OpenSSL 0.9.7 stable 2002 05 08 merge

18 files changed, 965 insertions, 822 deletions

diff --git a/lib/libcrypto/x509/Makefile.ssl b/lib/libcrypto/x509/Makefile.ssl
index 79f09d4f713..62243ae8125 100644
--- a/lib/libcrypto/x509/Makefile.ssl
+++ b/lib/libcrypto/x509/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=	x509
 TOP=	../..
 CC=	cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=		make -f Makefile.ssl
-MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEDEPPROG=	makedepend
+MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile.ssl
 AR=		ar r
 
@@ -24,13 +25,13 @@ APPS=
 LIB=$(TOP)/libcrypto.a
 LIBSRC=	x509_def.c x509_d2.c x509_r2x.c x509_cmp.c \
 	x509_obj.c x509_req.c x509spki.c x509_vfy.c \
-	x509_set.c x509rset.c x509_err.c \
+	x509_set.c x509cset.c x509rset.c x509_err.c \
 	x509name.c x509_v3.c x509_ext.c x509_att.c \
 	x509type.c x509_lu.c x_all.c x509_txt.c \
 	x509_trs.c by_file.c by_dir.c 
 LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \
 	x509_obj.o x509_req.o x509spki.o x509_vfy.o \
-	x509_set.o x509rset.o x509_err.o \
+	x509_set.o x509cset.o x509rset.o x509_err.o \
 	x509name.o x509_v3.o x509_ext.o x509_att.o \
 	x509type.o x509_lu.o x_all.o x509_txt.o \
 	x509_trs.o by_file.o by_dir.o
@@ -49,8 +50,7 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	@echo You may get an error following this line.  Please ignore.
-	- $(RANLIB) $(LIB)
+	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
 
 files:
@@ -89,433 +89,322 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-by_dir.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-by_dir.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-by_dir.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-by_dir.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-by_dir.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-by_dir.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+by_dir.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+by_dir.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+by_dir.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+by_dir.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 by_dir.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-by_dir.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-by_dir.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-by_dir.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-by_dir.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-by_dir.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-by_dir.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-by_dir.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-by_dir.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+by_dir.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+by_dir.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+by_dir.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+by_dir.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 by_dir.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 by_dir.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 by_dir.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-by_dir.o: ../cryptlib.h
-by_file.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-by_file.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-by_file.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-by_file.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+by_dir.o: ../cryptlib.h by_dir.c
+by_file.o: ../../e_os.h ../../include/openssl/asn1.h
+by_file.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+by_file.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 by_file.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-by_file.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-by_file.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-by_file.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-by_file.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-by_file.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+by_file.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+by_file.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 by_file.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 by_file.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-by_file.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-by_file.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-by_file.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-by_file.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-by_file.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-by_file.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-by_file.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-by_file.o: ../cryptlib.h
-x509_att.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_att.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_att.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_att.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_att.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_att.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_att.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+by_file.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+by_file.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+by_file.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+by_file.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+by_file.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+by_file.o: ../../include/openssl/x509_vfy.h ../cryptlib.h by_file.c
+x509_att.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_att.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_att.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_att.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_att.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_att.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_att.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_att.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_att.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_att.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_att.o: ../../include/openssl/opensslconf.h
-x509_att.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_att.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_att.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_att.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_att.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_att.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_att.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-x509_att.o: ../cryptlib.h
-x509_cmp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_cmp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_cmp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_cmp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_cmp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_cmp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_cmp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_att.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_att.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_att.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_att.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_att.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_att.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_att.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_att.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_att.c
+x509_cmp.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_cmp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_cmp.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_cmp.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_cmp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_cmp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_cmp.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_cmp.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_cmp.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_cmp.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_cmp.o: ../../include/openssl/opensslconf.h
-x509_cmp.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_cmp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_cmp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_cmp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_cmp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_cmp.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_cmp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-x509_cmp.o: ../cryptlib.h
-x509_d2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_d2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_d2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_d2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_cmp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_cmp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_cmp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_cmp.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_cmp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_cmp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_cmp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_cmp.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_cmp.c
+x509_d2.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_d2.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_d2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_d2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_d2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_d2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_d2.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_d2.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_d2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_d2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_d2.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_d2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_d2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x509_d2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_d2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_d2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_d2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_d2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_d2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_d2.o: ../cryptlib.h
-x509_def.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_def.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_def.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_def.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_d2.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+x509_d2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_d2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_d2.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_d2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_d2.c
+x509_def.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_def.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_def.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_def.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_def.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_def.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_def.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_def.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_def.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_def.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_def.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_def.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_def.o: ../../include/openssl/opensslconf.h
-x509_def.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_def.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_def.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_def.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_def.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_def.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_def.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x509_def.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_def.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_def.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_def.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_def.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_def.o: ../cryptlib.h x509_def.c
 x509_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_err.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x509_err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x509_err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x509_err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x509_err.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x509_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x509_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x509_err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_err.o: ../../include/openssl/x509_vfy.h
-x509_ext.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_ext.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_ext.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_ext.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_ext.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_ext.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_ext.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_err.o: x509_err.c
+x509_ext.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_ext.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_ext.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_ext.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_ext.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_ext.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_ext.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_ext.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_ext.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_ext.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_ext.o: ../../include/openssl/opensslconf.h
-x509_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_ext.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_ext.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_ext.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_ext.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_ext.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_ext.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-x509_ext.o: ../cryptlib.h
-x509_lu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_lu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_lu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_lu.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_lu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_lu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_ext.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_ext.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_ext.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_ext.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_ext.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_ext.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_ext.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_ext.c
+x509_lu.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_lu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_lu.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_lu.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_lu.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_lu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_lu.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_lu.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_lu.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_lu.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_lu.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x509_lu.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_lu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_lu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x509_lu.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_lu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_lu.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_lu.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 x509_lu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 x509_lu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 x509_lu.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_lu.o: ../cryptlib.h
-x509_obj.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_obj.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_obj.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_obj.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_lu.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_lu.c
+x509_obj.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_obj.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_obj.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_obj.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_obj.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_obj.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_obj.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_obj.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_obj.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_obj.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_obj.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_obj.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_obj.o: ../../include/openssl/opensslconf.h
-x509_obj.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_obj.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_obj.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_obj.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_obj.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_obj.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_obj.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509_r2x.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_r2x.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_r2x.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_r2x.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_obj.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_obj.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_obj.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_obj.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_obj.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_obj.o: ../cryptlib.h x509_obj.c
+x509_r2x.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_r2x.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_r2x.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_r2x.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_r2x.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_r2x.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_r2x.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_r2x.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_r2x.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_r2x.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_r2x.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_r2x.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_r2x.o: ../../include/openssl/opensslconf.h
-x509_r2x.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_r2x.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_r2x.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_r2x.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_r2x.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_r2x.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_r2x.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509_req.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_r2x.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_r2x.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_r2x.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_r2x.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_r2x.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_r2x.o: ../cryptlib.h x509_r2x.c
+x509_req.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_req.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_req.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_req.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_req.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_req.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_req.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_req.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_req.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_req.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_req.o: ../../include/openssl/opensslconf.h
-x509_req.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
-x509_req.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-x509_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_req.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_req.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509_set.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_set.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_set.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_set.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_req.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_req.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+x509_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_req.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_req.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_req.o: ../cryptlib.h x509_req.c
+x509_set.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_set.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_set.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_set.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_set.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_set.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_set.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_set.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_set.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_set.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_set.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_set.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_set.o: ../../include/openssl/opensslconf.h
-x509_set.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_set.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_set.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_set.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_set.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_set.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_set.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509_trs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_trs.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_trs.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_trs.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_trs.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_trs.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_trs.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_set.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_set.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_set.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_set.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_set.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_set.o: ../cryptlib.h x509_set.c
+x509_trs.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_trs.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_trs.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_trs.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_trs.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_trs.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_trs.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_trs.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_trs.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_trs.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_trs.o: ../../include/openssl/opensslconf.h
-x509_trs.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_trs.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_trs.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_trs.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_trs.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_trs.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_trs.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-x509_trs.o: ../cryptlib.h
-x509_txt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_txt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_txt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_txt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_trs.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_trs.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_trs.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_trs.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_trs.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_trs.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_trs.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_trs.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_trs.c
+x509_txt.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_txt.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_txt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_txt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_txt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_txt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_txt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_txt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_txt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_txt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_txt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_txt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_txt.o: ../../include/openssl/opensslconf.h
-x509_txt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_txt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_txt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_txt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_txt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_txt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_txt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509_v3.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_v3.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_v3.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_v3.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_v3.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_v3.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_v3.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_txt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_txt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_txt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_txt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_txt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_txt.o: ../cryptlib.h x509_txt.c
+x509_v3.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_v3.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_v3.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_v3.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_v3.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_v3.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_v3.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_v3.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_v3.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_v3.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_v3.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x509_v3.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_v3.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_v3.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x509_v3.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_v3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_v3.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_v3.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 x509_v3.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 x509_v3.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 x509_v3.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_v3.o: ../../include/openssl/x509v3.h ../cryptlib.h
-x509_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_vfy.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_vfy.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_vfy.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_vfy.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_vfy.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_v3.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_v3.c
+x509_vfy.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_vfy.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_vfy.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_vfy.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_vfy.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_vfy.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_vfy.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_vfy.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_vfy.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_vfy.o: ../../include/openssl/opensslconf.h
-x509_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_vfy.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_vfy.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_vfy.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_vfy.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_vfy.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-x509_vfy.o: ../cryptlib.h
-x509name.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509name.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509name.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509name.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_vfy.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_vfy.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_vfy.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_vfy.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_vfy.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_vfy.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_vfy.c
+x509cset.o: ../../e_os.h ../../include/openssl/asn1.h
+x509cset.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509cset.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x509cset.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509cset.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509cset.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+x509cset.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509cset.o: ../../include/openssl/opensslconf.h
+x509cset.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509cset.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509cset.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509cset.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509cset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509cset.o: ../cryptlib.h x509cset.c
+x509name.o: ../../e_os.h ../../include/openssl/asn1.h
+x509name.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509name.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509name.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509name.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509name.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509name.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509name.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509name.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509name.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509name.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509name.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509name.o: ../../include/openssl/opensslconf.h
-x509name.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509name.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509name.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509name.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509name.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509name.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509name.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509rset.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509rset.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509rset.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509rset.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509name.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509name.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509name.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509name.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509name.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509name.o: ../cryptlib.h x509name.c
+x509rset.o: ../../e_os.h ../../include/openssl/asn1.h
+x509rset.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509rset.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509rset.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509rset.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509rset.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509rset.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509rset.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509rset.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509rset.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509rset.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509rset.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509rset.o: ../../include/openssl/opensslconf.h
-x509rset.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509rset.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509rset.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509rset.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509rset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509rset.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509rset.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x509spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-x509spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x509spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x509spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509rset.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509rset.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509rset.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509rset.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509rset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509rset.o: ../cryptlib.h x509rset.c
+x509spki.o: ../../e_os.h ../../include/openssl/asn1.h
+x509spki.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509spki.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x509spki.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509spki.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x509spki.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x509spki.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-x509spki.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x509spki.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509spki.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509spki.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509spki.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509spki.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509type.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509type.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509type.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509type.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509spki.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+x509spki.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509spki.o: ../../include/openssl/opensslconf.h
+x509spki.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509spki.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509spki.o: ../cryptlib.h x509spki.c
+x509type.o: ../../e_os.h ../../include/openssl/asn1.h
+x509type.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509type.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509type.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509type.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509type.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509type.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509type.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509type.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509type.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509type.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509type.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509type.o: ../../include/openssl/opensslconf.h
-x509type.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509type.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509type.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509type.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509type.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509type.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509type.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_all.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509type.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509type.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509type.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509type.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509type.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509type.o: ../cryptlib.h x509type.c
+x_all.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_all.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x_all.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 x_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 x_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 x_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x_all.o: ../cryptlib.h
+x_all.o: ../cryptlib.h x_all.c
diff --git a/lib/libcrypto/x509/by_file.c b/lib/libcrypto/x509/by_file.c
index 78e9240a8d0..92e00d2d733 100644
--- a/lib/libcrypto/x509/by_file.c
+++ b/lib/libcrypto/x509/by_file.c
@@ -66,7 +66,7 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
 
 static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
 	long argl, char **ret);
@@ -294,5 +294,5 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
 }
 
