Time for release.

The tag will be OpenSSL-engine-0_9_6g.
Recent changes.
2002-08-09 11:49:15 +00:00 · 2002-08-09 09:23:29 +00:00 · 2002-08-09 08:16:11 +00:00 · 2002-08-08 22:46:22 +00:00 · 2002-08-08 21:44:13 +00:00 · 2002-08-08 20:11:31 +00:00
218 changed files with 14126 additions and 1736 deletions
--- a/77
+++ b/77
@@ -2,7 +2,82 @@
 OpenSSL CHANGES
 _______________

- Changes between 0.9.6c and 0.9.6d  [XX xxx XXXX]
+ Changes between 0.9.6f and 0.9.6g  [9 Aug 2002]
+
+  *) [In 0.9.6g-engine release:]
+     Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall').
+     [Lynn Gazis <lgazis@rainbow.com>]
+
+ Changes between 0.9.6e and 0.9.6f  [8 Aug 2002]
+
+  *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
+     and get fix the header length calculation.
+     [Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
+	Alon Kantor <alonk@checkpoint.com> (and others),
+	Steve Henson]
+
+  *) Use proper error handling instead of 'assertions' in buffer
+     overflow checks added in 0.9.6e.  This prevents DoS (the
+     assertions could call abort()).
+     [Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller]
+
+ Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
+
+  *) Fix cipher selection routines: ciphers without encryption had no flags
+     for the cipher strength set and where therefore not handled correctly
+     by the selection routines (PR #130).
+     [Lutz Jaenicke]
+
+  *) Fix EVP_dsa_sha macro.
+     [Nils Larsch]
+
+  *) New option
+          SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+     for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
+     that was added in OpenSSL 0.9.6d.
+
+     As the countermeasure turned out to be incompatible with some
+     broken SSL implementations, the new option is part of SSL_OP_ALL.
+     SSL_OP_ALL is usually employed when compatibility with weird SSL
+     implementations is desired (e.g. '-bugs' option to 's_client' and
+     's_server'), so the new option is automatically set in many
+     applications.
+     [Bodo Moeller]
+
+  *) Changes in security patch:
+
+     Changes marked "(CHATS)" were sponsored by the Defense Advanced
+     Research Projects Agency (DARPA) and Air Force Research Laboratory,
+     Air Force Materiel Command, USAF, under agreement number
+     F30602-01-2-0537.
+
+  *) Add various sanity checks to asn1_get_length() to reject
+     the ASN1 length bytes if they exceed sizeof(long), will appear
+     negative or the content length exceeds the length of the
+     supplied buffer.
+     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
+
+  *) Assertions for various potential buffer overflows, not known to
+     happen in practice.
+     [Ben Laurie (CHATS)]
+
+  *) Various temporary buffers to hold ASCII versions of integers were
+     too small for 64 bit platforms. (CAN-2002-0655)
+     [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
+
+  *) Remote buffer overflow in SSL3 protocol - an attacker could
+     supply an oversized session ID to a client. (CAN-2002-0656)
+     [Ben Laurie (CHATS)]
+
+  *) Remote buffer overflow in SSL2 protocol - an attacker could
+     supply an oversized client master key. (CAN-2002-0656)
+     [Ben Laurie (CHATS)]
+
+ Changes between 0.9.6c and 0.9.6d  [9 May 2002]
+
+  *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
+     encoded as NULL) with id-dsa-with-sha1.
+     [Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller]

  *) Check various X509_...() return values in apps/req.c.
     [Nils Larsch <nla@trustcenter.de>]
--- a/57
+++ b/57
@@ -10,7 +10,7 @@ use strict;

 # see INSTALL for instructions.

-my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [rsaref] [no-threads] [no-asm] [no-dso] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [rsaref] [no-threads] [no-asm] [no-dso] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--test-sanity] os/compiler[:flags]\n";

 # Options:
 #
@@ -23,6 +23,12 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
 #               default).  This needn't be set in advance, you can
 #               just as well use "make INSTALL_PREFIX=/whatever install".
 #
+# no-hw-xxx     do not compile support for specific crypto hardware.
+#               Generic OpenSSL-style methods relating to this support
+#               are always compiled but return NULL if the hardware
+#               support isn't compiled.
+# no-hw         do not compile support for any crypto hardware.
+#
 # --test-sanity Make a number of sanity checks on the data in this file.
 #               This is a debugging tool for OpenSSL developers.
 #
@@ -31,6 +37,10 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
 #               multithreaded applications (default is "threads" if we
 #               know how to do it)
 # [no-]shared	[don't] try to create shared libraries when supported.
+#               IT IS NOT RECOMMENDED TO USE "shared"!  Since this is a
+#               development branch, the positions of the ENGINE symbols
+#               in the transfer vector are constantly moving, so binary
+#               backward compatibility can't be guaranteed in any way.
 # no-asm        do not use assembler
 # no-dso        do not compile in any native shared-library methods. This
 #               will ensure that all methods just return NULL.
@@ -144,6 +154,7 @@ my %table=(
 "solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8
 # but keep the assembler modules.
 "solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -169,10 +180,10 @@ my %table=(
 "linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
 # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
 # assisted with debugging of following two configs.
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::::",
+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # it's a real mess with -mcpu=ultrasparc option under Linux, but
 # -Wa,-Av8plus should do the trick no matter what.
-"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # !!!Folowing can't be even tested yet!!!
 #    We have to wait till 64-bit glibc for SPARC is operational!!!
 #"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:",
@@ -228,6 +239,7 @@ my %table=(
 "hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 # More attempts at unified 10.X and 11.X targets for HP C compiler.
 #
@@ -335,15 +347,15 @@ my %table=(
 # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the
 # bn86-elf.o file file since it is hand tweaked assembler.
 "linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 "linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
 "linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
 "linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
-"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
-"linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::SIXTY_FOUR_BIT_LONG:::::::::::linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR),\$(SHLIB_MINOR)",
+"linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -435,7 +447,7 @@ my %table=(
 "sco5-cc-pentium",  "cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options?
 "sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
 "sco5-cc-shared","cc:-belf:::-lsocket -lresolv -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr3-shared:-Kpic",
-"sco5-gcc-shared","gcc:-O3 -DFILIO_H -fomit-frame-pointer:::-lsocket -lresolv -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC",
+"sco5-gcc-shared","gcc:-O3 -fomit-frame-pointer:::-lsocket -lresolv -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:svr3-shared:-fPIC", # the SCO assembler doesn't seem to like our assembler files ...

 # Sinix/ReliantUNIX RM400
 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g  */
@@ -470,6 +482,9 @@ my %table=(
 # and its library files in util/pl/*)
 "Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",

+# UWIN 
+"UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
+
 # Cygwin
 "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
 "Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32:cygwin-shared:::.dll",
@@ -488,7 +503,7 @@ my %table=(

 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
-"darwin-ppc-cc","cc:-O3 -D_DARWIN -DB_ENDIAN::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-ppc-cc","cc:-O3 -D_DARWIN -DB_ENDIAN -fno-common::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",

 ##### Sony NEWS-OS 4.x
 "newsos4-gcc","gcc:-O -DB_ENDIAN -DNEWS4::(unknown):-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
@@ -606,6 +621,18 @@ PROCESS_ARGS:
 			$flags .= "-DNO_ASM ";
 			$openssl_other_defines .= "#define NO_ASM\n";
 			}
+		elsif (/^no-hw-(.+)$/)
+			{
+			my $hw=$1;
+			$hw =~ tr/[a-z]/[A-Z]/;
+			$flags .= "-DNO_HW_$hw ";
+			$openssl_other_defines .= "#define NO_HW_$hw\n";
+			}
+		elsif (/^no-hw$/)
+			{
+			$flags .= "-DNO_HW ";
+			$openssl_other_defines .= "#define NO_HW\n";
+			}
 		elsif (/^no-dso$/)
 			{ $no_dso=1; }
 		elsif (/^no-threads$/)
@@ -899,6 +926,10 @@ if ($rmd160_obj =~ /\.o$/)
 	$cflags.=" -DRMD160_ASM";
 	}

+# "Stringify" the C flags string.  This permits it to be made part of a string
+# and works as well on command lines.
+$cflags =~ s/([\\\"])/\\\1/g;
+
 my $version = "unknown";
 my $major = "unknown";
 my $minor = "unknown";
@@ -981,13 +1012,21 @@ while (<IN>)
 	if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/)
 		{
 		my $sotmp = $1;
-		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/
+		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/;
+		}
+	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.dylib$/)
+		{
+		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.dylib/;
 		}
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
 		{
 		my $sotmp = $1;
 		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
 		}
+	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
+		{
+		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/;
+		}
 	s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/;
 	print OUT $_."\n";
 	}
--- a/57
+++ b/57
@@ -38,6 +38,8 @@ OpenSSL  -  Frequently Asked Questions
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 * Why does the OpenSSL compilation fail with "ar: command not found"?
 * Why does the OpenSSL compilation fail on Win32 with VC++?
+* What is special about OpenSSL on Redhat?
+* Why does the OpenSSL test suite fail on MacOS X?

 [PROG] Questions about programming with OpenSSL

@@ -59,7 +61,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?

 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.6c was released on December 21st, 2001.
+OpenSSL 0.9.6g was released on 9 August 2002.

 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -215,8 +217,11 @@ For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested
 installing the SUNski package from Sun patch 105710-01 (Sparc) which
 adds a /dev/random device and make sure it gets used, usually through
 $RANDFILE.  There are probably similar patches for the other Solaris
-versions.  However, be warned that /dev/random is usually a blocking
-device, which may have some effects on OpenSSL.
+versions.  An official statement from Sun with respect to /dev/random
+support can be found at
+  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski
+However, be warned that /dev/random is usually a blocking device, which
+may have some effects on OpenSSL.


 * Why do I get an "unable to write 'random state'" error message?
@@ -451,6 +456,52 @@ under 'Program Files').  This needs to be done prior to running NMAKE,
 and the changes are only valid for the current DOS session.


+* What is special about OpenSSL on Redhat?
+
+Red Hat Linux (release 7.0 and later) include a preinstalled limited
+version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2
+is disabled in this version. The same may apply to other Linux distributions.
+Users may therefore wish to install more or all of the features left out.
+
+To do this you MUST ensure that you do not overwrite the openssl that is in
+/usr/bin on your Red Hat machine. Several packages depend on this file,
+including sendmail and ssh. /usr/local/bin is a good alternative choice. The
+libraries that come with Red Hat 7.0 onwards have different names and so are
+not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
+/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
+/lib/libcrypto.so.2 respectively).
+
+Please note that we have been advised by Red Hat attempting to recompile the
+openssl rpm with all the cryptography enabled will not work. All other
+packages depend on the original Red Hat supplied openssl package. It is also
+worth noting that due to the way Red Hat supplies its packages, updates to
+openssl on each distribution never change the package version, only the
+build number. For example, on Red Hat 7.1, the latest openssl package has
+version number 0.9.6 and build number 9 even though it contains all the
+relevant updates in packages up to and including 0.9.6b.
+
+A possible way around this is to persuade Red Hat to produce a non-US
+version of Red Hat Linux.
+
+FYI: Patent numbers and expiry dates of US patents:
+MDC-2: 4,908,861 13/03/2007
+IDEA:  5,214,703 25/05/2010
+RC5:   5,724,428 03/03/2015
+
+
+* Why does the OpenSSL test suite fail on MacOS X?
+
+If the failure happens when running 'make test' and the RC4 test fails,
+it's very probable that you have OpenSSL 0.9.6b delivered with the
+operating system (you can find out by running '/usr/bin/openssl version')
+and that you were trying to build OpenSSL 0.9.6d.  The problem is that
+the loader ('ld') in MacOS X has a misfeature that's quite difficult to
+go around and has linked the programs "openssl" and the test programs
+with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
+libraries you just built.
+Look in the file PROBLEMS for a more detailed explanation and for possible
+solutions.
+
 [PROG] ========================================================================

 * Is OpenSSL thread-safe?
--- a/15
+++ b/15
@@ -57,7 +57,10 @@

  shared        In addition to the usual static libraries, create shared
                libraries on platforms where it's supported.  See "Note on
-                shared libraries" below.
+                shared libraries" below.  THIS IS NOT RECOMMENDED!  Since
+                this is a development branch, the positions of the ENGINE
+                symbols in the transfer vector are constantly moving, so
+                binary backward compatibility can't be guaranteed in any way.

  no-asm        Do not use assembler code.

@@ -128,8 +131,11 @@
     the failure that aren't problems in OpenSSL itself (like missing
     standard headers).  If it is a problem with OpenSSL itself, please
     report the problem to <openssl-bugs@openssl.org> (note that your
-     message will be forwarded to a public mailing list).  Include the
-     output of "make report" in your message.
+     message will be recorded in the request tracker publicly readable
+     via http://www.openssl.org/rt2.html and will be forwarded to a public
+     mailing list). Include the output of "make report" in your message.
+     Please check out the request tracker. Maybe the bug was already
+     reported or has already been fixed.

     [If you encounter assembler error messages, try the "no-asm"
     configuration option as an immediate fix.]
@@ -147,7 +153,8 @@
     try removing any compiler optimization flags from the CFLAGS line
     in Makefile.ssl and run "make clean; make". Please send a bug
     report to <openssl-bugs@openssl.org>, including the output of
-     "make report".
+     "make report" in order to be added to the request tracker at
+     http://www.openssl.org/rt2.html.

  4. If everything tests ok, install OpenSSL with

--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -94,6 +94,18 @@
 You can also build a static version of the library using the Makefile
 ms\nt.mak

+ Borland C++ builder 5
+ ---------------------
+
+ * Configure for building with Borland Builder:
+   > perl Configure BC-32
+
+ * Create the appropriate makefile
+   > ms\do_nasm
+
+ * Build
+   > make -f ms\bcb.mak
+
 Borland C++ builder 3 and 4
 ---------------------------

--- a/Makefile.org
+++ b/Makefile.org
@@ -162,7 +162,7 @@ SHLIBDIRS= crypto ssl
 SDIRS=  \
 	md2 md4 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn rsa dsa dh dso \
+	bn rsa dsa dh dso engine \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp

@@ -247,7 +247,8 @@ link-shared:
 		for i in $(SHLIBDIRS); do \
 			prev=lib$$i$(SHLIB_EXT); \
 			for j in $${tmp:-x}; do \
-				( set -x; ln -f -s $$prev lib$$i$$j ); \
+				( set -x; \
+				rm -f lib$$i$$j; ln -s $$prev lib$$i$$j ); \
 				prev=lib$$i$$j; \
 			done; \
 		done; \
@@ -420,6 +421,7 @@ do_hpux-shared:
 		-b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Fl lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
+	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} ; \
 	libs="$$libs -L. -l$$i"; \
 	done

@@ -430,6 +432,7 @@ do_hpux64-shared:
 		-b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+forceload lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
+	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} ; \
 	libs="$$libs -L. -l$$i"; \
 	done

@@ -545,7 +548,7 @@ test:   tests

 tests: rehash
 	@(cd test && echo "testing..." && \
-	$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' EXE_EXT='${EXE_EXT}' tests );
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' OPENSSL_DEBUG_MEMORY=on tests );
 	@apps/openssl version -a

 report:
@@ -556,7 +559,7 @@ depend:
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making dependencies $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \
+		$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' PERL='${PERL}' depend ) || exit 1; \
 	fi; \
 	done;

@@ -601,20 +604,26 @@ TABLE: Configure

 update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE

+# Build distribution tar-file. As the list of files returned by "find" is
+# pretty long, on several platforms a "too many arguments" error or similar
+# would occur. Therefore the list of files is temporarily stored into a file
+# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
+# tar does not support the --files-from option.
 tar:
-	@$(TAR) $(TARFLAGS) -cvf - \
-		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort` |\
+	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
+	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
 	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - |\
 	gzip --best >../$(TARFILE).gz; \
+	rm -f ../$(TARFILE).list; \
 	ls -l ../$(TARFILE).gz

 dist:   
 	$(PERL) Configure dist
 	@$(MAKE) dist_pem_h
 	@$(MAKE) SDIRS='${SDIRS}' clean
-	@$(MAKE) tar
+	@$(MAKE) TAR='${TAR}' TARFLAGS='${TARFLAGS}' tar

 dist_pem_h:
 	(cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean)
@@ -646,7 +655,7 @@ install: all install_docs
 			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
 			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
-		fi \
+		fi; \
 	done
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
@@ -656,7 +665,7 @@ install: all install_docs
 			(       echo installing $$i; \
 				if [ "$(PLATFORM)" != "Cygwin" ]; then \
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				else \
 					c=`echo $$i | sed 's/^lib/cyg/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
@@ -664,11 +673,12 @@ install: all install_docs
 					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
 					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
 				fi ); \
-			fi \
+			fi; \
 		done; \
 		(	here="`pwd`"; \
 			cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-			make -f $$here/Makefile link-shared ); \
+			set $(MAKE); \
+			$$1 -f $$here/Makefile link-shared ); \
 	fi

 install_docs:
@@ -677,22 +687,25 @@ install_docs:
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
-	@for i in doc/apps/*.pod; do \
+	@pod2man=`cd util; ./pod2mantest ignore`; \
+	for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
-		(cd `dirname $$i`; \
-		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
-			 --release=$(VERSION) `basename $$i`) \
+		(cd `$(PERL) util/dirname.pl $$i`; \
+		sh -c "$(PERL) $$pod2man \
+			--section=$$sec --center=OpenSSL \
+			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
-	done
-	@for i in doc/crypto/*.pod doc/ssl/*.pod; do \
+	done; \
+	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
-		(cd `dirname $$i`; \
-		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
-			--release=$(VERSION) `basename $$i`) \
+		(cd `$(PERL) util/dirname.pl $$i`; \
+		sh -c "$(PERL) $$pod2man \
+			--section=$$sec --center=OpenSSL \
+			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
 	done

--- a/21
+++ b/21
@@ -5,12 +5,25 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.

-  Changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:
+  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:
+
+      o Important building fixes on Unix.
+
+  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f:
+
+      o Various important bugfixes.
+
+  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e:
+
+      o Important security related bugfixes.
+      o Various SSL/TLS library bugfixes.
+
+  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:

      o Various SSL/TLS library bugfixes.
      o Fix DH parameter generation for 'non-standard' generators.

-  Changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:
+  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:

      o Various SSL/TLS library bugfixes.
      o BIGNUM library fixes.
@@ -23,7 +36,7 @@
        Broadcom and Cryptographic Appliance's keyserver
        [in 0.9.6c-engine release].

-  Changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:
+  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:

      o Security fix: PRNG improvements.
      o Security fix: RSA OAEP check.
@@ -56,7 +69,7 @@
      o Bug fixes for Win32, HP/UX and Irix.
      o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and
        memory checking routines.
-      o Bug fixes for RSA operations in threaded enviroments.
+      o Bug fixes for RSA operations in threaded environments.
      o Bug fixes in misc. openssl applications.
      o Remove a few potential memory leaks.
      o Add tighter checks of BIGNUM routines.
--- a/42
+++ b/42
@@ -0,0 +1,42 @@
+* System libcrypto.dylib and libssl.dylib are used by system ld on MacOS X.
+[NOTE: This is currently undergoing tests, and may be removed soon]
+
+This is really a misfeature in ld, which seems to look for .dylib libraries
+along the whole library path before it bothers looking for .a libraries.  This
+means that -L switches won't matter unless OpenSSL is built with shared
+library support.
+
+The workaround may be to change the following lines in apps/Makefile.ssl and
+test/Makefile.ssl:
+
+  LIBCRYPTO=-L.. -lcrypto
+  LIBSSL=-L.. -lssl
+
+to:
+
+  LIBCRYPTO=../libcrypto.a
+  LIBSSL=../libssl.a
+
+It's possible that something similar is needed for shared library support
+as well.  That hasn't been well tested yet.
+
+
+Another solution that many seem to recommend is to move the libraries
+/usr/lib/libcrypto.0.9.dylib, /usr/lib/libssl.0.9.dylib to a different
+directory, build and install OpenSSL and anything that depends on your
+build, then move libcrypto.0.9.dylib and libssl.0.9.dylib back to their
+original places.  Note that the version numbers on those two libraries
+may differ on your machine.
+
+
+As long as Apple doesn't fix the problem with ld, this problem building
+OpenSSL will remain as is.
+
+
+* Parallell make leads to errors
+
+While running tests, running a parallell make is a bad idea.  Many test
+scripts use the same name for output and input files, which means different
+will interfere with each other and lead to test failure.
+
+The solution is simple for now: don't run parallell make when testing.
--- a/19
+++ b/19
@@ -1,5 +1,5 @@

- OpenSSL 0.9.6d-beta1 17 Apr 2002
+ OpenSSL 0.9.6g [engine] 9 August 2002

 Copyright (c) 1998-2002 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -122,6 +122,13 @@
 lists the functions; you will probably have to look at the code to work out
 how to use them. Look at the example programs.

+ PROBLEMS
+ --------
+
+ For some platforms, there are some known problems that may affect the user
+ or application author.  We try to collect those in doc/PROBLEMS, with current
+ thoughts on how they should be solved in a future of OpenSSL.
+
 SUPPORT 
 -------

@@ -146,11 +153,13 @@
    - Problem Description (steps that will reproduce the problem, if known)
    - Stack Traceback (if the application dumps core)

- Report the bug to the OpenSSL project at:
+ Report the bug to the OpenSSL project via the Request Tracker
+ (http://www.openssl.org/rt2.html) by mail to:

    openssl-bugs@openssl.org

- Note that mail to openssl-bugs@openssl.org is forwarded to a public
+ Note that mail to openssl-bugs@openssl.org is recorded in the publicly
+ readable request tracker database and is forwarded to a public
 mailing list. Confidential mail may be sent to openssl-security@openssl.org
 (PGP key available from the key servers).

@@ -164,7 +173,9 @@
 textual explanation of what your patch does.

 Note: For legal reasons, contributions from the US can be accepted only
- if a copy of the patch is sent to crypt@bxa.doc.gov
+ if a TSA notification and a copy of the patch is sent to crypt@bis.doc.gov;
+ see http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
+ and http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e)).

 The preferred format for changes is "diff -u" output. You might
 generate it like this:
--- a/7
+++ b/7
@@ -1,11 +1,14 @@

  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2002/04/17 12:28:37 $
+  ______________                           $Date: 2002/08/09 11:49:13 $

  DEVELOPMENT STATE

    o  OpenSSL 0.9.7:  Under development...
-    o  OpenSSL 0.9.6d: Feature freeze, beta1 April 17th, 2002
+    o  OpenSSL 0.9.6g: Released on August     9th, 2002
+    o  OpenSSL 0.9.6f: Released on August     8th, 2002
+    o  OpenSSL 0.9.6e: Released on July      30th, 2002
+    o  OpenSSL 0.9.6d: Released on May        9th, 2002
    o  OpenSSL 0.9.6c: Released on December  21st, 2001
    o  OpenSSL 0.9.6b: Released on July       9th, 2001
    o  OpenSSL 0.9.6a: Released on April      5th, 2001
--- a/131
+++ b/131
@@ -621,6 +621,29 @@ $shared_ldflag =
 $shared_extension = 
 $ranlib       = 

+*** UWIN
+$cc           = cc
+$cflags       = -DTERMIOS -DL_ENDIAN -O -Wall
+$unistd       = 
+$thread_cflag = 
+$lflags       = 
+$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = win32
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
+
 *** VC-MSDOS
 $cc           = cl
 $cflags       = 
@@ -1083,7 +1106,7 @@ $ranlib       =

 *** darwin-ppc-cc
 $cc           = cc
-$cflags       = -O3 -D_DARWIN -DB_ENDIAN
+$cflags       = -O3 -D_DARWIN -DB_ENDIAN -fno-common
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $lflags       = 
@@ -1100,8 +1123,8 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= darwin-shared
 $shared_cflag = -fPIC
-$shared_ldflag = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
-$shared_extension = 
+$shared_ldflag = 
+$shared_extension = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
 $ranlib       = 

 *** debug
@@ -1261,8 +1284,8 @@ $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
 $shared_cflag = -fPIC
-$shared_ldflag = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
-$shared_extension = 
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 

 *** debug-linux-elf-noefence
@@ -1909,6 +1932,29 @@ $shared_ldflag =
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 

+*** hpux64-parisc-gcc
+$cc           = gcc
+$cflags       = -DB_ENDIAN -DMD32_XARRAY
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$lflags       = -ldl
+$bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= hpux64-shared
+$shared_cflag = -fpic
+$shared_ldflag = 
+$shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+
 *** hpux64-parisc2-cc
 $cc           = cc
 $cflags       = +DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY
@@ -2371,10 +2417,10 @@ $ranlib       =

 *** linux-s390
 $cc           = gcc
-$cflags       = -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
+$cflags       = -DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
-$lflags       = 
+$lflags       = -ldl
 $bn_ops       = BN_LLONG
 $bn_obj       = 
 $des_obj      = 
@@ -2385,11 +2431,11 @@ $cast_obj     =
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
+$dso_scheme   = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
 $shared_ldflag = 
-$shared_extension = 
+$shared_extension = .so.$(SHLIB_MAJOR),$(SHLIB_MINOR)
 $ranlib       = 

 *** linux-s390x
@@ -2397,7 +2443,7 @@ $cc           = gcc
 $cflags       = -DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
-$lflags       = 
+$lflags       = -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG
 $bn_obj       = 
 $des_obj      = 
@@ -2408,7 +2454,7 @@ $cast_obj     =
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
-$dso_scheme   = 
+$dso_scheme   = dlfcn
 $shared_target= linux-shared
 $shared_cflag = -fPIC
 $shared_ldflag = 
@@ -2443,7 +2489,7 @@ $cc           = gcc
 $cflags       = -mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W
 $unistd       = 
 $thread_cflag = -D_REENTRANT
-$lflags       = 
+$lflags       = -ldl
 $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
 $bn_obj       = asm/sparcv8.o
 $des_obj      = 
@@ -2454,11 +2500,11 @@ $cast_obj     =
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
+$dso_scheme   = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
 $shared_ldflag = 
-$shared_extension = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 

 *** linux-sparcv9
@@ -2466,7 +2512,7 @@ $cc           = gcc
 $cflags       = -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W
 $unistd       = 
 $thread_cflag = -D_REENTRANT
-$lflags       = 
+$lflags       = -ldl
 $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
 $bn_obj       = asm/sparcv8plus.o
 $des_obj      = 
@@ -2480,8 +2526,8 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
 $shared_cflag = -fPIC
-$shared_ldflag = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
-$shared_extension = 
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 

 *** ncr-scde
@@ -2785,20 +2831,20 @@ $ranlib       =

 *** sco5-gcc-shared
 $cc           = gcc
-$cflags       = -O3 -DFILIO_H -fomit-frame-pointer
+$cflags       = -O3 -fomit-frame-pointer
 $unistd       = 
 $thread_cflag = 
 $lflags       = -lsocket -lresolv -lnsl
 $bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
-$bn_obj       = asm/bn86-elf.o asm/co86-elf.o
-$des_obj      = asm/dx86-elf.o asm/yx86-elf.o
-$bf_obj       = asm/bx86-elf.o
-$md5_obj      = asm/mx86-elf.o
-$sha1_obj     = asm/sx86-elf.o
-$cast_obj     = asm/cx86-elf.o
-$rc4_obj      = asm/rx86-elf.o
-$rmd160_obj   = asm/rm86-elf.o
-$rc5_obj      = asm/r586-elf.o
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
 $dso_scheme   = dlfcn
 $shared_target= svr3-shared
 $shared_cflag = -fPIC
@@ -3059,6 +3105,29 @@ $shared_ldflag = -xarch=v9
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = /usr/ccs/bin/ar rs

+*** solaris64-sparcv9-gcc31
+$cc           = gcc
+$cflags       = -mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DULTRASPARC
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$lflags       = -lsocket -lnsl -ldl
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = asm/md5-sparcv9.o
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -fPIC
+$shared_ldflag = -m64
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+
 *** sunos-gcc
 $cc           = gcc
 $cflags       = -O3 -mv8 -Dssize_t=int
--- a/apps/Makefile.ssl
+++ b/apps/Makefile.ssl
@@ -13,7 +13,7 @@ OPENSSLDIR=	/usr/local/ssl
 MAKE=		make -f Makefile.ssl
 MAKEDEPEND=	$(TOP)/util/domd $(TOP)
 MAKEFILE=	Makefile.ssl
-PERL=/usr/local/bin/perl
+PERL=		perl
 RM=		rm -f

 PEX_LIBS=
@@ -128,10 +128,10 @@ clean:
 	rm -f req

 $(DLIBSSL):
-	(cd ../ssl; $(MAKE))
+	(cd ../ssl; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')

 $(DLIBCRYPTO):
-	(cd ../crypto; $(MAKE))
+	(cd ../crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')

 $(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
 	$(RM) $(PROGRAM)
@@ -209,14 +209,15 @@ ca.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 ca.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 ca.o: ../include/openssl/des.h ../include/openssl/dh.h ../include/openssl/dsa.h
 ca.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
-ca.o: ../include/openssl/err.h ../include/openssl/evp.h
-ca.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-ca.o: ../include/openssl/md2.h ../include/openssl/md4.h
-ca.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-ca.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ca.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ca.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ca.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ca.o: ../include/openssl/engine.h ../include/openssl/err.h
+ca.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ca.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ca.o: ../include/openssl/md4.h ../include/openssl/md5.h
+ca.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ca.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ca.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ca.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ca.o: ../include/openssl/rand.h ../include/openssl/rc2.h
 ca.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
 ca.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 ca.o: ../include/openssl/safestack.h ../include/openssl/sha.h
@@ -292,14 +293,15 @@ dgst.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 dgst.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 dgst.o: ../include/openssl/des.h ../include/openssl/dh.h
 dgst.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-dgst.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-dgst.o: ../include/openssl/evp.h ../include/openssl/idea.h
-dgst.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-dgst.o: ../include/openssl/md4.h ../include/openssl/md5.h
-dgst.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-dgst.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-dgst.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-dgst.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dgst.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+dgst.o: ../include/openssl/err.h ../include/openssl/evp.h
+dgst.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+dgst.o: ../include/openssl/md2.h ../include/openssl/md4.h
+dgst.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+dgst.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+dgst.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dgst.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+dgst.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 dgst.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 dgst.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 dgst.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
@@ -312,14 +314,15 @@ dh.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 dh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 dh.o: ../include/openssl/des.h ../include/openssl/dh.h ../include/openssl/dsa.h
 dh.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
-dh.o: ../include/openssl/err.h ../include/openssl/evp.h
-dh.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-dh.o: ../include/openssl/md2.h ../include/openssl/md4.h
-dh.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-dh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-dh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-dh.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-dh.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+dh.o: ../include/openssl/engine.h ../include/openssl/err.h
+dh.o: ../include/openssl/evp.h ../include/openssl/idea.h
+dh.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+dh.o: ../include/openssl/md4.h ../include/openssl/md5.h
+dh.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+dh.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+dh.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+dh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dh.o: ../include/openssl/rand.h ../include/openssl/rc2.h
 dh.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
 dh.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 dh.o: ../include/openssl/safestack.h ../include/openssl/sha.h
@@ -331,14 +334,15 @@ dsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 dsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 dsa.o: ../include/openssl/des.h ../include/openssl/dh.h
 dsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-dsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-dsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
-dsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-dsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
-dsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-dsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-dsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-dsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dsa.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+dsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+dsa.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+dsa.o: ../include/openssl/md2.h ../include/openssl/md4.h
+dsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+dsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+dsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+dsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 dsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 dsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 dsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
@@ -371,20 +375,21 @@ enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 enc.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 enc.o: ../include/openssl/des.h ../include/openssl/dh.h
 enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
-enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-enc.o: ../include/openssl/md4.h ../include/openssl/md5.h
-enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-enc.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+enc.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+enc.o: ../include/openssl/err.h ../include/openssl/evp.h
+enc.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+enc.o: ../include/openssl/md2.h ../include/openssl/md4.h
+enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+enc.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+enc.o: ../include/openssl/sha.h ../include/openssl/stack.h
+enc.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+enc.o: ../include/openssl/x509_vfy.h apps.h
 errstr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 errstr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
 errstr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@@ -414,34 +419,36 @@ gendh.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 gendh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 gendh.o: ../include/openssl/des.h ../include/openssl/dh.h
 gendh.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-gendh.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-gendh.o: ../include/openssl/evp.h ../include/openssl/idea.h
-gendh.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-gendh.o: ../include/openssl/md4.h ../include/openssl/md5.h
-gendh.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-gendh.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-gendh.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-gendh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-gendh.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-gendh.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-gendh.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-gendh.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-gendh.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-gendh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+gendh.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+gendh.o: ../include/openssl/err.h ../include/openssl/evp.h
+gendh.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+gendh.o: ../include/openssl/md2.h ../include/openssl/md4.h
+gendh.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+gendh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+gendh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+gendh.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+gendh.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+gendh.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+gendh.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+gendh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+gendh.o: ../include/openssl/sha.h ../include/openssl/stack.h
+gendh.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+gendh.o: ../include/openssl/x509_vfy.h apps.h
 gendsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 gendsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
 gendsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 gendsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 gendsa.o: ../include/openssl/des.h ../include/openssl/dh.h
 gendsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-gendsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-gendsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
-gendsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-gendsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
-gendsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-gendsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-gendsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-gendsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+gendsa.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+gendsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+gendsa.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+gendsa.o: ../include/openssl/md2.h ../include/openssl/md4.h
+gendsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+gendsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+gendsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+gendsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+gendsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 gendsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 gendsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 gendsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
@@ -454,14 +461,15 @@ genrsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 genrsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 genrsa.o: ../include/openssl/des.h ../include/openssl/dh.h
 genrsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-genrsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-genrsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
-genrsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-genrsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
-genrsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-genrsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-genrsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-genrsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+genrsa.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+genrsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+genrsa.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+genrsa.o: ../include/openssl/md2.h ../include/openssl/md4.h
+genrsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+genrsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+genrsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+genrsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+genrsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 genrsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 genrsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
@@ -536,15 +544,16 @@ pkcs12.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 pkcs12.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 pkcs12.o: ../include/openssl/des.h ../include/openssl/dh.h
 pkcs12.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-pkcs12.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-pkcs12.o: ../include/openssl/evp.h ../include/openssl/idea.h
-pkcs12.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-pkcs12.o: ../include/openssl/md4.h ../include/openssl/md5.h
-pkcs12.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-pkcs12.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-pkcs12.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-pkcs12.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
-pkcs12.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+pkcs12.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+pkcs12.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs12.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+pkcs12.o: ../include/openssl/md2.h ../include/openssl/md4.h
+pkcs12.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+pkcs12.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+pkcs12.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+pkcs12.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+pkcs12.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h
+pkcs12.o: ../include/openssl/rand.h ../include/openssl/rc2.h
 pkcs12.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
 pkcs12.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 pkcs12.o: ../include/openssl/safestack.h ../include/openssl/sha.h
@@ -556,14 +565,15 @@ pkcs7.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 pkcs7.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 pkcs7.o: ../include/openssl/des.h ../include/openssl/dh.h
 pkcs7.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-pkcs7.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-pkcs7.o: ../include/openssl/evp.h ../include/openssl/idea.h
-pkcs7.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-pkcs7.o: ../include/openssl/md4.h ../include/openssl/md5.h
-pkcs7.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-pkcs7.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-pkcs7.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-pkcs7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+pkcs7.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+pkcs7.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs7.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+pkcs7.o: ../include/openssl/md2.h ../include/openssl/md4.h
+pkcs7.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+pkcs7.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+pkcs7.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+pkcs7.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+pkcs7.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 pkcs7.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 pkcs7.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 pkcs7.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
@@ -576,15 +586,16 @@ pkcs8.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 pkcs8.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 pkcs8.o: ../include/openssl/des.h ../include/openssl/dh.h
 pkcs8.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-pkcs8.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-pkcs8.o: ../include/openssl/evp.h ../include/openssl/idea.h
-pkcs8.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-pkcs8.o: ../include/openssl/md4.h ../include/openssl/md5.h
-pkcs8.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-pkcs8.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-pkcs8.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-pkcs8.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
-pkcs8.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+pkcs8.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+pkcs8.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs8.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+pkcs8.o: ../include/openssl/md2.h ../include/openssl/md4.h
+pkcs8.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+pkcs8.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+pkcs8.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+pkcs8.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+pkcs8.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h
+pkcs8.o: ../include/openssl/rand.h ../include/openssl/rc2.h
 pkcs8.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
 pkcs8.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 pkcs8.o: ../include/openssl/safestack.h ../include/openssl/sha.h
@@ -596,33 +607,35 @@ rand.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 rand.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 rand.o: ../include/openssl/des.h ../include/openssl/dh.h
 rand.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-rand.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-rand.o: ../include/openssl/evp.h ../include/openssl/idea.h
-rand.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-rand.o: ../include/openssl/md4.h ../include/openssl/md5.h
-rand.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-rand.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-rand.o: ../include/openssl/opensslv.h ../include/openssl/pkcs7.h
-rand.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-rand.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-rand.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-rand.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+rand.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+rand.o: ../include/openssl/err.h ../include/openssl/evp.h
+rand.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+rand.o: ../include/openssl/md2.h ../include/openssl/md4.h
+rand.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+rand.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+rand.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+rand.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+rand.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+rand.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+rand.o: ../include/openssl/sha.h ../include/openssl/stack.h
+rand.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+rand.o: ../include/openssl/x509_vfy.h apps.h
 req.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 req.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
 req.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 req.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 req.o: ../include/openssl/des.h ../include/openssl/dh.h
 req.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-req.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-req.o: ../include/openssl/evp.h ../include/openssl/idea.h
-req.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-req.o: ../include/openssl/md4.h ../include/openssl/md5.h
-req.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-req.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-req.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+req.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+req.o: ../include/openssl/err.h ../include/openssl/evp.h
+req.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+req.o: ../include/openssl/md2.h ../include/openssl/md4.h
+req.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+req.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+req.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+req.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+req.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 req.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 req.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
@@ -635,14 +648,15 @@ rsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 rsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 rsa.o: ../include/openssl/des.h ../include/openssl/dh.h
 rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-rsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-rsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
-rsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-rsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
-rsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-rsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+rsa.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+rsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+rsa.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+rsa.o: ../include/openssl/md2.h ../include/openssl/md4.h
+rsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+rsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+rsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+rsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 rsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 rsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
@@ -655,14 +669,15 @@ rsautl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 rsautl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 rsautl.o: ../include/openssl/des.h ../include/openssl/dh.h
 rsautl.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-rsautl.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-rsautl.o: ../include/openssl/evp.h ../include/openssl/idea.h
-rsautl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-rsautl.o: ../include/openssl/md4.h ../include/openssl/md5.h
-rsautl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-rsautl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-rsautl.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-rsautl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+rsautl.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+rsautl.o: ../include/openssl/err.h ../include/openssl/evp.h
+rsautl.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+rsautl.o: ../include/openssl/md2.h ../include/openssl/md4.h
+rsautl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+rsautl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+rsautl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+rsautl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+rsautl.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 rsautl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 rsautl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 rsautl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
@@ -699,23 +714,23 @@ s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h
 s_client.o: ../include/openssl/crypto.h ../include/openssl/des.h
 s_client.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 s_client.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
-s_client.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_client.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-s_client.o: ../include/openssl/md2.h ../include/openssl/md4.h
-s_client.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-s_client.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_client.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_client.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s_client.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s_client.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s_client.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s_client.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_client.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-s_client.o: s_apps.h
+s_client.o: ../include/openssl/engine.h ../include/openssl/err.h
+s_client.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s_client.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s_client.o: ../include/openssl/md4.h ../include/openssl/md5.h
+s_client.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+s_client.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s_client.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s_client.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_client.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s_client.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s_client.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s_client.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_client.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_client.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_client.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_client.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s_client.o: ../include/openssl/x509_vfy.h apps.h s_apps.h
 s_server.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 s_server.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
 s_server.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@@ -723,23 +738,23 @@ s_server.o: ../include/openssl/comp.h ../include/openssl/conf.h
 s_server.o: ../include/openssl/crypto.h ../include/openssl/des.h
 s_server.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 s_server.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
-s_server.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_server.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-s_server.o: ../include/openssl/md2.h ../include/openssl/md4.h
-s_server.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-s_server.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_server.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_server.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s_server.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s_server.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s_server.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s_server.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-s_server.o: s_apps.h
+s_server.o: ../include/openssl/engine.h ../include/openssl/err.h
+s_server.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s_server.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s_server.o: ../include/openssl/md4.h ../include/openssl/md5.h
+s_server.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+s_server.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s_server.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s_server.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_server.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s_server.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s_server.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_server.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_server.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s_server.o: ../include/openssl/x509_vfy.h apps.h s_apps.h
 s_socket.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 s_socket.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
 s_socket.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@@ -815,14 +830,15 @@ smime.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 smime.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 smime.o: ../include/openssl/des.h ../include/openssl/dh.h
 smime.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-smime.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-smime.o: ../include/openssl/evp.h ../include/openssl/idea.h
-smime.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-smime.o: ../include/openssl/md4.h ../include/openssl/md5.h
-smime.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-smime.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-smime.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-smime.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+smime.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+smime.o: ../include/openssl/err.h ../include/openssl/evp.h
+smime.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+smime.o: ../include/openssl/md2.h ../include/openssl/md4.h
+smime.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+smime.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+smime.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+smime.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+smime.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 smime.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 smime.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 smime.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
@@ -835,34 +851,36 @@ speed.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 speed.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 speed.o: ../include/openssl/des.h ../include/openssl/dh.h
 speed.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-speed.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-speed.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-speed.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-speed.o: ../include/openssl/md2.h ../include/openssl/md4.h
-speed.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-speed.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-speed.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-speed.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-speed.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-speed.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-speed.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-speed.o: ../include/openssl/sha.h ../include/openssl/stack.h
-speed.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-speed.o: ../include/openssl/x509_vfy.h ./testdsa.h ./testrsa.h apps.h
+speed.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+speed.o: ../include/openssl/err.h ../include/openssl/evp.h
+speed.o: ../include/openssl/hmac.h ../include/openssl/idea.h
+speed.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+speed.o: ../include/openssl/md4.h ../include/openssl/md5.h
+speed.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+speed.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+speed.o: ../include/openssl/opensslv.h ../include/openssl/pkcs7.h
+speed.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+speed.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+speed.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+speed.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+speed.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+speed.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ./testdsa.h
+speed.o: ./testrsa.h apps.h
 spkac.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 spkac.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
 spkac.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 spkac.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 spkac.o: ../include/openssl/des.h ../include/openssl/dh.h
 spkac.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-spkac.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-spkac.o: ../include/openssl/evp.h ../include/openssl/idea.h
-spkac.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-spkac.o: ../include/openssl/md4.h ../include/openssl/md5.h
-spkac.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-spkac.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-spkac.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-spkac.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+spkac.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+spkac.o: ../include/openssl/err.h ../include/openssl/evp.h
+spkac.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+spkac.o: ../include/openssl/md2.h ../include/openssl/md4.h
+spkac.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+spkac.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+spkac.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+spkac.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+spkac.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 spkac.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 spkac.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 spkac.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
@@ -875,14 +893,15 @@ verify.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 verify.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 verify.o: ../include/openssl/des.h ../include/openssl/dh.h
 verify.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-verify.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-verify.o: ../include/openssl/evp.h ../include/openssl/idea.h
-verify.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-verify.o: ../include/openssl/md4.h ../include/openssl/md5.h
-verify.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-verify.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-verify.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-verify.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+verify.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+verify.o: ../include/openssl/err.h ../include/openssl/evp.h
+verify.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+verify.o: ../include/openssl/md2.h ../include/openssl/md4.h
+verify.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+verify.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+verify.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+verify.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+verify.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 verify.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 verify.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 verify.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
@@ -913,14 +932,15 @@ x509.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 x509.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 x509.o: ../include/openssl/des.h ../include/openssl/dh.h
 x509.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-x509.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-x509.o: ../include/openssl/evp.h ../include/openssl/idea.h
-x509.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-x509.o: ../include/openssl/md4.h ../include/openssl/md5.h
-x509.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-x509.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-x509.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-x509.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+x509.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+x509.o: ../include/openssl/err.h ../include/openssl/evp.h
+x509.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+x509.o: ../include/openssl/md2.h ../include/openssl/md4.h
+x509.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+x509.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+x509.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+x509.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+x509.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 x509.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 x509.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 x509.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -170,6 +170,8 @@ int str2fmt(char *s)
 		|| (strcmp(s,"PKCS12") == 0) || (strcmp(s,"pkcs12") == 0)
 		|| (strcmp(s,"P12") == 0) || (strcmp(s,"p12") == 0))
 		return(FORMAT_PKCS12);
+	else if ((*s == 'E') || (*s == 'e'))
+		return(FORMAT_ENGINE);
 	else
 		return(FORMAT_UNDEF);
 	}
@@ -228,10 +230,17 @@ void program_name(char *in, char *out, int size)

