *hash;
 	unsigned char *p,rec_char;
 	unsigned int md_size;
-	int npad,i;
+	int npad;
 
 	if (send)
 		{
@@ -612,13 +624,19 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
 
 	EVP_MD_CTX_cleanup(&md_ctx);
 
+	ssl3_record_sequence_update(seq);
+	return(md_size);
+	}
+
+void ssl3_record_sequence_update(unsigned char *seq)
+	{
+	int i;
+
 	for (i=7; i>=0; i--)
 		{
 		++seq[i];
 		if (seq[i] != 0) break; 
 		}
-
-	return(md_size);
 	}
 
 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c
index e7b15431b1aa..401ddd7d3d04 100644
--- a/crypto/openssl/ssl/s3_lib.c
+++ b/crypto/openssl/ssl/s3_lib.c
@@ -108,19 +108,35 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * ECC cipher suite support in OpenSSL originally written by
+ * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
+ *
+ */
 
 #include <stdio.h>
 #include <openssl/objects.h>
 #include "ssl_locl.h"
 #include "kssl_lcl.h"
 #include <openssl/md5.h>
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/pq_compat.h>
 
 const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT;
 
 #define SSL3_NUM_CIPHERS	(sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
 
-static long ssl3_default_timeout(void );
-
+/* list of available SSLv3 ciphers (sorted by id) */
 OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 /* The RSA ciphers */
 /* Cipher 01 */
@@ -142,82 +158,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_RSA_NULL_SHA,
 	SSL3_CK_RSA_NULL_SHA,
 	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
+	SSL_NOT_EXP|SSL_STRONG_NONE,
 	0,
 	0,
 	0,
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
-
-/* anon DH */
-/* Cipher 17 */
-	{
-	1,
-	SSL3_TXT_ADH_RC4_40_MD5,
-	SSL3_CK_ADH_RC4_40_MD5,
-	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
-	SSL_EXPORT|SSL_EXP40,
-	0,
-	40,
-	128,
-	SSL_ALL_CIPHERS,
-	SSL_ALL_STRENGTHS,
-	},
-/* Cipher 18 */
-	{
-	1,
-	SSL3_TXT_ADH_RC4_128_MD5,
-	SSL3_CK_ADH_RC4_128_MD5,
-	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
-	SSL_NOT_EXP|SSL_MEDIUM,
-	0,
-	128,
-	128,
-	SSL_ALL_CIPHERS,
-	SSL_ALL_STRENGTHS,
-	},
-/* Cipher 19 */
-	{
-	1,
-	SSL3_TXT_ADH_DES_40_CBC_SHA,
-	SSL3_CK_ADH_DES_40_CBC_SHA,
-	SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
-	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
-	0,
-	40,
-	128,
-	SSL_ALL_CIPHERS,
-	SSL_ALL_STRENGTHS,
-	},
-/* Cipher 1A */
-	{
-	1,
-	SSL3_TXT_ADH_DES_64_CBC_SHA,
-	SSL3_CK_ADH_DES_64_CBC_SHA,
-	SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
-	0,
-	56,
-	56,
-	SSL_ALL_CIPHERS,
-	SSL_ALL_STRENGTHS,
-	},
-/* Cipher 1B */
-	{
-	1,
-	SSL3_TXT_ADH_DES_192_CBC_SHA,
-	SSL3_CK_ADH_DES_192_CBC_SHA,
-	SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-	0,
-	168,
-	168,
-	SSL_ALL_CIPHERS,
-	SSL_ALL_STRENGTHS,
-	},
-
-/* RSA again */
 /* Cipher 03 */
 	{
 	1,
@@ -291,7 +238,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_RSA_DES_40_CBC_SHA,
 	SSL3_CK_RSA_DES_40_CBC_SHA,
 	SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
-	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
+	SSL_EXPORT|SSL_EXP40,
 	0,
 	40,
 	56,
@@ -304,7 +251,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_RSA_DES_64_CBC_SHA,
 	SSL3_CK_RSA_DES_64_CBC_SHA,
 	SSL_kRSA|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
+	SSL_NOT_EXP|SSL_LOW,
 	0,
 	56,
 	56,
@@ -317,22 +264,21 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_RSA_DES_192_CBC3_SHA,
 	SSL3_CK_RSA_DES_192_CBC3_SHA,
 	SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH,
 	0,
 	168,
 	168,
 	SSL_ALL_CIPHERS,
 	SSL_ALL_STRENGTHS,
 	},
-
-/*  The DH ciphers */
+/* The DH ciphers */
 /* Cipher 0B */
 	{
 	0,
 	SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
 	SSL3_CK_DH_DSS_DES_40_CBC_SHA,
 	SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
-	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
+	SSL_EXPORT|SSL_EXP40,
 	0,
 	40,
 	56,
@@ -345,7 +291,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
 	SSL3_CK_DH_DSS_DES_64_CBC_SHA,
 	SSL_kDHd |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
+	SSL_NOT_EXP|SSL_LOW,
 	0,
 	56,
 	56,
@@ -358,7 +304,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
 	SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
 	SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH,
 	0,
 	168,
 	168,
@@ -371,7 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
 	SSL3_CK_DH_RSA_DES_40_CBC_SHA,
 	SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
-	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
+	SSL_EXPORT|SSL_EXP40,
 	0,
 	40,
 	56,
@@ -384,7 +330,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
 	SSL3_CK_DH_RSA_DES_64_CBC_SHA,
 	SSL_kDHr |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
+	SSL_NOT_EXP|SSL_LOW,
 	0,
 	56,
 	56,
@@ -397,7 +343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
 	SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
 	SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH,
 	0,
 	168,
 	168,
@@ -412,7 +358,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
 	SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
 	SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
-	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
+	SSL_EXPORT|SSL_EXP40,
 	0,
 	40,
 	56,
@@ -425,7 +371,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
 	SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
 	SSL_kEDH|SSL_aDSS|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
+	SSL_NOT_EXP|SSL_LOW,
 	0,
 	56,
 	56,
@@ -438,7 +384,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
 	SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
 	SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH,
 	0,
 	168,
 	168,
@@ -451,7 +397,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
 	SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
 	SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
-	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
+	SSL_EXPORT|SSL_EXP40,
 	0,
 	40,
 	56,
@@ -464,7 +410,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
 	SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
 	SSL_kEDH|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
+	SSL_NOT_EXP|SSL_LOW,
 	0,
 	56,
 	56,
@@ -477,7 +423,72 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
 	SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
 	SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	168,
+	168,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 17 */
+	{
+	1,
+	SSL3_TXT_ADH_RC4_40_MD5,
+	SSL3_CK_ADH_RC4_40_MD5,
+	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
+	0,
+	40,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 18 */
+	{
+	1,
+	SSL3_TXT_ADH_RC4_128_MD5,
+	SSL3_CK_ADH_RC4_128_MD5,
+	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
+	SSL_NOT_EXP|SSL_MEDIUM,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 19 */
+	{
+	1,
+	SSL3_TXT_ADH_DES_40_CBC_SHA,
+	SSL3_CK_ADH_DES_40_CBC_SHA,
+	SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
+	0,
+	40,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 1A */
+	{
+	1,
+	SSL3_TXT_ADH_DES_64_CBC_SHA,
+	SSL3_CK_ADH_DES_64_CBC_SHA,
+	SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_LOW,
+	0,
+	56,
+	56,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 1B */
+	{
+	1,
+	SSL3_TXT_ADH_DES_192_CBC_SHA,
+	SSL3_CK_ADH_DES_192_CBC_SHA,
+	SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_HIGH,
 	0,
 	168,
 	168,
@@ -731,7 +742,165 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_ALL_STRENGTHS,
 	},
 #endif	/* OPENSSL_NO_KRB5 */
+/* New AES ciphersuites */
 
+/* Cipher 2F */
+	{
+	1,
+	TLS1_TXT_RSA_WITH_AES_128_SHA,
+	TLS1_CK_RSA_WITH_AES_128_SHA,
+	SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 30 */
+	{
+	0,
+	TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
+	TLS1_CK_DH_DSS_WITH_AES_128_SHA,
+	SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 31 */
+	{
+	0,
+	TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
+	TLS1_CK_DH_RSA_WITH_AES_128_SHA,
+	SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 32 */
+	{
+	1,
+	TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
+	TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
+	SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 33 */
+	{
+	1,
+	TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
+	TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
+	SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 34 */
+	{
+	1,
+	TLS1_TXT_ADH_WITH_AES_128_SHA,
+	TLS1_CK_ADH_WITH_AES_128_SHA,
+	SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	128,
+	128,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+
+/* Cipher 35 */
+	{
+	1,
+	TLS1_TXT_RSA_WITH_AES_256_SHA,
+	TLS1_CK_RSA_WITH_AES_256_SHA,
+	SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	256,
+	256,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 36 */
+	{
+	0,
+	TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
+	TLS1_CK_DH_DSS_WITH_AES_256_SHA,
+	SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	256,
+	256,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 37 */
+	{
+	0,
+	TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
+	TLS1_CK_DH_RSA_WITH_AES_256_SHA,
+	SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	256,
+	256,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 38 */
+	{
+	1,
+	TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
+	TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
+	SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	256,
+	256,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+/* Cipher 39 */
+	{
+	1,
+	TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
+	TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
+	SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	256,
+	256,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
+	/* Cipher 3A */
+	{
+	1,
+	TLS1_TXT_ADH_WITH_AES_256_SHA,
+	TLS1_CK_ADH_WITH_AES_256_SHA,
+	SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	0,
+	256,
+	256,
+	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
+	},
 
 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
 	/* New TLS Export CipherSuites */
@@ -767,7 +936,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
 	    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
 	    SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
-	    SSL_EXPORT|SSL_EXP56|SSL_FIPS,
+	    SSL_EXPORT|SSL_EXP56,
 	    0,
 	    56,
 	    56,
@@ -780,7 +949,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
 	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
 	    SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
-	    SSL_EXPORT|SSL_EXP56|SSL_FIPS,
+	    SSL_EXPORT|SSL_EXP56,
 	    0,
 	    56,
 	    56,
@@ -827,170 +996,362 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    SSL_ALL_STRENGTHS
 	    },
 #endif
-	/* New AES ciphersuites */
-
-	/* Cipher 2F */
+#ifndef OPENSSL_NO_ECDH
+	/* Cipher C001 */
 	    {
-	    1,
-	    TLS1_TXT_RSA_WITH_AES_128_SHA,
-	    TLS1_CK_RSA_WITH_AES_128_SHA,
-	    SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
-	    0,
-	    128,
-	    128,
-	    SSL_ALL_CIPHERS,
-	    SSL_ALL_STRENGTHS,
-	    },
-	/* Cipher 30 */
+            1,
+            TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
+            TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
+            SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
+            0,
+            0,
+            0,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C002 */
 	    {
-	    0,
-	    TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
-	    TLS1_CK_DH_DSS_WITH_AES_128_SHA,
-	    SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
-	    0,
-	    128,
-	    128,
-	    SSL_ALL_CIPHERS,
-	    SSL_ALL_STRENGTHS,
-	    },
-	/* Cipher 31 */
+            1,
+            TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
+            TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
+            SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
+            0,
+            128,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C003 */
 	    {
-	    0,
-	    TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
-	    TLS1_CK_DH_RSA_WITH_AES_128_SHA,
-	    SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
-	    0,
-	    128,
-	    128,
-	    SSL_ALL_CIPHERS,
-	    SSL_ALL_STRENGTHS,
-	    },
-	/* Cipher 32 */
+            1,
+            TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
+            TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
+            SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            168,
+            168,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C004 */
 	    {
-	    1,
-	    TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
-	    TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
-	    SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
-	    0,
-	    128,
-	    128,
-	    SSL_ALL_CIPHERS,
-	    SSL_ALL_STRENGTHS,
-	    },
-	/* Cipher 33 */
+            1,
+            TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+            TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+            SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            128,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C005 */
 	    {
-	    1,
-	    TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
-	    TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
-	    SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
-	    0,
-	    128,
-	    128,
-	    SSL_ALL_CIPHERS,
-	    SSL_ALL_STRENGTHS,
-	    },
-	/* Cipher 34 */
+            1,
+            TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+            TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+            SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            256,
+            256,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C006 */
 	    {
-	    1,
-	    TLS1_TXT_ADH_WITH_AES_128_SHA,
-	    TLS1_CK_ADH_WITH_AES_128_SHA,
-	    SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
-	    0,
-	    128,
-	    128,
-	    SSL_ALL_CIPHERS,
-	    SSL_ALL_STRENGTHS,
-	    },
-
-	/* Cipher 35 */
+            1,
+            TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
+            TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
+            SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
+            0,
+            0,
+            0,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C007 */
 	    {
-	    1,
-	    TLS1_TXT_RSA_WITH_AES_256_SHA,
-	    TLS1_CK_RSA_WITH_AES_256_SHA,
-	    SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-	    0,
-	    256,
-	    256,
-	    SSL_ALL_CIPHERS,
-	    SSL_ALL_STRENGTHS,
-	    },
-	/* Cipher 36 */
+            1,
+            TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
+            TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
+            SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
+            0,
+            128,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C008 */
 	    {
-	    0,
-	    TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
-	    TLS1_CK_DH_DSS_WITH_AES_256_SHA,
-	    SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-	    0,
-	    256,
-	    256,
-	    SSL_ALL_CIPHERS,
-	    SSL_ALL_STRENGTHS,
-	    },
-	/* Cipher 37 */
+            1,
+            TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
+            TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
+            SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            168,
+            168,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C009 */
 	    {
-	    0,
-	    TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
-	    TLS1_CK_DH_RSA_WITH_AES_256_SHA,
-	    SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-	    0,
-	    256,
-	    256,
-	    SSL_ALL_CIPHERS,
-	    SSL_ALL_STRENGTHS,
-	    },
-	/* Cipher 38 */
+            1,
+            TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+            TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+            SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            128,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C00A */
 	    {
-	    1,
-	    TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
-	    TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
-	    SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-	    0,
-	    256,
-	    256,
-	    SSL_ALL_CIPHERS,
-	    SSL_ALL_STRENGTHS,
-	    },
-	/* Cipher 39 */
+            1,
+            TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+            TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+            SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            256,
+            256,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C00B */
 	    {
-	    1,
-	    TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
-	    TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
-	    SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-	    0,
-	    256,
-	    256,
-	    SSL_ALL_CIPHERS,
-	    SSL_ALL_STRENGTHS,
-	    },
-	/* Cipher 3A */
+            1,
+            TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
+            TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
+            SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
+            0,
+            0,
+            0,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C00C */
 	    {
-	    1,
-	    TLS1_TXT_ADH_WITH_AES_256_SHA,
-	    TLS1_CK_ADH_WITH_AES_256_SHA,
-	    SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-	    0,
-	    256,
-	    256,
-	    SSL_ALL_CIPHERS,
-	    SSL_ALL_STRENGTHS,
+            1,
+            TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
+            TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
+            SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
+            0,
+            128,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C00D */
+	    {
+            1,
+            TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
+            TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
+            SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            168,
+            168,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C00E */
+	    {
+            1,
+            TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
+            TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
+            SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            128,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C00F */
+	    {
+            1,
+            TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
+            TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
+            SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            256,
+            256,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C010 */
+	    {
+            1,
+            TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
+            TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
+            SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
+            0,
+            0,
+            0,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C011 */
+	    {
+            1,
+            TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
+            TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
+            SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
+            0,
+            128,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C012 */
+	    {
+            1,
+            TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
+            TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
+            SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            168,
+            168,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C013 */
+	    {
+            1,
+            TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+            TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+            SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            128,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C014 */
+	    {
+            1,
+            TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+            TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+            SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            256,
+            256,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C015 */
+            {
+            1,
+            TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
+            TLS1_CK_ECDH_anon_WITH_NULL_SHA,
+            SSL_kECDHE|SSL_aNULL|SSL_eNULL|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
+            0,
+            0,
+            0,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+	    },
+
+	/* Cipher C016 */
+            {
+            1,
+            TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
+            TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
+            SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP,
+            0,
+            128,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
 	    },
 
+	/* Cipher C017 */
+	    {
+            1,
+            TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
+            TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
+            SSL_kECDHE|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            168,
+            168,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C018 */
+	    {
+            1,
+            TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
+            TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
+            SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            128,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+	/* Cipher C019 */
+	    {
+            1,
+            TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
+            TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
+            SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+            SSL_NOT_EXP|SSL_HIGH,
+            0,
+            256,
+            256,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+#endif	/* OPENSSL_NO_ECDH */
+
 /* end of list */
 	};
 
-static SSL3_ENC_METHOD SSLv3_enc_data={
+SSL3_ENC_METHOD SSLv3_enc_data={
 	ssl3_enc,
 	ssl3_mac,
 	ssl3_setup_key_block,
@@ -1004,45 +1365,17 @@ static SSL3_ENC_METHOD SSLv3_enc_data={
 	ssl3_alert_code,
 	};
 
-static SSL_METHOD SSLv3_data= {
-	SSL3_VERSION,
-	ssl3_new,
-	ssl3_clear,
-	ssl3_free,
-	ssl_undefined_function,
-	ssl_undefined_function,
-	ssl3_read,
-	ssl3_peek,
-	ssl3_write,
-	ssl3_shutdown,
-	ssl3_renegotiate,
-	ssl3_renegotiate_check,
-	ssl3_ctrl,
-	ssl3_ctx_ctrl,
-	ssl3_get_cipher_by_char,
-	ssl3_put_cipher_by_char,
-	ssl3_pending,
-	ssl3_num_ciphers,
-	ssl3_get_cipher,
-	ssl_bad_method,
-	ssl3_default_timeout,
-	&SSLv3_enc_data,
-	ssl_undefined_function,
-	ssl3_callback_ctrl,
-	ssl3_ctx_callback_ctrl,
-	};
-
-static long ssl3_default_timeout(void)
+long ssl3_default_timeout(void)
 	{
 	/* 2 hours, the 24 hours mentioned in the SSLv3 spec
 	 * is way too long for http, the cache would over fill */
 	return(60*60*2);
 	}
 
-SSL_METHOD *sslv3_base_method(void)
-	{
-	return(&SSLv3_data);
-	}
+IMPLEMENT_ssl3_meth_func(sslv3_base_method,
+			ssl_undefined_function,
+			ssl_undefined_function,
+			ssl_bad_method)
 
 int ssl3_num_ciphers(void)
 	{
@@ -1057,7 +1390,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u)
 		return(NULL);
 	}
 
-int ssl3_pending(SSL *s)
+int ssl3_pending(const SSL *s)
 	{
 	if (s->rstate == SSL_ST_READ_BODY)
 		return 0;
@@ -1073,6 +1406,8 @@ int ssl3_new(SSL *s)
 	memset(s3,0,sizeof *s3);
 	EVP_MD_CTX_init(&s3->finish_dgst1);
 	EVP_MD_CTX_init(&s3->finish_dgst2);
+	pq_64bit_init(&(s3->rrec.seq_num));
+	pq_64bit_init(&(s3->wrec.seq_num));
 
 	s->s3=s3;
 
@@ -1098,10 +1433,18 @@ void ssl3_free(SSL *s)
 	if (s->s3->tmp.dh != NULL)
 		DH_free(s->s3->tmp.dh);
 #endif
+#ifndef OPENSSL_NO_ECDH
+	if (s->s3->tmp.ecdh != NULL)
+		EC_KEY_free(s->s3->tmp.ecdh);
+#endif
+
 	if (s->s3->tmp.ca_names != NULL)
 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
+	pq_64bit_free(&(s->s3->rrec.seq_num));
+	pq_64bit_free(&(s->s3->wrec.seq_num));
+
 	OPENSSL_cleanse(s->s3,sizeof *s->s3);
 	OPENSSL_free(s->s3);
 	s->s3=NULL;
@@ -1125,6 +1468,10 @@ void ssl3_clear(SSL *s)
 	if (s->s3->tmp.dh != NULL)
 		DH_free(s->s3->tmp.dh);
 #endif
+#ifndef OPENSSL_NO_ECDH
+	if (s->s3->tmp.ecdh != NULL)
+		EC_KEY_free(s->s3->tmp.ecdh);
+#endif
 
 	rp = s->s3->rbuf.buf;
 	wp = s->s3->wbuf.buf;
@@ -1263,13 +1610,51 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 		}
 		break;
 #endif
+#ifndef OPENSSL_NO_ECDH
+	case SSL_CTRL_SET_TMP_ECDH:
+		{
+		EC_KEY *ecdh = NULL;
+ 			
+		if (parg == NULL)
+			{
+			SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
+			return(ret);
+			}
+		if (!EC_KEY_up_ref((EC_KEY *)parg))
+			{
+			SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB);
+			return(ret);
+			}
+		ecdh = (EC_KEY *)parg;
+		if (!(s->options & SSL_OP_SINGLE_ECDH_USE))
+			{
+			if (!EC_KEY_generate_key(ecdh))
+				{
+				EC_KEY_free(ecdh);
+				SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB);
+				return(ret);
+				}
+			}
+		if (s->cert->ecdh_tmp != NULL)
+			EC_KEY_free(s->cert->ecdh_tmp);
+		s->cert->ecdh_tmp = ecdh;
+		ret = 1;
+		}
+		break;
+	case SSL_CTRL_SET_TMP_ECDH_CB:
+		{
+		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return(ret);
+		}
+		break;
+#endif /* !OPENSSL_NO_ECDH */
 	default:
 		break;
 		}
 	return(ret);
 	}
 
-long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
+long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
 	{
 	int ret=0;
 
@@ -1307,6 +1692,13 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
 		}
 		break;
 #endif
+#ifndef OPENSSL_NO_ECDH
+	case SSL_CTRL_SET_TMP_ECDH_CB:
+		{
+		s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
+		}
+		break;
+#endif
 	default:
 		break;
 		}
@@ -1399,6 +1791,47 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 		}
 		break;
 #endif
+#ifndef OPENSSL_NO_ECDH
+	case SSL_CTRL_SET_TMP_ECDH:
+		{
+		EC_KEY *ecdh = NULL;
+ 			
+		if (parg == NULL)
+			{
+			SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_ECDH_LIB);
+			return 0;
+			}
+		ecdh = EC_KEY_dup((EC_KEY *)parg);
+		if (ecdh == NULL)
+			{
+			SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_EC_LIB);
+			return 0;
+			}
+		if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE))
+			{
+			if (!EC_KEY_generate_key(ecdh))
+				{
+				EC_KEY_free(ecdh);
+				SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_ECDH_LIB);
+				return 0;
+				}
+			}
+
+		if (cert->ecdh_tmp != NULL)
+			{
+			EC_KEY_free(cert->ecdh_tmp);
+			}
+		cert->ecdh_tmp = ecdh;
+		return 1;
+		}
+		/* break; */
+	case SSL_CTRL_SET_TMP_ECDH_CB:
+		{
+		SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return(0);
+		}
+		break;
+#endif /* !OPENSSL_NO_ECDH */
 	/* A Thawte special :-) */
 	case SSL_CTRL_EXTRA_CHAIN_CERT:
 		if (ctx->extra_certs == NULL)
@@ -1415,7 +1848,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 	return(1);
 	}
 
-long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
+long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
 	{
 	CERT *cert;
 
@@ -1437,6 +1870,13 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
 		}
 		break;
 #endif
+#ifndef OPENSSL_NO_ECDH
+	case SSL_CTRL_SET_TMP_ECDH_CB:
+		{
+		cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
+		}
+		break;
+#endif
 	default:
 		return(0);
 		}
@@ -1447,41 +1887,19 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
  * available */
 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
 	{
-	static int init=1;
-	static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS];
-	SSL_CIPHER c,*cp= &c,**cpp;
+	SSL_CIPHER c,*cp;
 	unsigned long id;
-	int i;
-
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL);
-
-		if (init)
-			{
-			for (i=0; i<SSL3_NUM_CIPHERS; i++)
-				sorted[i]= &(ssl3_ciphers[i]);
-
-			qsort(sorted,
-				SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-				FP_ICC ssl_cipher_ptr_id_cmp);
-
-			init=0;
-			}
-		
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-		}
 
 	id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
 	c.id=id;
-	cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp,
-		(char *)sorted,
-		SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-		FP_ICC ssl_cipher_ptr_id_cmp);
-	if ((cpp == NULL) || !(*cpp)->valid)
-		return(NULL);
+	cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c,
+		(char *)ssl3_ciphers,
+		SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER),
+		FP_ICC ssl_cipher_id_cmp);
+	if (cp == NULL || cp->valid == 0)
+		return NULL;
 	else
-		return(*cpp);
+		return cp;
 	}
 
 int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
@@ -1584,7 +2002,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 			}
 
 		if (!ok) continue;
-	
 		j=sk_SSL_CIPHER_find(allow,c);
 		if (j >= 0)
 			{
@@ -1629,6 +2046,26 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
 #ifndef OPENSSL_NO_DSA
 	p[ret++]=SSL3_CT_DSS_SIGN;
 #endif
+#ifndef OPENSSL_NO_ECDH
+	/* We should ask for fixed ECDH certificates only
+	 * for SSL_kECDH (and not SSL_kECDHE)
+	 */
+	if ((alg & SSL_kECDH) && (s->version >= TLS1_VERSION))
+		{
+		p[ret++]=TLS_CT_RSA_FIXED_ECDH;
+		p[ret++]=TLS_CT_ECDSA_FIXED_ECDH;
+		}
+#endif
+
+#ifndef OPENSSL_NO_ECDSA
+	/* ECDSA certs can be used with RSA cipher suites as well 
+	 * so we don't need to check for SSL_kECDH or SSL_kECDHE
+	 */
+	if (s->version >= TLS1_VERSION)
+		{
+		p[ret++]=TLS_CT_ECDSA_SIGN;
+		}
+#endif	
 	return(ret);
 	}
 
@@ -1656,13 +2093,13 @@ int ssl3_shutdown(SSL *s)
 		{
 		/* resend it if not sent */
 #if 1
-		ssl3_dispatch_alert(s);
+		s->method->ssl_dispatch_alert(s);
 #endif
 		}
 	else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN))
 		{
 		/* If we are waiting for a close from our peer, we are closed */
-		ssl3_read_bytes(s,0,NULL,0,0);
+		s->method->ssl_read_bytes(s,0,NULL,0,0);
 		}
 
 	if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
@@ -1717,8 +2154,8 @@ int ssl3_write(SSL *s, const void *buf, int len)
 		}
 	else
 		{
-		ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA,
-				     buf,len);
+		ret=s->method->ssl_write_bytes(s,SSL3_RT_APPLICATION_DATA,
+			buf,len);
 		if (ret <= 0) return(ret);
 		}
 
@@ -1732,7 +2169,7 @@ static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
 	clear_sys_error();
 	if (s->s3->renegotiate) ssl3_renegotiate_check(s);
 	s->s3->in_read_app_data=1;
-	ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
+	ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
 	if ((ret == -1) && (s->s3->in_read_app_data == 2))
 		{
 		/* ssl3_read_bytes decided to call s->handshake_func, which
@@ -1741,7 +2178,7 @@ static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
 		 * and thinks that application data makes sense here; so disable
 		 * handshake processing and try to read application data again. */
 		s->in_handshake++;
-		ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
+		ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
 		s->in_handshake--;
 		}
 	else
diff --git a/crypto/openssl/ssl/s3_meth.c b/crypto/openssl/ssl/s3_meth.c
index 1fd7a96f87ba..6a6eb1c58f80 100644
--- a/crypto/openssl/ssl/s3_meth.c
+++ b/crypto/openssl/ssl/s3_meth.c
@@ -69,27 +69,9 @@ static SSL_METHOD *ssl3_get_method(int ver)
 		return(NULL);
 	}
 
-SSL_METHOD *SSLv3_method(void)
-	{
-	static int init=1;
-	static SSL_METHOD SSLv3_data;
-
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-		
-		if (init)
-			{
-			memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(),
-				sizeof(SSL_METHOD));
-			SSLv3_data.ssl_connect=ssl3_connect;
-			SSLv3_data.ssl_accept=ssl3_accept;
-			SSLv3_data.get_ssl_method=ssl3_get_method;
-			init=0;
-			}
+IMPLEMENT_ssl3_meth_func(SSLv3_method,
+			ssl3_accept,
+			ssl3_connect,
+			ssl3_get_method)
 
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-		}
-	return(&SSLv3_data);
-	}
 
diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c
index cb0b12b4006e..d0f54e297bb7 100644
--- a/crypto/openssl/ssl/s3_pkt.c
+++ b/crypto/openssl/ssl/s3_pkt.c
@@ -118,15 +118,9 @@
 
 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 			 unsigned int len, int create_empty_fragment);
-static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
-			      unsigned int len);
 static int ssl3_get_record(SSL *s);
-static int do_compress(SSL *ssl);
-static int do_uncompress(SSL *ssl);
-static int do_change_cipher_spec(SSL *ssl);
 
-/* used only by ssl3_get_record */
-static int ssl3_read_n(SSL *s, int n, int max, int extend)
+int ssl3_read_n(SSL *s, int n, int max, int extend)
 	{
 	/* If extend == 0, obtain new n-byte packet; if extend == 1, increase
 	 * packet by another n bytes.
@@ -147,6 +141,14 @@ static int ssl3_read_n(SSL *s, int n, int max, int extend)
 		/* ... now we can act as if 'extend' was set */
 		}
 
+	/* extend reads should not span multiple packets for DTLS */
+	if ( SSL_version(s) == DTLS1_VERSION &&
+		extend)
+		{
+		if ( s->s3->rbuf.left > 0 && n > s->s3->rbuf.left)
+			n = s->s3->rbuf.left;
+		}
+
 	/* if there is enough in the buffer from a previous read, take some */
 	if (s->s3->rbuf.left >= (int)n)
 		{
@@ -434,7 +436,7 @@ printf("\n");
 			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
 			goto f_err;
 			}
-		if (!do_uncompress(s))
+		if (!ssl3_do_uncompress(s))
 			{
 			al=SSL_AD_DECOMPRESSION_FAILURE;
 			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
@@ -472,8 +474,9 @@ err:
 	return(ret);
 	}
 
-static int do_uncompress(SSL *ssl)
+int ssl3_do_uncompress(SSL *ssl)
 	{
+#ifndef OPENSSL_NO_COMP
 	int i;
 	SSL3_RECORD *rr;
 
@@ -485,12 +488,13 @@ static int do_uncompress(SSL *ssl)
 	else
 		rr->length=i;
 	rr->data=rr->comp;
-
+#endif
 	return(1);
 	}
 
-static int do_compress(SSL *ssl)
+int ssl3_do_compress(SSL *ssl)
 	{
+#ifndef OPENSSL_NO_COMP
 	int i;
 	SSL3_RECORD *wr;
 
@@ -504,6 +508,7 @@ static int do_compress(SSL *ssl)
 		wr->length=i;
 
 	wr->input=wr->data;
+#endif
 	return(1);
 	}
 
@@ -580,7 +585,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 	/* If we have an alert to send, lets send it */
 	if (s->s3->alert_dispatch)
 		{
-		i=ssl3_dispatch_alert(s);
+		i=s->method->ssl_dispatch_alert(s);
 		if (i <= 0)
 			return(i);
 		/* if it went, fall through and send more stuff */
@@ -655,7 +660,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 	/* first we compress */
 	if (s->compress != NULL)
 		{
-		if (!do_compress(s))
+		if (!ssl3_do_compress(s))
 			{
 			SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
 			goto err;
@@ -716,8 +721,8 @@ err:
 	}
 
 /* if s->s3->wbuf.left != 0, we need to call this */
-static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
-			      unsigned int len)
+int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
+	unsigned int len)
 	{
 	int i;
 
@@ -1089,7 +1094,7 @@ start:
 		if (s->s3->tmp.new_cipher == NULL)
 			{
 			al=SSL_AD_UNEXPECTED_MESSAGE;
-			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
 			goto f_err;
 			}
 
@@ -1099,7 +1104,7 @@ start:
 			s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg);
 
 		s->s3->change_cipher_spec=1;
-		if (!do_change_cipher_spec(s))
+		if (!ssl3_do_change_cipher_spec(s))
 			goto err;
 		else
 			goto start;
@@ -1211,7 +1216,7 @@ err:
 	return(-1);
 	}
 
-static int do_change_cipher_spec(SSL *s)
+int ssl3_do_change_cipher_spec(SSL *s)
 	{
 	int i;
 	const char *sender;
@@ -1268,7 +1273,7 @@ void ssl3_send_alert(SSL *s, int level, int desc)
 	s->s3->send_alert[0]=level;
 	s->s3->send_alert[1]=desc;
 	if (s->s3->wbuf.left == 0) /* data still being written out? */
-		ssl3_dispatch_alert(s);
+		s->method->ssl_dispatch_alert(s);
 	/* else data is still being written out, we will get written
 	 * some time in the future */
 	}
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
index 44248ba55941..a8c5df822c77 100644
--- a/crypto/openssl/ssl/s3_srvr.c
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -108,11 +108,23 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * ECC cipher suite support in OpenSSL originally written by
+ * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
+ *
+ */
 
 #define REUSE_CIPHER_BUG
 #define NETSCAPE_HANG_BUG
 
-
 #include <stdio.h>
 #include "ssl_locl.h"
 #include "kssl_lcl.h"
@@ -121,23 +133,20 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/bn.h>
 #ifndef OPENSSL_NO_KRB5
 #include <openssl/krb5_asn.h>
 #endif
 #include <openssl/md5.h>
-#include <openssl/fips.h>
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
-static int ssl3_get_client_hello(SSL *s);
-static int ssl3_check_client_hello(SSL *s);
-static int ssl3_send_server_hello(SSL *s);
-static int ssl3_send_server_key_exchange(SSL *s);
-static int ssl3_send_certificate_request(SSL *s);
-static int ssl3_send_server_done(SSL *s);
-static int ssl3_get_client_key_exchange(SSL *s);
-static int ssl3_get_client_certificate(SSL *s);
-static int ssl3_get_cert_verify(SSL *s);
-static int ssl3_send_hello_request(SSL *s);
+
+#ifndef OPENSSL_NO_ECDH
+static int nid2curve_id(int nid);
+#endif
 
 static SSL_METHOD *ssl3_get_server_method(int ver)
 	{
@@ -147,33 +156,15 @@ static SSL_METHOD *ssl3_get_server_method(int ver)
 		return(NULL);
 	}
 
-SSL_METHOD *SSLv3_server_method(void)
-	{
-	static int init=1;
-	static SSL_METHOD SSLv3_server_data;
-
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-
-		if (init)
-			{
-			memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
-				sizeof(SSL_METHOD));
-			SSLv3_server_data.ssl_accept=ssl3_accept;
-			SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
-			init=0;
-			}
-			
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-		}
-	return(&SSLv3_server_data);
-	}
+IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
+			ssl3_accept,
+			ssl_undefined_function,
+			ssl3_get_server_method)
 
 int ssl3_accept(SSL *s)
 	{
 	BUF_MEM *buf;
-	unsigned long l,Time=time(NULL);
+	unsigned long l,Time=(unsigned long)time(NULL);
 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
 	long num1;
 	int ret= -1;
@@ -309,7 +300,7 @@ int ssl3_accept(SSL *s)
 
 		case SSL3_ST_SW_CERT_A:
 		case SSL3_ST_SW_CERT_B:
-			/* Check if it is anon DH */
+			/* Check if it is anon DH or anon ECDH */
 			if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
 				{
 				ret=ssl3_send_server_certificate(s);
@@ -340,9 +331,18 @@ int ssl3_accept(SSL *s)
 			else
 				s->s3->tmp.use_rsa_tmp=0;
 
+
 			/* only send if a DH key exchange, fortezza or
-			 * RSA but we have a sign only certificate */
+			 * RSA but we have a sign only certificate
+			 *
+			 * For ECC ciphersuites, we send a serverKeyExchange
+			 * message only if the cipher suite is either
+			 * ECDH-anon or ECDHE. In other cases, the
+			 * server certificate contains the server's 
+			 * public key for key exchange.
+			 */
 			if (s->s3->tmp.use_rsa_tmp
+			    || (l & SSL_kECDHE)
 			    || (l & (SSL_DH|SSL_kFZA))
 			    || ((l & SSL_kRSA)
 				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
@@ -446,19 +446,33 @@ int ssl3_accept(SSL *s)
 		case SSL3_ST_SR_KEY_EXCH_A:
 		case SSL3_ST_SR_KEY_EXCH_B:
 			ret=ssl3_get_client_key_exchange(s);
-			if (ret <= 0) goto end;
-			s->state=SSL3_ST_SR_CERT_VRFY_A;
-			s->init_num=0;
-
-			/* We need to get hashes here so if there is
-			 * a client cert, it can be verified */ 
-			s->method->ssl3_enc->cert_verify_mac(s,
-				&(s->s3->finish_dgst1),
-				&(s->s3->tmp.cert_verify_md[0]));
-			s->method->ssl3_enc->cert_verify_mac(s,
-				&(s->s3->finish_dgst2),
-				&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
+			if (ret <= 0) 
+				goto end;
+			if (ret == 2)
+				{
+				/* For the ECDH ciphersuites when
+				 * the client sends its ECDH pub key in
+				 * a certificate, the CertificateVerify
+				 * message is not sent.
+				 */
+				s->state=SSL3_ST_SR_FINISHED_A;
+				s->init_num = 0;
+				}
+			else   
+				{
+				s->state=SSL3_ST_SR_CERT_VRFY_A;
+				s->init_num=0;
 
+				/* We need to get hashes here so if there is
+				 * a client cert, it can be verified
+				 */ 
+				s->method->ssl3_enc->cert_verify_mac(s,
+				    &(s->s3->finish_dgst1),
+				    &(s->s3->tmp.cert_verify_md[0]));
+				s->method->ssl3_enc->cert_verify_mac(s,
+				    &(s->s3->finish_dgst2),
+				    &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
+				}
 			break;
 
 		case SSL3_ST_SR_CERT_VRFY_A:
@@ -589,7 +603,7 @@ end:
 	return(ret);
 	}
 
-static int ssl3_send_hello_request(SSL *s)
+int ssl3_send_hello_request(SSL *s)
 	{
 	unsigned char *p;
 
@@ -611,14 +625,14 @@ static int ssl3_send_hello_request(SSL *s)
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 	}
 
-static int ssl3_check_client_hello(SSL *s)
+int ssl3_check_client_hello(SSL *s)
 	{
 	int ok;
 	long n;
 
 	/* this function is called when we really expect a Certificate message,
 	 * so permit appropriate message length */
-	n=ssl3_get_message(s,
+	n=s->method->ssl_get_message(s,
 		SSL3_ST_SR_CERT_A,
 		SSL3_ST_SR_CERT_B,
 		-1,
@@ -644,14 +658,17 @@ static int ssl3_check_client_hello(SSL *s)
 	return 1;
 }
 
-static int ssl3_get_client_hello(SSL *s)
+int ssl3_get_client_hello(SSL *s)
 	{
 	int i,j,ok,al,ret= -1;
+	unsigned int cookie_len;
 	long n;
 	unsigned long id;
 	unsigned char *p,*d,*q;
 	SSL_CIPHER *c;
+#ifndef OPENSSL_NO_COMP
 	SSL_COMP *comp=NULL;
+#endif
 	STACK_OF(SSL_CIPHER) *ciphers=NULL;
 
 	/* We do this so that we will respond with our native type.
@@ -665,7 +682,7 @@ static int ssl3_get_client_hello(SSL *s)
 		s->first_packet=1;
 		s->state=SSL3_ST_SR_CLNT_HELLO_B;
 		}
-	n=ssl3_get_message(s,
+	n=s->method->ssl_get_message(s,
 		SSL3_ST_SR_CLNT_HELLO_B,
 		SSL3_ST_SR_CLNT_HELLO_C,
 		SSL3_MT_CLIENT_HELLO,
@@ -730,6 +747,68 @@ static int ssl3_get_client_hello(SSL *s)
 		}
 
 	p+=j;
+
+	if (SSL_version(s) == DTLS1_VERSION)
+		{
+		/* cookie stuff */
+		cookie_len = *(p++);
+
+		if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
+			s->d1->send_cookie == 0)
+			{
+			/* HelloVerifyMessage has already been sent */
+			if ( cookie_len != s->d1->cookie_len)
+				{
+				al = SSL_AD_HANDSHAKE_FAILURE;
+				SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
+				goto f_err;
+				}
+			}
+
+		/* 
+		 * The ClientHello may contain a cookie even if the
+		 * HelloVerify message has not been sent--make sure that it
+		 * does not cause an overflow.
+		 */
+		if ( cookie_len > sizeof(s->d1->rcvd_cookie))
+			{
+			/* too much data */
+			al = SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
+			goto f_err;
+			}
+
+		/* verify the cookie if appropriate option is set. */
+		if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
+			cookie_len > 0)
+			{
+			memcpy(s->d1->rcvd_cookie, p, cookie_len);
+
+			if ( s->ctx->app_verify_cookie_cb != NULL)
+				{
+				if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
+					cookie_len) == 0)
+					{
+					al=SSL_AD_HANDSHAKE_FAILURE;
+					SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 
+						SSL_R_COOKIE_MISMATCH);
+					goto f_err;
+					}
+				/* else cookie verification succeeded */
+				}
+			else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie, 
+						  s->d1->cookie_len) != 0) /* default verification */
+				{
+					al=SSL_AD_HANDSHAKE_FAILURE;
+					SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 
+						SSL_R_COOKIE_MISMATCH);
+					goto f_err;
+				}
+			}
+
+		p += cookie_len;
+		}
+
 	n2s(p,i);
 	if ((i == 0) && (j != 0))
 		{
@@ -779,8 +858,7 @@ static int ssl3_get_client_hello(SSL *s)
 			if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
 				{
 				/* Very bad for multi-threading.... */
-				s->session->cipher=sk_SSL_CIPHER_value(ciphers,
-								       0);
+				s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0);
 				}
 			else
 				{
@@ -821,6 +899,7 @@ static int ssl3_get_client_hello(SSL *s)
 	 * options, we will now look for them.  We have i-1 compression
 	 * algorithms from the client, starting at q. */
 	s->s3->tmp.new_compression=NULL;
+#ifndef OPENSSL_NO_COMP
 	if (s->ctx->comp_methods != NULL)
 		{ /* See if we have a match */
 		int m,nn,o,v,done=0;
@@ -845,6 +924,7 @@ static int ssl3_get_client_hello(SSL *s)
 		else
 			comp=NULL;
 		}
+#endif
 
 	/* TLS does not mind if there is extra stuff */
 #if 0   /* SSL 3.0 does not mind either, so we should disable this test
@@ -868,7 +948,11 @@ static int ssl3_get_client_hello(SSL *s)
 
 	if (!s->hit)
 		{
+#ifdef OPENSSL_NO_COMP
+		s->session->compress_meth=0;
+#else
 		s->session->compress_meth=(comp == NULL)?0:comp->id;
+#endif
 		if (s->session->ciphers != NULL)
 			sk_SSL_CIPHER_free(s->session->ciphers);
 		s->session->ciphers=ciphers;
@@ -943,7 +1027,7 @@ err:
 	return(ret);
 	}
 
-static int ssl3_send_server_hello(SSL *s)
+int ssl3_send_server_hello(SSL *s)
 	{
 	unsigned char *buf;
 	unsigned char *p,*d;
@@ -954,9 +1038,9 @@ static int ssl3_send_server_hello(SSL *s)
 		{
 		buf=(unsigned char *)s->init_buf->data;
 		p=s->s3->server_random;
-		Time=time(NULL);			/* Time */
+		Time=(unsigned long)time(NULL);			/* Time */
 		l2n(Time,p);
-		if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)) <= 0)
+		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
 			return -1;
 		/* Do the message type and length last */
 		d=p= &(buf[4]);
@@ -980,7 +1064,7 @@ static int ssl3_send_server_hello(SSL *s)
 			s->session->session_id_length=0;
 
 		sl=s->session->session_id_length;
-		if (sl > sizeof s->session->session_id)
+		if (sl > (int)sizeof(s->session->session_id))
 			{
 			SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
 			return -1;
@@ -994,10 +1078,14 @@ static int ssl3_send_server_hello(SSL *s)
 		p+=i;
 
 		/* put the compression method */
+#ifdef OPENSSL_NO_COMP
+			*(p++)=0;
+#else
 		if (s->s3->tmp.new_compression == NULL)
 			*(p++)=0;
 		else
 			*(p++)=s->s3->tmp.new_compression->id;
+#endif
 
 		/* do the header */
 		l=(p-d);
@@ -1015,7 +1103,7 @@ static int ssl3_send_server_hello(SSL *s)
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 	}
 
-static int ssl3_send_server_done(SSL *s)
+int ssl3_send_server_done(SSL *s)
 	{
 	unsigned char *p;
 
@@ -1039,7 +1127,7 @@ static int ssl3_send_server_done(SSL *s)
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 	}
 
-static int ssl3_send_server_key_exchange(SSL *s)
+int ssl3_send_server_key_exchange(SSL *s)
 	{
 #ifndef OPENSSL_NO_RSA
 	unsigned char *q;
@@ -1051,6 +1139,13 @@ static int ssl3_send_server_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_DH
 	DH *dh=NULL,*dhp;
 #endif
+#ifndef OPENSSL_NO_ECDH
+	EC_KEY *ecdh=NULL, *ecdhp;
+	unsigned char *encodedPoint = NULL;
+	int encodedlen = 0;
+	int curve_id = 0;
+	BN_CTX *bn_ctx = NULL; 
+#endif
 	EVP_PKEY *pkey;
 	unsigned char *p,*d;
 	int al,i;
@@ -1159,6 +1254,134 @@ static int ssl3_send_server_key_exchange(SSL *s)
 			}
 		else 
 #endif
+#ifndef OPENSSL_NO_ECDH
+			if (type & SSL_kECDHE)
+			{
+			const EC_GROUP *group;
+
+			ecdhp=cert->ecdh_tmp;
+			if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))
+				{
+				ecdhp=s->cert->ecdh_tmp_cb(s,
+				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
+				}
+			if (ecdhp == NULL)
+				{
+				al=SSL_AD_HANDSHAKE_FAILURE;
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
+				goto f_err;
+				}
+
+			if (s->s3->tmp.ecdh != NULL)
+				{
+				EC_KEY_free(s->s3->tmp.ecdh); 
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+				goto err;
+				}
+
+			/* Duplicate the ECDH structure. */
+			if (ecdhp == NULL)
+				{
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
+				goto err;
+				}
+			if (!EC_KEY_up_ref(ecdhp))
+				{
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
+				goto err;
+				}
+			ecdh = ecdhp;
+
+			s->s3->tmp.ecdh=ecdh;
+			if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
+			    (EC_KEY_get0_private_key(ecdh) == NULL) ||
+			    (s->options & SSL_OP_SINGLE_ECDH_USE))
+				{
+				if(!EC_KEY_generate_key(ecdh))
+				    {
+				    SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
+				    goto err;
+				    }
+				}
+
+			if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
+			    (EC_KEY_get0_public_key(ecdh)  == NULL) ||
+			    (EC_KEY_get0_private_key(ecdh) == NULL))
+				{
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
+				goto err;
+				}
+
+			if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
+			    (EC_GROUP_get_degree(group) > 163)) 
+				{
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
+				goto err;
+				}
+
+			/* XXX: For now, we only support ephemeral ECDH
+			 * keys over named (not generic) curves. For 
+			 * supported named curves, curve_id is non-zero.
+			 */
+			if ((curve_id = 
+			    nid2curve_id(EC_GROUP_get_curve_name(group)))
+			    == 0)
+				{
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
+				goto err;
+				}
+
+			/* Encode the public key.
+			 * First check the size of encoding and
+			 * allocate memory accordingly.
+			 */
+			encodedlen = EC_POINT_point2oct(group, 
+			    EC_KEY_get0_public_key(ecdh),
+			    POINT_CONVERSION_UNCOMPRESSED, 
+			    NULL, 0, NULL);
+
+			encodedPoint = (unsigned char *) 
+			    OPENSSL_malloc(encodedlen*sizeof(unsigned char)); 
+			bn_ctx = BN_CTX_new();
+			if ((encodedPoint == NULL) || (bn_ctx == NULL))
+				{
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+
+
+			encodedlen = EC_POINT_point2oct(group, 
+			    EC_KEY_get0_public_key(ecdh), 
+			    POINT_CONVERSION_UNCOMPRESSED, 
+			    encodedPoint, encodedlen, bn_ctx);
+
+			if (encodedlen == 0) 
+				{
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
+				goto err;
+				}
+
+			BN_CTX_free(bn_ctx);  bn_ctx=NULL;
+
+			/* XXX: For now, we only support named (not 
+			 * generic) curves in ECDH ephemeral key exchanges.
+			 * In this situation, we need four additional bytes
+			 * to encode the entire ServerECDHParams
+			 * structure. 
+			 */
+			n = 4 + encodedlen;
+
+			/* We'll generate the serverKeyExchange message
+			 * explicitly so we can set these to NULLs
+			 */
+			r[0]=NULL;
+			r[1]=NULL;
+			r[2]=NULL;
+			r[3]=NULL;
+			}
+		else 
+#endif /* !OPENSSL_NO_ECDH */
 			{
 			al=SSL_AD_HANDSHAKE_FAILURE;
 			SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
@@ -1201,6 +1424,31 @@ static int ssl3_send_server_key_exchange(SSL *s)
 			p+=nr[i];
 			}
 
+#ifndef OPENSSL_NO_ECDH
+		if (type & SSL_kECDHE) 
+			{
+			/* XXX: For now, we only support named (not generic) curves.
+			 * In this situation, the serverKeyExchange message has:
+			 * [1 byte CurveType], [2 byte CurveName]
+			 * [1 byte length of encoded point], followed by
+			 * the actual encoded point itself
+			 */
+			*p = NAMED_CURVE_TYPE;
+			p += 1;
+			*p = 0;
+			p += 1;
+			*p = curve_id;
+			p += 1;
+			*p = encodedlen;
+			p += 1;
+			memcpy((unsigned char*)p, 
+			    (unsigned char *)encodedPoint, 
+			    encodedlen);
+			OPENSSL_free(encodedPoint);
+			p += encodedlen;
+			}
+#endif
+
 		/* not anonymous */
 		if (pkey != NULL)
 			{
@@ -1218,16 +1466,8 @@ static int ssl3_send_server_key_exchange(SSL *s)
 					EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
 					EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
 					EVP_DigestUpdate(&md_ctx,&(d[4]),n);
-#ifdef OPENSSL_FIPS
-					if(s->version == TLS1_VERSION && num == 2)
-						FIPS_allow_md5(1);
-#endif
 					EVP_DigestFinal_ex(&md_ctx,q,
 						(unsigned int *)&i);
-#ifdef OPENSSL_FIPS
-					if(s->version == TLS1_VERSION && num == 2)
-						FIPS_allow_md5(0);
-#endif
 					q+=i;
 					j+=i;
 					}
@@ -1261,6 +1501,25 @@ static int ssl3_send_server_key_exchange(SSL *s)
 				}
 			else
 #endif
+#if !defined(OPENSSL_NO_ECDSA)
+				if (pkey->type == EVP_PKEY_EC)
+				{
+				/* let's do ECDSA */
+				EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
+				EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+				EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
+				EVP_SignUpdate(&md_ctx,&(d[4]),n);
+				if (!EVP_SignFinal(&md_ctx,&(p[2]),
+					(unsigned int *)&i,pkey))
+					{
+					SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA);
+					goto err;
+					}
+				s2n(i,p);
+				n+=i+2;
+				}
+			else
+#endif
 				{
 				/* Is this error check actually needed? */
 				al=SSL_AD_HANDSHAKE_FAILURE;
@@ -1284,11 +1543,15 @@ static int ssl3_send_server_key_exchange(SSL *s)
 f_err:
 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
+#ifndef OPENSSL_NO_ECDH
+	if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
+	BN_CTX_free(bn_ctx);
+#endif
 	EVP_MD_CTX_cleanup(&md_ctx);
 	return(-1);
 	}
 
-static int ssl3_send_certificate_request(SSL *s)
+int ssl3_send_certificate_request(SSL *s)
 	{
 	unsigned char *p,*d;
 	int i,j,nl,off,n;
@@ -1377,7 +1640,7 @@ err:
 	return(-1);
 	}
 
-static int ssl3_get_client_key_exchange(SSL *s)
+int ssl3_get_client_key_exchange(SSL *s)
 	{
 	int i,al,ok;
 	long n;
@@ -1395,7 +1658,14 @@ static int ssl3_get_client_key_exchange(SSL *s)
         KSSL_ERR kssl_err;
 #endif /* OPENSSL_NO_KRB5 */
 
-	n=ssl3_get_message(s,
+#ifndef OPENSSL_NO_ECDH
+	EC_KEY *srvr_ecdh = NULL;
+	EVP_PKEY *clnt_pub_pkey = NULL;
+	EC_POINT *clnt_ecpoint = NULL;
+	BN_CTX *bn_ctx = NULL; 
+#endif
+
+	n=s->method->ssl_get_message(s,
 		SSL3_ST_SR_KEY_EXCH_A,
 		SSL3_ST_SR_KEY_EXCH_B,
 		SSL3_MT_CLIENT_KEY_EXCHANGE,
@@ -1501,7 +1771,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
 			i = SSL_MAX_MASTER_KEY_LENGTH;
 			p[0] = s->client_version >> 8;
 			p[1] = s->client_version & 0xff;
-			if(RAND_pseudo_bytes(p+2, i-2) <= 0)  /* should be RAND_bytes, but we cannot work around a failure */
+			if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
 				goto err;
 			}
 	
@@ -1600,7 +1870,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
 		n2s(p,i);
 		enc_ticket.length = i;
 
-		if (n < enc_ticket.length + 6)
+		if (n < (int)enc_ticket.length + 6)
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1613,7 +1883,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
 		n2s(p,i);
 		authenticator.length = i;
 
-		if (n < enc_ticket.length + authenticator.length + 6)
+		if (n < (int)(enc_ticket.length + authenticator.length) + 6)
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1638,8 +1908,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
 			goto err;
 			}
 
-		if (n != enc_ticket.length + authenticator.length +
-						enc_pms.length + 6)
+		if (n != (long)(enc_ticket.length + authenticator.length +
+						enc_pms.length + 6))
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1655,7 +1925,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                         if (kssl_err.text)
                                 printf("kssl_err text= %s\n", kssl_err.text);
 #endif	/* KSSL_DEBUG */
-                        SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                 kssl_err.reason);
                         goto err;
                         }
@@ -1672,14 +1942,14 @@ static int ssl3_get_client_key_exchange(SSL *s)
                         if (kssl_err.text)
                                 printf("kssl_err text= %s\n", kssl_err.text);
 #endif	/* KSSL_DEBUG */
-                        SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                 kssl_err.reason);
                         goto err;
 			}
 
 		if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
 			{
-			SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, krb5rc);
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
                         goto err;
 			}
 
@@ -1750,6 +2020,156 @@ static int ssl3_get_client_key_exchange(SSL *s)
                 }
 	else
 #endif	/* OPENSSL_NO_KRB5 */
+
+#ifndef OPENSSL_NO_ECDH
+		if ((l & SSL_kECDH) || (l & SSL_kECDHE))
+		{
+		int ret = 1;
+		int field_size = 0;
+		const EC_KEY   *tkey;
+		const EC_GROUP *group;
+		const BIGNUM *priv_key;
+
+                /* initialize structures for server's ECDH key pair */
+		if ((srvr_ecdh = EC_KEY_new()) == NULL) 
+			{
+                	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+			    ERR_R_MALLOC_FAILURE);
+                	goto err;
+			}
+
+		/* Let's get server private key and group information */
+		if (l & SSL_kECDH) 
+			{ 
+                        /* use the certificate */
+			tkey = s->cert->key->privatekey->pkey.ec;
+			}
+		else
+			{
+			/* use the ephermeral values we saved when
+			 * generating the ServerKeyExchange msg.
+			 */
+			tkey = s->s3->tmp.ecdh;
+			}
+
+		group    = EC_KEY_get0_group(tkey);
+		priv_key = EC_KEY_get0_private_key(tkey);
+
+		if (!EC_KEY_set_group(srvr_ecdh, group) ||
+		    !EC_KEY_set_private_key(srvr_ecdh, priv_key))
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+			       ERR_R_EC_LIB);
+			goto err;
+			}
+
+		/* Let's get client's public key */
+		if ((clnt_ecpoint = EC_POINT_new(group)) == NULL)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+			    ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+
+                if (n == 0L) 
+                        {
+			/* Client Publickey was in Client Certificate */
+
+			 if (l & SSL_kECDHE) 
+				 {
+				 al=SSL_AD_HANDSHAKE_FAILURE;
+				 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
+				 goto f_err;
+				 }
+                        if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer))
+			    == NULL) || 
+			    (clnt_pub_pkey->type != EVP_PKEY_EC))
+                        	{
+				/* XXX: For now, we do not support client
+				 * authentication using ECDH certificates
+				 * so this branch (n == 0L) of the code is
+				 * never executed. When that support is
+				 * added, we ought to ensure the key 
+				 * received in the certificate is 
+				 * authorized for key agreement.
+				 * ECDH_compute_key implicitly checks that
+				 * the two ECDH shares are for the same
+				 * group.
+				 */
+                           	al=SSL_AD_HANDSHAKE_FAILURE;
+                           	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+				    SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
+                           	goto f_err;
+                           	}
+
+			if (EC_POINT_copy(clnt_ecpoint,
+			    EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0)
+				{
+				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+					ERR_R_EC_LIB);
+				goto err;
+				}
+                        ret = 2; /* Skip certificate verify processing */
+                        }
+                else
+                        {
+			/* Get client's public key from encoded point
+			 * in the ClientKeyExchange message.
+			 */
+			if ((bn_ctx = BN_CTX_new()) == NULL)
+				{
+				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+				    ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+
+                        /* Get encoded point length */
+                        i = *p; 
+			p += 1;
+                        if (EC_POINT_oct2point(group, 
+			    clnt_ecpoint, p, i, bn_ctx) == 0)
+				{
+				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+				    ERR_R_EC_LIB);
+				goto err;
+				}
+                        /* p is pointing to somewhere in the buffer
+                         * currently, so set it to the start 
+                         */ 
+                        p=(unsigned char *)s->init_buf->data;
+                        }
+
+		/* Compute the shared pre-master secret */
+		field_size = EC_GROUP_get_degree(group);
+		if (field_size <= 0)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 
+			       ERR_R_ECDH_LIB);
+			goto err;
+			}
+		i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
+                if (i <= 0)
+                        {
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+			    ERR_R_ECDH_LIB);
+                        goto err;
+                        }
+
+		EVP_PKEY_free(clnt_pub_pkey);
+		EC_POINT_free(clnt_ecpoint);
+		if (srvr_ecdh != NULL) 
+			EC_KEY_free(srvr_ecdh);
+		BN_CTX_free(bn_ctx);
+
+		/* Compute the master secret */
+                s->session->master_key_length = s->method->ssl3_enc-> \
+		    generate_master_secret(s, s->session->master_key, p, i);
+		
+                OPENSSL_cleanse(p, i);
+                return (ret);
+		}
+	else
+#endif
 		{
 		al=SSL_AD_HANDSHAKE_FAILURE;
 		SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -1760,13 +2180,20 @@ static int ssl3_get_client_key_exchange(SSL *s)
 	return(1);
 f_err:
 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA)
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH)
 err:
 #endif
+#ifndef OPENSSL_NO_ECDH
+	EVP_PKEY_free(clnt_pub_pkey);
+	EC_POINT_free(clnt_ecpoint);
+	if (srvr_ecdh != NULL) 
+		EC_KEY_free(srvr_ecdh);
+	BN_CTX_free(bn_ctx);
+#endif
 	return(-1);
 	}
 
-static int ssl3_get_cert_verify(SSL *s)
+int ssl3_get_cert_verify(SSL *s)
 	{
 	EVP_PKEY *pkey=NULL;
 	unsigned char *p;
@@ -1775,7 +2202,7 @@ static int ssl3_get_cert_verify(SSL *s)
 	int type=0,i,j;
 	X509 *peer;
 
-	n=ssl3_get_message(s,
+	n=s->method->ssl_get_message(s,
 		SSL3_ST_SR_CERT_VRFY_A,
 		SSL3_ST_SR_CERT_VRFY_B,
 		-1,
@@ -1886,6 +2313,23 @@ static int ssl3_get_cert_verify(SSL *s)
 		}
 	else
 #endif
+#ifndef OPENSSL_NO_ECDSA
+		if (pkey->type == EVP_PKEY_EC)
+		{
+		j=ECDSA_verify(pkey->save_type,
+			&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
+			SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec);
+		if (j <= 0)
+			{
+			/* bad signature */
+			al=SSL_AD_DECRYPT_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+			    SSL_R_BAD_ECDSA_SIGNATURE);
+			goto f_err;
+			}
+		}
+	else
+#endif
 		{
 		SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
 		al=SSL_AD_UNSUPPORTED_CERTIFICATE;
@@ -1904,15 +2348,16 @@ end:
 	return(ret);
 	}
 
-static int ssl3_get_client_certificate(SSL *s)
+int ssl3_get_client_certificate(SSL *s)
 	{
 	int i,ok,al,ret= -1;
 	X509 *x=NULL;
 	unsigned long l,nc,llen,n;
-	unsigned char *p,*d,*q;
+	const unsigned char *p,*q;
+	unsigned char *d;
 	STACK_OF(X509) *sk=NULL;
 
-	n=ssl3_get_message(s,
+	n=s->method->ssl_get_message(s,
 		SSL3_ST_SR_CERT_A,
 		SSL3_ST_SR_CERT_B,
 		-1,
@@ -1947,7 +2392,7 @@ static int ssl3_get_client_certificate(SSL *s)
 		SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
 		goto f_err;
 		}
-	d=p=(unsigned char *)s->init_msg;
+	p=d=(unsigned char *)s->init_msg;
 
 	if ((sk=sk_X509_new_null()) == NULL)
 		{
@@ -2086,3 +2531,67 @@ int ssl3_send_server_certificate(SSL *s)
 	/* SSL3_ST_SW_CERT_B */
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 	}
+
+
+#ifndef OPENSSL_NO_ECDH
+/* This is the complement of curve_id2nid in s3_clnt.c. */
+static int nid2curve_id(int nid)
+{
+	/* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
+	 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
+	switch (nid) {
+	case NID_sect163k1: /* sect163k1 (1) */
+		return 1;
+	case NID_sect163r1: /* sect163r1 (2) */
+		return 2;
+	case NID_sect163r2: /* sect163r2 (3) */
+		return 3;
+	case NID_sect193r1: /* sect193r1 (4) */ 
+		return 4;
+	case NID_sect193r2: /* sect193r2 (5) */ 
+		return 5;
+	case NID_sect233k1: /* sect233k1 (6) */
+		return 6;
+	case NID_sect233r1: /* sect233r1 (7) */ 
+		return 7;
+	case NID_sect239k1: /* sect239k1 (8) */ 
+		return 8;
+	case NID_sect283k1: /* sect283k1 (9) */
+		return 9;
+	case NID_sect283r1: /* sect283r1 (10) */ 
+		return 10;
+	case NID_sect409k1: /* sect409k1 (11) */ 
+		return 11;
+	case NID_sect409r1: /* sect409r1 (12) */
+		return 12;
+	case NID_sect571k1: /* sect571k1 (13) */ 
+		return 13;
+	case NID_sect571r1: /* sect571r1 (14) */ 
+		return 14;
+	case NID_secp160k1: /* secp160k1 (15) */
+		return 15;
+	case NID_secp160r1: /* secp160r1 (16) */ 
+		return 16;
+	case NID_secp160r2: /* secp160r2 (17) */ 
+		return 17;
+	case NID_secp192k1: /* secp192k1 (18) */
+		return 18;
+	case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
+		return 19;
+	case NID_secp224k1: /* secp224k1 (20) */ 
+		return 20;
+	case NID_secp224r1: /* secp224r1 (21) */
+		return 21;
+	case NID_secp256k1: /* secp256k1 (22) */ 
+		return 22;
+	case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
+		return 23;
+	case NID_secp384r1: /* secp384r1 (24) */
+		return 24;
+	case NID_secp521r1:  /* secp521r1 (25) */	
+		return 25;
+	default:
+		return 0;
+	}
+}
+#endif
diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h
index ad201f257437..c87e5f8429d0 100644
--- a/crypto/openssl/ssl/ssl.h
+++ b/crypto/openssl/ssl/ssl.h
@@ -161,6 +161,11 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #ifndef HEADER_SSL_H 
 #define HEADER_SSL_H 
@@ -173,9 +178,16 @@
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
+#ifndef OPENSSL_NO_DEPRECATED
 #ifndef OPENSSL_NO_X509
 #include <openssl/x509.h>
 #endif
+#include <openssl/crypto.h>
+#include <openssl/lhash.h>
+#include <openssl/buffer.h>
+#endif
+#include <openssl/pem.h>
+
 #include <openssl/kssl.h>
 #include <openssl/safestack.h>
 #include <openssl/symhacks.h>
@@ -239,7 +251,6 @@ extern "C" {
 #define SSL_TXT_LOW		"LOW"
 #define SSL_TXT_MEDIUM		"MEDIUM"
 #define SSL_TXT_HIGH		"HIGH"
-#define SSL_TXT_FIPS		"FIPS"
 #define SSL_TXT_kFZA		"kFZA"
 #define	SSL_TXT_aFZA		"aFZA"
 #define SSL_TXT_eFZA		"eFZA"
@@ -282,6 +293,7 @@ extern "C" {
 #define SSL_TXT_SSLV3		"SSLv3"
 #define SSL_TXT_TLSV1		"TLSv1"
 #define SSL_TXT_ALL		"ALL"
+#define SSL_TXT_ECC		"ECCdraft" /* ECC ciphersuites are not yet official */
 
 /*
  * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
@@ -313,11 +325,6 @@ extern "C" {
 }
 #endif
 
-#include <openssl/crypto.h>
-#include <openssl/lhash.h>
-#include <openssl/buffer.h>
-#include <openssl/pem.h>
-
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -369,19 +376,25 @@ typedef struct ssl_method_st
 	int (*ssl_shutdown)(SSL *s);
 	int (*ssl_renegotiate)(SSL *s);
 	int (*ssl_renegotiate_check)(SSL *s);
+	long (*ssl_get_message)(SSL *s, int st1, int stn, int mt, long
+		max, int *ok);
+	int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, int len, 
+		int peek);
+	int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);
+	int (*ssl_dispatch_alert)(SSL *s);
 	long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg);
 	long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
 	SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
 	int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
-	int (*ssl_pending)(SSL *s);
+	int (*ssl_pending)(const SSL *s);
 	int (*num_ciphers)(void);
 	SSL_CIPHER *(*get_cipher)(unsigned ncipher);
 	struct ssl_method_st *(*get_ssl_method)(int version);
 	long (*get_timeout)(void);
 	struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
-	int (*ssl_version)();
-	long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)());
-	long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)());
+	int (*ssl_version)(void);
+	long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void));
+	long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void));
 	} SSL_METHOD;
 