 
-#endif /* NO_STDIO */
+#endif /* OPENSSL_NO_STDIO */
 
diff --git a/lib/libcrypto/x509/x509.h b/lib/libcrypto/x509/x509.h
index 813c8adffd7..c75aa0c7174 100644
--- a/lib/libcrypto/x509/x509.h
+++ b/lib/libcrypto/x509/x509.h
@@ -60,47 +60,46 @@
 #define HEADER_X509_H
 
 #include <openssl/symhacks.h>
-#ifndef NO_BUFFER
+#ifndef OPENSSL_NO_BUFFER
 #include <openssl/buffer.h>
 #endif
-#ifndef NO_EVP
+#ifndef OPENSSL_NO_EVP
 #include <openssl/evp.h>
 #endif
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
 #include <openssl/stack.h>
 #include <openssl/asn1.h>
 #include <openssl/safestack.h>
 
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
 
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
-
+#ifndef OPENSSL_NO_SHA
+#include <openssl/sha.h>
+#endif
 #include <openssl/evp.h>
-
+#include <openssl/e_os2.h>
+#include <openssl/ossl_typ.h>
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
 /* Under Win32 this is defined in wincrypt.h */
 #undef X509_NAME
 #endif
 
-  /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
-#define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
-#define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */
-
 #define X509_FILETYPE_PEM	1
 #define X509_FILETYPE_ASN1	2
 #define X509_FILETYPE_DEFAULT	3
@@ -123,11 +122,11 @@ typedef struct X509_objects_st
 	int (*i2a)();
 	} X509_OBJECTS;
 
-typedef struct X509_algor_st
+struct X509_algor_st
 	{
 	ASN1_OBJECT *algorithm;
 	ASN1_TYPE *parameter;
-	} X509_ALGOR;
+	} /* X509_ALGOR */;
 
 DECLARE_STACK_OF(X509_ALGOR)
 DECLARE_ASN1_SET_OF(X509_ALGOR)
@@ -163,17 +162,17 @@ DECLARE_STACK_OF(X509_NAME_ENTRY)
 DECLARE_ASN1_SET_OF(X509_NAME_ENTRY)
 
 /* we always keep X509_NAMEs in 2 forms. */
-typedef struct X509_name_st
+struct X509_name_st
 	{
 	STACK_OF(X509_NAME_ENTRY) *entries;
 	int modified;	/* true if 'bytes' needs to be built */
-#ifndef NO_BUFFER
+#ifndef OPENSSL_NO_BUFFER
 	BUF_MEM *bytes;
 #else
 	char *bytes;
 #endif
 	unsigned long hash; /* Keep the hash around for lookups */
-	} X509_NAME;
+	} /* X509_NAME */;
 
 DECLARE_STACK_OF(X509_NAME)
 
@@ -182,11 +181,8 @@ DECLARE_STACK_OF(X509_NAME)
 typedef struct X509_extension_st
 	{
 	ASN1_OBJECT *object;
-	short critical;
-	short netscape_hack;
+	ASN1_BOOLEAN critical;
 	ASN1_OCTET_STRING *value;
-	struct v3_ext_method *method;	/* V3 method to use */
-	void *ext_val;			/* extension value */
 	} X509_EXTENSION;
 
 DECLARE_STACK_OF(X509_EXTENSION)
@@ -196,27 +192,26 @@ DECLARE_ASN1_SET_OF(X509_EXTENSION)
 typedef struct x509_attributes_st
 	{
 	ASN1_OBJECT *object;
-	int set; /* 1 for a set, 0 for a single item (which is wrong) */
+	int single; /* 0 for a set, 1 for a single item (which is wrong) */
 	union	{
 		char		*ptr;
-/* 1 */		STACK_OF(ASN1_TYPE) *set;
-/* 0 */		ASN1_TYPE	*single;
+/* 0 */		STACK_OF(ASN1_TYPE) *set;
+/* 1 */		ASN1_TYPE	*single;
 		} value;
 	} X509_ATTRIBUTE;
 
 DECLARE_STACK_OF(X509_ATTRIBUTE)
 DECLARE_ASN1_SET_OF(X509_ATTRIBUTE)
 
+
 typedef struct X509_req_info_st
 	{
-	unsigned char *asn1;
-	int length;
+	ASN1_ENCODING enc;
 	ASN1_INTEGER *version;
 	X509_NAME *subject;
 	X509_PUBKEY *pubkey;
 	/*  d=2 hl=2 l=  0 cons: cont: 00 */
 	STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
-	int req_kludge;
 	} X509_REQ_INFO;
 
 typedef struct X509_req_st
@@ -256,7 +251,7 @@ typedef struct x509_cert_aux_st
 	STACK_OF(X509_ALGOR) *other;		/* other unspecified info */
 	} X509_CERT_AUX;
 
-typedef struct x509_st
+struct x509_st
 	{
 	X509_CINF *cert_info;
 	X509_ALGOR *sig_alg;
@@ -273,11 +268,11 @@ typedef struct x509_st
 	unsigned long ex_nscert;
 	ASN1_OCTET_STRING *skid;
 	struct AUTHORITY_KEYID_st *akid;
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
 	unsigned char sha1_hash[SHA_DIGEST_LENGTH];
 #endif
 	X509_CERT_AUX *aux;
-	} X509;
+	} /* X509 */;
 
 DECLARE_STACK_OF(X509)
 DECLARE_ASN1_SET_OF(X509)
@@ -304,10 +299,12 @@ DECLARE_STACK_OF(X509_TRUST)
 #define X509_TRUST_SSL_SERVER	3
 #define X509_TRUST_EMAIL	4
 #define X509_TRUST_OBJECT_SIGN	5
+#define X509_TRUST_OCSP_SIGN	6
+#define X509_TRUST_OCSP_REQUEST	7
 
 /* Keep these up to date! */
 #define X509_TRUST_MIN		1
-#define X509_TRUST_MAX		5
+#define X509_TRUST_MAX		7
 
 
 /* trust_flags values */
@@ -320,6 +317,21 @@ DECLARE_STACK_OF(X509_TRUST)
 #define X509_TRUST_REJECTED	2
 #define X509_TRUST_UNTRUSTED	3
 
+/* Flags for X509_print_ex() */
+
+#define	X509_FLAG_COMPAT		0
+#define	X509_FLAG_NO_HEADER		1L
+#define	X509_FLAG_NO_VERSION		(1L << 1)
+#define	X509_FLAG_NO_SERIAL		(1L << 2)
+#define	X509_FLAG_NO_SIGNAME		(1L << 3)
+#define	X509_FLAG_NO_ISSUER		(1L << 4)
+#define	X509_FLAG_NO_VALIDITY		(1L << 5)
+#define	X509_FLAG_NO_SUBJECT		(1L << 6)
+#define	X509_FLAG_NO_PUBKEY		(1L << 7)
+#define	X509_FLAG_NO_EXTENSIONS		(1L << 8)
+#define	X509_FLAG_NO_SIGDUMP		(1L << 9)
+#define	X509_FLAG_NO_AUX		(1L << 10)
+
 /* Flags specific to X509_NAME_print_ex() */	
 
 /* The field separator information */
@@ -351,6 +363,8 @@ DECLARE_STACK_OF(X509_TRUST)
 
 #define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24)
 
+#define XN_FLAG_FN_ALIGN	(1 << 25)	/* Align field names to 20 characters */
+
 /* Complete set of RFC2253 flags */
 
 #define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | \
@@ -373,7 +387,8 @@ DECLARE_STACK_OF(X509_TRUST)
 			ASN1_STRFLGS_ESC_MSB | \
 			XN_FLAG_SEP_MULTILINE | \
 			XN_FLAG_SPC_EQ | \
-			XN_FLAG_FN_LN)
+			XN_FLAG_FN_LN | \
+			XN_FLAG_FN_ALIGN)
 
 typedef struct X509_revoked_st
 	{
@@ -397,14 +412,14 @@ typedef struct X509_crl_info_st
 	STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
 	} X509_CRL_INFO;
 
-typedef struct X509_crl_st
+struct X509_crl_st
 	{
 	/* actual signature */
 	X509_CRL_INFO *crl;
 	X509_ALGOR *sig_alg;
 	ASN1_BIT_STRING *signature;
 	int references;
-	} X509_CRL;
+	} /* X509_CRL */;
 
 DECLARE_STACK_OF(X509_CRL)
 DECLARE_ASN1_SET_OF(X509_CRL)
@@ -430,7 +445,7 @@ typedef struct private_key_st
 	int references;
 	} X509_PKEY;
 
-#ifndef NO_EVP
+#ifndef OPENSSL_NO_EVP
 typedef struct X509_info_st
 	{
 	X509 *x509;
@@ -686,7 +701,7 @@ extern "C" {
 const char *X509_verify_cert_error_string(long n);
 
 #ifndef SSLEAY_MACROS
-#ifndef NO_EVP
+#ifndef OPENSSL_NO_EVP
 int X509_verify(X509 *a, EVP_PKEY *r);
 
 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
@@ -700,11 +715,15 @@ int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
 
 int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
 
+int X509_signature_print(BIO *bp,X509_ALGOR *alg, ASN1_STRING *sig);
+
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
 
+int X509_pubkey_digest(const X509 *data,const EVP_MD *type,
+		unsigned char *md, unsigned int *len);
 int X509_digest(const X509 *data,const EVP_MD *type,
 		unsigned char *md, unsigned int *len);
 int X509_CRL_digest(const X509_CRL *data,const EVP_MD *type,
@@ -715,14 +734,14 @@ int X509_NAME_digest(const X509_NAME *data,const EVP_MD *type,
 		unsigned char *md, unsigned int *len);
 #endif
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 X509 *d2i_X509_fp(FILE *fp, X509 **x509);
 int i2d_X509_fp(FILE *fp,X509 *x509);
 X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL **crl);
 int i2d_X509_CRL_fp(FILE *fp,X509_CRL *crl);
 X509_REQ *d2i_X509_REQ_fp(FILE *fp,X509_REQ **req);
 int i2d_X509_REQ_fp(FILE *fp,X509_REQ *req);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 RSA *d2i_RSAPrivateKey_fp(FILE *fp,RSA **rsa);
 int i2d_RSAPrivateKey_fp(FILE *fp,RSA *rsa);
 RSA *d2i_RSAPublicKey_fp(FILE *fp,RSA **rsa);
@@ -730,7 +749,7 @@ int i2d_RSAPublicKey_fp(FILE *fp,RSA *rsa);
 RSA *d2i_RSA_PUBKEY_fp(FILE *fp,RSA **rsa);
 int i2d_RSA_PUBKEY_fp(FILE *fp,RSA *rsa);
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
 int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
@@ -748,14 +767,14 @@ int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
 EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
 #endif
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 X509 *d2i_X509_bio(BIO *bp,X509 **x509);
 int i2d_X509_bio(BIO *bp,X509 *x509);
 X509_CRL *d2i_X509_CRL_bio(BIO *bp,X509_CRL **crl);
 int i2d_X509_CRL_bio(BIO *bp,X509_CRL *crl);
 X509_REQ *d2i_X509_REQ_bio(BIO *bp,X509_REQ **req);
 int i2d_X509_REQ_bio(BIO *bp,X509_REQ *req);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA **rsa);
 int i2d_RSAPrivateKey_bio(BIO *bp,RSA *rsa);
 RSA *d2i_RSAPublicKey_bio(BIO *bp,RSA **rsa);
@@ -763,7 +782,7 @@ int i2d_RSAPublicKey_bio(BIO *bp,RSA *rsa);
 RSA *d2i_RSA_PUBKEY_bio(BIO *bp,RSA **rsa);
 int i2d_RSA_PUBKEY_bio(BIO *bp,RSA *rsa);
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
 int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
 DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
@@ -789,7 +808,7 @@ X509_REQ *X509_REQ_dup(X509_REQ *req);
 X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
 X509_NAME *X509_NAME_dup(X509_NAME *xn);
 X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 RSA *RSAPublicKey_dup(RSA *rsa);
 RSA *RSAPrivateKey_dup(RSA *rsa);
 #endif
@@ -810,25 +829,12 @@ const char *	X509_get_default_private_dir(void );
 
 X509_REQ *	X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
 X509 *		X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
-void ERR_load_X509_strings(void );
 