 	q=strrchr(p,'.');
 	if (q == NULL)
-		q = in+size;
-	strncpy(out,p,q-p);
+		q = p + strlen(p);
+	strncpy(out,p,size-1);
+	if (q-p >= size)
+		{
+		out[size-1]='\0';
+		}
+	else
+		{
 		out[q-p]='\0';
 		}
+	}
 #else
 void program_name(char *in, char *out, int size)
 	{
@@ -755,7 +764,7 @@ int set_name_ex(unsigned long *flags, const char *arg)

 void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
 {
-	char buf[256];
+	char *buf;
 	char mline = 0;
 	int indent = 0;
 	if(title) BIO_puts(out, title);
@@ -764,9 +773,10 @@ void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
 		indent = 4;
 	}
 	if(lflags == XN_FLAG_COMPAT) {
-		X509_NAME_oneline(nm,buf,256);
-		BIO_puts(out,buf);
+		buf = X509_NAME_oneline(nm, 0, 0);
+		BIO_puts(out, buf);
 		BIO_puts(out, "\n");
+		OPENSSL_free(buf);
 	} else {
 		if(mline) BIO_puts(out, "\n");
 		X509_NAME_print_ex(out, nm, indent, lflags);
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -162,6 +162,8 @@ STACK_OF(X509) *load_certs(BIO *err, char *file, int format);
 #define FORMAT_NETSCAPE 4
 #define FORMAT_PKCS12   5
 #define FORMAT_SMIME    6
+/* Since this is currently inofficial, let's give it a high number */
+#define FORMAT_ENGINE   127

 #define NETSCAPE_CERT_HDR	"certificate"

--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -181,7 +181,7 @@ bad:
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg   input format - one of DER TXT PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
-		BIO_printf(bio_err," -out arg      output file\n");
+		BIO_printf(bio_err," -out arg      output file (output format is always DER\n");
 		BIO_printf(bio_err," -noout arg    don't produce any output\n");
 		BIO_printf(bio_err," -offset arg   offset into file\n");
 		BIO_printf(bio_err," -length arg   length of section in file\n");
@@ -192,7 +192,6 @@ bad:
 		BIO_printf(bio_err," -strparse offset\n");
 		BIO_printf(bio_err,"               a series of these can be used to 'dig' into multiple\n");
 		BIO_printf(bio_err,"               ASN1 blob wrappings\n");
-		BIO_printf(bio_err," -out filename output DER encoding to file\n");
 		goto end;
 		}

--- a/apps/ca.c
+++ b/apps/ca.c
@@ -74,6 +74,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #ifndef W_OK
 #  ifdef VMS
@@ -167,6 +168,7 @@ static char *ca_usage[]={
 " -revoke file    - Revoke a certificate (given in file)\n",
 " -extensions ..  - Extension section (override value in config file)\n",
 " -crlexts ..     - CRL extension section (override value in config file)\n",
+" -engine e       - use engine e, possibly a hardware device.\n",
 NULL
 };

@@ -216,6 +218,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	char *key=NULL,*passargin=NULL;
 	int total=0;
 	int total_done=0;
@@ -268,6 +271,7 @@ int MAIN(int argc, char **argv)
 #define BSIZE 256
 	MS_STATIC char buf[3][BSIZE];
 	char *randfile=NULL;
+	char *engine = NULL;

 #ifdef EFENCE
 EF_PROTECT_FREE=1;
@@ -419,6 +423,11 @@ EF_ALIGNMENT=0;
 			if (--argc < 1) goto bad;
 			crl_ext= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else
 			{
 bad:
@@ -439,6 +448,24 @@ bad:

 	ERR_load_crypto_strings();

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto err;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto err;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	/*****************************************************************/
 	if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
 	if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
@@ -1108,7 +1135,7 @@ bad:
 			}
 		if ((crldays == 0) && (crlhours == 0))
 			{
-			BIO_printf(bio_err,"cannot lookup how long until the next CRL is issuer\n");
+			BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n");
 			goto err;
 			}

--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -66,6 +66,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #undef BUFSIZE
 #define BUFSIZE	1024*8
@@ -80,6 +81,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	unsigned char *buf=NULL;
 	int i,err=0;
 	const EVP_MD *md=NULL,*m;
@@ -97,6 +99,7 @@ int MAIN(int argc, char **argv)
 	EVP_PKEY *sigkey = NULL;
 	unsigned char *sigbuf = NULL;
 	int siglen = 0;
+	char *engine=NULL;

 	apps_startup();

@@ -154,6 +157,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) break;
 			sigfile=*(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) break;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-hex") == 0)
 			out_bin = 0;
 		else if (strcmp(*argv,"-binary") == 0)
@@ -190,6 +198,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");
 		BIO_printf(bio_err,"-signature file signature to verify\n");
 		BIO_printf(bio_err,"-binary         output in binary form\n");
+		BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");

 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm (default)\n",
 			LN_md5,LN_md5);
@@ -209,6 +218,24 @@ int MAIN(int argc, char **argv)
 		goto end;
 		}

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	in=BIO_new(BIO_s_file());
 	bmd=BIO_new(BIO_f_md());
 	if (debug)
--- a/apps/dh.c
+++ b/apps/dh.c
@@ -69,6 +69,7 @@
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #undef PROG
 #define PROG	dh_main
@@ -87,11 +88,12 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,check=0,noout=0,C=0,ret=1;
-	char *infile,*outfile,*prog;
+	char *infile,*outfile,*prog,*engine;

 	apps_startup();

@@ -99,6 +101,7 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	engine=NULL;
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -129,6 +132,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -160,11 +168,30 @@ bad:
 		BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
+		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		goto end;
 		}

 	ERR_load_crypto_strings();

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -121,6 +121,7 @@
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #ifndef NO_DSA
 #include <openssl/dsa.h>
@@ -148,6 +149,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 #ifndef NO_DSA
@@ -156,7 +158,7 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,check=0,noout=0,C=0,ret=1;
 	char *infile,*outfile,*prog;
-	char *inrand=NULL;
+	char *inrand=NULL,*engine=NULL;
 	int num = 0, g = 0;

 	apps_startup();
@@ -195,6 +197,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -240,6 +247,7 @@ bad:
 		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
 		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
 		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
+		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"               - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"               the random number generator\n");
@@ -249,6 +257,24 @@ bad:

 	ERR_load_crypto_strings();

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if (g && !num)
 		num = DEFBITS;

--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -68,6 +68,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #undef PROG
 #define PROG	dsa_main
@@ -87,6 +88,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	int ret=1;
 	DSA *dsa=NULL;
 	int i,badops=0;
@@ -94,7 +96,7 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,text=0,noout=0;
 	int pubin = 0, pubout = 0;
-	char *infile,*outfile,*prog;
+	char *infile,*outfile,*prog,*engine;
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
 	int modulus=0;
@@ -105,6 +107,7 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	engine=NULL;
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -145,6 +148,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -176,6 +184,7 @@ bad:
 		BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err," -out arg        output file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
+		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef NO_IDEA
@@ -189,6 +198,24 @@ bad:

 	ERR_load_crypto_strings();

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
 		goto end;
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -176,7 +176,7 @@ bad:
 		BIO_printf(bio_err," -outform arg  output format - DER or PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
-		BIO_printf(bio_err," -text         print the key in text\n");
+		BIO_printf(bio_err," -text         print as text\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
 		BIO_printf(bio_err," -rand         files to use for random number input\n");
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -70,6 +70,7 @@
 #include <openssl/md5.h>
 #endif
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 int set_hex(char *in,unsigned char *out,int size);
 #undef SIZE
@@ -84,6 +85,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	static const char magic[]="Salted__";
 	char mbuf[8];	/* should be 1 smaller than magic */
 	char *strbuf=NULL;
@@ -101,6 +103,7 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
 #define PROG_NAME_SIZE  39
 	char pname[PROG_NAME_SIZE+1];
+	char *engine = NULL;

 	apps_startup();

@@ -141,6 +144,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passarg= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if	(strcmp(*argv,"-d") == 0)
 			enc=0;
 		else if	(strcmp(*argv,"-p") == 0)
@@ -241,6 +249,7 @@ bad:
 			BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
 			BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
 			BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
+			BIO_printf(bio_err,"%-14s use engine e, possibly a hardware device.\n","-engine e");

 			BIO_printf(bio_err,"Cipher Types\n");
 			BIO_printf(bio_err,"des     : 56 bit key DES encryption\n");
@@ -314,6 +323,24 @@ bad:
 		argv++;
 		}

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if (bufsize != NULL)
 		{
 		unsigned long n;
--- a/apps/gendh.c
+++ b/apps/gendh.c
@@ -70,6 +70,7 @@
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #define DEFBITS	512
 #undef PROG
@@ -81,11 +82,13 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	DH *dh=NULL;
 	int ret=1,num=DEFBITS;
 	int g=2;
 	char *outfile=NULL;
 	char *inrand=NULL;
+	char *engine=NULL;
 	BIO *out=NULL;

 	apps_startup();
@@ -110,6 +113,11 @@ int MAIN(int argc, char **argv)
 			g=3; */
 		else if (strcmp(*argv,"-5") == 0)
 			g=5;
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -125,15 +133,34 @@ int MAIN(int argc, char **argv)
 bad:
 		BIO_printf(bio_err,"usage: gendh [args] [numbits]\n");
 		BIO_printf(bio_err," -out file - output the key to 'file\n");
-		BIO_printf(bio_err," -2    use 2 as the generator value\n");
-	/*	BIO_printf(bio_err," -3    use 3 as the generator value\n"); */
-		BIO_printf(bio_err," -5    use 5 as the generator value\n");
+		BIO_printf(bio_err," -2        - use 2 as the generator value\n");
+	/*	BIO_printf(bio_err," -3        - use 3 as the generator value\n"); */
+		BIO_printf(bio_err," -5        - use 5 as the generator value\n");
+		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
 		goto end;
 		}
 		
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	out=BIO_new(BIO_s_file());
 	if (out == NULL)
 		{
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -68,6 +68,7 @@
 #include <openssl/dsa.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #define DEFBITS	512
 #undef PROG
@@ -77,6 +78,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	DSA *dsa=NULL;
 	int ret=1;
 	char *outfile=NULL;
@@ -84,6 +86,7 @@ int MAIN(int argc, char **argv)
 	char *passargout = NULL, *passout = NULL;
 	BIO *out=NULL,*in=NULL;
 	EVP_CIPHER *enc=NULL;
+	char *engine=NULL;

 	apps_startup();

@@ -106,6 +109,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -145,6 +153,7 @@ bad:
 #ifndef NO_IDEA
 		BIO_printf(bio_err," -idea     - encrypt the generated key with IDEA in cbc mode\n");
 #endif
+		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
@@ -153,6 +162,24 @@ bad:
 		goto end;
 		}

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -69,6 +69,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #define DEFBITS	512
 #undef PROG
@@ -80,6 +81,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	int ret=1;
 	RSA *rsa=NULL;
 	int i,num=DEFBITS;
@@ -88,6 +90,7 @@ int MAIN(int argc, char **argv)
 	unsigned long f4=RSA_F4;
 	char *outfile=NULL;
 	char *passargout = NULL, *passout = NULL;
+	char *engine=NULL;
 	char *inrand=NULL;
 	BIO *out=NULL;

@@ -116,6 +119,11 @@ int MAIN(int argc, char **argv)
 			f4=3;
 		else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)
 			f4=RSA_F4;
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -154,6 +162,7 @@ bad:
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err," -f4             use F4 (0x10001) for the E value\n");
 		BIO_printf(bio_err," -3              use 3 for the E value\n");
+		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"                 load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"                 the random number generator\n");
@@ -167,6 +176,24 @@ bad:
 		goto err;
 	}

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto err;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto err;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
@@ -186,7 +213,8 @@ bad:
 			}
 		}

-	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
+		&& !RAND_status())
 		{
 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
 		}
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -66,6 +66,7 @@
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
+#include <openssl/engine.h>

 #define PROG pkcs12_main

@@ -92,6 +93,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 {
+    ENGINE *e = NULL;
    char *infile=NULL, *outfile=NULL, *keyname = NULL;	
    char *certfile=NULL;
    BIO *in=NULL, *out = NULL, *inkey = NULL, *certsin = NULL;
@@ -118,6 +120,7 @@ int MAIN(int argc, char **argv)
    char *passin = NULL, *passout = NULL;
    char *inrand = NULL;
    char *CApath = NULL, *CAfile = NULL;
+    char *engine=NULL;

    apps_startup();

@@ -236,6 +239,11 @@ int MAIN(int argc, char **argv)
 			args++;	
 			CAfile = *args;
 		    } else badarg = 1;
+		} else if (!strcmp(*args,"-engine")) {
+		    if (args[1]) {
+			args++;	
+			engine = *args;
+		    } else badarg = 1;
 		} else badarg = 1;

 	} else badarg = 1;
@@ -279,12 +287,27 @@ int MAIN(int argc, char **argv)
 	BIO_printf (bio_err, "-password p   set import/export password source\n");
 	BIO_printf (bio_err, "-passin p     input file pass phrase source\n");
 	BIO_printf (bio_err, "-passout p    output file pass phrase source\n");
+	BIO_printf (bio_err, "-engine e     use engine e, possibly a hardware device.\n");
 	BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 	BIO_printf(bio_err,  "              load the file (or the files in the directory) into\n");
 	BIO_printf(bio_err,  "              the random number generator\n");
    	goto end;
    }

+    if (engine != NULL) {
+	if((e = ENGINE_by_id(engine)) == NULL) {
+	    BIO_printf(bio_err,"invalid engine \"%s\"\n", engine);
+	    goto end;
+	}
+	if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+	    BIO_printf(bio_err,"can't use that engine\n");
+	    goto end;
+	}
+	BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+	/* Free our "structural" reference. */
+	ENGINE_free(e);
+    }
+
    if(passarg) {
 	if(export_cert) passargout = passarg;
 	else passargin = passarg;
@@ -749,7 +772,10 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 		print_attribs (out, bag->attrib, "Bag Attributes");
 		if (!(p8 = M_PKCS12_decrypt_skey (bag, pass, passlen)))
 				return 0;
-		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
+		if (!(pkey = EVP_PKCS82PKEY (p8))) {
+			PKCS8_PRIV_KEY_INFO_free(p8);
+			return 0;
+		}
 		print_attribs (out, p8->attributes, "Key Attributes");
 		PKCS8_PRIV_KEY_INFO_free(p8);
 		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -67,6 +67,7 @@
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #undef PROG
 #define PROG	pkcs7_main
@@ -82,13 +83,15 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	PKCS7 *p7=NULL;
 	int i,badops=0;
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat;
 	char *infile,*outfile,*prog;
 	int print_certs=0,text=0,noout=0;
-	int ret=0;
+	int ret=1;
+	char *engine=NULL;

 	apps_startup();

@@ -132,6 +135,11 @@ int MAIN(int argc, char **argv)
 			text=1;
 		else if (strcmp(*argv,"-print_certs") == 0)
 			print_certs=1;
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -154,11 +162,30 @@ bad:
 		BIO_printf(bio_err," -print_certs  print any certs or crl in the input\n");
 		BIO_printf(bio_err," -text         print full details of certificates\n");
 		BIO_printf(bio_err," -noout        don't output encoded data\n");
+		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		EXIT(1);
 		}

 	ERR_load_crypto_strings();

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -62,6 +62,7 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pkcs12.h>
+#include <openssl/engine.h>

 #include "apps.h"
 #define PROG pkcs8_main
@@ -70,6 +71,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 {
+	ENGINE *e = NULL;
 	char **args, *infile = NULL, *outfile = NULL;
 	char *passargin = NULL, *passargout = NULL;
 	BIO *in = NULL, *out = NULL;
@@ -85,9 +87,13 @@ int MAIN(int argc, char **argv)
 	EVP_PKEY *pkey;
 	char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
 	int badarg = 0;
+	char *engine=NULL;
+
 	if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
+
 	ERR_load_crypto_strings();
 	OpenSSL_add_all_algorithms();
 	args = argv + 1;
@@ -138,6 +144,11 @@ int MAIN(int argc, char **argv)
 			if (!args[1]) goto bad;
 			passargout= *(++args);
 			}
+		else if (strcmp(*args,"-engine") == 0)
+			{
+			if (!args[1]) goto bad;
+			engine= *(++args);
+			}
 		else if (!strcmp (*args, "-in")) {
 			if (args[1]) {
 				args++;
@@ -170,9 +181,28 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err, "-nocrypt        use or expect unencrypted private key\n");
 		BIO_printf(bio_err, "-v2 alg         use PKCS#5 v2.0 and cipher \"alg\"\n");
 		BIO_printf(bio_err, "-v1 obj         use PKCS#5 v1.5 and cipher \"alg\"\n");
+		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		return (1);
 	}

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			return (1);
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			return (1);
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
 		return (1);
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -9,6 +9,7 @@
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#include <openssl/engine.h>

 #undef PROG
 #define PROG rand_main
@@ -23,6 +24,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	int i, r, ret = 1;
 	int badopt;
 	char *outfile = NULL;
@@ -30,6 +32,7 @@ int MAIN(int argc, char **argv)
 	int base64 = 0;
 	BIO *out = NULL;
 	int num = -1;
+	char *engine=NULL;

 	apps_startup();

@@ -48,6 +51,13 @@ int MAIN(int argc, char **argv)
 			else
 				badopt = 1;
 			}
+		if (strcmp(argv[i], "-engine") == 0)
+			{
+			if ((argv[i+1] != NULL) && (engine == NULL))
+				engine = argv[++i];
+			else
+				badopt = 1;
+			}
 		else if (strcmp(argv[i], "-rand") == 0)
 			{
 			if ((argv[i+1] != NULL) && (inrand == NULL))
@@ -85,11 +95,30 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err, "Usage: rand [options] num\n");
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, "-out file             - write to file\n");
+		BIO_printf(bio_err," -engine e             - use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err, "-base64               - encode output\n");
 		goto err;
 		}

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto err;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto err;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	app_RAND_load_file(NULL, bio_err, (inrand != NULL));
 	if (inrand != NULL)
 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
--- a/apps/req.c
+++ b/apps/req.c
@@ -73,6 +73,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #define SECTION		"req"

@@ -140,6 +141,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 #ifndef NO_DSA
 	DSA *dsa_params=NULL;
 #endif
@@ -152,6 +154,7 @@ int MAIN(int argc, char **argv)
 	int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
 	int nodes=0,kludge=0,newhdr=0;
 	char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
+	char *engine=NULL;
 	char *extensions = NULL;
 	char *req_exts = NULL;
 	EVP_CIPHER *cipher=NULL;
@@ -195,6 +198,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -375,6 +383,7 @@ bad:
 		BIO_printf(bio_err," -verify        verify signature on REQ\n");
 		BIO_printf(bio_err," -modulus       RSA modulus\n");
 		BIO_printf(bio_err," -nodes         don't encrypt the output key\n");
+		BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -key file	use the private key contained in file\n");
 		BIO_printf(bio_err," -keyform arg   key file format\n");
 		BIO_printf(bio_err," -keyout arg    file to send the key to\n");
@@ -521,7 +530,36 @@ bad:
 	if ((in == NULL) || (out == NULL))
 		goto end;

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if (keyfile != NULL)
+		{
+		if (keyform == FORMAT_ENGINE)
+			{
+			if (!e)
+				{
+				BIO_printf(bio_err,"no engine specified\n");
+				goto end;
+				}
+			pkey = ENGINE_load_private_key(e, keyfile, NULL);
+			}
+		else
 			{
 			if (BIO_read_filename(in,keyfile) <= 0)
 				{
@@ -533,13 +571,15 @@ bad:
 				pkey=d2i_PrivateKey_bio(in,NULL);
 			else if (keyform == FORMAT_PEM)
 				{
-			pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,passin);
+				pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,
+					passin);
 				}
 			else
 				{
 				BIO_printf(bio_err,"bad input format specified for X509 request\n");
 				goto end;
 				}
+			}

 		if (pkey == NULL)
 			{
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -68,6 +68,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #undef PROG
 #define PROG	rsa_main
@@ -90,6 +91,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *eng = NULL;
 	int ret=1;
 	RSA *rsa=NULL;
 	int i,badops=0, sgckey=0;
@@ -100,6 +102,7 @@ int MAIN(int argc, char **argv)
 	char *infile,*outfile,*prog;
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
+	char *engine=NULL;
 	int modulus=0;

 	apps_startup();
@@ -148,6 +151,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-sgckey") == 0)
 			sgckey=1;
 		else if (strcmp(*argv,"-pubin") == 0)
@@ -195,11 +203,30 @@ bad:
 		BIO_printf(bio_err," -check          verify key consistency\n");
 		BIO_printf(bio_err," -pubin          expect a public key in input file\n");
 		BIO_printf(bio_err," -pubout         output a public key\n");
+		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		goto end;
 		}

 	ERR_load_crypto_strings();

+	if (engine != NULL)
+		{
+		if((eng = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(eng, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(eng);
+		}
+
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
 		goto end;
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -62,6 +62,7 @@
 #include <string.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #define RSA_SIGN 	1
 #define RSA_VERIFY 	2
@@ -82,6 +83,7 @@ int MAIN(int argc, char **);

 int MAIN(int argc, char **argv)
 {
+	ENGINE *e = NULL;
 	BIO *in = NULL, *out = NULL;
 	char *infile = NULL, *outfile = NULL;
 	char *keyfile = NULL;
@@ -95,6 +97,7 @@ int MAIN(int argc, char **argv)
 	unsigned char *rsa_in = NULL, *rsa_out = NULL, pad;
 	int rsa_inlen, rsa_outlen = 0;
 	int keysize;
+	char *engine=NULL;

 	int ret = 1;

@@ -117,6 +120,9 @@ int MAIN(int argc, char **argv)
 		} else if(!strcmp(*argv, "-inkey")) {
 			if (--argc < 1) badarg = 1;
 			keyfile = *(++argv);
+		} else if(!strcmp(*argv, "-engine")) {
+			if (--argc < 1) badarg = 1;
+			engine = *(++argv);
 		} else if(!strcmp(*argv, "-pubin")) {
 			key_type = KEY_PUBKEY;
 		} else if(!strcmp(*argv, "-certin")) {
@@ -151,6 +157,24 @@ int MAIN(int argc, char **argv)
 		goto end;
 	}

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 /* FIXME: seed PRNG only if needed */
 	app_RAND_load_file(NULL, bio_err, 0);
 	
@@ -280,6 +304,7 @@ static void usage()
 	BIO_printf(bio_err, "-inkey file     input key\n");
 	BIO_printf(bio_err, "-pubin          input is an RSA public\n");
 	BIO_printf(bio_err, "-certin         input is a certificate carrying an RSA public key\n");
+	BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
 	BIO_printf(bio_err, "-ssl            use SSL v2 padding\n");
 	BIO_printf(bio_err, "-raw            use no padding\n");
 	BIO_printf(bio_err, "-pkcs           use PKCS#1 v1.5 padding (default)\n");
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -80,6 +80,7 @@ typedef unsigned int u_int;
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/rand.h>
+#include <openssl/engine.h>
 #include "s_apps.h"

 #ifdef WINDOWS
@@ -154,7 +155,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
 	BIO_printf(bio_err,"                 command to see what is available\n");
 	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
-
+	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 	}

 int MAIN(int, char **);
@@ -182,6 +183,8 @@ int MAIN(int argc, char **argv)
 	SSL_METHOD *meth=NULL;
 	BIO *sbio;
 	char *inrand=NULL;
+	char *engine_id=NULL;
+	ENGINE *e=NULL;
 #ifdef WINDOWS
 	struct timeval tv;
 #endif
@@ -324,6 +327,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
+		else if	(strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine_id = *(++argv);
+			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -364,6 +372,30 @@ bad:

 	OpenSSL_add_ssl_algorithms();
 	SSL_load_error_strings();
+
+	if (engine_id != NULL)
+		{
+		if((e = ENGINE_by_id(engine_id)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		if (c_debug)
+			{
+			ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
+				0, bio_err, 0);
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine_id);
+		ENGINE_free(e);
+		}
+
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -84,6 +84,7 @@ typedef unsigned int u_int;
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
+#include <openssl/engine.h>
 #include "s_apps.h"

 #ifdef WINDOWS
@@ -177,6 +178,7 @@ static int s_debug=0;
 static int s_quiet=0;

 static int hack=0;
+static char *engine_id=NULL;

 #ifdef MONOLITH
 static void s_server_init(void)
@@ -199,6 +201,7 @@ static void s_server_init(void)
 	s_debug=0;
 	s_quiet=0;
 	hack=0;
+	engine_id=NULL;
 	}
 #endif

@@ -244,6 +247,7 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
 	BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
 	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 	}

 static int local_argc=0;
@@ -414,6 +418,8 @@ int MAIN(int argc, char *argv[])
 	int state=0;
 	SSL_METHOD *meth=NULL;
 	char *inrand=NULL;
+	char *engine=NULL;
+	ENGINE *e=NULL;
 #ifndef NO_DH
 	DH *dh=NULL;
 #endif
@@ -573,6 +579,11 @@ int MAIN(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine = *(++argv);
+			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -624,6 +635,29 @@ bad:
 	SSL_load_error_strings();
 	OpenSSL_add_ssl_algorithms();

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		if (s_debug)
+			{
+			ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
+				0, bio_err, 0);
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		ENGINE_free(e);
+		}
+
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -64,6 +64,7 @@
 #include <openssl/crypto.h>
 #include <openssl/pem.h>
 #include <openssl/err.h>
+#include <openssl/engine.h>

 #undef PROG
 #define PROG smime_main
@@ -81,6 +82,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 {
+	ENGINE *e = NULL;
 	int operation = 0;
 	int ret = 0;
 	char **args;
@@ -103,8 +105,9 @@ int MAIN(int argc, char **argv)
 	char *inrand = NULL;
 	int need_rand = 0;
 	int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
-	args = argv + 1;
+	char *engine=NULL;

+	args = argv + 1;
 	ret = 1;

 	while (!badarg && *args && *args[0] == '-') {
@@ -153,6 +156,11 @@ int MAIN(int argc, char **argv)
 				inrand = *args;
 			} else badarg = 1;
 			need_rand = 1;
+		} else if (!strcmp(*args,"-engine")) {
+			if (args[1]) {
+				args++;
+				engine = *args;
+			} else badarg = 1;
 		} else if (!strcmp(*args,"-passin")) {
 			if (args[1]) {
 				args++;
@@ -290,6 +298,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
+		BIO_printf (bio_err, "-engine e      use engine e, possibly a hardware device.\n");
 		BIO_printf (bio_err, "-passin arg    input file pass phrase source\n");
 		BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,  "               load the file (or the files in the directory) into\n");
@@ -298,6 +307,24 @@ int MAIN(int argc, char **argv)
 		goto end;
 	}

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
@@ -414,7 +441,10 @@ int MAIN(int argc, char **argv)
 		p7 = PKCS7_encrypt(encerts, in, cipher, flags);
 	} else if(operation == SMIME_SIGN) {
 		p7 = PKCS7_sign(signer, key, other, in, flags);
-		BIO_reset(in);
+		if (BIO_reset(in) != 0 && (flags & PKCS7_DETACHED)) {
+		  BIO_printf(bio_err, "Can't rewind input file\n");
+		  goto end;
+		}
 	} else {
 		if(informat == FORMAT_SMIME) 
 			p7 = SMIME_read_PKCS7(in, &indata);
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -81,6 +81,7 @@
 #include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
+#include <openssl/engine.h>

 #if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(_DARWIN)
 # define USE_TOD
@@ -327,6 +328,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e;
 	unsigned char *buf=NULL,*buf2=NULL;
 	int mret=1;
 #define ALGOR_NUM	15
@@ -489,6 +491,37 @@ int MAIN(int argc, char **argv)
 		{
 		if	((argc > 0) && (strcmp(*argv,"-elapsed") == 0))
 			usertime = 0;
+		else
+		if	((argc > 0) && (strcmp(*argv,"-engine") == 0))
+			{
+			argc--;
+			argv++;
+			if(argc == 0)
+				{
+				BIO_printf(bio_err,"no engine given\n");
+				goto end;
+				}
+			if((e = ENGINE_by_id(*argv)) == NULL)
+				{
+				BIO_printf(bio_err,"invalid engine \"%s\"\n",
+					*argv);
+				goto end;
+				}
+			if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+				{
+				BIO_printf(bio_err,"can't use that engine\n");
+				goto end;
+				}
+			BIO_printf(bio_err,"engine \"%s\" set.\n", *argv);
+			/* Free our "structural" reference. */
+			ENGINE_free(e);
+			/* It will be increased again further down.  We just
+			   don't want speed to confuse an engine with an
+			   algorithm, especially when none is given (which
+			   means all of them should be run) */
+			j--;
+			}
+		else
 #ifndef NO_MD2
 		if	(strcmp(*argv,"md2") == 0) doit[D_MD2]=1;
 		else
@@ -536,7 +569,7 @@ int MAIN(int argc, char **argv)
 #ifdef RSAref
 			if (strcmp(*argv,"rsaref") == 0) 
 			{
-			RSA_set_default_method(RSA_PKCS1_RSAref());
+			RSA_set_default_openssl_method(RSA_PKCS1_RSAref());
 			j--;
 			}
 		else
@@ -544,7 +577,7 @@ int MAIN(int argc, char **argv)
 #ifndef RSA_NULL
 			if (strcmp(*argv,"openssl") == 0) 
 			{
-			RSA_set_default_method(RSA_PKCS1_SSLeay());
+			RSA_set_default_openssl_method(RSA_PKCS1_SSLeay());
 			j--;
 			}
 		else
@@ -689,11 +722,12 @@ int MAIN(int argc, char **argv)
 			BIO_printf(bio_err,"\n");
 #endif

-#ifdef TIMES
 			BIO_printf(bio_err,"\n");
 			BIO_printf(bio_err,"Available options:\n");
+#ifdef TIMES
 			BIO_printf(bio_err,"-elapsed        measure time in real time instead of CPU user time.\n");
 #endif
+			BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
 			goto end;
 			}
 		argc--;
@@ -1400,6 +1434,7 @@ int MAIN(int argc, char **argv)
 #endif
 	mret=0;
 end:
+	ERR_print_errors(bio_err);
 	if (buf != NULL) OPENSSL_free(buf);
 	if (buf2 != NULL) OPENSSL_free(buf2);
 #ifndef NO_RSA
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -69,6 +69,7 @@
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #undef PROG
 #define PROG	spkac_main
@@ -81,6 +82,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	int i,badops=0, ret = 1;
 	BIO *in = NULL,*out = NULL, *key = NULL;
 	int verify=0,noout=0,pubkey=0;
@@ -91,6 +93,7 @@ int MAIN(int argc, char **argv)
 	LHASH *conf = NULL;
 	NETSCAPE_SPKI *spki = NULL;
 	EVP_PKEY *pkey = NULL;
+	char *engine=NULL;

 	apps_startup();

@@ -136,6 +139,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			spksect= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-pubkey") == 0)
@@ -161,6 +169,7 @@ bad:
 		BIO_printf(bio_err," -noout         don't print SPKAC\n");
 		BIO_printf(bio_err," -pubkey        output public key\n");
 		BIO_printf(bio_err," -verify        verify SPKAC signature\n");
+		BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device.\n");
 		goto end;
 		}

@@ -170,6 +179,24 @@ bad:
 		goto end;
 	}

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if(keyfile) {
 		if(strcmp(keyfile, "-")) key = BIO_new_file(keyfile, "r");
 		else key = BIO_new_fp(stdin, BIO_NOCLOSE);
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -65,6 +65,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #undef PROG
 #define PROG	verify_main
@@ -78,6 +79,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	int i,ret=1;
 	int purpose = -1;
 	char *CApath=NULL,*CAfile=NULL;
@@ -85,6 +87,7 @@ int MAIN(int argc, char **argv)
 	STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
 	X509_STORE *cert_ctx=NULL;
 	X509_LOOKUP *lookup=NULL;
+	char *engine=NULL;

 	cert_ctx=X509_STORE_new();
 	if (cert_ctx == NULL) goto end;
@@ -137,6 +140,11 @@ int MAIN(int argc, char **argv)
 				if (argc-- < 1) goto end;
 				trustfile= *(++argv);
 				}
+			else if (strcmp(*argv,"-engine") == 0)
+				{
+				if (--argc < 1) goto end;
+				engine= *(++argv);
+				}
 			else if (strcmp(*argv,"-help") == 0)
 				goto end;
 			else if (strcmp(*argv,"-issuer_checks") == 0)
@@ -154,6 +162,24 @@ int MAIN(int argc, char **argv)
 			break;
 		}

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file());
 	if (lookup == NULL) abort();
 	if (CAfile) {
@@ -201,7 +227,7 @@ int MAIN(int argc, char **argv)
 	ret=0;
 end:
 	if (ret == 1) {
-		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] cert1 cert2 ...\n");
+		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-engine e] cert1 cert2 ...\n");
 		BIO_printf(bio_err,"recognized usages:\n");
 		for(i = 0; i < X509_PURPOSE_get_count(); i++) {
 			X509_PURPOSE *ptmp;
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -73,6 +73,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>

 #undef PROG
 #define PROG x509_main
@@ -129,6 +130,7 @@ static char *x509_usage[]={
 " -extensions     - section from config file with X509V3 extensions to add\n",
 " -clrext         - delete extensions before signing and input certificate\n",
 " -nameopt arg    - various certificate name options\n",
+" -engine e       - use engine e, possibly a hardware device.\n",
 NULL
 };

@@ -145,6 +147,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	int ret=1;
 	X509_REQ *req=NULL;
 	X509 *x=NULL,*xca=NULL;
@@ -175,6 +178,7 @@ int MAIN(int argc, char **argv)
 	int need_rand = 0;
 	int checkend=0,checkoffset=0;
 	unsigned long nmflag = 0;
+	char *engine=NULL;

 	reqfile=0;