 /* Lets make this into an ASN.1 type structure as follows
@@ -467,7 +480,7 @@ typedef struct ssl_session_st
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
-#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L
+#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect since 0.9.7h and 0.9.8b */
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
 #define SSL_OP_TLS_D5_BUG				0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L
@@ -483,8 +496,15 @@ typedef struct ssl_session_st
  *             This used to be 0x000FFFFFL before 0.9.7. */
 #define SSL_OP_ALL					0x00000FFFL
 
+/* DTLS options */
+#define SSL_OP_NO_QUERY_MTU                 0x00001000L
+/* Turn on Cookie Exchange (on relevant for servers) */
+#define SSL_OP_COOKIE_EXCHANGE              0x00002000L
+
 /* As server, disallow session resumption on renegotiation */
 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION	0x00010000L
+/* If set, always create a new key when using tmp_ecdh parameters */
+#define SSL_OP_SINGLE_ECDH_USE				0x00080000L
 /* If set, always create a new key when using tmp_dh parameters */
 #define SSL_OP_SINGLE_DH_USE				0x00100000L
 /* Set to always use the tmp_rsa key when doing RSA operations,
@@ -546,6 +566,8 @@ typedef struct ssl_session_st
 	SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
 #define SSL_get_mode(ssl) \
         SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
+#define SSL_set_mtu(ssl, mtu) \
+        SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
 
 
 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
@@ -582,7 +604,7 @@ typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
 typedef struct ssl_comp_st
 	{
 	int id;
-	char *name;
+	const char *name;
 #ifndef OPENSSL_NO_COMP
 	COMP_METHOD *method;
 #else
@@ -670,6 +692,14 @@ struct ssl_ctx_st
 	/* get client cert callback */
 	int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
 
+    /* cookie generate callback */
+    int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, 
+        unsigned int *cookie_len);
+
+    /* verify cookie callback */
+    int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, 
+        unsigned int cookie_len);
+
 	CRYPTO_EX_DATA ex_data;
 
 	const EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
@@ -702,7 +732,6 @@ struct ssl_ctx_st
 	void *msg_callback_arg;
 
 	int verify_mode;
-	int verify_depth;
 	unsigned int sid_ctx_length;
 	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
 	int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
@@ -710,8 +739,12 @@ struct ssl_ctx_st
 	/* Default generate session ID callback. */
 	GEN_SESSION_CB generate_session_id;
 
+	X509_VERIFY_PARAM *param;
+
+#if 0
 	int purpose;		/* Purpose setting */
 	int trust;		/* Trust setting */
+#endif
 
 	int quiet_shutdown;
 	};
@@ -763,6 +796,8 @@ struct ssl_ctx_st
 #define SSL_CTX_get_info_callback(ctx)		((ctx)->info_callback)
 #define SSL_CTX_set_client_cert_cb(ctx,cb)	((ctx)->client_cert_cb=(cb))
 #define SSL_CTX_get_client_cert_cb(ctx)		((ctx)->client_cert_cb)
+#define SSL_CTX_set_cookie_generate_cb(ctx,cb) ((ctx)->app_gen_cookie_cb=(cb))
+#define SSL_CTX_set_cookie_verify_cb(ctx,cb) ((ctx)->app_verify_cookie_cb=(cb))
 
 #define SSL_NOTHING	1
 #define SSL_WRITING	2
@@ -778,7 +813,7 @@ struct ssl_ctx_st
 struct ssl_st
 	{
 	/* protocol version
-	 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION)
+	 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
 	 */
 	int version;
 	int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
@@ -807,7 +842,7 @@ struct ssl_st
 
 	/* true when we are actually in SSL_accept() or SSL_connect() */
 	int in_handshake;
-	int (*handshake_func)();
+	int (*handshake_func)(SSL *);
 
 	/* Imagine that here's a boolean member "init" that is
 	 * switched as soon as SSL_set_{accept/connect}_state
@@ -842,6 +877,7 @@ struct ssl_st
 
 	struct ssl2_state_st *s2; /* SSLv2 variables */
 	struct ssl3_state_st *s3; /* SSLv3 variables */
+	struct dtls1_state_st *d1; /* DTLSv1 variables */
 
 	int read_ahead;		/* Read as many input bytes as possible
 	               	 	 * (for non-blocking reads) */
@@ -852,8 +888,12 @@ struct ssl_st
 
 	int hit;		/* reusing a previous session */
 
+	X509_VERIFY_PARAM *param;
+
+#if 0
 	int purpose;		/* Purpose setting */
 	int trust;		/* Trust setting */
+#endif
 
 	/* crypto */
 	STACK_OF(SSL_CIPHER) *cipher_list;
@@ -898,7 +938,6 @@ struct ssl_st
 	/* Used in SSL2 and SSL3 */
 	int verify_mode;	/* 0 don't care about verify failure.
 				 * 1 fail if verify fails */
-	int verify_depth;
 	int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
 
 	void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
@@ -938,6 +977,7 @@ struct ssl_st
 #include <openssl/ssl2.h>
 #include <openssl/ssl3.h>
 #include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
+#include <openssl/dtls1.h> /* Datagram TLS */
 #include <openssl/ssl23.h>
 
 #ifdef  __cplusplus
@@ -999,8 +1039,8 @@ extern "C" {
  *   -- that we sent (SSL_get_finished)
  *   -- that we expected from peer (SSL_get_peer_finished).
  * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
-size_t SSL_get_finished(SSL *s, void *buf, size_t count);
-size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
+size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
+size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 
 /* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
  * are 'ored' with SSL_VERIFY_PEER if they are desired */
@@ -1035,21 +1075,16 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
 #define SSL_set_timeout(a,b)	SSL_SESSION_set_timeout((a),(b))
 
 #if 1 /*SSLEAY_MACROS*/
-#define d2i_SSL_SESSION_bio(bp,s_id) (SSL_SESSION *)ASN1_d2i_bio( \
-	(char *(*)())SSL_SESSION_new,(char *(*)())d2i_SSL_SESSION, \
-	(bp),(unsigned char **)(s_id))
-#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio(i2d_SSL_SESSION, \
-	bp,(unsigned char *)s_id)
+#define d2i_SSL_SESSION_bio(bp,s_id) ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id)
+#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id)
 #define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( \
 	(char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(char **)x,cb,u)
-#define PEM_read_bio_SSL_SESSION(bp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read_bio( \
-	(char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,(char **)x,cb,u)
+#define PEM_read_bio_SSL_SESSION(bp,x,cb,u) PEM_ASN1_read_bio_of(SSL_SESSION,d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,x,cb,u)
 #define PEM_write_SSL_SESSION(fp,x) \
 	PEM_ASN1_write((int (*)())i2d_SSL_SESSION, \
 		PEM_STRING_SSL_SESSION,fp, (char *)x, NULL,NULL,0,NULL,NULL)
 #define PEM_write_bio_SSL_SESSION(bp,x) \
-	PEM_ASN1_write_bio((int (*)())i2d_SSL_SESSION, \
-		PEM_STRING_SSL_SESSION,bp, (char *)x, NULL,NULL,0,NULL,NULL)
+	PEM_ASN1_write_bio_of(SSL_SESSION,i2d_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,x,NULL,NULL,0,NULL,NULL)
 #endif
 
 #define SSL_AD_REASON_OFFSET		1000
@@ -1092,20 +1127,24 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
 #define SSL_CTRL_NEED_TMP_RSA			1
 #define SSL_CTRL_SET_TMP_RSA			2
 #define SSL_CTRL_SET_TMP_DH			3
-#define SSL_CTRL_SET_TMP_RSA_CB			4
-#define SSL_CTRL_SET_TMP_DH_CB			5
-
-#define SSL_CTRL_GET_SESSION_REUSED		6
-#define SSL_CTRL_GET_CLIENT_CERT_REQUEST	7
-#define SSL_CTRL_GET_NUM_RENEGOTIATIONS		8
-#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS	9
-#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS	10
-#define SSL_CTRL_GET_FLAGS			11
-#define SSL_CTRL_EXTRA_CHAIN_CERT		12
-
-#define SSL_CTRL_SET_MSG_CALLBACK               13
-#define SSL_CTRL_SET_MSG_CALLBACK_ARG           14
-
+#define SSL_CTRL_SET_TMP_ECDH			4
+#define SSL_CTRL_SET_TMP_RSA_CB			5
+#define SSL_CTRL_SET_TMP_DH_CB			6
+#define SSL_CTRL_SET_TMP_ECDH_CB		7
+
+#define SSL_CTRL_GET_SESSION_REUSED		8
+#define SSL_CTRL_GET_CLIENT_CERT_REQUEST	9
+#define SSL_CTRL_GET_NUM_RENEGOTIATIONS		10
+#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS	11
+#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS	12
+#define SSL_CTRL_GET_FLAGS			13
+#define SSL_CTRL_EXTRA_CHAIN_CERT		14
+
+#define SSL_CTRL_SET_MSG_CALLBACK               15
+#define SSL_CTRL_SET_MSG_CALLBACK_ARG           16
+
+/* only applies to datagram connections */
+#define SSL_CTRL_SET_MTU                17
 /* Stats */
 #define SSL_CTRL_SESS_NUMBER			20
 #define SSL_CTRL_SESS_CONNECT			21
@@ -1147,6 +1186,8 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
 #define SSL_CTX_set_tmp_dh(ctx,dh) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
+#define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
 
 #define SSL_need_tmp_RSA(ssl) \
 	SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
@@ -1154,6 +1195,8 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
 	SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
 #define SSL_set_tmp_dh(ssl,dh) \
 	SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
+#define SSL_set_tmp_ecdh(ssl,ecdh) \
+	SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
 
 #define SSL_CTX_add_extra_chain_cert(ctx,x509) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
@@ -1172,26 +1215,26 @@ int	SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
 SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
 void	SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
-long SSL_CTX_get_timeout(SSL_CTX *ctx);
-X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *);
+long SSL_CTX_get_timeout(const SSL_CTX *ctx);
+X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
 void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
-int SSL_want(SSL *s);
+int SSL_want(const SSL *s);
 int	SSL_clear(SSL *s);
 
 void	SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
 
-SSL_CIPHER *SSL_get_current_cipher(SSL *s);
-int	SSL_CIPHER_get_bits(SSL_CIPHER *c,int *alg_bits);
-char *	SSL_CIPHER_get_version(SSL_CIPHER *c);
-const char *	SSL_CIPHER_get_name(SSL_CIPHER *c);
-
-int	SSL_get_fd(SSL *s);
-int	SSL_get_rfd(SSL *s);
-int	SSL_get_wfd(SSL *s);
-const char  * SSL_get_cipher_list(SSL *s,int n);
-char *	SSL_get_shared_ciphers(SSL *s, char *buf, int len);
-int	SSL_get_read_ahead(SSL * s);
-int	SSL_pending(SSL *s);
+SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
+int	SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
+char *	SSL_CIPHER_get_version(const SSL_CIPHER *c);
+const char *	SSL_CIPHER_get_name(const SSL_CIPHER *c);
+
+int	SSL_get_fd(const SSL *s);
+int	SSL_get_rfd(const SSL *s);
+int	SSL_get_wfd(const SSL *s);
+const char  * SSL_get_cipher_list(const SSL *s,int n);
+char *	SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
+int	SSL_get_read_ahead(const SSL * s);
+int	SSL_pending(const SSL *s);
 #ifndef OPENSSL_NO_SOCK
 int	SSL_set_fd(SSL *s, int fd);
 int	SSL_set_rfd(SSL *s, int fd);
@@ -1199,14 +1242,14 @@ int	SSL_set_wfd(SSL *s, int fd);
 #endif
 #ifndef OPENSSL_NO_BIO
 void	SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
-BIO *	SSL_get_rbio(SSL *s);
-BIO *	SSL_get_wbio(SSL *s);
+BIO *	SSL_get_rbio(const SSL *s);
+BIO *	SSL_get_wbio(const SSL *s);
 #endif
 int	SSL_set_cipher_list(SSL *s, const char *str);
 void	SSL_set_read_ahead(SSL *s, int yes);
-int	SSL_get_verify_mode(SSL *s);
-int	SSL_get_verify_depth(SSL *s);
-int	(*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *);
+int	SSL_get_verify_mode(const SSL *s);
+int	SSL_get_verify_depth(const SSL *s);
+int	(*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *);
 void	SSL_set_verify(SSL *s, int mode,
 		       int (*callback)(int ok,X509_STORE_CTX *ctx));
 void	SSL_set_verify_depth(SSL *s, int depth);
@@ -1215,9 +1258,9 @@ int	SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
 #endif
 int	SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
 int	SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
-int	SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len);
+int	SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len);
 int	SSL_use_certificate(SSL *ssl, X509 *x);
-int	SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);
+int	SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
 
 #ifndef OPENSSL_NO_STDIO
 int	SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
@@ -1244,20 +1287,21 @@ const char *SSL_state_string(const SSL *s);
 const char *SSL_rstate_string(const SSL *s);
 const char *SSL_state_string_long(const SSL *s);
 const char *SSL_rstate_string_long(const SSL *s);
-long	SSL_SESSION_get_time(SSL_SESSION *s);
+long	SSL_SESSION_get_time(const SSL_SESSION *s);
 long	SSL_SESSION_set_time(SSL_SESSION *s, long t);
-long	SSL_SESSION_get_timeout(SSL_SESSION *s);
+long	SSL_SESSION_get_timeout(const SSL_SESSION *s);
 long	SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
-void	SSL_copy_session_id(SSL *to,SSL *from);
+void	SSL_copy_session_id(SSL *to,const SSL *from);
 
 SSL_SESSION *SSL_SESSION_new(void);
-unsigned long SSL_SESSION_hash(SSL_SESSION *a);
-int	SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b);
+unsigned long SSL_SESSION_hash(const SSL_SESSION *a);
+int	SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b);
+const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len);
 #ifndef OPENSSL_NO_FP_API
-int	SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses);
+int	SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
 #endif
 #ifndef OPENSSL_NO_BIO
-int	SSL_SESSION_print(BIO *fp,SSL_SESSION *ses);
+int	SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
 #endif
 void	SSL_SESSION_free(SSL_SESSION *ses);
 int	i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
@@ -1268,17 +1312,18 @@ int	SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
 int	SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
 int	SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
 					unsigned int id_len);
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length);
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char **pp,
+			     long length);
 
 #ifdef HEADER_X509_H
-X509 *	SSL_get_peer_certificate(SSL *s);
+X509 *	SSL_get_peer_certificate(const SSL *s);
 #endif
 
-STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s);
+STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
 
-int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
-int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
-int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *);
+int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
+int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
+int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *);
 void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
 			int (*callback)(int, X509_STORE_CTX *));
 void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
@@ -1286,18 +1331,18 @@ void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,v
 #ifndef OPENSSL_NO_RSA
 int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
 #endif
-int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);
+int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
 int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
 int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx,
-	unsigned char *d, long len);
+	const unsigned char *d, long len);
 int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
-int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
+int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
 
 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
 
-int SSL_CTX_check_private_key(SSL_CTX *ctx);
-int SSL_check_private_key(SSL *ctx);
+int SSL_CTX_check_private_key(const SSL_CTX *ctx);
+int SSL_check_private_key(const SSL *ctx);
 
 int	SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
 				       unsigned int sid_ctx_len);
@@ -1318,12 +1363,12 @@ int 	SSL_read(SSL *ssl,void *buf,int num);
 int 	SSL_peek(SSL *ssl,void *buf,int num);
 int 	SSL_write(SSL *ssl,const void *buf,int num);
 long	SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg);
-long	SSL_callback_ctrl(SSL *, int, void (*)());
+long	SSL_callback_ctrl(SSL *, int, void (*)(void));
 long	SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
-long	SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)());
+long	SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void));
 
-int	SSL_get_error(SSL *s,int ret_code);
-const char *SSL_get_version(SSL *s);
+int	SSL_get_error(const SSL *s,int ret_code);
+const char *SSL_get_version(const SSL *s);
 
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
@@ -1344,7 +1389,11 @@ SSL_METHOD *TLSv1_method(void);		/* TLSv1.0 */
 SSL_METHOD *TLSv1_server_method(void);	/* TLSv1.0 */
 SSL_METHOD *TLSv1_client_method(void);	/* TLSv1.0 */
 
-STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s);
+SSL_METHOD *DTLSv1_method(void);		/* DTLSv1.0 */
+SSL_METHOD *DTLSv1_server_method(void);	/* DTLSv1.0 */
+SSL_METHOD *DTLSv1_client_method(void);	/* DTLSv1.0 */
+
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
 
 int SSL_do_handshake(SSL *s);
 int SSL_renegotiate(SSL *s);
@@ -1360,15 +1409,15 @@ const char *SSL_alert_desc_string(int value);
 
 void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
 void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s);
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
 int SSL_add_client_CA(SSL *ssl,X509 *x);
 int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
 
 void SSL_set_connect_state(SSL *s);
 void SSL_set_accept_state(SSL *s);
 
-long SSL_get_default_timeout(SSL *s);
+long SSL_get_default_timeout(const SSL *s);
 
 int SSL_library_init(void );
 
@@ -1377,43 +1426,43 @@ STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
 
 SSL *SSL_dup(SSL *ssl);
 
-X509 *SSL_get_certificate(SSL *ssl);
+X509 *SSL_get_certificate(const SSL *ssl);
 /* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
 
 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
-int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx);
+int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
 void SSL_set_quiet_shutdown(SSL *ssl,int mode);
-int SSL_get_quiet_shutdown(SSL *ssl);
+int SSL_get_quiet_shutdown(const SSL *ssl);
 void SSL_set_shutdown(SSL *ssl,int mode);
-int SSL_get_shutdown(SSL *ssl);
-int SSL_version(SSL *ssl);
+int SSL_get_shutdown(const SSL *ssl);
+int SSL_version(const SSL *ssl);
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
 	const char *CApath);
 #define SSL_get0_session SSL_get_session /* just peek at pointer */
-SSL_SESSION *SSL_get_session(SSL *ssl);
+SSL_SESSION *SSL_get_session(const SSL *ssl);
 SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
-SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
+SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
 void SSL_set_info_callback(SSL *ssl,
 			   void (*cb)(const SSL *ssl,int type,int val));
-void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val);
-int SSL_state(SSL *ssl);
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
+int SSL_state(const SSL *ssl);
 
 void SSL_set_verify_result(SSL *ssl,long v);
-long SSL_get_verify_result(SSL *ssl);
+long SSL_get_verify_result(const SSL *ssl);
 
 int SSL_set_ex_data(SSL *ssl,int idx,void *data);
-void *SSL_get_ex_data(SSL *ssl,int idx);
+void *SSL_get_ex_data(const SSL *ssl,int idx);
 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 
 int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
-void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx);
+void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss,int idx);
 int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 
 int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
-void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx);
+void *SSL_CTX_get_ex_data(const SSL_CTX *ssl,int idx);
 int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 
@@ -1461,11 +1510,27 @@ void SSL_set_tmp_dh_callback(SSL *ssl,
 				 DH *(*dh)(SSL *ssl,int is_export,
 					   int keylength));
 #endif
+#ifndef OPENSSL_NO_ECDH
+void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
+				 EC_KEY *(*ecdh)(SSL *ssl,int is_export,
+					   int keylength));
+void SSL_set_tmp_ecdh_callback(SSL *ssl,
+				 EC_KEY *(*ecdh)(SSL *ssl,int is_export,
+					   int keylength));
+#endif
 
 #ifndef OPENSSL_NO_COMP
+const COMP_METHOD *SSL_get_current_compression(SSL *s);
+const COMP_METHOD *SSL_get_current_expansion(SSL *s);
+const char *SSL_COMP_get_name(const COMP_METHOD *comp);
+STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
 int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);
 #else
-int SSL_COMP_add_compression_method(int id,char *cm);
+const void *SSL_get_current_compression(SSL *s);
+const void *SSL_get_current_expansion(SSL *s);
+const char *SSL_COMP_get_name(const void *comp);
+void *SSL_COMP_get_compression_methods(void);
+int SSL_COMP_add_compression_method(int id,void *cm);
 #endif
 
 /* BEGIN ERROR CODES */
@@ -1478,11 +1543,35 @@ void ERR_load_SSL_strings(void);
 
 /* Function codes. */
 #define SSL_F_CLIENT_CERTIFICATE			 100
-#define SSL_F_CLIENT_FINISHED				 238
+#define SSL_F_CLIENT_FINISHED				 167
 #define SSL_F_CLIENT_HELLO				 101
 #define SSL_F_CLIENT_MASTER_KEY				 102
 #define SSL_F_D2I_SSL_SESSION				 103
+#define SSL_F_DO_DTLS1_WRITE				 245
 #define SSL_F_DO_SSL3_WRITE				 104
+#define SSL_F_DTLS1_ACCEPT				 246
+#define SSL_F_DTLS1_BUFFER_RECORD			 247
+#define SSL_F_DTLS1_CLIENT_HELLO			 248
+#define SSL_F_DTLS1_CONNECT				 249
+#define SSL_F_DTLS1_ENC					 250
+#define SSL_F_DTLS1_GET_HELLO_VERIFY			 251
+#define SSL_F_DTLS1_GET_MESSAGE				 252
+#define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT		 253
+#define SSL_F_DTLS1_GET_RECORD				 254
+#define SSL_F_DTLS1_OUTPUT_CERT_CHAIN			 255
+#define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE		 256
+#define SSL_F_DTLS1_PROCESS_RECORD			 257
+#define SSL_F_DTLS1_READ_BYTES				 258
+#define SSL_F_DTLS1_READ_FAILED				 259
+#define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST		 260
+#define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE		 261
+#define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE		 262
+#define SSL_F_DTLS1_SEND_CLIENT_VERIFY			 263
+#define SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST		 264
+#define SSL_F_DTLS1_SEND_SERVER_CERTIFICATE		 265
+#define SSL_F_DTLS1_SEND_SERVER_HELLO			 266
+#define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE		 267
+#define SSL_F_DTLS1_WRITE_APP_DATA_BYTES		 268
 #define SSL_F_GET_CLIENT_FINISHED			 105
 #define SSL_F_GET_CLIENT_HELLO				 106
 #define SSL_F_GET_CLIENT_MASTER_KEY			 107
@@ -1566,6 +1655,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_CTRL					 232
 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY			 168
 #define SSL_F_SSL_CTX_NEW				 169
+#define SSL_F_SSL_CTX_SET_CIPHER_LIST			 269
 #define SSL_F_SSL_CTX_SET_PURPOSE			 226
 #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT		 219
 #define SSL_F_SSL_CTX_SET_SSL_VERSION			 170
@@ -1588,6 +1678,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_INIT_WBIO_BUFFER			 184
 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE			 185
 #define SSL_F_SSL_NEW					 186
+#define SSL_F_SSL_PEEK					 270
 #define SSL_F_SSL_READ					 223
 #define SSL_F_SSL_RSA_PRIVATE_DECRYPT			 187
 #define SSL_F_SSL_RSA_PUBLIC_ENCRYPT			 188
@@ -1595,6 +1686,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_SESSION_PRINT_FP			 190
 #define SSL_F_SSL_SESS_CERT_NEW				 225
 #define SSL_F_SSL_SET_CERT				 191
+#define SSL_F_SSL_SET_CIPHER_LIST			 271
 #define SSL_F_SSL_SET_FD				 192
 #define SSL_F_SSL_SET_PKEY				 193
 #define SSL_F_SSL_SET_PURPOSE				 227
@@ -1604,7 +1696,9 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_SET_TRUST				 228
 #define SSL_F_SSL_SET_WFD				 196
 #define SSL_F_SSL_SHUTDOWN				 224
+#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION		 243
 #define SSL_F_SSL_UNDEFINED_FUNCTION			 197
+#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION		 244
 #define SSL_F_SSL_USE_CERTIFICATE			 198
 #define SSL_F_SSL_USE_CERTIFICATE_ASN1			 199
 #define SSL_F_SSL_USE_CERTIFICATE_FILE			 200
@@ -1635,6 +1729,9 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_BAD_DH_P_LENGTH				 110
 #define SSL_R_BAD_DIGEST_LENGTH				 111
 #define SSL_R_BAD_DSA_SIGNATURE				 112
+#define SSL_R_BAD_ECC_CERT				 304
+#define SSL_R_BAD_ECDSA_SIGNATURE			 305
+#define SSL_R_BAD_ECPOINT				 306
 #define SSL_R_BAD_HELLO_REQUEST				 105
 #define SSL_R_BAD_LENGTH				 271
 #define SSL_R_BAD_MAC_DECODE				 113
@@ -1666,46 +1763,49 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_CIPHER_TABLE_SRC_ERROR			 139
 #define SSL_R_COMPRESSED_LENGTH_TOO_LONG		 140
 #define SSL_R_COMPRESSION_FAILURE			 141
+#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE	 307
 #define SSL_R_COMPRESSION_LIBRARY_ERROR			 142
 #define SSL_R_CONNECTION_ID_IS_DIFFERENT		 143
 #define SSL_R_CONNECTION_TYPE_NOT_SET			 144
+#define SSL_R_COOKIE_MISMATCH				 308
 #define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED		 145
 #define SSL_R_DATA_LENGTH_TOO_LONG			 146
 #define SSL_R_DECRYPTION_FAILED				 147
-#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC	 1109
+#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC	 281
 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG		 148
 #define SSL_R_DIGEST_CHECK_FAILED			 149
+#define SSL_R_DUPLICATE_COMPRESSION_ID			 309
+#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER		 310
 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG			 150
-#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY		 1092
+#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY		 282
 #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST		 151
 #define SSL_R_EXCESSIVE_MESSAGE_SIZE			 152
 #define SSL_R_EXTRA_DATA_IN_MESSAGE			 153
 #define SSL_R_GOT_A_FIN_BEFORE_A_CCS			 154
 #define SSL_R_HTTPS_PROXY_REQUEST			 155
 #define SSL_R_HTTP_REQUEST				 156
-#define SSL_R_ILLEGAL_PADDING				 1110
+#define SSL_R_ILLEGAL_PADDING				 283
 #define SSL_R_INVALID_CHALLENGE_LENGTH			 158
 #define SSL_R_INVALID_COMMAND				 280
 #define SSL_R_INVALID_PURPOSE				 278
 #define SSL_R_INVALID_TRUST				 279
-#define SSL_R_KEY_ARG_TOO_LONG				 1112
-#define SSL_R_KRB5					 1104
-#define SSL_R_KRB5_C_CC_PRINC				 1094
-#define SSL_R_KRB5_C_GET_CRED				 1095
-#define SSL_R_KRB5_C_INIT				 1096
-#define SSL_R_KRB5_C_MK_REQ				 1097
-#define SSL_R_KRB5_S_BAD_TICKET				 1098
-#define SSL_R_KRB5_S_INIT				 1099
-#define SSL_R_KRB5_S_RD_REQ				 1108
-#define SSL_R_KRB5_S_TKT_EXPIRED			 1105
-#define SSL_R_KRB5_S_TKT_NYV				 1106
-#define SSL_R_KRB5_S_TKT_SKEW				 1107
+#define SSL_R_KEY_ARG_TOO_LONG				 284
+#define SSL_R_KRB5					 285
+#define SSL_R_KRB5_C_CC_PRINC				 286
+#define SSL_R_KRB5_C_GET_CRED				 287
+#define SSL_R_KRB5_C_INIT				 288
+#define SSL_R_KRB5_C_MK_REQ				 289
+#define SSL_R_KRB5_S_BAD_TICKET				 290
+#define SSL_R_KRB5_S_INIT				 291
+#define SSL_R_KRB5_S_RD_REQ				 292
+#define SSL_R_KRB5_S_TKT_EXPIRED			 293
+#define SSL_R_KRB5_S_TKT_NYV				 294
+#define SSL_R_KRB5_S_TKT_SKEW				 295
 #define SSL_R_LENGTH_MISMATCH				 159
 #define SSL_R_LENGTH_TOO_SHORT				 160
 #define SSL_R_LIBRARY_BUG				 274
 #define SSL_R_LIBRARY_HAS_NO_CIPHERS			 161
-#define SSL_R_MASTER_KEY_TOO_LONG			 1112
-#define SSL_R_MESSAGE_TOO_LONG				 1111
+#define SSL_R_MESSAGE_TOO_LONG				 296
 #define SSL_R_MISSING_DH_DSA_CERT			 162
 #define SSL_R_MISSING_DH_KEY				 163
 #define SSL_R_MISSING_DH_RSA_CERT			 164
@@ -1716,6 +1816,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_MISSING_RSA_ENCRYPTING_CERT		 169
 #define SSL_R_MISSING_RSA_SIGNING_CERT			 170
 #define SSL_R_MISSING_TMP_DH_KEY			 171
+#define SSL_R_MISSING_TMP_ECDH_KEY			 311
 #define SSL_R_MISSING_TMP_RSA_KEY			 172
 #define SSL_R_MISSING_TMP_RSA_PKEY			 173
 #define SSL_R_MISSING_VERIFY_MESSAGE			 174
@@ -1742,6 +1843,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NULL_SSL_CTX				 195
 #define SSL_R_NULL_SSL_METHOD_PASSED			 196
 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED		 197
+#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE		 297
 #define SSL_R_PACKET_LENGTH_TOO_LONG			 198
 #define SSL_R_PATH_TOO_LONG				 270
 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE		 199
@@ -1757,10 +1859,11 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_PUBLIC_KEY_IS_NOT_RSA			 209
 #define SSL_R_PUBLIC_KEY_NOT_RSA			 210
 #define SSL_R_READ_BIO_NOT_SET				 211
+#define SSL_R_READ_TIMEOUT_EXPIRED			 312
 #define SSL_R_READ_WRONG_PACKET_TYPE			 212
 #define SSL_R_RECORD_LENGTH_MISMATCH			 213
 #define SSL_R_RECORD_TOO_LARGE				 214
-#define SSL_R_RECORD_TOO_SMALL				 1093
+#define SSL_R_RECORD_TOO_SMALL				 298
 #define SSL_R_REQUIRED_CIPHER_MISSING			 215
 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO		 216
 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO			 217
@@ -1769,8 +1872,8 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_SHORT_READ				 219
 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 220
 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE		 221
-#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG		 1114
-#define SSL_R_SSL3_SESSION_ID_TOO_LONG			 1113
+#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG		 299
+#define SSL_R_SSL3_SESSION_ID_TOO_LONG			 300
 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 222
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE		 1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		 1020
@@ -1781,20 +1884,15 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE		 1040
 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER		 1047
 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE		 1041
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE	 223
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE	 224
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER		 225
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226
 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE		 1010
-#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE	 227
 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE	 1043
 #define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION	 228
 #define SSL_R_SSL_HANDSHAKE_FAILURE			 229
 #define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS		 230
-#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED		 1102
-#define SSL_R_SSL_SESSION_ID_CONFLICT			 1103
+#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED		 301
+#define SSL_R_SSL_SESSION_ID_CONFLICT			 302
 #define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG		 273
-#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH		 1101
+#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH		 303
 #define SSL_R_SSL_SESSION_ID_IS_DIFFERENT		 231
 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED			 1049
 #define SSL_R_TLSV1_ALERT_DECODE_ERROR			 1050
@@ -1813,8 +1911,10 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG	 234
 #define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER		 235
 #define SSL_R_UNABLE_TO_DECODE_DH_CERTS			 236
+#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS		 313
 #define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY		 237
 #define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS		 238
+#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS		 314
 #define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS	 239
 #define SSL_R_UNABLE_TO_FIND_SSL_METHOD			 240
 #define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES		 241
@@ -1835,7 +1935,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNKNOWN_STATE				 255
 #define SSL_R_UNSUPPORTED_CIPHER			 256
 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 257
-#define SSL_R_UNSUPPORTED_OPTION			 1091
+#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE		 315
 #define SSL_R_UNSUPPORTED_PROTOCOL			 258
 #define SSL_R_UNSUPPORTED_SSL_VERSION			 259
 #define SSL_R_WRITE_BIO_NOT_SET				 260
diff --git a/crypto/openssl/ssl/ssl3.h b/crypto/openssl/ssl/ssl3.h
index 1153aeda7481..bacaff157e5b 100644
--- a/crypto/openssl/ssl/ssl3.h
+++ b/crypto/openssl/ssl/ssl3.h
@@ -108,6 +108,11 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #ifndef HEADER_SSL3_H 
 #define HEADER_SSL3_H 
@@ -118,6 +123,7 @@
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
 #include <openssl/ssl.h>
+#include <openssl/pq_compat.h>
 
 #ifdef  __cplusplus
 extern "C" {
@@ -248,7 +254,11 @@ extern "C" {
 #endif
 
 #define SSL3_RT_MAX_PLAIN_LENGTH		16384
+#ifdef OPENSSL_NO_COMP
+#define SSL3_RT_MAX_COMPRESSED_LENGTH	SSL3_RT_MAX_PLAIN_LENGTH
+#else
 #define SSL3_RT_MAX_COMPRESSED_LENGTH	(1024+SSL3_RT_MAX_PLAIN_LENGTH)
+#endif
 #define SSL3_RT_MAX_ENCRYPTED_LENGTH	(1024+SSL3_RT_MAX_COMPRESSED_LENGTH)
 #define SSL3_RT_MAX_PACKET_SIZE		(SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
 #define SSL3_RT_MAX_DATA_SIZE			(1024*1024)
@@ -289,6 +299,8 @@ typedef struct ssl3_record_st
 /*rw*/	unsigned char *data;    /* pointer to the record data */
 /*rw*/	unsigned char *input;   /* where the decode bytes are */
 /*r */	unsigned char *comp;    /* only used with decompression - malloc()ed */
+/*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */
+/*r */  PQ_64BIT seq_num;       /* sequence number, needed by DTLS1 */
 	} SSL3_RECORD;
 
 typedef struct ssl3_buffer_st
@@ -307,7 +319,12 @@ typedef struct ssl3_buffer_st
 #define SSL3_CT_RSA_EPHEMERAL_DH		5
 #define SSL3_CT_DSS_EPHEMERAL_DH		6
 #define SSL3_CT_FORTEZZA_DMS			20
-#define SSL3_CT_NUMBER				7
+/* SSL3_CT_NUMBER is used to size arrays and it must be large
+ * enough to contain all of the cert types defined either for
+ * SSLv3 and TLSv1.
+ */
+#define SSL3_CT_NUMBER			7
+
 
 #define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS	0x0001
 #define SSL3_FLAGS_DELAY_CLIENT_FINISHED	0x0002
@@ -392,6 +409,11 @@ typedef struct ssl3_state_st
 #ifndef OPENSSL_NO_DH
 		DH *dh;
 #endif
+
+#ifndef OPENSSL_NO_ECDH
+		EC_KEY *ecdh; /* holds short lived ECDH key */
+#endif
+
 		/* used when SSL_ST_FLUSH_DATA is entered */
 		int next_state;			
 
@@ -420,6 +442,7 @@ typedef struct ssl3_state_st
 
 	} SSL3_STATE;
 
+
 /* SSLv3 */
 /*client */
 /* extra state */
@@ -430,6 +453,8 @@ typedef struct ssl3_state_st
 /* read from server */
 #define SSL3_ST_CR_SRVR_HELLO_A		(0x120|SSL_ST_CONNECT)
 #define SSL3_ST_CR_SRVR_HELLO_B		(0x121|SSL_ST_CONNECT)
+#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A (0x126|SSL_ST_CONNECT)
+#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B (0x127|SSL_ST_CONNECT)
 #define SSL3_ST_CR_CERT_A		(0x130|SSL_ST_CONNECT)
 #define SSL3_ST_CR_CERT_B		(0x131|SSL_ST_CONNECT)
 #define SSL3_ST_CR_KEY_EXCH_A		(0x140|SSL_ST_CONNECT)
@@ -466,6 +491,8 @@ typedef struct ssl3_state_st
 #define SSL3_ST_SR_CLNT_HELLO_B		(0x111|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CLNT_HELLO_C		(0x112|SSL_ST_ACCEPT)
 /* write to client */
+#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
+#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
 #define SSL3_ST_SW_HELLO_REQ_A		(0x120|SSL_ST_ACCEPT)
 #define SSL3_ST_SW_HELLO_REQ_B		(0x121|SSL_ST_ACCEPT)
 #define SSL3_ST_SW_HELLO_REQ_C		(0x122|SSL_ST_ACCEPT)
@@ -506,6 +533,8 @@ typedef struct ssl3_state_st
 #define SSL3_MT_CERTIFICATE_VERIFY		15
 #define SSL3_MT_CLIENT_KEY_EXCHANGE		16
 #define SSL3_MT_FINISHED			20
+#define DTLS1_MT_HELLO_VERIFY_REQUEST    3
+
 
 #define SSL3_MT_CCS				1
 
diff --git a/crypto/openssl/ssl/ssl_algs.c b/crypto/openssl/ssl/ssl_algs.c
index 3d1299ee7b96..ac82d45a9c61 100644
--- a/crypto/openssl/ssl/ssl_algs.c
+++ b/crypto/openssl/ssl/ssl_algs.c
@@ -101,11 +101,22 @@ int SSL_library_init(void)
 	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
 	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
 #endif
+#ifndef OPENSSL_NO_ECDSA
+	EVP_add_digest(EVP_ecdsa());
+#endif
 	/* If you want support for phased out ciphers, add the following */
 #if 0
 	EVP_add_digest(EVP_sha());
 	EVP_add_digest(EVP_dss());
 #endif
+#ifndef OPENSSL_NO_COMP
+	/* This will initialise the built-in compression algorithms.
+	   The value returned is a STACK_OF(SSL_COMP), but that can
+	   be discarded safely */
+	(void)SSL_COMP_get_compression_methods();
+#endif
+	/* initialize cipher/digest methods table */
+	ssl_load_ciphers();
 	return(1);
 	}
 
diff --git a/crypto/openssl/ssl/ssl_asn1.c b/crypto/openssl/ssl/ssl_asn1.c
index d8ff8fc4a3dc..d129acc32911 100644
--- a/crypto/openssl/ssl/ssl_asn1.c
+++ b/crypto/openssl/ssl/ssl_asn1.c
@@ -226,7 +226,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 	M_ASN1_I2D_finish();
 	}
 
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 	     long length)
 	{
 	int version,ssl_version=0,i;
@@ -242,18 +242,18 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
 	M_ASN1_D2I_start_sequence();
 
 	ai.data=NULL; ai.length=0;
-	M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER);
 	version=(int)ASN1_INTEGER_get(aip);
 	if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
 
 	/* we don't care about the version right now :-) */
-	M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER);
+	M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER);
 	ssl_version=(int)ASN1_INTEGER_get(aip);
 	ret->ssl_version=ssl_version;
 	if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
 
 	os.data=NULL; os.length=0;
-	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
+	M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
 	if (ssl_version == SSL2_VERSION)
 		{
 		if (os.length != 3)
@@ -266,7 +266,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
 			((unsigned long)os.data[1]<< 8L)|
 			 (unsigned long)os.data[2];
 		}
-	else if ((ssl_version>>8) == 3)
+	else if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
 		{
 		if (os.length != 2)
 			{
@@ -286,22 +286,22 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
 	ret->cipher=NULL;
 	ret->cipher_id=id;
 
-	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
-	if ((ssl_version>>8) == SSL3_VERSION)
+	M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
+	if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
 		i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
-	else /* if (ssl_version == SSL2_VERSION) */
+	else /* if (ssl_version>>8 == SSL2_VERSION_MAJOR) */
 		i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
 
 	if (os.length > i)
 		os.length = i;
-	if (os.length > sizeof ret->session_id) /* can't happen */
-		os.length = sizeof ret->session_id;
+	if (os.length > (int)sizeof(ret->session_id)) /* can't happen */
+		os.length = sizeof(ret->session_id);
 
 	ret->session_id_length=os.length;
-	OPENSSL_assert(os.length <= sizeof ret->session_id);
+	OPENSSL_assert(os.length <= (int)sizeof(ret->session_id));
 	memcpy(ret->session_id,os.data,os.length);
 
-	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
+	M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
 	if (ret->master_key_length > SSL_MAX_MASTER_KEY_LENGTH)
 		ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
 	else
@@ -344,7 +344,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
 		OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
 		}
 	else
-		ret->time=time(NULL);
+		ret->time=(unsigned long)time(NULL);
 
 	ai.length=0;
 	M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,2);
diff --git a/crypto/openssl/ssl/ssl_cert.c b/crypto/openssl/ssl/ssl_cert.c
index 0bef96080f2b..452a0822d9a3 100644
--- a/crypto/openssl/ssl/ssl_cert.c
+++ b/crypto/openssl/ssl/ssl_cert.c
@@ -103,6 +103,11 @@
  * OF THE POSSIBILITY OF SUCH DAMAGE.
  * ====================================================================
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #include <stdio.h>
 
@@ -111,26 +116,16 @@
 # include <sys/types.h>
 #endif
 
-#if !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) && !defined(NeXT) && !defined(MAC_OS_pre_X)
-#include <dirent.h>
-#endif
-
-#if defined(WIN32)
-#include <windows.h>
-#include <tchar.h>
-#endif
-
-#ifdef NeXT
-#include <sys/dir.h>
-#define dirent direct
-#endif
-
+#include "o_dir.h"
 #include <openssl/objects.h>
 #include <openssl/bio.h>
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/bn.h>
 #include "ssl_locl.h"
-#include <openssl/fips.h>
 
 int SSL_get_ex_data_X509_STORE_CTX_idx(void)
 	{
@@ -205,7 +200,6 @@ CERT *ssl_cert_dup(CERT *cert)
 #ifndef OPENSSL_NO_DH
 	if (cert->dh_tmp != NULL)
 		{
-		/* DH parameters don't have a reference count */
 		ret->dh_tmp = DHparams_dup(cert->dh_tmp);
 		if (ret->dh_tmp == NULL)
 			{
@@ -236,6 +230,19 @@ CERT *ssl_cert_dup(CERT *cert)
 	ret->dh_tmp_cb = cert->dh_tmp_cb;
 #endif
 
+#ifndef OPENSSL_NO_ECDH
+	if (cert->ecdh_tmp)
+		{
+		ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
+		if (ret->ecdh_tmp == NULL)
+			{
+			SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
+			goto err;
+			}
+		}
+	ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
+#endif
+
 	for (i = 0; i < SSL_PKEY_NUM; i++)
 		{
 		if (cert->pkeys[i].x509 != NULL)
@@ -270,7 +277,11 @@ CERT *ssl_cert_dup(CERT *cert)
 			case SSL_PKEY_DH_DSA:
 				/* We have a DH key. */
 				break;
-				
+
+			case SSL_PKEY_ECC:
+				/* We have an ECC key */
+				break;
+
 			default:
 				/* Can't happen. */
 				SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
@@ -285,7 +296,7 @@ CERT *ssl_cert_dup(CERT *cert)
 
 	return(ret);
 	
-#ifndef OPENSSL_NO_DH /* avoid 'unreferenced label' warning if OPENSSL_NO_DH is defined */
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
 err:
 #endif
 #ifndef OPENSSL_NO_RSA
@@ -296,6 +307,10 @@ err:
 	if (ret->dh_tmp != NULL)
 		DH_free(ret->dh_tmp);
 #endif
+#ifndef OPENSSL_NO_ECDH
+	if (ret->ecdh_tmp != NULL)
+		EC_KEY_free(ret->ecdh_tmp);
+#endif
 
 	for (i = 0; i < SSL_PKEY_NUM; i++)
 		{
@@ -335,6 +350,9 @@ void ssl_cert_free(CERT *c)
 #ifndef OPENSSL_NO_DH
 	if (c->dh_tmp) DH_free(c->dh_tmp);
 #endif
+#ifndef OPENSSL_NO_ECDH
+	if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp);
+#endif
 
 	for (i=0; i<SSL_PKEY_NUM; i++)
 		{
@@ -441,6 +459,10 @@ void ssl_sess_cert_free(SESS_CERT *sc)
 	if (sc->peer_dh_tmp != NULL)
 		DH_free(sc->peer_dh_tmp);
 #endif
+#ifndef OPENSSL_NO_ECDH
+	if (sc->peer_ecdh_tmp != NULL)
+		EC_KEY_free(sc->peer_ecdh_tmp);
+#endif
 
 	OPENSSL_free(sc);
 	}
@@ -466,20 +488,22 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
 		SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
 		return(0);
 		}
+	if (s->param)
+		X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx),
+						s->param);
+#if 0
 	if (SSL_get_verify_depth(s) >= 0)
 		X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
+#endif
 	X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
 
-	/* We need to set the verify purpose. The purpose can be determined by
+	/* We need to inherit the verify parameters. These can be determined by
 	 * the context: if its a server it will verify SSL client certificates
 	 * or vice versa.
 	 */
-	if (s->server)
-		i = X509_PURPOSE_SSL_CLIENT;
-	else
-		i = X509_PURPOSE_SSL_SERVER;
 
-	X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
+	X509_STORE_CTX_set_default(&ctx,
+				s->server ? "ssl_client" : "ssl_server");
 
 	if (s->verify_callback)
 		X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
@@ -493,15 +517,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
 	else
 		{
 #ifndef OPENSSL_NO_X509_VERIFY
-# ifdef OPENSSL_FIPS
-		if(s->version == TLS1_VERSION)
-			FIPS_allow_md5(1);
-# endif
 		i=X509_verify_cert(&ctx);
-# ifdef OPENSSL_FIPS
-		if(s->version == TLS1_VERSION)
-			FIPS_allow_md5(0);
-# endif
 #else
 		i=0;
 		ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
@@ -552,12 +568,12 @@ void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
 	set_client_CA_list(&(ctx->client_CA),name_list);
 	}
 
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx)
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
 	{
 	return(ctx->client_CA);
 	}
 
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s)
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
 	{
 	if (s->type == SSL_ST_CONNECT)
 		{ /* we are in the client */
@@ -624,14 +640,13 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
 	BIO *in;
 	X509 *x=NULL;
 	X509_NAME *xn=NULL;
-	STACK_OF(X509_NAME) *ret,*sk;
+	STACK_OF(X509_NAME) *ret = NULL,*sk;
 
-	ret=sk_X509_NAME_new_null();
 	sk=sk_X509_NAME_new(xname_cmp);
 
 	in=BIO_new(BIO_s_file_internal());
 
-	if ((ret == NULL) || (sk == NULL) || (in == NULL))
+	if ((sk == NULL) || (in == NULL))
 		{
 		SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
 		goto err;
@@ -644,6 +659,15 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
 		{
 		if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
 			break;
+		if (ret == NULL)
+			{
+			ret = sk_X509_NAME_new_null();
+			if (ret == NULL)
+				{
+				SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
+			}
 		if ((xn=X509_get_subject_name(x)) == NULL) goto err;
 		/* check for duplicates */
 		xn=X509_NAME_dup(xn);
@@ -666,6 +690,8 @@ err:
 	if (sk != NULL) sk_X509_NAME_free(sk);
 	if (in != NULL) BIO_free(in);
 	if (x != NULL) X509_free(x);
+	if (ret != NULL)
+		ERR_clear_error();
 	return(ret);
 	}
 #endif
@@ -740,157 +766,52 @@ err:
  * certs may have been added to \c stack.
  */
 
-#ifndef OPENSSL_SYS_WIN32
-#ifndef OPENSSL_SYS_VMS		/* XXXX This may be fixed in the future */
-#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! */
-
 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 				       const char *dir)
 	{
-	DIR *d;
-	struct dirent *dstruct;
+	OPENSSL_DIR_CTX *d = NULL;
+	const char *filename;
 	int ret = 0;
 
 	CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
-	d = opendir(dir);
 
 	/* Note that a side effect is that the CAs will be sorted by name */
-	if(!d)
-		{
-		SYSerr(SYS_F_OPENDIR, get_last_sys_error());
-		ERR_add_error_data(3, "opendir('", dir, "')");
-		SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
-		goto err;
-		}
-	
-	while((dstruct=readdir(d)))
+
+	while((filename = OPENSSL_DIR_read(&d, dir)))
 		{
 		char buf[1024];
 		int r;
-		
-		if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf)
+
+		if(strlen(dir)+strlen(filename)+2 > sizeof buf)
 			{
 			SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
 			goto err;
 			}
-		
-		r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,dstruct->d_name);
-		if (r <= 0 || r >= sizeof buf)
+
+#ifdef OPENSSL_SYS_VMS
+		r = BIO_snprintf(buf,sizeof buf,"%s%s",dir,filename);
+#else
+		r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,filename);
+#endif
+		if (r <= 0 || r >= (int)sizeof(buf))
 			goto err;
 		if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
 			goto err;
 		}
-	ret = 1;
-
-err:	
-	if (d) closedir(d);
-	CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
-	return ret;
-	}
-
-#endif
-#endif
-
-#else /* OPENSSL_SYS_WIN32 */
-
-#if defined(_WIN32_WCE)
-# ifndef UNICODE
-#  error "WinCE comes in UNICODE flavor only..."
-# endif
-# if _WIN32_WCE<101 && !defined(OPENSSL_NO_MULTIBYTE)
-#  define OPENSSL_NO_MULTIBYTE
-# endif
-# ifndef  FindFirstFile
-#  define FindFirstFile FindFirstFileW
-# endif
-# ifndef  FindNextFile
-#  define FindNextFile FindNextFileW
-# endif
-#endif
-
-int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
-				       const char *dir)
-	{
-	WIN32_FIND_DATA FindFileData;
-	HANDLE hFind;
-	int    ret = 0;
-	TCHAR *wdir = NULL;
-	size_t i,len_0 = strlen(dir)+1;	/* len_0 accounts for trailing 0 */
-	char   buf[1024],*slash;
-
-	if (len_0 > (sizeof(buf)-14))	/* 14 is just some value... */
-		{
-		SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
-		return ret;
-		}
-
-	CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
-
-	if (sizeof(TCHAR) != sizeof(char))
-		{
-		wdir = (TCHAR *)malloc(len_0*sizeof(TCHAR));
-		if (wdir == NULL)
-			goto err_noclose;
-#ifndef OPENSSL_NO_MULTIBYTE
-		if (!MultiByteToWideChar(CP_ACP,0,dir,len_0,
-					(WCHAR *)wdir,len_0))
-#endif
-			for (i=0;i<len_0;i++) wdir[i]=(TCHAR)dir[i];
-
-		hFind = FindFirstFile(wdir, &FindFileData);
-		}
-	else	hFind = FindFirstFile((const TCHAR *)dir, &FindFileData);
 
-	/* Note that a side effect is that the CAs will be sorted by name */
-	if(hFind == INVALID_HANDLE_VALUE)
+	if (errno)
 		{
 		SYSerr(SYS_F_OPENDIR, get_last_sys_error());
-		ERR_add_error_data(3, "opendir('", dir, "')");
+		ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
 		SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
-		goto err_noclose;
+		goto err;
 		}
 
-	strncpy(buf,dir,sizeof(buf));	/* strcpy is safe too... */
-	buf[len_0-1]='/';		/* no trailing zero!     */
-	slash=buf+len_0;
-
-	do	{
-		const TCHAR *fnam=FindFileData.cFileName;
-		size_t flen_0=_tcslen(fnam)+1;
-
-		if (flen_0 > (sizeof(buf)-len_0))
-			{
-			SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
-			goto err;
-			}
-		/* else strcpy would be safe too... */
-
-		if (sizeof(TCHAR) != sizeof(char))
-			{
-#ifndef OPENSSL_NO_MULTIBYTE
-			if (!WideCharToMultiByte(CP_ACP,0,
-						(WCHAR *)fnam,flen_0,
-						slash,sizeof(buf)-len_0,
-						NULL,0))
-#endif
-				for (i=0;i<flen_0;i++) slash[i]=(char)fnam[i];
-			}
-		else	strncpy(slash,(const char *)fnam,sizeof(buf)-len_0);
-
-		if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
-			goto err;
-		}
-	while (FindNextFile(hFind, &FindFileData) != FALSE);
 	ret = 1;
 
-err:	
-	FindClose(hFind);
-err_noclose:
-	if (wdir != NULL)
-		free(wdir);
-
+err:
+	if (d) OPENSSL_DIR_end(&d);
 	CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
 	return ret;
 	}
 
-#endif
diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c
index 012d05ecea78..441507f4946b 100644
--- a/crypto/openssl/ssl/ssl_ciph.c
+++ b/crypto/openssl/ssl/ssl_ciph.c
@@ -55,11 +55,14 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
-
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 #include <stdio.h>
 #include <openssl/objects.h>
 #include <openssl/comp.h>
-#include <openssl/fips.h>
 #include "ssl_locl.h"
 
 #define SSL_ENC_DES_IDX		0
@@ -77,6 +80,10 @@ static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
 	NULL,NULL,NULL,NULL,NULL,NULL,
 	};
 
+#define SSL_COMP_NULL_IDX	0
+#define SSL_COMP_ZLIB_IDX	1
+#define SSL_COMP_NUM_IDX	2
+
 static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
 
 #define SSL_MD_MD5_IDX	0
@@ -102,18 +109,20 @@ typedef struct cipher_order_st
 
 static const SSL_CIPHER cipher_aliases[]={
 	/* Don't include eNULL unless specifically enabled. */
-	{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
-        {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},  /* COMPLEMENT OF ALL */
+	/* Don't include ECC in ALL because these ciphers are not yet official. */
+	{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_kECDH & ~SSL_kECDHE, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
+	/* TODO: COMPLEMENT OF ALL and COMPLEMENT OF DEFAULT do not have ECC cipher suites handled properly. */
+	{0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},  /* COMPLEMENT OF ALL */
 	{0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0},
-        {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0},  /* VRS Kerberos5 */
+	{0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0},  /* VRS Kerberos5 */
 	{0,SSL_TXT_kRSA,0,SSL_kRSA,  0,0,0,0,SSL_MKEY_MASK,0},
 	{0,SSL_TXT_kDHr,0,SSL_kDHr,  0,0,0,0,SSL_MKEY_MASK,0},
 	{0,SSL_TXT_kDHd,0,SSL_kDHd,  0,0,0,0,SSL_MKEY_MASK,0},
 	{0,SSL_TXT_kEDH,0,SSL_kEDH,  0,0,0,0,SSL_MKEY_MASK,0},
 	{0,SSL_TXT_kFZA,0,SSL_kFZA,  0,0,0,0,SSL_MKEY_MASK,0},
 	{0,SSL_TXT_DH,	0,SSL_DH,    0,0,0,0,SSL_MKEY_MASK,0},
+	{0,SSL_TXT_ECC,	0,(SSL_kECDH|SSL_kECDHE), 0,0,0,0,SSL_MKEY_MASK,0},
 	{0,SSL_TXT_EDH,	0,SSL_EDH,   0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
-
 	{0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0},  /* VRS Kerberos5 */
 	{0,SSL_TXT_aRSA,0,SSL_aRSA,  0,0,0,0,SSL_AUTH_MASK,0},
 	{0,SSL_TXT_aDSS,0,SSL_aDSS,  0,0,0,0,SSL_AUTH_MASK,0},
@@ -154,12 +163,9 @@ static const SSL_CIPHER cipher_aliases[]={
 	{0,SSL_TXT_LOW,   0, 0,   SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
 	{0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
 	{0,SSL_TXT_HIGH,  0, 0,  SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
-	{0,SSL_TXT_FIPS,  0, 0,  SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
 	};
 
-static int init_ciphers=1;
-
-static void load_ciphers(void)
+void ssl_load_ciphers(void)
 	{
 	ssl_cipher_methods[SSL_ENC_DES_IDX]= 
 		EVP_get_cipherbyname(SN_des_cbc);
@@ -184,10 +190,53 @@ static void load_ciphers(void)
 		EVP_get_digestbyname(SN_md5);
 	ssl_digest_methods[SSL_MD_SHA1_IDX]=
 		EVP_get_digestbyname(SN_sha1);
-	init_ciphers=0;
 	}
 
-int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc,
+
+#ifndef OPENSSL_NO_COMP
+
+static int sk_comp_cmp(const SSL_COMP * const *a,
+			const SSL_COMP * const *b)
+	{
+	return((*a)->id-(*b)->id);
+	}
+
+static void load_builtin_compressions(void)
+	{
+	if (ssl_comp_methods != NULL)
+		return;
+
+	CRYPTO_w_lock(CRYPTO_LOCK_SSL);
+	if (ssl_comp_methods == NULL)
+		{
+		SSL_COMP *comp = NULL;
+
+		MemCheck_off();
+		ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
+		if (ssl_comp_methods != NULL)
+			{
+			comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+			if (comp != NULL)
+				{
+				comp->method=COMP_zlib();
+				if (comp->method
+					&& comp->method->type == NID_undef)
+					OPENSSL_free(comp);
+				else
+					{
+					comp->id=SSL_COMP_ZLIB_IDX;
+					comp->name=comp->method->name;
+					sk_SSL_COMP_push(ssl_comp_methods,comp);
+					}
+				}
+			}
+		MemCheck_on();
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
+	}
+#endif
+
+int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 	     const EVP_MD **md, SSL_COMP **comp)
 	{
 	int i;
@@ -198,18 +247,14 @@ int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc,
 	if (comp != NULL)
 		{
 		SSL_COMP ctmp;
+#ifndef OPENSSL_NO_COMP
+		load_builtin_compressions();
+#endif
 
-		if (s->compress_meth == 0)
-			*comp=NULL;
-		else if (ssl_comp_methods == NULL)
-			{
-			/* bad */
-			*comp=NULL;
-			}
-		else
+		*comp=NULL;
+		ctmp.id=s->compress_meth;
+		if (ssl_comp_methods != NULL)
 			{
-
-			ctmp.id=s->compress_meth;
 			i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
 			if (i >= 0)
 				*comp=sk_SSL_COMP_value(ssl_comp_methods,i);
@@ -322,7 +367,9 @@ static unsigned long ssl_cipher_get_disabled(void)
 #ifdef OPENSSL_NO_KRB5
 	mask |= SSL_kKRB5|SSL_aKRB5;
 #endif
-
+#ifdef OPENSSL_NO_ECDH
+	mask |= SSL_kECDH|SSL_kECDHE;
+#endif
 #ifdef SSL_FORBID_ENULL
 	mask |= SSL_eNULL;
 #endif
@@ -361,12 +408,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
 		{
 		c = ssl_method->get_cipher(i);
 		/* drop those that use any of that is not available */
-#ifdef OPENSSL_FIPS
-		if ((c != NULL) && c->valid && !(c->algorithms & mask)
-			&& (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
-#else
 		if ((c != NULL) && c->valid && !(c->algorithms & mask))
-#endif
 			{
 			co_list[co_list_num].cipher = c;
 			co_list[co_list_num].next = NULL;
@@ -440,7 +482,8 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
 	*ca_curr = NULL;	/* end of list */
 	}
 
-static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
+static void ssl_cipher_apply_rule(unsigned long cipher_id,
+		unsigned long algorithms, unsigned long mask,
 		unsigned long algo_strength, unsigned long mask_strength,
 		int rule, int strength_bits, CIPHER_ORDER *co_list,
 		CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
@@ -466,11 +509,19 @@ static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
 
 		cp = curr->cipher;
 
+		/* If explicit cipher suite match that one only */
+
+		if (cipher_id)
+			{
+			if (cp->id != cipher_id)
+				continue;
+			}
+
 		/*
 		 * Selection criteria is either the number of strength_bits
 		 * or the algorithm used.
 		 */
-		if (strength_bits == -1)
+		else if (strength_bits == -1)
 			{
 			ma = mask & cp->algorithms;
 			ma_s = mask_strength & cp->algo_strength;
@@ -583,7 +634,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list,
 	 */
 	for (i = max_strength_bits; i >= 0; i--)
 		if (number_uses[i] > 0)
-			ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i,
+			ssl_cipher_apply_rule(0, 0, 0, 0, 0, CIPHER_ORD, i,
 					co_list, head_p, tail_p);
 
 	OPENSSL_free(number_uses);
@@ -597,6 +648,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 	unsigned long algorithms, mask, algo_strength, mask_strength;
 	const char *l, *start, *buf;
 	int j, multi, found, rule, retval, ok, buflen;
+	unsigned long cipher_id;
 	char ch;
 
 	retval = 1;
@@ -686,6 +738,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			 * use strcmp(), because buf is not '\0' terminated.)
 			 */
 			 j = found = 0;
+			 cipher_id = 0;
 			 while (ca_list[j])
 				{
 				if (!strncmp(buf, ca_list[j]->name, buflen) &&
@@ -700,9 +753,24 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			if (!found)
 				break;	/* ignore this entry */
 
-			algorithms |= ca_list[j]->algorithms;
+			if (ca_list[j]->valid)
+				{
+				cipher_id = ca_list[j]->id;
+				break;
+				}
+
+			/* New algorithms:
+			 *  1 - any old restrictions apply outside new mask
+			 *  2 - any new restrictions apply outside old mask
+			 *  3 - enforce old & new where masks intersect
+			 */
+			algorithms = (algorithms & ~ca_list[j]->mask) |		/* 1 */
+			             (ca_list[j]->algorithms & ~mask) |		/* 2 */
+			             (algorithms & ca_list[j]->algorithms);	/* 3 */
 			mask |= ca_list[j]->mask;
-			algo_strength |= ca_list[j]->algo_strength;
+			algo_strength = (algo_strength & ~ca_list[j]->mask_strength) |
+			                (ca_list[j]->algo_strength & ~mask_strength) |
+			                (algo_strength & ca_list[j]->algo_strength);
 			mask_strength |= ca_list[j]->mask_strength;
 
 			if (!multi) break;
@@ -734,7 +802,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			}
 		else if (found)
 			{
-			ssl_cipher_apply_rule(algorithms, mask,
+			ssl_cipher_apply_rule(cipher_id, algorithms, mask,
 				algo_strength, mask_strength, rule, -1,
 				co_list, head_p, tail_p);
 			}
@@ -756,7 +824,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	{
 	int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
 	unsigned long disabled_mask;
-	STACK_OF(SSL_CIPHER) *cipherstack;
+	STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
 	const char *rule_p;
 	CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
 	SSL_CIPHER **ca_list = NULL;
@@ -764,14 +832,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	/*
 	 * Return with error if nothing to do.
 	 */
-	if (rule_str == NULL) return(NULL);
-
-	if (init_ciphers)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL);
-		if (init_ciphers) load_ciphers();
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-		}
+	if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
+		return NULL;
 
 	/*
 	 * To reduce the work to do we only want to process the compiled
@@ -861,11 +923,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	 */
 	for (curr = head; curr != NULL; curr = curr->next)
 		{
-#ifdef OPENSSL_FIPS
-		if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
-#else
 		if (curr->active)
-#endif
 			{
 			sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
@@ -875,46 +933,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 		}
 	OPENSSL_free(co_list);	/* Not needed any longer */
 
-	/*
-	 * The following passage is a little bit odd. If pointer variables
-	 * were supplied to hold STACK_OF(SSL_CIPHER) return information,
-	 * the old memory pointed to is free()ed. Then, however, the
-	 * cipher_list entry will be assigned just a copy of the returned
-	 * cipher stack. For cipher_list_by_id a copy of the cipher stack
-	 * will be created. See next comment...
-	 */
-	if (cipher_list != NULL)
-		{
-		if (*cipher_list != NULL)
-			sk_SSL_CIPHER_free(*cipher_list);
-		*cipher_list = cipherstack;
-		}
-
-	if (cipher_list_by_id != NULL)
-		{
-		if (*cipher_list_by_id != NULL)
-			sk_SSL_CIPHER_free(*cipher_list_by_id);
-		*cipher_list_by_id = sk_SSL_CIPHER_dup(cipherstack);
-		}
-
-	/*
-	 * Now it is getting really strange. If something failed during
-	 * the previous pointer assignment or if one of the pointers was
-	 * not requested, the error condition is met. That might be
-	 * discussable. The strange thing is however that in this case
-	 * the memory "ret" pointed to is "free()ed" and hence the pointer
-	 * cipher_list becomes wild. The memory reserved for
-	 * cipher_list_by_id however is not "free()ed" and stays intact.
-	 */
-	if (	(cipher_list_by_id == NULL) ||
-		(*cipher_list_by_id == NULL) ||
-		(cipher_list == NULL) ||
-		(*cipher_list == NULL))
+	tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
+	if (tmp_cipher_list == NULL)
 		{
 		sk_SSL_CIPHER_free(cipherstack);
-		return(NULL);
+		return NULL;
 		}
-
+	if (*cipher_list != NULL)
+		sk_SSL_CIPHER_free(*cipher_list);
+	*cipher_list = cipherstack;
+	if (*cipher_list_by_id != NULL)
+		sk_SSL_CIPHER_free(*cipher_list_by_id);
+	*cipher_list_by_id = tmp_cipher_list;
 	sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
 
 	return(cipherstack);
@@ -923,13 +953,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
 	{
 	int is_export,pkl,kl;
-	char *ver,*exp_str;
-	char *kx,*au,*enc,*mac;
+	const char *ver,*exp_str;
+	const char *kx,*au,*enc,*mac;
 	unsigned long alg,alg2,alg_s;
 #ifdef KSSL_DEBUG
-	static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n";
+	static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n";
 #else
-	static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
+	static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
 #endif /* KSSL_DEBUG */
 
 	alg=cipher->algorithms;
@@ -940,7 +970,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
 	pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
 	kl=SSL_C_EXPORT_KEYLENGTH(cipher);
 	exp_str=is_export?" export":"";
-
+	
 	if (alg & SSL_SSLV2)
 		ver="SSLv2";
 	else if (alg & SSL_SSLV3)
@@ -969,6 +999,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
 	case SSL_kEDH:
 		kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
 		break;
+	case SSL_kECDH:
+	case SSL_kECDHE:
+		kx=is_export?"ECDH(<=163)":"ECDH";
+		break;
 	default:
 		kx="unknown";
 		}
@@ -992,6 +1026,9 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
 	case SSL_aNULL:
 		au="None";
 		break;
+	case SSL_aECDSA:
+		au="ECDSA";
+		break;
 	default:
 		au="unknown";
 		break;
@@ -1065,7 +1102,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
 	return(buf);
 	}
 
-char *SSL_CIPHER_get_version(SSL_CIPHER *c)
+char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
 	{
 	int i;
 
@@ -1080,7 +1117,7 @@ char *SSL_CIPHER_get_version(SSL_CIPHER *c)
 	}
 
 /* return the actual cipher being used */
-const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
+const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
 	{
 	if (c != NULL)
 		return(c->name);
@@ -1088,7 +1125,7 @@ const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
 	}
 
 /* number of bits for symmetric cipher */
-int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits)
+int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
 	{
 	int ret=0;
 
@@ -1116,35 +1153,63 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
 	return(NULL);
 	}
 