-X509_ALGOR *	X509_ALGOR_new(void );
-void		X509_ALGOR_free(X509_ALGOR *a);
-int		i2d_X509_ALGOR(X509_ALGOR *a,unsigned char **pp);
-X509_ALGOR *	d2i_X509_ALGOR(X509_ALGOR **a,unsigned char **pp,
-			long length);
+DECLARE_ASN1_FUNCTIONS(X509_ALGOR)
+DECLARE_ASN1_FUNCTIONS(X509_VAL)
 
-X509_VAL *	X509_VAL_new(void );
-void		X509_VAL_free(X509_VAL *a);
-int		i2d_X509_VAL(X509_VAL *a,unsigned char **pp);
-X509_VAL *	d2i_X509_VAL(X509_VAL **a,unsigned char **pp,
-			long length);
+DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
 
-X509_PUBKEY *	X509_PUBKEY_new(void );
-void		X509_PUBKEY_free(X509_PUBKEY *a);
-int		i2d_X509_PUBKEY(X509_PUBKEY *a,unsigned char **pp);
-X509_PUBKEY *	d2i_X509_PUBKEY(X509_PUBKEY **a,unsigned char **pp,
-			long length);
 int		X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
 EVP_PKEY *	X509_PUBKEY_get(X509_PUBKEY *key);
 int		X509_get_pubkey_parameters(EVP_PKEY *pkey,
@@ -836,69 +842,37 @@ int		X509_get_pubkey_parameters(EVP_PKEY *pkey,
 int		i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp);
 EVP_PKEY *	d2i_PUBKEY(EVP_PKEY **a,unsigned char **pp,
 			long length);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 int		i2d_RSA_PUBKEY(RSA *a,unsigned char **pp);
 RSA *		d2i_RSA_PUBKEY(RSA **a,unsigned char **pp,
 			long length);
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 int		i2d_DSA_PUBKEY(DSA *a,unsigned char **pp);
 DSA *		d2i_DSA_PUBKEY(DSA **a,unsigned char **pp,
 			long length);
 #endif
 
-X509_SIG *	X509_SIG_new(void );
-void		X509_SIG_free(X509_SIG *a);
-int		i2d_X509_SIG(X509_SIG *a,unsigned char **pp);
-X509_SIG *	d2i_X509_SIG(X509_SIG **a,unsigned char **pp,long length);
-
-X509_REQ_INFO *X509_REQ_INFO_new(void);
-void		X509_REQ_INFO_free(X509_REQ_INFO *a);
-int		i2d_X509_REQ_INFO(X509_REQ_INFO *a,unsigned char **pp);
-X509_REQ_INFO *d2i_X509_REQ_INFO(X509_REQ_INFO **a,unsigned char **pp,
-			long length);
+DECLARE_ASN1_FUNCTIONS(X509_SIG)
+DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
+DECLARE_ASN1_FUNCTIONS(X509_REQ)
 
-X509_REQ *	X509_REQ_new(void);
-void		X509_REQ_free(X509_REQ *a);
-int		i2d_X509_REQ(X509_REQ *a,unsigned char **pp);
-X509_REQ *	d2i_X509_REQ(X509_REQ **a,unsigned char **pp,long length);
-
-X509_ATTRIBUTE *X509_ATTRIBUTE_new(void );
-void		X509_ATTRIBUTE_free(X509_ATTRIBUTE *a);
-int		i2d_X509_ATTRIBUTE(X509_ATTRIBUTE *a,unsigned char **pp);
-X509_ATTRIBUTE *d2i_X509_ATTRIBUTE(X509_ATTRIBUTE **a,unsigned char **pp,
-			long length);
+DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
 X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);
 
+DECLARE_ASN1_FUNCTIONS(X509_EXTENSION)
 
-X509_EXTENSION *X509_EXTENSION_new(void );
-void		X509_EXTENSION_free(X509_EXTENSION *a);
-int		i2d_X509_EXTENSION(X509_EXTENSION *a,unsigned char **pp);
-X509_EXTENSION *d2i_X509_EXTENSION(X509_EXTENSION **a,unsigned char **pp,
-			long length);
+DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY)
 
-X509_NAME_ENTRY *X509_NAME_ENTRY_new(void);
-void		X509_NAME_ENTRY_free(X509_NAME_ENTRY *a);
-int		i2d_X509_NAME_ENTRY(X509_NAME_ENTRY *a,unsigned char **pp);
-X509_NAME_ENTRY *d2i_X509_NAME_ENTRY(X509_NAME_ENTRY **a,unsigned char **pp,
-			long length);
+DECLARE_ASN1_FUNCTIONS(X509_NAME)
 
-X509_NAME *	X509_NAME_new(void);
-void		X509_NAME_free(X509_NAME *a);
-int		i2d_X509_NAME(X509_NAME *a,unsigned char **pp);
-X509_NAME *	d2i_X509_NAME(X509_NAME **a,unsigned char **pp,long length);
 int		X509_NAME_set(X509_NAME **xn, X509_NAME *name);
 
+DECLARE_ASN1_FUNCTIONS(X509_CINF)
 
-X509_CINF *	X509_CINF_new(void);
-void		X509_CINF_free(X509_CINF *a);
-int		i2d_X509_CINF(X509_CINF *a,unsigned char **pp);
-X509_CINF *	d2i_X509_CINF(X509_CINF **a,unsigned char **pp,long length);
+DECLARE_ASN1_FUNCTIONS(X509)
+DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
 
-X509 *		X509_new(void);
-void		X509_free(X509 *a);
-int		i2d_X509(X509 *a,unsigned char **pp);
-X509 *		d2i_X509(X509 **a,unsigned char **pp,long length);
 int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int X509_set_ex_data(X509 *r, int idx, void *arg);
@@ -906,60 +880,32 @@ void *X509_get_ex_data(X509 *r, int idx);
 int		i2d_X509_AUX(X509 *a,unsigned char **pp);
 X509 *		d2i_X509_AUX(X509 **a,unsigned char **pp,long length);
 
-X509_CERT_AUX *	X509_CERT_AUX_new(void);
-void		X509_CERT_AUX_free(X509_CERT_AUX *a);
-int		i2d_X509_CERT_AUX(X509_CERT_AUX *a,unsigned char **pp);
-X509_CERT_AUX *	d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp,
-								long length);
 int X509_alias_set1(X509 *x, unsigned char *name, int len);
 int X509_keyid_set1(X509 *x, unsigned char *id, int len);
 unsigned char * X509_alias_get0(X509 *x, int *len);
 int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
+int X509_TRUST_set(int *t, int trust);
 int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
 int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj);
 void X509_trust_clear(X509 *x);
 void X509_reject_clear(X509 *x);
 
-X509_REVOKED *	X509_REVOKED_new(void);
-void		X509_REVOKED_free(X509_REVOKED *a);
-int		i2d_X509_REVOKED(X509_REVOKED *a,unsigned char **pp);
-X509_REVOKED *	d2i_X509_REVOKED(X509_REVOKED **a,unsigned char **pp,long length);
+DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
+DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
+DECLARE_ASN1_FUNCTIONS(X509_CRL)
 
-X509_CRL_INFO *X509_CRL_INFO_new(void);
-void		X509_CRL_INFO_free(X509_CRL_INFO *a);
-int		i2d_X509_CRL_INFO(X509_CRL_INFO *a,unsigned char **pp);
-X509_CRL_INFO *d2i_X509_CRL_INFO(X509_CRL_INFO **a,unsigned char **pp,
-			long length);
-
-X509_CRL *	X509_CRL_new(void);
-void		X509_CRL_free(X509_CRL *a);
-int		i2d_X509_CRL(X509_CRL *a,unsigned char **pp);
-X509_CRL *	d2i_X509_CRL(X509_CRL **a,unsigned char **pp,long length);
+int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
 
 X509_PKEY *	X509_PKEY_new(void );
 void		X509_PKEY_free(X509_PKEY *a);
 int		i2d_X509_PKEY(X509_PKEY *a,unsigned char **pp);
 X509_PKEY *	d2i_X509_PKEY(X509_PKEY **a,unsigned char **pp,long length);
 
-NETSCAPE_SPKI *	NETSCAPE_SPKI_new(void );
-void		NETSCAPE_SPKI_free(NETSCAPE_SPKI *a);
-int		i2d_NETSCAPE_SPKI(NETSCAPE_SPKI *a,unsigned char **pp);
-NETSCAPE_SPKI *	d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **a,unsigned char **pp,
-			long length);
+DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI)
+DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC)
+DECLARE_ASN1_FUNCTIONS(NETSCAPE_CERT_SEQUENCE)
 
-NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void );
-void		NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *a);
-int		i2d_NETSCAPE_SPKAC(NETSCAPE_SPKAC *a,unsigned char **pp);
-NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **a,unsigned char **pp,
-		long length);
-
-
-int i2d_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE *a, unsigned char **pp);
-NETSCAPE_CERT_SEQUENCE *NETSCAPE_CERT_SEQUENCE_new(void);
-NETSCAPE_CERT_SEQUENCE *d2i_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE **a, unsigned char **pp, long length);
-void NETSCAPE_CERT_SEQUENCE_free(NETSCAPE_CERT_SEQUENCE *a);
-
-#ifndef NO_EVP
+#ifndef OPENSSL_NO_EVP
 X509_INFO *	X509_INFO_new(void);
 void		X509_INFO_free(X509_INFO *a);
 char *		X509_NAME_oneline(X509_NAME *a,char *buf,int size);
@@ -973,6 +919,16 @@ int ASN1_digest(int (*i2d)(),const EVP_MD *type,char *data,
 int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 	ASN1_BIT_STRING *signature,
 	char *data,EVP_PKEY *pkey, const EVP_MD *type);
+
+int ASN1_item_digest(const ASN1_ITEM *it,const EVP_MD *type,void *data,
+	unsigned char *md,unsigned int *len);
+
+int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *algor1,
+	ASN1_BIT_STRING *signature,void *data,EVP_PKEY *pkey);
+
+int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
+	ASN1_BIT_STRING *signature,
+	void *data, EVP_PKEY *pkey, const EVP_MD *type);
 #endif
 
 int 		X509_set_version(X509 *x,long version);
@@ -986,6 +942,7 @@ int 		X509_set_notBefore(X509 *x, ASN1_TIME *tm);
 int 		X509_set_notAfter(X509 *x, ASN1_TIME *tm);
 int 		X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
 EVP_PKEY *	X509_get_pubkey(X509 *x);
+ASN1_BIT_STRING * X509_get0_pubkey_bitstr(const X509 *x);
 int		X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */);
 
 int		X509_REQ_set_version(X509_REQ *x,long version);
@@ -1008,14 +965,23 @@ X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
 X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
 int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
 int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
-			ASN1_OBJECT *obj, int type,
-			unsigned char *bytes, int len);
+			const ASN1_OBJECT *obj, int type,
+			const unsigned char *bytes, int len);
 int X509_REQ_add1_attr_by_NID(X509_REQ *req,
 			int nid, int type,
-			unsigned char *bytes, int len);
+			const unsigned char *bytes, int len);
 int X509_REQ_add1_attr_by_txt(X509_REQ *req,
-			char *attrname, int type,
-			unsigned char *bytes, int len);
+			const char *attrname, int type,
+			const unsigned char *bytes, int len);
+
+int X509_CRL_set_version(X509_CRL *x, long version);
+int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
+int X509_CRL_set_lastUpdate(X509_CRL *x, ASN1_TIME *tm);
+int X509_CRL_set_nextUpdate(X509_CRL *x, ASN1_TIME *tm);
+int X509_CRL_sort(X509_CRL *crl);
+
+int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
+int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
 
 int		X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
 
@@ -1033,17 +999,20 @@ int		X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
 unsigned long	X509_NAME_hash(X509_NAME *x);
 
 int		X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
+int		X509_print_ex_fp(FILE *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
 int		X509_print_fp(FILE *bp,X509 *x);
 int		X509_CRL_print_fp(FILE *bp,X509_CRL *x);
 int		X509_REQ_print_fp(FILE *bp,X509_REQ *req);
 int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags);
 #endif
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 int		X509_NAME_print(BIO *bp, X509_NAME *name, int obase);
 int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags);
+int		X509_print_ex(BIO *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
 int		X509_print(BIO *bp,X509 *x);
+int		X509_ocspid_print(BIO *bp,X509 *x);
 int		X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent);
 int		X509_CRL_print(BIO *bp,X509_CRL *x);
 int		X509_REQ_print(BIO *bp,X509_REQ *req);
@@ -1104,6 +1073,8 @@ X509_EXTENSION *X509_get_ext(X509 *x, int loc);
 X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
 int		X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
 void	*	X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx);
+int		X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
+							unsigned long flags);
 
 int		X509_CRL_get_ext_count(X509_CRL *x);
 int		X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos);
@@ -1113,6 +1084,8 @@ X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc);
 X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
 int		X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
 void	*	X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx);
+int		X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
+							unsigned long flags);
 
 int		X509_REVOKED_get_ext_count(X509_REVOKED *x);
 int		X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos);
@@ -1122,6 +1095,8 @@ X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc);
 X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc);
 int		X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
 void	*	X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx);
+int		X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
+							unsigned long flags);
 