@@ -233,7 +237,7 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-CAkeyform") == 0)
 			{
 			if (--argc < 1) goto bad;
-			CAformat=str2fmt(*(++argv));
+			CAkeyformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-days") == 0)
 			{
@@ -337,6 +341,11 @@ int MAIN(int argc, char **argv)
 			alias= *(++argv);
 			trustout = 1;
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-C") == 0)
 			C= ++num;
 		else if (strcmp(*argv,"-email") == 0)
@@ -420,6 +429,24 @@ bad:
 		goto end;
 		}

+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if (need_rand)
 		app_RAND_load_file(NULL, bio_err, 0);

--- a/64
+++ b/64
@@ -381,17 +381,33 @@ done

 # figure out if gcc is available and if so we use it otherwise
 # we fallback to whatever cc does on the system
-GCCVER=`(gcc --version) 2>/dev/null`
+GCCVER=`(gcc -dumpversion) 2>/dev/null`
 if [ "$GCCVER" != "" ]; then
  CC=gcc
-  # then strip off whatever prefix Cygnus prepends the number with...
-  GCCVER=`echo $GCCVER | sed 's/^[a-z]*\-//'`
+  # then strip off whatever prefix egcs prepends the number with...
+  # Hopefully, this will work for any future prefixes as well.
+  GCCVER=`echo $GCCVER | sed 's/^[a-zA-Z]*\-//'`
+  # Since gcc 3.1 gcc --version behaviour has changed.  gcc -dumpversion
+  # does give us what we want though, so we use that.  We just just the
+  # major and minor version numbers.
  # peak single digit before and after first dot, e.g. 2.95.1 gives 29
  GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
 else
  CC=cc
 fi
-
+GCCVER=${GCCVER:-0}
+if [ "$SYSTEM" = "HP-UX" ];then
+  # By default gcc is a ILP32 compiler (with long long == 64).
+  GCC_BITS="32"
+  if [ $GCCVER -ge 30 ]; then
+    # PA64 support only came in with gcc 3.0.x.
+    # We look for the preprocessor symbol __LP64__ indicating
+    # 64bit bit long and pointer.  sizeof(int) == 32 on HPUX64.
+    if gcc -v -E -x c /dev/null 2>&1 | grep __LP64__ > /dev/null; then
+      GCC_BITS="64"
+    fi
+  fi
+fi
 if [ "$SYSTEM" = "SunOS" ]; then
  # check for WorkShop C, expected output is "cc: blah-blah C x.x"
  CCVER=`(cc -V 2>&1) 2>/dev/null | \
@@ -497,6 +513,10 @@ EOF
 	${CC} -o dummy dummy.c && OUT=`./dummy ${MACHINE}`
 	rm dummy dummy.c
 	;;
+  ppc64-*-linux2)
+	#Use the standard target for PPC architecture until we create a
+	#special one for the 64bit architecture.
+	OUT="linux-ppc" ;;
  ppc-*-linux2) OUT="linux-ppc" ;;
  m68k-*-linux*) OUT="linux-m68k" ;;
  ia64-*-linux?) OUT="linux-ia64" ;;
@@ -589,7 +609,17 @@ EOF
  BS2000-siemens-sysv4) OUT="BS2000-OSD" ;;
  RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
  *-siemens-sysv4) OUT="SINIX" ;;
-  *-hpux1*)	OUT="hpux-parisc-$CC"
+  *-hpux1*)
+	if [ $CC = "gcc" ];
+	then
+	  if [ $GCC_BITS = "64" ]; then
+	    OUT="hpux64-parisc-gcc"
+	  else
+	    OUT="hpux-parisc-gcc"
+	  fi
+	else
+	  OUT="hpux-parisc-$CC"
+	fi
 	options="$options -D_REENTRANT" ;;
  *-hpux)	OUT="hpux-parisc-$CC" ;;
  # these are all covered by the catchall below
@@ -603,11 +633,27 @@ EOF
  *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
 esac

+# NB: This atalla support has been superceded by the ENGINE support
+# That contains its own header and definitions anyway. Support can
+# be enabled or disabled on any supported platform without external
+# headers, eg. by adding the "hw-atalla" switch to ./config or
+# perl Configure
+#
 # See whether we can compile Atalla support
-if [ -f /usr/include/atasi.h ]
-then
-  options="$options -DATALLA"
-fi
+#if [ -f /usr/include/atasi.h ]
+#then
+#  options="$options -DATALLA"
+#fi
+
+#get some basic shared lib support (behnke@trustcenter.de)
+case "$OUT" in
+   solaris-*-gcc)
+	if  [ "$SHARED" = "true" ] 
+	 then
+	  options="$options -DPIC -fPIC"
+        fi
+     ;;
+esac

 # gcc < 2.8 does not support -mcpu=ultrasparc
 if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ]
--- a/crypto/Makefile.ssl
+++ b/crypto/Makefile.ssl
@@ -27,7 +27,7 @@ LIBS=

 SDIRS=	md2 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn rsa dsa dh dso \
+	bn rsa dsa dh dso engine \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp

@@ -51,11 +51,11 @@ all: buildinf.h lib subdirs

 buildinf.h: ../Makefile.ssl
 	( echo "#ifndef MK1MF_BUILD"; \
-	echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
-	echo "  #define CFLAGS \"$(CC) $(CFLAG)\""; \
-	echo "  #define PLATFORM \"$(PLATFORM)\""; \
-	echo "  #define DATE \"`date`\""; \
-	echo "#endif" ) >buildinf.h
+	echo '  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */'; \
+	echo '  #define CFLAGS "$(CC) $(CFLAG)"'; \
+	echo '  #define PLATFORM "$(PLATFORM)"'; \
+	echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
+	echo '#endif' ) >buildinf.h

 testapps:
 	if echo ${SDIRS} | fgrep ' des '; \
@@ -134,7 +134,7 @@ depend:
 	@for i in $(SDIRS) ;\
 	do \
 	(cd $$i; echo "making depend in crypto/$$i..."; \
-	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' DEPFLAG='${DEPFLAG}' depend ); \
+	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' DEPFLAG='${DEPFLAG}' PERL='${PERL}' depend ); \
 	done;

 clean:
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -89,8 +89,6 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 	if (a == NULL) return(0);

 	len=a->length;
-	ret=1+len;
-	if (pp == NULL) return(ret);

 	if (len > 0)
 		{
@@ -118,6 +116,10 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 		}
 	else
 		bits=0;
+
+	ret=1+len;
+	if (pp == NULL) return(ret);
+
 	p= *pp;

 	*(p++)=(unsigned char)bits;
--- a/crypto/asn1/a_enum.c
+++ b/crypto/asn1/a_enum.c
@@ -205,7 +205,18 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
 	else ret->type=V_ASN1_ENUMERATED;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
-	ret->data=(unsigned char *)OPENSSL_malloc(len+4);
+	if (ret->length < len+4)
+		{
+		unsigned char *new_data=
+			OPENSSL_realloc(ret->data, len+4);
+		if (!new_data)
+			{
+			ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		ret->data=new_data;
+		}
+
 	ret->length=BN_bn2bin(bn,ret->data);
 	return(ret);
 err:
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -451,7 +451,16 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai)
 	else ret->type=V_ASN1_INTEGER;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
-	ret->data=(unsigned char *)OPENSSL_malloc(len+4);
+	if (ret->length < len+4)
+		{
+		unsigned char *new_data= OPENSSL_realloc(ret->data, len+4);
+		if (!new_data)
+			{
+			ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		ret->data=new_data;
+		}
 	ret->length=BN_bn2bin(bn,ret->data);
 	return(ret);
 err:
--- a/crypto/asn1/a_set.c
+++ b/crypto/asn1/a_set.c
@@ -116,7 +116,7 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
 		}

        pStart  = p; /* Catch the beg of Setblobs*/
-        rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)); /* In this array
+        if (!(rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)))) return 0; /* In this array
 we will store the SET blobs */

        for (i=0; i<sk_num(a); i++)
@@ -133,7 +133,7 @@ SetBlob
 /* Now we have to sort the blobs. I am using a simple algo.
    *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
        qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
-        pTempMem = OPENSSL_malloc(totSize);
+        if (!(pTempMem = OPENSSL_malloc(totSize))) return 0;

 /* Copy to temp mem */
        p = pTempMem;
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -55,6 +55,59 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */

 #include <stdio.h>
 #include <time.h>
@@ -87,7 +140,14 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 		else
 			a=algor2;
 		if (a == NULL) continue;
-		if (	(a->parameter == NULL) || 
+                if (type->pkey_type == NID_dsaWithSHA1)
+			{
+			/* special case: RFC 2459 tells us to omit 'parameters'
+			 * with id-dsa-with-sha1 */
+			ASN1_TYPE_free(a->parameter);
+			a->parameter = NULL;
+			}
+		else if ((a->parameter == NULL) || 
 			(a->parameter->type != V_ASN1_NULL))
 			{
 			ASN1_TYPE_free(a->parameter);
--- a/crypto/asn1/a_utctm.c
+++ b/crypto/asn1/a_utctm.c
@@ -270,6 +270,9 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 	{
 	struct tm *tm;
+#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__) && !defined(_DARWIN)
+	struct tm data;
+#endif
 	int offset;
 	int year;

@@ -287,7 +290,8 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 	t -= offset*60; /* FIXME: may overflow in extreme cases */

 #if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__) && !defined(_DARWIN)
-	{ struct tm data; gmtime_r(&t, &data); tm = &data; }
+	gmtime_r(&t, &data);
+	tm = &data;
 #else
 	tm = gmtime(&t);
 #endif
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -57,6 +57,7 @@
 */

 #include <stdio.h>
+#include <limits.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/asn1_mac.h>
@@ -124,15 +125,13 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
 		(int)(omax+ *pp));

 #endif
-#if 0
-	if ((p+ *plength) > (omax+ *pp))
+	if (*plength > (omax - (p - *pp)))
 		{
 		ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
 		/* Set this so that even if things are not long enough
 		 * the values are set correctly */
 		ret|=0x80;
 		}
-#endif
 	*pp=p;
 	return(ret|inf);
 err:
@@ -143,7 +142,7 @@ err:
 static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 	{
 	unsigned char *p= *pp;
-	long ret=0;
+	unsigned long ret=0;
 	int i;

 	if (max-- < 1) return(0);
@@ -159,6 +158,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 		i= *p&0x7f;
 		if (*(p++) & 0x80)
 			{
+			if (i > sizeof(long))
+				return 0;
 			if (max-- == 0) return(0);
 			while (i-- > 0)
 				{
@@ -170,8 +171,10 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 		else
 			ret=i;
 		}
+	if (ret > LONG_MAX)
+		return 0;
 	*pp=p;
-	*rl=ret;
+	*rl=(long)ret;
 	return(1);
 	}

@@ -407,7 +410,7 @@ int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b)

 void asn1_add_error(unsigned char *address, int offset)
 	{
-	char buf1[16],buf2[16];
+	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];

 	sprintf(buf1,"%lu",(unsigned long)address);
 	sprintf(buf2,"%d",offset);
--- a/crypto/asn1/d2i_dhp.c
+++ b/crypto/asn1/d2i_dhp.c
@@ -87,6 +87,7 @@ DH *d2i_DHparams(DH **a, unsigned char **pp, long length)
 		}

 	M_ASN1_BIT_STRING_free(bs);
+	bs = NULL;

 	M_ASN1_D2I_Finish_2(a);

--- a/crypto/asn1/d2i_dsap.c
+++ b/crypto/asn1/d2i_dsap.c
@@ -84,6 +84,7 @@ DSA *d2i_DSAparams(DSA **a, unsigned char **pp, long length)
 	if ((ret->g=BN_bin2bn(bs->data,bs->length,ret->g)) == NULL) goto err_bn;

 	M_ASN1_BIT_STRING_free(bs);
+	bs = NULL;

 	M_ASN1_D2I_Finish_2(a);

--- a/crypto/asn1/d2i_r_pr.c
+++ b/crypto/asn1/d2i_r_pr.c
@@ -108,6 +108,7 @@ RSA *d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length)
 		goto err_bn;

 	M_ASN1_INTEGER_free(bs);
+	bs = NULL;

 	M_ASN1_D2I_Finish_2(a);
 err_bn:
--- a/crypto/asn1/t_pkey.c
+++ b/crypto/asn1/t_pkey.c
@@ -96,10 +96,34 @@ int RSA_print(BIO *bp, RSA *x, int off)
 	char str[128];
 	const char *s;
 	unsigned char *m=NULL;
-	int i,ret=0;
+	int ret=0;
+	size_t buf_len=0, i;

-	i=RSA_size(x);
-	m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+	if (x->n)
+		buf_len = (size_t)BN_num_bytes(x->n);
+	if (x->e)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->e)))
+			buf_len = i;
+	if (x->d)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->d)))
+			buf_len = i;
+	if (x->p)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->p)))
+			buf_len = i;
+	if (x->q)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
+			buf_len = i;
+	if (x->dmp1)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->dmp1)))
+			buf_len = i;
+	if (x->dmq1)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->dmq1)))
+			buf_len = i;
+	if (x->iqmp)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->iqmp)))
+			buf_len = i;
+
+	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (m == NULL)
 		{
 		RSAerr(RSA_F_RSA_PRINT,ERR_R_MALLOC_FAILURE);
@@ -161,22 +185,25 @@ int DSA_print(BIO *bp, DSA *x, int off)
 	{
 	char str[128];
 	unsigned char *m=NULL;
-	int i,ret=0;
-	BIGNUM *bn=NULL;
+	int ret=0;
+	size_t buf_len=0,i;

-	if (x->p != NULL)
-		bn=x->p;
-	else if (x->priv_key != NULL)
-		bn=x->priv_key;
-	else if (x->pub_key != NULL)
-		bn=x->pub_key;
+	if (x->p)
+		buf_len = (size_t)BN_num_bytes(x->p);
+	if (x->q)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
+			buf_len = i;
+	if (x->g)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
+			buf_len = i;
+	if (x->priv_key)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->priv_key)))
+			buf_len = i;
+	if (x->pub_key)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->pub_key)))
+			buf_len = i;

-	/* larger than needed but what the hell :-) */
-	if (bn != NULL)
-		i=BN_num_bytes(bn)*2;
-	else
-		i=256;
-	m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (m == NULL)
 		{
 		DSAerr(DSA_F_DSA_PRINT,ERR_R_MALLOC_FAILURE);
@@ -281,10 +308,15 @@ int DHparams_print_fp(FILE *fp, DH *x)
 int DHparams_print(BIO *bp, DH *x)
 	{
 	unsigned char *m=NULL;
-	int reason=ERR_R_BUF_LIB,i,ret=0;
+	int reason=ERR_R_BUF_LIB,ret=0;
+	size_t buf_len=0, i;

-	i=BN_num_bytes(x->p);
-	m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+	if (x->p)
+		buf_len = (size_t)BN_num_bytes(x->p);
+	if (x->g)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
+			buf_len = i;
+	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (m == NULL)
 		{
 		reason=ERR_R_MALLOC_FAILURE;
@@ -334,10 +366,18 @@ int DSAparams_print_fp(FILE *fp, DSA *x)
 int DSAparams_print(BIO *bp, DSA *x)
 	{
 	unsigned char *m=NULL;
-	int reason=ERR_R_BUF_LIB,i,ret=0;
+	int reason=ERR_R_BUF_LIB,ret=0;
+	size_t buf_len=0, i;

-	i=BN_num_bytes(x->p);
-	m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+	if (x->p)
+		buf_len = (size_t)BN_num_bytes(x->p);
+	if (x->q)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
+			buf_len = i;
+	if (x->g)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
+			buf_len = i;
+	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (m == NULL)
 		{
 		reason=ERR_R_MALLOC_FAILURE;
--- a/crypto/asn1/x_pubkey.c
+++ b/crypto/asn1/x_pubkey.c
@@ -156,7 +156,7 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 		dsa->write_params=0;
 		ASN1_TYPE_free(a->parameter);
 		i=i2d_DSAparams(dsa,NULL);
-		p=(unsigned char *)OPENSSL_malloc(i);
+		if ((p=(unsigned char *)OPENSSL_malloc(i)) == NULL) goto err;
 		pp=p;
 		i2d_DSAparams(dsa,&pp);
 		a->parameter=ASN1_TYPE_new();
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -56,6 +56,13 @@
 * [including the GNU Public Licence.]
 */

+/* disable assert() unless BIO_DEBUG has been defined */
+#ifndef BIO_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+
 /* 
 * Stolen from tjh's ssl/ssl_trc.c stuff.
 */
@@ -102,7 +109,7 @@
 * o ...                                       (for OpenSSL)
 */

-#if HAVE_LONG_DOUBLE
+#ifdef HAVE_LONG_DOUBLE
 #define LDOUBLE long double
 #else
 #define LDOUBLE double
@@ -716,12 +723,13 @@ doapr_outch(
    if (buffer) {
 	while (*currlen >= *maxlen) {
 	    if (*buffer == NULL) {
-		assert(*sbuffer != NULL);
 		if (*maxlen == 0)
 		    *maxlen = 1024;
 		*buffer = OPENSSL_malloc(*maxlen);
-		if (*currlen > 0)
+		if (*currlen > 0) {
+		    assert(*sbuffer != NULL);
 		    memcpy(*buffer, *sbuffer, *currlen);
+		}
 		*sbuffer = NULL;
 	    } else {
 		*maxlen += 1024;
@@ -761,7 +769,9 @@ int BIO_vprintf (BIO *bio, const char *format, va_list args)
 	{
 	int ret;
 	size_t retlen;
-	MS_STATIC char hugebuf[1024*10];
+	char hugebuf[1024*2];	/* Was previously 10k, which is unreasonable
+				   in small-stack environments, like threads
+				   or DOS programs. */
 	char *hugebufp = hugebuf;
 	size_t hugebufsize = sizeof(hugebuf);
 	char *dynbuf = NULL;
--- a/crypto/bio/bf_nbio.c
+++ b/crypto/bio/bf_nbio.c
@@ -104,7 +104,7 @@ static int nbiof_new(BIO *bi)
 	{
 	NBIO_TEST *nt;

-	nt=(NBIO_TEST *)OPENSSL_malloc(sizeof(NBIO_TEST));
+	if (!(nt=(NBIO_TEST *)OPENSSL_malloc(sizeof(NBIO_TEST)))) return(0);
 	nt->lrn= -1;
 	nt->lwn= -1;
 	bi->ptr=(char *)nt;
--- a/crypto/bio/bss_bio.c
+++ b/crypto/bio/bss_bio.c
@@ -7,9 +7,18 @@
 * for which no specific BIO method is available.
 * See ssl/ssltest.c for some hints on how this can be used. */

+/* BIO_DEBUG implies BIO_PAIR_DEBUG */
+#ifdef BIO_DEBUG
+# ifndef BIO_PAIR_DEBUG
+#  define BIO_PAIR_DEBUG
+# endif
+#endif
+
+/* disable assert() unless BIO_PAIR_DEBUG has been defined */
 #ifndef BIO_PAIR_DEBUG
-# undef NDEBUG /* avoid conflicting definitions */
+# ifndef NDEBUG
 #  define NDEBUG
+# endif
 #endif

 #include <assert.h>
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -155,7 +155,7 @@ extern "C" {
 #define BN_BYTES	4
 #define BN_BITS2	32
 #define BN_BITS4	16
-#ifdef WIN32
+#ifdef _MSC_VER
 /* VC++ doesn't like the LL suffix */
 #define BN_MASK		(0xffffffffffffffffL)
 #else
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -190,10 +190,10 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,

 	/* First we normalise the numbers */
 	norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2);
-	BN_lshift(sdiv,divisor,norm_shift);
+	if (!(BN_lshift(sdiv,divisor,norm_shift))) goto err;
 	sdiv->neg=0;
 	norm_shift+=BN_BITS2;
-	BN_lshift(snum,num,norm_shift);
+	if (!(BN_lshift(snum,num,norm_shift))) goto err;
 	snum->neg=0;
 	div_n=sdiv->top;
 	num_n=snum->top;
@@ -315,7 +315,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 		tmp->top=j;

 		j=wnum.top;
-		BN_sub(&wnum,&wnum,tmp);
+		if (!BN_sub(&wnum,&wnum,tmp)) goto err;

 		snum->top=snum->top+wnum.top-j;

@@ -323,7 +323,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 			{
 			q--;
 			j=wnum.top;
-			BN_add(&wnum,&wnum,sdiv);
+			if (!BN_add(&wnum,&wnum,sdiv)) goto err;
 			snum->top+=wnum.top-j;
 			}
 		*(resp--)=q;
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -113,13 +113,6 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
-#ifdef ATALLA
-# include <alloca.h>
-# include <atasi.h>
-# include <assert.h>
-# include <dlfcn.h>
-#endif
-

 #define TABLE_SIZE	32

@@ -183,174 +176,6 @@ err:
 	}


-#ifdef ATALLA
-
-/*
- * This routine will dynamically check for the existance of an Atalla AXL-200
- * SSL accelerator module.  If one is found, the variable
- * asi_accelerator_present is set to 1 and the function pointers
- * ptr_ASI_xxxxxx above will be initialized to corresponding ASI API calls.
- */
-typedef int tfnASI_GetPerformanceStatistics(int reset_flag,
-					    unsigned int *ret_buf);
-typedef int tfnASI_GetHardwareConfig(long card_num, unsigned int *ret_buf);
-typedef int tfnASI_RSAPrivateKeyOpFn(RSAPrivateKey * rsaKey,
-				     unsigned char *output,
-				     unsigned char *input,
-				     unsigned int modulus_len);
-
-static tfnASI_GetHardwareConfig *ptr_ASI_GetHardwareConfig;
-static tfnASI_RSAPrivateKeyOpFn *ptr_ASI_RSAPrivateKeyOpFn;
-static tfnASI_GetPerformanceStatistics *ptr_ASI_GetPerformanceStatistics;
-static int asi_accelerator_present;
-static int tried_atalla;
-
-void atalla_initialize_accelerator_handle(void)
-	{
-	void *dl_handle;
-	int status;
-	unsigned int config_buf[1024]; 
-	static int tested;
-
-	if(tested)
-		return;
-
-	tested=1;
-
-	bzero((void *)config_buf, 1024);
-
-	/*
-	 * Check to see if the library is present on the system
-	 */
-	dl_handle = dlopen("atasi.so", RTLD_NOW);
-	if (dl_handle == (void *) NULL)
-		{
-/*		printf("atasi.so library is not present on the system\n");
-		printf("No HW acceleration available\n");*/
-		return;
-	        }
-
-	/*
-	 * The library is present.  Now we'll check to insure that the
-	 * LDM is up and running. First we'll get the address of the
-	 * function in the atasi library that we need to see if the
-	 * LDM is operating.
-	 */
-
-	ptr_ASI_GetHardwareConfig =
-	  (tfnASI_GetHardwareConfig *)dlsym(dl_handle,"ASI_GetHardwareConfig");
-
-	if (ptr_ASI_GetHardwareConfig)
-		{
-		/*
-		 * We found the call, now we'll get our config
-		 * status.  If we get a non 0 result, the LDM is not
-		 * running and we cannot use the Atalla ASI *
-		 * library.
-		 */
-		status = (*ptr_ASI_GetHardwareConfig)(0L, config_buf);
-		if (status != 0)
-			{
-			printf("atasi.so library is present but not initialized\n");
-			printf("No HW acceleration available\n");
-			return;
-			}    
-	        }
-	else
-		{
-/*		printf("We found the library, but not the function. Very Strange!\n");*/
-		return ;
-	      	}
-
-	/* 
-	 * It looks like we have acceleration capabilities.  Load up the
-	 * pointers to our ASI API calls.
-	 */
-	ptr_ASI_RSAPrivateKeyOpFn=
-	  (tfnASI_RSAPrivateKeyOpFn *)dlsym(dl_handle, "ASI_RSAPrivateKeyOpFn");
-	if (ptr_ASI_RSAPrivateKeyOpFn == NULL)
-		{
-/*		printf("We found the library, but no RSA function. Very Strange!\n");*/
-		return;
-	        }
-
-	ptr_ASI_GetPerformanceStatistics =
-	  (tfnASI_GetPerformanceStatistics *)dlsym(dl_handle, "ASI_GetPerformanceStatistics");
-	if (ptr_ASI_GetPerformanceStatistics == NULL)
-		{
-/*		printf("We found the library, but no stat function. Very Strange!\n");*/
-		return;
-	      }
-
-	/*
-	 * Indicate that acceleration is available
-	 */
-	asi_accelerator_present = 1;
-
-/*	printf("This system has acceleration!\n");*/
-
-	return;
-	}
-
-/* make sure this only gets called once when bn_mod_exp calls bn_mod_exp_mont */
-int BN_mod_exp_atalla(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m)
-	{
-	unsigned char *abin;
-	unsigned char *pbin;
-	unsigned char *mbin;
-	unsigned char *rbin;
-	int an,pn,mn,ret;
-	RSAPrivateKey keydata;
-
-	atalla_initialize_accelerator_handle();
-	if(!asi_accelerator_present)
-		return 0;
-
-
-/* We should be able to run without size testing */
-# define ASIZE	128
-	an=BN_num_bytes(a);
-	pn=BN_num_bytes(p);
-	mn=BN_num_bytes(m);
-
-	if(an <= ASIZE && pn <= ASIZE && mn <= ASIZE)
-	    {
-	    int size=mn;
-
-	    assert(an <= mn);
-	    abin=alloca(size);
-	    memset(abin,'\0',mn);
-	    BN_bn2bin(a,abin+size-an);
-
-	    pbin=alloca(pn);
-	    BN_bn2bin(p,pbin);
-
-	    mbin=alloca(size);
-	    memset(mbin,'\0',mn);
-	    BN_bn2bin(m,mbin+size-mn);
-
-	    rbin=alloca(size);
-
-	    memset(&keydata,'\0',sizeof keydata);
-	    keydata.privateExponent.data=pbin;
-	    keydata.privateExponent.len=pn;
-	    keydata.modulus.data=mbin;
-	    keydata.modulus.len=size;
-
-	    ret=(*ptr_ASI_RSAPrivateKeyOpFn)(&keydata,rbin,abin,keydata.modulus.len);
-/*fprintf(stderr,"!%s\n",BN_bn2hex(a));*/
-	    if(!ret)
-	        {
-		BN_bin2bn(rbin,keydata.modulus.len,r);
-/*fprintf(stderr,"?%s\n",BN_bn2hex(r));*/
-		return 1;
-	        }
-	    }
-	return 0;
-        }
-#endif /* def ATALLA */
-
-
 int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	       BN_CTX *ctx)
 	{
@@ -360,13 +185,6 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	bn_check_top(p);
 	bn_check_top(m);

-#ifdef ATALLA
-	if(BN_mod_exp_atalla(r,a,p,m))
-	    return 1;
-/* If it fails, try the other methods (but don't try atalla again) */
-	tried_atalla=1;
-#endif
-
 #ifdef MONT_MUL_MOD
 	/* I have finally been able to take out this pre-condition of
 	 * the top bit being set.  It was caused by an error in BN_div
@@ -392,10 +210,6 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 		{ ret=BN_mod_exp_simple(r,a,p,m,ctx); }
 #endif

-#ifdef ATALLA
-	tried_atalla=0;
-#endif
-
 	return(ret);
 	}

@@ -525,12 +339,6 @@ int BN_mod_exp_mont(BIGNUM *rr, BIGNUM *a, const BIGNUM *p,
 	bn_check_top(p);
 	bn_check_top(m);

-#ifdef ATALLA
-	if(!tried_atalla && BN_mod_exp_atalla(rr,a,p,m))
-	    return 1;
-/* If it fails, try the other methods */
-#endif
-
 	if (!(m->d[0] & 1))
 		{
 		BNerr(BN_F_BN_MOD_EXP_MONT,BN_R_CALLED_WITH_EVEN_MODULUS);
@@ -693,19 +501,6 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 	t = BN_CTX_get(ctx);
 	if (d == NULL || r == NULL || t == NULL) goto err;

-#ifdef ATALLA
-	if (!tried_atalla)
-		{
-		BN_set_word(t, a);
-		if (BN_mod_exp_atalla(rr, t, p, m))
-			{
-			BN_CTX_end(ctx);
-			return 1;
-			}
-		}
-/* If it fails, try the other methods */
-#endif
-
 	if (in_mont != NULL)
 		mont=in_mont;
 	else
--- a/crypto/bn/bn_gcd.c
+++ b/crypto/bn/bn_gcd.c
@@ -168,8 +168,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
 		R=in;
 	if (R == NULL) goto err;

-	BN_zero(X);
-	BN_one(Y);
+	if (!BN_zero(X)) goto err;
+	if (!BN_one(Y)) goto err;
 	if (BN_copy(A,a) == NULL) goto err;
 	if (BN_copy(B,n) == NULL) goto err;
 	sign=1;
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -224,7 +224,7 @@ int BN_from_montgomery(BIGNUM *ret, BIGNUM *a, BN_MONT_CTX *mont,

 	if (!BN_mul(t1,t2,&mont->N,ctx)) goto err;
 	if (!BN_add(t2,a,t1)) goto err;
-	BN_rshift(ret,t2,mont->ri);
+	if (!BN_rshift(ret,t2,mont->ri)) goto err;
 #endif /* MONT_WORD */

 	if (BN_ucmp(ret, &(mont->N)) >= 0)
@@ -284,8 +284,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 		BN_ULONG buf[2];

 		mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
-		BN_zero(R);
-		BN_set_bit(R,BN_BITS2);			/* R */
+		if (!(BN_zero(R))) goto err;
+		if (!(BN_set_bit(R,BN_BITS2))) goto err;	/* R */

 		buf[0]=mod->d[0]; /* tmod = N mod word size */
 		buf[1]=0;
@@ -296,36 +296,44 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 							/* Ri = R^-1 mod N*/
 		if ((BN_mod_inverse(&Ri,R,&tmod,ctx)) == NULL)
 			goto err;
-		BN_lshift(&Ri,&Ri,BN_BITS2);		/* R*Ri */
+		/* R*Ri */
+		if (!(BN_lshift(&Ri,&Ri,BN_BITS2))) goto err;
 		if (!BN_is_zero(&Ri))
-			BN_sub_word(&Ri,1);
+			{
+		   	if (!BN_sub_word(&Ri,1)) goto err;
+			}
 		else /* if N mod word size == 1 */
-			BN_set_word(&Ri,BN_MASK2);  /* Ri-- (mod word size) */
-		BN_div(&Ri,NULL,&Ri,&tmod,ctx);	/* Ni = (R*Ri-1)/N,
-		                                 * keep only least significant word: */
+		   	/* Ri-- (mod word size) */
+			{
+			if (!BN_set_word(&Ri,BN_MASK2)) goto err;
+			}
+		/* Ni = (R*Ri-1)/N, keep only least significant word: */
+                if (!(BN_div(&Ri,NULL,&Ri,&tmod,ctx))) goto err;
 		mont->n0=Ri.d[0];
 		BN_free(&Ri);
 		}
 #else /* !MONT_WORD */
 		{ /* bignum version */
 		mont->ri=BN_num_bits(mod);
-		BN_zero(R);
-		BN_set_bit(R,mont->ri);			/* R = 2^ri */
+		if (!(BN_zero(R))) goto err;
+		/* R = 2^ri */
+		if (!(BN_set_bit(R,mont->ri))) goto err;
 							/* Ri = R^-1 mod N*/
 		if ((BN_mod_inverse(&Ri,R,mod,ctx)) == NULL)
 			goto err;
-		BN_lshift(&Ri,&Ri,mont->ri);		/* R*Ri */
-		BN_sub_word(&Ri,1);
+		/* R*Ri */
+		if (!(BN_lshift(&Ri,&Ri,mont->ri))) goto err;
+		if (!(BN_sub_word(&Ri,1))) goto err;
 							/* Ni = (R*Ri-1) / N */
-		BN_div(&(mont->Ni),NULL,&Ri,mod,ctx);
+		if (!(BN_div(&(mont->Ni),NULL,&Ri,mod,ctx))) goto err;
 		BN_free(&Ri);
 		}
 #endif

 	/* setup RR for conversions */
-	BN_zero(&(mont->RR));
-	BN_set_bit(&(mont->RR),mont->ri*2);
-	BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx);
+	if (!(BN_zero(&(mont->RR)))) goto err;
+	if (!(BN_set_bit(&(mont->RR),mont->ri*2))) goto err;
+	if (!(BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx))) goto err;

 	return(1);
 err:
@@ -336,9 +344,9 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
 	{
 	if (to == from) return(to);

-	BN_copy(&(to->RR),&(from->RR));
-	BN_copy(&(to->N),&(from->N));
-	BN_copy(&(to->Ni),&(from->Ni));
+	if (!(BN_copy(&(to->RR),&(from->RR)))) return NULL;
+	if (!(BN_copy(&(to->N),&(from->N)))) return NULL;
+	if (!(BN_copy(&(to->Ni),&(from->Ni)))) return NULL;
 	to->ri=from->ri;
 	to->n0=from->n0;
 	return(to);
--- a/crypto/bn/bn_mul.c
+++ b/crypto/bn/bn_mul.c
@@ -634,7 +634,7 @@ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)

 	if ((al == 0) || (bl == 0))
 		{
-		BN_zero(r);
+		if (!BN_zero(r)) goto err;
 		return(1);
 		}
 	top=al+bl;
@@ -677,14 +677,14 @@ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
 		{
 		if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA))
 			{
-			bn_wexpand(b,al);
+			if (bn_wexpand(b,al) == NULL) goto err;
 			b->d[bl]=0;
 			bl++;
 			i--;
 			}
 		else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA))
 			{
-			bn_wexpand(a,bl);
+			if (bn_wexpand(a,bl) == NULL) goto err;
 			a->d[al]=0;
 			al++;
 			i++;
@@ -699,16 +699,16 @@ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
 			t = BN_CTX_get(ctx);
 			if (al == j) /* exact multiple */
 				{
-				bn_wexpand(t,k*2);
-				bn_wexpand(rr,k*2);
+				if (bn_wexpand(t,k*2) == NULL) goto err;
+				if (bn_wexpand(rr,k*2) == NULL) goto err;
 				bn_mul_recursive(rr->d,a->d,b->d,al,t->d);
 				}
 			else
 				{
-				bn_wexpand(a,k);
-				bn_wexpand(b,k);
-				bn_wexpand(t,k*4);
-				bn_wexpand(rr,k*4);
+				if (bn_wexpand(a,k) == NULL ) goto err;
+				if (bn_wexpand(b,k) == NULL ) goto err;
+				if (bn_wexpand(t,k*4) == NULL ) goto err;
+				if (bn_wexpand(rr,k*4) == NULL ) goto err;
 				for (i=a->top; i<k; i++)
 					a->d[i]=0;
 				for (i=b->top; i<k; i++)
--- a/crypto/conf/Makefile.ssl
+++ b/crypto/conf/Makefile.ssl
@@ -5,7 +5,7 @@
 DIR=	conf
 TOP=	../..
 CC=	cc
-INCLUDES= -I.. -I../.. -I../../include
+INCLUDES= -I.. -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
@@ -80,18 +80,20 @@ clean:

 # DO NOT DELETE THIS LINE -- make depend depends on it.

-conf_api.o: ../../e_os.h ../../include/openssl/bio.h
-conf_api.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h
-conf_api.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+conf_api.o: ../../include/openssl/bio.h ../../include/openssl/conf.h
+conf_api.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h
+conf_api.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 conf_api.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 conf_api.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 conf_def.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 conf_def.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h
-conf_def.o: ../../include/openssl/crypto.h ../../include/openssl/err.h
-conf_def.o: ../../include/openssl/lhash.h ../../include/openssl/opensslv.h
-conf_def.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-conf_def.o: ../../include/openssl/symhacks.h conf_def.h
+conf_def.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+conf_def.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+conf_def.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+conf_def.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+conf_def.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+conf_def.o: ../cryptlib.h conf_def.h
 conf_err.o: ../../include/openssl/bio.h ../../include/openssl/conf.h
 conf_err.o: ../../include/openssl/crypto.h ../../include/openssl/err.h
 conf_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslv.h
--- a/crypto/conf/conf_api.c
+++ b/crypto/conf/conf_api.c
@@ -67,7 +67,7 @@
 #include <string.h>
 #include <openssl/conf.h>
 #include <openssl/conf_api.h>
-#include "e_os.h"
+#include "openssl/e_os.h"

 static void value_free_hash(CONF_VALUE *a, LHASH *conf);
 static void value_free_stack(CONF_VALUE *a,LHASH *conf);
--- a/crypto/conf/conf_def.c
+++ b/crypto/conf/conf_def.c
@@ -67,6 +67,7 @@
 #include "conf_def.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
+#include "cryptlib.h"

 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
@@ -180,12 +181,12 @@ static int def_destroy_data(CONF *conf)
 static int def_load(CONF *conf, BIO *in, long *line)
 	{
 #define BUFSIZE	512
-	char btmp[16];
 	int bufnum=0,i,ii;
 	BUF_MEM *buff=NULL;
 	char *s,*p,*end;
 	int again,n;
 	long eline=0;
+	char btmp[DECIMAL_SIZE(eline)+1];
 	CONF_VALUE *v=NULL,*tv;
 	CONF_VALUE *sv=NULL;
 	char *section=NULL,*buf;
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -101,7 +101,8 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
 	"debug_malloc2",
 	"dso",
 	"dynlock",
-#if CRYPTO_NUM_LOCKS != 29
+	"engine",
+#if CRYPTO_NUM_LOCKS != 30
 # error "Inconsistency between crypto.h and cryptlib.c"
 #endif
 	};
@@ -399,16 +400,15 @@ void CRYPTO_lock(int mode, int type, const char *file, int line)
 #endif
 	if (type < 0)
 		{
-		int i = -type - 1;
 		struct CRYPTO_dynlock_value *pointer
-			= CRYPTO_get_dynlock_value(i);
+			= CRYPTO_get_dynlock_value(type);

 		if (pointer && dynlock_lock_callback)
 			{
 			dynlock_lock_callback(mode, pointer, file, line);
 			}

-		CRYPTO_destroy_dynlockid(i);
+		CRYPTO_destroy_dynlockid(type);
 		}
 	else
 		if (locking_callback != NULL)
@@ -491,3 +491,11 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
 #endif

 #endif
+
+void OpenSSLDie(const char *file,int line,const char *assertion)
+    {
+    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
+	    file,line,assertion);
+    abort();
+    }
+
--- a/crypto/cryptlib.h
+++ b/crypto/cryptlib.h
@@ -89,6 +89,10 @@ extern "C" {
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"