-static int sk_comp_cmp(const SSL_COMP * const *a,
-			const SSL_COMP * const *b)
+#ifdef OPENSSL_NO_COMP
+void *SSL_COMP_get_compression_methods(void)
 	{
-	return((*a)->id-(*b)->id);
+	return NULL;
+	}
+int SSL_COMP_add_compression_method(int id, void *cm)
+	{
+	return 1;
 	}
 
+const char *SSL_COMP_get_name(const void *comp)
+	{
+	return NULL;
+	}
+#else
 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
 	{
+	load_builtin_compressions();
 	return(ssl_comp_methods);
 	}
 
 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
 	{
 	SSL_COMP *comp;
-	STACK_OF(SSL_COMP) *sk;
 
         if (cm == NULL || cm->type == NID_undef)
                 return 1;
 
+	/* According to draft-ietf-tls-compression-04.txt, the
+	   compression number ranges should be the following:
+
+	   0 to 63:    methods defined by the IETF
+	   64 to 192:  external party methods assigned by IANA
+	   193 to 255: reserved for private use */
+	if (id < 193 || id > 255)
+		{
+		SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
+		return 0;
+		}
+
 	MemCheck_off();
 	comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
 	comp->id=id;
 	comp->method=cm;
-	if (ssl_comp_methods == NULL)
-		sk=ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
-	else
-		sk=ssl_comp_methods;
-	if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp))
+	load_builtin_compressions();
+	if (ssl_comp_methods
+		&& !sk_SSL_COMP_find(ssl_comp_methods,comp))
+		{
+		OPENSSL_free(comp);
+		MemCheck_on();
+		SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_DUPLICATE_COMPRESSION_ID);
+		return(1);
+		}
+	else if ((ssl_comp_methods == NULL)
+		|| !sk_SSL_COMP_push(ssl_comp_methods,comp))
 		{
+		OPENSSL_free(comp);
 		MemCheck_on();
 		SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
 		return(1);
@@ -1155,3 +1220,12 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
 		return(0);
 		}
 	}
+
+const char *SSL_COMP_get_name(const COMP_METHOD *comp)
+	{
+	if (comp)
+		return comp->name;
+	return NULL;
+	}
+
+#endif
diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c
index d2cb18150322..4a4ba685267e 100644
--- a/crypto/openssl/ssl/ssl_err.c
+++ b/crypto/openssl/ssl/ssl_err.c
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,382 +64,421 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason)
+
 static ERR_STRING_DATA SSL_str_functs[]=
 	{
-{ERR_PACK(0,SSL_F_CLIENT_CERTIFICATE,0),	"CLIENT_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_CLIENT_FINISHED,0),	"CLIENT_FINISHED"},
-{ERR_PACK(0,SSL_F_CLIENT_HELLO,0),	"CLIENT_HELLO"},
-{ERR_PACK(0,SSL_F_CLIENT_MASTER_KEY,0),	"CLIENT_MASTER_KEY"},
-{ERR_PACK(0,SSL_F_D2I_SSL_SESSION,0),	"d2i_SSL_SESSION"},
-{ERR_PACK(0,SSL_F_DO_SSL3_WRITE,0),	"DO_SSL3_WRITE"},
-{ERR_PACK(0,SSL_F_GET_CLIENT_FINISHED,0),	"GET_CLIENT_FINISHED"},
-{ERR_PACK(0,SSL_F_GET_CLIENT_HELLO,0),	"GET_CLIENT_HELLO"},
-{ERR_PACK(0,SSL_F_GET_CLIENT_MASTER_KEY,0),	"GET_CLIENT_MASTER_KEY"},
-{ERR_PACK(0,SSL_F_GET_SERVER_FINISHED,0),	"GET_SERVER_FINISHED"},
-{ERR_PACK(0,SSL_F_GET_SERVER_HELLO,0),	"GET_SERVER_HELLO"},
-{ERR_PACK(0,SSL_F_GET_SERVER_VERIFY,0),	"GET_SERVER_VERIFY"},
-{ERR_PACK(0,SSL_F_I2D_SSL_SESSION,0),	"i2d_SSL_SESSION"},
-{ERR_PACK(0,SSL_F_READ_N,0),	"READ_N"},
-{ERR_PACK(0,SSL_F_REQUEST_CERTIFICATE,0),	"REQUEST_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_SERVER_FINISH,0),	"SERVER_FINISH"},
-{ERR_PACK(0,SSL_F_SERVER_HELLO,0),	"SERVER_HELLO"},
-{ERR_PACK(0,SSL_F_SERVER_VERIFY,0),	"SERVER_VERIFY"},
-{ERR_PACK(0,SSL_F_SSL23_ACCEPT,0),	"SSL23_ACCEPT"},
-{ERR_PACK(0,SSL_F_SSL23_CLIENT_HELLO,0),	"SSL23_CLIENT_HELLO"},
-{ERR_PACK(0,SSL_F_SSL23_CONNECT,0),	"SSL23_CONNECT"},
-{ERR_PACK(0,SSL_F_SSL23_GET_CLIENT_HELLO,0),	"SSL23_GET_CLIENT_HELLO"},
-{ERR_PACK(0,SSL_F_SSL23_GET_SERVER_HELLO,0),	"SSL23_GET_SERVER_HELLO"},
-{ERR_PACK(0,SSL_F_SSL23_PEEK,0),	"SSL23_PEEK"},
-{ERR_PACK(0,SSL_F_SSL23_READ,0),	"SSL23_READ"},
-{ERR_PACK(0,SSL_F_SSL23_WRITE,0),	"SSL23_WRITE"},
-{ERR_PACK(0,SSL_F_SSL2_ACCEPT,0),	"SSL2_ACCEPT"},
-{ERR_PACK(0,SSL_F_SSL2_CONNECT,0),	"SSL2_CONNECT"},
-{ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0),	"SSL2_ENC_INIT"},
-{ERR_PACK(0,SSL_F_SSL2_GENERATE_KEY_MATERIAL,0),	"SSL2_GENERATE_KEY_MATERIAL"},
-{ERR_PACK(0,SSL_F_SSL2_PEEK,0),	"SSL2_PEEK"},
-{ERR_PACK(0,SSL_F_SSL2_READ,0),	"SSL2_READ"},
-{ERR_PACK(0,SSL_F_SSL2_READ_INTERNAL,0),	"SSL2_READ_INTERNAL"},
-{ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0),	"SSL2_SET_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_SSL2_WRITE,0),	"SSL2_WRITE"},
-{ERR_PACK(0,SSL_F_SSL3_ACCEPT,0),	"SSL3_ACCEPT"},
-{ERR_PACK(0,SSL_F_SSL3_CALLBACK_CTRL,0),	"SSL3_CALLBACK_CTRL"},
-{ERR_PACK(0,SSL_F_SSL3_CHANGE_CIPHER_STATE,0),	"SSL3_CHANGE_CIPHER_STATE"},
-{ERR_PACK(0,SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,0),	"SSL3_CHECK_CERT_AND_ALGORITHM"},
-{ERR_PACK(0,SSL_F_SSL3_CLIENT_HELLO,0),	"SSL3_CLIENT_HELLO"},
-{ERR_PACK(0,SSL_F_SSL3_CONNECT,0),	"SSL3_CONNECT"},
-{ERR_PACK(0,SSL_F_SSL3_CTRL,0),	"SSL3_CTRL"},
-{ERR_PACK(0,SSL_F_SSL3_CTX_CTRL,0),	"SSL3_CTX_CTRL"},
-{ERR_PACK(0,SSL_F_SSL3_ENC,0),	"SSL3_ENC"},
-{ERR_PACK(0,SSL_F_SSL3_GENERATE_KEY_BLOCK,0),	"SSL3_GENERATE_KEY_BLOCK"},
-{ERR_PACK(0,SSL_F_SSL3_GET_CERTIFICATE_REQUEST,0),	"SSL3_GET_CERTIFICATE_REQUEST"},
-{ERR_PACK(0,SSL_F_SSL3_GET_CERT_VERIFY,0),	"SSL3_GET_CERT_VERIFY"},
-{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_CERTIFICATE,0),	"SSL3_GET_CLIENT_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_HELLO,0),	"SSL3_GET_CLIENT_HELLO"},
-{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,0),	"SSL3_GET_CLIENT_KEY_EXCHANGE"},
-{ERR_PACK(0,SSL_F_SSL3_GET_FINISHED,0),	"SSL3_GET_FINISHED"},
-{ERR_PACK(0,SSL_F_SSL3_GET_KEY_EXCHANGE,0),	"SSL3_GET_KEY_EXCHANGE"},
-{ERR_PACK(0,SSL_F_SSL3_GET_MESSAGE,0),	"SSL3_GET_MESSAGE"},
-{ERR_PACK(0,SSL_F_SSL3_GET_RECORD,0),	"SSL3_GET_RECORD"},
-{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_CERTIFICATE,0),	"SSL3_GET_SERVER_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_DONE,0),	"SSL3_GET_SERVER_DONE"},
-{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_HELLO,0),	"SSL3_GET_SERVER_HELLO"},
-{ERR_PACK(0,SSL_F_SSL3_OUTPUT_CERT_CHAIN,0),	"SSL3_OUTPUT_CERT_CHAIN"},
-{ERR_PACK(0,SSL_F_SSL3_PEEK,0),	"SSL3_PEEK"},
-{ERR_PACK(0,SSL_F_SSL3_READ_BYTES,0),	"SSL3_READ_BYTES"},
-{ERR_PACK(0,SSL_F_SSL3_READ_N,0),	"SSL3_READ_N"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,0),	"SSL3_SEND_CERTIFICATE_REQUEST"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,0),	"SSL3_SEND_CLIENT_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,0),	"SSL3_SEND_CLIENT_KEY_EXCHANGE"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_VERIFY,0),	"SSL3_SEND_CLIENT_VERIFY"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_CERTIFICATE,0),	"SSL3_SEND_SERVER_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_HELLO,0),	"SSL3_SEND_SERVER_HELLO"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,0),	"SSL3_SEND_SERVER_KEY_EXCHANGE"},
-{ERR_PACK(0,SSL_F_SSL3_SETUP_BUFFERS,0),	"SSL3_SETUP_BUFFERS"},
-{ERR_PACK(0,SSL_F_SSL3_SETUP_KEY_BLOCK,0),	"SSL3_SETUP_KEY_BLOCK"},
-{ERR_PACK(0,SSL_F_SSL3_WRITE_BYTES,0),	"SSL3_WRITE_BYTES"},
-{ERR_PACK(0,SSL_F_SSL3_WRITE_PENDING,0),	"SSL3_WRITE_PENDING"},
-{ERR_PACK(0,SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,0),	"SSL_add_dir_cert_subjects_to_stack"},
-{ERR_PACK(0,SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,0),	"SSL_add_file_cert_subjects_to_stack"},
-{ERR_PACK(0,SSL_F_SSL_BAD_METHOD,0),	"SSL_BAD_METHOD"},
-{ERR_PACK(0,SSL_F_SSL_BYTES_TO_CIPHER_LIST,0),	"SSL_BYTES_TO_CIPHER_LIST"},
-{ERR_PACK(0,SSL_F_SSL_CERT_DUP,0),	"SSL_CERT_DUP"},
-{ERR_PACK(0,SSL_F_SSL_CERT_INST,0),	"SSL_CERT_INST"},
-{ERR_PACK(0,SSL_F_SSL_CERT_INSTANTIATE,0),	"SSL_CERT_INSTANTIATE"},
-{ERR_PACK(0,SSL_F_SSL_CERT_NEW,0),	"SSL_CERT_NEW"},
-{ERR_PACK(0,SSL_F_SSL_CHECK_PRIVATE_KEY,0),	"SSL_check_private_key"},
-{ERR_PACK(0,SSL_F_SSL_CIPHER_PROCESS_RULESTR,0),	"SSL_CIPHER_PROCESS_RULESTR"},
-{ERR_PACK(0,SSL_F_SSL_CIPHER_STRENGTH_SORT,0),	"SSL_CIPHER_STRENGTH_SORT"},
-{ERR_PACK(0,SSL_F_SSL_CLEAR,0),	"SSL_clear"},
-{ERR_PACK(0,SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,0),	"SSL_COMP_add_compression_method"},
-{ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0),	"SSL_CREATE_CIPHER_LIST"},
-{ERR_PACK(0,SSL_F_SSL_CTRL,0),	"SSL_ctrl"},
-{ERR_PACK(0,SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,0),	"SSL_CTX_check_private_key"},
-{ERR_PACK(0,SSL_F_SSL_CTX_NEW,0),	"SSL_CTX_new"},
-{ERR_PACK(0,SSL_F_SSL_CTX_SET_PURPOSE,0),	"SSL_CTX_set_purpose"},
-{ERR_PACK(0,SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,0),	"SSL_CTX_set_session_id_context"},
-{ERR_PACK(0,SSL_F_SSL_CTX_SET_SSL_VERSION,0),	"SSL_CTX_set_ssl_version"},
-{ERR_PACK(0,SSL_F_SSL_CTX_SET_TRUST,0),	"SSL_CTX_set_trust"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE,0),	"SSL_CTX_use_certificate"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,0),	"SSL_CTX_use_certificate_ASN1"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,0),	"SSL_CTX_use_certificate_chain_file"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,0),	"SSL_CTX_use_certificate_file"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY,0),	"SSL_CTX_use_PrivateKey"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,0),	"SSL_CTX_use_PrivateKey_ASN1"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,0),	"SSL_CTX_use_PrivateKey_file"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,0),	"SSL_CTX_use_RSAPrivateKey"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,0),	"SSL_CTX_use_RSAPrivateKey_ASN1"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,0),	"SSL_CTX_use_RSAPrivateKey_file"},
-{ERR_PACK(0,SSL_F_SSL_DO_HANDSHAKE,0),	"SSL_do_handshake"},
-{ERR_PACK(0,SSL_F_SSL_GET_NEW_SESSION,0),	"SSL_GET_NEW_SESSION"},
-{ERR_PACK(0,SSL_F_SSL_GET_PREV_SESSION,0),	"SSL_GET_PREV_SESSION"},
-{ERR_PACK(0,SSL_F_SSL_GET_SERVER_SEND_CERT,0),	"SSL_GET_SERVER_SEND_CERT"},
-{ERR_PACK(0,SSL_F_SSL_GET_SIGN_PKEY,0),	"SSL_GET_SIGN_PKEY"},
-{ERR_PACK(0,SSL_F_SSL_INIT_WBIO_BUFFER,0),	"SSL_INIT_WBIO_BUFFER"},
-{ERR_PACK(0,SSL_F_SSL_LOAD_CLIENT_CA_FILE,0),	"SSL_load_client_CA_file"},
-{ERR_PACK(0,SSL_F_SSL_NEW,0),	"SSL_new"},
-{ERR_PACK(0,SSL_F_SSL_READ,0),	"SSL_read"},
-{ERR_PACK(0,SSL_F_SSL_RSA_PRIVATE_DECRYPT,0),	"SSL_RSA_PRIVATE_DECRYPT"},
-{ERR_PACK(0,SSL_F_SSL_RSA_PUBLIC_ENCRYPT,0),	"SSL_RSA_PUBLIC_ENCRYPT"},
-{ERR_PACK(0,SSL_F_SSL_SESSION_NEW,0),	"SSL_SESSION_new"},
-{ERR_PACK(0,SSL_F_SSL_SESSION_PRINT_FP,0),	"SSL_SESSION_print_fp"},
-{ERR_PACK(0,SSL_F_SSL_SESS_CERT_NEW,0),	"SSL_SESS_CERT_NEW"},
-{ERR_PACK(0,SSL_F_SSL_SET_CERT,0),	"SSL_SET_CERT"},
-{ERR_PACK(0,SSL_F_SSL_SET_FD,0),	"SSL_set_fd"},
-{ERR_PACK(0,SSL_F_SSL_SET_PKEY,0),	"SSL_SET_PKEY"},
-{ERR_PACK(0,SSL_F_SSL_SET_PURPOSE,0),	"SSL_set_purpose"},
-{ERR_PACK(0,SSL_F_SSL_SET_RFD,0),	"SSL_set_rfd"},
-{ERR_PACK(0,SSL_F_SSL_SET_SESSION,0),	"SSL_set_session"},
-{ERR_PACK(0,SSL_F_SSL_SET_SESSION_ID_CONTEXT,0),	"SSL_set_session_id_context"},
-{ERR_PACK(0,SSL_F_SSL_SET_TRUST,0),	"SSL_set_trust"},
-{ERR_PACK(0,SSL_F_SSL_SET_WFD,0),	"SSL_set_wfd"},
-{ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0),	"SSL_shutdown"},
-{ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0),	"SSL_UNDEFINED_FUNCTION"},
-{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0),	"SSL_use_certificate"},
-{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0),	"SSL_use_certificate_ASN1"},
-{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_FILE,0),	"SSL_use_certificate_file"},
-{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY,0),	"SSL_use_PrivateKey"},
-{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY_ASN1,0),	"SSL_use_PrivateKey_ASN1"},
-{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY_FILE,0),	"SSL_use_PrivateKey_file"},
-{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY,0),	"SSL_use_RSAPrivateKey"},
-{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,0),	"SSL_use_RSAPrivateKey_ASN1"},
-{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,0),	"SSL_use_RSAPrivateKey_file"},
-{ERR_PACK(0,SSL_F_SSL_VERIFY_CERT_CHAIN,0),	"SSL_VERIFY_CERT_CHAIN"},
-{ERR_PACK(0,SSL_F_SSL_WRITE,0),	"SSL_write"},
-{ERR_PACK(0,SSL_F_TLS1_CHANGE_CIPHER_STATE,0),	"TLS1_CHANGE_CIPHER_STATE"},
-{ERR_PACK(0,SSL_F_TLS1_ENC,0),	"TLS1_ENC"},
-{ERR_PACK(0,SSL_F_TLS1_SETUP_KEY_BLOCK,0),	"TLS1_SETUP_KEY_BLOCK"},
-{ERR_PACK(0,SSL_F_WRITE_PENDING,0),	"WRITE_PENDING"},
+{ERR_FUNC(SSL_F_CLIENT_CERTIFICATE),	"CLIENT_CERTIFICATE"},
+{ERR_FUNC(SSL_F_CLIENT_FINISHED),	"CLIENT_FINISHED"},
+{ERR_FUNC(SSL_F_CLIENT_HELLO),	"CLIENT_HELLO"},
+{ERR_FUNC(SSL_F_CLIENT_MASTER_KEY),	"CLIENT_MASTER_KEY"},
+{ERR_FUNC(SSL_F_D2I_SSL_SESSION),	"d2i_SSL_SESSION"},
+{ERR_FUNC(SSL_F_DO_DTLS1_WRITE),	"DO_DTLS1_WRITE"},
+{ERR_FUNC(SSL_F_DO_SSL3_WRITE),	"DO_SSL3_WRITE"},
+{ERR_FUNC(SSL_F_DTLS1_ACCEPT),	"DTLS1_ACCEPT"},
+{ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD),	"DTLS1_BUFFER_RECORD"},
+{ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO),	"DTLS1_CLIENT_HELLO"},
+{ERR_FUNC(SSL_F_DTLS1_CONNECT),	"DTLS1_CONNECT"},
+{ERR_FUNC(SSL_F_DTLS1_ENC),	"DTLS1_ENC"},
+{ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY),	"DTLS1_GET_HELLO_VERIFY"},
+{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE),	"DTLS1_GET_MESSAGE"},
+{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT),	"DTLS1_GET_MESSAGE_FRAGMENT"},
+{ERR_FUNC(SSL_F_DTLS1_GET_RECORD),	"DTLS1_GET_RECORD"},
+{ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN),	"DTLS1_OUTPUT_CERT_CHAIN"},
+{ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE),	"DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
+{ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD),	"DTLS1_PROCESS_RECORD"},
+{ERR_FUNC(SSL_F_DTLS1_READ_BYTES),	"DTLS1_READ_BYTES"},
+{ERR_FUNC(SSL_F_DTLS1_READ_FAILED),	"DTLS1_READ_FAILED"},
+{ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST),	"DTLS1_SEND_CERTIFICATE_REQUEST"},
+{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE),	"DTLS1_SEND_CLIENT_CERTIFICATE"},
+{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE),	"DTLS1_SEND_CLIENT_KEY_EXCHANGE"},
+{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_VERIFY),	"DTLS1_SEND_CLIENT_VERIFY"},
+{ERR_FUNC(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST),	"DTLS1_SEND_HELLO_VERIFY_REQUEST"},
+{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE),	"DTLS1_SEND_SERVER_CERTIFICATE"},
+{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO),	"DTLS1_SEND_SERVER_HELLO"},
+{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE),	"DTLS1_SEND_SERVER_KEY_EXCHANGE"},
+{ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES),	"DTLS1_WRITE_APP_DATA_BYTES"},
+{ERR_FUNC(SSL_F_GET_CLIENT_FINISHED),	"GET_CLIENT_FINISHED"},
+{ERR_FUNC(SSL_F_GET_CLIENT_HELLO),	"GET_CLIENT_HELLO"},
+{ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY),	"GET_CLIENT_MASTER_KEY"},
+{ERR_FUNC(SSL_F_GET_SERVER_FINISHED),	"GET_SERVER_FINISHED"},
+{ERR_FUNC(SSL_F_GET_SERVER_HELLO),	"GET_SERVER_HELLO"},
+{ERR_FUNC(SSL_F_GET_SERVER_VERIFY),	"GET_SERVER_VERIFY"},
+{ERR_FUNC(SSL_F_I2D_SSL_SESSION),	"i2d_SSL_SESSION"},
+{ERR_FUNC(SSL_F_READ_N),	"READ_N"},
+{ERR_FUNC(SSL_F_REQUEST_CERTIFICATE),	"REQUEST_CERTIFICATE"},
+{ERR_FUNC(SSL_F_SERVER_FINISH),	"SERVER_FINISH"},
+{ERR_FUNC(SSL_F_SERVER_HELLO),	"SERVER_HELLO"},
+{ERR_FUNC(SSL_F_SERVER_VERIFY),	"SERVER_VERIFY"},
+{ERR_FUNC(SSL_F_SSL23_ACCEPT),	"SSL23_ACCEPT"},
+{ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO),	"SSL23_CLIENT_HELLO"},
+{ERR_FUNC(SSL_F_SSL23_CONNECT),	"SSL23_CONNECT"},
+{ERR_FUNC(SSL_F_SSL23_GET_CLIENT_HELLO),	"SSL23_GET_CLIENT_HELLO"},
+{ERR_FUNC(SSL_F_SSL23_GET_SERVER_HELLO),	"SSL23_GET_SERVER_HELLO"},
+{ERR_FUNC(SSL_F_SSL23_PEEK),	"SSL23_PEEK"},
+{ERR_FUNC(SSL_F_SSL23_READ),	"SSL23_READ"},
+{ERR_FUNC(SSL_F_SSL23_WRITE),	"SSL23_WRITE"},
+{ERR_FUNC(SSL_F_SSL2_ACCEPT),	"SSL2_ACCEPT"},
+{ERR_FUNC(SSL_F_SSL2_CONNECT),	"SSL2_CONNECT"},
+{ERR_FUNC(SSL_F_SSL2_ENC_INIT),	"SSL2_ENC_INIT"},
+{ERR_FUNC(SSL_F_SSL2_GENERATE_KEY_MATERIAL),	"SSL2_GENERATE_KEY_MATERIAL"},
+{ERR_FUNC(SSL_F_SSL2_PEEK),	"SSL2_PEEK"},
+{ERR_FUNC(SSL_F_SSL2_READ),	"SSL2_READ"},
+{ERR_FUNC(SSL_F_SSL2_READ_INTERNAL),	"SSL2_READ_INTERNAL"},
+{ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE),	"SSL2_SET_CERTIFICATE"},
+{ERR_FUNC(SSL_F_SSL2_WRITE),	"SSL2_WRITE"},
+{ERR_FUNC(SSL_F_SSL3_ACCEPT),	"SSL3_ACCEPT"},
+{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL),	"SSL3_CALLBACK_CTRL"},
+{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE),	"SSL3_CHANGE_CIPHER_STATE"},
+{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM),	"SSL3_CHECK_CERT_AND_ALGORITHM"},
+{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO),	"SSL3_CLIENT_HELLO"},
+{ERR_FUNC(SSL_F_SSL3_CONNECT),	"SSL3_CONNECT"},
+{ERR_FUNC(SSL_F_SSL3_CTRL),	"SSL3_CTRL"},
+{ERR_FUNC(SSL_F_SSL3_CTX_CTRL),	"SSL3_CTX_CTRL"},
+{ERR_FUNC(SSL_F_SSL3_ENC),	"SSL3_ENC"},
+{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK),	"SSL3_GENERATE_KEY_BLOCK"},
+{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST),	"SSL3_GET_CERTIFICATE_REQUEST"},
+{ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY),	"SSL3_GET_CERT_VERIFY"},
+{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE),	"SSL3_GET_CLIENT_CERTIFICATE"},
+{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO),	"SSL3_GET_CLIENT_HELLO"},
+{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE),	"SSL3_GET_CLIENT_KEY_EXCHANGE"},
+{ERR_FUNC(SSL_F_SSL3_GET_FINISHED),	"SSL3_GET_FINISHED"},
+{ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE),	"SSL3_GET_KEY_EXCHANGE"},
+{ERR_FUNC(SSL_F_SSL3_GET_MESSAGE),	"SSL3_GET_MESSAGE"},
+{ERR_FUNC(SSL_F_SSL3_GET_RECORD),	"SSL3_GET_RECORD"},
+{ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE),	"SSL3_GET_SERVER_CERTIFICATE"},
+{ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE),	"SSL3_GET_SERVER_DONE"},
+{ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO),	"SSL3_GET_SERVER_HELLO"},
+{ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN),	"SSL3_OUTPUT_CERT_CHAIN"},
+{ERR_FUNC(SSL_F_SSL3_PEEK),	"SSL3_PEEK"},
+{ERR_FUNC(SSL_F_SSL3_READ_BYTES),	"SSL3_READ_BYTES"},
+{ERR_FUNC(SSL_F_SSL3_READ_N),	"SSL3_READ_N"},
+{ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST),	"SSL3_SEND_CERTIFICATE_REQUEST"},
+{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE),	"SSL3_SEND_CLIENT_CERTIFICATE"},
+{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE),	"SSL3_SEND_CLIENT_KEY_EXCHANGE"},
+{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY),	"SSL3_SEND_CLIENT_VERIFY"},
+{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_CERTIFICATE),	"SSL3_SEND_SERVER_CERTIFICATE"},
+{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_HELLO),	"SSL3_SEND_SERVER_HELLO"},
+{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE),	"SSL3_SEND_SERVER_KEY_EXCHANGE"},
+{ERR_FUNC(SSL_F_SSL3_SETUP_BUFFERS),	"SSL3_SETUP_BUFFERS"},
+{ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK),	"SSL3_SETUP_KEY_BLOCK"},
+{ERR_FUNC(SSL_F_SSL3_WRITE_BYTES),	"SSL3_WRITE_BYTES"},
+{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING),	"SSL3_WRITE_PENDING"},
+{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK),	"SSL_add_dir_cert_subjects_to_stack"},
+{ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK),	"SSL_add_file_cert_subjects_to_stack"},
+{ERR_FUNC(SSL_F_SSL_BAD_METHOD),	"SSL_BAD_METHOD"},
+{ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST),	"SSL_BYTES_TO_CIPHER_LIST"},
+{ERR_FUNC(SSL_F_SSL_CERT_DUP),	"SSL_CERT_DUP"},
+{ERR_FUNC(SSL_F_SSL_CERT_INST),	"SSL_CERT_INST"},
+{ERR_FUNC(SSL_F_SSL_CERT_INSTANTIATE),	"SSL_CERT_INSTANTIATE"},
+{ERR_FUNC(SSL_F_SSL_CERT_NEW),	"SSL_CERT_NEW"},
+{ERR_FUNC(SSL_F_SSL_CHECK_PRIVATE_KEY),	"SSL_check_private_key"},
+{ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR),	"SSL_CIPHER_PROCESS_RULESTR"},
+{ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT),	"SSL_CIPHER_STRENGTH_SORT"},
+{ERR_FUNC(SSL_F_SSL_CLEAR),	"SSL_clear"},
+{ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD),	"SSL_COMP_add_compression_method"},
+{ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST),	"SSL_CREATE_CIPHER_LIST"},
+{ERR_FUNC(SSL_F_SSL_CTRL),	"SSL_ctrl"},
+{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY),	"SSL_CTX_check_private_key"},
+{ERR_FUNC(SSL_F_SSL_CTX_NEW),	"SSL_CTX_new"},
+{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST),	"SSL_CTX_set_cipher_list"},
+{ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE),	"SSL_CTX_set_purpose"},
+{ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT),	"SSL_CTX_set_session_id_context"},
+{ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION),	"SSL_CTX_set_ssl_version"},
+{ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST),	"SSL_CTX_set_trust"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE),	"SSL_CTX_use_certificate"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1),	"SSL_CTX_use_certificate_ASN1"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE),	"SSL_CTX_use_certificate_chain_file"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE),	"SSL_CTX_use_certificate_file"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY),	"SSL_CTX_use_PrivateKey"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1),	"SSL_CTX_use_PrivateKey_ASN1"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE),	"SSL_CTX_use_PrivateKey_file"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY),	"SSL_CTX_use_RSAPrivateKey"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1),	"SSL_CTX_use_RSAPrivateKey_ASN1"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE),	"SSL_CTX_use_RSAPrivateKey_file"},
+{ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE),	"SSL_do_handshake"},
+{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION),	"SSL_GET_NEW_SESSION"},
+{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION),	"SSL_GET_PREV_SESSION"},
+{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT),	"SSL_GET_SERVER_SEND_CERT"},
+{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY),	"SSL_GET_SIGN_PKEY"},
+{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER),	"SSL_INIT_WBIO_BUFFER"},
+{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE),	"SSL_LOAD_CLIENT_CA_FILE"},
+{ERR_FUNC(SSL_F_SSL_NEW),	"SSL_new"},
+{ERR_FUNC(SSL_F_SSL_PEEK),	"SSL_peek"},
+{ERR_FUNC(SSL_F_SSL_READ),	"SSL_read"},
+{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT),	"SSL_RSA_PRIVATE_DECRYPT"},
+{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT),	"SSL_RSA_PUBLIC_ENCRYPT"},
+{ERR_FUNC(SSL_F_SSL_SESSION_NEW),	"SSL_SESSION_new"},
+{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP),	"SSL_SESSION_print_fp"},
+{ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW),	"SSL_SESS_CERT_NEW"},
+{ERR_FUNC(SSL_F_SSL_SET_CERT),	"SSL_SET_CERT"},
+{ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST),	"SSL_set_cipher_list"},
+{ERR_FUNC(SSL_F_SSL_SET_FD),	"SSL_set_fd"},
+{ERR_FUNC(SSL_F_SSL_SET_PKEY),	"SSL_SET_PKEY"},
+{ERR_FUNC(SSL_F_SSL_SET_PURPOSE),	"SSL_set_purpose"},
+{ERR_FUNC(SSL_F_SSL_SET_RFD),	"SSL_set_rfd"},
+{ERR_FUNC(SSL_F_SSL_SET_SESSION),	"SSL_set_session"},
+{ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT),	"SSL_set_session_id_context"},
+{ERR_FUNC(SSL_F_SSL_SET_TRUST),	"SSL_set_trust"},
+{ERR_FUNC(SSL_F_SSL_SET_WFD),	"SSL_set_wfd"},
+{ERR_FUNC(SSL_F_SSL_SHUTDOWN),	"SSL_shutdown"},
+{ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION),	"SSL_UNDEFINED_CONST_FUNCTION"},
+{ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION),	"SSL_UNDEFINED_FUNCTION"},
+{ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION),	"SSL_UNDEFINED_VOID_FUNCTION"},
+{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE),	"SSL_use_certificate"},
+{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1),	"SSL_use_certificate_ASN1"},
+{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE),	"SSL_use_certificate_file"},
+{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY),	"SSL_use_PrivateKey"},
+{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1),	"SSL_use_PrivateKey_ASN1"},
+{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE),	"SSL_use_PrivateKey_file"},
+{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY),	"SSL_use_RSAPrivateKey"},
+{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1),	"SSL_use_RSAPrivateKey_ASN1"},
+{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE),	"SSL_use_RSAPrivateKey_file"},
+{ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN),	"SSL_VERIFY_CERT_CHAIN"},
+{ERR_FUNC(SSL_F_SSL_WRITE),	"SSL_write"},
+{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE),	"TLS1_CHANGE_CIPHER_STATE"},
+{ERR_FUNC(SSL_F_TLS1_ENC),	"TLS1_ENC"},
+{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK),	"TLS1_SETUP_KEY_BLOCK"},
+{ERR_FUNC(SSL_F_WRITE_PENDING),	"WRITE_PENDING"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA SSL_str_reasons[]=
 	{
-{SSL_R_APP_DATA_IN_HANDSHAKE             ,"app data in handshake"},
-{SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT,"attempt to reuse session in different context"},
-{SSL_R_BAD_ALERT_RECORD                  ,"bad alert record"},
-{SSL_R_BAD_AUTHENTICATION_TYPE           ,"bad authentication type"},
-{SSL_R_BAD_CHANGE_CIPHER_SPEC            ,"bad change cipher spec"},
-{SSL_R_BAD_CHECKSUM                      ,"bad checksum"},
-{SSL_R_BAD_DATA_RETURNED_BY_CALLBACK     ,"bad data returned by callback"},
-{SSL_R_BAD_DECOMPRESSION                 ,"bad decompression"},
-{SSL_R_BAD_DH_G_LENGTH                   ,"bad dh g length"},
-{SSL_R_BAD_DH_PUB_KEY_LENGTH             ,"bad dh pub key length"},
-{SSL_R_BAD_DH_P_LENGTH                   ,"bad dh p length"},
-{SSL_R_BAD_DIGEST_LENGTH                 ,"bad digest length"},
-{SSL_R_BAD_DSA_SIGNATURE                 ,"bad dsa signature"},
-{SSL_R_BAD_HELLO_REQUEST                 ,"bad hello request"},
-{SSL_R_BAD_LENGTH                        ,"bad length"},
-{SSL_R_BAD_MAC_DECODE                    ,"bad mac decode"},
-{SSL_R_BAD_MESSAGE_TYPE                  ,"bad message type"},
-{SSL_R_BAD_PACKET_LENGTH                 ,"bad packet length"},
-{SSL_R_BAD_PROTOCOL_VERSION_NUMBER       ,"bad protocol version number"},
-{SSL_R_BAD_RESPONSE_ARGUMENT             ,"bad response argument"},
-{SSL_R_BAD_RSA_DECRYPT                   ,"bad rsa decrypt"},
-{SSL_R_BAD_RSA_ENCRYPT                   ,"bad rsa encrypt"},
-{SSL_R_BAD_RSA_E_LENGTH                  ,"bad rsa e length"},
-{SSL_R_BAD_RSA_MODULUS_LENGTH            ,"bad rsa modulus length"},
-{SSL_R_BAD_RSA_SIGNATURE                 ,"bad rsa signature"},
-{SSL_R_BAD_SIGNATURE                     ,"bad signature"},
-{SSL_R_BAD_SSL_FILETYPE                  ,"bad ssl filetype"},
-{SSL_R_BAD_SSL_SESSION_ID_LENGTH         ,"bad ssl session id length"},
-{SSL_R_BAD_STATE                         ,"bad state"},
-{SSL_R_BAD_WRITE_RETRY                   ,"bad write retry"},
-{SSL_R_BIO_NOT_SET                       ,"bio not set"},
-{SSL_R_BLOCK_CIPHER_PAD_IS_WRONG         ,"block cipher pad is wrong"},
-{SSL_R_BN_LIB                            ,"bn lib"},
-{SSL_R_CA_DN_LENGTH_MISMATCH             ,"ca dn length mismatch"},
-{SSL_R_CA_DN_TOO_LONG                    ,"ca dn too long"},
-{SSL_R_CCS_RECEIVED_EARLY                ,"ccs received early"},
-{SSL_R_CERTIFICATE_VERIFY_FAILED         ,"certificate verify failed"},
-{SSL_R_CERT_LENGTH_MISMATCH              ,"cert length mismatch"},
-{SSL_R_CHALLENGE_IS_DIFFERENT            ,"challenge is different"},
-{SSL_R_CIPHER_CODE_WRONG_LENGTH          ,"cipher code wrong length"},
-{SSL_R_CIPHER_OR_HASH_UNAVAILABLE        ,"cipher or hash unavailable"},
-{SSL_R_CIPHER_TABLE_SRC_ERROR            ,"cipher table src error"},
-{SSL_R_COMPRESSED_LENGTH_TOO_LONG        ,"compressed length too long"},
-{SSL_R_COMPRESSION_FAILURE               ,"compression failure"},
-{SSL_R_COMPRESSION_LIBRARY_ERROR         ,"compression library error"},
-{SSL_R_CONNECTION_ID_IS_DIFFERENT        ,"connection id is different"},
-{SSL_R_CONNECTION_TYPE_NOT_SET           ,"connection type not set"},
-{SSL_R_DATA_BETWEEN_CCS_AND_FINISHED     ,"data between ccs and finished"},
-{SSL_R_DATA_LENGTH_TOO_LONG              ,"data length too long"},
-{SSL_R_DECRYPTION_FAILED                 ,"decryption failed"},
-{SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC,"decryption failed or bad record mac"},
-{SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG   ,"dh public value length is wrong"},
-{SSL_R_DIGEST_CHECK_FAILED               ,"digest check failed"},
-{SSL_R_ENCRYPTED_LENGTH_TOO_LONG         ,"encrypted length too long"},
-{SSL_R_ERROR_GENERATING_TMP_RSA_KEY      ,"error generating tmp rsa key"},
-{SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST     ,"error in received cipher list"},
-{SSL_R_EXCESSIVE_MESSAGE_SIZE            ,"excessive message size"},
-{SSL_R_EXTRA_DATA_IN_MESSAGE             ,"extra data in message"},
-{SSL_R_GOT_A_FIN_BEFORE_A_CCS            ,"got a fin before a ccs"},
-{SSL_R_HTTPS_PROXY_REQUEST               ,"https proxy request"},
-{SSL_R_HTTP_REQUEST                      ,"http request"},
-{SSL_R_ILLEGAL_PADDING                   ,"illegal padding"},
-{SSL_R_INVALID_CHALLENGE_LENGTH          ,"invalid challenge length"},
-{SSL_R_INVALID_COMMAND                   ,"invalid command"},
-{SSL_R_INVALID_PURPOSE                   ,"invalid purpose"},
-{SSL_R_INVALID_TRUST                     ,"invalid trust"},
-{SSL_R_KEY_ARG_TOO_LONG                  ,"key arg too long"},
-{SSL_R_KRB5                              ,"krb5"},
-{SSL_R_KRB5_C_CC_PRINC                   ,"krb5 client cc principal (no tkt?)"},
-{SSL_R_KRB5_C_GET_CRED                   ,"krb5 client get cred"},
-{SSL_R_KRB5_C_INIT                       ,"krb5 client init"},
-{SSL_R_KRB5_C_MK_REQ                     ,"krb5 client mk_req (expired tkt?)"},
-{SSL_R_KRB5_S_BAD_TICKET                 ,"krb5 server bad ticket"},
-{SSL_R_KRB5_S_INIT                       ,"krb5 server init"},
-{SSL_R_KRB5_S_RD_REQ                     ,"krb5 server rd_req (keytab perms?)"},
-{SSL_R_KRB5_S_TKT_EXPIRED                ,"krb5 server tkt expired"},
-{SSL_R_KRB5_S_TKT_NYV                    ,"krb5 server tkt not yet valid"},
-{SSL_R_KRB5_S_TKT_SKEW                   ,"krb5 server tkt skew"},
-{SSL_R_LENGTH_MISMATCH                   ,"length mismatch"},
-{SSL_R_LENGTH_TOO_SHORT                  ,"length too short"},
-{SSL_R_LIBRARY_BUG                       ,"library bug"},
-{SSL_R_LIBRARY_HAS_NO_CIPHERS            ,"library has no ciphers"},
-{SSL_R_MASTER_KEY_TOO_LONG               ,"master key too long"},
-{SSL_R_MESSAGE_TOO_LONG                  ,"message too long"},
-{SSL_R_MISSING_DH_DSA_CERT               ,"missing dh dsa cert"},
-{SSL_R_MISSING_DH_KEY                    ,"missing dh key"},
-{SSL_R_MISSING_DH_RSA_CERT               ,"missing dh rsa cert"},
-{SSL_R_MISSING_DSA_SIGNING_CERT          ,"missing dsa signing cert"},
-{SSL_R_MISSING_EXPORT_TMP_DH_KEY         ,"missing export tmp dh key"},
-{SSL_R_MISSING_EXPORT_TMP_RSA_KEY        ,"missing export tmp rsa key"},
-{SSL_R_MISSING_RSA_CERTIFICATE           ,"missing rsa certificate"},
-{SSL_R_MISSING_RSA_ENCRYPTING_CERT       ,"missing rsa encrypting cert"},
-{SSL_R_MISSING_RSA_SIGNING_CERT          ,"missing rsa signing cert"},
-{SSL_R_MISSING_TMP_DH_KEY                ,"missing tmp dh key"},
-{SSL_R_MISSING_TMP_RSA_KEY               ,"missing tmp rsa key"},
-{SSL_R_MISSING_TMP_RSA_PKEY              ,"missing tmp rsa pkey"},
-{SSL_R_MISSING_VERIFY_MESSAGE            ,"missing verify message"},
-{SSL_R_NON_SSLV2_INITIAL_PACKET          ,"non sslv2 initial packet"},
-{SSL_R_NO_CERTIFICATES_RETURNED          ,"no certificates returned"},
-{SSL_R_NO_CERTIFICATE_ASSIGNED           ,"no certificate assigned"},
-{SSL_R_NO_CERTIFICATE_RETURNED           ,"no certificate returned"},
-{SSL_R_NO_CERTIFICATE_SET                ,"no certificate set"},
-{SSL_R_NO_CERTIFICATE_SPECIFIED          ,"no certificate specified"},
-{SSL_R_NO_CIPHERS_AVAILABLE              ,"no ciphers available"},
-{SSL_R_NO_CIPHERS_PASSED                 ,"no ciphers passed"},
-{SSL_R_NO_CIPHERS_SPECIFIED              ,"no ciphers specified"},
-{SSL_R_NO_CIPHER_LIST                    ,"no cipher list"},
-{SSL_R_NO_CIPHER_MATCH                   ,"no cipher match"},
-{SSL_R_NO_CLIENT_CERT_RECEIVED           ,"no client cert received"},
-{SSL_R_NO_COMPRESSION_SPECIFIED          ,"no compression specified"},
-{SSL_R_NO_METHOD_SPECIFIED               ,"no method specified"},
-{SSL_R_NO_PRIVATEKEY                     ,"no privatekey"},
-{SSL_R_NO_PRIVATE_KEY_ASSIGNED           ,"no private key assigned"},
-{SSL_R_NO_PROTOCOLS_AVAILABLE            ,"no protocols available"},
-{SSL_R_NO_PUBLICKEY                      ,"no publickey"},
-{SSL_R_NO_SHARED_CIPHER                  ,"no shared cipher"},
-{SSL_R_NO_VERIFY_CALLBACK                ,"no verify callback"},
-{SSL_R_NULL_SSL_CTX                      ,"null ssl ctx"},
-{SSL_R_NULL_SSL_METHOD_PASSED            ,"null ssl method passed"},
-{SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED   ,"old session cipher not returned"},
-{SSL_R_PACKET_LENGTH_TOO_LONG            ,"packet length too long"},
-{SSL_R_PATH_TOO_LONG                     ,"path too long"},
-{SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"},
-{SSL_R_PEER_ERROR                        ,"peer error"},
-{SSL_R_PEER_ERROR_CERTIFICATE            ,"peer error certificate"},
-{SSL_R_PEER_ERROR_NO_CERTIFICATE         ,"peer error no certificate"},
-{SSL_R_PEER_ERROR_NO_CIPHER              ,"peer error no cipher"},
-{SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,"peer error unsupported certificate type"},
-{SSL_R_PRE_MAC_LENGTH_TOO_LONG           ,"pre mac length too long"},
-{SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS ,"problems mapping cipher functions"},
-{SSL_R_PROTOCOL_IS_SHUTDOWN              ,"protocol is shutdown"},
-{SSL_R_PUBLIC_KEY_ENCRYPT_ERROR          ,"public key encrypt error"},
-{SSL_R_PUBLIC_KEY_IS_NOT_RSA             ,"public key is not rsa"},
-{SSL_R_PUBLIC_KEY_NOT_RSA                ,"public key not rsa"},
-{SSL_R_READ_BIO_NOT_SET                  ,"read bio not set"},
-{SSL_R_READ_WRONG_PACKET_TYPE            ,"read wrong packet type"},
-{SSL_R_RECORD_LENGTH_MISMATCH            ,"record length mismatch"},
-{SSL_R_RECORD_TOO_LARGE                  ,"record too large"},
-{SSL_R_RECORD_TOO_SMALL                  ,"record too small"},
-{SSL_R_REQUIRED_CIPHER_MISSING           ,"required cipher missing"},
-{SSL_R_REUSE_CERT_LENGTH_NOT_ZERO        ,"reuse cert length not zero"},
-{SSL_R_REUSE_CERT_TYPE_NOT_ZERO          ,"reuse cert type not zero"},
-{SSL_R_REUSE_CIPHER_LIST_NOT_ZERO        ,"reuse cipher list not zero"},
-{SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED  ,"session id context uninitialized"},
-{SSL_R_SHORT_READ                        ,"short read"},
-{SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
-{SSL_R_SSL23_DOING_SESSION_ID_REUSE      ,"ssl23 doing session id reuse"},
-{SSL_R_SSL2_CONNECTION_ID_TOO_LONG       ,"ssl2 connection id too long"},
-{SSL_R_SSL3_SESSION_ID_TOO_LONG          ,"ssl3 session id too long"},
-{SSL_R_SSL3_SESSION_ID_TOO_SHORT         ,"ssl3 session id too short"},
-{SSL_R_SSLV3_ALERT_BAD_CERTIFICATE       ,"sslv3 alert bad certificate"},
-{SSL_R_SSLV3_ALERT_BAD_RECORD_MAC        ,"sslv3 alert bad record mac"},
-{SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED   ,"sslv3 alert certificate expired"},
-{SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED   ,"sslv3 alert certificate revoked"},
-{SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN   ,"sslv3 alert certificate unknown"},
-{SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE ,"sslv3 alert decompression failure"},
-{SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE     ,"sslv3 alert handshake failure"},
-{SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER     ,"sslv3 alert illegal parameter"},
-{SSL_R_SSLV3_ALERT_NO_CERTIFICATE        ,"sslv3 alert no certificate"},
-{SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE,"sslv3 alert peer error certificate"},
-{SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE,"sslv3 alert peer error no certificate"},
-{SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER  ,"sslv3 alert peer error no cipher"},
-{SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,"sslv3 alert peer error unsupported certificate type"},
-{SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE    ,"sslv3 alert unexpected message"},
-{SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE,"sslv3 alert unknown remote error type"},
-{SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE,"sslv3 alert unsupported certificate"},
-{SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION,"ssl ctx has no default ssl version"},
-{SSL_R_SSL_HANDSHAKE_FAILURE             ,"ssl handshake failure"},
-{SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS        ,"ssl library has no ciphers"},
-{SSL_R_SSL_SESSION_ID_CALLBACK_FAILED    ,"ssl session id callback failed"},
-{SSL_R_SSL_SESSION_ID_CONFLICT           ,"ssl session id conflict"},
-{SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG   ,"ssl session id context too long"},
-{SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH     ,"ssl session id has bad length"},
-{SSL_R_SSL_SESSION_ID_IS_DIFFERENT       ,"ssl session id is different"},
-{SSL_R_TLSV1_ALERT_ACCESS_DENIED         ,"tlsv1 alert access denied"},
-{SSL_R_TLSV1_ALERT_DECODE_ERROR          ,"tlsv1 alert decode error"},
-{SSL_R_TLSV1_ALERT_DECRYPTION_FAILED     ,"tlsv1 alert decryption failed"},
-{SSL_R_TLSV1_ALERT_DECRYPT_ERROR         ,"tlsv1 alert decrypt error"},
-{SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION    ,"tlsv1 alert export restriction"},
-{SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY ,"tlsv1 alert insufficient security"},
-{SSL_R_TLSV1_ALERT_INTERNAL_ERROR        ,"tlsv1 alert internal error"},
-{SSL_R_TLSV1_ALERT_NO_RENEGOTIATION      ,"tlsv1 alert no renegotiation"},
-{SSL_R_TLSV1_ALERT_PROTOCOL_VERSION      ,"tlsv1 alert protocol version"},
-{SSL_R_TLSV1_ALERT_RECORD_OVERFLOW       ,"tlsv1 alert record overflow"},
-{SSL_R_TLSV1_ALERT_UNKNOWN_CA            ,"tlsv1 alert unknown ca"},
-{SSL_R_TLSV1_ALERT_USER_CANCELLED        ,"tlsv1 alert user cancelled"},
-{SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER,"tls client cert req with anon cipher"},
-{SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST,"tls peer did not respond with certificate list"},
-{SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG,"tls rsa encrypted value length is wrong"},
-{SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER   ,"tried to use unsupported cipher"},
-{SSL_R_UNABLE_TO_DECODE_DH_CERTS         ,"unable to decode dh certs"},
-{SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY      ,"unable to extract public key"},
-{SSL_R_UNABLE_TO_FIND_DH_PARAMETERS      ,"unable to find dh parameters"},
-{SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS,"unable to find public key parameters"},
-{SSL_R_UNABLE_TO_FIND_SSL_METHOD         ,"unable to find ssl method"},
-{SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES  ,"unable to load ssl2 md5 routines"},
-{SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES  ,"unable to load ssl3 md5 routines"},
-{SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES ,"unable to load ssl3 sha1 routines"},
-{SSL_R_UNEXPECTED_MESSAGE                ,"unexpected message"},
-{SSL_R_UNEXPECTED_RECORD                 ,"unexpected record"},
-{SSL_R_UNINITIALIZED                     ,"uninitialized"},
-{SSL_R_UNKNOWN_ALERT_TYPE                ,"unknown alert type"},
-{SSL_R_UNKNOWN_CERTIFICATE_TYPE          ,"unknown certificate type"},
-{SSL_R_UNKNOWN_CIPHER_RETURNED           ,"unknown cipher returned"},
-{SSL_R_UNKNOWN_CIPHER_TYPE               ,"unknown cipher type"},
-{SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE         ,"unknown key exchange type"},
-{SSL_R_UNKNOWN_PKEY_TYPE                 ,"unknown pkey type"},
-{SSL_R_UNKNOWN_PROTOCOL                  ,"unknown protocol"},
-{SSL_R_UNKNOWN_REMOTE_ERROR_TYPE         ,"unknown remote error type"},
-{SSL_R_UNKNOWN_SSL_VERSION               ,"unknown ssl version"},
-{SSL_R_UNKNOWN_STATE                     ,"unknown state"},
-{SSL_R_UNSUPPORTED_CIPHER                ,"unsupported cipher"},
-{SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM ,"unsupported compression algorithm"},
-{SSL_R_UNSUPPORTED_OPTION                ,"unsupported option"},
-{SSL_R_UNSUPPORTED_PROTOCOL              ,"unsupported protocol"},
-{SSL_R_UNSUPPORTED_SSL_VERSION           ,"unsupported ssl version"},
-{SSL_R_WRITE_BIO_NOT_SET                 ,"write bio not set"},
-{SSL_R_WRONG_CIPHER_RETURNED             ,"wrong cipher returned"},
-{SSL_R_WRONG_MESSAGE_TYPE                ,"wrong message type"},
-{SSL_R_WRONG_NUMBER_OF_KEY_BITS          ,"wrong number of key bits"},
-{SSL_R_WRONG_SIGNATURE_LENGTH            ,"wrong signature length"},
-{SSL_R_WRONG_SIGNATURE_SIZE              ,"wrong signature size"},
-{SSL_R_WRONG_SSL_VERSION                 ,"wrong ssl version"},
-{SSL_R_WRONG_VERSION_NUMBER              ,"wrong version number"},
-{SSL_R_X509_LIB                          ,"x509 lib"},
-{SSL_R_X509_VERIFICATION_SETUP_PROBLEMS  ,"x509 verification setup problems"},
+{ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) ,"app data in handshake"},
+{ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),"attempt to reuse session in different context"},
+{ERR_REASON(SSL_R_BAD_ALERT_RECORD)      ,"bad alert record"},
+{ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"},
+{ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"},
+{ERR_REASON(SSL_R_BAD_CHECKSUM)          ,"bad checksum"},
+{ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),"bad data returned by callback"},
+{ERR_REASON(SSL_R_BAD_DECOMPRESSION)     ,"bad decompression"},
+{ERR_REASON(SSL_R_BAD_DH_G_LENGTH)       ,"bad dh g length"},
+{ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH) ,"bad dh pub key length"},
+{ERR_REASON(SSL_R_BAD_DH_P_LENGTH)       ,"bad dh p length"},
+{ERR_REASON(SSL_R_BAD_DIGEST_LENGTH)     ,"bad digest length"},
+{ERR_REASON(SSL_R_BAD_DSA_SIGNATURE)     ,"bad dsa signature"},
+{ERR_REASON(SSL_R_BAD_ECC_CERT)          ,"bad ecc cert"},
+{ERR_REASON(SSL_R_BAD_ECDSA_SIGNATURE)   ,"bad ecdsa signature"},
+{ERR_REASON(SSL_R_BAD_ECPOINT)           ,"bad ecpoint"},
+{ERR_REASON(SSL_R_BAD_HELLO_REQUEST)     ,"bad hello request"},
+{ERR_REASON(SSL_R_BAD_LENGTH)            ,"bad length"},
+{ERR_REASON(SSL_R_BAD_MAC_DECODE)        ,"bad mac decode"},
+{ERR_REASON(SSL_R_BAD_MESSAGE_TYPE)      ,"bad message type"},
+{ERR_REASON(SSL_R_BAD_PACKET_LENGTH)     ,"bad packet length"},
+{ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER),"bad protocol version number"},
+{ERR_REASON(SSL_R_BAD_RESPONSE_ARGUMENT) ,"bad response argument"},
+{ERR_REASON(SSL_R_BAD_RSA_DECRYPT)       ,"bad rsa decrypt"},
+{ERR_REASON(SSL_R_BAD_RSA_ENCRYPT)       ,"bad rsa encrypt"},
+{ERR_REASON(SSL_R_BAD_RSA_E_LENGTH)      ,"bad rsa e length"},
+{ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH),"bad rsa modulus length"},
+{ERR_REASON(SSL_R_BAD_RSA_SIGNATURE)     ,"bad rsa signature"},
+{ERR_REASON(SSL_R_BAD_SIGNATURE)         ,"bad signature"},
+{ERR_REASON(SSL_R_BAD_SSL_FILETYPE)      ,"bad ssl filetype"},
+{ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"},
+{ERR_REASON(SSL_R_BAD_STATE)             ,"bad state"},
+{ERR_REASON(SSL_R_BAD_WRITE_RETRY)       ,"bad write retry"},
+{ERR_REASON(SSL_R_BIO_NOT_SET)           ,"bio not set"},
+{ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"},
+{ERR_REASON(SSL_R_BN_LIB)                ,"bn lib"},
+{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"},
+{ERR_REASON(SSL_R_CA_DN_TOO_LONG)        ,"ca dn too long"},
+{ERR_REASON(SSL_R_CCS_RECEIVED_EARLY)    ,"ccs received early"},
+{ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"},
+{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH)  ,"cert length mismatch"},
+{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"},
+{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"},
+{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"},
+{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
+{ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},
+{ERR_REASON(SSL_R_COMPRESSION_FAILURE)   ,"compression failure"},
+{ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),"compression id not within private range"},
+{ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
+{ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"},
+{ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"},
+{ERR_REASON(SSL_R_COOKIE_MISMATCH)       ,"cookie mismatch"},
+{ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"},
+{ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG)  ,"data length too long"},
+{ERR_REASON(SSL_R_DECRYPTION_FAILED)     ,"decryption failed"},
+{ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
+{ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
+{ERR_REASON(SSL_R_DIGEST_CHECK_FAILED)   ,"digest check failed"},
+{ERR_REASON(SSL_R_DUPLICATE_COMPRESSION_ID),"duplicate compression id"},
+{ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER),"ecgroup too large for cipher"},
+{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"},
+{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"},
+{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"},
+{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"},
+{ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"},
+{ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"},
+{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST)   ,"https proxy request"},
+{ERR_REASON(SSL_R_HTTP_REQUEST)          ,"http request"},
+{ERR_REASON(SSL_R_ILLEGAL_PADDING)       ,"illegal padding"},
+{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
+{ERR_REASON(SSL_R_INVALID_COMMAND)       ,"invalid command"},
+{ERR_REASON(SSL_R_INVALID_PURPOSE)       ,"invalid purpose"},
+{ERR_REASON(SSL_R_INVALID_TRUST)         ,"invalid trust"},
+{ERR_REASON(SSL_R_KEY_ARG_TOO_LONG)      ,"key arg too long"},
+{ERR_REASON(SSL_R_KRB5)                  ,"krb5"},
+{ERR_REASON(SSL_R_KRB5_C_CC_PRINC)       ,"krb5 client cc principal (no tkt?)"},
+{ERR_REASON(SSL_R_KRB5_C_GET_CRED)       ,"krb5 client get cred"},
+{ERR_REASON(SSL_R_KRB5_C_INIT)           ,"krb5 client init"},
+{ERR_REASON(SSL_R_KRB5_C_MK_REQ)         ,"krb5 client mk_req (expired tkt?)"},
+{ERR_REASON(SSL_R_KRB5_S_BAD_TICKET)     ,"krb5 server bad ticket"},
+{ERR_REASON(SSL_R_KRB5_S_INIT)           ,"krb5 server init"},
+{ERR_REASON(SSL_R_KRB5_S_RD_REQ)         ,"krb5 server rd_req (keytab perms?)"},
+{ERR_REASON(SSL_R_KRB5_S_TKT_EXPIRED)    ,"krb5 server tkt expired"},
+{ERR_REASON(SSL_R_KRB5_S_TKT_NYV)        ,"krb5 server tkt not yet valid"},
+{ERR_REASON(SSL_R_KRB5_S_TKT_SKEW)       ,"krb5 server tkt skew"},
+{ERR_REASON(SSL_R_LENGTH_MISMATCH)       ,"length mismatch"},
+{ERR_REASON(SSL_R_LENGTH_TOO_SHORT)      ,"length too short"},
+{ERR_REASON(SSL_R_LIBRARY_BUG)           ,"library bug"},
+{ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS),"library has no ciphers"},
+{ERR_REASON(SSL_R_MESSAGE_TOO_LONG)      ,"message too long"},
+{ERR_REASON(SSL_R_MISSING_DH_DSA_CERT)   ,"missing dh dsa cert"},
+{ERR_REASON(SSL_R_MISSING_DH_KEY)        ,"missing dh key"},
+{ERR_REASON(SSL_R_MISSING_DH_RSA_CERT)   ,"missing dh rsa cert"},
+{ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"},
+{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"},
+{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"},
+{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},
+{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),"missing rsa encrypting cert"},
+{ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT),"missing rsa signing cert"},
+{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY)    ,"missing tmp dh key"},
+{ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY)  ,"missing tmp ecdh key"},
+{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY)   ,"missing tmp rsa key"},
+{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY)  ,"missing tmp rsa pkey"},
+{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
+{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
+{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
+{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
+{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},
+{ERR_REASON(SSL_R_NO_CERTIFICATE_SET)    ,"no certificate set"},
+{ERR_REASON(SSL_R_NO_CERTIFICATE_SPECIFIED),"no certificate specified"},
+{ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE)  ,"no ciphers available"},
+{ERR_REASON(SSL_R_NO_CIPHERS_PASSED)     ,"no ciphers passed"},
+{ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED)  ,"no ciphers specified"},
+{ERR_REASON(SSL_R_NO_CIPHER_LIST)        ,"no cipher list"},
+{ERR_REASON(SSL_R_NO_CIPHER_MATCH)       ,"no cipher match"},
+{ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"},
+{ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
+{ERR_REASON(SSL_R_NO_METHOD_SPECIFIED)   ,"no method specified"},
+{ERR_REASON(SSL_R_NO_PRIVATEKEY)         ,"no privatekey"},
+{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
+{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
+{ERR_REASON(SSL_R_NO_PUBLICKEY)          ,"no publickey"},
+{ERR_REASON(SSL_R_NO_SHARED_CIPHER)      ,"no shared cipher"},
+{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK)    ,"no verify callback"},
+{ERR_REASON(SSL_R_NULL_SSL_CTX)          ,"null ssl ctx"},
+{ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
+{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
+{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
+{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
+{ERR_REASON(SSL_R_PATH_TOO_LONG)         ,"path too long"},
+{ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},
+{ERR_REASON(SSL_R_PEER_ERROR)            ,"peer error"},
+{ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE),"peer error certificate"},
+{ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE),"peer error no certificate"},
+{ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER)  ,"peer error no cipher"},
+{ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE),"peer error unsupported certificate type"},
+{ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG),"pre mac length too long"},
+{ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS),"problems mapping cipher functions"},
+{ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN)  ,"protocol is shutdown"},
+{ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR),"public key encrypt error"},
+{ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) ,"public key is not rsa"},
+{ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA)    ,"public key not rsa"},
+{ERR_REASON(SSL_R_READ_BIO_NOT_SET)      ,"read bio not set"},
+{ERR_REASON(SSL_R_READ_TIMEOUT_EXPIRED)  ,"read timeout expired"},
+{ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE),"read wrong packet type"},
+{ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},
+{ERR_REASON(SSL_R_RECORD_TOO_LARGE)      ,"record too large"},
+{ERR_REASON(SSL_R_RECORD_TOO_SMALL)      ,"record too small"},
+{ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
+{ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
+{ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
+{ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
+{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
+{ERR_REASON(SSL_R_SHORT_READ)            ,"short read"},
+{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
+{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"},
+{ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG),"ssl2 connection id too long"},
+{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG),"ssl3 session id too long"},
+{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT),"ssl3 session id too short"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),"sslv3 alert bad certificate"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),"sslv3 alert bad record mac"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED),"sslv3 alert certificate expired"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED),"sslv3 alert certificate revoked"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN),"sslv3 alert certificate unknown"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE),"sslv3 alert decompression failure"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE),"sslv3 alert handshake failure"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER),"sslv3 alert illegal parameter"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE),"sslv3 alert no certificate"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE),"sslv3 alert unexpected message"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),"sslv3 alert unsupported certificate"},
+{ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),"ssl ctx has no default ssl version"},
+{ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE) ,"ssl handshake failure"},
+{ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS),"ssl library has no ciphers"},
+{ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED),"ssl session id callback failed"},
+{ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT),"ssl session id conflict"},
+{ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),"ssl session id context too long"},
+{ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),"ssl session id has bad length"},
+{ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT),"ssl session id is different"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),"tlsv1 alert access denied"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR),"tlsv1 alert decode error"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION),"tlsv1 alert protocol version"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW),"tlsv1 alert record overflow"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA),"tlsv1 alert unknown ca"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED),"tlsv1 alert user cancelled"},
+{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
+{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},
+{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),"tls rsa encrypted value length is wrong"},
+{ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),"tried to use unsupported cipher"},
+{ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),"unable to decode dh certs"},
+{ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS),"unable to decode ecdh certs"},
+{ERR_REASON(SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY),"unable to extract public key"},
+{ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),"unable to find dh parameters"},
+{ERR_REASON(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS),"unable to find ecdh parameters"},
+{ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),"unable to find public key parameters"},
+{ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),"unable to find ssl method"},
+{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES),"unable to load ssl2 md5 routines"},
+{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),"unable to load ssl3 md5 routines"},
+{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),"unable to load ssl3 sha1 routines"},
+{ERR_REASON(SSL_R_UNEXPECTED_MESSAGE)    ,"unexpected message"},
+{ERR_REASON(SSL_R_UNEXPECTED_RECORD)     ,"unexpected record"},
+{ERR_REASON(SSL_R_UNINITIALIZED)         ,"uninitialized"},
+{ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE)    ,"unknown alert type"},
+{ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"},
+{ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"},
+{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE)   ,"unknown cipher type"},
+{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),"unknown key exchange type"},
+{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE)     ,"unknown pkey type"},
+{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL)      ,"unknown protocol"},
+{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
+{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   ,"unknown ssl version"},
+{ERR_REASON(SSL_R_UNKNOWN_STATE)         ,"unknown state"},
+{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
+{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
+{ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsupported elliptic curve"},
+{ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL)  ,"unsupported protocol"},
+{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"},
+{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET)     ,"write bio not set"},
+{ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"},
+{ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE)    ,"wrong message type"},
+{ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS),"wrong number of key bits"},
+{ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
+{ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE)  ,"wrong signature size"},
+{ERR_REASON(SSL_R_WRONG_SSL_VERSION)     ,"wrong ssl version"},
+{ERR_REASON(SSL_R_WRONG_VERSION_NUMBER)  ,"wrong version number"},
+{ERR_REASON(SSL_R_X509_LIB)              ,"x509 lib"},
+{ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
 {0,NULL}
 	};
 
@@ -453,8 +492,8 @@ void ERR_load_SSL_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_SSL,SSL_str_functs);
-		ERR_load_strings(ERR_LIB_SSL,SSL_str_reasons);
+		ERR_load_strings(0,SSL_str_functs);
+		ERR_load_strings(0,SSL_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index f5705af0f616..28c90fc68e20 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c
@@ -110,7 +110,11 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
-
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #ifdef REF_CHECK
 #  include <assert.h>
@@ -121,18 +125,27 @@
 #include <openssl/objects.h>
 #include <openssl/lhash.h>
 #include <openssl/x509v3.h>
-#include <openssl/fips.h>
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
 
 const char *SSL_version_str=OPENSSL_VERSION_TEXT;
 
-OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={
+SSL3_ENC_METHOD ssl3_undef_enc_method={
 	/* evil casts, but these functions are only called if there's a library bug */
 	(int (*)(SSL *,int))ssl_undefined_function,
 	(int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
 	ssl_undefined_function,
 	(int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
 	(int (*)(SSL*, int))ssl_undefined_function,
-	(int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function
+	(int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function,
+	0,	/* finish_mac_length */
+	(int (*)(SSL *, EVP_MD_CTX *, unsigned char *))ssl_undefined_function,
+	NULL,	/* client_finished_label */
+	0,	/* client_finished_label_len */
+	NULL,	/* server_finished_label */
+	0,	/* server_finished_label_len */
+	(int (*)(int))ssl_undefined_function
 	};
 
 int SSL_clear(SSL *s)
@@ -272,14 +285,23 @@ SSL *SSL_new(SSL_CTX *ctx)
 	s->msg_callback=ctx->msg_callback;
 	s->msg_callback_arg=ctx->msg_callback_arg;
 	s->verify_mode=ctx->verify_mode;
+#if 0
 	s->verify_depth=ctx->verify_depth;
+#endif
 	s->sid_ctx_length=ctx->sid_ctx_length;
 	OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
 	memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
 	s->verify_callback=ctx->default_verify_callback;
 	s->generate_session_id=ctx->generate_session_id;
+
+	s->param = X509_VERIFY_PARAM_new();
+	if (!s->param)
+		goto err;
+	X509_VERIFY_PARAM_inherit(s->param, ctx->param);
+#if 0
 	s->purpose = ctx->purpose;
 	s->trust = ctx->trust;
+#endif
 	s->quiet_shutdown=ctx->quiet_shutdown;
 