 X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
 			int nid, int crit, ASN1_OCTET_STRING *data);
@@ -1145,22 +1120,22 @@ X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc);
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
 					 X509_ATTRIBUTE *attr);
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
-			ASN1_OBJECT *obj, int type,
-			unsigned char *bytes, int len);
+			const ASN1_OBJECT *obj, int type,
+			const unsigned char *bytes, int len);
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
 			int nid, int type,
-			unsigned char *bytes, int len);
+			const unsigned char *bytes, int len);
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
-			char *attrname, int type,
-			unsigned char *bytes, int len);
+			const char *attrname, int type,
+			const unsigned char *bytes, int len);
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
-	     int atrtype, void *data, int len);
+	     int atrtype, const void *data, int len);
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
-	     ASN1_OBJECT *obj, int atrtype, void *data, int len);
+	     const ASN1_OBJECT *obj, int atrtype, const void *data, int len);
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
-		char *atrname, int type, unsigned char *bytes, int len);
-int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj);
-int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int len);
+		const char *atrname, int type, const unsigned char *bytes, int len);
+int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
+int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len);
 void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
 					int atrtype, void *data);
 int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr);
@@ -1174,31 +1149,17 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk,X509_NAME *name,
 				     ASN1_INTEGER *serial);
 X509 *X509_find_by_subject(STACK_OF(X509) *sk,X509_NAME *name);
 
-int i2d_PBEPARAM(PBEPARAM *a, unsigned char **pp);
-PBEPARAM *PBEPARAM_new(void);
-PBEPARAM *d2i_PBEPARAM(PBEPARAM **a, unsigned char **pp, long length);
-void PBEPARAM_free(PBEPARAM *a);
+DECLARE_ASN1_FUNCTIONS(PBEPARAM)
+DECLARE_ASN1_FUNCTIONS(PBE2PARAM)
+DECLARE_ASN1_FUNCTIONS(PBKDF2PARAM)
+
 X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt, int saltlen);
 X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 					 unsigned char *salt, int saltlen);
 
-int i2d_PBKDF2PARAM(PBKDF2PARAM *a, unsigned char **pp);
-PBKDF2PARAM *PBKDF2PARAM_new(void);
-PBKDF2PARAM *d2i_PBKDF2PARAM(PBKDF2PARAM **a, unsigned char **pp, long length);
-void PBKDF2PARAM_free(PBKDF2PARAM *a);
-
-int i2d_PBE2PARAM(PBE2PARAM *a, unsigned char **pp);
-PBE2PARAM *PBE2PARAM_new(void);
-PBE2PARAM *d2i_PBE2PARAM(PBE2PARAM **a, unsigned char **pp, long length);
-void PBE2PARAM_free(PBE2PARAM *a);
-
 /* PKCS#8 utilities */
 
-int i2d_PKCS8_PRIV_KEY_INFO(PKCS8_PRIV_KEY_INFO *a, unsigned char **pp);
-PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void);
-PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO(PKCS8_PRIV_KEY_INFO **a,
-					 unsigned char **pp, long length);
-void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *a);
+DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
 
 EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8);
 PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
@@ -1220,6 +1181,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_X509_strings(void);
 
 /* Error codes for the X509 functions. */
 
@@ -1258,9 +1220,12 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
 #define X509_F_X509_REQ_TO_X509				 123
 #define X509_F_X509_STORE_ADD_CERT			 124
 #define X509_F_X509_STORE_ADD_CRL			 125
+#define X509_F_X509_STORE_CTX_INIT			 143
+#define X509_F_X509_STORE_CTX_NEW			 142
 #define X509_F_X509_STORE_CTX_PURPOSE_INHERIT		 134
 #define X509_F_X509_TO_X509_REQ				 126
 #define X509_F_X509_TRUST_ADD				 133
+#define X509_F_X509_TRUST_SET				 141
 #define X509_F_X509_VERIFY_CERT				 127
 
 /* Reason codes. */
@@ -1271,6 +1236,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
 #define X509_R_ERR_ASN1_LIB				 102
 #define X509_R_INVALID_DIRECTORY			 113
 #define X509_R_INVALID_FIELD_NAME			 119
+#define X509_R_INVALID_TRUST				 123
 #define X509_R_KEY_TYPE_MISMATCH			 115
 #define X509_R_KEY_VALUES_MISMATCH			 116
 #define X509_R_LOADING_CERT_DIR				 103
@@ -1291,4 +1257,3 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
 }
 #endif
 #endif
-
diff --git a/lib/libcrypto/x509/x509_att.c b/lib/libcrypto/x509/x509_att.c
index caafde658f3..0bae3d32a1a 100644
--- a/lib/libcrypto/x509/x509_att.c
+++ b/lib/libcrypto/x509/x509_att.c
@@ -149,8 +149,8 @@ err2:
 }
 
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
-			ASN1_OBJECT *obj, int type,
-			unsigned char *bytes, int len)
+			const ASN1_OBJECT *obj, int type,
+			const unsigned char *bytes, int len)
 {
 	X509_ATTRIBUTE *attr;
 	STACK_OF(X509_ATTRIBUTE) *ret;
@@ -163,7 +163,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
 
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
 			int nid, int type,
-			unsigned char *bytes, int len)
+			const unsigned char *bytes, int len)
 {
 	X509_ATTRIBUTE *attr;
 	STACK_OF(X509_ATTRIBUTE) *ret;
@@ -175,8 +175,8 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
 }
 
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
-			char *attrname, int type,
-			unsigned char *bytes, int len)
+			const char *attrname, int type,
+			const unsigned char *bytes, int len)
 {
 	X509_ATTRIBUTE *attr;
 	STACK_OF(X509_ATTRIBUTE) *ret;
@@ -188,7 +188,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
 }
 
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
-	     int atrtype, void *data, int len)
+	     int atrtype, const void *data, int len)
 {
 	ASN1_OBJECT *obj;
 	X509_ATTRIBUTE *ret;
@@ -205,7 +205,7 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
 }
 
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
-	     ASN1_OBJECT *obj, int atrtype, void *data, int len)
+	     const ASN1_OBJECT *obj, int atrtype, const void *data, int len)
 {
 	X509_ATTRIBUTE *ret;
 
@@ -234,7 +234,7 @@ err:
 }
 
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
-		char *atrname, int type, unsigned char *bytes, int len)
+		const char *atrname, int type, const unsigned char *bytes, int len)
 	{
 	ASN1_OBJECT *obj;
 	X509_ATTRIBUTE *nattr;
@@ -252,7 +252,7 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
 	return nattr;
 	}
 
-int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj)
+int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
 {
 	if ((attr == NULL) || (obj == NULL))
 		return(0);
@@ -261,7 +261,7 @@ int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj)
 	return(1);
 }
 
-int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int len)
+int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len)
 {
 	ASN1_TYPE *ttmp;
 	ASN1_STRING *stmp;
@@ -283,7 +283,7 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int
 	if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
 	if(!(ttmp = ASN1_TYPE_new())) goto err;
 	if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
-	attr->set = 1;
+	attr->single = 0;
 	ASN1_TYPE_set(ttmp, atype, stmp);
 	return 1;
 	err:
@@ -293,7 +293,7 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int
 
 int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr)
 {
-	if(attr->set) return sk_ASN1_TYPE_num(attr->value.set);
+	if(!attr->single) return sk_ASN1_TYPE_num(attr->value.set);
 	if(attr->value.single) return 1;
 	return 0;
 }
@@ -321,6 +321,6 @@ ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
 {
 	if (attr == NULL) return(NULL);
 	if(idx >= X509_ATTRIBUTE_count(attr)) return NULL;
-	if(attr->set) return sk_ASN1_TYPE_value(attr->value.set, idx);
+	if(!attr->single) return sk_ASN1_TYPE_value(attr->value.set, idx);
 	else return attr->value.single;
 }
diff --git a/lib/libcrypto/x509/x509_cmp.c b/lib/libcrypto/x509/x509_cmp.c
index 3f9f9b3d472..cd20b6d66f9 100644
--- a/lib/libcrypto/x509/x509_cmp.c
+++ b/lib/libcrypto/x509/x509_cmp.c
@@ -75,24 +75,26 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
 	return(X509_NAME_cmp(ai->issuer,bi->issuer));
 	}
 
-#ifndef NO_MD5
+#ifndef OPENSSL_NO_MD5
 unsigned long X509_issuer_and_serial_hash(X509 *a)
 	{
 	unsigned long ret=0;
-	MD5_CTX ctx;
+	EVP_MD_CTX ctx;
 	unsigned char md[16];
 	char str[256];
 
+	EVP_MD_CTX_init(&ctx);
 	X509_NAME_oneline(a->cert_info->issuer,str,256);
 	ret=strlen(str);
-	MD5_Init(&ctx);
-	MD5_Update(&ctx,(unsigned char *)str,ret);
-	MD5_Update(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
+	EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
+	EVP_DigestUpdate(&ctx,(unsigned char *)str,ret);
+	EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
 		(unsigned long)a->cert_info->serialNumber->length);
-	MD5_Final(&(md[0]),&ctx);
+	EVP_DigestFinal_ex(&ctx,&(md[0]),NULL);
 	ret=(	((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
 		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
 		)&0xffffffffL;
+	EVP_MD_CTX_cleanup(&ctx);
 	return(ret);
 	}
 #endif
@@ -137,7 +139,7 @@ unsigned long X509_subject_name_hash(X509 *x)
 	return(X509_NAME_hash(x->cert_info->subject));
 	}
 
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
 /* Compare two certificates: they must be identical for
  * this to work. NB: Although "cmp" operations are generally
  * prototyped to take "const" arguments (eg. for use in
@@ -192,7 +194,7 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
 	return(0);
 	}
 
-#ifndef NO_MD5
+#ifndef OPENSSL_NO_MD5
 /* I now DER encode the name and hash it.  Since I cache the DER encoding,
  * this is reasonably efficient. */
 unsigned long X509_NAME_hash(X509_NAME *x)
@@ -200,12 +202,9 @@ unsigned long X509_NAME_hash(X509_NAME *x)
 	unsigned long ret=0;
 	unsigned char md[16];
 
-	/* Ensure cached version is up to date */
+	/* Make sure X509_NAME structure contains valid cached encoding */
 	i2d_X509_NAME(x,NULL);
-	/* Use cached encoding directly rather than copying: this should
-	 * keep libsafe happy.
-	 */
-	MD5((unsigned char *)x->bytes->data,x->bytes->length,&(md[0]));
+	EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
 
 	ret=(	((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
 		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
@@ -258,6 +257,12 @@ EVP_PKEY *X509_get_pubkey(X509 *x)
 	return(X509_PUBKEY_get(x->cert_info->key));
 	}
 
+ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
+	{
+	if(!x) return NULL;
+	return x->cert_info->key->public_key;
+	}
+
 int X509_check_private_key(X509 *x, EVP_PKEY *k)
 	{
 	EVP_PKEY *xk=NULL;
@@ -271,7 +276,7 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
 	    }
 	switch (k->type)
 		{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 	case EVP_PKEY_RSA:
 		if (BN_cmp(xk->pkey.rsa->n,k->pkey.rsa->n) != 0
 		    || BN_cmp(xk->pkey.rsa->e,k->pkey.rsa->e) != 0)
@@ -281,7 +286,7 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
 		    }
 		break;
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 	case EVP_PKEY_DSA:
 		if (BN_cmp(xk->pkey.dsa->pub_key,k->pkey.dsa->pub_key) != 0)
 		    {
@@ -290,7 +295,7 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
 		    }
 		break;
 #endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 	case EVP_PKEY_DH:
 		/* No idea */
 	        X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
diff --git a/lib/libcrypto/x509/x509_d2.c b/lib/libcrypto/x509/x509_d2.c
index 753d53eb437..51410cfd1a9 100644
--- a/lib/libcrypto/x509/x509_d2.c
+++ b/lib/libcrypto/x509/x509_d2.c
@@ -61,7 +61,7 @@
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
 int X509_STORE_set_default_paths(X509_STORE *ctx)
 	{
 	X509_LOOKUP *lookup;
diff --git a/lib/libcrypto/x509/x509_err.c b/lib/libcrypto/x509/x509_err.c
index 848add56e9b..5bbf4acf765 100644
--- a/lib/libcrypto/x509/x509_err.c
+++ b/lib/libcrypto/x509/x509_err.c
@@ -63,7 +63,7 @@
 #include <openssl/x509.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA X509_str_functs[]=
 	{
 {ERR_PACK(0,X509_F_ADD_CERT_DIR,0),	"ADD_CERT_DIR"},
@@ -100,9 +100,12 @@ static ERR_STRING_DATA X509_str_functs[]=
 {ERR_PACK(0,X509_F_X509_REQ_TO_X509,0),	"X509_REQ_to_X509"},
 {ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0),	"X509_STORE_add_cert"},
 {ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0),	"X509_STORE_add_crl"},
+{ERR_PACK(0,X509_F_X509_STORE_CTX_INIT,0),	"X509_STORE_CTX_init"},
+{ERR_PACK(0,X509_F_X509_STORE_CTX_NEW,0),	"X509_STORE_CTX_new"},
 {ERR_PACK(0,X509_F_X509_STORE_CTX_PURPOSE_INHERIT,0),	"X509_STORE_CTX_purpose_inherit"},
 {ERR_PACK(0,X509_F_X509_TO_X509_REQ,0),	"X509_to_X509_REQ"},
 {ERR_PACK(0,X509_F_X509_TRUST_ADD,0),	"X509_TRUST_add"},
+{ERR_PACK(0,X509_F_X509_TRUST_SET,0),	"X509_TRUST_set"},
 {ERR_PACK(0,X509_F_X509_VERIFY_CERT,0),	"X509_verify_cert"},
 {0,NULL}
 	};
@@ -116,6 +119,7 @@ static ERR_STRING_DATA X509_str_reasons[]=
 {X509_R_ERR_ASN1_LIB                     ,"err asn1 lib"},
 {X509_R_INVALID_DIRECTORY                ,"invalid directory"},
 {X509_R_INVALID_FIELD_NAME               ,"invalid field name"},
+{X509_R_INVALID_TRUST                    ,"invalid trust"},
 {X509_R_KEY_TYPE_MISMATCH                ,"key type mismatch"},
 {X509_R_KEY_VALUES_MISMATCH              ,"key values mismatch"},
 {X509_R_LOADING_CERT_DIR                 ,"loading cert dir"},
@@ -143,7 +147,7 @@ void ERR_load_X509_strings(void)
 	if (init)
 		{
 		init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 		ERR_load_strings(ERR_LIB_X509,X509_str_functs);
 		ERR_load_strings(ERR_LIB_X509,X509_str_reasons);
 #endif
diff --git a/lib/libcrypto/x509/x509_ext.c b/lib/libcrypto/x509/x509_ext.c
index 29559898073..e7fdacb5e45 100644
--- a/lib/libcrypto/x509/x509_ext.c
+++ b/lib/libcrypto/x509/x509_ext.c
@@ -101,6 +101,12 @@ void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
 	return X509V3_get_d2i(x->crl->extensions, nid, crit, idx);
 }
 
+int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
+							unsigned long flags)
+{
+	return X509V3_add1_i2d(&x->crl->extensions, nid, value, crit, flags);
+}
+
 int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
 	{
 	return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL);
@@ -146,6 +152,13 @@ void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
 	return X509V3_get_d2i(x->cert_info->extensions, nid, crit, idx);
 }
 
+int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
+							unsigned long flags)
+{
+	return X509V3_add1_i2d(&x->cert_info->extensions, nid, value, crit,
+							flags);
+}
+
 int X509_REVOKED_get_ext_count(X509_REVOKED *x)
 	{
 	return(X509v3_get_ext_count(x->extensions));
@@ -187,5 +200,11 @@ void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx)
 	return X509V3_get_d2i(x->extensions, nid, crit, idx);
 }
 
+int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
+							unsigned long flags)
+{
+	return X509V3_add1_i2d(&x->extensions, nid, value, crit, flags);
+}
+
 IMPLEMENT_STACK_OF(X509_EXTENSION)
 IMPLEMENT_ASN1_SET_OF(X509_EXTENSION)
diff --git a/lib/libcrypto/x509/x509_lu.c b/lib/libcrypto/x509/x509_lu.c
index 863c738cad8..b780dae5e29 100644
--- a/lib/libcrypto/x509/x509_lu.c
+++ b/lib/libcrypto/x509/x509_lu.c
@@ -60,8 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
-
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_meth=NULL;
+#include <openssl/x509v3.h>
 
 X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
 	{
@@ -185,9 +184,23 @@ X509_STORE *X509_STORE_new(void)
 	ret->objs = sk_X509_OBJECT_new(x509_object_cmp);
 	ret->cache=1;
 	ret->get_cert_methods=sk_X509_LOOKUP_new_null();
-	ret->verify=NULL;
-	ret->verify_cb=NULL;
-	memset(&ret->ex_data,0,sizeof(CRYPTO_EX_DATA));
+	ret->verify=0;
+	ret->verify_cb=0;
+
+	ret->purpose = 0;
+	ret->trust = 0;
+
+	ret->flags = 0;
+
+	ret->get_issuer = 0;
+	ret->check_issued = 0;
+	ret->check_revocation = 0;
+	ret->get_crl = 0;
+	ret->check_crl = 0;
+	ret->cert_crl = 0;
+	ret->cleanup = 0;
+
+	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data);
 	ret->references=1;
 	ret->depth=0;
 	return ret;
@@ -230,7 +243,7 @@ void X509_STORE_free(X509_STORE *vfy)
 	sk_X509_LOOKUP_free(sk);
 	sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
 
-	CRYPTO_free_ex_data(x509_store_meth,vfy,&vfy->ex_data);
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
 	OPENSSL_free(vfy);
 	}
 
@@ -525,5 +538,20 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 	return 0;
 }
 
+void X509_STORE_set_flags(X509_STORE *ctx, long flags)
+	{
+	ctx->flags |= flags;
+	}
+
+int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
+	{
+	return X509_PURPOSE_set(&ctx->purpose, purpose);
+	}
+
+int X509_STORE_set_trust(X509_STORE *ctx, int trust)
+	{
+	return X509_TRUST_set(&ctx->trust, trust);
+	}
+
 IMPLEMENT_STACK_OF(X509_LOOKUP)
 IMPLEMENT_STACK_OF(X509_OBJECT)
diff --git a/lib/libcrypto/x509/x509_obj.c b/lib/libcrypto/x509/x509_obj.c
index f0271fdfa14..1e718f76eb2 100644
--- a/lib/libcrypto/x509/x509_obj.c
+++ b/lib/libcrypto/x509/x509_obj.c
@@ -94,6 +94,7 @@ int i;
 		OPENSSL_free(b);
 		}
 	    strncpy(buf,"NO X509_NAME",len);
+	    buf[len-1]='\0';
 	    return buf;
 	    }
 
diff --git a/lib/libcrypto/x509/x509_req.c b/lib/libcrypto/x509/x509_req.c
index 7eca1bd57a3..0affa3bf306 100644
--- a/lib/libcrypto/x509/x509_req.c
+++ b/lib/libcrypto/x509/x509_req.c
@@ -156,9 +156,9 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
 	for(i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
 		attr = sk_X509_ATTRIBUTE_value(sk, i);
 		if(X509_REQ_extension_nid(OBJ_obj2nid(attr->object))) {
-			if(attr->set && sk_ASN1_TYPE_num(attr->value.set))
+			if(attr->single) ext = attr->value.single;
+			else if(sk_ASN1_TYPE_num(attr->value.set))
 				ext = sk_ASN1_TYPE_value(attr->value.set, 0);
-			else ext = attr->value.single;
 			break;
 		}
 	}
@@ -199,7 +199,7 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
 	if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
 	if(!sk_ASN1_TYPE_push(attr->value.set, at)) goto err;
 	at = NULL;
-	attr->set = 1;
+	attr->single = 0;
 	attr->object = OBJ_nid2obj(nid);
 	if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
 	return 1;
@@ -251,8 +251,8 @@ int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
 }
 
 int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
-			ASN1_OBJECT *obj, int type,
-			unsigned char *bytes, int len)
+			const ASN1_OBJECT *obj, int type,
+			const unsigned char *bytes, int len)
 {
 	if(X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj,
 				type, bytes, len)) return 1;
@@ -261,7 +261,7 @@ int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
 
 int X509_REQ_add1_attr_by_NID(X509_REQ *req,
 			int nid, int type,
-			unsigned char *bytes, int len)
+			const unsigned char *bytes, int len)
 {
 	if(X509at_add1_attr_by_NID(&req->req_info->attributes, nid,
 				type, bytes, len)) return 1;
@@ -269,8 +269,8 @@ int X509_REQ_add1_attr_by_NID(X509_REQ *req,
 }
 
 int X509_REQ_add1_attr_by_txt(X509_REQ *req,
-			char *attrname, int type,
-			unsigned char *bytes, int len)
+			const char *attrname, int type,
+			const unsigned char *bytes, int len)
 {
 	if(X509at_add1_attr_by_txt(&req->req_info->attributes, attrname,
 				type, bytes, len)) return 1;
diff --git a/lib/libcrypto/x509/x509_trs.c b/lib/libcrypto/x509/x509_trs.c
index 86b3b79dcc0..17d69ac005b 100644
--- a/lib/libcrypto/x509/x509_trs.c
+++ b/lib/libcrypto/x509/x509_trs.c
@@ -66,6 +66,7 @@ static int tr_cmp(const X509_TRUST * const *a,
 static void trtable_free(X509_TRUST *p);
 
 static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
+static int trust_1oid(X509_TRUST *trust, X509 *x, int flags);
 static int trust_compat(X509_TRUST *trust, X509 *x, int flags);
 
 static int obj_trust(int id, X509 *x, int flags);
@@ -79,8 +80,10 @@ static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
 static X509_TRUST trstandard[] = {
 {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
 {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
-{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Client", NID_server_auth, NULL},
+{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
 {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
+{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
+{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}
 };
 
 #define X509_TRUST_COUNT	(sizeof(trstandard)/sizeof(X509_TRUST))
@@ -97,10 +100,10 @@ static int tr_cmp(const X509_TRUST * const *a,
 
 int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
 {
-int (*oldtrust)(int , X509 *, int);
-oldtrust = default_trust;
-default_trust = trust;
-return oldtrust;
+	int (*oldtrust)(int , X509 *, int);
+	oldtrust = default_trust;
+	default_trust = trust;
+	return oldtrust;
 }
 
 
@@ -141,6 +144,16 @@ int X509_TRUST_get_by_id(int id)
 	return idx + X509_TRUST_COUNT;
 }
 
+int X509_TRUST_set(int *t, int trust)
+{
+	if(X509_TRUST_get_by_id(trust) == -1) {
+		X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST);
+		return 0;
+	}
+	*t = trust;
+	return 1;
+}
+
 int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
 					char *name, int arg1, void *arg2)
 {
@@ -236,6 +249,12 @@ static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
 	return trust_compat(trust, x, flags);
 }
 
+static int trust_1oid(X509_TRUST *trust, X509 *x, int flags)
+{
+	if(x->aux) return obj_trust(trust->arg1, x, flags);
+	return X509_TRUST_UNTRUSTED;
+}
+
 static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
 {
 	X509_check_purpose(x, -1, 0);
diff --git a/lib/libcrypto/x509/x509_txt.c b/lib/libcrypto/x509/x509_txt.c
index cfb478d4bc5..4f83db8ba2f 100644
--- a/lib/libcrypto/x509/x509_txt.c
+++ b/lib/libcrypto/x509/x509_txt.c
@@ -83,7 +83,7 @@ const char *X509_verify_cert_error_string(long n)
 	case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
 		return("unable to decrypt certificate's signature");
 	case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
-		return("unable to decrypt CRL's's signature");
+		return("unable to decrypt CRL's signature");
 	case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
 		return("unable to decode issuer public key");
 	case X509_V_ERR_CERT_SIGNATURE_FAILURE:
@@ -95,7 +95,7 @@ const char *X509_verify_cert_error_string(long n)
 	case X509_V_ERR_CRL_NOT_YET_VALID:
 		return("CRL is not yet valid");
 	case X509_V_ERR_CERT_HAS_EXPIRED:
-		return("Certificate has expired");
+		return("certificate has expired");
 	case X509_V_ERR_CRL_HAS_EXPIRED:
 		return("CRL has expired");
 	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
@@ -141,6 +141,12 @@ const char *X509_verify_cert_error_string(long n)
 	case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
 		return("key usage does not include certificate signing");
 