+/* size of string represenations */
+#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
+#define HEX_SIZE(type)         ((sizeof(type)*2)
+
 #ifdef  __cplusplus
 }
 #endif
--- a/crypto/crypto-lib.com
+++ b/crypto/crypto-lib.com
@@ -88,7 +88,7 @@ $! Define The Different Encryption Types.
 $!
 $ ENCRYPT_TYPES = "Basic,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,"+ -
 		  "DES,RC2,RC4,RC5,IDEA,BF,CAST,"+ -
-		  "BN,RSA,DSA,DH,DSO,"+ -
+		  "BN,RSA,DSA,DH,DSO,ENGINE,"+ -
 		  "BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,"+ -
 		  "EVP,EVP_2,ASN1,ASN1_2,PEM,X509,X509V3,"+ -
 		  "CONF,TXT_DB,PKCS7,PKCS12,COMP"
@@ -206,6 +206,9 @@ $ LIB_DSA = "dsa_gen,dsa_key,dsa_lib,dsa_asn1,dsa_vrf,dsa_sign,dsa_err,dsa_ossl"
 $ LIB_DH = "dh_gen,dh_key,dh_lib,dh_check,dh_err"
 $ LIB_DSO = "dso_dl,dso_dlfcn,dso_err,dso_lib,dso_null,"+ -
 	"dso_openssl,dso_win32,dso_vms"
+$ LIB_ENGINE = "engine_err,engine_lib,engine_list,engine_openssl,"+ -
+	"hw_atalla,hw_cswift,hw_ncipher,hw_aep,hw_sureware,"+ -
+	"hw_ubsec,hw_keyclient"
 $ LIB_BUFFER = "buffer,buf_err"
 $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
 	"bss_mem,bss_null,bss_fd,"+ -
@@ -623,6 +626,7 @@ $   WRITE SYS$OUTPUT "	",APPLICATION,".exe"
 $!
 $! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
 $!
+$   ON ERROR THEN GOTO NEXT_APPLICATION
 $   IF (RSAREF.EQS."TRUE")
 $   THEN
 $!
@@ -1194,7 +1198,9 @@ $     CC = "CC"
 $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
 	 THEN CC = "CC/DECC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
-           "/NOLIST/PREFIX=ALL/INCLUDE=SYS$DISK:[]" + CCEXTRAFLAGS
+           "/NOLIST/PREFIX=ALL" + -
+	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[.ENGINE.VENDOR_DEFNS])" + -
+	   CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
@@ -1226,7 +1232,8 @@ $	WRITE SYS$OUTPUT "There is no VAX C on Alpha!"
 $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
-$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST/INCLUDE=SYS$DISK:[]" + -
+$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
+	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[.ENGINE.VENDOR_DEFNS])" + -
 	   CCEXTRAFLAGS
 $     CCDEFS = """VAXC""," + CCDEFS
 $!
@@ -1258,7 +1265,8 @@ $!
 $!    Use GNU C...
 $!
 $     CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=SYS$DISK:[]" + CCEXTRAFLAGS
+	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[.ENGINE.VENDOR_DEFNS])" + -
+	   CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -123,7 +123,8 @@ extern "C" {
 #define	CRYPTO_LOCK_MALLOC2		26
 #define	CRYPTO_LOCK_DSO			27
 #define	CRYPTO_LOCK_DYNLOCK		28
-#define	CRYPTO_NUM_LOCKS		29
+#define	CRYPTO_LOCK_ENGINE		29
+#define	CRYPTO_NUM_LOCKS		30

 #define CRYPTO_LOCK		1
 #define CRYPTO_UNLOCK		2
--- a/crypto/des/des.h
+++ b/crypto/des/des.h
@@ -189,7 +189,7 @@ int des_enc_write(int fd,const void *buf,int len,des_key_schedule sched,
 		  des_cblock *iv);
 char *des_fcrypt(const char *buf,const char *salt, char *ret);
 char *des_crypt(const char *buf,const char *salt);
-#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT) && !defined(_UWIN)
 char *crypt(const char *buf,const char *salt);
 #endif
 void des_ofb_encrypt(const unsigned char *in,unsigned char *out,int numbits,
--- a/crypto/dh/Makefile.ssl
+++ b/crypto/dh/Makefile.ssl
@@ -101,19 +101,39 @@ dh_gen.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 dh_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 dh_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dh_gen.o: ../cryptlib.h
-dh_key.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-dh_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dh_key.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
-dh_key.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-dh_key.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+dh_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dh_key.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+dh_key.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+dh_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+dh_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dh_key.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dh_key.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+dh_key.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+dh_key.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+dh_key.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+dh_key.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+dh_key.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 dh_key.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dh_key.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+dh_key.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+dh_key.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+dh_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 dh_key.o: ../../include/openssl/symhacks.h ../cryptlib.h
-dh_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-dh_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dh_lib.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
-dh_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-dh_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dh_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-dh_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dh_lib.o: ../cryptlib.h
+dh_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dh_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+dh_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+dh_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dh_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dh_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+dh_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+dh_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+dh_lib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+dh_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+dh_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+dh_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+dh_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+dh_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+dh_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+dh_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+dh_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h
--- a/crypto/dh/dh.h
+++ b/crypto/dh/dh.h
@@ -115,7 +115,11 @@ struct dh_st

 	int references;
 	CRYPTO_EX_DATA ex_data;
+#if 0
 	DH_METHOD *meth;
+#else
+	struct engine_st *engine;
+#endif
 	};

 #define DH_GENERATOR_2		2
@@ -150,10 +154,15 @@ struct dh_st

 DH_METHOD *DH_OpenSSL(void);

-void DH_set_default_method(DH_METHOD *meth);
-DH_METHOD *DH_get_default_method(void);
+void DH_set_default_openssl_method(DH_METHOD *meth);
+DH_METHOD *DH_get_default_openssl_method(void);
+#if 0
 DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth);
 DH *DH_new_method(DH_METHOD *meth);
+#else
+int DH_set_method(DH *dh, struct engine_st *engine);
+DH *DH_new_method(struct engine_st *engine);
+#endif

 DH *	DH_new(void);
 void	DH_free(DH *dh);
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -61,6 +61,7 @@
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 #include <openssl/dh.h>
+#include <openssl/engine.h>

 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
@@ -72,12 +73,12 @@ static int dh_finish(DH *dh);

 int DH_generate_key(DH *dh)
 	{
-	return dh->meth->generate_key(dh);
+	return ENGINE_get_DH(dh->engine)->generate_key(dh);
 	}

 int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
 	{
-	return dh->meth->compute_key(key, pub_key, dh);
+	return ENGINE_get_DH(dh->engine)->compute_key(key, pub_key, dh);
 	}

 static DH_METHOD dh_ossl = {
@@ -137,7 +138,9 @@ static int generate_key(DH *dh)
 		l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
 		if (!BN_rand(priv_key, l, 0, 0)) goto err;
 		}
-	if (!dh->meth->bn_mod_exp(dh, pub_key,dh->g,priv_key,dh->p,&ctx,mont)) goto err;
+	if (!ENGINE_get_DH(dh->engine)->bn_mod_exp(dh, pub_key, dh->g,
+				priv_key,dh->p,&ctx,mont))
+		goto err;
 		
 	dh->pub_key=pub_key;
 	dh->priv_key=priv_key;
@@ -176,7 +179,8 @@ static int compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
 		}

 	mont=(BN_MONT_CTX *)dh->method_mont_p;
-	if (!dh->meth->bn_mod_exp(dh, tmp,pub_key,dh->priv_key,dh->p,&ctx,mont))
+	if (!ENGINE_get_DH(dh->engine)->bn_mod_exp(dh, tmp, pub_key,
+				dh->priv_key,dh->p,&ctx,mont))
 		{
 		DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB);
 		goto err;
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -60,6 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/dh.h>
+#include <openssl/engine.h>

 const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT;

@@ -67,17 +68,32 @@ static DH_METHOD *default_DH_method = NULL;
 static int dh_meth_num = 0;
 static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dh_meth = NULL;

-void DH_set_default_method(DH_METHOD *meth)
+void DH_set_default_openssl_method(DH_METHOD *meth)
 {
+	ENGINE *e;
+	/* We'll need to notify the "openssl" ENGINE of this
+	 * change too. We won't bother locking things down at
+	 * our end as there was never any locking in these
+	 * functions! */
+	if(default_DH_method != meth)
+		{
 		default_DH_method = meth;
+		e = ENGINE_by_id("openssl");
+		if(e)
+			{
+			ENGINE_set_DH(e, meth);
+			ENGINE_free(e);
+			}
+		}
 }

-DH_METHOD *DH_get_default_method(void)
+DH_METHOD *DH_get_default_openssl_method(void)
 {
 	if(!default_DH_method) default_DH_method = DH_OpenSSL();
 	return default_DH_method;
 }

+#if 0
 DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth)
 {
        DH_METHOD *mtmp;
@@ -87,14 +103,37 @@ DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth)
        if (meth->init) meth->init(dh);
        return mtmp;
 }
+#else
+int DH_set_method(DH *dh, ENGINE *engine)
+{
+	ENGINE *mtmp;
+	DH_METHOD *meth;
+	mtmp = dh->engine;
+	meth = ENGINE_get_DH(mtmp);
+	if (!ENGINE_init(engine))
+		return 0;
+	if (meth->finish) meth->finish(dh);
+	dh->engine= engine;
+	meth = ENGINE_get_DH(engine);
+	if (meth->init) meth->init(dh);
+	/* SHOULD ERROR CHECK THIS!!! */
+	ENGINE_finish(mtmp);
+	return 1;
+}
+#endif

 DH *DH_new(void)
 {
 	return DH_new_method(NULL);
 }

+#if 0
 DH *DH_new_method(DH_METHOD *meth)
+#else
+DH *DH_new_method(ENGINE *engine)
+#endif
 	{
+	DH_METHOD *meth;
 	DH *ret;
 	ret=(DH *)OPENSSL_malloc(sizeof(DH));

@@ -103,8 +142,17 @@ DH *DH_new_method(DH_METHOD *meth)
 		DHerr(DH_F_DH_NEW,ERR_R_MALLOC_FAILURE);
 		return(NULL);
 		}
-	if(meth) ret->meth = meth;
-	else ret->meth = DH_get_default_method();
+	if(engine)
+		ret->engine = engine;
+	else
+		{
+		if((ret->engine=ENGINE_get_default_DH()) == NULL)
+			{
+			OPENSSL_free(ret);
+			return NULL;
+			}
+		}
+	meth = ENGINE_get_DH(ret->engine);
 	ret->pad=0;
 	ret->version=0;
 	ret->p=NULL;
@@ -119,9 +167,9 @@ DH *DH_new_method(DH_METHOD *meth)
 	ret->counter = NULL;
 	ret->method_mont_p=NULL;
 	ret->references = 1;
-	ret->flags=ret->meth->flags;
+	ret->flags=meth->flags;
 	CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data);
-	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
+	if ((meth->init != NULL) && !meth->init(ret))
 		{
 		CRYPTO_free_ex_data(dh_meth,ret,&ret->ex_data);
 		OPENSSL_free(ret);
@@ -132,6 +180,7 @@ DH *DH_new_method(DH_METHOD *meth)

 void DH_free(DH *r)
 	{
+	DH_METHOD *meth;
 	int i;
 	if(r == NULL) return;
 	i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_DH);
@@ -147,7 +196,9 @@ void DH_free(DH *r)
 	}
 #endif

-	if(r->meth->finish) r->meth->finish(r);
+	meth = ENGINE_get_DH(r->engine);
+	if(meth->finish) meth->finish(r);
+	ENGINE_finish(r->engine);

 	CRYPTO_free_ex_data(dh_meth, r, &r->ex_data);

--- a/crypto/dsa/Makefile.ssl
+++ b/crypto/dsa/Makefile.ssl
@@ -116,39 +116,75 @@ dsa_key.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 dsa_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 dsa_key.o: ../../include/openssl/symhacks.h ../cryptlib.h
 dsa_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-dsa_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-dsa_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-dsa_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-dsa_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dsa_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-dsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dsa_lib.o: ../cryptlib.h
+dsa_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+dsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+dsa_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+dsa_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+dsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+dsa_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+dsa_lib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+dsa_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+dsa_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+dsa_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+dsa_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+dsa_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+dsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+dsa_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+dsa_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h
 dsa_ossl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-dsa_ossl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-dsa_ossl.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-dsa_ossl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-dsa_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+dsa_ossl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+dsa_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+dsa_ossl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+dsa_ossl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_ossl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_ossl.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+dsa_ossl.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+dsa_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+dsa_ossl.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+dsa_ossl.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+dsa_ossl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 dsa_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-dsa_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_ossl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+dsa_ossl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+dsa_ossl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+dsa_ossl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 dsa_ossl.o: ../../include/openssl/symhacks.h ../cryptlib.h
 dsa_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-dsa_sign.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-dsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-dsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-dsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+dsa_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+dsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+dsa_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_sign.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+dsa_sign.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+dsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+dsa_sign.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+dsa_sign.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+dsa_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-dsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+dsa_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+dsa_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+dsa_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 dsa_sign.o: ../../include/openssl/symhacks.h ../cryptlib.h
 dsa_vrf.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-dsa_vrf.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-dsa_vrf.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dsa_vrf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_vrf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-dsa_vrf.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_vrf.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+dsa_vrf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dsa_vrf.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+dsa_vrf.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+dsa_vrf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+dsa_vrf.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+dsa_vrf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+dsa_vrf.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+dsa_vrf.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+dsa_vrf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+dsa_vrf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 dsa_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dsa_vrf.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dsa_vrf.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+dsa_vrf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+dsa_vrf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 dsa_vrf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dsa_vrf.o: ../cryptlib.h
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -133,7 +133,11 @@ struct dsa_st
 	char *method_mont_p;
 	int references;
 	CRYPTO_EX_DATA ex_data;
+#if 0
 	DSA_METHOD *meth;
+#else
+	struct engine_st *engine;
+#endif
 	};

 #define DSAparams_dup(x) (DSA *)ASN1_dup((int (*)())i2d_DSAparams, \
@@ -159,12 +163,20 @@ int	DSA_do_verify(const unsigned char *dgst,int dgst_len,

 DSA_METHOD *DSA_OpenSSL(void);

-void        DSA_set_default_method(DSA_METHOD *);
-DSA_METHOD *DSA_get_default_method(void);
+void        DSA_set_default_openssl_method(DSA_METHOD *);
+DSA_METHOD *DSA_get_default_openssl_method(void);
+#if 0
 DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *);
+#else
+int DSA_set_method(DSA *dsa, struct engine_st *engine);
+#endif

 DSA *	DSA_new(void);
+#if 0
 DSA *	DSA_new_method(DSA_METHOD *meth);
+#else
+DSA *	DSA_new_method(struct engine_st *engine);
+#endif
 int	DSA_size(DSA *);
 	/* next 4 return -1 on error */
 int	DSA_sign_setup( DSA *dsa,BN_CTX *ctx_in,BIGNUM **kinvp,BIGNUM **rp);
--- a/crypto/dsa/dsa_asn1.c
+++ b/crypto/dsa/dsa_asn1.c
@@ -84,6 +84,7 @@ DSA_SIG *d2i_DSA_SIG(DSA_SIG **a, unsigned char **pp, long length)
 	if ((ret->s=BN_bin2bn(bs->data,bs->length,ret->s)) == NULL)
 		goto err_bn;
 	M_ASN1_BIT_STRING_free(bs);
+	bs = NULL;
 	M_ASN1_D2I_Finish_2(a);

 err_bn:
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -63,6 +63,7 @@
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
 #include <openssl/asn1.h>
+#include <openssl/engine.h>

 const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT;

@@ -70,12 +71,26 @@ static DSA_METHOD *default_DSA_method = NULL;
 static int dsa_meth_num = 0;
 static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dsa_meth = NULL;

-void DSA_set_default_method(DSA_METHOD *meth)
+void DSA_set_default_openssl_method(DSA_METHOD *meth)
 {
+	ENGINE *e;
+	/* We'll need to notify the "openssl" ENGINE of this
+	 * change too. We won't bother locking things down at
+	 * our end as there was never any locking in these
+	 * functions! */
+	if(default_DSA_method != meth)
+		{
 		default_DSA_method = meth;
+		e = ENGINE_by_id("openssl");
+		if(e)
+			{
+			ENGINE_set_DSA(e, meth);
+			ENGINE_free(e);
+			}
+		}
 }

-DSA_METHOD *DSA_get_default_method(void)
+DSA_METHOD *DSA_get_default_openssl_method(void)
 {
 	if(!default_DSA_method) default_DSA_method = DSA_OpenSSL();
 	return default_DSA_method;
@@ -86,6 +101,7 @@ DSA *DSA_new(void)
 	return DSA_new_method(NULL);
 }

+#if 0
 DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *meth)
 {
        DSA_METHOD *mtmp;
@@ -95,10 +111,33 @@ DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *meth)
        if (meth->init) meth->init(dsa);
        return mtmp;
 }
-
-
-DSA *DSA_new_method(DSA_METHOD *meth)
+#else
+int DSA_set_method(DSA *dsa, ENGINE *engine)
 	{
+	ENGINE *mtmp;
+	DSA_METHOD *meth;
+	mtmp = dsa->engine;
+	meth = ENGINE_get_DSA(mtmp);
+	if (!ENGINE_init(engine))
+		return 0;
+	if (meth->finish) meth->finish(dsa);
+	dsa->engine = engine;
+	meth = ENGINE_get_DSA(engine);
+	if (meth->init) meth->init(dsa);
+	/* SHOULD ERROR CHECK THIS!!! */
+	ENGINE_finish(mtmp);
+	return 1;
+	}
+#endif
+
+
+#if 0
+DSA *DSA_new_method(DSA_METHOD *meth)
+#else
+DSA *DSA_new_method(ENGINE *engine)
+#endif
+	{
+	DSA_METHOD *meth;
 	DSA *ret;

 	ret=(DSA *)OPENSSL_malloc(sizeof(DSA));
@@ -107,8 +146,17 @@ DSA *DSA_new_method(DSA_METHOD *meth)
 		DSAerr(DSA_F_DSA_NEW,ERR_R_MALLOC_FAILURE);
 		return(NULL);
 		}
-	if(meth) ret->meth = meth;
-	else ret->meth = DSA_get_default_method();
+	if(engine)
+		ret->engine = engine;
+	else
+		{
+		if((ret->engine=ENGINE_get_default_DSA()) == NULL)
+			{
+			OPENSSL_free(ret);
+			return NULL;
+			}
+		}
+	meth = ENGINE_get_DSA(ret->engine);
 	ret->pad=0;
 	ret->version=0;
 	ret->write_params=1;
@@ -124,9 +172,9 @@ DSA *DSA_new_method(DSA_METHOD *meth)
 	ret->method_mont_p=NULL;

 	ret->references=1;
-	ret->flags=ret->meth->flags;
+	ret->flags=meth->flags;
 	CRYPTO_new_ex_data(dsa_meth,ret,&ret->ex_data);
-	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
+	if ((meth->init != NULL) && !meth->init(ret))
 		{
 		CRYPTO_free_ex_data(dsa_meth,ret,&ret->ex_data);
 		OPENSSL_free(ret);
@@ -138,6 +186,7 @@ DSA *DSA_new_method(DSA_METHOD *meth)

 void DSA_free(DSA *r)
 	{
+	DSA_METHOD *meth;
 	int i;

 	if (r == NULL) return;
@@ -155,7 +204,9 @@ void DSA_free(DSA *r)
 		}
 #endif

-	if(r->meth->finish) r->meth->finish(r);
+	meth = ENGINE_get_DSA(r->engine);
+	if(meth->finish) meth->finish(r);
+	ENGINE_finish(r->engine);

 	CRYPTO_free_ex_data(dsa_meth, r, &r->ex_data);

--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -64,6 +64,7 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
+#include <openssl/engine.h>

 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
@@ -201,7 +202,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 		}

 	/* Compute r = (g^k mod p) mod q */
-	if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
+	if (!ENGINE_get_DSA(dsa->engine)->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
 		(BN_MONT_CTX *)dsa->method_mont_p)) goto err;
 	if (!BN_mod(r,r,dsa->q,ctx)) goto err;

@@ -290,7 +291,7 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 	if (!BN_mod(&u1,&u1,dsa->q,ctx)) goto err;
 #else
 	{
-	if (!dsa->meth->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2,
+	if (!ENGINE_get_DSA(dsa->engine)->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2,
 						dsa->p,ctx,mont)) goto err;
 	/* BN_copy(&u1,&t1); */
 	/* let u1 = u1 mod q */
--- a/crypto/dsa/dsa_sign.c
+++ b/crypto/dsa/dsa_sign.c
@@ -64,10 +64,11 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
+#include <openssl/engine.h>

 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 	{
-	return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
+	return ENGINE_get_DSA(dsa->engine)->dsa_do_sign(dgst, dlen, dsa);
 	}

 int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
@@ -87,6 +88,6 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,

 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	{
-	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
+	return ENGINE_get_DSA(dsa->engine)->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
 	}

--- a/crypto/dsa/dsa_vrf.c
+++ b/crypto/dsa/dsa_vrf.c
@@ -65,11 +65,12 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1_mac.h>
+#include <openssl/engine.h>

 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 		  DSA *dsa)
 	{
-	return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
+	return ENGINE_get_DSA(dsa->engine)->dsa_do_verify(dgst, dgst_len, sig, dsa);
 	}

 /* data has already been hashed (probably with SHA or SHA-1). */
--- a/crypto/dso/dso_dlfcn.c
+++ b/crypto/dso/dso_dlfcn.c
@@ -112,7 +112,7 @@ DSO_METHOD *DSO_METHOD_dlfcn(void)
 * as we don't have autoconf yet, I'm implementing a hack that could
 * be hacked further relatively easily to deal with cases as we find
 * them. Initially this is to cope with OpenBSD. */
-#ifdef __OpenBSD__
+#if defined(__OpenBSD__) || defined(__NetBSD__)
 #	ifdef DL_LAZY
 #		define DLOPEN_FLAG DL_LAZY
 #	else
--- a/crypto/ebcdic.c
+++ b/crypto/ebcdic.c
@@ -211,7 +211,7 @@ ascii2ebcdic(void *dest, const void *srce, size_t count)
 }