 	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
@@ -393,22 +415,22 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
 
 int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
 	{
-	return X509_PURPOSE_set(&s->purpose, purpose);
+	return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
 	}
 
 int SSL_set_purpose(SSL *s, int purpose)
 	{
-	return X509_PURPOSE_set(&s->purpose, purpose);
+	return X509_VERIFY_PARAM_set_purpose(s->param, purpose);
 	}
 
 int SSL_CTX_set_trust(SSL_CTX *s, int trust)
 	{
-	return X509_TRUST_set(&s->trust, trust);
+	return X509_VERIFY_PARAM_set_trust(s->param, trust);
 	}
 
 int SSL_set_trust(SSL *s, int trust)
 	{
-	return X509_TRUST_set(&s->trust, trust);
+	return X509_VERIFY_PARAM_set_trust(s->param, trust);
 	}
 
 void SSL_free(SSL *s)
@@ -431,6 +453,9 @@ void SSL_free(SSL *s)
 		}
 #endif
 
+	if (s->param)
+		X509_VERIFY_PARAM_free(s->param);
+
 	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
 
 	if (s->bbio != NULL)
@@ -501,18 +526,18 @@ void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
 	s->wbio=wbio;
 	}
 
-BIO *SSL_get_rbio(SSL *s)
+BIO *SSL_get_rbio(const SSL *s)
 	{ return(s->rbio); }
 
-BIO *SSL_get_wbio(SSL *s)
+BIO *SSL_get_wbio(const SSL *s)
 	{ return(s->wbio); }
 
-int SSL_get_fd(SSL *s)
+int SSL_get_fd(const SSL *s)
 	{
 	return(SSL_get_rfd(s));
 	}
 
-int SSL_get_rfd(SSL *s)
+int SSL_get_rfd(const SSL *s)
 	{
 	int ret= -1;
 	BIO *b,*r;
@@ -524,7 +549,7 @@ int SSL_get_rfd(SSL *s)
 	return(ret);
 	}
 
-int SSL_get_wfd(SSL *s)
+int SSL_get_wfd(const SSL *s)
 	{
 	int ret= -1;
 	BIO *b,*r;
@@ -606,7 +631,7 @@ err:
 
 
 /* return length of latest Finished message we sent, copy to 'buf' */
-size_t SSL_get_finished(SSL *s, void *buf, size_t count)
+size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
 	{
 	size_t ret = 0;
 	
@@ -621,7 +646,7 @@ size_t SSL_get_finished(SSL *s, void *buf, size_t count)
 	}
 
 /* return length of latest Finished message we expected, copy to 'buf' */
-size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
+size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
 	{
 	size_t ret = 0;
 	
@@ -636,32 +661,32 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
 	}
 
 
-int SSL_get_verify_mode(SSL *s)
+int SSL_get_verify_mode(const SSL *s)
 	{
 	return(s->verify_mode);
 	}
 
-int SSL_get_verify_depth(SSL *s)
+int SSL_get_verify_depth(const SSL *s)
 	{
-	return(s->verify_depth);
+	return X509_VERIFY_PARAM_get_depth(s->param);
 	}
 
-int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *)
+int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
 	{
 	return(s->verify_callback);
 	}
 
-int SSL_CTX_get_verify_mode(SSL_CTX *ctx)
+int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
 	{
 	return(ctx->verify_mode);
 	}
 
-int SSL_CTX_get_verify_depth(SSL_CTX *ctx)
+int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
 	{
-	return(ctx->verify_depth);
+	return X509_VERIFY_PARAM_get_depth(ctx->param);
 	}
 
-int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *)
+int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
 	{
 	return(ctx->default_verify_callback);
 	}
@@ -676,7 +701,7 @@ void SSL_set_verify(SSL *s,int mode,
 
 void SSL_set_verify_depth(SSL *s,int depth)
 	{
-	s->verify_depth=depth;
+	X509_VERIFY_PARAM_set_depth(s->param, depth);
 	}
 
 void SSL_set_read_ahead(SSL *s,int yes)
@@ -684,12 +709,12 @@ void SSL_set_read_ahead(SSL *s,int yes)
 	s->read_ahead=yes;
 	}
 
-int SSL_get_read_ahead(SSL *s)
+int SSL_get_read_ahead(const SSL *s)
 	{
 	return(s->read_ahead);
 	}
 
-int SSL_pending(SSL *s)
+int SSL_pending(const SSL *s)
 	{
 	/* SSL_pending cannot work properly if read-ahead is enabled
 	 * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
@@ -701,7 +726,7 @@ int SSL_pending(SSL *s)
 	return(s->method->ssl_pending(s));
 	}
 
-X509 *SSL_get_peer_certificate(SSL *s)
+X509 *SSL_get_peer_certificate(const SSL *s)
 	{
 	X509 *r;
 	
@@ -717,7 +742,7 @@ X509 *SSL_get_peer_certificate(SSL *s)
 	return(r);
 	}
 
-STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
+STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
 	{
 	STACK_OF(X509) *r;
 	
@@ -734,7 +759,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
 
 /* Now in theory, since the calling process own 't' it should be safe to
  * modify.  We need to be able to read f without being hassled */
-void SSL_copy_session_id(SSL *t,SSL *f)
+void SSL_copy_session_id(SSL *t,const SSL *f)
 	{
 	CERT *tmp;
 
@@ -763,7 +788,7 @@ void SSL_copy_session_id(SSL *t,SSL *f)
 	}
 
 /* Fix this so it checks all the valid key/cert options */
-int SSL_CTX_check_private_key(SSL_CTX *ctx)
+int SSL_CTX_check_private_key(const SSL_CTX *ctx)
 	{
 	if (	(ctx == NULL) ||
 		(ctx->cert == NULL) ||
@@ -781,7 +806,7 @@ int SSL_CTX_check_private_key(SSL_CTX *ctx)
 	}
 
 /* Fix this function so that it takes an optional type parameter */
-int SSL_check_private_key(SSL *ssl)
+int SSL_check_private_key(const SSL *ssl)
 	{
 	if (ssl == NULL)
 		{
@@ -825,7 +850,7 @@ int SSL_connect(SSL *s)
 	return(s->method->ssl_connect(s));
 	}
 
-long SSL_get_default_timeout(SSL *s)
+long SSL_get_default_timeout(const SSL *s)
 	{
 	return(s->method->get_timeout());
 	}
@@ -850,7 +875,7 @@ int SSL_peek(SSL *s,void *buf,int num)
 	{
 	if (s->handshake_func == 0)
 		{
-		SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
+		SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED);
 		return -1;
 		}
 
@@ -941,12 +966,19 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
 		l=s->max_cert_list;
 		s->max_cert_list=larg;
 		return(l);
+	case SSL_CTRL_SET_MTU:
+		if (SSL_version(s) == DTLS1_VERSION)
+			{
+			s->d1->mtu = larg;
+			return larg;
+			}
+		return 0;
 	default:
 		return(s->method->ssl_ctrl(s,cmd,larg,parg));
 		}
 	}
 
-long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)())
+long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
 	{
 	switch(cmd)
 		{
@@ -1034,7 +1066,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
 		}
 	}
 
-long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
+long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
 	{
 	switch(cmd)
 		{
@@ -1072,7 +1104,7 @@ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
 
 /** return a STACK of the ciphers available for the SSL and in order of
  * preference */
-STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
 	{
 	if (s != NULL)
 		{
@@ -1109,7 +1141,7 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
 	}
 
 /** The old interface to get the same thing as SSL_get_ciphers() */
-const char *SSL_get_cipher_list(SSL *s,int n)
+const char *SSL_get_cipher_list(const SSL *s,int n)
 	{
 	SSL_CIPHER *c;
 	STACK_OF(SSL_CIPHER) *sk;
@@ -1130,8 +1162,21 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
 	
 	sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
 		&ctx->cipher_list_by_id,str);
-/* XXXX */
-	return((sk == NULL)?0:1);
+	/* ssl_create_cipher_list may return an empty stack if it
+	 * was unable to find a cipher matching the given rule string
+	 * (for example if the rule string specifies a cipher which
+	 * has been disabled). This is not an error as far as 
+	 * ssl_create_cipher_list is concerned, and hence 
+	 * ctx->cipher_list and ctx->cipher_list_by_id has been
+	 * updated. */
+	if (sk == NULL)
+		return 0;
+	else if (sk_SSL_CIPHER_num(sk) == 0)
+		{
+		SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
+		return 0;
+		}
+	return 1;
 	}
 
 /** specify the ciphers to be used by the SSL */
@@ -1141,12 +1186,19 @@ int SSL_set_cipher_list(SSL *s,const char *str)
 	
 	sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
 		&s->cipher_list_by_id,str);
-/* XXXX */
-	return((sk == NULL)?0:1);
+	/* see comment in SSL_CTX_set_cipher_list */
+	if (sk == NULL)
+		return 0;
+	else if (sk_SSL_CIPHER_num(sk) == 0)
+		{
+		SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
+		return 0;
+		}
+	return 1;
 	}
 
 /* works well for SSLv2, not so good for SSLv3 */
-char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
+char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
 	{
 	char *p;
 	const char *cp;
@@ -1181,7 +1233,8 @@ char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
 	return(buf);
 	}
 
-int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p)
+int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
+                             int (*put_cb)(const SSL_CIPHER *, unsigned char *))
 	{
 	int i,j=0;
 	SSL_CIPHER *c;
@@ -1200,7 +1253,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p)
                 if ((c->algorithms & SSL_KRB5) && nokrb5)
                     continue;
 #endif /* OPENSSL_NO_KRB5 */                    
-		j=ssl_put_cipher_by_char(s,c,p);
+
+		j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
 		p+=j;
 		}
 	return(p-q);
@@ -1250,7 +1304,7 @@ err:
 	return(NULL);
 	}
 
-unsigned long SSL_SESSION_hash(SSL_SESSION *a)
+unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
 	{
 	unsigned long l;
 
@@ -1267,7 +1321,7 @@ unsigned long SSL_SESSION_hash(SSL_SESSION *a)
  * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
  * able to construct an SSL_SESSION that will collide with any existing session
  * with a matching session ID. */
-int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b)
+int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
 	{
 	if (a->ssl_version != b->ssl_version)
 		return(1);
@@ -1341,7 +1395,9 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
 	ret->msg_callback=0;
 	ret->msg_callback_arg=NULL;
 	ret->verify_mode=SSL_VERIFY_NONE;
+#if 0
 	ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
+#endif
 	ret->sid_ctx_length=0;
 	ret->default_verify_callback=NULL;
 	if ((ret->cert=ssl_cert_new()) == NULL)
@@ -1350,6 +1406,8 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
 	ret->default_passwd_callback=0;
 	ret->default_passwd_callback_userdata=NULL;
 	ret->client_cert_cb=0;
+	ret->app_gen_cookie_cb=0;
+	ret->app_verify_cookie_cb=0;
 
 	ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash),
 			LHASH_COMP_FN(SSL_SESSION_cmp));
@@ -1367,6 +1425,10 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
 		goto err2;
 		}
 
+	ret->param = X509_VERIFY_PARAM_new();
+	if (!ret->param)
+		goto err;
+
 	if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
 		{
 		SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
@@ -1423,6 +1485,9 @@ void SSL_CTX_free(SSL_CTX *a)
 		}
 #endif
 
+	if (a->param)
+		X509_VERIFY_PARAM_free(a->param);
+
 	/*
 	 * Free internal session cache. However: the remove_cb() may reference
 	 * the ex_data of SSL_CTX, thus the ex_data store can only be removed
@@ -1485,7 +1550,7 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
 
 void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth)
 	{
-	ctx->verify_depth=depth;
+	X509_VERIFY_PARAM_set_depth(ctx->param, depth);
 	}
 
 void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
@@ -1495,6 +1560,13 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
 	int rsa_enc_export,dh_rsa_export,dh_dsa_export;
 	int rsa_tmp_export,dh_tmp_export,kl;
 	unsigned long mask,emask;
+	int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
+#ifndef OPENSSL_NO_ECDH
+	int have_ecdh_tmp;
+#endif
+	X509 *x = NULL;
+	EVP_PKEY *ecc_pkey = NULL;
+	int signature_nid = 0;
 
 	if (c == NULL) return;
 
@@ -1515,6 +1587,9 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
 	dh_tmp=dh_tmp_export=0;
 #endif
 
+#ifndef OPENSSL_NO_ECDH
+	have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL);
+#endif
 	cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
 	rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
 	rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
@@ -1529,7 +1604,8 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
 /* FIX THIS EAY EAY EAY */
 	dh_dsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
 	dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
-
+	cpk= &(c->pkeys[SSL_PKEY_ECC]);
+	have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
 	mask=0;
 	emask=0;
 
@@ -1586,11 +1662,127 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
 	emask|=SSL_kKRB5|SSL_aKRB5;
 #endif
 
+	/* An ECC certificate may be usable for ECDH and/or
+	 * ECDSA cipher suites depending on the key usage extension.
+	 */
+	if (have_ecc_cert)
+		{
+                /* This call populates extension flags (ex_flags) */
+		x = (c->pkeys[SSL_PKEY_ECC]).x509;
+		X509_check_purpose(x, -1, 0);
+		ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
+		    (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
+		ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
+		    (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
+		ecc_pkey = X509_get_pubkey(x);
+		ecc_pkey_size = (ecc_pkey != NULL) ? 
+		    EVP_PKEY_bits(ecc_pkey) : 0;
+		EVP_PKEY_free(ecc_pkey);
+		if ((x->sig_alg) && (x->sig_alg->algorithm))
+			signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+#ifndef OPENSSL_NO_ECDH
+		if (ecdh_ok)
+			{
+			if ((signature_nid == NID_md5WithRSAEncryption) ||
+			    (signature_nid == NID_md4WithRSAEncryption) ||
+			    (signature_nid == NID_md2WithRSAEncryption))
+				{
+				mask|=SSL_kECDH|SSL_aRSA;
+				if (ecc_pkey_size <= 163)
+					emask|=SSL_kECDH|SSL_aRSA;
+				}
+			if (signature_nid == NID_ecdsa_with_SHA1)
+				{
+				mask|=SSL_kECDH|SSL_aECDSA;
+				if (ecc_pkey_size <= 163)
+					emask|=SSL_kECDH|SSL_aECDSA;
+				}
+			}
+#endif
+#ifndef OPENSSL_NO_ECDSA
+		if (ecdsa_ok)
+			{
+			mask|=SSL_aECDSA;
+			emask|=SSL_aECDSA;
+			}
+#endif
+		}
+
+#ifndef OPENSSL_NO_ECDH
+	if (have_ecdh_tmp)
+		{
+		mask|=SSL_kECDHE;
+		emask|=SSL_kECDHE;
+		}
+#endif
 	c->mask=mask;
 	c->export_mask=emask;
 	c->valid=1;
 	}
 
+/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
+#define ku_reject(x, usage) \
+	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+
+int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
+	{
+	unsigned long alg = cs->algorithms;
+	EVP_PKEY *pkey = NULL;
+	int keysize = 0;
+	int signature_nid = 0;
+
+	if (SSL_C_IS_EXPORT(cs))
+		{
+		/* ECDH key length in export ciphers must be <= 163 bits */
+		pkey = X509_get_pubkey(x);
+		if (pkey == NULL) return 0;
+		keysize = EVP_PKEY_bits(pkey);
+		EVP_PKEY_free(pkey);
+		if (keysize > 163) return 0;
+		}
+
+	/* This call populates the ex_flags field correctly */
+	X509_check_purpose(x, -1, 0);
+	if ((x->sig_alg) && (x->sig_alg->algorithm))
+		signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+	if (alg & SSL_kECDH) 
+		{
+		/* key usage, if present, must allow key agreement */
+		if (ku_reject(x, X509v3_KU_KEY_AGREEMENT))
+			{
+			return 0;
+			}
+		if (alg & SSL_aECDSA) 
+			{
+			/* signature alg must be ECDSA */
+			if (signature_nid != NID_ecdsa_with_SHA1)
+				{
+				return 0;
+				}
+			}
+		if (alg & SSL_aRSA)
+			{
+			/* signature alg must be RSA */
+			if ((signature_nid != NID_md5WithRSAEncryption) &&
+			    (signature_nid != NID_md4WithRSAEncryption) &&
+			    (signature_nid != NID_md2WithRSAEncryption))
+				{
+				return 0;
+				}
+			}
+		} 
+	else if (alg & SSL_aECDSA)
+		{
+		/* key usage, if present, must allow signing */
+		if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
+			{
+			return 0;
+			}
+		}
+
+	return 1;  /* all checks are ok */
+	}
+
 /* THIS NEEDS CLEANING UP */
 X509 *ssl_get_server_send_cert(SSL *s)
 	{
@@ -1605,7 +1797,26 @@ X509 *ssl_get_server_send_cert(SSL *s)
 	mask=is_export?c->export_mask:c->mask;
 	kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
 
-	if 	(kalg & SSL_kDHr)
+	if (kalg & SSL_kECDH)
+		{
+		/* we don't need to look at SSL_kECDHE 
+		 * since no certificate is needed for
+		 * anon ECDH and for authenticated
+		 * ECDHE, the check for the auth 
+		 * algorithm will set i correctly
+		 * NOTE: For ECDH-RSA, we need an ECC
+		 * not an RSA cert but for ECDHE-RSA
+		 * we need an RSA cert. Placing the
+		 * checks for SSL_kECDH before RSA
+		 * checks ensures the correct cert is chosen.
+		 */
+		i=SSL_PKEY_ECC;
+		}
+	else if (kalg & SSL_aECDSA)
+		{
+		i=SSL_PKEY_ECC;
+		}
+	else if (kalg & SSL_kDHr)
 		i=SSL_PKEY_DH_RSA;
 	else if (kalg & SSL_kDHd)
 		i=SSL_PKEY_DH_DSA;
@@ -1629,6 +1840,7 @@ X509 *ssl_get_server_send_cert(SSL *s)
 		return(NULL);
 		}
 	if (c->pkeys[i].x509 == NULL) return(NULL);
+
 	return(c->pkeys[i].x509);
 	}
 
@@ -1652,6 +1864,9 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
 		else
 			return(NULL);
 		}
+	else if ((alg & SSL_aECDSA) &&
+	         (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
+		return(c->pkeys[SSL_PKEY_ECC].privatekey);
 	else /* if (alg & SSL_aNULL) */
 		{
 		SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
@@ -1686,7 +1901,7 @@ void ssl_update_cache(SSL *s,int mode)
 			?s->ctx->stats.sess_connect_good
 			:s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
 			{
-			SSL_CTX_flush_sessions(s->ctx,time(NULL));
+			SSL_CTX_flush_sessions(s->ctx,(unsigned long)time(NULL));
 			}
 		}
 	}
@@ -1723,7 +1938,7 @@ int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
 	return(ret);
 	}
 
-int SSL_get_error(SSL *s,int i)
+int SSL_get_error(const SSL *s,int i)
 	{
 	int reason;
 	unsigned long l;
@@ -1857,13 +2072,25 @@ int ssl_undefined_function(SSL *s)
 	return(0);
 	}
 
+int ssl_undefined_void_function(void)
+	{
+	SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+	return(0);
+	}
+
+int ssl_undefined_const_function(const SSL *s)
+	{
+	SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+	return(0);
+	}
+
 SSL_METHOD *ssl_bad_method(int ver)
 	{
 	SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 	return(NULL);
 	}
 
-const char *SSL_get_version(SSL *s)
+const char *SSL_get_version(const SSL *s)
 	{
 	if (s->version == TLS1_VERSION)
 		return("TLSv1");
@@ -1966,8 +2193,8 @@ SSL *SSL_dup(SSL *s)
 	ret->rstate=s->rstate;
 	ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */
 	ret->hit=s->hit;
-	ret->purpose=s->purpose;
-	ret->trust=s->trust;
+
+	X509_VERIFY_PARAM_inherit(ret->param, s->param);
 
 	/* dup the cipher_list and cipher_list_by_id stacks */
 	if (s->cipher_list != NULL)
@@ -2019,6 +2246,7 @@ void ssl_clear_cipher_ctx(SSL *s)
 		OPENSSL_free(s->enc_write_ctx);
 		s->enc_write_ctx=NULL;
 		}
+#ifndef OPENSSL_NO_COMP
 	if (s->expand != NULL)
 		{
 		COMP_CTX_free(s->expand);
@@ -2029,10 +2257,11 @@ void ssl_clear_cipher_ctx(SSL *s)
 		COMP_CTX_free(s->compress);
 		s->compress=NULL;
 		}
+#endif
 	}
 
 /* Fix this function so that it takes an optional type parameter */
-X509 *SSL_get_certificate(SSL *s)
+X509 *SSL_get_certificate(const SSL *s)
 	{
 	if (s->cert != NULL)
 		return(s->cert->key->x509);
@@ -2049,12 +2278,37 @@ EVP_PKEY *SSL_get_privatekey(SSL *s)
 		return(NULL);
 	}
 
-SSL_CIPHER *SSL_get_current_cipher(SSL *s)
+SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
 	{
 	if ((s->session != NULL) && (s->session->cipher != NULL))
 		return(s->session->cipher);
 	return(NULL);
 	}
+#ifdef OPENSSL_NO_COMP
+const void *SSL_get_current_compression(SSL *s)
+	{
+	return NULL;
+	}
+const void *SSL_get_current_expansion(SSL *s)
+	{
+	return NULL;
+	}
+#else
+
+const COMP_METHOD *SSL_get_current_compression(SSL *s)
+	{
+	if (s->compress != NULL)
+		return(s->compress->meth);
+	return(NULL);
+	}
+
+const COMP_METHOD *SSL_get_current_expansion(SSL *s)
+	{
+	if (s->expand != NULL)
+		return(s->expand->meth);
+	return(NULL);
+	}
+#endif
 
 int ssl_init_wbio_buffer(SSL *s,int push)
 	{
@@ -2113,7 +2367,7 @@ void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
 	ctx->quiet_shutdown=mode;
 	}
 
-int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx)
+int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
 	{
 	return(ctx->quiet_shutdown);
 	}
@@ -2123,7 +2377,7 @@ void SSL_set_quiet_shutdown(SSL *s,int mode)
 	s->quiet_shutdown=mode;
 	}
 
-int SSL_get_quiet_shutdown(SSL *s)
+int SSL_get_quiet_shutdown(const SSL *s)
 	{
 	return(s->quiet_shutdown);
 	}
@@ -2133,17 +2387,17 @@ void SSL_set_shutdown(SSL *s,int mode)
 	s->shutdown=mode;
 	}
 
-int SSL_get_shutdown(SSL *s)
+int SSL_get_shutdown(const SSL *s)
 	{
 	return(s->shutdown);
 	}
 
-int SSL_version(SSL *s)
+int SSL_version(const SSL *s)
 	{
 	return(s->version);
 	}
 
-SSL_CTX *SSL_get_SSL_CTX(SSL *ssl)
+SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
 	{
 	return(ssl->ctx);
 	}
@@ -2157,18 +2411,7 @@ int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
 		const char *CApath)
 	{
-	int r;
-
-#ifdef OPENSSL_FIPS
-	if(ctx->method->version == TLS1_VERSION)
-	    FIPS_allow_md5(1);
-#endif
-	r=X509_STORE_load_locations(ctx->cert_store,CAfile,CApath);
-#ifdef OPENSSL_FIPS
-	if(ctx->method->version == TLS1_VERSION)
-	    FIPS_allow_md5(0);
-#endif
-	return r;
+	return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
 	}
 #endif
 
@@ -2178,12 +2421,14 @@ void SSL_set_info_callback(SSL *ssl,
 	ssl->info_callback=cb;
 	}
 
-void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val)
+/* One compiler (Diab DCC) doesn't like argument names in returned
+   function pointer.  */
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
 	{
 	return ssl->info_callback;
 	}
 
-int SSL_state(SSL *ssl)
+int SSL_state(const SSL *ssl)
 	{
 	return(ssl->state);
 	}
@@ -2193,7 +2438,7 @@ void SSL_set_verify_result(SSL *ssl,long arg)
 	ssl->verify_result=arg;
 	}
 
-long SSL_get_verify_result(SSL *ssl)
+long SSL_get_verify_result(const SSL *ssl)
 	{
 	return(ssl->verify_result);
 	}
@@ -2210,7 +2455,7 @@ int SSL_set_ex_data(SSL *s,int idx,void *arg)
 	return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
 	}
 
-void *SSL_get_ex_data(SSL *s,int idx)
+void *SSL_get_ex_data(const SSL *s,int idx)
 	{
 	return(CRYPTO_get_ex_data(&s->ex_data,idx));
 	}
@@ -2227,7 +2472,7 @@ int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
 	return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
 	}
 
-void *SSL_CTX_get_ex_data(SSL_CTX *s,int idx)
+void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
 	{
 	return(CRYPTO_get_ex_data(&s->ex_data,idx));
 	}
@@ -2237,7 +2482,7 @@ int ssl_ok(SSL *s)
 	return(1);
 	}
 
-X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
+X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
 	{
 	return(ctx->cert_store);
 	}
@@ -2249,7 +2494,7 @@ void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
 	ctx->cert_store=store;
 	}
 
-int SSL_want(SSL *s)
+int SSL_want(const SSL *s)
 	{
 	return(s->rwstate);
 	}
@@ -2265,14 +2510,14 @@ void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
 							  int is_export,
 							  int keylength))
     {
-    SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
+    SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
     }
 
 void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
 						  int is_export,
 						  int keylength))
     {
-    SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
+    SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
     }
 #endif
 
@@ -2301,24 +2546,38 @@ RSA *cb(SSL *ssl,int is_export,int keylength)
 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
 							int keylength))
 	{
-	SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+	SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
 	}
 
 void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
 						int keylength))
 	{
-	SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+	SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
+	}
+#endif
+
+#ifndef OPENSSL_NO_ECDH
+void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
+							int keylength))
+	{
+	SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
+	}
+
+void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
+						int keylength))
+	{
+	SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
 	}
 #endif
 
 
 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
 	{
-	SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
+	SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
 	}
 void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
 	{
-	SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
+	SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
 	}
 
 
diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h
index ca34c8b8f07c..0bebaf02bcd0 100644
--- a/crypto/openssl/ssl/ssl_locl.h
+++ b/crypto/openssl/ssl/ssl_locl.h
@@ -108,6 +108,11 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #ifndef HEADER_SSL_LOCL_H
 #define HEADER_SSL_LOCL_H
@@ -121,10 +126,13 @@
 #include <openssl/buffer.h>
 #include <openssl/comp.h>
 #include <openssl/bio.h>
-#include <openssl/crypto.h>
-#include <openssl/evp.h>
 #include <openssl/stack.h>
-#include <openssl/x509.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 #include <openssl/symhacks.h>
@@ -172,6 +180,20 @@
 			 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
 			 *((c)++)=(unsigned char)(((l)    )&0xff))
 
+#define l2n6(l,c)	(*((c)++)=(unsigned char)(((l)>>40)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>32)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>24)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
+			 *((c)++)=(unsigned char)(((l)    )&0xff))
+
+#define n2l6(c,l)	(l =((BN_ULLONG)(*((c)++)))<<40, \
+			 l|=((BN_ULLONG)(*((c)++)))<<32, \
+			 l|=((BN_ULLONG)(*((c)++)))<<24, \
+			 l|=((BN_ULLONG)(*((c)++)))<<16, \
+			 l|=((BN_ULLONG)(*((c)++)))<< 8, \
+			 l|=((BN_ULLONG)(*((c)++))))
+
 /* NOTE - c is not incremented as per l2c */
 #define l2cn(l1,l2,c,n)	{ \
 			c+=n; \
@@ -227,52 +249,56 @@
  * that the different entities within are mutually exclusive:
  * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
  */
-#define SSL_MKEY_MASK		0x0000003FL
+#define SSL_MKEY_MASK		0x000000FFL
 #define SSL_kRSA		0x00000001L /* RSA key exchange */
 #define SSL_kDHr		0x00000002L /* DH cert RSA CA cert */
 #define SSL_kDHd		0x00000004L /* DH cert DSA CA cert */
 #define SSL_kFZA		0x00000008L
 #define SSL_kEDH		0x00000010L /* tmp DH key no DH cert */
 #define SSL_kKRB5		0x00000020L /* Kerberos5 key exchange */
+#define SSL_kECDH               0x00000040L /* ECDH w/ long-term keys */
+#define SSL_kECDHE              0x00000080L /* ephemeral ECDH */
 #define SSL_EDH			(SSL_kEDH|(SSL_AUTH_MASK^SSL_aNULL))
 
-#define SSL_AUTH_MASK		0x00000FC0L
-#define SSL_aRSA		0x00000040L /* Authenticate with RSA */
-#define SSL_aDSS 		0x00000080L /* Authenticate with DSS */
+#define SSL_AUTH_MASK		0x00007F00L
+#define SSL_aRSA		0x00000100L /* Authenticate with RSA */
+#define SSL_aDSS 		0x00000200L /* Authenticate with DSS */
 #define SSL_DSS 		SSL_aDSS
-#define SSL_aFZA 		0x00000100L
-#define SSL_aNULL 		0x00000200L /* no Authenticate, ADH */
-#define SSL_aDH 		0x00000400L /* no Authenticate, ADH */
-#define SSL_aKRB5               0x00000800L /* Authenticate with KRB5 */
+#define SSL_aFZA 		0x00000400L
+#define SSL_aNULL 		0x00000800L /* no Authenticate, ADH */
+#define SSL_aDH 		0x00001000L /* no Authenticate, ADH */
+#define SSL_aKRB5               0x00002000L /* Authenticate with KRB5 */
+#define SSL_aECDSA              0x00004000L /* Authenticate with ECDSA */
 
 #define SSL_NULL		(SSL_eNULL)
 #define SSL_ADH			(SSL_kEDH|SSL_aNULL)
 #define SSL_RSA			(SSL_kRSA|SSL_aRSA)
 #define SSL_DH			(SSL_kDHr|SSL_kDHd|SSL_kEDH)
+#define SSL_ECDH		(SSL_kECDH|SSL_kECDHE)
 #define SSL_FZA			(SSL_aFZA|SSL_kFZA|SSL_eFZA)
 #define SSL_KRB5                (SSL_kKRB5|SSL_aKRB5)
 
-#define SSL_ENC_MASK		0x0087F000L
-#define SSL_DES			0x00001000L
-#define SSL_3DES		0x00002000L
-#define SSL_RC4			0x00004000L
-#define SSL_RC2			0x00008000L
-#define SSL_IDEA		0x00010000L
-#define SSL_eFZA		0x00020000L
-#define SSL_eNULL		0x00040000L
-#define SSL_AES			0x00800000L
-
-#define SSL_MAC_MASK		0x00180000L
-#define SSL_MD5			0x00080000L
-#define SSL_SHA1		0x00100000L
+#define SSL_ENC_MASK		0x043F8000L
+#define SSL_DES			0x00008000L
+#define SSL_3DES		0x00010000L
+#define SSL_RC4			0x00020000L
+#define SSL_RC2			0x00040000L
+#define SSL_IDEA		0x00080000L
+#define SSL_eFZA		0x00100000L
+#define SSL_eNULL		0x00200000L
+#define SSL_AES			0x04000000L
+
+#define SSL_MAC_MASK		0x00c00000L
+#define SSL_MD5			0x00400000L
+#define SSL_SHA1		0x00800000L
 #define SSL_SHA			(SSL_SHA1)
 
-#define SSL_SSL_MASK		0x00600000L
-#define SSL_SSLV2		0x00200000L
-#define SSL_SSLV3		0x00400000L
+#define SSL_SSL_MASK		0x03000000L
+#define SSL_SSLV2		0x01000000L
+#define SSL_SSLV3		0x02000000L
 #define SSL_TLSV1		SSL_SSLV3	/* for now */
 
-/* we have used 007fffff - 9 bits left to go */
+/* we have used 07ffffff - 5 bits left to go. */
 
 /*
  * Export and cipher strength information. For each cipher we have to decide
@@ -302,9 +328,8 @@
 #define SSL_LOW			0x00000020L
 #define SSL_MEDIUM		0x00000040L
 #define SSL_HIGH		0x00000080L
-#define SSL_FIPS		0x00000100L
 
-/* we have used 000001ff - 23 bits left to go */
+/* we have used 000000ff - 24 bits left to go */
 
 /*
  * Macros to check the export status and cipher strength for export ciphers.
@@ -345,7 +370,8 @@
 #define SSL_PKEY_DSA_SIGN	2
 #define SSL_PKEY_DH_RSA		3
 #define SSL_PKEY_DH_DSA		4
-#define SSL_PKEY_NUM		5
+#define SSL_PKEY_ECC            5
+#define SSL_PKEY_NUM		6
 
 /* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
  * 	    <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
@@ -361,6 +387,15 @@
 #define CERT_PRIVATE_KEY	2
 */
 
+#ifndef OPENSSL_NO_EC
+/* From ECC-TLS draft, used in encoding the curve type in 
+ * ECParameters
+ */
+#define EXPLICIT_PRIME_CURVE_TYPE  1   
+#define EXPLICIT_CHAR2_CURVE_TYPE  2
+#define NAMED_CURVE_TYPE           3
+#endif  /* OPENSSL_NO_EC */
+
 typedef struct cert_pkey_st
 	{
 	X509 *x509;
@@ -387,6 +422,11 @@ typedef struct cert_st
 	DH *dh_tmp;
 	DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize);
 #endif
+#ifndef OPENSSL_NO_ECDH
+	EC_KEY *ecdh_tmp;
+	/* Callback for generating ephemeral ECDH keys */
+	EC_KEY *(*ecdh_tmp_cb)(SSL *ssl,int is_export,int keysize);
+#endif
 
 	CERT_PKEY pkeys[SSL_PKEY_NUM];
 
@@ -412,6 +452,9 @@ typedef struct sess_cert_st
 #ifndef OPENSSL_NO_DH
 	DH *peer_dh_tmp; /* not used for SSL 2 */
 #endif
+#ifndef OPENSSL_NO_ECDH
+	EC_KEY *peer_ecdh_tmp;
+#endif
 
 	int references; /* actually always 1 at the moment */
 	} SESS_CERT;
@@ -462,21 +505,205 @@ typedef struct ssl3_comp_st
 	COMP_METHOD *method; /* The method :-) */
 	} SSL3_COMP;
 
-OPENSSL_EXTERN SSL3_ENC_METHOD ssl3_undef_enc_method;
+extern SSL3_ENC_METHOD ssl3_undef_enc_method;
 OPENSSL_EXTERN SSL_CIPHER ssl2_ciphers[];
 OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[];
 
-#ifdef OPENSSL_SYS_VMS
-#undef SSL_COMP_get_compression_methods
-#define SSL_COMP_get_compression_methods	SSL_COMP_get_compress_methods
-#endif
-
 
 SSL_METHOD *ssl_bad_method(int ver);
 SSL_METHOD *sslv2_base_method(void);
 SSL_METHOD *sslv23_base_method(void);
 SSL_METHOD *sslv3_base_method(void);
 
+extern SSL3_ENC_METHOD TLSv1_enc_data;
+extern SSL3_ENC_METHOD SSLv3_enc_data;
+extern SSL3_ENC_METHOD DTLSv1_enc_data;
+
+#define IMPLEMENT_tls1_meth_func(func_name, s_accept, s_connect, s_get_meth) \
+SSL_METHOD *func_name(void)  \
+	{ \
+	static SSL_METHOD func_name##_data= { \
+		TLS1_VERSION, \
+		tls1_new, \
+		tls1_clear, \
+		tls1_free, \
+		s_accept, \
+		s_connect, \
+		ssl3_read, \
+		ssl3_peek, \
+		ssl3_write, \
+		ssl3_shutdown, \
+		ssl3_renegotiate, \
+		ssl3_renegotiate_check, \
+		ssl3_get_message, \
+		ssl3_read_bytes, \
+		ssl3_write_bytes, \
+		ssl3_dispatch_alert, \
+		ssl3_ctrl, \
+		ssl3_ctx_ctrl, \
+		ssl3_get_cipher_by_char, \
+		ssl3_put_cipher_by_char, \
+		ssl3_pending, \
+		ssl3_num_ciphers, \
+		ssl3_get_cipher, \
+		s_get_meth, \
+		tls1_default_timeout, \
+		&TLSv1_enc_data, \
+		ssl_undefined_void_function, \
+		ssl3_callback_ctrl, \
+		ssl3_ctx_callback_ctrl, \
+	}; \
+	return &func_name##_data; \
+	}
+
+#define IMPLEMENT_ssl3_meth_func(func_name, s_accept, s_connect, s_get_meth) \
+SSL_METHOD *func_name(void)  \
+	{ \
+	static SSL_METHOD func_name##_data= { \
+		SSL3_VERSION, \
+		ssl3_new, \
+		ssl3_clear, \
+		ssl3_free, \
+		s_accept, \
+		s_connect, \
+		ssl3_read, \
+		ssl3_peek, \
+		ssl3_write, \
+		ssl3_shutdown, \
+		ssl3_renegotiate, \
+		ssl3_renegotiate_check, \
+		ssl3_get_message, \
+		ssl3_read_bytes, \
+		ssl3_write_bytes, \
+		ssl3_dispatch_alert, \
+		ssl3_ctrl, \
+		ssl3_ctx_ctrl, \
+		ssl3_get_cipher_by_char, \
+		ssl3_put_cipher_by_char, \
+		ssl3_pending, \
+		ssl3_num_ciphers, \
+		ssl3_get_cipher, \
+		s_get_meth, \
+		ssl3_default_timeout, \
+		&SSLv3_enc_data, \
+		ssl_undefined_void_function, \
+		ssl3_callback_ctrl, \
+		ssl3_ctx_callback_ctrl, \
+	}; \
+	return &func_name##_data; \
+	}
+
+#define IMPLEMENT_ssl23_meth_func(func_name, s_accept, s_connect, s_get_meth) \
+SSL_METHOD *func_name(void)  \
+	{ \
+	static SSL_METHOD func_name##_data= { \
+	TLS1_VERSION, \
+	tls1_new, \
+	tls1_clear, \
+	tls1_free, \
+	s_accept, \
+	s_connect, \
+	ssl23_read, \
+	ssl23_peek, \
+	ssl23_write, \
+	ssl_undefined_function, \
+	ssl_undefined_function, \
+	ssl_ok, \
+	ssl3_get_message, \
+	ssl3_read_bytes, \
+	ssl3_write_bytes, \
+	ssl3_dispatch_alert, \
+	ssl3_ctrl, \
+	ssl3_ctx_ctrl, \
+	ssl23_get_cipher_by_char, \
+	ssl23_put_cipher_by_char, \
+	ssl_undefined_const_function, \
+	ssl23_num_ciphers, \
+	ssl23_get_cipher, \
+	s_get_meth, \
+	ssl23_default_timeout, \
+	&ssl3_undef_enc_method, \
+	ssl_undefined_void_function, \
+	ssl3_callback_ctrl, \
+	ssl3_ctx_callback_ctrl, \
+	}; \
+	return &func_name##_data; \
+	}
+
+#define IMPLEMENT_ssl2_meth_func(func_name, s_accept, s_connect, s_get_meth) \
+SSL_METHOD *func_name(void)  \
+	{ \
+	static SSL_METHOD func_name##_data= { \
+		SSL2_VERSION, \
+		ssl2_new,	/* local */ \
+		ssl2_clear,	/* local */ \
+		ssl2_free,	/* local */ \
+		s_accept, \
+		s_connect, \
+		ssl2_read, \
+		ssl2_peek, \
+		ssl2_write, \
+		ssl2_shutdown, \
+		ssl_ok,	/* NULL - renegotiate */ \
+		ssl_ok,	/* NULL - check renegotiate */ \
+		NULL, /* NULL - ssl_get_message */ \
+		NULL, /* NULL - ssl_get_record */ \
+		NULL, /* NULL - ssl_write_bytes */ \
+		NULL, /* NULL - dispatch_alert */ \
+		ssl2_ctrl,	/* local */ \
+		ssl2_ctx_ctrl,	/* local */ \
+		ssl2_get_cipher_by_char, \
+		ssl2_put_cipher_by_char, \
+		ssl2_pending, \
+		ssl2_num_ciphers, \
+		ssl2_get_cipher, \
+		s_get_meth, \
+		ssl2_default_timeout, \
+		&ssl3_undef_enc_method, \
+		ssl_undefined_void_function, \
+		ssl2_callback_ctrl,	/* local */ \
+		ssl2_ctx_callback_ctrl,	/* local */ \
+	}; \
+	return &func_name##_data; \
+	}
+
+#define IMPLEMENT_dtls1_meth_func(func_name, s_accept, s_connect, s_get_meth) \
+SSL_METHOD *func_name(void)  \
+	{ \
+	static SSL_METHOD func_name##_data= { \
+		DTLS1_VERSION, \
+		dtls1_new, \
+		dtls1_clear, \
+		dtls1_free, \
+		s_accept, \
+		s_connect, \
+		ssl3_read, \
+		ssl3_peek, \
+		ssl3_write, \
+		ssl3_shutdown, \
+		ssl3_renegotiate, \
+		ssl3_renegotiate_check, \
+		dtls1_get_message, \
+		dtls1_read_bytes, \
+		dtls1_write_app_data_bytes, \
+		dtls1_dispatch_alert, \
+		ssl3_ctrl, \
+		ssl3_ctx_ctrl, \
+		ssl3_get_cipher_by_char, \
+		ssl3_put_cipher_by_char, \
+		ssl3_pending, \
+		ssl3_num_ciphers, \
+		ssl3_get_cipher, \
+		s_get_meth, \
+		dtls1_default_timeout, \
+		&DTLSv1_enc_data, \
+		ssl_undefined_void_function, \
+		ssl3_callback_ctrl, \
+		ssl3_ctx_callback_ctrl, \
+	}; \
+	return &func_name##_data; \
+	}
+
 void ssl_clear_cipher_ctx(SSL *s);
 int ssl_clear_bad_session(SSL *s);
 CERT *ssl_cert_new(void);
@@ -493,22 +720,26 @@ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
 			const SSL_CIPHER * const *bp);
 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 					       STACK_OF(SSL_CIPHER) **skp);
-int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p);
+int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
+                             int (*put_cb)(const SSL_CIPHER *, unsigned char *));
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
 					     STACK_OF(SSL_CIPHER) **pref,
 					     STACK_OF(SSL_CIPHER) **sorted,
 					     const char *rule_str);
 void ssl_update_cache(SSL *s, int mode);
-int ssl_cipher_get_evp(SSL_SESSION *s,const EVP_CIPHER **enc,const EVP_MD **md,
-		       SSL_COMP **comp);
+int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
+		       const EVP_MD **md,SSL_COMP **comp);
 int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
 int ssl_undefined_function(SSL *s);
+int ssl_undefined_void_function(void);
+int ssl_undefined_const_function(const SSL *s);
 X509 *ssl_get_server_send_cert(SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
 void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher);
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 int ssl_verify_alarm_type(long type);
+void ssl_load_ciphers(void);
 
 int ssl2_enc_init(SSL *s, int client);
 int ssl2_generate_key_material(SSL *s);
@@ -518,7 +749,7 @@ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
 int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
 int ssl2_part_read(SSL *s, unsigned long f, int i);
 int ssl2_do_write(SSL *s);
-int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data);
+int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data);
 void ssl2_return_error(SSL *s,int reason);
 void ssl2_write_error(SSL *s);
 int ssl2_num_ciphers(void);
@@ -534,9 +765,10 @@ int	ssl2_shutdown(SSL *s);
 void	ssl2_clear(SSL *s);
 long	ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
 long	ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
-long	ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)());
-long	ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
-int	ssl2_pending(SSL *s);
+long	ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
+long	ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)(void));
+int	ssl2_pending(const SSL *s);
+long	ssl2_default_timeout(void );
 
 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
 int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
@@ -582,9 +814,89 @@ int	ssl3_shutdown(SSL *s);
 void	ssl3_clear(SSL *s);
 long	ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
 long	ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
-long	ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)());
-long	ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
-int	ssl3_pending(SSL *s);
+long	ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
+long	ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)(void));
+int	ssl3_pending(const SSL *s);
+
+void ssl3_record_sequence_update(unsigned char *seq);
+int ssl3_do_change_cipher_spec(SSL *ssl);
+long ssl3_default_timeout(void );
+
+int ssl23_num_ciphers(void );
+SSL_CIPHER *ssl23_get_cipher(unsigned int u);
+int ssl23_read(SSL *s, void *buf, int len);
+int ssl23_peek(SSL *s, void *buf, int len);
+int ssl23_write(SSL *s, const void *buf, int len);
+int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
+SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
+long ssl23_default_timeout(void );
+
+long tls1_default_timeout(void);
+int dtls1_do_write(SSL *s,int type);
+int ssl3_read_n(SSL *s, int n, int max, int extend);
+int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
+int ssl3_do_compress(SSL *ssl);
+int ssl3_do_uncompress(SSL *ssl);
+int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
+	unsigned int len);
+unsigned char *dtls1_set_message_header(SSL *s, 
+	unsigned char *p, unsigned char mt,	unsigned long len, 
+	unsigned long frag_off, unsigned long frag_len);
+
+int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len);
+int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
+
+int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
+int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
+unsigned long dtls1_output_cert_chain(SSL *s, X509 *x);
+int dtls1_read_failed(SSL *s, int code);
+int dtls1_buffer_message(SSL *s, int ccs);
+int dtls1_retransmit_message(SSL *s, unsigned short seq, 
+	unsigned long frag_off, int *found);
+void dtls1_clear_record_buffer(SSL *s);
+void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr);
+void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
+void dtls1_reset_seq_numbers(SSL *s, int rw);
+long dtls1_default_timeout(void);
+
+
+/* some client-only functions */
+int ssl3_client_hello(SSL *s);
+int ssl3_get_server_hello(SSL *s);
+int ssl3_get_certificate_request(SSL *s);
+int ssl3_get_server_done(SSL *s);
+int ssl3_send_client_verify(SSL *s);
+int ssl3_send_client_certificate(SSL *s);
+int ssl3_send_client_key_exchange(SSL *s);
+int ssl3_get_key_exchange(SSL *s);
+int ssl3_get_server_certificate(SSL *s);
+int ssl3_check_cert_and_algorithm(SSL *s);
+
+int dtls1_client_hello(SSL *s);
+int dtls1_send_client_certificate(SSL *s);
+int dtls1_send_client_key_exchange(SSL *s);
+int dtls1_send_client_verify(SSL *s);
+
+/* some server-only functions */
+int ssl3_get_client_hello(SSL *s);
+int ssl3_send_server_hello(SSL *s);
+int ssl3_send_hello_request(SSL *s);
+int ssl3_send_server_key_exchange(SSL *s);
+int ssl3_send_certificate_request(SSL *s);
+int ssl3_send_server_done(SSL *s);
+int ssl3_check_client_hello(SSL *s);
+int ssl3_get_client_certificate(SSL *s);
+int ssl3_get_client_key_exchange(SSL *s);
+int ssl3_get_cert_verify(SSL *s);
+
+int dtls1_send_hello_request(SSL *s);
+int dtls1_send_server_hello(SSL *s);
+int dtls1_send_server_certificate(SSL *s);
+int dtls1_send_server_key_exchange(SSL *s);
+int dtls1_send_certificate_request(SSL *s);
+int dtls1_send_server_done(SSL *s);
+
+
 
 int ssl23_accept(SSL *s);
 int ssl23_connect(SSL *s);
@@ -595,9 +907,24 @@ int tls1_new(SSL *s);
 void tls1_free(SSL *s);
 void tls1_clear(SSL *s);
 long tls1_ctrl(SSL *s,int cmd, long larg, void *parg);
-long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)());
+long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
 SSL_METHOD *tlsv1_base_method(void );
 
+int dtls1_new(SSL *s);
+int	dtls1_accept(SSL *s);
+int	dtls1_connect(SSL *s);
+void dtls1_free(SSL *s);
+void dtls1_clear(SSL *s);
+long dtls1_ctrl(SSL *s,int cmd, long larg, void *parg);
+SSL_METHOD *dtlsv1_base_method(void );
+
+long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
+int dtls1_get_record(SSL *s);
+int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
+	unsigned int len, int create_empty_fragement);
+int dtls1_dispatch_alert(SSL *s);
+int dtls1_enc(SSL *s, int snd);
+
 int ssl_init_wbio_buffer(SSL *s, int push);
 void ssl_free_wbio_buffer(SSL *s);
 
@@ -614,8 +941,9 @@ int tls1_alert_code(int code);
 int ssl3_alert_code(int code);
 int ssl_ok(SSL *s);
 
+int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
+
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
-STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
 
 
 #endif
diff --git a/crypto/openssl/ssl/ssl_rsa.c b/crypto/openssl/ssl/ssl_rsa.c
index 330390519bb6..fc42dfa1ec66 100644
--- a/crypto/openssl/ssl/ssl_rsa.c
+++ b/crypto/openssl/ssl/ssl_rsa.c
@@ -131,7 +131,7 @@ end:
 	}
 #endif
 
-int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len)
+int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
 	{
 	X509 *x;
 	int ret;
@@ -181,7 +181,7 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
 
 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
 	{
-	int i,ok=0,bad=0;
+	int i;
 
 	i=ssl_cert_type(NULL,pkey);
 	if (i < 0)
@@ -202,47 +202,18 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
 		/* Don't check the public/private key, this is mostly
 		 * for smart cards. */
 		if ((pkey->type == EVP_PKEY_RSA) &&
-			(RSA_flags(pkey->pkey.rsa) &
-			 RSA_METHOD_FLAG_NO_CHECK))
-			 ok=1;
+			(RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
+			;
 		else
 #endif
-		     if (!X509_check_private_key(c->pkeys[i].x509,pkey))
+		if (!X509_check_private_key(c->pkeys[i].x509,pkey))
 			{
-			if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
-				{
-				i=(i == SSL_PKEY_DH_RSA)?
-					SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
-
-				if (c->pkeys[i].x509 == NULL)
-					ok=1;
-				else
-					{
-					if (!X509_check_private_key(
-						c->pkeys[i].x509,pkey))
-						bad=1;
-					else
-						ok=1;
-					}
-				}
-			else
-				bad=1;
+			X509_free(c->pkeys[i].x509);
+			c->pkeys[i].x509 = NULL;
+			return 0;
 			}
-		else
-			ok=1;
 		}
-	else
-		ok=1;
 
-	if (bad)
-		{
-		X509_free(c->pkeys[i].x509);
-		c->pkeys[i].x509=NULL;
-		return(0);
-		}
-
-	ERR_clear_error(); /* make sure no error from X509_check_private_key()
-	                    * is left if we have chosen to ignore it */
 	if (c->pkeys[i].privatekey != NULL)
 		EVP_PKEY_free(c->pkeys[i].privatekey);
 	CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
@@ -364,6 +335,11 @@ int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
 		pkey=PEM_read_bio_PrivateKey(in,NULL,
 			ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
 		}
+	else if (type == SSL_FILETYPE_ASN1)
+		{
+		j = ERR_R_ASN1_LIB;
+		pkey = d2i_PrivateKey_bio(in,NULL);
+		}
 	else
 		{
 		SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
@@ -382,10 +358,10 @@ end:
 	}
 #endif
 
-int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len)
+int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
 	{
 	int ret;
-	unsigned char *p;
+	const unsigned char *p;
 	EVP_PKEY *pkey;
 
 	p=d;
@@ -418,7 +394,7 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
 static int ssl_set_cert(CERT *c, X509 *x)
 	{
 	EVP_PKEY *pkey;
-	int i,ok=0,bad=0;
+	int i;
 
 	pkey=X509_get_pubkey(x);
 	if (pkey == NULL)
@@ -446,44 +422,23 @@ static int ssl_set_cert(CERT *c, X509 *x)
 		if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
 			(RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
 			 RSA_METHOD_FLAG_NO_CHECK))
-			 ok=1;
+			 ;
 		else
-#endif
-		{
+#endif /* OPENSSL_NO_RSA */
 		if (!X509_check_private_key(x,c->pkeys[i].privatekey))
 			{
-			if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
-				{
-				i=(i == SSL_PKEY_DH_RSA)?
-					SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA;
-
-				if (c->pkeys[i].privatekey == NULL)
-					ok=1;
-				else
-					{
-					if (!X509_check_private_key(x,
-						c->pkeys[i].privatekey))
-						bad=1;
-					else
-						ok=1;
-					}
-				}
-			else
-				bad=1;
+			/* don't fail for a cert/key mismatch, just free
+			 * current private key (when switching to a different
+			 * cert & key, first this function should be used,
+			 * then ssl_set_pkey */
+			EVP_PKEY_free(c->pkeys[i].privatekey);
+			c->pkeys[i].privatekey=NULL;
+			/* clear error queue */
+			ERR_clear_error();
 			}
-		else
-			ok=1;
-		} /* OPENSSL_NO_RSA */
 		}
-	else
-		ok=1;
 
 	EVP_PKEY_free(pkey);
-	if (bad)
-		{
-		EVP_PKEY_free(c->pkeys[i].privatekey);
-		c->pkeys[i].privatekey=NULL;
-		}
 
 	if (c->pkeys[i].x509 != NULL)
 		X509_free(c->pkeys[i].x509);
@@ -545,7 +500,7 @@ end:
 	}
 #endif
 
-int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d)
+int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
 	{
 	X509 *x;
 	int ret;
@@ -640,7 +595,7 @@ end:
 	}
 #endif
 
-int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len)
+int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
 	{
 	int ret;
 	const unsigned char *p;
@@ -699,6 +654,11 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
 		pkey=PEM_read_bio_PrivateKey(in,NULL,
 			ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
 		}
+	else if (type == SSL_FILETYPE_ASN1)
+		{
+		j = ERR_R_ASN1_LIB;
+		pkey = d2i_PrivateKey_bio(in,NULL);
+		}
 	else
 		{
 		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
@@ -717,11 +677,11 @@ end:
 	}
 #endif
 
-int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d,
+int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
 	     long len)
 	{
 	int ret;
-	unsigned char *p;
+	const unsigned char *p;
 	EVP_PKEY *pkey;
 
 	p=d;
@@ -804,7 +764,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
 		/* When the while loop ends, it's usually just EOF. */
 		err = ERR_peek_last_error();
 		if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
-			(void)ERR_get_error();
+			ERR_clear_error();
 		else 
 			ret = 0; /* some real error */
 		}
diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c
index 8e896870c1e3..2f26593c7008 100644
--- a/crypto/openssl/ssl/ssl_sess.c
+++ b/crypto/openssl/ssl/ssl_sess.c
@@ -65,7 +65,7 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
 static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
 
-SSL_SESSION *SSL_get_session(SSL *ssl)
+SSL_SESSION *SSL_get_session(const SSL *ssl)
 /* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
 	{
 	return(ssl->session);
@@ -98,7 +98,7 @@ int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
 	return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
 	}
 
-void *SSL_SESSION_get_ex_data(SSL_SESSION *s, int idx)
+void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
 	{
 	return(CRYPTO_get_ex_data(&s->ex_data,idx));
 	}
@@ -118,7 +118,7 @@ SSL_SESSION *SSL_SESSION_new(void)
 	ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
 	ss->references=1;
 	ss->timeout=60*5+4; /* 5 minute timeout by default */
-	ss->time=time(NULL);
+	ss->time=(unsigned long)time(NULL);
 	ss->prev=NULL;
 	ss->next=NULL;
 	ss->compress_meth=0;
@@ -126,6 +126,13 @@ SSL_SESSION *SSL_SESSION_new(void)
 	return(ss);
 	}
 
+const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
+	{
+	if(len)
+		*len = s->session_id_length;
+	return s->session_id;
+	}
+
 /* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
  * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
  * until we have no conflict is going to complete in one iteration pretty much
@@ -141,7 +148,7 @@ static int def_generate_session_id(const SSL *ssl, unsigned char *id,
 {
 	unsigned int retry = 0;
 	do
-		if(RAND_pseudo_bytes(id, *id_len) <= 0)
+		if (RAND_pseudo_bytes(id, *id_len) <= 0)
 			return 0;
 	while(SSL_has_matching_session_id(ssl, id, *id_len) &&
 		(++retry < MAX_SESS_ID_ATTEMPTS));
@@ -198,6 +205,11 @@ int ssl_get_new_session(SSL *s, int session)
 			ss->ssl_version=TLS1_VERSION;
 			ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
 			}
+		else if (s->version == DTLS1_VERSION)
+			{
+			ss->ssl_version=DTLS1_VERSION;
+			ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+			}
 		else
 			{
 			SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
@@ -377,7 +389,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
 	CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
 #endif
 
-	if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */
+	if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
 		{
 		s->ctx->stats.sess_timeout++;
 		/* remove it from the cache */
@@ -610,13 +622,13 @@ long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
 	return(1);
 	}
 
-long SSL_SESSION_get_timeout(SSL_SESSION *s)
+long SSL_SESSION_get_timeout(const SSL_SESSION *s)
 	{
 	if (s == NULL) return(0);
 	return(s->timeout);
 	}
 
-long SSL_SESSION_get_time(SSL_SESSION *s)
+long SSL_SESSION_get_time(const SSL_SESSION *s)
 	{
 	if (s == NULL) return(0);
 	return(s->time);
@@ -638,7 +650,7 @@ long SSL_CTX_set_timeout(SSL_CTX *s, long t)
 	return(l);
 	}
 
-long SSL_CTX_get_timeout(SSL_CTX *s)
+long SSL_CTX_get_timeout(const SSL_CTX *s)
 	{
 	if (s == NULL) return(0);
 	return(s->session_timeout);
diff --git a/crypto/openssl/ssl/ssl_txt.c b/crypto/openssl/ssl/ssl_txt.c
index 40b76b1b2692..4eb0867155e1 100644
--- a/crypto/openssl/ssl/ssl_txt.c
+++ b/crypto/openssl/ssl/ssl_txt.c
@@ -61,7 +61,7 @@
 #include "ssl_locl.h"
 
 #ifndef OPENSSL_NO_FP_API
-int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x)
+int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
 	{
 	BIO *b;
 	int ret;
@@ -78,10 +78,10 @@ int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x)
 	}
 #endif
 
-int SSL_SESSION_print(BIO *bp, SSL_SESSION *x)
+int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
 	{
 	unsigned int i;
-	char *s;
+	const char *s;
 
 	if (x == NULL) goto err;
 	if (BIO_puts(bp,"SSL-Session:\n") <= 0) goto err;
@@ -151,9 +151,10 @@ int SSL_SESSION_print(BIO *bp, SSL_SESSION *x)
 			if (BIO_printf(bp,"%02X",x->krb5_client_princ[i]) <= 0) goto err;
 			}
 #endif /* OPENSSL_NO_KRB5 */
+#ifndef OPENSSL_NO_COMP
 	if (x->compress_meth != 0)
 		{
-		SSL_COMP *comp;
+		SSL_COMP *comp = NULL;
 
 		ssl_cipher_get_evp(x,NULL,NULL,&comp);
 		if (comp == NULL)
@@ -165,6 +166,7 @@ int SSL_SESSION_print(BIO *bp, SSL_SESSION *x)
 			if (BIO_printf(bp,"\n   Compression: %d (%s)", comp->id,comp->method->name) <= 0) goto err;
 			}
 		}	
+#endif
 	if (x->time != 0L)
 		{
 		if (BIO_printf(bp, "\n    Start Time: %ld",x->time) <= 0) goto err;
diff --git a/crypto/openssl/ssl/ssltest.c b/crypto/openssl/ssl/ssltest.c
index c7f33d9a7fcf..517657c0240d 100644
--- a/crypto/openssl/ssl/ssltest.c
+++ b/crypto/openssl/ssl/ssltest.c
@@ -108,6 +108,11 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by 
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
 
 #define _BSD_SOURCE 1		/* Or gethostname won't be declared properly
 				   on Linux and GNU platforms. */
@@ -123,17 +128,31 @@
 #define USE_SOCKETS
 #include "e_os.h"
 
+#define _XOPEN_SOURCE 500	/* Or isascii won't be declared properly on
+				   VMS (at least with DECompHP C).  */
+#include <ctype.h>
+
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/ssl.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
 #include <openssl/err.h>
 #include <openssl/rand.h>
-#include <openssl/fips.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/bn.h>
 
 #define _XOPEN_SOURCE_EXTENDED	1 /* Or gethostname won't be declared properly
 				     on Compaq platforms (at least with DEC C).
@@ -153,6 +172,9 @@
 #elif defined(OPENSSL_SYS_WINCE)
 #  define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
 #  define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
+#elif defined(OPENSSL_SYS_NETWARE)
+#  define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
+#  define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
 #else
 #  define TEST_SERVER_CERT "../apps/server.pem"
 #  define TEST_CLIENT_CERT "../apps/client.pem"
@@ -160,8 +182,8 @@
 
 /* There is really no standard for this, so let's assign some tentative
    numbers.  In any case, these numbers are only for this test */
-#define COMP_RLE	1
-#define COMP_ZLIB	2
+#define COMP_RLE	255
+#define COMP_ZLIB	1
 
 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
 #ifndef OPENSSL_NO_RSA
@@ -169,8 +191,15 @@ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
 static void free_tmp_rsa(void);
 #endif
 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
-#define APP_CALLBACK "Test Callback Argument"
-static char *app_verify_arg = APP_CALLBACK;
+#define APP_CALLBACK_STRING "Test Callback Argument"
+struct app_verify_arg
+	{
+	char *string;
+	int app_verify;
+	int allow_proxy_certs;
+	char *proxy_auth;
+	char *proxy_cond;
+	};
 
 #ifndef OPENSSL_NO_DH
 static DH *get_dh512(void);
@@ -195,15 +224,16 @@ static const char rnd_seed[] = "string to make the random number generator think
 
 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
+static int do_test_cipherlist(void);
 static void sv_usage(void)
 	{
 	fprintf(stderr,"usage: ssltest [args ...]\n");
 	fprintf(stderr,"\n");
-#ifdef OPENSSL_FIPS
-	fprintf(stderr,"-F             - run test in FIPS mode\n");
-#endif
 	fprintf(stderr," -server_auth  - check server certificate\n");
 	fprintf(stderr," -client_auth  - do client authentication\n");
+	fprintf(stderr," -proxy        - allow proxy certificates\n");
+	fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
+	fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
 	fprintf(stderr," -v            - more output\n");
 	fprintf(stderr," -d            - debug output\n");
 	fprintf(stderr," -reuse        - use session-id reuse\n");
@@ -214,6 +244,9 @@ static void sv_usage(void)
 	fprintf(stderr," -dhe1024dsa   - use 1024 bit key (with 160-bit subprime) for DHE\n");
 	fprintf(stderr," -no_dhe       - disable DHE\n");
 #endif
+#ifndef OPENSSL_NO_ECDH
+	fprintf(stderr," -no_ecdhe     - disable ECDHE\n");
+#endif
 #ifndef OPENSSL_NO_SSL2
 	fprintf(stderr," -ssl2         - use SSLv2\n");
 #endif
@@ -234,7 +267,13 @@ static void sv_usage(void)
 	fprintf(stderr," -f            - Test even cases that can't work\n");
 	fprintf(stderr," -time         - measure processor time used by client and server\n");
 	fprintf(stderr," -zlib         - use zlib compression\n");
-	fprintf(stderr," -time         - use rle compression\n");
+	fprintf(stderr," -rle          - use rle compression\n");
+#ifndef OPENSSL_NO_ECDH
+	fprintf(stderr," -named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.\n" \
+	               "                 Use \"openssl ecparam -list_curves\" for all names\n"  \
+	               "                 (default is sect163r2).\n");
+#endif
+	fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
 	}
 
 static void print_details(SSL *c_ssl, const char *prefix)
@@ -344,6 +383,7 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
 		}
 	}
 
+
 int main(int argc, char *argv[])
 	{
 	char *CApath=NULL,*CAfile=NULL;
@@ -353,30 +393,38 @@ int main(int argc, char *argv[])
 	int tls1=0,ssl2=0,ssl3=0,ret=1;
 	int client_auth=0;
 	int server_auth=0,i;
-	int app_verify=0;
+	struct app_verify_arg app_verify_arg =
+		{ APP_CALLBACK_STRING, 0, 0, NULL, NULL };
 	char *server_cert=TEST_SERVER_CERT;
 	char *server_key=NULL;
 	char *client_cert=TEST_CLIENT_CERT;
 	char *client_key=NULL;
+#ifndef OPENSSL_NO_ECDH
+	char *named_curve = NULL;
+#endif
 	SSL_CTX *s_ctx=NULL;
 	SSL_CTX *c_ctx=NULL;
 	SSL_METHOD *meth=NULL;
 	SSL *c_ssl,*s_ssl;
 	int number=1,reuse=0;
-	long bytes=1L;
+	long bytes=256L;
 #ifndef OPENSSL_NO_DH
 	DH *dh;
 	int dhe1024 = 0, dhe1024dsa = 0;
 #endif
+#ifndef OPENSSL_NO_ECDH
+	EC_KEY *ecdh = NULL;
+#endif
 	int no_dhe = 0;
+	int no_ecdhe = 0;
 	int print_time = 0;
 	clock_t s_time = 0, c_time = 0;
 	int comp = 0;
+#ifndef OPENSSL_NO_COMP
 	COMP_METHOD *cm = NULL;
-#ifdef OPENSSL_FIPS
-	int fips_mode=0;
-	const char *path=argv[0];
 #endif
+	STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
+	int test_cipherlist = 0;
 
 	verbose = 0;
 	debug = 0;
@@ -408,19 +456,20 @@ int main(int argc, char *argv[])
 
 	while (argc >= 1)
 		{
-		if(!strcmp(*argv,"-F"))
-			{
-#ifdef OPENSSL_FIPS
-			fips_mode=1;
-#else
-			fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
-			exit(0);
-#endif
-			}
-		else if	(strcmp(*argv,"-server_auth") == 0)
+		if	(strcmp(*argv,"-server_auth") == 0)
 			server_auth=1;
 		else if	(strcmp(*argv,"-client_auth") == 0)
 			client_auth=1;
+		else if (strcmp(*argv,"-proxy_auth") == 0)
+			{
+			if (--argc < 1) goto bad;
+			app_verify_arg.proxy_auth= *(++argv);
+			}
+		else if (strcmp(*argv,"-proxy_cond") == 0)
+			{
+			if (--argc < 1) goto bad;
+			app_verify_arg.proxy_cond= *(++argv);
+			}
 		else if	(strcmp(*argv,"-v") == 0)
 			verbose=1;
 		else if	(strcmp(*argv,"-d") == 0)
@@ -445,6 +494,8 @@ int main(int argc, char *argv[])
 			}
 		else if	(strcmp(*argv,"-no_dhe") == 0)
 			no_dhe=1;
+		else if	(strcmp(*argv,"-no_ecdhe") == 0)
+			no_ecdhe=1;
 		else if	(strcmp(*argv,"-ssl2") == 0)
 			ssl2=1;
 		else if	(strcmp(*argv,"-tls1") == 0)
@@ -531,9 +582,27 @@ int main(int argc, char *argv[])
 			{
 			comp = COMP_RLE;
 			}
+		else if	(strcmp(*argv,"-named_curve") == 0)
+			{
+			if (--argc < 1) goto bad;
+#ifndef OPENSSL_NO_ECDH		
+			named_curve = *(++argv);
+#else
+			fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
+			++argv;
+#endif
+			}
 		else if	(strcmp(*argv,"-app_verify") == 0)
 			{
-			app_verify = 1;
+			app_verify_arg.app_verify = 1;
+			}
+		else if	(strcmp(*argv,"-proxy") == 0)
+			{
+			app_verify_arg.allow_proxy_certs = 1;
+			}
+		else if (strcmp(*argv,"-test_cipherlist") == 0)
+			{
+			test_cipherlist = 1;
 			}
 		else
 			{
@@ -551,6 +620,14 @@ bad:
 		goto end;
 		}
 