+	case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
+		return("unable to get CRL issuer certificate");
+
+	case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
+		return("unhandled critical extension");
+
 	default:
 		sprintf(buf,"error number %ld",n);
 		return(buf);
diff --git a/lib/libcrypto/x509/x509_v3.c b/lib/libcrypto/x509/x509_v3.c
index 52887986fe3..b5f7daa2e58 100644
--- a/lib/libcrypto/x509/x509_v3.c
+++ b/lib/libcrypto/x509/x509_v3.c
@@ -115,8 +115,8 @@ int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
 	for ( ; lastpos < n; lastpos++)
 		{
 		ex=sk_X509_EXTENSION_value(sk,lastpos);
-		if (	(ex->critical && crit) ||
-			(!ex->critical && !crit))
+		if (	((ex->critical > 0) && crit) ||
+			(!(ex->critical <= 0) && !crit))
 			return(lastpos);
 		}
 	return(-1);
@@ -234,7 +234,7 @@ int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
 int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
 	{
 	if (ex == NULL) return(0);
-	ex->critical=(crit)?0xFF:0;
+	ex->critical=(crit)?0xFF:-1;
 	return(1);
 	}
 
@@ -263,5 +263,6 @@ ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
 int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
 	{
 	if (ex == NULL) return(0);
-	return(ex->critical);
+	if(ex->critical > 0) return 1;
+	return 0;
 	}
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 0f4110cc64b..db12f7bd35e 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -75,15 +75,11 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
 static int check_chain_purpose(X509_STORE_CTX *ctx);
 static int check_trust(X509_STORE_CTX *ctx);
+static int check_revocation(X509_STORE_CTX *ctx);
+static int check_cert(X509_STORE_CTX *ctx);
 static int internal_verify(X509_STORE_CTX *ctx);
 const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
 
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_method=NULL;
-static int x509_store_ctx_num=0;
-#if 0
-static int x509_store_num=1;
-static STACK *x509_store_method=NULL;
-#endif
 
 static int null_callback(int ok, X509_STORE_CTX *e)
 	{
@@ -113,7 +109,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 		}
 
 	cb=ctx->verify_cb;
-	if (cb == NULL) cb=null_callback;
 
 	/* first we make sure the chain we are going to build is
 	 * present and that the first entry is in place */
@@ -299,6 +294,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 	/* We may as well copy down any DSA parameters that are required */
 	X509_get_pubkey_parameters(NULL,ctx->chain);
 
+	/* Check revocation status: we do this after copying parameters
+	 * because they may be needed for CRL signature verification.
+	 */
+
+	ok = ctx->check_revocation(ctx);
+	if(!ok) goto end;
+
 	/* At this point, we have a chain and just need to verify it */
 	if (ctx->verify != NULL)
 		ok=ctx->verify(ctx);
@@ -346,8 +348,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
 	ctx->error = ret;
 	ctx->current_cert = x;
 	ctx->current_issuer = issuer;
-	if (ctx->verify_cb)
-		return ctx->verify_cb(0, ctx);
+	return ctx->verify_cb(0, ctx);
 	return 0;
 }
 
@@ -372,18 +373,26 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 
 static int check_chain_purpose(X509_STORE_CTX *ctx)
 {
-#ifdef NO_CHAIN_VERIFY
+#ifdef OPENSSL_NO_CHAIN_VERIFY
 	return 1;
 #else
 	int i, ok=0;
 	X509 *x;
 	int (*cb)();
 	cb=ctx->verify_cb;
-	if (cb == NULL) cb=null_callback;
 	/* Check all untrusted certificates */
 	for (i = 0; i < ctx->last_untrusted; i++)
 		{
 		x = sk_X509_value(ctx->chain, i);
+		if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
+			&& (x->ex_flags & EXFLAG_CRITICAL))
+			{
+			ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
+			ctx->error_depth = i;
+			ctx->current_cert = x;
+			ok=cb(0,ctx);
+			if (!ok) goto end;
+			}
 		if (!X509_check_purpose(x, ctx->purpose, i))
 			{
 			if (i)
@@ -414,21 +423,20 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
 
 static int check_trust(X509_STORE_CTX *ctx)
 {
-#ifdef NO_CHAIN_VERIFY
+#ifdef OPENSSL_NO_CHAIN_VERIFY
 	return 1;
 #else
 	int i, ok;
 	X509 *x;
 	int (*cb)();
 	cb=ctx->verify_cb;
-	if (cb == NULL) cb=null_callback;
 /* For now just check the last certificate in the chain */
 	i = sk_X509_num(ctx->chain) - 1;
 	x = sk_X509_value(ctx->chain, i);
 	ok = X509_check_trust(x, ctx->trust, 0);
 	if (ok == X509_TRUST_TRUSTED)
 		return 1;
-	ctx->error_depth = sk_X509_num(ctx->chain) - 1;
+	ctx->error_depth = i;
 	ctx->current_cert = x;
 	if (ok == X509_TRUST_REJECTED)
 		ctx->error = X509_V_ERR_CERT_REJECTED;
@@ -439,6 +447,183 @@ static int check_trust(X509_STORE_CTX *ctx)
 #endif
 }
 
+static int check_revocation(X509_STORE_CTX *ctx)
+	{
+	int i, last, ok;
+	if (!(ctx->flags & X509_V_FLAG_CRL_CHECK))
+		return 1;
+	if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL)
+		last = 0;
+	else
+		last = sk_X509_num(ctx->chain) - 1;
+	for(i = 0; i <= last; i++)
+		{
+		ctx->error_depth = i;
+		ok = check_cert(ctx);
+		if (!ok) return ok;
+		}
+	return 1;
+	}
+
+static int check_cert(X509_STORE_CTX *ctx)
+	{
+	X509_CRL *crl = NULL;
+	X509 *x;
+	int ok, cnum;
+	cnum = ctx->error_depth;
+	x = sk_X509_value(ctx->chain, cnum);
+	ctx->current_cert = x;
+	/* Try to retrieve relevant CRL */
+	ok = ctx->get_crl(ctx, &crl, x);
+	/* If error looking up CRL, nothing we can do except
+	 * notify callback
+	 */
+	if(!ok)
+		{
+		ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+		ok = ctx->verify_cb(0, ctx);
+		goto err;
+		}
+	ctx->current_crl = crl;
+	ok = ctx->check_crl(ctx, crl);
+	if (!ok) goto err;
+	ok = ctx->cert_crl(ctx, crl, x);
+	err:
+	ctx->current_crl = NULL;
+	X509_CRL_free(crl);
+	return ok;
+
+	}
+
+/* Retrieve CRL corresponding to certificate: currently just a
+ * subject lookup: maybe use AKID later...
+ * Also might look up any included CRLs too (e.g PKCS#7 signedData).
+ */
+static int get_crl(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x)
+	{
+	int ok;
+	X509_OBJECT xobj;
+	ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x), &xobj);
+	if (!ok) return 0;
+	*crl = xobj.data.crl;
+	return 1;
+	}
+
+/* Check CRL validity */
+static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
+	{
+	X509 *issuer = NULL;
+	EVP_PKEY *ikey = NULL;
+	int ok = 0, chnum, cnum, i;
+	time_t *ptime;
+	cnum = ctx->error_depth;
+	chnum = sk_X509_num(ctx->chain) - 1;
+	/* Find CRL issuer: if not last certificate then issuer
+	 * is next certificate in chain.
+	 */
+	if(cnum < chnum)
+		issuer = sk_X509_value(ctx->chain, cnum + 1);
+	else
+		{
+		issuer = sk_X509_value(ctx->chain, chnum);
+		/* If not self signed, can't check signature */
+		if(!ctx->check_issued(ctx, issuer, issuer))
+			{
+			ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
+			ok = ctx->verify_cb(0, ctx);
+			if(!ok) goto err;
+			}
+		}
+
+	if(issuer)
+		{
+
+		/* Attempt to get issuer certificate public key */
+		ikey = X509_get_pubkey(issuer);
+
+		if(!ikey)
+			{
+			ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+			ok = ctx->verify_cb(0, ctx);
+			if (!ok) goto err;
+			}
+		else
+			{
+			/* Verify CRL signature */
+			if(X509_CRL_verify(crl, ikey) <= 0)
+				{
+				ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
+				ok = ctx->verify_cb(0, ctx);
+				if (!ok) goto err;
+				}
+			}
+		}
+
+	/* OK, CRL signature valid check times */
+	if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME)
+		ptime = &ctx->check_time;
+	else
+		ptime = NULL;
+
+	i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
+	if (i == 0)
+		{
+		ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
+		ok = ctx->verify_cb(0, ctx);
+		if (!ok) goto err;
+		}
+
+	if (i > 0)
+		{
+		ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
+		ok = ctx->verify_cb(0, ctx);
+		if (!ok) goto err;
+		}
+
+	if(X509_CRL_get_nextUpdate(crl))
+		{
+		i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
+
+		if (i == 0)
+			{
+			ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
+			ok = ctx->verify_cb(0, ctx);
+			if (!ok) goto err;
+			}
+
+		if (i < 0)
+			{
+			ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
+			ok = ctx->verify_cb(0, ctx);
+			if (!ok) goto err;
+			}
+		}
+
+	ok = 1;
+
+	err:
+	EVP_PKEY_free(ikey);
+	return ok;
+	}
+
+/* Check certificate against CRL */
+static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
+	{
+	int idx, ok;
+	X509_REVOKED rtmp;
+	/* Look for serial number of certificate in CRL */
+	rtmp.serialNumber = X509_get_serialNumber(x);
+	idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
+	/* Not found: OK */
+	if(idx == -1) return 1;
+	/* Otherwise revoked: want something cleverer than
+	 * this to handle entry extensions in V2 CRLs.
+	 */
+	ctx->error = X509_V_ERR_CERT_REVOKED;
+	ok = ctx->verify_cb(0, ctx);
+	return ok;
+	}
+
 static int internal_verify(X509_STORE_CTX *ctx)
 	{
 	int i,ok=0,n;
@@ -448,7 +633,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
 	int (*cb)();
 
 	cb=ctx->verify_cb;
-	if (cb == NULL) cb=null_callback;
 
 	n=sk_X509_num(ctx->chain);
 	ctx->error_depth=n-1;
@@ -491,6 +675,13 @@ static int internal_verify(X509_STORE_CTX *ctx)
 				if (!ok) goto end;
 				}
 			if (X509_verify(xs,pkey) <= 0)
+				/* XXX  For the final trusted self-signed cert,
+				 * this is a waste of time.  That check should
+				 * optional so that e.g. 'openssl x509' can be
+				 * used to detect invalid self-signatures, but
+				 * we don't verify again and again in SSL
+				 * handshakes and the like once the cert has
+				 * been declared trusted. */
 				{
 				ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
 				ctx->current_cert=xs;
@@ -539,8 +730,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
 			if (!ok) goto end;
 			}
 
-		/* CRL CHECK */
-
 		/* The last error (if any) is still in the error value */
 		ctx->current_cert=xs;
 		ok=(*cb)(1,ctx);
@@ -648,14 +837,16 @@ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
 ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *in_tm)
 	{
 	time_t t;
+	int type = -1;
 
 	if (in_tm) t = *in_tm;
 	else time(&t);
 
 	t+=adj;
-	if (!s) return ASN1_TIME_set(s, t);
-	if (s->type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t);
-	return ASN1_GENERALIZEDTIME_set(s, t);
+	if (s) type = s->type;
+	if (type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t);
+	if (type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_set(s, t);
+	return ASN1_TIME_set(s, t);
 	}
 
 int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
@@ -702,12 +893,12 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
 
 int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
-        {
-        x509_store_ctx_num++;
-        return CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
-		&x509_store_ctx_method,
-                argl,argp,new_func,dup_func,free_func);
-        }
+	{
+	/* This function is (usually) called only once, by
+	 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
+	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
+			new_func, dup_func, free_func);
+	}
 