 #else /*CHARSET_EBCDIC*/
-#if defined(PEDANTIC) || defined(VMS) || defined(__VMS)
+#if defined(PEDANTIC) || defined(VMS) || defined(__VMS) || defined(_DARWIN)
 static void *dummy=&dummy;
 #endif
 #endif
--- a/crypto/engine/.cvsignore
+++ b/crypto/engine/.cvsignore
@@ -0,0 +1,2 @@
+lib
+Makefile.save
--- a/crypto/engine/Makefile.ssl
+++ b/crypto/engine/Makefile.ssl
@@ -0,0 +1,304 @@
+#
+# OpenSSL/crypto/engine/Makefile
+#
+
+DIR=	engine
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST= enginetest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= engine_err.c engine_lib.c engine_list.c engine_openssl.c \
+	hw_atalla.c hw_cswift.c hw_ncipher.c hw_aep.c hw_sureware.c \
+	hw_ubsec.c hw_keyclient.c
+LIBOBJ= engine_err.o engine_lib.o engine_list.o engine_openssl.o \
+	hw_atalla.o hw_cswift.o hw_ncipher.o hw_aep.o hw_sureware.o \
+	hw_ubsec.o hw_keyclient.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= engine.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+engine_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+engine_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+engine_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+engine_err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+engine_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+engine_err.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+engine_err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+engine_err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+engine_err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+engine_err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+engine_err.o: ../../include/openssl/objects.h
+engine_err.o: ../../include/openssl/opensslconf.h
+engine_err.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+engine_err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+engine_err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+engine_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+engine_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+engine_err.o: ../../include/openssl/symhacks.h
+engine_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+engine_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+engine_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+engine_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+engine_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+engine_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+engine_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+engine_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+engine_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+engine_lib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+engine_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+engine_lib.o: ../../include/openssl/objects.h
+engine_lib.o: ../../include/openssl/opensslconf.h
+engine_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+engine_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+engine_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+engine_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+engine_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+engine_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h engine_int.h
+engine_list.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+engine_list.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+engine_list.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+engine_list.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+engine_list.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+engine_list.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+engine_list.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+engine_list.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+engine_list.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+engine_list.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+engine_list.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+engine_list.o: ../../include/openssl/objects.h
+engine_list.o: ../../include/openssl/opensslconf.h
+engine_list.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+engine_list.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+engine_list.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+engine_list.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+engine_list.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+engine_list.o: ../../include/openssl/symhacks.h ../cryptlib.h engine_int.h
+engine_openssl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+engine_openssl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+engine_openssl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+engine_openssl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+engine_openssl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+engine_openssl.o: ../../include/openssl/dso.h ../../include/openssl/e_os.h
+engine_openssl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+engine_openssl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+engine_openssl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+engine_openssl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+engine_openssl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+engine_openssl.o: ../../include/openssl/obj_mac.h
+engine_openssl.o: ../../include/openssl/objects.h
+engine_openssl.o: ../../include/openssl/opensslconf.h
+engine_openssl.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+engine_openssl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+engine_openssl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+engine_openssl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+engine_openssl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+engine_openssl.o: ../../include/openssl/symhacks.h ../cryptlib.h engine_int.h
+hw_aep.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hw_aep.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+hw_aep.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+hw_aep.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+hw_aep.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hw_aep.o: ../../include/openssl/dso.h ../../include/openssl/e_os.h
+hw_aep.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+hw_aep.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+hw_aep.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+hw_aep.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+hw_aep.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+hw_aep.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+hw_aep.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+hw_aep.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+hw_aep.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+hw_aep.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+hw_aep.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+hw_aep.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+hw_aep.o: ../../include/openssl/symhacks.h ../cryptlib.h engine_int.h
+hw_aep.o: vendor_defns/aep.h
+hw_atalla.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hw_atalla.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+hw_atalla.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+hw_atalla.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+hw_atalla.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hw_atalla.o: ../../include/openssl/dso.h ../../include/openssl/e_os.h
+hw_atalla.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+hw_atalla.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+hw_atalla.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+hw_atalla.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+hw_atalla.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+hw_atalla.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+hw_atalla.o: ../../include/openssl/opensslconf.h
+hw_atalla.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+hw_atalla.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+hw_atalla.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+hw_atalla.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+hw_atalla.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+hw_atalla.o: ../../include/openssl/symhacks.h ../cryptlib.h engine_int.h
+hw_atalla.o: vendor_defns/atalla.h
+hw_cswift.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hw_cswift.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+hw_cswift.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+hw_cswift.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+hw_cswift.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hw_cswift.o: ../../include/openssl/dso.h ../../include/openssl/e_os.h
+hw_cswift.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+hw_cswift.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+hw_cswift.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+hw_cswift.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+hw_cswift.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+hw_cswift.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+hw_cswift.o: ../../include/openssl/opensslconf.h
+hw_cswift.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+hw_cswift.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+hw_cswift.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+hw_cswift.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+hw_cswift.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+hw_cswift.o: ../../include/openssl/symhacks.h ../cryptlib.h engine_int.h
+hw_cswift.o: vendor_defns/cswift.h
+hw_keyclient.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hw_keyclient.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+hw_keyclient.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+hw_keyclient.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+hw_keyclient.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hw_keyclient.o: ../../include/openssl/dso.h ../../include/openssl/e_os.h
+hw_keyclient.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+hw_keyclient.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+hw_keyclient.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+hw_keyclient.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+hw_keyclient.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+hw_keyclient.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+hw_keyclient.o: ../../include/openssl/opensslconf.h
+hw_keyclient.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+hw_keyclient.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+hw_keyclient.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+hw_keyclient.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+hw_keyclient.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+hw_keyclient.o: ../../include/openssl/symhacks.h ../cryptlib.h engine_int.h
+hw_keyclient.o: vendor_defns/keyclient.h
+hw_ncipher.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hw_ncipher.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+hw_ncipher.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+hw_ncipher.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+hw_ncipher.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hw_ncipher.o: ../../include/openssl/dso.h ../../include/openssl/e_os.h
+hw_ncipher.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+hw_ncipher.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+hw_ncipher.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+hw_ncipher.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+hw_ncipher.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+hw_ncipher.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+hw_ncipher.o: ../../include/openssl/opensslconf.h
+hw_ncipher.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+hw_ncipher.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+hw_ncipher.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+hw_ncipher.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+hw_ncipher.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+hw_ncipher.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+hw_ncipher.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+hw_ncipher.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+hw_ncipher.o: ../cryptlib.h engine_int.h vendor_defns/hwcryptohook.h
+hw_sureware.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hw_sureware.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+hw_sureware.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+hw_sureware.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+hw_sureware.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hw_sureware.o: ../../include/openssl/dso.h ../../include/openssl/e_os.h
+hw_sureware.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+hw_sureware.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+hw_sureware.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+hw_sureware.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+hw_sureware.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+hw_sureware.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+hw_sureware.o: ../../include/openssl/opensslconf.h
+hw_sureware.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+hw_sureware.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+hw_sureware.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+hw_sureware.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+hw_sureware.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+hw_sureware.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+hw_sureware.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+hw_sureware.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+hw_sureware.o: ../cryptlib.h engine.h engine_int.h vendor_defns/sureware.h
+hw_ubsec.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hw_ubsec.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+hw_ubsec.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+hw_ubsec.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+hw_ubsec.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hw_ubsec.o: ../../include/openssl/dso.h ../../include/openssl/e_os.h
+hw_ubsec.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+hw_ubsec.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+hw_ubsec.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+hw_ubsec.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+hw_ubsec.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+hw_ubsec.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+hw_ubsec.o: ../../include/openssl/opensslconf.h
+hw_ubsec.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+hw_ubsec.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+hw_ubsec.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+hw_ubsec.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+hw_ubsec.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+hw_ubsec.o: ../../include/openssl/symhacks.h ../cryptlib.h engine_int.h
+hw_ubsec.o: vendor_defns/hw_ubsec.h
--- a/crypto/engine/README
+++ b/crypto/engine/README
@@ -0,0 +1,278 @@
+NOTES, THOUGHTS, and EVERYTHING
+-------------------------------
+
+(1) Concurrency and locking ... I made a change to the ENGINE_free code
+    because I spotted a potential hold-up in proceedings (doing too
+    much inside a lock including calling a callback), there may be
+    other bits like this. What do the speed/optimisation freaks think
+    of this aspect of the code and design? There's lots of locking for
+    manipulation functions and I need that to keep things nice and
+    solid, but this manipulation is mostly (de)initialisation, I would
+    think that most run-time locking is purely in the ENGINE_init and
+    ENGINE_finish calls that might be made when getting handles for
+    RSA (and friends') structures. These would be mostly reference
+    count operations as the functional references should always be 1
+    or greater at run-time to prevent init/deinit thrashing.
+
+(2) nCipher support, via the HWCryptoHook API, is now in the code.
+    Apparently this hasn't been tested too much yet, but it looks
+    good. :-) Atalla support has been added too, but shares a lot in
+    common with Ben's original hooks in bn_exp.c (although it has been
+    ENGINE-ified, and error handling wrapped around it) and it's also
+    had some low-volume testing, so it should be usable.
+
+(3) Of more concern, we need to work out (a) how to put together usable
+    RAND_METHODs for units that just have one "get n or less random
+    bytes" function, (b) we also need to determine how to hook the code
+    in crypto/rand/ to use the ENGINE defaults in a way similar to what
+    has been done in crypto/rsa/, crypto/dsa/, etc.
+
+(4) ENGINE should really grow to encompass more than 3 public key
+    algorithms and randomness gathering. The structure/data level of
+    the engine code is hidden from code outside the crypto/engine/
+    directory so change shouldn't be too viral. More important though
+    is how things should evolve ... this needs thought and discussion.
+
+
+-----------------------------------==*==-----------------------------------
+
+More notes 2000-08-01
+---------------------
+
+Geoff Thorpe, who designed the engine part, wrote a pretty good description
+of the thoughts he had when he built it, good enough to include verbatim here
+(with his permission)					-- Richard Levitte
+
+
+Date: Tue, 1 Aug 2000 16:54:08 +0100 (BST)
+From: Geoff Thorpe
+Subject: Re: The thoughts to merge BRANCH_engine into the main trunk are
+ emerging
+
+Hi there,
+
+I'm going to try and do some justice to this, but I'm a little short on
+time and the there is an endless amount that could be discussed on this
+subject. sigh ... please bear with me :-)
+
+> The changes in BRANCH_engine dig deep into the core of OpenSSL, for example
+> into the RSA and RAND routines, adding a level of indirection which is needed
+> to keep the abstraction, as far as I understand.  It would be a good thing if
+> those who do play with those things took a look at the changes that have been
+> done in the branch and say out loud how much (or hopefully little) we've made
+> fools of ourselves.
+
+The point here is that the code that has emerged in the BRANCH_engine
+branch was based on some initial requirements of mine that I went in and
+addressed, and Richard has picked up the ball and run with it too. It
+would be really useful to get some review of the approach we've taken, but
+first I think I need to describe as best I can the reasons behind what has
+been done so far, in particular what issues we have tried to address when
+doing this, and what issues we have intentionally (or necessarily) tried
+to avoid.
+
+methods, engines, and evps
+--------------------------
+
+There has been some dicussion, particularly with Steve, about where this
+ENGINE stuff might fit into the conceptual picture as/when we start to
+abstract algorithms a little bit to make the library more extensible. In
+particular, it would desirable to have algorithms (symmetric, hash, pkc,
+etc) abstracted in some way that allows them to be just objects sitting in
+a list (or database) ... it'll just happen that the "DSA" object doesn't
+support encryption whereas the "RSA" object does. This requires a lot of
+consideration to begin to know how to tackle it; in particular how
+encapsulated should these things be? If the objects also understand their
+own ASN1 encodings and what-not, then it would for example be possible to
+add support for elliptic-curve DSA in as a new algorithm and automatically
+have ECC-DSA certificates supported in SSL applications. Possible, but not
+easy. :-)
+
+Whatever, it seems that the way to go (if I've grok'd Steve's comments on
+this in the past) is to amalgamate these things in EVP as is already done
+(I think) for ciphers or hashes (Steve, please correct/elaborate). I
+certainly think something should be done in this direction because right
+now we have different source directories, types, functions, and methods
+for each algorithm - even when conceptually they are very much different
+feathers of the same bird. (This is certainly all true for the public-key
+stuff, and may be partially true for the other parts.)
+
+ENGINE was *not* conceived as a way of solving this, far from it. Nor was
+it conceived as a way of replacing the various "***_METHOD"s. It was
+conceived as an abstraction of a sort of "virtual crypto device". If we
+lived in a world where "EVP_ALGO"s (or something like them) encapsulated
+particular algorithms like RSA,DSA,MD5,RC4,etc, and "***_METHOD"s
+encapsulated interfaces to algorithms (eg. some algo's might support a
+PKC_METHOD, a HASH_METHOD, or a CIPHER_METHOD, who knows?), then I would
+think that ENGINE would encapsulate an implementation of arbitrarily many
+of those algorithms - perhaps as alternatives to existing algorithms
+and/or perhaps as new previously unimplemented algorithms. An ENGINE could
+be used to contain an alternative software implementation, a wrapper for a
+hardware acceleration and/or key-management unit, a comms-wrapper for
+distributing cryptographic operations to remote machines, or any other
+"devices" your imagination can dream up.
+
+However, what has been done in the ENGINE branch so far is nothing more
+than starting to get our toes wet. I had a couple of self-imposed
+requirements when putting the initial abstraction together, and I may have
+already posed these in one form or another on the list, but briefly;
+
+   (i) only bother with public key algorithms for now, and maybe RAND too
+       (motivated by the need to get hardware support going and the fact
+       this was a comparitively easy subset to address to begin with).
+
+  (ii) don't change (if at all possible) the existing crypto code, ie. the
+       implementations, the way the ***_METHODs work, etc.
+
+ (iii) ensure that if no function from the ENGINE code is ever called then
+       things work the way they always did, and there is no memory
+       allocation (otherwise the failure to cleanup would be a problem -
+       this is part of the reason no STACKs were used, the other part of
+       the reason being I found them inappropriate).
+
+  (iv) ensure that all the built-in crypto was encapsulated by one of
+       these "ENGINE"s and that this engine was automatically selected as
+       the default.
+
+   (v) provide the minimum hooking possible in the existing crypto code
+       so that global functions (eg. RSA_public_encrypt) do not need any
+       extra parameter, yet will use whatever the current default ENGINE
+       for that RSA key is, and that the default can be set "per-key"
+       and globally (new keys will assume the global default, and keys
+       without their own default will be operated on using the global
+       default). NB: Try and make (v) conflict as little as possible with
+       (ii). :-)
+
+  (vi) wrap the ENGINE code up in duct tape so you can't even see the
+       corners. Ie. expose no structures at all, just black-box pointers.
+
+   (v) maintain internally a list of ENGINEs on which a calling
+       application can iterate, interrogate, etc. Allow a calling
+       application to hook in new ENGINEs, remove ENGINEs from the list,
+       and enforce uniqueness within the global list of each ENGINE's
+       "unique id".
+
+  (vi) keep reference counts for everything - eg. this includes storing a
+       reference inside each RSA structure to the ENGINE that it uses.
+       This is freed when the RSA structure is destroyed, or has its
+       ENGINE explicitly changed. The net effect needs to be that at any
+       time, it is deterministic to know whether an ENGINE is in use or
+       can be safely removed (or unloaded in the case of the other type
+       of reference) without invalidating function pointers that may or
+       may not be used indavertently in the future. This was actually
+       one of the biggest problems to overcome in the existing OpenSSL
+       code - implementations had always been assumed to be ever-present,
+       so there was no trivial way to get round this.
+
+ (vii) distinguish between structural references and functional
+       references.
+
+A *little* detail
+-----------------
+
+While my mind is on it; I'll illustrate the bit in item (vii). This idea
+turned out to be very handy - the ENGINEs themselves need to be operated
+on and manipulated simply as objects without necessarily trying to
+"enable" them for use. Eg. most host machines will not have the necessary
+hardware or software to support all the engines one might compile into
+OpenSSL, yet it needs to be possible to iterate across the ENGINEs,
+querying their names, properties, etc - all happening in a thread-safe
+manner that uses reference counts (if you imagine two threads iterating
+through a list and one thread removing the ENGINE the other is currently
+looking at - you can see the gotcha waiting to happen). For all of this,
+*structural references* are used and operate much like the other reference
+counts in OpenSSL.
+
+The other kind of reference count is for *functional* references - these
+indicate a reference on which the caller can actually assume the
+particular ENGINE to be initialised and usable to perform the operations
+it implements. Any increment or decrement of the functional reference
+count automatically invokes a corresponding change in the structural
+reference count, as it is fairly obvious that a functional reference is a
+restricted case of a structural reference. So struct_ref >= funct_ref at
+all times. NB: functional references are usually obtained by a call to
+ENGINE_init(), but can also be created implicitly by calls that require a
+new functional reference to be created, eg. ENGINE_set_default(). Either
+way the only time the underlying ENGINE's "init" function is really called
+is when the (functional) reference count increases to 1, similarly the
+underlying "finish" handler is only called as the count goes down to 0.
+The effect of this, for example, is that if you set the default ENGINE for
+RSA operations to be "cswift", then its functional reference count will
+already be at least 1 so the CryptoSwift shared-library and the card will
+stay loaded and initialised until such time as all RSA keys using the
+cswift ENGINE are changed or destroyed and the default ENGINE for RSA
+operations has been changed. This prevents repeated thrashing of init and
+finish handling if the count keeps getting down as far as zero.
+
+Otherwise, the way the ENGINE code has been put together I think pretty
+much reflects the above points. The reason for the ENGINE structure having
+individual RSA_METHOD, DSA_METHOD, etc pointers is simply that it was the
+easiest way to go about things for now, to hook it all into the raw
+RSA,DSA,etc code, and I was trying to the keep the structure invisible
+anyway so that the way this is internally managed could be easily changed
+later on when we start to work out what's to be done about these other
+abstractions.
+
+Down the line, if some EVP-based technique emerges for adequately
+encapsulating algorithms and all their various bits and pieces, then I can
+imagine that "ENGINE" would turn into a reference-counting database of
+these EVP things, of which the default "openssl" ENGINE would be the
+library's own object database of pre-built software implemented algorithms
+(and such). It would also be cool to see the idea of "METHOD"s detached
+from the algorithms themselves ... so RSA, DSA, ElGamal, etc can all
+expose essentially the same METHOD (aka interface), which would include
+any querying/flagging stuff to identify what the algorithm can/can't do,
+its name, and other stuff like max/min block sizes, key sizes, etc. This
+would result in ENGINE similarly detaching its internal database of
+algorithm implementations from the function definitions that return
+interfaces to them. I think ...
+
+As for DSOs etc. Well the DSO code is pretty handy (but could be made much
+more so) for loading vendor's driver-libraries and talking to them in some
+generic way, but right now there's still big problems associated with
+actually putting OpenSSL code (ie. new ENGINEs, or anything else for that
+matter) in dynamically loadable libraries. These problems won't go away in
+a hurry so I don't think we should expect to have any kind of
+shared-library extensions any time soon - but solving the problems is a
+good thing to aim for, and would as a side-effect probably help make
+OpenSSL more usable as a shared-library itself (looking at the things
+needed to do this will show you why).
+
+One of the problems is that if you look at any of the ENGINE
+implementations, eg. hw_cswift.c or hw_ncipher.c, you'll see how it needs
+a variety of functionality and definitions from various areas of OpenSSL,
+including crypto/bn/, crypto/err/, crypto/ itself (locking for example),
+crypto/dso/, crypto/engine/, crypto/rsa, etc etc etc. So if similar code
+were to be suctioned off into shared libraries, the shared libraries would
+either have to duplicate all the definitions and code and avoid loader
+conflicts, or OpenSSL would have to somehow expose all that functionality
+to the shared-library. If this isn't a big enough problem, the issue of
+binary compatibility will be - anyone writing Apache modules can tell you
+that (Ralf? Ben? :-). However, I don't think OpenSSL would need to be
+quite so forgiving as Apache should be, so OpenSSL could simply tell its
+version to the DSO and leave the DSO with the problem of deciding whether
+to proceed or bail out for fear of binary incompatibilities.
+
+Certainly one thing that would go a long way to addressing this is to
+embark on a bit of an opaqueness mission. I've set the ENGINE code up with
+this in mind - it's so draconian that even to declare your own ENGINE, you
+have to get the engine code to create the underlying ENGINE structure, and
+then feed in the new ENGINE's function/method pointers through various
+"set" functions. The more of the code that takes on such a black-box
+approach, the more of the code that will be (a) easy to expose to shared
+libraries that need it, and (b) easy to expose to applications wanting to
+use OpenSSL itself as a shared-library. From my own explorations in
+OpenSSL, the biggest leviathan I've seen that is a problem in this respect
+is the BIGNUM code. Trying to "expose" the bignum code through any kind of
+organised "METHODs", let alone do all the necessary bignum operations
+solely through functions rather than direct access to the structures and
+macros, will be a massive pain in the "r"s.
+
+Anyway, I'm done for now - hope it was readable. Thoughts?
+
+Cheers,
+Geoff
+
+
+-----------------------------------==*==-----------------------------------
+
--- a/crypto/engine/engine.h
+++ b/crypto/engine/engine.h
@@ -0,0 +1,458 @@
+/* openssl/engine.h */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_ENGINE_H
+#define HEADER_ENGINE_H
+
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/dh.h>
+#include <openssl/rand.h>
+#include <openssl/evp.h>
+#include <openssl/symhacks.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* These flags are used to control combinations of algorithm (methods)
+ * by bitwise "OR"ing. */
+#define ENGINE_METHOD_RSA		(unsigned int)0x0001
+#define ENGINE_METHOD_DSA		(unsigned int)0x0002
+#define ENGINE_METHOD_DH		(unsigned int)0x0004
+#define ENGINE_METHOD_RAND		(unsigned int)0x0008
+#define ENGINE_METHOD_BN_MOD_EXP	(unsigned int)0x0010
+#define ENGINE_METHOD_BN_MOD_EXP_CRT	(unsigned int)0x0020
+/* Obvious all-or-nothing cases. */
+#define ENGINE_METHOD_ALL		(unsigned int)0xFFFF
+#define ENGINE_METHOD_NONE		(unsigned int)0x0000
+
+/* These flags are used to tell the ctrl function what should be done.
+ * All command numbers are shared between all engines, even if some don't
+ * make sense to some engines.  In such a case, they do nothing but return
+ * the error ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED. */
+#define ENGINE_CTRL_SET_LOGSTREAM		1
+#define ENGINE_CTRL_SET_PASSWORD_CALLBACK	2
+/* Flags specific to the nCipher "chil" engine */
+#define ENGINE_CTRL_CHIL_SET_FORKCHECK		100
+	/* Depending on the value of the (long)i argument, this sets or
+	 * unsets the SimpleForkCheck flag in the CHIL API to enable or
+	 * disable checking and workarounds for applications that fork().
+	 */
+#define ENGINE_CTRL_CHIL_NO_LOCKING		101
+	/* This prevents the initialisation function from providing mutex
+	 * callbacks to the nCipher library. */
+
+/* As we're missing a BIGNUM_METHOD, we need a couple of locally
+ * defined function types that engines can implement. */
+
+#ifndef HEADER_ENGINE_INT_H
+/* mod_exp operation, calculates; r = a ^ p mod m
+ * NB: ctx can be NULL, but if supplied, the implementation may use
+ * it if it wishes. */
+typedef int (*BN_MOD_EXP)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx);
+
+/* private key operation for RSA, provided seperately in case other
+ * RSA implementations wish to use it. */
+typedef int (*BN_MOD_EXP_CRT)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1,
+		const BIGNUM *iqmp, BN_CTX *ctx);
+
+/* Generic function pointer */
+typedef void (*ENGINE_GEN_FUNC_PTR)();
+/* Generic function pointer taking no arguments */
+typedef void (*ENGINE_GEN_INT_FUNC_PTR)(void);
+/* Specific control function pointer */
+typedef int (*ENGINE_CTRL_FUNC_PTR)(int cmd, long i, void *p, void (*f)());
+
+/* The list of "engine" types is a static array of (const ENGINE*)
+ * pointers (not dynamic because static is fine for now and we otherwise
+ * have to hook an appropriate load/unload function in to initialise and
+ * cleanup). */
+typedef struct engine_st ENGINE;
+#endif
+
+/* STRUCTURE functions ... all of these functions deal with pointers to
+ * ENGINE structures where the pointers have a "structural reference".
+ * This means that their reference is to allow access to the structure
+ * but it does not imply that the structure is functional. To simply
+ * increment or decrement the structural reference count, use ENGINE_new
+ * and ENGINE_free. NB: This is not required when iterating using
+ * ENGINE_get_next as it will automatically decrement the structural
+ * reference count of the "current" ENGINE and increment the structural
+ * reference count of the ENGINE it returns (unless it is NULL). */
+
+/* Get the first/last "ENGINE" type available. */
+ENGINE *ENGINE_get_first(void);
+ENGINE *ENGINE_get_last(void);
+/* Iterate to the next/previous "ENGINE" type (NULL = end of the list). */
+ENGINE *ENGINE_get_next(ENGINE *e);
+ENGINE *ENGINE_get_prev(ENGINE *e);
+/* Add another "ENGINE" type into the array. */
+int ENGINE_add(ENGINE *e);
+/* Remove an existing "ENGINE" type from the array. */
+int ENGINE_remove(ENGINE *e);
+/* Retrieve an engine from the list by its unique "id" value. */
+ENGINE *ENGINE_by_id(const char *id);
+
+/* These functions are useful for manufacturing new ENGINE
+ * structures. They don't address reference counting at all -
+ * one uses them to populate an ENGINE structure with personalised
+ * implementations of things prior to using it directly or adding
+ * it to the builtin ENGINE list in OpenSSL. These are also here
+ * so that the ENGINE structure doesn't have to be exposed and
+ * break binary compatibility!
+ *
+ * NB: I'm changing ENGINE_new to force the ENGINE structure to
+ * be allocated from within OpenSSL. See the comment for
+ * ENGINE_get_struct_size().
+ */
+#if 0
+ENGINE *ENGINE_new(ENGINE *e);
+#else
+ENGINE *ENGINE_new(void);
+#endif
+int ENGINE_free(ENGINE *e);
+int ENGINE_set_id(ENGINE *e, const char *id);
+int ENGINE_set_name(ENGINE *e, const char *name);
+int ENGINE_set_RSA(ENGINE *e, RSA_METHOD *rsa_meth);
+int ENGINE_set_DSA(ENGINE *e, DSA_METHOD *dsa_meth);
+int ENGINE_set_DH(ENGINE *e, DH_METHOD *dh_meth);
+int ENGINE_set_RAND(ENGINE *e, RAND_METHOD *rand_meth);
+int ENGINE_set_BN_mod_exp(ENGINE *e, BN_MOD_EXP bn_mod_exp);
+int ENGINE_set_BN_mod_exp_crt(ENGINE *e, BN_MOD_EXP_CRT bn_mod_exp_crt);
+int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f);
+int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
+int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f);
+
+/* These return values from within the ENGINE structure. These can
+ * be useful with functional references as well as structural
+ * references - it depends which you obtained. Using the result
+ * for functional purposes if you only obtained a structural
+ * reference may be problematic! */
+const char *ENGINE_get_id(ENGINE *e);
+const char *ENGINE_get_name(ENGINE *e);
+RSA_METHOD *ENGINE_get_RSA(ENGINE *e);
+DSA_METHOD *ENGINE_get_DSA(ENGINE *e);
+DH_METHOD *ENGINE_get_DH(ENGINE *e);
+RAND_METHOD *ENGINE_get_RAND(ENGINE *e);
+BN_MOD_EXP ENGINE_get_BN_mod_exp(ENGINE *e);
+BN_MOD_EXP_CRT ENGINE_get_BN_mod_exp_crt(ENGINE *e);
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(ENGINE *e);
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(ENGINE *e);
+ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(ENGINE *e);
+
+/* ENGINE_new is normally passed a NULL in the first parameter because
+ * the calling code doesn't have access to the definition of the ENGINE
+ * structure (for good reason). However, if the caller wishes to use
+ * its own memory allocation or use a static array, the following call
+ * should be used to check the amount of memory the ENGINE structure
+ * will occupy. This will make the code more future-proof.
+ *
+ * NB: I'm "#if 0"-ing this out because it's better to force the use of
+ * internally allocated memory. See similar change in ENGINE_new().
+ */
+#if 0
+int ENGINE_get_struct_size(void);
+#endif
+
+/* FUNCTIONAL functions. These functions deal with ENGINE structures
+ * that have (or will) be initialised for use. Broadly speaking, the
+ * structural functions are useful for iterating the list of available
+ * engine types, creating new engine types, and other "list" operations.
+ * These functions actually deal with ENGINEs that are to be used. As
+ * such these functions can fail (if applicable) when particular
+ * engines are unavailable - eg. if a hardware accelerator is not
+ * attached or not functioning correctly. Each ENGINE has 2 reference
+ * counts; structural and functional. Every time a functional reference
+ * is obtained or released, a corresponding structural reference is
+ * automatically obtained or released too. */
+
+/* Initialise a engine type for use (or up its reference count if it's
+ * already in use). This will fail if the engine is not currently
+ * operational and cannot initialise. */
+int ENGINE_init(ENGINE *e);
+/* Free a functional reference to a engine type. This does not require
+ * a corresponding call to ENGINE_free as it also releases a structural
+ * reference. */
+int ENGINE_finish(ENGINE *e);
+/* Send control parametrised commands to the engine.  The possibilities
+ * to send down an integer, a pointer to data or a function pointer are
+ * provided.  Any of the parameters may or may not be NULL, depending
+ * on the command number */
+/* WARNING: This is currently experimental and may change radically! */
+int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+
+/* The following functions handle keys that are stored in some secondary
+ * location, handled by the engine.  The storage may be on a card or
+ * whatever. */
+EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
+	const char *passphrase);
+EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
+	const char *passphrase);
+
+/* This returns a pointer for the current ENGINE structure that
+ * is (by default) performing any RSA operations. The value returned
+ * is an incremented reference, so it should be free'd (ENGINE_finish)