+	if (test_cipherlist == 1)
+		{
+		/* ensure that the cipher list are correctly sorted and exit */
+		if (do_test_cipherlist() == 0)
+			EXIT(1);
+		ret = 0;
+		goto end;
+		}
 
 	if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
 		{
@@ -561,20 +638,6 @@ bad:
 		EXIT(1);
 		}
 
-#ifdef OPENSSL_FIPS
-	if(fips_mode)
-		{
-		if(!FIPS_mode_set(1,path))
-			{
-			ERR_load_crypto_strings();
-			ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
-			exit(1);
-			}
-		else
-			fprintf(stderr,"*** IN FIPS MODE ***\n");
-		}
-#endif
-
 	if (print_time)
 		{
 		if (!bio_pair)
@@ -591,6 +654,7 @@ bad:
 	SSL_library_init();
 	SSL_load_error_strings();
 
+#ifndef OPENSSL_NO_COMP
 	if (comp == COMP_ZLIB) cm = COMP_zlib();
 	if (comp == COMP_RLE) cm = COMP_rle();
 	if (cm != NULL)
@@ -614,6 +678,20 @@ bad:
 			ERR_print_errors_fp(stderr);
 			}
 		}
+	ssl_comp_methods = SSL_COMP_get_compression_methods();
+	fprintf(stderr, "Available compression methods:\n");
+	{
+	int j, n = sk_SSL_COMP_num(ssl_comp_methods);
+	if (n == 0)
+		fprintf(stderr, "  NONE\n");
+	else
+		for (j = 0; j < n; j++)
+			{
+			SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
+			fprintf(stderr, "  %d: %s\n", c->id, c->name);
+			}
+	}
+#endif
 
 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 	if (ssl2)
@@ -668,6 +746,38 @@ bad:
 	(void)no_dhe;
 #endif
 
+#ifndef OPENSSL_NO_ECDH
+	if (!no_ecdhe)
+		{
+		int nid;
+
+		if (named_curve != NULL)
+			{
+			nid = OBJ_sn2nid(named_curve);
+			if (nid == 0)
+			{
+				BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
+				goto end;
+				}
+			}
+		else
+			nid = NID_sect163r2;
+
+		ecdh = EC_KEY_new_by_curve_name(nid);
+		if (ecdh == NULL)
+			{
+			BIO_printf(bio_err, "unable to create curve\n");
+			goto end;
+			}
+
+		SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
+		SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
+		EC_KEY_free(ecdh);
+		}
+#else
+	(void)no_ecdhe;
+#endif
+
 #ifndef OPENSSL_NO_RSA
 	SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
 #endif
@@ -708,20 +818,14 @@ bad:
 		SSL_CTX_set_verify(s_ctx,
 			SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
 			verify_callback);
-		if (app_verify) 
-			{
-			SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
-			}
+		SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
 		}
 	if (server_auth)
 		{
 		BIO_printf(bio_err,"server authentication\n");
 		SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
 			verify_callback);
-		if (app_verify) 
-			{
-			SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
-			}
+		SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
 		}
 	
 	{
@@ -810,6 +914,7 @@ end:
 	CRYPTO_mem_leaks(bio_err);
 	if (bio_err != NULL) BIO_free(bio_err);
 	EXIT(ret);
+	return ret;
 	}
 
 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
@@ -1300,8 +1405,8 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
 			{
 			if (c_write)
 				{
-				j=(cw_num > (long)sizeof(cbuf))
-					?sizeof(cbuf):(int)cw_num;
+				j = (cw_num > (long)sizeof(cbuf)) ?
+					(int)sizeof(cbuf) : (int)cw_num;
 				i=BIO_write(c_bio,cbuf,j);
 				if (i < 0)
 					{
@@ -1431,8 +1536,8 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
 				}
 			else
 				{
-				j=(sw_num > (long)sizeof(sbuf))?
-					sizeof(sbuf):(int)sw_num;
+				j = (sw_num > (long)sizeof(sbuf)) ?
+					(int)sizeof(sbuf) : (int)sw_num;
 				i=BIO_write(s_bio,sbuf,j);
 				if (i < 0)
 					{
@@ -1503,6 +1608,22 @@ err:
 	return(ret);
 	}
 
+static int get_proxy_auth_ex_data_idx(void)
+	{
+	static volatile int idx = -1;
+	if (idx < 0)
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+		if (idx < 0)
+			{
+			idx = X509_STORE_CTX_get_ex_new_index(0,
+				"SSLtest for verify callback", NULL,NULL,NULL);
+			}
+		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+		}
+	return idx;
+	}
+
 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 	{
 	char *s,buf[256];
@@ -1512,42 +1633,467 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 	if (s != NULL)
 		{
 		if (ok)
-			fprintf(stderr,"depth=%d %s\n",ctx->error_depth,buf);
+			fprintf(stderr,"depth=%d %s\n",
+				ctx->error_depth,buf);
 		else
+			{
 			fprintf(stderr,"depth=%d error=%d %s\n",
 				ctx->error_depth,ctx->error,buf);
+			}
 		}
 
 	if (ok == 0)
 		{
+		fprintf(stderr,"Error string: %s\n",
+			X509_verify_cert_error_string(ctx->error));
 		switch (ctx->error)
 			{
 		case X509_V_ERR_CERT_NOT_YET_VALID:
 		case X509_V_ERR_CERT_HAS_EXPIRED:
 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+			fprintf(stderr,"  ... ignored.\n");
 			ok=1;
 			}
 		}
 
+	if (ok == 1)
+		{
+		X509 *xs = ctx->current_cert;
+#if 0
+		X509 *xi = ctx->current_issuer;
+#endif
+
+		if (xs->ex_flags & EXFLAG_PROXY)
+			{
+			unsigned int *letters =
+				X509_STORE_CTX_get_ex_data(ctx,
+					get_proxy_auth_ex_data_idx());
+
+			if (letters)
+				{
+				int found_any = 0;
+				int i;
+				PROXY_CERT_INFO_EXTENSION *pci =
+					X509_get_ext_d2i(xs, NID_proxyCertInfo,
+						NULL, NULL);
+
+				switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
+					{
+				case NID_Independent:
+					/* Completely meaningless in this
+					   program, as there's no way to
+					   grant explicit rights to a
+					   specific PrC.  Basically, using
+					   id-ppl-Independent is the perfect
+					   way to grant no rights at all. */
+					fprintf(stderr, "  Independent proxy certificate");
+					for (i = 0; i < 26; i++)
+						letters[i] = 0;
+					break;
+				case NID_id_ppl_inheritAll:
+					/* This is basically a NOP, we
+					   simply let the current rights
+					   stand as they are. */
+					fprintf(stderr, "  Proxy certificate inherits all");
+					break;
+				default:
+					s = (char *)
+						pci->proxyPolicy->policy->data;
+					i = pci->proxyPolicy->policy->length;
+
+					/* The algorithm works as follows:
+					   it is assumed that previous
+					   iterations or the initial granted
+					   rights has already set some elements
+					   of `letters'.  What we need to do is
+					   to clear those that weren't granted
+					   by the current PrC as well.  The
+					   easiest way to do this is to add 1
+					   to all the elements whose letters
+					   are given with the current policy.
+					   That way, all elements that are set
+					   by the current policy and were
+					   already set by earlier policies and
+					   through the original grant of rights
+					   will get the value 2 or higher.
+					   The last thing to do is to sweep
+					   through `letters' and keep the
+					   elements having the value 2 as set,
+					   and clear all the others. */
+
+					fprintf(stderr, "  Certificate proxy rights = %*.*s", i, i, s);
+					while(i-- > 0)
+						{
+						int c = *s++;
+						if (isascii(c) && isalpha(c))
+							{
+							if (islower(c))
+								c = toupper(c);
+							letters[c - 'A']++;
+							}
+						}
+					for (i = 0; i < 26; i++)
+						if (letters[i] < 2)
+							letters[i] = 0;
+						else
+							letters[i] = 1;
+					}
+
+				found_any = 0;
+				fprintf(stderr,
+					", resulting proxy rights = ");
+				for(i = 0; i < 26; i++)
+					if (letters[i])
+						{
+						fprintf(stderr, "%c", i + 'A');
+						found_any = 1;
+						}
+				if (!found_any)
+					fprintf(stderr, "none");
+				fprintf(stderr, "\n");
+
+				PROXY_CERT_INFO_EXTENSION_free(pci);
+				}
+			}
+		}
+
 	return(ok);
 	}
 
+static void process_proxy_debug(int indent, const char *format, ...)
+	{
+	static const char indentation[] =
+		">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
+		">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
+	char my_format[256];
+	va_list args;
+
+	BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
+		indent, indent, indentation, format);
+
+	va_start(args, format);
+	vfprintf(stderr, my_format, args);
+	va_end(args);
+	}
+/* Priority levels:
+   0	[!]var, ()
+   1	& ^
+   2	|
+*/
+static int process_proxy_cond_adders(unsigned int letters[26],
+	const char *cond, const char **cond_end, int *pos, int indent);
+static int process_proxy_cond_val(unsigned int letters[26],
+	const char *cond, const char **cond_end, int *pos, int indent)
+	{
+	int c;
+	int ok = 1;
+	int negate = 0;
+
+	while(isspace((int)*cond))
+		{
+		cond++; (*pos)++;
+		}
+	c = *cond;
+
+	if (debug)
+		process_proxy_debug(indent,
+			"Start process_proxy_cond_val at position %d: %s\n",
+			*pos, cond);
+
+	while(c == '!')
+		{
+		negate = !negate;
+		cond++; (*pos)++;
+		while(isspace((int)*cond))
+			{
+			cond++; (*pos)++;
+			}
+		c = *cond;
+		}
+
+	if (c == '(')
+		{
+		cond++; (*pos)++;
+		ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
+			indent + 1);
+		cond = *cond_end;
+		if (ok < 0)
+			goto end;
+		while(isspace((int)*cond))
+			{
+			cond++; (*pos)++;
+			}
+		c = *cond;
+		if (c != ')')
+			{
+			fprintf(stderr,
+				"Weird condition character in position %d: "
+				"%c\n", *pos, c);
+			ok = -1;
+			goto end;
+			}
+		cond++; (*pos)++;
+		}
+	else if (isascii(c) && isalpha(c))
+		{
+		if (islower(c))
+			c = toupper(c);
+		ok = letters[c - 'A'];
+		cond++; (*pos)++;
+		}
+	else
+		{
+		fprintf(stderr,
+			"Weird condition character in position %d: "
+			"%c\n", *pos, c);
+		ok = -1;
+		goto end;
+		}
+ end:
+	*cond_end = cond;
+	if (ok >= 0 && negate)
+		ok = !ok;
+
+	if (debug)
+		process_proxy_debug(indent,
+			"End process_proxy_cond_val at position %d: %s, returning %d\n",
+			*pos, cond, ok);
+
+	return ok;
+	}
+static int process_proxy_cond_multipliers(unsigned int letters[26],
+	const char *cond, const char **cond_end, int *pos, int indent)
+	{
+	int ok;
+	char c;
+
+	if (debug)
+		process_proxy_debug(indent,
+			"Start process_proxy_cond_multipliers at position %d: %s\n",
+			*pos, cond);
+
+	ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
+	cond = *cond_end;
+	if (ok < 0)
+		goto end;
+
+	while(ok >= 0)
+		{
+		while(isspace((int)*cond))
+			{
+			cond++; (*pos)++;
+			}
+		c = *cond;
+
+		switch(c)
+			{
+		case '&':
+		case '^':
+			{
+			int save_ok = ok;
+
+			cond++; (*pos)++;
+			ok = process_proxy_cond_val(letters,
+				cond, cond_end, pos, indent + 1);
+			cond = *cond_end;
+			if (ok < 0)
+				break;
+
+			switch(c)
+				{
+			case '&':
+				ok &= save_ok;
+				break;
+			case '^':
+				ok ^= save_ok;
+				break;
+			default:
+				fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
+					" STOPPING\n");
+				EXIT(1);
+				}
+			}
+			break;
+		default:
+			goto end;
+			}
+		}
+ end:
+	if (debug)
+		process_proxy_debug(indent,
+			"End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
+			*pos, cond, ok);
+
+	*cond_end = cond;
+	return ok;
+	}
+static int process_proxy_cond_adders(unsigned int letters[26],
+	const char *cond, const char **cond_end, int *pos, int indent)
+	{
+	int ok;
+	char c;
+
+	if (debug)
+		process_proxy_debug(indent,
+			"Start process_proxy_cond_adders at position %d: %s\n",
+			*pos, cond);
+
+	ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
+		indent + 1);
+	cond = *cond_end;
+	if (ok < 0)
+		goto end;
+
+	while(ok >= 0)
+		{
+		while(isspace((int)*cond))
+			{
+			cond++; (*pos)++;
+			}
+		c = *cond;
+
+		switch(c)
+			{
+		case '|':
+			{
+			int save_ok = ok;
+
+			cond++; (*pos)++;
+			ok = process_proxy_cond_multipliers(letters,
+				cond, cond_end, pos, indent + 1);
+			cond = *cond_end;
+			if (ok < 0)
+				break;
+
+			switch(c)
+				{
+			case '|':
+				ok |= save_ok;
+				break;
+			default:
+				fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
+					" STOPPING\n");
+				EXIT(1);
+				}
+			}
+			break;
+		default:
+			goto end;
+			}
+		}
+ end:
+	if (debug)
+		process_proxy_debug(indent,
+			"End process_proxy_cond_adders at position %d: %s, returning %d\n",
+			*pos, cond, ok);
+
+	*cond_end = cond;
+	return ok;
+	}
+
+static int process_proxy_cond(unsigned int letters[26],
+	const char *cond, const char **cond_end)
+	{
+	int pos = 1;
+	return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
+	}
+
 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
 	{
-	char *s = NULL,buf[256];
 	int ok=1;
+	struct app_verify_arg *cb_arg = arg;
+	unsigned int letters[26]; /* only used with proxy_auth */
 
-	fprintf(stderr, "In app_verify_callback, allowing cert. ");
-	fprintf(stderr, "Arg is: %s\n", (char *)arg);
-	fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
-			(unsigned int)ctx, (unsigned int)ctx->cert);
-	if (ctx->cert)
-		s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
-	if (s != NULL)
+	if (cb_arg->app_verify)
 		{
+		char *s = NULL,buf[256];
+
+		fprintf(stderr, "In app_verify_callback, allowing cert. ");
+		fprintf(stderr, "Arg is: %s\n", cb_arg->string);
+		fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
+			(void *)ctx, (void *)ctx->cert);
+		if (ctx->cert)
+			s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
+		if (s != NULL)
+			{
 			fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
+			}
+		return(1);
 		}
+	if (cb_arg->proxy_auth)
+		{
+		int found_any = 0, i;
+		char *sp;
 
+		for(i = 0; i < 26; i++)
+			letters[i] = 0;
+		for(sp = cb_arg->proxy_auth; *sp; sp++)
+			{
+			int c = *sp;
+			if (isascii(c) && isalpha(c))
+				{
+				if (islower(c))
+					c = toupper(c);
+				letters[c - 'A'] = 1;
+				}
+			}
+
+		fprintf(stderr,
+			"  Initial proxy rights = ");
+		for(i = 0; i < 26; i++)
+			if (letters[i])
+				{
+				fprintf(stderr, "%c", i + 'A');
+				found_any = 1;
+				}
+		if (!found_any)
+			fprintf(stderr, "none");
+		fprintf(stderr, "\n");
+
+		X509_STORE_CTX_set_ex_data(ctx,
+			get_proxy_auth_ex_data_idx(),letters);
+		}
+	if (cb_arg->allow_proxy_certs)
+		{
+		X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+		}
+
+#ifndef OPENSSL_NO_X509_VERIFY
+# ifdef OPENSSL_FIPS
+	if(s->version == TLS1_VERSION)
+		FIPS_allow_md5(1);
+# endif
+	ok = X509_verify_cert(ctx);
+# ifdef OPENSSL_FIPS
+	if(s->version == TLS1_VERSION)
+		FIPS_allow_md5(0);
+# endif
+#endif
+
+	if (cb_arg->proxy_auth)
+		{
+		if (ok)
+			{
+			const char *cond_end = NULL;
+
+			ok = process_proxy_cond(letters,
+				cb_arg->proxy_cond, &cond_end);
+
+			if (ok < 0)
+				EXIT(3);
+			if (*cond_end)
+				{
+				fprintf(stderr, "Stopped processing condition before it's end.\n");
+				ok = 0;
+				}
+			if (!ok)
+				fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
+					cb_arg->proxy_cond);
+			else
+				fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
+					cb_arg->proxy_cond);
+			}
+		}
 	return(ok);
 	}
 
@@ -1556,14 +2102,29 @@ static RSA *rsa_tmp=NULL;
 
 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
 	{
+	BIGNUM *bn = NULL;
 	if (rsa_tmp == NULL)
 		{
+		bn = BN_new();
+		rsa_tmp = RSA_new();
+		if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
+			{
+			BIO_printf(bio_err, "Memory error...");
+			goto end;
+			}
 		BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
 		(void)BIO_flush(bio_err);
-		rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL);
+		if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
+			{
+			BIO_printf(bio_err, "Error generating key.");
+			RSA_free(rsa_tmp);
+			rsa_tmp = NULL;
+			}
+end:
 		BIO_printf(bio_err,"\n");
 		(void)BIO_flush(bio_err);
 		}
+	if(bn) BN_free(bn);
 	return(rsa_tmp);
 	}
 
@@ -1674,3 +2235,60 @@ static DH *get_dh1024dsa()
 	return(dh);
 	}
 #endif
+
+static int do_test_cipherlist(void)
+	{
+	int i = 0;
+	const SSL_METHOD *meth;
+	SSL_CIPHER *ci, *tci = NULL;
+
+#ifndef OPENSSL_NO_SSL2
+	fprintf(stderr, "testing SSLv2 cipher list order: ");
+	meth = SSLv2_method();
+	while ((ci = meth->get_cipher(i++)) != NULL)
+		{
+		if (tci != NULL)
+			if (ci->id >= tci->id)
+				{
+				fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+				return 0;
+				}
+		tci = ci;
+		}
+	fprintf(stderr, "ok\n");
+#endif
+#ifndef OPENSSL_NO_SSL3
+	fprintf(stderr, "testing SSLv3 cipher list order: ");
+	meth = SSLv3_method();
+	tci = NULL;
+	while ((ci = meth->get_cipher(i++)) != NULL)
+		{
+		if (tci != NULL)
+			if (ci->id >= tci->id)
+				{
+				fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+				return 0;
+				}
+		tci = ci;
+		}
+	fprintf(stderr, "ok\n");
+#endif
+#ifndef OPENSSL_NO_TLS1
+	fprintf(stderr, "testing TLSv1 cipher list order: ");
+	meth = TLSv1_method();
+	tci = NULL;
+	while ((ci = meth->get_cipher(i++)) != NULL)
+		{
+		if (tci != NULL)
+			if (ci->id >= tci->id)
+				{
+				fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+				return 0;
+				}
+		tci = ci;
+		}
+	fprintf(stderr, "ok\n");
+#endif
+
+	return 1;
+	}
diff --git a/crypto/openssl/ssl/t1_clnt.c b/crypto/openssl/ssl/t1_clnt.c
index 57205fb429ab..4d1e198cdcde 100644
--- a/crypto/openssl/ssl/t1_clnt.c
+++ b/crypto/openssl/ssl/t1_clnt.c
@@ -72,26 +72,8 @@ static SSL_METHOD *tls1_get_client_method(int ver)
 		return(NULL);
 	}
 
-SSL_METHOD *TLSv1_client_method(void)
-	{
-	static int init=1;
-	static SSL_METHOD TLSv1_client_data;
-
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-
-		if (init)
-			{
-			memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
-				sizeof(SSL_METHOD));
-			TLSv1_client_data.ssl_connect=ssl3_connect;
-			TLSv1_client_data.get_ssl_method=tls1_get_client_method;
-			init=0;
-			}
-		
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-		}
-	return(&TLSv1_client_data);
-	}
+IMPLEMENT_tls1_meth_func(TLSv1_client_method,
+			ssl_undefined_function,
+			ssl3_connect,
+			tls1_get_client_method)
 
diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c
index ac224ddfa181..c544c764950c 100644
--- a/crypto/openssl/ssl/t1_enc.c
+++ b/crypto/openssl/ssl/t1_enc.c
@@ -115,7 +115,6 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
-#include <openssl/fips.h>
 
 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 			int sec_len, unsigned char *seed, int seed_len,
@@ -178,13 +177,8 @@ static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
 	S2= &(sec[len]);
 	len+=(slen&1); /* add for odd, make longer */
 
-#ifdef OPENSSL_FIPS
-	FIPS_allow_md5(1);
-#endif
+	
 	tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
-#ifdef OPENSSL_FIPS
-	FIPS_allow_md5(0);
-#endif
 	tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
 
 	for (i=0; i<olen; i++)
@@ -237,7 +231,9 @@ int tls1_change_cipher_state(SSL *s, int which)
 	int client_write;
 	EVP_CIPHER_CTX *dd;
 	const EVP_CIPHER *c;
+#ifndef OPENSSL_NO_COMP
 	const SSL_COMP *comp;
+#endif
 	const EVP_MD *m;
 	int is_export,n,i,j,k,exp_label_len,cl;
 	int reuse_dd = 0;
@@ -245,7 +241,9 @@ int tls1_change_cipher_state(SSL *s, int which)
 	is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
 	c=s->s3->tmp.new_sym_enc;
 	m=s->s3->tmp.new_hash;
+#ifndef OPENSSL_NO_COMP
 	comp=s->s3->tmp.new_compression;
+#endif
 	key_block=s->s3->tmp.key_block;
 
 #ifdef KSSL_DEBUG
@@ -271,6 +269,7 @@ int tls1_change_cipher_state(SSL *s, int which)
 			goto err;
 		dd= s->enc_read_ctx;
 		s->read_hash=m;
+#ifndef OPENSSL_NO_COMP
 		if (s->expand != NULL)
 			{
 			COMP_CTX_free(s->expand);
@@ -290,7 +289,10 @@ int tls1_change_cipher_state(SSL *s, int which)
 			if (s->s3->rrec.comp == NULL)
 				goto err;
 			}
-		memset(&(s->s3->read_sequence[0]),0,8);
+#endif
+		/* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
+ 		if (s->version != DTLS1_VERSION)
+			memset(&(s->s3->read_sequence[0]),0,8);
 		mac_secret= &(s->s3->read_mac_secret[0]);
 		}
 	else
@@ -305,6 +307,7 @@ int tls1_change_cipher_state(SSL *s, int which)
 			goto err;
 		dd= s->enc_write_ctx;
 		s->write_hash=m;
+#ifndef OPENSSL_NO_COMP
 		if (s->compress != NULL)
 			{
 			COMP_CTX_free(s->compress);
@@ -319,7 +322,10 @@ int tls1_change_cipher_state(SSL *s, int which)
 				goto err2;
 				}
 			}
-		memset(&(s->s3->write_sequence[0]),0,8);
+#endif
+		/* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
+ 		if (s->version != DTLS1_VERSION)
+			memset(&(s->s3->write_sequence[0]),0,8);
 		mac_secret= &(s->s3->write_mac_secret[0]);
 		}
 
@@ -507,7 +513,7 @@ printf("\nkey block\n");
 #endif
 			}
 		}
-
+		
 	return(1);
 err:
 	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
@@ -662,13 +668,7 @@ int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
 
 	EVP_MD_CTX_init(&ctx);
 	EVP_MD_CTX_copy_ex(&ctx,in_ctx);
-#ifdef OPENSSL_FIPS
-	FIPS_allow_md5(1);
-#endif
 	EVP_DigestFinal_ex(&ctx,out,&ret);
-#ifdef OPENSSL_FIPS
-	FIPS_allow_md5(0);
-#endif
 	EVP_MD_CTX_cleanup(&ctx);
 	return((int)ret);
 	}
@@ -687,13 +687,7 @@ int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
 
 	EVP_MD_CTX_init(&ctx);
 	EVP_MD_CTX_copy_ex(&ctx,in1_ctx);
-#ifdef OPENSSL_FIPS
-	FIPS_allow_md5(1);
-#endif
 	EVP_DigestFinal_ex(&ctx,q,&i);
-#ifdef OPENSSL_FIPS
-	FIPS_allow_md5(0);
-#endif
 	q+=i;
 	EVP_MD_CTX_copy_ex(&ctx,in2_ctx);
 	EVP_DigestFinal_ex(&ctx,q,&i);
@@ -760,10 +754,13 @@ printf("rec=");
 {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
 #endif
 
-	for (i=7; i>=0; i--)
-		{
-		++seq[i];
-		if (seq[i] != 0) break; 
+    if ( SSL_version(ssl) != DTLS1_VERSION)
+	    {
+		for (i=7; i>=0; i--)
+			{
+			++seq[i];
+			if (seq[i] != 0) break; 
+			}
 		}
 
 #ifdef TLS_DEBUG
@@ -826,6 +823,8 @@ int tls1_alert_code(int code)
 	case SSL_AD_INTERNAL_ERROR:	return(TLS1_AD_INTERNAL_ERROR);
 	case SSL_AD_USER_CANCELLED:	return(TLS1_AD_USER_CANCELLED);
 	case SSL_AD_NO_RENEGOTIATION:	return(TLS1_AD_NO_RENEGOTIATION);
+	case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return 
+					  (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
 	default:			return(-1);
 		}
 	}
diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c
index ca6c03d5af18..d4516eba71e0 100644
--- a/crypto/openssl/ssl/t1_lib.c
+++ b/crypto/openssl/ssl/t1_lib.c
@@ -62,9 +62,7 @@
 
 const char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT;
 
-static long tls1_default_timeout(void);
-
-static SSL3_ENC_METHOD TLSv1_enc_data={
+SSL3_ENC_METHOD TLSv1_enc_data={
 	tls1_enc,
 	tls1_mac,
 	tls1_setup_key_block,
@@ -78,45 +76,17 @@ static SSL3_ENC_METHOD TLSv1_enc_data={
 	tls1_alert_code,
 	};
 
-static SSL_METHOD TLSv1_data= {
-	TLS1_VERSION,
-	tls1_new,
-	tls1_clear,
-	tls1_free,
-	ssl_undefined_function,
-	ssl_undefined_function,
-	ssl3_read,
-	ssl3_peek,
-	ssl3_write,
-	ssl3_shutdown,
-	ssl3_renegotiate,
-	ssl3_renegotiate_check,
-	ssl3_ctrl,
-	ssl3_ctx_ctrl,
-	ssl3_get_cipher_by_char,
-	ssl3_put_cipher_by_char,
-	ssl3_pending,
-	ssl3_num_ciphers,
-	ssl3_get_cipher,
-	ssl_bad_method,
-	tls1_default_timeout,
-	&TLSv1_enc_data,
-	ssl_undefined_function,
-	ssl3_callback_ctrl,
-	ssl3_ctx_callback_ctrl,
-	};
-
-static long tls1_default_timeout(void)
+long tls1_default_timeout(void)
 	{
 	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
 	 * is way too long for http, the cache would over fill */
 	return(60*60*2);
 	}
 
-SSL_METHOD *tlsv1_base_method(void)
-	{
-	return(&TLSv1_data);
-	}
+IMPLEMENT_tls1_meth_func(tlsv1_base_method,
+			ssl_undefined_function,
+			ssl_undefined_function,
+			ssl_bad_method)
 
 int tls1_new(SSL *s)
 	{
diff --git a/crypto/openssl/ssl/t1_meth.c b/crypto/openssl/ssl/t1_meth.c
index fcc243f78264..f5d8df634ee1 100644
--- a/crypto/openssl/ssl/t1_meth.c
+++ b/crypto/openssl/ssl/t1_meth.c
@@ -69,28 +69,8 @@ static SSL_METHOD *tls1_get_method(int ver)
 		return(NULL);
 	}
 
-SSL_METHOD *TLSv1_method(void)
-	{
-	static int init=1;
-	static SSL_METHOD TLSv1_data;
-
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-		
-		if (init)
-			{
-			memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(),
-				sizeof(SSL_METHOD));
-			TLSv1_data.ssl_connect=ssl3_connect;
-			TLSv1_data.ssl_accept=ssl3_accept;
-			TLSv1_data.get_ssl_method=tls1_get_method;
-			init=0;
-			}
-
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-		}
-	
-	return(&TLSv1_data);
-	}
+IMPLEMENT_tls1_meth_func(TLSv1_method,
+			ssl3_accept,
+			ssl3_connect,
+			tls1_get_method)
 
diff --git a/crypto/openssl/ssl/t1_srvr.c b/crypto/openssl/ssl/t1_srvr.c
index 1c1149e49fe1..b75636abba91 100644
--- a/crypto/openssl/ssl/t1_srvr.c
+++ b/crypto/openssl/ssl/t1_srvr.c
@@ -73,26 +73,8 @@ static SSL_METHOD *tls1_get_server_method(int ver)
 		return(NULL);
 	}
 
-SSL_METHOD *TLSv1_server_method(void)
-	{
-	static int init=1;
-	static SSL_METHOD TLSv1_server_data;
-
-	if (init)
-		{
-		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-
-		if (init)
-			{
-			memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
-				sizeof(SSL_METHOD));
-			TLSv1_server_data.ssl_accept=ssl3_accept;
-			TLSv1_server_data.get_ssl_method=tls1_get_server_method;
-			init=0;
-			}
-			
-		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-		}
-	return(&TLSv1_server_data);
-	}
+IMPLEMENT_tls1_meth_func(TLSv1_server_method,
+			ssl3_accept,
+			ssl_undefined_function,
+			tls1_get_server_method)
 
diff --git a/crypto/openssl/ssl/tls1.h b/crypto/openssl/ssl/tls1.h
index 38838ea9a5da..f8a215e6e911 100644
--- a/crypto/openssl/ssl/tls1.h
+++ b/crypto/openssl/ssl/tls1.h
@@ -55,6 +55,19 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by 
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * ECC cipher suite support in OpenSSL originally written by
+ * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
+ *
+ */
 
 #ifndef HEADER_TLS1_H 
 #define HEADER_TLS1_H 
@@ -112,6 +125,37 @@ extern "C" {
 #define TLS1_CK_DHE_RSA_WITH_AES_256_SHA		0x03000039
 #define TLS1_CK_ADH_WITH_AES_256_SHA			0x0300003A
 
+/* ECC ciphersuites from draft-ietf-tls-ecc-12.txt with changes soon to be in draft 13 */
+#define TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA                0x0300C001
+#define TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA             0x0300C002
+#define TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA        0x0300C003
+#define TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA         0x0300C004
+#define TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA         0x0300C005
+
+#define TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA               0x0300C006
+#define TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA            0x0300C007
+#define TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA       0x0300C008
+#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA        0x0300C009
+#define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA        0x0300C00A
+
+#define TLS1_CK_ECDH_RSA_WITH_NULL_SHA                  0x0300C00B
+#define TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA               0x0300C00C
+#define TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA          0x0300C00D
+#define TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA           0x0300C00E
+#define TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA           0x0300C00F
+
+#define TLS1_CK_ECDHE_RSA_WITH_NULL_SHA                 0x0300C010
+#define TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA              0x0300C011
+#define TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA         0x0300C012
+#define TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA          0x0300C013
+#define TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA          0x0300C014
+
+#define TLS1_CK_ECDH_anon_WITH_NULL_SHA                 0x0300C015
+#define TLS1_CK_ECDH_anon_WITH_RC4_128_SHA              0x0300C016
+#define TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA         0x0300C017
+#define TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA          0x0300C018
+#define TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA          0x0300C019
+
 /* XXX
  * Inconsistency alert:
  * The OpenSSL names of ciphers with ephemeral DH here include the string
@@ -142,12 +186,45 @@ extern "C" {
 #define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA		"DHE-RSA-AES256-SHA"
 #define TLS1_TXT_ADH_WITH_AES_256_SHA			"ADH-AES256-SHA"
 
+/* ECC ciphersuites from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) */
+#define TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA               "ECDH-ECDSA-NULL-SHA"
+#define TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA            "ECDH-ECDSA-RC4-SHA"
+#define TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA       "ECDH-ECDSA-DES-CBC3-SHA"
+#define TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA        "ECDH-ECDSA-AES128-SHA"
+#define TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA        "ECDH-ECDSA-AES256-SHA"
+
+#define TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA              "ECDHE-ECDSA-NULL-SHA"
+#define TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA           "ECDHE-ECDSA-RC4-SHA"
+#define TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA      "ECDHE-ECDSA-DES-CBC3-SHA"
+#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA       "ECDHE-ECDSA-AES128-SHA"
+#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA       "ECDHE-ECDSA-AES256-SHA"
+
+#define TLS1_TXT_ECDH_RSA_WITH_NULL_SHA                 "ECDH-RSA-NULL-SHA"
+#define TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA              "ECDH-RSA-RC4-SHA"
+#define TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA         "ECDH-RSA-DES-CBC3-SHA"
+#define TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA          "ECDH-RSA-AES128-SHA"
+#define TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA          "ECDH-RSA-AES256-SHA"
+
+#define TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA                "ECDHE-RSA-NULL-SHA"
+#define TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA             "ECDHE-RSA-RC4-SHA"
+#define TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA        "ECDHE-RSA-DES-CBC3-SHA"
+#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA         "ECDHE-RSA-AES128-SHA"
+#define TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA         "ECDHE-RSA-AES256-SHA"
+
+#define TLS1_TXT_ECDH_anon_WITH_NULL_SHA                "AECDH-NULL-SHA"
+#define TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA             "AECDH-RC4-SHA"
+#define TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA        "AECDH-DES-CBC3-SHA"
+#define TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA         "AECDH-AES128-SHA"
+#define TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA         "AECDH-AES256-SHA"
 
 #define TLS_CT_RSA_SIGN			1
 #define TLS_CT_DSS_SIGN			2
 #define TLS_CT_RSA_FIXED_DH		3
 #define TLS_CT_DSS_FIXED_DH		4
-#define TLS_CT_NUMBER			4
+#define TLS_CT_ECDSA_SIGN		64
+#define TLS_CT_RSA_FIXED_ECDH		65
+#define TLS_CT_ECDSA_FIXED_ECDH 	66
+#define TLS_CT_NUMBER			7
 
 #define TLS1_FINISH_MAC_LENGTH		12
 
@@ -193,3 +270,5 @@ extern "C" {
 #endif
 #endif
 
+
+
diff --git a/crypto/openssl/test/CAss.cnf b/crypto/openssl/test/CAss.cnf
index b941b7ae1570..20f8f05e3dfd 100644
--- a/crypto/openssl/test/CAss.cnf
+++ b/crypto/openssl/test/CAss.cnf
@@ -23,3 +23,54 @@ organizationName_value		= Dodgy Brothers
 
 commonName			= Common Name (eg, YOUR name)
 commonName_value		= Dodgy CA
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem# The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= v3_ca			# The extentions to add to the cert
+
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= md5			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+policy		= policy_anything
+
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true,pathlen:1
+keyUsage = cRLSign, keyCertSign
+issuerAltName=issuer:copy
diff --git a/crypto/openssl/test/Makefile b/crypto/openssl/test/Makefile
index 28fbd34c5ce0..7d4a5f56f0f7 100644
--- a/crypto/openssl/test/Makefile
+++ b/crypto/openssl/test/Makefile
@@ -7,11 +7,6 @@ TOP=		..
 CC=		cc
 INCLUDES=	-I$(TOP) -I../include $(KRB5_INCLUDES)
 CFLAG=		-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=	/usr/local/ssl
-MAKEFILE=	Makefile
-MAKEDEPPROG=	makedepend
 MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 PERL=		perl
 # KRB5 stuff
@@ -35,11 +30,14 @@ LIBSSL= -L.. -lssl
 
 BNTEST=		bntest
 ECTEST=		ectest
+ECDSATEST=	ecdsatest
+ECDHTEST=	ecdhtest
 EXPTEST=	exptest
 IDEATEST=	ideatest
 SHATEST=	shatest
 SHA1TEST=	sha1test
-FIPS_SHA1TEST=	fips_sha1test
+SHA256TEST=	sha256t
+SHA512TEST=	sha512t
 MDC2TEST=	mdc2test
 RMDTEST=	rmdtest
 MD2TEST=	md2test
@@ -52,44 +50,45 @@ RC5TEST=	rc5test
 BFTEST=		bftest
 CASTTEST=	casttest
 DESTEST=	destest
-FIPS_DESTEST=	fips_desmovs
 RANDTEST=	randtest
-FIPS_RANDTEST=	fips_randtest
 DHTEST=		dhtest
 DSATEST=	dsatest
-FIPS_DSATEST=	fips_dsatest
 METHTEST=	methtest
 SSLTEST=	ssltest
 RSATEST=	rsa_test
 ENGINETEST=	enginetest
 EVPTEST=	evp_test
-FIPS_AESTEST=	fips_aesavs
 
 TESTS=		alltests
 
-EXE=	$(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT) $(IDEATEST)$(EXE_EXT) $(MD2TEST)$(EXE_EXT)  $(MD4TEST)$(EXE_EXT) $(MD5TEST)$(EXE_EXT) $(HMACTEST)$(EXE_EXT) \
+EXE=	$(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT)  $(ECDSATEST)$(EXE_EXT) $(ECDHTEST)$(EXE_EXT) $(IDEATEST)$(EXE_EXT) \
+	$(MD2TEST)$(EXE_EXT)  $(MD4TEST)$(EXE_EXT) $(MD5TEST)$(EXE_EXT) $(HMACTEST)$(EXE_EXT) \
 	$(RC2TEST)$(EXE_EXT) $(RC4TEST)$(EXE_EXT) $(RC5TEST)$(EXE_EXT) \
-	$(DESTEST)$(EXE_EXT) $(FIPS_DESTEST)$(EXE_EXT) $(SHATEST)$(EXE_EXT) $(SHA1TEST)$(EXE_EXT) $(FIPS_SHA1TEST)$(EXE_EXT) $(MDC2TEST)$(EXE_EXT) $(RMDTEST)$(EXE_EXT) \
-	$(RANDTEST)$(EXE_EXT) $(FIPS_RANDTEST)$(EXE_EXT) $(DHTEST)$(EXE_EXT) $(ENGINETEST)$(EXE_EXT) \
-	$(BFTEST)$(EXE_EXT) $(CASTTEST)$(EXE_EXT) $(SSLTEST)$(EXE_EXT) $(EXPTEST)$(EXE_EXT) $(DSATEST)$(EXE_EXT) $(FIPS_DSATEST)$(EXE_EXT) $(RSATEST)$(EXE_EXT) \
-	$(EVPTEST)$(EXE_EXT) $(FIPS_AESTEST)$(EXE_EXT)
+	$(DESTEST)$(EXE_EXT) $(SHATEST)$(EXE_EXT) $(SHA1TEST)$(EXE_EXT) $(SHA256TEST)$(EXE_EXT) $(SHA512TEST)$(EXE_EXT) \
+	$(MDC2TEST)$(EXE_EXT) $(RMDTEST)$(EXE_EXT) \
+	$(RANDTEST)$(EXE_EXT) $(DHTEST)$(EXE_EXT) $(ENGINETEST)$(EXE_EXT) \
+	$(BFTEST)$(EXE_EXT) $(CASTTEST)$(EXE_EXT) $(SSLTEST)$(EXE_EXT) $(EXPTEST)$(EXE_EXT) $(DSATEST)$(EXE_EXT) $(RSATEST)$(EXE_EXT) \
+	$(EVPTEST)$(EXE_EXT)
 
 # $(METHTEST)$(EXE_EXT)
 
-OBJ=	$(BNTEST).o $(ECTEST).o $(IDEATEST).o $(MD2TEST).o $(MD4TEST).o $(MD5TEST).o \
+OBJ=	$(BNTEST).o $(ECTEST).o  $(ECDSATEST).o $(ECDHTEST).o $(IDEATEST).o \
+	$(MD2TEST).o $(MD4TEST).o $(MD5TEST).o \
 	$(HMACTEST).o \
 	$(RC2TEST).o $(RC4TEST).o $(RC5TEST).o \
-	$(DESTEST).o $(FIPS_DESTEST).o $(SHATEST).o $(SHA1TEST).o $(FIPS_SHA1TEST).o $(MDC2TEST).o $(RMDTEST).o \
-	$(RANDTEST).o $(FIPS_RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \
-	$(BFTEST).o  $(SSLTEST).o  $(DSATEST).o $(FIPS_DSATEST).o $(EXPTEST).o $(RSATEST).o \
-	$(EVPTEST).o $(FIPS_AESTEST).o
-SRC=	$(BNTEST).c $(ECTEST).c $(IDEATEST).c $(MD2TEST).c  $(MD4TEST).c $(MD5TEST).c \
+	$(DESTEST).o $(SHATEST).o $(SHA1TEST).o $(SHA256TEST).o $(SHA512TEST).o \
+	$(MDC2TEST).o $(RMDTEST).o \
+	$(RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \
+	$(BFTEST).o  $(SSLTEST).o  $(DSATEST).o  $(EXPTEST).o $(RSATEST).o \
+	$(EVPTEST).o
+SRC=	$(BNTEST).c $(ECTEST).c  $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \
+	$(MD2TEST).c  $(MD4TEST).c $(MD5TEST).c \
 	$(HMACTEST).c \
 	$(RC2TEST).c $(RC4TEST).c $(RC5TEST).c \
-	$(DESTEST).c $(FIPS_DESTEST).c $(SHATEST).c $(SHA1TEST).c $(FIPS_SHA1TEST).c $(MDC2TEST).c $(RMDTEST).c \
-	$(RANDTEST).c $(FIPS_RANDTEST).c $(DHTEST).c $(ENGINETEST).c $(CASTTEST).c \
-	$(BFTEST).c  $(SSLTEST).c $(DSATEST).c $(FIPS_DSATEST).c $(EXPTEST).c $(RSATEST).c \
-	$(EVPTEST).c $(FIPS_AESTEST).c
+	$(DESTEST).c $(SHATEST).c $(SHA1TEST).c $(MDC2TEST).c $(RMDTEST).c \
+	$(RANDTEST).c $(DHTEST).c $(ENGINETEST).c $(CASTTEST).c \
+	$(BFTEST).c  $(SSLTEST).c $(DSATEST).c   $(EXPTEST).c $(RSATEST).c \
+	$(EVPTEST).c
 
 EXHEADER= 
 HEADER=	$(EXHEADER)
@@ -124,166 +123,155 @@ tests:	exe apps $(TESTS)
 apps:
 	@(cd ..; $(MAKE) DIRS=apps all)
 
-SET_SO_PATHS=OSSL_LIBPATH="`cd ..; pwd`"; \
-		LD_LIBRARY_PATH="$$OSSL_LIBPATH:$$LD_LIBRARY_PATH"; \
-		DYLD_LIBRARY_PATH="$$OSSL_LIBPATH:$$DYLD_LIBRARY_PATH"; \
-		SHLIB_PATH="$$OSSL_LIBPATH:$$SHLIB_PATH"; \
-		LIBPATH="$$OSSL_LIBPATH:$$LIBPATH"; \
-		if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="$${LIBPATH}:$$PATH"; fi; \
-		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH
-
 alltests: \
 	test_des test_idea test_sha test_md4 test_md5 test_hmac \
 	test_md2 test_mdc2 \
 	test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast test_aes \
-	test_rand test_bn test_ec test_enc test_x509 test_rsa test_crl test_sid \
+	test_rand test_bn test_ec test_ecdsa test_ecdh \
+	test_enc test_x509 test_rsa test_crl test_sid \
 	test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
 	test_ss test_ca test_engine test_evp test_ssl
-# temporarily removed
-# fips_test_aes
-
-fips_test_aes:
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	  mkdir -p fips_aes_data/rsp; \
-	  $(SET_SO_PATHS); ./$(FIPS_AESTEST) -d fips_aes_data/list; \
-	fi
 
 test_evp:
-	$(SET_SO_PATHS); ./$(EVPTEST) evptests.txt
+	../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt
 
 test_des:
-	$(SET_SO_PATHS); ./$(DESTEST)
+	../util/shlib_wrap.sh ./$(DESTEST)
 
 test_idea:
-	$(SET_SO_PATHS); ./$(IDEATEST)
+	../util/shlib_wrap.sh ./$(IDEATEST)
 
 test_sha:
-	$(SET_SO_PATHS); ./$(SHATEST)
-	$(SET_SO_PATHS); ./$(SHA1TEST)
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	  $(SET_SO_PATHS); ./$(FIPS_SHA1TEST) sha1vectors.txt | sed s/Strings/Hashes/ | cmp sha1hashes.txt - ; \
-	fi
+	../util/shlib_wrap.sh ./$(SHATEST)
+	../util/shlib_wrap.sh ./$(SHA1TEST)
+	../util/shlib_wrap.sh ./$(SHA256TEST)
+	../util/shlib_wrap.sh ./$(SHA512TEST)
 
 test_mdc2:
-	$(SET_SO_PATHS); ./$(MDC2TEST)
+	../util/shlib_wrap.sh ./$(MDC2TEST)
 
 test_md5:
-	$(SET_SO_PATHS); ./$(MD5TEST)
+	../util/shlib_wrap.sh ./$(MD5TEST)
 
 test_md4:
-	$(SET_SO_PATHS); ./$(MD4TEST)
+	../util/shlib_wrap.sh ./$(MD4TEST)
 
 test_hmac:
-	$(SET_SO_PATHS); ./$(HMACTEST)
+	../util/shlib_wrap.sh ./$(HMACTEST)
 
 test_md2:
-	$(SET_SO_PATHS); ./$(MD2TEST)
+	../util/shlib_wrap.sh ./$(MD2TEST)
 
 test_rmd:
-	$(SET_SO_PATHS); ./$(RMDTEST)
+	../util/shlib_wrap.sh ./$(RMDTEST)
 
 test_bf:
-	$(SET_SO_PATHS); ./$(BFTEST)
+	../util/shlib_wrap.sh ./$(BFTEST)
 
 test_cast:
-	$(SET_SO_PATHS); ./$(CASTTEST)
+	../util/shlib_wrap.sh ./$(CASTTEST)
 
 test_rc2:
-	$(SET_SO_PATHS); ./$(RC2TEST)
+	../util/shlib_wrap.sh ./$(RC2TEST)
 
 test_rc4:
-	$(SET_SO_PATHS); ./$(RC4TEST)
+	../util/shlib_wrap.sh ./$(RC4TEST)
 
 test_rc5:
-	$(SET_SO_PATHS); ./$(RC5TEST)
+	../util/shlib_wrap.sh ./$(RC5TEST)
 
 test_rand:
-	$(SET_SO_PATHS); ./$(RANDTEST)
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	  $(SET_SO_PATHS); ./$(FIPS_RANDTEST); \
-	fi
+	../util/shlib_wrap.sh ./$(RANDTEST)
 
 test_enc:
-	@$(SET_SO_PATHS); sh ./testenc
+	@sh ./testenc
 
 test_x509:
 	echo test normal x509v1 certificate
-	$(SET_SO_PATHS); sh ./tx509 2>/dev/null
+	sh ./tx509 2>/dev/null
 	echo test first x509v3 certificate
-	$(SET_SO_PATHS); sh ./tx509 v3-cert1.pem 2>/dev/null
+	sh ./tx509 v3-cert1.pem 2>/dev/null
 	echo test second x509v3 certificate
-	$(SET_SO_PATHS); sh ./tx509 v3-cert2.pem 2>/dev/null
+	sh ./tx509 v3-cert2.pem 2>/dev/null
 
 test_rsa:
-	@$(SET_SO_PATHS); sh ./trsa 2>/dev/null
-	$(SET_SO_PATHS); ./$(RSATEST)
+	@sh ./trsa 2>/dev/null
+	../util/shlib_wrap.sh ./$(RSATEST)
 
 test_crl:
-	@$(SET_SO_PATHS); sh ./tcrl 2>/dev/null
+	@sh ./tcrl 2>/dev/null
 
 test_sid:
-	@$(SET_SO_PATHS); sh ./tsid 2>/dev/null
+	@sh ./tsid 2>/dev/null
 
 test_req:
-	@$(SET_SO_PATHS); sh ./treq 2>/dev/null
-	@$(SET_SO_PATHS); sh ./treq testreq2.pem 2>/dev/null
+	@sh ./treq 2>/dev/null
+	@sh ./treq testreq2.pem 2>/dev/null
 
 test_pkcs7:
-	@$(SET_SO_PATHS); sh ./tpkcs7 2>/dev/null
-	@$(SET_SO_PATHS); sh ./tpkcs7d 2>/dev/null
+	@sh ./tpkcs7 2>/dev/null
+	@sh ./tpkcs7d 2>/dev/null
 
 test_bn:
 	@echo starting big number library test, could take a while...
-	@$(SET_SO_PATHS); ./$(BNTEST) >tmp.bntest
+	@../util/shlib_wrap.sh ./$(BNTEST) >tmp.bntest
 	@echo quit >>tmp.bntest
 	@echo "running bc"
 	@<tmp.bntest sh -c "`sh ./bctest ignore`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"'
 	@echo 'test a^b%c implementations'
-	$(SET_SO_PATHS); ./$(EXPTEST)
+	../util/shlib_wrap.sh ./$(EXPTEST)
 
 test_ec:
 	@echo 'test elliptic curves'
-	$(SET_SO_PATHS); ./$(ECTEST)
+	../util/shlib_wrap.sh ./$(ECTEST)
+
+test_ecdsa:
+	@echo 'test ecdsa'
+	../util/shlib_wrap.sh ./$(ECDSATEST)
+
+test_ecdh:
+	@echo 'test ecdh'
+	../util/shlib_wrap.sh ./$(ECDHTEST)
 
 test_verify:
 	@echo "The following command should have some OK's and some failures"
 	@echo "There are definitly a few expired certificates"
-	-$(SET_SO_PATHS); ../apps/openssl verify -CApath ../certs ../certs/*.pem
+	../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs ../certs/*.pem
 
 test_dh:
 	@echo "Generate a set of DH parameters"
-	$(SET_SO_PATHS); ./$(DHTEST)
+	../util/shlib_wrap.sh ./$(DHTEST)
 
 test_dsa:
 	@echo "Generate a set of DSA parameters"
-	$(SET_SO_PATHS); ./$(DSATEST)
-	$(SET_SO_PATHS); ./$(DSATEST) -app2_1
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	  $(SET_SO_PATHS); ./$(FIPS_DSATEST); \
-	  $(SET_SO_PATHS); ./$(FIPS_DSATEST) -app2_1; \
-	fi
+	../util/shlib_wrap.sh ./$(DSATEST)
+	../util/shlib_wrap.sh ./$(DSATEST) -app2_1
 
 test_gen:
 	@echo "Generate and verify a certificate request"
-	@$(SET_SO_PATHS); sh ./testgen
+	@sh ./testgen
 
-test_ss keyU.ss certU.ss certCA.ss: testss
+test_ss keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \
+		intP1.ss intP2.ss: testss
 	@echo "Generate and certify a test certificate"
-	@$(SET_SO_PATHS); sh ./testss
+	@sh ./testss
+	@cat certCA.ss certU.ss > intP1.ss
+	@cat certCA.ss certU.ss certP1.ss > intP2.ss
 
 test_engine: 
 	@echo "Manipulate the ENGINE structures"
-	$(SET_SO_PATHS); ./$(ENGINETEST)
+	../util/shlib_wrap.sh ./$(ENGINETEST)
 
-test_ssl: keyU.ss certU.ss certCA.ss
+test_ssl: keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \
+		intP1.ss intP2.ss
 	@echo "test SSL protocol"
-	@if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	  $(SET_SO_PATHS); sh ./testfipsssl keyU.ss certU.ss certCA.ss; \
-	fi
-	@$(SET_SO_PATHS); sh ./testssl keyU.ss certU.ss certCA.ss
+	../util/shlib_wrap.sh ./$(SSLTEST) -test_cipherlist
+	@sh ./testssl keyU.ss certU.ss certCA.ss
+	@sh ./testsslproxy keyP1.ss certP1.ss intP1.ss
+	@sh ./testsslproxy keyP2.ss certP2.ss intP2.ss
 
 test_ca:
-	@$(SET_SO_PATHS); if ../apps/openssl no-rsa; then \
+	@if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then \
 	  echo "skipping CA.sh test -- requires RSA"; \
 	else \
 	  echo "Generate and certify a test certificate via the 'ca' program"; \
@@ -292,13 +280,17 @@ test_ca:
 
 test_aes: #$(AESTEST)
 #	@echo "test Rijndael"
-#	$(SET_SO_PATHS); ./$(AESTEST)
+#	../util/shlib_wrap.sh ./$(AESTEST)
 
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC)
+	@if [ -z "$(THIS)" ]; then \
+	    $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \
+	else \
+	    $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC); \
+	fi
 
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -313,267 +305,108 @@ $(DLIBSSL):
 $(DLIBCRYPTO):
 	(cd ..; $(MAKE) DIRS=crypto all)
 
-$(FIPS_AESTEST)$(EXE_EXT): $(FIPS_AESTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(FIPS_AESTEST)$(EXE_EXT) $(CFLAGS) $(FIPS_AESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
+		shlib_target="$(SHLIB_TARGET)"; \
+	fi; \
+	if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \
+		LIBRARIES="$(DLIBSSL) $(DLIBCRYPTO) $(LIBKRB5)"; \
 	else \
-	  $(CC) -o $(FIPS_AESTEST)$(EXE_EXT) $(CFLAGS) $(FIPS_AESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	  TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_AESTEST); \
-	fi
+		LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
+	fi; \
+	$(MAKE) -f $(TOP)/Makefile.shared -e \
+		APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
+		LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
+		link_app.$${shlib_target}
 
 $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(RSATEST)$(EXE_EXT) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(RSATEST)$(EXE_EXT) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(RSATEST); $(BUILD_CMD)
 
 $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(BNTEST)$(EXE_EXT) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(BNTEST)$(EXE_EXT) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(BNTEST); $(BUILD_CMD)
 
 $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(ECTEST)$(EXE_EXT) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(ECTEST)$(EXE_EXT) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(ECTEST); $(BUILD_CMD)
 
 $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(EXPTEST)$(EXE_EXT) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(EXPTEST)$(EXE_EXT) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(EXPTEST); $(BUILD_CMD)
 
 $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(IDEATEST)$(EXE_EXT) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(IDEATEST)$(EXE_EXT) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(IDEATEST); $(BUILD_CMD)
 
 $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(MD2TEST)$(EXE_EXT) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(MD2TEST)$(EXE_EXT) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(MD2TEST); $(BUILD_CMD)
 
 $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(SHATEST)$(EXE_EXT) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(SHATEST)$(EXE_EXT) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(SHATEST); $(BUILD_CMD)
 
 $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(SHA1TEST)$(EXE_EXT) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(SHA1TEST)$(EXE_EXT) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(SHA1TEST); $(BUILD_CMD)
 
-$(FIPS_SHA1TEST)$(EXE_EXT): $(FIPS_SHA1TEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(FIPS_SHA1TEST)$(EXE_EXT) $(CFLAGS) $(FIPS_SHA1TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  $(CC) -o $(FIPS_SHA1TEST)$(EXE_EXT) $(CFLAGS) $(FIPS_SHA1TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	  TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_SHA1TEST); \
-	fi
+$(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
+	@target=$(SHA256TEST); $(BUILD_CMD)
+
+$(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
+	@target=$(SHA512TEST); $(BUILD_CMD)
 
 $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(RMDTEST)$(EXE_EXT) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(RMDTEST)$(EXE_EXT) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(RMDTEST); $(BUILD_CMD)
 
 $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(MDC2TEST)$(EXE_EXT) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(MDC2TEST)$(EXE_EXT) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(MDC2TEST); $(BUILD_CMD)
 
 $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(MD4TEST)$(EXE_EXT) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(MD4TEST)$(EXE_EXT) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(MD4TEST); $(BUILD_CMD)
 
 $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(MD5TEST)$(EXE_EXT) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(MD5TEST)$(EXE_EXT) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(MD5TEST); $(BUILD_CMD)
 
 $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(HMACTEST)$(EXE_EXT) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(HMACTEST)$(EXE_EXT) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(HMACTEST); $(BUILD_CMD)
 
 $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(RC2TEST)$(EXE_EXT) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(RC2TEST)$(EXE_EXT) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(RC2TEST); $(BUILD_CMD)
 
 $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(BFTEST)$(EXE_EXT) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(BFTEST)$(EXE_EXT) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(BFTEST); $(BUILD_CMD)
 
 $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(CASTTEST)$(EXE_EXT) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(CASTTEST)$(EXE_EXT) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(CASTTEST); $(BUILD_CMD)
 
 $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(RC4TEST)$(EXE_EXT) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(RC4TEST)$(EXE_EXT) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(RC4TEST); $(BUILD_CMD)
 
 $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(RC5TEST)$(EXE_EXT) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(RC5TEST)$(EXE_EXT) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(RC5TEST); $(BUILD_CMD)
 
 $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(DESTEST)$(EXE_EXT) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(DESTEST)$(EXE_EXT) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
-
-$(FIPS_DESTEST)$(EXE_EXT): $(FIPS_DESTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(FIPS_DESTEST)$(EXE_EXT) $(CFLAGS) $(FIPS_DESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(FIPS_DESTEST)$(EXE_EXT) $(CFLAGS) $(FIPS_DESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	  TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_DESTEST); \
-	fi
+	@target=$(DESTEST); $(BUILD_CMD)
 
 $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(RANDTEST)$(EXE_EXT) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(RANDTEST)$(EXE_EXT) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
-
-$(FIPS_RANDTEST)$(EXE_EXT): $(FIPS_RANDTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(FIPS_RANDTEST)$(EXE_EXT) $(CFLAGS) $(FIPS_RANDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  $(CC) -o $(FIPS_RANDTEST)$(EXE_EXT) $(CFLAGS) $(FIPS_RANDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	  TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_RANDTEST); \
-	fi
+	@target=$(RANDTEST); $(BUILD_CMD)
 
 $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(DHTEST)$(EXE_EXT) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(DHTEST)$(EXE_EXT) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(DHTEST); $(BUILD_CMD)
 
 $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(DSATEST)$(EXE_EXT) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(DSATEST)$(EXE_EXT) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
-
-$(FIPS_DSATEST)$(EXE_EXT): $(FIPS_DSATEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(FIPS_DSATEST)$(EXE_EXT) $(CFLAGS) $(FIPS_DSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  $(CC) -o $(FIPS_DSATEST)$(EXE_EXT) $(CFLAGS) $(FIPS_DSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	  TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(FIPS_DSATEST); \
-	fi
+	@target=$(DSATEST); $(BUILD_CMD)
 
 $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(METHTEST)$(EXE_EXT) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(METHTEST)$(EXE_EXT) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(METHTEST); $(BUILD_CMD)
 
 $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(SSLTEST)$(EXE_EXT) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(SSLTEST)$(EXE_EXT) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	  TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(SSLTEST); \
-	fi
+	@target=$(SSLTEST); $(BUILD_CMD)
 
 $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(ENGINETEST)$(EXE_EXT) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(ENGINETEST)$(EXE_EXT) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(ENGINETEST); $(BUILD_CMD)
 
 $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(EVPTEST)$(EXE_EXT) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(EVPTEST)$(EXE_EXT) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=$(EVPTEST); $(BUILD_CMD)
+
+$(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
+	@target=$(ECDSATEST); $(BUILD_CMD)
+
+$(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
+	@target=$(ECDHTEST); $(BUILD_CMD)
 