 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
 	{
@@ -831,8 +1022,8 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
 			}
 		}
 
-	if (purpose) ctx->purpose = purpose;
-	if (trust) ctx->trust = trust;
+	if (purpose && !ctx->purpose) ctx->purpose = purpose;
+	if (trust && !ctx->trust) ctx->trust = trust;
 	return 1;
 }
 
@@ -840,7 +1031,12 @@ X509_STORE_CTX *X509_STORE_CTX_new(void)
 {
 	X509_STORE_CTX *ctx;
 	ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
-	if (ctx) memset(ctx, 0, sizeof(X509_STORE_CTX));
+	if (!ctx)
+		{
+		X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
+		return NULL;
+		}
+	memset(ctx, 0, sizeof(X509_STORE_CTX));
 	return ctx;
 }
 
@@ -850,7 +1046,7 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
 	OPENSSL_free(ctx);
 }
 
-void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
+int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	     STACK_OF(X509) *chain)
 	{
 	ctx->ctx=store;
@@ -858,10 +1054,7 @@ void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	ctx->cert=x509;
 	ctx->untrusted=chain;
 	ctx->last_untrusted=0;
-	ctx->purpose=0;
-	ctx->trust=0;
 	ctx->check_time=0;
-	ctx->flags=0;
 	ctx->other_ctx=NULL;
 	ctx->valid=0;
 	ctx->chain=NULL;
@@ -870,12 +1063,80 @@ void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	ctx->error_depth=0;
 	ctx->current_cert=NULL;
 	ctx->current_issuer=NULL;
-	ctx->check_issued = check_issued;
-	ctx->get_issuer = X509_STORE_CTX_get1_issuer;
-	ctx->verify_cb = store->verify_cb;
-	ctx->verify = store->verify;
-	ctx->cleanup = 0;
-	memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
+
+	/* Inherit callbacks and flags from X509_STORE if not set
+	 * use defaults.
+	 */
+
+
+	if (store)
+		{
+		ctx->purpose=store->purpose;
+		ctx->trust=store->trust;
+		ctx->flags = store->flags;
+		ctx->cleanup = store->cleanup;
+		}
+	else
+		{
+		ctx->purpose = 0;
+		ctx->trust = 0;
+		ctx->flags = 0;
+		ctx->cleanup = 0;
+		}
+
+	if (store && store->check_issued)
+		ctx->check_issued = store->check_issued;
+	else
+		ctx->check_issued = check_issued;
+
+	if (store && store->get_issuer)
+		ctx->get_issuer = store->get_issuer;
+	else
+		ctx->get_issuer = X509_STORE_CTX_get1_issuer;
+
+	if (store && store->verify_cb)
+		ctx->verify_cb = store->verify_cb;
+	else
+		ctx->verify_cb = null_callback;
+
+	if (store && store->verify)
+		ctx->verify = store->verify;
+	else
+		ctx->verify = internal_verify;
+
+	if (store && store->check_revocation)
+		ctx->check_revocation = store->check_revocation;
+	else
+		ctx->check_revocation = check_revocation;
+
+	if (store && store->get_crl)
+		ctx->get_crl = store->get_crl;
+	else
+		ctx->get_crl = get_crl;
+
+	if (store && store->check_crl)
+		ctx->check_crl = store->check_crl;
+	else
+		ctx->check_crl = check_crl;
+
+	if (store && store->cert_crl)
+		ctx->cert_crl = store->cert_crl;
+	else
+		ctx->cert_crl = cert_crl;
+
+
+	/* This memset() can't make any sense anyway, so it's removed. As
+	 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
+	 * corresponding "new" here and remove this bogus initialisation. */
+	/* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
+	if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
+				&(ctx->ex_data)))
+		{
+		OPENSSL_free(ctx);
+		X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	return 1;
 	}
 
 /* Set alternative lookup method: just a STACK of trusted certificates.
@@ -896,7 +1157,7 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
 		sk_X509_pop_free(ctx->chain,X509_free);
 		ctx->chain=NULL;
 		}
-	CRYPTO_free_ex_data(x509_store_ctx_method,ctx,&(ctx->ex_data));
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
 	memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
 	}
 
@@ -911,6 +1172,12 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t)
 	ctx->flags |= X509_V_FLAG_USE_CHECK_TIME;
 	}
 
+void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
+				  int (*verify_cb)(int, X509_STORE_CTX *))
+	{
+	ctx->verify_cb=verify_cb;
+	}
+
 IMPLEMENT_STACK_OF(X509)
 IMPLEMENT_ASN1_SET_OF(X509)
 
diff --git a/lib/libcrypto/x509/x509_vfy.h b/lib/libcrypto/x509/x509_vfy.h
index e289d5309a4..f0be21f4525 100644
--- a/lib/libcrypto/x509/x509_vfy.h
+++ b/lib/libcrypto/x509/x509_vfy.h
@@ -65,11 +65,12 @@
 #ifndef HEADER_X509_VFY_H
 #define HEADER_X509_VFY_H
 
-#ifndef NO_LHASH
+#ifndef OPENSSL_NO_LHASH
 #include <openssl/lhash.h>
 #endif
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
+#include <openssl/symhacks.h>
 
 #ifdef  __cplusplus
 extern "C" {
@@ -154,12 +155,10 @@ typedef struct x509_lookup_method_st
 			    X509_OBJECT *ret);
 	} X509_LOOKUP_METHOD;
 
-typedef struct x509_store_ctx_st X509_STORE_CTX;
-
 /* This is used to hold everything.  It is used for all certificate
  * validation.  Once we have a certificate chain, the 'verify'
  * function is then called to actually check the cert chain. */
-typedef struct x509_store_st
+struct x509_store_st
 	{
 	/* The following is a cache of trusted certs */
 	int cache; 	/* if true, stash any hits */
@@ -167,13 +166,29 @@ typedef struct x509_store_st
 
 	/* These are external lookup methods */
 	STACK_OF(X509_LOOKUP) *get_cert_methods;
+
+	/* The following fields are not used by X509_STORE but are
+         * inherited by X509_STORE_CTX when it is initialised.
+	 */
+
+	unsigned long flags;	/* Various verify flags */
+	int purpose;
+	int trust;
+	/* Callbacks for various operations */
 	int (*verify)(X509_STORE_CTX *ctx);	/* called to verify a certificate */
 	int (*verify_cb)(int ok,X509_STORE_CTX *ctx);	/* error callback */
+	int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);	/* get issuers cert from ctx */
+	int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
+	int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
+	int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
+	int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
+	int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
+	int (*cleanup)(X509_STORE_CTX *ctx);
 
 	CRYPTO_EX_DATA ex_data;
 	int references;
 	int depth;		/* how deep to look (still unused -- X509_STORE_CTX's depth is used) */
-	}  X509_STORE;
+	} /* X509_STORE */;
 
 #define X509_STORE_set_depth(ctx,d)       ((ctx)->depth=(d))
 
@@ -189,7 +204,7 @@ struct x509_lookup_st
 	char *method_data;		/* method data */
 
 	X509_STORE *store_ctx;	/* who owns us */
-	};
+	} /* X509_LOOKUP */;
 
 /* This is a used when verifying cert chains.  Since the
  * gathering of the cert chain can take some time (and have to be
@@ -213,6 +228,10 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 	int (*verify_cb)(int ok,X509_STORE_CTX *ctx);		/* error callback */
 	int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);	/* get issuers cert from ctx */
 	int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
+	int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
+	int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
+	int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
+	int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
 	int (*cleanup)(X509_STORE_CTX *ctx);
 
 	/* The following is built up */
@@ -226,9 +245,10 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 	int error;
 	X509 *current_cert;
 	X509 *current_issuer;	/* cert currently being tested as valid issuer */
+	X509_CRL *current_crl;	/* current CRL */
 
 	CRYPTO_EX_DATA ex_data;
-	};
+	} /* X509_STORE_CTX */;
 
 #define X509_STORE_CTX_set_depth(ctx,d)       ((ctx)->depth=(d))
 
@@ -282,6 +302,9 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define		X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH		31
 #define		X509_V_ERR_KEYUSAGE_NO_CERTSIGN			32
 
+#define		X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER		33
+#define		X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION		34
+
 /* The application is not happy */
 #define		X509_V_ERR_APPLICATION_VERIFICATION		50
 
@@ -289,21 +312,9 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 
 #define	X509_V_FLAG_CB_ISSUER_CHECK		0x1	/* Send issuer+subject checks to verify_cb */
 #define	X509_V_FLAG_USE_CHECK_TIME		0x2	/* Use check time instead of current time */
-
-		  /* These functions are being redefined in another directory,
-		     and clash when the linker is case-insensitive, so let's
-		     hide them a little, by giving them an extra 'o' at the
-		     beginning of the name... */
-#ifdef VMS
-#undef X509v3_cleanup_extensions
-#define X509v3_cleanup_extensions oX509v3_cleanup_extensions
-#undef X509v3_add_extension
-#define X509v3_add_extension oX509v3_add_extension
-#undef X509v3_add_netscape_extensions
-#define X509v3_add_netscape_extensions oX509v3_add_netscape_extensions
-#undef X509v3_add_standard_extensions
-#define X509v3_add_standard_extensions oX509v3_add_standard_extensions
-#endif
+#define	X509_V_FLAG_CRL_CHECK			0x4	/* Lookup CRLs */
+#define	X509_V_FLAG_CRL_CHECK_ALL		0x8	/* Lookup CRLs for whole chain */
+#define	X509_V_FLAG_IGNORE_CRITICAL		0x10	/* Ignore unhandled critical extensions */
 
 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
 	     X509_NAME *name);
@@ -314,12 +325,16 @@ void X509_OBJECT_free_contents(X509_OBJECT *a);
 X509_STORE *X509_STORE_new(void );
 void X509_STORE_free(X509_STORE *v);
 
+void X509_STORE_set_flags(X509_STORE *ctx, long flags);
+int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
+int X509_STORE_set_trust(X509_STORE *ctx, int trust);
+
 X509_STORE_CTX *X509_STORE_CTX_new(void);
 
 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
 
 void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
-void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
+int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
 			 X509 *x509, STACK_OF(X509) *chain);
 void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
@@ -338,7 +353,7 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs,int type,X509_NAME *name,
 int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
 	long argl, char **ret);
 
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
 int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type);
 int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);
 int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
@@ -358,7 +373,7 @@ int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str,
 	int len, X509_OBJECT *ret);
 int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
 
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
 int	X509_STORE_load_locations (X509_STORE *ctx,
 		const char *file, const char *dir);
 int	X509_STORE_set_default_paths(X509_STORE *ctx);
@@ -382,6 +397,8 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
 				int purpose, int trust);
 void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags);
 void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t);
+void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
+				  int (*verify_cb)(int, X509_STORE_CTX *));
 
 #ifdef  __cplusplus
 }
diff --git a/lib/libcrypto/x509/x509spki.c b/lib/libcrypto/x509/x509spki.c
index fd0a534d88e..4c3af946ec7 100644
--- a/lib/libcrypto/x509/x509spki.c
+++ b/lib/libcrypto/x509/x509spki.c
@@ -59,7 +59,6 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/x509.h>
-#include <openssl/asn1_mac.h>
 
 int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
 {
diff --git a/lib/libcrypto/x509/x_all.c b/lib/libcrypto/x509/x_all.c
index 9bd6e2a39bd..fb5015cd4de 100644
--- a/lib/libcrypto/x509/x_all.c
+++ b/lib/libcrypto/x509/x_all.c
@@ -67,224 +67,159 @@
 
 int X509_verify(X509 *a, EVP_PKEY *r)
 	{
-	return(ASN1_verify((int (*)())i2d_X509_CINF,a->sig_alg,
-		a->signature,(char *)a->cert_info,r));
+	return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),a->sig_alg,
+		a->signature,a->cert_info,r));
 	}
 