+ * before it is discarded. */
+ENGINE *ENGINE_get_default_RSA(void);
+/* Same for the other "methods" */
+ENGINE *ENGINE_get_default_DSA(void);
+ENGINE *ENGINE_get_default_DH(void);
+ENGINE *ENGINE_get_default_RAND(void);
+ENGINE *ENGINE_get_default_BN_mod_exp(void);
+ENGINE *ENGINE_get_default_BN_mod_exp_crt(void);
+
+/* This sets a new default ENGINE structure for performing RSA
+ * operations. If the result is non-zero (success) then the ENGINE
+ * structure will have had its reference count up'd so the caller
+ * should still free their own reference 'e'. */
+int ENGINE_set_default_RSA(ENGINE *e);
+/* Same for the other "methods" */
+int ENGINE_set_default_DSA(ENGINE *e);
+int ENGINE_set_default_DH(ENGINE *e);
+int ENGINE_set_default_RAND(ENGINE *e);
+int ENGINE_set_default_BN_mod_exp(ENGINE *e);
+int ENGINE_set_default_BN_mod_exp_crt(ENGINE *e);
+
+/* The combination "set" - the flags are bitwise "OR"d from the
+ * ENGINE_METHOD_*** defines above. */
+int ENGINE_set_default(ENGINE *e, unsigned int flags);
+
+/*
+ * Error codes for all engine functions. NB: We use "generic"
+ * function names instead of per-implementation ones because this
+ * levels the playing field for externally implemented bootstrapped
+ * support code. As the filename and line number is included, it's
+ * more important to indicate the type of function, so that
+ * bootstrapped code (that can't easily add its own errors in) can
+ * use the same error codes too.
+ */
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_ENGINE_strings(void);
+
+/* Error codes for the ENGINE functions. */
+
+/* Function codes. */
+#define ENGINE_F_AEP_FINISH				 156
+#define ENGINE_F_AEP_INIT				 157
+#define ENGINE_F_AEP_MOD_EXP				 158
+#define ENGINE_F_AEP_MOD_EXP_CRT			 160
+#define ENGINE_F_AEP_RAND				 161
+#define ENGINE_F_AEP_RSA_MOD_EXP			 159
+#define ENGINE_F_ATALLA_FINISH				 135
+#define ENGINE_F_ATALLA_INIT				 136
+#define ENGINE_F_ATALLA_MOD_EXP				 137
+#define ENGINE_F_ATALLA_RSA_MOD_EXP			 138
+#define ENGINE_F_CSWIFT_DSA_SIGN			 133
+#define ENGINE_F_CSWIFT_DSA_VERIFY			 134
+#define ENGINE_F_CSWIFT_FINISH				 100
+#define ENGINE_F_CSWIFT_INIT				 101
+#define ENGINE_F_CSWIFT_MOD_EXP				 102
+#define ENGINE_F_CSWIFT_MOD_EXP_CRT			 103
+#define ENGINE_F_CSWIFT_RSA_MOD_EXP			 104
+#define ENGINE_F_ENGINE_ADD				 105
+#define ENGINE_F_ENGINE_BY_ID				 106
+#define ENGINE_F_ENGINE_CTRL				 142
+#define ENGINE_F_ENGINE_FINISH				 107
+#define ENGINE_F_ENGINE_FREE				 108
+#define ENGINE_F_ENGINE_GET_BN_MOD_EXP			 109
+#define ENGINE_F_ENGINE_GET_BN_MOD_EXP_CRT		 110
+#define ENGINE_F_ENGINE_GET_CTRL_FUNCTION		 144
+#define ENGINE_F_ENGINE_GET_DH				 111
+#define ENGINE_F_ENGINE_GET_DSA				 112
+#define ENGINE_F_ENGINE_GET_FINISH_FUNCTION		 145
+#define ENGINE_F_ENGINE_GET_ID				 113
+#define ENGINE_F_ENGINE_GET_INIT_FUNCTION		 146
+#define ENGINE_F_ENGINE_GET_NAME			 114
+#define ENGINE_F_ENGINE_GET_NEXT			 115
+#define ENGINE_F_ENGINE_GET_PREV			 116
+#define ENGINE_F_ENGINE_GET_RAND			 117
+#define ENGINE_F_ENGINE_GET_RSA				 118
+#define ENGINE_F_ENGINE_INIT				 119
+#define ENGINE_F_ENGINE_LIST_ADD			 120
+#define ENGINE_F_ENGINE_LIST_REMOVE			 121
+#define ENGINE_F_ENGINE_LOAD_PRIVATE_KEY		 150
+#define ENGINE_F_ENGINE_LOAD_PUBLIC_KEY			 151
+#define ENGINE_F_ENGINE_NEW				 122
+#define ENGINE_F_ENGINE_REMOVE				 123
+#define ENGINE_F_ENGINE_SET_BN_MOD_EXP			 124
+#define ENGINE_F_ENGINE_SET_BN_MOD_EXP_CRT		 125
+#define ENGINE_F_ENGINE_SET_CTRL_FUNCTION		 147
+#define ENGINE_F_ENGINE_SET_DEFAULT_TYPE		 126
+#define ENGINE_F_ENGINE_SET_DH				 127
+#define ENGINE_F_ENGINE_SET_DSA				 128
+#define ENGINE_F_ENGINE_SET_FINISH_FUNCTION		 148
+#define ENGINE_F_ENGINE_SET_ID				 129
+#define ENGINE_F_ENGINE_SET_INIT_FUNCTION		 149
+#define ENGINE_F_ENGINE_SET_NAME			 130
+#define ENGINE_F_ENGINE_SET_RAND			 131
+#define ENGINE_F_ENGINE_SET_RSA				 132
+#define ENGINE_F_ENGINE_UNLOAD_KEY			 152
+#define ENGINE_F_HWCRHK_CTRL				 143
+#define ENGINE_F_HWCRHK_FINISH				 135
+#define ENGINE_F_HWCRHK_GET_PASS			 155
+#define ENGINE_F_HWCRHK_INIT				 136
+#define ENGINE_F_HWCRHK_LOAD_PRIVKEY			 153
+#define ENGINE_F_HWCRHK_LOAD_PUBKEY			 154
+#define ENGINE_F_HWCRHK_MOD_EXP				 137
+#define ENGINE_F_HWCRHK_MOD_EXP_CRT			 138
+#define ENGINE_F_HWCRHK_RAND_BYTES			 139
+#define ENGINE_F_HWCRHK_RSA_MOD_EXP			 140
+#define ENGINE_F_KC_INT_DSA_PRIV			 213
+#define ENGINE_F_KC_INT_DSA_VERIFY			 214
+#define ENGINE_F_KC_INT_RSA_PRIV			 215
+#define ENGINE_F_KC_INT_RSA_PUB				 216
+#define ENGINE_F_KEYCLIENT_CHECK_GLOBAL			 217
+#define ENGINE_F_KEYCLIENT_DSA_FINISH			 218
+#define ENGINE_F_KEYCLIENT_DSA_INIT			 219
+#define ENGINE_F_KEYCLIENT_DSA_SIGN			 220
+#define ENGINE_F_KEYCLIENT_DSA_VERIFY			 221
+#define ENGINE_F_KEYCLIENT_FINISH			 222
+#define ENGINE_F_KEYCLIENT_GET_DSA_CTX			 223
+#define ENGINE_F_KEYCLIENT_GET_RSA_CTX			 224
+#define ENGINE_F_KEYCLIENT_INIT				 225
+#define ENGINE_F_KEYCLIENT_PADDING			 226
+#define ENGINE_F_KEYCLIENT_RSA_FINISH			 227
+#define ENGINE_F_KEYCLIENT_RSA_INIT			 228
+#define ENGINE_F_KEYCLIENT_RSA_PRIV_DEC			 229
+#define ENGINE_F_KEYCLIENT_RSA_PRIV_ENC			 230
+#define ENGINE_F_KEYCLIENT_RSA_PUB_DEC			 231
+#define ENGINE_F_KEYCLIENT_RSA_PUB_ENC			 232
+#define ENGINE_F_KEYCLIENT_SET_DSA_CTX			 233
+#define ENGINE_F_KEYCLIENT_SET_RSA_CTX			 234
+#define ENGINE_F_LOG_MESSAGE				 141
+#define ENGINE_F_SUREWAREHK_CTRL			 209
+#define ENGINE_F_SUREWAREHK_DH_GEN_KEY			 210
+#define ENGINE_F_SUREWAREHK_DSA_DO_SIGN			 211
+#define ENGINE_F_SUREWAREHK_EX_FREE			 206
+#define ENGINE_F_SUREWAREHK_FINISH			 201
+#define ENGINE_F_SUREWAREHK_INIT			 200
+#define ENGINE_F_SUREWAREHK_LOAD_PRIVATE_KEY		 204
+#define ENGINE_F_SUREWAREHK_LOAD_PUBLIC_KEY		 205
+#define ENGINE_F_SUREWAREHK_MOD_EXP			 212
+#define ENGINE_F_SUREWAREHK_RAND_BYTES			 202
+#define ENGINE_F_SUREWAREHK_RAND_SEED			 203
+#define ENGINE_F_SUREWAREHK_RSA_PRIV_DEC		 207
+#define ENGINE_F_SUREWAREHK_RSA_PRIV_ENC		 208
+#define ENGINE_F_UBSEC_CTRL				 176
+#define ENGINE_F_UBSEC_DH_COMPUTE_KEY			 171
+#define ENGINE_F_UBSEC_DSA_SIGN				 163
+#define ENGINE_F_UBSEC_DSA_VERIFY			 164
+#define ENGINE_F_UBSEC_FINISH				 165
+#define ENGINE_F_UBSEC_INIT				 166
+#define ENGINE_F_UBSEC_MOD_EXP				 167
+#define ENGINE_F_UBSEC_RNG_BYTES			 172
+#define ENGINE_F_UBSEC_RSA_MOD_EXP			 168
+#define ENGINE_F_UBSEC_RSA_MOD_EXP_CRT			 169
+
+/* Reason codes. */
+#define ENGINE_R_AEP_INIT_FAILURE			 132
+#define ENGINE_R_ALREADY_LOADED				 100
+#define ENGINE_R_BIO_WAS_FREED				 121
+#define ENGINE_R_BN_CTX_FULL				 101
+#define ENGINE_R_BN_EXPAND_FAIL				 102
+#define ENGINE_R_CHIL_ERROR				 123
+#define ENGINE_R_CLOSE_HANDLES_FAILED			 140
+#define ENGINE_R_CONFLICTING_ENGINE_ID			 103
+#define ENGINE_R_CONNECTIONS_IN_USE			 141
+#define ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED		 119
+#define ENGINE_R_DSO_FAILURE				 104
+#define ENGINE_R_ENGINE_IS_NOT_IN_LIST			 105
+#define ENGINE_R_FAILED_LOADING_PRIVATE_KEY		 128
+#define ENGINE_R_FAILED_LOADING_PUBLIC_KEY		 129
+#define ENGINE_R_FINALIZE_FAILED			 142
+#define ENGINE_R_FINISH_FAILED				 106
+#define ENGINE_R_GET_HANDLE_FAILED			 107
+#define ENGINE_R_GET_RANDOM_FAILED			 133
+#define ENGINE_R_ID_OR_NAME_MISSING			 108
+#define ENGINE_R_INIT_FAILED				 109
+#define ENGINE_R_INTERNAL_LIST_ERROR			 110
+#define ENGINE_R_INVALID_PADDING			 137
+#define ENGINE_R_KEY_TOO_LARGE				 138
+#define ENGINE_R_MISSING_KEY_COMPONENTS			 111
+#define ENGINE_R_MOD_EXP_CRT_FAILED			 134
+#define ENGINE_R_MOD_EXP_FAILED				 131
+#define ENGINE_R_NOT_INITIALISED			 117
+#define ENGINE_R_NOT_LOADED				 112
+#define ENGINE_R_NO_CALLBACK				 127
+#define ENGINE_R_NO_CONTROL_FUNCTION			 120
+#define ENGINE_R_NO_INDEX				 139
+#define ENGINE_R_NO_KEY					 124
+#define ENGINE_R_NO_LOAD_FUNCTION			 125
+#define ENGINE_R_NO_REFERENCE				 130
+#define ENGINE_R_NO_SUCH_ENGINE				 116
+#define ENGINE_R_NO_UNLOAD_FUNCTION			 126
+#define ENGINE_R_PROVIDE_PARAMETERS			 113
+#define ENGINE_R_REQUEST_FAILED				 114
+#define ENGINE_R_REQUEST_FALLBACK			 118
+#define ENGINE_R_RETURN_CONNECTION_FAILED		 135
+#define ENGINE_R_SETBNCALLBACK_FAILURE			 136
+#define ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL		 122
+#define ENGINE_R_UNIT_FAILURE				 115
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
--- a/crypto/engine/engine_err.c
+++ b/crypto/engine/engine_err.c
@@ -0,0 +1,246 @@
+/* crypto/engine/engine_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/engine.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA ENGINE_str_functs[]=
+	{
+{ERR_PACK(0,ENGINE_F_AEP_FINISH,0),	"AEP_FINISH"},
+{ERR_PACK(0,ENGINE_F_AEP_INIT,0),	"AEP_INIT"},
+{ERR_PACK(0,ENGINE_F_AEP_MOD_EXP,0),	"AEP_MOD_EXP"},
+{ERR_PACK(0,ENGINE_F_AEP_MOD_EXP_CRT,0),	"AEP_MOD_EXP_CRT"},
+{ERR_PACK(0,ENGINE_F_AEP_RAND,0),	"AEP_RAND"},
+{ERR_PACK(0,ENGINE_F_AEP_RSA_MOD_EXP,0),	"AEP_RSA_MOD_EXP"},
+{ERR_PACK(0,ENGINE_F_ATALLA_FINISH,0),	"ATALLA_FINISH"},
+{ERR_PACK(0,ENGINE_F_ATALLA_INIT,0),	"ATALLA_INIT"},
+{ERR_PACK(0,ENGINE_F_ATALLA_MOD_EXP,0),	"ATALLA_MOD_EXP"},
+{ERR_PACK(0,ENGINE_F_ATALLA_RSA_MOD_EXP,0),	"ATALLA_RSA_MOD_EXP"},
+{ERR_PACK(0,ENGINE_F_CSWIFT_DSA_SIGN,0),	"CSWIFT_DSA_SIGN"},
+{ERR_PACK(0,ENGINE_F_CSWIFT_DSA_VERIFY,0),	"CSWIFT_DSA_VERIFY"},
+{ERR_PACK(0,ENGINE_F_CSWIFT_FINISH,0),	"CSWIFT_FINISH"},
+{ERR_PACK(0,ENGINE_F_CSWIFT_INIT,0),	"CSWIFT_INIT"},
+{ERR_PACK(0,ENGINE_F_CSWIFT_MOD_EXP,0),	"CSWIFT_MOD_EXP"},
+{ERR_PACK(0,ENGINE_F_CSWIFT_MOD_EXP_CRT,0),	"CSWIFT_MOD_EXP_CRT"},
+{ERR_PACK(0,ENGINE_F_CSWIFT_RSA_MOD_EXP,0),	"CSWIFT_RSA_MOD_EXP"},
+{ERR_PACK(0,ENGINE_F_ENGINE_ADD,0),	"ENGINE_add"},
+{ERR_PACK(0,ENGINE_F_ENGINE_BY_ID,0),	"ENGINE_by_id"},
+{ERR_PACK(0,ENGINE_F_ENGINE_CTRL,0),	"ENGINE_ctrl"},
+{ERR_PACK(0,ENGINE_F_ENGINE_FINISH,0),	"ENGINE_finish"},
+{ERR_PACK(0,ENGINE_F_ENGINE_FREE,0),	"ENGINE_free"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_BN_MOD_EXP,0),	"ENGINE_get_BN_mod_exp"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_BN_MOD_EXP_CRT,0),	"ENGINE_get_BN_mod_exp_crt"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_CTRL_FUNCTION,0),	"ENGINE_get_ctrl_function"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_DH,0),	"ENGINE_get_DH"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_DSA,0),	"ENGINE_get_DSA"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_FINISH_FUNCTION,0),	"ENGINE_get_finish_function"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_ID,0),	"ENGINE_get_id"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_INIT_FUNCTION,0),	"ENGINE_get_init_function"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_NAME,0),	"ENGINE_get_name"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_NEXT,0),	"ENGINE_get_next"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_PREV,0),	"ENGINE_get_prev"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_RAND,0),	"ENGINE_get_RAND"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_RSA,0),	"ENGINE_get_RSA"},
+{ERR_PACK(0,ENGINE_F_ENGINE_INIT,0),	"ENGINE_init"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LIST_ADD,0),	"ENGINE_LIST_ADD"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LIST_REMOVE,0),	"ENGINE_LIST_REMOVE"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,0),	"ENGINE_load_private_key"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,0),	"ENGINE_load_public_key"},
+{ERR_PACK(0,ENGINE_F_ENGINE_NEW,0),	"ENGINE_new"},
+{ERR_PACK(0,ENGINE_F_ENGINE_REMOVE,0),	"ENGINE_remove"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_BN_MOD_EXP,0),	"ENGINE_set_BN_mod_exp"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_BN_MOD_EXP_CRT,0),	"ENGINE_set_BN_mod_exp_crt"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_CTRL_FUNCTION,0),	"ENGINE_set_ctrl_function"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_TYPE,0),	"ENGINE_SET_DEFAULT_TYPE"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_DH,0),	"ENGINE_set_DH"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_DSA,0),	"ENGINE_set_DSA"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_FINISH_FUNCTION,0),	"ENGINE_set_finish_function"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_ID,0),	"ENGINE_set_id"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_INIT_FUNCTION,0),	"ENGINE_set_init_function"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_NAME,0),	"ENGINE_set_name"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_RAND,0),	"ENGINE_set_RAND"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_RSA,0),	"ENGINE_set_RSA"},
+{ERR_PACK(0,ENGINE_F_ENGINE_UNLOAD_KEY,0),	"ENGINE_UNLOAD_KEY"},
+{ERR_PACK(0,ENGINE_F_HWCRHK_CTRL,0),	"HWCRHK_CTRL"},
+{ERR_PACK(0,ENGINE_F_HWCRHK_FINISH,0),	"HWCRHK_FINISH"},
+{ERR_PACK(0,ENGINE_F_HWCRHK_GET_PASS,0),	"HWCRHK_GET_PASS"},
+{ERR_PACK(0,ENGINE_F_HWCRHK_INIT,0),	"HWCRHK_INIT"},
+{ERR_PACK(0,ENGINE_F_HWCRHK_LOAD_PRIVKEY,0),	"HWCRHK_LOAD_PRIVKEY"},
+{ERR_PACK(0,ENGINE_F_HWCRHK_LOAD_PUBKEY,0),	"HWCRHK_LOAD_PUBKEY"},
+{ERR_PACK(0,ENGINE_F_HWCRHK_MOD_EXP,0),	"HWCRHK_MOD_EXP"},
+{ERR_PACK(0,ENGINE_F_HWCRHK_MOD_EXP_CRT,0),	"HWCRHK_MOD_EXP_CRT"},
+{ERR_PACK(0,ENGINE_F_HWCRHK_RAND_BYTES,0),	"HWCRHK_RAND_BYTES"},
+{ERR_PACK(0,ENGINE_F_HWCRHK_RSA_MOD_EXP,0),	"HWCRHK_RSA_MOD_EXP"},
+{ERR_PACK(0,ENGINE_F_KC_INT_DSA_PRIV,0),	"KC_INT_DSA_PRIV"},
+{ERR_PACK(0,ENGINE_F_KC_INT_DSA_VERIFY,0),	"KC_INT_DSA_VERIFY"},
+{ERR_PACK(0,ENGINE_F_KC_INT_RSA_PRIV,0),	"KC_INT_RSA_PRIV"},
+{ERR_PACK(0,ENGINE_F_KC_INT_RSA_PUB,0),	"KC_INT_RSA_PUB"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_CHECK_GLOBAL,0),	"KEYCLIENT_CHECK_GLOBAL"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_DSA_FINISH,0),	"KEYCLIENT_DSA_FINISH"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_DSA_INIT,0),	"KEYCLIENT_DSA_INIT"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_DSA_SIGN,0),	"KEYCLIENT_DSA_SIGN"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_DSA_VERIFY,0),	"KEYCLIENT_DSA_VERIFY"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_FINISH,0),	"KEYCLIENT_FINISH"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_GET_DSA_CTX,0),	"KEYCLIENT_GET_DSA_CTX"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_GET_RSA_CTX,0),	"KEYCLIENT_GET_RSA_CTX"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_INIT,0),	"KEYCLIENT_INIT"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_PADDING,0),	"KEYCLIENT_PADDING"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_RSA_FINISH,0),	"KEYCLIENT_RSA_FINISH"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_RSA_INIT,0),	"KEYCLIENT_RSA_INIT"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_RSA_PRIV_DEC,0),	"KEYCLIENT_RSA_PRIV_DEC"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_RSA_PRIV_ENC,0),	"KEYCLIENT_RSA_PRIV_ENC"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_RSA_PUB_DEC,0),	"KEYCLIENT_RSA_PUB_DEC"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_RSA_PUB_ENC,0),	"KEYCLIENT_RSA_PUB_ENC"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_SET_DSA_CTX,0),	"KEYCLIENT_SET_DSA_CTX"},
+{ERR_PACK(0,ENGINE_F_KEYCLIENT_SET_RSA_CTX,0),	"KEYCLIENT_SET_RSA_CTX"},
+{ERR_PACK(0,ENGINE_F_LOG_MESSAGE,0),	"LOG_MESSAGE"},
+{ERR_PACK(0,ENGINE_F_SUREWAREHK_CTRL,0),	"SUREWAREHK_CTRL"},
+{ERR_PACK(0,ENGINE_F_SUREWAREHK_DH_GEN_KEY,0),	"SUREWAREHK_DH_GEN_KEY"},
+{ERR_PACK(0,ENGINE_F_SUREWAREHK_DSA_DO_SIGN,0),	"SUREWAREHK_DSA_DO_SIGN"},
+{ERR_PACK(0,ENGINE_F_SUREWAREHK_EX_FREE,0),	"SUREWAREHK_EX_FREE"},
+{ERR_PACK(0,ENGINE_F_SUREWAREHK_FINISH,0),	"SUREWAREHK_FINISH"},
+{ERR_PACK(0,ENGINE_F_SUREWAREHK_INIT,0),	"SUREWAREHK_INIT"},
+{ERR_PACK(0,ENGINE_F_SUREWAREHK_LOAD_PRIVATE_KEY,0),	"SUREWAREHK_LOAD_PRIVATE_KEY"},
+{ERR_PACK(0,ENGINE_F_SUREWAREHK_LOAD_PUBLIC_KEY,0),	"SUREWAREHK_LOAD_PUBLIC_KEY"},
+{ERR_PACK(0,ENGINE_F_SUREWAREHK_MOD_EXP,0),	"SUREWAREHK_MOD_EXP"},
+{ERR_PACK(0,ENGINE_F_SUREWAREHK_RAND_BYTES,0),	"SUREWAREHK_RAND_BYTES"},
+{ERR_PACK(0,ENGINE_F_SUREWAREHK_RAND_SEED,0),	"SUREWAREHK_RAND_SEED"},
+{ERR_PACK(0,ENGINE_F_SUREWAREHK_RSA_PRIV_DEC,0),	"SUREWAREHK_RSA_PRIV_DEC"},
+{ERR_PACK(0,ENGINE_F_SUREWAREHK_RSA_PRIV_ENC,0),	"SUREWAREHK_RSA_PRIV_ENC"},
+{ERR_PACK(0,ENGINE_F_UBSEC_CTRL,0),	"UBSEC_CTRL"},
+{ERR_PACK(0,ENGINE_F_UBSEC_DH_COMPUTE_KEY,0),	"UBSEC_DH_COMPUTE_KEY"},
+{ERR_PACK(0,ENGINE_F_UBSEC_DSA_SIGN,0),	"UBSEC_DSA_SIGN"},
+{ERR_PACK(0,ENGINE_F_UBSEC_DSA_VERIFY,0),	"UBSEC_DSA_VERIFY"},
+{ERR_PACK(0,ENGINE_F_UBSEC_FINISH,0),	"UBSEC_FINISH"},
+{ERR_PACK(0,ENGINE_F_UBSEC_INIT,0),	"UBSEC_INIT"},
+{ERR_PACK(0,ENGINE_F_UBSEC_MOD_EXP,0),	"UBSEC_MOD_EXP"},
+{ERR_PACK(0,ENGINE_F_UBSEC_RNG_BYTES,0),	"UBSEC_RNG_BYTES"},
+{ERR_PACK(0,ENGINE_F_UBSEC_RSA_MOD_EXP,0),	"UBSEC_RSA_MOD_EXP"},
+{ERR_PACK(0,ENGINE_F_UBSEC_RSA_MOD_EXP_CRT,0),	"UBSEC_RSA_MOD_EXP_CRT"},
+{0,NULL}
+	};
+
+static ERR_STRING_DATA ENGINE_str_reasons[]=
+	{
+{ENGINE_R_AEP_INIT_FAILURE               ,"aep init failure"},
+{ENGINE_R_ALREADY_LOADED                 ,"already loaded"},
+{ENGINE_R_BIO_WAS_FREED                  ,"bio was freed"},
+{ENGINE_R_BN_CTX_FULL                    ,"BN_CTX full"},
+{ENGINE_R_BN_EXPAND_FAIL                 ,"bn_expand fail"},
+{ENGINE_R_CHIL_ERROR                     ,"chil error"},
+{ENGINE_R_CLOSE_HANDLES_FAILED           ,"close handles failed"},
+{ENGINE_R_CONFLICTING_ENGINE_ID          ,"conflicting engine id"},
+{ENGINE_R_CONNECTIONS_IN_USE             ,"connections in use"},
+{ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
+{ENGINE_R_DSO_FAILURE                    ,"DSO failure"},
+{ENGINE_R_ENGINE_IS_NOT_IN_LIST          ,"engine is not in the list"},
+{ENGINE_R_FAILED_LOADING_PRIVATE_KEY     ,"failed loading private key"},
+{ENGINE_R_FAILED_LOADING_PUBLIC_KEY      ,"failed loading public key"},
+{ENGINE_R_FINALIZE_FAILED                ,"finalize failed"},
+{ENGINE_R_FINISH_FAILED                  ,"finish failed"},
+{ENGINE_R_GET_HANDLE_FAILED              ,"could not obtain hardware handle"},
+{ENGINE_R_GET_RANDOM_FAILED              ,"get random failed"},
+{ENGINE_R_ID_OR_NAME_MISSING             ,"'id' or 'name' missing"},
+{ENGINE_R_INIT_FAILED                    ,"init failed"},
+{ENGINE_R_INTERNAL_LIST_ERROR            ,"internal list error"},
+{ENGINE_R_INVALID_PADDING                ,"invalid padding"},
+{ENGINE_R_KEY_TOO_LARGE                  ,"key too large"},
+{ENGINE_R_MISSING_KEY_COMPONENTS         ,"missing key components"},
+{ENGINE_R_MOD_EXP_CRT_FAILED             ,"mod exp crt failed"},
+{ENGINE_R_MOD_EXP_FAILED                 ,"mod exp failed"},
+{ENGINE_R_NOT_INITIALISED                ,"not initialised"},
+{ENGINE_R_NOT_LOADED                     ,"not loaded"},
+{ENGINE_R_NO_CALLBACK                    ,"no callback"},
+{ENGINE_R_NO_CONTROL_FUNCTION            ,"no control function"},
+{ENGINE_R_NO_INDEX                       ,"no index"},
+{ENGINE_R_NO_KEY                         ,"no key"},
+{ENGINE_R_NO_LOAD_FUNCTION               ,"no load function"},
+{ENGINE_R_NO_REFERENCE                   ,"no reference"},
+{ENGINE_R_NO_SUCH_ENGINE                 ,"no such engine"},
+{ENGINE_R_NO_UNLOAD_FUNCTION             ,"no unload function"},
+{ENGINE_R_PROVIDE_PARAMETERS             ,"provide parameters"},
+{ENGINE_R_REQUEST_FAILED                 ,"request failed"},
+{ENGINE_R_REQUEST_FALLBACK               ,"request fallback"},
+{ENGINE_R_RETURN_CONNECTION_FAILED       ,"return connection failed"},
+{ENGINE_R_SETBNCALLBACK_FAILURE          ,"setbncallback failure"},
+{ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL    ,"size too large or too small"},
+{ENGINE_R_UNIT_FAILURE                   ,"unit failure"},
+{0,NULL}
+	};
+
+#endif
+
+void ERR_load_ENGINE_strings(void)
+	{
+	static int init=1;
+
+	if (init)
+		{
+		init=0;
+#ifndef NO_ERR
+		ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_functs);
+		ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_reasons);
+#endif
+
+		}
+	}
--- a/crypto/engine/engine_int.h
+++ b/crypto/engine/engine_int.h
@@ -0,0 +1,179 @@
+/* crypto/engine/engine_int.h */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_ENGINE_INT_H
+#define HEADER_ENGINE_INT_H
+
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/dh.h>
+#include <openssl/rand.h>
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* Bitwise OR-able values for the "flags" variable in ENGINE. */
+#define ENGINE_FLAGS_MALLOCED	0x0001
+
+#ifndef HEADER_ENGINE_H
+/* Regrettably, we need to reproduce the "BN" function types here
+ * because there is no such "BIGNUM_METHOD" as there is with RSA,
+ * DSA, etc. We do this so that we don't have a case where engine.h
+ * and engine_int.h conflict with each other. */
+typedef int (*BN_MOD_EXP)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx);
+ 
+/* private key operation for RSA, provided seperately in case other
+ * RSA implementations wish to use it. */
+typedef int (*BN_MOD_EXP_CRT)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1,
+		const BIGNUM *iqmp, BN_CTX *ctx);
+
+/* Generic function pointer */
+typedef int (*ENGINE_GEN_FUNC_PTR)();
+/* Generic function pointer taking no arguments */
+typedef int (*ENGINE_GEN_INT_FUNC_PTR)(void);
+/* Specific control function pointer */
+typedef int (*ENGINE_CTRL_FUNC_PTR)(int cmd, long i, void *p, void (*f)());
+
+#endif
+
+/* This is a structure for storing implementations of various crypto
+ * algorithms and functions. */
+typedef struct engine_st
+	{
+	const char *id;
+	const char *name;
+	RSA_METHOD *rsa_meth;
+	DSA_METHOD *dsa_meth;
+	DH_METHOD *dh_meth;
+	RAND_METHOD *rand_meth;
+	BN_MOD_EXP bn_mod_exp;
+	BN_MOD_EXP_CRT bn_mod_exp_crt;
+	int (*init)(void);
+	int (*finish)(void);
+	int (*ctrl)(int cmd, long i, void *p, void (*f)());
+	EVP_PKEY *(*load_privkey)(const char *key_id, const char *passphrase);
+	EVP_PKEY *(*load_pubkey)(const char *key_id, const char *passphrase);
+	int flags;
+	/* reference count on the structure itself */
+	int struct_ref;
+	/* reference count on usability of the engine type. NB: This
+	 * controls the loading and initialisation of any functionlity
+	 * required by this engine, whereas the previous count is
+	 * simply to cope with (de)allocation of this structure. Hence,
+	 * running_ref <= struct_ref at all times. */
+	int funct_ref;
+	/* Used to maintain the linked-list of engines. */
+	struct engine_st *prev;
+	struct engine_st *next;
+	} ENGINE;
+
+/* BUILT-IN ENGINES. (these functions are only ever called once and
+ * do not return references - they are purely for bootstrapping). */
+
+/* Returns a structure of software only methods (the default). */
+ENGINE *ENGINE_openssl();
+
+#ifndef NO_HW
+
+#ifndef NO_HW_CSWIFT
+/* Returns a structure of cswift methods ... NB: This can exist and be
+ * "used" even on non-cswift systems because the "init" will fail if the
+ * card/library are not found. */
+ENGINE *ENGINE_cswift();
+#endif /* !NO_HW_CSWIFT */
+
+#ifndef NO_HW_NCIPHER
+ENGINE *ENGINE_ncipher();
+#endif /* !NO_HW_NCIPHER */
+
+#ifndef NO_HW_ATALLA
+/* Returns a structure of atalla methods. */
+ENGINE *ENGINE_atalla();
+#endif /* !NO_HW_ATALLA */
+
+#ifndef NO_HW_AEP
+/* Returns a structure of AEP methods. */
+ENGINE *ENGINE_aep();
+#endif /* !NO_HW_AEP */
+
+#ifndef NO_HW_SUREWARE
+/* Returns a structure of atalla methods. */
+ENGINE *ENGINE_sureware();
+#endif /* !NO_HW_SUREWARE */
+
+#ifndef NO_HW_UBSEC
+/* Returns a structure of ubsec methods. */
+ENGINE *ENGINE_ubsec();
+#endif /* !NO_HW_UBSEC */
+
+#ifndef NO_HW_KEYCLIENT
+/* Returns a structure of keyclient methods. */
+ENGINE *ENGINE_keyclient();
+#endif /* !NO_HW_KEYCLIENT */
+#endif /* !NO_HW */
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif /* HEADER_ENGINE_INT_H */
--- a/crypto/engine/engine_lib.c
+++ b/crypto/engine/engine_lib.c
@@ -0,0 +1,489 @@
+/* crypto/engine/engine_lib.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "engine_int.h"
+#include <openssl/engine.h>
+
+/* These pointers each have their own "functional reference" when they
+ * are non-NULL. Similarly, when they are retrieved by a call to
+ * ENGINE_get_default_[RSA|DSA|...] the returned pointer is also a
+ * reference and the caller is responsible for freeing that when they
+ * are finished with it (with a call to ENGINE_finish() *NOT* just
+ * ENGINE_free()!!!!!!). */
+static ENGINE *engine_def_rsa = NULL;
+static ENGINE *engine_def_dsa = NULL;
+static ENGINE *engine_def_dh = NULL;
+static ENGINE *engine_def_rand = NULL;
+static ENGINE *engine_def_bn_mod_exp = NULL;
+static ENGINE *engine_def_bn_mod_exp_crt = NULL;
+/* A static "once-only" flag used to control if/when the above were
+ * initialised to suitable start-up defaults. */
+static int engine_def_flag = 0;
+
+/* This is used in certain static utility functions to save code
+ * repetition for per-algorithm functions. */
+typedef enum {
+	ENGINE_TYPE_RSA,
+	ENGINE_TYPE_DSA,
+	ENGINE_TYPE_DH,
+	ENGINE_TYPE_RAND,
+	ENGINE_TYPE_BN_MOD_EXP,
+	ENGINE_TYPE_BN_MOD_EXP_CRT
+	} ENGINE_TYPE;
+
+static void engine_def_check_util(ENGINE **def, ENGINE *val)
+	{
+	*def = val;
+	val->struct_ref++;
+	val->funct_ref++;
+	}
+
+/* In a slight break with convention - this static function must be
+ * called *outside* any locking of CRYPTO_LOCK_ENGINE. */
+static void engine_def_check(void)
+	{
+	ENGINE *e;
+	if(engine_def_flag)
+		return;
+	e = ENGINE_get_first();
+	if(e == NULL)
+		/* The list is empty ... not much we can do! */
+		return;
+	/* We have a structural reference, see if getting a functional
+	 * reference is possible. This is done to cope with init errors
+	 * in the engine - the following locked code does a bunch of
+	 * manual "ENGINE_init"s which do *not* allow such an init
+	 * error so this is worth doing. */
+	if(ENGINE_init(e))
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+		/* Doing another check here prevents an obvious race
+		 * condition because the whole function itself cannot
+		 * be locked. */
+		if(engine_def_flag)
+			goto skip_set_defaults;
+		/* OK, we got a functional reference, so we get one each
+		 * for the defaults too. */
+		engine_def_check_util(&engine_def_rsa, e);
+		engine_def_check_util(&engine_def_dsa, e);
+		engine_def_check_util(&engine_def_dh, e);
+		engine_def_check_util(&engine_def_rand, e);
+		engine_def_check_util(&engine_def_bn_mod_exp, e);
+		engine_def_check_util(&engine_def_bn_mod_exp_crt, e);
+		engine_def_flag = 1;
+skip_set_defaults:
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		/* The "if" needs to be balanced out. */
+		ENGINE_finish(e);
+		}
+	/* We need to balance out the fact we obtained a structural
+	 * reference to begin with from ENGINE_get_first(). */
+	ENGINE_free(e);
+	}
+
+/* Initialise a engine type for use (or up its functional reference count
+ * if it's already in use). */
+int ENGINE_init(ENGINE *e)
+	{
+	int to_return = 1;
+
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_INIT,ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+	if((e->funct_ref == 0) && e->init)
+		/* This is the first functional reference and the engine
+		 * requires initialisation so we do it now. */
+		to_return = e->init();
+	if(to_return)
+		{
+		/* OK, we return a functional reference which is also a
+		 * structural reference. */
+		e->struct_ref++;
+		e->funct_ref++;
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+	return to_return;
+	}
+
+/* Free a functional reference to a engine type */
+int ENGINE_finish(ENGINE *e)
+	{
+	int to_return = 1;
+
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_FINISH,ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+	if((e->funct_ref == 1) && e->finish)
+#if 0
+		/* This is the last functional reference and the engine
+		 * requires cleanup so we do it now. */
+		to_return = e->finish();
+	if(to_return)
+		{
+		/* Cleanup the functional reference which is also a
+		 * structural reference. */
+		e->struct_ref--;
+		e->funct_ref--;
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+#else
+		/* I'm going to deliberately do a convoluted version of this
+		 * piece of code because we don't want "finish" functions
+		 * being called inside a locked block of code, if at all
+		 * possible. I'd rather have this call take an extra couple
+		 * of ticks than have throughput serialised on a externally-
+		 * provided callback function that may conceivably never come
+		 * back. :-( */
+		{
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		/* CODE ALERT: This *IS* supposed to be "=" and NOT "==" :-) */
+		if((to_return = e->finish()))
+			{
+			CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+			/* Cleanup the functional reference which is also a
+			 * structural reference. */
+			e->struct_ref--;
+			e->funct_ref--;
+			CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+			}
+		}
+	else
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+#endif
+	return to_return;
+	}
+
+EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
+	const char *passphrase)
+	{
+	EVP_PKEY *pkey;
+
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+	if(e->funct_ref == 0)
+		{
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+			ENGINE_R_NOT_INITIALISED);
+		return 0;
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+	if (!e->load_privkey)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+			ENGINE_R_NO_LOAD_FUNCTION);
+		return 0;
+		}
+	pkey = e->load_privkey(key_id, passphrase);
+	if (!pkey)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+			ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+		return 0;
+		}
+	return pkey;
+	}
+
+EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
+	const char *passphrase)
+	{
+	EVP_PKEY *pkey;
+
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+	if(e->funct_ref == 0)
+		{
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+			ENGINE_R_NOT_INITIALISED);
+		return 0;
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+	if (!e->load_pubkey)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+			ENGINE_R_NO_LOAD_FUNCTION);
+		return 0;
+		}
+	pkey = e->load_pubkey(key_id, passphrase);
+	if (!pkey)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+			ENGINE_R_FAILED_LOADING_PUBLIC_KEY);
+		return 0;
+		}
+	return pkey;
+	}
+
+int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+	{
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+	if(e->struct_ref == 0)
+		{
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_REFERENCE);
+		return 0;
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+	if (!e->ctrl)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_CONTROL_FUNCTION);
+		return 0;
+		}
+	return e->ctrl(cmd, i, p, f);
+	}
+
+static ENGINE *engine_get_default_type(ENGINE_TYPE t)
+	{
+	ENGINE *ret = NULL;
+
+	/* engine_def_check is lean and mean and won't replace any
+	 * prior default engines ... so we must ensure that it is always
+	 * the first function to get to touch the default values. */
+	engine_def_check();
+	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+	switch(t)
+		{
+	case ENGINE_TYPE_RSA:
+		ret = engine_def_rsa; break;
+	case ENGINE_TYPE_DSA:
+		ret = engine_def_dsa; break;
+	case ENGINE_TYPE_DH:
+		ret = engine_def_dh; break;
+	case ENGINE_TYPE_RAND:
+		ret = engine_def_rand; break;
+	case ENGINE_TYPE_BN_MOD_EXP:
+		ret = engine_def_bn_mod_exp; break;
+	case ENGINE_TYPE_BN_MOD_EXP_CRT:
+		ret = engine_def_bn_mod_exp_crt; break;
+		}
+	/* Unforunately we can't do this work outside the lock with a
+	 * call to ENGINE_init() because that would leave a race
+	 * condition open. */
+	if(ret)
+		{
+		ret->struct_ref++;
+		ret->funct_ref++;
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+	return ret;
+	}
+
+ENGINE *ENGINE_get_default_RSA(void)
+	{
+	return engine_get_default_type(ENGINE_TYPE_RSA);
+	}
+
+ENGINE *ENGINE_get_default_DSA(void)
+	{
+	return engine_get_default_type(ENGINE_TYPE_DSA);
+	}
+
+ENGINE *ENGINE_get_default_DH(void)
+	{
+	return engine_get_default_type(ENGINE_TYPE_DH);
+	}
+
+ENGINE *ENGINE_get_default_RAND(void)
+	{
+	return engine_get_default_type(ENGINE_TYPE_RAND);
+	}
+
+ENGINE *ENGINE_get_default_BN_mod_exp(void)
+	{
+	return engine_get_default_type(ENGINE_TYPE_BN_MOD_EXP);
+	}
+
+ENGINE *ENGINE_get_default_BN_mod_exp_crt(void)
+	{
+	return engine_get_default_type(ENGINE_TYPE_BN_MOD_EXP_CRT);
+	}
+
+static int engine_set_default_type(ENGINE_TYPE t, ENGINE *e)
+	{
+	ENGINE *old = NULL;
+
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_DEFAULT_TYPE,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	/* engine_def_check is lean and mean and won't replace any
+	 * prior default engines ... so we must ensure that it is always
+	 * the first function to get to touch the default values. */
+	engine_def_check();
+	/* Attempt to get a functional reference (we need one anyway, but
+	 * also, 'e' may be just a structural reference being passed in so
+	 * this call may actually be the first). */
+	if(!ENGINE_init(e))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_DEFAULT_TYPE,
+			ENGINE_R_INIT_FAILED);
+		return 0;
+		}
+	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+	switch(t)
+		{
+	case ENGINE_TYPE_RSA:
+		old = engine_def_rsa;
+		engine_def_rsa = e; break;
+	case ENGINE_TYPE_DSA:
+		old = engine_def_dsa;
+		engine_def_dsa = e; break;
+	case ENGINE_TYPE_DH:
+		old = engine_def_dh;
+		engine_def_dh = e; break;
+	case ENGINE_TYPE_RAND:
+		old = engine_def_rand;
+		engine_def_rand = e; break;
+	case ENGINE_TYPE_BN_MOD_EXP:
+		old = engine_def_bn_mod_exp;
+		engine_def_bn_mod_exp = e; break;
+	case ENGINE_TYPE_BN_MOD_EXP_CRT:
+		old = engine_def_bn_mod_exp_crt;
+		engine_def_bn_mod_exp_crt = e; break;
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+	/* If we've replaced a previous value, then we need to remove the
+	 * functional reference we had. */
+	if(old && !ENGINE_finish(old))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_DEFAULT_TYPE,
+			ENGINE_R_FINISH_FAILED);
+		return 0;
+		}
+	return 1;
+	}
+
+int ENGINE_set_default_RSA(ENGINE *e)
+	{
+	return engine_set_default_type(ENGINE_TYPE_RSA, e);
+	}
+
+int ENGINE_set_default_DSA(ENGINE *e)
+	{
+	return engine_set_default_type(ENGINE_TYPE_DSA, e);
+	}
+
+int ENGINE_set_default_DH(ENGINE *e)
+	{
+	return engine_set_default_type(ENGINE_TYPE_DH, e);
+	}
+
+int ENGINE_set_default_RAND(ENGINE *e)
+	{
+	return engine_set_default_type(ENGINE_TYPE_RAND, e);
+	}
+
+int ENGINE_set_default_BN_mod_exp(ENGINE *e)
+	{
+	return engine_set_default_type(ENGINE_TYPE_BN_MOD_EXP, e);
+	}
+
+int ENGINE_set_default_BN_mod_exp_crt(ENGINE *e)
+	{
+	return engine_set_default_type(ENGINE_TYPE_BN_MOD_EXP_CRT, e);
+	}
+
+int ENGINE_set_default(ENGINE *e, unsigned int flags)
+	{
+	if((flags & ENGINE_METHOD_RSA) && e->rsa_meth &&
+			!ENGINE_set_default_RSA(e))
+		return 0;
+	if((flags & ENGINE_METHOD_DSA) && e->dsa_meth &&
+			!ENGINE_set_default_DSA(e))
+		return 0;
+	if((flags & ENGINE_METHOD_DH) && e->dh_meth &&
+			!ENGINE_set_default_DH(e))
+		return 0;
+	if((flags & ENGINE_METHOD_RAND) && e->rand_meth &&
+			!ENGINE_set_default_RAND(e))
+		return 0;
+	if((flags & ENGINE_METHOD_BN_MOD_EXP) && e->bn_mod_exp &&
+			!ENGINE_set_default_BN_mod_exp(e))
+		return 0;
+	if((flags & ENGINE_METHOD_BN_MOD_EXP_CRT) && e->bn_mod_exp_crt &&
+			!ENGINE_set_default_BN_mod_exp_crt(e))
+		return 0;
+	return 1;
+	}
+
--- a/crypto/engine/engine_list.c
+++ b/crypto/engine/engine_list.c
@@ -0,0 +1,691 @@
+/* crypto/engine/engine_list.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "engine_int.h"
+#include <openssl/engine.h>
+
+/* The linked-list of pointers to engine types. engine_list_head
+ * incorporates an implicit structural reference but engine_list_tail
+ * does not - the latter is a computational niceity and only points
+ * to something that is already pointed to by its predecessor in the
+ * list (or engine_list_head itself). In the same way, the use of the
+ * "prev" pointer in each ENGINE is to save excessive list iteration,
+ * it doesn't correspond to an extra structural reference. Hence,
+ * engine_list_head, and each non-null "next" pointer account for
+ * the list itself assuming exactly 1 structural reference on each
+ * list member. */
+static ENGINE *engine_list_head = NULL;
+static ENGINE *engine_list_tail = NULL;
+/* A boolean switch, used to ensure we only initialise once. This
+ * is needed because the engine list may genuinely become empty during
+ * use (so we can't use engine_list_head as an indicator for example. */
+static int engine_list_flag = 0;
+
+/* These static functions starting with a lower case "engine_" always
+ * take place when CRYPTO_LOCK_ENGINE has been locked up. */
+static int engine_list_add(ENGINE *e)
+	{
+	int conflict = 0;
+	ENGINE *iterator = NULL;
+
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	iterator = engine_list_head;
+	while(iterator && !conflict)
+		{
+		conflict = (strcmp(iterator->id, e->id) == 0);
+		iterator = iterator->next;
+		}
+	if(conflict)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+			ENGINE_R_CONFLICTING_ENGINE_ID);
+		return 0;
+		}
+	if(engine_list_head == NULL)
+		{
+		/* We are adding to an empty list. */
+		if(engine_list_tail)
+			{
+			ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+				ENGINE_R_INTERNAL_LIST_ERROR);
+			return 0;
+			}
+		engine_list_head = e;
+		e->prev = NULL;
+		}
+	else
+		{
+		/* We are adding to the tail of an existing list. */
+		if((engine_list_tail == NULL) ||
+				(engine_list_tail->next != NULL))
+			{
+			ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+				ENGINE_R_INTERNAL_LIST_ERROR);
+			return 0;
+			}
+		engine_list_tail->next = e;
+		e->prev = engine_list_tail;
+		}
+	/* Having the engine in the list assumes a structural
+	 * reference. */
+	e->struct_ref++;
+	/* However it came to be, e is the last item in the list. */
+	engine_list_tail = e;
+	e->next = NULL;
+	return 1;
+	}
+
+static int engine_list_remove(ENGINE *e)
+	{
+	ENGINE *iterator;
+
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_LIST_REMOVE,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	/* We need to check that e is in our linked list! */
+	iterator = engine_list_head;
+	while(iterator && (iterator != e))
+		iterator = iterator->next;
+	if(iterator == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_LIST_REMOVE,
+			ENGINE_R_ENGINE_IS_NOT_IN_LIST);
+		return 0;
+		}
+	/* un-link e from the chain. */
+	if(e->next)
+		e->next->prev = e->prev;
+	if(e->prev)
+		e->prev->next = e->next;
+	/* Correct our head/tail if necessary. */
+	if(engine_list_head == e)
+		engine_list_head = e->next;
+	if(engine_list_tail == e)
+		engine_list_tail = e->prev;
+	/* remove our structural reference. */
+	e->struct_ref--;
+	return 1;
+	}
+
+/* This check always takes place with CRYPTO_LOCK_ENGINE locked up
+ * so we're synchronised, but we can't call anything that tries to
+ * lock it again! :-) NB: For convenience (and code-clarity) we
+ * don't output errors for failures of the engine_list_add function
+ * as it will generate errors itself. */
+static int engine_internal_check(void)
+	{
+	if(engine_list_flag)
+		return 1;
+	/* This is our first time up, we need to populate the list
+	 * with our statically compiled-in engines. */
+	if(!engine_list_add(ENGINE_openssl()))
+		return 0;
+#ifndef NO_HW
+#ifndef NO_HW_CSWIFT
+	if(!engine_list_add(ENGINE_cswift()))
+		return 0;
+#endif /* !NO_HW_CSWIFT */
+#ifndef NO_HW_NCIPHER
+	if(!engine_list_add(ENGINE_ncipher()))
+		return 0;
+#endif /* !NO_HW_NCIPHER */
+#ifndef NO_HW_ATALLA
+	if(!engine_list_add(ENGINE_atalla()))
+		return 0;
+#endif /* !NO_HW_ATALLA */
+#ifndef NO_HW_AEP
+	if(!engine_list_add(ENGINE_aep()))
+		return 0;
+#endif /* !NO_HW_AEP */
+#ifndef NO_HW_SUREWARE
+       if(!engine_list_add(ENGINE_sureware()))
+                return 0;
+#endif /* !NO_HW_SUREWARE */
+#ifndef NO_HW_UBSEC
+	if(!engine_list_add(ENGINE_ubsec()))
+		return 0;
+#endif /* !NO_HW_UBSEC */
+#ifndef NO_HW_KEYCLIENT