 #$(AESTEST).o: $(AESTEST).c
 #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
@@ -582,51 +415,37 @@ $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
 #	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
 #	  $(CC) -o $(AESTEST)$(EXE_EXT) $(CFLAGS) $(AESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
 #	else \
-#	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
 #	  $(CC) -o $(AESTEST)$(EXE_EXT) $(CFLAGS) $(AESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
 #	fi
 
 dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o dummytest$(EXE_EXT) $(CFLAGS) dummytest.o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o dummytest$(EXE_EXT) $(CFLAGS) dummytest.o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi
+	@target=dummytest$; $(BUILD_CMD)
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 bftest.o: ../e_os.h ../include/openssl/blowfish.h ../include/openssl/e_os2.h
 bftest.o: ../include/openssl/opensslconf.h bftest.c
-bntest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-bntest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+bntest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 bntest.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-bntest.o: ../include/openssl/cast.h ../include/openssl/crypto.h
-bntest.o: ../include/openssl/des.h ../include/openssl/des_old.h
-bntest.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-bntest.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-bntest.o: ../include/openssl/evp.h ../include/openssl/idea.h
-bntest.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-bntest.o: ../include/openssl/md4.h ../include/openssl/md5.h
-bntest.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-bntest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-bntest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-bntest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-bntest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-bntest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-bntest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-bntest.o: ../include/openssl/sha.h ../include/openssl/stack.h
-bntest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
-bntest.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-bntest.o: ../include/openssl/x509_vfy.h bntest.c
+bntest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+bntest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+bntest.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+bntest.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+bntest.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+bntest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+bntest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+bntest.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+bntest.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+bntest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+bntest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+bntest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h bntest.c
 casttest.o: ../e_os.h ../include/openssl/cast.h ../include/openssl/e_os2.h
 casttest.o: ../include/openssl/opensslconf.h casttest.c
-destest.o: ../include/openssl/crypto.h ../include/openssl/des.h
-destest.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h
-destest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-destest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-destest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
-destest.o: ../include/openssl/ui_compat.h destest.c
+destest.o: ../include/openssl/des.h ../include/openssl/des_old.h
+destest.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
+destest.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+destest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+destest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h destest.c
 dhtest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
 dhtest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
 dhtest.o: ../include/openssl/e_os2.h ../include/openssl/err.h
@@ -642,47 +461,52 @@ dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 dsatest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
 dsatest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 dsatest.o: ../include/openssl/symhacks.h dsatest.c
+ecdhtest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+ecdhtest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
+ecdhtest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ecdhtest.o: ../include/openssl/ecdh.h ../include/openssl/err.h
+ecdhtest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ecdhtest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ecdhtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ecdhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+ecdhtest.o: ../include/openssl/sha.h ../include/openssl/stack.h
+ecdhtest.o: ../include/openssl/symhacks.h ecdhtest.c
+ecdsatest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ecdsatest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
+ecdsatest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ecdsatest.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+ecdsatest.o: ../include/openssl/err.h ../include/openssl/evp.h
+ecdsatest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ecdsatest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ecdsatest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ecdsatest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+ecdsatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ecdsatest.o: ecdsatest.c
 ectest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ectest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
-ectest.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 ectest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 ectest.o: ../include/openssl/engine.h ../include/openssl/err.h
-ectest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+ectest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ectest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 ectest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ectest.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-ectest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-ectest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h ectest.c
-enginetest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-enginetest.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-enginetest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
-enginetest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ectest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+ectest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ectest.c
+enginetest.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+enginetest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 enginetest.o: ../include/openssl/engine.h ../include/openssl/err.h
 enginetest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
 enginetest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-enginetest.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 enginetest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-enginetest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
-enginetest.o: enginetest.c
-evp_test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-evp_test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-evp_test.o: ../include/openssl/bn.h ../include/openssl/cast.h
+enginetest.o: ../include/openssl/symhacks.h enginetest.c
+evp_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 evp_test.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-evp_test.o: ../include/openssl/des.h ../include/openssl/des_old.h
-evp_test.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 evp_test.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
 evp_test.o: ../include/openssl/err.h ../include/openssl/evp.h
-evp_test.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-evp_test.o: ../include/openssl/md2.h ../include/openssl/md4.h
-evp_test.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-evp_test.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-evp_test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-evp_test.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
-evp_test.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-evp_test.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-evp_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-evp_test.o: ../include/openssl/sha.h ../include/openssl/stack.h
-evp_test.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
-evp_test.o: ../include/openssl/ui_compat.h evp_test.c
+evp_test.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+evp_test.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+evp_test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+evp_test.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+evp_test.o: ../include/openssl/symhacks.h evp_test.c
 exptest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
 exptest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 exptest.o: ../include/openssl/err.h ../include/openssl/lhash.h
@@ -690,187 +514,62 @@ exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 exptest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
 exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 exptest.o: ../include/openssl/symhacks.h exptest.c
-fips_aesavs.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-fips_aesavs.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-fips_aesavs.o: ../include/openssl/bn.h ../include/openssl/cast.h
-fips_aesavs.o: ../include/openssl/crypto.h ../include/openssl/des.h
-fips_aesavs.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-fips_aesavs.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-fips_aesavs.o: ../include/openssl/err.h ../include/openssl/evp.h
-fips_aesavs.o: ../include/openssl/fips.h ../include/openssl/idea.h
-fips_aesavs.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-fips_aesavs.o: ../include/openssl/md4.h ../include/openssl/md5.h
-fips_aesavs.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-fips_aesavs.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-fips_aesavs.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-fips_aesavs.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-fips_aesavs.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-fips_aesavs.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-fips_aesavs.o: ../include/openssl/sha.h ../include/openssl/stack.h
-fips_aesavs.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
-fips_aesavs.o: ../include/openssl/ui_compat.h fips_aesavs.c
-fips_desmovs.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-fips_desmovs.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-fips_desmovs.o: ../include/openssl/bn.h ../include/openssl/cast.h
-fips_desmovs.o: ../include/openssl/crypto.h ../include/openssl/des.h
-fips_desmovs.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-fips_desmovs.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-fips_desmovs.o: ../include/openssl/err.h ../include/openssl/evp.h
-fips_desmovs.o: ../include/openssl/fips.h ../include/openssl/idea.h
-fips_desmovs.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-fips_desmovs.o: ../include/openssl/md4.h ../include/openssl/md5.h
-fips_desmovs.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-fips_desmovs.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-fips_desmovs.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-fips_desmovs.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-fips_desmovs.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-fips_desmovs.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-fips_desmovs.o: ../include/openssl/sha.h ../include/openssl/stack.h
-fips_desmovs.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
-fips_desmovs.o: ../include/openssl/ui_compat.h fips_desmovs.c
-fips_dsatest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-fips_dsatest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
-fips_dsatest.o: ../include/openssl/des.h ../include/openssl/des_old.h
-fips_dsatest.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-fips_dsatest.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-fips_dsatest.o: ../include/openssl/err.h ../include/openssl/fips.h
-fips_dsatest.o: ../include/openssl/fips_rand.h ../include/openssl/lhash.h
-fips_dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-fips_dsatest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
-fips_dsatest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-fips_dsatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-fips_dsatest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-fips_dsatest.o: fips_dsatest.c
-fips_randtest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/crypto.h
-fips_randtest.o: ../include/openssl/des.h ../include/openssl/des_old.h
-fips_randtest.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-fips_randtest.o: ../include/openssl/fips_rand.h ../include/openssl/lhash.h
-fips_randtest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-fips_randtest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
-fips_randtest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-fips_randtest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
-fips_randtest.o: ../include/openssl/ui_compat.h fips_randtest.c
-fips_sha1test.o: ../include/openssl/bio.h ../include/openssl/crypto.h
-fips_sha1test.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-fips_sha1test.o: ../include/openssl/fips.h ../include/openssl/lhash.h
-fips_sha1test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-fips_sha1test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-fips_sha1test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-fips_sha1test.o: fips_sha1test.c
-hmactest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-hmactest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-hmactest.o: ../include/openssl/bn.h ../include/openssl/cast.h
-hmactest.o: ../include/openssl/crypto.h ../include/openssl/des.h
-hmactest.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-hmactest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+hmactest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+hmactest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 hmactest.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-hmactest.o: ../include/openssl/idea.h ../include/openssl/md2.h
-hmactest.o: ../include/openssl/md4.h ../include/openssl/md5.h
-hmactest.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+hmactest.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
 hmactest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 hmactest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-hmactest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-hmactest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-hmactest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-hmactest.o: ../include/openssl/sha.h ../include/openssl/stack.h
-hmactest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
-hmactest.o: ../include/openssl/ui_compat.h hmactest.c
+hmactest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+hmactest.o: ../include/openssl/symhacks.h hmactest.c
 ideatest.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/idea.h
 ideatest.o: ../include/openssl/opensslconf.h ideatest.c
-md2test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-md2test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-md2test.o: ../include/openssl/bn.h ../include/openssl/cast.h
-md2test.o: ../include/openssl/crypto.h ../include/openssl/des.h
-md2test.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-md2test.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-md2test.o: ../include/openssl/evp.h ../include/openssl/idea.h
-md2test.o: ../include/openssl/md2.h ../include/openssl/md4.h
-md2test.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+md2test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+md2test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+md2test.o: ../include/openssl/evp.h ../include/openssl/md2.h
 md2test.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 md2test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-md2test.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h
-md2test.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-md2test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-md2test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-md2test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-md2test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h md2test.c
-md4test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-md4test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-md4test.o: ../include/openssl/bn.h ../include/openssl/cast.h
-md4test.o: ../include/openssl/crypto.h ../include/openssl/des.h
-md4test.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-md4test.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-md4test.o: ../include/openssl/evp.h ../include/openssl/idea.h
-md4test.o: ../include/openssl/md2.h ../include/openssl/md4.h
-md4test.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+md2test.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+md2test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h md2test.c
+md4test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+md4test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+md4test.o: ../include/openssl/evp.h ../include/openssl/md4.h
 md4test.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 md4test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-md4test.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h
-md4test.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-md4test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-md4test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-md4test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-md4test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h md4test.c
-md5test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-md5test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-md5test.o: ../include/openssl/bn.h ../include/openssl/cast.h
-md5test.o: ../include/openssl/crypto.h ../include/openssl/des.h
-md5test.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-md5test.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-md5test.o: ../include/openssl/evp.h ../include/openssl/idea.h
-md5test.o: ../include/openssl/md2.h ../include/openssl/md4.h
-md5test.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+md4test.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+md4test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h md4test.c
+md5test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+md5test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+md5test.o: ../include/openssl/evp.h ../include/openssl/md5.h
 md5test.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 md5test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-md5test.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h
-md5test.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-md5test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-md5test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-md5test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-md5test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h md5test.c
-mdc2test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-mdc2test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-mdc2test.o: ../include/openssl/bn.h ../include/openssl/cast.h
-mdc2test.o: ../include/openssl/crypto.h ../include/openssl/des.h
-mdc2test.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-mdc2test.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-mdc2test.o: ../include/openssl/evp.h ../include/openssl/idea.h
-mdc2test.o: ../include/openssl/md2.h ../include/openssl/md4.h
-mdc2test.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-mdc2test.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-mdc2test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-mdc2test.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h
-mdc2test.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-mdc2test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-mdc2test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-mdc2test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-mdc2test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h mdc2test.c
+md5test.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+md5test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h md5test.c
+mdc2test.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
+mdc2test.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
+mdc2test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+mdc2test.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+mdc2test.o: ../include/openssl/symhacks.h mdc2test.c
 randtest.o: ../e_os.h ../include/openssl/e_os2.h
 randtest.o: ../include/openssl/opensslconf.h ../include/openssl/ossl_typ.h
 randtest.o: ../include/openssl/rand.h randtest.c
 rc2test.o: ../e_os.h ../include/openssl/e_os2.h
 rc2test.o: ../include/openssl/opensslconf.h ../include/openssl/rc2.h rc2test.c
 rc4test.o: ../e_os.h ../include/openssl/e_os2.h
-rc4test.o: ../include/openssl/opensslconf.h ../include/openssl/rc4.h rc4test.c
-rc5test.o: ../e_os.h ../include/openssl/e_os2.h
-rc5test.o: ../include/openssl/opensslconf.h ../include/openssl/rc5.h rc5test.c
-rmdtest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-rmdtest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-rmdtest.o: ../include/openssl/bn.h ../include/openssl/cast.h
-rmdtest.o: ../include/openssl/crypto.h ../include/openssl/des.h
-rmdtest.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-rmdtest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-rmdtest.o: ../include/openssl/evp.h ../include/openssl/idea.h
-rmdtest.o: ../include/openssl/md2.h ../include/openssl/md4.h
-rmdtest.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-rmdtest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-rmdtest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-rmdtest.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h
-rmdtest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-rmdtest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-rmdtest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-rmdtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-rmdtest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h rmdtest.c
+rc4test.o: ../include/openssl/opensslconf.h ../include/openssl/rc4.h
+rc4test.o: ../include/openssl/sha.h rc4test.c
+rc5test.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
+rc5test.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
+rc5test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+rc5test.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+rc5test.o: ../include/openssl/symhacks.h rc5test.c
+rmdtest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+rmdtest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+rmdtest.o: ../include/openssl/evp.h ../include/openssl/obj_mac.h
+rmdtest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+rmdtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+rmdtest.o: ../include/openssl/ripemd.h ../include/openssl/safestack.h
+rmdtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h rmdtest.c
 rsa_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 rsa_test.o: ../include/openssl/bn.h ../include/openssl/crypto.h
 rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/err.h
@@ -879,63 +578,39 @@ rsa_test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 rsa_test.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 rsa_test.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 rsa_test.o: ../include/openssl/symhacks.h rsa_test.c
-sha1test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-sha1test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-sha1test.o: ../include/openssl/bn.h ../include/openssl/cast.h
-sha1test.o: ../include/openssl/crypto.h ../include/openssl/des.h
-sha1test.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-sha1test.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-sha1test.o: ../include/openssl/evp.h ../include/openssl/idea.h
-sha1test.o: ../include/openssl/md2.h ../include/openssl/md4.h
-sha1test.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-sha1test.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-sha1test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-sha1test.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h
-sha1test.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-sha1test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+sha1test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+sha1test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+sha1test.o: ../include/openssl/evp.h ../include/openssl/obj_mac.h
+sha1test.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+sha1test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 sha1test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-sha1test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-sha1test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h sha1test.c
-shatest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-shatest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-shatest.o: ../include/openssl/bn.h ../include/openssl/cast.h
-shatest.o: ../include/openssl/crypto.h ../include/openssl/des.h
-shatest.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-shatest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-shatest.o: ../include/openssl/evp.h ../include/openssl/idea.h
-shatest.o: ../include/openssl/md2.h ../include/openssl/md4.h
-shatest.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-shatest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-shatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-shatest.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h
-shatest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-shatest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+sha1test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h sha1test.c
+shatest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+shatest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+shatest.o: ../include/openssl/evp.h ../include/openssl/obj_mac.h
+shatest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+shatest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 shatest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-shatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-shatest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h shatest.c
-ssltest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ssltest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+shatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h shatest.c
+ssltest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssltest.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ssltest.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ssltest.o: ../include/openssl/crypto.h ../include/openssl/des.h
-ssltest.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-ssltest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ssltest.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ssltest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+ssltest.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssltest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssltest.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssltest.o: ../include/openssl/engine.h ../include/openssl/err.h
-ssltest.o: ../include/openssl/evp.h ../include/openssl/fips.h
-ssltest.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-ssltest.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ssltest.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ssltest.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ssltest.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+ssltest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 ssltest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 ssltest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 ssltest.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssltest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-ssltest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-ssltest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssltest.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+ssltest.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
 ssltest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 ssltest.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 ssltest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 ssltest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssltest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssltest.c
+ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssltest.o: ../include/openssl/x509v3.h ssltest.c
diff --git a/crypto/openssl/test/P1ss.cnf b/crypto/openssl/test/P1ss.cnf
new file mode 100644
index 000000000000..876a0d35f819
--- /dev/null
+++ b/crypto/openssl/test/P1ss.cnf
@@ -0,0 +1,37 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE		= ./.rnd
+
+####################################################################
+[ req ]
+default_bits		= 512
+default_keyfile 	= keySS.pem
+distinguished_name	= req_distinguished_name
+encrypt_rsa_key		= no
+default_md		= md2
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_value		= AU
+
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+
+0.commonName			= Common Name (eg, YOUR name)
+0.commonName_value		= Brother 1
+
+1.commonName			= Common Name (eg, YOUR name)
+1.commonName_value		= Brother 2
+
+2.commonName			= Common Name (eg, YOUR name)
+2.commonName_value		= Proxy 1
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/crypto/openssl/test/P2ss.cnf b/crypto/openssl/test/P2ss.cnf
new file mode 100644
index 000000000000..373a87e7c2ee
--- /dev/null
+++ b/crypto/openssl/test/P2ss.cnf
@@ -0,0 +1,45 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE		= ./.rnd
+
+####################################################################
+[ req ]
+default_bits		= 512
+default_keyfile 	= keySS.pem
+distinguished_name	= req_distinguished_name
+encrypt_rsa_key		= no
+default_md		= md2
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_value		= AU
+
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+
+0.commonName			= Common Name (eg, YOUR name)
+0.commonName_value		= Brother 1
+
+1.commonName			= Common Name (eg, YOUR name)
+1.commonName_value		= Brother 2
+
+2.commonName			= Common Name (eg, YOUR name)
+2.commonName_value		= Proxy 1
+
+3.commonName			= Common Name (eg, YOUR name)
+3.commonName_value		= Proxy 2
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,@proxy_ext
+
+[ proxy_ext ]
+language=id-ppl-anyLanguage
+pathlen=0
+policy=text:BC
diff --git a/crypto/openssl/test/Uss.cnf b/crypto/openssl/test/Uss.cnf
index c89692d5199c..0c0ebb5f6729 100644
--- a/crypto/openssl/test/Uss.cnf
+++ b/crypto/openssl/test/Uss.cnf
@@ -26,3 +26,11 @@ organizationName_value          = Dodgy Brothers
 
 1.commonName			= Common Name (eg, YOUR name)
 1.commonName_value		= Brother 2
+
+[ v3_ee ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+issuerAltName=issuer:copy
+
diff --git a/crypto/openssl/test/bctest b/crypto/openssl/test/bctest
index e81fc0733a6b..bdb3218f7aca 100755
--- a/crypto/openssl/test/bctest
+++ b/crypto/openssl/test/bctest
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# This script is used by test/Makefile to check whether a sane 'bc'
+# This script is used by test/Makefile.ssl to check whether a sane 'bc'
 # is installed.
 # ('make test_bn' should not try to run 'bc' if it does not exist or if
 # it is a broken 'bc' version that is known to cause trouble.)
diff --git a/crypto/openssl/test/evptests.txt b/crypto/openssl/test/evptests.txt
index dfe91a5bc0e4..80bd9c7765cb 100644
--- a/crypto/openssl/test/evptests.txt
+++ b/crypto/openssl/test/evptests.txt
@@ -92,102 +92,7 @@ AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:F58C4C04D6E5F1BA779EABFB5F7BFBD6:AE2D8A571E03AC9C9EB76FAC45AF8E51:9CFC4E967EDB808D679F777BC6702C7D
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:9CFC4E967EDB808D679F777BC6702C7D:30C81C46A35CE411E5FBC1191A0A52EF:39F23369A9D9BACFA530E26304231461
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39F23369A9D9BACFA530E26304231461:F69F2445DF4F9B17AD2B417BE66C3710:B2EB05E2C39BE9FCDA6C19078C6A9D1B
-
-# CFB1-AES128.Encrypt
-
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:00:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00020406080a0c0e10121416181a1c1e:80:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0004080c1014181c2024282c3034383d:80:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0008101820283038404850586068707b:00:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00102030405060708090a0b0c0d0e0f6:80:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0020406080a0c0e10121416181a1c1ed:00:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:004080c1014181c2024282c3034383da:80:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:008101820283038404850586068707b4:80:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f68:80:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:020406080a0c0e10121416181a1c1ed1:80:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:04080c1014181c2024282c3034383da2:00:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:08101820283038404850586068707b45:00:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:102030405060708090a0b0c0d0e0f68b:00:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:20406080a0c0e10121416181a1c1ed16:00:00:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:4080c1014181c2024282c3034383da2c:00:80:1
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:8101820283038404850586068707b459:80:80:1
-# all of the above packed into one...
-# in: 0110 1011 1100 0001 = 6bc1
-# out: 0110 1000 1011 0011 = 68b3
-AES-128-CFB1*8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1:68b3:1
-
-# CFB1-AES128.Decrypt
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:00:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00020406080a0c0e10121416181a1c1e:80:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0004080c1014181c2024282c3034383d:80:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0008101820283038404850586068707b:00:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00102030405060708090a0b0c0d0e0f6:80:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0020406080a0c0e10121416181a1c1ed:00:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:004080c1014181c2024282c3034383da:80:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:008101820283038404850586068707b4:80:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f68:80:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:020406080a0c0e10121416181a1c1ed1:80:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:04080c1014181c2024282c3034383da2:00:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:08101820283038404850586068707b45:00:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:102030405060708090a0b0c0d0e0f68b:00:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:20406080a0c0e10121416181a1c1ed16:00:00:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:4080c1014181c2024282c3034383da2c:00:80:0
-AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:8101820283038404850586068707b459:80:80:0
-# all of the above packed into one...
-# in: 0110 1000 1011 0011 = 68b3
-# out: 0110 1011 1100 0001 = 6bc1
-AES-128-CFB1*8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1:68b3:0
-
-# TODO: CFB1-AES192 and 256
-
-# CFB8-AES128.Encrypt
-
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6b:3b:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f3b:c1:79:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:02030405060708090a0b0c0d0e0f3b79:be:42:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:030405060708090a0b0c0d0e0f3b7942:e2:4c:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0405060708090a0b0c0d0e0f3b79424c:2e:9c:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:05060708090a0b0c0d0e0f3b79424c9c:40:0d:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:060708090a0b0c0d0e0f3b79424c9c0d:9f:d4:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0708090a0b0c0d0e0f3b79424c9c0dd4:96:36:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:08090a0b0c0d0e0f3b79424c9c0dd436:e9:ba:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:090a0b0c0d0e0f3b79424c9c0dd436ba:3d:ce:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0a0b0c0d0e0f3b79424c9c0dd436bace:7e:9e:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0b0c0d0e0f3b79424c9c0dd436bace9e:11:0e:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0c0d0e0f3b79424c9c0dd436bace9e0e:73:d4:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0d0e0f3b79424c9c0dd436bace9e0ed4:93:58:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0e0f3b79424c9c0dd436bace9e0ed458:17:6a:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0f3b79424c9c0dd436bace9e0ed4586a:2a:4f:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:3b79424c9c0dd436bace9e0ed4586a4f:ae:32:1
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:79424c9c0dd436bace9e0ed4586a4f32:2d:b9:1
-# all of the above packed into one
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1bee22e409f96e93d7e117393172aae2d:3b79424c9c0dd436bace9e0ed4586a4f32b9:1
-
-# CFB8-AES128.Decrypt
-
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6b:3b:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f3b:c1:79:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:02030405060708090a0b0c0d0e0f3b79:be:42:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:030405060708090a0b0c0d0e0f3b7942:e2:4c:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0405060708090a0b0c0d0e0f3b79424c:2e:9c:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:05060708090a0b0c0d0e0f3b79424c9c:40:0d:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:060708090a0b0c0d0e0f3b79424c9c0d:9f:d4:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0708090a0b0c0d0e0f3b79424c9c0dd4:96:36:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:08090a0b0c0d0e0f3b79424c9c0dd436:e9:ba:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:090a0b0c0d0e0f3b79424c9c0dd436ba:3d:ce:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0a0b0c0d0e0f3b79424c9c0dd436bace:7e:9e:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0b0c0d0e0f3b79424c9c0dd436bace9e:11:0e:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0c0d0e0f3b79424c9c0dd436bace9e0e:73:d4:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0d0e0f3b79424c9c0dd436bace9e0ed4:93:58:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0e0f3b79424c9c0dd436bace9e0ed458:17:6a:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0f3b79424c9c0dd436bace9e0ed4586a:2a:4f:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:3b79424c9c0dd436bace9e0ed4586a4f:ae:32:0
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:79424c9c0dd436bace9e0ed4586a4f32:2d:b9:0
-# all of the above packed into one
-AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1bee22e409f96e93d7e117393172aae2d:3b79424c9c0dd436bace9e0ed4586a4f32b9:0
-
-# TODO: 192 and 256 bit keys
-
+# We don't support CFB{1,8}-AESxxx.{En,De}crypt
 # For all CFB128 encrypts and decrypts, the transformed sequence is
 #   AES-bits-CFB:key:IV/ciphertext':plaintext:ciphertext:encdec
 # CFB128-AES128.Encrypt 
@@ -269,16 +174,6 @@ DESX-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363
 # DES EDE3 CBC tests (from destest)
 DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
 
-# DES CFB1 from FIPS 81
-# plaintext: 0100 1110 0110 1111 0111 0111 = 4e6f77
-# ciphertext: 1100 1101 0001 1110 1100 1001 = cd1ec9
-
-DES-CFB1*8:0123456789abcdef:1234567890abcdef:4e6f77:cd1ec9
-
-# DES CFB8 from FIPS 81
-
-DES-CFB8:0123456789abcdef:1234567890abcdef:4e6f7720697320746865:f31fda07011462ee187f
-
 # RC4 tests (from rc4test)
 RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596
 RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879
diff --git a/crypto/openssl/test/tcrl b/crypto/openssl/test/tcrl
index f71ef7a8630c..055269eab8dd 100644
--- a/crypto/openssl/test/tcrl
+++ b/crypto/openssl/test/tcrl
@@ -1,13 +1,6 @@
 #!/bin/sh
 
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-
-cmd='../apps/openssl crl'
+cmd='../util/shlib_wrap.sh ../apps/openssl crl'
 
 if [ "$1"x != "x" ]; then
 	t=$1
diff --git a/crypto/openssl/test/testca b/crypto/openssl/test/testca
index 8215ebb5d1d0..b109cfe271f3 100644
--- a/crypto/openssl/test/testca
+++ b/crypto/openssl/test/testca
@@ -2,15 +2,18 @@
 
 SH="/bin/sh"
 if test "$OSTYPE" = msdosdjgpp; then
-    PATH=./apps\;../apps\;$PATH
+    PATH="../apps\;$PATH"
 else
-    PATH=../apps:$PATH
+    PATH="../apps:$PATH"
 fi
 export SH PATH
 
 SSLEAY_CONFIG="-config CAss.cnf"
 export SSLEAY_CONFIG
 
+OPENSSL="`pwd`/../util/opensslwrap.sh"
+export OPENSSL
+
 /bin/rm -fr demoCA
 $SH ../apps/CA.sh -newca <<EOF
 EOF
diff --git a/crypto/openssl/test/testenc b/crypto/openssl/test/testenc
index 70505f02225c..f5ce7c0c4573 100644
--- a/crypto/openssl/test/testenc
+++ b/crypto/openssl/test/testenc
@@ -2,7 +2,7 @@
 
 testsrc=Makefile
 test=./p
-cmd=../apps/openssl
+cmd="../util/shlib_wrap.sh ../apps/openssl"
 
 cat $testsrc >$test;
 
diff --git a/crypto/openssl/test/testgen b/crypto/openssl/test/testgen
index 3798543e0473..524c0d134c89 100644
--- a/crypto/openssl/test/testgen
+++ b/crypto/openssl/test/testgen
@@ -17,7 +17,7 @@ echo "generating certificate request"
 
 echo "string to make the random number generator think it has entropy" >> ./.rnd
 
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
   req_new='-newkey dsa:../apps/dsa512.pem'
 else
   req_new='-new'
@@ -29,13 +29,13 @@ echo "This could take some time."
 
 rm -f testkey.pem testreq.pem
 
-../apps/openssl req -config test.cnf $req_new -out testreq.pem
+../util/shlib_wrap.sh ../apps/openssl req -config test.cnf $req_new -out testreq.pem
 if [ $? != 0 ]; then
 echo problems creating request
 exit 1
 fi
 
-../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
+../util/shlib_wrap.sh ../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
 if [ $? != 0 ]; then
 echo signature on req is wrong
 exit 1
diff --git a/crypto/openssl/test/testss b/crypto/openssl/test/testss
index 8d3557f356d9..1a426857d31e 100644
--- a/crypto/openssl/test/testss
+++ b/crypto/openssl/test/testss
@@ -1,9 +1,9 @@
 #!/bin/sh
 
-digest='-md5'
-reqcmd="../apps/openssl req"
-x509cmd="../apps/openssl x509 $digest"
-verifycmd="../apps/openssl verify"
+digest='-sha1'
+reqcmd="../util/shlib_wrap.sh ../apps/openssl req"
+x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest"
+verifycmd="../util/shlib_wrap.sh ../apps/openssl verify"
 dummycnf="../apps/openssl.cnf"
 
 CAkey="keyCA.ss"
@@ -17,12 +17,24 @@ Ukey="keyU.ss"
 Ureq="reqU.ss"
 Ucert="certU.ss"
 
+P1conf="P1ss.cnf"
+P1key="keyP1.ss"
+P1req="reqP1.ss"
+P1cert="certP1.ss"
+P1intermediate="tmp_intP1.ss"
+
+P2conf="P2ss.cnf"
+P2key="keyP2.ss"
+P2req="reqP2.ss"
+P2cert="certP2.ss"
+P2intermediate="tmp_intP2.ss"
+
 echo
 echo "make a certificate request using 'req'"
 
 echo "string to make the random number generator think it has entropy" >> ./.rnd
 
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
   req_new='-newkey dsa:../apps/dsa512.pem'
 else
   req_new='-new'
@@ -35,7 +47,7 @@ if [ $? != 0 ]; then
 fi
 echo
 echo "convert the certificate request into a self signed certificate using 'x509'"
-$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey >err.ss
+$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss
 if [ $? != 0 ]; then
 	echo "error using 'x509' to self sign a certificate request"
 	exit 1
@@ -68,18 +80,18 @@ if [ $? != 0 ]; then
 fi
 
 echo
-echo "make another certificate request using 'req'"
+echo "make a user certificate request using 'req'"
 $reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss
 if [ $? != 0 ]; then
-	echo "error using 'req' to generate a certificate request"
+	echo "error using 'req' to generate a user certificate request"
 	exit 1
 fi
 
 echo
-echo "sign certificate request with the just created CA via 'x509'"
-$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey >err.ss
+echo "sign user certificate request with the just created CA via 'x509'"
+$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss
 if [ $? != 0 ]; then
-	echo "error using 'x509' to sign a certificate request"
+	echo "error using 'x509' to sign a user certificate request"
 	exit 1
 fi
 
@@ -89,11 +101,63 @@ echo "Certificate details"
 $x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
 
 echo
+echo "make a proxy certificate request using 'req'"
+$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss
+if [ $? != 0 ]; then
+	echo "error using 'req' to generate a proxy certificate request"
+	exit 1
+fi
+
+echo
+echo "sign proxy certificate request with the just created user certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+	echo "error using 'x509' to sign a proxy certificate request"
+	exit 1
+fi
+
+cat $Ucert > $P1intermediate
+$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert
+
+echo
+echo "make another proxy certificate request using 'req'"
+$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss
+if [ $? != 0 ]; then
+	echo "error using 'req' to generate another proxy certificate request"
+	exit 1
+fi
+
+echo
+echo "sign second proxy certificate request with the first proxy certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+	echo "error using 'x509' to sign a second proxy certificate request"
+	exit 1
+fi
+
+cat $Ucert $P1cert > $P2intermediate
+$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert
+
+echo
 echo The generated CA certificate is $CAcert
 echo The generated CA private key is $CAkey
 
 echo The generated user certificate is $Ucert
 echo The generated user private key is $Ukey
 
+echo The first generated proxy certificate is $P1cert
+echo The first generated proxy private key is $P1key
+
+echo The second generated proxy certificate is $P2cert
+echo The second generated proxy private key is $P2key
+
 /bin/rm err.ss
+#/bin/rm $P1intermediate
+#/bin/rm $P2intermediate
 exit 0
diff --git a/crypto/openssl/test/testssl b/crypto/openssl/test/testssl
index ca8e718022aa..8ac90ae5eec3 100644
--- a/crypto/openssl/test/testssl
+++ b/crypto/openssl/test/testssl
@@ -10,9 +10,9 @@ if [ "$2" = "" ]; then
 else
   cert="$2"
 fi
-ssltest="./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
+ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
 
-if ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
+if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
   dsa_cert=YES
 else
   dsa_cert=NO
@@ -121,24 +121,24 @@ $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
 
 #############################################################################
 
-if ../apps/openssl no-dh; then
+if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
   echo skipping anonymous DH tests
 else
   echo test tls1 with 1024bit anonymous DH, multiple handshakes
   $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
 fi
 
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
   echo skipping RSA tests
 else
   echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
-  ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
+  ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
 
-  if ../apps/openssl no-dh; then
+  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
     echo skipping RSA+DHE tests
   else
     echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
-    ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+    ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
   fi
 fi
 
diff --git a/crypto/openssl/test/testsslproxy b/crypto/openssl/test/testsslproxy
new file mode 100644
index 000000000000..58bbda8ab7d6
--- /dev/null
+++ b/crypto/openssl/test/testsslproxy
@@ -0,0 +1,10 @@
+#! /bin/sh
+
+echo 'Testing a lot of proxy conditions.'
+echo 'Some of them may turn out being invalid, which is fine.'
+for auth in A B C BC; do
+    for cond in A B C 'A|B&!C'; do
+	sh ./testssl $1 $2 $3 "-proxy -proxy_auth $auth -proxy_cond $cond"
+	if [ $? = 3 ]; then exit 1; fi
+    done
+done
diff --git a/crypto/openssl/test/tpkcs7 b/crypto/openssl/test/tpkcs7
index cf3bd9fadbe8..3e435ffbf9fd 100644
--- a/crypto/openssl/test/tpkcs7
+++ b/crypto/openssl/test/tpkcs7
@@ -1,13 +1,6 @@
 #!/bin/sh
 
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-
-cmd='../apps/openssl pkcs7'
+cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
 
 if [ "$1"x != "x" ]; then
 	t=$1
diff --git a/crypto/openssl/test/tpkcs7d b/crypto/openssl/test/tpkcs7d
index 18f9311b0689..64fc28e88f0b 100644
--- a/crypto/openssl/test/tpkcs7d
+++ b/crypto/openssl/test/tpkcs7d
@@ -1,13 +1,6 @@
 #!/bin/sh
 
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-
-cmd='../apps/openssl pkcs7'
+cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
 
 if [ "$1"x != "x" ]; then
 	t=$1
diff --git a/crypto/openssl/test/treq b/crypto/openssl/test/treq
index 47a8273cde62..77f37dcf3a9a 100644
--- a/crypto/openssl/test/treq
+++ b/crypto/openssl/test/treq
@@ -1,13 +1,6 @@
 #!/bin/sh
 
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-
-cmd='../apps/openssl req -config ../apps/openssl.cnf'
+cmd='../util/shlib_wrap.sh ../apps/openssl req -config ../apps/openssl.cnf'
 
 if [ "$1"x != "x" ]; then
 	t=$1
@@ -15,7 +8,7 @@ else
 	t=testreq.pem
 fi
 
-if $cmd -in $t -inform p -noout -text | fgrep 'Unknown Public Key'; then
+if $cmd -in $t -inform p -noout -text 2>&1 | fgrep -i 'Unknown Public Key'; then
   echo "skipping req conversion test for $t"
   exit 0
 fi
diff --git a/crypto/openssl/test/trsa b/crypto/openssl/test/trsa
index 413e2ec0a0cd..249ac1ddcc6b 100644
--- a/crypto/openssl/test/trsa
+++ b/crypto/openssl/test/trsa
@@ -1,18 +1,11 @@
 #!/bin/sh
 
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
   echo skipping rsa conversion test
   exit 0
 fi
 
-cmd='../apps/openssl rsa'
+cmd='../util/shlib_wrap.sh ../apps/openssl rsa'
 
 if [ "$1"x != "x" ]; then
 	t=$1
diff --git a/crypto/openssl/test/tsid b/crypto/openssl/test/tsid
index 40a1dfa97ce8..6adbd531ce0a 100644
--- a/crypto/openssl/test/tsid
+++ b/crypto/openssl/test/tsid
@@ -1,13 +1,6 @@
 #!/bin/sh
 
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-
-cmd='../apps/openssl sess_id'
+cmd='../util/shlib_wrap.sh ../apps/openssl sess_id'
 
 if [ "$1"x != "x" ]; then
 	t=$1
diff --git a/crypto/openssl/test/tx509 b/crypto/openssl/test/tx509
index d380963abce5..4a15b98d17d8 100644
--- a/crypto/openssl/test/tx509
+++ b/crypto/openssl/test/tx509
@@ -1,13 +1,6 @@
 #!/bin/sh
 
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH
-else
-    PATH=../apps:$PATH
-fi
-export PATH
-
-cmd='../apps/openssl x509'
+cmd='../util/shlib_wrap.sh ../apps/openssl x509'
 
 if [ "$1"x != "x" ]; then
 	t=$1
diff --git a/crypto/openssl/tools/Makefile b/crypto/openssl/tools/Makefile
index 52a797045529..4ca835c4af5c 100644
--- a/crypto/openssl/tools/Makefile
+++ b/crypto/openssl/tools/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/tools/Makefile
+# OpenSSL/tools/Makefile
 #
 
 DIR=	tools
@@ -7,15 +7,11 @@ TOP=	..
 CC=	cc
 INCLUDES= -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 
+GENERAL=Makefile
 TEST=
 APPS= c_rehash
 MISC_APPS= c_hash c_info c_issuer c_name
@@ -23,6 +19,7 @@ MISC_APPS= c_hash c_info c_issuer c_name
 all:
 
 install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
 	@for i in $(APPS) ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
diff --git a/crypto/openssl/util/ck_errf.pl b/crypto/openssl/util/ck_errf.pl
index 7a24d6c5a2e2..344b422c3403 100755
--- a/crypto/openssl/util/ck_errf.pl
+++ b/crypto/openssl/util/ck_errf.pl
@@ -13,16 +13,21 @@ foreach $file (@ARGV)
 	$func="";
 	while (<IN>)
 		{
-		if (/^[a-zA-Z].+[\s*]([A-Za-z_0-9]+)\(.*\)/)
+		if (!/;$/ && /^([a-zA-Z].*[\s*])?([A-Za-z_0-9]+)\(.*[),]/)
 			{
-			$func=$1;
+			/^([^()]*(\([^()]*\)[^()]*)*)\(/;
+			$1 =~ /([A-Za-z_0-9]*)$/;
+			$func = $1;
 			$func =~ tr/A-Z/a-z/;
 			}
 		if (/([A-Z0-9]+)err\(([^,]+)/)
 			{
-			next if ($func eq "");
 			$errlib=$1;
 			$n=$2;
+
+			if ($func eq "")
+				{ print "$file:$.:???:$n\n"; next; }
+
 			if ($n !~ /([^_]+)_F_(.+)$/)
 				{
 		#		print "check -$file:$.:$func:$n\n";
@@ -32,7 +37,7 @@ foreach $file (@ARGV)
 			$n=$2;
 
 			if ($lib ne $errlib)
-				{ print "$file:$.:$func:$n\n"; next; }
+				{ print "$file:$.:$func:$n [${errlib}err]\n"; next; }
 
 			$n =~ tr/A-Z/a-z/;
 			if (($n ne $func) && ($errlib ne "SYS"))
diff --git a/crypto/openssl/util/copy.pl b/crypto/openssl/util/copy.pl
new file mode 100644
index 000000000000..e20b45530a8f
--- /dev/null
+++ b/crypto/openssl/util/copy.pl
@@ -0,0 +1,59 @@
+#!/usr/local/bin/perl
+
+use Fcntl;
+
+
+# copy.pl
+
+# Perl script 'copy' comment. On Windows the built in "copy" command also
+# copies timestamps: this messes up Makefile dependencies.
+
+my $arg;
+
+foreach $arg (@ARGV) {
+	$arg =~ s|\\|/|g;	# compensate for bug/feature in cygwin glob...
+	foreach (glob $arg)
+		{
+		push @filelist, $_;
+		}
+}
+
+$fnum = @filelist;
+
+if ($fnum <= 1)
+	{
+	die "Need at least two filenames";
+	}
+
+$dest = pop @filelist;
+	
+if ($fnum > 2 && ! -d $dest)
+	{
+	die "Destination must be a directory";
+	}
+
+foreach (@filelist)
+	{
+	if (-d $dest)
+		{
+		$dfile = $_;
+		$dfile =~ s|^.*[/\\]([^/\\]*)$|$1|;
+		$dfile = "$dest/$dfile";
+		}
+	else
+		{
+		$dfile = $dest;
+		}
+	sysopen(IN, $_, O_RDONLY|O_BINARY) || die "Can't Open $_";
+	sysopen(OUT, $dfile, O_WRONLY|O_CREAT|O_TRUNC|O_BINARY)
+					|| die "Can't Open $dfile";
+	while (sysread IN, $buf, 10240)
+		{
+		syswrite(OUT, $buf, length($buf));
+		}
+	close(IN);
+	close(OUT);
+	print "Copying: $_ to $dfile\n";
+	}
+		
+
diff --git a/crypto/openssl/util/domd b/crypto/openssl/util/domd
index 5610521f0b83..691be7a440ac 100755
--- a/crypto/openssl/util/domd
+++ b/crypto/openssl/util/domd
@@ -26,7 +26,7 @@ if [ "$MAKEDEPEND" = "gcc" ]; then
     ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
     rm -f Makefile.tmp
 else
-    ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND -f Makefile $@
+    ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND $@
     ${PERL} $TOP/util/clean-depend.pl < Makefile > Makefile.new
 fi
 mv Makefile.new Makefile
diff --git a/crypto/openssl/util/extract-section.pl b/crypto/openssl/util/extract-section.pl
new file mode 100644
index 000000000000..7a0ba4f69a7a
--- /dev/null
+++ b/crypto/openssl/util/extract-section.pl
@@ -0,0 +1,12 @@
+#!/usr/bin/perl
+
+while(<STDIN>) {
+	if (/=for\s+comment\s+openssl_manual_section:(\S+)/)
+		{
+		print "$1\n";
+		exit 0;
+		}
+}
+
+print "$ARGV[0]\n";
+
diff --git a/crypto/openssl/util/libeay.num b/crypto/openssl/util/libeay.num
index d446b9e5e9c6..f8555a1a4516 100755
--- a/crypto/openssl/util/libeay.num
+++ b/crypto/openssl/util/libeay.num
@@ -123,10 +123,10 @@ BN_dup                                  128	EXIST::FUNCTION:
 BN_free                                 129	EXIST::FUNCTION:
 BN_from_montgomery                      130	EXIST::FUNCTION:
 BN_gcd                                  131	EXIST::FUNCTION:
-BN_generate_prime                       132	EXIST::FUNCTION:
+BN_generate_prime                       132	EXIST::FUNCTION:DEPRECATED
 BN_get_word                             133	EXIST::FUNCTION:
 BN_is_bit_set                           134	EXIST::FUNCTION:
-BN_is_prime                             135	EXIST::FUNCTION:
+BN_is_prime                             135	EXIST::FUNCTION:DEPRECATED
 BN_lshift                               136	EXIST::FUNCTION:
 BN_lshift1                              137	EXIST::FUNCTION:
 BN_mask_bits                            138	EXIST::FUNCTION:
@@ -193,14 +193,14 @@ DH_check                                200	EXIST::FUNCTION:DH
 DH_compute_key                          201	EXIST::FUNCTION:DH
 DH_free                                 202	EXIST::FUNCTION:DH
 DH_generate_key                         203	EXIST::FUNCTION:DH
-DH_generate_parameters                  204	EXIST::FUNCTION:DH
+DH_generate_parameters                  204	EXIST::FUNCTION:DEPRECATED,DH
 DH_new                                  205	EXIST::FUNCTION:DH
 DH_size                                 206	EXIST::FUNCTION:DH
 DHparams_print                          207	EXIST::FUNCTION:BIO,DH
 DHparams_print_fp                       208	EXIST::FUNCTION:DH,FP_API
 DSA_free                                209	EXIST::FUNCTION:DSA
 DSA_generate_key                        210	EXIST::FUNCTION:DSA
-DSA_generate_parameters                 211	EXIST::FUNCTION:DSA
+DSA_generate_parameters                 211	EXIST::FUNCTION:DEPRECATED,DSA
 DSA_is_prime                            212	NOEXIST::FUNCTION:
 DSA_new                                 213	EXIST::FUNCTION:DSA
 DSA_print                               214	EXIST::FUNCTION:BIO,DSA
@@ -474,7 +474,7 @@ RSAPrivateKey_dup                       481	EXIST::FUNCTION:RSA
 RSAPublicKey_dup                        482	EXIST::FUNCTION:RSA
 RSA_PKCS1_SSLeay                        483	EXIST::FUNCTION:RSA
 RSA_free                                484	EXIST::FUNCTION:RSA
-RSA_generate_key                        485	EXIST::FUNCTION:RSA
+RSA_generate_key                        485	EXIST::FUNCTION:DEPRECATED,RSA
 RSA_new                                 486	EXIST::FUNCTION:RSA
 RSA_new_method                          487	EXIST::FUNCTION:RSA
 RSA_print                               488	EXIST::FUNCTION:BIO,RSA
@@ -1104,7 +1104,7 @@ BN_RECP_CTX_set                         1131	EXIST::FUNCTION:
 BN_mod_mul_reciprocal                   1132	EXIST::FUNCTION:
 BN_mod_exp_recp                         1133	EXIST::FUNCTION:
 BN_div_recp                             1134	EXIST::FUNCTION:
-BN_CTX_init                             1135	EXIST::FUNCTION:
+BN_CTX_init                             1135	EXIST::FUNCTION:DEPRECATED
 BN_MONT_CTX_init                        1136	EXIST::FUNCTION:
 RAND_get_rand_method                    1137	EXIST::FUNCTION:
 PKCS7_add_attribute                     1138	EXIST::FUNCTION:
@@ -1221,8 +1221,8 @@ BIO_f_reliable                          1244	EXIST::FUNCTION:BIO
 PKCS7_dataFinal                         1245	EXIST::FUNCTION:
 PKCS7_dataDecode                        1246	EXIST::FUNCTION:
 X509V3_EXT_CRL_add_conf                 1247	EXIST::FUNCTION:
-BN_set_params                           1248	EXIST::FUNCTION:
-BN_get_params                           1249	EXIST::FUNCTION:
+BN_set_params                           1248	EXIST::FUNCTION:DEPRECATED
+BN_get_params                           1249	EXIST::FUNCTION:DEPRECATED
 BIO_get_ex_num                          1250	NOEXIST::FUNCTION:
 BIO_set_ex_free_func                    1251	NOEXIST::FUNCTION:
 EVP_ripemd160                           1252	EXIST::FUNCTION:RIPEMD
@@ -1744,7 +1744,7 @@ X509_REQ_add1_attr_by_txt               2217	EXIST::FUNCTION:
 X509_ATTRIBUTE_create_by_txt            2218	EXIST::FUNCTION:
 X509at_add1_attr_by_txt                 2219	EXIST::FUNCTION:
 BN_pseudo_rand                          2239	EXIST::FUNCTION:
-BN_is_prime_fasttest                    2240	EXIST::FUNCTION:
+BN_is_prime_fasttest                    2240	EXIST::FUNCTION:DEPRECATED
 BN_CTX_end                              2241	EXIST::FUNCTION:
 BN_CTX_start                            2242	EXIST::FUNCTION:
 BN_CTX_get                              2243	EXIST::FUNCTION:
@@ -2071,7 +2071,7 @@ PKCS7_ATTR_SIGN_it                      2632	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 UI_add_error_string                     2633	EXIST::FUNCTION:
 KRB5_CHECKSUM_free                      2634	EXIST::FUNCTION:
 OCSP_REQUEST_get_ext                    2635	EXIST::FUNCTION:
-ENGINE_load_ubsec                       2636	EXIST::FUNCTION:ENGINE
+ENGINE_load_ubsec                       2636	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
 ENGINE_register_all_digests             2637	EXIST::FUNCTION:ENGINE
 PKEY_USAGE_PERIOD_it                    2638	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKEY_USAGE_PERIOD_it                    2638	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2419,7 +2419,7 @@ UI_get_string_type                      2916	EXIST::FUNCTION:
 ENGINE_unregister_DH                    2917	EXIST::FUNCTION:ENGINE
 ENGINE_register_all_DSA                 2918	EXIST::FUNCTION:ENGINE
 OCSP_ONEREQ_get_ext_by_critical         2919	EXIST::FUNCTION:
-bn_dup_expand                           2920	EXIST::FUNCTION:
+bn_dup_expand                           2920	EXIST::FUNCTION:DEPRECATED
 OCSP_cert_id_new                        2921	EXIST::FUNCTION:
 BASIC_CONSTRAINTS_it                    2922	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 BASIC_CONSTRAINTS_it                    2922	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2545,7 +2545,7 @@ OCSP_RESPONSE_new                       3023	EXIST::FUNCTION:
 AES_set_encrypt_key                     3024	EXIST::FUNCTION:AES
 OCSP_resp_count                         3025	EXIST::FUNCTION:
 KRB5_CHECKSUM_new                       3026	EXIST::FUNCTION:
-ENGINE_load_cswift                      3027	EXIST::FUNCTION:ENGINE
+ENGINE_load_cswift                      3027	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
 OCSP_onereq_get0_id                     3028	EXIST::FUNCTION:
 ENGINE_set_default_ciphers              3029	EXIST::FUNCTION:ENGINE
 NOTICEREF_it                            3030	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2576,7 +2576,7 @@ ASN1_primitive_free                     3051	EXIST::FUNCTION:
 i2d_EXTENDED_KEY_USAGE                  3052	EXIST::FUNCTION:
 i2d_OCSP_SIGNATURE                      3053	EXIST::FUNCTION:
 asn1_enc_save                           3054	EXIST::FUNCTION:
-ENGINE_load_nuron                       3055	EXIST::FUNCTION:ENGINE
+ENGINE_load_nuron                       3055	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
 _ossl_old_des_pcbc_encrypt              3056	EXIST::FUNCTION:DES
 PKCS12_MAC_DATA_it                      3057	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS12_MAC_DATA_it                      3057	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2600,7 +2600,7 @@ asn1_get_choice_selector                3071	EXIST::FUNCTION:
 i2d_KRB5_CHECKSUM                       3072	EXIST::FUNCTION:
 ENGINE_set_table_flags                  3073	EXIST::FUNCTION:ENGINE
 AES_options                             3074	EXIST::FUNCTION:AES
-ENGINE_load_chil                        3075	EXIST::FUNCTION:ENGINE
+ENGINE_load_chil                        3075	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
 OCSP_id_cmp                             3076	EXIST::FUNCTION:
 OCSP_BASICRESP_new                      3077	EXIST::FUNCTION:
 OCSP_REQUEST_get_ext_by_NID             3078	EXIST::FUNCTION:
@@ -2667,7 +2667,7 @@ OCSP_CRLID_it                           3127	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 OCSP_CRLID_it                           3127	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 i2d_KRB5_AUTHENTBODY                    3128	EXIST::FUNCTION:
 OCSP_REQUEST_get_ext_count              3129	EXIST::FUNCTION:
-ENGINE_load_atalla                      3130	EXIST::FUNCTION:ENGINE
+ENGINE_load_atalla                      3130	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
 X509_NAME_it                            3131	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 X509_NAME_it                            3131	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 USERNOTICE_it                           3132	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2762,8 +2762,8 @@ DES_read_2passwords                     3206	EXIST::FUNCTION:DES
 DES_read_password                       3207	EXIST::FUNCTION:DES
 UI_UTIL_read_pw                         3208	EXIST::FUNCTION:
 UI_UTIL_read_pw_string                  3209	EXIST::FUNCTION:
-ENGINE_load_aep                         3210	EXIST::FUNCTION:ENGINE
-ENGINE_load_sureware                    3211	EXIST::FUNCTION:ENGINE
+ENGINE_load_aep                         3210	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
+ENGINE_load_sureware                    3211	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
 OPENSSL_add_all_algorithms_noconf       3212	EXIST:!VMS:FUNCTION:
 OPENSSL_add_all_algo_noconf             3212	EXIST:VMS:FUNCTION:
 OPENSSL_add_all_algorithms_conf         3213	EXIST:!VMS:FUNCTION:
@@ -2772,7 +2772,7 @@ OPENSSL_load_builtin_modules            3214	EXIST::FUNCTION:
 AES_ofb128_encrypt                      3215	EXIST::FUNCTION:AES
 AES_ctr128_encrypt                      3216	EXIST::FUNCTION:AES
 AES_cfb128_encrypt                      3217	EXIST::FUNCTION:AES
-ENGINE_load_4758cca                     3218	EXIST::FUNCTION:ENGINE
+ENGINE_load_4758cca                     3218	EXIST::FUNCTION:ENGINE,STATIC_ENGINE
 _ossl_096_des_random_seed               3219	EXIST::FUNCTION:DES
 EVP_aes_256_ofb                         3220	EXIST::FUNCTION:AES
 EVP_aes_192_ofb                         3221	EXIST::FUNCTION:AES
@@ -2804,40 +2804,579 @@ OPENSSL_cleanse                         3245	EXIST::FUNCTION:
 ENGINE_setup_bsd_cryptodev              3246	EXIST:__FreeBSD__:FUNCTION:ENGINE
 ERR_release_err_state_table             3247	EXIST::FUNCTION:LHASH
 EVP_aes_128_cfb8                        3248	EXIST::FUNCTION:AES
-FIPS_corrupt_rsa                        3249	EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_selftest_des                       3250	EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_rsa                        3249	NOEXIST::FUNCTION:
+FIPS_selftest_des                       3250	NOEXIST::FUNCTION:
 EVP_aes_128_cfb1                        3251	EXIST::FUNCTION:AES
 EVP_aes_192_cfb8                        3252	EXIST::FUNCTION:AES
-FIPS_mode_set                           3253	EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_selftest_dsa                       3254	EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_mode_set                           3253	NOEXIST::FUNCTION:
+FIPS_selftest_dsa                       3254	NOEXIST::FUNCTION:
 EVP_aes_256_cfb8                        3255	EXIST::FUNCTION:AES
-FIPS_allow_md5                          3256	EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_allow_md5                          3256	NOEXIST::FUNCTION:
 DES_ede3_cfb_encrypt                    3257	EXIST::FUNCTION:DES
 EVP_des_ede3_cfb8                       3258	EXIST::FUNCTION:DES
-FIPS_rand_seeded                        3259	EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_rand_seeded                        3259	NOEXIST::FUNCTION:
 AES_cfbr_encrypt_block                  3260	EXIST::FUNCTION:AES
 AES_cfb8_encrypt                        3261	EXIST::FUNCTION:AES
-FIPS_rand_seed                          3262	EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_corrupt_des                        3263	EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_rand_seed                          3262	NOEXIST::FUNCTION:
+FIPS_corrupt_des                        3263	NOEXIST::FUNCTION:
 EVP_aes_192_cfb1                        3264	EXIST::FUNCTION:AES
-FIPS_selftest_aes                       3265	EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_set_prng_key                       3266	EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_aes                       3265	NOEXIST::FUNCTION:
+FIPS_set_prng_key                       3266	NOEXIST::FUNCTION:
 EVP_des_cfb8                            3267	EXIST::FUNCTION:DES
-FIPS_corrupt_dsa                        3268	EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_test_mode                          3269	EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_rand_method                        3270	EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_dsa                        3268	NOEXIST::FUNCTION:
+FIPS_test_mode                          3269	NOEXIST::FUNCTION:
+FIPS_rand_method                        3270	NOEXIST::FUNCTION:
 EVP_aes_256_cfb1                        3271	EXIST::FUNCTION:AES
-ERR_load_FIPS_strings                   3272	EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_corrupt_aes                        3273	EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_selftest_sha1                      3274	EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_selftest_rsa                       3275	EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_corrupt_sha1                       3276	EXIST:OPENSSL_FIPS:FUNCTION:
+ERR_load_FIPS_strings                   3272	NOEXIST::FUNCTION:
+FIPS_corrupt_aes                        3273	NOEXIST::FUNCTION:
+FIPS_selftest_sha1                      3274	NOEXIST::FUNCTION:
+FIPS_selftest_rsa                       3275	NOEXIST::FUNCTION:
+FIPS_corrupt_sha1                       3276	NOEXIST::FUNCTION:
 EVP_des_cfb1                            3277	EXIST::FUNCTION:DES
-FIPS_dsa_check                          3278	EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_dsa_check                          3278	NOEXIST::FUNCTION:
 AES_cfb1_encrypt                        3279	EXIST::FUNCTION:AES
 EVP_des_ede3_cfb1                       3280	EXIST::FUNCTION:DES
-FIPS_rand_check                         3281	EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_md5_allowed                        3282	EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_mode                               3283	EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_selftest_failed                    3284	EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_rand_check                         3281	NOEXIST::FUNCTION:
+FIPS_md5_allowed                        3282	NOEXIST::FUNCTION:
+FIPS_mode                               3283	NOEXIST::FUNCTION:
+FIPS_selftest_failed                    3284	NOEXIST::FUNCTION:
 sk_is_sorted                            3285	EXIST::FUNCTION:
+X509_check_ca                           3286	EXIST::FUNCTION:
+private_idea_set_encrypt_key            3287	NOEXIST::FUNCTION:
+HMAC_CTX_set_flags                      3288	NOEXIST::FUNCTION:
+private_SHA_Init                        3289	NOEXIST::FUNCTION:
+private_CAST_set_key                    3290	NOEXIST::FUNCTION:
+private_RIPEMD160_Init                  3291	NOEXIST::FUNCTION:
+private_RC5_32_set_key                  3292	NOEXIST::FUNCTION:
+private_MD5_Init                        3293	NOEXIST::FUNCTION:
+private_RC4_set_key                     3294	NOEXIST::FUNCTION:
+private_MDC2_Init                       3295	NOEXIST::FUNCTION:
+private_RC2_set_key                     3296	NOEXIST::FUNCTION:
+private_MD4_Init                        3297	NOEXIST::FUNCTION:
+private_BF_set_key                      3298	NOEXIST::FUNCTION:
+private_MD2_Init                        3299	NOEXIST::FUNCTION:
+d2i_PROXY_CERT_INFO_EXTENSION           3300	EXIST::FUNCTION:
+PROXY_POLICY_it                         3301	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PROXY_POLICY_it                         3301	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+i2d_PROXY_POLICY                        3302	EXIST::FUNCTION:
+i2d_PROXY_CERT_INFO_EXTENSION           3303	EXIST::FUNCTION:
+d2i_PROXY_POLICY                        3304	EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_new           3305	EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_free          3306	EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_it            3307	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PROXY_CERT_INFO_EXTENSION_it            3307	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+PROXY_POLICY_free                       3308	EXIST::FUNCTION:
+PROXY_POLICY_new                        3309	EXIST::FUNCTION:
+BN_MONT_CTX_set_locked                  3310	EXIST::FUNCTION:
+FIPS_selftest_rng                       3311	NOEXIST::FUNCTION:
+EVP_sha384                              3312	EXIST::FUNCTION:SHA,SHA512
+EVP_sha512                              3313	EXIST::FUNCTION:SHA,SHA512
+EVP_sha224                              3314	EXIST::FUNCTION:SHA,SHA256
+EVP_sha256                              3315	EXIST::FUNCTION:SHA,SHA256
+FIPS_selftest_hmac                      3316	NOEXIST::FUNCTION:
+FIPS_corrupt_rng                        3317	NOEXIST::FUNCTION:
+BN_mod_exp_mont_consttime               3318	EXIST::FUNCTION:
+RSA_X931_hash_id                        3319	EXIST::FUNCTION:RSA
+RSA_padding_check_X931                  3320	EXIST::FUNCTION:RSA
+RSA_verify_PKCS1_PSS                    3321	EXIST::FUNCTION:RSA
+RSA_padding_add_X931                    3322	EXIST::FUNCTION:RSA
+RSA_padding_add_PKCS1_PSS               3323	EXIST::FUNCTION:RSA
+PKCS1_MGF1                              3324	EXIST::FUNCTION:RSA
+BN_X931_generate_Xpq                    3325	NOEXIST::FUNCTION:
+RSA_X931_generate_key                   3326	NOEXIST::FUNCTION:
+BN_X931_derive_prime                    3327	NOEXIST::FUNCTION:
+BN_X931_generate_prime                  3328	NOEXIST::FUNCTION:
+RSA_X931_derive                         3329	NOEXIST::FUNCTION:
+BIO_new_dgram                           3330	EXIST::FUNCTION:
+BN_get0_nist_prime_384                  3331	EXIST::FUNCTION:
+ERR_set_mark                            3332	EXIST::FUNCTION:
+X509_STORE_CTX_set0_crls                3333	EXIST::FUNCTION:
+ENGINE_set_STORE                        3334	EXIST::FUNCTION:ENGINE
+ENGINE_register_ECDSA                   3335	EXIST::FUNCTION:ENGINE
+STORE_method_set_list_start_function    3336	EXIST:!VMS:FUNCTION:
+STORE_meth_set_list_start_fn            3336	EXIST:VMS:FUNCTION:
+BN_BLINDING_invert_ex                   3337	EXIST::FUNCTION:
+NAME_CONSTRAINTS_free                   3338	EXIST::FUNCTION:
+STORE_ATTR_INFO_set_number              3339	EXIST::FUNCTION:
+BN_BLINDING_get_thread_id               3340	EXIST::FUNCTION:
+X509_STORE_CTX_set0_param               3341	EXIST::FUNCTION:
+POLICY_MAPPING_it                       3342	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+POLICY_MAPPING_it                       3342	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+STORE_parse_attrs_start                 3343	EXIST::FUNCTION:
+POLICY_CONSTRAINTS_free                 3344	EXIST::FUNCTION:
+EVP_PKEY_add1_attr_by_NID               3345	EXIST::FUNCTION:
+BN_nist_mod_192                         3346	EXIST::FUNCTION:
+EC_GROUP_get_trinomial_basis            3347	EXIST::FUNCTION:EC
+STORE_set_method                        3348	EXIST::FUNCTION:
+GENERAL_SUBTREE_free                    3349	EXIST::FUNCTION:
+NAME_CONSTRAINTS_it                     3350	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+NAME_CONSTRAINTS_it                     3350	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ECDH_get_default_method                 3351	EXIST::FUNCTION:ECDH
+PKCS12_add_safe                         3352	EXIST::FUNCTION:
+EC_KEY_new_by_curve_name                3353	EXIST::FUNCTION:EC
+STORE_method_get_update_store_function  3354	EXIST:!VMS:FUNCTION:
+STORE_meth_get_update_store_fn          3354	EXIST:VMS:FUNCTION:
+ENGINE_register_ECDH                    3355	EXIST::FUNCTION:ENGINE
+SHA512_Update                           3356	EXIST::FUNCTION:SHA,SHA512
+i2d_ECPrivateKey                        3357	EXIST::FUNCTION:EC
+BN_get0_nist_prime_192                  3358	EXIST::FUNCTION:
+STORE_modify_certificate                3359	EXIST::FUNCTION:
+EC_POINT_set_affine_coordinates_GF2m    3360	EXIST:!VMS:FUNCTION:EC
+EC_POINT_set_affine_coords_GF2m         3360	EXIST:VMS:FUNCTION:EC
+BN_GF2m_mod_exp_arr                     3361	EXIST::FUNCTION:
+STORE_ATTR_INFO_modify_number           3362	EXIST::FUNCTION:
+X509_keyid_get0                         3363	EXIST::FUNCTION:
+ENGINE_load_gmp                         3364	EXIST::FUNCTION:ENGINE,GMP,STATIC_ENGINE
+pitem_new                               3365	EXIST::FUNCTION:
+BN_GF2m_mod_mul_arr                     3366	EXIST::FUNCTION:
+STORE_list_public_key_endp              3367	EXIST::FUNCTION:
+o2i_ECPublicKey                         3368	EXIST::FUNCTION:EC
+EC_KEY_copy                             3369	EXIST::FUNCTION:EC
+BIO_dump_fp                             3370	EXIST::FUNCTION:FP_API
+X509_policy_node_get0_parent            3371	EXIST::FUNCTION:
+EC_GROUP_check_discriminant             3372	EXIST::FUNCTION:EC
+i2o_ECPublicKey                         3373	EXIST::FUNCTION:EC
+EC_KEY_precompute_mult                  3374	EXIST::FUNCTION:EC
+a2i_IPADDRESS                           3375	EXIST::FUNCTION:
+STORE_method_set_initialise_function    3376	EXIST:!VMS:FUNCTION:
+STORE_meth_set_initialise_fn            3376	EXIST:VMS:FUNCTION:
+X509_STORE_CTX_set_depth                3377	EXIST::FUNCTION:
+X509_VERIFY_PARAM_inherit               3378	EXIST::FUNCTION:
+EC_POINT_point2bn                       3379	EXIST::FUNCTION:EC
+STORE_ATTR_INFO_set_dn                  3380	EXIST::FUNCTION:
+X509_policy_tree_get0_policies          3381	EXIST::FUNCTION:
+EC_GROUP_new_curve_GF2m                 3382	EXIST::FUNCTION:EC
+STORE_destroy_method                    3383	EXIST::FUNCTION:
+ENGINE_unregister_STORE                 3384	EXIST::FUNCTION:ENGINE
+EVP_PKEY_get1_EC_KEY                    3385	EXIST::FUNCTION:EC
+STORE_ATTR_INFO_get0_number             3386	EXIST::FUNCTION:
+ENGINE_get_default_ECDH                 3387	EXIST::FUNCTION:ENGINE
+EC_KEY_get_conv_form                    3388	EXIST::FUNCTION:EC
+ASN1_OCTET_STRING_NDEF_it               3389	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_OCTET_STRING_NDEF_it               3389	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+STORE_delete_public_key                 3390	EXIST::FUNCTION:
+STORE_get_public_key                    3391	EXIST::FUNCTION:
+STORE_modify_arbitrary                  3392	EXIST::FUNCTION:
+ENGINE_get_static_state                 3393	EXIST::FUNCTION:ENGINE
+pqueue_iterator                         3394	EXIST::FUNCTION:
+ECDSA_SIG_new                           3395	EXIST::FUNCTION:ECDSA
+OPENSSL_DIR_end                         3396	EXIST::FUNCTION:
+BN_GF2m_mod_sqr                         3397	EXIST::FUNCTION:
+EC_POINT_bn2point                       3398	EXIST::FUNCTION:EC
+X509_VERIFY_PARAM_set_depth             3399	EXIST::FUNCTION:
+EC_KEY_set_asn1_flag                    3400	EXIST::FUNCTION:EC
+STORE_get_method                        3401	EXIST::FUNCTION:
+EC_KEY_get_key_method_data              3402	EXIST::FUNCTION:EC
+ECDSA_sign_ex                           3403	EXIST::FUNCTION:ECDSA
+STORE_parse_attrs_end                   3404	EXIST::FUNCTION:
+EC_GROUP_get_point_conversion_form      3405	EXIST:!VMS:FUNCTION:EC
+EC_GROUP_get_point_conv_form            3405	EXIST:VMS:FUNCTION:EC
+STORE_method_set_store_function         3406	EXIST::FUNCTION:
+STORE_ATTR_INFO_in                      3407	EXIST::FUNCTION:
+PEM_read_bio_ECPKParameters             3408	EXIST::FUNCTION:EC
+EC_GROUP_get_pentanomial_basis          3409	EXIST::FUNCTION:EC
+EVP_PKEY_add1_attr_by_txt               3410	EXIST::FUNCTION:
+BN_BLINDING_set_flags                   3411	EXIST::FUNCTION:
+X509_VERIFY_PARAM_set1_policies         3412	EXIST::FUNCTION:
+X509_VERIFY_PARAM_set1_name             3413	EXIST::FUNCTION:
+X509_VERIFY_PARAM_set_purpose           3414	EXIST::FUNCTION:
+STORE_get_number                        3415	EXIST::FUNCTION:
+ECDSA_sign_setup                        3416	EXIST::FUNCTION:ECDSA
+BN_GF2m_mod_solve_quad_arr              3417	EXIST::FUNCTION:
+EC_KEY_up_ref                           3418	EXIST::FUNCTION:EC
+POLICY_MAPPING_free                     3419	EXIST::FUNCTION:
+BN_GF2m_mod_div                         3420	EXIST::FUNCTION:
+X509_VERIFY_PARAM_set_flags             3421	EXIST::FUNCTION:
+EC_KEY_free                             3422	EXIST::FUNCTION:EC
+STORE_method_set_list_next_function     3423	EXIST:!VMS:FUNCTION:
+STORE_meth_set_list_next_fn             3423	EXIST:VMS:FUNCTION:
+PEM_write_bio_ECPrivateKey              3424	EXIST::FUNCTION:EC
+d2i_EC_PUBKEY                           3425	EXIST::FUNCTION:EC
+STORE_method_get_generate_function      3426	EXIST:!VMS:FUNCTION:
+STORE_meth_get_generate_fn              3426	EXIST:VMS:FUNCTION:
+STORE_method_set_list_end_function      3427	EXIST:!VMS:FUNCTION:
+STORE_meth_set_list_end_fn              3427	EXIST:VMS:FUNCTION:
+pqueue_print                            3428	EXIST::FUNCTION:
+EC_GROUP_have_precompute_mult           3429	EXIST::FUNCTION:EC
+EC_KEY_print_fp                         3430	EXIST::FUNCTION:EC,FP_API
+BN_GF2m_mod_arr                         3431	EXIST::FUNCTION:
+PEM_write_bio_X509_CERT_PAIR            3432	EXIST::FUNCTION:
+EVP_PKEY_cmp                            3433	EXIST::FUNCTION:
+X509_policy_level_node_count            3434	EXIST::FUNCTION:
+STORE_new_engine                        3435	EXIST::FUNCTION:
+STORE_list_public_key_start             3436	EXIST::FUNCTION:
+X509_VERIFY_PARAM_new                   3437	EXIST::FUNCTION:
+ECDH_get_ex_data                        3438	EXIST::FUNCTION:ECDH
+EVP_PKEY_get_attr                       3439	EXIST::FUNCTION:
+ECDSA_do_sign                           3440	EXIST::FUNCTION:ECDSA
+ENGINE_unregister_ECDH                  3441	EXIST::FUNCTION:ENGINE
+ECDH_OpenSSL                            3442	EXIST::FUNCTION:ECDH
+EC_KEY_set_conv_form                    3443	EXIST::FUNCTION:EC
+EC_POINT_dup                            3444	EXIST::FUNCTION:EC
+GENERAL_SUBTREE_new                     3445	EXIST::FUNCTION:
+STORE_list_crl_endp                     3446	EXIST::FUNCTION:
+EC_get_builtin_curves                   3447	EXIST::FUNCTION:EC
+X509_policy_node_get0_qualifiers        3448	EXIST:!VMS:FUNCTION:
+X509_pcy_node_get0_qualifiers           3448	EXIST:VMS:FUNCTION:
+STORE_list_crl_end                      3449	EXIST::FUNCTION:
+EVP_PKEY_set1_EC_KEY                    3450	EXIST::FUNCTION:EC
+BN_GF2m_mod_sqrt_arr                    3451	EXIST::FUNCTION:
+i2d_ECPrivateKey_bio                    3452	EXIST::FUNCTION:BIO,EC
+ECPKParameters_print_fp                 3453	EXIST::FUNCTION:EC,FP_API
+pqueue_find                             3454	EXIST::FUNCTION:
+ECDSA_SIG_free                          3455	EXIST::FUNCTION:ECDSA
+PEM_write_bio_ECPKParameters            3456	EXIST::FUNCTION:EC
+STORE_method_set_ctrl_function          3457	EXIST::FUNCTION:
+STORE_list_public_key_end               3458	EXIST::FUNCTION:
+EC_KEY_set_private_key                  3459	EXIST::FUNCTION:EC
+pqueue_peek                             3460	EXIST::FUNCTION:
+STORE_get_arbitrary                     3461	EXIST::FUNCTION:
+STORE_store_crl                         3462	EXIST::FUNCTION:
+X509_policy_node_get0_policy            3463	EXIST::FUNCTION:
+PKCS12_add_safes                        3464	EXIST::FUNCTION:
+BN_BLINDING_convert_ex                  3465	EXIST::FUNCTION:
+X509_policy_tree_free                   3466	EXIST::FUNCTION:
+OPENSSL_ia32cap_loc                     3467	EXIST::FUNCTION:
+BN_GF2m_poly2arr                        3468	EXIST::FUNCTION:
+STORE_ctrl                              3469	EXIST::FUNCTION:
+STORE_ATTR_INFO_compare                 3470	EXIST::FUNCTION:
+BN_get0_nist_prime_224                  3471	EXIST::FUNCTION:
+i2d_ECParameters                        3472	EXIST::FUNCTION:EC
+i2d_ECPKParameters                      3473	EXIST::FUNCTION:EC
+BN_GENCB_call                           3474	EXIST::FUNCTION:
+d2i_ECPKParameters                      3475	EXIST::FUNCTION:EC
+STORE_method_set_generate_function      3476	EXIST:!VMS:FUNCTION:
+STORE_meth_set_generate_fn              3476	EXIST:VMS:FUNCTION:
+ENGINE_set_ECDH                         3477	EXIST::FUNCTION:ENGINE
+NAME_CONSTRAINTS_new                    3478	EXIST::FUNCTION:
+SHA256_Init                             3479	EXIST::FUNCTION:SHA,SHA256
+EC_KEY_get0_public_key                  3480	EXIST::FUNCTION:EC
+PEM_write_bio_EC_PUBKEY                 3481	EXIST::FUNCTION:EC
+STORE_ATTR_INFO_set_cstr                3482	EXIST::FUNCTION:
+STORE_list_crl_next                     3483	EXIST::FUNCTION:
+STORE_ATTR_INFO_in_range                3484	EXIST::FUNCTION:
+ECParameters_print                      3485	EXIST::FUNCTION:BIO,EC
+STORE_method_set_delete_function        3486	EXIST:!VMS:FUNCTION:
+STORE_meth_set_delete_fn                3486	EXIST:VMS:FUNCTION:
+STORE_list_certificate_next             3487	EXIST::FUNCTION:
+ASN1_generate_nconf                     3488	EXIST::FUNCTION:
+BUF_memdup                              3489	EXIST::FUNCTION:
+BN_GF2m_mod_mul                         3490	EXIST::FUNCTION:
+STORE_method_get_list_next_function     3491	EXIST:!VMS:FUNCTION:
+STORE_meth_get_list_next_fn             3491	EXIST:VMS:FUNCTION:
+STORE_ATTR_INFO_get0_dn                 3492	EXIST::FUNCTION:
+STORE_list_private_key_next             3493	EXIST::FUNCTION:
+EC_GROUP_set_seed                       3494	EXIST::FUNCTION:EC
+X509_VERIFY_PARAM_set_trust             3495	EXIST::FUNCTION:
+STORE_ATTR_INFO_free                    3496	EXIST::FUNCTION:
+STORE_get_private_key                   3497	EXIST::FUNCTION:
+EVP_PKEY_get_attr_count                 3498	EXIST::FUNCTION:
+STORE_ATTR_INFO_new                     3499	EXIST::FUNCTION:
+EC_GROUP_get_curve_GF2m                 3500	EXIST::FUNCTION:EC
+STORE_method_set_revoke_function        3501	EXIST:!VMS:FUNCTION:
+STORE_meth_set_revoke_fn                3501	EXIST:VMS:FUNCTION:
+STORE_store_number                      3502	EXIST::FUNCTION:
+BN_is_prime_ex                          3503	EXIST::FUNCTION:
+STORE_revoke_public_key                 3504	EXIST::FUNCTION:
+X509_STORE_CTX_get0_param               3505	EXIST::FUNCTION:
+STORE_delete_arbitrary                  3506	EXIST::FUNCTION:
+PEM_read_X509_CERT_PAIR                 3507	EXIST:!WIN16:FUNCTION:
+X509_STORE_set_depth                    3508	EXIST::FUNCTION:
+ECDSA_get_ex_data                       3509	EXIST::FUNCTION:ECDSA
+SHA224                                  3510	EXIST::FUNCTION:SHA,SHA256
+BIO_dump_indent_fp                      3511	EXIST::FUNCTION:FP_API
+EC_KEY_set_group                        3512	EXIST::FUNCTION:EC
+BUF_strndup                             3513	EXIST::FUNCTION:
+STORE_list_certificate_start            3514	EXIST::FUNCTION:
+BN_GF2m_mod                             3515	EXIST::FUNCTION:
+X509_REQ_check_private_key              3516	EXIST::FUNCTION:
+EC_GROUP_get_seed_len                   3517	EXIST::FUNCTION:EC
+ERR_load_STORE_strings                  3518	EXIST::FUNCTION:
+PEM_read_bio_EC_PUBKEY                  3519	EXIST::FUNCTION:EC
+STORE_list_private_key_end              3520	EXIST::FUNCTION:
+i2d_EC_PUBKEY                           3521	EXIST::FUNCTION:EC
+ECDSA_get_default_method                3522	EXIST::FUNCTION:ECDSA
+ASN1_put_eoc                            3523	EXIST::FUNCTION:
+X509_STORE_CTX_get_explicit_policy      3524	EXIST:!VMS:FUNCTION:
+X509_STORE_CTX_get_expl_policy          3524	EXIST:VMS:FUNCTION:
+X509_VERIFY_PARAM_table_cleanup         3525	EXIST::FUNCTION:
+STORE_modify_private_key                3526	EXIST::FUNCTION:
+X509_VERIFY_PARAM_free                  3527	EXIST::FUNCTION:
+EC_METHOD_get_field_type                3528	EXIST::FUNCTION:EC
+EC_GFp_nist_method                      3529	EXIST::FUNCTION:EC
+STORE_method_set_modify_function        3530	EXIST:!VMS:FUNCTION:
+STORE_meth_set_modify_fn                3530	EXIST:VMS:FUNCTION:
+STORE_parse_attrs_next                  3531	EXIST::FUNCTION:
+ENGINE_load_padlock                     3532	EXIST::FUNCTION:ENGINE
+EC_GROUP_set_curve_name                 3533	EXIST::FUNCTION:EC
+X509_CERT_PAIR_it                       3534	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_CERT_PAIR_it                       3534	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+STORE_method_get_revoke_function        3535	EXIST:!VMS:FUNCTION:
+STORE_meth_get_revoke_fn                3535	EXIST:VMS:FUNCTION:
+STORE_method_set_get_function           3536	EXIST::FUNCTION:
+STORE_modify_number                     3537	EXIST::FUNCTION:
+STORE_method_get_store_function         3538	EXIST::FUNCTION:
+STORE_store_private_key                 3539	EXIST::FUNCTION:
+BN_GF2m_mod_sqr_arr                     3540	EXIST::FUNCTION:
+RSA_setup_blinding                      3541	EXIST::FUNCTION:RSA
+BIO_s_datagram                          3542	EXIST::FUNCTION:DGRAM
+STORE_Memory                            3543	EXIST::FUNCTION:
+sk_find_ex                              3544	EXIST::FUNCTION:
+EC_GROUP_set_curve_GF2m                 3545	EXIST::FUNCTION:EC
+ENGINE_set_default_ECDSA                3546	EXIST::FUNCTION:ENGINE
+POLICY_CONSTRAINTS_new                  3547	EXIST::FUNCTION:
+BN_GF2m_mod_sqrt                        3548	EXIST::FUNCTION:
+ECDH_set_default_method                 3549	EXIST::FUNCTION:ECDH
+EC_KEY_generate_key                     3550	EXIST::FUNCTION:EC
+SHA384_Update                           3551	EXIST::FUNCTION:SHA,SHA512
+BN_GF2m_arr2poly                        3552	EXIST::FUNCTION:
+STORE_method_get_get_function           3553	EXIST::FUNCTION:
+STORE_method_set_cleanup_function       3554	EXIST:!VMS:FUNCTION:
+STORE_meth_set_cleanup_fn               3554	EXIST:VMS:FUNCTION:
+EC_GROUP_check                          3555	EXIST::FUNCTION:EC
+d2i_ECPrivateKey_bio                    3556	EXIST::FUNCTION:BIO,EC
+EC_KEY_insert_key_method_data           3557	EXIST::FUNCTION:EC
+STORE_method_get_lock_store_function    3558	EXIST:!VMS:FUNCTION:
+STORE_meth_get_lock_store_fn            3558	EXIST:VMS:FUNCTION:
+X509_VERIFY_PARAM_get_depth             3559	EXIST::FUNCTION:
+SHA224_Final                            3560	EXIST::FUNCTION:SHA,SHA256
+STORE_method_set_update_store_function  3561	EXIST:!VMS:FUNCTION:
+STORE_meth_set_update_store_fn          3561	EXIST:VMS:FUNCTION:
+SHA224_Update                           3562	EXIST::FUNCTION:SHA,SHA256
+d2i_ECPrivateKey                        3563	EXIST::FUNCTION:EC
+ASN1_item_ndef_i2d                      3564	EXIST::FUNCTION:
+STORE_delete_private_key                3565	EXIST::FUNCTION:
+ERR_pop_to_mark                         3566	EXIST::FUNCTION:
+ENGINE_register_all_STORE               3567	EXIST::FUNCTION:ENGINE
+X509_policy_level_get0_node             3568	EXIST::FUNCTION:
+i2d_PKCS7_NDEF                          3569	EXIST::FUNCTION:
+EC_GROUP_get_degree                     3570	EXIST::FUNCTION:EC
+ASN1_generate_v3                        3571	EXIST::FUNCTION:
+STORE_ATTR_INFO_modify_cstr             3572	EXIST::FUNCTION:
+X509_policy_tree_level_count            3573	EXIST::FUNCTION:
+BN_GF2m_add                             3574	EXIST::FUNCTION:
+EC_KEY_get0_group                       3575	EXIST::FUNCTION:EC
+STORE_generate_crl                      3576	EXIST::FUNCTION:
+STORE_store_public_key                  3577	EXIST::FUNCTION:
+X509_CERT_PAIR_free                     3578	EXIST::FUNCTION:
+STORE_revoke_private_key                3579	EXIST::FUNCTION:
+BN_nist_mod_224                         3580	EXIST::FUNCTION:
+SHA512_Final                            3581	EXIST::FUNCTION:SHA,SHA512
+STORE_ATTR_INFO_modify_dn               3582	EXIST::FUNCTION:
+STORE_method_get_initialise_function    3583	EXIST:!VMS:FUNCTION:
+STORE_meth_get_initialise_fn            3583	EXIST:VMS:FUNCTION:
+STORE_delete_number                     3584	EXIST::FUNCTION:
+i2d_EC_PUBKEY_bio                       3585	EXIST::FUNCTION:BIO,EC
+BIO_dgram_non_fatal_error               3586	EXIST::FUNCTION:
+EC_GROUP_get_asn1_flag                  3587	EXIST::FUNCTION:EC
+STORE_ATTR_INFO_in_ex                   3588	EXIST::FUNCTION:
+STORE_list_crl_start                    3589	EXIST::FUNCTION:
+ECDH_get_ex_new_index                   3590	EXIST::FUNCTION:ECDH
+STORE_method_get_modify_function        3591	EXIST:!VMS:FUNCTION:
+STORE_meth_get_modify_fn                3591	EXIST:VMS:FUNCTION:
+v2i_ASN1_BIT_STRING                     3592	EXIST::FUNCTION:
+STORE_store_certificate                 3593	EXIST::FUNCTION:
+OBJ_bsearch_ex                          3594	EXIST::FUNCTION:
+X509_STORE_CTX_set_default              3595	EXIST::FUNCTION:
+STORE_ATTR_INFO_set_sha1str             3596	EXIST::FUNCTION:
+BN_GF2m_mod_inv                         3597	EXIST::FUNCTION:
+BN_GF2m_mod_exp                         3598	EXIST::FUNCTION:
+STORE_modify_public_key                 3599	EXIST::FUNCTION:
+STORE_method_get_list_start_function    3600	EXIST:!VMS:FUNCTION:
+STORE_meth_get_list_start_fn            3600	EXIST:VMS:FUNCTION:
+EC_GROUP_get0_seed                      3601	EXIST::FUNCTION:EC
+STORE_store_arbitrary                   3602	EXIST::FUNCTION:
+STORE_method_set_unlock_store_function  3603	EXIST:!VMS:FUNCTION:
+STORE_meth_set_unlock_store_fn          3603	EXIST:VMS:FUNCTION:
+BN_GF2m_mod_div_arr                     3604	EXIST::FUNCTION:
+ENGINE_set_ECDSA                        3605	EXIST::FUNCTION:ENGINE
+STORE_create_method                     3606	EXIST::FUNCTION:
+ECPKParameters_print                    3607	EXIST::FUNCTION:BIO,EC
+EC_KEY_get0_private_key                 3608	EXIST::FUNCTION:EC
+PEM_write_EC_PUBKEY                     3609	EXIST:!WIN16:FUNCTION:EC
+X509_VERIFY_PARAM_set1                  3610	EXIST::FUNCTION:
+ECDH_set_method                         3611	EXIST::FUNCTION:ECDH
+v2i_GENERAL_NAME_ex                     3612	EXIST::FUNCTION:
+ECDH_set_ex_data                        3613	EXIST::FUNCTION:ECDH
+STORE_generate_key                      3614	EXIST::FUNCTION:
+BN_nist_mod_521                         3615	EXIST::FUNCTION:
+X509_policy_tree_get0_level             3616	EXIST::FUNCTION:
+EC_GROUP_set_point_conversion_form      3617	EXIST:!VMS:FUNCTION:EC
+EC_GROUP_set_point_conv_form            3617	EXIST:VMS:FUNCTION:EC
+PEM_read_EC_PUBKEY                      3618	EXIST:!WIN16:FUNCTION:EC
+i2d_ECDSA_SIG                           3619	EXIST::FUNCTION:ECDSA
+ECDSA_OpenSSL                           3620	EXIST::FUNCTION:ECDSA
+STORE_delete_crl                        3621	EXIST::FUNCTION:
+EC_KEY_get_enc_flags                    3622	EXIST::FUNCTION:EC
+ASN1_const_check_infinite_end           3623	EXIST::FUNCTION:
+EVP_PKEY_delete_attr                    3624	EXIST::FUNCTION:
+ECDSA_set_default_method                3625	EXIST::FUNCTION:ECDSA
+EC_POINT_set_compressed_coordinates_GF2m 3626	EXIST:!VMS:FUNCTION:EC
+EC_POINT_set_compr_coords_GF2m          3626	EXIST:VMS:FUNCTION:EC
+EC_GROUP_cmp                            3627	EXIST::FUNCTION:EC
+STORE_revoke_certificate                3628	EXIST::FUNCTION:
+BN_get0_nist_prime_256                  3629	EXIST::FUNCTION:
+STORE_method_get_delete_function        3630	EXIST:!VMS:FUNCTION:
+STORE_meth_get_delete_fn                3630	EXIST:VMS:FUNCTION:
+SHA224_Init                             3631	EXIST::FUNCTION:SHA,SHA256
+PEM_read_ECPrivateKey                   3632	EXIST:!WIN16:FUNCTION:EC
+SHA512_Init                             3633	EXIST::FUNCTION:SHA,SHA512
+STORE_parse_attrs_endp                  3634	EXIST::FUNCTION:
+BN_set_negative                         3635	EXIST::FUNCTION:
+ERR_load_ECDSA_strings                  3636	EXIST::FUNCTION:ECDSA
+EC_GROUP_get_basis_type                 3637	EXIST::FUNCTION:EC
+STORE_list_public_key_next              3638	EXIST::FUNCTION:
+i2v_ASN1_BIT_STRING                     3639	EXIST::FUNCTION:
+STORE_OBJECT_free                       3640	EXIST::FUNCTION:
+BN_nist_mod_384                         3641	EXIST::FUNCTION:
+i2d_X509_CERT_PAIR                      3642	EXIST::FUNCTION:
+PEM_write_ECPKParameters                3643	EXIST:!WIN16:FUNCTION:EC
+ECDH_compute_key                        3644	EXIST::FUNCTION:ECDH
+STORE_ATTR_INFO_get0_sha1str            3645	EXIST::FUNCTION:
+ENGINE_register_all_ECDH                3646	EXIST::FUNCTION:ENGINE
+pqueue_pop                              3647	EXIST::FUNCTION:
+STORE_ATTR_INFO_get0_cstr               3648	EXIST::FUNCTION:
+POLICY_CONSTRAINTS_it                   3649	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+POLICY_CONSTRAINTS_it                   3649	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+STORE_get_ex_new_index                  3650	EXIST::FUNCTION:
+EVP_PKEY_get_attr_by_OBJ                3651	EXIST::FUNCTION:
+X509_VERIFY_PARAM_add0_policy           3652	EXIST::FUNCTION:
+BN_GF2m_mod_solve_quad                  3653	EXIST::FUNCTION:
+SHA256                                  3654	EXIST::FUNCTION:SHA,SHA256
+i2d_ECPrivateKey_fp                     3655	EXIST::FUNCTION:EC,FP_API
+X509_policy_tree_get0_user_policies     3656	EXIST:!VMS:FUNCTION:
+X509_pcy_tree_get0_usr_policies         3656	EXIST:VMS:FUNCTION:
+OPENSSL_DIR_read                        3657	EXIST::FUNCTION:
+ENGINE_register_all_ECDSA               3658	EXIST::FUNCTION:ENGINE
+X509_VERIFY_PARAM_lookup                3659	EXIST::FUNCTION:
+EC_POINT_get_affine_coordinates_GF2m    3660	EXIST:!VMS:FUNCTION:EC
+EC_POINT_get_affine_coords_GF2m         3660	EXIST:VMS:FUNCTION:EC
+EC_GROUP_dup                            3661	EXIST::FUNCTION:EC
+ENGINE_get_default_ECDSA                3662	EXIST::FUNCTION:ENGINE
+EC_KEY_new                              3663	EXIST::FUNCTION:EC
+SHA256_Transform                        3664	EXIST::FUNCTION:SHA,SHA256
+EC_KEY_set_enc_flags                    3665	EXIST::FUNCTION:EC
+ECDSA_verify                            3666	EXIST::FUNCTION:ECDSA
+EC_POINT_point2hex                      3667	EXIST::FUNCTION:EC
+ENGINE_get_STORE                        3668	EXIST::FUNCTION:ENGINE
+SHA512                                  3669	EXIST::FUNCTION:SHA,SHA512
+STORE_get_certificate                   3670	EXIST::FUNCTION:
+ECDSA_do_sign_ex                        3671	EXIST::FUNCTION:ECDSA
+ECDSA_do_verify                         3672	EXIST::FUNCTION:ECDSA
+d2i_ECPrivateKey_fp                     3673	EXIST::FUNCTION:EC,FP_API
+STORE_delete_certificate                3674	EXIST::FUNCTION:
+SHA512_Transform                        3675	EXIST::FUNCTION:SHA,SHA512
+X509_STORE_set1_param                   3676	EXIST::FUNCTION:
+STORE_method_get_ctrl_function          3677	EXIST::FUNCTION:
+STORE_free                              3678	EXIST::FUNCTION:
+PEM_write_ECPrivateKey                  3679	EXIST:!WIN16:FUNCTION:EC
+STORE_method_get_unlock_store_function  3680	EXIST:!VMS:FUNCTION:
+STORE_meth_get_unlock_store_fn          3680	EXIST:VMS:FUNCTION:
+STORE_get_ex_data                       3681	EXIST::FUNCTION:
+EC_KEY_set_public_key                   3682	EXIST::FUNCTION:EC
+PEM_read_ECPKParameters                 3683	EXIST:!WIN16:FUNCTION:EC
+X509_CERT_PAIR_new                      3684	EXIST::FUNCTION:
+ENGINE_register_STORE                   3685	EXIST::FUNCTION:ENGINE
+RSA_generate_key_ex                     3686	EXIST::FUNCTION:RSA
+DSA_generate_parameters_ex              3687	EXIST::FUNCTION:DSA
+ECParameters_print_fp                   3688	EXIST::FUNCTION:EC,FP_API
+X509V3_NAME_from_section                3689	EXIST::FUNCTION:
+EVP_PKEY_add1_attr                      3690	EXIST::FUNCTION:
+STORE_modify_crl                        3691	EXIST::FUNCTION:
+STORE_list_private_key_start            3692	EXIST::FUNCTION:
+POLICY_MAPPINGS_it                      3693	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+POLICY_MAPPINGS_it                      3693	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+GENERAL_SUBTREE_it                      3694	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+GENERAL_SUBTREE_it                      3694	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EC_GROUP_get_curve_name                 3695	EXIST::FUNCTION:EC
+PEM_write_X509_CERT_PAIR                3696	EXIST:!WIN16:FUNCTION:
+BIO_dump_indent_cb                      3697	EXIST::FUNCTION:
+d2i_X509_CERT_PAIR                      3698	EXIST::FUNCTION:
+STORE_list_private_key_endp             3699	EXIST::FUNCTION:
+asn1_const_Finish                       3700	EXIST::FUNCTION:
+i2d_EC_PUBKEY_fp                        3701	EXIST::FUNCTION:EC,FP_API
+BN_nist_mod_256                         3702	EXIST::FUNCTION:
+X509_VERIFY_PARAM_add0_table            3703	EXIST::FUNCTION:
+pqueue_free                             3704	EXIST::FUNCTION:
+BN_BLINDING_create_param                3705	EXIST::FUNCTION:
+ECDSA_size                              3706	EXIST::FUNCTION:ECDSA
+d2i_EC_PUBKEY_bio                       3707	EXIST::FUNCTION:BIO,EC
+BN_get0_nist_prime_521                  3708	EXIST::FUNCTION:
+STORE_ATTR_INFO_modify_sha1str          3709	EXIST::FUNCTION:
+BN_generate_prime_ex                    3710	EXIST::FUNCTION:
+EC_GROUP_new_by_curve_name              3711	EXIST::FUNCTION:EC
+SHA256_Final                            3712	EXIST::FUNCTION:SHA,SHA256
+DH_generate_parameters_ex               3713	EXIST::FUNCTION:DH
+PEM_read_bio_ECPrivateKey               3714	EXIST::FUNCTION:EC
+STORE_method_get_cleanup_function       3715	EXIST:!VMS:FUNCTION:
+STORE_meth_get_cleanup_fn               3715	EXIST:VMS:FUNCTION:
+ENGINE_get_ECDH                         3716	EXIST::FUNCTION:ENGINE
+d2i_ECDSA_SIG                           3717	EXIST::FUNCTION:ECDSA
+BN_is_prime_fasttest_ex                 3718	EXIST::FUNCTION:
+ECDSA_sign                              3719	EXIST::FUNCTION:ECDSA
+X509_policy_check                       3720	EXIST::FUNCTION:
+EVP_PKEY_get_attr_by_NID                3721	EXIST::FUNCTION:
+STORE_set_ex_data                       3722	EXIST::FUNCTION:
+ENGINE_get_ECDSA                        3723	EXIST::FUNCTION:ENGINE
+EVP_ecdsa                               3724	EXIST::FUNCTION:SHA
+BN_BLINDING_get_flags                   3725	EXIST::FUNCTION:
+PKCS12_add_cert                         3726	EXIST::FUNCTION:
+STORE_OBJECT_new                        3727	EXIST::FUNCTION:
+ERR_load_ECDH_strings                   3728	EXIST::FUNCTION:ECDH
+EC_KEY_dup                              3729	EXIST::FUNCTION:EC
+EVP_CIPHER_CTX_rand_key                 3730	EXIST::FUNCTION:
+ECDSA_set_method                        3731	EXIST::FUNCTION:ECDSA
+a2i_IPADDRESS_NC                        3732	EXIST::FUNCTION:
+d2i_ECParameters                        3733	EXIST::FUNCTION:EC
+STORE_list_certificate_end              3734	EXIST::FUNCTION:
+STORE_get_crl                           3735	EXIST::FUNCTION:
+X509_POLICY_NODE_print                  3736	EXIST::FUNCTION:
+SHA384_Init                             3737	EXIST::FUNCTION:SHA,SHA512
+EC_GF2m_simple_method                   3738	EXIST::FUNCTION:EC
+ECDSA_set_ex_data                       3739	EXIST::FUNCTION:ECDSA
+SHA384_Final                            3740	EXIST::FUNCTION:SHA,SHA512
+PKCS7_set_digest                        3741	EXIST::FUNCTION:
+EC_KEY_print                            3742	EXIST::FUNCTION:BIO,EC
+STORE_method_set_lock_store_function    3743	EXIST:!VMS:FUNCTION:
+STORE_meth_set_lock_store_fn            3743	EXIST:VMS:FUNCTION:
+ECDSA_get_ex_new_index                  3744	EXIST::FUNCTION:ECDSA
+SHA384                                  3745	EXIST::FUNCTION:SHA,SHA512
+POLICY_MAPPING_new                      3746	EXIST::FUNCTION:
+STORE_list_certificate_endp             3747	EXIST::FUNCTION:
+X509_STORE_CTX_get0_policy_tree         3748	EXIST::FUNCTION:
+EC_GROUP_set_asn1_flag                  3749	EXIST::FUNCTION:EC
+EC_KEY_check_key                        3750	EXIST::FUNCTION:EC
+d2i_EC_PUBKEY_fp                        3751	EXIST::FUNCTION:EC,FP_API
+PKCS7_set0_type_other                   3752	EXIST::FUNCTION:
+PEM_read_bio_X509_CERT_PAIR             3753	EXIST::FUNCTION:
+pqueue_next                             3754	EXIST::FUNCTION:
+STORE_method_get_list_end_function      3755	EXIST:!VMS:FUNCTION:
+STORE_meth_get_list_end_fn              3755	EXIST:VMS:FUNCTION:
+EVP_PKEY_add1_attr_by_OBJ               3756	EXIST::FUNCTION:
+X509_VERIFY_PARAM_set_time              3757	EXIST::FUNCTION:
+pqueue_new                              3758	EXIST::FUNCTION:
+ENGINE_set_default_ECDH                 3759	EXIST::FUNCTION:ENGINE
+STORE_new_method                        3760	EXIST::FUNCTION:
+PKCS12_add_key                          3761	EXIST::FUNCTION:
+DSO_merge                               3762	EXIST::FUNCTION:
+EC_POINT_hex2point                      3763	EXIST::FUNCTION:EC
+BIO_dump_cb                             3764	EXIST::FUNCTION:
+SHA256_Update                           3765	EXIST::FUNCTION:SHA,SHA256
+pqueue_insert                           3766	EXIST::FUNCTION:
+pitem_free                              3767	EXIST::FUNCTION:
+BN_GF2m_mod_inv_arr                     3768	EXIST::FUNCTION:
+ENGINE_unregister_ECDSA                 3769	EXIST::FUNCTION:ENGINE
+BN_BLINDING_set_thread_id               3770	EXIST::FUNCTION:
+get_rfc3526_prime_8192                  3771	EXIST::FUNCTION:
+X509_VERIFY_PARAM_clear_flags           3772	EXIST::FUNCTION:
+get_rfc2409_prime_1024                  3773	EXIST::FUNCTION:
+DH_check_pub_key                        3774	EXIST::FUNCTION:DH
+get_rfc3526_prime_2048                  3775	EXIST::FUNCTION:
+get_rfc3526_prime_6144                  3776	EXIST::FUNCTION:
+get_rfc3526_prime_1536                  3777	EXIST::FUNCTION:
+get_rfc3526_prime_3072                  3778	EXIST::FUNCTION:
+get_rfc3526_prime_4096                  3779	EXIST::FUNCTION:
+get_rfc2409_prime_768                   3780	EXIST::FUNCTION:
+X509_VERIFY_PARAM_get_flags             3781	EXIST::FUNCTION:
+EVP_CIPHER_CTX_new                      3782	EXIST::FUNCTION:
+EVP_CIPHER_CTX_free                     3783	EXIST::FUNCTION:
diff --git a/crypto/openssl/util/mk1mf.pl b/crypto/openssl/util/mk1mf.pl
index 957264c6b54b..10eb19c67162 100755
--- a/crypto/openssl/util/mk1mf.pl
+++ b/crypto/openssl/util/mk1mf.pl
@@ -10,6 +10,12 @@ $OPTIONS="";
 $ssl_version="";
 $banner="\t\@echo Building OpenSSL";
 