 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
 	{
-	return( ASN1_verify((int (*)())i2d_X509_REQ_INFO,
-		a->sig_alg,a->signature,(char *)a->req_info,r));
+	return( ASN1_item_verify(ASN1_ITEM_rptr(X509_REQ_INFO),
+		a->sig_alg,a->signature,a->req_info,r));
 	}
 
 int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r)
 	{
-	return(ASN1_verify((int (*)())i2d_X509_CRL_INFO,
-		a->sig_alg, a->signature,(char *)a->crl,r));
+	return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
+		a->sig_alg, a->signature,a->crl,r));
 	}
 
 int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
 	{
-	return(ASN1_verify((int (*)())i2d_NETSCAPE_SPKAC,
-		a->sig_algor,a->signature, (char *)a->spkac,r));
+	return(ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
+		a->sig_algor,a->signature,a->spkac,r));
 	}
 
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 	{
-	return(ASN1_sign((int (*)())i2d_X509_CINF, x->cert_info->signature,
-		x->sig_alg, x->signature, (char *)x->cert_info,pkey,md));
+	return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,
+		x->sig_alg, x->signature, x->cert_info,pkey,md));
 	}
 
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
 	{
-	return(ASN1_sign((int (*)())i2d_X509_REQ_INFO,x->sig_alg, NULL,
-		x->signature, (char *)x->req_info,pkey,md));
+	return(ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO),x->sig_alg, NULL,
+		x->signature, x->req_info,pkey,md));
 	}
 
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 	{
-	return(ASN1_sign((int (*)())i2d_X509_CRL_INFO,x->crl->sig_alg,
-		x->sig_alg, x->signature, (char *)x->crl,pkey,md));
+	return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg,
+		x->sig_alg, x->signature, x->crl,pkey,md));
 	}
 
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
 	{
-	return(ASN1_sign((int (*)())i2d_NETSCAPE_SPKAC, x->sig_algor,NULL,
-		x->signature, (char *)x->spkac,pkey,md));
+	return(ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor,NULL,
+		x->signature, x->spkac,pkey,md));
 	}
 
-X509_ATTRIBUTE *X509_ATTRIBUTE_dup(X509_ATTRIBUTE *xa)
-	{
-	return((X509_ATTRIBUTE *)ASN1_dup((int (*)())i2d_X509_ATTRIBUTE,
-		(char *(*)())d2i_X509_ATTRIBUTE,(char *)xa));
-	}
-
-X509 *X509_dup(X509 *x509)
-	{
-	return((X509 *)ASN1_dup((int (*)())i2d_X509,
-		(char *(*)())d2i_X509,(char *)x509));
-	}
-
-X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex)
-	{
-	return((X509_EXTENSION *)ASN1_dup(
-		(int (*)())i2d_X509_EXTENSION,
-		(char *(*)())d2i_X509_EXTENSION,(char *)ex));
-	}
-
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 X509 *d2i_X509_fp(FILE *fp, X509 **x509)
 	{
-	return((X509 *)ASN1_d2i_fp((char *(*)())X509_new,
-		(char *(*)())d2i_X509, (fp),(unsigned char **)(x509)));
+	return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509), fp, x509);
 	}
 
 int i2d_X509_fp(FILE *fp, X509 *x509)
 	{
-	return(ASN1_i2d_fp(i2d_X509,fp,(unsigned char *)x509));
+	return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509), fp, x509);
 	}
 #endif
 
 X509 *d2i_X509_bio(BIO *bp, X509 **x509)
 	{
-	return((X509 *)ASN1_d2i_bio((char *(*)())X509_new,
-		(char *(*)())d2i_X509, (bp),(unsigned char **)(x509)));
+	return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509), bp, x509);
 	}
 
 int i2d_X509_bio(BIO *bp, X509 *x509)
 	{
-	return(ASN1_i2d_bio(i2d_X509,bp,(unsigned char *)x509));
-	}
-
-X509_CRL *X509_CRL_dup(X509_CRL *crl)
-	{
-	return((X509_CRL *)ASN1_dup((int (*)())i2d_X509_CRL,
-		(char *(*)())d2i_X509_CRL,(char *)crl));
+	return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509), bp, x509);
 	}
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl)
 	{
-	return((X509_CRL *)ASN1_d2i_fp((char *(*)())
-		X509_CRL_new,(char *(*)())d2i_X509_CRL, (fp),
-		(unsigned char **)(crl)));
+	return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
 	}
 
 int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl)
 	{
-	return(ASN1_i2d_fp(i2d_X509_CRL,fp,(unsigned char *)crl));
+	return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
 	}
 #endif
 
 X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl)
 	{
-	return((X509_CRL *)ASN1_d2i_bio((char *(*)())
-		X509_CRL_new,(char *(*)())d2i_X509_CRL, (bp),
-		(unsigned char **)(crl)));
+	return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
 	}
 
 int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl)
 	{
-	return(ASN1_i2d_bio(i2d_X509_CRL,bp,(unsigned char *)crl));
-	}
-
-PKCS7 *PKCS7_dup(PKCS7 *p7)
-	{
-	return((PKCS7 *)ASN1_dup((int (*)())i2d_PKCS7,
-		(char *(*)())d2i_PKCS7,(char *)p7));
+	return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
 	}
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7)
 	{
-	return((PKCS7 *)ASN1_d2i_fp((char *(*)())
-		PKCS7_new,(char *(*)())d2i_PKCS7, (fp),
-		(unsigned char **)(p7)));
+	return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
 	}
 
 int i2d_PKCS7_fp(FILE *fp, PKCS7 *p7)
 	{
-	return(ASN1_i2d_fp(i2d_PKCS7,fp,(unsigned char *)p7));
+	return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
 	}
 #endif
 
 PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7)
 	{
-	return((PKCS7 *)ASN1_d2i_bio((char *(*)())
-		PKCS7_new,(char *(*)())d2i_PKCS7, (bp),
-		(unsigned char **)(p7)));
+	return ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
 	}
 
 int i2d_PKCS7_bio(BIO *bp, PKCS7 *p7)
 	{
-	return(ASN1_i2d_bio(i2d_PKCS7,bp,(unsigned char *)p7));
+	return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
 	}
 
-X509_REQ *X509_REQ_dup(X509_REQ *req)
-	{
-	return((X509_REQ *)ASN1_dup((int (*)())i2d_X509_REQ,
-		(char *(*)())d2i_X509_REQ,(char *)req));
-	}
-
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req)
 	{
-	return((X509_REQ *)ASN1_d2i_fp((char *(*)())
-		X509_REQ_new, (char *(*)())d2i_X509_REQ, (fp),
-		(unsigned char **)(req)));
+	return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
 	}
 
 int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req)
 	{
-	return(ASN1_i2d_fp(i2d_X509_REQ,fp,(unsigned char *)req));
+	return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
 	}
 #endif
 
 X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req)
 	{
-	return((X509_REQ *)ASN1_d2i_bio((char *(*)())
-		X509_REQ_new, (char *(*)())d2i_X509_REQ, (bp),
-		(unsigned char **)(req)));
+	return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
 	}
 
 int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req)
 	{
-	return(ASN1_i2d_bio(i2d_X509_REQ,bp,(unsigned char *)req));
-	}
-
-#ifndef NO_RSA
-RSA *RSAPublicKey_dup(RSA *rsa)
-	{
-	return((RSA *)ASN1_dup((int (*)())i2d_RSAPublicKey,
-		(char *(*)())d2i_RSAPublicKey,(char *)rsa));
+	return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
 	}
 
-RSA *RSAPrivateKey_dup(RSA *rsa)
-	{
-	return((RSA *)ASN1_dup((int (*)())i2d_RSAPrivateKey,
-		(char *(*)())d2i_RSAPrivateKey,(char *)rsa));
-	}
+#ifndef OPENSSL_NO_RSA
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa)
 	{
-	return((RSA *)ASN1_d2i_fp((char *(*)())
-		RSA_new,(char *(*)())d2i_RSAPrivateKey, (fp),
-		(unsigned char **)(rsa)));
+	return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
 	}
 
 int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa)
 	{
-	return(ASN1_i2d_fp(i2d_RSAPrivateKey,fp,(unsigned char *)rsa));
+	return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
 	}
 
 RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa)
 	{
-	return((RSA *)ASN1_d2i_fp((char *(*)())
-		RSA_new,(char *(*)())d2i_RSAPublicKey, (fp),
-		(unsigned char **)(rsa)));
+	return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
 	}
 
+
 RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa)
 	{
 	return((RSA *)ASN1_d2i_fp((char *(*)())
@@ -294,7 +229,7 @@ RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa)
 
 int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa)
 	{
-	return(ASN1_i2d_fp(i2d_RSAPublicKey,fp,(unsigned char *)rsa));
+	return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
 	}
 
 int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa)
@@ -305,23 +240,20 @@ int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa)
 
 RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa)
 	{
-	return((RSA *)ASN1_d2i_bio((char *(*)())
-		RSA_new,(char *(*)())d2i_RSAPrivateKey, (bp),
-		(unsigned char **)(rsa)));
+	return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
 	}
 
 int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa)
 	{
-	return(ASN1_i2d_bio(i2d_RSAPrivateKey,bp,(unsigned char *)rsa));
+	return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
 	}
 
 RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa)
 	{
-	return((RSA *)ASN1_d2i_bio((char *(*)())
-		RSA_new,(char *(*)())d2i_RSAPublicKey, (bp),
-		(unsigned char **)(rsa)));
+	return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
 	}
 
+
 RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa)
 	{
 	return((RSA *)ASN1_d2i_bio((char *(*)())
@@ -331,7 +263,7 @@ RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa)
 
 int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa)
 	{
-	return(ASN1_i2d_bio(i2d_RSAPublicKey,bp,(unsigned char *)rsa));
+	return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
 	}
 
 int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
@@ -340,8 +272,8 @@ int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
 	}
 #endif
 
-#ifndef NO_DSA
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_FP_API
 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa)
 	{
 	return((DSA *)ASN1_d2i_fp((char *(*)())
@@ -393,57 +325,48 @@ int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa)
 
 #endif
 
-X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn)
-	{
-	return((X509_ALGOR *)ASN1_dup((int (*)())i2d_X509_ALGOR,
-	(char *(*)())d2i_X509_ALGOR,(char *)xn));
-	}
-
-X509_NAME *X509_NAME_dup(X509_NAME *xn)
-	{
-	return((X509_NAME *)ASN1_dup((int (*)())i2d_X509_NAME,
-		(char *(*)())d2i_X509_NAME,(char *)xn));
-	}
-
-X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne)
+int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
+	     unsigned int *len)
 	{
-	return((X509_NAME_ENTRY *)ASN1_dup((int (*)())i2d_X509_NAME_ENTRY,
-		(char *(*)())d2i_X509_NAME_ENTRY,(char *)ne));
+	ASN1_BIT_STRING *key;
+	key = X509_get0_pubkey_bitstr(data);
+	if(!key) return 0;
+	return EVP_Digest(key->data, key->length, md, len, type, NULL);
 	}
 
 int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
 	     unsigned int *len)
 	{
-	return(ASN1_digest((int (*)())i2d_X509,type,(char *)data,md,len));
+	return(ASN1_item_digest(ASN1_ITEM_rptr(X509),type,(char *)data,md,len));
 	}
 
 int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md,
 	     unsigned int *len)
 	{
-	return(ASN1_digest((int (*)())i2d_X509_CRL,type,(char *)data,md,len));
+	return(ASN1_item_digest(ASN1_ITEM_rptr(X509_CRL),type,(char *)data,md,len));
 	}
 
 int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, unsigned char *md,
 	     unsigned int *len)
 	{
-	return(ASN1_digest((int (*)())i2d_X509_REQ,type,(char *)data,md,len));
+	return(ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ),type,(char *)data,md,len));
 	}
 
 int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md,
 	     unsigned int *len)
 	{
-	return(ASN1_digest((int (*)())i2d_X509_NAME,type,(char *)data,md,len));
+	return(ASN1_item_digest(ASN1_ITEM_rptr(X509_NAME),type,(char *)data,md,len));
 	}
 
 int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type,
 	     unsigned char *md, unsigned int *len)
 	{
-	return(ASN1_digest((int (*)())i2d_PKCS7_ISSUER_AND_SERIAL,type,
+	return(ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL),type,
 		(char *)data,md,len));
 	}
 
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8)
 	{
 	return((X509_SIG *)ASN1_d2i_fp((char *(*)())X509_SIG_new,
@@ -467,7 +390,7 @@ int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8)
 	return(ASN1_i2d_bio(i2d_X509_SIG,bp,(unsigned char *)p8));
 	}
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
 						 PKCS8_PRIV_KEY_INFO **p8inf)
 	{