+	if(!engine_list_add(ENGINE_keyclient()))
+		return 0;
+#endif /* !NO_HW_KEYCLIENT */
+#endif /* !NO_HW */
+	engine_list_flag = 1;
+	return 1;
+	}
+
+/* Get the first/last "ENGINE" type available. */
+ENGINE *ENGINE_get_first(void)
+	{
+	ENGINE *ret = NULL;
+
+	CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+	if(engine_internal_check())
+		{
+		ret = engine_list_head;
+		if(ret)
+			ret->struct_ref++;
+		}
+	CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+	return ret;
+	}
+ENGINE *ENGINE_get_last(void)
+	{
+	ENGINE *ret = NULL;
+
+	CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+	if(engine_internal_check())
+		{
+		ret = engine_list_tail;
+		if(ret)
+			ret->struct_ref++;
+		}
+	CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+	return ret;
+	}
+
+/* Iterate to the next/previous "ENGINE" type (NULL = end of the list). */
+ENGINE *ENGINE_get_next(ENGINE *e)
+	{
+	ENGINE *ret = NULL;
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_GET_NEXT,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+	ret = e->next;
+	e->struct_ref--;
+	if(ret)
+		ret->struct_ref++;
+	CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+	return ret;
+	}
+ENGINE *ENGINE_get_prev(ENGINE *e)
+	{
+	ENGINE *ret = NULL;
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_GET_PREV,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+	ret = e->prev;
+	e->struct_ref--;
+	if(ret)
+		ret->struct_ref++;
+	CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+	return ret;
+	}
+
+/* Add another "ENGINE" type into the list. */
+int ENGINE_add(ENGINE *e)
+	{
+	int to_return = 1;
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_ADD,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	if((e->id == NULL) || (e->name == NULL))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_ADD,
+			ENGINE_R_ID_OR_NAME_MISSING);
+		}
+	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+	if(!engine_internal_check() || !engine_list_add(e))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_ADD,
+			ENGINE_R_INTERNAL_LIST_ERROR);
+		to_return = 0;
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+	return to_return;
+	}
+
+/* Remove an existing "ENGINE" type from the array. */
+int ENGINE_remove(ENGINE *e)
+	{
+	int to_return = 1;
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_REMOVE,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+	if(!engine_internal_check() || !engine_list_remove(e))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_REMOVE,
+			ENGINE_R_INTERNAL_LIST_ERROR);
+		to_return = 0;
+		}
+	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+	return to_return;
+	}
+
+ENGINE *ENGINE_by_id(const char *id)
+	{
+	ENGINE *iterator = NULL;
+	if(id == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_BY_ID,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+	if(!engine_internal_check())
+		ENGINEerr(ENGINE_F_ENGINE_BY_ID,
+			ENGINE_R_INTERNAL_LIST_ERROR);
+	else
+		{
+		iterator = engine_list_head;
+		while(iterator && (strcmp(id, iterator->id) != 0))
+			iterator = iterator->next;
+		if(iterator)
+			/* We need to return a structural reference */
+			iterator->struct_ref++;
+		}
+	CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+	if(iterator == NULL)
+		ENGINEerr(ENGINE_F_ENGINE_BY_ID,
+			ENGINE_R_NO_SUCH_ENGINE);
+	return iterator;
+	}
+
+/* As per the comments in engine.h, it is generally better all round
+ * if the ENGINE structure is allocated within this framework. */
+#if 0
+int ENGINE_get_struct_size(void)
+	{
+	return sizeof(ENGINE);
+	}
+
+ENGINE *ENGINE_new(ENGINE *e)
+	{
+	ENGINE *ret;
+
+	if(e == NULL)
+		{
+		ret = (ENGINE *)(OPENSSL_malloc(sizeof(ENGINE));
+		if(ret == NULL)
+			{
+			ENGINEerr(ENGINE_F_ENGINE_NEW,
+				ERR_R_MALLOC_FAILURE);
+			return NULL;
+			}
+		}
+	else
+		ret = e;
+	memset(ret, 0, sizeof(ENGINE));
+	if(e)
+		ret->flags = ENGINE_FLAGS_MALLOCED;
+	ret->struct_ref = 1;
+	return ret;
+	}
+#else
+ENGINE *ENGINE_new(void)
+	{
+	ENGINE *ret;
+
+	ret = (ENGINE *)OPENSSL_malloc(sizeof(ENGINE));
+	if(ret == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_NEW, ERR_R_MALLOC_FAILURE);
+		return NULL;
+		}
+	memset(ret, 0, sizeof(ENGINE));
+	ret->flags = ENGINE_FLAGS_MALLOCED;
+	ret->struct_ref = 1;
+	return ret;
+	}
+#endif
+
+int ENGINE_free(ENGINE *e)
+	{
+	int i;
+
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_FREE,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	i = CRYPTO_add(&e->struct_ref,-1,CRYPTO_LOCK_ENGINE);
+#ifdef REF_PRINT
+	REF_PRINT("ENGINE",e);
+#endif
+	if (i > 0) return 1;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"ENGINE_free, bad reference count\n");
+		abort();
+		}
+#endif
+	if(e->flags & ENGINE_FLAGS_MALLOCED)
+		OPENSSL_free(e);
+	return 1;
+	}
+
+int ENGINE_set_id(ENGINE *e, const char *id)
+	{
+	if((e == NULL) || (id == NULL))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_ID,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	e->id = id;
+	return 1;
+	}
+
+int ENGINE_set_name(ENGINE *e, const char *name)
+	{
+	if((e == NULL) || (name == NULL))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_NAME,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	e->name = name;
+	return 1;
+	}
+
+int ENGINE_set_RSA(ENGINE *e, RSA_METHOD *rsa_meth)
+	{
+	if((e == NULL) || (rsa_meth == NULL))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_RSA,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	e->rsa_meth = rsa_meth;
+	return 1;
+	}
+
+int ENGINE_set_DSA(ENGINE *e, DSA_METHOD *dsa_meth)
+	{
+	if((e == NULL) || (dsa_meth == NULL))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_DSA,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	e->dsa_meth = dsa_meth;
+	return 1;
+	}
+
+int ENGINE_set_DH(ENGINE *e, DH_METHOD *dh_meth)
+	{
+	if((e == NULL) || (dh_meth == NULL))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_DH,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	e->dh_meth = dh_meth;
+	return 1;
+	}
+
+int ENGINE_set_RAND(ENGINE *e, RAND_METHOD *rand_meth)
+	{
+	if((e == NULL) || (rand_meth == NULL))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_RAND,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	e->rand_meth = rand_meth;
+	return 1;
+	}
+
+int ENGINE_set_BN_mod_exp(ENGINE *e, BN_MOD_EXP bn_mod_exp)
+	{
+	if((e == NULL) || (bn_mod_exp == NULL))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_BN_MOD_EXP,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	e->bn_mod_exp = bn_mod_exp;
+	return 1;
+	}
+
+int ENGINE_set_BN_mod_exp_crt(ENGINE *e, BN_MOD_EXP_CRT bn_mod_exp_crt)
+	{
+	if((e == NULL) || (bn_mod_exp_crt == NULL))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_BN_MOD_EXP_CRT,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	e->bn_mod_exp_crt = bn_mod_exp_crt;
+	return 1;
+	}
+
+int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f)
+	{
+	if((e == NULL) || (init_f == NULL))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_INIT_FUNCTION,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	e->init = init_f;
+	return 1;
+	}
+
+int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f)
+	{
+	if((e == NULL) || (finish_f == NULL))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_FINISH_FUNCTION,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	e->finish = finish_f;
+	return 1;
+	}
+
+int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f)
+	{
+	if((e == NULL) || (ctrl_f == NULL))
+		{
+		ENGINEerr(ENGINE_F_ENGINE_SET_CTRL_FUNCTION,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	e->ctrl = ctrl_f;
+	return 1;
+	}
+
+const char *ENGINE_get_id(ENGINE *e)
+	{
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_GET_ID,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	return e->id;
+	}
+
+const char *ENGINE_get_name(ENGINE *e)
+	{
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_GET_NAME,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+		}
+	return e->name;
+	}
+
+RSA_METHOD *ENGINE_get_RSA(ENGINE *e)
+	{
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_GET_RSA,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	return e->rsa_meth;
+	}
+
+DSA_METHOD *ENGINE_get_DSA(ENGINE *e)
+	{
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_GET_DSA,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	return e->dsa_meth;
+	}
+
+DH_METHOD *ENGINE_get_DH(ENGINE *e)
+	{
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_GET_DH,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	return e->dh_meth;
+	}
+
+RAND_METHOD *ENGINE_get_RAND(ENGINE *e)
+	{
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_GET_RAND,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	return e->rand_meth;
+	}
+
+BN_MOD_EXP ENGINE_get_BN_mod_exp(ENGINE *e)
+	{
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_GET_BN_MOD_EXP,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	return e->bn_mod_exp;
+	}
+
+BN_MOD_EXP_CRT ENGINE_get_BN_mod_exp_crt(ENGINE *e)
+	{
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_GET_BN_MOD_EXP_CRT,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	return e->bn_mod_exp_crt;
+	}
+
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(ENGINE *e)
+	{
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_GET_INIT_FUNCTION,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	return e->init;
+	}
+
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(ENGINE *e)
+	{
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_GET_FINISH_FUNCTION,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	return e->finish;
+	}
+
+ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(ENGINE *e)
+	{
+	if(e == NULL)
+		{
+		ENGINEerr(ENGINE_F_ENGINE_GET_CTRL_FUNCTION,
+			ERR_R_PASSED_NULL_PARAMETER);
+		return NULL;
+		}
+	return e->ctrl;
+	}
+
--- a/crypto/engine/engine_openssl.c
+++ b/crypto/engine/engine_openssl.c
@@ -0,0 +1,174 @@
+/* crypto/engine/engine_openssl.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "engine_int.h"
+#include <openssl/engine.h>
+#include <openssl/dso.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/dh.h>
+#include <openssl/rand.h>
+#include <openssl/bn.h>
+
+/* This is the only function we need to implement as OpenSSL
+ * doesn't have a native CRT mod_exp. Perhaps this should be
+ * BN_mod_exp_crt and moved into crypto/bn/ ?? ... dunno. */
+static int openssl_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1,
+		const BIGNUM *iqmp, BN_CTX *ctx);
+
+/* The ENGINE structure that can be pointed to. */
+static ENGINE engine_openssl =
+        {
+	"openssl",
+	"Software default engine support",
+	NULL,
+	NULL,
+	NULL, /* these methods are "stolen" in ENGINE_openssl() */
+	NULL,
+	NULL,
+	openssl_mod_exp_crt,
+	NULL, /* no init() */
+	NULL, /* no finish() */
+	NULL, /* no ctrl() */
+	NULL, /* no load_privkey() */
+	NULL, /* no load_pubkey() */
+	0, /* no flags */
+	0, 0, /* no references. */
+	NULL, NULL /* unlinked */
+        };
+
+/* As this is only ever called once, there's no need for locking
+ * (indeed - the lock will already be held by our caller!!!) */
+ENGINE *ENGINE_openssl()
+	{
+	/* We need to populate our structure with the software pointers
+	 * that we want to steal. */
+	engine_openssl.rsa_meth = RSA_get_default_openssl_method();
+	engine_openssl.dsa_meth = DSA_get_default_openssl_method();
+	engine_openssl.dh_meth = DH_get_default_openssl_method();
+	engine_openssl.rand_meth = RAND_SSLeay();
+	engine_openssl.bn_mod_exp = BN_mod_exp;
+	return &engine_openssl;
+	}
+
+/* Chinese Remainder Theorem, taken and adapted from rsa_eay.c */
+static int openssl_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *q, const BIGNUM *dmp1,
+			const BIGNUM *dmq1, const BIGNUM *iqmp, BN_CTX *ctx)
+	{
+	BIGNUM r1,m1;
+	int ret=0;
+	BN_CTX *bn_ctx;
+	BIGNUM *temp_bn = NULL;
+
+	if (ctx)
+		bn_ctx = ctx;
+	else
+		if ((bn_ctx=BN_CTX_new()) == NULL) goto err;
+	BN_init(&m1);
+	BN_init(&r1);
+	/* BN_mul() cannot accept const BIGNUMs so I use the BN_CTX
+	 * to duplicate what I need. <sigh> */
+	if ((temp_bn = BN_CTX_get(bn_ctx)) == NULL) goto err;
+	if (!BN_copy(temp_bn, iqmp)) goto err;
+ 
+	if (!BN_mod(&r1, a, q, bn_ctx)) goto err;
+	if (!engine_openssl.bn_mod_exp(&m1, &r1, dmq1, q, bn_ctx))
+		goto err;
+ 
+	if (!BN_mod(&r1, a, p, bn_ctx)) goto err;
+	if (!engine_openssl.bn_mod_exp(r, &r1, dmp1, p, bn_ctx))
+		goto err;
+
+	if (!BN_sub(r, r, &m1)) goto err;
+	/* This will help stop the size of r0 increasing, which does
+	 * affect the multiply if it optimised for a power of 2 size */
+	if (r->neg)
+		if (!BN_add(r, r, p)) goto err;
+ 
+	if (!BN_mul(&r1, r, temp_bn, bn_ctx)) goto err;
+	if (!BN_mod(r, &r1, p, bn_ctx)) goto err;
+	/* If p < q it is occasionally possible for the correction of
+	 * adding 'p' if r is negative above to leave the result still
+	 * negative. This can break the private key operations: the following
+	 * second correction should *always* correct this rare occurrence.
+	 * This will *never* happen with OpenSSL generated keys because
+	 * they ensure p > q [steve]
+	 */
+	if (r->neg)
+		if (!BN_add(r, r, p)) goto err;
+	/* Again, BN_mul() will need non-const values. */
+	if (!BN_copy(temp_bn, q)) goto err;
+	if (!BN_mul(&r1, r, temp_bn, bn_ctx)) goto err;
+	if (!BN_add(r, &r1, &m1)) goto err;
+ 
+	ret=1;
+err:
+	BN_clear_free(&m1);
+	BN_clear_free(&r1);
+	if (temp_bn)
+		bn_ctx->tos--;
+	if (!ctx)
+		BN_CTX_free(bn_ctx);
+	return(ret);
+	}
--- a/crypto/engine/enginetest.c
+++ b/crypto/engine/enginetest.c
@@ -0,0 +1,252 @@
+/* crypto/engine/enginetest.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/buffer.h>
+#include <openssl/engine.h>
+#include <openssl/err.h>
+
+static void display_engine_list()
+	{
+	ENGINE *h;
+	int loop;
+
+	h = ENGINE_get_first();
+	loop = 0;
+	printf("listing available engine types\n");
+	while(h)
+		{
+		printf("engine %i, id = \"%s\", name = \"%s\"\n",
+			loop++, ENGINE_get_id(h), ENGINE_get_name(h));
+		h = ENGINE_get_next(h);
+		}
+	printf("end of list\n");
+	}
+
+int main(int argc, char *argv[])
+	{
+	ENGINE *block[512];
+	char buf[256];
+	const char *id, *name;
+	ENGINE *ptr;
+	int loop;
+	int to_return = 1;
+	ENGINE *new_h1 = NULL;
+	ENGINE *new_h2 = NULL;
+	ENGINE *new_h3 = NULL;
+	ENGINE *new_h4 = NULL;
+
+	ERR_load_crypto_strings();
+
+	memset(block, 0, 512 * sizeof(ENGINE *));
+	if(((new_h1 = ENGINE_new()) == NULL) ||
+			!ENGINE_set_id(new_h1, "test_id0") ||
+			!ENGINE_set_name(new_h1, "First test item") ||
+			((new_h2 = ENGINE_new()) == NULL) ||
+			!ENGINE_set_id(new_h2, "test_id1") ||
+			!ENGINE_set_name(new_h2, "Second test item") ||
+			((new_h3 = ENGINE_new()) == NULL) ||
+			!ENGINE_set_id(new_h3, "test_id2") ||
+			!ENGINE_set_name(new_h3, "Third test item") ||
+			((new_h4 = ENGINE_new()) == NULL) ||
+			!ENGINE_set_id(new_h4, "test_id3") ||
+			!ENGINE_set_name(new_h4, "Fourth test item"))
+		{
+		printf("Couldn't set up test ENGINE structures\n");
+		goto end;
+		}
+	printf("\nenginetest beginning\n\n");
+	display_engine_list();
+	if(!ENGINE_add(new_h1))
+		{
+		printf("Add failed!\n");
+		goto end;
+		}
+	display_engine_list();
+	ptr = ENGINE_get_first();
+	if(!ENGINE_remove(ptr))
+		{
+		printf("Remove failed!\n");
+		goto end;
+		}
+	display_engine_list();
+	if(!ENGINE_add(new_h3) || !ENGINE_add(new_h2))
+		{
+		printf("Add failed!\n");
+		goto end;
+		}
+	display_engine_list();
+	if(!ENGINE_remove(new_h2))
+		{
+		printf("Remove failed!\n");
+		goto end;
+		}
+	display_engine_list();
+	if(!ENGINE_add(new_h4))
+		{
+		printf("Add failed!\n");
+		goto end;
+		}
+	display_engine_list();
+	if(ENGINE_add(new_h3))
+		{
+		printf("Add *should* have failed but didn't!\n");
+		goto end;
+		}
+	else
+		printf("Add that should fail did.\n");
+	ERR_clear_error();
+	if(ENGINE_remove(new_h2))
+		{
+		printf("Remove *should* have failed but didn't!\n");
+		goto end;
+		}
+	else
+		printf("Remove that should fail did.\n");
+	if(!ENGINE_remove(new_h1))
+		{
+		printf("Remove failed!\n");
+		goto end;
+		}
+	display_engine_list();
+	if(!ENGINE_remove(new_h3))
+		{
+		printf("Remove failed!\n");
+		goto end;
+		}
+	display_engine_list();
+	if(!ENGINE_remove(new_h4))
+		{
+		printf("Remove failed!\n");
+		goto end;
+		}
+	display_engine_list();
+	/* Depending on whether there's any hardware support compiled
+	 * in, this remove may be destined to fail. */
+	ptr = ENGINE_get_first();
+	if(ptr)
+		if(!ENGINE_remove(ptr))
+			printf("Remove failed!i - probably no hardware "
+				"support present.\n");
+	display_engine_list();
+	if(!ENGINE_add(new_h1) || !ENGINE_remove(new_h1))
+		{
+		printf("Couldn't add and remove to an empty list!\n");
+		goto end;
+		}
+	else
+		printf("Successfully added and removed to an empty list!\n");
+	printf("About to beef up the engine-type list\n");
+	for(loop = 0; loop < 512; loop++)
+		{
+		sprintf(buf, "id%i", loop);
+		id = BUF_strdup(buf);
+		sprintf(buf, "Fake engine type %i", loop);
+		name = BUF_strdup(buf);
+		if(((block[loop] = ENGINE_new()) == NULL) ||
+				!ENGINE_set_id(block[loop], id) ||
+				!ENGINE_set_name(block[loop], name))
+			{
+			printf("Couldn't create block of ENGINE structures.\n"
+				"I'll probably also core-dump now, damn.\n");
+			goto end;
+			}
+		}
+	for(loop = 0; loop < 512; loop++)
+		{
+		if(!ENGINE_add(block[loop]))
+			{
+			printf("\nAdding stopped at %i, (%s,%s)\n",
+				loop, ENGINE_get_id(block[loop]),
+				ENGINE_get_name(block[loop]));
+			goto cleanup_loop;
+			}
+		else
+			printf("."); fflush(stdout);
+		}
+cleanup_loop:
+	printf("\nAbout to empty the engine-type list\n");
+	while((ptr = ENGINE_get_first()) != NULL)
+		{
+		if(!ENGINE_remove(ptr))
+			{
+			printf("\nRemove failed!\n");
+			goto end;
+			}
+		printf("."); fflush(stdout);
+		}
+	for(loop = 0; loop < 512; loop++)
+		{
+		free((char *)(ENGINE_get_id(block[loop])));
+		free((char *)(ENGINE_get_name(block[loop])));
+		}
+	printf("\nTests completed happily\n");
+	to_return = 0;
+end:
+	if(to_return)
+		ERR_print_errors_fp(stderr);
+	if(new_h1) ENGINE_free(new_h1);
+	if(new_h2) ENGINE_free(new_h2);
+	if(new_h3) ENGINE_free(new_h3);
+	if(new_h4) ENGINE_free(new_h4);
+	for(loop = 0; loop < 512; loop++)
+		if(block[loop])
+			ENGINE_free(block[loop]);
+	return to_return;
+	}
--- a/crypto/engine/hw_aep.c
+++ b/crypto/engine/hw_aep.c
--- a/crypto/engine/hw_atalla.c
+++ b/crypto/engine/hw_atalla.c
@@ -0,0 +1,444 @@
+/* crypto/engine/hw_atalla.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+#include "engine_int.h"
+#include <openssl/engine.h>
+
+#ifndef NO_HW
+#ifndef NO_HW_ATALLA
+
+#ifdef FLAT_INC
+#include "atalla.h"
+#else
+#include "vendor_defns/atalla.h"
+#endif
+
+static int atalla_init(void);
+static int atalla_finish(void);
+
+/* BIGNUM stuff */
+static int atalla_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx);
+
+/* RSA stuff */
+static int atalla_rsa_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa);
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int atalla_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+/* DSA stuff */
+static int atalla_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+		BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+		BN_CTX *ctx, BN_MONT_CTX *in_mont);
+static int atalla_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+		const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+		BN_MONT_CTX *m_ctx);
+
+/* DH stuff */
+/* This function is alised to mod_exp (with the DH and mont dropped). */
+static int atalla_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD atalla_rsa =
+	{
+	"Atalla RSA method",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	atalla_rsa_mod_exp,
+	atalla_mod_exp_mont,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	NULL,
+	NULL
+	};
+
+/* Our internal DSA_METHOD that we provide pointers to */
+static DSA_METHOD atalla_dsa =
+	{
+	"Atalla DSA method",
+	NULL, /* dsa_do_sign */
+	NULL, /* dsa_sign_setup */
+	NULL, /* dsa_do_verify */
+	atalla_dsa_mod_exp, /* dsa_mod_exp */
+	atalla_mod_exp_dsa, /* bn_mod_exp */
+	NULL, /* init */
+	NULL, /* finish */
+	0, /* flags */
+	NULL /* app_data */
+	};
+
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD atalla_dh =
+	{
+	"Atalla DH method",
+	NULL,
+	NULL,
+	atalla_mod_exp_dh,
+	NULL,
+	NULL,
+	0,
+	NULL
+	};
+
+/* Our ENGINE structure. */
+static ENGINE engine_atalla =
+        {
+	"atalla",
+	"Atalla hardware engine support",
+	&atalla_rsa,
+	&atalla_dsa,
+	&atalla_dh,
+	NULL,
+	atalla_mod_exp,
+	NULL,
+	atalla_init,
+	atalla_finish,
+	NULL, /* no ctrl() */
+	NULL, /* no load_privkey() */
+	NULL, /* no load_pubkey() */
+	0, /* no flags */
+	0, 0, /* no references */
+	NULL, NULL /* unlinked */
+        };
+
+/* As this is only ever called once, there's no need for locking
+ * (indeed - the lock will already be held by our caller!!!) */
+ENGINE *ENGINE_atalla()
+	{
+	RSA_METHOD *meth1;
+	DSA_METHOD *meth2;
+	DH_METHOD *meth3;
+
+	/* We know that the "PKCS1_SSLeay()" functions hook properly
+	 * to the atalla-specific mod_exp and mod_exp_crt so we use
+	 * those functions. NB: We don't use ENGINE_openssl() or
+	 * anything "more generic" because something like the RSAref
+	 * code may not hook properly, and if you own one of these
+	 * cards then you have the right to do RSA operations on it
+	 * anyway! */ 
+	meth1 = RSA_PKCS1_SSLeay();
+	atalla_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+	atalla_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+	atalla_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+	atalla_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+
+	/* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
+	 * bits. */
+	meth2 = DSA_OpenSSL();
+	atalla_dsa.dsa_do_sign = meth2->dsa_do_sign;
+	atalla_dsa.dsa_sign_setup = meth2->dsa_sign_setup;
+	atalla_dsa.dsa_do_verify = meth2->dsa_do_verify;
+
+	/* Much the same for Diffie-Hellman */
+	meth3 = DH_OpenSSL();
+	atalla_dh.generate_key = meth3->generate_key;
+	atalla_dh.compute_key = meth3->compute_key;
+	return &engine_atalla;
+	}
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the Atalla library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *atalla_dso = NULL;
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+static tfnASI_GetHardwareConfig *p_Atalla_GetHardwareConfig = NULL;
+static tfnASI_RSAPrivateKeyOpFn *p_Atalla_RSAPrivateKeyOpFn = NULL;
+static tfnASI_GetPerformanceStatistics *p_Atalla_GetPerformanceStatistics = NULL;
+
+/* (de)initialisation functions. */
+static int atalla_init()
+	{
+	tfnASI_GetHardwareConfig *p1;
+	tfnASI_RSAPrivateKeyOpFn *p2;
+	tfnASI_GetPerformanceStatistics *p3;
+	/* Not sure of the origin of this magic value, but Ben's code had it
+	 * and it seemed to have been working for a few people. :-) */
+	unsigned int config_buf[1024];
+
+	if(atalla_dso != NULL)
+		{
+		ENGINEerr(ENGINE_F_ATALLA_INIT,ENGINE_R_ALREADY_LOADED);
+		goto err;
+		}
+	/* Attempt to load libatasi.so/atasi.dll/whatever. Needs to be
+	 * changed unfortunately because the Atalla drivers don't have
+	 * standard library names that can be platform-translated well. */
+	/* TODO: Work out how to actually map to the names the Atalla
+	 * drivers really use - for now a symbollic link needs to be
+	 * created on the host system from libatasi.so to atasi.so on
+	 * unix variants. */
+	atalla_dso = DSO_load(NULL, ATALLA_LIBNAME, NULL,
+		DSO_FLAG_NAME_TRANSLATION);
+	if(atalla_dso == NULL)
+		{
+		ENGINEerr(ENGINE_F_ATALLA_INIT,ENGINE_R_DSO_FAILURE);
+		goto err;
+		}
+	if(!(p1 = (tfnASI_GetHardwareConfig *)DSO_bind_func(
+				atalla_dso, ATALLA_F1)) ||
+			!(p2 = (tfnASI_RSAPrivateKeyOpFn *)DSO_bind_func(
+				atalla_dso, ATALLA_F2)) ||
+			!(p3 = (tfnASI_GetPerformanceStatistics *)DSO_bind_func(
+				atalla_dso, ATALLA_F3)))
+		{
+		ENGINEerr(ENGINE_F_ATALLA_INIT,ENGINE_R_DSO_FAILURE);
+		goto err;
+		}
+	/* Copy the pointers */
+	p_Atalla_GetHardwareConfig = p1;
+	p_Atalla_RSAPrivateKeyOpFn = p2;
+	p_Atalla_GetPerformanceStatistics = p3;
+	/* Perform a basic test to see if there's actually any unit
+	 * running. */
+	if(p1(0L, config_buf) != 0)
+		{
+		ENGINEerr(ENGINE_F_ATALLA_INIT,ENGINE_R_UNIT_FAILURE);
+		goto err;
+		}
+	/* Everything's fine. */
+	return 1;
+err:
+	if(atalla_dso)
+		DSO_free(atalla_dso);
+	p_Atalla_GetHardwareConfig = NULL;
+	p_Atalla_RSAPrivateKeyOpFn = NULL;
+	p_Atalla_GetPerformanceStatistics = NULL;
+	return 0;
+	}
+
+static int atalla_finish()
+	{
+	if(atalla_dso == NULL)
+		{
+		ENGINEerr(ENGINE_F_ATALLA_FINISH,ENGINE_R_NOT_LOADED);
+		return 0;
+		}
+	if(!DSO_free(atalla_dso))
+		{
+		ENGINEerr(ENGINE_F_ATALLA_FINISH,ENGINE_R_DSO_FAILURE);
+		return 0;
+		}
+	atalla_dso = NULL;
+	p_Atalla_GetHardwareConfig = NULL;
+	p_Atalla_RSAPrivateKeyOpFn = NULL;
+	p_Atalla_GetPerformanceStatistics = NULL;
+	return 1;
+	}
+
+static int atalla_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *m, BN_CTX *ctx)
+	{
+	/* I need somewhere to store temporary serialised values for
+	 * use with the Atalla API calls. A neat cheat - I'll use
+	 * BIGNUMs from the BN_CTX but access their arrays directly as
+	 * byte arrays <grin>. This way I don't have to clean anything
+	 * up. */
+	BIGNUM *modulus;
+	BIGNUM *exponent;
+	BIGNUM *argument;
+	BIGNUM *result;
+	RSAPrivateKey keydata;
+	int to_return, numbytes;
+
+	modulus = exponent = argument = result = NULL;
+	to_return = 0; /* expect failure */
+
+	if(!atalla_dso)
+	{
+		ENGINEerr(ENGINE_F_ATALLA_MOD_EXP,ENGINE_R_NOT_LOADED);
+		goto err;
+	}
+	/* Prepare the params */
+	modulus = BN_CTX_get(ctx);
+	exponent = BN_CTX_get(ctx);
+	argument = BN_CTX_get(ctx);
+	result = BN_CTX_get(ctx);
+	if(!modulus || !exponent || !argument || !result)
+	{
+		ENGINEerr(ENGINE_F_ATALLA_MOD_EXP,ENGINE_R_BN_CTX_FULL);
+		goto err;
+	}
+	if(!bn_wexpand(modulus, m->top) || !bn_wexpand(exponent, m->top) ||
+	   !bn_wexpand(argument, m->top) || !bn_wexpand(result, m->top))
+	{
+		ENGINEerr(ENGINE_F_ATALLA_MOD_EXP,ENGINE_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+	/* Prepare the key-data */
+	memset(&keydata, 0,sizeof keydata);
+	numbytes = BN_num_bytes(m);
+	memset(exponent->d, 0, numbytes);
+	memset(modulus->d, 0, numbytes);
+	BN_bn2bin(p, (unsigned char *)exponent->d + numbytes - BN_num_bytes(p));
+	BN_bn2bin(m, (unsigned char *)modulus->d + numbytes - BN_num_bytes(m));
+	keydata.privateExponent.data = (unsigned char *)exponent->d;
+	keydata.privateExponent.len = numbytes;
+	keydata.modulus.data = (unsigned char *)modulus->d;
+	keydata.modulus.len = numbytes;
+	/* Prepare the argument */
+	memset(argument->d, 0, numbytes);
+	memset(result->d, 0, numbytes);
+	BN_bn2bin(a, (unsigned char *)argument->d + numbytes - BN_num_bytes(a));
+	/* Perform the operation */
+	if(p_Atalla_RSAPrivateKeyOpFn(&keydata, (unsigned char *)result->d,
+			(unsigned char *)argument->d,
+			keydata.modulus.len) != 0)
+	{
+		ENGINEerr(ENGINE_F_ATALLA_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+		goto err;
+	}
+	/* Convert the response */
+	BN_bin2bn((unsigned char *)result->d, numbytes, r);
+	to_return = 1;
+err:
+	if(modulus) ctx->tos--;
+	if(exponent) ctx->tos--;
+	if(argument) ctx->tos--;
+	if(result) ctx->tos--;
+	return to_return;
+	}
+
+static int atalla_rsa_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
+	{
+	BN_CTX *ctx = NULL;
+	int to_return = 0;
+
+	if(!atalla_dso)
+	{
+		ENGINEerr(ENGINE_F_ATALLA_RSA_MOD_EXP,ENGINE_R_NOT_LOADED);
+		goto err;
+	}
+	if((ctx = BN_CTX_new()) == NULL)
+		goto err;
+	if(!rsa->d || !rsa->n)
+		{
+		ENGINEerr(ENGINE_F_ATALLA_RSA_MOD_EXP,ENGINE_R_MISSING_KEY_COMPONENTS);
+		goto err;
+		}
+	to_return = atalla_mod_exp(r0, I, rsa->d, rsa->n, ctx);
+err:
+	if(ctx)
+		BN_CTX_free(ctx);
+	return to_return;
+	}
+
+/* This code was liberated and adapted from the commented-out code in
+ * dsa_ossl.c. Because of the unoptimised form of the Atalla acceleration
+ * (it doesn't have a CRT form for RSA), this function means that an
+ * Atalla system running with a DSA server certificate can handshake
+ * around 5 or 6 times faster/more than an equivalent system running with
+ * RSA. Just check out the "signs" statistics from the RSA and DSA parts
+ * of "openssl speed -engine atalla dsa1024 rsa1024". */
+static int atalla_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+		BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+		BN_CTX *ctx, BN_MONT_CTX *in_mont)
+	{
+	BIGNUM t;
+	int to_return = 0;
+ 
+	BN_init(&t);
+	/* let rr = a1 ^ p1 mod m */
+	if (!atalla_mod_exp(rr,a1,p1,m,ctx)) goto end;
+	/* let t = a2 ^ p2 mod m */
+	if (!atalla_mod_exp(&t,a2,p2,m,ctx)) goto end;
+	/* let rr = rr * t mod m */
+	if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end;
+	to_return = 1;
+end:
+	BN_free(&t);
+	return to_return;
+	}
+
+
+static int atalla_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+		const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+		BN_MONT_CTX *m_ctx)
+	{
+	return atalla_mod_exp(r, a, p, m, ctx);
+	}
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int atalla_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	return atalla_mod_exp(r, a, p, m, ctx);
+	}
+
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int atalla_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	return atalla_mod_exp(r, a, p, m, ctx);
+	}
+
+#endif /* !NO_HW_ATALLA */
+#endif /* !NO_HW */
--- a/crypto/engine/hw_cswift.c
+++ b/crypto/engine/hw_cswift.c
@@ -0,0 +1,807 @@
+/* crypto/engine/hw_cswift.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+#include "engine_int.h"
+#include <openssl/engine.h>
+
+#ifndef NO_HW
+#ifndef NO_HW_CSWIFT
+
+/* Attribution notice: Rainbow have generously allowed me to reproduce
+ * the necessary definitions here from their API. This means the support
+ * can build independently of whether application builders have the
+ * API or hardware. This will allow developers to easily produce software
+ * that has latent hardware support for any users that have accelerators
+ * installed, without the developers themselves needing anything extra.
+ *
+ * I have only clipped the parts from the CryptoSwift header files that
+ * are (or seem) relevant to the CryptoSwift support code. This is
+ * simply to keep the file sizes reasonable.
+ * [Geoff]
+ */
+#ifdef FLAT_INC
+#include "cswift.h"
+#else
+#include "vendor_defns/cswift.h"
+#endif
+
+static int cswift_init(void);
+static int cswift_finish(void);
+
+/* BIGNUM stuff */
+static int cswift_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx);
+static int cswift_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1,
+		const BIGNUM *iqmp, BN_CTX *ctx);
+
+/* RSA stuff */
+static int cswift_rsa_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa);
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int cswift_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+/* DSA stuff */
+static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+static int cswift_dsa_verify(const unsigned char *dgst, int dgst_len,
+				DSA_SIG *sig, DSA *dsa);
+
+/* DH stuff */
+/* This function is alised to mod_exp (with the DH and mont dropped). */
+static int cswift_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD cswift_rsa =
+	{
+	"CryptoSwift RSA method",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	cswift_rsa_mod_exp,
+	cswift_mod_exp_mont,
+	NULL,
+	NULL,
+	0,
+	NULL,
+	NULL,
+	NULL
+	};
+
+/* Our internal DSA_METHOD that we provide pointers to */
+static DSA_METHOD cswift_dsa =
+	{
+	"CryptoSwift DSA method",
+	cswift_dsa_sign,
+	NULL, /* dsa_sign_setup */
+	cswift_dsa_verify,
+	NULL, /* dsa_mod_exp */
+	NULL, /* bn_mod_exp */
+	NULL, /* init */
+	NULL, /* finish */
+	0, /* flags */
+	NULL /* app_data */
+	};
+
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD cswift_dh =
+	{
+	"CryptoSwift DH method",
+	NULL,
+	NULL,
+	cswift_mod_exp_dh,
+	NULL,
+	NULL,
+	0,
+	NULL
+	};
+
+/* Our ENGINE structure. */
+static ENGINE engine_cswift =
+        {
+	"cswift",
+	"CryptoSwift hardware engine support",
+	&cswift_rsa,
+	&cswift_dsa,
+	&cswift_dh,
+	NULL,
+	cswift_mod_exp,
+	cswift_mod_exp_crt,
+	cswift_init,
+	cswift_finish,
+	NULL, /* no ctrl() */
+	NULL, /* no load_privkey() */
+	NULL, /* no load_pubkey() */
+	0, /* no flags */
+	0, 0, /* no references */
+	NULL, NULL /* unlinked */
+        };
+
+/* As this is only ever called once, there's no need for locking
+ * (indeed - the lock will already be held by our caller!!!) */
+ENGINE *ENGINE_cswift()
+	{
+	RSA_METHOD *meth1;
+	DH_METHOD *meth2;
+
+	/* We know that the "PKCS1_SSLeay()" functions hook properly
+	 * to the cswift-specific mod_exp and mod_exp_crt so we use
+	 * those functions. NB: We don't use ENGINE_openssl() or
+	 * anything "more generic" because something like the RSAref
+	 * code may not hook properly, and if you own one of these
+	 * cards then you have the right to do RSA operations on it
+	 * anyway! */ 
+	meth1 = RSA_PKCS1_SSLeay();
+	cswift_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+	cswift_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+	cswift_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+	cswift_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+
+	/* Much the same for Diffie-Hellman */
+	meth2 = DH_OpenSSL();
+	cswift_dh.generate_key = meth2->generate_key;
+	cswift_dh.compute_key = meth2->compute_key;
+	return &engine_cswift;
+	}
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the CryptoSwift library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *cswift_dso = NULL;
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+t_swAcquireAccContext *p_CSwift_AcquireAccContext = NULL;
+t_swAttachKeyParam *p_CSwift_AttachKeyParam = NULL;
+t_swSimpleRequest *p_CSwift_SimpleRequest = NULL;
+t_swReleaseAccContext *p_CSwift_ReleaseAccContext = NULL;
+
+/* Used in the DSO operations. */
+static const char *CSWIFT_LIBNAME = "swift";
+static const char *CSWIFT_F1 = "swAcquireAccContext";
+static const char *CSWIFT_F2 = "swAttachKeyParam";
+static const char *CSWIFT_F3 = "swSimpleRequest";
+static const char *CSWIFT_F4 = "swReleaseAccContext";
+
+
+/* CryptoSwift library functions and mechanics - these are used by the
+ * higher-level functions further down. NB: As and where there's no
+ * error checking, take a look lower down where these functions are
+ * called, the checking and error handling is probably down there. */
+
+/* utility function to obtain a context */
+static int get_context(SW_CONTEXT_HANDLE *hac)
+	{
+        SW_STATUS status;
+ 
+        status = p_CSwift_AcquireAccContext(hac);
+        if(status != SW_OK)
+                return 0;
+        return 1;
+	}
+ 
+/* similarly to release one. */
+static void release_context(SW_CONTEXT_HANDLE hac)
+	{
+        p_CSwift_ReleaseAccContext(hac);
+	}
+
+/* (de)initialisation functions. */
+static int cswift_init()
+	{
+        SW_CONTEXT_HANDLE hac;
+        t_swAcquireAccContext *p1;
+        t_swAttachKeyParam *p2;
+        t_swSimpleRequest *p3;
+        t_swReleaseAccContext *p4;
+
+	if(cswift_dso != NULL)
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_INIT,ENGINE_R_ALREADY_LOADED);
+		goto err;
+		}
+	/* Attempt to load libswift.so/swift.dll/whatever. */
+	cswift_dso = DSO_load(NULL, CSWIFT_LIBNAME, NULL,
+		DSO_FLAG_NAME_TRANSLATION);
+	if(cswift_dso == NULL)
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_INIT,ENGINE_R_DSO_FAILURE);
+		goto err;
+		}
+	if(!(p1 = (t_swAcquireAccContext *)
+				DSO_bind_func(cswift_dso, CSWIFT_F1)) ||
+			!(p2 = (t_swAttachKeyParam *)
+				DSO_bind_func(cswift_dso, CSWIFT_F2)) ||
+			!(p3 = (t_swSimpleRequest *)
+				DSO_bind_func(cswift_dso, CSWIFT_F3)) ||
+			!(p4 = (t_swReleaseAccContext *)
+				DSO_bind_func(cswift_dso, CSWIFT_F4)))
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_INIT,ENGINE_R_DSO_FAILURE);
+		goto err;
+		}
+	/* Copy the pointers */
+	p_CSwift_AcquireAccContext = p1;
+	p_CSwift_AttachKeyParam = p2;
+	p_CSwift_SimpleRequest = p3;
+	p_CSwift_ReleaseAccContext = p4;
+	/* Try and get a context - if not, we may have a DSO but no
+	 * accelerator! */
+	if(!get_context(&hac))
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_INIT,ENGINE_R_UNIT_FAILURE);
+		goto err;
+		}
+	release_context(hac);
+	/* Everything's fine. */
+	return 1;
+err:
+	if(cswift_dso)
+		DSO_free(cswift_dso);
+	p_CSwift_AcquireAccContext = NULL;
+	p_CSwift_AttachKeyParam = NULL;
+	p_CSwift_SimpleRequest = NULL;
+	p_CSwift_ReleaseAccContext = NULL;
+	return 0;
+	}
+
+static int cswift_finish()
+	{
+	if(cswift_dso == NULL)
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_FINISH,ENGINE_R_NOT_LOADED);
+		return 0;
+		}
+	if(!DSO_free(cswift_dso))
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_FINISH,ENGINE_R_DSO_FAILURE);
+		return 0;
+		}
+	cswift_dso = NULL;
+	p_CSwift_AcquireAccContext = NULL;
+	p_CSwift_AttachKeyParam = NULL;
+	p_CSwift_SimpleRequest = NULL;
+	p_CSwift_ReleaseAccContext = NULL;
+	return 1;
+	}
+
+/* Un petit mod_exp */
+static int cswift_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *m, BN_CTX *ctx)
+	{
+	/* I need somewhere to store temporary serialised values for
+	 * use with the CryptoSwift API calls. A neat cheat - I'll use
+	 * BIGNUMs from the BN_CTX but access their arrays directly as
+	 * byte arrays <grin>. This way I don't have to clean anything
+	 * up. */
+	BIGNUM *modulus;
+	BIGNUM *exponent;
+	BIGNUM *argument;
+	BIGNUM *result;
+	SW_STATUS sw_status;
+	SW_LARGENUMBER arg, res;
+	SW_PARAM sw_param;
+	SW_CONTEXT_HANDLE hac;
+	int to_return, acquired;
+ 
+	modulus = exponent = argument = result = NULL;
+	to_return = 0; /* expect failure */
+	acquired = 0;
+ 
+	if(!get_context(&hac))
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_GET_HANDLE_FAILED);
+		goto err;
+		}
+	acquired = 1;
+	/* Prepare the params */
+	modulus = BN_CTX_get(ctx);
+	exponent = BN_CTX_get(ctx);
+	argument = BN_CTX_get(ctx);
+	result = BN_CTX_get(ctx);
+	if(!modulus || !exponent || !argument || !result)
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_BN_CTX_FULL);
+		goto err;
+		}
+	if(!bn_wexpand(modulus, m->top) || !bn_wexpand(exponent, p->top) ||
+		!bn_wexpand(argument, a->top) || !bn_wexpand(result, m->top))
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_BN_EXPAND_FAIL);
+		goto err;
+		}
+	sw_param.type = SW_ALG_EXP;
+	sw_param.up.exp.modulus.nbytes = BN_bn2bin(m,
+		(unsigned char *)modulus->d);
+	sw_param.up.exp.modulus.value = (unsigned char *)modulus->d;
+	sw_param.up.exp.exponent.nbytes = BN_bn2bin(p,
+		(unsigned char *)exponent->d);
+	sw_param.up.exp.exponent.value = (unsigned char *)exponent->d;
+	/* Attach the key params */
+	sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
+	switch(sw_status)
+		{
+	case SW_OK:
+		break;
+	case SW_ERR_INPUT_SIZE:
+		ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,
+			ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+		goto err;
+	default:
+		{
+		char tmpbuf[20];
+		ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		}
+		goto err;
+		}
+	/* Prepare the argument and response */
+	arg.nbytes = BN_bn2bin(a, (unsigned char *)argument->d);
+	arg.value = (unsigned char *)argument->d;
+	res.nbytes = BN_num_bytes(m);
+	memset(result->d, 0, res.nbytes);
+	res.value = (unsigned char *)result->d;
+	/* Perform the operation */
+	if((sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_MODEXP, &arg, 1,
+		&res, 1)) != SW_OK)
+		{
+		char tmpbuf[20];
+		ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		goto err;
+		}
+	/* Convert the response */
+	BN_bin2bn((unsigned char *)result->d, res.nbytes, r);
+	to_return = 1;
+err:
+	if(acquired)
+		release_context(hac);
+	if(modulus) ctx->tos--;
+	if(exponent) ctx->tos--;
+	if(argument) ctx->tos--;
+	if(result) ctx->tos--;
+	return to_return;
+	}
+
+/* Un petit mod_exp chinois */
+static int cswift_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *q, const BIGNUM *dmp1,
+			const BIGNUM *dmq1, const BIGNUM *iqmp, BN_CTX *ctx)
+	{
+	SW_STATUS sw_status;
+	SW_LARGENUMBER arg, res;
+	SW_PARAM sw_param;
+	SW_CONTEXT_HANDLE hac;
+	BIGNUM *rsa_p = NULL;
+	BIGNUM *rsa_q = NULL;
+	BIGNUM *rsa_dmp1 = NULL;
+	BIGNUM *rsa_dmq1 = NULL;
+	BIGNUM *rsa_iqmp = NULL;
+	BIGNUM *argument = NULL;
+	BIGNUM *result = NULL;
+	int to_return = 0; /* expect failure */
+	int acquired = 0;
+ 
+	if(!get_context(&hac))
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_GET_HANDLE_FAILED);
+		goto err;
+		}
+	acquired = 1;
+	/* Prepare the params */
+	rsa_p = BN_CTX_get(ctx);
+	rsa_q = BN_CTX_get(ctx);
+	rsa_dmp1 = BN_CTX_get(ctx);
+	rsa_dmq1 = BN_CTX_get(ctx);
+	rsa_iqmp = BN_CTX_get(ctx);
+	argument = BN_CTX_get(ctx);
+	result = BN_CTX_get(ctx);
+	if(!rsa_p || !rsa_q || !rsa_dmp1 || !rsa_dmq1 || !rsa_iqmp ||
+			!argument || !result)
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_BN_CTX_FULL);
+		goto err;
+		}
+	if(!bn_wexpand(rsa_p, p->top) || !bn_wexpand(rsa_q, q->top) ||
+			!bn_wexpand(rsa_dmp1, dmp1->top) ||
+			!bn_wexpand(rsa_dmq1, dmq1->top) ||
+			!bn_wexpand(rsa_iqmp, iqmp->top) ||
+			!bn_wexpand(argument, a->top) ||
+			!bn_wexpand(result, p->top + q->top))
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_BN_EXPAND_FAIL);
+		goto err;
+		}
+	sw_param.type = SW_ALG_CRT;
+	sw_param.up.crt.p.nbytes = BN_bn2bin(p, (unsigned char *)rsa_p->d);
+	sw_param.up.crt.p.value = (unsigned char *)rsa_p->d;
+	sw_param.up.crt.q.nbytes = BN_bn2bin(q, (unsigned char *)rsa_q->d);
+	sw_param.up.crt.q.value = (unsigned char *)rsa_q->d;
+	sw_param.up.crt.dmp1.nbytes = BN_bn2bin(dmp1,
+		(unsigned char *)rsa_dmp1->d);
+	sw_param.up.crt.dmp1.value = (unsigned char *)rsa_dmp1->d;
+	sw_param.up.crt.dmq1.nbytes = BN_bn2bin(dmq1,
+		(unsigned char *)rsa_dmq1->d);
+	sw_param.up.crt.dmq1.value = (unsigned char *)rsa_dmq1->d;
+	sw_param.up.crt.iqmp.nbytes = BN_bn2bin(iqmp,
+		(unsigned char *)rsa_iqmp->d);
+	sw_param.up.crt.iqmp.value = (unsigned char *)rsa_iqmp->d;
+	/* Attach the key params */
+	sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
+	switch(sw_status)
+		{
+	case SW_OK:
+		break;
+	case SW_ERR_INPUT_SIZE:
+		ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,
+			ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+		goto err;
+	default:
+		{
+		char tmpbuf[20];
+		ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		}
+		goto err;
+		}
+	/* Prepare the argument and response */
+	arg.nbytes = BN_bn2bin(a, (unsigned char *)argument->d);
+	arg.value = (unsigned char *)argument->d;
+	res.nbytes = 2 * BN_num_bytes(p);
+	memset(result->d, 0, res.nbytes);
+	res.value = (unsigned char *)result->d;
+	/* Perform the operation */
+	if((sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_MODEXP_CRT, &arg, 1,
+		&res, 1)) != SW_OK)
+		{
+		char tmpbuf[20];
+		ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		goto err;
+		}
+	/* Convert the response */
+	BN_bin2bn((unsigned char *)result->d, res.nbytes, r);
+	to_return = 1;
+err:
+	if(acquired)
+		release_context(hac);
+	if(rsa_p) ctx->tos--;
+	if(rsa_q) ctx->tos--;
+	if(rsa_dmp1) ctx->tos--;
+	if(rsa_dmq1) ctx->tos--;
+	if(rsa_iqmp) ctx->tos--;
+	if(argument) ctx->tos--;
+	if(result) ctx->tos--;
+	return to_return;
+	}
+ 
+static int cswift_rsa_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
+	{
+	BN_CTX *ctx;
+	int to_return = 0;
+
+	if((ctx = BN_CTX_new()) == NULL)
+		goto err;
+	if(!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp)
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_RSA_MOD_EXP,ENGINE_R_MISSING_KEY_COMPONENTS);
+		goto err;
+		}
+	to_return = cswift_mod_exp_crt(r0, I, rsa->p, rsa->q, rsa->dmp1,
+		rsa->dmq1, rsa->iqmp, ctx);
+err:
+	if(ctx)
+		BN_CTX_free(ctx);
+	return to_return;
+	}
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int cswift_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	return cswift_mod_exp(r, a, p, m, ctx);
+	}
+
+static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+	{
+	SW_CONTEXT_HANDLE hac;
+	SW_PARAM sw_param;
+	SW_STATUS sw_status;
+	SW_LARGENUMBER arg, res;
+	unsigned char *ptr;
+	BN_CTX *ctx;
+	BIGNUM *dsa_p = NULL;
+	BIGNUM *dsa_q = NULL;
+	BIGNUM *dsa_g = NULL;
+	BIGNUM *dsa_key = NULL;
+	BIGNUM *result = NULL;
+	DSA_SIG *to_return = NULL;
+	int acquired = 0;
+
+	if((ctx = BN_CTX_new()) == NULL)
+		goto err;
+	if(!get_context(&hac))
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_GET_HANDLE_FAILED);
+		goto err;
+		}
+	acquired = 1;
+	/* Prepare the params */
+	dsa_p = BN_CTX_get(ctx);
+	dsa_q = BN_CTX_get(ctx);
+	dsa_g = BN_CTX_get(ctx);
+	dsa_key = BN_CTX_get(ctx);
+	result = BN_CTX_get(ctx);
+	if(!dsa_p || !dsa_q || !dsa_g || !dsa_key || !result)
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_BN_CTX_FULL);
+		goto err;
+		}
+	if(!bn_wexpand(dsa_p, dsa->p->top) ||
+			!bn_wexpand(dsa_q, dsa->q->top) ||
+			!bn_wexpand(dsa_g, dsa->g->top) ||
+			!bn_wexpand(dsa_key, dsa->priv_key->top) ||
+			!bn_wexpand(result, dsa->p->top))
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_BN_EXPAND_FAIL);
+		goto err;
+		}
+	sw_param.type = SW_ALG_DSA;
+	sw_param.up.dsa.p.nbytes = BN_bn2bin(dsa->p,
+				(unsigned char *)dsa_p->d);
+	sw_param.up.dsa.p.value = (unsigned char *)dsa_p->d;
+	sw_param.up.dsa.q.nbytes = BN_bn2bin(dsa->q,
+				(unsigned char *)dsa_q->d);
+	sw_param.up.dsa.q.value = (unsigned char *)dsa_q->d;
+	sw_param.up.dsa.g.nbytes = BN_bn2bin(dsa->g,
+				(unsigned char *)dsa_g->d);
+	sw_param.up.dsa.g.value = (unsigned char *)dsa_g->d;
+	sw_param.up.dsa.key.nbytes = BN_bn2bin(dsa->priv_key,
+				(unsigned char *)dsa_key->d);
+	sw_param.up.dsa.key.value = (unsigned char *)dsa_key->d;
+	/* Attach the key params */
+	sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
+	switch(sw_status)
+		{
+	case SW_OK:
+		break;
+	case SW_ERR_INPUT_SIZE:
+		ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,
+			ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+		goto err;
+	default:
+		{
+		char tmpbuf[20];
+		ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		}
+		goto err;
+		}
+	/* Prepare the argument and response */
+	arg.nbytes = dlen;
+	arg.value = (unsigned char *)dgst;
+	res.nbytes = BN_num_bytes(dsa->p);
+	memset(result->d, 0, res.nbytes);
+	res.value = (unsigned char *)result->d;
+	/* Perform the operation */
+	sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_DSS_SIGN, &arg, 1,
+		&res, 1);
+	if(sw_status != SW_OK)
+		{
+		char tmpbuf[20];
+		ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		goto err;
+		}
+	/* Convert the response */
+	ptr = (unsigned char *)result->d;
+	if((to_return = DSA_SIG_new()) == NULL)
+		goto err;
+	to_return->r = BN_bin2bn((unsigned char *)result->d, 20, NULL);
+	to_return->s = BN_bin2bn((unsigned char *)result->d + 20, 20, NULL);
+
+err:
+	if(acquired)
+		release_context(hac);
+	if(dsa_p) ctx->tos--;
+	if(dsa_q) ctx->tos--;
+	if(dsa_g) ctx->tos--;
+	if(dsa_key) ctx->tos--;
+	if(result) ctx->tos--;
+	if(ctx)
+		BN_CTX_free(ctx);
+	return to_return;
+	}
+
+static int cswift_dsa_verify(const unsigned char *dgst, int dgst_len,
+				DSA_SIG *sig, DSA *dsa)
+	{
+	SW_CONTEXT_HANDLE hac;
+	SW_PARAM sw_param;
+	SW_STATUS sw_status;
+	SW_LARGENUMBER arg[2], res;
+	unsigned long sig_result;
+	BN_CTX *ctx;
+	BIGNUM *dsa_p = NULL;
+	BIGNUM *dsa_q = NULL;
+	BIGNUM *dsa_g = NULL;
+	BIGNUM *dsa_key = NULL;
+	BIGNUM *argument = NULL;
+	int to_return = -1;
+	int acquired = 0;
+
+	if((ctx = BN_CTX_new()) == NULL)
+		goto err;
+	if(!get_context(&hac))
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_GET_HANDLE_FAILED);
+		goto err;
+		}
+	acquired = 1;
+	/* Prepare the params */
+	dsa_p = BN_CTX_get(ctx);
+	dsa_q = BN_CTX_get(ctx);
+	dsa_g = BN_CTX_get(ctx);
+	dsa_key = BN_CTX_get(ctx);
+	argument = BN_CTX_get(ctx);
+	if(!dsa_p || !dsa_q || !dsa_g || !dsa_key || !argument)
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_BN_CTX_FULL);
+		goto err;
+		}
+	if(!bn_wexpand(dsa_p, dsa->p->top) ||
+			!bn_wexpand(dsa_q, dsa->q->top) ||
+			!bn_wexpand(dsa_g, dsa->g->top) ||
+			!bn_wexpand(dsa_key, dsa->pub_key->top) ||
+			!bn_wexpand(argument, 40))
+		{
+		ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_BN_EXPAND_FAIL);
+		goto err;
+		}
+	sw_param.type = SW_ALG_DSA;
+	sw_param.up.dsa.p.nbytes = BN_bn2bin(dsa->p,
+				(unsigned char *)dsa_p->d);
+	sw_param.up.dsa.p.value = (unsigned char *)dsa_p->d;
+	sw_param.up.dsa.q.nbytes = BN_bn2bin(dsa->q,
+				(unsigned char *)dsa_q->d);
+	sw_param.up.dsa.q.value = (unsigned char *)dsa_q->d;
+	sw_param.up.dsa.g.nbytes = BN_bn2bin(dsa->g,
+				(unsigned char *)dsa_g->d);
+	sw_param.up.dsa.g.value = (unsigned char *)dsa_g->d;
+	sw_param.up.dsa.key.nbytes = BN_bn2bin(dsa->pub_key,
+				(unsigned char *)dsa_key->d);
+	sw_param.up.dsa.key.value = (unsigned char *)dsa_key->d;
+	/* Attach the key params */
+	sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
+	switch(sw_status)
+		{
+	case SW_OK:
+		break;
+	case SW_ERR_INPUT_SIZE:
+		ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,
+			ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+		goto err;
+	default:
+		{
+		char tmpbuf[20];
+		ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		}
+		goto err;
+		}
+	/* Prepare the argument and response */
+	arg[0].nbytes = dgst_len;
+	arg[0].value = (unsigned char *)dgst;
+	arg[1].nbytes = 40;
+	arg[1].value = (unsigned char *)argument->d;
+	memset(arg[1].value, 0, 40);
+	BN_bn2bin(sig->r, arg[1].value + 20 - BN_num_bytes(sig->r));
+	BN_bn2bin(sig->s, arg[1].value + 40 - BN_num_bytes(sig->s));
+	res.nbytes = 4; /* unsigned long */
+	res.value = (unsigned char *)(&sig_result);
+	/* Perform the operation */
+	sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_DSS_VERIFY, arg, 2,
+		&res, 1);
+	if(sw_status != SW_OK)
+		{
+		char tmpbuf[20];
+		ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_REQUEST_FAILED);
+		sprintf(tmpbuf, "%ld", sw_status);
+		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+		goto err;
+		}
+	/* Convert the response */
+	to_return = ((sig_result == 0) ? 0 : 1);
+
+err:
+	if(acquired)
+		release_context(hac);
+	if(dsa_p) ctx->tos--;
+	if(dsa_q) ctx->tos--;
+	if(dsa_g) ctx->tos--;
+	if(dsa_key) ctx->tos--;
+	if(argument) ctx->tos--;
+	if(ctx)
+		BN_CTX_free(ctx);
+	return to_return;
+	}
+
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int cswift_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+	{
+	return cswift_mod_exp(r, a, p, m, ctx);
+	}
+
+#endif /* !NO_HW_CSWIFT */
+#endif /* !NO_HW */
--- a/crypto/engine/hw_keyclient.c
+++ b/crypto/engine/hw_keyclient.c
--- a/crypto/engine/hw_ncipher.c
+++ b/crypto/engine/hw_ncipher.c
--- a/crypto/engine/hw_sureware.c
+++ b/crypto/engine/hw_sureware.c
@@ -0,0 +1,925 @@
+/* Written by Corinne Dive-Reclus(cdive@baltimore.com)
+* 
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+*    notice, this list of conditions and the following disclaimer. 
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+*    notice, this list of conditions and the following disclaimer in
+*    the documentation and/or other materials provided with the
+*    distribution.
+*
+* 3. All advertising materials mentioning features or use of this
+*    software must display the following acknowledgment:
+*    "This product includes software developed by the OpenSSL Project
+*    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+*
+* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+*    endorse or promote products derived from this software without
+*    prior written permission. For written permission, please contact
+*    licensing@OpenSSL.org.
+*
+* 5. Products derived from this software may not be called "OpenSSL"
+*    nor may "OpenSSL" appear in their names without prior written
+*    permission of the OpenSSL Project.
+*
+* 6. Redistributions of any form whatsoever must retain the following
+*    acknowledgment:
+*    "This product includes software developed by the OpenSSL Project
+*    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+*
+* Written by Corinne Dive-Reclus(cdive@baltimore.com)
+*
+* Copyright@2001 Baltimore Technologies Ltd.
+* All right Reserved.
+*																								*	
+*		THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND																			*
+*		ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE					* 
+*		IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE				*
+*		ARE DISCLAIMED.  IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE						*
+*		FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL				*
+*		DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS					*
+*		OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)					*
+*		HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT				*
+*		LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY				*
+*		OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF					*
+*		SUCH DAMAGE.																			*
+====================================================================*/
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include <openssl/pem.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+#include "engine_int.h"
+#include "engine.h"
+#include <openssl/engine.h>
+
+#ifndef NO_HW
+#ifndef NO_HW_SUREWARE
+
+#ifdef FLAT_INC
+#include "sureware.h"
+#else
+#include "vendor_defns/sureware.h"
+#endif
+
+static int surewarehk_ctrl(int cmd, long i, void *p, void (*f)());
+static int surewarehk_init(void);
+static int surewarehk_finish(void);
+static int surewarehk_modexp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+							const BIGNUM *m, BN_CTX *ctx);
+
+/* RSA stuff */
+static int surewarehk_rsa_priv_dec(int flen,unsigned char *from,unsigned char *to,
+			RSA *rsa,int padding);
+static int surewarehk_rsa_sign(int flen,unsigned char *from,unsigned char *to,
+			    RSA *rsa,int padding);
+
+/* RAND stuff */
+static int surewarehk_rand_bytes(unsigned char *buf, int num);
+static void surewarehk_rand_seed(const void *buf, int num);
+static void surewarehk_rand_add(const void *buf, int num, double entropy);
+
+/* KM stuff */
+static EVP_PKEY *surewarehk_load_privkey(const char *key_id,
+	const char *passphrase);
+static EVP_PKEY *surewarehk_load_pubkey(const char *key_id,
+	const char *passphrase);
+static void surewarehk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+	int index,long argl, void *argp);
+#if 0
+static void surewarehk_dh_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+	int index,long argl, void *argp);
+#endif
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int surewarehk_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+{
+	return surewarehk_modexp(r, a, p, m, ctx);
+}
+
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD surewarehk_rsa =
+	{
+	"SureWare RSA method",
+	NULL, /* pub_enc*/
+	NULL, /* pub_dec*/
+	surewarehk_rsa_sign, /* our rsa_sign is OpenSSL priv_enc*/
+	surewarehk_rsa_priv_dec, /* priv_dec*/
+	NULL, /*mod_exp*/
+	surewarehk_mod_exp_mont, /*mod_exp_mongomery*/
+	NULL, /* init*/
+	NULL, /* finish*/
+	0,	/* RSA flag*/
+	NULL, 
+	NULL, /* OpenSSL sign*/
+	NULL  /* OpenSSL verify*/
+	};
+/* Our internal DH_METHOD that we provide pointers to */
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int surewarehk_modexp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+{
+	return surewarehk_modexp(r, a, p, m, ctx);
+}
+static DH_METHOD surewarehk_dh =
+	{
+	"SureWare DH method",
+	NULL,/*gen_key*/
+	NULL,/*agree,*/
+	surewarehk_modexp_dh, /*dh mod exp*/
+	NULL, /* init*/
+	NULL, /* finish*/
+	0,    /* flags*/
+	NULL 
+	};
+static RAND_METHOD surewarehk_rand =
+	{
+	/* "SureWare RAND method", */
+	surewarehk_rand_seed,
+	surewarehk_rand_bytes,
+	NULL,/*cleanup*/
+	surewarehk_rand_add,
+	surewarehk_rand_bytes,
+	NULL,/*rand_status*/
+	};
+/* DSA stuff */
+static	DSA_SIG * surewarehk_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+static int surewarehk_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+		BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+		BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+	BIGNUM t;
+	int to_return = 0;
+	BN_init(&t);
+	/* let rr = a1 ^ p1 mod m */
+	if (!surewarehk_modexp(rr,a1,p1,m,ctx)) goto end;
+	/* let t = a2 ^ p2 mod m */
+	if (!surewarehk_modexp(&t,a2,p2,m,ctx)) goto end;
+	/* let rr = rr * t mod m */
+	if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end;
+	to_return = 1;
+end:
+	BN_free(&t);
+	return to_return;
+}
+
+static DSA_METHOD surewarehk_dsa =
+	{
+	 "SureWare DSA method", 
+	surewarehk_dsa_do_sign,
+	NULL,/*sign setup*/
+	NULL,/*verify,*/
+	surewarehk_dsa_mod_exp,/*mod exp*/
+	NULL,/*bn mod exp*/
+	NULL, /*init*/
+	NULL,/*finish*/
+	0,
+	NULL,
+	};
+/* Our ENGINE structure. */
+static ENGINE engine_surewarehk =
+        {
+	"sureware",
+	"SureWare hardware engine support",
+	&surewarehk_rsa,
+	&surewarehk_dsa,
+	&surewarehk_dh,
+	&surewarehk_rand,
+	&surewarehk_modexp,
+	NULL,/* mod exp CRT*/
+	surewarehk_init,
+	surewarehk_finish,
+	surewarehk_ctrl, /* crtl*/
+	surewarehk_load_privkey,
+	surewarehk_load_pubkey,
+	0, /* no flags */
+	0, 0, /* no references */
+	NULL, /*unlinked */
+        };
+/* Now, to our own code */
+
+/* As this is only ever called once, there's no need for locking
+ * (indeed - the lock will already be held by our caller!!!) */
+ENGINE *ENGINE_sureware()
+{
+	RSA_METHOD *meth1;
+	DSA_METHOD *meth2;
+	DH_METHOD *meth3;
+
+	/* We know that the "PKCS1_SSLeay()" functions hook properly
+	 * to the cswift-specific mod_exp and mod_exp_crt so we use
+	 * those functions. NB: We don't use ENGINE_openssl() or
+	 * anything "more generic" because something like the RSAref
+	 * code may not hook properly, and if you own one of these
+	 * cards then you have the right to do RSA operations on it
+	 * anyway! */ 
+	meth1 = RSA_PKCS1_SSLeay();
+	if (meth1)
+	{
+		surewarehk_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+		surewarehk_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+	}
+	/* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
+	 * bits. */
+	meth2 = DSA_OpenSSL();
+	if (meth2)
+	{
+		surewarehk_dsa.dsa_do_verify = meth2->dsa_do_verify;
+	}
+	/* Much the same for Diffie-Hellman */
+	meth3 = DH_OpenSSL();
+	if (meth3)
+	{
+		surewarehk_dh.generate_key = meth3->generate_key;
+		surewarehk_dh.compute_key = meth3->compute_key;
+	}
+	return &engine_surewarehk;
+}
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the SureWareHook library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *surewarehk_dso = NULL;
+static int rsaHndidx = -1;	/* Index for KM handle.  Not really used yet. */
+static int dsaHndidx = -1;	/* Index for KM handle.  Not really used yet. */
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+static SureWareHook_Init_t *p_surewarehk_Init = NULL;
+static SureWareHook_Finish_t *p_surewarehk_Finish = NULL;
+static SureWareHook_Rand_Bytes_t *p_surewarehk_Rand_Bytes = NULL;
+static SureWareHook_Rand_Seed_t *p_surewarehk_Rand_Seed = NULL;
+static SureWareHook_Load_Privkey_t *p_surewarehk_Load_Privkey = NULL;
+static SureWareHook_Info_Pubkey_t *p_surewarehk_Info_Pubkey = NULL;
+static SureWareHook_Load_Rsa_Pubkey_t *p_surewarehk_Load_Rsa_Pubkey = NULL;
+static SureWareHook_Load_Dsa_Pubkey_t *p_surewarehk_Load_Dsa_Pubkey = NULL;
+static SureWareHook_Free_t *p_surewarehk_Free=NULL;
+static SureWareHook_Rsa_Priv_Dec_t *p_surewarehk_Rsa_Priv_Dec=NULL;
+static SureWareHook_Rsa_Sign_t *p_surewarehk_Rsa_Sign=NULL;
+static SureWareHook_Dsa_Sign_t *p_surewarehk_Dsa_Sign=NULL;
+static SureWareHook_Mod_Exp_t *p_surewarehk_Mod_Exp=NULL;
+
+/* Used in the DSO operations. */
+static const char *surewarehk_LIBNAME = "SureWareHook";
+static const char *n_surewarehk_Init = "SureWareHook_Init";
+static const char *n_surewarehk_Finish = "SureWareHook_Finish";
+static const char *n_surewarehk_Rand_Bytes="SureWareHook_Rand_Bytes";
+static const char *n_surewarehk_Rand_Seed="SureWareHook_Rand_Seed";
+static const char *n_surewarehk_Load_Privkey="SureWareHook_Load_Privkey";
+static const char *n_surewarehk_Info_Pubkey="SureWareHook_Info_Pubkey";
+static const char *n_surewarehk_Load_Rsa_Pubkey="SureWareHook_Load_Rsa_Pubkey";
+static const char *n_surewarehk_Load_Dsa_Pubkey="SureWareHook_Load_Dsa_Pubkey";
+static const char *n_surewarehk_Free="SureWareHook_Free";
+static const char *n_surewarehk_Rsa_Priv_Dec="SureWareHook_Rsa_Priv_Dec";
+static const char *n_surewarehk_Rsa_Sign="SureWareHook_Rsa_Sign";
+static const char *n_surewarehk_Dsa_Sign="SureWareHook_Dsa_Sign";
+static const char *n_surewarehk_Mod_Exp="SureWareHook_Mod_Exp";
+static BIO *logstream = NULL;
+
+/* SureWareHook library functions and mechanics - these are used by the
+ * higher-level functions further down. NB: As and where there's no
+ * error checking, take a look lower down where these functions are
+ * called, the checking and error handling is probably down there. 
+*/
+static int threadsafe=1;
+static int surewarehk_ctrl(int cmd, long i, void *p, void (*f)())
+{
+	int to_return = 1;
+
+	switch(cmd)
+	{
+		case ENGINE_CTRL_SET_LOGSTREAM:
+		{
+			BIO *bio = (BIO *)p;
+			CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+			if (logstream)
+			{
+				BIO_free(logstream);
+				logstream = NULL;
+			}
+			if (CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO) > 1)
+				logstream = bio;
+			else
+				ENGINEerr(ENGINE_F_SUREWAREHK_CTRL,ENGINE_R_BIO_WAS_FREED);
+		}
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		break;
+	/* This will prevent the initialisation function from "installing"
+	 * the mutex-handling callbacks, even if they are available from
+	 * within the library (or were provided to the library from the
+	 * calling application). This is to remove any baggage for
+	 * applications not using multithreading. */
+	case ENGINE_CTRL_CHIL_NO_LOCKING:
+		CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+		threadsafe = 0;
+		CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+		break;
+
+	/* The command isn't understood by this engine */
+	default:
+		ENGINEerr(ENGINE_F_SUREWAREHK_CTRL,
+			ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+		to_return = 0;
+		break;
+		}
+
+	return to_return;
+}
+
+/* (de)initialisation functions. */
+static int surewarehk_init()
+{
+	char msg[64]="ENGINE_init";
+	SureWareHook_Init_t *p1=NULL;
+	SureWareHook_Finish_t *p2=NULL;
+	SureWareHook_Rand_Bytes_t *p3=NULL;
+	SureWareHook_Rand_Seed_t *p4=NULL;
+	SureWareHook_Load_Privkey_t *p5=NULL;
+	SureWareHook_Load_Rsa_Pubkey_t *p6=NULL;
+	SureWareHook_Free_t *p7=NULL;
+	SureWareHook_Rsa_Priv_Dec_t *p8=NULL;
+	SureWareHook_Rsa_Sign_t *p9=NULL;
+	SureWareHook_Dsa_Sign_t *p12=NULL;
+	SureWareHook_Info_Pubkey_t *p13=NULL;
+	SureWareHook_Load_Dsa_Pubkey_t *p14=NULL;
+	SureWareHook_Mod_Exp_t *p15=NULL;
+
+	if(surewarehk_dso != NULL)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_INIT,ENGINE_R_ALREADY_LOADED);
+		goto err;
+	}
+	/* Attempt to load libsurewarehk.so/surewarehk.dll/whatever. */
+	surewarehk_dso = DSO_load(NULL, surewarehk_LIBNAME, NULL,
+		DSO_FLAG_NAME_TRANSLATION);
+	if(surewarehk_dso == NULL)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_INIT,ENGINE_R_DSO_FAILURE);
+		goto err;
+	}
+	if(!(p1=(SureWareHook_Init_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Init)) ||
+	   !(p2=(SureWareHook_Finish_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Finish)) ||
+	   !(p3=(SureWareHook_Rand_Bytes_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rand_Bytes)) ||
+	   !(p4=(SureWareHook_Rand_Seed_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rand_Seed)) ||
+	   !(p5=(SureWareHook_Load_Privkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Privkey)) ||
+	   !(p6=(SureWareHook_Load_Rsa_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Rsa_Pubkey)) ||
+	   !(p7=(SureWareHook_Free_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Free)) ||
+	   !(p8=(SureWareHook_Rsa_Priv_Dec_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rsa_Priv_Dec)) ||
+	   !(p9=(SureWareHook_Rsa_Sign_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rsa_Sign)) ||
+	   !(p12=(SureWareHook_Dsa_Sign_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Dsa_Sign)) ||
+	   !(p13=(SureWareHook_Info_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Info_Pubkey)) ||
+	   !(p14=(SureWareHook_Load_Dsa_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Dsa_Pubkey)) ||
+	   !(p15=(SureWareHook_Mod_Exp_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Mod_Exp)))
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_INIT,ENGINE_R_DSO_FAILURE);
+		goto err;
+	}
+	/* Copy the pointers */
+	p_surewarehk_Init = p1;
+	p_surewarehk_Finish = p2;
+	p_surewarehk_Rand_Bytes = p3;
+	p_surewarehk_Rand_Seed = p4;
+	p_surewarehk_Load_Privkey = p5;
+	p_surewarehk_Load_Rsa_Pubkey = p6;
+	p_surewarehk_Free = p7;
+	p_surewarehk_Rsa_Priv_Dec = p8;
+	p_surewarehk_Rsa_Sign = p9;
+	p_surewarehk_Dsa_Sign = p12;
+	p_surewarehk_Info_Pubkey = p13;
+	p_surewarehk_Load_Dsa_Pubkey = p14;
+	p_surewarehk_Mod_Exp = p15;
+	/* Contact the hardware and initialises it. */
+	if(p_surewarehk_Init(msg,threadsafe)==SUREWAREHOOK_ERROR_UNIT_FAILURE)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_INIT,ENGINE_R_UNIT_FAILURE);
+		goto err;
+	}
+	if(p_surewarehk_Init(msg,threadsafe)==SUREWAREHOOK_ERROR_UNIT_FAILURE)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_INIT,ENGINE_R_UNIT_FAILURE);
+		goto err;
+	}
+	/* try to load the default private key, if failed does not return a failure but
+           wait for an explicit ENGINE_load_privakey */
+	surewarehk_load_privkey(NULL,NULL);
+
+	/* Everything's fine. */
+	if (rsaHndidx == -1)
+		rsaHndidx = RSA_get_ex_new_index(0,
+						"SureWareHook RSA key handle",
+						NULL, NULL, surewarehk_ex_free);
+	if (dsaHndidx == -1)
+		dsaHndidx = DSA_get_ex_new_index(0,
+						"SureWareHook DSA key handle",
+						NULL, NULL, surewarehk_ex_free);
+	return 1;
+err:
+	if(surewarehk_dso)
+		DSO_free(surewarehk_dso);
+	surewarehk_dso = NULL;
+	p_surewarehk_Init = NULL;
+	p_surewarehk_Finish = NULL;
+	p_surewarehk_Rand_Bytes = NULL;
+	p_surewarehk_Rand_Seed = NULL;
+	p_surewarehk_Load_Privkey = NULL;
+	p_surewarehk_Load_Rsa_Pubkey = NULL;
+	p_surewarehk_Free = NULL;
+	p_surewarehk_Rsa_Priv_Dec = NULL;
+	p_surewarehk_Rsa_Sign = NULL;
+	p_surewarehk_Dsa_Sign = NULL;
+	p_surewarehk_Info_Pubkey = NULL;
+	p_surewarehk_Load_Dsa_Pubkey = NULL;
+	p_surewarehk_Mod_Exp = NULL;
+	return 0;
+}
+
+static int surewarehk_finish()
+{
+	int to_return = 1;
+	if(surewarehk_dso == NULL)
+		{
+		ENGINEerr(ENGINE_F_SUREWAREHK_FINISH,ENGINE_R_NOT_LOADED);
+		to_return = 0;
+		goto err;
+		}
+	p_surewarehk_Finish();
+	if(!DSO_free(surewarehk_dso))
+		{
+		ENGINEerr(ENGINE_F_SUREWAREHK_FINISH,ENGINE_R_DSO_FAILURE);
+		to_return = 0;
+		goto err;
+		}
+ err:
+	if (logstream)
+		BIO_free(logstream);
+	surewarehk_dso = NULL;
+	p_surewarehk_Init = NULL;
+	p_surewarehk_Finish = NULL;
+	p_surewarehk_Rand_Bytes = NULL;
+	p_surewarehk_Rand_Seed = NULL;
+	p_surewarehk_Load_Privkey = NULL;
+	p_surewarehk_Load_Rsa_Pubkey = NULL;
+	p_surewarehk_Free = NULL;
+	p_surewarehk_Rsa_Priv_Dec = NULL;
+	p_surewarehk_Rsa_Sign = NULL;
+	p_surewarehk_Dsa_Sign = NULL;
+	p_surewarehk_Info_Pubkey = NULL;
+	p_surewarehk_Load_Dsa_Pubkey = NULL;
+	p_surewarehk_Mod_Exp = NULL;
+	return to_return;
+}
+static void surewarehk_error_handling(char *const msg,int func,int ret)
+{
+	switch (ret)
+	{
+		case SUREWAREHOOK_ERROR_UNIT_FAILURE:
+			ENGINEerr(func,ENGINE_R_UNIT_FAILURE);
+			break;
+		case SUREWAREHOOK_ERROR_FALLBACK:
+			ENGINEerr(func,ENGINE_R_REQUEST_FALLBACK);
+			break;
+		case SUREWAREHOOK_ERROR_DATA_SIZE:
+			ENGINEerr(func,ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+			break;
+		case SUREWAREHOOK_ERROR_INVALID_PAD:
+			ENGINEerr(func,RSA_R_PADDING_CHECK_FAILED);
+			break;
+		default:
+			ENGINEerr(func,ENGINE_R_REQUEST_FAILED);
+			break;
+		case 1:/*nothing*/
+			msg[0]='\0';
+	}
+	if (*msg)
+	{
+		ERR_add_error_data(1,msg);
+		if (logstream)
+		{
+			CRYPTO_w_lock(CRYPTO_LOCK_BIO);
+			BIO_write(logstream, msg, strlen(msg));
+			CRYPTO_w_unlock(CRYPTO_LOCK_BIO);
+		}
+	}
+}
+static int surewarehk_rand_bytes(unsigned char *buf, int num)
+{
+	int ret=0;
+	char msg[64]="ENGINE_rand_bytes";
+	if(!p_surewarehk_Rand_Bytes)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_RAND_BYTES,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+	{
+		ret = p_surewarehk_Rand_Bytes(msg,buf, num);
+		surewarehk_error_handling(msg,ENGINE_F_SUREWAREHK_RAND_BYTES,ret);
+	}
+	return ret==1 ? 1 : 0;
+}
+
+static void surewarehk_rand_seed(const void *buf, int num)
+{
+	int ret=0;
+	char msg[64]="ENGINE_rand_seed";
+	if(!p_surewarehk_Rand_Seed)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_RAND_SEED,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+	{
+		ret = p_surewarehk_Rand_Seed(msg,buf, num);
+		surewarehk_error_handling(msg,ENGINE_F_SUREWAREHK_RAND_SEED,ret);
+	}
+}
+static void surewarehk_rand_add(const void *buf, int num, double entropy)
+{
+	surewarehk_rand_seed(buf,num);
+}
+static EVP_PKEY* sureware_load_public(const char *key_id,char *hptr,unsigned long el,char keytype)
+{
+	EVP_PKEY *res = NULL;
+	RSA *rsatmp = NULL;
+	DSA *dsatmp=NULL;
+	char msg[64]="sureware_load_public";
+	int ret=0;
+	if(!p_surewarehk_Load_Rsa_Pubkey || !p_surewarehk_Load_Dsa_Pubkey)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_NOT_INITIALISED);
+		goto err;
+	}
+	switch (keytype)
+	{
+	case 1: /*RSA*/
+		/* set private external reference */
+		rsatmp = RSA_new_method(&engine_surewarehk);
+		RSA_set_ex_data(rsatmp,rsaHndidx,hptr);
+		rsatmp->flags |= RSA_FLAG_EXT_PKEY;
+
+		/* set public big nums*/
+		rsatmp->e = BN_new();
+		rsatmp->n = BN_new();
+		bn_expand2(rsatmp->e, el/sizeof(BN_ULONG));
+		bn_expand2(rsatmp->n, el/sizeof(BN_ULONG));
+		if (!rsatmp->e || rsatmp->e->dmax!=(int)(el/sizeof(BN_ULONG))|| 
+			!rsatmp->n || rsatmp->n->dmax!=(int)(el/sizeof(BN_ULONG)))
+			goto err;
+		ret=p_surewarehk_Load_Rsa_Pubkey(msg,key_id,el,
+						 (unsigned long *)rsatmp->n->d,
+						 (unsigned long *)rsatmp->e->d);
+		surewarehk_error_handling(msg,ENGINE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ret);
+		if (ret!=1)
+		{
+			ENGINEerr(ENGINE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY);
+			goto err;
+		}
+		/* normalise pub e and pub n */
+		rsatmp->e->top=el/sizeof(BN_ULONG);
+		bn_fix_top(rsatmp->e);
+		rsatmp->n->top=el/sizeof(BN_ULONG);
+		bn_fix_top(rsatmp->n);
+		/* create an EVP object: engine + rsa key */
+		res = EVP_PKEY_new();
+		EVP_PKEY_assign_RSA(res, rsatmp);
+		break;
+	case 2:/*DSA*/
+		/* set private/public external reference */
+		dsatmp = DSA_new_method(&engine_surewarehk);
+		DSA_set_ex_data(dsatmp,dsaHndidx,hptr);
+		/*dsatmp->flags |= DSA_FLAG_EXT_PKEY;*/
+
+		/* set public key*/
+		dsatmp->pub_key = BN_new();
+		dsatmp->p = BN_new();
+		dsatmp->q = BN_new();
+		dsatmp->g = BN_new();
+		bn_expand2(dsatmp->pub_key, el/sizeof(BN_ULONG));
+		bn_expand2(dsatmp->p, el/sizeof(BN_ULONG));
+		bn_expand2(dsatmp->q, 20/sizeof(BN_ULONG));
+		bn_expand2(dsatmp->g, el/sizeof(BN_ULONG));
+		if (!dsatmp->pub_key || dsatmp->pub_key->dmax!=(int)(el/sizeof(BN_ULONG))|| 
+			!dsatmp->p || dsatmp->p->dmax!=(int)(el/sizeof(BN_ULONG)) ||
+			!dsatmp->q || dsatmp->q->dmax!=20/sizeof(BN_ULONG) ||
+			!dsatmp->g || dsatmp->g->dmax!=(int)(el/sizeof(BN_ULONG)))
+			goto err;
+
+		ret=p_surewarehk_Load_Dsa_Pubkey(msg,key_id,el,
+						 (unsigned long *)dsatmp->pub_key->d, 
+						 (unsigned long *)dsatmp->p->d,
+						 (unsigned long *)dsatmp->q->d,
+						 (unsigned long *)dsatmp->g->d);
+		surewarehk_error_handling(msg,ENGINE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ret);
+		if (ret!=1)
+		{
+			ENGINEerr(ENGINE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY);
+			goto err;
+		}
+		/* set parameters */
+		/* normalise pubkey and parameters in case of */
+		dsatmp->pub_key->top=el/sizeof(BN_ULONG);
+		bn_fix_top(dsatmp->pub_key);
+		dsatmp->p->top=el/sizeof(BN_ULONG);
+		bn_fix_top(dsatmp->p);
+		dsatmp->q->top=20/sizeof(BN_ULONG);
+		bn_fix_top(dsatmp->q);
+		dsatmp->g->top=el/sizeof(BN_ULONG);
+		bn_fix_top(dsatmp->g);
+
+		/* create an EVP object: engine + rsa key */
+		res = EVP_PKEY_new();
+		EVP_PKEY_assign_DSA(res, dsatmp);
+		break;
+	default:
+		ENGINEerr(ENGINE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+		goto err;
+	}
+	return res;
+ err:
+	if (res)
+		EVP_PKEY_free(res);
+	if (rsatmp)
+		RSA_free(rsatmp);
+	if (dsatmp)
+		DSA_free(dsatmp);
+	return NULL;
+}
+static EVP_PKEY *surewarehk_load_privkey(const char *key_id,
+										const char *passphrase)
+{
+	EVP_PKEY *res = NULL;
+	int ret=0;
+	unsigned long el=0;
+	char *hptr=NULL;
+	char keytype=0;
+	char msg[64]="ENGINE_load_privkey";
+
+	if(!p_surewarehk_Load_Privkey)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+	{
+		ret=p_surewarehk_Load_Privkey(msg,key_id,&hptr,&el,&keytype);
+		if (ret!=1)
+		{
+			ENGINEerr(ENGINE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+			ERR_add_error_data(1,msg);		
+		}
+		else
+			res=sureware_load_public(key_id,hptr,el,keytype);
+	}
+	return res;
+}
+static EVP_PKEY *surewarehk_load_pubkey(const char *key_id,
+	const char *passphrase)
+{
+	EVP_PKEY *res = NULL;
+	int ret=0;
+	unsigned long el=0;
+	char *hptr=NULL;
+	char keytype=0;
+	char msg[64]="ENGINE_load_pubkey";
+
+	if(!p_surewarehk_Info_Pubkey)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+	{
+		/* call once to identify if DSA or RSA */
+		ret=p_surewarehk_Info_Pubkey(msg,key_id,&el,&keytype);
+		if (ret!=1)
+		{
+			ENGINEerr(ENGINE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY);
+			ERR_add_error_data(1,msg);
+		}
+		else
+			res=sureware_load_public(key_id,hptr,el,keytype);
+	}
+	return res;
+}
+
+/* This cleans up an RSA/DSA KM key(do not destroy the key into the hardware)
+, called when ex_data is freed */
+static void surewarehk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+	int index,long argl, void *argp)
+{
+	if(!p_surewarehk_Free)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_EX_FREE,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+		p_surewarehk_Free((char *)item,0);
+}
+
+#if 0
+/* This cleans up an DH KM key (destroys the key into hardware), 
+called when ex_data is freed */
+static void surewarehk_dh_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+	int index,long argl, void *argp)
+{
+	if(!p_surewarehk_Free)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_EX_FREE,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+		p_surewarehk_Free((char *)item,1);
+}
+#endif
+
+/*
+* return number of decrypted bytes
+*/
+static int surewarehk_rsa_priv_dec(int flen,unsigned char *from,unsigned char *to,
+			RSA *rsa,int padding)
+{
+	int ret=0,tlen;
+	char *buf=NULL,*hptr=NULL;
+	char msg[64]="ENGINE_rsa_priv_dec";
+	if (!p_surewarehk_Rsa_Priv_Dec)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_RSA_PRIV_DEC,ENGINE_R_NOT_INITIALISED);
+	}
+	/* extract ref to private key */
+	else if (!(hptr=RSA_get_ex_data(rsa, rsaHndidx)))
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_RSA_PRIV_DEC,ENGINE_R_MISSING_KEY_COMPONENTS);
+		goto err;
+	}
+	/* analyse what padding we can do into the hardware */
+	if (padding==RSA_PKCS1_PADDING)
+	{
+		/* do it one shot */
+		ret=p_surewarehk_Rsa_Priv_Dec(msg,flen,from,&tlen,to,hptr,SUREWARE_PKCS1_PAD);
+		surewarehk_error_handling(msg,ENGINE_F_SUREWAREHK_RSA_PRIV_DEC,ret);
+		if (ret!=1)
+			goto err;
+		ret=tlen;
+	}
+	else /* do with no padding into hardware */
+	{
+		ret=p_surewarehk_Rsa_Priv_Dec(msg,flen,from,&tlen,to,hptr,SUREWARE_NO_PAD);
+		surewarehk_error_handling(msg,ENGINE_F_SUREWAREHK_RSA_PRIV_DEC,ret);
+		if (ret!=1)
+			goto err;
+		/* intermediate buffer for padding */
+		if ((buf=OPENSSL_malloc(tlen)) == NULL)
+		{
+			RSAerr(ENGINE_F_SUREWAREHK_RSA_PRIV_DEC,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		memcpy(buf,to,tlen);/* transfert to into buf */
+		switch (padding) /* check padding in software */
+		{
+#ifndef NO_SHA
+		case RSA_PKCS1_OAEP_PADDING:
+			ret=RSA_padding_check_PKCS1_OAEP(to,tlen,(unsigned char *)buf,tlen,tlen,NULL,0);
+			break;
+#endif
+ 		case RSA_SSLV23_PADDING:
+			ret=RSA_padding_check_SSLv23(to,tlen,(unsigned char *)buf,flen,tlen);
+			break;
+		case RSA_NO_PADDING:
+			ret=RSA_padding_check_none(to,tlen,(unsigned char *)buf,flen,tlen);
+			break;
+		default:
+			RSAerr(ENGINE_F_SUREWAREHK_RSA_PRIV_DEC,RSA_R_UNKNOWN_PADDING_TYPE);
+			goto err;
+		}
+		if (ret < 0)
+			RSAerr(ENGINE_F_SUREWAREHK_RSA_PRIV_DEC,RSA_R_PADDING_CHECK_FAILED);
+	}
+err:
+	if (buf)
+	{
+		memset(buf,0,tlen);
+		OPENSSL_free(buf);
+	}
+	return ret;
+}
+/*
+* Does what OpenSSL rsa_priv_enc does.
+*/
+static int surewarehk_rsa_sign(int flen,unsigned char *from,unsigned char *to,
+			    RSA *rsa,int padding)
+{
+	int ret=0,tlen;
+	char *hptr=NULL;
+	char msg[64]="ENGINE_rsa_sign";
+	if (!p_surewarehk_Rsa_Sign)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_RSA_PRIV_ENC,ENGINE_R_NOT_INITIALISED);
+	}
+	/* extract ref to private key */
+	else if (!(hptr=RSA_get_ex_data(rsa, rsaHndidx)))
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_RSA_PRIV_ENC,ENGINE_R_MISSING_KEY_COMPONENTS);
+	}
+	else
+	{
+		switch (padding)
+		{
+		case RSA_PKCS1_PADDING: /* do it in one shot */
+			ret=p_surewarehk_Rsa_Sign(msg,flen,from,&tlen,to,hptr,SUREWARE_PKCS1_PAD);
+			surewarehk_error_handling(msg,ENGINE_F_SUREWAREHK_RSA_PRIV_ENC,ret);
+			break;
+		case RSA_NO_PADDING:
+		default:
+			RSAerr(ENGINE_F_SUREWAREHK_RSA_PRIV_ENC,RSA_R_UNKNOWN_PADDING_TYPE);
+		}
+	}
+	return ret==1 ? tlen : ret;
+}
+/* DSA sign and verify */
+static	DSA_SIG * surewarehk_dsa_do_sign(const unsigned char *from, int flen, DSA *dsa)
+{
+	int ret=0;
+	char *hptr=NULL;
+	DSA_SIG *psign=NULL;
+	char msg[64]="ENGINE_dsa_do_sign";
+	if (!p_surewarehk_Dsa_Sign)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_DSA_DO_SIGN,ENGINE_R_NOT_INITIALISED);
+	}
+	/* extract ref to private key */
+	else if (!(hptr=DSA_get_ex_data(dsa, dsaHndidx)))
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_DSA_DO_SIGN,ENGINE_R_MISSING_KEY_COMPONENTS);
+	}
+	else
+	{
+		if((psign = DSA_SIG_new()) == NULL)
+		{
+			ENGINEerr(ENGINE_F_SUREWAREHK_DSA_DO_SIGN,ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		psign->r=BN_new();
+		psign->s=BN_new();
+		bn_expand2(psign->r, 20/sizeof(BN_ULONG));
+		bn_expand2(psign->s, 20/sizeof(BN_ULONG));
+		if (!psign->r || psign->r->dmax!=20/sizeof(BN_ULONG) ||
+			!psign->s || psign->s->dmax!=20/sizeof(BN_ULONG))
+			goto err;
+		ret=p_surewarehk_Dsa_Sign(msg,flen,from,
+					  (unsigned long *)psign->r->d,
+					  (unsigned long *)psign->s->d,
+					  hptr);
+		surewarehk_error_handling(msg,ENGINE_F_SUREWAREHK_DSA_DO_SIGN,ret);
+	}
+	psign->r->top=20/sizeof(BN_ULONG);
+	bn_fix_top(psign->r);
+	psign->s->top=20/sizeof(BN_ULONG);
+	bn_fix_top(psign->s);
+
+err:	
+	if (psign)
+	{
+		DSA_SIG_free(psign);
+		psign=NULL;
+	}
+	return psign;
+}
+static int surewarehk_modexp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+							const BIGNUM *m, BN_CTX *ctx)
+{
+	int ret=0;
+	char msg[64]="ENGINE_modexp";
+	if (!p_surewarehk_Mod_Exp)
+	{
+		ENGINEerr(ENGINE_F_SUREWAREHK_MOD_EXP,ENGINE_R_NOT_INITIALISED);
+	}
+	else
+	{
+		bn_expand2(r,m->top);
+		if (r && r->dmax==m->top)
+		{
+			/* do it*/
+			ret=p_surewarehk_Mod_Exp(msg,
+						 m->top*sizeof(BN_ULONG),
+						 (unsigned long *)m->d,
+						 p->top*sizeof(BN_ULONG),
+						 (unsigned long *)p->d,
+						 a->top*sizeof(BN_ULONG),
+						 (unsigned long *)a->d,
+						 (unsigned long *)r->d);
+			surewarehk_error_handling(msg,ENGINE_F_SUREWAREHK_MOD_EXP,ret);
+			if (ret==1)
+			{
+				/* normalise result */
+				r->top=m->top;
+				bn_fix_top(r);
+			}
+		}
+	}
+	return ret;
+}
+#endif /* !NO_HW_SureWare */
+#endif /* !NO_HW */
--- a/crypto/engine/hw_ubsec.c
+++ b/crypto/engine/hw_ubsec.c
--- a/Show More
+++ b/Show More