+my $no_static_engine = 0;
+my $engines = "";
+local $zlib_opt = 0;	# 0 = no zlib, 1 = static, 2 = dynamic
+local $zlib_lib = "";
+
+
 open(IN,"<Makefile") || die "unable to open Makefile!\n";
 while(<IN>) {
     $ssl_version=$1 if (/^VERSION=(.*)$/);
@@ -24,25 +30,25 @@ $infile="MINFO";
 
 %ops=(
 	"VC-WIN32",   "Microsoft Visual C++ [4-6] - Windows NT or 9X",
+	"VC-WIN64I",  "Microsoft C/C++ - Win64/IA-64",
+	"VC-WIN64A",  "Microsoft C/C++ - Win64/x64",
 	"VC-CE",   "Microsoft eMbedded Visual C++ 3.0 - Windows CE ONLY",
 	"VC-NT",   "Microsoft Visual C++ [4-6] - Windows NT ONLY",
-	"VC-W31-16",  "Microsoft Visual C++ 1.52 - Windows 3.1 - 286",
-	"VC-WIN16",   "Alias for VC-W31-32",
-	"VC-W31-32",  "Microsoft Visual C++ 1.52 - Windows 3.1 - 386+",
-	"VC-MSDOS","Microsoft Visual C++ 1.52 - MSDOS",
 	"Mingw32", "GNU C++ - Windows NT or 9x",
 	"Mingw32-files", "Create files with DOS copy ...",
 	"BC-NT",   "Borland C++ 4.5 - Windows NT",
-	"BC-W31",  "Borland C++ 4.5 - Windows 3.1 - PROBABLY NOT WORKING",
-	"BC-MSDOS","Borland C++ 4.5 - MSDOS",
 	"linux-elf","Linux elf",
 	"ultrix-mips","DEC mips ultrix",
 	"FreeBSD","FreeBSD distribution",
 	"OS2-EMX", "EMX GCC OS/2",
+	"netware-clib", "CodeWarrior for NetWare - CLib - with WinSock Sockets",
+	"netware-libc", "CodeWarrior for NetWare - LibC - with WinSock Sockets",
+	"netware-libc-bsdsock", "CodeWarrior for NetWare - LibC - with BSD Sockets",
 	"default","cc under unix",
 	);
 
 $platform="";
+my $xcflags="";
 foreach (@ARGV)
 	{
 	if (!&read_options && !defined($ops{$_}))
@@ -64,9 +70,13 @@ and [options] can be one of
 	no-asm 					- No x86 asm
 	no-krb5					- No KRB5
 	no-ec					- No EC
+	no-ecdsa				- No ECDSA
+	no-ecdh					- No ECDH
 	no-engine				- No engine
 	no-hw					- No hw
 	nasm 					- Use NASM for x86 asm
+	nw-nasm					- Use NASM x86 asm for NetWare
+	nw-mwasm					- Use Metrowerks x86 asm for NetWare
 	gaswin					- Use GNU as with Mingw32
 	no-socks				- No socket code
 	no-err					- No error strings
@@ -91,6 +101,8 @@ foreach (grep(!/^$/, split(/ /, $OPTIONS)))
 	print STDERR "unknown option - $_\n" if !&read_options;
 	}
 
+$no_static_engine = 0 if (!$shlib);
+
 $no_mdc2=1 if ($no_des);
 
 $no_ssl3=1 if ($no_md5 || $no_sha);
@@ -103,7 +115,8 @@ $out_def="out";
 $inc_def="outinc";
 $tmp_def="tmp";
 
-$mkdir="-mkdir";
+$perl="perl" unless defined $perl;
+$mkdir="-mkdir" unless defined $mkdir;
 
 ($ssl,$crypto)=("ssl","crypto");
 $ranlib="echo ranlib";
@@ -114,36 +127,16 @@ $bin_dir=(defined($VARS{'BIN'}))?$VARS{'BIN'}:'';
 
 # $bin_dir.=$o causes a core dump on my sparc :-(
 
+
 $NT=0;
 
 push(@INC,"util/pl","pl");
-if ($platform eq "VC-MSDOS")
-	{
-	$asmbits=16;
-	$msdos=1;
-	require 'VC-16.pl';
-	}
-elsif ($platform eq "VC-W31-16")
+if (($platform =~ /VC-(.+)/))
 	{
-	$asmbits=16;
-	$msdos=1; $win16=1;
-	require 'VC-16.pl';
-	}
-elsif (($platform eq "VC-W31-32") || ($platform eq "VC-WIN16"))
-	{
-	$asmbits=32;
-	$msdos=1; $win16=1;
-	require 'VC-16.pl';
-	}
-elsif (($platform eq "VC-WIN32") || ($platform eq "VC-NT"))
-	{
-	$NT = 1 if $platform eq "VC-NT";
+	$FLAVOR=$1;
+	$NT = 1 if $1 eq "NT";
 	require 'VC-32.pl';
 	}
-elsif ($platform eq "VC-CE")
-	{
-	require 'VC-CE.pl';
-	}
 elsif ($platform eq "Mingw32")
 	{
 	require 'Mingw32.pl';
@@ -157,23 +150,6 @@ elsif ($platform eq "BC-NT")
 	$bc=1;
 	require 'BC-32.pl';
 	}
-elsif ($platform eq "BC-W31")
-	{
-	$bc=1;
-	$msdos=1; $w16=1;
-	require 'BC-16.pl';
-	}
-elsif ($platform eq "BC-Q16")
-	{
-	$msdos=1; $w16=1; $shlib=0; $qw=1;
-	require 'BC-16.pl';
-	}
-elsif ($platform eq "BC-MSDOS")
-	{
-	$asmbits=16;
-	$msdos=1;
-	require 'BC-16.pl';
-	}
 elsif ($platform eq "FreeBSD")
 	{
 	require 'unix.pl';
@@ -196,6 +172,13 @@ elsif ($platform eq "OS2-EMX")
 	$wc=1;
 	require 'OS2-EMX.pl';
 	}
+elsif (($platform eq "netware-clib") || ($platform eq "netware-libc") ||
+       ($platform eq "netware-libc-bsdsock"))
+	{
+	$LIBC=1 if $platform eq "netware-libc" || $platform eq "netware-libc-bsdsock";
+	$BSDSOCK=1 if $platform eq "netware-libc-bsdsock";
+	require 'netware.pl';
+	}
 else
 	{
 	require "unix.pl";
@@ -210,6 +193,8 @@ $inc_dir=(defined($VARS{'INC'}))?$VARS{'INC'}:$inc_def;
 
 $bin_dir=$bin_dir.$o unless ((substr($bin_dir,-1,1) eq $o) || ($bin_dir eq ''));
 
+$cflags= "$xcflags$cflags" if $xcflags ne "";
+
 $cflags.=" -DOPENSSL_NO_IDEA" if $no_idea;
 $cflags.=" -DOPENSSL_NO_AES"  if $no_aes;
 $cflags.=" -DOPENSSL_NO_RC2"  if $no_rc2;
@@ -222,7 +207,7 @@ $cflags.=" -DOPENSSL_NO_SHA"  if $no_sha;
 $cflags.=" -DOPENSSL_NO_SHA1" if $no_sha1;
 $cflags.=" -DOPENSSL_NO_RIPEMD" if $no_ripemd;
 $cflags.=" -DOPENSSL_NO_MDC2" if $no_mdc2;
-$cflags.=" -DOPENSSL_NO_BF"   if $no_bf;
+$cflags.=" -DOPENSSL_NO_BF"  if $no_bf;
 $cflags.=" -DOPENSSL_NO_CAST" if $no_cast;
 $cflags.=" -DOPENSSL_NO_DES"  if $no_des;
 $cflags.=" -DOPENSSL_NO_RSA"  if $no_rsa;
@@ -234,9 +219,23 @@ $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
 $cflags.=" -DOPENSSL_NO_ERR"  if $no_err;
 $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
 $cflags.=" -DOPENSSL_NO_EC"   if $no_ec;
+$cflags.=" -DOPENSSL_NO_ECDSA" if $no_ecdsa;
+$cflags.=" -DOPENSSL_NO_ECDH" if $no_ecdh;
 $cflags.=" -DOPENSSL_NO_ENGINE"   if $no_engine;
 $cflags.=" -DOPENSSL_NO_HW"   if $no_hw;
-$cflags.=" -DOPENSSL_FIPS"    if $fips;
+
+$cflags.= " -DZLIB" if $zlib_opt;
+$cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;
+
+if ($no_static_engine)
+	{
+	$cflags .= " -DOPENSSL_NO_STATIC_ENGINE";
+	}
+else
+	{
+	$cflags .= " -DOPENSSL_NO_DYNAMIC_ENGINE";
+	}
+
 #$cflags.=" -DRSAref"  if $rsaref ne "";
 
 ## if ($unix)
@@ -246,6 +245,7 @@ $cflags.=" -DOPENSSL_FIPS"    if $fips;
 
 $ex_libs="$l_flags$ex_libs" if ($l_flags ne "");
 
+
 %shlib_ex_cflags=("SSL" => " -DOPENSSL_BUILD_SHLIBSSL",
 		  "CRYPTO" => " -DOPENSSL_BUILD_SHLIBCRYPTO");
 
@@ -262,6 +262,96 @@ $link="$bin_dir$link" if ($link !~ /^\$/);
 
 $INSTALLTOP =~ s|/|$o|g;
 
+#############################################
+# We parse in input file and 'store' info for later printing.
+open(IN,"<$infile") || die "unable to open $infile:$!\n";
+$_=<IN>;
+for (;;)
+	{
+	chop;
+
+	($key,$val)=/^([^=]+)=(.*)/;
+	if ($key eq "RELATIVE_DIRECTORY")
+		{
+		if ($lib ne "")
+			{
+			$uc=$lib;
+			$uc =~ s/^lib(.*)\.a/$1/;
+			$uc =~ tr/a-z/A-Z/;
+			$lib_nam{$uc}=$uc;
+			$lib_obj{$uc}.=$libobj." ";
+			}
+		last if ($val eq "FINISHED");
+		$lib="";
+		$libobj="";
+		$dir=$val;
+		}
+
+	if ($key eq "KRB5_INCLUDES")
+		{ $cflags .= " $val";}
+
+	if ($key eq "ZLIB_INCLUDE")
+		{ $cflags .= " $val" if $val ne "";}
+
+	if ($key eq "LIBZLIB")
+		{ $zlib_lib = "$val" if $val ne "";}
+
+	if ($key eq "LIBKRB5")
+		{ $ex_libs .= " $val" if $val ne "";}
+
+	if ($key eq "TEST")
+		{ $test.=&var_add($dir,$val, 0); }
+
+	if (($key eq "PROGS") || ($key eq "E_OBJ"))
+		{ $e_exe.=&var_add($dir,$val, 0); }
+
+	if ($key eq "LIB")
+		{
+		$lib=$val;
+		$lib =~ s/^.*\/([^\/]+)$/$1/;
+		}
+
+	if ($key eq "EXHEADER")
+		{ $exheader.=&var_add($dir,$val, 1); }
+
+	if ($key eq "HEADER")
+		{ $header.=&var_add($dir,$val, 1); }
+
+	if ($key eq "LIBOBJ" && ($dir ne "engines" || !$no_static_engine))
+		{ $libobj=&var_add($dir,$val, 0); }
+	if ($key eq "LIBNAMES" && $dir eq "engines" && $no_static_engine)
+ 		{ $engines.=$val }
+
+	if (!($_=<IN>))
+		{ $_="RELATIVE_DIRECTORY=FINISHED\n"; }
+	}
+close(IN);
+
+if ($shlib)
+	{
+	$extra_install= <<"EOF";
+	\$(CP) \$(O_SSL) \$(INSTALLTOP)${o}bin
+	\$(CP) \$(O_CRYPTO) \$(INSTALLTOP)${o}bin
+	\$(CP) \$(L_SSL) \$(INSTALLTOP)${o}lib
+	\$(CP) \$(L_CRYPTO) \$(INSTALLTOP)${o}lib
+EOF
+	if ($no_static_engine)
+		{
+		$extra_install .= <<"EOF"
+	\$(MKDIR) \$(INSTALLTOP)${o}lib${o}engines
+	\$(CP) \$(E_SHLIB) \$(INSTALLTOP)${o}lib${o}engines
+EOF
+		}
+	}
+else
+	{
+	$extra_install= <<"EOF";
+	\$(CP) \$(O_SSL) \$(INSTALLTOP)${o}lib
+	\$(CP) \$(O_CRYPTO) \$(INSTALLTOP)${o}lib
+EOF
+	$ex_libs .= " $zlib_lib" if $zlib_opt == 1;
+	}
+
 $defs= <<"EOF";
 # This makefile has been automatically generated from the OpenSSL distribution.
 # This single makefile will build the complete OpenSSL distribution and
@@ -280,14 +370,6 @@ EOF
 
 $defs .= $preamble if defined $preamble;
 
-if ($platform eq "VC-CE")
-	{
-	$defs.= <<"EOF";
-!INCLUDE <\$(WCECOMPAT)/wcedefs.mak>
-
-EOF
-	}
-
 $defs.= <<"EOF";
 INSTALLTOP=$INSTALLTOP
 
@@ -309,6 +391,7 @@ SRC_D=$src_dir
 
 LINK=$link
 LFLAGS=$lflags
+RSC=$rsc
 
 BN_ASM_OBJ=$bn_asm_obj
 BN_ASM_SRC=$bn_asm_src
@@ -339,6 +422,7 @@ TMP_D=$tmp_dir
 INC_D=$inc_dir
 INCO_D=$inc_dir${o}openssl
 
+PERL=$perl
 CP=$cp
 RM=$rm
 RANLIB=$ranlib
@@ -358,12 +442,14 @@ CRYPTO=$crypto
 # BIN_D  - Binary output directory
 # TEST_D - Binary test file output directory
 # LIB_D  - library output directory
+# ENG_D  - dynamic engine output directory
 # Note: if you change these point to different directories then uncomment out
 # the lines around the 'NB' comment below.
 # 
 BIN_D=\$(OUT_D)
 TEST_D=\$(OUT_D)
 LIB_D=\$(OUT_D)
+ENG_D=\$(OUT_D)
 
 # INCL_D - local library directory
 # OBJ_D  - temp object file directory
@@ -419,11 +505,11 @@ $banner
 headers: \$(HEADER) \$(EXHEADER)
 	@
 
-lib: \$(LIBS_DEP)
+lib: \$(LIBS_DEP) \$(E_SHLIB)
 
 exe: \$(T_EXE) \$(BIN_D)$o\$(E_EXE)$exep
 
-install:
+install: all
 	\$(MKDIR) \$(INSTALLTOP)
 	\$(MKDIR) \$(INSTALLTOP)${o}bin
 	\$(MKDIR) \$(INSTALLTOP)${o}include
@@ -431,8 +517,13 @@ install:
 	\$(MKDIR) \$(INSTALLTOP)${o}lib
 	\$(CP) \$(INCO_D)${o}*.\[ch\] \$(INSTALLTOP)${o}include${o}openssl
 	\$(CP) \$(BIN_D)$o\$(E_EXE)$exep \$(INSTALLTOP)${o}bin
-	\$(CP) \$(O_SSL) \$(INSTALLTOP)${o}lib
-	\$(CP) \$(O_CRYPTO) \$(INSTALLTOP)${o}lib
+	\$(CP) apps${o}openssl.cnf \$(INSTALLTOP)
+$extra_install
+
+
+test: \$(T_EXE)
+	cd \$(BIN_D)
+	..${o}ms${o}test
 
 clean:
 	\$(RM) \$(TMP_D)$o*.*
@@ -479,57 +570,6 @@ printf OUT "  #define DATE \"%s\"\n", scalar gmtime();
 printf OUT "#endif\n";
 close(OUT);
 
-#############################################
-# We parse in input file and 'store' info for later printing.
-open(IN,"<$infile") || die "unable to open $infile:$!\n";
-$_=<IN>;
-for (;;)
-	{
-	chop;
-
-	($key,$val)=/^([^=]+)=(.*)/;
-	if ($key eq "RELATIVE_DIRECTORY")
-		{
-		if ($lib ne "")
-			{
-			$uc=$lib;
-			$uc =~ s/^lib(.*)\.a/$1/;
-			$uc =~ tr/a-z/A-Z/;
-			$lib_nam{$uc}=$uc;
-			$lib_obj{$uc}.=$libobj." ";
-			}
-		last if ($val eq "FINISHED");
-		$lib="";
-		$libobj="";
-		$dir=$val;
-		}
-
-	if ($key eq "TEST")
-		{ $test.=&var_add($dir,$val); }
-
-	if (($key eq "PROGS") || ($key eq "E_OBJ"))
-		{ $e_exe.=&var_add($dir,$val); }
-
-	if ($key eq "LIB")
-		{
-		$lib=$val;
-		$lib =~ s/^.*\/([^\/]+)$/$1/;
-		}
-
-	if ($key eq "EXHEADER")
-		{ $exheader.=&var_add($dir,$val); }
-
-	if ($key eq "HEADER")
-		{ $header.=&var_add($dir,$val); }
-
-	if ($key eq "LIBOBJ")
-		{ $libobj=&var_add($dir,$val); }
-
-	if (!($_=<IN>))
-		{ $_="RELATIVE_DIRECTORY=FINISHED\n"; }
-	}
-close(IN);
-
 # Strip of trailing ' '
 foreach (keys %lib_obj) { $lib_obj{$_}=&clean_up_ws($lib_obj{$_}); }
 $test=&clean_up_ws($test);
@@ -542,11 +582,11 @@ foreach (split(/\s+/,$exheader)){ $h{$_}=1; }
 foreach (split(/\s+/,$header))	{ $h.=$_." " unless $h{$_}; }
 chop($h); $header=$h;
 
-$defs.=&do_defs("HEADER",$header,"\$(INCL_D)",".h");
-$rules.=&do_copy_rule("\$(INCL_D)",$header,".h");
+$defs.=&do_defs("HEADER",$header,"\$(INCL_D)","");
+$rules.=&do_copy_rule("\$(INCL_D)",$header,"");
 
-$defs.=&do_defs("EXHEADER",$exheader,"\$(INCO_D)",".h");
-$rules.=&do_copy_rule("\$(INCO_D)",$exheader,".h");
+$defs.=&do_defs("EXHEADER",$exheader,"\$(INCO_D)","");
+$rules.=&do_copy_rule("\$(INCO_D)",$exheader,"");
 
 $defs.=&do_defs("T_OBJ",$test,"\$(OBJ_D)",$obj);
 $rules.=&do_compile_rule("\$(OBJ_D)",$test,"\$(APP_CFLAGS)");
@@ -621,6 +661,18 @@ foreach (values %lib_nam)
 	$rules.=&do_compile_rule("\$(OBJ_D)",$lib_obj{$_},$lib);
 	}
 
+# hack to add version info on MSVC
+if (($platform eq "VC-WIN32") || ($platform eq "VC-NT")) {
+    $rules.= <<"EOF";
+\$(OBJ_D)\\\$(CRYPTO).res: ms\\version32.rc
+	\$(RSC) /fo"\$(OBJ_D)\\\$(CRYPTO).res" /d CRYPTO ms\\version32.rc
+
+\$(OBJ_D)\\\$(SSL).res: ms\\version32.rc
+	\$(RSC) /fo"\$(OBJ_D)\\\$(SSL).res" /d SSL ms\\version32.rc
+
+EOF
+}
+
 $defs.=&do_defs("T_EXE",$test,"\$(TEST_D)",$exep);
 foreach (split(/\s+/,$test))
 	{
@@ -629,17 +681,21 @@ foreach (split(/\s+/,$test))
 	$rules.=&do_link_rule("\$(TEST_D)$o$t$exep",$tt,"\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
 	}
 
-$rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
-$rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)");
+$defs.=&do_defs("E_SHLIB",$engines,"\$(ENG_D)",$shlibp);
 
-if ($fips)
+foreach (split(/\s+/,$engines))
 	{
-	$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)","\$(BIN_D)$o.sha1","\$(BIN_D)$o\$(E_EXE)$exep");
-	}
-else
-	{
-	$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+	$rules.=&do_compile_rule("\$(OBJ_D)","engines${o}e_$_",$lib);
+	$rules.= &do_lib_rule("\$(OBJ_D)${o}e_${_}.obj","\$(ENG_D)$o$_$shlibp","",$shlib,"");
 	}
+
+
+
+$rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
+$rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)");
+
+$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+
 print $defs;
 
 if ($platform eq "linux-elf") {
@@ -658,7 +714,7 @@ print $rules;
 # directories
 sub var_add
 	{
-	local($dir,$val)=@_;
+	local($dir,$val,$keepext)=@_;
 	local(@a,$_,$ret);
 
 	return("") if $no_engine && $dir =~ /\/engine/;
@@ -687,7 +743,7 @@ sub var_add
 
 	$val =~ s/^\s*(.*)\s*$/$1/;
 	@a=split(/\s+/,$val);
-	grep(s/\.[och]$//,@a);
+	grep(s/\.[och]$//,@a) unless $keepext;
 
 	@a=grep(!/^e_.*_3d$/,@a) if $no_des;
 	@a=grep(!/^e_.*_d$/,@a) if $no_des;
@@ -787,7 +843,15 @@ sub do_defs
 		$Vars{$var}.="$t ";
 		$ret.=$t;
 		}
-	chop($ret);
+	# hack to add version info on MSVC
+	if ($shlib && (($platform eq "VC-WIN32") || ($platform eq "VC-NT")))
+		{
+		if ($var eq "CRYPTOOBJ")
+			{ $ret.="\$(OBJ_D)\\\$(CRYPTO).res "; }
+		elsif ($var eq "SSLOBJ")
+			{ $ret.="\$(OBJ_D)\\\$(SSL).res "; }
+		}
+	chomp($ret);
 	$ret.="\n\n";
 	return($ret);
 	}
@@ -889,52 +953,122 @@ sub do_copy_rule
 
 sub read_options
 	{
-	if    (/^no-rc2$/)	{ $no_rc2=1; }
-	elsif (/^no-rc4$/)	{ $no_rc4=1; }
-	elsif (/^no-rc5$/)	{ $no_rc5=1; }
-	elsif (/^no-idea$/)	{ $no_idea=1; }
-	elsif (/^no-aes$/)	{ $no_aes=1; }
-	elsif (/^no-des$/)	{ $no_des=1; }
-	elsif (/^no-bf$/)	{ $no_bf=1; }
-	elsif (/^no-cast$/)	{ $no_cast=1; }
-	elsif (/^no-md2$/)  	{ $no_md2=1; }
-	elsif (/^no-md4$/)	{ $no_md4=1; }
-	elsif (/^no-md5$/)	{ $no_md5=1; }
-	elsif (/^no-sha$/)	{ $no_sha=1; }
-	elsif (/^no-sha1$/)	{ $no_sha1=1; }
-	elsif (/^no-ripemd$/)	{ $no_ripemd=1; }
-	elsif (/^no-mdc2$/)	{ $no_mdc2=1; }
-	elsif (/^no-patents$/)	{ $no_rc2=$no_rc4=$no_rc5=$no_idea=$no_rsa=1; }
-	elsif (/^no-rsa$/)	{ $no_rsa=1; }
-	elsif (/^no-dsa$/)	{ $no_dsa=1; }
-	elsif (/^no-dh$/)	{ $no_dh=1; }
-	elsif (/^no-hmac$/)	{ $no_hmac=1; }
-	elsif (/^no-aes$/)	{ $no_aes=1; }
-	elsif (/^no-asm$/)	{ $no_asm=1; }
-	elsif (/^nasm$/)	{ $nasm=1; }
-	elsif (/^gaswin$/)	{ $gaswin=1; }
-	elsif (/^no-ssl2$/)	{ $no_ssl2=1; }
-	elsif (/^no-ssl3$/)	{ $no_ssl3=1; }
-	elsif (/^no-err$/)	{ $no_err=1; }
-	elsif (/^no-sock$/)	{ $no_sock=1; }
-	elsif (/^no-krb5$/)	{ $no_krb5=1; }
-	elsif (/^no-ec$/)	{ $no_ec=1; }
-	elsif (/^no-engine$/)	{ $no_engine=1; }
-	elsif (/^no-hw$/)	{ $no_hw=1; }
-
-	elsif (/^just-ssl$/)	{ $no_rc2=$no_idea=$no_des=$no_bf=$no_cast=1;
-				  $no_md2=$no_sha=$no_mdc2=$no_dsa=$no_dh=1;
-				  $no_ssl2=$no_err=$no_ripemd=$no_rc5=1;
-				  $no_aes=1; }
-
-	elsif (/^rsaref$/)	{ }
-	elsif (/^fips$/)	{ $fips=1; }
-	elsif (/^gcc$/)		{ $gcc=1; }
-	elsif (/^debug$/)	{ $debug=1; }
-	elsif (/^profile$/)	{ $profile=1; }
-	elsif (/^shlib$/)	{ $shlib=1; }
-	elsif (/^dll$/)		{ $shlib=1; }
-	elsif (/^shared$/)	{ } # We just need to ignore it for now...
+	# Many options are handled in a similar way. In particular
+	# no-xxx sets zero or more scalars to 1.
+	# Process these using a hash containing the option name and
+	# reference to the scalars to set.
+
+	my %valid_options = (
+		"no-rc2" => \$no_rc2,
+		"no-rc4" => \$no_rc4,
+		"no-rc5" => \$no_rc5,
+		"no-idea" => \$no_idea,
+		"no-aes" => \$no_aes,
+		"no-des" => \$no_des,
+		"no-bf" => \$no_bf,
+		"no-cast" => \$no_cast,
+		"no-md2" => \$no_md2,
+		"no-md4" => \$no_md4,
+		"no-md5" => \$no_md5,
+		"no-sha" => \$no_sha,
+		"no-sha1" => \$no_sha1,
+		"no-ripemd" => \$no_ripemd,
+		"no-mdc2" => \$no_mdc2,
+		"no-patents" => 
+			[\$no_rc2, \$no_rc4, \$no_rc5, \$no_idea, \$no_rsa],
+		"no-rsa" => \$no_rsa,
+		"no-dsa" => \$no_dsa,
+		"no-dh" => \$no_dh,
+		"no-hmac" => \$no_hmac,
+		"no-aes" => \$no_aes,
+		"no-asm" => \$no_asm,
+		"nasm" => \$nasm,
+		"nw-nasm" => \$nw_nasm,
+		"nw-mwasm" => \$nw_mwasm,
+		"gaswin" => \$gaswin,
+		"no-ssl2" => \$no_ssl2,
+		"no-ssl3" => \$no_ssl3,
+		"no-err" => \$no_err,
+		"no-sock" => \$no_sock,
+		"no-krb5" => \$no_krb5,
+		"no-ec" => \$no_ec,
+		"no-ecdsa" => \$no_ecdsa,
+		"no-ecdh" => \$no_ecdh,
+		"no-engine" => \$no_engine,
+		"no-hw" => \$no_hw,
+		"just-ssl" =>
+			[\$no_rc2, \$no_idea, \$no_des, \$no_bf, \$no_cast,
+			  \$no_md2, \$no_sha, \$no_mdc2, \$no_dsa, \$no_dh,
+			  \$no_ssl2, \$no_err, \$no_ripemd, \$no_rc5,
+			  \$no_aes],
+		"rsaref" => 0,
+		"gcc" => \$gcc,
+		"debug" => \$debug,
+		"profile" => \$profile,
+		"shlib" => \$shlib,
+		"dll" => \$shlib,
+		"shared" => 0,
+		"no-gmp" => 0,
+		"no-shared" => 0,
+		"no-zlib" => 0,
+		"no-zlib-dynamic" => 0,
+		);
+
+	if (exists $valid_options{$_})
+		{
+		my $r = $valid_options{$_};
+		if ( ref $r eq "SCALAR")
+			{ $$r = 1;}
+		elsif ( ref $r eq "ARRAY")
+			{
+			my $r2;
+			foreach $r2 (@$r)
+				{
+				$$r2 = 1;
+				}
+			}
+		}
+	elsif (/^no-comp$/) { $xcflags = "-DOPENSSL_NO_COMP $xcflags"; }
+	elsif (/^enable-zlib$/) { $zlib_opt = 1 if $zlib_opt == 0 }
+	elsif (/^enable-zlib-dynamic$/)
+		{
+		$zlib_opt = 2;
+		}
+	elsif (/^no-static-engine/)
+		{
+		$no_static_engine = 1;
+		}
+	elsif (/^enable-static-engine/)
+		{
+		$no_static_engine = 0;
+		}
+	# There are also enable-xxx options which correspond to
+	# the no-xxx. Since the scalars are enabled by default
+	# these can be ignored.
+	elsif (/^enable-/)
+		{
+		my $t = $_;
+		$t =~ s/^enable/no/;
+		if (exists $valid_options{$t})
+			{return 1;}
+		return 0;
+		}
+	elsif (/^--with-krb5-flavor=(.*)$/)
+		{
+		my $krb5_flavor = $1;
+		if ($krb5_flavor =~ /^force-[Hh]eimdal$/)
+			{
+			$xcflags="-DKRB5_HEIMDAL $xcflags";
+			}
+		elsif ($krb5_flavor =~ /^MIT/i)
+			{
+			$xcflags="-DKRB5_MIT $xcflags";
+		 	if ($krb5_flavor =~ /^MIT[._-]*1[._-]*[01]/i)
+				{
+				$xcflags="-DKRB5_MIT_OLD11 $xcflags"
+				}
+			}
+		}
 	elsif (/^([^=]*)=(.*)$/){ $VARS{$1}=$2; }
 	elsif (/^-[lL].*$/)	{ $l_flags.="$_ "; }
 	elsif ((!/^-help/) && (!/^-h/) && (!/^-\?/) && /^-.*$/)
diff --git a/crypto/openssl/util/mkdef.pl b/crypto/openssl/util/mkdef.pl
index 443d74d4481a..24386009bfbb 100755
--- a/crypto/openssl/util/mkdef.pl
+++ b/crypto/openssl/util/mkdef.pl
@@ -79,19 +79,23 @@ my $OS2=0;
 my $safe_stack_def = 0;
 
 my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT",
-			"EXPORT_VAR_AS_FUNCTION", "OPENSSL_FIPS" );
+			"EXPORT_VAR_AS_FUNCTION" );
 my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT", "OS2" );
 my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
 			 "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1",
-			 "RIPEMD",
-			 "MDC2", "RSA", "DSA", "DH", "EC", "HMAC", "AES",
+			 "SHA256", "SHA512", "RIPEMD",
+			 "MDC2", "RSA", "DSA", "DH", "EC", "ECDH", "ECDSA", "HMAC", "AES",
 			 # Envelope "algorithms"
 			 "EVP", "X509", "ASN1_TYPEDEFS",
 			 # Helper "algorithms"
 			 "BIO", "COMP", "BUFFER", "LHASH", "STACK", "ERR",
 			 "LOCKING",
 			 # External "algorithms"
-			 "FP_API", "STDIO", "SOCK", "KRB5", "ENGINE", "HW" );
+			 "FP_API", "STDIO", "SOCK", "KRB5", "DGRAM",
+			 # Engines
+			 "STATIC_ENGINE", "ENGINE", "HW", "GMP",
+			 # Deprecated functions
+			 "DEPRECATED" );
 
 my $options="";
 open(IN,"<Makefile") || die "unable to open Makefile!\n";
@@ -107,9 +111,9 @@ my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf;
 my $no_cast;
 my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
 my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
-my $no_ec; my $no_engine; my $no_hw;
-my $no_fp_api;
-my $fips;
+my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw;
+my $no_fp_api; my $no_static_engine; my $no_gmp; my $no_deprecated;
+
 
 foreach (@ARGV, split(/ /, $options))
 	{
@@ -130,7 +134,6 @@ foreach (@ARGV, split(/ /, $options))
 	}
 	$VMS=1 if $_ eq "VMS";
 	$OS2=1 if $_ eq "OS2";
-	$fips=1 if $_ eq "fips";
 
 	$do_ssl=1 if $_ eq "ssleay";
 	if ($_ eq "ssl") {
@@ -142,6 +145,8 @@ foreach (@ARGV, split(/ /, $options))
 		$do_crypto=1;
 		$libname=$_;
 	}
+	$no_static_engine=1 if $_ eq "no-static-engine";
+	$no_static_engine=0 if $_ eq "enable-static-engine";
 	$do_update=1 if $_ eq "update";
 	$do_rewrite=1 if $_ eq "rewrite";
 	$do_ctest=1 if $_ eq "ctest";
@@ -166,6 +171,8 @@ foreach (@ARGV, split(/ /, $options))
 	elsif (/^no-dsa$/)      { $no_dsa=1; }
 	elsif (/^no-dh$/)       { $no_dh=1; }
 	elsif (/^no-ec$/)       { $no_ec=1; }
+	elsif (/^no-ecdsa$/)	{ $no_ecdsa=1; }
+	elsif (/^no-ecdh$/) 	{ $no_ecdh=1; }
 	elsif (/^no-hmac$/)	{ $no_hmac=1; }
 	elsif (/^no-aes$/)	{ $no_aes=1; }
 	elsif (/^no-evp$/)	{ $no_evp=1; }
@@ -180,6 +187,7 @@ foreach (@ARGV, split(/ /, $options))
 	elsif (/^no-krb5$/)	{ $no_krb5=1; }
 	elsif (/^no-engine$/)	{ $no_engine=1; }
 	elsif (/^no-hw$/)	{ $no_hw=1; }
+	elsif (/^no-gmp$/)	{ $no_gmp=1; }
 	}
 
 
@@ -217,6 +225,7 @@ my $ssl="ssl/ssl.h";
 $ssl.=" ssl/kssl.h";
 
 my $crypto ="crypto/crypto.h";
+$crypto.=" crypto/o_dir.h";
 $crypto.=" crypto/des/des.h crypto/des/des_old.h" ; # unless $no_des;
 $crypto.=" crypto/idea/idea.h" ; # unless $no_idea;
 $crypto.=" crypto/rc4/rc4.h" ; # unless $no_rc4;
@@ -237,6 +246,8 @@ $crypto.=" crypto/rsa/rsa.h" ; # unless $no_rsa;
 $crypto.=" crypto/dsa/dsa.h" ; # unless $no_dsa;
 $crypto.=" crypto/dh/dh.h" ; # unless $no_dh;
 $crypto.=" crypto/ec/ec.h" ; # unless $no_ec;
+$crypto.=" crypto/ecdsa/ecdsa.h" ; # unless $no_ecdsa;
+$crypto.=" crypto/ecdh/ecdh.h" ; # unless $no_ecdh;
 $crypto.=" crypto/hmac/hmac.h" ; # unless $no_hmac;
 
 $crypto.=" crypto/engine/engine.h"; # unless $no_engine;
@@ -267,7 +278,8 @@ $crypto.=" crypto/ocsp/ocsp.h";
 $crypto.=" crypto/ui/ui.h crypto/ui/ui_compat.h";
 $crypto.=" crypto/krb5/krb5_asn.h";
 $crypto.=" crypto/tmdiff.h";
-$crypto.=" fips/fips.h fips/rand/fips_rand.h";
+$crypto.=" crypto/store/store.h";
+$crypto.=" crypto/pqueue/pqueue.h";
 
 my $symhacks="crypto/symhacks.h";
 
@@ -423,7 +435,11 @@ sub do_defs
 
 		print STDERR "DEBUG: parsing ----------\n" if $debug;
 		while(<IN>) {
-			last if (/\/\* Error codes for the \w+ functions\. \*\//);
+			if (/\/\* Error codes for the \w+ functions\. \*\//)
+				{
+				undef @tag;
+				last;
+				}
 			if ($line ne '') {
 				$_ = $line . $_;
 				$line = '';
@@ -436,17 +452,22 @@ sub do_defs
 				next;
 			}
 
-	    		$cpp = 1 if /^\#.*ifdef.*cplusplus/;
+			if(/\/\*/) {
+				if (not /\*\//) {	# multiline comment...
+					$line = $_;	# ... just accumulate
+					next;
+				} else {
+					s/\/\*.*?\*\///gs;# wipe it
+				}
+			}
+
 			if ($cpp) {
-				$cpp = 0 if /^\#.*endif/;
+				$cpp++ if /^#\s*if/;
+				$cpp-- if /^#\s*endif/;
 				next;
 	    		}
+			$cpp = 1 if /^#.*ifdef.*cplusplus/;
 
-			s/\/\*.*?\*\///gs;                   # ignore comments
-			if (/\/\*/) {			     # if we have part
-				$line = $_;		     # of a comment,
-				next;			     # continue reading
-			}
 			s/{[^{}]*}//gs;                      # ignore {} blocks
 			print STDERR "DEBUG: \$def=\"$def\"\n" if $debug && $def ne "";
 			print STDERR "DEBUG: \$_=\"$_\"\n" if $debug;
@@ -472,7 +493,7 @@ sub do_defs
 					push(@tag,$1);
 					$tag{$1}=-1;
 				}
-			} elsif (/^\#\s*ifdef\s+(.*)/) {
+			} elsif (/^\#\s*ifdef\s+(\S*)/) {
 				push(@tag,"-");
 				push(@tag,$1);
 				$tag{$1}=1;
@@ -505,7 +526,7 @@ sub do_defs
 				}
 			} elsif (/^\#\s*endif/) {
 				my $tag_i = $#tag;
-				while($tag[$tag_i] ne "-") {
+				while($tag_i > 0 && $tag[$tag_i] ne "-") {
 					my $t=$tag[$tag_i];
 					print STDERR "DEBUG: \$t=\"$t\"\n" if $debug;
 					if ($tag{$t}==2) {
@@ -672,6 +693,10 @@ sub do_defs
 						      "EXPORT_VAR_AS_FUNCTION",
 						      "FUNCTION");
 					next;
+				} elsif (/^\s*DECLARE_ASN1_ALLOC_FUNCTIONS\s*\(\s*(\w*)\s*\)/) {
+					$def .= "int $1_free(void);";
+					$def .= "int $1_new(void);";
+					next;
 				} elsif (/^\s*DECLARE_ASN1_FUNCTIONS_name\s*\(\s*(\w*)\s*,\s*(\w*)\s*\)/) {
 					$def .= "int d2i_$2(void);";
 					$def .= "int i2d_$2(void);";
@@ -716,12 +741,21 @@ sub do_defs
 						      "EXPORT_VAR_AS_FUNCTION",
 						      "FUNCTION");
 					next;
+				} elsif (/^\s*DECLARE_ASN1_NDEF_FUNCTION\s*\(\s*(\w*)\s*\)/) {
+					$def .= "int i2d_$1_NDEF(void);";
 				} elsif (/^\s*DECLARE_ASN1_SET_OF\s*\(\s*(\w*)\s*\)/) {
 					next;
+				} elsif (/^\s*DECLARE_ASN1_PRINT_FUNCTION\s*\(\s*(\w*)\s*\)/) {
+					$def .= "int $1_print_ctx(void);";
+					next;
+				} elsif (/^\s*DECLARE_ASN1_PRINT_FUNCTION_name\s*\(\s*(\w*)\s*,\s*(\w*)\s*\)/) {
+					$def .= "int $2_print_ctx(void);";
+					next;
 				} elsif (/^\s*DECLARE_PKCS12_STACK_OF\s*\(\s*(\w*)\s*\)/) {
 					next;
 				} elsif (/^DECLARE_PEM_rw\s*\(\s*(\w*)\s*,/ ||
-					 /^DECLARE_PEM_rw_cb\s*\(\s*(\w*)\s*,/ ) {
+					 /^DECLARE_PEM_rw_cb\s*\(\s*(\w*)\s*,/ ||
+					 /^DECLARE_PEM_rw_const\s*\(\s*(\w*)\s*,/ ) {
 					# Things not in Win16
 					$def .=
 					    "#INFO:"
@@ -797,7 +831,7 @@ sub do_defs
 		}
 		close(IN);
 
-		my $algs = '';
+		my $algs;
 		my $plays;
 
 		print STDERR "DEBUG: postprocessing ----------\n" if $debug;
@@ -809,6 +843,17 @@ sub do_defs
 			next if(/typedef\W/);
 			next if(/\#define/);
 
+			# Reduce argument lists to empty ()
+			# fold round brackets recursively: (t(*v)(t),t) -> (t{}{},t) -> {}
+			while(/\(.*\)/s) {
+				s/\([^\(\)]+\)/\{\}/gs;
+				s/\(\s*\*\s*(\w+)\s*\{\}\s*\)/$1/gs;	#(*f{}) -> f
+			}
+			# pretend as we didn't use curly braces: {} -> ()
+			s/\{\}/\(\)/gs;
+
+			s/STACK_OF\(\)/void/gs;
+
 			print STDERR "DEBUG: \$_ = \"$_\"\n" if $debug;
 			if (/^\#INFO:([^:]*):(.*)$/) {
 				$plats = $1;
@@ -819,21 +864,10 @@ sub do_defs
 				$s = $1;
 				$k = "VARIABLE";
 				print STDERR "DEBUG: found external variable $s\n" if $debug;
-			} elsif (/\(\*(\w*(\{[0-9]+\})?)\([^\)]+/) {
-				$s = $1;
-				print STDERR "DEBUG: found ANSI C function $s\n" if $debug;
-			} elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s) {
-				# K&R C
-				print STDERR "DEBUG: found K&R C function $s\n" if $debug;
+			} elsif (/TYPEDEF_\w+_OF/s) {
 				next;
-			} elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) {
-				while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) {
-					s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
-					s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
-				}
-				s/\(void\)//;
-				/(\w+(\{[0-9]+\})?)\W*\(\)/s;
-				$s = $1;
+			} elsif (/(\w+)\s*\(\).*/s) {	# first token prior [first] () is
+				$s = $1;		# a function name!
 				print STDERR "DEBUG: found function $s\n" if $debug;
 			} elsif (/\(/ and not (/=/)) {
 				print STDERR "File $file: cannot parse: $_;\n";
@@ -867,7 +901,6 @@ sub do_defs
 
 			$platform{$s} =
 			    &reduce_platforms((defined($platform{$s})?$platform{$s}.',':"").$p);
-			$algorithm{$s} = '' if !defined $algorithm{$s};
 			$algorithm{$s} .= ','.$a;
 
 			if (defined($variant{$s})) {
@@ -1011,7 +1044,7 @@ sub is_valid
 {
 	my ($keywords_txt,$platforms) = @_;
 	my (@keywords) = split /,/,$keywords_txt;
-	my ($falsesum, $truesum) = (0, !grep(/^[^!]/,@keywords));
+	my ($falsesum, $truesum) = (0, 1);
 
 	# Param: one keyword
 	sub recognise
@@ -1032,9 +1065,6 @@ sub is_valid
 			if ($keyword eq "EXPORT_VAR_AS_FUNCTION" && ($VMSVAX || $W32 || $W16)) {
 				return 1;
 			}
-			if ($keyword eq "OPENSSL_FIPS" && $fips) {
-				return 1;
-			}
 			return 0;
 		} else {
 			# algorithms
@@ -1055,6 +1085,8 @@ sub is_valid
 			if ($keyword eq "DSA" && $no_dsa) { return 0; }
 			if ($keyword eq "DH" && $no_dh) { return 0; }
 			if ($keyword eq "EC" && $no_ec) { return 0; }
+			if ($keyword eq "ECDSA" && $no_ecdsa) { return 0; }
+			if ($keyword eq "ECDH" && $no_ecdh) { return 0; }
 			if ($keyword eq "HMAC" && $no_hmac) { return 0; }
 			if ($keyword eq "AES" && $no_aes) { return 0; }
 			if ($keyword eq "EVP" && $no_evp) { return 0; }
@@ -1069,6 +1101,9 @@ sub is_valid
 			if ($keyword eq "ENGINE" && $no_engine) { return 0; }
 			if ($keyword eq "HW" && $no_hw) { return 0; }
 			if ($keyword eq "FP_API" && $no_fp_api) { return 0; }
+			if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; }
+			if ($keyword eq "GMP" && $no_gmp) { return 0; }
+			if ($keyword eq "DEPRECATED" && $no_deprecated) { return 0; }
 
 			# Nothing recognise as true
 			return 1;
@@ -1079,7 +1114,7 @@ sub is_valid
 		if ($k =~ /^!(.*)$/) {
 			$falsesum += &recognise($1,$platforms);
 		} else {
-			$truesum += &recognise($k,$platforms);
+			$truesum *= &recognise($k,$platforms);
 		}
 	}
 	print STDERR "DEBUG: [",$#keywords,",",$#keywords < 0,"] is_valid($keywords_txt) => (\!$falsesum) && $truesum = ",(!$falsesum) && $truesum,"\n" if $debug;
diff --git a/crypto/openssl/util/mkdir-p.pl b/crypto/openssl/util/mkdir-p.pl
index 6c69c2daa4d0..e73d02b073bb 100755
--- a/crypto/openssl/util/mkdir-p.pl
+++ b/crypto/openssl/util/mkdir-p.pl
@@ -8,6 +8,7 @@
 my $arg;
 
 foreach $arg (@ARGV) {
+  $arg =~ tr|\\|/|;
   &do_mkdir_p($arg);
 }
 
diff --git a/crypto/openssl/util/mkerr.pl b/crypto/openssl/util/mkerr.pl
index e3215e27a312..399b10e1a338 100644
--- a/crypto/openssl/util/mkerr.pl
+++ b/crypto/openssl/util/mkerr.pl
@@ -9,6 +9,9 @@ my $reindex = 0;
 my $dowrite = 0;
 my $staticloader = "";
 
+my $pack_errcode;
+my $load_errcode;
+
 while (@ARGV) {
 	my $arg = $ARGV[0];
 	if($arg eq "-conf") {
@@ -41,8 +44,7 @@ while (@ARGV) {
 }
 
 if($recurse) {
-	@source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>, <fips/*.c>,
-		   <fips/*/*.c>);
+	@source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>);
 } else {
 	@source = @ARGV;
 }
@@ -63,6 +65,8 @@ while(<IN>)
 			$csrc{$1} = $3;
 			$fmax{$1} = 99;
 			$rmax{$1} = 99;
+			$fassigned{$1} = ":";
+			$rassigned{$1} = ":";
 			$fnew{$1} = 0;
 			$rnew{$1} = 0;
 		}
@@ -101,15 +105,24 @@ while (($hdr, $lib) = each %libinc)
 		    next;
 		}
 
-		$cpp = 1 if /^#.*ifdef.*cplusplus/;  # skip "C" declaration
+		if(/\/\*/) {
+		    if (not /\*\//) {		# multiline comment...
+			$line = $_;		# ... just accumulate
+			next; 
+		    } else {
+			s/\/\*.*?\*\///gs;	# wipe it
+		    }
+		}
+
 		if ($cpp) {
-		    $cpp = 0 if /^#.*endif/;
+		    $cpp++ if /^#\s*if/;
+		    $cpp-- if /^#\s*endif/;
 		    next;
 		}
+		$cpp = 1 if /^#.*ifdef.*cplusplus/;  # skip "C" declaration
 
 		next if (/^\#/);                      # skip preprocessor directives
 
-		s/\/\*.*?\*\///gs;                   # ignore comments
 		s/{[^{}]*}//gs;                      # ignore {} blocks
 
 		if (/\{|\/\*/) { # Add a } so editor works...
@@ -126,27 +139,28 @@ while (($hdr, $lib) = each %libinc)
 	    $defnr++;
 	    print STDERR "def: $defnr\r" if $debug;
 
+	    # The goal is to collect function names from function declarations.
+
 	    s/^[\n\s]*//g;
 	    s/[\n\s]*$//g;
-	    next if(/typedef\W/);
-	    if (/\(\*(\w*)\([^\)]+/) {
-		my $name = $1;
-		$name =~ tr/[a-z]/[A-Z]/;
-		$ftrans{$name} = $1;
-	    } elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s){
-		# K&R C
-		next ;
-	    } elsif (/\w+\W+\w+\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) {
-		while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) {
-		    s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
-		    s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
-		}
-		s/\(void\)//;
-		/(\w+(\{[0-9]+\})?)\W*\(\)/s;
-		my $name = $1;
+
+	    # Skip over recognized non-function declarations
+	    next if(/typedef\W/ or /DECLARE_STACK_OF/ or /TYPEDEF_.*_OF/);
+
+	    # Reduce argument lists to empty ()
+	    # fold round brackets recursively: (t(*v)(t),t) -> (t{}{},t) -> {}
+	    while(/\(.*\)/s) {
+		s/\([^\(\)]+\)/\{\}/gs;
+		s/\(\s*\*\s*(\w+)\s*\{\}\s*\)/$1/gs;	#(*f{}) -> f
+	    }
+	    # pretend as we didn't use curly braces: {} -> ()
+	    s/\{\}/\(\)/gs;
+
+	    if (/(\w+)\s*\(\).*/s) {	# first token prior [first] () is
+		my $name = $1;		# a function name!
 		$name =~ tr/[a-z]/[A-Z]/;
 		$ftrans{$name} = $1;
-	    } elsif (/\(/ and not (/=/ or /DECLARE_STACK/)) {
+	    } elsif (/[\(\)]/ and not (/=/)) {
 		print STDERR "Header $hdr: cannot parse: $_;\n";
 	    }
 	}
@@ -159,7 +173,7 @@ while (($hdr, $lib) = each %libinc)
 	# maximum code used.
 
 	if ($gotfile) {
-	    while(<IN>) {
+	  while(<IN>) {
 		if(/^\#define\s+(\S+)\s+(\S+)/) {
 			$name = $1;
 			$code = $2;
@@ -170,18 +184,49 @@ while (($hdr, $lib) = each %libinc)
 			}
 			if($1 eq "R") {
 				$rcodes{$name} = $code;
+				if ($rassigned{$lib} =~ /:$code:/) {
+					print STDERR "!! ERROR: $lib reason code $code assigned twice\n";
+				}
+				$rassigned{$lib} .= "$code:";
 				if(!(exists $rextra{$name}) &&
 					 ($code > $rmax{$lib}) ) {
 					$rmax{$lib} = $code;
 				}
 			} else {
+				if ($fassigned{$lib} =~ /:$code:/) {
+					print STDERR "!! ERROR: $lib function code $code assigned twice\n";
+				}
+				$fassigned{$lib} .= "$code:";
 				if($code > $fmax{$lib}) {
 					$fmax{$lib} = $code;
 				}
 				$fcodes{$name} = $code;
 			}
 		}
-	    }
+	  }
+	}
+
+	if ($debug) {
+		if (defined($fmax{$lib})) {
+			print STDERR "Max function code fmax" . "{" . "$lib" . "} = $fmax{$lib}\n";
+			$fassigned{$lib} =~ m/^:(.*):$/;
+			@fassigned = sort {$a <=> $b} split(":", $1);
+			print STDERR "  @fassigned\n";
+		}
+		if (defined($rmax{$lib})) {
+			print STDERR "Max reason code rmax" . "{" . "$lib" . "} = $rmax{$lib}\n";
+			$rassigned{$lib} =~ m/^:(.*):$/;
+			@rassigned = sort {$a <=> $b} split(":", $1);
+			print STDERR "  @rassigned\n";
+		}
+	}
+
+	if ($lib eq "SSL") {
+		if ($rmax{$lib} >= 1000) {
+			print STDERR "!! ERROR: SSL error codes 1000+ are reserved for alerts.\n";
+			print STDERR "!!        Any new alerts must be added to $config.\n";
+			print STDERR "\n";
+		}
 	}
 	close IN;
 }
@@ -198,11 +243,10 @@ while (($hdr, $lib) = each %libinc)
 # so all those unreferenced can be printed out.
 
 
-print STDERR "Files loaded: " if $debug;
 foreach $file (@source) {
 	# Don't parse the error source file.
 	next if exists $cskip{$file};
-	print STDERR $file if $debug;
+	print STDERR "File loaded: ".$file."\r" if $debug;
 	open(IN, "<$file") || die "Can't open source file $file\n";
 	while(<IN>) {
 		if(/(([A-Z0-9]+)_F_([A-Z0-9_]+))/) {
@@ -226,7 +270,7 @@ foreach $file (@source) {
 	}
 	close IN;
 }
-print STDERR "\n" if $debug;
+print STDERR "                                  \n" if $debug;
 
 # Now process each library in turn.
 
@@ -263,7 +307,7 @@ foreach $lib (keys %csrc)
 	} else {
 	    push @out,
 "/* ====================================================================\n",
-" * Copyright (c) 2001-2003 The OpenSSL Project.  All rights reserved.\n",
+" * Copyright (c) 2001-2005 The OpenSSL Project.  All rights reserved.\n",
 " *\n",
 " * Redistribution and use in source and binary forms, with or without\n",
 " * modification, are permitted provided that the following conditions\n",
@@ -353,7 +397,16 @@ EOF
 	foreach $i (@function) {
 		$z=6-int(length($i)/8);
 		if($fcodes{$i} eq "X") {
-			$fcodes{$i} = ++$fmax{$lib};
+			$fassigned{$lib} =~ m/^:([^:]*):/;
+			$findcode = $1;
+			if (!defined($findcode)) {
+				$findcode = $fmax{$lib};
+			}
+			while ($fassigned{$lib} =~ m/:$findcode:/) {
+				$findcode++;
+			}
+			$fcodes{$i} = $findcode;
+			$fassigned{$lib} .= "$findcode:";
 			print STDERR "New Function code $i\n" if $debug;
 		}
 		printf OUT "#define $i%s $fcodes{$i}\n","\t" x $z;
@@ -364,7 +417,16 @@ EOF
 	foreach $i (@reasons) {
 		$z=6-int(length($i)/8);
 		if($rcodes{$i} eq "X") {
-			$rcodes{$i} = ++$rmax{$lib};
+			$rassigned{$lib} =~ m/^:([^:]*):/;
+			$findcode = $1;
+			if (!defined($findcode)) {
+				$findcode = $rmax{$lib};
+			}
+			while ($rassigned{$lib} =~ m/:$findcode:/) {
+				$findcode++;
+			}
+			$rcodes{$i} = $findcode;
+			$rassigned{$lib} .= "$findcode:";
 			print STDERR "New Reason code   $i\n" if $debug;
 		}
 		printf OUT "#define $i%s $rcodes{$i}\n","\t" x $z;
@@ -399,13 +461,27 @@ EOF
 		$hincf = "\"$hfile\"";
 	}
 
+	# If static we know the error code at compile time so use it
+	# in error definitions.
+
+	if ($static)
+		{
+		$pack_errcode = "ERR_LIB_${lib}";
+		$load_errcode = "0";
+		}
+	else
+		{
+		$pack_errcode = "0";
+		$load_errcode = "ERR_LIB_${lib}";
+		}
+
 
 	open (OUT,">$cfile") || die "Can't open $cfile for writing";
 
 	print OUT <<"EOF";
 /* $cfile */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -469,6 +545,10 @@ EOF
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK($pack_errcode,func,0)
+#define ERR_REASON(reason) ERR_PACK($pack_errcode,0,reason)
+
 static ERR_STRING_DATA ${lib}_str_functs[]=
 	{
 EOF
@@ -480,7 +560,8 @@ EOF
 		if(exists $ftrans{$fn}) {
 			$fn = $ftrans{$fn};
 		}
-		print OUT "{ERR_PACK(0,$i,0),\t\"$fn\"},\n";
+#		print OUT "{ERR_PACK($pack_errcode,$i,0),\t\"$fn\"},\n";
+		print OUT "{ERR_FUNC($i),\t\"$fn\"},\n";
 	}
 	print OUT <<"EOF";
 {0,NULL}
@@ -492,6 +573,7 @@ EOF
 	# Add each reason code.
 	foreach $i (@reasons) {
 		my $rn;
+		my $rstr = "ERR_REASON($i)";
 		my $nspc = 0;
 		if (exists $err_reason_strings{$i}) {
 			$rn = $err_reason_strings{$i};
@@ -500,9 +582,9 @@ EOF
 			$rn = $1;
 			$rn =~ tr/_[A-Z]/ [a-z]/;
 		}
-		$nspc = 40 - length($i) unless length($i) > 40;
+		$nspc = 40 - length($rstr) unless length($rstr) > 40;
 		$nspc = " " x $nspc;
-		print OUT "{${i}${nspc},\"$rn\"},\n";
+		print OUT "{${rstr}${nspc},\"$rn\"},\n";
 	}
 if($static) {
 	print OUT <<"EOF";
@@ -519,8 +601,8 @@ ${staticloader}void ERR_load_${lib}_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_${lib},${lib}_str_functs);
-		ERR_load_strings(ERR_LIB_${lib},${lib}_str_reasons);
+		ERR_load_strings($load_errcode,${lib}_str_functs);
+		ERR_load_strings($load_errcode,${lib}_str_reasons);
 #endif
 
 		}
diff --git a/crypto/openssl/util/mkfiles.pl b/crypto/openssl/util/mkfiles.pl
index 7c9d9d58e668..cb0e282fa8b0 100755
--- a/crypto/openssl/util/mkfiles.pl
+++ b/crypto/openssl/util/mkfiles.pl
@@ -30,6 +30,8 @@ my @dirs = (
 "crypto/dso",
 "crypto/dh",
 "crypto/ec",
+"crypto/ecdh",
+"crypto/ecdsa",
 "crypto/buffer",
 "crypto/bio",
 "crypto/stack",
@@ -51,15 +53,11 @@ my @dirs = (
 "crypto/ocsp",
 "crypto/ui",
 "crypto/krb5",
-"fips",
-"fips/aes",
-"fips/des",
-"fips/dsa",
-"fips/rand",
-"fips/rsa",
-"fips/sha1",
+"crypto/store",
+"crypto/pqueue",
 "ssl",
 "apps",
+"engines",
 "test",
 "tools"
 );
diff --git a/crypto/openssl/util/mklink.pl b/crypto/openssl/util/mklink.pl
index 9386da7aa4c3..d9bc98aab878 100755
--- a/crypto/openssl/util/mklink.pl
+++ b/crypto/openssl/util/mklink.pl
@@ -15,12 +15,14 @@
 # Apart from this, this script should be able to handle even the most
 # pathological cases.
 
+use Cwd;
+
 my $from = shift;
 my @files = @ARGV;
 
 my @from_path = split(/[\\\/]/, $from);
-my $pwd = `pwd`;
-chop($pwd);
+my $pwd = getcwd();
+chomp($pwd);
 my @pwd_path = split(/[\\\/]/, $pwd);
 
 my @to_path = ();
@@ -52,6 +54,7 @@ $symlink_exists=eval {symlink("",""); 1};
 foreach $file (@files) {
     my $err = "";
     if ($symlink_exists) {
+	unlink "$from/$file";
 	symlink("$to/$file", "$from/$file") or $err = " [$!]";
     } else {
 	unlink "$from/$file"; 
diff --git a/crypto/openssl/util/mkstack.pl b/crypto/openssl/util/mkstack.pl
index 0ca9eb6a766a..2a968f395fc2 100755
--- a/crypto/openssl/util/mkstack.pl
+++ b/crypto/openssl/util/mkstack.pl
@@ -75,6 +75,7 @@ while(<IN>) {
 #define sk_${type_thing}_push(st, val) SKM_sk_push($type_thing, (st), (val))
 #define sk_${type_thing}_unshift(st, val) SKM_sk_unshift($type_thing, (st), (val))
 #define sk_${type_thing}_find(st, val) SKM_sk_find($type_thing, (st), (val))
+#define sk_${type_thing}_find_ex(st, val) SKM_sk_find_ex($type_thing, (st), (val))
 #define sk_${type_thing}_delete(st, i) SKM_sk_delete($type_thing, (st), (i))
 #define sk_${type_thing}_delete_ptr(st, ptr) SKM_sk_delete_ptr($type_thing, (st), (ptr))
 #define sk_${type_thing}_insert(st, val, i) SKM_sk_insert($type_thing, (st), (val), (i))
diff --git a/crypto/openssl/util/opensslwrap.sh b/crypto/openssl/util/opensslwrap.sh
new file mode 100755
index 000000000000..91d29e2b870a
--- /dev/null
+++ b/crypto/openssl/util/opensslwrap.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+HERE="`echo $0 | sed -e 's|[^/]*$||'`"
+OPENSSL="${HERE}../apps/openssl"
+
+if [ -x "${OPENSSL}.exe" ]; then
+	# The original reason for this script existence is to work around
+	# certain caveats in run-time linker behaviour. On Windows platforms
+	# adjusting $PATH used to be sufficient, but with introduction of
+	# SafeDllSearchMode in XP/2003 the only way to get it right in
+	# *all* possible situations is to copy newly built .DLLs to apps/
+	# and test/, which is now done elsewhere... The $PATH is adjusted
+	# for backward compatibility (and nostagical reasons:-).
+	if [ "$OSTYPE" != msdosdjgpp ]; then
+		PATH="${HERE}..:$PATH"; export PATH
+	fi
+	exec "${OPENSSL}.exe" "$@"
+elif [ -x "${OPENSSL}" -a -x "${HERE}shlib_wrap.sh" ]; then
+	exec "${HERE}shlib_wrap.sh" "${OPENSSL}" "$@"
+else
+	exec "${OPENSSL}" "$@"	# hope for the best...
+fi
diff --git a/crypto/openssl/util/pl/BC-32.pl b/crypto/openssl/util/pl/BC-32.pl
index 897ae9d8249c..99b8c058d2c4 100644
--- a/crypto/openssl/util/pl/BC-32.pl
+++ b/crypto/openssl/util/pl/BC-32.pl
@@ -18,7 +18,7 @@ $out_def="out32";
 $tmp_def="tmp32";
 $inc_def="inc32";
 #enable max error messages, disable most common warnings
-$cflags="-DWIN32_LEAN_AND_MEAN -q -w-aus -w-par -w-inl  -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp ";
+$cflags="-DWIN32_LEAN_AND_MEAN -q -w-ccc -w-rch -w-pia -w-aus -w-par -w-inl  -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp -D_strnicmp=strnicmp ";
 if ($debug)
 {
     $cflags.="-Od -y -v -vi- -D_DEBUG";
@@ -51,7 +51,7 @@ $lfile='';
 $shlib_ex_obj="";
 $app_ex_obj="c0x32.obj"; 
 
-$asm='nasmw -f obj';
+$asm='nasmw -f obj -d__omf__';
 $asm.=" /Zi" if $debug;
 $afile='-o';
 
@@ -62,7 +62,7 @@ $des_enc_src='';
 $bf_enc_obj='';
 $bf_enc_src='';
 
-if (!$no_asm && !$fips)
+if (!$no_asm)
 	{
 	$bn_mulw_obj='crypto\bn\asm\bn_win32.obj';
 	$bn_mulw_src='crypto\bn\asm\bn_win32.asm';
@@ -106,9 +106,13 @@ sub do_lib_rule
 	$ret.="$target: $objs\n";
 	if (!$shlib)
 		{
-		#		$ret.="\t\$(RM) \$(O_$Name)\n";
-		$ret.="\techo LIB $<\n";    
-                $ret.="\t&\$(MKLIB) $lfile$target -+\$**\n";
+		$ret.=<<___;
+	-\$(RM) $lfile$target
+	\$(MKLIB) $lfile$target \@&&!
++\$(**: = &^
++)
+!
+___
 		}
 	else
 		{
@@ -122,18 +126,13 @@ sub do_lib_rule
 
 sub do_link_rule
 	{
-	local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
+	local($target,$files,$dep_libs,$libs)=@_;
 	local($ret,$_);
-
+	
 	$file =~ s/\//$o/g if $o ne '/';
 	$n=&bname($targer);
 	$ret.="$target: $files $dep_libs\n";
-	$ret.="\t\$(LINK) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, $libs\n";
-	if (defined $sha1file)
-		{
-		$ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
-		}
-	$ret.="\n";
+	$ret.="\t\$(LINK) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, $libs\n\n";
 	return($ret);
 	}
 
diff --git a/crypto/openssl/util/pl/Mingw32.pl b/crypto/openssl/util/pl/Mingw32.pl
index b9bb24d21d70..b76b7afd27d8 100644
--- a/crypto/openssl/util/pl/Mingw32.pl
+++ b/crypto/openssl/util/pl/Mingw32.pl
@@ -21,7 +21,7 @@ if ($debug)
 else
 	{ $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -mcpu=i486 -Wall"; }
 
-if ($gaswin and !$no_asm and !$fips)
+if ($gaswin and !$no_asm)
 	{
         $bn_asm_obj='$(OBJ_D)\bn-win32.o';
         $bn_asm_src='crypto/bn/asm/bn-win32.s';
@@ -43,7 +43,7 @@ if ($gaswin and !$no_asm and !$fips)
         $rmd160_asm_src='crypto/ripemd/asm/rm-win32.s';
         $sha1_asm_obj='$(OBJ_D)\s1-win32.o';
         $sha1_asm_src='crypto/sha/asm/s1-win32.s';
-	$cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM";
+	$cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DOPENSSL_BN_ASM_PART_WORDS";
 	}
 
 
@@ -92,18 +92,13 @@ sub do_lib_rule
 
 sub do_link_rule
 	{
-	local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
+	local($target,$files,$dep_libs,$libs)=@_;
 	local($ret,$_);
 	
 	$file =~ s/\//$o/g if $o ne '/';
 	$n=&bname($target);
 	$ret.="$target: $files $dep_libs\n";
-	$ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
-	if (defined $sha1file)
-		{
-		$ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
-		}
-	$ret.="\n";
+	$ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
 	return($ret);
 	}
 1;
diff --git a/crypto/openssl/util/pl/OS2-EMX.pl b/crypto/openssl/util/pl/OS2-EMX.pl
index 75d72ebbcbda..28cd1169079a 100644
--- a/crypto/openssl/util/pl/OS2-EMX.pl
+++ b/crypto/openssl/util/pl/OS2-EMX.pl
@@ -48,7 +48,7 @@ $des_enc_src="";
 $bf_enc_obj="";
 $bf_enc_src="";
 
-if (!$no_asm && !$fips)
+if (!$no_asm)
 	{
 	$bn_asm_obj="crypto/bn/asm/bn-os2$obj crypto/bn/asm/co-os2$obj";
 	$bn_asm_src="crypto/bn/asm/bn-os2.asm crypto/bn/asm/co-os2.asm";
@@ -68,6 +68,7 @@ if (!$no_asm && !$fips)
 	$sha1_asm_src="crypto/sha/asm/s1-os2.asm";
 	$rmd160_asm_obj="crypto/ripemd/asm/rm-os2$obj";
 	$rmd160_asm_src="crypto/ripemd/asm/rm-os2.asm";
+	$cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DOPENSSL_BN_ASM_PART_WORDS";
 	}
 
 if ($shlib)
@@ -106,18 +107,13 @@ sub do_lib_rule
 
 sub do_link_rule
 	{
-	local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
+	local($target,$files,$dep_libs,$libs)=@_;
 	local($ret,$_);
 	
 	$file =~ s/\//$o/g if $o ne '/';
 	$n=&bname($target);
 	$ret.="$target: $files $dep_libs\n";
-	$ret.="\t\$(LINK) ${efile}$target \$(CFLAG) \$(LFLAGS) $files $libs\n";
-	if (defined $sha1file)
-		{
-		$ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
-		}
-	$ret.="\n";
+	$ret.="\t\$(LINK) ${efile}$target \$(CFLAG) \$(LFLAGS) $files $libs\n\n";
 	return($ret);
 	}
 
diff --git a/crypto/openssl/util/pl/VC-32.pl b/crypto/openssl/util/pl/VC-32.pl
index 516b9a7bf557..81e92f0ad426 100644
--- a/crypto/openssl/util/pl/VC-32.pl
+++ b/crypto/openssl/util/pl/VC-32.pl
@@ -1,43 +1,150 @@
 #!/usr/local/bin/perl
-# VCw32lib.pl - the file for Visual C++ 4.[01] for windows NT, static libraries
+# VC-32.pl - unified script for Microsoft Visual C++, covering Win32,
+# Win64 and WinCE [follow $FLAVOR variable to trace the differences].
 #
 
 $ssl=	"ssleay32";
 $crypto="libeay32";
 
 $o='\\';
-$cp='copy nul+';	# Timestamps get stuffed otherwise
+$cp='$(PERL) util/copy.pl';
+$mkdir='$(PERL) util/mkdir-p.pl';
 $rm='del';
 
+$zlib_lib="zlib1.lib";
+
 # C compiler stuff
 $cc='cl';
-$cflags=' /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32';
-$lflags="/nologo /subsystem:console /machine:I386 /opt:ref";
+if ($FLAVOR =~ /WIN64/)
+    {
+    # Note that we currently don't have /WX on Win64! There is a lot of
+    # warnings, but only of two types:
+    #
+    # C4344: conversion from '__int64' to 'int/long', possible loss of data
+    # C4267: conversion from 'size_t' to 'int/long', possible loss of data
+    #
+    # Amount of latter type is minimized by aliasing strlen to function of
+    # own desing and limiting its return value to 2GB-1 (see e_os.h). As
+    # per 0.9.8 release remaining warnings were explicitly examined and
+    # considered safe to ignore.
+    # 
+    $base_cflags=' /W3 /Gs0 /GF /Gy /nologo -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DOPENSSL_SYSNAME_WIN32 -DOPENSSL_SYSNAME_WINNT -DUNICODE -D_UNICODE';
+    $base_cflags.=' -D_CRT_SECURE_NO_DEPRECATE';	# shut up VC8
+    $base_cflags.=' -D_CRT_NONSTDC_NO_DEPRECATE';	# shut up VC8
+    $opt_cflags=' /MD /Ox';
+    $dbg_cflags=' /MDd /Od -DDEBUG -D_DEBUG';
+    $lflags="/nologo /subsystem:console /opt:ref";
+    }
+elsif ($FLAVOR =~ /CE/)
+    {
+    # sanity check
+    die '%OSVERSION% is not defined'	if (!defined($ENV{'OSVERSION'}));
+    die '%PLATFORM% is not defined'	if (!defined($ENV{'PLATFORM'}));
+    die '%TARGETCPU% is not defined'	if (!defined($ENV{'TARGETCPU'}));
+
+    #
+    # Idea behind this is to mimic flags set by eVC++ IDE...
+    #
+    $wcevers = $ENV{'OSVERSION'};			# WCENNN
+    die '%OSVERSION% value is insane'	if ($wcevers !~ /^WCE([1-9])([0-9]{2})$/);
+    $wcecdefs = "-D_WIN32_WCE=$1$2 -DUNDER_CE=$1$2";	# -D_WIN32_WCE=NNN
+    $wcelflag = "/subsystem:windowsce,$1.$2";		# ...,N.NN
+
+    $wceplatf =  $ENV{'PLATFORM'};
+    $wceplatf =~ tr/a-z0-9 /A-Z0-9_/d;
+    $wcecdefs .= " -DWCE_PLATFORM_$wceplatf";
+
+    $wcetgt = $ENV{'TARGETCPU'};	# just shorter name...
+    SWITCH: for($wcetgt) {
+	/^X86/		&& do {	$wcecdefs.=" -Dx86 -D_X86_ -D_i386_ -Di_386_";
+				$wcelflag.=" /machine:IX86";	last; };
+	/^ARMV4[IT]/	&& do { $wcecdefs.=" -DARM -D_ARM_ -D$wcetgt";
+				$wcecdefs.=" -DTHUMB -D_THUMB_" if($wcetgt=~/T$/);
+				$wcecdefs.=" -QRarch4T -QRinterwork-return";
+				$wcelflag.=" /machine:THUMB";	last; };
+	/^ARM/		&& do {	$wcecdefs.=" -DARM -D_ARM_ -D$wcetgt";
+				$wcelflag.=" /machine:ARM";	last; };
+	/^MIPSIV/	&& do {	$wcecdefs.=" -DMIPS -D_MIPS_ -DR4000 -D$wcetgt";
+				$wcecdefs.=" -D_MIPS64 -QMmips4 -QMn32";
+				$wcelflag.=" /machine:MIPSFPU";	last; };
+	/^MIPS16/	&& do {	$wcecdefs.=" -DMIPS -D_MIPS_ -DR4000 -D$wcetgt";
+				$wcecdefs.=" -DMIPSII -QMmips16";
+				$wcelflag.=" /machine:MIPS16";	last; };
+	/^MIPSII/	&& do {	$wcecdefs.=" -DMIPS -D_MIPS_ -DR4000 -D$wcetgt";
+				$wcecdefs.=" -QMmips2";
+				$wcelflag.=" /machine:MIPS";	last; };
+	/^R4[0-9]{3}/	&& do {	$wcecdefs.=" -DMIPS -D_MIPS_ -DR4000";
+				$wcelflag.=" /machine:MIPS";	last; };
+	/^SH[0-9]/	&& do {	$wcecdefs.=" -D$wcetgt -D_$wcetgt_ -DSHx";
+				$wcecdefs.=" -Qsh4" if ($wcetgt =~ /^SH4/);
+				$wcelflag.=" /machine:$wcetgt";	last; };
+	{ $wcecdefs.=" -D$wcetgt -D_$wcetgt_";
+	  $wcelflag.=" /machine:$wcetgt";			last; };
+    }
+
+    $cc='$(CC)';
+    $base_cflags=' /W3 /WX /GF /Gy /nologo -DUNICODE -D_UNICODE -DOPENSSL_SYSNAME_WINCE -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -I$(WCECOMPAT)/include -DOPENSSL_SMALL_FOOTPRINT';
+    $base_cflags.=" $wcecdefs";
+    $opt_cflags=' /MC /O1i';	# optimize for space, but with intrinsics...
+    $dbg_clfags=' /MC /Od -DDEBUG -D_DEBUG';
+    $lflags="/nologo /opt:ref $wcelflag";
+    }
+else	# Win32
+    {
+    $base_cflags=' /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32';
+    $base_cflags.=' -D_CRT_SECURE_NO_DEPRECATE';	# shut up VC8
+    $base_cflags.=' -D_CRT_NONSTDC_NO_DEPRECATE';	# shut up VC8
+    $opt_cflags=' /MD /Ox /O2 /Ob2';
+    $dbg_cflags=' /MDd /Od -DDEBUG -D_DEBUG';
+    $lflags="/nologo /subsystem:console /opt:ref";
+    }
 $mlflags='';
 
-$out_def="out32";
-$tmp_def="tmp32";
+$out_def="out32"; $out_def.='_$(TARGETCPU)' if ($FLAVOR =~ /CE/);
+$tmp_def="tmp32"; $tmp_def.='_$(TARGETCPU)' if ($FLAVOR =~ /CE/);
 $inc_def="inc32";
 
 if ($debug)
 	{
-	$cflags=" /MDd /W3 /WX /Zi /Yd /Od /nologo -DOPENSSL_SYSNAME_WIN32 -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG -DDSO_WIN32";
+	$cflags=$dbg_cflags.$base_cflags;
 	$lflags.=" /debug";
 	$mlflags.=' /debug';
 	}
-$cflags .= " -DOPENSSL_SYSNAME_WINNT" if $NT == 1;
+else
+	{
+	$cflags=$opt_cflags.$base_cflags;
+	}
 
 $obj='.obj';
 $ofile="/Fo";
 
 # EXE linking stuff
 $link="link";
+$rsc="rc";
 $efile="/out:";
 $exep='.exe';
-if ($no_sock)
-	{ $ex_libs=""; }
-else	{ $ex_libs="wsock32.lib user32.lib gdi32.lib"; }
+if ($no_sock)		{ $ex_libs=''; }
+elsif ($FLAVOR =~ /CE/)	{ $ex_libs='winsock.lib'; }
+else			{ $ex_libs='wsock32.lib'; }
 
+if ($FLAVOR =~ /CE/)
+	{
+	$ex_libs.=' $(WCECOMPAT)/lib/wcecompatex.lib';
+	$ex_libs.=' /nodefaultlib:oldnames.lib coredll.lib corelibc.lib' if ($ENV{'TARGETCPU'} eq "X86");
+	}
+else
+	{
+	$ex_libs.=' gdi32.lib advapi32.lib user32.lib';
+	$ex_libs.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
+	}
+
+# As native NT API is pure UNICODE, our WIN-NT build defaults to UNICODE,
+# but gets linked with unicows.lib to ensure backward compatibility.
+if ($FLAVOR =~ /NT/)
+	{
+	$cflags.=" -DOPENSSL_SYSNAME_WINNT -DUNICODE -D_UNICODE";
+	$ex_libs="unicows.lib $ex_libs";
+	}
 # static library stuff
 $mklib='lib';
 $ranlib='';
@@ -47,7 +154,7 @@ $shlibp=($shlib)?".dll":".lib";
 $lfile='/out:';
 
 $shlib_ex_obj="";
-$app_ex_obj="";
+$app_ex_obj="setargv.obj" if ($FLAVOR !~ /CE/);
 if ($nasm) {
 	$asm='nasmw -f win32';
 	$afile='-o ';
@@ -64,7 +171,7 @@ $des_enc_src='';
 $bf_enc_obj='';
 $bf_enc_src='';
 
-if (!$no_asm && !$fips)
+if (!$no_asm)
 	{
 	$bn_asm_obj='crypto\bn\asm\bn_win32.obj';
 	$bn_asm_src='crypto\bn\asm\bn_win32.asm';
@@ -87,13 +194,44 @@ if (!$no_asm && !$fips)
 	$cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM";
 	}
 
-if ($shlib)
+if ($shlib && $FLAVOR !~ /CE/)
 	{
 	$mlflags.=" $lflags /dll";
 #	$cflags =~ s| /MD| /MT|;
 	$lib_cflag=" -D_WINDLL";
 	$out_def="out32dll";
 	$tmp_def="tmp32dll";
+	#
+	# Engage Applink...
+	#
+	$app_ex_obj.=" \$(OBJ_D)\\applink.obj /implib:\$(TMP_D)\\junk.lib";
+	$cflags.=" -DOPENSSL_USE_APPLINK -I.";
+	# I'm open for better suggestions than overriding $banner...
+	$banner=<<'___';
+	@echo Building OpenSSL
+
+$(OBJ_D)\applink.obj:	ms\applink.c
+	$(CC) /Fo$(OBJ_D)\applink.obj $(APP_CFLAGS) -c ms\applink.c
+$(OBJ_D)\uplink.obj:	ms\uplink.c ms\applink.c
+	$(CC) /Fo$(OBJ_D)\uplink.obj $(SHLIB_CFLAGS) -c ms\uplink.c
+$(INCO_D)\applink.c:	ms\applink.c
+	$(CP) ms\applink.c $(INCO_D)\applink.c
+
+EXHEADER= $(EXHEADER) $(INCO_D)\applink.c
+
+LIBS_DEP=$(LIBS_DEP) $(OBJ_D)\applink.obj
+CRYPTOOBJ=$(OBJ_D)\uplink.obj $(CRYPTOOBJ)
+___
+	$banner.=<<'___' if ($FLAVOR =~ /WIN64/);
+CRYPTOOBJ=ms\uptable.obj $(CRYPTOOBJ)
+___
+	}
+elsif ($shlib && $FLAVOR =~ /CE/)
+	{
+	$mlflags.=" $lflags /dll";
+	$lib_cflag=" -D_WINDLL -D_DLL";
+	$out_def='out32dll_$(TARGETCPU)';
+	$tmp_def='tmp32dll_$(TARGETCPU)';
 	}
 
 $cflags.=" /Fd$out_def";
@@ -101,24 +239,43 @@ $cflags.=" /Fd$out_def";
 sub do_lib_rule
 	{
 	local($objs,$target,$name,$shlib)=@_;
-	local($ret,$Name);
+	local($ret);
 
 	$taget =~ s/\//$o/g if $o ne '/';
-	($Name=$name) =~ tr/a-z/A-Z/;
+	if ($name ne "")
+		{
+		$name =~ tr/a-z/A-Z/;
+		$name = "/def:ms/${name}.def";
+		}
 
 #	$target="\$(LIB_D)$o$target";
 	$ret.="$target: $objs\n";
 	if (!$shlib)
 		{
 #		$ret.="\t\$(RM) \$(O_$Name)\n";
-		$ex =' advapi32.lib';
+		$ex =' ';
 		$ret.="\t\$(MKLIB) $lfile$target @<<\n  $objs $ex\n<<\n";
 		}
 	else
 		{
-		local($ex)=($target =~ /O_SSL/)?' $(L_CRYPTO)':'';
-		$ex.=' wsock32.lib gdi32.lib advapi32.lib';
-		$ret.="\t\$(LINK) \$(MLFLAGS) $efile$target /def:ms/${Name}.def @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
+		local($ex)=($target =~ /O_CRYPTO/)?'':' $(L_CRYPTO)';
+		if ($name eq "")
+			{
+			$ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
+			}
+		elsif ($FLAVOR =~ /CE/)
+			{
+			$ex.=' winsock.lib $(WCECOMPAT)/lib/wcecompatex.lib';
+			}
+		else
+			{
+			$ex.=' unicows.lib' if ($FLAVOR =~ /NT/);
+			$ex.=' wsock32.lib gdi32.lib advapi32.lib user32.lib';
+			$ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
+			}
+		$ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/;
+		$ret.="\t\$(LINK) \$(MLFLAGS) $efile$target $name @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
+        $ret.="\tIF EXIST \$@.manifest mt -manifest \$@.manifest -outputresource:\$@;2\n\n";
 		}
 	$ret.="\n";
 	return($ret);
@@ -126,19 +283,15 @@ sub do_lib_rule
 
 sub do_link_rule
 	{
-	local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
+	local($target,$files,$dep_libs,$libs)=@_;
 	local($ret,$_);
 	
 	$file =~ s/\//$o/g if $o ne '/';
 	$n=&bname($targer);
 	$ret.="$target: $files $dep_libs\n";
-	$ret.="  \$(LINK) \$(LFLAGS) $efile$target @<<\n";
+	$ret.="\t\$(LINK) \$(LFLAGS) $efile$target @<<\n";
 	$ret.="  \$(APP_EX_OBJ) $files $libs\n<<\n";
-	if (defined $sha1file)
-		{
-		$ret.="  $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
-		}
-	$ret.="\n";
+    $ret.="\tIF EXIST \$@.manifest mt -manifest \$@.manifest -outputresource:\$@;1\n\n";
 	return($ret);
 	}
 
diff --git a/crypto/openssl/util/pl/linux.pl b/crypto/openssl/util/pl/linux.pl
index df05c40526e7..d24f7b72913c 100644
--- a/crypto/openssl/util/pl/linux.pl
+++ b/crypto/openssl/util/pl/linux.pl
@@ -39,7 +39,7 @@ if (!$no_asm)
 	$rmd160_asm_src='crypto/ripemd/asm/rm86unix.cpp';
 	$sha1_asm_obj='$(OBJ_D)/sx86-elf.o';
 	$sha1_asm_src='crypto/sha/asm/sx86unix.cpp';
-	$cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM";
+	$cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DOPENSSL_BN_ASM_PART_WORDS";
 	}
 
 $cflags.=" -DTERMIO -DL_ENDIAN -m486 -Wall";
@@ -72,18 +72,13 @@ sub do_shlib_rule
 
 sub do_link_rule
 	{
-	local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
+	local($target,$files,$dep_libs,$libs)=@_;
 	local($ret,$_);
 	
 	$file =~ s/\//$o/g if $o ne '/';
 	$n=&bname($target);
 	$ret.="$target: $files $dep_libs\n";
-	$ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
-	if (defined $sha1file)
-		{
-		$ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
-		}
-	$ret.="\n";
+	$ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
 	return($ret);
 	}
 
diff --git a/crypto/openssl/util/pl/netware.pl b/crypto/openssl/util/pl/netware.pl
new file mode 100644
index 000000000000..c05789b22f9a
--- /dev/null
+++ b/crypto/openssl/util/pl/netware.pl
@@ -0,0 +1,341 @@
+# Metrowerks Codewarrior for NetWare
+#
+
+# The import files and other misc imports needed to link
+@misc_imports = ("GetProcessSwitchCount", "RunningProcess",  
+                 "GetSuperHighResolutionTimer");
+if ($LIBC)
+{
+   @import_files = ("libc.imp");
+   @module_files = ("libc");
+}
+else
+{
+   # clib build
+   @import_files = ("clib.imp");
+   @module_files = ("clib");
+   push(@misc_imports, "_rt_modu64%16", "_rt_divu64%16");
+}
+if (!$BSDSOCK)
+{
+   push(@import_files, "ws2nlm.imp");
+}
+		 
+
+# The "IMPORTS" environment variable must be set and point to the location
+# where import files (*.imp) can be found.
+# Example:  set IMPORTS=c:\ndk\nwsdk\imports
+$import_path = $ENV{"IMPORTS"} || die ("IMPORTS environment variable not set\n");
+
+
+# The "PRELUDE" environment variable must be set and point to the location
+# and name of the prelude source to link with ( nwpre.obj is recommended ).
+# Example: set PRELUDE=c:\codewar\novell support\metrowerks support\libraries\runtime\nwpre.obj
+$prelude = $ENV{"PRELUDE"} || die ("PRELUDE environment variable not set\n");
+
+#$ssl=   "ssleay32";
+#$crypto="libeay32";
+
+$o='\\\\';
+$cp='copy >nul:';
+$rm='del';
+
+# C compiler
+$cc="mwccnlm";
+
+# Linker
+$link="mwldnlm";
+
+# librarian
+$mklib="mwldnlm";
+
+# assembler 
+if ($nw_nasm) 
+{
+   $asm="nasmw -s -f coff";
+   $afile="-o ";
+   $asm.=" -g" if $debug;
+}
+elsif ($nw_mwasm) 
+{
+   $asm="mwasmnlm -maxerrors 20";
+   $afile="-o ";
+   $asm.=" -g" if $debug;
+}
+elsif ($nw_masm)
+{
+# masm assembly settings - it should be possible to use masm but haven't 
+# got it working.
+# $asm='ml /Cp /coff /c /Cx';
+# $asm.=" /Zi" if $debug;
+# $afile='/Fo';
+   die("Support for masm assembler not yet functional\n");
+}
+else 
+{
+   $asm="";
+   $afile="";
+}
+
+
+
+# compile flags
+#
+# NOTES: Several c files in the crypto subdirectory include headers from
+#        their local directories.  Metrowerks wouldn't find these h files
+#        without adding individual include directives as compile flags
+#        or modifying the c files.  Instead of adding individual include
+#        paths for each subdirectory a recursive include directive
+#        is used ( -ir crypto ).
+#
+#        A similar issue exists for the engines and apps subdirectories.
+#
+#        Turned off the "possible" warnings ( -w nopossible ).  Metrowerks
+#        complained a lot about various stuff.  May want to turn back
+#        on for further development.
+$cflags="-ir crypto -ir engines -ir apps -msgstyle gcc -align 4 -processor pentium \\
+         -char unsigned -w on -w nolargeargs -w nopossible -w nounusedarg \\
+         -w noimplicitconv -relax_pointers -nosyspath -DL_ENDIAN \\
+         -DOPENSSL_SYSNAME_NETWARE -U_WIN32 -maxerrors 20 ";
+
+# link flags
+$lflags="-msgstyle gcc -zerobss -stacksize 32768 -nostdlib -sym internal ";
+
+
+# additional flags based upon debug | non-debug
+if ($debug)
+{
+   $cflags.=" -opt off -g -sym internal -DDEBUG";
+}
+else
+{
+# CodeWarrior compiler has a problem with optimizations for floating
+# points - no optimizations until further investigation
+#   $cflags.=" -opt all";
+}
+
+# If LibC build add in NKS_LIBC define and set the entry/exit
+# routines - The default entry/exit routines are for CLib and don't exist
+# in LibC
+if ($LIBC)
+{
+   $cflags.=" -DNETWARE_LIBC";
+   $lflags.=" -entry _LibCPrelude -exit _LibCPostlude -flags pseudopreemption";
+}
+else
+{
+   $cflags.=" -DNETWARE_CLIB";
+   $lflags.=" -entry _Prelude -exit _Stop";
+}
+
+# If BSD Socket support is requested, set a define for the compiler
+if ($BSDSOCK)
+{
+   $cflags.=" -DNETWARE_BSDSOCK";
+}
+
+
+# linking stuff
+# for the output directories use the mk1mf.pl values with "_nw" appended
+if ($shlib)
+{
+   if ($LIBC)
+   {
+      $out_def.="_nw_libc_nlm";
+      $tmp_def.="_nw_libc_nlm";
+      $inc_def.="_nw_libc_nlm";
+   }
+   else  # NETWARE_CLIB
+   {
+      $out_def.="_nw_clib_nlm";
+      $tmp_def.="_nw_clib_nlm";
+      $inc_def.="_nw_clib_nlm";
+   }
+}
+else
+{
+   $libp=".lib";
+   $shlibp=".lib";
+   $lib_flags="-nodefaults -type library";
+   if ($LIBC)
+   {
+      $out_def.="_nw_libc";
+      $tmp_def.="_nw_libc";
+      $inc_def.="_nw_libc";
+   }
+   else  # NETWARE_CLIB 
+   {
+      $out_def.="_nw_clib";
+      $tmp_def.="_nw_clib";
+      $inc_def.="_nw_clib";
+   }
+}
+
+# used by mk1mf.pl
+$obj='.obj';
+$ofile='-o ';
+$efile='';
+$exep='.nlm';
+$ex_libs='';
+
+if (!$no_asm)
+{
+   $bn_asm_obj="crypto${o}bn${o}asm${o}bn-nw.obj";
+   $bn_asm_src="crypto${o}bn${o}asm${o}bn-nw.asm";
+   $des_enc_obj="crypto${o}des${o}asm${o}d-nw.obj crypto${o}des${o}asm${o}y-nw.obj";
+   $des_enc_src="crypto${o}des${o}asm${o}d-nw.asm crypto${o}des${o}asm${o}y-nw.asm";
+   $bf_enc_obj="crypto${o}bf${o}asm${o}b-nw.obj";
+   $bf_enc_src="crypto${o}bf${o}asm${o}b-nw.asm";
+   $cast_enc_obj="crypto${o}cast${o}asm${o}c-nw.obj";
+   $cast_enc_src="crypto${o}cast${o}asm${o}c-nw.asm";
+   $rc4_enc_obj="crypto${o}rc4${o}asm${o}r4-nw.obj";
+   $rc4_enc_src="crypto${o}rc4${o}asm${o}r4-nw.asm";
+   $rc5_enc_obj="crypto${o}rc5${o}asm${o}r5-nw.obj";
+   $rc5_enc_src="crypto${o}rc5${o}asm${o}r5-nw.asm";
+   $md5_asm_obj="crypto${o}md5${o}asm${o}m5-nw.obj";
+   $md5_asm_src="crypto${o}md5${o}asm${o}m5-nw.asm";
+   $sha1_asm_obj="crypto${o}sha${o}asm${o}s1-nw.obj";
+   $sha1_asm_src="crypto${o}sha${o}asm${o}s1-nw.asm";
+   $rmd160_asm_obj="crypto${o}ripemd${o}asm${o}rm-nw.obj";
+   $rmd160_asm_src="crypto${o}ripemd${o}asm${o}rm-nw.asm";
+   $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM";
+}
+else
+{
+   $bn_asm_obj='';
+   $bn_asm_src='';
+   $des_enc_obj='';
+   $des_enc_src='';
+   $bf_enc_obj='';
+   $bf_enc_src='';
+   $cast_enc_obj='';
+   $cast_enc_src='';
+   $rc4_enc_obj='';
+   $rc4_enc_src='';
+   $rc5_enc_obj='';
+   $rc5_enc_src='';
+   $md5_asm_obj='';
+   $md5_asm_src='';
+   $sha1_asm_obj='';
+   $sha1_asm_src='';
+   $rmd160_asm_obj='';
+   $rmd160_asm_src='';
+}
+
+# create the *.def linker command files in \openssl\netware\ directory
+sub do_def_file
+{
+   # strip off the leading path
+   my($target) = bname(@_);
+   my($def_file);
+   my($mod_file);
+   my($i);
+
+   if ($target =~ /(.*).nlm/)
+   {
+      $target = $1;
+   }
+
+   # special case for openssl - the mk1mf.pl defines E_EXE = openssl
+   if ($target =~ /E_EXE/)
+   {
+      $target = "openssl";
+   }
+
+   # Note: originally tried to use full path ( \openssl\netware\$target.def )
+   # Metrowerks linker choked on this with an assertion failure. bug???
+   #
+   $def_file = "netware\\$target.def";
+
+   open(DEF_OUT, ">$def_file") || die("unable to open file $def_file\n");
+
+   print( DEF_OUT "# command file generated by netware.pl for Metrowerks build\n" );
+   print( DEF_OUT "#\n");
+   print( DEF_OUT "DESCRIPTION \"$target\"\n");
+   
+   foreach $i (@misc_imports)
+   {
+      print( DEF_OUT "IMPORT $i\n");
+   }
+   
+   foreach $i (@import_files)
+   {
+      print( DEF_OUT "IMPORT \@$import_path\\$i\n");
+   }
+   
+   foreach $i (@module_files)
+   {
+      print( DEF_OUT "MODULE $i\n");
+   }
+
+   close(DEF_OUT);
+   return($def_file);
+}
+
+sub do_lib_rule
+{
+   my($objs,$target,$name,$shlib)=@_;
+   my($ret);
+
+   $ret.="$target: $objs\n";
+   if (!$shlib)
+   {
+      $ret.="\t\@echo Building Lib: $name\n";
+      $ret.="\t\$(MKLIB) $lib_flags -o $target $objs\n";
+      $ret.="\t\@echo .\n"
+   }
+   else
+   {
+      die( "Building as NLM not currently supported!" );
+   }
+
+   $ret.="\n";
+   return($ret);
+}
+
+sub do_link_rule
+{
+   my($target,$files,$dep_libs,$libs)=@_;
+   my($ret);
+   my($def_file);
+
+   $def_file = do_def_file($target);
+
+   # special case for openssl - the mk1mf.pl defines E_EXE = openssl
+
+   # NOTE:  When building the test nlms no screen name is given
+   #  which causes the console screen to be used.  By using the console
+   #  screen there is no "<press any key to continue>" message which
+   #  requires user interaction.  The test script ( tests.pl ) needs to be
+   #  able to run the tests without requiring user interaction.
+   #
+   #  However, the sample program "openssl.nlm" is used by the tests and is
+   #  a interactive sample so a screen is desired when not be run by the
+   #  tests.  To solve the problem, two versions of the program are built:
+   #    openssl2 - no screen used by tests
+   #    openssl - default screen - use for normal interactive modes
+   #
+   if ($target =~ /E_EXE/)
+   {
+      my($target2) = $target;
+
+      $target2 =~ s/\(E_EXE\)/\(E_EXE\)2/;
+
+      $ret.="$target: $files $dep_libs\n";
+
+         # openssl
+      $ret.="\t\$(LINK) \$(LFLAGS) -screenname openssl -commandfile $def_file $files \"$prelude\" $libs -o $target\n";
+         # openssl2
+      $ret.="\t\$(LINK) \$(LFLAGS) -commandfile $def_file $files \"$prelude\" $libs -o $target2\n";
+   }
+   else
+   {
+      $ret.="$target: $files $dep_libs\n";
+      $ret.="\t\$(LINK) \$(LFLAGS) -commandfile $def_file $files \"$prelude\" $libs -o $target\n";
+   }
+
+   $ret.="\n";
+   return($ret);
+}
+
+1;
diff --git a/crypto/openssl/util/pl/ultrix.pl b/crypto/openssl/util/pl/ultrix.pl
index 447b8547080c..ea370c71f968 100644
--- a/crypto/openssl/util/pl/ultrix.pl
+++ b/crypto/openssl/util/pl/ultrix.pl
@@ -17,7 +17,7 @@ else
 
 $cflags.=" -std1 -DL_ENDIAN";
 
-if (!$no_asm && !$fips)
+if (!$no_asm)
 	{
 	$bn_asm_obj='$(OBJ_D)/mips1.o';
 	$bn_asm_src='crypto/bn/asm/mips1.s';
@@ -25,18 +25,13 @@ if (!$no_asm && !$fips)
 
 sub do_link_rule
 	{
-	local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
+	local($target,$files,$dep_libs,$libs)=@_;
 	local($ret,$_);
 	
 	$file =~ s/\//$o/g if $o ne '/';
 	$n=&bname($target);
 	$ret.="$target: $files $dep_libs\n";
-	$ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
-	if (defined $sha1file)
-		{
-		$ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
-		}
-	$ret.="\n";
+	$ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
 	return($ret);
 	}
 
diff --git a/crypto/openssl/util/pl/unix.pl b/crypto/openssl/util/pl/unix.pl
index bbd1798a2e5e..146611ad9958 100644
--- a/crypto/openssl/util/pl/unix.pl
+++ b/crypto/openssl/util/pl/unix.pl
@@ -70,18 +70,13 @@ sub do_lib_rule
 
 sub do_link_rule
 	{
-	local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
+	local($target,$files,$dep_libs,$libs)=@_;
 	local($ret,$_);
 	
 	$file =~ s/\//$o/g if $o ne '/';
 	$n=&bname($target);
 	$ret.="$target: $files $dep_libs\n";
-	$ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
-	if (defined $sha1file)
-		{
-		$ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
-		}
-	$ret.="\n";
+	$ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
 	return($ret);
 	}
 
diff --git a/crypto/openssl/util/pod2man.pl b/crypto/openssl/util/pod2man.pl
index 657e4e264e07..546d1ec18600 100755
--- a/crypto/openssl/util/pod2man.pl
+++ b/crypto/openssl/util/pod2man.pl
@@ -425,6 +425,7 @@ if ($name ne 'something') {
 	    }
 	    next if /^=cut\b/;	# DB_File and Net::Ping have =cut before NAME
 	    next if /^=pod\b/;  # It is OK to have =pod before NAME
+	    next if /^=for\s+comment\b/;  # It is OK to have =for comment before NAME
 	    die "$0: Invalid man page - 1st pod line is not NAME in $ARGV[0]\n" unless $lax;
 	}
 	die "$0: Invalid man page - no documentation in $ARGV[0]\n" unless $lax;
diff --git a/crypto/openssl/util/selftest.pl b/crypto/openssl/util/selftest.pl
index e9d5aa8938ec..4778c5ab01df 100644
--- a/crypto/openssl/util/selftest.pl
+++ b/crypto/openssl/util/selftest.pl
@@ -49,7 +49,7 @@ if (open(IN,"<Makefile")) {
 }
 
 $cversion=`$cc -v 2>&1`;
-$cversion=`$cc -V 2>&1` if $cversion =~ "usage";
+$cversion=`$cc -V 2>&1` if $cversion =~ "[Uu]sage";
 $cversion=`$cc -V |head -1` if $cversion =~ "Error";
 $cversion=`$cc --version` if $cversion eq "";
 $cversion =~ s/Reading specs.*\n//;
@@ -130,15 +130,21 @@ if (system("make 2>&1 | tee make.log") > 255) {
     goto err;
 }
 
-$_=$options;
-s/no-asm//;
-s/no-shared//;
-s/no-krb5//;
-if (/no-/)
-{
-    print OUT "Test skipped.\n";
-    goto err;
-}
+# Not sure why this is here.  The tests themselves can detect if their
+# particular feature isn't included, and should therefore skip themselves.
+# To skip *all* tests just because one algorithm isn't included is like
+# shooting mosquito with an elephant gun...
+#                   -- Richard Levitte, inspired by problem report 1089
+#
+#$_=$options;
+#s/no-asm//;
+#s/no-shared//;
+#s/no-krb5//;
+#if (/no-/)
+#{
+#    print OUT "Test skipped.\n";
+#    goto err;
+#}
 
 print "Running make test...\n";
 if (system("make test 2>&1 | tee maketest.log") > 255)
diff --git a/crypto/openssl/util/shlib_wrap.sh b/crypto/openssl/util/shlib_wrap.sh
new file mode 100755
index 000000000000..dc5f5b1ce480
--- /dev/null
+++ b/crypto/openssl/util/shlib_wrap.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+[ $# -ne 0 ] || set -x		# debug mode without arguments:-)
+
+THERE="`echo $0 | sed -e 's|[^/]*$||' 2>/dev/null`.."
+[ -d "${THERE}" ] || exec "$@"	# should never happen...
+
+# Alternative to this is to parse ${THERE}/Makefile...
+LIBCRYPTOSO="${THERE}/libcrypto.so"
+if [ -f "$LIBCRYPTOSO" ]; then
+    while [ -h "$LIBCRYPTOSO" ]; do
+	LIBCRYPTOSO="${THERE}/`ls -l "$LIBCRYPTOSO" | sed -e 's|.*\-> ||'`"
+    done
+    SOSUFFIX=`echo ${LIBCRYPTOSO} | sed -e 's|.*\.so||' 2>/dev/null`
+    LIBSSLSO="${THERE}/libssl.so${SOSUFFIX}"
+fi
+
+SYSNAME=`(uname -s) 2>/dev/null`;
+case "$SYSNAME" in
+SunOS|IRIX*)
+	# SunOS and IRIX run-time linkers evaluate alternative
+	# variables depending on target ABI...
+	rld_var=LD_LIBRARY_PATH
+	case "`(/usr/bin/file "$LIBCRYPTOSO") 2>/dev/null`" in
+	*ELF\ 64*SPARC*)
+		[ -n "$LD_LIBRARY_PATH_64" ] && rld_var=LD_LIBRARY_PATH_64
+		;;
+	*ELF\ N32*MIPS*)
+		[ -n "$LD_LIBRARYN32_PATH" ] && rld_var=LD_LIBRARYN32_PATH
+		_RLDN32_LIST="$LIBCRYPTOSO:$LIBSSLSO:DEFAULT"; export _RLDN32_LIST
+		;;
+	*ELF\ 64*MIPS*)
+		[ -n "$LD_LIBRARY64_PATH"  ] && rld_var=LD_LIBRARY64_PATH
+		_RLD64_LIST="$LIBCRYPTOSO:$LIBSSLSO:DEFAULT"; export _RLD64_LIST
+		;;
+	esac
+	eval $rld_var=\"${THERE}:'$'$rld_var\"; export $rld_var
+	unset rld_var
+	;;
+*)	LD_LIBRARY_PATH="${THERE}:$LD_LIBRARY_PATH"	# Linux, ELF HP-UX
+	DYLD_LIBRARY_PATH="${THERE}:$DYLD_LIBRARY_PATH"	# MacOS X
+	SHLIB_PATH="${THERE}:$SHLIB_PATH"		# legacy HP-UX
+	LIBPATH="${THERE}:$LIBPATH"			# AIX, OS/2
+	export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH
+	# Even though $PATH is adjusted [for Windows sake], it doesn't
+	# necessarily does the trick. Trouble is that with introduction
+	# of SafeDllSearchMode in XP/2003 it's more appropriate to copy
+	# .DLLs in vicinity of executable, which is done elsewhere...
+	if [ "$OSTYPE" != msdosdjgpp ]; then
+		PATH="${THERE}:$PATH"; export PATH
+	fi
+	;;
+esac
+
+if [ -f "$LIBCRYPTOSO" ]; then
+	# Following three lines are major excuse for isolating them into
+	# this wrapper script. Original reason for setting LD_PRELOAD
+	# was to make it possible to pass 'make test' when user linked
+	# with -rpath pointing to previous version installation. Wrapping
+	# it into a script makes it possible to do so on multi-ABI
+	# platforms.
+	case "$SYSNAME" in
+	*BSD)	LD_PRELOAD="$LIBCRYPTOSO:$LIBSSLSO" ;;	# *BSD
+	*)	LD_PRELOAD="$LIBCRYPTOSO $LIBSSLSO" ;;	# SunOS, Linux, ELF HP-UX
+	esac
+	_RLD_LIST="$LIBCRYPTOSO:$LIBSSLSO:DEFAULT"	# Tru64, o32 IRIX
+	export LD_PRELOAD _RLD_LIST
+fi
+
+exec "$@"
diff --git a/crypto/openssl/util/ssleay.num b/crypto/openssl/util/ssleay.num
index 46e38a131f99..e285a0f96f34 100755
--- a/crypto/openssl/util/ssleay.num
+++ b/crypto/openssl/util/ssleay.num
@@ -170,7 +170,7 @@ SSL_add_file_cert_subjs_to_stk          185	EXIST:VMS:FUNCTION:STDIO
 SSL_set_tmp_rsa_callback                186	EXIST::FUNCTION:RSA
 SSL_set_tmp_dh_callback                 187	EXIST::FUNCTION:DH
 SSL_add_dir_cert_subjects_to_stack      188	EXIST:!VMS:FUNCTION:STDIO
-SSL_add_dir_cert_subjs_to_stk           188	NOEXIST::FUNCTION:
+SSL_add_dir_cert_subjs_to_stk           188	EXIST:VMS:FUNCTION:STDIO
 SSL_set_session_id_context              189	EXIST::FUNCTION:
 SSL_CTX_use_certificate_chain_file      222	EXIST:!VMS:FUNCTION:STDIO
 SSL_CTX_use_cert_chain_file             222	EXIST:VMS:FUNCTION:STDIO
@@ -215,3 +215,14 @@ SSL_CTX_set_generate_session_id         264	EXIST::FUNCTION:
 SSL_renegotiate_pending                 265	EXIST::FUNCTION:
 SSL_CTX_set_msg_callback                266	EXIST::FUNCTION:
 SSL_set_msg_callback                    267	EXIST::FUNCTION:
+DTLSv1_client_method                    268	EXIST::FUNCTION:
+SSL_CTX_set_tmp_ecdh_callback           269	EXIST::FUNCTION:ECDH
+SSL_set_tmp_ecdh_callback               270	EXIST::FUNCTION:ECDH
+SSL_COMP_get_name                       271	EXIST::FUNCTION:COMP
+SSL_get_current_compression             272	EXIST::FUNCTION:COMP
+DTLSv1_method                           273	EXIST::FUNCTION:
+SSL_get_current_expansion               274	EXIST::FUNCTION:COMP
+DTLSv1_server_method                    275	EXIST::FUNCTION:
+SSL_COMP_get_compression_methods        276	EXIST:!VMS:FUNCTION:COMP
+SSL_COMP_get_compress_methods           276	EXIST:VMS:FUNCTION:COMP
+SSL_SESSION_get_id                      277	EXIST::FUNCTION: